@action-llama/action-llama 0.10.2 → 0.11.0

package/dist/{cli/commands/cloud-iam.js → cloud/aws/iam.js}

@@ -1,138 +1,25 @@
 /**
- * Cloud IAM reconciliation for doctor and cloud-setup commands.
+ * AWS IAM reconciliation for ECS cloud agents.
  *
- * Extracted from doctor.ts to keep the credential validation logic
- * separate from cloud infrastructure provisioning.
+ * Extracted from cli/commands/cloud-iam.ts into the cloud provider module.
+ * Handles per-agent IAM task roles, Lambda roles, and ECR policies.
  */
-import { execFileSync } from "child_process";
-import { confirm } from "@inquirer/prompts";
 import { STSClient, GetCallerIdentityCommand } from "@aws-sdk/client-sts";
-import { IAMClient, CreateRoleCommand, PutRolePolicyCommand, PutUserPolicyCommand, GetRoleCommand } from "@aws-sdk/client-iam";
+import { IAMClient, CreateRoleCommand, PutRolePolicyCommand, PutUserPolicyCommand, GetRoleCommand, } from "@aws-sdk/client-iam";
 import { ECRClient, SetRepositoryPolicyCommand } from "@aws-sdk/client-ecr";
 import { discoverAgents, loadAgentConfig, loadGlobalConfig } from "../../shared/config.js";
 import { parseCredentialRef } from "../../shared/credentials.js";
-import { AWS_CONSTANTS } from "../../shared/aws-constants.js";
+import { AWS_CONSTANTS } from "./constants.js";
+import { CONSTANTS } from "../../shared/constants.js";
 import { ConfigError, CloudProviderError } from "../../shared/errors.js";
-export async function reconcileCloudIam(projectPath, cloud) {
-    if (cloud.provider === "cloud-run") {
-        await reconcileGcp(projectPath, cloud);
-    }
-    else if (cloud.provider === "ecs") {
-        await reconcileAws(projectPath, cloud);
-    }
-    else {
-        throw new CloudProviderError(`Unknown cloud provider: "${cloud.provider}"`);
-    }
-}
-async function reconcileGcp(projectPath, cloud) {
-    const { gcpProject, secretPrefix: configPrefix } = cloud;
-    if (!gcpProject) {
-        throw new ConfigError("cloud.gcpProject is required in config.toml");
-    }
-    const secretPrefix = configPrefix || AWS_CONSTANTS.DEFAULT_SECRET_PREFIX;
-    // Verify gcloud is available and authenticated
-    try {
-        gcloud(["auth", "print-access-token"], gcpProject);
-    }
-    catch (err) {
-        throw new CloudProviderError("gcloud CLI is not authenticated. Run 'gcloud auth login' first.\n" +
-            `Original error: ${err.message}`);
-    }
-    const agents = discoverAgents(projectPath);
-    if (agents.length === 0) {
-        console.log("No agents found. Create agents first.");
-        return;
-    }
-    // Pre-flight: check if any secrets exist in GSM with this prefix
-    const preflight = listGsmSecretCount(gcpProject, secretPrefix);
-    if (preflight === 0) {
-        console.log(`\nWarning: No secrets found in GSM with prefix "${secretPrefix}".\n` +
-            `IAM bindings are created against existing secrets, so you should push credentials first.\n`);
-        const proceed = await confirm({
-            message: "Continue anyway? (Service accounts will be created but no secrets will be bound)",
-            default: false,
-        });
-        if (!proceed) {
-            console.log("Aborted. Push credentials first, then re-run.");
-            return;
-        }
-    }
-    console.log(`\nSetting up Cloud Run service accounts for ${agents.length} agent(s)...\n`);
-    for (const name of agents) {
-        const config = loadAgentConfig(projectPath, name);
-        const saName = AWS_CONSTANTS.serviceAccountName(name);
-        const saEmail = AWS_CONSTANTS.serviceAccountEmail(name, gcpProject);
-        console.log(`  Agent: ${name}`);
-        console.log(`    SA: ${saEmail}`);
-        // 1. Create service account (idempotent)
-        try {
-            gcloud([
-                "iam", "service-accounts", "create", saName,
-                "--display-name", `Action Llama agent: ${name}`,
-                "--project", gcpProject,
-            ], gcpProject);
-            console.log(`    Created service account`);
-        }
-        catch (err) {
-            if (err.message?.includes("already exists")) {
-                console.log(`    Service account already exists`);
-            }
-            else {
-                throw err;
-            }
-        }
-        // 2. Collect all secret names this agent needs
-        const credRefs = [...new Set(config.credentials)];
-        if (config.model.authType !== "pi_auth" && !credRefs.includes("anthropic_key:default")) {
-            credRefs.push("anthropic_key:default");
-        }
-        const secretNames = [];
-        for (const ref of credRefs) {
-            const { type, instance } = parseCredentialRef(ref);
-            const fields = listGsmFields(gcpProject, secretPrefix, type, instance);
-            for (const field of fields) {
-                secretNames.push(`${secretPrefix}--${type}--${instance}--${field}`);
-            }
-        }
-        // 3. Grant secretmanager.secretAccessor on each secret
-        let boundCount = 0;
-        for (const secretName of secretNames) {
-            try {
-                gcloud([
-                    "secrets", "add-iam-policy-binding", secretName,
-                    "--member", `serviceAccount:${saEmail}`,
-                    "--role", "roles/secretmanager.secretAccessor",
-                    "--project", gcpProject,
-                ], gcpProject);
-                boundCount++;
-            }
-            catch (err) {
-                if (err.message?.includes("already exists") || err.message?.includes("already has")) {
-                    boundCount++;
-                }
-                else {
-                    console.log(`    Warning: failed to bind ${secretName}: ${err.message}`);
-                }
-            }
-        }
-        console.log(`    Bound ${boundCount} secret(s)`);
-        // 4. Grant the SA permission to act as itself (for Cloud Run job execution)
-        try {
-            gcloud([
-                "iam", "service-accounts", "add-iam-policy-binding", saEmail,
-                "--member", `serviceAccount:${saEmail}`,
-                "--role", "roles/iam.serviceAccountUser",
-                "--project", gcpProject,
-            ], gcpProject);
-        }
-        catch {
-            // May already be bound
-        }
-        console.log("");
-    }
-    console.log("Done. Each agent now has an isolated service account with access to only its declared secrets.");
-}
-async function reconcileAws(projectPath, cloud) {
+/**
+ * Reconcile per-agent ECS task roles and Secrets Manager policies.
+ *
+ * Creates an IAM task role for each agent with a trust policy for
+ * ecs-tasks.amazonaws.com, then attaches an inline policy granting
+ * secretsmanager:GetSecretValue on each agent's declared credentials.
+ */
+export async function reconcileAwsAgents(projectPath, cloud) {
     const { awsRegion, ecrRepository, awsSecretPrefix } = cloud;
     if (!awsRegion) {
         throw new ConfigError("cloud.awsRegion is required in config.toml");
@@ -140,7 +27,7 @@ async function reconcileAws(projectPath, cloud) {
     if (!ecrRepository) {
         throw new ConfigError("cloud.ecrRepository is required in config.toml");
     }
-    const secretPrefix = awsSecretPrefix || AWS_CONSTANTS.DEFAULT_SECRET_PREFIX;
+    const secretPrefix = awsSecretPrefix || CONSTANTS.DEFAULT_SECRET_PREFIX;
     // Extract account ID from ECR repo URI
     const accountMatch = ecrRepository.match(/^(\d+)\.dkr\.ecr\./);
     if (!accountMatch) {
@@ -325,54 +212,9 @@ export async function grantPassRole(awsRegion, iamClient, roleArns, policyName)
         }
     }
 }
-function gcloud(args, _project) {
-    return execFileSync("gcloud", args, {
-        encoding: "utf-8",
-        timeout: 30_000,
-        stdio: ["pipe", "pipe", "pipe"],
-    }).trim();
-}
-function listGsmSecretCount(gcpProject, prefix) {
-    try {
-        const output = gcloud([
-            "secrets", "list",
-            "--filter", `name:${prefix}--`,
-            "--format", "value(name)",
-            "--project", gcpProject,
-        ], gcpProject);
-        if (!output.trim())
-            return 0;
-        return output.trim().split("\n").length;
-    }
-    catch {
-        return 0;
-    }
-}
-function listGsmFields(gcpProject, prefix, type, instance) {
-    const filter = `name:${prefix}--${type}--${instance}--`;
-    try {
-        const output = gcloud([
-            "secrets", "list",
-            "--filter", filter,
-            "--format", "value(name)",
-            "--project", gcpProject,
-        ], gcpProject);
-        if (!output.trim())
-            return [];
-        const fields = [];
-        for (const line of output.split("\n")) {
-            const secretId = line.trim().split("/").pop();
-            const parts = secretId.split("--");
-            if (parts.length === 4 && parts[0] === prefix && parts[1] === type && parts[2] === instance) {
-                fields.push(parts[3]);
-            }
-        }
-        return fields;
-    }
-    catch {
-        return [];
-    }
-}
+/**
+ * Validate that per-agent ECS task roles exist and have correct trust policies.
+ */
 export async function validateEcsRoles(projectPath, cloud) {
     const { awsRegion } = cloud;
     if (!awsRegion) {
@@ -443,7 +285,10 @@ export async function validateEcsRoles(projectPath, cloud) {
         console.log(`All ${agents.length} IAM task role(s) exist and have correct trust policies.`);
     }
 }
-async function ensureLambdaEcrPolicy(awsRegion, ecrRepoUri) {
+/**
+ * Ensure the ECR repository policy grants Lambda pull access.
+ */
+export async function ensureLambdaEcrPolicy(awsRegion, ecrRepoUri) {
     const repoName = ecrRepoUri.split("/").pop();
     if (!repoName)
         return;
@@ -471,11 +316,17 @@ async function ensureLambdaEcrPolicy(awsRegion, ecrRepoUri) {
         console.log(`Warning: could not set ECR repository policy for Lambda: ${err.message}`);
     }
 }
+/**
+ * Reconcile per-agent Lambda execution roles for agents with short timeouts.
+ *
+ * Agents with timeout <= LAMBDA_MAX_TIMEOUT are automatically routed to Lambda.
+ * Each gets an IAM role with Secrets Manager, ECR, and CloudWatch Logs access.
+ */
 export async function reconcileLambdaRoles(projectPath, cloud) {
     const { awsRegion, ecrRepository, awsSecretPrefix } = cloud;
     if (!awsRegion || !ecrRepository)
         return;
-    const secretPrefix = awsSecretPrefix || AWS_CONSTANTS.DEFAULT_SECRET_PREFIX;
+    const secretPrefix = awsSecretPrefix || CONSTANTS.DEFAULT_SECRET_PREFIX;
     const accountMatch = ecrRepository.match(/^(\d+)\.dkr\.ecr\./);
     if (!accountMatch)
         return;
@@ -588,4 +439,4 @@ export async function reconcileLambdaRoles(projectPath, cloud) {
         await grantPassRole(awsRegion, iamClient, lambdaRoleArns, "ActionLlamaLambdaPassRole");
     }
 }
-//# sourceMappingURL=cloud-iam.js.map
+//# sourceMappingURL=iam.js.map

package/dist/cloud/aws/iam.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"iam.js","sourceRoot":"","sources":["../../../src/cloud/aws/iam.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,SAAS,EAAE,wBAAwB,EAAE,MAAM,qBAAqB,CAAC;AAC1E,OAAO,EACL,SAAS,EACT,iBAAiB,EACjB,oBAAoB,EACpB,oBAAoB,EACpB,cAAc,GACf,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,SAAS,EAAE,0BAA0B,EAAE,MAAM,qBAAqB,CAAC;AAC5E,OAAO,EAAE,cAAc,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAE3F,OAAO,EAAE,kBAAkB,EAAE,MAAM,6BAA6B,CAAC;AACjE,OAAO,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAC/C,OAAO,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AACtD,OAAO,EAAE,WAAW,EAAE,kBAAkB,EAAE,MAAM,wBAAwB,CAAC;AAEzE;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,WAAmB,EAAE,KAAqB;IACjF,MAAM,EAAE,SAAS,EAAE,aAAa,EAAE,eAAe,EAAE,GAAG,KAAK,CAAC;IAC5D,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,WAAW,CAAC,4CAA4C,CAAC,CAAC;IACtE,CAAC;IACD,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,MAAM,IAAI,WAAW,CAAC,gDAAgD,CAAC,CAAC;IAC1E,CAAC;IAED,MAAM,YAAY,GAAG,eAAe,IAAI,SAAS,CAAC,qBAAqB,CAAC;IAExE,uCAAuC;IACvC,MAAM,YAAY,GAAG,aAAa,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC;IAC/D,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,MAAM,IAAI,WAAW,CACnB,4DAA4D,aAAa,KAAK;YAC9E,qEAAqE,CACtE,CAAC;IACJ,CAAC;IACD,MAAM,SAAS,GAAG,YAAY,CAAC,CAAC,CAAC,CAAC;IAElC,mCAAmC;IACnC,MAAM,SAAS,GAAG,IAAI,SAAS,CAAC,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC,CAAC;IACvD,IAAI,CAAC;QACH,MAAM,SAAS,CAAC,IAAI,CAAC,IAAI,wBAAwB,CAAC,EAAE,CAAC,CAAC,CAAC;IACzD,CAAC;IAAC,OAAO,GAAQ,EAAE,CAAC;QAClB,MAAM,IAAI,kBAAkB,CAC1B,qGAAqG;YACrG,mBAAmB,GAAG,CAAC,OAAO,EAAE,CACjC,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAG,cAAc,CAAC,WAAW,CAAC,CAAC;IAC3C,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACxB,OAAO,CAAC,GAAG,CAAC,uCAAuC,CAAC,CAAC;QACrD,OAAO;IACT,CAAC;IAED,6BAA6B;IAC7B,MAAM,WAAW,GAAG,IAAI,CAAC,SAAS,CAAC;QACjC,OAAO,EAAE,YAAY;QACrB,SAAS,EAAE,CAAC;gBACV,MAAM,EAAE,OAAO;gBACf,SAAS,EAAE,EAAE,OAAO,EAAE,yBAAyB,EAAE;gBACjD,MAAM,EAAE,gBAAgB;aACzB,CAAC;KACH,CAAC,CAAC;IAEH,MAAM,SAAS,GAAG,IAAI,SAAS,CAAC,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC,CAAC;IAEvD,0FAA0F;IAC1F,IAAI,KAAK,CAAC,gBAAgB,EAAE,CAAC;QAC3B,MAAM,iBAAiB,GAAG,KAAK,CAAC,gBAAgB,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAG,CAAC;QACnE,IAAI,CAAC;YACH,MAAM,SAAS,CAAC,IAAI,CAAC,IAAI,oBAAoB,CAAC;gBAC5C,QAAQ,EAAE,iBAAiB;gBAC3B,UAAU,EAAE,sBAAsB;gBAClC,cAAc,EAAE,IAAI,CAAC,SAAS,CAAC;oBAC7B,OAAO,EAAE,YAAY;oBACrB,SAAS,EAAE;wBACT;4BACE,MAAM,EAAE,OAAO;4BACf,MAAM,EAAE,+BAA+B;4BACvC,QAAQ,EAAE,0BAA0B,SAAS,IAAI,SAAS,WAAW,YAAY,IAAI;yBACtF;wBACD;4BACE,MAAM,EAAE,OAAO;4BACf,MAAM,EAAE,qBAAqB;4BAC7B,QAAQ,EAAE,gBAAgB,SAAS,IAAI,SAAS,cAAc,aAAa,CAAC,SAAS,GAAG;yBACzF;qBACF;iBACF,CAAC;aACH,CAAC,CAAC,CAAC;YACJ,OAAO,CAAC,GAAG,CAAC,mBAAmB,iBAAiB,gDAAgD,CAAC,CAAC;QACpG,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,MAAM,IAAI,kBAAkB,CAC1B,mDAAmD,iBAAiB,KAAK,GAAG,CAAC,OAAO,IAAI;gBACxF,+FAA+F;gBAC/F,8GAA8G,CAC/G,CAAC;QACJ,CAAC;IACH,CAAC;IAED,yDAAyD;IACzD,MAAM,qBAAqB,CAAC,SAAS,EAAE,aAAa,CAAC,CAAC;IAEtD,OAAO,CAAC,GAAG,CAAC,mCAAmC,MAAM,CAAC,MAAM,gBAAgB,CAAC,CAAC;IAE9E,KAAK,MAAM,IAAI,IAAI,MAAM,EAAE,CAAC;QAC1B,MAAM,MAAM,GAAG,eAAe,CAAC,WAAW,EAAE,IAAI,CAAC,CAAC;QAClD,MAAM,QAAQ,GAAG,aAAa,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC;QAElD,OAAO,CAAC,GAAG,CAAC,YAAY,IAAI,EAAE,CAAC,CAAC;QAChC,OAAO,CAAC,GAAG,CAAC,aAAa,QAAQ,EAAE,CAAC,CAAC;QAErC,kCAAkC;QAClC,IAAI,CAAC;YACH,MAAM,SAAS,CAAC,IAAI,CAAC,IAAI,iBAAiB,CAAC;gBACzC,QAAQ,EAAE,QAAQ;gBAClB,wBAAwB,EAAE,WAAW;aACtC,CAAC,CAAC,CAAC;YACJ,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAC;QACtC,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,IAAI,GAAG,CAAC,IAAI,KAAK,8BAA8B,EAAE,CAAC;gBAChD,OAAO,CAAC,GAAG,CAAC,6BAA6B,CAAC,CAAC;YAC7C,CAAC;iBAAM,CAAC;gBACN,MAAM,GAAG,CAAC;YACZ,CAAC;QACH,CAAC;QAED,0CAA0C;QAC1C,MAAM,QAAQ,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC;QAClD,IAAI,MAAM,CAAC,KAAK,CAAC,QAAQ,KAAK,SAAS,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,uBAAuB,CAAC,EAAE,CAAC;YACvF,QAAQ,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;QACzC,CAAC;QAED,MAAM,UAAU,GAAa,EAAE,CAAC;QAChC,KAAK,MAAM,GAAG,IAAI,QAAQ,EAAE,CAAC;YAC3B,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,kBAAkB,CAAC,GAAG,CAAC,CAAC;YACnD,UAAU,CAAC,IAAI,CACb,0BAA0B,SAAS,IAAI,SAAS,WAAW,YAAY,IAAI,IAAI,IAAI,QAAQ,IAAI,CAChG,CAAC;QACJ,CAAC;QAED,kDAAkD;QAClD,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC1B,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC;gBAC5B,OAAO,EAAE,YAAY;gBACrB,SAAS,EAAE,CAAC;wBACV,MAAM,EAAE,OAAO;wBACf,MAAM,EAAE,+BAA+B;wBACvC,QAAQ,EAAE,UAAU;qBACrB,CAAC;aACH,CAAC,CAAC;YAEH,IAAI,CAAC;gBACH,MAAM,SAAS,CAAC,IAAI,CAAC,IAAI,oBAAoB,CAAC;oBAC5C,QAAQ,EAAE,QAAQ;oBAClB,UAAU,EAAE,eAAe;oBAC3B,cAAc,EAAE,MAAM;iBACvB,CAAC,CAAC,CAAC;gBACJ,OAAO,CAAC,GAAG,CAAC,aAAa,UAAU,CAAC,MAAM,iBAAiB,CAAC,CAAC;YAC/D,CAAC;YAAC,OAAO,GAAQ,EAAE,CAAC;gBAClB,OAAO,CAAC,GAAG,CAAC,sCAAsC,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;YACnE,CAAC;QACH,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAC,CAAC;QACxC,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAClB,CAAC;IAED,gFAAgF;IAChF,MAAM,YAAY,GAAG,MAAM,CAAC,GAAG,CAC7B,CAAC,IAAI,EAAE,EAAE,CAAC,gBAAgB,SAAS,SAAS,aAAa,CAAC,YAAY,CAAC,IAAI,CAAC,EAAE,CAC/E,CAAC;IACF,IAAI,KAAK,CAAC,gBAAgB,EAAE,CAAC;QAC3B,YAAY,CAAC,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC;IAC5C,CAAC;IACD,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5B,MAAM,aAAa,CAAC,SAAS,EAAE,SAAS,EAAE,YAAY,EAAE,wBAAwB,CAAC,CAAC;IACpF,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,8FAA8F,CAAC,CAAC;IAC5G,OAAO,CAAC,GAAG,CAAC,8DAA8D,CAAC,CAAC;IAC5E,OAAO,CAAC,GAAG,CAAC,6DAA6D,CAAC,CAAC;AAC7E,CAAC;AAED,kBAAkB;AAElB;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,SAAiB,EACjB,SAAoB,EACpB,QAAkB,EAClB,UAAkB;IAElB,MAAM,SAAS,GAAG,IAAI,SAAS,CAAC,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC,CAAC;IACvD,MAAM,QAAQ,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,IAAI,wBAAwB,CAAC,EAAE,CAAC,CAAC,CAAC;IACxE,MAAM,SAAS,GAAG,QAAQ,CAAC,GAAI,CAAC;IAEhC,kEAAkE;IAClE,MAAM,SAAS,GAAG,SAAS,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC;IAClD,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,OAAO,CAAC,GAAG,CAAC,oBAAoB,SAAS,yDAAyD,CAAC,CAAC;QACpG,OAAO,CAAC,GAAG,CAAC,qEAAqE,CAAC,CAAC;QACnF,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC;YACzB,OAAO,EAAE,YAAY;YACrB,SAAS,EAAE,CAAC;oBACV,MAAM,EAAE,OAAO;oBACf,MAAM,EAAE,cAAc;oBACtB,QAAQ,EAAE,QAAQ;iBACnB,CAAC;SACH,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QACb,OAAO;IACT,CAAC;IAED,MAAM,QAAQ,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC;IAC9B,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC;QAC5B,OAAO,EAAE,YAAY;QACrB,SAAS,EAAE,CAAC;gBACV,MAAM,EAAE,OAAO;gBACf,MAAM,EAAE,cAAc;gBACtB,QAAQ,EAAE,QAAQ;aACnB,CAAC;KACH,CAAC,CAAC;IAEH,IAAI,CAAC;QACH,MAAM,SAAS,CAAC,IAAI,CAAC,IAAI,oBAAoB,CAAC;YAC5C,QAAQ,EAAE,QAAQ;YAClB,UAAU,EAAE,UAAU;YACtB,cAAc,EAAE,MAAM;SACvB,CAAC,CAAC,CAAC;QACJ,OAAO,CAAC,GAAG,CAAC,6BAA6B,QAAQ,CAAC,MAAM,oBAAoB,QAAQ,EAAE,CAAC,CAAC;IAC1F,CAAC;IAAC,OAAO,GAAQ,EAAE,CAAC;QAClB,OAAO,CAAC,GAAG,CAAC,mDAAmD,QAAQ,KAAK,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;QAC3F,OAAO,CAAC,GAAG,CAAC,yEAAyE,CAAC,CAAC;QACvF,KAAK,MAAM,GAAG,IAAI,QAAQ,EAAE,CAAC;YAC3B,OAAO,CAAC,GAAG,CAAC,SAAS,GAAG,EAAE,CAAC,CAAC;QAC9B,CAAC;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,WAAmB,EAAE,KAAqB;IAC/E,MAAM,EAAE,SAAS,EAAE,GAAG,KAAK,CAAC;IAC5B,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,WAAW,CAAC,gDAAgD,CAAC,CAAC;IAC1E,CAAC;IAED,MAAM,MAAM,GAAG,cAAc,CAAC,WAAW,CAAC,CAAC;IAC3C,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO;IAEhC,MAAM,SAAS,GAAG,IAAI,SAAS,CAAC,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC,CAAC;IACvD,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,MAAM,iBAAiB,GAAa,EAAE,CAAC;IAEvC,KAAK,MAAM,IAAI,IAAI,MAAM,EAAE,CAAC;QAC1B,MAAM,QAAQ,GAAG,aAAa,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC;QAElD,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,IAAI,cAAc,CAAC,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC,CAAC,CAAC;YAE9E,+DAA+D;YAC/D,MAAM,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC,IAAI,CAAC,IAAK,CAAC,wBAAyB,CAAC,CAAC,CAAC;YACzF,MAAM,WAAW,GAAG,WAAW,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC,IAAS,EAAE,EAAE,CAC5D,IAAI,CAAC,MAAM,KAAK,OAAO;gBACvB,IAAI,CAAC,SAAS,EAAE,OAAO,KAAK,yBAAyB;gBACrD,CAAC,IAAI,CAAC,MAAM,KAAK,gBAAgB,IAAI,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,gBAAgB,CAAC,CAAC,CAC9E,CAAC;YAEF,IAAI,CAAC,WAAW,EAAE,CAAC;gBACjB,iBAAiB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;gBACjC,OAAO,CAAC,GAAG,CAAC,mBAAmB,QAAQ,kCAAkC,CAAC,CAAC;YAC7E,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,GAAG,CAAC,UAAU,QAAQ,EAAE,CAAC,CAAC;YACpC,CAAC;QACH,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,IAAI,GAAG,CAAC,IAAI,KAAK,uBAAuB,EAAE,CAAC;gBACzC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;gBACvB,OAAO,CAAC,GAAG,CAAC,eAAe,QAAQ,EAAE,CAAC,CAAC;YACzC,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,GAAG,CAAC,aAAa,QAAQ,KAAK,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;YACvD,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,iBAAiB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACvD,OAAO,CAAC,GAAG,CAAC,4DAA4D,CAAC,CAAC;QAE1E,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACvB,OAAO,CAAC,GAAG,CAAC,KAAK,OAAO,CAAC,MAAM,gCAAgC,CAAC,CAAC;YACjE,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,CAAC;YACpD,OAAO,CAAC,GAAG,CAAC,kEAAkE,CAAC,CAAC;QAClF,CAAC;QAED,IAAI,iBAAiB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACjC,OAAO,CAAC,GAAG,CAAC,KAAK,iBAAiB,CAAC,MAAM,6CAA6C,CAAC,CAAC;YACxF,iBAAiB,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,CAAC;YAC9D,OAAO,CAAC,GAAG,CAAC,mEAAmE,CAAC,CAAC;YACjF,OAAO,CAAC,GAAG,CAAC,2BAA2B,CAAC,CAAC;YACzC,OAAO,CAAC,GAAG,CAAC,mGAAmG,CAAC,CAAC;QACnH,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,mDAAmD,CAAC,CAAC;QACjE,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC;YACzB,OAAO,EAAE,YAAY;YACrB,SAAS,EAAE,CAAC;oBACV,MAAM,EAAE,OAAO;oBACf,SAAS,EAAE,EAAE,OAAO,EAAE,yBAAyB,EAAE;oBACjD,MAAM,EAAE,gBAAgB;iBACzB,CAAC;SACH,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QAEb,OAAO,CAAC,GAAG,CAAC,4DAA4D,CAAC,CAAC;QAC1E,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC;QAEhC,+DAA+D;QAC/D,MAAM,IAAI,kBAAkB,CAAC,GAAG,OAAO,CAAC,MAAM,GAAG,iBAAiB,CAAC,MAAM,iHAAiH,CAAC,CAAC;IAC9L,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,GAAG,CAAC,OAAO,MAAM,CAAC,MAAM,0DAA0D,CAAC,CAAC;IAC9F,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CAAC,SAAiB,EAAE,UAAkB;IAC/E,MAAM,QAAQ,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,CAAC;IAC7C,IAAI,CAAC,QAAQ;QAAE,OAAO;IAEtB,MAAM,SAAS,GAAG,IAAI,SAAS,CAAC,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC,CAAC;IACvD,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC;QAC5B,OAAO,EAAE,YAAY;QACrB,SAAS,EAAE,CAAC;gBACV,GAAG,EAAE,+BAA+B;gBACpC,MAAM,EAAE,OAAO;gBACf,SAAS,EAAE,EAAE,OAAO,EAAE,sBAAsB,EAAE;gBAC9C,MAAM,EAAE;oBACN,mBAAmB;oBACnB,4BAA4B;iBAC7B;aACF,CAAC;KACH,CAAC,CAAC;IAEH,IAAI,CAAC;QACH,MAAM,SAAS,CAAC,IAAI,CAAC,IAAI,0BAA0B,CAAC;YAClD,cAAc,EAAE,QAAQ;YACxB,UAAU,EAAE,MAAM;SACnB,CAAC,CAAC,CAAC;QACJ,OAAO,CAAC,GAAG,CAAC,mDAAmD,CAAC,CAAC;IACnE,CAAC;IAAC,OAAO,GAAQ,EAAE,CAAC;QAClB,OAAO,CAAC,GAAG,CAAC,4DAA4D,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;IACzF,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CAAC,WAAmB,EAAE,KAAqB;IACnF,MAAM,EAAE,SAAS,EAAE,aAAa,EAAE,eAAe,EAAE,GAAG,KAAK,CAAC;IAC5D,IAAI,CAAC,SAAS,IAAI,CAAC,aAAa;QAAE,OAAO;IAEzC,MAAM,YAAY,GAAG,eAAe,IAAI,SAAS,CAAC,qBAAqB,CAAC;IACxE,MAAM,YAAY,GAAG,aAAa,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC;IAC/D,IAAI,CAAC,YAAY;QAAE,OAAO;IAC1B,MAAM,SAAS,GAAG,YAAY,CAAC,CAAC,CAAC,CAAC;IAElC,MAAM,YAAY,GAAG,gBAAgB,CAAC,WAAW,CAAC,CAAC;IACnD,MAAM,MAAM,GAAG,cAAc,CAAC,WAAW,CAAC,CAAC;IAC3C,MAAM,SAAS,GAAG,IAAI,SAAS,CAAC,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC,CAAC;IAEvD,0BAA0B;IAC1B,MAAM,WAAW,GAAG,IAAI,CAAC,SAAS,CAAC;QACjC,OAAO,EAAE,YAAY;QACrB,SAAS,EAAE,CAAC;gBACV,MAAM,EAAE,OAAO;gBACf,SAAS,EAAE,EAAE,OAAO,EAAE,sBAAsB,EAAE;gBAC9C,MAAM,EAAE,gBAAgB;aACzB,CAAC;KACH,CAAC,CAAC;IAEH,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,KAAK,MAAM,IAAI,IAAI,MAAM,EAAE,CAAC;QAC1B,MAAM,MAAM,GAAG,eAAe,CAAC,WAAW,EAAE,IAAI,CAAC,CAAC;QAClD,MAAM,gBAAgB,GAAG,MAAM,CAAC,OAAO,IAAI,YAAY,CAAC,KAAK,EAAE,OAAO,IAAI,GAAG,CAAC;QAE9E,gEAAgE;QAChE,IAAI,gBAAgB,GAAG,aAAa,CAAC,kBAAkB;YAAE,SAAS;QAElE,MAAM,QAAQ,GAAG,aAAa,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC;QAEpD,cAAc;QACd,IAAI,CAAC;YACH,MAAM,SAAS,CAAC,IAAI,CAAC,IAAI,iBAAiB,CAAC;gBACzC,QAAQ,EAAE,QAAQ;gBAClB,wBAAwB,EAAE,WAAW;aACtC,CAAC,CAAC,CAAC;YACJ,OAAO,CAAC,GAAG,CAAC,0BAA0B,QAAQ,EAAE,CAAC,CAAC;YAClD,OAAO,EAAE,CAAC;QACZ,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,IAAI,GAAG,CAAC,IAAI,KAAK,8BAA8B,EAAE,CAAC;gBAChD,OAAO,CAAC,GAAG,CAAC,UAAU,QAAQ,EAAE,CAAC,CAAC;YACpC,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,GAAG,CAAC,aAAa,QAAQ,KAAK,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;gBACrD,SAAS;YACX,CAAC;QACH,CAAC;QAED,kCAAkC;QAClC,MAAM,QAAQ,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC;QAClD,IAAI,MAAM,CAAC,KAAK,CAAC,QAAQ,KAAK,SAAS,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,uBAAuB,CAAC,EAAE,CAAC;YACvF,QAAQ,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;QACzC,CAAC;QAED,MAAM,UAAU,GAAa,QAAQ,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE;YAChD,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,kBAAkB,CAAC,GAAG,CAAC,CAAC;YACnD,OAAO,0BAA0B,SAAS,IAAI,SAAS,WAAW,YAAY,IAAI,IAAI,IAAI,QAAQ,IAAI,CAAC;QACzG,CAAC,CAAC,CAAC;QAEH,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC;YAC5B,OAAO,EAAE,YAAY;YACrB,SAAS,EAAE;gBACT;oBACE,MAAM,EAAE,OAAO;oBACf,MAAM,EAAE,+BAA+B;oBACvC,QAAQ,EAAE,UAAU;iBACrB;gBACD;oBACE,MAAM,EAAE,OAAO;oBACf,MAAM,EAAE;wBACN,qBAAqB;wBACrB,sBAAsB;wBACtB,mBAAmB;qBACpB;oBACD,QAAQ,EAAE,gBAAgB,SAAS,IAAI,SAAS,IAAI;iBACrD;gBACD;oBACE,MAAM,EAAE,OAAO;oBACf,MAAM,EAAE,2BAA2B;oBACnC,QAAQ,EAAE,GAAG;iBACd;gBACD;oBACE,MAAM,EAAE,OAAO;oBACf,MAAM,EAAE;wBACN,mBAAmB;wBACnB,4BAA4B;qBAC7B;oBACD,QAAQ,EAAE,eAAe,SAAS,IAAI,SAAS,eAAe;iBAC/D;aACF;SACF,CAAC,CAAC;QAEH,IAAI,CAAC;YACH,MAAM,SAAS,CAAC,IAAI,CAAC,IAAI,oBAAoB,CAAC;gBAC5C,QAAQ,EAAE,QAAQ;gBAClB,UAAU,EAAE,iBAAiB;gBAC7B,cAAc,EAAE,MAAM;aACvB,CAAC,CAAC,CAAC;QACN,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,OAAO,CAAC,GAAG,CAAC,sCAAsC,QAAQ,KAAK,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;QAChF,CAAC;IACH,CAAC;IAED,IAAI,OAAO,GAAG,CAAC,EAAE,CAAC;QAChB,OAAO,CAAC,GAAG,CAAC,WAAW,OAAO,4BAA4B,CAAC,CAAC;IAC9D,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,GAAG,CAAC,8BAA8B,CAAC,CAAC;IAC9C,CAAC;IAED,6DAA6D;IAC7D,MAAM,cAAc,GAAG,MAAM;SAC1B,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE;QACf,MAAM,MAAM,GAAG,eAAe,CAAC,WAAW,EAAE,IAAI,CAAC,CAAC;QAClD,MAAM,gBAAgB,GAAG,MAAM,CAAC,OAAO,IAAI,YAAY,CAAC,KAAK,EAAE,OAAO,IAAI,GAAG,CAAC;QAC9E,OAAO,gBAAgB,IAAI,aAAa,CAAC,kBAAkB,CAAC;IAC9D,CAAC,CAAC;SACD,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,gBAAgB,SAAS,SAAS,aAAa,CAAC,cAAc,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEzF,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9B,MAAM,aAAa,CAAC,SAAS,EAAE,SAAS,EAAE,cAAc,EAAE,2BAA2B,CAAC,CAAC;IACzF,CAAC;AACH,CAAC"}

package/dist/cloud/aws/provider.d.ts

@@ -0,0 +1,69 @@
+/**
+ * AWS (ECS) cloud provider implementation.
+ *
+ * Wraps EcsCloudConfig and delegates to the extracted AWS modules
+ * (provision, teardown, iam, deploy) via the CloudProvider interface.
+ */
+import type { EcsCloudConfig, AgentConfig, GlobalConfig } from "../../shared/config.js";
+import type { ContainerRuntime } from "../../docker/runtime.js";
+import type { CredentialBackend } from "../../shared/credential-backend.js";
+import type { CloudProvider, SchedulerServiceInfo, RuntimeResult } from "../provider.js";
+export declare class AwsCloudProvider implements CloudProvider {
+    readonly providerName: "ecs";
+    private config;
+    constructor(config: EcsCloudConfig);
+    /**
+     * Interactive provisioning wizard. Runs the ECS setup flow and
+     * returns config fields to write to config.toml.
+     */
+    provision(): Promise<Record<string, unknown> | null>;
+    /**
+     * Tear down all provisioned AWS cloud resources for this project.
+     */
+    teardown(projectPath: string): Promise<void>;
+    /**
+     * Reconcile per-agent IAM resources (ECS task roles + Lambda roles).
+     */
+    reconcileAgents(projectPath: string): Promise<void>;
+    /**
+     * Validate that per-agent IAM task roles exist and are correctly configured.
+     */
+    validateRoles(projectPath: string): Promise<void>;
+    /**
+     * Create the primary ECS Fargate container runtime.
+     */
+    createRuntime(): ContainerRuntime;
+    /**
+     * Create a runtime for a specific agent.
+     *
+     * Agents with timeout <= LAMBDA_MAX_TIMEOUT are routed to Lambda
+     * for faster cold starts and lower cost. All others use ECS Fargate.
+     */
+    createAgentRuntime(agentConfig: AgentConfig, globalConfig: GlobalConfig): ContainerRuntime;
+    /**
+     * Create primary ECS runtime + per-agent Lambda overrides for
+     * agents with short timeouts.
+     */
+    createRuntimes(activeAgentConfigs: AgentConfig[], globalConfig: GlobalConfig): RuntimeResult;
+    /**
+     * Create an AWS Secrets Manager credential backend.
+     */
+    createCredentialBackend(): Promise<CredentialBackend>;
+    /**
+     * Deploy the scheduler as an App Runner service.
+     */
+    deployScheduler(imageUri: string): Promise<SchedulerServiceInfo>;
+    /**
+     * Get the current scheduler App Runner service status.
+     */
+    getSchedulerStatus(): Promise<SchedulerServiceInfo | null>;
+    /**
+     * Fetch recent scheduler logs from CloudWatch.
+     */
+    getSchedulerLogs(limit: number): Promise<string[]>;
+    /**
+     * Tear down the scheduler App Runner service only.
+     */
+    teardownScheduler(): Promise<void>;
+}
+//# sourceMappingURL=provider.d.ts.map

package/dist/cloud/aws/provider.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"provider.d.ts","sourceRoot":"","sources":["../../../src/cloud/aws/provider.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,wBAAwB,CAAC;AACxF,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAChE,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,oCAAoC,CAAC;AAC5E,OAAO,KAAK,EACV,aAAa,EACb,oBAAoB,EACpB,aAAa,EACd,MAAM,gBAAgB,CAAC;AAMxB,qBAAa,gBAAiB,YAAW,aAAa;IACpD,QAAQ,CAAC,YAAY,EAAG,KAAK,CAAU;IACvC,OAAO,CAAC,MAAM,CAAiB;gBAEnB,MAAM,EAAE,cAAc;IAIlC;;;OAGG;IACG,SAAS,IAAI,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;IAY1D;;OAEG;IACG,QAAQ,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAKlD;;OAEG;IACG,eAAe,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAMzD;;OAEG;IACG,aAAa,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAKvD;;OAEG;IACH,aAAa,IAAI,gBAAgB;IAcjC;;;;;OAKG;IACH,kBAAkB,CAAC,WAAW,EAAE,WAAW,EAAE,YAAY,EAAE,YAAY,GAAG,gBAAgB;IAkB1F;;;OAGG;IACH,cAAc,CAAC,kBAAkB,EAAE,WAAW,EAAE,EAAE,YAAY,EAAE,YAAY,GAAG,aAAa;IA8B5F;;OAEG;IACG,uBAAuB,IAAI,OAAO,CAAC,iBAAiB,CAAC;IAQ3D;;OAEG;IACG,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,oBAAoB,CAAC;IActE;;OAEG;IACG,kBAAkB,IAAI,OAAO,CAAC,oBAAoB,GAAG,IAAI,CAAC;IAYhE;;OAEG;IACG,gBAAgB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAKxD;;OAEG;IACG,iBAAiB,IAAI,OAAO,CAAC,IAAI,CAAC;CAIzC"}

package/dist/cloud/aws/provider.js

@@ -0,0 +1,173 @@
+/**
+ * AWS (ECS) cloud provider implementation.
+ *
+ * Wraps EcsCloudConfig and delegates to the extracted AWS modules
+ * (provision, teardown, iam, deploy) via the CloudProvider interface.
+ */
+import { ECSFargateRuntime } from "../../docker/ecs-runtime.js";
+import { LambdaRuntime } from "../../docker/lambda-runtime.js";
+import { AWS_CONSTANTS } from "./constants.js";
+import { CONSTANTS } from "../../shared/constants.js";
+export class AwsCloudProvider {
+    providerName = "ecs";
+    config;
+    constructor(config) {
+        this.config = config;
+    }
+    /**
+     * Interactive provisioning wizard. Runs the ECS setup flow and
+     * returns config fields to write to config.toml.
+     */
+    async provision() {
+        const { setupEcsCloud } = await import("./provision.js");
+        // setupEcsCloud mutates the config object in place and returns success/failure
+        const configCopy = { ...this.config };
+        const success = await setupEcsCloud(configCopy);
+        if (!success) {
+            return null;
+        }
+        // Return the full mutated config as a flat record
+        return configCopy;
+    }
+    /**
+     * Tear down all provisioned AWS cloud resources for this project.
+     */
+    async teardown(projectPath) {
+        const { teardownAws } = await import("./teardown.js");
+        await teardownAws(projectPath, this.config);
+    }
+    /**
+     * Reconcile per-agent IAM resources (ECS task roles + Lambda roles).
+     */
+    async reconcileAgents(projectPath) {
+        const { reconcileAwsAgents, reconcileLambdaRoles } = await import("./iam.js");
+        await reconcileAwsAgents(projectPath, this.config);
+        await reconcileLambdaRoles(projectPath, this.config);
+    }
+    /**
+     * Validate that per-agent IAM task roles exist and are correctly configured.
+     */
+    async validateRoles(projectPath) {
+        const { validateEcsRoles } = await import("./iam.js");
+        await validateEcsRoles(projectPath, this.config);
+    }
+    /**
+     * Create the primary ECS Fargate container runtime.
+     */
+    createRuntime() {
+        return new ECSFargateRuntime({
+            awsRegion: this.config.awsRegion,
+            ecsCluster: this.config.ecsCluster,
+            ecrRepository: this.config.ecrRepository,
+            executionRoleArn: this.config.executionRoleArn,
+            taskRoleArn: this.config.taskRoleArn,
+            subnets: this.config.subnets,
+            securityGroups: this.config.securityGroups,
+            secretPrefix: this.config.awsSecretPrefix || CONSTANTS.DEFAULT_SECRET_PREFIX,
+            buildBucket: this.config.buildBucket,
+        });
+    }
+    /**
+     * Create a runtime for a specific agent.
+     *
+     * Agents with timeout <= LAMBDA_MAX_TIMEOUT are routed to Lambda
+     * for faster cold starts and lower cost. All others use ECS Fargate.
+     */
+    createAgentRuntime(agentConfig, globalConfig) {
+        const effectiveTimeout = agentConfig.timeout ?? globalConfig.local?.timeout ?? 900;
+        if (effectiveTimeout <= AWS_CONSTANTS.LAMBDA_MAX_TIMEOUT) {
+            return new LambdaRuntime({
+                awsRegion: this.config.awsRegion,
+                ecrRepository: this.config.ecrRepository,
+                secretPrefix: this.config.awsSecretPrefix || CONSTANTS.DEFAULT_SECRET_PREFIX,
+                buildBucket: this.config.buildBucket,
+                lambdaRoleArn: this.config.lambdaRoleArn,
+                lambdaSubnets: this.config.lambdaSubnets,
+                lambdaSecurityGroups: this.config.lambdaSecurityGroups,
+            });
+        }
+        return this.createRuntime();
+    }
+    /**
+     * Create primary ECS runtime + per-agent Lambda overrides for
+     * agents with short timeouts.
+     */
+    createRuntimes(activeAgentConfigs, globalConfig) {
+        const runtime = this.createRuntime();
+        const agentRuntimeOverrides = {};
+        // Check which agents should be routed to Lambda
+        let lambdaRuntime = null;
+        for (const agentConfig of activeAgentConfigs) {
+            const effectiveTimeout = agentConfig.timeout ?? globalConfig.local?.timeout ?? 900;
+            if (effectiveTimeout <= AWS_CONSTANTS.LAMBDA_MAX_TIMEOUT) {
+                // Lazily create a single shared Lambda runtime
+                if (!lambdaRuntime) {
+                    lambdaRuntime = new LambdaRuntime({
+                        awsRegion: this.config.awsRegion,
+                        ecrRepository: this.config.ecrRepository,
+                        secretPrefix: this.config.awsSecretPrefix || CONSTANTS.DEFAULT_SECRET_PREFIX,
+                        buildBucket: this.config.buildBucket,
+                        lambdaRoleArn: this.config.lambdaRoleArn,
+                        lambdaSubnets: this.config.lambdaSubnets,
+                        lambdaSecurityGroups: this.config.lambdaSecurityGroups,
+                    });
+                }
+                agentRuntimeOverrides[agentConfig.name] = lambdaRuntime;
+            }
+        }
+        return { runtime, agentRuntimeOverrides };
+    }
+    /**
+     * Create an AWS Secrets Manager credential backend.
+     */
+    async createCredentialBackend() {
+        const { AwsSecretsManagerBackend } = await import("../../shared/asm-backend.js");
+        return new AwsSecretsManagerBackend(this.config.awsRegion, this.config.awsSecretPrefix || CONSTANTS.DEFAULT_SECRET_PREFIX);
+    }
+    /**
+     * Deploy the scheduler as an App Runner service.
+     */
+    async deployScheduler(imageUri) {
+        const { deployAppRunner } = await import("./deploy.js");
+        const result = await deployAppRunner({
+            imageUri,
+            cloudConfig: this.config,
+        });
+        return {
+            serviceUrl: result.serviceUrl,
+            status: result.status,
+            createdAt: result.createdAt,
+            updatedAt: result.updatedAt,
+        };
+    }
+    /**
+     * Get the current scheduler App Runner service status.
+     */
+    async getSchedulerStatus() {
+        const { getAppRunnerStatus } = await import("./deploy.js");
+        const result = await getAppRunnerStatus(this.config);
+        if (!result)
+            return null;
+        return {
+            serviceUrl: result.serviceUrl,
+            status: result.status,
+            createdAt: result.createdAt,
+            updatedAt: result.updatedAt,
+        };
+    }
+    /**
+     * Fetch recent scheduler logs from CloudWatch.
+     */
+    async getSchedulerLogs(limit) {
+        const { getAppRunnerLogs } = await import("./deploy.js");
+        return getAppRunnerLogs(this.config, limit);
+    }
+    /**
+     * Tear down the scheduler App Runner service only.
+     */
+    async teardownScheduler() {
+        const { teardownAppRunner } = await import("./deploy.js");
+        await teardownAppRunner(this.config);
+    }
+}
+//# sourceMappingURL=provider.js.map

package/dist/cloud/aws/provider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"provider.js","sourceRoot":"","sources":["../../../src/cloud/aws/provider.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAUH,OAAO,EAAE,iBAAiB,EAAE,MAAM,6BAA6B,CAAC;AAChE,OAAO,EAAE,aAAa,EAAE,MAAM,gCAAgC,CAAC;AAC/D,OAAO,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAC/C,OAAO,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AAEtD,MAAM,OAAO,gBAAgB;IAClB,YAAY,GAAG,KAAc,CAAC;IAC/B,MAAM,CAAiB;IAE/B,YAAY,MAAsB;QAChC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACvB,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,SAAS;QACb,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,MAAM,CAAC,gBAAgB,CAAC,CAAC;QACzD,+EAA+E;QAC/E,MAAM,UAAU,GAAG,EAAE,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC;QACtC,MAAM,OAAO,GAAG,MAAM,aAAa,CAAC,UAAU,CAAC,CAAC;QAChD,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,IAAI,CAAC;QACd,CAAC;QACD,kDAAkD;QAClD,OAAO,UAAgD,CAAC;IAC1D,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,QAAQ,CAAC,WAAmB;QAChC,MAAM,EAAE,WAAW,EAAE,GAAG,MAAM,MAAM,CAAC,eAAe,CAAC,CAAC;QACtD,MAAM,WAAW,CAAC,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;IAC9C,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,eAAe,CAAC,WAAmB;QACvC,MAAM,EAAE,kBAAkB,EAAE,oBAAoB,EAAE,GAAG,MAAM,MAAM,CAAC,UAAU,CAAC,CAAC;QAC9E,MAAM,kBAAkB,CAAC,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;QACnD,MAAM,oBAAoB,CAAC,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;IACvD,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,aAAa,CAAC,WAAmB;QACrC,MAAM,EAAE,gBAAgB,EAAE,GAAG,MAAM,MAAM,CAAC,UAAU,CAAC,CAAC;QACtD,MAAM,gBAAgB,CAAC,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;IACnD,CAAC;IAED;;OAEG;IACH,aAAa;QACX,OAAO,IAAI,iBAAiB,CAAC;YAC3B,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,SAAS;YAChC,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC,UAAU;YAClC,aAAa,EAAE,IAAI,CAAC,MAAM,CAAC,aAAa;YACxC,gBAAgB,EAAE,IAAI,CAAC,MAAM,CAAC,gBAAgB;YAC9C,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,WAAW;YACpC,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,cAAc,EAAE,IAAI,CAAC,MAAM,CAAC,cAAc;YAC1C,YAAY,EAAE,IAAI,CAAC,MAAM,CAAC,eAAe,IAAI,SAAS,CAAC,qBAAqB;YAC5E,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,WAAW;SACrC,CAAC,CAAC;IACL,CAAC;IAED;;;;;OAKG;IACH,kBAAkB,CAAC,WAAwB,EAAE,YAA0B;QACrE,MAAM,gBAAgB,GAAG,WAAW,CAAC,OAAO,IAAI,YAAY,CAAC,KAAK,EAAE,OAAO,IAAI,GAAG,CAAC;QAEnF,IAAI,gBAAgB,IAAI,aAAa,CAAC,kBAAkB,EAAE,CAAC;YACzD,OAAO,IAAI,aAAa,CAAC;gBACvB,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,SAAS;gBAChC,aAAa,EAAE,IAAI,CAAC,MAAM,CAAC,aAAa;gBACxC,YAAY,EAAE,IAAI,CAAC,MAAM,CAAC,eAAe,IAAI,SAAS,CAAC,qBAAqB;gBAC5E,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,WAAW;gBACpC,aAAa,EAAE,IAAI,CAAC,MAAM,CAAC,aAAa;gBACxC,aAAa,EAAE,IAAI,CAAC,MAAM,CAAC,aAAa;gBACxC,oBAAoB,EAAE,IAAI,CAAC,MAAM,CAAC,oBAAoB;aACvD,CAAC,CAAC;QACL,CAAC;QAED,OAAO,IAAI,CAAC,aAAa,EAAE,CAAC;IAC9B,CAAC;IAED;;;OAGG;IACH,cAAc,CAAC,kBAAiC,EAAE,YAA0B;QAC1E,MAAM,OAAO,GAAG,IAAI,CAAC,aAAa,EAAE,CAAC;QACrC,MAAM,qBAAqB,GAAqC,EAAE,CAAC;QAEnE,gDAAgD;QAChD,IAAI,aAAa,GAA4B,IAAI,CAAC;QAElD,KAAK,MAAM,WAAW,IAAI,kBAAkB,EAAE,CAAC;YAC7C,MAAM,gBAAgB,GAAG,WAAW,CAAC,OAAO,IAAI,YAAY,CAAC,KAAK,EAAE,OAAO,IAAI,GAAG,CAAC;YAEnF,IAAI,gBAAgB,IAAI,aAAa,CAAC,kBAAkB,EAAE,CAAC;gBACzD,+CAA+C;gBAC/C,IAAI,CAAC,aAAa,EAAE,CAAC;oBACnB,aAAa,GAAG,IAAI,aAAa,CAAC;wBAChC,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,SAAS;wBAChC,aAAa,EAAE,IAAI,CAAC,MAAM,CAAC,aAAa;wBACxC,YAAY,EAAE,IAAI,CAAC,MAAM,CAAC,eAAe,IAAI,SAAS,CAAC,qBAAqB;wBAC5E,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,WAAW;wBACpC,aAAa,EAAE,IAAI,CAAC,MAAM,CAAC,aAAa;wBACxC,aAAa,EAAE,IAAI,CAAC,MAAM,CAAC,aAAa;wBACxC,oBAAoB,EAAE,IAAI,CAAC,MAAM,CAAC,oBAAoB;qBACvD,CAAC,CAAC;gBACL,CAAC;gBACD,qBAAqB,CAAC,WAAW,CAAC,IAAI,CAAC,GAAG,aAAa,CAAC;YAC1D,CAAC;QACH,CAAC;QAED,OAAO,EAAE,OAAO,EAAE,qBAAqB,EAAE,CAAC;IAC5C,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,uBAAuB;QAC3B,MAAM,EAAE,wBAAwB,EAAE,GAAG,MAAM,MAAM,CAAC,6BAA6B,CAAC,CAAC;QACjF,OAAO,IAAI,wBAAwB,CACjC,IAAI,CAAC,MAAM,CAAC,SAAS,EACrB,IAAI,CAAC,MAAM,CAAC,eAAe,IAAI,SAAS,CAAC,qBAAqB,CAC/D,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,eAAe,CAAC,QAAgB;QACpC,MAAM,EAAE,eAAe,EAAE,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAC;QACxD,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC;YACnC,QAAQ;YACR,WAAW,EAAE,IAAI,CAAC,MAAM;SACzB,CAAC,CAAC;QACH,OAAO;YACL,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,SAAS,EAAE,MAAM,CAAC,SAAS;SAC5B,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,kBAAkB;QACtB,MAAM,EAAE,kBAAkB,EAAE,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAC;QAC3D,MAAM,MAAM,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACrD,IAAI,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC;QACzB,OAAO;YACL,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,SAAS,EAAE,MAAM,CAAC,SAAS;SAC5B,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,gBAAgB,CAAC,KAAa;QAClC,MAAM,EAAE,gBAAgB,EAAE,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAC;QACzD,OAAO,gBAAgB,CAAC,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;IAC9C,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,iBAAiB;QACrB,MAAM,EAAE,iBAAiB,EAAE,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAC;QAC1D,MAAM,iBAAiB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACvC,CAAC;CACF"}

package/dist/cloud/aws/provision.d.ts

@@ -0,0 +1,9 @@
+/**
+ * ECS-specific cloud provisioning logic.
+ *
+ * Extracted from cli/commands/cloud-setup-ecs.ts into the cloud provider module.
+ * Contains all AWS resource creation/discovery for ECS Fargate setup.
+ */
+import type { EcsCloudConfig } from "../../shared/config.js";
+export declare function setupEcsCloud(cloud: EcsCloudConfig): Promise<boolean>;
+//# sourceMappingURL=provision.d.ts.map

package/dist/cloud/aws/provision.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"provision.d.ts","sourceRoot":"","sources":["../../../src/cloud/aws/provision.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAsCH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AAO7D,wBAAsB,aAAa,CAAC,KAAK,EAAE,cAAc,GAAG,OAAO,CAAC,OAAO,CAAC,CA2L3E"}

package/dist/{cli/commands/cloud-setup-ecs.js → cloud/aws/provision.js}

@@ -1,7 +1,7 @@
 /**
- * ECS-specific cloud setup logic.
+ * ECS-specific cloud provisioning logic.
  *
- * Extracted from cloud-setup.ts to keep the main orchestrator slim.
+ * Extracted from cli/commands/cloud-setup-ecs.ts into the cloud provider module.
  * Contains all AWS resource creation/discovery for ECS Fargate setup.
  */
 import { select, input, confirm } from "@inquirer/prompts";
@@ -11,7 +11,8 @@ import { ECSClient, ListClustersCommand, DescribeClustersCommand, CreateClusterC
 import { IAMClient, ListRolesCommand, CreateRoleCommand, GetRoleCommand, AttachRolePolicyCommand, PutRolePolicyCommand, PutUserPolicyCommand, CreateServiceLinkedRoleCommand, } from "@aws-sdk/client-iam";
 import { EC2Client, DescribeVpcsCommand, DescribeSubnetsCommand, DescribeSecurityGroupsCommand, } from "@aws-sdk/client-ec2";
 import { CloudWatchLogsClient, CreateLogGroupCommand, } from "@aws-sdk/client-cloudwatch-logs";
-import { AWS_CONSTANTS } from "../../shared/aws-constants.js";
+import { AWS_CONSTANTS } from "./constants.js";
+import { CONSTANTS } from "../../shared/constants.js";
 const CREATE_NEW = "__create_new__";
 const MANUAL_INPUT = "__manual_input__";
 export async function setupEcsCloud(cloud) {
@@ -51,7 +52,7 @@ export async function setupEcsCloud(cloud) {
     cloud.taskRoleArn = await pickOrCreateEcsRole(iamClient, "Default task role (Secrets Manager access)", AWS_CONSTANTS.DEFAULT_TASK_ROLE, [], [cloud.executionRoleArn]);
     // Add Secrets Manager + CloudWatch Logs inline policy to execution role
     const executionRoleName = cloud.executionRoleArn.split("/").pop();
-    const secretPrefix = AWS_CONSTANTS.DEFAULT_SECRET_PREFIX;
+    const secretPrefix = CONSTANTS.DEFAULT_SECRET_PREFIX;
     try {
         await iamClient.send(new PutRolePolicyCommand({
             RoleName: executionRoleName,
@@ -103,8 +104,8 @@ export async function setupEcsCloud(cloud) {
     const sgs = await pickSecurityGroups(ec2Client, result.vpcId);
     if (sgs.length > 0)
         cloud.securityGroups = sgs;
-    const prefix = await input({ message: "Secret prefix:", default: AWS_CONSTANTS.DEFAULT_SECRET_PREFIX });
-    if (prefix !== AWS_CONSTANTS.DEFAULT_SECRET_PREFIX)
+    const prefix = await input({ message: "Secret prefix:", default: CONSTANTS.DEFAULT_SECRET_PREFIX });
+    if (prefix !== CONSTANTS.DEFAULT_SECRET_PREFIX)
         cloud.awsSecretPrefix = prefix;
     // Grant iam:PassRole, logs read, and iam:PutUserPolicy to the calling
     // IAM user so that al start/run can assign roles, al logs can read
@@ -648,8 +649,8 @@ async function ensureAppRunnerInstanceRole(iamClient, accountId, region, ecrRepo
                     { Sid: "PassRole", Effect: "Allow", Action: "iam:PassRole", Resource: `arn:aws:iam::${accountId}:role/al-*`, Condition: { StringEquals: { "iam:PassedToService": ["ecs-tasks.amazonaws.com", "codebuild.amazonaws.com", "lambda.amazonaws.com", "apprunner.amazonaws.com"] } } },
                     { Sid: "IAMAgentRoles", Effect: "Allow", Action: ["iam:CreateRole", "iam:GetRole", "iam:GetRolePolicy", "iam:PutRolePolicy", "iam:DeleteRole", "iam:DeleteRolePolicy", "iam:AttachRolePolicy"], Resource: `arn:aws:iam::${accountId}:role/al-*` },
                     { Sid: "IAMListRoles", Effect: "Allow", Action: "iam:ListRoles", Resource: "*" },
-                    { Sid: "ECR", Effect: "Allow", Action: ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer", "ecr:BatchCheckLayerAvailability", "ecr:GetAuthorizationToken", "ecr:SetRepositoryPolicy"], Resource: "*" },
-                    { Sid: "CodeBuild", Effect: "Allow", Action: ["codebuild:StartBuild", "codebuild:BatchGetBuilds", "codebuild:CreateProject"], Resource: `arn:aws:codebuild:${region}:${accountId}:project/al-image-builder` },
+                    { Sid: "ECR", Effect: "Allow", Action: ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer", "ecr:BatchCheckLayerAvailability", "ecr:GetAuthorizationToken", "ecr:SetRepositoryPolicy", "ecr:PutImage", "ecr:InitiateLayerUpload", "ecr:UploadLayerPart", "ecr:CompleteLayerUpload"], Resource: "*" },
+                    { Sid: "CodeBuild", Effect: "Allow", Action: ["codebuild:StartBuild", "codebuild:BatchGetBuilds", "codebuild:CreateProject", "codebuild:UpdateProject"], Resource: `arn:aws:codebuild:${region}:${accountId}:project/al-image-builder` },
                     { Sid: "Lambda", Effect: "Allow", Action: ["lambda:GetFunction", "lambda:CreateFunction", "lambda:UpdateFunctionCode", "lambda:UpdateFunctionConfiguration", "lambda:PutFunctionEventInvokeConfig", "lambda:InvokeFunction"], Resource: `arn:aws:lambda:${region}:${accountId}:function:al-*` },
                     { Sid: "S3", Effect: "Allow", Action: ["s3:CreateBucket", "s3:PutObject", "s3:GetObject", "s3:ListBucket"], Resource: [`arn:aws:s3:::${bucketName}`, `arn:aws:s3:::${bucketName}/*`] },
                     { Sid: "AppRunner", Effect: "Allow", Action: ["apprunner:CreateService", "apprunner:UpdateService", "apprunner:DescribeService", "apprunner:DeleteService"], Resource: `arn:aws:apprunner:${region}:${accountId}:service/al-scheduler/*` },
@@ -694,4 +695,4 @@ async function pickSecurityGroups(ec2Client, vpcId) {
     const raw = await input({ message: "Security group IDs (comma-separated, optional):" });
     return raw.trim() ? raw.split(",").map(s => s.trim()).filter(Boolean) : [];
 }
-//# sourceMappingURL=cloud-setup-ecs.js.map
+//# sourceMappingURL=provision.js.map