@fjall/components-infrastructure 0.96.0 → 0.99.1

package/dist/lib/resources/aws/networking/serviceDiscovery.js

@@ -0,0 +1,96 @@
+import { Construct } from "constructs";
+import { CfnOutput, Duration } from "aws-cdk-lib";
+import { PrivateDnsNamespace, DnsRecordType } from "aws-cdk-lib/aws-servicediscovery";
+import { env } from "../../../utils/env.js";
+import { toRemovalPolicy } from "../../../utils/removalPolicy.js";
+export class ServiceDiscoveryNamespace extends Construct {
+    id;
+    #namespace;
+    #services = new Map();
+    constructor(scope, id, props) {
+        super(scope, id);
+        this.id = id;
+        const description = props.description ??
+            `ServiceDiscovery ${props.name} — Fjall private DNS namespace`;
+        const removalPolicyValue = props.removalPolicy ?? env({ default: "DESTROY", production: "RETAIN" });
+        const namespace = new PrivateDnsNamespace(this, `${id}Namespace`, {
+            vpc: props.vpc,
+            name: props.name,
+            description
+        });
+        this.#namespace = namespace;
+        namespace.applyRemovalPolicy(toRemovalPolicy(removalPolicyValue));
+        new CfnOutput(this, `${id}NamespaceArn`, {
+            key: `${id}NamespaceArn`,
+            value: namespace.namespaceArn,
+            description: `Cloud Map private DNS namespace ARN for ${id}`
+        });
+        new CfnOutput(this, `${id}NamespaceName`, {
+            key: `${id}NamespaceName`,
+            value: namespace.namespaceName,
+            description: `Cloud Map private DNS namespace name for ${id}`
+        });
+    }
+    /**
+     * Get the underlying CDK private DNS namespace as the `IPrivateDnsNamespace`
+     * interface. Per D18(a), the public surface is the interface, never the
+     * concrete `PrivateDnsNamespace` class.
+     */
+    getNamespace() {
+        return this.#namespace;
+    }
+    getNamespaceArn() {
+        return this.#namespace.namespaceArn;
+    }
+    getNamespaceName() {
+        return this.#namespace.namespaceName;
+    }
+    /**
+     * Register a Cloud Map service inside this namespace. Creates an
+     * `AWS::ServiceDiscovery::Service` resource via the underlying CDK
+     * `PrivateDnsNamespace.createService(...)` with Fjall description discipline
+     * applied. Internal-only per D7(d) — Fjall resources call this from inside
+     * their construct bodies; user code never invokes it directly.
+     *
+     * Throws on duplicate registration: a single namespace cannot host two
+     * services with the same DNS name. Caught at synth time, not deploy time.
+     */
+    registerService(props) {
+        if (this.#services.has(props.name)) {
+            throw new Error(`ServiceDiscoveryNamespace '${this.#namespace.namespaceName}': ` +
+                `service '${props.name}' is already registered. Each service name ` +
+                `must be unique within a namespace.`);
+        }
+        const description = props.description ?? `Fjall internal service: ${props.name}`;
+        const service = this.#namespace.createService(`Service-${props.name}`, {
+            name: props.name,
+            description,
+            dnsTtl: props.dnsTtl ?? Duration.seconds(60),
+            dnsRecordType: props.dnsRecordType === "SRV" ? DnsRecordType.SRV : DnsRecordType.A
+        });
+        this.#services.set(props.name, service);
+        return service;
+    }
+    /**
+     * True if a service with this name has been registered in the namespace.
+     * Cheap registry lookup; does NOT consult AWS — only counts services
+     * registered via `registerService(...)` on this construct.
+     */
+    hasService(name) {
+        return this.#services.has(name);
+    }
+    /**
+     * Build the FQDN for a previously-registered service:
+     * `<serviceName>.<namespaceName>` (e.g. `clickhouse.acme.local`). Throws if
+     * the service has not been registered — prevents typos that would silently
+     * resolve to NXDOMAIN at runtime.
+     */
+    getEndpoint(serviceName) {
+        if (!this.#services.has(serviceName)) {
+            throw new Error(`ServiceDiscoveryNamespace '${this.#namespace.namespaceName}': ` +
+                `service '${serviceName}' has not been registered. Call ` +
+                `registerService({ name: '${serviceName}' }) before resolving its endpoint.`);
+        }
+        return `${serviceName}.${this.#namespace.namespaceName}`;
+    }
+}

package/dist/lib/resources/aws/networking/vpc.d.ts

@@ -1,10 +1,13 @@
 import { type Construct } from "constructs";
 import * as ec2 from "aws-cdk-lib/aws-ec2";
 import { type StackBuilder } from "../base/awsStack.js";
+export declare const FLOW_LOG_TRAFFIC_TYPES: readonly ["ALL", "ACCEPT", "REJECT"];
+export type FlowLogTrafficType = (typeof FLOW_LOG_TRAFFIC_TYPES)[number];
+export declare const DEFAULT_MAX_AZS = 3;
 export interface VpcFlowLogConfig {
     destination?: "cloudwatch" | "s3";
     retentionDays?: number;
-    trafficType?: "ALL" | "ACCEPT" | "REJECT";
+    trafficType?: FlowLogTrafficType;
 }
 export interface VpcNatConfig {
     count?: number;

package/dist/lib/resources/aws/networking/vpc.js

@@ -3,13 +3,16 @@ import * as ec2 from "aws-cdk-lib/aws-ec2";
 import * as s3 from "aws-cdk-lib/aws-s3";
 import { LogGroup } from "../logging/logGroup.js";
 import { S3Bucket } from "../storage/index.js";
+export const FLOW_LOG_TRAFFIC_TYPES = ["ALL", "ACCEPT", "REJECT"];
+// Read at two sites (resources-layer constructor default + patterns-layer natGateways guard) that must agree.
+export const DEFAULT_MAX_AZS = 3;
 export class Vpc extends ec2.Vpc {
     gatewayEndpoints = [];
     interfaceEndpoints = [];
     hasNatGateways;
     constructor(scope, id, props) {
         const { maxAzs: maxAzsFromProps, vpcName: explicitName, ...restProps } = props ?? {};
-        const maxAzs = maxAzsFromProps ?? 3;
+        const maxAzs = maxAzsFromProps ?? DEFAULT_MAX_AZS;
         const natGateways = Vpc.resolveNatGateways(props);
         const vpcName = explicitName ?? id;
         super(scope, `Vpc${id}`, {

package/dist/lib/resources/aws/networking/vpcPeeringConnection.js

@@ -60,9 +60,27 @@ export class VpcPeeringConnection extends Construct {
                 ])
             });
         }
-        if (props.peerRoleArn &&
-            props.peerRegion &&
-            props.peerRouteTableIds &&
+        const hasPeerRoleArn = props.peerRoleArn !== undefined;
+        const hasPeerRegion = props.peerRegion !== undefined;
+        const hasPeerRouteTableIds = props.peerRouteTableIds !== undefined &&
+            props.peerRouteTableIds.length > 0;
+        const presentCount = Number(hasPeerRoleArn) +
+            Number(hasPeerRegion) +
+            Number(hasPeerRouteTableIds);
+        if (presentCount > 0 && presentCount < 3) {
+            const missing = [];
+            if (!hasPeerRoleArn)
+                missing.push("peerRoleArn");
+            if (!hasPeerRegion)
+                missing.push("peerRegion");
+            if (!hasPeerRouteTableIds)
+                missing.push("peerRouteTableIds");
+            throw new Error(`VpcPeeringConnection: cross-account return routes require all of ` +
+                `peerRoleArn, peerRegion, and peerRouteTableIds (non-empty). Missing: ${missing.join(", ")}.`);
+        }
+        if (props.peerRoleArn !== undefined &&
+            props.peerRegion !== undefined &&
+            props.peerRouteTableIds !== undefined &&
             props.peerRouteTableIds.length > 0) {
             new CrossAccountReturnRoutes(this, "ReturnRoutes", {
                 peerRoleArn: props.peerRoleArn,

package/dist/lib/resources/aws/organisation/costAllocationTagActivator.d.ts

@@ -1,17 +1,28 @@
 import { Construct } from "constructs";
+import { type IFunction } from "aws-cdk-lib/aws-lambda";
 import { LambdaFunction } from "../compute/lambda.js";
-export interface CostAllocationTagActivatorProps {
-    /** EventBridge schedule expression. Default: "rate(24 hours)" */
-    scheduleExpression?: string;
-}
 /**
  * Deploys a Lambda that auto-discovers and activates cost allocation tags.
  *
  * Runs daily in the management account. Any non-AWS tag applied to resources
  * (via app.addTags() or CDK aspects) is automatically activated in Cost
  * Explorer within 24 hours — no manual intervention required.
+ *
+ * The schedule is NOT wired by this construct — callers wire the cadence via
+ * `app.addSchedule(...)` so the EventBridge rule lives in the App's messaging
+ * stack alongside every other Fjall schedule (D9). The activator implements
+ * the structural `LambdaComputeShape` (duck-typed by `eventTargets.ts`), so it
+ * can be passed directly as `target` to `app.addSchedule(...)` without a
+ * `LambdaCompute` wrapper.
  */
 export declare class CostAllocationTagActivator extends Construct {
+    /** Marks this construct as a structural Lambda target for `eventTargets.ts`. */
+    readonly computeType: "lambda";
     readonly lambda: LambdaFunction;
-    constructor(scope: Construct, id: string, props?: CostAllocationTagActivatorProps);
+    constructor(scope: Construct, id: string);
+    /**
+     * Structural `LambdaComputeShape` accessor — returns the activator's Lambda
+     * so `eventTargets.ts#resolveTarget` can wire it as an EventBridge target.
+     */
+    getFunction(): IFunction;
 }

package/dist/lib/resources/aws/organisation/costAllocationTagActivator.js

@@ -8,12 +8,20 @@ import { LambdaFunction } from "../compute/lambda.js";
  * Runs daily in the management account. Any non-AWS tag applied to resources
  * (via app.addTags() or CDK aspects) is automatically activated in Cost
  * Explorer within 24 hours — no manual intervention required.
+ *
+ * The schedule is NOT wired by this construct — callers wire the cadence via
+ * `app.addSchedule(...)` so the EventBridge rule lives in the App's messaging
+ * stack alongside every other Fjall schedule (D9). The activator implements
+ * the structural `LambdaComputeShape` (duck-typed by `eventTargets.ts`), so it
+ * can be passed directly as `target` to `app.addSchedule(...)` without a
+ * `LambdaCompute` wrapper.
  */
 export class CostAllocationTagActivator extends Construct {
+    /** Marks this construct as a structural Lambda target for `eventTargets.ts`. */
+    computeType = "lambda";
     lambda;
-    constructor(scope, id, props) {
+    constructor(scope, id) {
         super(scope, id);
-        const schedule = props?.scheduleExpression ?? "rate(24 hours)";
         this.lambda = new LambdaFunction(this, "TagActivatorFunction", {
             runtime: Runtime.NODEJS_22_X,
             handler: "index.handler",
@@ -21,7 +29,6 @@ export class CostAllocationTagActivator extends Construct {
             lambdaDescription: "Auto-discovers and activates cost allocation tags in Cost Explorer",
             memorySize: 128,
             timeout: 60,
-            scheduleExpression: schedule,
             inlinePolicy: [
                 new PolicyStatement({
                     effect: Effect.ALLOW,
@@ -34,6 +41,13 @@ export class CostAllocationTagActivator extends Construct {
             ]
         });
     }
+    /**
+     * Structural `LambdaComputeShape` accessor — returns the activator's Lambda
+     * so `eventTargets.ts#resolveTarget` can wire it as an EventBridge target.
+     */
+    getFunction() {
+        return this.lambda;
+    }
 }
 const HANDLER_CODE = `
 const { CostExplorerClient, ListCostAllocationTagsCommand, UpdateCostAllocationTagsStatusCommand } = require("@aws-sdk/client-cost-explorer");

package/dist/lib/resources/aws/organisation/index.d.ts

@@ -2,4 +2,4 @@ export { Organisation as OrganisationResource, type OrganisationProps as Organis
 export { type OrganisationalUnitProps } from "./organisationalUnit.js";
 export { OrganisationAccount, type OrganisationAccountProps } from "./organisationAccount.js";
 export { OrganisationPolicy, type OrganisationPolicyProps, type OrganisationPolicyType } from "./organisationPolicy.js";
-export { CostAllocationTagActivator, type CostAllocationTagActivatorProps } from "./costAllocationTagActivator.js";
+export { CostAllocationTagActivator } from "./costAllocationTagActivator.js";

package/dist/lib/resources/aws/organisation/organisationPolicy.d.ts

@@ -1,4 +1,5 @@
 import { Construct } from "constructs";
+import { type KeyValue } from "../../../types.js";
 export type OrganisationPolicyType = "SERVICE_CONTROL_POLICY" | "TAG_POLICY" | "BACKUP_POLICY" | "AISERVICES_OPT_OUT_POLICY";
 export interface OrganisationPolicyProps {
     name: string;
@@ -6,6 +7,7 @@ export interface OrganisationPolicyProps {
     content: string | Record<string, unknown>;
     description?: string;
     targetIds?: string[];
+    tags?: KeyValue[];
 }
 export declare class OrganisationPolicy extends Construct {
     readonly policyId: string;

package/dist/lib/resources/aws/organisation/organisationPolicy.js

@@ -10,7 +10,7 @@ export class OrganisationPolicy extends Construct {
                 content = JSON.parse(props.content);
             }
             catch {
-                throw new Error(`Invalid JSON in organisation policy "${props.name}": ${props.content.slice(0, 100)}`);
+                throw new Error(`Invalid JSON in organisation policy "${props.name}"`);
             }
         }
         else {
@@ -21,7 +21,8 @@ export class OrganisationPolicy extends Construct {
             type: props.policyType,
             content,
             description: props.description,
-            targetIds: props.targetIds
+            targetIds: props.targetIds,
+            tags: props.tags?.map((t) => ({ key: t.key, value: t.value }))
         });
         this.policyId = policy.attrId;
     }

package/dist/lib/resources/aws/secrets/secret.d.ts

@@ -8,6 +8,13 @@ interface SecretProps {
     secretObjectValue?: {
         [key: string]: SecretValue;
     };
+    /**
+     * Plain-text secret value. WARNING: embedded in the CloudFormation template
+     * via `SecretValue.unsafePlainText` — anyone with read access to the synth
+     * output, the deploy artefact, or the CFN stack template can recover it.
+     * Prefer `generateSecretString` (server-generated, never leaves AWS) or
+     * `secretObjectValue` with `SecretValue.ssmSecure(...)` for inputs.
+     */
     secretStringValue?: string;
     description?: string;
     aliasName?: string;

package/dist/lib/resources/aws/secrets/secret.js

@@ -17,15 +17,16 @@ export class Secret extends Construct {
             return;
         }
         // Create KMS key for new secrets only
-        this.secretsCustomerManagedKey = new CustomerManagedKey(this, `${id}CustomerManagedKey`, {
+        const customerManagedKey = new CustomerManagedKey(this, `${id}CustomerManagedKey`, {
             aliasName: `cmk/${id}`
         });
+        this.secretsCustomerManagedKey = customerManagedKey;
         /**
          * If a secretStringValue is provided, use it to create the secret.
          */
         const secretStringValue = props.secretStringValue
             ? {
-                secretStringValue: SecretValue.unsafePlainText(props.secretStringValue || "")
+                secretStringValue: SecretValue.unsafePlainText(props.secretStringValue)
             }
             : {};
         /**
@@ -47,7 +48,7 @@ export class Secret extends Construct {
         const secretOptions = {
             secretName: props.secretName,
             secretObjectValue: props.secretObjectValue,
-            encryptionKey: this.secretsCustomerManagedKey.key,
+            encryptionKey: customerManagedKey.key,
             description: props.description,
             ...secretStringValue,
             ...generateSecretString,

package/dist/lib/resources/aws/storage/bucketDeployment.d.ts

@@ -0,0 +1,16 @@
+import { BucketDeployment as CdkBucketDeployment, type BucketDeploymentProps } from "aws-cdk-lib/aws-s3-deployment";
+import { type Construct } from "constructs";
+/**
+ * Routing-point wrapper for `aws-cdk-lib/aws-s3-deployment.BucketDeployment`.
+ *
+ * Currently a thin pass-through — no defaults are applied today. The wrapper
+ * exists so that future SOC2 / compliance defaults (tags, retention, encryption
+ * on the underlying Lambda + Custom Resource) reach every consumer in one edit.
+ * Per `.claude/rules/generator-standards.md § Wrapper Routing Discipline` and
+ * `patterns/infrastructure-wrapper-routing-pattern.md § A3` ("a wrapper that
+ * is a thin pass-through today is still the routing point"), `lib/{config,
+ * patterns}/` MUST instantiate this class rather than the raw CDK construct.
+ */
+export declare class BucketDeployment extends CdkBucketDeployment {
+    constructor(scope: Construct, id: string, props: BucketDeploymentProps);
+}

package/dist/lib/resources/aws/storage/bucketDeployment.js

@@ -0,0 +1,17 @@
+import { BucketDeployment as CdkBucketDeployment } from "aws-cdk-lib/aws-s3-deployment";
+/**
+ * Routing-point wrapper for `aws-cdk-lib/aws-s3-deployment.BucketDeployment`.
+ *
+ * Currently a thin pass-through — no defaults are applied today. The wrapper
+ * exists so that future SOC2 / compliance defaults (tags, retention, encryption
+ * on the underlying Lambda + Custom Resource) reach every consumer in one edit.
+ * Per `.claude/rules/generator-standards.md § Wrapper Routing Discipline` and
+ * `patterns/infrastructure-wrapper-routing-pattern.md § A3` ("a wrapper that
+ * is a thin pass-through today is still the routing point"), `lib/{config,
+ * patterns}/` MUST instantiate this class rather than the raw CDK construct.
+ */
+export class BucketDeployment extends CdkBucketDeployment {
+    constructor(scope, id, props) {
+        super(scope, id, props);
+    }
+}

package/dist/lib/resources/aws/storage/ecr.js

@@ -24,14 +24,14 @@ export class Ecr extends Repository {
         });
     }
     static getRepositoryProps(props) {
-        // todo: lifeCycleRules
-        // todo: Encryption & EncryptionKey (default is AWS managed KMS key)
+        // Gotcha: DESTROY + emptyOnDelete:true silently wipes every pushed image
+        // on stack teardown — next deploy pulls "not found" for any referenced tag.
         return {
             ...(props?.repositoryName && { repositoryName: props.repositoryName }),
             imageScanOnPush: true,
-            imageTagMutability: TagMutability.MUTABLE,
-            emptyOnDelete: true,
-            removalPolicy: RemovalPolicy.DESTROY
+            imageTagMutability: TagMutability.IMMUTABLE,
+            emptyOnDelete: false,
+            removalPolicy: RemovalPolicy.RETAIN
         };
     }
     static build(id, props) {

package/dist/lib/resources/aws/storage/index.d.ts

@@ -1,2 +1,3 @@
 export * from "./s3.js";
 export * from "./ecr.js";
+export * from "./bucketDeployment.js";

package/dist/lib/resources/aws/storage/index.js

@@ -1,2 +1,3 @@
 export * from "./s3.js";
 export * from "./ecr.js";
+export * from "./bucketDeployment.js";

package/dist/lib/resources/aws/storage/s3.js

@@ -1,5 +1,6 @@
 import { CfnOutput, Duration, RemovalPolicy } from "aws-cdk-lib";
 import { BlockPublicAccess, Bucket } from "aws-cdk-lib/aws-s3";
+import { RegionInfo } from "aws-cdk-lib/region-info";
 import { toPascalCase } from "../../../utils/capitaliseString.js";
 function shouldAutoVersion(tier) {
     return tier === "resilient" || tier === "enterprise";
@@ -36,18 +37,24 @@ export class S3Bucket extends Bucket {
         });
         this.backupVaultTier = backupVaultTier;
         if (websiteHosting) {
-            const safeBucket = toPascalCase((props.bucketName ?? id).replace(/[^A-Za-z0-9]/g, ""));
+            const safeBucket = toPascalCase((props.bucketName ?? id).replace(/[^A-Za-z0-9-]/g, ""));
             new CfnOutput(this, `${safeBucket}WebsiteEndpoint`, {
                 key: `${safeBucket}WebsiteEndpoint`,
                 exportName: `${safeBucket}WebsiteEndpoint`,
                 value: this.bucketWebsiteDomainName,
                 description: `S3 website endpoint for ${id} (consumed by Domain alias targets)`
             });
+            const region = this.stack.region;
+            const websiteHostedZoneId = RegionInfo.get(region).s3StaticWebsiteHostedZoneId;
+            if (websiteHostedZoneId === undefined) {
+                throw new Error(`S3 website hosted zone id is not known for region "${region}". ` +
+                    `Update aws-cdk-lib/region-info or provide the bucket's hosted zone id explicitly.`);
+            }
             new CfnOutput(this, `${safeBucket}WebsiteHostedZoneId`, {
                 key: `${safeBucket}WebsiteHostedZoneId`,
                 exportName: `${safeBucket}WebsiteHostedZoneId`,
-                value: this.stack.region,
-                description: `AWS region for ${id}; consumer maps to S3 website Route53 zone ID`
+                value: websiteHostedZoneId,
+                description: `Route 53 hosted zone id for the S3 website endpoint of ${id}`
             });
         }
     }

package/dist/lib/resources/aws/utilities/customResource.js

@@ -3,6 +3,7 @@ import { Provider } from "aws-cdk-lib/custom-resources";
 import { Code } from "aws-cdk-lib/aws-lambda";
 import { Construct } from "constructs";
 import { SingletonFunction, LambdaFunction } from "../compute/lambda.js";
+import { DEFAULT_CUSTOM_RESOURCE_TIMEOUT_SECONDS } from "../compute/ecsConstants.js";
 export class CustomResource extends Construct {
     response;
     resource;
@@ -15,12 +16,20 @@ export class CustomResource extends Construct {
         if (props.codePath && props.inlineCode) {
             throw new Error("CustomResource requires exactly one of codePath or inlineCode, not both");
         }
-        const isInlineCode = !!props.inlineCode;
-        const code = isInlineCode
-            ? Code.fromInline(props.inlineCode)
-            : Code.fromAsset(props.codePath, props.assetOptions);
+        const isInlineCode = props.inlineCode !== undefined;
+        let code;
+        if (props.inlineCode !== undefined) {
+            code = Code.fromInline(props.inlineCode);
+        }
+        else if (props.codePath !== undefined) {
+            code = Code.fromAsset(props.codePath, props.assetOptions);
+        }
+        else {
+            // Unreachable — earlier validation rejects this case
+            throw new Error("CustomResource requires codePath or inlineCode");
+        }
         const handler = props.handler ?? (isInlineCode ? "index.handler" : `${id}.handler`);
-        const timeout = props.timeout?.toSeconds() ?? 300;
+        const timeout = props.timeout?.toSeconds() ?? DEFAULT_CUSTOM_RESOURCE_TIMEOUT_SECONDS;
         // Use LambdaFunction for inline code (unique per use), SingletonFunction for assets (shared)
         const lambdaFunction = isInlineCode
             ? new LambdaFunction(this, `${id}Lambda`, {
@@ -28,16 +37,16 @@ export class CustomResource extends Construct {
                 handler,
                 runtime: props.runtime,
                 timeout,
-                lambdaDescription: props.lambdaDescription || `${id} lambda`,
-                roleDescription: props.roleDescription || `${id} custom resource lambda`,
+                lambdaDescription: props.lambdaDescription ?? `${id} lambda`,
+                roleDescription: props.roleDescription ?? `${id} custom resource lambda`,
                 inlinePolicy: props.inlinePolicy
             })
             : new SingletonFunction(this, `${id}Lambda`, {
                 code,
                 handler,
                 runtime: props.runtime,
-                lambdaDescription: props.lambdaDescription || `${id} lambda`,
-                roleDescription: props.roleDescription || `${id} custom resource lambda`,
+                lambdaDescription: props.lambdaDescription ?? `${id} lambda`,
+                roleDescription: props.roleDescription ?? `${id} custom resource lambda`,
                 inlinePolicy: props.inlinePolicy
             });
         const provider = new Provider(this, `${id}Provider`, {

package/dist/lib/synth_dump.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/lib/synth_dump.js

@@ -0,0 +1,42 @@
+import { App, Stack } from "aws-cdk-lib";
+import { Template } from "aws-cdk-lib/assertions";
+import { Vpc } from "aws-cdk-lib/aws-ec2";
+import { Repository } from "aws-cdk-lib/aws-ecr";
+import { mkdtempSync, mkdirSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { EcsCompute } from "./patterns/aws/computeEcs.js";
+import { RelationalDatabase } from "./patterns/aws/database.js";
+const root = mkdtempSync(join(tmpdir(), "ds-"));
+mkdirSync(join(root, "20260512000000_init"));
+const app = new App();
+const stack = new Stack(app, "S", { env: { account: "123456789012", region: "us-east-1" } });
+const vpc = new Vpc(stack, "Vpc");
+const db = new RelationalDatabase(stack, "Db", {
+    type: "Instance", vpc, databaseName: "appdata",
+    migrations: { tool: "prisma", dir: root }
+});
+new EcsCompute(stack, "Cluster", {
+    type: "ecs",
+    ecrRepository: new Repository(stack, "Ecr"),
+    services: [{
+            name: "web", capacityProvider: "FARGATE",
+            containers: [{ name: "app", image: "nginx:latest", port: 3000 }],
+            connections: [db],
+            migrations: {
+                mode: "lifecycle-hook", command: ["node", "migrate.mjs"], entryPoint: ["/usr/bin/tini", "--"],
+                separateTaskDef: { cpu: 512, memoryLimitMiB: 1024 }
+            }
+        }]
+});
+const t = Template.fromStack(stack);
+const ing = t.findResources("AWS::EC2::SecurityGroupIngress");
+for (const [name, res] of Object.entries(ing)) {
+    console.log("INGRESS:", name);
+    console.log("  props:", JSON.stringify(res.Properties));
+}
+const eg = t.findResources("AWS::EC2::SecurityGroupEgress");
+for (const [name, res] of Object.entries(eg)) {
+    console.log("EGRESS:", name);
+    console.log("  props:", JSON.stringify(res.Properties));
+}

package/dist/lib/utils/cdkContext.d.ts

@@ -1,6 +1,8 @@
 import type { Node } from "constructs";
 export declare const CDK_CONTEXT_KEYS: {
     readonly ORG_ID: "orgId";
+    readonly ROOT_ID: "rootId";
+    readonly MANAGEMENT_ACCOUNT_ID: "managementAccountId";
 };
 export declare const DEFAULT_ORG_ID: "default";
 export declare function resolveOrgId(node: Node, fallback: string): string;

package/dist/lib/utils/cdkContext.js

@@ -1,10 +1,12 @@
 export const CDK_CONTEXT_KEYS = {
-    ORG_ID: "orgId"
+    ORG_ID: "orgId",
+    ROOT_ID: "rootId",
+    MANAGEMENT_ACCOUNT_ID: "managementAccountId"
 };
 export const DEFAULT_ORG_ID = "default";
 export function resolveOrgId(node, fallback) {
     const raw = node.tryGetContext(CDK_CONTEXT_KEYS.ORG_ID);
-    return typeof raw === "string" ? raw : fallback;
+    return typeof raw === "string" && raw !== "" ? raw : fallback;
 }
 export function buildSsmPrefix(orgId, appName) {
     return `/fjall/${orgId}/${appName}`;

package/dist/lib/utils/connections.js

@@ -21,6 +21,7 @@
  *   this.lambdaFunction   // IConnectable (security group)
  * );
  */
+import { Port } from "aws-cdk-lib/aws-ec2";
 import { CONNECTION_TYPE, isConnectionConfig, isConnector, isConnectable, isConnectionAccess, isMessagingAccess } from "./connector.js";
 /** Default access levels for each connector type. */
 const DEFAULT_ACCESS = {
@@ -140,6 +141,11 @@ export function processConnections(connections, grantee, connectable) {
                 case "relational": {
                     requireConnectable(connectable, `${resource.connectorType} connector`);
                     connectable.connections.allowToDefaultPort(resource);
+                    if (resource.additionalTcpPorts !== undefined) {
+                        for (const port of resource.additionalTcpPorts) {
+                            connectable.connections.allowTo(resource, Port.tcp(port));
+                        }
+                    }
                     return buildSecurityGroupResult(resource);
                 }
                 case "remote": {

package/dist/lib/utils/connector.d.ts

@@ -115,6 +115,18 @@ export interface ISecurityGroupConnector extends IConnector {
     readonly connectorType: "securityGroup" | "relational";
     /** The security group connections for this resource. */
     readonly connections: IConnectable["connections"];
+    /**
+     * Additional TCP ports to open beyond the default port carried by
+     * `connections`. Used by dual-port resources such as ClickHouse, where the
+     * primary port (HTTP, 8123) flows through `connections.allowDefaultPortFrom`
+     * and the native protocol port (9000) is appended here. Optional; existing
+     * single-port consumers (Aurora, Instance, GlobalAurora) leave this
+     * undefined and behave unchanged.
+     *
+     * Surfaced as `number[]` (not `aws-cdk-lib/aws-ec2.Port[]`) per the
+     * 2026-05-05 ClickHouse design D18(k); `Port.tcp(n)` is plumbing.
+     */
+    readonly additionalTcpPorts?: number[];
 }
 /**
  * Remote connector interface.

package/dist/lib/utils/costAllocationTags.d.ts

@@ -1,6 +1,15 @@
+import type { IConstruct } from "constructs";
 export declare const COST_ALLOCATION_TAGS: {
     readonly ENVIRONMENT: "fjall:costAllocation:environment";
     readonly SERVICE: "fjall:costAllocation:service";
     readonly DOMAIN: "fjall:costAllocation:domain";
+    readonly OWNER: "fjall:costAllocation:owner";
 };
 export declare const DEFAULT_COST_ALLOCATION_ENVIRONMENT: "management";
+export interface CostAllocationTagsArgs {
+    readonly service: string;
+    readonly domain: string;
+    readonly environment?: string;
+    readonly owner?: string;
+}
+export declare function applyCostAllocationTags(scope: IConstruct, args: CostAllocationTagsArgs): void;

package/dist/lib/utils/costAllocationTags.js

@@ -1,6 +1,16 @@
+import { Tags } from "aws-cdk-lib";
 export const COST_ALLOCATION_TAGS = {
     ENVIRONMENT: "fjall:costAllocation:environment",
     SERVICE: "fjall:costAllocation:service",
-    DOMAIN: "fjall:costAllocation:domain"
+    DOMAIN: "fjall:costAllocation:domain",
+    OWNER: "fjall:costAllocation:owner"
 };
 export const DEFAULT_COST_ALLOCATION_ENVIRONMENT = "management";
+export function applyCostAllocationTags(scope, args) {
+    Tags.of(scope).add(COST_ALLOCATION_TAGS.ENVIRONMENT, args.environment ?? DEFAULT_COST_ALLOCATION_ENVIRONMENT);
+    Tags.of(scope).add(COST_ALLOCATION_TAGS.SERVICE, args.service);
+    Tags.of(scope).add(COST_ALLOCATION_TAGS.DOMAIN, args.domain);
+    if (args.owner !== undefined) {
+        Tags.of(scope).add(COST_ALLOCATION_TAGS.OWNER, args.owner);
+    }
+}