@fjall/components-infrastructure 0.95.0 → 0.99.1

package/dist/lib/resources/aws/compute/persistentDataVolumeLambda.source.cjs

@@ -0,0 +1,398 @@
+/**
+ * PersistentDataVolume LAUNCHING handler. Inlined into a Lambda at synth
+ * time by persistentDataVolume.ts. Triggered by an SQS queue fed by an
+ * EventBridge rule subscribed to the ASG EC2_INSTANCE_LAUNCHING lifecycle
+ * event on the default bus.
+ *
+ * Wire format: the SQS message body is the EventBridge event envelope
+ *   `{ version, "detail-type", source, account, time, region, resources,
+ *      detail: { LifecycleActionToken, AutoScalingGroupName,
+ *                LifecycleHookName, EC2InstanceId, LifecycleTransition,
+ *                NotificationMetadata, ... } }`.
+ * The lifecycle payload lives at `body.detail`. Records whose envelope does
+ * not match (wrong source, missing detail, non-Lifecycle Action detail-type)
+ * are logged and skipped — they shouldn't reach this queue but a defensive
+ * guard is cheap and avoids crashing the loop on stray test events.
+ *
+ * Behaviour:
+ *   1. Unwrap the EventBridge envelope; reject non-lifecycle records.
+ *   2. DescribeVolumes filtered by THREE tags: `tag:fjall:Lifecycle ==
+ *      data-volume` AND `tag:fjall:OwnerLogicalId == OWNER_LOGICAL_ID` AND
+ *      `tag:fjall:StackId == STACK_ID`. The StackId filter discriminates
+ *      this deploy's volume from any prior-iteration orphans (CREATE_ROLLBACK
+ *      failures, aborted destroys) that share the OwnerLogicalId but carry
+ *      a stale StackId. No match → ABANDON so the ASG kills the new instance
+ *      and retries; multiple matches → ABANDON and surface to the
+ *      Lambda-Errors alarm (a tag-uniqueness invariant violation; silently
+ *      picking one risks attaching the wrong data and requires operator
+ *      investigation).
+ *   3. AttachVolume(Device: DEVICE_NAME, InstanceId, VolumeId).
+ *   4. Poll DescribeVolumes until State === "in-use" AND the matching
+ *      Attachments[].State === "attached", deadline 90s. Timeout → ABANDON.
+ *   5. CompleteLifecycleAction(CONTINUE) on success.
+ *
+ * The Lambda is paired with the TERMINATING-side DetachVolume branch in
+ * ec2GracefulTerminationLambda.source.cjs. The two Lambdas form a closed
+ * re-attach contract: TERMINATING detaches the tagged volume from the
+ * outgoing instance, LAUNCHING (this file) re-attaches it to the incoming
+ * instance.
+ *
+ * CommonJS rather than ESM because Code.fromInline lands the source as
+ * `index.js`, which Lambda treats as CommonJS by default.
+ */
+const {
+  EC2Client,
+  DescribeVolumesCommand,
+  AttachVolumeCommand
+} = require("@aws-sdk/client-ec2");
+const {
+  AutoScalingClient,
+  CompleteLifecycleActionCommand
+} = require("@aws-sdk/client-auto-scaling");
+
+const ATTACH_POLL_INTERVAL_MS = 5_000;
+// 90s attach deadline. AWS volume attach is usually < 30s; the bootstrap
+// script waits 60s for /dev/xvdf so the hook MUST complete inside that.
+const ATTACH_DEADLINE_MS = 90_000;
+const TAG_OWNER_LOGICAL_ID = "fjall:OwnerLogicalId";
+const TAG_LIFECYCLE = "fjall:Lifecycle";
+const TAG_LIFECYCLE_VALUE = "data-volume";
+const TAG_STACK_ID = "fjall:StackId";
+
+function errMessage(err) {
+  return err && err.message ? err.message : String(err);
+}
+
+let _ec2;
+let _asg;
+function getEc2() {
+  if (!_ec2) _ec2 = new EC2Client({});
+  return _ec2;
+}
+function getAsg() {
+  if (!_asg) _asg = new AutoScalingClient({});
+  return _asg;
+}
+
+function parseLifecycleMessage(record) {
+  const envelope = JSON.parse(record.body);
+  const detail = envelope && envelope.detail;
+  const source = envelope && envelope.source;
+  const detailType = envelope && envelope["detail-type"];
+  const valid =
+    detail !== undefined &&
+    detail !== null &&
+    typeof detail === "object" &&
+    source === "aws.autoscaling" &&
+    typeof detailType === "string" &&
+    detailType.endsWith("Lifecycle Action");
+  if (!valid) {
+    return { valid: false };
+  }
+  return {
+    valid: true,
+    instanceId: detail.EC2InstanceId,
+    asgName: detail.AutoScalingGroupName,
+    actionToken: detail.LifecycleActionToken,
+    hookName: detail.LifecycleHookName,
+    isTest: false
+  };
+}
+
+function readEnv(env, name) {
+  const value = env[name];
+  if (typeof value !== "string" || value === "") return undefined;
+  return value;
+}
+
+async function findOwnedVolume(ec2Client, ownerLogicalId, stackId) {
+  const result = await ec2Client.send(
+    new DescribeVolumesCommand({
+      Filters: [
+        { Name: `tag:${TAG_OWNER_LOGICAL_ID}`, Values: [ownerLogicalId] },
+        { Name: `tag:${TAG_LIFECYCLE}`, Values: [TAG_LIFECYCLE_VALUE] },
+        { Name: `tag:${TAG_STACK_ID}`, Values: [stackId] }
+      ]
+    })
+  );
+  const volumes = result.Volumes || [];
+  return volumes;
+}
+
+async function pollUntilAttached(
+  ec2Client,
+  volumeId,
+  instanceId,
+  sleepFn,
+  nowFn
+) {
+  const deadline = nowFn() + ATTACH_DEADLINE_MS;
+  while (nowFn() < deadline) {
+    const desc = await ec2Client.send(
+      new DescribeVolumesCommand({ VolumeIds: [volumeId] })
+    );
+    const volume =
+      desc.Volumes && desc.Volumes[0] ? desc.Volumes[0] : undefined;
+    if (volume) {
+      const attachment = (volume.Attachments || []).find(
+        (a) => a.InstanceId === instanceId
+      );
+      if (volume.State === "in-use" && attachment?.State === "attached") {
+        return true;
+      }
+    }
+    await sleepFn(ATTACH_POLL_INTERVAL_MS);
+  }
+  return false;
+}
+
+async function completeLifecycle(
+  asgClient,
+  asgName,
+  hookName,
+  actionToken,
+  result
+) {
+  await asgClient.send(
+    new CompleteLifecycleActionCommand({
+      AutoScalingGroupName: asgName,
+      LifecycleHookName: hookName,
+      LifecycleActionToken: actionToken,
+      LifecycleActionResult: result
+    })
+  );
+}
+
+async function processRecord(record, deps) {
+  const ec2Client = (deps && deps.ec2Client) || getEc2();
+  const asgClient = (deps && deps.asgClient) || getAsg();
+  const sleepFn =
+    (deps && deps.sleep) ||
+    ((ms) => new Promise((resolve) => setTimeout(resolve, ms)));
+  const nowFn = (deps && deps.now) || (() => Date.now());
+  const env = (deps && deps.env) || process.env;
+  const log =
+    (deps && deps.log) ||
+    ((msg, fields) => {
+      console.log(JSON.stringify({ message: msg, ...(fields || {}) }));
+    });
+
+  const parsed = parseLifecycleMessage(record);
+  if (!parsed.valid) {
+    log("Record is not an aws.autoscaling Lifecycle Action; skipping", {
+      bodyPreview: record.body ? String(record.body).slice(0, 200) : undefined
+    });
+    return;
+  }
+  const { instanceId, asgName, actionToken, hookName } = parsed;
+
+  const ownerLogicalId = readEnv(env, "OWNER_LOGICAL_ID");
+  const stackId = readEnv(env, "STACK_ID");
+  const deviceName = readEnv(env, "DEVICE_NAME");
+  if (
+    ownerLogicalId === undefined ||
+    stackId === undefined ||
+    deviceName === undefined
+  ) {
+    log("OWNER_LOGICAL_ID, STACK_ID or DEVICE_NAME unset; abandoning", {
+      asgName,
+      instanceId
+    });
+    await completeLifecycle(
+      asgClient,
+      asgName,
+      hookName,
+      actionToken,
+      "ABANDON"
+    );
+    return;
+  }
+
+  let volumes;
+  try {
+    volumes = await findOwnedVolume(ec2Client, ownerLogicalId, stackId);
+  } catch (err) {
+    log("DescribeVolumes failed; abandoning", {
+      asgName,
+      instanceId,
+      error: errMessage(err)
+    });
+    await completeLifecycle(
+      asgClient,
+      asgName,
+      hookName,
+      actionToken,
+      "ABANDON"
+    );
+    return;
+  }
+
+  if (volumes.length === 0) {
+    log("No tagged data volume found; abandoning launch", {
+      ownerLogicalId,
+      instanceId
+    });
+    await completeLifecycle(
+      asgClient,
+      asgName,
+      hookName,
+      actionToken,
+      "ABANDON"
+    );
+    return;
+  }
+
+  if (volumes.length > 1) {
+    log(
+      "Multiple tagged data volumes found; abandoning launch — tag-uniqueness invariant violated",
+      {
+        ownerLogicalId,
+        volumeIds: volumes.map((v) => v.VolumeId)
+      }
+    );
+    await completeLifecycle(
+      asgClient,
+      asgName,
+      hookName,
+      actionToken,
+      "ABANDON"
+    );
+    return;
+  }
+
+  const volume = volumes[0];
+  const volumeId = volume.VolumeId;
+
+  // Already attached to the launching instance (e.g. previous Lambda invocation
+  // succeeded before the hook timeout fired and ASG re-fired the message).
+  const existingAttachment = (volume.Attachments || []).find(
+    (a) => a.InstanceId === instanceId && a.State === "attached"
+  );
+  if (existingAttachment !== undefined) {
+    log("Volume already attached to launching instance; completing CONTINUE", {
+      volumeId,
+      instanceId
+    });
+    await completeLifecycle(
+      asgClient,
+      asgName,
+      hookName,
+      actionToken,
+      "CONTINUE"
+    );
+    return;
+  }
+
+  try {
+    await ec2Client.send(
+      new AttachVolumeCommand({
+        VolumeId: volumeId,
+        InstanceId: instanceId,
+        Device: deviceName
+      })
+    );
+  } catch (err) {
+    log("AttachVolume failed; abandoning", {
+      volumeId,
+      instanceId,
+      error: errMessage(err)
+    });
+    await completeLifecycle(
+      asgClient,
+      asgName,
+      hookName,
+      actionToken,
+      "ABANDON"
+    );
+    return;
+  }
+
+  const attached = await pollUntilAttached(
+    ec2Client,
+    volumeId,
+    instanceId,
+    sleepFn,
+    nowFn
+  );
+  if (!attached) {
+    log(
+      "Volume attach did not reach in-use/attached within deadline; abandoning",
+      {
+        volumeId,
+        instanceId,
+        deadlineMs: ATTACH_DEADLINE_MS
+      }
+    );
+    await completeLifecycle(
+      asgClient,
+      asgName,
+      hookName,
+      actionToken,
+      "ABANDON"
+    );
+    return;
+  }
+
+  log("Volume attached successfully; completing CONTINUE", {
+    volumeId,
+    instanceId
+  });
+  await completeLifecycle(
+    asgClient,
+    asgName,
+    hookName,
+    actionToken,
+    "CONTINUE"
+  );
+}
+
+exports.handler = async (event) => {
+  const records = (event && event.Records) || [];
+  for (const record of records) {
+    try {
+      await processRecord(record);
+    } catch (err) {
+      console.error(
+        JSON.stringify({
+          message:
+            "PersistentDataVolume LAUNCHING handler crashed; attempting ABANDON",
+          error: errMessage(err)
+        })
+      );
+      try {
+        const parsed = parseLifecycleMessage(record);
+        if (!parsed.valid) continue;
+        await completeLifecycle(
+          getAsg(),
+          parsed.asgName,
+          parsed.hookName,
+          parsed.actionToken,
+          "ABANDON"
+        );
+      } catch (innerErr) {
+        console.error(
+          JSON.stringify({
+            message: "CompleteLifecycleAction also failed",
+            error: errMessage(innerErr)
+          })
+        );
+        throw err;
+      }
+    }
+  }
+};
+
+exports._internals = {
+  parseLifecycleMessage,
+  readEnv,
+  findOwnedVolume,
+  pollUntilAttached,
+  completeLifecycle,
+  processRecord,
+  ATTACH_POLL_INTERVAL_MS,
+  ATTACH_DEADLINE_MS,
+  TAG_OWNER_LOGICAL_ID,
+  TAG_LIFECYCLE,
+  TAG_LIFECYCLE_VALUE,
+  TAG_STACK_ID
+};

package/dist/lib/resources/aws/compute/samApplication.d.ts

@@ -0,0 +1,15 @@
+import { Construct } from "constructs";
+export interface SamApplicationProps {
+    readonly applicationId: string;
+    readonly semanticVersion: string;
+    readonly parameters: Record<string, string>;
+    readonly description?: string;
+    readonly costAllocationService: string;
+    readonly costAllocationDomain: string;
+    readonly costAllocationEnvironment?: string;
+}
+export declare class SamApplication extends Construct {
+    private readonly application;
+    readonly description: string;
+    constructor(scope: Construct, id: string, props: SamApplicationProps);
+}

package/dist/lib/resources/aws/compute/samApplication.js

@@ -0,0 +1,27 @@
+import { Tags } from "aws-cdk-lib";
+import { CfnApplication } from "aws-cdk-lib/aws-sam";
+import { Construct } from "constructs";
+import { applyCostAllocationTags } from "../../../utils/costAllocationTags.js";
+export class SamApplication extends Construct {
+    application;
+    description;
+    constructor(scope, id, props) {
+        super(scope, id);
+        this.description =
+            props.description ??
+                `Fjall-managed SAR application: ${props.applicationId}`;
+        this.application = new CfnApplication(this, "Application", {
+            location: {
+                applicationId: props.applicationId,
+                semanticVersion: props.semanticVersion
+            },
+            parameters: props.parameters
+        });
+        Tags.of(this).add("fjall:description", this.description);
+        applyCostAllocationTags(this, {
+            service: props.costAllocationService,
+            domain: props.costAllocationDomain,
+            environment: props.costAllocationEnvironment
+        });
+    }
+}

package/dist/lib/resources/aws/database/clickhouseConstants.d.ts

@@ -0,0 +1,159 @@
+/** Database name created at ClickHouse bootstrap; consumed by BACKUP DATABASE,
+ *  OPTIMIZE TABLE, and the DatabaseName CfnOutput so all four sites share one source. */
+export declare const CLICKHOUSE_DATABASE_NAME = "analytics";
+/** Default EC2 instance type for ClickHouse (Graviton3 — fixed-spec cores).
+ *
+ *  `m7g.medium` (1 vCPU sustained, 4 GiB) chosen over `t4g.medium` (2 vCPU
+ *  burst, 4 GiB) because CH's steady-state merge/scan/aggregation profile is
+ *  not bursty — burst credits run out under the per-5min metrics ingest plus
+ *  the OPTIMIZE FINAL sidecar, leaving the box throttled at baseline (10–20%
+ *  of 2 vCPU) for the rest of the hour. Graviton3 is also ~25% faster on
+ *  columnar scans than Graviton2.
+ *
+ *  Settings are tuned for 1 vCPU sustained (max_threads=1 across all profiles,
+ *  max_concurrent_queries=4) — see clickhouseUserData.ts. Bumping to a larger
+ *  instance MUST be paired with raising those thread/concurrency caps.
+ *
+ *  Next size up: `m7g.large` (2 vCPU, 8 GiB) for sustained workloads, or
+ *  `r7g.medium` (1 vCPU, 8 GiB) when memory-bound. Set via
+ *  `clickhouseInstanceType` CDK context or the `instanceType` prop, no code
+ *  change needed (see clickhouseDatabase.ts:162). */
+export declare const DEFAULT_CLICKHOUSE_INSTANCE_TYPE = "m7g.medium";
+/** ClickHouse container image. Explicit `docker.io/` prefix is required so
+ *  string-form consumers in `ecsImages.ts#getContainerImage()` route through
+ *  `ContainerImage.fromRegistry(...)` instead of the ECR-repo fallback (which
+ *  would otherwise append a service-tag suffix and produce a double-colon
+ *  malformed image reference).
+ *
+ *  Pin the full patch (not the floating `26.3`) so prod and local containers
+ *  always run the same digest. The floating tag bit us once when CH 26.3.10
+ *  tightened config.xml validation overnight while local Docker caches still
+ *  held the prior patch — keep this pin in lockstep with
+ *  `webapp/docker-compose.yaml`.
+ *
+ *  Default Ubuntu (glibc) variant chosen over `-alpine` (musl): musl's
+ *  threading/NPTL implementation is materially slower under CH's per-merge
+ *  / per-query-stage thread fan-out, and musl's 128 KB default thread stack
+ *  has a recurring history of stack-overflow incidents on deep query plans.
+ *  Image size is ~250 MB larger but irrelevant on a single-instance EC2 ASG
+ *  that pulls once per launch. Upstream CH CI runs its full perf + stress
+ *  matrix on the Ubuntu build; Alpine is community-tier coverage. */
+export declare const CLICKHOUSE_IMAGE = "docker.io/clickhouse/clickhouse-server:26.3.10.60";
+/** EBS volume configuration. */
+export declare const CLICKHOUSE_EBS_VOLUME_SIZE_GB = 80;
+export declare const CLICKHOUSE_EBS_IOPS = 3000;
+export declare const CLICKHOUSE_EBS_THROUGHPUT_MBPS = 125;
+/** ECS task resource allocation. m7g.medium ships with 4 GB; reserve 1 GB
+ *  for the host (kernel + ECS agent + cloudwatch agent + IMDS) and give
+ *  ClickHouse the remaining 3 GB. Stays right when bumping to m7g.large
+ *  (8 GB) — raise this value in lockstep, or fall back to deriving from
+ *  the instance type if we ever support multiple sizes. */
+export declare const CLICKHOUSE_TASK_MEMORY_MIB = 3072;
+/** ClickHouse ports. */
+export declare const CLICKHOUSE_HTTP_PORT = 8123;
+export declare const CLICKHOUSE_NATIVE_PORT = 9000;
+export declare const CLICKHOUSE_PROMETHEUS_PORT = 9363;
+/** EBS device name for the data volume (must match user data script). */
+export declare const CLICKHOUSE_EBS_DEVICE_NAME = "/dev/xvdf";
+/** EBS mount path on the EC2 host. */
+export declare const CLICKHOUSE_DATA_MOUNT_PATH = "/mnt/clickhouse-data";
+/** Secrets Manager path prefix. */
+export declare const CLICKHOUSE_SECRETS_PREFIX = "fjall/clickhouse";
+/** Canonical Secrets Manager secret name for a ClickHouse user.
+ *  Two sites compute this name and they MUST match:
+ *    (a) the secret mint inside `createClickHouseUserSecret(...)` in
+ *        `clickhouseDatabase.ts` — calls this helper directly;
+ *    (b) the SSM live-reload script that fetches the admin password via
+ *        `aws secretsmanager get-secret-value --secret-id` — also calls
+ *        this helper directly.
+ *  Drift between the two would silently break the live-reload path post-
+ *  deploy on a users.d S3 change (no compile or test signal). */
+export declare function clickHouseUserSecretName(userName: string): string;
+/** ECS-injected env var name carrying a user's plaintext password.
+ *  Canonical source is `@fjall/util/migration § userPasswordEnvName` — re-exported
+ *  here so the construct-side import chain stays unchanged while the runner
+ *  (`webapp/scripts/migration-runner.mjs`) and any future consumer share a single
+ *  declaration. Coupled values per `.claude/rules/code-quality.md § "Coupled values:
+ *  shared source at 2 occurrences"`. */
+export { userPasswordEnvName } from "@fjall/util/migration";
+/** Env var name carrying the SHA-256 of a user's plaintext password.
+ *  The container entrypoint wrapper derives this name from the
+ *  `USER_<NAME>_PASSWORD` env var injected by ECS `secretsImport`, then
+ *  resolves `<password_sha256_hex from_env="..."/>` directives in
+ *  `users.d/fjall.xml` against it at server start. */
+export declare function userSha256EnvName(userName: string): string;
+/** Canonical bash pipeline that hashes a ClickHouse user password.
+ *  Invoked from the container entrypoint wrapper
+ *  (`buildClickHouseEntrypointWrapper`) to derive `USER_<NAME>_SHA256` from
+ *  the ECS-injected plaintext at server start.
+ *  @param plaintextShellRef A quoted bash reference to the plaintext
+ *    password (e.g. `"\${!var}"` for the wrapper's indirect deref). */
+export declare function clickHousePasswordSha256Snippet(plaintextShellRef: string): string;
+/** Tag identifying ClickHouse server ASG instances.
+ *  Three sites carry this pair and they MUST match: (a) the `tags:` map on
+ *  the ClickHouse EC2 instance (threaded through to ASG instance tags),
+ *  (b) the SSM `Targets: [{ Key: "tag:<key>", Values: ["<value>"] }]` filter
+ *  on the live-reload `AwsCustomResource`, and (c) the synth snapshot tests
+ *  pinning the relationship. Drift between (a) and (b) silently routes the
+ *  reload command to zero instances — the `InvocationDoesNotExist` failure
+ *  is already suppressed by `ignoreErrorCodesMatching`, so the misroute
+ *  emits no signal. */
+export declare const CLICKHOUSE_SERVER_ROLE_TAG: {
+    readonly key: "ClickHouseRole";
+    readonly value: "server";
+};
+/** Shared secret generation options (all ClickHouse users share the same policy). */
+export declare const CLICKHOUSE_SECRET_OPTIONS: {
+    readonly excludePunctuation: true;
+    readonly passwordLength: 32;
+};
+/** Health check configuration. */
+export declare const CLICKHOUSE_HEALTH_CHECK: {
+    readonly INTERVAL_SECONDS: 30;
+    readonly TIMEOUT_SECONDS: 5;
+    readonly RETRIES: 3;
+    readonly START_PERIOD_SECONDS: 120;
+};
+/** Container stop timeout in seconds. ECS waits this long after SIGTERM
+ *  before sending SIGKILL. ClickHouse needs the longer-than-default window
+ *  (CDK default: 30s) to flush in-progress merges, finish writing parts,
+ *  and close the data directory cleanly — premature SIGKILL on a 1 vCPU
+ *  m7g.medium under merge load risks `max_suspicious_broken_parts` on the
+ *  next start. ECS upper bound is 120s. */
+export declare const CLICKHOUSE_STOP_TIMEOUT_SECONDS = 90;
+/** OPTIMIZE TABLE FINAL schedule.
+ *  RMT tables carry min_age_to_force_merge_seconds=600 so the engine already merges
+ *  old parts within 10 min; this task is a safety net for MVs (no engine-level setting)
+ *  and for ReplacingMergeTree dedup under skewed write patterns. 6 hours is sufficient. */
+export declare const OPTIMISE_FINAL_SCHEDULE = "rate(6 hours)";
+/** Tables requiring periodic OPTIMIZE FINAL (ReplacingMergeTree only).
+ *  Keep in sync with REPLACING_MERGE_TREE_TABLES in
+ *  webapp/app/.server/lib/clickhouse/tenantQuery/tableConstants.ts (auto-FINAL). */
+export declare const REPLACING_MERGE_TREE_TABLES: readonly ["application_metrics", "cost_records", "log_fingerprints", "insights", "asset_inventory"];
+/** Subdirectory on the EBS volume for server config files (must match CDK volume mount). */
+export declare const CLICKHOUSE_CONFIG_SUBDIR = "server-config.d";
+/** Subdirectory on the EBS volume for users config files (must match CDK volume mount). */
+export declare const CLICKHOUSE_USERS_SUBDIR = "server-users.d";
+/** Cloud Map service name (resolves to `clickhouse.<appName>.local` via the per-app namespace registered by `App.getInstance().registerService(...)`). */
+export declare const CLICKHOUSE_CLOUDMAP_SERVICE_NAME = "clickhouse";
+/** ECS container name for the ClickHouse server task. Threaded through both
+ *  the `addContainer` call site and the SSM reload script (which uses
+ *  `docker ps --filter "label=com.amazonaws.ecs.container-name=<name>"` to
+ *  locate the running container). Drift between the two sites turns the
+ *  live-reload path into a silent no-op without any compile/test signal,
+ *  so this lives as a single source of truth. */
+export declare const CLICKHOUSE_SERVER_CONTAINER_NAME = "clickhouse";
+/** Materialised views that benefit from periodic OPTIMIZE to reduce part count at read time.
+ *  These are not ReplacingMergeTree (no dedup needed) but un-merged parts force
+ *  read-time aggregation which degrades query performance. */
+export declare const OPTIMISE_MV_TABLES: readonly ["metrics_hourly_mv", "metrics_daily_mv", "response_time_quantiles_hourly_mv", "deployment_duration_quantiles_daily_mv", "log_severity_hourly_mv", "compliance_score_daily_mv", "ai_usage_daily_mv", "finding_daily_aggregate", "insight_pattern_dismissals"];
+/** Resource allocation for the lightweight optimise task. */
+export declare const OPTIMISE_TASK_MEMORY_MIB = 256;
+export declare const OPTIMISE_TASK_CPU_UNITS = 256;
+/** Automated backup schedule (daily 03:00 UTC — low-traffic window). */
+export declare const BACKUP_SCHEDULE = "cron(0 3 * * ? *)";
+/** Resource allocation for the backup task (lightweight — clickhouse-client only). */
+export declare const BACKUP_TASK_MEMORY_MIB = 256;
+export declare const BACKUP_TASK_CPU_UNITS = 256;
+/** Backup object expiration: 14 days (retains 14 daily snapshots). */
+export declare const BACKUP_RETENTION_DAYS = 14;