@aws/ml-container-creator 0.2.0 → 0.2.2

package/infra/ci-harness/buildspec.yml

@@ -0,0 +1,352 @@
+version: 0.2
+
+env:
+  variables:
+    CI_TABLE_NAME: ""
+    CI_LOG_GROUP: ""
+    CONFIG_ID: ""
+    CONFIG_JSON: ""
+    BUILD_STRATEGY: "codebuild-submit"
+
+phases:
+  install:
+    runtime-versions:
+      nodejs: 22
+    commands:
+      - echo "=== MLCC CI Harness - Install Phase ==="
+      - npm install -g @aws/ml-container-creator
+      # Track overall build start time for total duration calculation
+      - BUILD_START_TIME=$(date +%s)
+      # Initialize stage results tracking as flat variables.
+      # Each stage gets: _STATUS, _DURATION, _LOG_POINTER, _ERROR_SUMMARY
+      - FIRST_FAILURE=""
+      - GENERATE_STATUS="skip"
+      - GENERATE_DURATION=0
+      - GENERATE_LOG_POINTER=""
+      - GENERATE_ERROR_SUMMARY=""
+      - VALIDATE_STATUS="skip"
+      - VALIDATE_DURATION=0
+      - VALIDATE_LOG_POINTER=""
+      - VALIDATE_ERROR_SUMMARY=""
+      - BUILD_STATUS="skip"
+      - BUILD_DURATION=0
+      - BUILD_LOG_POINTER=""
+      - BUILD_ERROR_SUMMARY=""
+      - DEPLOY_TEST_STATUS="skip"
+      - DEPLOY_TEST_DURATION=0
+      - DEPLOY_TEST_LOG_POINTER=""
+      - DEPLOY_TEST_ERROR_SUMMARY=""
+      - REGISTER_STATUS="skip"
+      - REGISTER_DURATION=0
+      - REGISTER_LOG_POINTER=""
+      - REGISTER_ERROR_SUMMARY=""
+      - TEARDOWN_STATUS="skip"
+      - TEARDOWN_DURATION=0
+      - TEARDOWN_LOG_POINTER=""
+      - TEARDOWN_ERROR_SUMMARY=""
+      - UPDATE_STATUS="skip"
+      - UPDATE_DURATION=0
+      - UPDATE_LOG_POINTER=""
+      - UPDATE_ERROR_SUMMARY=""
+      # Build the log pointer prefix for this execution
+      - BUILD_TIMESTAMP=$(date -u +%Y%m%d-%H%M%S)
+      - LOG_POINTER_PREFIX="${CI_LOG_GROUP}:build/${CONFIG_ID}/${BUILD_TIMESTAMP}"
+
+  pre_build:
+    commands:
+      # --- Stage: Generate ---
+      - echo "=== Stage: Generate ==="
+      - STAGE_START=$(date +%s)
+      - GENERATE_LOG_POINTER="$LOG_POINTER_PREFIX"
+      - STAGE_STDERR_FILE=$(mktemp)
+      - |
+        (
+          set -e
+          echo "$CONFIG_JSON" > /tmp/ci-config.json
+          mkdir -p /tmp/ci-project
+          cd /tmp/ci-project
+          ml-container-creator --config /tmp/ci-config.json --skip-prompts
+          chmod +x do/*
+        ) 2>"$STAGE_STDERR_FILE"; STAGE_EXIT=$?
+      - STAGE_END=$(date +%s)
+      - GENERATE_DURATION=$((STAGE_END - STAGE_START))
+      - |
+        if [ "$STAGE_EXIT" -eq 0 ]; then
+          GENERATE_STATUS="pass"
+          echo "Generate stage passed in ${GENERATE_DURATION}s"
+        else
+          GENERATE_STATUS="fail"
+          GENERATE_ERROR_SUMMARY=$(tail -c 500 "$STAGE_STDERR_FILE" | tr -d '\000' | tr '"' "'" | tr '\n' ' ')
+          FIRST_FAILURE="generate"
+          echo "Generate stage FAILED (exit code $STAGE_EXIT) in ${GENERATE_DURATION}s"
+        fi
+      - rm -f "$STAGE_STDERR_FILE"
+
+  build:
+    commands:
+      # --- Stage: Validate (placeholder) ---
+      - echo "=== Stage: Validate ==="
+      - STAGE_START=$(date +%s)
+      - VALIDATE_LOG_POINTER="$LOG_POINTER_PREFIX"
+      - STAGE_STDERR_FILE=$(mktemp)
+      - |
+        if [ -n "$FIRST_FAILURE" ]; then
+          echo "Skipping Validate stage due to prior failure in $FIRST_FAILURE"
+          VALIDATE_STATUS="skip"
+          VALIDATE_DURATION=0
+        else
+          (
+            set -e
+            cd /tmp/ci-project
+            echo "Validate stage placeholder — static checks are a backlog item (BL-001)"
+          ) 2>"$STAGE_STDERR_FILE"; STAGE_EXIT=$?
+          STAGE_END=$(date +%s)
+          VALIDATE_DURATION=$((STAGE_END - STAGE_START))
+          if [ "$STAGE_EXIT" -eq 0 ]; then
+            VALIDATE_STATUS="pass"
+            echo "Validate stage passed in ${VALIDATE_DURATION}s"
+          else
+            VALIDATE_STATUS="fail"
+            VALIDATE_ERROR_SUMMARY=$(tail -c 500 "$STAGE_STDERR_FILE" | tr -d '\000' | tr '"' "'" | tr '\n' ' ')
+            FIRST_FAILURE="validate"
+            echo "Validate stage FAILED (exit code $STAGE_EXIT) in ${VALIDATE_DURATION}s"
+          fi
+        fi
+      - rm -f "$STAGE_STDERR_FILE"
+
+      # --- Stage: Build (strategy-dependent) ---
+      - echo "=== Stage: Build ==="
+      - STAGE_START=$(date +%s)
+      - BUILD_LOG_POINTER="$LOG_POINTER_PREFIX"
+      - STAGE_STDERR_FILE=$(mktemp)
+      - |
+        if [ -n "$FIRST_FAILURE" ]; then
+          echo "Skipping Build stage due to prior failure in $FIRST_FAILURE"
+          BUILD_STATUS="skip"
+          BUILD_DURATION=0
+        else
+          (
+            set -e
+            cd /tmp/ci-project
+            if [ "$BUILD_STRATEGY" = "docker-in-docker" ]; then
+              echo "Build strategy: docker-in-docker"
+              ./do/build
+              ./do/push
+            else
+              echo "Build strategy: codebuild-submit"
+              ./do/submit
+            fi
+          ) 2>"$STAGE_STDERR_FILE"; STAGE_EXIT=$?
+          STAGE_END=$(date +%s)
+          BUILD_DURATION=$((STAGE_END - STAGE_START))
+          if [ "$STAGE_EXIT" -eq 0 ]; then
+            BUILD_STATUS="pass"
+            echo "Build stage passed in ${BUILD_DURATION}s"
+          else
+            BUILD_STATUS="fail"
+            BUILD_ERROR_SUMMARY=$(tail -c 500 "$STAGE_STDERR_FILE" | tr -d '\000' | tr '"' "'" | tr '\n' ' ')
+            FIRST_FAILURE="build"
+            echo "Build stage FAILED (exit code $STAGE_EXIT) in ${BUILD_DURATION}s"
+          fi
+        fi
+      - rm -f "$STAGE_STDERR_FILE"
+
+      # --- Stage: Deploy_Test ---
+      - echo "=== Stage: Deploy_Test ==="
+      - STAGE_START=$(date +%s)
+      - DEPLOY_TEST_LOG_POINTER="$LOG_POINTER_PREFIX"
+      - STAGE_STDERR_FILE=$(mktemp)
+      - |
+        if [ -n "$FIRST_FAILURE" ]; then
+          echo "Skipping Deploy_Test stage due to prior failure in $FIRST_FAILURE"
+          DEPLOY_TEST_STATUS="skip"
+          DEPLOY_TEST_DURATION=0
+        else
+          (
+            set -e
+            cd /tmp/ci-project
+            ./do/deploy
+            ./do/test
+          ) 2>"$STAGE_STDERR_FILE"; STAGE_EXIT=$?
+          STAGE_END=$(date +%s)
+          DEPLOY_TEST_DURATION=$((STAGE_END - STAGE_START))
+          if [ "$STAGE_EXIT" -eq 0 ]; then
+            DEPLOY_TEST_STATUS="pass"
+            echo "Deploy_Test stage passed in ${DEPLOY_TEST_DURATION}s"
+          else
+            DEPLOY_TEST_STATUS="fail"
+            DEPLOY_TEST_ERROR_SUMMARY=$(tail -c 500 "$STAGE_STDERR_FILE" | tr -d '\000' | tr '"' "'" | tr '\n' ' ')
+            FIRST_FAILURE="deploy_test"
+            echo "Deploy_Test stage FAILED (exit code $STAGE_EXIT) in ${DEPLOY_TEST_DURATION}s"
+          fi
+        fi
+      - rm -f "$STAGE_STDERR_FILE"
+
+      # --- Stage: Register (placeholder) ---
+      - echo "=== Stage: Register ==="
+      - STAGE_START=$(date +%s)
+      - REGISTER_LOG_POINTER="$LOG_POINTER_PREFIX"
+      - STAGE_STDERR_FILE=$(mktemp)
+      - |
+        if [ -n "$FIRST_FAILURE" ]; then
+          echo "Skipping Register stage due to prior failure in $FIRST_FAILURE"
+          REGISTER_STATUS="skip"
+          REGISTER_DURATION=0
+        else
+          (
+            set -e
+            cd /tmp/ci-project
+            echo "Register stage placeholder — future registration capabilities"
+          ) 2>"$STAGE_STDERR_FILE"; STAGE_EXIT=$?
+          STAGE_END=$(date +%s)
+          REGISTER_DURATION=$((STAGE_END - STAGE_START))
+          if [ "$STAGE_EXIT" -eq 0 ]; then
+            REGISTER_STATUS="pass"
+            echo "Register stage passed in ${REGISTER_DURATION}s"
+          else
+            REGISTER_STATUS="fail"
+            REGISTER_ERROR_SUMMARY=$(tail -c 500 "$STAGE_STDERR_FILE" | tr -d '\000' | tr '"' "'" | tr '\n' ' ')
+            FIRST_FAILURE="register"
+            echo "Register stage FAILED (exit code $STAGE_EXIT) in ${REGISTER_DURATION}s"
+          fi
+        fi
+      - rm -f "$STAGE_STDERR_FILE"
+
+  post_build:
+    commands:
+      # --- Stage: Teardown (always runs regardless of prior failures) ---
+      - echo "=== Stage: Teardown ==="
+      - STAGE_START=$(date +%s)
+      - TEARDOWN_LOG_POINTER="$LOG_POINTER_PREFIX"
+      - STAGE_STDERR_FILE=$(mktemp)
+      - |
+        (
+          set -e
+          cd /tmp/ci-project
+          ./do/clean all --force
+        ) 2>"$STAGE_STDERR_FILE"; TEARDOWN_EXIT=$?
+      - STAGE_END=$(date +%s)
+      - TEARDOWN_DURATION=$((STAGE_END - STAGE_START))
+      - |
+        if [ "$TEARDOWN_EXIT" -eq 0 ]; then
+          TEARDOWN_STATUS="pass"
+          echo "Teardown stage passed in ${TEARDOWN_DURATION}s"
+        else
+          TEARDOWN_STATUS="fail"
+          TEARDOWN_ERROR_SUMMARY=$(tail -c 500 "$STAGE_STDERR_FILE" | tr -d '\000' | tr '"' "'" | tr '\n' ' ')
+          echo "Teardown stage FAILED (exit code $TEARDOWN_EXIT) in ${TEARDOWN_DURATION}s"
+        fi
+      - rm -f "$STAGE_STDERR_FILE"
+
+      # --- Stage: Update (always runs — writes results to DynamoDB) ---
+      - echo "=== Stage: Update ==="
+      - STAGE_START=$(date +%s)
+      - UPDATE_LOG_POINTER="$LOG_POINTER_PREFIX"
+      - STAGE_STDERR_FILE=$(mktemp)
+      # Determine final testStatus
+      - |
+        if [ -n "$FIRST_FAILURE" ]; then
+          FINAL_TEST_STATUS="fail-${FIRST_FAILURE}"
+        else
+          FINAL_TEST_STATUS="pass"
+        fi
+      # Compute total duration as wall-clock elapsed time from build start
+      - TOTAL_DURATION=$(($(date +%s) - BUILD_START_TIME))
+      # Build the error message from the first failing stage
+      - |
+        if [ -n "$FIRST_FAILURE" ]; then
+          case "$FIRST_FAILURE" in
+            generate)    FINAL_ERROR_MESSAGE="$GENERATE_ERROR_SUMMARY" ;;
+            validate)    FINAL_ERROR_MESSAGE="$VALIDATE_ERROR_SUMMARY" ;;
+            build)       FINAL_ERROR_MESSAGE="$BUILD_ERROR_SUMMARY" ;;
+            deploy_test) FINAL_ERROR_MESSAGE="$DEPLOY_TEST_ERROR_SUMMARY" ;;
+            register)    FINAL_ERROR_MESSAGE="$REGISTER_ERROR_SUMMARY" ;;
+            *)           FINAL_ERROR_MESSAGE="Unknown failure stage" ;;
+          esac
+        else
+          FINAL_ERROR_MESSAGE=""
+        fi
+      # Escape special characters in error messages for JSON
+      - |
+        ESCAPED_GENERATE_ERROR=$(printf '%s' "$GENERATE_ERROR_SUMMARY" | sed 's/\\/\\\\/g; s/"/\\"/g')
+        ESCAPED_VALIDATE_ERROR=$(printf '%s' "$VALIDATE_ERROR_SUMMARY" | sed 's/\\/\\\\/g; s/"/\\"/g')
+        ESCAPED_BUILD_ERROR=$(printf '%s' "$BUILD_ERROR_SUMMARY" | sed 's/\\/\\\\/g; s/"/\\"/g')
+        ESCAPED_DEPLOY_TEST_ERROR=$(printf '%s' "$DEPLOY_TEST_ERROR_SUMMARY" | sed 's/\\/\\\\/g; s/"/\\"/g')
+        ESCAPED_REGISTER_ERROR=$(printf '%s' "$REGISTER_ERROR_SUMMARY" | sed 's/\\/\\\\/g; s/"/\\"/g')
+        ESCAPED_TEARDOWN_ERROR=$(printf '%s' "$TEARDOWN_ERROR_SUMMARY" | sed 's/\\/\\\\/g; s/"/\\"/g')
+        ESCAPED_FINAL_ERROR=$(printf '%s' "$FINAL_ERROR_MESSAGE" | sed 's/\\/\\\\/g; s/"/\\"/g')
+      # Write results to DynamoDB
+      - |
+        (
+          set -e
+          LAST_TEST_TIMESTAMP=$(date -u +%Y-%m-%dT%H:%M:%SZ)
+          aws dynamodb update-item \
+            --table-name "$CI_TABLE_NAME" \
+            --key "{\"configId\":{\"S\":\"$CONFIG_ID\"}}" \
+            --update-expression "SET testStatus = :ts, lastTestTimestamp = :ltt, lastTestDuration = :ltd, errorMessage = :em, stageResults = :sr" \
+            --expression-attribute-values "{
+              \":ts\": {\"S\": \"$FINAL_TEST_STATUS\"},
+              \":ltt\": {\"S\": \"$LAST_TEST_TIMESTAMP\"},
+              \":ltd\": {\"N\": \"$TOTAL_DURATION\"},
+              \":em\": {\"S\": \"$ESCAPED_FINAL_ERROR\"},
+              \":sr\": {\"M\": {
+                \"generate\": {\"M\": {
+                  \"status\": {\"S\": \"$GENERATE_STATUS\"},
+                  \"durationSeconds\": {\"N\": \"$GENERATE_DURATION\"},
+                  \"logPointer\": {\"S\": \"$GENERATE_LOG_POINTER\"},
+                  \"errorSummary\": {\"S\": \"$ESCAPED_GENERATE_ERROR\"}
+                }},
+                \"validate\": {\"M\": {
+                  \"status\": {\"S\": \"$VALIDATE_STATUS\"},
+                  \"durationSeconds\": {\"N\": \"$VALIDATE_DURATION\"},
+                  \"logPointer\": {\"S\": \"$VALIDATE_LOG_POINTER\"},
+                  \"errorSummary\": {\"S\": \"$ESCAPED_VALIDATE_ERROR\"}
+                }},
+                \"build\": {\"M\": {
+                  \"status\": {\"S\": \"$BUILD_STATUS\"},
+                  \"durationSeconds\": {\"N\": \"$BUILD_DURATION\"},
+                  \"logPointer\": {\"S\": \"$BUILD_LOG_POINTER\"},
+                  \"errorSummary\": {\"S\": \"$ESCAPED_BUILD_ERROR\"}
+                }},
+                \"deploy_test\": {\"M\": {
+                  \"status\": {\"S\": \"$DEPLOY_TEST_STATUS\"},
+                  \"durationSeconds\": {\"N\": \"$DEPLOY_TEST_DURATION\"},
+                  \"logPointer\": {\"S\": \"$DEPLOY_TEST_LOG_POINTER\"},
+                  \"errorSummary\": {\"S\": \"$ESCAPED_DEPLOY_TEST_ERROR\"}
+                }},
+                \"register\": {\"M\": {
+                  \"status\": {\"S\": \"$REGISTER_STATUS\"},
+                  \"durationSeconds\": {\"N\": \"$REGISTER_DURATION\"},
+                  \"logPointer\": {\"S\": \"$REGISTER_LOG_POINTER\"},
+                  \"errorSummary\": {\"S\": \"$ESCAPED_REGISTER_ERROR\"}
+                }},
+                \"teardown\": {\"M\": {
+                  \"status\": {\"S\": \"$TEARDOWN_STATUS\"},
+                  \"durationSeconds\": {\"N\": \"$TEARDOWN_DURATION\"},
+                  \"logPointer\": {\"S\": \"$TEARDOWN_LOG_POINTER\"},
+                  \"errorSummary\": {\"S\": \"$ESCAPED_TEARDOWN_ERROR\"}
+                }},
+                \"update\": {\"M\": {
+                  \"status\": {\"S\": \"pass\"},
+                  \"durationSeconds\": {\"N\": \"0\"},
+                  \"logPointer\": {\"S\": \"$UPDATE_LOG_POINTER\"},
+                  \"errorSummary\": {\"S\": \"\"}
+                }}
+              }}
+            }"
+        ) 2>"$STAGE_STDERR_FILE"; UPDATE_EXIT=$?
+      - STAGE_END=$(date +%s)
+      - UPDATE_DURATION=$((STAGE_END - STAGE_START))
+      - |
+        if [ "$UPDATE_EXIT" -eq 0 ]; then
+          UPDATE_STATUS="pass"
+          echo "Update stage passed in ${UPDATE_DURATION}s"
+        else
+          UPDATE_STATUS="fail"
+          UPDATE_ERROR_SUMMARY=$(tail -c 500 "$STAGE_STDERR_FILE" | tr -d '\000' | tr '"' "'" | tr '\n' ' ')
+          echo "Update stage FAILED (exit code $UPDATE_EXIT) in ${UPDATE_DURATION}s"
+        fi
+      - rm -f "$STAGE_STDERR_FILE"
+      - echo "=== MLCC CI Harness Complete ==="
+      - echo "Final status: $FINAL_TEST_STATUS"
+      - echo "Total duration: ${TOTAL_DURATION}s"

package/infra/ci-harness/cdk.json

@@ -0,0 +1,27 @@
+{
+  "app": "npx ts-node bin/ci-harness.ts",
+  "watch": {
+    "include": [
+      "**"
+    ],
+    "exclude": [
+      "README.md",
+      "cdk*.json",
+      "**/*.d.ts",
+      "**/*.js",
+      "tsconfig.json",
+      "package*.json",
+      "node_modules",
+      "dist",
+      "test"
+    ]
+  },
+  "context": {
+    "@aws-cdk/aws-lambda:recognizeLayerVersion": true,
+    "@aws-cdk/core:checkSecretUsage": true,
+    "@aws-cdk/core:target-partitions": [
+      "aws",
+      "aws-cn"
+    ]
+  }
+}

package/infra/ci-harness/lambda/scanner/index.ts

@@ -0,0 +1,199 @@
+import { DynamoDBClient, QueryCommand } from '@aws-sdk/client-dynamodb';
+import { SFNClient, StartExecutionCommand } from '@aws-sdk/client-sfn';
+
+/**
+ * Scanner Lambda handler — queries the CI_Table GSI for records that need
+ * re-testing and starts Step Functions executions directly.
+ *
+ * Query pattern (uses GSI `testStatus-lastTestTimestamp-index`):
+ *   1. All records with testStatus = 'untested'
+ *   2. Records with testStatus IN (pass, fail-generate, fail-validate,
+ *      fail-build, fail-deploy, fail-test) AND lastTestTimestamp < now - 24h
+ *
+ * Records with testStatus = 'running' are always excluded.
+ *
+ * Requirements: 3.1, 3.2, 3.3, 3.4, 3.5, 3.6, 14.1
+ */
+
+const TABLE_NAME = process.env.CI_TABLE_NAME ?? '';
+const STATE_MACHINE_ARN = process.env.STATE_MACHINE_ARN ?? '';
+const GSI_NAME = process.env.GSI_NAME ?? 'testStatus-lastTestTimestamp-index';
+
+const dynamodb = new DynamoDBClient({});
+const sfn = new SFNClient({});
+
+/** Default build strategy when the attribute is missing from a record. */
+const DEFAULT_BUILD_STRATEGY = 'codebuild-submit';
+
+/**
+ * Status values that qualify for stale-record re-testing (all except 'running'
+ * and 'untested', which is handled separately without a timestamp filter).
+ */
+const STALE_STATUSES = [
+    'pass',
+    'fail-generate',
+    'fail-validate',
+    'fail-build',
+    'fail-deploy',
+    'fail-test',
+];
+
+interface CiRecord {
+    configId: string;
+    configJson: string;
+    buildStrategy: string;
+}
+
+/**
+ * Query all 'untested' records from the GSI. No timestamp filter needed —
+ * every untested record should be picked up.
+ */
+async function queryUntestedRecords(): Promise<CiRecord[]> {
+    const records: CiRecord[] = [];
+    let exclusiveStartKey: Record<string, any> | undefined;
+
+    do {
+        const command = new QueryCommand({
+            TableName: TABLE_NAME,
+            IndexName: GSI_NAME,
+            KeyConditionExpression: 'testStatus = :status',
+            ExpressionAttributeValues: {
+                ':status': { S: 'untested' },
+            },
+            ProjectionExpression: 'configId, configJson, buildStrategy',
+            ExclusiveStartKey: exclusiveStartKey,
+        });
+
+        const result = await dynamodb.send(command);
+
+        for (const item of result.Items ?? []) {
+            records.push({
+                configId: item.configId?.S ?? '',
+                configJson: item.configJson?.S ?? '',
+                buildStrategy: item.buildStrategy?.S ?? DEFAULT_BUILD_STRATEGY,
+            });
+        }
+
+        exclusiveStartKey = result.LastEvaluatedKey;
+    } while (exclusiveStartKey);
+
+    return records;
+}
+
+/**
+ * Query records for a specific testStatus where lastTestTimestamp is older
+ * than the given cutoff (ISO 8601 string comparison works because the format
+ * is lexicographically sortable).
+ */
+async function queryStaleRecordsByStatus(
+    status: string,
+    cutoffTimestamp: string
+): Promise<CiRecord[]> {
+    const records: CiRecord[] = [];
+    let exclusiveStartKey: Record<string, any> | undefined;
+
+    do {
+        const command = new QueryCommand({
+            TableName: TABLE_NAME,
+            IndexName: GSI_NAME,
+            KeyConditionExpression:
+                'testStatus = :status AND lastTestTimestamp < :cutoff',
+            ExpressionAttributeValues: {
+                ':status': { S: status },
+                ':cutoff': { S: cutoffTimestamp },
+            },
+            ProjectionExpression: 'configId, configJson, buildStrategy',
+            ExclusiveStartKey: exclusiveStartKey,
+        });
+
+        const result = await dynamodb.send(command);
+
+        for (const item of result.Items ?? []) {
+            records.push({
+                configId: item.configId?.S ?? '',
+                configJson: item.configJson?.S ?? '',
+                buildStrategy: item.buildStrategy?.S ?? DEFAULT_BUILD_STRATEGY,
+            });
+        }
+
+        exclusiveStartKey = result.LastEvaluatedKey;
+    } while (exclusiveStartKey);
+
+    return records;
+}
+
+/**
+ * Start a Step Functions execution for a CI record.
+ * Returns the execution ARN on success, or null on failure.
+ */
+async function startExecution(record: CiRecord): Promise<string | null> {
+    try {
+        const input = JSON.stringify({
+            configId: record.configId,
+            configJson: record.configJson,
+            buildStrategy: record.buildStrategy,
+        });
+
+        const command = new StartExecutionCommand({
+            stateMachineArn: STATE_MACHINE_ARN,
+            input,
+        });
+
+        const result = await sfn.send(command);
+        return result.executionArn ?? null;
+    } catch (error) {
+        console.error(
+            `Failed to start execution for ${record.configId}:`,
+            error
+        );
+        return null;
+    }
+}
+
+/**
+ * Lambda entry point. Invoked on an hourly EventBridge schedule or manually via do/ci trigger.
+ */
+export async function handler(): Promise<{ executionArns: string[] }> {
+    const now = new Date();
+    const cutoff = new Date(now.getTime() - 24 * 60 * 60 * 1000);
+    const cutoffTimestamp = cutoff.toISOString();
+
+    // 1. Collect qualifying records from multiple GSI queries
+    const allRecords: CiRecord[] = [];
+
+    // 1a. All untested records (no timestamp filter)
+    const untestedRecords = await queryUntestedRecords();
+    allRecords.push(...untestedRecords);
+
+    // 1b. Stale records for each non-running status
+    for (const status of STALE_STATUSES) {
+        const staleRecords = await queryStaleRecordsByStatus(
+            status,
+            cutoffTimestamp
+        );
+        allRecords.push(...staleRecords);
+    }
+
+    const totalFound = allRecords.length;
+
+    if (totalFound === 0) {
+        console.log('Found 0 qualifying records, started 0 executions');
+        return { executionArns: [] };
+    }
+
+    // 2. Start Step Functions execution for each record
+    const executionArns: string[] = [];
+
+    for (const record of allRecords) {
+        const arn = await startExecution(record);
+        if (arn) {
+            executionArns.push(arn);
+        }
+    }
+
+    console.log(
+        `Found ${totalFound} qualifying records, started ${executionArns.length} executions`
+    );
+
+    return { executionArns };
+}