@factiii/stack 0.1.177 → 0.1.182

package/dist/plugins/addons/auth/index.js

@@ -142,13 +142,13 @@ class AuthAddon {
         }
     }
     static helpText = {
-        JWT_SECRET: `
-   JWT signing secret for @factiii/auth.
-
-   This is auto-generated (256-bit random) when you run:
-     npx stack fix --secrets
-
-   The secret is stored in Ansible Vault and used to sign
+        JWT_SECRET: `
+   JWT signing secret for @factiii/auth.
+
+   This is auto-generated (256-bit random) when you run:
+     npx stack fix --secrets
+
+   The secret is stored in Ansible Vault and used to sign
    authentication tokens (JWT) for your application.`,
     };
     // ============================================================

package/dist/plugins/addons/vercel/index.js

@@ -128,15 +128,15 @@ class VercelAddon {
         return false;
     }
     static helpText = {
-        VERCEL_TOKEN: `
-   Vercel API Token for deployments.
-
-   Get from: https://vercel.com/account/tokens
-
-   Create a new token with:
-   - Scope: Full Account (or specific team)
-   - Expiration: No Expiration (or custom)
-
+        VERCEL_TOKEN: `
+   Vercel API Token for deployments.
+
+   Get from: https://vercel.com/account/tokens
+
+   Create a new token with:
+   - Scope: Full Account (or specific team)
+   - Expiration: No Expiration (or custom)
+
    The token will be stored securely in Ansible Vault.`,
     };
     // ============================================================

package/dist/plugins/addons/vercel/scanfix/config.js

@@ -259,13 +259,13 @@ exports.fixes = [
                 return false;
             }
         },
-        manualFix: `
-Add Vercel to stack.yml:
-
-  vercel: {}
-
-Then run: npx stack fix
-(Auto-creates project, detects framework, and saves IDs via Vercel API)
+        manualFix: `
+Add Vercel to stack.yml:
+
+  vercel: {}
+
+Then run: npx stack fix
+(Auto-creates project, detects framework, and saves IDs via Vercel API)
     `,
     },
     {
@@ -335,9 +335,9 @@ Then run: npx stack fix
                 return false;
             }
         },
-        manualFix: `
-Run: npx stack fix
-(Auto-creates .vercel/project.json from Vercel API — no CLI needed)
+        manualFix: `
+Run: npx stack fix
+(Auto-creates .vercel/project.json from Vercel API — no CLI needed)
     `,
     },
     {

package/dist/plugins/addons/vercel/scanfix/token.js

@@ -107,12 +107,12 @@ exports.fixes = [
                 return false;
             }
         },
-        manualFix: `
-Store VERCEL_TOKEN in Ansible Vault manually:
-
-  npx stack deploy --secrets set VERCEL_TOKEN
-
-Or get token from: https://vercel.com/account/tokens
+        manualFix: `
+Store VERCEL_TOKEN in Ansible Vault manually:
+
+  npx stack deploy --secrets set VERCEL_TOKEN
+
+Or get token from: https://vercel.com/account/tokens
     `,
     },
     {
@@ -128,15 +128,15 @@ Or get token from: https://vercel.com/account/tokens
             return !process.env.VERCEL_TOKEN;
         },
         fix: null,
-        manualFix: `
-VERCEL_TOKEN is not required in your environment during development.
-It will be automatically read from Ansible Vault during deployment.
-
-If you want to set it in your shell for testing:
-  export VERCEL_TOKEN="your-token-here"
-
-Or add to your shell profile (~/.bashrc, ~/.zshrc):
-  export VERCEL_TOKEN="$(npx stack deploy --secrets get VERCEL_TOKEN)"
+        manualFix: `
+VERCEL_TOKEN is not required in your environment during development.
+It will be automatically read from Ansible Vault during deployment.
+
+If you want to set it in your shell for testing:
+  export VERCEL_TOKEN="your-token-here"
+
+Or add to your shell profile (~/.bashrc, ~/.zshrc):
+  export VERCEL_TOKEN="$(npx stack deploy --secrets get VERCEL_TOKEN)"
     `,
     },
 ];

package/dist/plugins/approved.json

@@ -1,13 +1,13 @@
-{
-  "version": 1,
-  "description": "List of approved/validated external plugins for Factiii Stack",
-  "approved": [
-    "@factiii/stack-plugin-expo",
-    "@factiii/stack-plugin-prisma-trpc",
-    "@factiii/stack-plugin-nextjs"
-  ],
-  "lastUpdated": "2024-12-16"
-}
-
-
-
+{
+  "version": 1,
+  "description": "List of approved/validated external plugins for Factiii Stack",
+  "approved": [
+    "@factiii/stack-plugin-expo",
+    "@factiii/stack-plugin-prisma-trpc",
+    "@factiii/stack-plugin-nextjs"
+  ],
+  "lastUpdated": "2024-12-16"
+}
+
+
+

package/dist/plugins/pipelines/aws/index.js

@@ -166,17 +166,17 @@ class AWSPipeline {
         'free-tier': free_tier_js_1.default,
     };
     static helpText = {
-        SSH: `
-   SSH private key for accessing the EC2 instance.
-
-   Option A: Auto-generate via AWS (recommended)
-   - Factiii will create an EC2 Key Pair via AWS API
-
-   Option B: Use existing key
+        SSH: `
+   SSH private key for accessing the EC2 instance.
+
+   Option A: Auto-generate via AWS (recommended)
+   - Factiii will create an EC2 Key Pair via AWS API
+
+   Option B: Use existing key
    ssh-keygen -t ed25519 -C "deploy-key" -f ~/.ssh/deploy_key`,
-        AWS_SECRET_ACCESS_KEY: `
-   AWS Secret Access Key
-
+        AWS_SECRET_ACCESS_KEY: `
+   AWS Secret Access Key
+
    Get from AWS Console: IAM -> Users -> Security credentials`,
     };
     // ============================================================
@@ -498,8 +498,8 @@ class AWSPipeline {
             }
             try {
                 const repoName = config.name ?? 'app';
-                await AWSPipeline.sshExec(envConfig, `
-          cd ~/.factiii && docker compose stop ${repoName}-prod
+                await AWSPipeline.sshExec(envConfig, `
+          cd ~/.factiii && docker compose stop ${repoName}-prod
         `);
                 return { success: true, message: 'Production containers stopped' };
             }

package/dist/plugins/pipelines/aws/policies/bootstrap-policy.json

@@ -1,135 +1,135 @@
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Sid": "FactiiiEC2Full",
-      "Effect": "Allow",
-      "Action": [
-        "ec2:CreateVpc",
-        "ec2:DeleteVpc",
-        "ec2:DescribeVpcs",
-        "ec2:ModifyVpcAttribute",
-        "ec2:CreateSubnet",
-        "ec2:DeleteSubnet",
-        "ec2:DescribeSubnets",
-        "ec2:ModifySubnetAttribute",
-        "ec2:CreateInternetGateway",
-        "ec2:DeleteInternetGateway",
-        "ec2:AttachInternetGateway",
-        "ec2:DetachInternetGateway",
-        "ec2:DescribeInternetGateways",
-        "ec2:CreateRouteTable",
-        "ec2:DeleteRouteTable",
-        "ec2:CreateRoute",
-        "ec2:AssociateRouteTable",
-        "ec2:DescribeRouteTables",
-        "ec2:CreateSecurityGroup",
-        "ec2:DeleteSecurityGroup",
-        "ec2:AuthorizeSecurityGroupIngress",
-        "ec2:RevokeSecurityGroupIngress",
-        "ec2:DescribeSecurityGroups",
-        "ec2:CreateKeyPair",
-        "ec2:DeleteKeyPair",
-        "ec2:DescribeKeyPairs",
-        "ec2:RunInstances",
-        "ec2:TerminateInstances",
-        "ec2:DescribeInstances",
-        "ec2:AllocateAddress",
-        "ec2:ReleaseAddress",
-        "ec2:AssociateAddress",
-        "ec2:DescribeAddresses",
-        "ec2:DescribeAvailabilityZones",
-        "ec2:DescribeImages",
-        "ec2:CreateTags"
-      ],
-      "Resource": "*"
-    },
-    {
-      "Sid": "FactiiiRDSFull",
-      "Effect": "Allow",
-      "Action": [
-        "rds:CreateDBInstance",
-        "rds:DeleteDBInstance",
-        "rds:DescribeDBInstances",
-        "rds:CreateDBSubnetGroup",
-        "rds:DeleteDBSubnetGroup",
-        "rds:DescribeDBSubnetGroups",
-        "rds:AddTagsToResource",
-        "rds:ListTagsForResource"
-      ],
-      "Resource": "*"
-    },
-    {
-      "Sid": "FactiiiS3Full",
-      "Effect": "Allow",
-      "Action": [
-        "s3:CreateBucket",
-        "s3:DeleteBucket",
-        "s3:ListBucket",
-        "s3:PutBucketEncryption",
-        "s3:PutBucketPublicAccessBlock",
-        "s3:PutBucketCORS",
-        "s3:GetBucketEncryption",
-        "s3:GetBucketPublicAccessBlock",
-        "s3:GetBucketCORS",
-        "s3:PutObject",
-        "s3:GetObject",
-        "s3:ListAllMyBuckets"
-      ],
-      "Resource": "*"
-    },
-    {
-      "Sid": "FactiiiECRFull",
-      "Effect": "Allow",
-      "Action": [
-        "ecr:CreateRepository",
-        "ecr:DeleteRepository",
-        "ecr:DescribeRepositories",
-        "ecr:GetAuthorizationToken",
-        "ecr:PutLifecyclePolicy",
-        "ecr:BatchGetImage",
-        "ecr:BatchCheckLayerAvailability",
-        "ecr:PutImage",
-        "ecr:InitiateLayerUpload",
-        "ecr:UploadLayerPart",
-        "ecr:CompleteLayerUpload"
-      ],
-      "Resource": "*"
-    },
-    {
-      "Sid": "FactiiiSES",
-      "Effect": "Allow",
-      "Action": [
-        "ses:VerifyDomainIdentity",
-        "ses:VerifyDomainDkim",
-        "ses:GetAccountSendingEnabled",
-        "ses:GetIdentityVerificationAttributes",
-        "ses:GetIdentityDkimAttributes"
-      ],
-      "Resource": "*"
-    },
-    {
-      "Sid": "FactiiiIAMLimited",
-      "Effect": "Allow",
-      "Action": [
-        "iam:CreateUser",
-        "iam:DeleteUser",
-        "iam:GetUser",
-        "iam:PutUserPolicy",
-        "iam:DeleteUserPolicy",
-        "iam:CreateAccessKey",
-        "iam:ListAccessKeys",
-        "iam:ListUsers"
-      ],
-      "Resource": "*"
-    },
-    {
-      "Sid": "FactiiiSTS",
-      "Effect": "Allow",
-      "Action": [
-        "sts:GetCallerIdentity"
-      ],
-      "Resource": "*"
-    }
-  ]
-}
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "FactiiiEC2Full",
+      "Effect": "Allow",
+      "Action": [
+        "ec2:CreateVpc",
+        "ec2:DeleteVpc",
+        "ec2:DescribeVpcs",
+        "ec2:ModifyVpcAttribute",
+        "ec2:CreateSubnet",
+        "ec2:DeleteSubnet",
+        "ec2:DescribeSubnets",
+        "ec2:ModifySubnetAttribute",
+        "ec2:CreateInternetGateway",
+        "ec2:DeleteInternetGateway",
+        "ec2:AttachInternetGateway",
+        "ec2:DetachInternetGateway",
+        "ec2:DescribeInternetGateways",
+        "ec2:CreateRouteTable",
+        "ec2:DeleteRouteTable",
+        "ec2:CreateRoute",
+        "ec2:AssociateRouteTable",
+        "ec2:DescribeRouteTables",
+        "ec2:CreateSecurityGroup",
+        "ec2:DeleteSecurityGroup",
+        "ec2:AuthorizeSecurityGroupIngress",
+        "ec2:RevokeSecurityGroupIngress",
+        "ec2:DescribeSecurityGroups",
+        "ec2:CreateKeyPair",
+        "ec2:DeleteKeyPair",
+        "ec2:DescribeKeyPairs",
+        "ec2:RunInstances",
+        "ec2:TerminateInstances",
+        "ec2:DescribeInstances",
+        "ec2:AllocateAddress",
+        "ec2:ReleaseAddress",
+        "ec2:AssociateAddress",
+        "ec2:DescribeAddresses",
+        "ec2:DescribeAvailabilityZones",
+        "ec2:DescribeImages",
+        "ec2:CreateTags"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Sid": "FactiiiRDSFull",
+      "Effect": "Allow",
+      "Action": [
+        "rds:CreateDBInstance",
+        "rds:DeleteDBInstance",
+        "rds:DescribeDBInstances",
+        "rds:CreateDBSubnetGroup",
+        "rds:DeleteDBSubnetGroup",
+        "rds:DescribeDBSubnetGroups",
+        "rds:AddTagsToResource",
+        "rds:ListTagsForResource"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Sid": "FactiiiS3Full",
+      "Effect": "Allow",
+      "Action": [
+        "s3:CreateBucket",
+        "s3:DeleteBucket",
+        "s3:ListBucket",
+        "s3:PutBucketEncryption",
+        "s3:PutBucketPublicAccessBlock",
+        "s3:PutBucketCORS",
+        "s3:GetBucketEncryption",
+        "s3:GetBucketPublicAccessBlock",
+        "s3:GetBucketCORS",
+        "s3:PutObject",
+        "s3:GetObject",
+        "s3:ListAllMyBuckets"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Sid": "FactiiiECRFull",
+      "Effect": "Allow",
+      "Action": [
+        "ecr:CreateRepository",
+        "ecr:DeleteRepository",
+        "ecr:DescribeRepositories",
+        "ecr:GetAuthorizationToken",
+        "ecr:PutLifecyclePolicy",
+        "ecr:BatchGetImage",
+        "ecr:BatchCheckLayerAvailability",
+        "ecr:PutImage",
+        "ecr:InitiateLayerUpload",
+        "ecr:UploadLayerPart",
+        "ecr:CompleteLayerUpload"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Sid": "FactiiiSES",
+      "Effect": "Allow",
+      "Action": [
+        "ses:VerifyDomainIdentity",
+        "ses:VerifyDomainDkim",
+        "ses:GetAccountSendingEnabled",
+        "ses:GetIdentityVerificationAttributes",
+        "ses:GetIdentityDkimAttributes"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Sid": "FactiiiIAMLimited",
+      "Effect": "Allow",
+      "Action": [
+        "iam:CreateUser",
+        "iam:DeleteUser",
+        "iam:GetUser",
+        "iam:PutUserPolicy",
+        "iam:DeleteUserPolicy",
+        "iam:CreateAccessKey",
+        "iam:ListAccessKeys",
+        "iam:ListUsers"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Sid": "FactiiiSTS",
+      "Effect": "Allow",
+      "Action": [
+        "sts:GetCallerIdentity"
+      ],
+      "Resource": "*"
+    }
+  ]
+}

package/dist/plugins/pipelines/aws/prod.js

@@ -154,7 +154,7 @@ async function writeEnvFile(envConfig, repoDir, environment, envVarsString) {
     else {
         // We're remote - SSH to write
         console.log(`   📝 Writing ${envFileName} on remote server (${envVars.length} variables)...`);
-        await sshExecCommand(envConfig, `cat > ${repoDir}/${envFileName} << 'ENVEOF'
+        await sshExecCommand(envConfig, `cat > ${repoDir}/${envFileName} << 'ENVEOF'
 ${envFileContent}ENVEOF`);
     }
 }

package/dist/plugins/pipelines/aws/scanfix/iam.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"iam.d.ts","sourceRoot":"","sources":["../../../../../src/plugins/pipelines/aws/scanfix/iam.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAiB,GAAG,EAAE,MAAM,4BAA4B,CAAC;AA4PrE,eAAO,MAAM,QAAQ,EAAE,GAAG,EA2MzB,CAAC"}
+{"version":3,"file":"iam.d.ts","sourceRoot":"","sources":["../../../../../src/plugins/pipelines/aws/scanfix/iam.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAiB,GAAG,EAAE,MAAM,4BAA4B,CAAC;AAuQrE,eAAO,MAAM,QAAQ,EAAE,GAAG,EA2MzB,CAAC"}

package/dist/plugins/pipelines/aws/scanfix/iam.js

@@ -181,15 +181,26 @@ function getProdPolicy(projectName, region, accountId) {
 async function ensureIamAccess(config, region) {
     if (await (0, aws_helpers_js_1.canManageIam)(region))
         return true;
-    const callerArn = await (0, aws_helpers_js_1.getCallerArn)(region);
     const { confirm } = await Promise.resolve().then(() => __importStar(require('../../../../utils/secret-prompts.js')));
+    const configKeyId = (0, aws_helpers_js_1.getAwsConfig)(config).accessKeyId;
+    const identity = await (0, aws_helpers_js_1.getCallerArn)(region);
+    // Determine if we can't connect at all vs connected but lacking permissions
+    const canConnect = !!identity;
     console.log('');
     console.log('   ============================================================');
-    console.log('   AWS CREDENTIALS CANNOT CREATE IAM USERS');
-    console.log('   ============================================================');
-    console.log('   Logged in as: ' + (callerArn ?? 'unknown'));
-    console.log('   This account does not have permission to create IAM users.');
-    console.log('   You need admin credentials to continue.');
+    if (canConnect) {
+        console.log('   ACCESS KEY ' + (configKeyId ?? 'unknown') + ' DOES NOT HAVE IAM PERMISSIONS');
+        console.log('   ============================================================');
+        console.log('   Logged in as: ' + identity);
+        console.log('   This IAM user does not have permission to create IAM users.');
+        console.log('   The access_key_id in stack.yml needs to belong to an admin user.');
+    }
+    else {
+        console.log('   CANNOT CONNECT TO AWS WITH ACCESS KEY ' + (configKeyId ?? 'unknown'));
+        console.log('   ============================================================');
+        console.log('   The access_key_id in stack.yml could not authenticate.');
+        console.log('   Check that this key exists and has not been deactivated in AWS.');
+    }
     console.log('   ============================================================');
     console.log('');
     // Check if vault has credentials we can swap to
@@ -210,7 +221,7 @@ async function ensureIamAccess(config, region) {
         }
     }
     if (vaultHasCreds) {
-        const swap = await confirm('   Load admin credentials from Ansible Vault?', true);
+        const swap = await confirm('   Load credentials from Ansible Vault instead?', true);
         if (swap) {
             try {
                 const { AnsibleVaultSecrets } = await Promise.resolve().then(() => __importStar(require('../../../../utils/ansible-vault-secrets.js')));
@@ -218,13 +229,13 @@ async function ensureIamAccess(config, region) {
                     vault_path: config.ansible.vault_path,
                     vault_password_file: config.ansible.vault_password_file,
                 });
-                const accessKeyId = await vault.getSecret('AWS_ACCESS_KEY_ID');
+                const vaultKeyId = await vault.getSecret('AWS_ACCESS_KEY_ID');
                 const secretKey = await vault.getSecret('AWS_SECRET_ACCESS_KEY');
-                if (!accessKeyId || !secretKey) {
+                if (!vaultKeyId || !secretKey) {
                     console.log('   Failed to read credentials from vault.');
                     return false;
                 }
-                (0, aws_helpers_js_1.writeAwsCredentials)(accessKeyId, secretKey, region);
+                (0, aws_helpers_js_1.writeAwsCredentials)(vaultKeyId, secretKey, region);
                 (0, aws_helpers_js_1.clearClientCache)(); // Pick up new credentials
                 const newArn = await (0, aws_helpers_js_1.getCallerArn)(region);
                 console.log('   [OK] Switched to: ' + (newArn ?? 'unknown'));
@@ -233,9 +244,9 @@ async function ensureIamAccess(config, region) {
                     return true;
                 }
                 console.log('');
-                console.log('   Still no IAM permission. The vault credentials need admin access.');
+                console.log('   Vault credentials (' + vaultKeyId + ') also lack IAM permissions.');
                 console.log('');
-                console.log('   To fix, update the vault credentials:');
+                console.log('   To fix, store admin credentials in the vault:');
                 console.log('     npx stack deploy --secrets set AWS_ACCESS_KEY_ID');
                 console.log('     npx stack deploy --secrets set AWS_SECRET_ACCESS_KEY');
                 console.log('   Then run: npx stack fix');
@@ -270,37 +281,37 @@ async function ensureIamAccess(config, region) {
 }
 exports.iamFixes = [
     {
-        id: 'aws-iam-dev-user-missing',
+        id: 'aws-iam-admin-user-missing',
         stage: 'secrets',
         severity: 'warning',
-        description: '👤 IAM dev user not created (read-only access for dev workflows)',
+        description: '👤 IAM admin user not created (recess for dev workflows)',
         scan: async (config) => {
             if (!(0, aws_helpers_js_1.isAwsConfigured)(config))
                 return false;
             const { region } = (0, aws_helpers_js_1.getAwsConfig)(config);
             const projectName = (0, aws_helpers_js_1.getProjectName)(config);
-            return !(await (0, aws_helpers_js_1.findIamUser)('factiii-' + projectName + '-dev', region));
+            return !(await (0, aws_helpers_js_1.findIamUser)('factiii-' + projectName + '-admin', region));
         },
         fix: async (config) => {
             const { region } = (0, aws_helpers_js_1.getAwsConfig)(config);
             const projectName = (0, aws_helpers_js_1.getProjectName)(config);
-            const userName = 'factiii-' + projectName + '-dev';
+            const userName = 'factiii-' + projectName + '-admin';
             if (!(await ensureIamAccess(config, region)))
                 return false;
             console.log('');
             console.log('   ============================================================');
-            console.log('   CREATE IAM DEV USER');
+            console.log('   CREATE IAM ADMIN USER');
             console.log('   ============================================================');
-            console.log('   Will create IAM user "' + userName + '" with read-only policy:');
+            console.log('   Will create IAM user "' + userName + '" with admin policy:');
             console.log('   - ECR: pull images, list repositories');
             console.log('   - S3: read objects from project bucket');
             console.log('   - EC2/RDS: describe (view) resources');
             console.log('');
-            console.log('   This user is for local development and CI read-only access.');
+            console.log('   This user is for local development and CI access.');
             console.log('   ============================================================');
             console.log('');
             const { confirm } = await Promise.resolve().then(() => __importStar(require('../../../../utils/secret-prompts.js')));
-            const proceed = await confirm('   Create IAM dev user "' + userName + '"?', true);
+            const proceed = await confirm('   Create IAM admin user "' + userName + '"?', true);
             if (!proceed) {
                 console.log('   [--] Skipped — you can create it later with: npx stack fix --secrets');
                 return true;
@@ -320,16 +331,16 @@ exports.iamFixes = [
                 const policy = getDevPolicy(projectName, region, accountId);
                 await iam.send(new aws_helpers_js_1.PutUserPolicyCommand({
                     UserName: userName,
-                    PolicyName: 'factiii-' + projectName + '-dev-policy',
+                    PolicyName: 'factiii-' + projectName + '-admin-policy',
                     PolicyDocument: policy,
                 }));
-                console.log('   Attached dev policy (read-only ECR, S3, EC2, RDS)');
+                console.log('   Attached admin policy (ECR, S3, EC2, RDS)');
                 // Create access key
                 const keyResult = await iam.send(new aws_helpers_js_1.CreateAccessKeyCommand({ UserName: userName }));
                 const accessKeyId = keyResult.AccessKey?.AccessKeyId;
                 const secretKey = keyResult.AccessKey?.SecretAccessKey;
                 console.log('');
-                console.log('   Dev credentials (save these!):');
+                console.log('   Admin credentials (save these!):');
                 console.log('   Access Key ID: ' + accessKeyId);
                 console.log('   Secret Access Key: ' + secretKey);
                 console.log('');
@@ -337,26 +348,26 @@ exports.iamFixes = [
                 return true;
             }
             catch (e) {
-                console.log('   Failed to create dev IAM user: ' + (e instanceof Error ? e.message : String(e)));
+                console.log('   Failed to create admin IAM user: ' + (e instanceof Error ? e.message : String(e)));
                 return false;
             }
         },
         manualFix: [
             '============================================================',
-            'IAM DEV USER SETUP',
+            'IAM ADMIN USER SETUP',
             '============================================================',
             '',
-            '  This creates a read-only IAM user for local dev and CI.',
+            '  This creates an admin IAM user for local dev and CI.',
             '  Permissions: ECR pull, S3 read, EC2/RDS describe.',
             '',
             '  Auto-fix:  npx stack fix --secrets  (creates user + policy + access key)',
             '',
             '  Or manually in AWS Console:',
             '  1. Go to IAM > Users > Create user',
-            '  2. Name: factiii-{project}-dev',
-            '  3. Attach inline policy with read-only ECR, S3, EC2, RDS access',
+            '  2. Name: factiii-{project}-admin',
+            '  3. Attach inline policy with ECR, S3, EC2, RDS access',
             '  4. Create access key: User > Security credentials > Create access key > CLI',
-            '  5. Store secret in vault: npx stack deploy --secrets set AWS_DEV_SECRET_ACCESS_KEY',
+            '  5. Store secret in vault: npx stack deploy --secrets set AWS_SECRET_ACCESS_KEY',
             '',
             '============================================================',
         ].join('\n'),