1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
//! CLI Args structs for validate-related commands.
use std::path::PathBuf;
/// CLI arguments for the `validate` command.
#[derive(clap::Args, Debug)]
pub struct ValidateArgs {
/// Path to forjar.yaml
#[arg(short, long, default_value = "forjar.yaml")]
pub file: PathBuf,
/// FJ-282: Extended validation — check machine refs, paths, deps, templates
#[arg(long)]
pub strict: bool,
/// Output validation result as JSON
#[arg(long)]
pub json: bool,
/// FJ-330: Show fully expanded config after template resolution
#[arg(long)]
pub dry_expand: bool,
/// FJ-381: Validate against specific schema version
#[arg(long)]
pub schema_version: Option<String>,
/// FJ-391: Validate all cross-references, machine existence, and param usage
#[arg(long)]
pub exhaustive: bool,
/// FJ-2503: Run all deep validation checks (templates, deps, overlaps, secrets, naming)
#[arg(long)]
pub deep: bool,
/// FJ-401: Validate against external policy rules file
#[arg(long)]
pub policy_file: Option<PathBuf>,
/// FJ-411: Test SSH connectivity to all machines during validation
#[arg(long)]
pub check_connectivity: bool,
/// FJ-421: Verify all template variables resolve
#[arg(long)]
pub check_templates: bool,
/// FJ-431: Verify dependency ordering matches resource declaration order
#[arg(long)]
pub strict_deps: bool,
/// FJ-441: Scan config for hardcoded secrets or credentials
#[arg(long)]
pub check_secrets: bool,
/// FJ-451: Verify all resources produce idempotent scripts
#[arg(long)]
pub check_idempotency: bool,
/// FJ-461: Verify all resources have drift detection configured
#[arg(long)]
pub check_drift_coverage: bool,
/// FJ-471: Detect indirect circular dependencies via transitive closure
#[arg(long)]
pub check_cycles_deep: bool,
/// FJ-481: Enforce resource naming conventions (kebab-case, prefix rules)
#[arg(long)]
pub check_naming: bool,
/// FJ-491: Detect resources targeting the same path/port/name on same machine
#[arg(long)]
pub check_overlaps: bool,
/// FJ-501: Enforce resource count limits per machine/type
#[arg(long)]
pub check_limits: bool,
/// FJ-511: Warn on resources with high dependency fan-out
#[arg(long)]
pub check_complexity: bool,
/// FJ-521: Scan for insecure permissions, ports, or user configs
#[arg(long)]
pub check_security: bool,
/// FJ-531: Warn on deprecated resource fields or types
#[arg(long)]
pub check_deprecation: bool,
/// FJ-541: Score drift risk based on resource volatility
#[arg(long)]
pub check_drift_risk: bool,
/// FJ-551: Validate against compliance policy (CIS, SOC2)
#[arg(long)]
pub check_compliance: Option<String>,
/// FJ-561: Check resources for platform-specific assumptions
#[arg(long)]
pub check_portability: bool,
/// FJ-571: Validate resource counts don't exceed per-machine limits
#[arg(long)]
pub check_resource_limits: bool,
/// FJ-581: Detect resources not referenced by any dependency chain
#[arg(long)]
pub check_unused: bool,
/// FJ-591: Validate all depends_on references resolve correctly
#[arg(long)]
pub check_dependencies: bool,
/// FJ-601: Validate resource ownership/mode fields are secure
#[arg(long)]
pub check_permissions: bool,
/// FJ-611: Deep idempotency analysis with simulation
#[arg(long)]
pub check_idempotency_deep: bool,
/// FJ-621: Verify machines are reachable before apply
#[arg(long)]
pub check_machine_reachability: bool,
/// FJ-631: Detect circular template/param references
#[arg(long)]
pub check_circular_refs: bool,
/// FJ-641: Enforce naming conventions across resources
#[arg(long)]
pub check_naming_conventions: bool,
/// FJ-661: Ensure all resources have consistent ownership
#[arg(long)]
pub check_owner_consistency: bool,
/// FJ-671: Detect overlapping file paths across resources
#[arg(long)]
pub check_path_conflicts: bool,
/// FJ-681: Validate service dependency chains are satisfiable
#[arg(long)]
pub check_service_deps: bool,
/// FJ-691: Validate all template variables are defined
#[arg(long)]
pub check_template_vars: bool,
/// FJ-701: Validate file mode consistency across resources
#[arg(long)]
pub check_mode_consistency: bool,
/// FJ-711: Validate user/group consistency across resources
#[arg(long)]
pub check_group_consistency: bool,
/// FJ-721: Validate mount point paths don't conflict
#[arg(long)]
pub check_mount_points: bool,
/// FJ-731: Validate cron schedule expressions
#[arg(long)]
pub check_cron_syntax: bool,
/// FJ-741: Verify all {{env.*}} references have matching env vars
#[arg(long)]
pub check_env_refs: bool,
/// FJ-745: Enforce resource naming regex pattern
#[arg(long)]
pub check_resource_names: Option<String>,
/// FJ-749: Warn if resource count exceeds threshold per machine
#[arg(long)]
pub check_resource_count: Option<usize>,
/// FJ-753: Detect duplicate file paths across resources on same machine
#[arg(long)]
pub check_duplicate_paths: bool,
/// FJ-757: Detect circular dependency chains
#[arg(long)]
pub check_circular_deps: bool,
/// FJ-761: Verify all machine references in resources exist
#[arg(long)]
pub check_machine_refs: bool,
/// FJ-765: Verify consistent package providers per machine
#[arg(long)]
pub check_provider_consistency: bool,
/// FJ-769: Verify state field values are valid for each resource type
#[arg(long)]
pub check_state_values: bool,
/// FJ-773: Detect machines defined but not referenced by any resource
#[arg(long)]
pub check_unused_machines: bool,
/// FJ-777: Verify resource tags follow naming conventions
#[arg(long)]
pub check_tag_consistency: bool,
/// FJ-781: Verify all depends_on targets reference existing resources
#[arg(long)]
pub check_dependency_exists: bool,
/// FJ-785: Detect resources targeting the same file path on the same machine
#[arg(long)]
pub check_path_conflicts_strict: bool,
/// FJ-789: Detect duplicate resource names across groups
#[arg(long)]
pub check_duplicate_names: bool,
/// FJ-793: Verify resource groups are non-empty
#[arg(long)]
pub check_resource_groups: bool,
/// FJ-797: Detect resources not reachable from any root
#[arg(long)]
pub check_orphan_resources: bool,
/// FJ-801: Verify resource compatibility with machine architecture
#[arg(long)]
pub check_machine_arch: bool,
/// FJ-805: Detect resources with conflicting health indicators
#[arg(long)]
pub check_resource_health_conflicts: bool,
/// FJ-809: Detect resources with overlapping scope on same machine
#[arg(long)]
pub check_resource_overlap: bool,
/// FJ-813: Enforce tag conventions (required tags, naming rules)
#[arg(long)]
pub check_resource_tags: bool,
/// FJ-817: Verify state fields match resource type constraints
#[arg(long)]
pub check_resource_state_consistency: bool,
/// FJ-821: Verify all depends_on targets actually exist
#[arg(long)]
pub check_resource_dependencies_complete: bool,
/// FJ-825: Verify machines are reachable (dry-run connectivity check)
#[arg(long)]
pub check_machine_connectivity: bool,
/// FJ-829: Enforce regex naming pattern for resources
#[arg(long)]
pub check_resource_naming_pattern: Option<String>,
/// FJ-833: Verify providers match resource types
#[arg(long)]
pub check_resource_provider_support: bool,
/// FJ-837: Verify secret references exist and are valid
#[arg(long)]
pub check_resource_secret_refs: bool,
/// FJ-841: Check resources have idempotency markers
#[arg(long)]
pub check_resource_idempotency_hints: bool,
/// FJ-845: Warn if dependency chain exceeds threshold
#[arg(long)]
pub check_resource_dependency_depth: Option<usize>,
/// FJ-849: Verify resources match machine capabilities
#[arg(long)]
pub check_resource_machine_affinity: bool,
/// FJ-853: Score drift risk per resource based on type + deps
#[arg(long)]
pub check_resource_drift_risk: bool,
/// FJ-857: Verify all resources have required tags
#[arg(long)]
pub check_resource_tag_coverage: bool,
/// FJ-861: Verify lifecycle hook references are valid
#[arg(long)]
pub check_resource_lifecycle_hooks: bool,
/// FJ-865: Verify provider version compatibility
#[arg(long)]
pub check_resource_provider_version: bool,
/// FJ-869: Enforce naming patterns across resources
#[arg(long)]
pub check_resource_naming_convention: bool,
/// FJ-873: Verify resources are idempotent-safe
#[arg(long)]
pub check_resource_idempotency: bool,
/// FJ-877: Verify resources have descriptions or comments
#[arg(long)]
pub check_resource_documentation: bool,
/// FJ-881: Verify all resources have assigned owners
#[arg(long)]
pub check_resource_ownership: bool,
/// FJ-885: Detect secrets accidentally exposed in resource content
#[arg(long)]
pub check_resource_secret_exposure: bool,
/// FJ-889: Enforce tag naming standards across resources
#[arg(long)]
pub check_resource_tag_standards: bool,
/// FJ-893: Detect resources that could enable privilege escalation
#[arg(long)]
pub check_resource_privilege_escalation: bool,
/// FJ-897: Verify resources can be safely updated without downtime
#[arg(long)]
pub check_resource_update_safety: bool,
/// FJ-901: Detect config inconsistencies across machines
#[arg(long)]
pub check_resource_cross_machine_consistency: bool,
/// FJ-905: Verify resources pin explicit versions
#[arg(long)]
pub check_resource_version_pinning: bool,
/// FJ-909: Verify all dependencies exist and are reachable
#[arg(long)]
pub check_resource_dependency_completeness: bool,
/// FJ-913: Verify all resources declare explicit states
#[arg(long)]
pub check_resource_state_coverage: bool,
/// FJ-917: Verify resources can be safely rolled back
#[arg(long)]
pub check_resource_rollback_safety: bool,
/// FJ-921: Score resource configuration maturity
#[arg(long)]
pub check_resource_config_maturity: bool,
/// FJ-925: Verify dependency ordering is topologically valid
#[arg(long)]
pub check_resource_dependency_ordering: bool,
/// FJ-929: Ensure all resources have required tag categories
#[arg(long)]
pub check_resource_tag_completeness: bool,
/// FJ-933: Enforce naming conventions via configurable regex patterns
#[arg(long)]
pub check_resource_naming_standards: bool,
/// FJ-937: Detect asymmetric dependency declarations
#[arg(long)]
pub check_resource_dependency_symmetry: bool,
/// FJ-941: Detect circular alias references in resource configs
#[arg(long)]
pub check_resource_circular_alias: bool,
/// FJ-945: Warn when dependency chains exceed a threshold
#[arg(long)]
pub check_resource_dependency_depth_limit: bool,
/// FJ-949: Detect parameters defined but never referenced in templates
#[arg(long)]
pub check_resource_unused_params: bool,
/// FJ-953: Warn when machines have unbalanced resource counts
#[arg(long)]
pub check_resource_machine_balance: bool,
/// FJ-957: Verify content hashes match declared checksums
#[arg(long)]
pub check_resource_content_hash_consistency: bool,
/// FJ-961: Ensure all referenced dependencies exist in the resource set
#[arg(long)]
pub check_resource_dependency_refs: bool,
/// FJ-965: Ensure all trigger references point to existing resources
#[arg(long)]
pub check_resource_trigger_refs: bool,
/// FJ-969: Validate parameter types match expected usage patterns
#[arg(long)]
pub check_resource_param_type_safety: bool,
/// FJ-973: Validate environment variable references match declared params
#[arg(long)]
pub check_resource_env_consistency: bool,
/// FJ-977: Validate secret resources have rotation policies defined
#[arg(long)]
pub check_resource_secret_rotation: bool,
/// FJ-981: Verify resources define all lifecycle stages
#[arg(long)]
pub check_resource_lifecycle_completeness: bool,
/// FJ-985: Verify resource types are compatible with declared providers
#[arg(long)]
pub check_resource_provider_compatibility: bool,
/// FJ-989: Enforce naming conventions on resource names
#[arg(long)]
pub check_resource_naming_convention_strict: bool,
/// FJ-993: Warn if resources lack idempotency annotations or markers
#[arg(long)]
pub check_resource_idempotency_annotations: bool,
/// FJ-997: Warn if resource content exceeds size threshold
#[arg(long)]
pub check_resource_content_size_limit: bool,
/// FJ-1001: Warn if any resource exceeds max fan-in or fan-out
#[arg(long)]
pub check_resource_dependency_fan_limit: bool,
/// FJ-1014: Warn if GPU resources reference mismatched backends within a stack
#[arg(long)]
pub check_resource_gpu_backend_consistency: bool,
/// FJ-1018: Validate when-field expressions for syntactic correctness
#[arg(long)]
pub check_resource_when_condition_syntax: bool,
/// FJ-1022: Warn if side-effect resources lack lifecycle hooks
#[arg(long)]
pub check_resource_lifecycle_hook_coverage: bool,
/// FJ-1025: Warn if resources contain encrypted secrets needing rotation
#[arg(long)]
pub check_resource_secret_rotation_age: bool,
/// FJ-1028: Warn if dependency chains exceed max depth limit (configurable)
#[arg(long)]
pub check_resource_dependency_chain_depth: bool,
/// FJ-1030: Warn if recipe resources reference undefined inputs
#[arg(long)]
pub check_recipe_input_completeness: bool,
/// FJ-1033: Warn if resources have duplicate content across different machines
#[arg(long)]
pub check_resource_cross_machine_content_duplicates: bool,
/// FJ-1036: Warn if resources reference machines not defined in config
#[arg(long)]
pub check_resource_machine_reference_validity: bool,
/// FJ-1038: Detect correlated failures across resources
#[arg(long)]
pub check_resource_health_correlation: bool,
/// FJ-1041: Identify redundant dependency chains
#[arg(long)]
pub check_dependency_optimization: bool,
/// FJ-1044: Identify resource consolidation opportunities
#[arg(long)]
pub check_resource_consolidation_opportunities: bool,
/// FJ-1046: Validate resources have proper compliance tags
#[arg(long)]
pub check_resource_compliance_tags: bool,
/// FJ-1049: Validate resources have rollback coverage
#[arg(long)]
pub check_resource_rollback_coverage: bool,
/// FJ-1052: Validate dependency balance across resources
#[arg(long)]
pub check_resource_dependency_balance: bool,
/// FJ-1054: Warn if secrets are referenced outside intended machine scope
#[arg(long)]
pub check_resource_secret_scope: bool,
/// FJ-1057: Warn if deprecated resources are still depended upon
#[arg(long)]
pub check_resource_deprecation_usage: bool,
/// FJ-1060: Warn if conditional resources lack when clause coverage
#[arg(long)]
pub check_resource_when_condition_coverage: bool,
/// FJ-1062: Warn if bidirectional dependency patterns exist
#[arg(long)]
pub check_resource_dependency_symmetry_deep: bool,
/// FJ-1065: Warn if tags don't follow namespace conventions
#[arg(long)]
pub check_resource_tag_namespace: bool,
/// FJ-1068: Warn if machines have too many resources
#[arg(long)]
pub check_resource_machine_capacity: bool,
/// FJ-1070: Warn if resource dependency fan-out exceeds limit
#[arg(long)]
pub check_resource_dependency_fan_out_limit: bool,
/// FJ-1073: Warn if resources lack required tag keys
#[arg(long)]
pub check_resource_tag_required_keys: bool,
/// FJ-1076: Score drift risk based on type, content, and dependency count
#[arg(long)]
pub check_resource_content_drift_risk: bool,
/// FJ-1078: Warn if circular dependency chains exist
#[arg(long)]
pub check_resource_circular_dependency_depth: bool,
/// FJ-1081: Detect orphan resources unreachable from any root
#[arg(long)]
pub check_resource_orphan_detection_deep: bool,
/// FJ-1084: Warn if all resources use a single provider type
#[arg(long)]
pub check_resource_provider_diversity: bool,
/// FJ-1086: Warn if resources in different stages share dependencies
#[arg(long)]
pub check_resource_dependency_isolation: bool,
/// FJ-1089: Warn if tag values are inconsistent across similar resources
#[arg(long)]
pub check_resource_tag_value_consistency: bool,
/// FJ-1092: Warn if resources are unevenly distributed across machines
#[arg(long)]
pub check_resource_machine_distribution_balance: bool,
/// FJ-1094: Warn if version-pinned dependencies are outdated
#[arg(long)]
pub check_resource_dependency_version_drift: bool,
/// FJ-1097: Warn if resource names exceed character limit
#[arg(long)]
pub check_resource_naming_length_limit: bool,
/// FJ-1100: Warn if machines lack expected resource type coverage
#[arg(long)]
pub check_resource_type_coverage_per_machine: bool,
/// FJ-1102: Warn if dependency chain depths vary wildly
#[arg(long)]
pub check_resource_dependency_depth_variance: bool,
/// FJ-1105: Warn if tag keys don't follow naming conventions
#[arg(long)]
pub check_resource_tag_key_naming: bool,
/// FJ-1108: Warn if resource content exceeds size threshold
#[arg(long)]
pub check_resource_content_length_limit: bool,
/// FJ-1110: Verify all declared dependencies exist
#[arg(long)]
pub check_resource_dependency_completeness_audit: bool,
/// FJ-1113: Warn if machines lack expected resource types
#[arg(long)]
pub check_resource_machine_coverage_gap: bool,
/// FJ-1116: Warn if file paths exceed directory depth limit
#[arg(long)]
pub check_resource_path_depth_limit: bool,
/// FJ-1118: Verify dependency ordering consistency
#[arg(long)]
pub check_resource_dependency_ordering_consistency: bool,
/// FJ-1121: Validate tag value format
#[arg(long)]
pub check_resource_tag_value_format: bool,
/// FJ-1124: Check resource provider version pinning
#[arg(long)]
pub check_resource_provider_version_pinning: bool,
/// FJ-1306: Report per-resource purity levels
#[arg(long)]
pub check_recipe_purity: bool,
/// FJ-1329: Output reproducibility score (0-100)
#[arg(long)]
pub check_reproducibility_score: bool,
/// FJ-2500: Reject configs with unknown YAML fields (typo detection)
#[arg(long)]
pub deny_unknown_fields: bool,
}