@fjall/components-infrastructure 0.95.0 → 0.99.1

package/dist/lib/utils/manifestWriter.d.ts

@@ -7,99 +7,16 @@
  *
  * The manifest is written to cdk.out/fjall-manifest.json after synthesis.
  *
- * NOTE: This file uses synchronous file operations (writeFileSync, readFileSync, etc.)
- * because CDK synthesis is inherently synchronous. The synth() method blocks until
- * complete, so async operations would provide no benefit and add complexity.
+ * Synchronous fs ops are intentional: CDK synth() is inherently synchronous.
  *
- * TYPE DUPLICATION NOTE: The interfaces below (ManifestService, ManifestPattern, etc.)
- * are mirrored by Zod schemas in cli/src/types/FjallManifest.ts. The CLI schemas are
- * the authoritative source for validation. If you modify these interfaces, update
- * the Zod schemas to match. Future work: extract to shared @fjall/types package.
+ * Manifest type shapes are re-exported from @fjall/util/manifest/schemas — the
+ * Zod-derived definitions there are the single source of truth for both runtime
+ * validation and TypeScript inference.
  */
 import type { CloudAssembly } from "aws-cdk-lib/cx-api";
-import { type ResourceMapEntry, MANIFEST_SCHEMA_VERSION } from "@fjall/util/constructMap";
 import { type ResourceCategory } from "@fjall/util/resourceCategorisation";
-/**
- * Service configuration extracted from ECS services.
- */
-export interface ManifestService {
-    /** Service name (must match ECS service name) */
-    name: string;
-    /** Cluster name this service belongs to */
-    clusterName?: string;
-    /** Path to Dockerfile relative to app root */
-    dockerfilePath?: string;
-    /** Docker build target for multi-stage builds */
-    dockerTarget?: string;
-    /** Container port */
-    containerPort?: number;
-    /** SSM secrets configured for this service (aggregated from all containers) */
-    secrets?: string[];
-    /** SSM secrets path (derived or explicit) */
-    ssmSecretsPath?: string;
-}
-/**
- * Pattern configuration extracted from PatternFactory.
- */
-export interface ManifestPattern {
-    /** Pattern type */
-    type: "payload";
-    /** Pattern name (CMS name) */
-    name: string;
-    /** Source directory containing build output */
-    source: string;
-}
-/**
- * ECR configuration.
- */
-export interface ManifestEcr {
-    /** ECR repository name */
-    repositoryName: string;
-}
-/**
- * Lambda function configuration extracted from Lambda compute.
- * Enables CLI discovery of Lambda functions for secrets management.
- */
-export interface ManifestLambda {
-    /** Lambda function name (construct ID) */
-    name: string;
-    /** SSM secrets configured for this Lambda */
-    secrets?: string[];
-    /** SSM secrets path (derived or explicit) */
-    ssmSecretsPath?: string;
-}
-/**
- * Stack hash entry computed from synthesised template.
- */
-export interface ManifestStackHash {
-    /** SHA-256 hash of the synthesised template */
-    templateHash: string;
-    /** ISO timestamp when synth completed */
-    synthTimestamp: string;
-}
-/**
- * Fjall manifest - generated during CDK synth.
- */
-export interface FjallManifest {
-    /** Schema version for future compatibility */
-    version: typeof MANIFEST_SCHEMA_VERSION;
-    /** ISO timestamp when manifest was generated */
-    generatedAt: string;
-    /** Application name */
-    appName: string;
-    /** Resolved service configurations */
-    services: ManifestService[];
-    /** Lambda function configurations */
-    lambdas: ManifestLambda[];
-    /** Pattern configuration (if using PatternFactory) */
-    pattern?: ManifestPattern;
-    /** ECR configuration */
-    ecr?: ManifestEcr;
-    /** Template hashes by stack name */
-    stacks: Record<string, ManifestStackHash>;
-    /** Resource map: logicalId → construct context for topology grouping */
-    resourceMap?: Record<string, ResourceMapEntry>;
-}
+import { type ManifestService, type ManifestPattern, type ManifestEcr, type ManifestLambda, type ManifestStackHash, type FjallManifest } from "@fjall/util/manifest/schemas";
+export type { ManifestService, ManifestPattern, ManifestEcr, ManifestLambda, ManifestStackHash, FjallManifest };
 /**
  * Collected manifest data during synthesis.
  * Stores all data that will be written to the manifest file.

package/dist/lib/utils/manifestWriter.js

@@ -7,19 +7,18 @@
  *
  * The manifest is written to cdk.out/fjall-manifest.json after synthesis.
  *
- * NOTE: This file uses synchronous file operations (writeFileSync, readFileSync, etc.)
- * because CDK synthesis is inherently synchronous. The synth() method blocks until
- * complete, so async operations would provide no benefit and add complexity.
+ * Synchronous fs ops are intentional: CDK synth() is inherently synchronous.
  *
- * TYPE DUPLICATION NOTE: The interfaces below (ManifestService, ManifestPattern, etc.)
- * are mirrored by Zod schemas in cli/src/types/FjallManifest.ts. The CLI schemas are
- * the authoritative source for validation. If you modify these interfaces, update
- * the Zod schemas to match. Future work: extract to shared @fjall/types package.
+ * Manifest type shapes are re-exported from @fjall/util/manifest/schemas — the
+ * Zod-derived definitions there are the single source of truth for both runtime
+ * validation and TypeScript inference.
  */
-import { writeFileSync, readFileSync, existsSync, readdirSync } from "fs";
+import { writeFileSync, readFileSync, existsSync, readdirSync, renameSync, unlinkSync } from "fs";
 import { join, basename } from "path";
 import { createHash } from "crypto";
-import { buildConstructMap, constructMapToRecord, ACCOUNT_CONSTRUCT_GROUPS, FJALL_MANIFEST_FILENAME, MANIFEST_SCHEMA_VERSION } from "@fjall/util/constructMap";
+import { buildConstructMap, constructMapToRecord, ACCOUNT_CONSTRUCT_GROUPS } from "@fjall/util/constructMap";
+import { maskSensitiveOutput } from "@fjall/util";
+import { FJALL_MANIFEST_FILENAME, MANIFEST_SCHEMA_VERSION, FjallManifestSchema } from "@fjall/util/manifest/schemas";
 import { FjallLogger } from "./validationLogger.js";
 /**
  * Collected manifest data during synthesis.
@@ -118,8 +117,8 @@ function computeTemplateHash(templatePath) {
         return createHash("sha256").update(normalised).digest("hex");
     }
     catch (error) {
-        const errorMessage = error instanceof Error ? error.message : String(error);
-        FjallLogger.warn(`Failed to compute hash for ${templatePath}: ${errorMessage}`);
+        const maskedMessage = maskSensitiveOutput(error instanceof Error ? error.message : String(error));
+        FjallLogger.warn(`Failed to compute hash for ${templatePath}: ${maskedMessage}`);
         return null;
     }
 }
@@ -145,8 +144,8 @@ function computeStackHashes(cdkOutPath) {
         }
     }
     catch (error) {
-        const errorMessage = error instanceof Error ? error.message : String(error);
-        FjallLogger.warn(`Failed to read cdk.out for hash computation: ${errorMessage}`);
+        const maskedMessage = maskSensitiveOutput(error instanceof Error ? error.message : String(error));
+        FjallLogger.warn(`Failed to read cdk.out for hash computation: ${maskedMessage}`);
     }
     return stacks;
 }
@@ -181,13 +180,30 @@ export function writeManifest(assembly, collector) {
     if (ecr) {
         manifest.ecr = ecr;
     }
+    // CLI deploy reads this manifest and silently degrades on malformed JSON,
+    // so a truncated write is worse than no write — atomic-rename via .tmp.
+    const tmpPath = `${manifestPath}.tmp`;
     try {
-        writeFileSync(manifestPath, JSON.stringify(manifest, null, 2), "utf-8");
+        writeFileSync(tmpPath, JSON.stringify(manifest, null, 2), "utf-8");
+        renameSync(tmpPath, manifestPath);
         FjallLogger.info(`Fjall manifest written to ${manifestPath}`);
     }
     catch (error) {
+        if (existsSync(tmpPath)) {
+            try {
+                unlinkSync(tmpPath);
+            }
+            catch (cleanupError) {
+                const cleanupMessage = cleanupError instanceof Error
+                    ? cleanupError.message
+                    : String(cleanupError);
+                FjallLogger.warn(`Failed to clean up tmp manifest at ${tmpPath}: ${maskSensitiveOutput(cleanupMessage)}`);
+            }
+        }
         const errorMessage = error instanceof Error ? error.message : String(error);
-        FjallLogger.warn(`Failed to write Fjall manifest: ${errorMessage}`);
+        throw new Error(`Failed to write Fjall manifest: ${errorMessage}`, {
+            cause: error
+        });
     }
 }
 /**
@@ -200,19 +216,16 @@ export function readExistingManifest(cdkOutPath) {
     }
     try {
         const content = readFileSync(manifestPath, "utf-8");
-        const parsed = JSON.parse(content);
-        if (typeof parsed !== "object" ||
-            parsed === null ||
-            !("version" in parsed) ||
-            !("appName" in parsed)) {
-            FjallLogger.warn("Existing manifest has unexpected shape");
+        const result = FjallManifestSchema.safeParse(JSON.parse(content));
+        if (!result.success) {
+            FjallLogger.warn(`Existing manifest has unexpected shape: ${maskSensitiveOutput(result.error.message)}`);
             return null;
         }
-        return parsed;
+        return result.data;
     }
     catch (error) {
         const message = error instanceof Error ? error.message : String(error);
-        FjallLogger.warn(`Failed to parse existing manifest: ${message}`);
+        FjallLogger.warn(`Failed to parse existing manifest: ${maskSensitiveOutput(message)}`);
         return null;
     }
 }

package/dist/lib/utils/migrationVersionResolvers.d.ts

@@ -0,0 +1,2 @@
+export { PRISMA_MIGRATION_DIR_RE } from "@fjall/util";
+export { pickLatestPrismaMigration } from "@fjall/util/migration";

package/dist/lib/utils/migrationVersionResolvers.js

@@ -0,0 +1,2 @@
+export { PRISMA_MIGRATION_DIR_RE } from "@fjall/util";
+export { pickLatestPrismaMigration } from "@fjall/util/migration";

package/dist/lib/utils/orgConfigParser.js

@@ -1,3 +1,4 @@
+import { maskSensitiveOutput } from "@fjall/util";
 import { FjallLogger } from "./validationLogger.js";
 /**
  * Parse orgConfig JSON from CDK context into a validated structure.
@@ -43,7 +44,7 @@ export function parseOrgConfig(raw) {
         };
     }
     catch (error) {
-        FjallLogger.warn(`[fjall] Failed to parse orgConfig from CDK context: ${error instanceof Error ? error.message : String(error)}`);
+        FjallLogger.warn(`[fjall] Failed to parse orgConfig from CDK context: ${maskSensitiveOutput(error instanceof Error ? error.message : String(error))}`);
         return empty;
     }
 }

package/dist/lib/utils/resolveAlertsTopic.d.ts

@@ -0,0 +1,14 @@
+import type { Construct } from "constructs";
+import type { ITopic } from "aws-cdk-lib/aws-sns";
+/**
+ * Resolve an `ITopic | string | undefined` alertsTopic to an `ITopic | undefined`.
+ *
+ * String values are accepted in two shapes:
+ * - `"import:<ExportName>"` — resolved via `Fn.importValue`.
+ * - `"arn:..."` — used as-is.
+ *
+ * Any other string shape throws — `Topic.fromTopicArn` accepts any string without
+ * validation, so a non-`import:` value MUST be ARN-shape-checked here or a malformed
+ * reference reaches synth.
+ */
+export declare function resolveAlertsTopic(scope: Construct, id: string, alertsTopic: ITopic | string | undefined): ITopic | undefined;

package/dist/lib/utils/resolveAlertsTopic.js

@@ -0,0 +1,30 @@
+import { Fn } from "aws-cdk-lib";
+import { Topic } from "aws-cdk-lib/aws-sns";
+/**
+ * Resolve an `ITopic | string | undefined` alertsTopic to an `ITopic | undefined`.
+ *
+ * String values are accepted in two shapes:
+ * - `"import:<ExportName>"` — resolved via `Fn.importValue`.
+ * - `"arn:..."` — used as-is.
+ *
+ * Any other string shape throws — `Topic.fromTopicArn` accepts any string without
+ * validation, so a non-`import:` value MUST be ARN-shape-checked here or a malformed
+ * reference reaches synth.
+ */
+export function resolveAlertsTopic(scope, id, alertsTopic) {
+    if (alertsTopic === undefined)
+        return undefined;
+    if (typeof alertsTopic !== "string")
+        return alertsTopic;
+    let arn;
+    if (alertsTopic.startsWith("import:")) {
+        arn = Fn.importValue(alertsTopic.slice("import:".length));
+    }
+    else {
+        if (!alertsTopic.startsWith("arn:")) {
+            throw new Error(`alertsTopic string must be an ARN (starts with "arn:") or use the "import:<ExportName>" form; got "${alertsTopic}"`);
+        }
+        arn = alertsTopic;
+    }
+    return Topic.fromTopicArn(scope, id, arn);
+}

package/dist/lib/utils/validationLogger.js

@@ -6,7 +6,10 @@
 import { appendFileSync, existsSync, mkdirSync } from "fs";
 import { homedir } from "os";
 import { join } from "path";
-const LOG_DIR = process.env.FJALL_LOG_DIR ?? join(homedir(), ".fjall", "logs");
+const ENV_LOG_DIR = process.env.FJALL_LOG_DIR;
+const LOG_DIR = ENV_LOG_DIR !== undefined && ENV_LOG_DIR !== ""
+    ? ENV_LOG_DIR
+    : join(homedir(), ".fjall", "logs");
 const LOG_FILE = join(LOG_DIR, "infrastructure.jsonl");
 /**
  * Write a log entry to the infrastructure JSONL file
@@ -25,8 +28,8 @@ function writeToLog(level, message) {
         });
         appendFileSync(LOG_FILE, entry + "\n");
     }
-    catch {
-        // Never crash CDK on logging failure
+    catch (err) {
+        console.debug("[Fjall] writeToLog failed:", err instanceof Error ? err.message : String(err));
     }
 }
 export const FjallLogger = {

package/dist/lib/utils/vpcPeerInterface.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Canonical home for the `IVpcPeer` interface — placed in `utils/` so both
+ * `resources/` (the synth-time `resolveRemoteConnections` helper) and
+ * `patterns/` (the consumer-facing `RemoteConnectionSpec`) can import it
+ * without crossing the resources -> patterns layer boundary.
+ *
+ * `peerAppName` is typed as `string | undefined` to match the underlying
+ * `VpcPeeringConnection` construct, which accepts the prop optionally. The
+ * `VpcPeerFactory` always populates it, but consumers must still guard
+ * against `undefined` and CFN-token contamination at synth time (see
+ * `resolveRemoteConnections()` for the canonical guard).
+ */
+export interface IVpcPeer {
+    /** Name of the remote Fjall app this peering targets. */
+    readonly peerAppName: string | undefined;
+    /**
+     * Organisation ID of the remote app, when known. Falls back to `"default"`
+     * during SSM path construction when undefined — mirroring the `VpcPeer`
+     * factory's existing behaviour.
+     */
+    readonly peerOrgId: string | undefined;
+}

package/dist/lib/utils/vpcPeerInterface.js

@@ -0,0 +1 @@
+export {};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@fjall/components-infrastructure",
-  "version": "0.95.0",
+  "version": "0.99.1",
   "license": "SEE LICENSE IN LICENSE",
   "type": "module",
   "bin": {
@@ -30,39 +30,42 @@
   "scripts": {
     "clean": "rm -rf ./dist",
     "clean:node": "rm -rf ./node_modules",
-    "build": "tsc && cp -r lib/layers dist/lib/layers",
+    "build": "tsc && cp -r lib/layers dist/lib/layers && cp lib/resources/aws/compute/lifecycleHookLambda.source.cjs dist/lib/resources/aws/compute/lifecycleHookLambda.source.cjs && cp lib/resources/aws/compute/ec2GracefulTerminationLambda.source.cjs dist/lib/resources/aws/compute/ec2GracefulTerminationLambda.source.cjs && cp lib/resources/aws/compute/persistentDataVolumeLambda.source.cjs dist/lib/resources/aws/compute/persistentDataVolumeLambda.source.cjs",
     "watch": "tsc -w",
     "watch:only": "tsc -w",
     "test": "vitest run",
     "test:watch": "vitest",
     "cdk": "cdk",
-    "typecheck": "tsc --noEmit",
+    "typecheck": "tsc --noEmit && tsc --noEmit -p tsconfig.test.json",
+    "typecheck:tests": "tsc --noEmit -p tsconfig.test.json",
     "check:scripts": "tsc --project tsconfig.scripts.json",
+    "lint": "eslint lib --no-warn-ignored",
+    "lint:fix": "eslint lib --fix --no-warn-ignored",
     "format": "prettier --write \"lib/**/*.{ts,tsx,js,jsx,json}\" \"scripts/**/*.mts\"",
     "format:check": "prettier --check \"lib/**/*.{ts,tsx,js,jsx,json}\" \"scripts/**/*.mts\""
   },
   "devDependencies": {
-    "@types/aws-lambda": "^8.10.109",
-    "@types/node": "^22.13.10",
-    "@types/uuid": "^10.0.0",
-    "@typescript-eslint/eslint-plugin": "^8.26.1",
-    "@typescript-eslint/parser": "^8.26.1",
-    "eslint": "^9.39.1",
-    "prettier": "^3.2.5",
-    "typescript": "^5.8.2",
-    "vitest": "^4.1.2"
+    "@aws-sdk/client-elastic-load-balancing-v2": "^3.1045.0",
+    "@types/aws-lambda": "^8.10.161",
+    "@types/node": "^25.6.0",
+    "@types/uuid": "^11.0.0",
+    "@typescript-eslint/eslint-plugin": "^8.59.1",
+    "@typescript-eslint/parser": "^8.59.1",
+    "eslint": "^10.2.1",
+    "prettier": "^3.8.3",
+    "typescript": "^6.0.3",
+    "vitest": "^4.1.5"
   },
   "dependencies": {
-    "@aws-sdk/client-organizations": "^3.997.0",
-    "@fjall/util": "^0.95.0",
-    "cdk-time-sleep": "^1.0.0",
+    "@aws-sdk/client-organizations": "^3.1038.0",
+    "@fjall/generator": "^0.99.1",
+    "@fjall/util": "^0.99.1",
     "constructs": "^10.0.0",
-    "uuid": "^10.0.0"
+    "uuid": "^14.0.0"
   },
   "overrides": {
     "@smithy/core": "2.5.5"
   },
-  "gitHead": "7fdbf0c5dd58088642c67d877e5e224831dfc149",
   "peerDependencies": {
     "aws-cdk": "^2.239.0",
     "aws-cdk-lib": "^2.239.0",
@@ -70,5 +73,6 @@
   },
   "engines": {
     "node": ">=18.0.0"
-  }
+  },
+  "gitHead": "0b8cc9b7c5017ca126c884da4cb29793dd26c96a"
 }