@aws/ml-container-creator 0.2.5 → 0.3.0

package/src/lib/validators/required-field-validator.js

@@ -0,0 +1,150 @@
+/**
+ * Required field validator.
+ * Validates that all required fields in an operation's input shape
+ * are present and non-empty in the payload.
+ *
+ * Requirements: 5.1, 5.2, 5.3
+ */
+import BaseValidator from './base-validator.js';
+
+export default class RequiredFieldValidator extends BaseValidator {
+    get name() {
+        return 'required-field';
+    }
+
+    get mode() {
+        return 'static';
+    }
+
+    /**
+     * Validate required field presence for all payload operations.
+     * @param {Object} context - ValidationContext from PayloadBuilder
+     * @param {Object} options
+     * @param {Array} options.serviceModels - Parsed ServiceModelIndex objects
+     * @param {Array} options.priorFindings - Findings from earlier validators
+     * @returns {Promise<Array>} Array of Finding objects
+     */
+    async validate(context, options) {
+        const findings = [];
+        const serviceModels = options.serviceModels || [];
+
+        for (const [operationKey, payload] of Object.entries(context.payloads || {})) {
+            const [service, operation] = operationKey.split(':');
+
+            for (const model of serviceModels) {
+                const op = model.operations.get(operation);
+                if (!op || !op.input) continue;
+
+                const inputShape = model.shapes.get(op.input);
+                if (!inputShape || inputShape.type !== 'structure') continue;
+
+                this._validateRequiredFields(
+                    payload, inputShape, model, service, operation, '', findings
+                );
+            }
+        }
+
+        return findings;
+    }
+
+    /**
+     * Recursively validate required fields in a structure.
+     * @param {Object} payload - The payload object to validate
+     * @param {Object} shape - The structure shape definition
+     * @param {Object} model - The ServiceModelIndex
+     * @param {string} service - Service name
+     * @param {string} operation - Operation name
+     * @param {string} parentPath - Dot-notation path prefix
+     * @param {Array} findings - Accumulator for findings
+     */
+    _validateRequiredFields(payload, shape, model, service, operation, parentPath, findings) {
+        if (!shape || shape.type !== 'structure') return;
+
+        const requiredFields = shape.required || [];
+
+        for (const fieldName of requiredFields) {
+            const fieldPath = parentPath ? `${parentPath}.${fieldName}` : fieldName;
+            const memberDef = shape.members.get
+                ? shape.members.get(fieldName)
+                : shape.members[fieldName];
+
+            const value = payload ? payload[fieldName] : undefined;
+
+            if (value === undefined || value === null || value === '') {
+                const description = memberDef && memberDef.documentation
+                    ? memberDef.documentation
+                    : `Required field for ${operation}`;
+
+                findings.push({
+                    service,
+                    operation,
+                    fieldPath,
+                    invalidValue: value === undefined ? 'undefined' : value === null ? 'null' : '(empty string)',
+                    constraint: { type: 'required', field: fieldName },
+                    severity: 'error',
+                    confidence: 'definitive',
+                    source: this.name,
+                    remediationHint: `Required field "${fieldName}" is missing or empty in ${operation}. ${description}`
+                });
+            } else if (typeof value === 'object' && !Array.isArray(value) && memberDef) {
+                // Recursively validate nested structures
+                const nestedShape = model.shapes.get(memberDef.shape);
+                if (nestedShape && nestedShape.type === 'structure') {
+                    this._validateRequiredFields(
+                        value, nestedShape, model, service, operation, fieldPath, findings
+                    );
+                }
+            }
+        }
+
+        // Also recursively validate nested structures that are present (even if optional)
+        if (payload && typeof payload === 'object' && shape.members) {
+            for (const [fieldName, value] of Object.entries(payload)) {
+                if (value === null || value === undefined) continue;
+                if (typeof value !== 'object' || Array.isArray(value)) continue;
+
+                const memberDef = shape.members.get
+                    ? shape.members.get(fieldName)
+                    : shape.members[fieldName];
+                if (!memberDef) continue;
+
+                const nestedShape = model.shapes.get(memberDef.shape);
+                if (!nestedShape || nestedShape.type !== 'structure') continue;
+
+                // Skip if already validated as a required field above
+                if (requiredFields.includes(fieldName)) continue;
+
+                const fieldPath = parentPath ? `${parentPath}.${fieldName}` : fieldName;
+                this._validateRequiredFields(
+                    value, nestedShape, model, service, operation, fieldPath, findings
+                );
+            }
+        }
+
+        // Recursively validate list elements that are structures
+        if (payload && typeof payload === 'object' && shape.members) {
+            for (const [fieldName, value] of Object.entries(payload)) {
+                if (!Array.isArray(value)) continue;
+
+                const memberDef = shape.members.get
+                    ? shape.members.get(fieldName)
+                    : shape.members[fieldName];
+                if (!memberDef) continue;
+
+                const listShape = model.shapes.get(memberDef.shape);
+                if (!listShape || listShape.type !== 'list' || !listShape.member) continue;
+
+                const elementShape = model.shapes.get(listShape.member.shape);
+                if (!elementShape || elementShape.type !== 'structure') continue;
+
+                const fieldPath = parentPath ? `${parentPath}.${fieldName}` : fieldName;
+                for (let i = 0; i < value.length; i++) {
+                    this._validateRequiredFields(
+                        value[i], elementShape, model, service, operation,
+                        `${fieldPath}[${i}]`, findings
+                    );
+                }
+            }
+        }
+    }
+}

package/src/lib/validators/type-validator.js

@@ -0,0 +1,313 @@
+/* eslint-disable eqeqeq */
+/**
+ * Type constraint validator.
+ * Validates that payload field values match their expected types
+ * (integer, string, boolean, list) and numeric min/max constraints.
+ * Also validates pattern constraints on string fields.
+ *
+ * Requirements: 6.1, 6.2, 6.3, 6.4, 6.5, 4.4
+ */
+import BaseValidator from './base-validator.js';
+
+export default class TypeValidator extends BaseValidator {
+    get name() {
+        return 'type';
+    }
+
+    get mode() {
+        return 'static';
+    }
+
+    /**
+     * Validate type constraints for all payload fields.
+     * @param {Object} context - ValidationContext from PayloadBuilder
+     * @param {Object} options
+     * @param {Array} options.serviceModels - Parsed ServiceModelIndex objects
+     * @param {Array} options.priorFindings - Findings from earlier validators
+     * @returns {Promise<Array>} Array of Finding objects
+     */
+    async validate(context, options) {
+        const findings = [];
+        const serviceModels = options.serviceModels || [];
+
+        for (const [operationKey, payload] of Object.entries(context.payloads || {})) {
+            const [service, operation] = operationKey.split(':');
+
+            for (const model of serviceModels) {
+                const op = model.operations.get(operation);
+                if (!op || !op.input) continue;
+
+                const inputShape = model.shapes.get(op.input);
+                if (!inputShape || inputShape.type !== 'structure') continue;
+
+                this._validateStructure(
+                    payload, inputShape, model, service, operation, '', findings
+                );
+            }
+        }
+
+        return findings;
+    }
+
+    /**
+     * Recursively validate type constraints in a structure.
+     * @param {Object} payload - The payload object to validate
+     * @param {Object} shape - The structure shape definition
+     * @param {Object} model - The ServiceModelIndex
+     * @param {string} service - Service name
+     * @param {string} operation - Operation name
+     * @param {string} parentPath - Dot-notation path prefix
+     * @param {Array} findings - Accumulator for findings
+     */
+    _validateStructure(payload, shape, model, service, operation, parentPath, findings) {
+        if (!payload || typeof payload !== 'object' || !shape.members) return;
+
+        for (const [fieldName, value] of Object.entries(payload)) {
+            const memberDef = shape.members.get
+                ? shape.members.get(fieldName)
+                : shape.members[fieldName];
+            if (!memberDef) continue;
+
+            const fieldPath = parentPath ? `${parentPath}.${fieldName}` : fieldName;
+            const fieldShape = model.shapes.get(memberDef.shape);
+            if (!fieldShape) continue;
+
+            this._validateField(value, fieldShape, model, service, operation, fieldPath, findings);
+        }
+    }
+
+    /**
+     * Validate a single field value against its shape definition.
+     * @param {*} value - The field value
+     * @param {Object} fieldShape - The shape definition for this field
+     * @param {Object} model - The ServiceModelIndex
+     * @param {string} service - Service name
+     * @param {string} operation - Operation name
+     * @param {string} fieldPath - Full dot-notation path
+     * @param {Array} findings - Accumulator for findings
+     */
+    _validateField(value, fieldShape, model, service, operation, fieldPath, findings) {
+        if (value === null || value === undefined) return;
+
+        switch (fieldShape.type) {
+        case 'string':
+            this._validateString(value, fieldShape, service, operation, fieldPath, findings);
+            break;
+        case 'integer':
+        case 'long':
+            this._validateInteger(value, fieldShape, service, operation, fieldPath, findings);
+            break;
+        case 'float':
+        case 'double':
+            this._validateNumeric(value, fieldShape, service, operation, fieldPath, findings);
+            break;
+        case 'boolean':
+            this._validateBoolean(value, service, operation, fieldPath, findings);
+            break;
+        case 'list':
+            this._validateList(value, fieldShape, model, service, operation, fieldPath, findings);
+            break;
+        case 'structure':
+            this._validateStructure(value, fieldShape, model, service, operation, fieldPath, findings);
+            break;
+        }
+    }
+
+    /**
+     * Validate a string field.
+     */
+    _validateString(value, fieldShape, service, operation, fieldPath, findings) {
+        if (typeof value !== 'string') {
+            findings.push({
+                service,
+                operation,
+                fieldPath,
+                invalidValue: value,
+                constraint: { type: 'type', expected: 'string', actual: typeof value },
+                severity: 'error',
+                confidence: 'definitive',
+                source: this.name,
+                remediationHint: `Expected a string value but got ${typeof value}.`
+            });
+            return;
+        }
+
+        // Pattern validation (only when no enum — enum validator handles enum shapes)
+        if (fieldShape.pattern && !fieldShape.enum) {
+            try {
+                const regex = new RegExp(fieldShape.pattern);
+                if (!regex.test(value)) {
+                    findings.push({
+                        service,
+                        operation,
+                        fieldPath,
+                        invalidValue: value,
+                        constraint: { type: 'pattern', pattern: fieldShape.pattern },
+                        severity: 'error',
+                        confidence: 'definitive',
+                        source: this.name,
+                        remediationHint: `Value "${value}" does not match required pattern: ${fieldShape.pattern}`
+                    });
+                }
+            } catch (e) {
+                // Invalid regex in service model — skip pattern validation
+            }
+        }
+
+        // String length constraints
+        if (fieldShape.min != null && value.length < fieldShape.min) {
+            findings.push({
+                service,
+                operation,
+                fieldPath,
+                invalidValue: value,
+                constraint: { type: 'range', min: fieldShape.min, max: fieldShape.max },
+                severity: 'error',
+                confidence: 'definitive',
+                source: this.name,
+                remediationHint: `String length ${value.length} is below minimum ${fieldShape.min}.`
+            });
+        }
+        if (fieldShape.max != null && value.length > fieldShape.max) {
+            findings.push({
+                service,
+                operation,
+                fieldPath,
+                invalidValue: value,
+                constraint: { type: 'range', min: fieldShape.min, max: fieldShape.max },
+                severity: 'error',
+                confidence: 'definitive',
+                source: this.name,
+                remediationHint: `String length ${value.length} exceeds maximum ${fieldShape.max}.`
+            });
+        }
+    }
+
+    /**
+     * Validate an integer field.
+     */
+    _validateInteger(value, fieldShape, service, operation, fieldPath, findings) {
+        if (typeof value !== 'number' || !Number.isInteger(value)) {
+            findings.push({
+                service,
+                operation,
+                fieldPath,
+                invalidValue: value,
+                constraint: { type: 'type', expected: 'integer', actual: typeof value },
+                severity: 'error',
+                confidence: 'definitive',
+                source: this.name,
+                remediationHint: `Expected an integer value but got ${typeof value === 'number' ? 'float' : typeof value}.`
+            });
+            return;
+        }
+
+        this._validateRange(value, fieldShape, service, operation, fieldPath, findings);
+    }
+
+    /**
+     * Validate a numeric (float/double) field.
+     */
+    _validateNumeric(value, fieldShape, service, operation, fieldPath, findings) {
+        if (typeof value !== 'number') {
+            findings.push({
+                service,
+                operation,
+                fieldPath,
+                invalidValue: value,
+                constraint: { type: 'type', expected: 'number', actual: typeof value },
+                severity: 'error',
+                confidence: 'definitive',
+                source: this.name,
+                remediationHint: `Expected a numeric value but got ${typeof value}.`
+            });
+            return;
+        }
+
+        this._validateRange(value, fieldShape, service, operation, fieldPath, findings);
+    }
+
+    /**
+     * Validate a boolean field.
+     */
+    _validateBoolean(value, service, operation, fieldPath, findings) {
+        if (typeof value !== 'boolean') {
+            findings.push({
+                service,
+                operation,
+                fieldPath,
+                invalidValue: value,
+                constraint: { type: 'type', expected: 'boolean', actual: typeof value },
+                severity: 'error',
+                confidence: 'definitive',
+                source: this.name,
+                remediationHint: `Expected a boolean value but got ${typeof value}.`
+            });
+        }
+    }
+
+    /**
+     * Validate a list field.
+     */
+    _validateList(value, fieldShape, model, service, operation, fieldPath, findings) {
+        if (!Array.isArray(value)) {
+            findings.push({
+                service,
+                operation,
+                fieldPath,
+                invalidValue: value,
+                constraint: { type: 'type', expected: 'list', actual: typeof value },
+                severity: 'error',
+                confidence: 'definitive',
+                source: this.name,
+                remediationHint: `Expected an array but got ${typeof value}.`
+            });
+            return;
+        }
+
+        // Recursively validate each element
+        if (fieldShape.member && fieldShape.member.shape) {
+            const elementShape = model.shapes.get(fieldShape.member.shape);
+            if (elementShape) {
+                for (let i = 0; i < value.length; i++) {
+                    this._validateField(
+                        value[i], elementShape, model, service, operation,
+                        `${fieldPath}[${i}]`, findings
+                    );
+                }
+            }
+        }
+    }
+
+    /**
+     * Validate numeric range constraints (min/max).
+     */
+    _validateRange(value, fieldShape, service, operation, fieldPath, findings) {
+        if (fieldShape.min != null && value < fieldShape.min) {
+            findings.push({
+                service,
+                operation,
+                fieldPath,
+                invalidValue: value,
+                constraint: { type: 'range', min: fieldShape.min, max: fieldShape.max },
+                severity: 'error',
+                confidence: 'definitive',
+                source: this.name,
+                remediationHint: `Value ${value} is below minimum ${fieldShape.min}.`
+            });
+        }
+        if (fieldShape.max != null && value > fieldShape.max) {
+            findings.push({
+                service,
+                operation,
+                fieldPath,
+                invalidValue: value,
+                constraint: { type: 'range', min: fieldShape.min, max: fieldShape.max },
+                severity: 'error',
+                confidence: 'definitive',
+                source: this.name,
+                remediationHint: `Value ${value} exceeds maximum ${fieldShape.max}.`
+            });
+        }
+    }
+}

package/src/prompt-adapter.js

@@ -1,12 +1,12 @@
 // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-import { select, input, confirm, checkbox, number, Separator } from '@inquirer/prompts';
+import { select, input, confirm, checkbox, number, password, Separator } from '@inquirer/prompts';
 
 /**
  * Maps Yeoman prompt type names to @inquirer/prompts runner functions.
  */
-const runners = { list: select, select, input, confirm, checkbox, number };
+const runners = { list: select, select, input, confirm, checkbox, number, password };
 
 /**
  * Runs a sequence of Yeoman-style prompt definitions using @inquirer/prompts.
@@ -55,6 +55,7 @@ export async function runPrompts(prompts, previousAnswers = {}, options = {}) {
         if (mappedChoices !== undefined) config.choices = mappedChoices;
         if (defaultVal !== undefined) config.default = defaultVal;
         if (prompt.validate) config.validate = prompt.validate;
+        if (prompt.mask !== undefined) config.mask = prompt.mask;
 
         answers[prompt.name] = await runner(config);
     }

package/templates/Dockerfile

@@ -10,7 +10,7 @@
 <% } %>
 
 <% if (framework !== 'transformers') { %>
-FROM <%= baseImage || 'python:3.12-slim' %>
+FROM <%= baseImage || 'public.ecr.aws/docker/library/python:3.12-slim' %>
 
 # Set a docker label to name this project, postpended with the build time
 LABEL project.name="<%= projectName %>-<%= buildTimestamp %>" \

package/templates/do/build

@@ -22,6 +22,33 @@ if ! command -v docker &> /dev/null; then
     exit 2
 fi
 
+# Always build for linux/amd64 — SageMaker runs x86_64 instances.
+# Without this, Apple Silicon Macs produce arm64 images that silently
+# fail on SageMaker with CannotStartContainerError.
+PLATFORM_FLAG="--platform linux/amd64"
+
+# --- Secrets Manager resolution (build-time) ---
+if [ -n "${HF_TOKEN_ARN:-}" ]; then
+    echo "🔐 Resolving HuggingFace token from Secrets Manager..."
+    HF_TOKEN=$(aws secretsmanager get-secret-value --secret-id "${HF_TOKEN_ARN}" --query SecretString --output text) || {
+        echo "❌ Failed to resolve HuggingFace token from Secrets Manager"
+        exit 3
+    }
+    export HF_TOKEN
+fi
+
+if [ -n "${NGC_API_KEY_ARN:-}" ]; then
+    echo "🔐 Resolving NGC API key from Secrets Manager..."
+    NGC_API_KEY=$(aws secretsmanager get-secret-value --secret-id "${NGC_API_KEY_ARN}" --query SecretString --output text) || {
+        echo "❌ Failed to resolve NGC API key from Secrets Manager"
+        exit 3
+    }
+    export NGC_API_KEY
+fi
+
+# NOTE: Build-time secrets are passed as --build-arg. The secret value may persist
+# in the image layer. A future improvement will use BuildKit --secret mounts.
+
 # Framework-specific build logic
 case "${DEPLOYMENT_CONFIG}" in
     transformers-tensorrt-llm)
@@ -41,12 +68,12 @@ case "${DEPLOYMENT_CONFIG}" in
         echo "${NGC_API_KEY}" | docker login nvcr.io --username '$oauthtoken' --password-stdin
         
         echo "🏗️  Building GPU-enabled image with TensorRT-LLM..."
-        docker build -t "${PROJECT_NAME}:latest" .
+        docker build ${PLATFORM_FLAG} -t "${PROJECT_NAME}:latest" .
         ;;
         
     transformers-vllm|transformers-sglang)
         echo "🏗️  Building GPU-enabled image..."
-        docker build -t "${PROJECT_NAME}:latest" .
+        docker build ${PLATFORM_FLAG} -t "${PROJECT_NAME}:latest" .
         ;;
         
     transformers-lmi|transformers-djl)
@@ -55,12 +82,17 @@ case "${DEPLOYMENT_CONFIG}" in
         aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 763104351884.dkr.ecr.us-east-1.amazonaws.com
         
         echo "🏗️  Building GPU-enabled image..."
-        docker build -t "${PROJECT_NAME}:latest" .
+        docker build ${PLATFORM_FLAG} -t "${PROJECT_NAME}:latest" .
         ;;
         
-    sklearn-*|xgboost-*|tensorflow-*)
+    sklearn-*|xgboost-*|tensorflow-*|http-flask|http-fastapi)
         echo "🏗️  Building CPU-optimized image..."
-        docker build -t "${PROJECT_NAME}:latest" .
+        docker build ${PLATFORM_FLAG} -t "${PROJECT_NAME}:latest" .
+        ;;
+
+    triton-*)
+        echo "🏗️  Building Triton Inference Server image..."
+        docker build ${PLATFORM_FLAG} -t "${PROJECT_NAME}:latest" .
         ;;
         
     *)

package/templates/do/config

@@ -151,17 +151,29 @@ export <%= key %>=${<%= key %>:-<%= value %>}
 # Framework-specific configuration
 <% if (framework === 'transformers') { %>
 export MODEL_NAME="<%= modelName %>"
-<% if (hfToken) { %>
+# Secrets Manager integration: when an ARN is configured, do-scripts resolve the
+# secret at the appropriate stage (build-time or runtime). When a plaintext value
+# is configured, it is exported directly. The _ARN suffix signals resolution is needed.
+<% if (typeof hfTokenArn !== 'undefined' && hfTokenArn) { %>
+export HF_TOKEN_ARN="<%= hfTokenArn %>"
+<% } else if (hfToken) { %>
 export HF_TOKEN="<%= hfToken %>"
 <% } %>
-<% if (ngcApiKey) { %>
+<% if (typeof ngcTokenArn !== 'undefined' && ngcTokenArn) { %>
+export NGC_API_KEY_ARN="<%= ngcTokenArn %>"
+<% } else if (ngcApiKey) { %>
 export NGC_API_KEY="<%= ngcApiKey %>"
 <% } %>
 <% } %>
 
 <% if (framework === 'diffusors') { %>
 export MODEL_NAME="<%= modelName %>"
-<% if (hfToken) { %>
+# Secrets Manager integration: when an ARN is configured, do-scripts resolve the
+# secret at the appropriate stage (build-time or runtime). When a plaintext value
+# is configured, it is exported directly. The _ARN suffix signals resolution is needed.
+<% if (typeof hfTokenArn !== 'undefined' && hfTokenArn) { %>
+export HF_TOKEN_ARN="<%= hfTokenArn %>"
+<% } else if (hfToken) { %>
 export HF_TOKEN="<%= hfToken %>"
 <% } %>
 <% } %>