Skip to content

Add @epilot/blueprint-tester: format-agnostic blueprint validation library#366

Open
NishuGoel wants to merge 2 commits intomainfrom
NishuGoel/blueprint-tester
Open

Add @epilot/blueprint-tester: format-agnostic blueprint validation library#366
NishuGoel wants to merge 2 commits intomainfrom
NishuGoel/blueprint-tester

Conversation

@NishuGoel
Copy link
Copy Markdown
Member

@NishuGoel NishuGoel commented Mar 16, 2026
edited
Loading

Summary

  • Add @epilot/blueprint-tester library for validating epilot blueprint exports
  • Supports any input format: ZIP files (.tf), JSON manifests (API responses), or direct BlueprintData objects
  • 8 validation rules: dangling UUIDs, source org references, cross-reference integrity, token detection, public journey safety, incomplete webhooks, environment URLs, email addresses
  • Adapter pattern: terraform-adapter (ZIP → BlueprintData), json-adapter (manifest → BlueprintData), with auto-detection
  • CLI integration via epilot blueprint-test <file.zip|file.json>
  • 62 tests passing

Architecture

Input (ZIP / JSON / API response)
  → Adapter (auto-detect format)
    → BlueprintData (normalized)
      → Validation Rules (format-aware)
        → ValidationReport

Test plan

  • 56 original terraform-path tests pass
  • 6 new JSON adapter tests pass
  • TypeScript type check clean
  • Build (ESM + CJS) succeeds

🤖 Generated with Claude Opus 4.6

@claude
Add @epilot/blueprint-tester library for post-export blueprint valida…
3fc4474 
…tion

Catches dangling UUIDs, leaked tokens/secrets, source org references,
and other issues in exported blueprint ZIP files before publishing.

8 validation rules:
- dangling-uuid (error): hardcoded UUIDs not matching any blueprint resource
- source-org-ref (error): hardcoded organization IDs
- cross-ref-integrity (error): broken depends_on / terraform references
- token-detection (warning): API keys, bearer tokens, OAuth secrets
- public-journey-safety (warning): public journeys with hardcoded refs
- incomplete-webhook (warning): webhooks with hardcoded URLs/auth
- environment-url (info): sandbox/staging/dev URLs
- email-address (info): hardcoded email addresses

Also adds `epilot blueprint-test` CLI command.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
github-advanced-security[bot]
github-advanced-security bot found potential problems Mar 16, 2026
View reviewed changes
packages/blueprint-tester/src/rules/environment-urls.ts
{ name: 'dev URL', regex: /dev[.\-_][a-z]+\.epilot\.cloud/gi },
{ name: 'localhost URL', regex: /(?:localhost|127\.0\.0\.1)(?::\d+)?/g },
{ name: 'org-specific S3 path', regex: /(?:s3:\/\/|amazonaws\.com\/)[^\s"']*\d{5,}[^\s"']*/g },
{ name: 'internal service URL', regex: /https?:\/\/[a-z-]+\.sls\.epilot\.io/g },

Check failure

Code scanning / CodeQL

Missing regular expression anchor High

When this is used as a regular expression on a URL, it may match anywhere, and arbitrary hosts may come before or after it.

Copilot Autofix

AI 17 days ago

Copilot could not generate an autofix suggestion

Copilot could not generate an autofix suggestion for this alert. Try pushing a new commit or if the problem persists contact support.

packages/blueprint-tester/__tests__/validator.test.ts
@@ -0,0 +1,130 @@
import { resolve } from 'node:path';

Check notice

Code scanning / CodeQL

Unused variable, import, function or class Note test

Unused import resolve.

Copilot Autofix

AI 17 days ago

To fix the problem, remove the unused resolve import from the top of packages/blueprint-tester/__tests__/validator.test.ts. This does not change any functionality, since resolve is never used and node:path has no needed side effects here. Concretely, delete line 1 containing import { resolve } from 'node:path'; and leave the remaining imports and code unchanged. No additional methods, imports, or definitions are required.

Suggested changeset 1
packages/blueprint-tester/__tests__/validator.test.ts

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/packages/blueprint-tester/__tests__/validator.test.ts b/packages/blueprint-tester/__tests__/validator.test.ts
--- a/packages/blueprint-tester/__tests__/validator.test.ts
+++ b/packages/blueprint-tester/__tests__/validator.test.ts
@@ -1,4 +1,3 @@
-import { resolve } from 'node:path';
 import AdmZip from 'adm-zip';
 import { describe, expect, it } from 'vitest';
 import { validateBlueprint } from '../src/validator.js';
EOF
@@ -1,4 +1,3 @@
import { resolve } from 'node:path';
import AdmZip from 'adm-zip';
import { describe, expect, it } from 'vitest';
import { validateBlueprint } from '../src/validator.js';
Copilot is powered by AI and may make mistakes. Always verify output.
@claude
Refactor blueprint-tester to be format-agnostic with adapter pattern
1b7b4c7 
Accept any blueprint input format (ZIP, JSON manifest, API response) via
adapters that normalize to a common BlueprintData type. Rules now use
rawContent instead of rawHcl and conditionally apply terraform-specific
checks based on the input format.

- Add BlueprintResource, BlueprintData, BlueprintManifest types
- Add terraform-adapter (ZIP → BlueprintData) and json-adapter (manifest → BlueprintData)
- Add auto-detection in normalizeBlueprintInput
- Update all 8 rules to be format-aware
- Update CLI to accept .json files
- Add JSON adapter tests (6 new, 62 total)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@NishuGoel NishuGoel changed the title Add @epilot/blueprint-tester library Add @epilot/blueprint-tester: format-agnostic blueprint validation library Mar 16, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@NishuGoel @github-advanced-security