@codyswann/lisa 2.178.5 → 2.179.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (142) hide show
  1. package/dist/configs/eslint/phaser.d.ts +2 -8
  2. package/dist/configs/eslint/phaser.d.ts.map +1 -1
  3. package/dist/configs/eslint/phaser.js +143 -17
  4. package/dist/configs/eslint/phaser.js.map +1 -1
  5. package/eslint-plugin-phaser/README.md +19 -0
  6. package/eslint-plugin-phaser/index.js +35 -0
  7. package/eslint-plugin-phaser/package.json +10 -0
  8. package/eslint-plugin-phaser/rules/no-allocation-in-update.js +189 -0
  9. package/eslint-plugin-phaser/rules/no-create-in-update.js +200 -0
  10. package/eslint-plugin-phaser/rules/require-shutdown-cleanup.js +191 -0
  11. package/package.json +5 -3
  12. package/phaser/package-lisa/package.lisa.json +11 -3
  13. package/plugins/lisa/.claude-plugin/plugin.json +1 -1
  14. package/plugins/lisa/.codex-plugin/plugin.json +1 -1
  15. package/plugins/lisa/skills/analyze-claude-remote/SKILL.md +72 -2
  16. package/plugins/lisa/skills/generate-claude-remote-build-script/SKILL.md +30 -1
  17. package/plugins/lisa-agy/plugin.json +1 -1
  18. package/plugins/lisa-agy/skills/analyze-claude-remote/SKILL.md +72 -2
  19. package/plugins/lisa-agy/skills/generate-claude-remote-build-script/SKILL.md +30 -1
  20. package/plugins/lisa-cdk/.claude-plugin/plugin.json +1 -1
  21. package/plugins/lisa-cdk/.codex-plugin/plugin.json +1 -1
  22. package/plugins/lisa-cdk-agy/plugin.json +1 -1
  23. package/plugins/lisa-cdk-copilot/.claude-plugin/plugin.json +1 -1
  24. package/plugins/lisa-cdk-cursor/.claude-plugin/plugin.json +1 -1
  25. package/plugins/lisa-copilot/.claude-plugin/plugin.json +1 -1
  26. package/plugins/lisa-copilot/skills/analyze-claude-remote/SKILL.md +72 -2
  27. package/plugins/lisa-copilot/skills/generate-claude-remote-build-script/SKILL.md +30 -1
  28. package/plugins/lisa-cursor/.claude-plugin/plugin.json +1 -1
  29. package/plugins/lisa-cursor/skills/analyze-claude-remote/SKILL.md +72 -2
  30. package/plugins/lisa-cursor/skills/generate-claude-remote-build-script/SKILL.md +30 -1
  31. package/plugins/lisa-expo/.claude-plugin/plugin.json +1 -1
  32. package/plugins/lisa-expo/.codex-plugin/plugin.json +1 -1
  33. package/plugins/lisa-expo/agents/ops-specialist.md +2 -2
  34. package/plugins/lisa-expo/skills/ops-check-logs/SKILL.md +8 -2
  35. package/plugins/lisa-expo/skills/ops-db-ops/SKILL.md +7 -3
  36. package/plugins/lisa-expo/skills/ops-deploy/SKILL.md +6 -2
  37. package/plugins/lisa-expo/skills/ops-run-local/SKILL.md +5 -2
  38. package/plugins/lisa-expo-agy/agents/ops-specialist.md +2 -2
  39. package/plugins/lisa-expo-agy/plugin.json +1 -1
  40. package/plugins/lisa-expo-agy/skills/ops-check-logs/SKILL.md +8 -2
  41. package/plugins/lisa-expo-agy/skills/ops-db-ops/SKILL.md +7 -3
  42. package/plugins/lisa-expo-agy/skills/ops-deploy/SKILL.md +6 -2
  43. package/plugins/lisa-expo-agy/skills/ops-run-local/SKILL.md +5 -2
  44. package/plugins/lisa-expo-copilot/.claude-plugin/plugin.json +1 -1
  45. package/plugins/lisa-expo-copilot/agents/ops-specialist.agent.md +2 -2
  46. package/plugins/lisa-expo-copilot/skills/ops-check-logs/SKILL.md +8 -2
  47. package/plugins/lisa-expo-copilot/skills/ops-db-ops/SKILL.md +7 -3
  48. package/plugins/lisa-expo-copilot/skills/ops-deploy/SKILL.md +6 -2
  49. package/plugins/lisa-expo-copilot/skills/ops-run-local/SKILL.md +5 -2
  50. package/plugins/lisa-expo-cursor/.claude-plugin/plugin.json +1 -1
  51. package/plugins/lisa-expo-cursor/agents/ops-specialist.md +2 -2
  52. package/plugins/lisa-expo-cursor/skills/ops-check-logs/SKILL.md +8 -2
  53. package/plugins/lisa-expo-cursor/skills/ops-db-ops/SKILL.md +7 -3
  54. package/plugins/lisa-expo-cursor/skills/ops-deploy/SKILL.md +6 -2
  55. package/plugins/lisa-expo-cursor/skills/ops-run-local/SKILL.md +5 -2
  56. package/plugins/lisa-harper-fabric/.claude-plugin/plugin.json +1 -1
  57. package/plugins/lisa-harper-fabric/.codex-plugin/plugin.json +1 -1
  58. package/plugins/lisa-harper-fabric-agy/plugin.json +1 -1
  59. package/plugins/lisa-harper-fabric-copilot/.claude-plugin/plugin.json +1 -1
  60. package/plugins/lisa-harper-fabric-cursor/.claude-plugin/plugin.json +1 -1
  61. package/plugins/lisa-nestjs/.claude-plugin/plugin.json +1 -1
  62. package/plugins/lisa-nestjs/.codex-plugin/plugin.json +1 -1
  63. package/plugins/lisa-nestjs-agy/plugin.json +1 -1
  64. package/plugins/lisa-nestjs-copilot/.claude-plugin/plugin.json +1 -1
  65. package/plugins/lisa-nestjs-cursor/.claude-plugin/plugin.json +1 -1
  66. package/plugins/lisa-openclaw/.claude-plugin/plugin.json +1 -1
  67. package/plugins/lisa-openclaw/.codex-plugin/plugin.json +1 -1
  68. package/plugins/lisa-openclaw-agy/plugin.json +1 -1
  69. package/plugins/lisa-openclaw-copilot/.claude-plugin/plugin.json +1 -1
  70. package/plugins/lisa-openclaw-cursor/.claude-plugin/plugin.json +1 -1
  71. package/plugins/lisa-phaser/.claude-plugin/plugin.json +1 -1
  72. package/plugins/lisa-phaser/.codex-plugin/plugin.json +1 -1
  73. package/plugins/lisa-phaser/rules/phaser.md +111 -44
  74. package/plugins/lisa-phaser/skills/phaser-accessibility/SKILL.md +135 -0
  75. package/plugins/lisa-phaser/skills/phaser-accessibility/agents/openai.yaml +4 -0
  76. package/plugins/lisa-phaser/skills/phaser-asset-pipeline/SKILL.md +148 -0
  77. package/plugins/lisa-phaser/skills/phaser-asset-pipeline/agents/openai.yaml +4 -0
  78. package/plugins/lisa-phaser/skills/phaser-build-deploy/SKILL.md +148 -0
  79. package/plugins/lisa-phaser/skills/phaser-build-deploy/agents/openai.yaml +4 -0
  80. package/plugins/lisa-phaser/skills/phaser-i18n/SKILL.md +122 -0
  81. package/plugins/lisa-phaser/skills/phaser-i18n/agents/openai.yaml +4 -0
  82. package/plugins/lisa-phaser/skills/phaser-services/SKILL.md +208 -0
  83. package/plugins/lisa-phaser/skills/phaser-services/agents/openai.yaml +4 -0
  84. package/plugins/lisa-phaser/skills/phaser-testing/SKILL.md +103 -10
  85. package/plugins/lisa-phaser-agy/plugin.json +1 -1
  86. package/plugins/lisa-phaser-agy/skills/phaser-accessibility/SKILL.md +135 -0
  87. package/plugins/lisa-phaser-agy/skills/phaser-asset-pipeline/SKILL.md +148 -0
  88. package/plugins/lisa-phaser-agy/skills/phaser-build-deploy/SKILL.md +148 -0
  89. package/plugins/lisa-phaser-agy/skills/phaser-i18n/SKILL.md +122 -0
  90. package/plugins/lisa-phaser-agy/skills/phaser-services/SKILL.md +208 -0
  91. package/plugins/lisa-phaser-agy/skills/phaser-testing/SKILL.md +103 -10
  92. package/plugins/lisa-phaser-copilot/.claude-plugin/plugin.json +1 -1
  93. package/plugins/lisa-phaser-copilot/rules/phaser.md +111 -44
  94. package/plugins/lisa-phaser-copilot/skills/phaser-accessibility/SKILL.md +135 -0
  95. package/plugins/lisa-phaser-copilot/skills/phaser-asset-pipeline/SKILL.md +148 -0
  96. package/plugins/lisa-phaser-copilot/skills/phaser-build-deploy/SKILL.md +148 -0
  97. package/plugins/lisa-phaser-copilot/skills/phaser-i18n/SKILL.md +122 -0
  98. package/plugins/lisa-phaser-copilot/skills/phaser-services/SKILL.md +208 -0
  99. package/plugins/lisa-phaser-copilot/skills/phaser-testing/SKILL.md +103 -10
  100. package/plugins/lisa-phaser-cursor/.claude-plugin/plugin.json +1 -1
  101. package/plugins/lisa-phaser-cursor/rules/phaser.mdc +111 -44
  102. package/plugins/lisa-phaser-cursor/skills/phaser-accessibility/SKILL.md +135 -0
  103. package/plugins/lisa-phaser-cursor/skills/phaser-asset-pipeline/SKILL.md +148 -0
  104. package/plugins/lisa-phaser-cursor/skills/phaser-build-deploy/SKILL.md +148 -0
  105. package/plugins/lisa-phaser-cursor/skills/phaser-i18n/SKILL.md +122 -0
  106. package/plugins/lisa-phaser-cursor/skills/phaser-services/SKILL.md +208 -0
  107. package/plugins/lisa-phaser-cursor/skills/phaser-testing/SKILL.md +103 -10
  108. package/plugins/lisa-rails/.claude-plugin/plugin.json +1 -1
  109. package/plugins/lisa-rails/.codex-plugin/plugin.json +1 -1
  110. package/plugins/lisa-rails/agents/ops-specialist.md +1 -1
  111. package/plugins/lisa-rails-agy/agents/ops-specialist.md +1 -1
  112. package/plugins/lisa-rails-agy/plugin.json +1 -1
  113. package/plugins/lisa-rails-copilot/.claude-plugin/plugin.json +1 -1
  114. package/plugins/lisa-rails-copilot/agents/ops-specialist.agent.md +1 -1
  115. package/plugins/lisa-rails-cursor/.claude-plugin/plugin.json +1 -1
  116. package/plugins/lisa-rails-cursor/agents/ops-specialist.md +1 -1
  117. package/plugins/lisa-typescript/.claude-plugin/plugin.json +1 -1
  118. package/plugins/lisa-typescript/.codex-plugin/plugin.json +1 -1
  119. package/plugins/lisa-typescript-agy/plugin.json +1 -1
  120. package/plugins/lisa-typescript-copilot/.claude-plugin/plugin.json +1 -1
  121. package/plugins/lisa-typescript-cursor/.claude-plugin/plugin.json +1 -1
  122. package/plugins/lisa-wiki/.claude-plugin/plugin.json +1 -1
  123. package/plugins/lisa-wiki/.codex-plugin/plugin.json +1 -1
  124. package/plugins/lisa-wiki-agy/plugin.json +1 -1
  125. package/plugins/lisa-wiki-copilot/.claude-plugin/plugin.json +1 -1
  126. package/plugins/lisa-wiki-cursor/.claude-plugin/plugin.json +1 -1
  127. package/plugins/src/base/skills/analyze-claude-remote/SKILL.md +72 -2
  128. package/plugins/src/base/skills/generate-claude-remote-build-script/SKILL.md +30 -1
  129. package/plugins/src/expo/agents/ops-specialist.md +2 -2
  130. package/plugins/src/expo/skills/ops-check-logs/SKILL.md +8 -2
  131. package/plugins/src/expo/skills/ops-db-ops/SKILL.md +7 -3
  132. package/plugins/src/expo/skills/ops-deploy/SKILL.md +6 -2
  133. package/plugins/src/expo/skills/ops-run-local/SKILL.md +5 -2
  134. package/plugins/src/phaser/rules/phaser.md +111 -44
  135. package/plugins/src/phaser/skills/phaser-accessibility/SKILL.md +135 -0
  136. package/plugins/src/phaser/skills/phaser-asset-pipeline/SKILL.md +148 -0
  137. package/plugins/src/phaser/skills/phaser-build-deploy/SKILL.md +148 -0
  138. package/plugins/src/phaser/skills/phaser-i18n/SKILL.md +122 -0
  139. package/plugins/src/phaser/skills/phaser-services/SKILL.md +208 -0
  140. package/plugins/src/phaser/skills/phaser-testing/SKILL.md +103 -10
  141. package/plugins/src/rails/agents/ops-specialist.md +1 -1
  142. package/tsconfig/phaser.json +8 -1
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "lisa-cdk",
3
- "version": "2.178.5",
3
+ "version": "2.179.0",
4
4
  "description": "AWS CDK-specific Lisa plugin.",
5
5
  "author": {
6
6
  "name": "Cody Swann"
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "lisa-cdk",
3
- "version": "2.178.5",
3
+ "version": "2.179.0",
4
4
  "description": "AWS CDK-specific plugin",
5
5
  "author": {
6
6
  "name": "Cody Swann"
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "lisa-cdk",
3
- "version": "2.178.5",
3
+ "version": "2.179.0",
4
4
  "description": "AWS CDK-specific plugin",
5
5
  "author": {
6
6
  "name": "Cody Swann"
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "lisa-cdk",
3
- "version": "2.178.5",
3
+ "version": "2.179.0",
4
4
  "description": "AWS CDK-specific plugin",
5
5
  "author": {
6
6
  "name": "Cody Swann"
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "lisa",
3
- "version": "2.178.5",
3
+ "version": "2.179.0",
4
4
  "description": "Universal governance — agents, skills, commands, hooks, and rules for all projects",
5
5
  "author": {
6
6
  "name": "Cody Swann"
@@ -78,13 +78,18 @@ Group the findings as:
78
78
  git, and coreutils are present; `gh` is available but should be installed explicitly if scripts
79
79
  call it. Classify each `REQUIRED` (core path uses it) vs `OPTIONAL` (only a dormant stack/skill
80
80
  uses it). Typical finds: `gh`, `jq`, `docker` (ZAP), `aws`, `acli`, `ruby`/`rubocop`,
81
- `python3`, `playwright`/chromium, secret scanners.
81
+ `python3`, `playwright`/chromium, secret scanners. Treat AWS as more than a
82
+ binary install: if the repo invokes `aws`, imports AWS SDK packages, uses CDK/Serverless/SST,
83
+ references `AWS_*` env vars, or documents `aws sso login` / `sso_*` profile setup, add the AWS
84
+ credential findings in group 4b as well as the `aws` CLI tool finding.
82
85
 
83
86
  4. **Environment variables & secrets** — scan for `process.env.*`, `${VAR}`/`$VAR` in shell,
84
87
  `secrets.*`/`env:` in CI, and config-referenced tokens. Group by integration (GitHub, AWS,
85
88
  Atlassian/JIRA/Confluence, Notion, Linear, Anthropic, notifications, feature flags, other).
86
89
  Cross-reference `.lisa.config.json` `tracker`/`source` to mark which credentials are **active**
87
- for this repo vs **dormant** (`OPTIONAL`). Distinguish *where* each var must be set, because the
90
+ for this repo vs **dormant** (`OPTIONAL`). Separately classify host-project AWS usage in group 4b:
91
+ AWS can be required even when it is not the tracker or PRD source. Distinguish *where* each var
92
+ must be set, because the
88
93
  answer differs and getting it wrong sends the user to do redundant work:
89
94
 
90
95
  - **Committed `.claude/settings.json` `env` flags** (e.g. `CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS`,
@@ -128,6 +133,34 @@ Group the findings as:
128
133
  guessed. If a value the table needs (server URL, project key, workspace id, email, team key) is
129
134
  missing from `.lisa.config.json`, flag it as a `GAP`/`Action:` to set it, rather than inventing one.
130
135
 
136
+ 4b. **AWS operations credentials** — scan the host project for AWS usage independent of Lisa's
137
+ tracker/source config:
138
+
139
+ - `aws` CLI invocations in `scripts/`, package scripts, committed skills/agents, or
140
+ `.github/workflows/`.
141
+ - AWS SDK imports/packages (`@aws-sdk/*`, `aws-sdk`, `boto3`, CDK, Serverless, SST, Amplify,
142
+ Terraform providers).
143
+ - `aws sso login`, `aws:signin:*`, `sso_start_url`, `sso_account_id`, `sso_role_name`, or
144
+ `sso_session` in docs or config.
145
+ - `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_SESSION_TOKEN`, `AWS_DEFAULT_REGION`,
146
+ `AWS_PROFILE`, role ARN, external ID, account, or CloudWatch/STS references.
147
+
148
+ If AWS is present, emit an AWS credential finding and inventory entry. If the repo's current
149
+ local path is `aws sso login` or an `aws:signin:*` script, classify that local path as a `GAP`
150
+ for headless remote routines: it is an interactive browser/device-authorization flow and cannot
151
+ complete in the cloud. Route to the AWS row in the Credential reference instead of suggesting
152
+ SSO auth. The finding must name the headless substrate: a dedicated IAM principal (user or role)
153
+ with only permission to `sts:AssumeRole`, environment credentials in the routine UI, and
154
+ `~/.aws/config` profiles using `role_arn`, `credential_source = Environment`, optional
155
+ `external_id`, and `region`.
156
+
157
+ When the repository contains concrete non-secret AWS metadata (role ARNs, account aliases,
158
+ profile names, regions, or ExternalId values), include it in an `awsProfiles` inventory array so
159
+ `/lisa:generate-claude-remote-build-script` can write matching `~/.aws/config` profiles. Never
160
+ invent account IDs, ExternalIds, role names, or regions. If AWS is detected but profile metadata
161
+ is absent, emit the required AWS secret names plus an action to add project-specific profile
162
+ metadata to the generated artifact or environment notes.
163
+
131
164
  5. **MCP servers** — read every committed `.mcp.json`. For each server report transport and auth.
132
165
  Project-scoped HTTP/SSE servers with no interactive auth are `OK`. Flag stdio servers as
133
166
  `RISK`/`GAP` (need a local process — only viable if the cloud session can spawn them from the
@@ -234,6 +267,31 @@ unsuffixed `…_TOKEN`/`…_KEY` is the simplest to set in a single-account rout
234
267
  - Acquire: `https://linear.app/<workspace>/settings/account/security` → Personal API keys → New API key.
235
268
  - Access: the personal API key inherits the user's workspace permissions — the user must be able to read/create/update Issues in the destination team.
236
269
 
270
+ ### AWS — host-project operations, logs, deploys, CDK/Serverless/SST, or AWS SDK usage
271
+ - Headless substrate: a dedicated IAM principal (user or role) with long-lived bootstrap credentials
272
+ stored in the routine environment, used only to call `sts:AssumeRole` into per-account operational
273
+ roles. The routine writes `~/.aws/config` profiles with `role_arn`, `credential_source =
274
+ Environment`, optional `external_id`, and `region`; agents use `aws --profile <profile> ...`.
275
+ - Env: `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`; optional `AWS_SESSION_TOKEN` for temporary
276
+ bootstrap credentials; `AWS_DEFAULT_REGION` when no profile region is provided. Role ARNs,
277
+ ExternalIds, profile names, and regions are non-secret project metadata and belong in generated
278
+ artifacts or project docs, not in the skill's global guidance.
279
+ - Allowlist: `*.amazonaws.com`, or narrower service hosts such as `sts.amazonaws.com`,
280
+ `logs.<region>.amazonaws.com`, `cloudwatch.<region>.amazonaws.com`,
281
+ `xray.<region>.amazonaws.com`, `ssm.<region>.amazonaws.com`, and service-specific endpoints the
282
+ repo uses.
283
+ - Access: the bootstrap principal should have only `sts:AssumeRole` on the scoped operational role
284
+ ARNs, preferably guarded by an `ExternalId` condition. The assumed roles carry the real
285
+ permissions needed by the repo (CloudWatch Logs, deploy, SSM, etc.) as short-lived STS
286
+ credentials.
287
+ - IAM Identity Center caveat: an IAM Identity Center permission set provisions an `AWSReservedSSO_*`
288
+ role whose trust allows the SSO service, not an arbitrary IAM principal. A headless IAM principal
289
+ cannot directly assume that reserved role. Use a separate assumable role that attaches the same
290
+ policy as the permission set, with the delegated Identity Center admin keeping that policy as the
291
+ source of truth.
292
+ - Alternative: IAM Roles Anywhere (X.509 to STS) when long-lived bootstrap access keys are
293
+ unacceptable.
294
+
237
295
  ## Output
238
296
 
239
297
  Render the report grouped exactly as above. Start with one `Summary:` line, then a `Counts:` line
@@ -296,6 +354,15 @@ so the generator can render acquisition comments into its template:
296
354
  { "name": "jam", "transport": "http", "auth": "oauth", "headlessUsable": true, "replacedBy": "jam CLI + JAM_PAT", "dormant": true },
297
355
  { "name": "sonarqube", "transport": "stdio", "auth": "local-wrapper", "headlessUsable": true, "replacedBy": "SONAR_TOKEN + SonarCloud Web API", "dormant": true }
298
356
  ],
357
+ "awsProfiles": [
358
+ {
359
+ "name": "dev",
360
+ "roleArn": "arn:aws:iam::<account-id>:role/<role-name>",
361
+ "credentialSource": "Environment",
362
+ "externalId": "<project-external-id>",
363
+ "region": "us-east-1"
364
+ }
365
+ ],
299
366
  "gaps": [ "auto-memory not synced to cloud", "bun package fetch behind proxy", "OS keychain absent — env-var token form only" ],
300
367
  "platform": {
301
368
  "githubProxy": {
@@ -346,6 +413,9 @@ so the generator can render acquisition comments into its template:
346
413
  to environment editors; never imply the generated script can hide them.
347
414
  - A browser-OAuth MCP (or interactively-authed CLI) backing an active integration is a `GAP`; the
348
415
  remediation is its token substrate from the table, not "authenticate the MCP".
416
+ - `aws sso login`, `sso_*` profile configuration, and project scripts that wrap AWS SSO are
417
+ interactive-auth paths. In a headless routine they are a `GAP`, not a setup step. Route AWS access
418
+ to env-var bootstrap credentials plus assume-role profiles.
349
419
  - For non-tracker MCPs, a documented CLI, PAT/API-key, or REST substrate converts the finding from
350
420
  a flat `GAP` into an `OPTIONAL` headless recovery path; unknown vendors remain gaps with a
351
421
  vendor-substrate follow-up, not invented credentials.
@@ -31,7 +31,7 @@ tracker/source, plus the host project's own package manager and tooling — not
31
31
 
32
32
  1. **Inventory.** Invoke `/lisa:analyze-claude-remote --json` and parse its machine-readable
33
33
  inventory block (`packageManager`, `tools`, `env`, `mcp`, `gaps`, `platform`,
34
- `networkAccess`, `allowlistDomains`). If the analysis cannot run, stop and report why — never
34
+ `networkAccess`, `allowlistDomains`, `awsProfiles`). If the analysis cannot run, stop and report why — never
35
35
  emit a script from guesses.
36
36
 
37
37
  2. **Compose the setup script** from the inventory. The script must be:
@@ -71,6 +71,9 @@ tracker/source, plus the host project's own package manager and tooling — not
71
71
  include `JAM_PAT`, `SONAR_TOKEN`, or similar documented substrate env vars
72
72
  only as optional secrets, with their acquire/scope comments when the analysis
73
73
  supplied them. Never invent values or promote dormant substrates to required.
74
+ When AWS entries are present, list `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, optional
75
+ `AWS_SESSION_TOKEN`, and `AWS_DEFAULT_REGION` exactly as the analysis reported. State that these
76
+ bootstrap credentials are for STS assume-role only; do not emit or recommend `aws sso login`.
74
77
 
75
78
  3a. **Emit substrate setup snippets.** When the inventory marks an MCP
76
79
  `headlessUsable: true` through a documented substrate, render the matching
@@ -88,6 +91,19 @@ tracker/source, plus the host project's own package manager and tooling — not
88
91
  transport supports static-token auth. Do not print a Jam `.mcp.json` header snippet because
89
92
  Jam's preferred headless substrate is its PAT-authenticated CLI.
90
93
 
94
+ 3b. **Emit AWS assume-role profile setup.** When the inventory includes `awsProfiles`, write an
95
+ idempotent `~/.aws/config` block gated on `[ -n "${AWS_ACCESS_KEY_ID:-}" ]`. The generated block
96
+ must:
97
+ - `mkdir -p "$HOME/.aws"` and create or append profile stanzas without writing secrets.
98
+ - Emit one `[profile <name>]` stanza per inventory profile with `role_arn`,
99
+ `credential_source = Environment`, `region` when present, and `external_id` when present.
100
+ - Keep regions and ExternalIds as non-secret project metadata from the inventory; never invent
101
+ account IDs, role names, profile names, regions, or ExternalIds.
102
+ - Warn and skip profile writing when AWS profile metadata is absent, while still listing the
103
+ required `AWS_*` env var names in the secret template.
104
+ - Include a comment that agents should use `aws --profile <name> ...` and must not run
105
+ `aws sso login` in headless routines.
106
+
91
107
  4. **Emit the allowlist + gaps notice.** List any custom domains the setup or runtime reaches
92
108
  (from `networkAccess.allowlistDomains`, falling back to legacy `allowlistDomains`) that the user
93
109
  must add when the environment needs Custom network access. Do not include default Trusted domains
@@ -123,6 +139,9 @@ shape, not a fixed payload):
123
139
  # # Note: GH_TOKEN is for gh CLI only. Raw git uses Claude's connected-GitHub proxy/identity;
124
140
  # # sibling repos reached only by raw git do not need to be in this token scope.
125
141
  # - GH_TOKEN=<token> # REQUIRED, github is the active tracker+source
142
+ # - AWS_ACCESS_KEY_ID=<access-key-id> # REQUIRED when AWS inventory is active
143
+ # - AWS_SECRET_ACCESS_KEY=<secret-access-key> # REQUIRED when AWS inventory is active
144
+ # - AWS_SESSION_TOKEN=<session-token> # OPTIONAL for temporary bootstrap creds
126
145
  # NETWORK: set the environment to Custom and allowlist these non-default domains if not on Full:
127
146
  # - <networkAccess.allowlistDomains, if any>
128
147
  set -uo pipefail
@@ -165,6 +184,14 @@ need gh || (sudo apt-get update -y && sudo apt-get install -y gh)
165
184
  need jq || sudo apt-get install -y jq
166
185
  require gh; require jq
167
186
 
187
+ # --- AWS assume-role profiles, when inventory includes awsProfiles ---
188
+ if [ -n "${AWS_ACCESS_KEY_ID:-}" ]; then
189
+ mkdir -p "$HOME/.aws"
190
+ # Generated stanzas use credential_source=Environment and contain no secrets.
191
+ # Agents should run: aws --profile <profile> ...
192
+ # Do not run aws sso login in headless routines; SSO requires an interactive browser/device flow.
193
+ fi
194
+
168
195
  # --- optional, only with --include-optional ---
169
196
  # (docker / ruby / chromium / etc., guarded)
170
197
  ```
@@ -186,6 +213,8 @@ to stop are: the analysis could not run, or the `--out` path is not writable.
186
213
  raw git/cross-repo clone guidance must not expand the token scope to sibling repositories.
187
214
  - Never emit an install for a tool the analysis did not surface, and never install `OPTIONAL` tools
188
215
  unless `--include-optional` is set.
216
+ - When AWS is in the inventory, generate environment-backed assume-role profile stanzas from
217
+ `awsProfiles`; never emit `aws sso login` as a remote setup step.
189
218
  - Prefer `networkAccess.allowlistDomains` over legacy top-level `allowlistDomains`; never emit
190
219
  domains already covered by the routine environment's default Trusted list.
191
220
  - Keep the script idempotent and detect-before-install so it is safe to re-run and cache.
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "lisa",
3
- "version": "2.178.5",
3
+ "version": "2.179.0",
4
4
  "description": "Universal governance — agents, skills, commands, hooks, and rules for all projects",
5
5
  "author": {
6
6
  "name": "Cody Swann"
@@ -78,13 +78,18 @@ Group the findings as:
78
78
  git, and coreutils are present; `gh` is available but should be installed explicitly if scripts
79
79
  call it. Classify each `REQUIRED` (core path uses it) vs `OPTIONAL` (only a dormant stack/skill
80
80
  uses it). Typical finds: `gh`, `jq`, `docker` (ZAP), `aws`, `acli`, `ruby`/`rubocop`,
81
- `python3`, `playwright`/chromium, secret scanners.
81
+ `python3`, `playwright`/chromium, secret scanners. Treat AWS as more than a
82
+ binary install: if the repo invokes `aws`, imports AWS SDK packages, uses CDK/Serverless/SST,
83
+ references `AWS_*` env vars, or documents `aws sso login` / `sso_*` profile setup, add the AWS
84
+ credential findings in group 4b as well as the `aws` CLI tool finding.
82
85
 
83
86
  4. **Environment variables & secrets** — scan for `process.env.*`, `${VAR}`/`$VAR` in shell,
84
87
  `secrets.*`/`env:` in CI, and config-referenced tokens. Group by integration (GitHub, AWS,
85
88
  Atlassian/JIRA/Confluence, Notion, Linear, Anthropic, notifications, feature flags, other).
86
89
  Cross-reference `.lisa.config.json` `tracker`/`source` to mark which credentials are **active**
87
- for this repo vs **dormant** (`OPTIONAL`). Distinguish *where* each var must be set, because the
90
+ for this repo vs **dormant** (`OPTIONAL`). Separately classify host-project AWS usage in group 4b:
91
+ AWS can be required even when it is not the tracker or PRD source. Distinguish *where* each var
92
+ must be set, because the
88
93
  answer differs and getting it wrong sends the user to do redundant work:
89
94
 
90
95
  - **Committed `.claude/settings.json` `env` flags** (e.g. `CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS`,
@@ -128,6 +133,34 @@ Group the findings as:
128
133
  guessed. If a value the table needs (server URL, project key, workspace id, email, team key) is
129
134
  missing from `.lisa.config.json`, flag it as a `GAP`/`Action:` to set it, rather than inventing one.
130
135
 
136
+ 4b. **AWS operations credentials** — scan the host project for AWS usage independent of Lisa's
137
+ tracker/source config:
138
+
139
+ - `aws` CLI invocations in `scripts/`, package scripts, committed skills/agents, or
140
+ `.github/workflows/`.
141
+ - AWS SDK imports/packages (`@aws-sdk/*`, `aws-sdk`, `boto3`, CDK, Serverless, SST, Amplify,
142
+ Terraform providers).
143
+ - `aws sso login`, `aws:signin:*`, `sso_start_url`, `sso_account_id`, `sso_role_name`, or
144
+ `sso_session` in docs or config.
145
+ - `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_SESSION_TOKEN`, `AWS_DEFAULT_REGION`,
146
+ `AWS_PROFILE`, role ARN, external ID, account, or CloudWatch/STS references.
147
+
148
+ If AWS is present, emit an AWS credential finding and inventory entry. If the repo's current
149
+ local path is `aws sso login` or an `aws:signin:*` script, classify that local path as a `GAP`
150
+ for headless remote routines: it is an interactive browser/device-authorization flow and cannot
151
+ complete in the cloud. Route to the AWS row in the Credential reference instead of suggesting
152
+ SSO auth. The finding must name the headless substrate: a dedicated IAM principal (user or role)
153
+ with only permission to `sts:AssumeRole`, environment credentials in the routine UI, and
154
+ `~/.aws/config` profiles using `role_arn`, `credential_source = Environment`, optional
155
+ `external_id`, and `region`.
156
+
157
+ When the repository contains concrete non-secret AWS metadata (role ARNs, account aliases,
158
+ profile names, regions, or ExternalId values), include it in an `awsProfiles` inventory array so
159
+ `/lisa:generate-claude-remote-build-script` can write matching `~/.aws/config` profiles. Never
160
+ invent account IDs, ExternalIds, role names, or regions. If AWS is detected but profile metadata
161
+ is absent, emit the required AWS secret names plus an action to add project-specific profile
162
+ metadata to the generated artifact or environment notes.
163
+
131
164
  5. **MCP servers** — read every committed `.mcp.json`. For each server report transport and auth.
132
165
  Project-scoped HTTP/SSE servers with no interactive auth are `OK`. Flag stdio servers as
133
166
  `RISK`/`GAP` (need a local process — only viable if the cloud session can spawn them from the
@@ -234,6 +267,31 @@ unsuffixed `…_TOKEN`/`…_KEY` is the simplest to set in a single-account rout
234
267
  - Acquire: `https://linear.app/<workspace>/settings/account/security` → Personal API keys → New API key.
235
268
  - Access: the personal API key inherits the user's workspace permissions — the user must be able to read/create/update Issues in the destination team.
236
269
 
270
+ ### AWS — host-project operations, logs, deploys, CDK/Serverless/SST, or AWS SDK usage
271
+ - Headless substrate: a dedicated IAM principal (user or role) with long-lived bootstrap credentials
272
+ stored in the routine environment, used only to call `sts:AssumeRole` into per-account operational
273
+ roles. The routine writes `~/.aws/config` profiles with `role_arn`, `credential_source =
274
+ Environment`, optional `external_id`, and `region`; agents use `aws --profile <profile> ...`.
275
+ - Env: `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`; optional `AWS_SESSION_TOKEN` for temporary
276
+ bootstrap credentials; `AWS_DEFAULT_REGION` when no profile region is provided. Role ARNs,
277
+ ExternalIds, profile names, and regions are non-secret project metadata and belong in generated
278
+ artifacts or project docs, not in the skill's global guidance.
279
+ - Allowlist: `*.amazonaws.com`, or narrower service hosts such as `sts.amazonaws.com`,
280
+ `logs.<region>.amazonaws.com`, `cloudwatch.<region>.amazonaws.com`,
281
+ `xray.<region>.amazonaws.com`, `ssm.<region>.amazonaws.com`, and service-specific endpoints the
282
+ repo uses.
283
+ - Access: the bootstrap principal should have only `sts:AssumeRole` on the scoped operational role
284
+ ARNs, preferably guarded by an `ExternalId` condition. The assumed roles carry the real
285
+ permissions needed by the repo (CloudWatch Logs, deploy, SSM, etc.) as short-lived STS
286
+ credentials.
287
+ - IAM Identity Center caveat: an IAM Identity Center permission set provisions an `AWSReservedSSO_*`
288
+ role whose trust allows the SSO service, not an arbitrary IAM principal. A headless IAM principal
289
+ cannot directly assume that reserved role. Use a separate assumable role that attaches the same
290
+ policy as the permission set, with the delegated Identity Center admin keeping that policy as the
291
+ source of truth.
292
+ - Alternative: IAM Roles Anywhere (X.509 to STS) when long-lived bootstrap access keys are
293
+ unacceptable.
294
+
237
295
  ## Output
238
296
 
239
297
  Render the report grouped exactly as above. Start with one `Summary:` line, then a `Counts:` line
@@ -296,6 +354,15 @@ so the generator can render acquisition comments into its template:
296
354
  { "name": "jam", "transport": "http", "auth": "oauth", "headlessUsable": true, "replacedBy": "jam CLI + JAM_PAT", "dormant": true },
297
355
  { "name": "sonarqube", "transport": "stdio", "auth": "local-wrapper", "headlessUsable": true, "replacedBy": "SONAR_TOKEN + SonarCloud Web API", "dormant": true }
298
356
  ],
357
+ "awsProfiles": [
358
+ {
359
+ "name": "dev",
360
+ "roleArn": "arn:aws:iam::<account-id>:role/<role-name>",
361
+ "credentialSource": "Environment",
362
+ "externalId": "<project-external-id>",
363
+ "region": "us-east-1"
364
+ }
365
+ ],
299
366
  "gaps": [ "auto-memory not synced to cloud", "bun package fetch behind proxy", "OS keychain absent — env-var token form only" ],
300
367
  "platform": {
301
368
  "githubProxy": {
@@ -346,6 +413,9 @@ so the generator can render acquisition comments into its template:
346
413
  to environment editors; never imply the generated script can hide them.
347
414
  - A browser-OAuth MCP (or interactively-authed CLI) backing an active integration is a `GAP`; the
348
415
  remediation is its token substrate from the table, not "authenticate the MCP".
416
+ - `aws sso login`, `sso_*` profile configuration, and project scripts that wrap AWS SSO are
417
+ interactive-auth paths. In a headless routine they are a `GAP`, not a setup step. Route AWS access
418
+ to env-var bootstrap credentials plus assume-role profiles.
349
419
  - For non-tracker MCPs, a documented CLI, PAT/API-key, or REST substrate converts the finding from
350
420
  a flat `GAP` into an `OPTIONAL` headless recovery path; unknown vendors remain gaps with a
351
421
  vendor-substrate follow-up, not invented credentials.
@@ -31,7 +31,7 @@ tracker/source, plus the host project's own package manager and tooling — not
31
31
 
32
32
  1. **Inventory.** Invoke `/lisa:analyze-claude-remote --json` and parse its machine-readable
33
33
  inventory block (`packageManager`, `tools`, `env`, `mcp`, `gaps`, `platform`,
34
- `networkAccess`, `allowlistDomains`). If the analysis cannot run, stop and report why — never
34
+ `networkAccess`, `allowlistDomains`, `awsProfiles`). If the analysis cannot run, stop and report why — never
35
35
  emit a script from guesses.
36
36
 
37
37
  2. **Compose the setup script** from the inventory. The script must be:
@@ -71,6 +71,9 @@ tracker/source, plus the host project's own package manager and tooling — not
71
71
  include `JAM_PAT`, `SONAR_TOKEN`, or similar documented substrate env vars
72
72
  only as optional secrets, with their acquire/scope comments when the analysis
73
73
  supplied them. Never invent values or promote dormant substrates to required.
74
+ When AWS entries are present, list `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, optional
75
+ `AWS_SESSION_TOKEN`, and `AWS_DEFAULT_REGION` exactly as the analysis reported. State that these
76
+ bootstrap credentials are for STS assume-role only; do not emit or recommend `aws sso login`.
74
77
 
75
78
  3a. **Emit substrate setup snippets.** When the inventory marks an MCP
76
79
  `headlessUsable: true` through a documented substrate, render the matching
@@ -88,6 +91,19 @@ tracker/source, plus the host project's own package manager and tooling — not
88
91
  transport supports static-token auth. Do not print a Jam `.mcp.json` header snippet because
89
92
  Jam's preferred headless substrate is its PAT-authenticated CLI.
90
93
 
94
+ 3b. **Emit AWS assume-role profile setup.** When the inventory includes `awsProfiles`, write an
95
+ idempotent `~/.aws/config` block gated on `[ -n "${AWS_ACCESS_KEY_ID:-}" ]`. The generated block
96
+ must:
97
+ - `mkdir -p "$HOME/.aws"` and create or append profile stanzas without writing secrets.
98
+ - Emit one `[profile <name>]` stanza per inventory profile with `role_arn`,
99
+ `credential_source = Environment`, `region` when present, and `external_id` when present.
100
+ - Keep regions and ExternalIds as non-secret project metadata from the inventory; never invent
101
+ account IDs, role names, profile names, regions, or ExternalIds.
102
+ - Warn and skip profile writing when AWS profile metadata is absent, while still listing the
103
+ required `AWS_*` env var names in the secret template.
104
+ - Include a comment that agents should use `aws --profile <name> ...` and must not run
105
+ `aws sso login` in headless routines.
106
+
91
107
  4. **Emit the allowlist + gaps notice.** List any custom domains the setup or runtime reaches
92
108
  (from `networkAccess.allowlistDomains`, falling back to legacy `allowlistDomains`) that the user
93
109
  must add when the environment needs Custom network access. Do not include default Trusted domains
@@ -123,6 +139,9 @@ shape, not a fixed payload):
123
139
  # # Note: GH_TOKEN is for gh CLI only. Raw git uses Claude's connected-GitHub proxy/identity;
124
140
  # # sibling repos reached only by raw git do not need to be in this token scope.
125
141
  # - GH_TOKEN=<token> # REQUIRED, github is the active tracker+source
142
+ # - AWS_ACCESS_KEY_ID=<access-key-id> # REQUIRED when AWS inventory is active
143
+ # - AWS_SECRET_ACCESS_KEY=<secret-access-key> # REQUIRED when AWS inventory is active
144
+ # - AWS_SESSION_TOKEN=<session-token> # OPTIONAL for temporary bootstrap creds
126
145
  # NETWORK: set the environment to Custom and allowlist these non-default domains if not on Full:
127
146
  # - <networkAccess.allowlistDomains, if any>
128
147
  set -uo pipefail
@@ -165,6 +184,14 @@ need gh || (sudo apt-get update -y && sudo apt-get install -y gh)
165
184
  need jq || sudo apt-get install -y jq
166
185
  require gh; require jq
167
186
 
187
+ # --- AWS assume-role profiles, when inventory includes awsProfiles ---
188
+ if [ -n "${AWS_ACCESS_KEY_ID:-}" ]; then
189
+ mkdir -p "$HOME/.aws"
190
+ # Generated stanzas use credential_source=Environment and contain no secrets.
191
+ # Agents should run: aws --profile <profile> ...
192
+ # Do not run aws sso login in headless routines; SSO requires an interactive browser/device flow.
193
+ fi
194
+
168
195
  # --- optional, only with --include-optional ---
169
196
  # (docker / ruby / chromium / etc., guarded)
170
197
  ```
@@ -186,6 +213,8 @@ to stop are: the analysis could not run, or the `--out` path is not writable.
186
213
  raw git/cross-repo clone guidance must not expand the token scope to sibling repositories.
187
214
  - Never emit an install for a tool the analysis did not surface, and never install `OPTIONAL` tools
188
215
  unless `--include-optional` is set.
216
+ - When AWS is in the inventory, generate environment-backed assume-role profile stanzas from
217
+ `awsProfiles`; never emit `aws sso login` as a remote setup step.
189
218
  - Prefer `networkAccess.allowlistDomains` over legacy top-level `allowlistDomains`; never emit
190
219
  domains already covered by the routine environment's default Trusted list.
191
220
  - Keep the script idempotent and detect-before-install so it is safe to re-run and cache.
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "lisa-expo",
3
- "version": "2.178.5",
3
+ "version": "2.179.0",
4
4
  "description": "Expo/React Native-specific skills, agents, rules, and MCP servers",
5
5
  "author": {
6
6
  "name": "Cody Swann"
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "lisa-expo",
3
- "version": "2.178.5",
3
+ "version": "2.179.0",
4
4
  "description": "Expo and React Native-specific skills, agents, rules, and MCP servers.",
5
5
  "author": {
6
6
  "name": "Cody Swann"
@@ -100,10 +100,10 @@ Read `app/` directory structure to discover all available routes.
100
100
  |---------|-------------|-----|
101
101
  | `port 8081 already in use` | Previous Metro bundler running | `lsof -ti :8081 \| xargs kill -9` |
102
102
  | `port 3000 already in use` | Previous backend running | `lsof -ti :3000 \| xargs kill -9` |
103
- | `ExpiredTokenException` | AWS SSO session expired | Run `aws:signin:{env}` script from backend dir |
103
+ | `ExpiredTokenException` | AWS credentials expired | Interactive local: refresh the backend AWS signin flow. Headless: use the environment-backed AWS profile; do not start an SSO browser/device flow |
104
104
  | Metro bundler crash | Cache corruption | `bun start:local --clear` |
105
105
  | `ECONNREFUSED localhost:3000` | Backend not running | Start backend first, then frontend |
106
- | Migration fails | Missing AWS credentials | Run `aws:signin:{env}` script before migration |
106
+ | Migration fails | Missing AWS credentials | Verify `aws sts get-caller-identity --profile {profile}`; use interactive signin only locally, environment-backed profile headless |
107
107
  | EAS CLI not found | Not installed globally | `npm install -g eas-cli` |
108
108
  | `sls` not found | Serverless not installed | `cd $BACKEND_DIR && bun install` |
109
109
  | GraphQL schema mismatch | Stale generated types | Run `generate:types:{env}` script |
@@ -132,9 +132,14 @@ Discover available log scripts from the backend `package.json` (matching `logs:*
132
132
 
133
133
  ```bash
134
134
  cd "${BACKEND_DIR:-../backend-v2}"
135
- bun run aws:signin:{env}
135
+ aws sts get-caller-identity --profile {aws-profile} 2>/dev/null
136
136
  ```
137
137
 
138
+ If this is an interactive local session and credentials are expired, refresh the backend's local
139
+ AWS signin flow. In a headless or remote-routine session, do not start an SSO browser/device flow;
140
+ use the preconfigured `~/.aws/config` profile backed by `AWS_ACCESS_KEY_ID` /
141
+ `AWS_SECRET_ACCESS_KEY` environment credentials.
142
+
138
143
  ### View Recent Logs
139
144
 
140
145
  ```bash
@@ -151,7 +156,8 @@ FUNCTION_NAME={fn} bun run logs:watch:{env}
151
156
 
152
157
  ## Remote Logs (AWS CLI — Advanced Filtering)
153
158
 
154
- For more advanced filtering, use the AWS CLI directly. Discover the AWS profile from backend `package.json` `aws:signin:*` scripts.
159
+ For more advanced filtering, use the AWS CLI directly. Discover the AWS profile from backend
160
+ `package.json` scripts or the remote-routine `~/.aws/config` profile.
155
161
 
156
162
  ### Discover Log Groups
157
163
 
@@ -29,7 +29,7 @@ Read the backend `package.json` to discover available migration and schema scrip
29
29
  - `migration:generate:*` — generate new migration from entity changes
30
30
  - `migration:create` — create empty migration
31
31
  - `generate:sql-schema*` — regenerate SQL schema for MCP
32
- - `aws:signin:*` AWS credential scripts
32
+ - AWS credential/profile scripts such as `aws:signin:*` and any environment-backed remote profile
33
33
 
34
34
  Read the frontend `package.json` to discover codegen scripts:
35
35
  - `fetch:graphql:schema:*` — fetch GraphQL schema
@@ -37,13 +37,17 @@ Read the frontend `package.json` to discover codegen scripts:
37
37
 
38
38
  ## AWS Prerequisite
39
39
 
40
- All database operations (except `codegen`) require AWS credentials. Run the backend's AWS signin script first:
40
+ All database operations (except `codegen`) require AWS credentials. Verify the target profile first:
41
41
 
42
42
  ```bash
43
43
  cd "${BACKEND_DIR:-../backend-v2}"
44
- bun run aws:signin:{env}
44
+ aws sts get-caller-identity --profile {aws-profile}
45
45
  ```
46
46
 
47
+ If this is an interactive local session and credentials are expired, refresh the backend's local AWS
48
+ signin flow. In a headless or remote-routine session, use the preconfigured environment-backed
49
+ assume-role profile and do not start an SSO browser/device flow.
50
+
47
51
  ## Operations
48
52
 
49
53
  ### migrate (run pending migrations)
@@ -73,11 +73,15 @@ Use for JS-only changes (no native module changes).
73
73
 
74
74
  ### Full Deploy (Serverless Framework)
75
75
 
76
- 1. AWS signin (discover script name from backend `package.json`):
76
+ 1. Verify AWS credentials (discover the profile from backend `package.json` or remote-routine
77
+ `~/.aws/config`):
77
78
  ```bash
78
79
  cd "${BACKEND_DIR:-../backend-v2}"
79
- bun run aws:signin:{env}
80
+ aws sts get-caller-identity --profile {aws-profile}
80
81
  ```
82
+ If this is an interactive local session and credentials are expired, refresh the backend's local
83
+ AWS signin flow. In a headless or remote-routine session, use the environment-backed assume-role
84
+ profile and do not start an SSO browser/device flow.
81
85
 
82
86
  2. Deploy all functions:
83
87
  ```bash
@@ -95,11 +95,14 @@ Use when the backend is already deployed and you only need the frontend.
95
95
 
96
96
  ### start-backend (backend only)
97
97
 
98
- 1. Check AWS credentials (discover profile from backend `package.json` `aws:signin:*` scripts):
98
+ 1. Check AWS credentials (discover profile from backend `package.json` scripts or remote-routine
99
+ `~/.aws/config`):
99
100
  ```bash
100
101
  aws sts get-caller-identity --profile {aws-profile} 2>/dev/null
101
102
  ```
102
- If expired, run the backend's `aws:signin:{env}` script.
103
+ If this is an interactive local session and credentials are expired, refresh the backend's local
104
+ AWS signin flow. In headless sessions, rely on the configured environment-backed AWS profile and
105
+ do not start an SSO browser/device flow.
103
106
 
104
107
  2. Start:
105
108
  ```bash
@@ -100,10 +100,10 @@ Read `app/` directory structure to discover all available routes.
100
100
  |---------|-------------|-----|
101
101
  | `port 8081 already in use` | Previous Metro bundler running | `lsof -ti :8081 \| xargs kill -9` |
102
102
  | `port 3000 already in use` | Previous backend running | `lsof -ti :3000 \| xargs kill -9` |
103
- | `ExpiredTokenException` | AWS SSO session expired | Run `aws:signin:{env}` script from backend dir |
103
+ | `ExpiredTokenException` | AWS credentials expired | Interactive local: refresh the backend AWS signin flow. Headless: use the environment-backed AWS profile; do not start an SSO browser/device flow |
104
104
  | Metro bundler crash | Cache corruption | `bun start:local --clear` |
105
105
  | `ECONNREFUSED localhost:3000` | Backend not running | Start backend first, then frontend |
106
- | Migration fails | Missing AWS credentials | Run `aws:signin:{env}` script before migration |
106
+ | Migration fails | Missing AWS credentials | Verify `aws sts get-caller-identity --profile {profile}`; use interactive signin only locally, environment-backed profile headless |
107
107
  | EAS CLI not found | Not installed globally | `npm install -g eas-cli` |
108
108
  | `sls` not found | Serverless not installed | `cd $BACKEND_DIR && bun install` |
109
109
  | GraphQL schema mismatch | Stale generated types | Run `generate:types:{env}` script |
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "lisa-expo",
3
- "version": "2.178.5",
3
+ "version": "2.179.0",
4
4
  "description": "Expo/React Native-specific skills, agents, rules, and MCP servers",
5
5
  "author": {
6
6
  "name": "Cody Swann"
@@ -132,9 +132,14 @@ Discover available log scripts from the backend `package.json` (matching `logs:*
132
132
 
133
133
  ```bash
134
134
  cd "${BACKEND_DIR:-../backend-v2}"
135
- bun run aws:signin:{env}
135
+ aws sts get-caller-identity --profile {aws-profile} 2>/dev/null
136
136
  ```
137
137
 
138
+ If this is an interactive local session and credentials are expired, refresh the backend's local
139
+ AWS signin flow. In a headless or remote-routine session, do not start an SSO browser/device flow;
140
+ use the preconfigured `~/.aws/config` profile backed by `AWS_ACCESS_KEY_ID` /
141
+ `AWS_SECRET_ACCESS_KEY` environment credentials.
142
+
138
143
  ### View Recent Logs
139
144
 
140
145
  ```bash
@@ -151,7 +156,8 @@ FUNCTION_NAME={fn} bun run logs:watch:{env}
151
156
 
152
157
  ## Remote Logs (AWS CLI — Advanced Filtering)
153
158
 
154
- For more advanced filtering, use the AWS CLI directly. Discover the AWS profile from backend `package.json` `aws:signin:*` scripts.
159
+ For more advanced filtering, use the AWS CLI directly. Discover the AWS profile from backend
160
+ `package.json` scripts or the remote-routine `~/.aws/config` profile.
155
161
 
156
162
  ### Discover Log Groups
157
163
 
@@ -29,7 +29,7 @@ Read the backend `package.json` to discover available migration and schema scrip
29
29
  - `migration:generate:*` — generate new migration from entity changes
30
30
  - `migration:create` — create empty migration
31
31
  - `generate:sql-schema*` — regenerate SQL schema for MCP
32
- - `aws:signin:*` AWS credential scripts
32
+ - AWS credential/profile scripts such as `aws:signin:*` and any environment-backed remote profile
33
33
 
34
34
  Read the frontend `package.json` to discover codegen scripts:
35
35
  - `fetch:graphql:schema:*` — fetch GraphQL schema
@@ -37,13 +37,17 @@ Read the frontend `package.json` to discover codegen scripts:
37
37
 
38
38
  ## AWS Prerequisite
39
39
 
40
- All database operations (except `codegen`) require AWS credentials. Run the backend's AWS signin script first:
40
+ All database operations (except `codegen`) require AWS credentials. Verify the target profile first:
41
41
 
42
42
  ```bash
43
43
  cd "${BACKEND_DIR:-../backend-v2}"
44
- bun run aws:signin:{env}
44
+ aws sts get-caller-identity --profile {aws-profile}
45
45
  ```
46
46
 
47
+ If this is an interactive local session and credentials are expired, refresh the backend's local AWS
48
+ signin flow. In a headless or remote-routine session, use the preconfigured environment-backed
49
+ assume-role profile and do not start an SSO browser/device flow.
50
+
47
51
  ## Operations
48
52
 
49
53
  ### migrate (run pending migrations)