@codyswann/lisa 1.0.0 → 1.0.5

package/all/create-only/scripts/setup-deploy-key.sh

@@ -0,0 +1,190 @@
+#!/usr/bin/env bash
+#
+# Setup GitHub Deploy Key for CI/CD
+#
+# This script creates an SSH key pair and configures it as a deploy key
+# with write access, enabling GitHub Actions to push to protected branches.
+#
+# Usage:
+#   ./scripts/setup-deploy-key.sh
+#
+# Requirements:
+#   - ssh-keygen (usually pre-installed)
+#   - gh CLI (optional, for automatic setup)
+#
+
+set -euo pipefail
+
+# Colors for output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m' # No Color
+
+print_step() {
+  echo -e "${BLUE}==>${NC} $1"
+}
+
+print_success() {
+  echo -e "${GREEN}✓${NC} $1"
+}
+
+print_warning() {
+  echo -e "${YELLOW}!${NC} $1"
+}
+
+print_error() {
+  echo -e "${RED}✗${NC} $1"
+}
+
+# Check if we're in a git repository
+if ! git rev-parse --is-inside-work-tree &>/dev/null; then
+  print_error "Not in a git repository. Please run from your project root."
+  exit 1
+fi
+
+# Get repository info
+REPO_URL=$(git remote get-url origin 2>/dev/null || echo "")
+if [[ -z "$REPO_URL" ]]; then
+  print_error "No git remote 'origin' found."
+  exit 1
+fi
+
+# Extract owner/repo from URL
+if [[ "$REPO_URL" =~ github\.com[:/]([^/]+)/([^/.]+)(\.git)?$ ]]; then
+  OWNER="${BASH_REMATCH[1]}"
+  REPO="${BASH_REMATCH[2]}"
+else
+  print_error "Could not parse GitHub repository from remote URL: $REPO_URL"
+  exit 1
+fi
+
+echo ""
+echo "=============================================="
+echo "  GitHub Deploy Key Setup"
+echo "=============================================="
+echo ""
+echo "Repository: $OWNER/$REPO"
+echo ""
+
+# Check for existing key
+KEY_FILE="deploy_key"
+if [[ -f "$KEY_FILE" ]] || [[ -f "${KEY_FILE}.pub" ]]; then
+  print_warning "Deploy key files already exist in current directory."
+  read -p "Overwrite? (y/N) " -n 1 -r
+  echo
+  if [[ ! $REPLY =~ ^[Yy]$ ]]; then
+    echo "Aborted."
+    exit 0
+  fi
+  rm -f "$KEY_FILE" "${KEY_FILE}.pub"
+fi
+
+# Generate SSH key
+print_step "Generating SSH key pair..."
+ssh-keygen -t ed25519 -C "github-actions-deploy-key-${REPO}" -f "$KEY_FILE" -N "" -q
+print_success "Generated $KEY_FILE and ${KEY_FILE}.pub"
+
+# Check if gh CLI is available and authenticated
+GH_AVAILABLE=false
+if command -v gh &>/dev/null; then
+  if gh auth status &>/dev/null; then
+    GH_AVAILABLE=true
+  fi
+fi
+
+if $GH_AVAILABLE; then
+  echo ""
+  print_step "GitHub CLI detected. Attempting automatic setup..."
+  echo ""
+
+  # Add deploy key with write access
+  print_step "Adding deploy key to repository..."
+  if gh repo deploy-key add "${KEY_FILE}.pub" \
+    --repo "$OWNER/$REPO" \
+    --title "GitHub Actions Deploy Key" \
+    --allow-write 2>/dev/null; then
+    print_success "Deploy key added with write access"
+  else
+    print_warning "Could not add deploy key automatically."
+    print_warning "You may not have admin permissions, or the key already exists."
+    echo ""
+    echo "Manual step required:"
+    echo "  1. Go to: https://github.com/$OWNER/$REPO/settings/keys"
+    echo "  2. Click 'Add deploy key'"
+    echo "  3. Title: GitHub Actions Deploy Key"
+    echo "  4. Key: (contents of ${KEY_FILE}.pub)"
+    echo "  5. Check 'Allow write access'"
+    echo ""
+  fi
+
+  # Add secret
+  print_step "Adding DEPLOY_KEY secret..."
+  if gh secret set DEPLOY_KEY --repo "$OWNER/$REPO" < "$KEY_FILE" 2>/dev/null; then
+    print_success "DEPLOY_KEY secret added"
+  else
+    print_warning "Could not add secret automatically."
+    echo ""
+    echo "Manual step required:"
+    echo "  1. Go to: https://github.com/$OWNER/$REPO/settings/secrets/actions"
+    echo "  2. Click 'New repository secret'"
+    echo "  3. Name: DEPLOY_KEY"
+    echo "  4. Value: (entire contents of $KEY_FILE file)"
+    echo ""
+  fi
+
+else
+  echo ""
+  print_warning "GitHub CLI not found or not authenticated."
+  print_warning "Please complete setup manually:"
+  echo ""
+  echo "1. Add the PUBLIC key as a Deploy Key:"
+  echo "   - Go to: https://github.com/$OWNER/$REPO/settings/keys"
+  echo "   - Click 'Add deploy key'"
+  echo "   - Title: GitHub Actions Deploy Key"
+  echo "   - Key: (copy from below)"
+  echo "   - Check 'Allow write access'"
+  echo "   - Click 'Add key'"
+  echo ""
+  echo "   Public key contents:"
+  echo "   ─────────────────────────────────────────"
+  cat "${KEY_FILE}.pub"
+  echo "   ─────────────────────────────────────────"
+  echo ""
+  echo "2. Add the PRIVATE key as a Repository Secret:"
+  echo "   - Go to: https://github.com/$OWNER/$REPO/settings/secrets/actions"
+  echo "   - Click 'New repository secret'"
+  echo "   - Name: DEPLOY_KEY"
+  echo "   - Value: (entire contents of $KEY_FILE file, including BEGIN/END lines)"
+  echo "   - Click 'Add secret'"
+  echo ""
+  echo "   To copy the private key:"
+  echo "   cat $KEY_FILE | pbcopy  # macOS"
+  echo "   cat $KEY_FILE | xclip   # Linux"
+  echo ""
+fi
+
+# Cleanup prompt
+echo ""
+echo "=============================================="
+echo "  Cleanup"
+echo "=============================================="
+echo ""
+print_warning "The key files contain sensitive data!"
+echo ""
+read -p "Delete local key files now? (Y/n) " -n 1 -r
+echo
+if [[ ! $REPLY =~ ^[Nn]$ ]]; then
+  rm -f "$KEY_FILE" "${KEY_FILE}.pub"
+  print_success "Deleted $KEY_FILE and ${KEY_FILE}.pub"
+else
+  print_warning "Key files kept. Remember to delete them after setup!"
+  echo "  rm $KEY_FILE ${KEY_FILE}.pub"
+fi
+
+echo ""
+print_success "Deploy key setup complete!"
+echo ""
+echo "Your GitHub Actions workflows can now push to protected branches."
+echo ""

package/all/deletions.json

@@ -0,0 +1,5 @@
+{
+  "paths": [
+    ".claude/skills/coding-philosophy"
+  ]
+}

package/cdk/copy-overwrite/.github/workflows/ci.yml

@@ -0,0 +1,142 @@
+# This file is managed by Lisa.
+# Do not edit directly — changes will be overwritten on the next `lisa` run.
+
+name: 🔍 CI Quality Checks
+
+on:
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  determine_environment:
+    name: 🌍 Determine Environment
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    outputs:
+      environment: ${{ steps.env.outputs.environment }}
+      cdk_env: ${{ steps.env.outputs.cdk_env }}
+      aws_account_id: ${{ steps.env.outputs.aws_account_id }}
+      role_arn: ${{ steps.env.outputs.role_arn }}
+    steps:
+      - name: 🔄 Set environment
+        id: env
+        run: |
+          # For workflow dispatch, use the input
+          if [ "${{ github.event_name }}" == "workflow_dispatch" ]; then
+            TARGET_ENV="${{ github.event.inputs.environment }}"
+          # For pull requests, use the target branch
+          elif [ "${{ github.event_name }}" == "pull_request" ]; then
+            TARGET_BRANCH="${{ github.base_ref }}"
+            case $TARGET_BRANCH in
+              main)
+                TARGET_ENV="production"
+                ;;
+              staging)
+                TARGET_ENV="staging"
+                ;;
+              dev)
+                TARGET_ENV="dev"
+                ;;
+              *)
+                TARGET_ENV="dev"  # Default to dev for other branches
+                ;;
+            esac
+          else
+            TARGET_ENV="dev"  # Default fallback
+          fi
+
+          echo "environment=$TARGET_ENV" >> $GITHUB_OUTPUT
+
+          # Map to CDK environment name
+          case $TARGET_ENV in
+            production)
+              echo "cdk_env=production" >> $GITHUB_OUTPUT
+              echo "aws_account_id=017820663592" >> $GITHUB_OUTPUT
+              echo "role_arn=arn:aws:iam::017820663592:role/DeployServiceRole" >> $GITHUB_OUTPUT
+              ;;
+            staging)
+              echo "cdk_env=staging" >> $GITHUB_OUTPUT
+              echo "aws_account_id=017820663537" >> $GITHUB_OUTPUT
+              echo "role_arn=arn:aws:iam::017820663537:role/DeployServiceRole" >> $GITHUB_OUTPUT
+              ;;
+            dev|*)
+              echo "cdk_env=dev" >> $GITHUB_OUTPUT
+              echo "aws_account_id=017820663466" >> $GITHUB_OUTPUT
+              echo "role_arn=arn:aws:iam::017820663466:role/DeployServiceRole" >> $GITHUB_OUTPUT
+              ;;
+          esac
+
+  cdk-checks:
+    name: 🏗️ CDK Validation
+    needs: [determine_environment]
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    permissions:
+      id-token: write # needed to interact with GitHub's OIDC Token endpoint.
+      contents: read
+    steps:
+      - name: 📥 Checkout
+        uses: actions/checkout@v4
+
+      - name: 🔧 Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '22.21.1'
+
+      - name: 📦 Install dependencies
+        run: npm ci
+
+      - name: 🏗️ Build project
+        run: npm run build
+
+      - name: 🔧 Install CDK
+        run: npm install -g aws-cdk
+
+      - name: 🔑 Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ needs.determine_environment.outputs.role_arn }}
+          role-session-name: cdk-ci-checks
+          aws-region: us-east-1
+
+      - name: 📋 CDK Synth
+        run: |
+          echo "🔍 Running CDK synth for ${{ needs.determine_environment.outputs.environment }} environment..."
+          export CDK_DEFAULT_ACCOUNT=${{ secrets.AWS_INFRA_ACCOUNT_ID }}
+          export CDK_DEFAULT_REGION=us-east-1
+
+          npx cdk synth --all \
+            --quiet
+
+      - name: 🔍 CDK Diff
+        run: |
+          echo "📊 Running CDK diff for ${{ needs.determine_environment.outputs.environment }} environment..."
+          export CDK_DEFAULT_ACCOUNT=${{ secrets.AWS_INFRA_ACCOUNT_ID }}
+          export CDK_DEFAULT_REGION=us-east-1
+
+          npx cdk diff --all \
+            || true  # Don't fail on diff, just report changes
+
+      - name: 🧪 Run Tests (including snapshots)
+        run: |
+          echo "🧪 Running unit tests with snapshot validation..."
+          npm test
+
+  quality:
+    name: 🔍 Quality Checks
+    needs: [determine_environment, cdk-checks] # Ensure CDK checks pass first
+    # Reference to the quality checks workflow
+    uses: ./.github/workflows/quality.yml
+    with:
+      node_version: '22.21.1'
+      package_manager: 'bun'
+    secrets: inherit
+  create_issue_on_failure:
+    name: 📌 Create Issue on Failure
+    needs: [determine_environment, cdk-checks, quality]
+    if: ${{ always() && (needs.cdk-checks.result == 'failure' || needs.quality.result == 'failure') && !contains(github.event.head_commit.message, '[skip ci]') }}
+    uses: ./.github/workflows/create-issue-on-failure.yml
+    with:
+      workflow_name: 'CI Quality Checks'
+      failed_job: ${{ needs.cdk-checks.result == 'failure' && 'cdk-checks' || 'quality' }}
+    secrets: inherit

package/cdk/copy-overwrite/.github/workflows/deploy.yml

@@ -0,0 +1,59 @@
+# This file is managed by Lisa.
+# Do not edit directly — changes will be overwritten on the next `lisa` run.
+
+name: 🚀 Release and Deploy
+
+on:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: 'Environment to deploy to'
+        required: true
+        default: 'main'
+        type: choice
+        options:
+          - main
+
+# Prevent concurrent runs of the same workflow on the same ref
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  # Environment setup
+  determine_environment:
+    name: 🌍 Determine Environment
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    outputs:
+      environment: ${{ steps.env.outputs.environment }}
+    steps:
+      - name: 🔄 Set environment
+        id: env
+        run: |
+          if [ "${{ github.event_name }}" == "workflow_dispatch" ]; then
+            echo "environment=${{ github.event.inputs.environment }}" >> $GITHUB_OUTPUT
+          else
+            echo "environment=${{ github.ref_name }}" >> $GITHUB_OUTPUT
+          fi
+
+  release:
+    name: 📦 Release
+    # Reference to the quality checks workflow
+    uses: ./.github/workflows/release.yml
+    needs: [determine_environment]
+    with:
+      environment: ${{ needs.determine_environment.outputs.environment }}
+      release_strategy: 'semantic'
+      skip_jobs: 'test:e2e,test:integration'
+      require_approval: false
+      require_signatures: false
+      generate_sbom: true
+      override_blackout: true
+      node_version: '22.21.1'
+      package_manager: 'bun'
+    secrets: inherit
+# Trigger staging deployment after CDK trust fix

package/cdk/copy-overwrite/eslint.cdk.ts

@@ -0,0 +1,175 @@
+/**
+ * This file is managed by Lisa.
+ * Do not edit directly — changes will be overwritten on the next `lisa` run.
+ */
+
+/**
+ * ESLint 9 Flat Config - CDK Stack
+ *
+ * This configuration extends TypeScript config for AWS CDK projects.
+ * It adjusts rules for CDK patterns like constructs, stacks, and
+ * infrastructure-as-code conventions.
+ *
+ * Inheritance chain:
+ *   eslint.cdk.ts (this file)
+ *   └── eslint.typescript.ts
+ *       └── eslint.base.ts
+ *
+ * @see https://eslint.org/docs/latest/use/configure/configuration-files-new
+ * @module eslint.cdk
+ */
+
+// Import TypeScript config and utilities
+import {
+  codeOrganization,
+  defaultIgnores,
+  defaultThresholds,
+  getBaseConfigs,
+  getBaseLanguageOptions,
+  getJsFilesOverride,
+  getSharedFilesOverride,
+  getSharedRules,
+  getTestFilesOverride,
+  getTsFilesOverride,
+  getTsTestFilesOverride,
+} from "./eslint.typescript";
+
+// Re-export for downstream configs
+export {
+  defaultIgnores,
+  defaultThresholds,
+  getBaseConfigs,
+  getBaseLanguageOptions,
+  getSharedRules,
+};
+
+// CDK-specific ignores
+const cdkIgnores = [
+  ...defaultIgnores,
+  "cdk.out/**",
+  "*.js", // CDK generates JS files
+  "*.d.ts",
+];
+
+/**
+ * Creates the CDK ESLint configuration.
+ *
+ * @param {object} options - Configuration options
+ * @param {string} options.tsconfigRootDir - Root directory for tsconfig.json
+ * @param {string[]} [options.ignorePatterns] - Patterns to ignore
+ * @param {object} [options.thresholds] - Threshold overrides
+ * @returns {Array} ESLint flat config array
+ */
+export function getCdkConfig({
+  tsconfigRootDir,
+  ignorePatterns = cdkIgnores,
+  thresholds = defaultThresholds,
+}: {
+  tsconfigRootDir: string;
+  ignorePatterns?: string[];
+  thresholds?: typeof defaultThresholds;
+}) {
+  return [
+    // Global ignores
+    {
+      ignores: ignorePatterns,
+    },
+
+    // Base configurations from shared module
+    ...getBaseConfigs(),
+
+    // Base configuration for all files
+    {
+      languageOptions: getBaseLanguageOptions(),
+      plugins: {
+        "code-organization": codeOrganization,
+      },
+      rules: {
+        // Shared rules from base
+        ...getSharedRules(thresholds),
+
+        // Code organization
+        "code-organization/enforce-statement-order": "error",
+
+        // Configuration enforcement - prevent direct process.env access
+        // All configuration should go through config module
+        // @see .claude/rules/PROJECT_RULES.md
+        "no-restricted-syntax": [
+          "error",
+          {
+            selector:
+              "MemberExpression[object.name='process'][property.name='env']",
+            message:
+              "Direct process.env access is forbidden. Use config module for type-safe configuration. See .claude/rules/PROJECT_RULES.md.",
+          },
+        ],
+
+        // CDK uses classes for constructs and stacks
+        "functional/no-classes": "off",
+
+        // CDK constructs and stacks require documentation
+        "jsdoc/require-jsdoc": [
+          "error",
+          {
+            require: {
+              FunctionDeclaration: true,
+              MethodDefinition: true,
+              ClassDeclaration: true,
+              ArrowFunctionExpression: false,
+              FunctionExpression: false,
+            },
+            contexts: [
+              "TSInterfaceDeclaration",
+              "TSTypeAliasDeclaration",
+              "VariableDeclaration[declarations.0.init.type='ArrowFunctionExpression']:has([id.name=/^[A-Z]/])",
+            ],
+          },
+        ],
+      },
+    },
+
+    // JavaScript files override
+    getJsFilesOverride(),
+
+    // Shared hooks and components
+    getSharedFilesOverride(),
+
+    // Test files
+    getTestFilesOverride(),
+
+    // TypeScript files - enable type-checked linting
+    getTsFilesOverride(["**/*.ts"], tsconfigRootDir),
+
+    // TypeScript test files - disable immutable-data
+    getTsTestFilesOverride(["**/*.test.ts", "**/*.spec.ts"]),
+
+    // CDK bin files - entry points can access process.env for stage selection
+    {
+      files: ["bin/**/*.ts"],
+      rules: {
+        "no-restricted-syntax": "off",
+      },
+    },
+
+    // Configuration files - allowed to use process.env directly
+    {
+      files: ["**/*config.*", "**/config/**/*.ts"],
+      rules: {
+        "no-restricted-syntax": "off",
+      },
+    },
+
+    // Lambda handlers - often have different constraints
+    {
+      files: [
+        "**/lambda/**/*.ts",
+        "**/lambdas/**/*.ts",
+        "**/functions/**/*.ts",
+      ],
+      rules: {
+        // Lambda cold starts benefit from simpler code
+        "sonarjs/cognitive-complexity": ["error", 15],
+      },
+    },
+  ];
+}

package/cdk/copy-overwrite/eslint.config.ts

@@ -0,0 +1,51 @@
+/**
+ * This file is managed by Lisa.
+ * Do not edit directly — changes will be overwritten on the next `lisa` run.
+ */
+
+/**
+ * ESLint 9 Flat Config - Main Entry Point (CDK)
+ *
+ * This file imports the CDK-specific configuration and project-local customizations.
+ * Do not modify this file directly - use eslint.config.local.ts for project-specific rules.
+ *
+ * Inheritance chain:
+ *   eslint.config.ts (this file)
+ *   └── eslint.cdk.ts
+ *       └── eslint.typescript.ts
+ *           └── eslint.base.ts
+ *
+ * @see https://eslint.org/docs/latest/use/configure/configuration-files-new
+ * @module eslint.config
+ */
+import { createRequire } from "module";
+import path from "path";
+import { fileURLToPath } from "url";
+
+import { defaultIgnores, defaultThresholds, getCdkConfig } from "./eslint.cdk";
+
+// Project-specific configuration loaded from JSON files (use createRequire for compatibility)
+const require = createRequire(import.meta.url);
+const ignoreConfig = require("./eslint.ignore.config.json");
+const thresholdsConfig = require("./eslint.thresholds.json");
+
+// Project-local customizations (create-only - safe to modify)
+import localConfig from "./eslint.config.local";
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+
+const ignorePatterns = ignoreConfig.ignores || defaultIgnores;
+const thresholds = { ...defaultThresholds, ...thresholdsConfig };
+
+export default [
+  // Stack-specific configuration (CDK)
+  ...getCdkConfig({
+    tsconfigRootDir: __dirname,
+    ignorePatterns,
+    thresholds,
+  }),
+
+  // Project-local customizations
+  ...localConfig,
+];

package/cdk/copy-overwrite/eslint.slow.config.ts

@@ -0,0 +1,80 @@
+/**
+ * This file is managed by Lisa.
+ * Do not edit directly — changes will be overwritten on the next `lisa` run.
+ */
+
+/**
+ * ESLint 9 Flat Config - Slow Rules Only (CDK)
+ *
+ * This configuration runs ONLY slow linting rules that are disabled in the
+ * main eslint.config.ts for performance. Run this periodically via `lint:slow`
+ * rather than on every lint pass.
+ *
+ * Rules included:
+ * - import/namespace - Type checks all namespace imports (slow)
+ * - import/no-cycle - Detects circular dependencies (very slow)
+ *
+ * @see https://github.com/import-js/eslint-plugin-import
+ * @module eslint.slow.config
+ */
+import { createRequire } from "module";
+
+import importPlugin from "eslint-plugin-import";
+import sonarjsPlugin from "eslint-plugin-sonarjs";
+import tseslint from "typescript-eslint";
+
+// Use createRequire for JSON imports (compatible with CDK's CommonJS tsconfig)
+const require = createRequire(import.meta.url);
+const ignoreConfig = require("./eslint.ignore.config.json");
+
+const ignorePatterns = ignoreConfig.ignores || [];
+
+// Get the TypeScript flat config from the import plugin
+const importTypescriptConfig = importPlugin.flatConfigs.typescript;
+
+export default [
+  // Use same ignores as main config, plus ignore all non-TS files
+  // This prevents errors from inline eslint directives in JS files
+  // that reference rules not loaded in this minimal config
+  {
+    ignores: [
+      ...ignorePatterns,
+      "**/*.js",
+      "**/*.mjs",
+      "**/*.cjs",
+      "**/*.jsx",
+      "cdk.out/**",
+    ],
+  },
+
+  // TypeScript files - slow import rules only
+  {
+    files: ["**/*.ts", "**/*.tsx"],
+    languageOptions: {
+      parser: tseslint.parser,
+      parserOptions: {
+        project: "tsconfig.eslint.json",
+      },
+    },
+    plugins: {
+      ...(importTypescriptConfig?.plugins ?? {}),
+      sonarjs: sonarjsPlugin,
+    },
+    settings: {
+      ...(importTypescriptConfig?.settings ?? {}),
+      "import/resolver": {
+        ...((importTypescriptConfig?.settings?.["import/resolver"] as Record<
+          string,
+          unknown
+        >) ?? {}),
+        typescript: true,
+      },
+    },
+    rules: {
+      // ONLY slow rules - everything else runs in the main config
+      "import/namespace": "error",
+      "import/no-cycle": "error",
+      "sonarjs/deprecation": "error",
+    },
+  },
+];