@composurecdk/cloudformation 0.8.2 → 0.8.4

package/dist/commonjs/constraints/char-sets.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Character-class fragments shared across multiple AWS-property constraints.
+ *
+ * Each value is pre-escaped and ordered for use *inside* a `[...]` character
+ * class (the `-` is escaped, so position is irrelevant). A constraint spreads
+ * these into its own class alongside any property-specific characters, so the
+ * common spine is declared once and the per-property tail stays local.
+ *
+ * They are grouped under a single {@link charSets} export to keep the package
+ * surface tidy. A fragment graduates here only once a *second* property needs
+ * it — promotion is a one-line move plus an import change in the owning
+ * packages. See ADR-0010.
+ */
+/**
+ * Shared character-class fragments. Spread one into a constraint's `charClass`:
+ * `` charClass: `${charSets.ALNUM}${charSets.AWS_NAME_PUNCT}...` ``.
+ */
+export declare const charSets: {
+    readonly ALNUM: "A-Za-z0-9";
+    readonly AWS_NAME_PUNCT: " _./:+=@#()\\-";
+};
+//# sourceMappingURL=char-sets.d.ts.map

package/dist/commonjs/constraints/char-sets.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"char-sets.d.ts","sourceRoot":"","sources":["../../../src/constraints/char-sets.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAYH;;;GAGG;AACH,eAAO,MAAM,QAAQ;;;CAAqC,CAAC"}

package/dist/commonjs/constraints/char-sets.js

@@ -0,0 +1,30 @@
+"use strict";
+/**
+ * Character-class fragments shared across multiple AWS-property constraints.
+ *
+ * Each value is pre-escaped and ordered for use *inside* a `[...]` character
+ * class (the `-` is escaped, so position is irrelevant). A constraint spreads
+ * these into its own class alongside any property-specific characters, so the
+ * common spine is declared once and the per-property tail stays local.
+ *
+ * They are grouped under a single {@link charSets} export to keep the package
+ * surface tidy. A fragment graduates here only once a *second* property needs
+ * it — promotion is a one-line move plus an import change in the owning
+ * packages. See ADR-0010.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.charSets = void 0;
+/** ASCII letters and digits — the base of nearly every AWS name/description. */
+const ALNUM = "A-Za-z0-9";
+/**
+ * The punctuation common to AlarmName, SecurityGroup descriptions, and tags
+ * (the measured intersection). Individual properties extend this with their
+ * own additional characters; they do not redefine the shared set.
+ */
+const AWS_NAME_PUNCT = " _./:+=@#()\\-";
+/**
+ * Shared character-class fragments. Spread one into a constraint's `charClass`:
+ * `` charClass: `${charSets.ALNUM}${charSets.AWS_NAME_PUNCT}...` ``.
+ */
+exports.charSets = { ALNUM, AWS_NAME_PUNCT };
+//# sourceMappingURL=char-sets.js.map

package/dist/commonjs/constraints/char-sets.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"char-sets.js","sourceRoot":"","sources":["../../../src/constraints/char-sets.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;GAYG;;;AAEH,gFAAgF;AAChF,MAAM,KAAK,GAAG,WAAW,CAAC;AAE1B;;;;GAIG;AACH,MAAM,cAAc,GAAG,gBAAgB,CAAC;AAExC;;;GAGG;AACU,QAAA,QAAQ,GAAG,EAAE,KAAK,EAAE,cAAc,EAAW,CAAC"}

package/dist/commonjs/constraints/index.d.ts

@@ -0,0 +1,4 @@
+export { type StringConstraint, stringConstraint, validateString, sanitizeString, } from "./string-constraint.js";
+export { charSets } from "./char-sets.js";
+export { type ConstraintNamespace } from "./namespace.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/commonjs/constraints/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/constraints/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,gBAAgB,EACrB,gBAAgB,EAChB,cAAc,EACd,cAAc,GACf,MAAM,wBAAwB,CAAC;AAChC,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAC1C,OAAO,EAAE,KAAK,mBAAmB,EAAE,MAAM,gBAAgB,CAAC"}

package/dist/commonjs/constraints/index.js

@@ -0,0 +1,10 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.charSets = exports.sanitizeString = exports.validateString = exports.stringConstraint = void 0;
+var string_constraint_js_1 = require("./string-constraint.js");
+Object.defineProperty(exports, "stringConstraint", { enumerable: true, get: function () { return string_constraint_js_1.stringConstraint; } });
+Object.defineProperty(exports, "validateString", { enumerable: true, get: function () { return string_constraint_js_1.validateString; } });
+Object.defineProperty(exports, "sanitizeString", { enumerable: true, get: function () { return string_constraint_js_1.sanitizeString; } });
+var char_sets_js_1 = require("./char-sets.js");
+Object.defineProperty(exports, "charSets", { enumerable: true, get: function () { return char_sets_js_1.charSets; } });
+//# sourceMappingURL=index.js.map

package/dist/commonjs/constraints/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/constraints/index.ts"],"names":[],"mappings":";;;AAAA,+DAKgC;AAH9B,wHAAA,gBAAgB,OAAA;AAChB,sHAAA,cAAc,OAAA;AACd,sHAAA,cAAc,OAAA;AAEhB,+CAA0C;AAAjC,wGAAA,QAAQ,OAAA"}

package/dist/commonjs/constraints/namespace.d.ts

@@ -0,0 +1,17 @@
+/**
+ * The shape every package's `constraints` export conforms to.
+ *
+ * Discoverability is a convention, not a runtime aggregate: each builder
+ * package exposes its own `constraints` object of this shape, so the calling
+ * pattern (`constraints.validate.*` / `constraints.sanitize.*`) is identical
+ * everywhere and a consumer imports only the package they already use. The
+ * browsable index of the whole catalogue is a generated doc, not an import.
+ * See ADR-0010.
+ */
+export interface ConstraintNamespace {
+    /** Throwing validators for user-authored values the author can fix. */
+    readonly validate: Readonly<Record<string, (raw: string) => void>>;
+    /** Transforming sanitisers for derived values the author does not control. */
+    readonly sanitize: Readonly<Record<string, (raw: string) => string>>;
+}
+//# sourceMappingURL=namespace.d.ts.map

package/dist/commonjs/constraints/namespace.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"namespace.d.ts","sourceRoot":"","sources":["../../../src/constraints/namespace.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,MAAM,WAAW,mBAAmB;IAClC,uEAAuE;IACvE,QAAQ,CAAC,QAAQ,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC,CAAC,CAAC;IACnE,8EAA8E;IAC9E,QAAQ,CAAC,QAAQ,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,MAAM,CAAC,CAAC,CAAC;CACtE"}

package/dist/commonjs/constraints/namespace.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=namespace.js.map

package/dist/commonjs/constraints/namespace.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"namespace.js","sourceRoot":"","sources":["../../../src/constraints/namespace.ts"],"names":[],"mappings":""}

package/dist/commonjs/constraints/string-constraint.d.ts

@@ -0,0 +1,73 @@
+/**
+ * The shared mechanism behind the AWS-property constraint catalogue.
+ *
+ * AWS rejects malformed property strings (bad character sets, over-length
+ * values) at deploy time, after a successful `cdk synth`. A {@link StringConstraint}
+ * captures one AWS property's character-set and length rules as data, so a
+ * builder can fail at synth — at the authoring call site — instead.
+ *
+ * The catalogue is deliberately split: this mechanism lives here, while the
+ * per-resource constraint *data* lives in the package that owns the builder
+ * (e.g. `SECURITY_GROUP_DESCRIPTION` in `@composurecdk/ec2`). Cross-cutting
+ * constraints that apply to every resource (such as tags) live alongside this
+ * mechanism instead. See ADR-0010.
+ */
+/**
+ * A single AWS-property constraint, expressed as data. One entry per
+ * `(resource, property)` pair.
+ *
+ * Both regexes are compiled once. `validate*` helpers test {@link pattern};
+ * `sanitize*` helpers replace runs matched by {@link sanitizePattern}. Use
+ * {@link stringConstraint} to build one so the two stay in sync.
+ */
+export interface StringConstraint {
+    /** Human-readable property identifier, e.g. `"EC2 SecurityGroup GroupDescription"`. */
+    readonly name: string;
+    /** Anchored full-match pattern used by `validate*`. */
+    readonly pattern: RegExp;
+    /** Global negated-character-class pattern used by `sanitize*`; absent for pattern-only constraints. */
+    readonly sanitizePattern?: RegExp;
+    readonly minLength?: number;
+    readonly maxLength?: number;
+    /** Human-readable allowed-set, surfaced in validation error messages. */
+    readonly allowed: string;
+    /** AWS doc / CFN reference URL, surfaced in validation error messages. */
+    readonly source: string;
+}
+/**
+ * Builds a {@link StringConstraint} from a character class and bounds. The
+ * anchored validation pattern and the negated sanitisation pattern are both
+ * derived from `charClass` and compiled once here, so a single declaration
+ * drives both validation and sanitisation and the two cannot drift apart.
+ *
+ * @param spec - The constraint's character class, length bounds, and metadata.
+ * @returns A constraint ready for {@link validateString} / {@link sanitizeString}.
+ */
+export declare function stringConstraint(spec: {
+    name: string;
+    charClass: string;
+    minLength?: number;
+    maxLength?: number;
+    allowed: string;
+    source: string;
+    flags?: string;
+}): StringConstraint;
+/**
+ * Validates `value` against `constraint`, throwing synchronously on the first
+ * violation. Use for **user-authored** values the author can fix — the error
+ * fires at the call site, naming the allowed set and linking the AWS doc.
+ *
+ * @throws If `value` is shorter than `minLength`, longer than `maxLength`, or
+ * contains characters outside the constraint's pattern.
+ */
+export declare function validateString(value: string, constraint: StringConstraint): void;
+/**
+ * Returns a copy of `value` made legal for `constraint` by replacing runs of
+ * disallowed characters with `replacement` and truncating to `maxLength`. Use
+ * for **derived** values the author does not control (e.g. a DNS name composed
+ * into a construct ID), where rewriting is the only sensible move.
+ *
+ * @throws If the constraint is pattern-only and declares no sanitisation pattern.
+ */
+export declare function sanitizeString(value: string, constraint: StringConstraint, replacement?: string): string;
+//# sourceMappingURL=string-constraint.d.ts.map

package/dist/commonjs/constraints/string-constraint.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"string-constraint.d.ts","sourceRoot":"","sources":["../../../src/constraints/string-constraint.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH;;;;;;;GAOG;AACH,MAAM,WAAW,gBAAgB;IAC/B,uFAAuF;IACvF,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,uDAAuD;IACvD,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,uGAAuG;IACvG,QAAQ,CAAC,eAAe,CAAC,EAAE,MAAM,CAAC;IAClC,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;IAC5B,yEAAyE;IACzE,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,0EAA0E;IAC1E,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;CACzB;AAED;;;;;;;;GAQG;AACH,wBAAgB,gBAAgB,CAAC,IAAI,EAAE;IACrC,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,GAAG,gBAAgB,CAWnB;AAED;;;;;;;GAOG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,gBAAgB,GAAG,IAAI,CAgBhF;AAED;;;;;;;GAOG;AACH,wBAAgB,cAAc,CAC5B,KAAK,EAAE,MAAM,EACb,UAAU,EAAE,gBAAgB,EAC5B,WAAW,SAAM,GAChB,MAAM,CAWR"}

package/dist/commonjs/constraints/string-constraint.js

@@ -0,0 +1,78 @@
+"use strict";
+/**
+ * The shared mechanism behind the AWS-property constraint catalogue.
+ *
+ * AWS rejects malformed property strings (bad character sets, over-length
+ * values) at deploy time, after a successful `cdk synth`. A {@link StringConstraint}
+ * captures one AWS property's character-set and length rules as data, so a
+ * builder can fail at synth — at the authoring call site — instead.
+ *
+ * The catalogue is deliberately split: this mechanism lives here, while the
+ * per-resource constraint *data* lives in the package that owns the builder
+ * (e.g. `SECURITY_GROUP_DESCRIPTION` in `@composurecdk/ec2`). Cross-cutting
+ * constraints that apply to every resource (such as tags) live alongside this
+ * mechanism instead. See ADR-0010.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.stringConstraint = stringConstraint;
+exports.validateString = validateString;
+exports.sanitizeString = sanitizeString;
+/**
+ * Builds a {@link StringConstraint} from a character class and bounds. The
+ * anchored validation pattern and the negated sanitisation pattern are both
+ * derived from `charClass` and compiled once here, so a single declaration
+ * drives both validation and sanitisation and the two cannot drift apart.
+ *
+ * @param spec - The constraint's character class, length bounds, and metadata.
+ * @returns A constraint ready for {@link validateString} / {@link sanitizeString}.
+ */
+function stringConstraint(spec) {
+    const quantifier = `{${String(spec.minLength ?? 0)},${spec.maxLength === undefined ? "" : String(spec.maxLength)}}`;
+    return {
+        name: spec.name,
+        pattern: new RegExp(`^[${spec.charClass}]${quantifier}$`, spec.flags),
+        sanitizePattern: new RegExp(`[^${spec.charClass}]+`, spec.flags?.includes("u") ? "gu" : "g"),
+        minLength: spec.minLength,
+        maxLength: spec.maxLength,
+        allowed: spec.allowed,
+        source: spec.source,
+    };
+}
+/**
+ * Validates `value` against `constraint`, throwing synchronously on the first
+ * violation. Use for **user-authored** values the author can fix — the error
+ * fires at the call site, naming the allowed set and linking the AWS doc.
+ *
+ * @throws If `value` is shorter than `minLength`, longer than `maxLength`, or
+ * contains characters outside the constraint's pattern.
+ */
+function validateString(value, constraint) {
+    if (constraint.minLength !== undefined && value.length < constraint.minLength) {
+        throw new Error(`${constraint.name} "${value}" is shorter than the ${String(constraint.minLength)}-character minimum. See ${constraint.source}.`);
+    }
+    if (constraint.maxLength !== undefined && value.length > constraint.maxLength) {
+        throw new Error(`${constraint.name} "${value}" exceeds the ${String(constraint.maxLength)}-character limit. See ${constraint.source}.`);
+    }
+    if (!constraint.pattern.test(value)) {
+        throw new Error(`${constraint.name} "${value}" is invalid. Allowed: ${constraint.allowed}. See ${constraint.source}.`);
+    }
+}
+/**
+ * Returns a copy of `value` made legal for `constraint` by replacing runs of
+ * disallowed characters with `replacement` and truncating to `maxLength`. Use
+ * for **derived** values the author does not control (e.g. a DNS name composed
+ * into a construct ID), where rewriting is the only sensible move.
+ *
+ * @throws If the constraint is pattern-only and declares no sanitisation pattern.
+ */
+function sanitizeString(value, constraint, replacement = "-") {
+    if (constraint.sanitizePattern === undefined) {
+        throw new Error(`${constraint.name} cannot be sanitised: the constraint has no character class.`);
+    }
+    let out = value.replace(constraint.sanitizePattern, replacement);
+    if (constraint.maxLength !== undefined && out.length > constraint.maxLength) {
+        out = out.slice(0, constraint.maxLength);
+    }
+    return out;
+}
+//# sourceMappingURL=string-constraint.js.map

package/dist/commonjs/constraints/string-constraint.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"string-constraint.js","sourceRoot":"","sources":["../../../src/constraints/string-constraint.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;GAaG;;AAkCH,4CAmBC;AAUD,wCAgBC;AAUD,wCAeC;AA/ED;;;;;;;;GAQG;AACH,SAAgB,gBAAgB,CAAC,IAQhC;IACC,MAAM,UAAU,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,SAAS,IAAI,CAAC,CAAC,IAAI,IAAI,CAAC,SAAS,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC;IACpH,OAAO;QACL,IAAI,EAAE,IAAI,CAAC,IAAI;QACf,OAAO,EAAE,IAAI,MAAM,CAAC,KAAK,IAAI,CAAC,SAAS,IAAI,UAAU,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC;QACrE,eAAe,EAAE,IAAI,MAAM,CAAC,KAAK,IAAI,CAAC,SAAS,IAAI,EAAE,IAAI,CAAC,KAAK,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC;QAC5F,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,MAAM,EAAE,IAAI,CAAC,MAAM;KACpB,CAAC;AACJ,CAAC;AAED;;;;;;;GAOG;AACH,SAAgB,cAAc,CAAC,KAAa,EAAE,UAA4B;IACxE,IAAI,UAAU,CAAC,SAAS,KAAK,SAAS,IAAI,KAAK,CAAC,MAAM,GAAG,UAAU,CAAC,SAAS,EAAE,CAAC;QAC9E,MAAM,IAAI,KAAK,CACb,GAAG,UAAU,CAAC,IAAI,KAAK,KAAK,yBAAyB,MAAM,CAAC,UAAU,CAAC,SAAS,CAAC,2BAA2B,UAAU,CAAC,MAAM,GAAG,CACjI,CAAC;IACJ,CAAC;IACD,IAAI,UAAU,CAAC,SAAS,KAAK,SAAS,IAAI,KAAK,CAAC,MAAM,GAAG,UAAU,CAAC,SAAS,EAAE,CAAC;QAC9E,MAAM,IAAI,KAAK,CACb,GAAG,UAAU,CAAC,IAAI,KAAK,KAAK,iBAAiB,MAAM,CAAC,UAAU,CAAC,SAAS,CAAC,yBAAyB,UAAU,CAAC,MAAM,GAAG,CACvH,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QACpC,MAAM,IAAI,KAAK,CACb,GAAG,UAAU,CAAC,IAAI,KAAK,KAAK,0BAA0B,UAAU,CAAC,OAAO,SAAS,UAAU,CAAC,MAAM,GAAG,CACtG,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;;;;GAOG;AACH,SAAgB,cAAc,CAC5B,KAAa,EACb,UAA4B,EAC5B,WAAW,GAAG,GAAG;IAEjB,IAAI,UAAU,CAAC,eAAe,KAAK,SAAS,EAAE,CAAC;QAC7C,MAAM,IAAI,KAAK,CACb,GAAG,UAAU,CAAC,IAAI,8DAA8D,CACjF,CAAC;IACJ,CAAC;IACD,IAAI,GAAG,GAAG,KAAK,CAAC,OAAO,CAAC,UAAU,CAAC,eAAe,EAAE,WAAW,CAAC,CAAC;IACjE,IAAI,UAAU,CAAC,SAAS,KAAK,SAAS,IAAI,GAAG,CAAC,MAAM,GAAG,UAAU,CAAC,SAAS,EAAE,CAAC;QAC5E,GAAG,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC;IAC3C,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC"}

package/dist/commonjs/index.d.ts

@@ -5,4 +5,5 @@ export { taggedBuilder, type ITaggedBuilder, TAG_OVERRIDE_WARNING_NAME } from ".
 export { applyBuilderTags } from "./apply-builder-tags.js";
 export { validateTag } from "./tag-validator.js";
 export { tags, type TagDefinitions } from "./tags.js";
+export { type StringConstraint, stringConstraint, validateString, sanitizeString, charSets, type ConstraintNamespace, } from "./constraints/index.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/commonjs/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,kBAAkB,EAClB,KAAK,aAAa,EAClB,KAAK,kBAAkB,GACxB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAC7D,OAAO,EAAE,OAAO,EAAE,KAAK,gBAAgB,EAAE,KAAK,iBAAiB,EAAE,MAAM,cAAc,CAAC;AACtF,OAAO,EAAE,aAAa,EAAE,KAAK,cAAc,EAAE,yBAAyB,EAAE,MAAM,qBAAqB,CAAC;AACpG,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC3D,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,IAAI,EAAE,KAAK,cAAc,EAAE,MAAM,WAAW,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,kBAAkB,EAClB,KAAK,aAAa,EAClB,KAAK,kBAAkB,GACxB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAC7D,OAAO,EAAE,OAAO,EAAE,KAAK,gBAAgB,EAAE,KAAK,iBAAiB,EAAE,MAAM,cAAc,CAAC;AACtF,OAAO,EAAE,aAAa,EAAE,KAAK,cAAc,EAAE,yBAAyB,EAAE,MAAM,qBAAqB,CAAC;AACpG,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC3D,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,IAAI,EAAE,KAAK,cAAc,EAAE,MAAM,WAAW,CAAC;AACtD,OAAO,EACL,KAAK,gBAAgB,EACrB,gBAAgB,EAChB,cAAc,EACd,cAAc,EACd,QAAQ,EACR,KAAK,mBAAmB,GACzB,MAAM,wBAAwB,CAAC"}

package/dist/commonjs/index.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.tags = exports.validateTag = exports.applyBuilderTags = exports.TAG_OVERRIDE_WARNING_NAME = exports.taggedBuilder = exports.outputs = exports.groupedStacks = exports.singleStack = exports.createStackBuilder = void 0;
+exports.charSets = exports.sanitizeString = exports.validateString = exports.stringConstraint = exports.tags = exports.validateTag = exports.applyBuilderTags = exports.TAG_OVERRIDE_WARNING_NAME = exports.taggedBuilder = exports.outputs = exports.groupedStacks = exports.singleStack = exports.createStackBuilder = void 0;
 var stack_builder_js_1 = require("./stack-builder.js");
 Object.defineProperty(exports, "createStackBuilder", { enumerable: true, get: function () { return stack_builder_js_1.createStackBuilder; } });
 var strategies_js_1 = require("./strategies.js");
@@ -17,4 +17,9 @@ var tag_validator_js_1 = require("./tag-validator.js");
 Object.defineProperty(exports, "validateTag", { enumerable: true, get: function () { return tag_validator_js_1.validateTag; } });
 var tags_js_1 = require("./tags.js");
 Object.defineProperty(exports, "tags", { enumerable: true, get: function () { return tags_js_1.tags; } });
+var index_js_1 = require("./constraints/index.js");
+Object.defineProperty(exports, "stringConstraint", { enumerable: true, get: function () { return index_js_1.stringConstraint; } });
+Object.defineProperty(exports, "validateString", { enumerable: true, get: function () { return index_js_1.validateString; } });
+Object.defineProperty(exports, "sanitizeString", { enumerable: true, get: function () { return index_js_1.sanitizeString; } });
+Object.defineProperty(exports, "charSets", { enumerable: true, get: function () { return index_js_1.charSets; } });
 //# sourceMappingURL=index.js.map

package/dist/commonjs/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;;AAAA,uDAI4B;AAH1B,sHAAA,kBAAkB,OAAA;AAIpB,iDAA6D;AAApD,4GAAA,WAAW,OAAA;AAAE,8GAAA,aAAa,OAAA;AACnC,2CAAsF;AAA7E,qGAAA,OAAO,OAAA;AAChB,yDAAoG;AAA3F,kHAAA,aAAa,OAAA;AAAuB,8HAAA,yBAAyB,OAAA;AACtE,iEAA2D;AAAlD,yHAAA,gBAAgB,OAAA;AACzB,uDAAiD;AAAxC,+GAAA,WAAW,OAAA;AACpB,qCAAsD;AAA7C,+FAAA,IAAI,OAAA"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;;AAAA,uDAI4B;AAH1B,sHAAA,kBAAkB,OAAA;AAIpB,iDAA6D;AAApD,4GAAA,WAAW,OAAA;AAAE,8GAAA,aAAa,OAAA;AACnC,2CAAsF;AAA7E,qGAAA,OAAO,OAAA;AAChB,yDAAoG;AAA3F,kHAAA,aAAa,OAAA;AAAuB,8HAAA,yBAAyB,OAAA;AACtE,iEAA2D;AAAlD,yHAAA,gBAAgB,OAAA;AACzB,uDAAiD;AAAxC,+GAAA,WAAW,OAAA;AACpB,qCAAsD;AAA7C,+FAAA,IAAI,OAAA;AACb,mDAOgC;AAL9B,4GAAA,gBAAgB,OAAA;AAChB,0GAAA,cAAc,OAAA;AACd,0GAAA,cAAc,OAAA;AACd,oGAAA,QAAQ,OAAA"}

package/dist/commonjs/tag-validator.d.ts

@@ -4,14 +4,12 @@
  * Throws synchronously at the call site so authors see the failure where the
  * bad value was written, not at deploy time. Validates:
  *
- * - `key` is non-empty and at most {@link KEY_MAX} characters.
- * - `key` does not start with the reserved `aws:` prefix (case-insensitive).
- * - `value` is at most {@link VALUE_MAX} characters.
- * - both `key` and `value` use only the AWS-permitted character set.
+ * - `key` is non-empty and does not start with the reserved `aws:` prefix
+ *   (case-insensitive) — both tag-specific rules.
+ * - `key` and `value` length and character set, via the shared catalogue
+ *   mechanism. Empty values are permitted; empty keys are not.
  *
- * The regex matches Unicode letters, digits, and whitespace plus the
- * documented punctuation set, so non-ASCII tags are accepted as AWS
- * supports them.
+ * Non-ASCII letters, digits, and whitespace are accepted, matching AWS.
  */
 export declare function validateTag(key: string, value: string): void;
 /**

package/dist/commonjs/tag-validator.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"tag-validator.d.ts","sourceRoot":"","sources":["../../src/tag-validator.ts"],"names":[],"mappings":"AAkBA;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,WAAW,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,CA2B5D;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,IAAI,CAItE"}
+{"version":3,"file":"tag-validator.d.ts","sourceRoot":"","sources":["../../src/tag-validator.ts"],"names":[],"mappings":"AAyCA;;;;;;;;;;;;GAYG;AACH,wBAAgB,WAAW,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,CAW5D;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,IAAI,CAItE"}

package/dist/commonjs/tag-validator.js

@@ -2,58 +2,65 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.validateTag = validateTag;
 exports.validateTagRecord = validateTagRecord;
+const index_js_1 = require("./constraints/index.js");
 /**
  * AWS allows letters, digits, whitespace, and the symbols `_ . : / = + - @`
  * in tag keys and values, with non-ASCII letters/digits permitted via
- * Unicode classes. Empty values are permitted by AWS for `Value`, but
- * empty `Key` is not. The character set is validated against this regex.
+ * Unicode classes.
  *
- * `\p{Z}` matches the full Unicode separator class — slightly more
- * permissive than AWS's documented "white space," but errors on the side
- * of accepting input that the AWS API may yet reject at deploy time. The
- * extra rejections happen later but are reported in the API response.
- *
- * @see https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html
+ * `\p{Z}` matches the full Unicode separator class — slightly more permissive
+ * than AWS's documented "white space," but errs on the side of accepting input
+ * the AWS API may yet reject at deploy time, where the failure is reported in
+ * the API response.
+ */
+const TAG_CHARS = "\\p{L}\\p{Z}\\p{N}_.:/=+@\\-";
+const TAG_ALLOWED = "the AWS tag character set: letters, digits, whitespace, and _ . : / = + - @";
+const TAG_SOURCE = "https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html";
+/**
+ * Tags are cross-cutting — they apply to every resource — so unlike per-resource
+ * constraints they live alongside the catalogue mechanism rather than in a
+ * service package. Both entries are module-private and reached only through
+ * {@link validateTag}, which layers the tag-specific empty-key and reserved-
+ * prefix rules on top of {@link validateString}. See ADR-0010.
  */
-const TAG_CHAR_RE = /^[\p{L}\p{Z}\p{N}_.:/=+\-@]*$/u;
-const KEY_MAX = 128;
-const VALUE_MAX = 256;
+const TAG_KEY = (0, index_js_1.stringConstraint)({
+    name: "Tag key",
+    charClass: TAG_CHARS,
+    maxLength: 128,
+    allowed: TAG_ALLOWED,
+    source: TAG_SOURCE,
+    flags: "u",
+});
+const TAG_VALUE = (0, index_js_1.stringConstraint)({
+    name: "Tag value",
+    charClass: TAG_CHARS,
+    maxLength: 256,
+    allowed: TAG_ALLOWED,
+    source: TAG_SOURCE,
+    flags: "u",
+});
 /**
  * Validates a single tag key/value pair against AWS tag constraints.
  *
  * Throws synchronously at the call site so authors see the failure where the
  * bad value was written, not at deploy time. Validates:
  *
- * - `key` is non-empty and at most {@link KEY_MAX} characters.
- * - `key` does not start with the reserved `aws:` prefix (case-insensitive).
- * - `value` is at most {@link VALUE_MAX} characters.
- * - both `key` and `value` use only the AWS-permitted character set.
+ * - `key` is non-empty and does not start with the reserved `aws:` prefix
+ *   (case-insensitive) — both tag-specific rules.
+ * - `key` and `value` length and character set, via the shared catalogue
+ *   mechanism. Empty values are permitted; empty keys are not.
  *
- * The regex matches Unicode letters, digits, and whitespace plus the
- * documented punctuation set, so non-ASCII tags are accepted as AWS
- * supports them.
+ * Non-ASCII letters, digits, and whitespace are accepted, matching AWS.
  */
 function validateTag(key, value) {
     if (key.length === 0) {
         throw new Error("Tag key must be non-empty.");
     }
-    if (key.length > KEY_MAX) {
-        throw new Error(`Tag key "${key}" exceeds ${String(KEY_MAX)}-character limit.`);
-    }
     if (key.toLowerCase().startsWith("aws:")) {
         throw new Error(`Tag key "${key}" uses reserved "aws:" prefix; AWS rejects user tags with this prefix.`);
     }
-    if (!TAG_CHAR_RE.test(key)) {
-        throw new Error(`Tag key "${key}" contains characters outside the AWS tag character set ` +
-            "(letters, digits, whitespace, and `_ . : / = + - @`).");
-    }
-    if (value.length > VALUE_MAX) {
-        throw new Error(`Tag value for key "${key}" exceeds ${String(VALUE_MAX)}-character limit.`);
-    }
-    if (!TAG_CHAR_RE.test(value)) {
-        throw new Error(`Tag value for key "${key}" contains characters outside the AWS tag character set ` +
-            "(letters, digits, whitespace, and `_ . : / = + - @`).");
-    }
+    (0, index_js_1.validateString)(key, TAG_KEY);
+    (0, index_js_1.validateString)(value, TAG_VALUE);
 }
 /**
  * Validates every entry of a record via {@link validateTag}, throwing on the

package/dist/commonjs/tag-validator.js.map

@@ -1 +1 @@
-{"version":3,"file":"tag-validator.js","sourceRoot":"","sources":["../../src/tag-validator.ts"],"names":[],"mappings":";;AAiCA,kCA2BC;AAMD,8CAIC;AAtED;;;;;;;;;;;;GAYG;AACH,MAAM,WAAW,GAAG,gCAAgC,CAAC;AAErD,MAAM,OAAO,GAAG,GAAG,CAAC;AACpB,MAAM,SAAS,GAAG,GAAG,CAAC;AAEtB;;;;;;;;;;;;;;GAcG;AACH,SAAgB,WAAW,CAAC,GAAW,EAAE,KAAa;IACpD,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;IAChD,CAAC;IACD,IAAI,GAAG,CAAC,MAAM,GAAG,OAAO,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CAAC,YAAY,GAAG,aAAa,MAAM,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAClF,CAAC;IACD,IAAI,GAAG,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;QACzC,MAAM,IAAI,KAAK,CACb,YAAY,GAAG,wEAAwE,CACxF,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CACb,YAAY,GAAG,0DAA0D;YACvE,uDAAuD,CAC1D,CAAC;IACJ,CAAC;IACD,IAAI,KAAK,CAAC,MAAM,GAAG,SAAS,EAAE,CAAC;QAC7B,MAAM,IAAI,KAAK,CAAC,sBAAsB,GAAG,aAAa,MAAM,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAC;IAC9F,CAAC;IACD,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QAC7B,MAAM,IAAI,KAAK,CACb,sBAAsB,GAAG,0DAA0D;YACjF,uDAAuD,CAC1D,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,SAAgB,iBAAiB,CAAC,MAA8B;IAC9D,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAClD,WAAW,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;IAC1B,CAAC;AACH,CAAC"}
+{"version":3,"file":"tag-validator.js","sourceRoot":"","sources":["../../src/tag-validator.ts"],"names":[],"mappings":";;AAsDA,kCAWC;AAMD,8CAIC;AA3ED,qDAA0E;AAE1E;;;;;;;;;GASG;AACH,MAAM,SAAS,GAAG,8BAA8B,CAAC;AACjD,MAAM,WAAW,GAAG,6EAA6E,CAAC;AAClG,MAAM,UAAU,GAAG,gEAAgE,CAAC;AAEpF;;;;;;GAMG;AACH,MAAM,OAAO,GAAG,IAAA,2BAAgB,EAAC;IAC/B,IAAI,EAAE,SAAS;IACf,SAAS,EAAE,SAAS;IACpB,SAAS,EAAE,GAAG;IACd,OAAO,EAAE,WAAW;IACpB,MAAM,EAAE,UAAU;IAClB,KAAK,EAAE,GAAG;CACX,CAAC,CAAC;AAEH,MAAM,SAAS,GAAG,IAAA,2BAAgB,EAAC;IACjC,IAAI,EAAE,WAAW;IACjB,SAAS,EAAE,SAAS;IACpB,SAAS,EAAE,GAAG;IACd,OAAO,EAAE,WAAW;IACpB,MAAM,EAAE,UAAU;IAClB,KAAK,EAAE,GAAG;CACX,CAAC,CAAC;AAEH;;;;;;;;;;;;GAYG;AACH,SAAgB,WAAW,CAAC,GAAW,EAAE,KAAa;IACpD,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;IAChD,CAAC;IACD,IAAI,GAAG,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;QACzC,MAAM,IAAI,KAAK,CACb,YAAY,GAAG,wEAAwE,CACxF,CAAC;IACJ,CAAC;IACD,IAAA,yBAAc,EAAC,GAAG,EAAE,OAAO,CAAC,CAAC;IAC7B,IAAA,yBAAc,EAAC,KAAK,EAAE,SAAS,CAAC,CAAC;AACnC,CAAC;AAED;;;GAGG;AACH,SAAgB,iBAAiB,CAAC,MAA8B;IAC9D,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAClD,WAAW,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;IAC1B,CAAC;AACH,CAAC"}

package/dist/esm/constraints/char-sets.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Character-class fragments shared across multiple AWS-property constraints.
+ *
+ * Each value is pre-escaped and ordered for use *inside* a `[...]` character
+ * class (the `-` is escaped, so position is irrelevant). A constraint spreads
+ * these into its own class alongside any property-specific characters, so the
+ * common spine is declared once and the per-property tail stays local.
+ *
+ * They are grouped under a single {@link charSets} export to keep the package
+ * surface tidy. A fragment graduates here only once a *second* property needs
+ * it — promotion is a one-line move plus an import change in the owning
+ * packages. See ADR-0010.
+ */
+/**
+ * Shared character-class fragments. Spread one into a constraint's `charClass`:
+ * `` charClass: `${charSets.ALNUM}${charSets.AWS_NAME_PUNCT}...` ``.
+ */
+export declare const charSets: {
+    readonly ALNUM: "A-Za-z0-9";
+    readonly AWS_NAME_PUNCT: " _./:+=@#()\\-";
+};
+//# sourceMappingURL=char-sets.d.ts.map

package/dist/esm/constraints/char-sets.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"char-sets.d.ts","sourceRoot":"","sources":["../../../src/constraints/char-sets.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAYH;;;GAGG;AACH,eAAO,MAAM,QAAQ;;;CAAqC,CAAC"}

package/dist/esm/constraints/char-sets.js

@@ -0,0 +1,27 @@
+/**
+ * Character-class fragments shared across multiple AWS-property constraints.
+ *
+ * Each value is pre-escaped and ordered for use *inside* a `[...]` character
+ * class (the `-` is escaped, so position is irrelevant). A constraint spreads
+ * these into its own class alongside any property-specific characters, so the
+ * common spine is declared once and the per-property tail stays local.
+ *
+ * They are grouped under a single {@link charSets} export to keep the package
+ * surface tidy. A fragment graduates here only once a *second* property needs
+ * it — promotion is a one-line move plus an import change in the owning
+ * packages. See ADR-0010.
+ */
+/** ASCII letters and digits — the base of nearly every AWS name/description. */
+const ALNUM = "A-Za-z0-9";
+/**
+ * The punctuation common to AlarmName, SecurityGroup descriptions, and tags
+ * (the measured intersection). Individual properties extend this with their
+ * own additional characters; they do not redefine the shared set.
+ */
+const AWS_NAME_PUNCT = " _./:+=@#()\\-";
+/**
+ * Shared character-class fragments. Spread one into a constraint's `charClass`:
+ * `` charClass: `${charSets.ALNUM}${charSets.AWS_NAME_PUNCT}...` ``.
+ */
+export const charSets = { ALNUM, AWS_NAME_PUNCT };
+//# sourceMappingURL=char-sets.js.map

package/dist/esm/constraints/char-sets.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"char-sets.js","sourceRoot":"","sources":["../../../src/constraints/char-sets.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,gFAAgF;AAChF,MAAM,KAAK,GAAG,WAAW,CAAC;AAE1B;;;;GAIG;AACH,MAAM,cAAc,GAAG,gBAAgB,CAAC;AAExC;;;GAGG;AACH,MAAM,CAAC,MAAM,QAAQ,GAAG,EAAE,KAAK,EAAE,cAAc,EAAW,CAAC"}

package/dist/esm/constraints/index.d.ts

@@ -0,0 +1,4 @@
+export { type StringConstraint, stringConstraint, validateString, sanitizeString, } from "./string-constraint.js";
+export { charSets } from "./char-sets.js";
+export { type ConstraintNamespace } from "./namespace.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/esm/constraints/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/constraints/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,gBAAgB,EACrB,gBAAgB,EAChB,cAAc,EACd,cAAc,GACf,MAAM,wBAAwB,CAAC;AAChC,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAC1C,OAAO,EAAE,KAAK,mBAAmB,EAAE,MAAM,gBAAgB,CAAC"}

package/dist/esm/constraints/index.js

@@ -0,0 +1,3 @@
+export { stringConstraint, validateString, sanitizeString, } from "./string-constraint.js";
+export { charSets } from "./char-sets.js";
+//# sourceMappingURL=index.js.map

package/dist/esm/constraints/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/constraints/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAEL,gBAAgB,EAChB,cAAc,EACd,cAAc,GACf,MAAM,wBAAwB,CAAC;AAChC,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC"}

package/dist/esm/constraints/namespace.d.ts

@@ -0,0 +1,17 @@
+/**
+ * The shape every package's `constraints` export conforms to.
+ *
+ * Discoverability is a convention, not a runtime aggregate: each builder
+ * package exposes its own `constraints` object of this shape, so the calling
+ * pattern (`constraints.validate.*` / `constraints.sanitize.*`) is identical
+ * everywhere and a consumer imports only the package they already use. The
+ * browsable index of the whole catalogue is a generated doc, not an import.
+ * See ADR-0010.
+ */
+export interface ConstraintNamespace {
+    /** Throwing validators for user-authored values the author can fix. */
+    readonly validate: Readonly<Record<string, (raw: string) => void>>;
+    /** Transforming sanitisers for derived values the author does not control. */
+    readonly sanitize: Readonly<Record<string, (raw: string) => string>>;
+}
+//# sourceMappingURL=namespace.d.ts.map

package/dist/esm/constraints/namespace.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"namespace.d.ts","sourceRoot":"","sources":["../../../src/constraints/namespace.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,MAAM,WAAW,mBAAmB;IAClC,uEAAuE;IACvE,QAAQ,CAAC,QAAQ,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC,CAAC,CAAC;IACnE,8EAA8E;IAC9E,QAAQ,CAAC,QAAQ,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,MAAM,CAAC,CAAC,CAAC;CACtE"}

package/dist/esm/constraints/namespace.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=namespace.js.map

package/dist/esm/constraints/namespace.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"namespace.js","sourceRoot":"","sources":["../../../src/constraints/namespace.ts"],"names":[],"mappings":""}

package/dist/esm/constraints/string-constraint.d.ts

@@ -0,0 +1,73 @@
+/**
+ * The shared mechanism behind the AWS-property constraint catalogue.
+ *
+ * AWS rejects malformed property strings (bad character sets, over-length
+ * values) at deploy time, after a successful `cdk synth`. A {@link StringConstraint}
+ * captures one AWS property's character-set and length rules as data, so a
+ * builder can fail at synth — at the authoring call site — instead.
+ *
+ * The catalogue is deliberately split: this mechanism lives here, while the
+ * per-resource constraint *data* lives in the package that owns the builder
+ * (e.g. `SECURITY_GROUP_DESCRIPTION` in `@composurecdk/ec2`). Cross-cutting
+ * constraints that apply to every resource (such as tags) live alongside this
+ * mechanism instead. See ADR-0010.
+ */
+/**
+ * A single AWS-property constraint, expressed as data. One entry per
+ * `(resource, property)` pair.
+ *
+ * Both regexes are compiled once. `validate*` helpers test {@link pattern};
+ * `sanitize*` helpers replace runs matched by {@link sanitizePattern}. Use
+ * {@link stringConstraint} to build one so the two stay in sync.
+ */
+export interface StringConstraint {
+    /** Human-readable property identifier, e.g. `"EC2 SecurityGroup GroupDescription"`. */
+    readonly name: string;
+    /** Anchored full-match pattern used by `validate*`. */
+    readonly pattern: RegExp;
+    /** Global negated-character-class pattern used by `sanitize*`; absent for pattern-only constraints. */
+    readonly sanitizePattern?: RegExp;
+    readonly minLength?: number;
+    readonly maxLength?: number;
+    /** Human-readable allowed-set, surfaced in validation error messages. */
+    readonly allowed: string;
+    /** AWS doc / CFN reference URL, surfaced in validation error messages. */
+    readonly source: string;
+}
+/**
+ * Builds a {@link StringConstraint} from a character class and bounds. The
+ * anchored validation pattern and the negated sanitisation pattern are both
+ * derived from `charClass` and compiled once here, so a single declaration
+ * drives both validation and sanitisation and the two cannot drift apart.
+ *
+ * @param spec - The constraint's character class, length bounds, and metadata.
+ * @returns A constraint ready for {@link validateString} / {@link sanitizeString}.
+ */
+export declare function stringConstraint(spec: {
+    name: string;
+    charClass: string;
+    minLength?: number;
+    maxLength?: number;
+    allowed: string;
+    source: string;
+    flags?: string;
+}): StringConstraint;
+/**
+ * Validates `value` against `constraint`, throwing synchronously on the first
+ * violation. Use for **user-authored** values the author can fix — the error
+ * fires at the call site, naming the allowed set and linking the AWS doc.
+ *
+ * @throws If `value` is shorter than `minLength`, longer than `maxLength`, or
+ * contains characters outside the constraint's pattern.
+ */
+export declare function validateString(value: string, constraint: StringConstraint): void;
+/**
+ * Returns a copy of `value` made legal for `constraint` by replacing runs of
+ * disallowed characters with `replacement` and truncating to `maxLength`. Use
+ * for **derived** values the author does not control (e.g. a DNS name composed
+ * into a construct ID), where rewriting is the only sensible move.
+ *
+ * @throws If the constraint is pattern-only and declares no sanitisation pattern.
+ */
+export declare function sanitizeString(value: string, constraint: StringConstraint, replacement?: string): string;
+//# sourceMappingURL=string-constraint.d.ts.map

package/dist/esm/constraints/string-constraint.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"string-constraint.d.ts","sourceRoot":"","sources":["../../../src/constraints/string-constraint.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH;;;;;;;GAOG;AACH,MAAM,WAAW,gBAAgB;IAC/B,uFAAuF;IACvF,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,uDAAuD;IACvD,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,uGAAuG;IACvG,QAAQ,CAAC,eAAe,CAAC,EAAE,MAAM,CAAC;IAClC,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;IAC5B,yEAAyE;IACzE,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,0EAA0E;IAC1E,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;CACzB;AAED;;;;;;;;GAQG;AACH,wBAAgB,gBAAgB,CAAC,IAAI,EAAE;IACrC,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,GAAG,gBAAgB,CAWnB;AAED;;;;;;;GAOG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,gBAAgB,GAAG,IAAI,CAgBhF;AAED;;;;;;;GAOG;AACH,wBAAgB,cAAc,CAC5B,KAAK,EAAE,MAAM,EACb,UAAU,EAAE,gBAAgB,EAC5B,WAAW,SAAM,GAChB,MAAM,CAWR"}

package/dist/esm/constraints/string-constraint.js

@@ -0,0 +1,73 @@
+/**
+ * The shared mechanism behind the AWS-property constraint catalogue.
+ *
+ * AWS rejects malformed property strings (bad character sets, over-length
+ * values) at deploy time, after a successful `cdk synth`. A {@link StringConstraint}
+ * captures one AWS property's character-set and length rules as data, so a
+ * builder can fail at synth — at the authoring call site — instead.
+ *
+ * The catalogue is deliberately split: this mechanism lives here, while the
+ * per-resource constraint *data* lives in the package that owns the builder
+ * (e.g. `SECURITY_GROUP_DESCRIPTION` in `@composurecdk/ec2`). Cross-cutting
+ * constraints that apply to every resource (such as tags) live alongside this
+ * mechanism instead. See ADR-0010.
+ */
+/**
+ * Builds a {@link StringConstraint} from a character class and bounds. The
+ * anchored validation pattern and the negated sanitisation pattern are both
+ * derived from `charClass` and compiled once here, so a single declaration
+ * drives both validation and sanitisation and the two cannot drift apart.
+ *
+ * @param spec - The constraint's character class, length bounds, and metadata.
+ * @returns A constraint ready for {@link validateString} / {@link sanitizeString}.
+ */
+export function stringConstraint(spec) {
+    const quantifier = `{${String(spec.minLength ?? 0)},${spec.maxLength === undefined ? "" : String(spec.maxLength)}}`;
+    return {
+        name: spec.name,
+        pattern: new RegExp(`^[${spec.charClass}]${quantifier}$`, spec.flags),
+        sanitizePattern: new RegExp(`[^${spec.charClass}]+`, spec.flags?.includes("u") ? "gu" : "g"),
+        minLength: spec.minLength,
+        maxLength: spec.maxLength,
+        allowed: spec.allowed,
+        source: spec.source,
+    };
+}
+/**
+ * Validates `value` against `constraint`, throwing synchronously on the first
+ * violation. Use for **user-authored** values the author can fix — the error
+ * fires at the call site, naming the allowed set and linking the AWS doc.
+ *
+ * @throws If `value` is shorter than `minLength`, longer than `maxLength`, or
+ * contains characters outside the constraint's pattern.
+ */
+export function validateString(value, constraint) {
+    if (constraint.minLength !== undefined && value.length < constraint.minLength) {
+        throw new Error(`${constraint.name} "${value}" is shorter than the ${String(constraint.minLength)}-character minimum. See ${constraint.source}.`);
+    }
+    if (constraint.maxLength !== undefined && value.length > constraint.maxLength) {
+        throw new Error(`${constraint.name} "${value}" exceeds the ${String(constraint.maxLength)}-character limit. See ${constraint.source}.`);
+    }
+    if (!constraint.pattern.test(value)) {
+        throw new Error(`${constraint.name} "${value}" is invalid. Allowed: ${constraint.allowed}. See ${constraint.source}.`);
+    }
+}
+/**
+ * Returns a copy of `value` made legal for `constraint` by replacing runs of
+ * disallowed characters with `replacement` and truncating to `maxLength`. Use
+ * for **derived** values the author does not control (e.g. a DNS name composed
+ * into a construct ID), where rewriting is the only sensible move.
+ *
+ * @throws If the constraint is pattern-only and declares no sanitisation pattern.
+ */
+export function sanitizeString(value, constraint, replacement = "-") {
+    if (constraint.sanitizePattern === undefined) {
+        throw new Error(`${constraint.name} cannot be sanitised: the constraint has no character class.`);
+    }
+    let out = value.replace(constraint.sanitizePattern, replacement);
+    if (constraint.maxLength !== undefined && out.length > constraint.maxLength) {
+        out = out.slice(0, constraint.maxLength);
+    }
+    return out;
+}
+//# sourceMappingURL=string-constraint.js.map

package/dist/esm/constraints/string-constraint.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"string-constraint.js","sourceRoot":"","sources":["../../../src/constraints/string-constraint.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAyBH;;;;;;;;GAQG;AACH,MAAM,UAAU,gBAAgB,CAAC,IAQhC;IACC,MAAM,UAAU,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,SAAS,IAAI,CAAC,CAAC,IAAI,IAAI,CAAC,SAAS,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC;IACpH,OAAO;QACL,IAAI,EAAE,IAAI,CAAC,IAAI;QACf,OAAO,EAAE,IAAI,MAAM,CAAC,KAAK,IAAI,CAAC,SAAS,IAAI,UAAU,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC;QACrE,eAAe,EAAE,IAAI,MAAM,CAAC,KAAK,IAAI,CAAC,SAAS,IAAI,EAAE,IAAI,CAAC,KAAK,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC;QAC5F,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,MAAM,EAAE,IAAI,CAAC,MAAM;KACpB,CAAC;AACJ,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,cAAc,CAAC,KAAa,EAAE,UAA4B;IACxE,IAAI,UAAU,CAAC,SAAS,KAAK,SAAS,IAAI,KAAK,CAAC,MAAM,GAAG,UAAU,CAAC,SAAS,EAAE,CAAC;QAC9E,MAAM,IAAI,KAAK,CACb,GAAG,UAAU,CAAC,IAAI,KAAK,KAAK,yBAAyB,MAAM,CAAC,UAAU,CAAC,SAAS,CAAC,2BAA2B,UAAU,CAAC,MAAM,GAAG,CACjI,CAAC;IACJ,CAAC;IACD,IAAI,UAAU,CAAC,SAAS,KAAK,SAAS,IAAI,KAAK,CAAC,MAAM,GAAG,UAAU,CAAC,SAAS,EAAE,CAAC;QAC9E,MAAM,IAAI,KAAK,CACb,GAAG,UAAU,CAAC,IAAI,KAAK,KAAK,iBAAiB,MAAM,CAAC,UAAU,CAAC,SAAS,CAAC,yBAAyB,UAAU,CAAC,MAAM,GAAG,CACvH,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QACpC,MAAM,IAAI,KAAK,CACb,GAAG,UAAU,CAAC,IAAI,KAAK,KAAK,0BAA0B,UAAU,CAAC,OAAO,SAAS,UAAU,CAAC,MAAM,GAAG,CACtG,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,cAAc,CAC5B,KAAa,EACb,UAA4B,EAC5B,WAAW,GAAG,GAAG;IAEjB,IAAI,UAAU,CAAC,eAAe,KAAK,SAAS,EAAE,CAAC;QAC7C,MAAM,IAAI,KAAK,CACb,GAAG,UAAU,CAAC,IAAI,8DAA8D,CACjF,CAAC;IACJ,CAAC;IACD,IAAI,GAAG,GAAG,KAAK,CAAC,OAAO,CAAC,UAAU,CAAC,eAAe,EAAE,WAAW,CAAC,CAAC;IACjE,IAAI,UAAU,CAAC,SAAS,KAAK,SAAS,IAAI,GAAG,CAAC,MAAM,GAAG,UAAU,CAAC,SAAS,EAAE,CAAC;QAC5E,GAAG,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC;IAC3C,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC"}

package/dist/esm/index.d.ts

@@ -5,4 +5,5 @@ export { taggedBuilder, type ITaggedBuilder, TAG_OVERRIDE_WARNING_NAME } from ".
 export { applyBuilderTags } from "./apply-builder-tags.js";
 export { validateTag } from "./tag-validator.js";
 export { tags, type TagDefinitions } from "./tags.js";
+export { type StringConstraint, stringConstraint, validateString, sanitizeString, charSets, type ConstraintNamespace, } from "./constraints/index.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/esm/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,kBAAkB,EAClB,KAAK,aAAa,EAClB,KAAK,kBAAkB,GACxB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAC7D,OAAO,EAAE,OAAO,EAAE,KAAK,gBAAgB,EAAE,KAAK,iBAAiB,EAAE,MAAM,cAAc,CAAC;AACtF,OAAO,EAAE,aAAa,EAAE,KAAK,cAAc,EAAE,yBAAyB,EAAE,MAAM,qBAAqB,CAAC;AACpG,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC3D,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,IAAI,EAAE,KAAK,cAAc,EAAE,MAAM,WAAW,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,kBAAkB,EAClB,KAAK,aAAa,EAClB,KAAK,kBAAkB,GACxB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAC7D,OAAO,EAAE,OAAO,EAAE,KAAK,gBAAgB,EAAE,KAAK,iBAAiB,EAAE,MAAM,cAAc,CAAC;AACtF,OAAO,EAAE,aAAa,EAAE,KAAK,cAAc,EAAE,yBAAyB,EAAE,MAAM,qBAAqB,CAAC;AACpG,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC3D,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,IAAI,EAAE,KAAK,cAAc,EAAE,MAAM,WAAW,CAAC;AACtD,OAAO,EACL,KAAK,gBAAgB,EACrB,gBAAgB,EAChB,cAAc,EACd,cAAc,EACd,QAAQ,EACR,KAAK,mBAAmB,GACzB,MAAM,wBAAwB,CAAC"}

package/dist/esm/index.js

@@ -5,4 +5,5 @@ export { taggedBuilder, TAG_OVERRIDE_WARNING_NAME } from "./tagged-builder.js";
 export { applyBuilderTags } from "./apply-builder-tags.js";
 export { validateTag } from "./tag-validator.js";
 export { tags } from "./tags.js";
+export { stringConstraint, validateString, sanitizeString, charSets, } from "./constraints/index.js";
 //# sourceMappingURL=index.js.map

package/dist/esm/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,kBAAkB,GAGnB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAC7D,OAAO,EAAE,OAAO,EAAiD,MAAM,cAAc,CAAC;AACtF,OAAO,EAAE,aAAa,EAAuB,yBAAyB,EAAE,MAAM,qBAAqB,CAAC;AACpG,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC3D,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,IAAI,EAAuB,MAAM,WAAW,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,kBAAkB,GAGnB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAC7D,OAAO,EAAE,OAAO,EAAiD,MAAM,cAAc,CAAC;AACtF,OAAO,EAAE,aAAa,EAAuB,yBAAyB,EAAE,MAAM,qBAAqB,CAAC;AACpG,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC3D,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,IAAI,EAAuB,MAAM,WAAW,CAAC;AACtD,OAAO,EAEL,gBAAgB,EAChB,cAAc,EACd,cAAc,EACd,QAAQ,GAET,MAAM,wBAAwB,CAAC"}

package/dist/esm/tag-validator.d.ts

@@ -4,14 +4,12 @@
  * Throws synchronously at the call site so authors see the failure where the
  * bad value was written, not at deploy time. Validates:
  *
- * - `key` is non-empty and at most {@link KEY_MAX} characters.
- * - `key` does not start with the reserved `aws:` prefix (case-insensitive).
- * - `value` is at most {@link VALUE_MAX} characters.
- * - both `key` and `value` use only the AWS-permitted character set.
+ * - `key` is non-empty and does not start with the reserved `aws:` prefix
+ *   (case-insensitive) — both tag-specific rules.
+ * - `key` and `value` length and character set, via the shared catalogue
+ *   mechanism. Empty values are permitted; empty keys are not.
  *
- * The regex matches Unicode letters, digits, and whitespace plus the
- * documented punctuation set, so non-ASCII tags are accepted as AWS
- * supports them.
+ * Non-ASCII letters, digits, and whitespace are accepted, matching AWS.
  */
 export declare function validateTag(key: string, value: string): void;
 /**

package/dist/esm/tag-validator.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"tag-validator.d.ts","sourceRoot":"","sources":["../../src/tag-validator.ts"],"names":[],"mappings":"AAkBA;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,WAAW,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,CA2B5D;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,IAAI,CAItE"}
+{"version":3,"file":"tag-validator.d.ts","sourceRoot":"","sources":["../../src/tag-validator.ts"],"names":[],"mappings":"AAyCA;;;;;;;;;;;;GAYG;AACH,wBAAgB,WAAW,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,CAW5D;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,IAAI,CAItE"}

package/dist/esm/tag-validator.js

@@ -1,55 +1,62 @@
+import { stringConstraint, validateString } from "./constraints/index.js";
 /**
  * AWS allows letters, digits, whitespace, and the symbols `_ . : / = + - @`
  * in tag keys and values, with non-ASCII letters/digits permitted via
- * Unicode classes. Empty values are permitted by AWS for `Value`, but
- * empty `Key` is not. The character set is validated against this regex.
+ * Unicode classes.
  *
- * `\p{Z}` matches the full Unicode separator class — slightly more
- * permissive than AWS's documented "white space," but errors on the side
- * of accepting input that the AWS API may yet reject at deploy time. The
- * extra rejections happen later but are reported in the API response.
- *
- * @see https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html
+ * `\p{Z}` matches the full Unicode separator class — slightly more permissive
+ * than AWS's documented "white space," but errs on the side of accepting input
+ * the AWS API may yet reject at deploy time, where the failure is reported in
+ * the API response.
+ */
+const TAG_CHARS = "\\p{L}\\p{Z}\\p{N}_.:/=+@\\-";
+const TAG_ALLOWED = "the AWS tag character set: letters, digits, whitespace, and _ . : / = + - @";
+const TAG_SOURCE = "https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html";
+/**
+ * Tags are cross-cutting — they apply to every resource — so unlike per-resource
+ * constraints they live alongside the catalogue mechanism rather than in a
+ * service package. Both entries are module-private and reached only through
+ * {@link validateTag}, which layers the tag-specific empty-key and reserved-
+ * prefix rules on top of {@link validateString}. See ADR-0010.
  */
-const TAG_CHAR_RE = /^[\p{L}\p{Z}\p{N}_.:/=+\-@]*$/u;
-const KEY_MAX = 128;
-const VALUE_MAX = 256;
+const TAG_KEY = stringConstraint({
+    name: "Tag key",
+    charClass: TAG_CHARS,
+    maxLength: 128,
+    allowed: TAG_ALLOWED,
+    source: TAG_SOURCE,
+    flags: "u",
+});
+const TAG_VALUE = stringConstraint({
+    name: "Tag value",
+    charClass: TAG_CHARS,
+    maxLength: 256,
+    allowed: TAG_ALLOWED,
+    source: TAG_SOURCE,
+    flags: "u",
+});
 /**
  * Validates a single tag key/value pair against AWS tag constraints.
  *
  * Throws synchronously at the call site so authors see the failure where the
  * bad value was written, not at deploy time. Validates:
  *
- * - `key` is non-empty and at most {@link KEY_MAX} characters.
- * - `key` does not start with the reserved `aws:` prefix (case-insensitive).
- * - `value` is at most {@link VALUE_MAX} characters.
- * - both `key` and `value` use only the AWS-permitted character set.
+ * - `key` is non-empty and does not start with the reserved `aws:` prefix
+ *   (case-insensitive) — both tag-specific rules.
+ * - `key` and `value` length and character set, via the shared catalogue
+ *   mechanism. Empty values are permitted; empty keys are not.
  *
- * The regex matches Unicode letters, digits, and whitespace plus the
- * documented punctuation set, so non-ASCII tags are accepted as AWS
- * supports them.
+ * Non-ASCII letters, digits, and whitespace are accepted, matching AWS.
  */
 export function validateTag(key, value) {
     if (key.length === 0) {
         throw new Error("Tag key must be non-empty.");
     }
-    if (key.length > KEY_MAX) {
-        throw new Error(`Tag key "${key}" exceeds ${String(KEY_MAX)}-character limit.`);
-    }
     if (key.toLowerCase().startsWith("aws:")) {
         throw new Error(`Tag key "${key}" uses reserved "aws:" prefix; AWS rejects user tags with this prefix.`);
     }
-    if (!TAG_CHAR_RE.test(key)) {
-        throw new Error(`Tag key "${key}" contains characters outside the AWS tag character set ` +
-            "(letters, digits, whitespace, and `_ . : / = + - @`).");
-    }
-    if (value.length > VALUE_MAX) {
-        throw new Error(`Tag value for key "${key}" exceeds ${String(VALUE_MAX)}-character limit.`);
-    }
-    if (!TAG_CHAR_RE.test(value)) {
-        throw new Error(`Tag value for key "${key}" contains characters outside the AWS tag character set ` +
-            "(letters, digits, whitespace, and `_ . : / = + - @`).");
-    }
+    validateString(key, TAG_KEY);
+    validateString(value, TAG_VALUE);
 }
 /**
  * Validates every entry of a record via {@link validateTag}, throwing on the

package/dist/esm/tag-validator.js.map

@@ -1 +1 @@
-{"version":3,"file":"tag-validator.js","sourceRoot":"","sources":["../../src/tag-validator.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AACH,MAAM,WAAW,GAAG,gCAAgC,CAAC;AAErD,MAAM,OAAO,GAAG,GAAG,CAAC;AACpB,MAAM,SAAS,GAAG,GAAG,CAAC;AAEtB;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,WAAW,CAAC,GAAW,EAAE,KAAa;IACpD,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;IAChD,CAAC;IACD,IAAI,GAAG,CAAC,MAAM,GAAG,OAAO,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CAAC,YAAY,GAAG,aAAa,MAAM,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAClF,CAAC;IACD,IAAI,GAAG,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;QACzC,MAAM,IAAI,KAAK,CACb,YAAY,GAAG,wEAAwE,CACxF,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CACb,YAAY,GAAG,0DAA0D;YACvE,uDAAuD,CAC1D,CAAC;IACJ,CAAC;IACD,IAAI,KAAK,CAAC,MAAM,GAAG,SAAS,EAAE,CAAC;QAC7B,MAAM,IAAI,KAAK,CAAC,sBAAsB,GAAG,aAAa,MAAM,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAC;IAC9F,CAAC;IACD,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QAC7B,MAAM,IAAI,KAAK,CACb,sBAAsB,GAAG,0DAA0D;YACjF,uDAAuD,CAC1D,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,iBAAiB,CAAC,MAA8B;IAC9D,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAClD,WAAW,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;IAC1B,CAAC;AACH,CAAC"}
+{"version":3,"file":"tag-validator.js","sourceRoot":"","sources":["../../src/tag-validator.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AAE1E;;;;;;;;;GASG;AACH,MAAM,SAAS,GAAG,8BAA8B,CAAC;AACjD,MAAM,WAAW,GAAG,6EAA6E,CAAC;AAClG,MAAM,UAAU,GAAG,gEAAgE,CAAC;AAEpF;;;;;;GAMG;AACH,MAAM,OAAO,GAAG,gBAAgB,CAAC;IAC/B,IAAI,EAAE,SAAS;IACf,SAAS,EAAE,SAAS;IACpB,SAAS,EAAE,GAAG;IACd,OAAO,EAAE,WAAW;IACpB,MAAM,EAAE,UAAU;IAClB,KAAK,EAAE,GAAG;CACX,CAAC,CAAC;AAEH,MAAM,SAAS,GAAG,gBAAgB,CAAC;IACjC,IAAI,EAAE,WAAW;IACjB,SAAS,EAAE,SAAS;IACpB,SAAS,EAAE,GAAG;IACd,OAAO,EAAE,WAAW;IACpB,MAAM,EAAE,UAAU;IAClB,KAAK,EAAE,GAAG;CACX,CAAC,CAAC;AAEH;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,WAAW,CAAC,GAAW,EAAE,KAAa;IACpD,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;IAChD,CAAC;IACD,IAAI,GAAG,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;QACzC,MAAM,IAAI,KAAK,CACb,YAAY,GAAG,wEAAwE,CACxF,CAAC;IACJ,CAAC;IACD,cAAc,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;IAC7B,cAAc,CAAC,KAAK,EAAE,SAAS,CAAC,CAAC;AACnC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,iBAAiB,CAAC,MAA8B;IAC9D,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAClD,WAAW,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;IAC1B,CAAC;AACH,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@composurecdk/cloudformation",
-  "version": "0.8.2",
+  "version": "0.8.4",
   "description": "Composable CloudFormation stack builder and stack assignment strategies",
   "repository": {
     "type": "git",
@@ -38,7 +38,7 @@
   },
   "peerDependencies": {
     "@composurecdk/core": "^0.8.0",
-    "aws-cdk-lib": "^2.0.0",
+    "aws-cdk-lib": "^2.1.0",
     "constructs": "^10.0.0"
   },
   "devDependencies": {