@fjall/deploy-core 0.89.2

package/dist/src/orchestration/detectionPipeline.js

@@ -0,0 +1,65 @@
+import { join } from "path";
+import { success, failure } from "@fjall/generator";
+import { logger } from "@fjall/util";
+import { detectPattern, deriveResourcesFromManifestStacks } from "../types/patternDetection.js";
+import { emitProgress, PROGRESS_MESSAGES } from "../services/supporting/helpers.js";
+/**
+ * Pre-deployment analysis pipeline.
+ *
+ * Detects the application pattern, synthesises infrastructure, computes
+ * template hashes, and determines which stacks have changed.
+ */
+export async function runDetectionPipeline(operation, services, context, callbacks) {
+    // 1. Detect application pattern
+    const { pattern, hasDatabase } = detectPattern(operation.path);
+    callbacks.onLog?.(`Pattern detected: ${pattern ?? "standard"}`, "info");
+    // 2. Synthesise infrastructure
+    emitProgress(callbacks, PROGRESS_MESSAGES.SYNTH);
+    const synthResult = await services.cdkService.runCdkSynth(context, (chunk) => callbacks.onCdkOutput?.(chunk, "synth"));
+    if (!synthResult.success) {
+        return failure(new Error(`CDK synthesis failed: ${synthResult.error}`));
+    }
+    // 3. Compute template hashes
+    emitProgress(callbacks, PROGRESS_MESSAGES.HASH);
+    const cdkOutPath = join(operation.path, "cdk.out");
+    const hashResult = await services.hashService.getTemplateHashes(cdkOutPath);
+    if (!hashResult.success) {
+        return failure(new Error(`Template hash computation failed: ${hashResult.error.message}`));
+    }
+    const currentHashes = hashResult.data;
+    // 4. Compare with stored state
+    const comparisonResult = await services.hashService.compareWithState(currentHashes, operation.path);
+    if (!comparisonResult.success) {
+        return failure(new Error(`Hash comparison failed: ${comparisonResult.error.message}`));
+    }
+    const comparison = comparisonResult.data;
+    // 5. Stale hash detection: unchanged templates whose stacks don't exist in CFN
+    const stackChanges = new Map(comparison.stackChanges);
+    for (const [stackName, hasChanged] of comparison.stackChanges) {
+        if (!hasChanged) {
+            const exists = await services.cfnService.stackExists(stackName);
+            if (!exists) {
+                logger.debug("detectionPipeline", "Stale hash detected — stack missing in CFN", {
+                    stackName
+                });
+                stackChanges.set(stackName, true);
+            }
+        }
+    }
+    // 6. Derive resource flags from manifest stacks
+    const stackNames = Array.from(currentHashes.keys());
+    const resources = deriveResourcesFromManifestStacks(stackNames);
+    // 7. Detect Dockerfile (Compute stack presence implies Docker)
+    const hasDockerfile = resources.hasCompute;
+    const hasDifferences = Array.from(stackChanges.values()).some(Boolean);
+    callbacks.onLog?.(`Detection complete: ${comparison.changedCount} changed, ${comparison.unchangedCount} unchanged`, "info");
+    return success({
+        pattern,
+        hasDatabase,
+        hasDifferences,
+        stackChanges,
+        currentHashes,
+        resources,
+        hasDockerfile
+    });
+}

package/dist/src/orchestration/dockerInterface.d.ts

@@ -0,0 +1,56 @@
+import type { Result } from "@fjall/generator";
+export interface DockerServiceConfig {
+    name: string;
+    dockerfilePath: string;
+    dockerTarget?: string;
+}
+export interface DockerBuildParams {
+    appName: string;
+    appPath: string;
+    region: string;
+    accountId: string;
+    imageTag?: string;
+    services?: DockerServiceConfig[];
+    platform?: string;
+}
+export interface DockerBuildResult {
+    imageUri: string;
+    imageTag: string;
+    services?: Array<{
+        name: string;
+        imageUri: string;
+    }>;
+}
+export interface ECRInitParams {
+    appName: string;
+    region: string;
+    accountId: string;
+}
+export interface ECRInitResult {
+    repositoryUri: string;
+}
+/**
+ * Parameters for tagging existing ECR images for ECS services.
+ * Used for non-Dockerfile apps where CodeBuild pushes :latest but
+ * ECS expects :<serviceName>-latest tags.
+ */
+export interface TagImagesParams {
+    appName: string;
+    appPath: string;
+    region: string;
+    accountId: string;
+}
+export interface TagImagesResult {
+    taggedServices: string[];
+}
+/**
+ * Interface for Docker operations (build, push, ECR initialisation).
+ * CLI provides CliDockerProvider (wraps dockerode-based services).
+ * Worker passes undefined (Docker ops skipped until container deployments enabled).
+ */
+export interface DockerProvider {
+    buildAndPush(params: DockerBuildParams): Promise<Result<DockerBuildResult>>;
+    initialiseECR(params: ECRInitParams): Promise<Result<ECRInitResult>>;
+    /** Tag existing ECR images for ECS services (non-Dockerfile apps). Optional. */
+    tagImages?(params: TagImagesParams): Promise<Result<TagImagesResult>>;
+}

package/dist/src/orchestration/dockerInterface.js

@@ -0,0 +1 @@
+export {};

package/dist/src/orchestration/domainInterface.d.ts

@@ -0,0 +1,37 @@
+import type { Result } from "@fjall/generator";
+import type { DeployCallbacks } from "../types/callbacks.js";
+/**
+ * Configuration for a single domain to deploy.
+ */
+export interface DomainConfig {
+    name: string;
+    type: "apex" | "delegated";
+}
+/**
+ * Result of a domain deployment phase.
+ */
+export interface DomainDeployResult {
+    domainsDeployed: number;
+    errors: string[];
+}
+/**
+ * Provider interface for domain deployment operations.
+ *
+ * Domain deployment requires CLI-specific services (zone file parsing, CDK
+ * synthesis in domain component directories). deploy-core defines the cascade
+ * structure; the caller provides the implementation.
+ *
+ * If no provider is given, the domains phase is skipped.
+ */
+export interface DomainDeployProvider {
+    /**
+     * Get the list of configured domains for this organisation.
+     * Returns an empty array if no domains are configured.
+     */
+    getDomains(): DomainConfig[];
+    /**
+     * Deploy a single domain. Apex domains create hosted zones and delegation
+     * roles; delegated domains create NS records in the parent zone.
+     */
+    deployDomain(domainName: string, callbacks: DeployCallbacks): Promise<Result<void>>;
+}

package/dist/src/orchestration/domainInterface.js

@@ -0,0 +1 @@
+export {};

package/dist/src/orchestration/index.d.ts

@@ -0,0 +1,8 @@
+export { deploy } from "./deploy.js";
+export { deployOrganisation } from "./organisationDeploy.js";
+export type { DockerProvider, DockerServiceConfig, DockerBuildParams, DockerBuildResult, ECRInitParams, ECRInitResult, TagImagesParams, TagImagesResult } from "./dockerInterface.js";
+export type { DomainDeployProvider, DomainConfig, DomainDeployResult } from "./domainInterface.js";
+export type { DeployServices } from "./serviceFactory.js";
+export type { DetectionResult } from "./detectionPipeline.js";
+export { runOrganisationSetup } from "./organisationSetup.js";
+export type { OrgSetupPhase, OrgSetupCallbacks, OrgSetupConfig, OrgSetupResult } from "./organisationSetup.js";

package/dist/src/orchestration/index.js

@@ -0,0 +1,3 @@
+export { deploy } from "./deploy.js";
+export { deployOrganisation } from "./organisationDeploy.js";
+export { runOrganisationSetup } from "./organisationSetup.js";

package/dist/src/orchestration/organisationDeploy.d.ts

@@ -0,0 +1,16 @@
+import { type Result } from "@fjall/generator";
+import type { DeployParams, DeployResult } from "../types/params.js";
+import type { OrganisationOperation } from "../types/operations.js";
+import type { DeployServices } from "./serviceFactory.js";
+/**
+ * Organisation deployment orchestration.
+ *
+ * Handles three target types:
+ * - organisation: deploy org infra + cascade to platform + all accounts
+ * - platform: deploy platform stack only
+ * - account: deploy single account stack
+ *
+ * Auth and org setup (creating AWS accounts/OUs) are the caller's
+ * responsibility. deploy-core receives credentials and deploys.
+ */
+export declare function deployOrganisation(params: DeployParams, services: DeployServices, operation: OrganisationOperation): Promise<Result<DeployResult>>;

package/dist/src/orchestration/organisationDeploy.js

@@ -0,0 +1,382 @@
+import { success, failure } from "@fjall/generator";
+import { logger } from "@fjall/util";
+import { ORGANISATION_TYPES, getOrganisationStackName } from "../types/operations.js";
+import { CdkContextBuilder } from "../services/supporting/CdkContextBuilder.js";
+import { CloudFormationService } from "../services/infrastructure/CloudFormationService.js";
+import { SimpleAwsProvider } from "../aws/SimpleAwsProvider.js";
+import { buildParamsContext } from "./contextHelpers.js";
+/**
+ * Organisation deployment orchestration.
+ *
+ * Handles three target types:
+ * - organisation: deploy org infra + cascade to platform + all accounts
+ * - platform: deploy platform stack only
+ * - account: deploy single account stack
+ *
+ * Auth and org setup (creating AWS accounts/OUs) are the caller's
+ * responsibility. deploy-core receives credentials and deploys.
+ */
+export async function deployOrganisation(params, services, operation) {
+    const startTime = Date.now();
+    switch (operation.type) {
+        case ORGANISATION_TYPES.ORGANISATION:
+            return deployOrgWithCascade(params, services, operation, startTime);
+        case ORGANISATION_TYPES.PLATFORM:
+            return deploySingleComponent(params, services, operation, "platform", startTime);
+        case ORGANISATION_TYPES.ACCOUNT:
+            return deploySingleComponent(params, services, operation, "account", startTime);
+        default: {
+            const _exhaustive = operation.type;
+            return failure(new Error(`Unsupported organisation type: ${String(_exhaustive)}`));
+        }
+    }
+}
+/**
+ * Build a deployment context for an organisation component.
+ */
+function buildOrgContext(params, services, operation, deployType, accountName) {
+    return CdkContextBuilder.buildDeploymentContext({
+        deployType,
+        target: operation.target,
+        path: operation.path,
+        region: services.awsProvider.getRegion(),
+        accountName,
+        callerIdentity: {
+            Account: services.awsProvider.getAccountId() ?? "",
+            Arn: "",
+            UserId: ""
+        },
+        ...buildParamsContext(params)
+    }, {
+        verbose: params.options?.verbose,
+        infraOnly: params.options?.infraOnly
+    }, params.orgConfig);
+}
+/**
+ * Deploy a single organisation component (platform or account).
+ */
+async function deploySingleComponent(params, services, operation, deployType, startTime) {
+    const { callbacks } = params;
+    const context = buildOrgContext(params, services, operation, deployType, deployType === "account" ? operation.target : undefined);
+    // Synth
+    callbacks.onLog?.(`Synthesising ${deployType} infrastructure…`, "info");
+    const synthResult = await services.cdkService.runCdkSynth(context, (chunk) => callbacks.onCdkOutput?.(chunk, "synth"));
+    if (!synthResult.success) {
+        const error = new Error(`CDK synthesis failed: ${synthResult.error}`);
+        callbacks.onError?.(error);
+        return failure(error);
+    }
+    // Bootstrap
+    callbacks.onCDKBootstrap?.("bootstrapping");
+    const bootstrapResult = await services.cdkService.runCdkBootstrap(context, (chunk) => callbacks.onOutput?.(chunk));
+    if (!bootstrapResult.success) {
+        callbacks.onCDKBootstrap?.("failed");
+        const error = new Error(`Bootstrap failed: ${bootstrapResult.error}`);
+        callbacks.onError?.(error);
+        return failure(error);
+    }
+    callbacks.onCDKBootstrap?.("complete");
+    // Deploy
+    const stackName = getOrganisationStackName(operation.type);
+    const stepId = `${deployType}-deploy`;
+    const stepName = `Deploying ${deployType} infrastructure`;
+    callbacks.onStepStart?.(stepId, stepName, 0, 1);
+    const deployResult = await services.cdkService.runCdkDeploy(context, stackName, (chunk) => callbacks.onOutput?.(chunk), (event) => callbacks.onResourceProgress?.(event), services.awsProvider);
+    if (!deployResult.success) {
+        callbacks.onStepComplete?.(stepId, stepName, "error", 0, 1);
+        const error = new Error(deployResult.error);
+        callbacks.onError?.(error);
+        return failure(error);
+    }
+    callbacks.onStepComplete?.(stepId, stepName, "completed", 0, 1);
+    return success({
+        target: operation.target,
+        deploymentType: "organisation",
+        durationMs: Date.now() - startTime
+    });
+}
+/**
+ * Full organisation deployment with cascade to platform + member accounts.
+ */
+async function deployOrgWithCascade(params, services, operation, startTime) {
+    const { callbacks, options } = params;
+    const providerAccounts = params.orgConfig?.providerAccounts ?? [];
+    const context = buildOrgContext(params, services, operation, "organisation");
+    // Synth
+    callbacks.onLog?.("Synthesising organisation infrastructure…", "info");
+    const synthResult = await services.cdkService.runCdkSynth(context, (chunk) => callbacks.onCdkOutput?.(chunk, "synth"));
+    if (!synthResult.success) {
+        const error = new Error(`CDK synthesis failed: ${synthResult.error}`);
+        callbacks.onError?.(error);
+        return failure(error);
+    }
+    // Bootstrap org account
+    callbacks.onCDKBootstrap?.("bootstrapping");
+    const bootstrapResult = await services.cdkService.runCdkBootstrap(context, (chunk) => callbacks.onOutput?.(chunk));
+    if (!bootstrapResult.success) {
+        callbacks.onCDKBootstrap?.("failed");
+        const error = new Error(`Bootstrap failed: ${bootstrapResult.error}`);
+        callbacks.onError?.(error);
+        return failure(error);
+    }
+    callbacks.onCDKBootstrap?.("complete");
+    // Deploy org infrastructure
+    const orgStepId = "organisation-deploy";
+    const orgStepName = "Deploying organisation infrastructure";
+    const cascadeEnabled = options?.cascade !== false;
+    const cascadeAccountCount = cascadeEnabled ? providerAccounts.length : 0;
+    const totalSteps = 1 + cascadeAccountCount;
+    callbacks.onStepStart?.(orgStepId, orgStepName, 0, totalSteps);
+    const orgStackName = getOrganisationStackName(ORGANISATION_TYPES.ORGANISATION);
+    const orgResult = await services.cdkService.runCdkDeploy(context, orgStackName, (chunk) => callbacks.onOutput?.(chunk), (event) => callbacks.onResourceProgress?.(event), services.awsProvider);
+    if (!orgResult.success) {
+        callbacks.onStepComplete?.(orgStepId, orgStepName, "error", 0, totalSteps);
+        const error = new Error(orgResult.error);
+        callbacks.onError?.(error);
+        return failure(error);
+    }
+    callbacks.onStepComplete?.(orgStepId, orgStepName, "completed", 0, totalSteps);
+    // Cascade to platform + domains + member accounts
+    if (cascadeEnabled && providerAccounts.length > 0) {
+        callbacks.onCascadeStart?.();
+        const cascadeErrors = [];
+        let accountsDeployed = 0;
+        let platformDeployed = false;
+        let domainsDeployed = false;
+        // Phase 1: Deploy platform account
+        const platformAccount = providerAccounts.find((acc) => acc.environment === "platform");
+        if (platformAccount) {
+            callbacks.onCascadePhaseStart?.("platform");
+            const platformResult = await deployCascadeAccount(params, services, operation, platformAccount, "platform", callbacks);
+            if (platformResult.success) {
+                platformDeployed = true;
+            }
+            else {
+                cascadeErrors.push({
+                    accountId: platformAccount.id,
+                    error: platformResult.error.message
+                });
+            }
+        }
+        // Phase 1.5: Read Platform stack outputs for IPAM pool IDs
+        let ipamPoolIds = new Map();
+        if (platformDeployed && platformAccount) {
+            ipamPoolIds = await readPlatformIpamPoolIds(services, platformAccount, callbacks);
+        }
+        // Phase 2: Deploy domains (apex sequential, delegated parallel)
+        if (params.domainProvider) {
+            const domainResult = await deployDomains(params.domainProvider, callbacks);
+            domainsDeployed = domainResult.domainsDeployed > 0;
+            for (const err of domainResult.errors) {
+                cascadeErrors.push({ accountId: "domains", error: err });
+            }
+        }
+        // Phase 3: Deploy member accounts in parallel
+        const memberAccounts = providerAccounts.filter((acc) => acc.environment !== "root" && acc.environment !== "platform");
+        if (memberAccounts.length > 0) {
+            callbacks.onCascadePhaseStart?.("accounts");
+            const region = services.awsProvider.getRegion();
+            const memberResults = await Promise.all(memberAccounts.map((account) => {
+                const regionSuffix = region.replace(/-/g, "");
+                const ipamPoolId = ipamPoolIds.get(`${account.id}-${regionSuffix}`);
+                return deployCascadeAccount(params, services, operation, account, "account", callbacks, ipamPoolId);
+            }));
+            for (let j = 0; j < memberResults.length; j++) {
+                const result = memberResults[j];
+                const account = memberAccounts[j];
+                if (result.success) {
+                    accountsDeployed++;
+                }
+                else {
+                    cascadeErrors.push({
+                        accountId: account.id,
+                        error: result.error.message
+                    });
+                }
+            }
+        }
+        callbacks.onCascadeComplete?.({
+            platformDeployed,
+            domainsDeployed,
+            accountsDeployed,
+            accountsFailed: cascadeErrors.length,
+            errors: cascadeErrors
+        });
+        if (cascadeErrors.length > 0) {
+            const errorSummary = cascadeErrors
+                .map((e) => `  ${e.accountId}: ${e.error}`)
+                .join("\n");
+            callbacks.onLog?.(`Cascade completed with ${cascadeErrors.length} failure(s):\n${errorSummary}`, "warn");
+        }
+    }
+    return success({
+        target: operation.target,
+        deploymentType: "organisation",
+        durationMs: Date.now() - startTime
+    });
+}
+/**
+ * Deploy a single cascade account (platform or member).
+ * Assumes the target account's role, sets env credentials, and deploys.
+ */
+async function deployCascadeAccount(params, services, operation, account, deployType, callbacks, ipamPoolId) {
+    const operationKey = `${account.name}-${account.id}`;
+    const region = services.awsProvider.getRegion();
+    callbacks.onCascadeAccountStart?.(operationKey, account.id, region);
+    // Assume role in target account
+    if (!services.awsProvider.assumeRole) {
+        const error = new Error(`Cannot cascade to account ${account.name}: AwsProvider does not support assumeRole`);
+        callbacks.onCascadeAccountComplete?.(operationKey, false, error.message, region);
+        return failure(error);
+    }
+    const roleArn = `arn:aws:iam::${account.id}:role/fjall-deployment-role`;
+    let assumedCredentials;
+    try {
+        assumedCredentials = await services.awsProvider.assumeRole(roleArn, `fjall-cascade-${account.name}`);
+    }
+    catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        callbacks.onCascadeAccountComplete?.(operationKey, false, message, region);
+        return failure(new Error(`Failed to assume role for ${account.name}: ${message}`));
+    }
+    // Build context for this account (includes IPAM pool ID if available)
+    const accountContext = CdkContextBuilder.buildDeploymentContext({
+        deployType,
+        target: operation.target,
+        path: operation.path,
+        region,
+        accountName: account.name,
+        callerIdentity: { Account: account.id, Arn: "", UserId: "" },
+        ipamPoolId,
+        ...buildParamsContext(params)
+    }, { verbose: params.options?.verbose }, params.orgConfig);
+    // Create account-scoped provider for CDK monitoring
+    const accountProvider = new SimpleAwsProvider({
+        accessKeyId: assumedCredentials.accessKeyId,
+        secretAccessKey: assumedCredentials.secretAccessKey,
+        sessionToken: assumedCredentials.sessionToken,
+        region,
+        accountId: account.id
+    });
+    // Export account credentials for CDK subprocess
+    accountProvider.exportToEnv();
+    // Bootstrap the target account
+    callbacks.onCascadeAccountPhaseChange?.(operationKey, "synth", region);
+    const bootstrapResult = await services.cdkService.runCdkBootstrap(accountContext, (chunk) => callbacks.onOutput?.(chunk));
+    if (!bootstrapResult.success) {
+        services.awsProvider.exportToEnv();
+        callbacks.onCascadeAccountComplete?.(operationKey, false, `Bootstrap failed: ${bootstrapResult.error}`, region);
+        return failure(new Error(`Bootstrap failed for ${account.name}: ${bootstrapResult.error}`));
+    }
+    // Deploy the account stack
+    callbacks.onCascadeAccountPhaseChange?.(operationKey, "deploy", region);
+    const stackName = getOrganisationStackName(deployType === "platform"
+        ? ORGANISATION_TYPES.PLATFORM
+        : ORGANISATION_TYPES.ACCOUNT);
+    const deployResult = await services.cdkService.runCdkDeploy(accountContext, stackName, (chunk) => callbacks.onOutput?.(chunk), (event) => callbacks.onCascadeAccountResourceProgress?.(operationKey, event, region), accountProvider);
+    // Restore parent credentials
+    services.awsProvider.exportToEnv();
+    if (!deployResult.success) {
+        callbacks.onCascadeAccountComplete?.(operationKey, false, deployResult.error, region);
+        return failure(new Error(deployResult.error));
+    }
+    callbacks.onCascadeAccountComplete?.(operationKey, true, undefined, region);
+    return success(undefined);
+}
+/**
+ * Read Platform stack outputs to extract IPAM pool IDs for member accounts.
+ * Output keys follow the pattern `IpamPoolId{12-digit-accountId}{regionSuffix}`.
+ * Returns a map keyed by `{accountId}-{regionSuffix}` → pool ID.
+ * Non-fatal: returns empty map on any error.
+ */
+async function readPlatformIpamPoolIds(services, platformAccount, callbacks) {
+    const poolIds = new Map();
+    // Assume role in platform account to read its stack outputs
+    if (!services.awsProvider.assumeRole) {
+        logger.debug("organisationDeploy", "Cannot read Platform outputs: assumeRole not available");
+        return poolIds;
+    }
+    const region = services.awsProvider.getRegion();
+    const roleArn = `arn:aws:iam::${platformAccount.id}:role/fjall-deployment-role`;
+    let assumedCredentials;
+    try {
+        assumedCredentials = await services.awsProvider.assumeRole(roleArn, `fjall-ipam-read-${platformAccount.name}`);
+    }
+    catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        logger.debug("organisationDeploy", `Cannot read Platform outputs: AssumeRole failed: ${message}`);
+        return poolIds;
+    }
+    // Create a temporary provider scoped to the platform account
+    const platformProvider = new SimpleAwsProvider({
+        accessKeyId: assumedCredentials.accessKeyId,
+        secretAccessKey: assumedCredentials.secretAccessKey,
+        sessionToken: assumedCredentials.sessionToken,
+        region,
+        accountId: platformAccount.id
+    });
+    const platformCfn = new CloudFormationService(platformProvider);
+    const outputsResult = await platformCfn.getStackOutputs("Platform");
+    if (!outputsResult.success) {
+        logger.debug("organisationDeploy", `Failed to read Platform stack outputs: ${outputsResult.error.message}`);
+        return poolIds;
+    }
+    const ipamPattern = /^IpamPoolId(\d{12})(\w+)$/;
+    for (const output of outputsResult.data) {
+        const match = output.OutputKey?.match(ipamPattern);
+        if (match && output.OutputValue) {
+            const key = `${match[1]}-${match[2]}`;
+            poolIds.set(key, output.OutputValue);
+        }
+    }
+    if (poolIds.size > 0) {
+        callbacks.onLog?.(`Read ${poolIds.size} IPAM pool ID(s) from Platform stack`, "info");
+    }
+    return poolIds;
+}
+/**
+ * Deploy configured domains: apex domains sequentially, then delegated
+ * domains in parallel. Delegates to the caller-provided DomainDeployProvider.
+ */
+async function deployDomains(provider, callbacks) {
+    const domains = provider.getDomains();
+    if (domains.length === 0) {
+        return { domainsDeployed: 0, errors: [] };
+    }
+    callbacks.onCascadePhaseStart?.("domains");
+    const apexDomains = domains.filter((d) => d.type === "apex");
+    const delegatedDomains = domains.filter((d) => d.type === "delegated");
+    let domainsDeployed = 0;
+    const errors = [];
+    // Phase A: Apex domains (sequential — delegation roles must exist first)
+    for (const domain of apexDomains) {
+        const result = await provider.deployDomain(domain.name, callbacks);
+        if (result.success) {
+            domainsDeployed++;
+        }
+        else {
+            errors.push(`${domain.name}: ${result.error.message}`);
+        }
+    }
+    // Phase B: Delegated subdomains (parallel — independent of each other)
+    if (delegatedDomains.length > 0) {
+        const subdomainResults = await Promise.allSettled(delegatedDomains.map(async (domain) => {
+            const result = await provider.deployDomain(domain.name, callbacks);
+            if (result.success) {
+                domainsDeployed++;
+            }
+            else {
+                errors.push(`${domain.name}: ${result.error.message}`);
+            }
+        }));
+        for (const result of subdomainResults) {
+            if (result.status === "rejected") {
+                const message = result.reason instanceof Error
+                    ? result.reason.message
+                    : String(result.reason);
+                errors.push(`Subdomain deploy error: ${message}`);
+            }
+        }
+    }
+    return { domainsDeployed, errors };
+}

package/dist/src/orchestration/organisationSetup.d.ts

@@ -0,0 +1,42 @@
+import { type Result } from "@fjall/generator";
+import type { AwsProvider } from "../aws/AwsProvider.js";
+export type OrgSetupPhase = "create-organisation" | "enable-policies" | "enable-service-access" | "enable-ram-sharing" | "activate-trusted-access" | "enable-ipam" | "configure-backup" | "create-accounts" | "create-organisational-units" | "place-accounts" | "activate-cost-tags" | "check-identity-centre";
+export interface OrgSetupCallbacks {
+    onPhaseStart?(phase: OrgSetupPhase): void;
+    onPhaseComplete?(phase: OrgSetupPhase, result: "completed" | "skipped" | "error"): void;
+    onProgress?(message: string): void;
+    onError?(phase: OrgSetupPhase, error: Error): void;
+}
+export interface OrgSetupConfig {
+    accounts: Array<{
+        name: string;
+        email: string;
+    }>;
+    platformAccountId: string;
+    organisationalUnits: string[];
+    accountPlacements?: Record<string, string>;
+    costAllocationTags?: string[];
+    skipIdentityCentre?: boolean;
+}
+export interface OrgSetupResult {
+    organisationId: string;
+    createdAccounts: Array<{
+        name: string;
+        accountId: string;
+    }>;
+    identityCentreStatus?: string;
+    phasesCompleted: OrgSetupPhase[];
+    phasesSkipped: OrgSetupPhase[];
+    errors: Array<{
+        phase: OrgSetupPhase;
+        error: string;
+    }>;
+}
+/**
+ * Orchestrate the full AWS Organisation setup sequence.
+ *
+ * Runs 12 phases sequentially. Non-fatal phase failures are recorded
+ * and execution continues. The only fatal failure is phase 1
+ * (create-organisation) since all subsequent phases depend on the org ID.
+ */
+export declare function runOrganisationSetup(awsProvider: AwsProvider, config: OrgSetupConfig, callbacks?: OrgSetupCallbacks): Promise<Result<OrgSetupResult>>;