terramend 0.2.0

package/src/mcp/pr.ts

@@ -0,0 +1,194 @@
+import { type } from "arktype";
+import { assertUnderPrCap, recordRemediationPrOpened } from "#app/mcp/guardrails";
+import { assertTargetInScope, recordCreatedTarget } from "#app/mcp/scope";
+import type { ToolContext } from "#app/mcp/server";
+import { execute, tool } from "#app/mcp/shared";
+import { buildTerramendFooter, stripExistingFooter } from "#app/utils/buildTerramendFooter";
+import { log } from "#app/utils/cli";
+import { fixDoubleEscapedString } from "#app/utils/fixDoubleEscapedString";
+import { patchWorkflowRunFields } from "#app/utils/patchWorkflowRunFields";
+import { $ } from "#app/utils/shell";
+
+export const PullRequest = type({
+  title: type.string.describe("the title of the pull request"),
+  body: type.string.describe("the body content of the pull request"),
+  "base?": type.string.describe(
+    "the base branch to merge into (e.g. 'main'). Omit to use the run's resolved base branch: the `base_branch` input, else the repository's default branch (main, or master).",
+  ),
+  "draft?": type.boolean.describe(
+    "if true, create the pull request as a draft. use when the user explicitly asks for a draft PR.",
+  ),
+});
+
+/**
+ * Pure base-branch picker. Precedence: an explicit `base_branch` declaration
+ * always wins; otherwise the repository's default branch (GitHub reports it —
+ * normally `main`, sometimes `master`); otherwise prefer `main`, then `master`;
+ * final fallback `main`. Split out from git/ctx so it's exhaustively testable.
+ */
+export function pickBaseBranch(opts: {
+  declared?: string | undefined;
+  defaultBranch?: string | undefined;
+  mainExists: boolean;
+  masterExists: boolean;
+}): string {
+  if (opts.declared) return opts.declared;
+  if (opts.defaultBranch) return opts.defaultBranch;
+  if (opts.mainExists) return "main";
+  if (opts.masterExists) return "master";
+  return "main";
+}
+
+/** true when `branch` exists as a remote-tracking or local ref. */
+function branchExists(branch: string): boolean {
+  for (const ref of [`refs/remotes/origin/${branch}`, `refs/heads/${branch}`]) {
+    try {
+      $("git", ["rev-parse", "--verify", "--quiet", ref], { log: false });
+      return true;
+    } catch {
+      // ref absent — try the next form
+    }
+  }
+  return false;
+}
+
+/**
+ * Deterministically resolve the branch a PR targets, so the base is never left
+ * to the agent's guess. Resolves to the repository's default branch (`main`, or
+ * `master`), overridable by the `base_branch` input. Git is only probed for
+ * main/master in the last-resort case where neither an explicit declaration nor
+ * a GitHub default branch is available (essentially never).
+ */
+export function resolveBaseBranch(ctx: ToolContext): string {
+  const declared = ctx.payload.baseBranch?.trim() || undefined;
+  const defaultBranch = ctx.repo.data.default_branch?.trim() || undefined;
+  const needsProbe = !declared && !defaultBranch;
+  return pickBaseBranch({
+    declared,
+    defaultBranch,
+    mainExists: needsProbe && branchExists("main"),
+    masterExists: needsProbe && branchExists("master"),
+  });
+}
+
+function buildPrBodyWithFooter(ctx: ToolContext, body: string): string {
+  const footer = buildTerramendFooter({
+    triggeredBy: true,
+    model: ctx.toolState.model,
+    fallbackFrom: ctx.toolState.modelFallback?.from,
+  });
+
+  const bodyWithoutFooter = stripExistingFooter(fixDoubleEscapedString(body));
+  return `${bodyWithoutFooter}${footer}`;
+}
+
+export const UpdatePullRequestBody = type({
+  pull_number: type.number.describe("the pull request number to update"),
+  body: type.string.describe("the new body content for the pull request"),
+});
+
+export function UpdatePullRequestBodyTool(ctx: ToolContext) {
+  return tool({
+    name: "update_pull_request_body",
+    description: "Update the body/description of an existing pull request",
+    parameters: UpdatePullRequestBody,
+    execute: execute(async (params) => {
+      assertTargetInScope(ctx, params.pull_number, "update the body of");
+      const bodyWithFooter = buildPrBodyWithFooter(ctx, params.body);
+
+      const result = await ctx.octokit.rest.pulls.update({
+        owner: ctx.repo.owner,
+        repo: ctx.repo.name,
+        pull_number: params.pull_number,
+        body: bodyWithFooter,
+      });
+      log.info(`» updated pull request #${result.data.number}`);
+
+      ctx.toolState.wasUpdated = true;
+
+      return {
+        success: true,
+        number: result.data.number,
+        url: result.data.html_url,
+      };
+    }),
+  });
+}
+
+export function CreatePullRequestTool(ctx: ToolContext) {
+  return tool({
+    name: "create_pull_request",
+    description: "Create a pull request from the current branch",
+    parameters: PullRequest,
+    execute: execute(async (params) => {
+      // permission gate: opening a PR is a repo write. `push: disabled` means the
+      // repository is configured for read-only access, so block it here the same
+      // way push_branch/create_issue do — an injected or read-only-intended agent
+      // must not be able to open PRs.
+      if (ctx.payload.push === "disabled") {
+        throw new Error(
+          "Creating a pull request is disabled. This repository is configured for read-only access (push: disabled).",
+        );
+      }
+
+      // Remediate-mode guardrail: stop at the configured max_prs. No-op otherwise.
+      assertUnderPrCap(ctx);
+
+      const currentBranch = $("git", ["rev-parse", "--abbrev-ref", "HEAD"], { log: false });
+      const base = params.base ?? resolveBaseBranch(ctx);
+      log.debug(`Current branch: ${currentBranch}; PR base: ${base}`);
+
+      const bodyWithFooter = buildPrBodyWithFooter(ctx, params.body);
+
+      const result = await ctx.octokit.rest.pulls.create({
+        owner: ctx.repo.owner,
+        repo: ctx.repo.name,
+        title: params.title,
+        body: bodyWithFooter,
+        head: currentBranch,
+        base,
+        draft: params.draft ?? false,
+      });
+      log.info(`» created pull request #${result.data.number} (id ${result.data.id})`);
+
+      // record so the agent may update THIS PR's body / comment on it later even
+      // though its number differs from the run's triggering issue_number.
+      recordCreatedTarget(ctx, result.data.number);
+
+      // best-effort: request review from the user who triggered the workflow
+      const reviewer = ctx.payload.triggerer;
+      if (reviewer) {
+        try {
+          log.debug(`requesting review from ${reviewer} on PR #${result.data.number}`);
+          await ctx.octokit.rest.pulls.requestReviewers({
+            owner: ctx.repo.owner,
+            repo: ctx.repo.name,
+            pull_number: result.data.number,
+            reviewers: [reviewer],
+          });
+        } catch {
+          log.info(`failed to request review from ${reviewer} on PR #${result.data.number}`);
+        }
+      }
+
+      if (typeof result.data.node_id === "string" && result.data.node_id.length > 0) {
+        await patchWorkflowRunFields(ctx, {
+          prNodeId: result.data.node_id,
+        });
+      }
+
+      // count this toward the per-run remediation PR cap (Remediate mode only).
+      recordRemediationPrOpened(ctx);
+
+      return {
+        success: true,
+        pullRequestId: result.data.id,
+        number: result.data.number,
+        url: result.data.html_url,
+        title: result.data.title,
+        head: result.data.head.ref,
+        base: result.data.base.ref,
+      };
+    }),
+  });
+}

package/src/mcp/prInfo.test.ts

@@ -0,0 +1,96 @@
+import { describe, expect, it, vi } from "vitest";
+import { PullRequestInfoTool } from "#app/mcp/prInfo";
+import type { ToolContext } from "#app/mcp/server";
+
+type ToolResultShape = { content: [{ type: "text"; text: string }]; isError?: boolean };
+
+async function runTool(t: { execute?: unknown }, params: unknown): Promise<ToolResultShape> {
+  const exec = t.execute as (p: unknown, c: unknown) => Promise<ToolResultShape>;
+  return exec(params, {});
+}
+
+function makePullData(overrides?: Record<string, unknown>) {
+  return {
+    number: 7,
+    html_url: "https://gh/pull/7",
+    title: "Enable bucket versioning",
+    body: "pr body",
+    state: "open",
+    draft: false,
+    merged: false,
+    maintainer_can_modify: true,
+    base: { ref: "main", repo: { full_name: "octo/repo" } },
+    head: { ref: "feat/versioning", repo: { full_name: "octo/repo" } },
+    user: { login: "alice" },
+    assignees: [{ login: "bob" }],
+    labels: [{ name: "infra" }],
+    ...overrides,
+  };
+}
+
+function makeCtx(pullData: Record<string, unknown>) {
+  const pullsGet = vi.fn(async (_p: unknown) => ({ data: pullData }));
+  const issuesGet = vi.fn(async (_p: unknown) => ({
+    data: { body_html: "<p>pr body</p>" },
+  }));
+  const graphql = vi.fn(async (_q: string, _v: unknown) => ({
+    repository: {
+      pullRequest: {
+        closingIssuesReferences: { nodes: [{ number: 3, title: "Bucket is unversioned" }] },
+      },
+    },
+  }));
+  const ctx = {
+    octokit: { rest: { pulls: { get: pullsGet }, issues: { get: issuesGet } }, graphql },
+    repo: { owner: "octo", name: "repo" },
+    tmpdir: "/tmp",
+    githubInstallationToken: "tok",
+  } as unknown as ToolContext;
+  return { ctx, pullsGet, issuesGet, graphql };
+}
+
+describe("PullRequestInfoTool", () => {
+  it("returns PR metadata with linked closing issues", async () => {
+    const { ctx, pullsGet, issuesGet, graphql } = makeCtx(makePullData());
+    const result = await runTool(PullRequestInfoTool(ctx), { pull_number: 7 });
+
+    expect(result.isError).toBeUndefined();
+    expect(pullsGet).toHaveBeenCalledWith({ owner: "octo", repo: "repo", pull_number: 7 });
+    expect(issuesGet).toHaveBeenCalledWith(
+      expect.objectContaining({
+        issue_number: 7,
+        headers: { accept: "application/vnd.github.full+json" },
+      }),
+    );
+    expect(graphql).toHaveBeenCalledWith(expect.stringContaining("closingIssuesReferences"), {
+      owner: "octo",
+      repo: "repo",
+      number: 7,
+    });
+
+    const text = result.content[0].text;
+    expect(text).toContain("Enable bucket versioning");
+    expect(text).toContain("isFork: false");
+    expect(text).toContain("base: main");
+    expect(text).toContain("head: feat/versioning");
+    expect(text).toContain("Bucket is unversioned");
+    expect(text).toContain("infra");
+  });
+
+  it("flags fork PRs when the head repo differs (or is gone)", async () => {
+    const { ctx } = makeCtx(makePullData({ head: { ref: "feat", repo: null } }));
+    const result = await runTool(PullRequestInfoTool(ctx), { pull_number: 7 });
+
+    expect(result.isError).toBeUndefined();
+    expect(result.content[0].text).toContain("isFork: true");
+  });
+
+  it("surfaces API failures as tool errors", async () => {
+    const { ctx, graphql } = makeCtx(makePullData());
+    graphql.mockRejectedValueOnce(new Error("GraphQL exploded"));
+    const result = await runTool(PullRequestInfoTool(ctx), { pull_number: 7 });
+
+    expect(result.isError).toBe(true);
+    expect(result.content[0].text).toContain("GraphQL exploded");
+  });
+});

package/src/mcp/prInfo.ts

@@ -0,0 +1,91 @@
+import { type } from "arktype";
+import type { ToolContext } from "#app/mcp/server";
+import { execute, tool } from "#app/mcp/shared";
+import { resolveBodyAssets } from "#app/utils/body";
+
+const CLOSING_ISSUES_QUERY = `
+query($owner: String!, $repo: String!, $number: Int!) {
+  repository(owner: $owner, name: $repo) {
+    pullRequest(number: $number) {
+      closingIssuesReferences(first: 10) {
+        nodes { number title }
+      }
+    }
+  }
+}
+`;
+
+type ClosingIssuesResponse = {
+  repository: {
+    pullRequest: {
+      closingIssuesReferences: { nodes: Array<{ number: number; title: string }> };
+    };
+  };
+};
+
+export const PullRequestInfo = type({
+  pull_number: type.number.describe("The pull request number to fetch"),
+});
+
+export function PullRequestInfoTool(ctx: ToolContext) {
+  return tool({
+    name: "get_pull_request",
+    description:
+      "Retrieve PR metadata (title, body, state, branches, author, labels, linked issues). " +
+      "Example: `get_pull_request({ pull_number: 1234 })`. " +
+      "To checkout a PR branch locally, use checkout_pr instead.",
+    parameters: PullRequestInfo,
+    execute: execute(async ({ pull_number }) => {
+      // fetch REST and GraphQL in parallel. the issues.get call is only for body_html
+      // (PRs are issues; the pulls.get response type omits body_html) so attachment urls
+      // resolve to signed CDN urls — see resolveBodyAssets.
+      const [restResponse, issueResponse, graphqlResponse] = await Promise.all([
+        ctx.octokit.rest.pulls.get({
+          owner: ctx.repo.owner,
+          repo: ctx.repo.name,
+          pull_number,
+        }),
+        ctx.octokit.rest.issues.get({
+          owner: ctx.repo.owner,
+          repo: ctx.repo.name,
+          issue_number: pull_number,
+          headers: { accept: "application/vnd.github.full+json" },
+        }),
+        ctx.octokit.graphql<ClosingIssuesResponse>(CLOSING_ISSUES_QUERY, {
+          owner: ctx.repo.owner,
+          repo: ctx.repo.name,
+          number: pull_number,
+        }),
+      ]);
+
+      const data = restResponse.data;
+      const isFork = data.head.repo?.full_name !== data.base.repo.full_name;
+      const closingIssues = graphqlResponse.repository.pullRequest.closingIssuesReferences.nodes;
+
+      const body = await resolveBodyAssets({
+        body: data.body,
+        bodyHtml: issueResponse.data.body_html,
+        tmpdir: ctx.tmpdir,
+        githubToken: ctx.githubInstallationToken,
+      });
+
+      return {
+        number: data.number,
+        url: data.html_url,
+        title: data.title,
+        body: body,
+        state: data.state,
+        draft: data.draft,
+        merged: data.merged,
+        maintainerCanModify: data.maintainer_can_modify,
+        base: data.base.ref,
+        head: data.head.ref,
+        isFork,
+        author: data.user?.login,
+        assignees: data.assignees?.map((a) => a.login),
+        labels: data.labels.map((l) => l.name),
+        closingIssues: closingIssues.map((i) => ({ number: i.number, title: i.title })),
+      };
+    }),
+  });
+}

package/src/mcp/providerSchema.test.ts

@@ -0,0 +1,85 @@
+import { describe, expect, it } from "vitest";
+import { parseProvidersSchema, unknownArgsForResource } from "#app/mcp/providerSchema";
+
+const SCHEMA = JSON.stringify({
+  format_version: "1.0",
+  provider_schemas: {
+    "registry.terraform.io/hashicorp/aws": {
+      resource_schemas: {
+        aws_s3_bucket: {
+          block: {
+            attributes: { bucket: {}, acl: {}, tags: {} },
+            block_types: { versioning: {}, logging: {} },
+          },
+        },
+        aws_instance: {
+          block: {
+            attributes: { ami: {}, instance_type: {} },
+            block_types: { metadata_options: {} },
+          },
+        },
+      },
+    },
+  },
+});
+
+describe("parseProvidersSchema", () => {
+  it("maps each resource type to its attributes and nested blocks", () => {
+    const schema = parseProvidersSchema(SCHEMA);
+    const bucket = schema.get("aws_s3_bucket")!;
+    expect([...bucket.attributes].sort()).toEqual(["acl", "bucket", "tags"]);
+    expect([...bucket.blocks].sort()).toEqual(["logging", "versioning"]);
+    expect(schema.get("aws_instance")!.blocks.has("metadata_options")).toBe(true);
+  });
+
+  it("tolerates empty / malformed input", () => {
+    expect(parseProvidersSchema("").size).toBe(0);
+    expect(parseProvidersSchema("not json").size).toBe(0);
+    expect(parseProvidersSchema(JSON.stringify({})).size).toBe(0);
+  });
+
+  it("merges resource schemas across multiple providers", () => {
+    const merged = JSON.stringify({
+      provider_schemas: {
+        "registry.terraform.io/hashicorp/aws": {
+          resource_schemas: { aws_s3_bucket: { block: { attributes: { bucket: {} } } } },
+        },
+        "registry.terraform.io/hashicorp/random": {
+          resource_schemas: { random_id: { block: { attributes: { byte_length: {} } } } },
+        },
+      },
+    });
+    const schema = parseProvidersSchema(merged);
+    expect(schema.has("aws_s3_bucket")).toBe(true);
+    expect(schema.has("random_id")).toBe(true);
+  });
+});
+
+describe("unknownArgsForResource", () => {
+  const schema = parseProvidersSchema(SCHEMA);
+
+  it("accepts valid attributes and nested blocks", () => {
+    expect(
+      unknownArgsForResource(schema, "aws_s3_bucket", ["bucket", "acl", "versioning"]),
+    ).toEqual({
+      unknownResourceType: false,
+      unknown: [],
+    });
+  });
+
+  it("flags an argument that does not exist for the resource (would break plan)", () => {
+    // `server_side_encryption_configuration` is inline-deprecated on aws v5 → not in schema.
+    expect(
+      unknownArgsForResource(schema, "aws_s3_bucket", [
+        "bucket",
+        "server_side_encryption_configuration",
+      ]),
+    ).toEqual({ unknownResourceType: false, unknown: ["server_side_encryption_configuration"] });
+  });
+
+  it("reports an unknown resource type rather than guessing", () => {
+    expect(unknownArgsForResource(schema, "aws_not_a_real_type", ["x"]).unknownResourceType).toBe(
+      true,
+    );
+  });
+});

package/src/mcp/providerSchema.ts

@@ -0,0 +1,175 @@
+import { spawnSync } from "node:child_process";
+import { type } from "arktype";
+import type { LocalToolContext } from "#app/mcp/localContext";
+import { execute, tool } from "#app/mcp/shared";
+import { SUBPROCESS_TIMEOUT_MS } from "#app/mcp/terraform/types";
+import { log } from "#app/utils/cli";
+import { resolveEnv } from "#app/utils/secrets";
+
+/**
+ * Provider-schema awareness (§4.15 next). A "correct" fix for the wrong provider
+ * major just breaks `plan` — argument names and nested blocks differ across
+ * majors. After `terraform init`, the installed provider's exact schema is
+ * available via `terraform providers schema -json`; this parses it so a fix can
+ * be checked against the REAL attributes/blocks for the version in use, not the
+ * model's memory of the provider.
+ *
+ * The schema fetch is cached per `cwd` for the process (schemas don't change
+ * within a run) and degrades green (returns `ok: false`) when terraform isn't
+ * installed or the dir isn't initialised.
+ */
+
+export interface ResourceSchema {
+  attributes: Set<string>;
+  blocks: Set<string>;
+}
+
+/** resourceType → its attribute + nested-block names, across all providers. */
+export type ProvidersSchema = Map<string, ResourceSchema>;
+
+interface RawBlock {
+  attributes?: Record<string, unknown>;
+  block_types?: Record<string, unknown>;
+}
+interface RawResourceSchema {
+  block?: RawBlock;
+}
+interface RawProviderSchema {
+  resource_schemas?: Record<string, RawResourceSchema>;
+}
+interface RawSchema {
+  provider_schemas?: Record<string, RawProviderSchema>;
+}
+
+/**
+ * Parse `terraform providers schema -json` into a resource-type → {attributes,
+ * blocks} map. Merges every provider's `resource_schemas`. Pure; tolerant of a
+ * missing/empty schema.
+ */
+export function parseProvidersSchema(json: string): ProvidersSchema {
+  const out: ProvidersSchema = new Map();
+  let parsed: RawSchema;
+  try {
+    parsed = JSON.parse(json || "{}") as RawSchema;
+  } catch {
+    return out;
+  }
+  for (const provider of Object.values(parsed.provider_schemas ?? {})) {
+    for (const [resourceType, schema] of Object.entries(provider.resource_schemas ?? {})) {
+      const attributes = new Set(Object.keys(schema.block?.attributes ?? {}));
+      const blocks = new Set(Object.keys(schema.block?.block_types ?? {}));
+      const existing = out.get(resourceType);
+      if (existing) {
+        for (const a of attributes) existing.attributes.add(a);
+        for (const b of blocks) existing.blocks.add(b);
+      } else {
+        out.set(resourceType, { attributes, blocks });
+      }
+    }
+  }
+  return out;
+}
+
+/**
+ * Given a resource type and the argument names a fix introduces, return the ones
+ * that are NOT valid attributes or nested blocks for that resource in the
+ * installed provider — i.e. names that would break `plan`. Returns `null` for
+ * `unknownResourceType` when the schema has no entry for the type (can't judge).
+ */
+export function unknownArgsForResource(
+  schema: ProvidersSchema,
+  resourceType: string,
+  args: string[],
+): { unknownResourceType: boolean; unknown: string[] } {
+  const res = schema.get(resourceType);
+  if (!res) return { unknownResourceType: true, unknown: [] };
+  const unknown = args.filter((a) => !res.attributes.has(a) && !res.blocks.has(a));
+  return { unknownResourceType: false, unknown };
+}
+
+// per-process cache: cwd → parsed schema (schemas are stable within a run).
+const schemaCache = new Map<string, ProvidersSchema | null>();
+
+/** fetch + cache the providers schema for `cwd`. null when unavailable. */
+export function loadProvidersSchema(cwd: string): ProvidersSchema | null {
+  if (schemaCache.has(cwd)) return schemaCache.get(cwd) ?? null;
+  const r = spawnSync("terraform", ["providers", "schema", "-json"], {
+    cwd,
+    encoding: "utf-8",
+    env: resolveEnv("restricted") as NodeJS.ProcessEnv,
+    stdio: ["ignore", "pipe", "pipe"],
+    maxBuffer: 256 * 1024 * 1024,
+    // bound a hung `terraform providers schema` (e.g. provider plugin install
+    // stalling on the network); a timeout surfaces as r.error → null schema.
+    timeout: SUBPROCESS_TIMEOUT_MS,
+  });
+  if (r.error || r.status !== 0 || !r.stdout?.trim()) {
+    schemaCache.set(cwd, null);
+    return null;
+  }
+  const parsed = parseProvidersSchema(r.stdout);
+  schemaCache.set(cwd, parsed);
+  return parsed;
+}
+
+/** test-only: clear the per-process schema cache. */
+export function _clearProviderSchemaCache(): void {
+  schemaCache.clear();
+}
+
+export const TerraformProviderSchemaParams = type({
+  resource_type: type.string.describe(
+    "the Terraform resource type to inspect, e.g. 'aws_s3_bucket'.",
+  ),
+  "args?": type.string
+    .array()
+    .describe(
+      "optional argument/block names a fix introduces — the tool reports which are NOT valid for the installed provider version.",
+    ),
+});
+
+export function TerraformProviderSchemaTool(ctx: LocalToolContext) {
+  return tool({
+    name: "terraform_provider_schema",
+    description:
+      "Inspect the INSTALLED provider's schema for a resource type (§4.15) so a fix targets the right " +
+      "arguments for the pinned provider major. Returns the resource's valid `attributes` and nested " +
+      "`blocks`; when you pass `args`, it reports which are `unknown` (would break `plan`). Requires the dir " +
+      "to be `terraform init`-ed (run `terraform_validate`/`terraform_plan` first); degrades green " +
+      "(`ok: false`) when terraform isn't installed or the schema isn't available. Cached per run.",
+    parameters: TerraformProviderSchemaParams,
+    execute: execute(async ({ resource_type, args }) => {
+      const cwd = ctx.payload.cwd ?? process.cwd();
+      const schema = loadProvidersSchema(cwd);
+      if (!schema) {
+        return {
+          ok: false,
+          code: "schema_unavailable",
+          detail:
+            "provider schema unavailable — run terraform_validate/terraform_plan first to init the dir, or terraform isn't installed.",
+        };
+      }
+      const res = schema.get(resource_type);
+      if (!res) {
+        return {
+          ok: false,
+          code: "unknown_resource_type",
+          detail: `no schema for '${resource_type}' in the installed providers — check the type name and that its provider is required.`,
+        };
+      }
+      const verdict =
+        args && args.length > 0 ? unknownArgsForResource(schema, resource_type, args) : null;
+      log.info(
+        `» terraform_provider_schema(${resource_type}): ${res.attributes.size} attr / ${res.blocks.size} block(s)` +
+          (verdict ? `, ${verdict.unknown.length} unknown arg(s)` : ""),
+      );
+      return {
+        ok: true,
+        resource_type,
+        attributes: [...res.attributes].sort(),
+        blocks: [...res.blocks].sort(),
+        ...(verdict ? { unknown_args: verdict.unknown } : {}),
+      };
+    }),
+  });
+}