@factiii/stack 0.1.2 → 0.1.8

package/dist/plugins/pipelines/aws/scanfix/s3.js

@@ -0,0 +1,134 @@
+"use strict";
+/**
+ * AWS S3 Fixes
+ *
+ * Provisions S3 bucket with encryption and blocked public access.
+ * Configures CORS for the production domain.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.s3Fixes = void 0;
+const aws_helpers_js_1 = require("../utils/aws-helpers.js");
+/**
+ * Check if S3 bucket exists
+ */
+function findBucket(bucketName, region) {
+    const result = (0, aws_helpers_js_1.awsExecSafe)('aws s3api head-bucket --bucket ' + bucketName, region);
+    // head-bucket returns empty on success, throws on failure
+    return result !== null;
+}
+/**
+ * Check if CORS is configured on bucket
+ */
+function hasCors(bucketName, region) {
+    const result = (0, aws_helpers_js_1.awsExecSafe)('aws s3api get-bucket-cors --bucket ' + bucketName, region);
+    return !!result && result !== 'null';
+}
+/**
+ * Check if AWS is configured for this project
+ */
+function isAwsConfigured(config) {
+    if (config.aws)
+        return true;
+    // eslint-disable-next-line @typescript-eslint/no-require-imports
+    const { extractEnvironments } = require('../../../../utils/config-helpers.js');
+    const environments = extractEnvironments(config);
+    return Object.values(environments).some((e) => e.pipeline === 'aws');
+}
+exports.s3Fixes = [
+    {
+        id: 'aws-s3-bucket-missing',
+        stage: 'prod',
+        severity: 'warning',
+        description: 'S3 bucket not created for file storage',
+        scan: async (config) => {
+            if (!isAwsConfigured(config))
+                return false;
+            const { region } = (0, aws_helpers_js_1.getAwsConfig)(config);
+            const projectName = (0, aws_helpers_js_1.getProjectName)(config);
+            const bucketName = 'factiii-' + projectName;
+            return !findBucket(bucketName, region);
+        },
+        fix: async (config) => {
+            const { region } = (0, aws_helpers_js_1.getAwsConfig)(config);
+            const projectName = (0, aws_helpers_js_1.getProjectName)(config);
+            const bucketName = 'factiii-' + projectName;
+            try {
+                // Create bucket (us-east-1 doesn't need LocationConstraint)
+                if (region === 'us-east-1') {
+                    (0, aws_helpers_js_1.awsExec)('aws s3api create-bucket --bucket ' + bucketName, region);
+                }
+                else {
+                    (0, aws_helpers_js_1.awsExec)('aws s3api create-bucket --bucket ' + bucketName +
+                        ' --create-bucket-configuration LocationConstraint=' + region, region);
+                }
+                console.log('   Created S3 bucket: ' + bucketName);
+                // Block all public access
+                (0, aws_helpers_js_1.awsExec)('aws s3api put-public-access-block --bucket ' + bucketName +
+                    ' --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true', region);
+                console.log('   Blocked all public access');
+                // Enable server-side encryption (AES-256)
+                (0, aws_helpers_js_1.awsExec)('aws s3api put-bucket-encryption --bucket ' + bucketName +
+                    ' --server-side-encryption-configuration ' +
+                    '"{\\\"Rules\\\":[{\\\"ApplyServerSideEncryptionByDefault\\\":{\\\"SSEAlgorithm\\\":\\\"AES256\\\"}}]}"', region);
+                console.log('   Enabled AES-256 encryption');
+                return true;
+            }
+            catch (e) {
+                console.log('   Failed to create S3 bucket: ' + (e instanceof Error ? e.message : String(e)));
+                return false;
+            }
+        },
+        manualFix: 'Create S3 bucket with encryption and blocked public access',
+    },
+    {
+        id: 'aws-s3-cors-missing',
+        stage: 'prod',
+        severity: 'info',
+        description: 'S3 bucket CORS not configured for production domain',
+        scan: async (config) => {
+            if (!isAwsConfigured(config))
+                return false;
+            const { region } = (0, aws_helpers_js_1.getAwsConfig)(config);
+            const projectName = (0, aws_helpers_js_1.getProjectName)(config);
+            const bucketName = 'factiii-' + projectName;
+            if (!findBucket(bucketName, region))
+                return false;
+            return !hasCors(bucketName, region);
+        },
+        fix: async (config) => {
+            const { region } = (0, aws_helpers_js_1.getAwsConfig)(config);
+            const projectName = (0, aws_helpers_js_1.getProjectName)(config);
+            const bucketName = 'factiii-' + projectName;
+            // Get production domain for CORS
+            // eslint-disable-next-line @typescript-eslint/no-require-imports
+            const { extractEnvironments } = require('../../../../utils/config-helpers.js');
+            const environments = extractEnvironments(config);
+            const prodEnv = environments.prod ?? environments.production;
+            const domain = prodEnv?.domain;
+            if (!domain || domain.startsWith('EXAMPLE-')) {
+                console.log('   Set production domain in factiii.yml first');
+                return false;
+            }
+            try {
+                const corsConfig = JSON.stringify({
+                    CORSRules: [{
+                            AllowedHeaders: ['*'],
+                            AllowedMethods: ['GET', 'PUT', 'POST', 'DELETE'],
+                            AllowedOrigins: ['https://' + domain],
+                            MaxAgeSeconds: 3600,
+                        }],
+                });
+                (0, aws_helpers_js_1.awsExec)('aws s3api put-bucket-cors --bucket ' + bucketName +
+                    " --cors-configuration '" + corsConfig + "'", region);
+                console.log('   Configured CORS for https://' + domain);
+                return true;
+            }
+            catch (e) {
+                console.log('   Failed to configure CORS: ' + (e instanceof Error ? e.message : String(e)));
+                return false;
+            }
+        },
+        manualFix: 'Configure S3 CORS to allow requests from your production domain',
+    },
+];
+//# sourceMappingURL=s3.js.map

package/dist/plugins/pipelines/aws/scanfix/s3.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"s3.js","sourceRoot":"","sources":["../../../../../src/plugins/pipelines/aws/scanfix/s3.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;AAGH,4DAA6F;AAE7F;;GAEG;AACH,SAAS,UAAU,CAAC,UAAkB,EAAE,MAAc;IACpD,MAAM,MAAM,GAAG,IAAA,4BAAW,EACxB,iCAAiC,GAAG,UAAU,EAC9C,MAAM,CACP,CAAC;IACF,0DAA0D;IAC1D,OAAO,MAAM,KAAK,IAAI,CAAC;AACzB,CAAC;AAED;;GAEG;AACH,SAAS,OAAO,CAAC,UAAkB,EAAE,MAAc;IACjD,MAAM,MAAM,GAAG,IAAA,4BAAW,EACxB,qCAAqC,GAAG,UAAU,EAClD,MAAM,CACP,CAAC;IACF,OAAO,CAAC,CAAC,MAAM,IAAI,MAAM,KAAK,MAAM,CAAC;AACvC,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,MAAqB;IAC5C,IAAI,MAAM,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IAC5B,iEAAiE;IACjE,MAAM,EAAE,mBAAmB,EAAE,GAAG,OAAO,CAAC,qCAAqC,CAAC,CAAC;IAC/E,MAAM,YAAY,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;IACjD,OAAO,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,IAAI,CACrC,CAAC,CAAU,EAAE,EAAE,CAAE,CAA2B,CAAC,QAAQ,KAAK,KAAK,CAChE,CAAC;AACJ,CAAC;AAEY,QAAA,OAAO,GAAU;IAC5B;QACE,EAAE,EAAE,uBAAuB;QAC3B,KAAK,EAAE,MAAM;QACb,QAAQ,EAAE,SAAS;QACnB,WAAW,EAAE,wCAAwC;QACrD,IAAI,EAAE,KAAK,EAAE,MAAqB,EAAoB,EAAE;YACtD,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC;gBAAE,OAAO,KAAK,CAAC;YAC3C,MAAM,EAAE,MAAM,EAAE,GAAG,IAAA,6BAAY,EAAC,MAAM,CAAC,CAAC;YACxC,MAAM,WAAW,GAAG,IAAA,+BAAc,EAAC,MAAM,CAAC,CAAC;YAC3C,MAAM,UAAU,GAAG,UAAU,GAAG,WAAW,CAAC;YAC5C,OAAO,CAAC,UAAU,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;QACzC,CAAC;QACD,GAAG,EAAE,KAAK,EAAE,MAAqB,EAAoB,EAAE;YACrD,MAAM,EAAE,MAAM,EAAE,GAAG,IAAA,6BAAY,EAAC,MAAM,CAAC,CAAC;YACxC,MAAM,WAAW,GAAG,IAAA,+BAAc,EAAC,MAAM,CAAC,CAAC;YAC3C,MAAM,UAAU,GAAG,UAAU,GAAG,WAAW,CAAC;YAE5C,IAAI,CAAC;gBACH,4DAA4D;gBAC5D,IAAI,MAAM,KAAK,WAAW,EAAE,CAAC;oBAC3B,IAAA,wBAAO,EACL,mCAAmC,GAAG,UAAU,EAChD,MAAM,CACP,CAAC;gBACJ,CAAC;qBAAM,CAAC;oBACN,IAAA,wBAAO,EACL,mCAAmC,GAAG,UAAU;wBAChD,oDAAoD,GAAG,MAAM,EAC7D,MAAM,CACP,CAAC;gBACJ,CAAC;gBACD,OAAO,CAAC,GAAG,CAAC,wBAAwB,GAAG,UAAU,CAAC,CAAC;gBAEnD,0BAA0B;gBAC1B,IAAA,wBAAO,EACL,6CAA6C,GAAG,UAAU;oBAC1D,mIAAmI,EACnI,MAAM,CACP,CAAC;gBACF,OAAO,CAAC,GAAG,CAAC,8BAA8B,CAAC,CAAC;gBAE5C,0CAA0C;gBAC1C,IAAA,wBAAO,EACL,2CAA2C,GAAG,UAAU;oBACxD,0CAA0C;oBAC1C,wGAAwG,EACxG,MAAM,CACP,CAAC;gBACF,OAAO,CAAC,GAAG,CAAC,+BAA+B,CAAC,CAAC;gBAE7C,OAAO,IAAI,CAAC;YACd,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,OAAO,CAAC,GAAG,CAAC,iCAAiC,GAAG,CAAC,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBAC9F,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QACD,SAAS,EAAE,4DAA4D;KACxE;IACD;QACE,EAAE,EAAE,qBAAqB;QACzB,KAAK,EAAE,MAAM;QACb,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,qDAAqD;QAClE,IAAI,EAAE,KAAK,EAAE,MAAqB,EAAoB,EAAE;YACtD,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC;gBAAE,OAAO,KAAK,CAAC;YAC3C,MAAM,EAAE,MAAM,EAAE,GAAG,IAAA,6BAAY,EAAC,MAAM,CAAC,CAAC;YACxC,MAAM,WAAW,GAAG,IAAA,+BAAc,EAAC,MAAM,CAAC,CAAC;YAC3C,MAAM,UAAU,GAAG,UAAU,GAAG,WAAW,CAAC;YAC5C,IAAI,CAAC,UAAU,CAAC,UAAU,EAAE,MAAM,CAAC;gBAAE,OAAO,KAAK,CAAC;YAClD,OAAO,CAAC,OAAO,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;QACtC,CAAC;QACD,GAAG,EAAE,KAAK,EAAE,MAAqB,EAAoB,EAAE;YACrD,MAAM,EAAE,MAAM,EAAE,GAAG,IAAA,6BAAY,EAAC,MAAM,CAAC,CAAC;YACxC,MAAM,WAAW,GAAG,IAAA,+BAAc,EAAC,MAAM,CAAC,CAAC;YAC3C,MAAM,UAAU,GAAG,UAAU,GAAG,WAAW,CAAC;YAE5C,iCAAiC;YACjC,iEAAiE;YACjE,MAAM,EAAE,mBAAmB,EAAE,GAAG,OAAO,CAAC,qCAAqC,CAAC,CAAC;YAC/E,MAAM,YAAY,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;YACjD,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,IAAI,YAAY,CAAC,UAAU,CAAC;YAC7D,MAAM,MAAM,GAAG,OAAO,EAAE,MAAM,CAAC;YAE/B,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;gBAC7C,OAAO,CAAC,GAAG,CAAC,+CAA+C,CAAC,CAAC;gBAC7D,OAAO,KAAK,CAAC;YACf,CAAC;YAED,IAAI,CAAC;gBACH,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC;oBAChC,SAAS,EAAE,CAAC;4BACV,cAAc,EAAE,CAAC,GAAG,CAAC;4BACrB,cAAc,EAAE,CAAC,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,QAAQ,CAAC;4BAChD,cAAc,EAAE,CAAC,UAAU,GAAG,MAAM,CAAC;4BACrC,aAAa,EAAE,IAAI;yBACpB,CAAC;iBACH,CAAC,CAAC;gBAEH,IAAA,wBAAO,EACL,qCAAqC,GAAG,UAAU;oBAClD,yBAAyB,GAAG,UAAU,GAAG,GAAG,EAC5C,MAAM,CACP,CAAC;gBACF,OAAO,CAAC,GAAG,CAAC,iCAAiC,GAAG,MAAM,CAAC,CAAC;gBACxD,OAAO,IAAI,CAAC;YACd,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,OAAO,CAAC,GAAG,CAAC,+BAA+B,GAAG,CAAC,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBAC5F,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QACD,SAAS,EAAE,iEAAiE;KAC7E;CACF,CAAC"}

package/dist/plugins/pipelines/aws/scanfix/security-groups.d.ts

@@ -0,0 +1,10 @@
+/**
+ * AWS Security Group Fixes
+ *
+ * Provisions security groups for EC2 and RDS.
+ * EC2 SG: SSH(22), HTTP(80), HTTPS(443)
+ * RDS SG: PostgreSQL(5432) from EC2 SG only
+ */
+import type { Fix } from '../../../../types/index.js';
+export declare const securityGroupFixes: Fix[];
+//# sourceMappingURL=security-groups.d.ts.map

package/dist/plugins/pipelines/aws/scanfix/security-groups.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-groups.d.ts","sourceRoot":"","sources":["../../../../../src/plugins/pipelines/aws/scanfix/security-groups.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAiB,GAAG,EAAE,MAAM,4BAA4B,CAAC;AAwCrE,eAAO,MAAM,kBAAkB,EAAE,GAAG,EAqNnC,CAAC"}

package/dist/plugins/pipelines/aws/scanfix/security-groups.js

@@ -0,0 +1,225 @@
+"use strict";
+/**
+ * AWS Security Group Fixes
+ *
+ * Provisions security groups for EC2 and RDS.
+ * EC2 SG: SSH(22), HTTP(80), HTTPS(443)
+ * RDS SG: PostgreSQL(5432) from EC2 SG only
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.securityGroupFixes = void 0;
+const aws_helpers_js_1 = require("../utils/aws-helpers.js");
+/**
+ * Find security group by name and VPC
+ */
+function findSecurityGroup(groupName, vpcId, region) {
+    const result = (0, aws_helpers_js_1.awsExecSafe)('aws ec2 describe-security-groups --filters "Name=group-name,Values=' + groupName + '" "Name=vpc-id,Values=' + vpcId + '" --query "SecurityGroups[0].GroupId" --output text', region);
+    if (!result || result === 'None' || result === 'null')
+        return null;
+    return result.replace(/"/g, '');
+}
+/**
+ * Find VPC by factiii:project tag (shared with vpc.ts)
+ */
+function findVpc(projectName, region) {
+    const result = (0, aws_helpers_js_1.awsExecSafe)('aws ec2 describe-vpcs --filters "Name=tag:factiii:project,Values=' + projectName + '" --query "Vpcs[0].VpcId" --output text', region);
+    if (!result || result === 'None' || result === 'null')
+        return null;
+    return result.replace(/"/g, '');
+}
+/**
+ * Check if AWS is configured for this project
+ */
+function isAwsConfigured(config) {
+    if (config.aws)
+        return true;
+    // eslint-disable-next-line @typescript-eslint/no-require-imports
+    const { extractEnvironments } = require('../../../../utils/config-helpers.js');
+    const environments = extractEnvironments(config);
+    return Object.values(environments).some((e) => e.pipeline === 'aws');
+}
+exports.securityGroupFixes = [
+    {
+        id: 'aws-sg-ec2-missing',
+        stage: 'prod',
+        severity: 'critical',
+        description: 'EC2 security group not created (SSH, HTTP, HTTPS)',
+        scan: async (config) => {
+            if (!isAwsConfigured(config))
+                return false;
+            const { region } = (0, aws_helpers_js_1.getAwsConfig)(config);
+            const projectName = (0, aws_helpers_js_1.getProjectName)(config);
+            const vpcId = findVpc(projectName, region);
+            if (!vpcId)
+                return false; // VPC must exist first
+            return !findSecurityGroup('factiii-' + projectName + '-ec2', vpcId, region);
+        },
+        fix: async (config) => {
+            const { region } = (0, aws_helpers_js_1.getAwsConfig)(config);
+            const projectName = (0, aws_helpers_js_1.getProjectName)(config);
+            const vpcId = findVpc(projectName, region);
+            if (!vpcId) {
+                console.log('   VPC must be created first');
+                return false;
+            }
+            try {
+                const groupName = 'factiii-' + projectName + '-ec2';
+                // Create security group
+                const sgResult = (0, aws_helpers_js_1.awsExec)('aws ec2 create-security-group --group-name ' + groupName +
+                    ' --description "EC2 security group for ' + projectName + '"' +
+                    ' --vpc-id ' + vpcId +
+                    ' ' + (0, aws_helpers_js_1.tagSpec)('security-group', projectName), region);
+                const sgId = JSON.parse(sgResult).GroupId;
+                console.log('   Created EC2 security group: ' + sgId);
+                // Allow SSH (port 22)
+                (0, aws_helpers_js_1.awsExec)('aws ec2 authorize-security-group-ingress --group-id ' + sgId +
+                    ' --protocol tcp --port 22 --cidr 0.0.0.0/0', region);
+                // Allow HTTP (port 80)
+                (0, aws_helpers_js_1.awsExec)('aws ec2 authorize-security-group-ingress --group-id ' + sgId +
+                    ' --protocol tcp --port 80 --cidr 0.0.0.0/0', region);
+                // Allow HTTPS (port 443)
+                (0, aws_helpers_js_1.awsExec)('aws ec2 authorize-security-group-ingress --group-id ' + sgId +
+                    ' --protocol tcp --port 443 --cidr 0.0.0.0/0', region);
+                console.log('   Allowed inbound: SSH(22), HTTP(80), HTTPS(443)');
+                return true;
+            }
+            catch (e) {
+                console.log('   Failed to create EC2 security group: ' + (e instanceof Error ? e.message : String(e)));
+                return false;
+            }
+        },
+        manualFix: 'Create EC2 security group with inbound rules for SSH(22), HTTP(80), HTTPS(443)',
+    },
+    {
+        id: 'aws-sg-rds-missing',
+        stage: 'prod',
+        severity: 'critical',
+        description: 'RDS security group not created (PostgreSQL from EC2 only)',
+        scan: async (config) => {
+            if (!isAwsConfigured(config))
+                return false;
+            const { region } = (0, aws_helpers_js_1.getAwsConfig)(config);
+            const projectName = (0, aws_helpers_js_1.getProjectName)(config);
+            const vpcId = findVpc(projectName, region);
+            if (!vpcId)
+                return false;
+            return !findSecurityGroup('factiii-' + projectName + '-rds', vpcId, region);
+        },
+        fix: async (config) => {
+            const { region } = (0, aws_helpers_js_1.getAwsConfig)(config);
+            const projectName = (0, aws_helpers_js_1.getProjectName)(config);
+            const vpcId = findVpc(projectName, region);
+            if (!vpcId) {
+                console.log('   VPC must be created first');
+                return false;
+            }
+            // Need EC2 security group to reference
+            const ec2SgId = findSecurityGroup('factiii-' + projectName + '-ec2', vpcId, region);
+            if (!ec2SgId) {
+                console.log('   EC2 security group must be created first');
+                return false;
+            }
+            try {
+                const groupName = 'factiii-' + projectName + '-rds';
+                // Create RDS security group
+                const sgResult = (0, aws_helpers_js_1.awsExec)('aws ec2 create-security-group --group-name ' + groupName +
+                    ' --description "RDS security group for ' + projectName + '"' +
+                    ' --vpc-id ' + vpcId +
+                    ' ' + (0, aws_helpers_js_1.tagSpec)('security-group', projectName), region);
+                const sgId = JSON.parse(sgResult).GroupId;
+                console.log('   Created RDS security group: ' + sgId);
+                // Allow PostgreSQL (port 5432) from EC2 security group ONLY
+                (0, aws_helpers_js_1.awsExec)('aws ec2 authorize-security-group-ingress --group-id ' + sgId +
+                    ' --protocol tcp --port 5432 --source-group ' + ec2SgId, region);
+                console.log('   Allowed inbound: PostgreSQL(5432) from EC2 SG only');
+                return true;
+            }
+            catch (e) {
+                console.log('   Failed to create RDS security group: ' + (e instanceof Error ? e.message : String(e)));
+                return false;
+            }
+        },
+        manualFix: 'Create RDS security group allowing PostgreSQL(5432) from EC2 security group only',
+    },
+    {
+        id: 'aws-sg-rds-mac-access',
+        stage: 'prod',
+        severity: 'info',
+        description: 'RDS security group does not allow Mac Mini staging access',
+        scan: async (config) => {
+            if (!isAwsConfigured(config))
+                return false;
+            const { region } = (0, aws_helpers_js_1.getAwsConfig)(config);
+            const projectName = (0, aws_helpers_js_1.getProjectName)(config);
+            const vpcId = findVpc(projectName, region);
+            if (!vpcId)
+                return false;
+            const rdsSgId = findSecurityGroup('factiii-' + projectName + '-rds', vpcId, region);
+            if (!rdsSgId)
+                return false; // RDS SG must exist first
+            // Check if staging domain is configured
+            // eslint-disable-next-line @typescript-eslint/no-require-imports
+            const { extractEnvironments } = require('../../../../utils/config-helpers.js');
+            const environments = extractEnvironments(config);
+            const stagingEnv = environments.staging;
+            if (!stagingEnv?.domain)
+                return false; // No staging configured
+            // Check if RDS SG has an inbound rule for the staging IP
+            const rulesResult = (0, aws_helpers_js_1.awsExecSafe)('aws ec2 describe-security-groups --group-ids ' + rdsSgId + ' --query "SecurityGroups[0].IpPermissions" --output json', region);
+            if (!rulesResult)
+                return false;
+            try {
+                const rules = JSON.parse(rulesResult);
+                const stagingIp = stagingEnv.domain;
+                // Check if any rule allows the staging IP on port 5432
+                for (const rule of rules) {
+                    if (rule.FromPort === 5432 && rule.ToPort === 5432) {
+                        for (const ipRange of (rule.IpRanges || [])) {
+                            if (ipRange.CidrIp === stagingIp + '/32') {
+                                return false; // Already has access
+                            }
+                        }
+                    }
+                }
+                return true; // No rule found for staging IP
+            }
+            catch {
+                return false;
+            }
+        },
+        fix: async (config) => {
+            const { region } = (0, aws_helpers_js_1.getAwsConfig)(config);
+            const projectName = (0, aws_helpers_js_1.getProjectName)(config);
+            const vpcId = findVpc(projectName, region);
+            if (!vpcId)
+                return false;
+            const rdsSgId = findSecurityGroup('factiii-' + projectName + '-rds', vpcId, region);
+            if (!rdsSgId) {
+                console.log('   RDS security group must be created first');
+                return false;
+            }
+            // eslint-disable-next-line @typescript-eslint/no-require-imports
+            const { extractEnvironments } = require('../../../../utils/config-helpers.js');
+            const environments = extractEnvironments(config);
+            const stagingEnv = environments.staging;
+            if (!stagingEnv?.domain) {
+                console.log('   No staging domain configured');
+                return false;
+            }
+            try {
+                const stagingIp = stagingEnv.domain;
+                // Add inbound rule for Mac Mini IP on PostgreSQL port
+                (0, aws_helpers_js_1.awsExec)('aws ec2 authorize-security-group-ingress --group-id ' + rdsSgId +
+                    ' --protocol tcp --port 5432 --cidr ' + stagingIp + '/32', region);
+                console.log('   Allowed Mac Mini (' + stagingIp + ') access to RDS on port 5432');
+                return true;
+            }
+            catch (e) {
+                console.log('   Failed to add Mac Mini access: ' + (e instanceof Error ? e.message : String(e)));
+                return false;
+            }
+        },
+        manualFix: 'Add inbound rule to RDS security group for staging server IP on port 5432',
+    },
+];
+//# sourceMappingURL=security-groups.js.map

package/dist/plugins/pipelines/aws/scanfix/security-groups.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-groups.js","sourceRoot":"","sources":["../../../../../src/plugins/pipelines/aws/scanfix/security-groups.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;;AAGH,4DAAsG;AAEtG;;GAEG;AACH,SAAS,iBAAiB,CAAC,SAAiB,EAAE,KAAa,EAAE,MAAc;IACzE,MAAM,MAAM,GAAG,IAAA,4BAAW,EACxB,qEAAqE,GAAG,SAAS,GAAG,wBAAwB,GAAG,KAAK,GAAG,qDAAqD,EAC5K,MAAM,CACP,CAAC;IACF,IAAI,CAAC,MAAM,IAAI,MAAM,KAAK,MAAM,IAAI,MAAM,KAAK,MAAM;QAAE,OAAO,IAAI,CAAC;IACnE,OAAO,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;AAClC,CAAC;AAED;;GAEG;AACH,SAAS,OAAO,CAAC,WAAmB,EAAE,MAAc;IAClD,MAAM,MAAM,GAAG,IAAA,4BAAW,EACxB,mEAAmE,GAAG,WAAW,GAAG,yCAAyC,EAC7H,MAAM,CACP,CAAC;IACF,IAAI,CAAC,MAAM,IAAI,MAAM,KAAK,MAAM,IAAI,MAAM,KAAK,MAAM;QAAE,OAAO,IAAI,CAAC;IACnE,OAAO,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;AAClC,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,MAAqB;IAC5C,IAAI,MAAM,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IAC5B,iEAAiE;IACjE,MAAM,EAAE,mBAAmB,EAAE,GAAG,OAAO,CAAC,qCAAqC,CAAC,CAAC;IAC/E,MAAM,YAAY,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;IACjD,OAAO,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,IAAI,CACrC,CAAC,CAAU,EAAE,EAAE,CAAE,CAA2B,CAAC,QAAQ,KAAK,KAAK,CAChE,CAAC;AACJ,CAAC;AAEY,QAAA,kBAAkB,GAAU;IACvC;QACE,EAAE,EAAE,oBAAoB;QACxB,KAAK,EAAE,MAAM;QACb,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,mDAAmD;QAChE,IAAI,EAAE,KAAK,EAAE,MAAqB,EAAoB,EAAE;YACtD,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC;gBAAE,OAAO,KAAK,CAAC;YAC3C,MAAM,EAAE,MAAM,EAAE,GAAG,IAAA,6BAAY,EAAC,MAAM,CAAC,CAAC;YACxC,MAAM,WAAW,GAAG,IAAA,+BAAc,EAAC,MAAM,CAAC,CAAC;YAC3C,MAAM,KAAK,GAAG,OAAO,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;YAC3C,IAAI,CAAC,KAAK;gBAAE,OAAO,KAAK,CAAC,CAAC,uBAAuB;YACjD,OAAO,CAAC,iBAAiB,CAAC,UAAU,GAAG,WAAW,GAAG,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;QAC9E,CAAC;QACD,GAAG,EAAE,KAAK,EAAE,MAAqB,EAAoB,EAAE;YACrD,MAAM,EAAE,MAAM,EAAE,GAAG,IAAA,6BAAY,EAAC,MAAM,CAAC,CAAC;YACxC,MAAM,WAAW,GAAG,IAAA,+BAAc,EAAC,MAAM,CAAC,CAAC;YAC3C,MAAM,KAAK,GAAG,OAAO,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;YAC3C,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,OAAO,CAAC,GAAG,CAAC,8BAA8B,CAAC,CAAC;gBAC5C,OAAO,KAAK,CAAC;YACf,CAAC;YAED,IAAI,CAAC;gBACH,MAAM,SAAS,GAAG,UAAU,GAAG,WAAW,GAAG,MAAM,CAAC;gBAEpD,wBAAwB;gBACxB,MAAM,QAAQ,GAAG,IAAA,wBAAO,EACtB,6CAA6C,GAAG,SAAS;oBACzD,yCAAyC,GAAG,WAAW,GAAG,GAAG;oBAC7D,YAAY,GAAG,KAAK;oBACpB,GAAG,GAAG,IAAA,wBAAO,EAAC,gBAAgB,EAAE,WAAW,CAAC,EAC5C,MAAM,CACP,CAAC;gBACF,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC;gBAC1C,OAAO,CAAC,GAAG,CAAC,iCAAiC,GAAG,IAAI,CAAC,CAAC;gBAEtD,sBAAsB;gBACtB,IAAA,wBAAO,EACL,sDAAsD,GAAG,IAAI;oBAC7D,4CAA4C,EAC5C,MAAM,CACP,CAAC;gBAEF,uBAAuB;gBACvB,IAAA,wBAAO,EACL,sDAAsD,GAAG,IAAI;oBAC7D,4CAA4C,EAC5C,MAAM,CACP,CAAC;gBAEF,yBAAyB;gBACzB,IAAA,wBAAO,EACL,sDAAsD,GAAG,IAAI;oBAC7D,6CAA6C,EAC7C,MAAM,CACP,CAAC;gBAEF,OAAO,CAAC,GAAG,CAAC,mDAAmD,CAAC,CAAC;gBACjE,OAAO,IAAI,CAAC;YACd,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,OAAO,CAAC,GAAG,CAAC,0CAA0C,GAAG,CAAC,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBACvG,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QACD,SAAS,EAAE,gFAAgF;KAC5F;IACD;QACE,EAAE,EAAE,oBAAoB;QACxB,KAAK,EAAE,MAAM;QACb,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,2DAA2D;QACxE,IAAI,EAAE,KAAK,EAAE,MAAqB,EAAoB,EAAE;YACtD,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC;gBAAE,OAAO,KAAK,CAAC;YAC3C,MAAM,EAAE,MAAM,EAAE,GAAG,IAAA,6BAAY,EAAC,MAAM,CAAC,CAAC;YACxC,MAAM,WAAW,GAAG,IAAA,+BAAc,EAAC,MAAM,CAAC,CAAC;YAC3C,MAAM,KAAK,GAAG,OAAO,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;YAC3C,IAAI,CAAC,KAAK;gBAAE,OAAO,KAAK,CAAC;YACzB,OAAO,CAAC,iBAAiB,CAAC,UAAU,GAAG,WAAW,GAAG,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;QAC9E,CAAC;QACD,GAAG,EAAE,KAAK,EAAE,MAAqB,EAAoB,EAAE;YACrD,MAAM,EAAE,MAAM,EAAE,GAAG,IAAA,6BAAY,EAAC,MAAM,CAAC,CAAC;YACxC,MAAM,WAAW,GAAG,IAAA,+BAAc,EAAC,MAAM,CAAC,CAAC;YAC3C,MAAM,KAAK,GAAG,OAAO,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;YAC3C,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,OAAO,CAAC,GAAG,CAAC,8BAA8B,CAAC,CAAC;gBAC5C,OAAO,KAAK,CAAC;YACf,CAAC;YAED,uCAAuC;YACvC,MAAM,OAAO,GAAG,iBAAiB,CAAC,UAAU,GAAG,WAAW,GAAG,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;YACpF,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,OAAO,CAAC,GAAG,CAAC,6CAA6C,CAAC,CAAC;gBAC3D,OAAO,KAAK,CAAC;YACf,CAAC;YAED,IAAI,CAAC;gBACH,MAAM,SAAS,GAAG,UAAU,GAAG,WAAW,GAAG,MAAM,CAAC;gBAEpD,4BAA4B;gBAC5B,MAAM,QAAQ,GAAG,IAAA,wBAAO,EACtB,6CAA6C,GAAG,SAAS;oBACzD,yCAAyC,GAAG,WAAW,GAAG,GAAG;oBAC7D,YAAY,GAAG,KAAK;oBACpB,GAAG,GAAG,IAAA,wBAAO,EAAC,gBAAgB,EAAE,WAAW,CAAC,EAC5C,MAAM,CACP,CAAC;gBACF,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC;gBAC1C,OAAO,CAAC,GAAG,CAAC,iCAAiC,GAAG,IAAI,CAAC,CAAC;gBAEtD,4DAA4D;gBAC5D,IAAA,wBAAO,EACL,sDAAsD,GAAG,IAAI;oBAC7D,6CAA6C,GAAG,OAAO,EACvD,MAAM,CACP,CAAC;gBAEF,OAAO,CAAC,GAAG,CAAC,uDAAuD,CAAC,CAAC;gBACrE,OAAO,IAAI,CAAC;YACd,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,OAAO,CAAC,GAAG,CAAC,0CAA0C,GAAG,CAAC,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBACvG,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QACD,SAAS,EAAE,kFAAkF;KAC9F;IACD;QACE,EAAE,EAAE,uBAAuB;QAC3B,KAAK,EAAE,MAAM;QACb,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,2DAA2D;QACxE,IAAI,EAAE,KAAK,EAAE,MAAqB,EAAoB,EAAE;YACtD,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC;gBAAE,OAAO,KAAK,CAAC;YAC3C,MAAM,EAAE,MAAM,EAAE,GAAG,IAAA,6BAAY,EAAC,MAAM,CAAC,CAAC;YACxC,MAAM,WAAW,GAAG,IAAA,+BAAc,EAAC,MAAM,CAAC,CAAC;YAC3C,MAAM,KAAK,GAAG,OAAO,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;YAC3C,IAAI,CAAC,KAAK;gBAAE,OAAO,KAAK,CAAC;YAEzB,MAAM,OAAO,GAAG,iBAAiB,CAAC,UAAU,GAAG,WAAW,GAAG,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;YACpF,IAAI,CAAC,OAAO;gBAAE,OAAO,KAAK,CAAC,CAAC,0BAA0B;YAEtD,wCAAwC;YACxC,iEAAiE;YACjE,MAAM,EAAE,mBAAmB,EAAE,GAAG,OAAO,CAAC,qCAAqC,CAAC,CAAC;YAC/E,MAAM,YAAY,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;YACjD,MAAM,UAAU,GAAG,YAAY,CAAC,OAAO,CAAC;YACxC,IAAI,CAAC,UAAU,EAAE,MAAM;gBAAE,OAAO,KAAK,CAAC,CAAC,wBAAwB;YAE/D,yDAAyD;YACzD,MAAM,WAAW,GAAG,IAAA,4BAAW,EAC7B,+CAA+C,GAAG,OAAO,GAAG,0DAA0D,EACtH,MAAM,CACP,CAAC;YACF,IAAI,CAAC,WAAW;gBAAE,OAAO,KAAK,CAAC;YAE/B,IAAI,CAAC;gBACH,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;gBACtC,MAAM,SAAS,GAAG,UAAU,CAAC,MAAM,CAAC;gBACpC,uDAAuD;gBACvD,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;oBACzB,IAAI,IAAI,CAAC,QAAQ,KAAK,IAAI,IAAI,IAAI,CAAC,MAAM,KAAK,IAAI,EAAE,CAAC;wBACnD,KAAK,MAAM,OAAO,IAAI,CAAC,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC,EAAE,CAAC;4BAC5C,IAAI,OAAO,CAAC,MAAM,KAAK,SAAS,GAAG,KAAK,EAAE,CAAC;gCACzC,OAAO,KAAK,CAAC,CAAC,qBAAqB;4BACrC,CAAC;wBACH,CAAC;oBACH,CAAC;gBACH,CAAC;gBACD,OAAO,IAAI,CAAC,CAAC,+BAA+B;YAC9C,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QACD,GAAG,EAAE,KAAK,EAAE,MAAqB,EAAoB,EAAE;YACrD,MAAM,EAAE,MAAM,EAAE,GAAG,IAAA,6BAAY,EAAC,MAAM,CAAC,CAAC;YACxC,MAAM,WAAW,GAAG,IAAA,+BAAc,EAAC,MAAM,CAAC,CAAC;YAC3C,MAAM,KAAK,GAAG,OAAO,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;YAC3C,IAAI,CAAC,KAAK;gBAAE,OAAO,KAAK,CAAC;YAEzB,MAAM,OAAO,GAAG,iBAAiB,CAAC,UAAU,GAAG,WAAW,GAAG,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;YACpF,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,OAAO,CAAC,GAAG,CAAC,6CAA6C,CAAC,CAAC;gBAC3D,OAAO,KAAK,CAAC;YACf,CAAC;YAED,iEAAiE;YACjE,MAAM,EAAE,mBAAmB,EAAE,GAAG,OAAO,CAAC,qCAAqC,CAAC,CAAC;YAC/E,MAAM,YAAY,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;YACjD,MAAM,UAAU,GAAG,YAAY,CAAC,OAAO,CAAC;YACxC,IAAI,CAAC,UAAU,EAAE,MAAM,EAAE,CAAC;gBACxB,OAAO,CAAC,GAAG,CAAC,iCAAiC,CAAC,CAAC;gBAC/C,OAAO,KAAK,CAAC;YACf,CAAC;YAED,IAAI,CAAC;gBACH,MAAM,SAAS,GAAG,UAAU,CAAC,MAAM,CAAC;gBAEpC,sDAAsD;gBACtD,IAAA,wBAAO,EACL,sDAAsD,GAAG,OAAO;oBAChE,qCAAqC,GAAG,SAAS,GAAG,KAAK,EACzD,MAAM,CACP,CAAC;gBAEF,OAAO,CAAC,GAAG,CAAC,uBAAuB,GAAG,SAAS,GAAG,8BAA8B,CAAC,CAAC;gBAClF,OAAO,IAAI,CAAC;YACd,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,OAAO,CAAC,GAAG,CAAC,oCAAoC,GAAG,CAAC,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBACjG,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QACD,SAAS,EAAE,2EAA2E;KACvF;CACF,CAAC"}

package/dist/plugins/pipelines/aws/scanfix/ses.d.ts

@@ -0,0 +1,9 @@
+/**
+ * AWS SES Fixes
+ *
+ * Configures Simple Email Service for transactional email.
+ * Handles domain verification, DKIM setup, and sandbox status.
+ */
+import type { Fix } from '../../../../types/index.js';
+export declare const sesFixes: Fix[];
+//# sourceMappingURL=ses.d.ts.map

package/dist/plugins/pipelines/aws/scanfix/ses.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ses.d.ts","sourceRoot":"","sources":["../../../../../src/plugins/pipelines/aws/scanfix/ses.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAiB,GAAG,EAAE,MAAM,4BAA4B,CAAC;AAqDrE,eAAO,MAAM,QAAQ,EAAE,GAAG,EAkIzB,CAAC"}

package/dist/plugins/pipelines/aws/scanfix/ses.js

@@ -0,0 +1,174 @@
+"use strict";
+/**
+ * AWS SES Fixes
+ *
+ * Configures Simple Email Service for transactional email.
+ * Handles domain verification, DKIM setup, and sandbox status.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.sesFixes = void 0;
+const aws_helpers_js_1 = require("../utils/aws-helpers.js");
+/**
+ * Get the production domain from config
+ */
+function getProdDomain(config) {
+    // eslint-disable-next-line @typescript-eslint/no-require-imports
+    const { extractEnvironments } = require('../../../../utils/config-helpers.js');
+    const environments = extractEnvironments(config);
+    const prodEnv = environments.prod ?? environments.production;
+    const domain = prodEnv?.domain;
+    if (!domain || domain.startsWith('EXAMPLE-'))
+        return null;
+    return domain;
+}
+/**
+ * Check if domain is verified in SES
+ */
+function isDomainVerified(domain, region) {
+    const result = (0, aws_helpers_js_1.awsExecSafe)('aws ses get-identity-verification-attributes --identities ' + domain +
+        ' --query "VerificationAttributes.' + domain + '.VerificationStatus" --output text', region);
+    return result === 'Success';
+}
+/**
+ * Check if DKIM is configured for domain
+ */
+function hasDkim(domain, region) {
+    const result = (0, aws_helpers_js_1.awsExecSafe)('aws ses get-identity-dkim-attributes --identities ' + domain +
+        ' --query "DkimAttributes.' + domain + '.DkimEnabled" --output text', region);
+    return result === 'true' || result === 'True';
+}
+/**
+ * Check if AWS is configured for this project
+ */
+function isAwsConfigured(config) {
+    if (config.aws)
+        return true;
+    // eslint-disable-next-line @typescript-eslint/no-require-imports
+    const { extractEnvironments } = require('../../../../utils/config-helpers.js');
+    const environments = extractEnvironments(config);
+    return Object.values(environments).some((e) => e.pipeline === 'aws');
+}
+exports.sesFixes = [
+    {
+        id: 'aws-ses-domain-missing',
+        stage: 'prod',
+        severity: 'warning',
+        description: 'SES domain identity not verified for email',
+        scan: async (config) => {
+            if (!isAwsConfigured(config))
+                return false;
+            const { region } = (0, aws_helpers_js_1.getAwsConfig)(config);
+            const domain = getProdDomain(config);
+            if (!domain)
+                return false;
+            return !isDomainVerified(domain, region);
+        },
+        fix: async (config) => {
+            const { region } = (0, aws_helpers_js_1.getAwsConfig)(config);
+            const domain = getProdDomain(config);
+            if (!domain) {
+                console.log('   Set production domain in factiii.yml first');
+                return false;
+            }
+            try {
+                // Start domain verification
+                (0, aws_helpers_js_1.awsExec)('aws ses verify-domain-identity --domain ' + domain, region);
+                // Get the verification token
+                const tokenResult = (0, aws_helpers_js_1.awsExec)('aws ses get-identity-verification-attributes --identities ' + domain +
+                    ' --query "VerificationAttributes.' + domain + '.VerificationToken" --output text', region);
+                const token = tokenResult.replace(/"/g, '');
+                console.log('   Started domain verification for: ' + domain);
+                console.log('');
+                console.log('   Add this TXT record to your DNS:');
+                console.log('   Name:  _amazonses.' + domain);
+                console.log('   Type:  TXT');
+                console.log('   Value: ' + token);
+                console.log('');
+                console.log('   Verification may take a few minutes after DNS propagation.');
+                return true;
+            }
+            catch (e) {
+                console.log('   Failed to start domain verification: ' + (e instanceof Error ? e.message : String(e)));
+                return false;
+            }
+        },
+        manualFix: 'Verify domain in SES: aws ses verify-domain-identity --domain <domain>\nThen add the TXT record to DNS',
+    },
+    {
+        id: 'aws-ses-dkim-missing',
+        stage: 'prod',
+        severity: 'info',
+        description: 'SES DKIM not configured (improves email deliverability)',
+        scan: async (config) => {
+            if (!isAwsConfigured(config))
+                return false;
+            const { region } = (0, aws_helpers_js_1.getAwsConfig)(config);
+            const domain = getProdDomain(config);
+            if (!domain)
+                return false;
+            if (!isDomainVerified(domain, region))
+                return false; // Domain must be verified first
+            return !hasDkim(domain, region);
+        },
+        fix: async (config) => {
+            const { region } = (0, aws_helpers_js_1.getAwsConfig)(config);
+            const domain = getProdDomain(config);
+            if (!domain)
+                return false;
+            try {
+                // Generate DKIM tokens
+                const result = (0, aws_helpers_js_1.awsExec)('aws ses verify-domain-dkim --domain ' + domain, region);
+                const parsed = JSON.parse(result);
+                const tokens = parsed.DkimTokens ?? [];
+                console.log('   Generated DKIM tokens for: ' + domain);
+                console.log('');
+                console.log('   Add these CNAME records to your DNS:');
+                for (const token of tokens) {
+                    console.log('   Name:  ' + token + '._domainkey.' + domain);
+                    console.log('   Type:  CNAME');
+                    console.log('   Value: ' + token + '.dkim.amazonses.com');
+                    console.log('');
+                }
+                console.log('   DKIM verification may take a few minutes after DNS propagation.');
+                return true;
+            }
+            catch (e) {
+                console.log('   Failed to configure DKIM: ' + (e instanceof Error ? e.message : String(e)));
+                return false;
+            }
+        },
+        manualFix: 'Configure DKIM: aws ses verify-domain-dkim --domain <domain>\nThen add CNAME records to DNS',
+    },
+    {
+        id: 'aws-ses-sandbox',
+        stage: 'prod',
+        severity: 'info',
+        description: 'SES is in sandbox mode (can only send to verified emails)',
+        scan: async (config) => {
+            if (!isAwsConfigured(config))
+                return false;
+            const { region } = (0, aws_helpers_js_1.getAwsConfig)(config);
+            const domain = getProdDomain(config);
+            if (!domain)
+                return false;
+            if (!isDomainVerified(domain, region))
+                return false;
+            // Check sending quota — sandbox has max 200/day
+            const result = (0, aws_helpers_js_1.awsExecSafe)('aws ses get-send-quota --query "Max24HourSend" --output text', region);
+            if (!result)
+                return false;
+            const maxSend = parseFloat(result);
+            return maxSend <= 200; // Sandbox limit
+        },
+        fix: null,
+        manualFix: [
+            'SES is in sandbox mode. To send to unverified emails:',
+            '',
+            '1. Go to AWS Console → SES → Account dashboard',
+            '2. Click "Request production access"',
+            '3. Fill in the form with your use case',
+            '4. AWS typically approves within 24 hours',
+        ].join('\n'),
+    },
+];
+//# sourceMappingURL=ses.js.map

package/dist/plugins/pipelines/aws/scanfix/ses.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ses.js","sourceRoot":"","sources":["../../../../../src/plugins/pipelines/aws/scanfix/ses.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;AAGH,4DAA6E;AAE7E;;GAEG;AACH,SAAS,aAAa,CAAC,MAAqB;IAC1C,iEAAiE;IACjE,MAAM,EAAE,mBAAmB,EAAE,GAAG,OAAO,CAAC,qCAAqC,CAAC,CAAC;IAC/E,MAAM,YAAY,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;IACjD,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,IAAI,YAAY,CAAC,UAAU,CAAC;IAC7D,MAAM,MAAM,GAAG,OAAO,EAAE,MAAM,CAAC;IAC/B,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,UAAU,CAAC,UAAU,CAAC;QAAE,OAAO,IAAI,CAAC;IAC1D,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,SAAS,gBAAgB,CAAC,MAAc,EAAE,MAAc;IACtD,MAAM,MAAM,GAAG,IAAA,4BAAW,EACxB,4DAA4D,GAAG,MAAM;QACrE,mCAAmC,GAAG,MAAM,GAAG,oCAAoC,EACnF,MAAM,CACP,CAAC;IACF,OAAO,MAAM,KAAK,SAAS,CAAC;AAC9B,CAAC;AAED;;GAEG;AACH,SAAS,OAAO,CAAC,MAAc,EAAE,MAAc;IAC7C,MAAM,MAAM,GAAG,IAAA,4BAAW,EACxB,oDAAoD,GAAG,MAAM;QAC7D,2BAA2B,GAAG,MAAM,GAAG,6BAA6B,EACpE,MAAM,CACP,CAAC;IACF,OAAO,MAAM,KAAK,MAAM,IAAI,MAAM,KAAK,MAAM,CAAC;AAChD,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,MAAqB;IAC5C,IAAI,MAAM,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IAC5B,iEAAiE;IACjE,MAAM,EAAE,mBAAmB,EAAE,GAAG,OAAO,CAAC,qCAAqC,CAAC,CAAC;IAC/E,MAAM,YAAY,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;IACjD,OAAO,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,IAAI,CACrC,CAAC,CAAU,EAAE,EAAE,CAAE,CAA2B,CAAC,QAAQ,KAAK,KAAK,CAChE,CAAC;AACJ,CAAC;AAEY,QAAA,QAAQ,GAAU;IAC7B;QACE,EAAE,EAAE,wBAAwB;QAC5B,KAAK,EAAE,MAAM;QACb,QAAQ,EAAE,SAAS;QACnB,WAAW,EAAE,4CAA4C;QACzD,IAAI,EAAE,KAAK,EAAE,MAAqB,EAAoB,EAAE;YACtD,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC;gBAAE,OAAO,KAAK,CAAC;YAC3C,MAAM,EAAE,MAAM,EAAE,GAAG,IAAA,6BAAY,EAAC,MAAM,CAAC,CAAC;YACxC,MAAM,MAAM,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;YACrC,IAAI,CAAC,MAAM;gBAAE,OAAO,KAAK,CAAC;YAC1B,OAAO,CAAC,gBAAgB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAC3C,CAAC;QACD,GAAG,EAAE,KAAK,EAAE,MAAqB,EAAoB,EAAE;YACrD,MAAM,EAAE,MAAM,EAAE,GAAG,IAAA,6BAAY,EAAC,MAAM,CAAC,CAAC;YACxC,MAAM,MAAM,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;YACrC,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,OAAO,CAAC,GAAG,CAAC,+CAA+C,CAAC,CAAC;gBAC7D,OAAO,KAAK,CAAC;YACf,CAAC;YAED,IAAI,CAAC;gBACH,4BAA4B;gBAC5B,IAAA,wBAAO,EACL,0CAA0C,GAAG,MAAM,EACnD,MAAM,CACP,CAAC;gBAEF,6BAA6B;gBAC7B,MAAM,WAAW,GAAG,IAAA,wBAAO,EACzB,4DAA4D,GAAG,MAAM;oBACrE,mCAAmC,GAAG,MAAM,GAAG,mCAAmC,EAClF,MAAM,CACP,CAAC;gBACF,MAAM,KAAK,GAAG,WAAW,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;gBAE5C,OAAO,CAAC,GAAG,CAAC,sCAAsC,GAAG,MAAM,CAAC,CAAC;gBAC7D,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;gBAChB,OAAO,CAAC,GAAG,CAAC,qCAAqC,CAAC,CAAC;gBACnD,OAAO,CAAC,GAAG,CAAC,uBAAuB,GAAG,MAAM,CAAC,CAAC;gBAC9C,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;gBAC7B,OAAO,CAAC,GAAG,CAAC,YAAY,GAAG,KAAK,CAAC,CAAC;gBAClC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;gBAChB,OAAO,CAAC,GAAG,CAAC,+DAA+D,CAAC,CAAC;gBAE7E,OAAO,IAAI,CAAC;YACd,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,OAAO,CAAC,GAAG,CAAC,0CAA0C,GAAG,CAAC,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBACvG,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QACD,SAAS,EAAE,wGAAwG;KACpH;IACD;QACE,EAAE,EAAE,sBAAsB;QAC1B,KAAK,EAAE,MAAM;QACb,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,yDAAyD;QACtE,IAAI,EAAE,KAAK,EAAE,MAAqB,EAAoB,EAAE;YACtD,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC;gBAAE,OAAO,KAAK,CAAC;YAC3C,MAAM,EAAE,MAAM,EAAE,GAAG,IAAA,6BAAY,EAAC,MAAM,CAAC,CAAC;YACxC,MAAM,MAAM,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;YACrC,IAAI,CAAC,MAAM;gBAAE,OAAO,KAAK,CAAC;YAC1B,IAAI,CAAC,gBAAgB,CAAC,MAAM,EAAE,MAAM,CAAC;gBAAE,OAAO,KAAK,CAAC,CAAC,gCAAgC;YACrF,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAClC,CAAC;QACD,GAAG,EAAE,KAAK,EAAE,MAAqB,EAAoB,EAAE;YACrD,MAAM,EAAE,MAAM,EAAE,GAAG,IAAA,6BAAY,EAAC,MAAM,CAAC,CAAC;YACxC,MAAM,MAAM,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;YACrC,IAAI,CAAC,MAAM;gBAAE,OAAO,KAAK,CAAC;YAE1B,IAAI,CAAC;gBACH,uBAAuB;gBACvB,MAAM,MAAM,GAAG,IAAA,wBAAO,EACpB,sCAAsC,GAAG,MAAM,EAC/C,MAAM,CACP,CAAC;gBACF,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;gBAClC,MAAM,MAAM,GAAa,MAAM,CAAC,UAAU,IAAI,EAAE,CAAC;gBAEjD,OAAO,CAAC,GAAG,CAAC,gCAAgC,GAAG,MAAM,CAAC,CAAC;gBACvD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;gBAChB,OAAO,CAAC,GAAG,CAAC,yCAAyC,CAAC,CAAC;gBACvD,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;oBAC3B,OAAO,CAAC,GAAG,CAAC,YAAY,GAAG,KAAK,GAAG,cAAc,GAAG,MAAM,CAAC,CAAC;oBAC5D,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;oBAC/B,OAAO,CAAC,GAAG,CAAC,YAAY,GAAG,KAAK,GAAG,qBAAqB,CAAC,CAAC;oBAC1D,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;gBAClB,CAAC;gBACD,OAAO,CAAC,GAAG,CAAC,oEAAoE,CAAC,CAAC;gBAElF,OAAO,IAAI,CAAC;YACd,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,OAAO,CAAC,GAAG,CAAC,+BAA+B,GAAG,CAAC,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBAC5F,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QACD,SAAS,EAAE,6FAA6F;KACzG;IACD;QACE,EAAE,EAAE,iBAAiB;QACrB,KAAK,EAAE,MAAM;QACb,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,2DAA2D;QACxE,IAAI,EAAE,KAAK,EAAE,MAAqB,EAAoB,EAAE;YACtD,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC;gBAAE,OAAO,KAAK,CAAC;YAC3C,MAAM,EAAE,MAAM,EAAE,GAAG,IAAA,6BAAY,EAAC,MAAM,CAAC,CAAC;YACxC,MAAM,MAAM,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;YACrC,IAAI,CAAC,MAAM;gBAAE,OAAO,KAAK,CAAC;YAC1B,IAAI,CAAC,gBAAgB,CAAC,MAAM,EAAE,MAAM,CAAC;gBAAE,OAAO,KAAK,CAAC;YAEpD,gDAAgD;YAChD,MAAM,MAAM,GAAG,IAAA,4BAAW,EACxB,8DAA8D,EAC9D,MAAM,CACP,CAAC;YACF,IAAI,CAAC,MAAM;gBAAE,OAAO,KAAK,CAAC;YAC1B,MAAM,OAAO,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC;YACnC,OAAO,OAAO,IAAI,GAAG,CAAC,CAAC,gBAAgB;QACzC,CAAC;QACD,GAAG,EAAE,IAAI;QACT,SAAS,EAAE;YACT,uDAAuD;YACvD,EAAE;YACF,gDAAgD;YAChD,sCAAsC;YACtC,wCAAwC;YACxC,2CAA2C;SAC5C,CAAC,IAAI,CAAC,IAAI,CAAC;KACb;CACF,CAAC"}

package/dist/plugins/pipelines/aws/scanfix/vpc.d.ts

@@ -0,0 +1,9 @@
+/**
+ * AWS VPC Fixes
+ *
+ * Provisions VPC, subnets, and internet gateway for AWS infrastructure.
+ * All resources are tagged with factiii:project={name} for identification.
+ */
+import type { Fix } from '../../../../types/index.js';
+export declare const vpcFixes: Fix[];
+//# sourceMappingURL=vpc.d.ts.map

package/dist/plugins/pipelines/aws/scanfix/vpc.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"vpc.d.ts","sourceRoot":"","sources":["../../../../../src/plugins/pipelines/aws/scanfix/vpc.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAiB,GAAG,EAAE,MAAM,4BAA4B,CAAC;AAgErE,eAAO,MAAM,QAAQ,EAAE,GAAG,EAmOzB,CAAC"}