npm - @fjall/deploy-core - Versions diffs - 0.89.4 → 0.89.6 - Mend

@fjall/deploy-core 0.89.4 → 0.89.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (202) hide show

package/LICENSE +50 -21
package/README.md +25 -0
package/dist/.minified +1 -0
package/dist/src/__test-utils__/awsMockHelpers.d.ts +20 -0
package/dist/src/__test-utils__/awsMockHelpers.js +1 -0
package/dist/src/__test-utils__/index.d.ts +1 -0
package/dist/src/__test-utils__/index.js +1 -0
package/dist/src/aws/AwsProvider.d.ts +2 -2
package/dist/src/aws/AwsProvider.js +0 -1
package/dist/src/aws/SimpleAwsProvider.d.ts +2 -3
package/dist/src/aws/SimpleAwsProvider.js +1 -73
package/dist/src/aws/index.d.ts +4 -2
package/dist/src/aws/index.js +1 -3
package/dist/src/aws/organisations/accounts.js +10 -10
package/dist/src/aws/organisations/backup.js +4 -2
package/dist/src/aws/organisations/costAllocation.js +4 -2
package/dist/src/aws/organisations/delegatedAdmin.d.ts +9 -0
package/dist/src/aws/organisations/delegatedAdmin.js +43 -0
package/dist/src/aws/organisations/identityCentre.d.ts +1 -1
package/dist/src/aws/organisations/identityCentre.js +6 -2
package/dist/src/aws/organisations/index.d.ts +4 -3
package/dist/src/aws/organisations/index.js +1 -12
package/dist/src/aws/organisations/ipam.js +4 -2
package/dist/src/aws/organisations/organisation.js +27 -18
package/dist/src/aws/organisations/organisationalUnits.d.ts +26 -6
package/dist/src/aws/organisations/organisationalUnits.js +149 -35
package/dist/src/aws/organisations/policies.js +4 -3
package/dist/src/aws/organisations/ram.js +6 -2
package/dist/src/aws/organisations/serviceAccess.js +12 -6
package/dist/src/aws/organisations/trustedAccess.js +6 -2
package/dist/src/aws/organisations/types.d.ts +23 -1
package/dist/src/aws/organisations/types.js +1 -16
package/dist/src/aws/utils/__tests__/cloudformationTestHelpers.d.ts +6 -0
package/dist/src/aws/utils/__tests__/cloudformationTestHelpers.js +1 -0
package/dist/src/aws/utils/cloudformationEventHelpers.d.ts +48 -0
package/dist/src/aws/utils/cloudformationEventHelpers.js +1 -0
package/dist/src/aws/utils/cloudformationEventTypes.d.ts +45 -0
package/dist/src/aws/utils/cloudformationEventTypes.js +1 -0
package/dist/src/aws/utils/cloudformationEvents.d.ts +8 -54
package/dist/src/aws/utils/cloudformationEvents.js +1 -596
package/dist/src/aws/utils/index.d.ts +5 -0
package/dist/src/aws/utils/index.js +1 -0
package/dist/src/aws/utils/stackStatus.js +1 -90
package/dist/src/events/index.d.ts +13 -0
package/dist/src/events/index.js +1 -0
package/dist/src/index.d.ts +34 -17
package/dist/src/index.js +41 -21
package/dist/src/orchestration/__tests__/cascadeTestHelpers.d.ts +12 -0
package/dist/src/orchestration/__tests__/cascadeTestHelpers.js +78 -0
package/dist/src/orchestration/activeDeploymentGuard.d.ts +10 -0
package/dist/src/orchestration/activeDeploymentGuard.js +39 -0
package/dist/src/orchestration/applicationDeploy.js +46 -224
package/dist/src/orchestration/applicationDeployHelpers.d.ts +39 -0
package/dist/src/orchestration/applicationDeployHelpers.js +223 -0
package/dist/src/orchestration/applicationDestroy.d.ts +14 -0
package/dist/src/orchestration/applicationDestroy.js +131 -0
package/dist/src/orchestration/builders/dockerBuilder.d.ts +17 -0
package/dist/src/orchestration/builders/dockerBuilder.js +98 -0
package/dist/src/orchestration/builders/frameworkRegistry.d.ts +23 -0
package/dist/src/orchestration/builders/frameworkRegistry.js +1 -0
package/dist/src/orchestration/builders/index.d.ts +4 -0
package/dist/src/orchestration/builders/index.js +1 -0
package/dist/src/orchestration/builders/openNextBuilder.d.ts +21 -0
package/dist/src/orchestration/builders/openNextBuilder.js +144 -0
package/dist/src/orchestration/cascadeDestroyHelpers.d.ts +30 -0
package/dist/src/orchestration/cascadeDestroyHelpers.js +1 -0
package/dist/src/orchestration/cascadeHelpers.d.ts +46 -0
package/dist/src/orchestration/cascadeHelpers.js +160 -0
package/dist/src/orchestration/contextHelpers.d.ts +47 -2
package/dist/src/orchestration/contextHelpers.js +94 -1
package/dist/src/orchestration/destroy.d.ts +13 -0
package/dist/src/orchestration/destroy.js +67 -0
package/dist/src/orchestration/detectionPipeline.d.ts +2 -11
package/dist/src/orchestration/detectionPipeline.js +29 -10
package/dist/src/orchestration/dockerBuildHelper.d.ts +10 -0
package/dist/src/orchestration/dockerBuildHelper.js +49 -0
package/dist/src/orchestration/dockerInterface.d.ts +4 -2
package/dist/src/orchestration/index.d.ts +8 -1
package/dist/src/orchestration/index.js +1 -3
package/dist/src/orchestration/manifestSecretParser.d.ts +11 -0
package/dist/src/orchestration/manifestSecretParser.js +1 -0
package/dist/src/orchestration/openNextBuild.d.ts +28 -0
package/dist/src/orchestration/openNextBuild.js +243 -0
package/dist/src/orchestration/organisationDeploy.js +130 -228
package/dist/src/orchestration/organisationDestroy.d.ts +24 -0
package/dist/src/orchestration/organisationDestroy.js +189 -0
package/dist/src/orchestration/organisationSetup.d.ts +6 -4
package/dist/src/orchestration/organisationSetup.js +28 -8
package/dist/src/orchestration/resolveOperation.js +68 -6
package/dist/src/orchestration/serviceFactory.d.ts +4 -0
package/dist/src/orchestration/serviceFactory.js +1 -16
package/dist/src/orchestration/spawnHelpers.d.ts +47 -0
package/dist/src/orchestration/spawnHelpers.js +1 -0
package/dist/src/orchestration/stackCleanup.d.ts +39 -0
package/dist/src/orchestration/stackCleanup.js +1 -0
package/dist/src/orchestration/welcomeImageHelper.d.ts +15 -0
package/dist/src/orchestration/welcomeImageHelper.js +64 -0
package/dist/src/services/application/ApplicationStackService.d.ts +21 -30
package/dist/src/services/application/ApplicationStackService.js +16 -234
package/dist/src/services/application/applicationStackHelpers.d.ts +46 -0
package/dist/src/services/application/applicationStackHelpers.js +248 -0
package/dist/src/services/application/index.d.ts +1 -0
package/dist/src/services/application/index.js +1 -1
package/dist/src/services/index.d.ts +6 -0
package/dist/src/services/index.js +1 -0
package/dist/src/services/infrastructure/CdkArgumentBuilder.js +1 -67
package/dist/src/services/infrastructure/CdkCommandRunner.d.ts +10 -2
package/dist/src/services/infrastructure/CdkCommandRunner.js +18 -15
package/dist/src/services/infrastructure/CdkErrorFormatter.js +16 -194
package/dist/src/services/infrastructure/CdkEventMonitoring.js +1 -41
package/dist/src/services/infrastructure/CdkOutputAnalyser.js +1 -1
package/dist/src/services/infrastructure/CdkOutputParser.js +2 -33
package/dist/src/services/infrastructure/CdkProcessManager.d.ts +5 -0
package/dist/src/services/infrastructure/CdkProcessManager.js +81 -47
package/dist/src/services/infrastructure/CdkService.d.ts +7 -52
package/dist/src/services/infrastructure/CdkService.js +41 -82
package/dist/src/services/infrastructure/CdkServiceTypes.d.ts +50 -0
package/dist/src/services/infrastructure/CdkServiceTypes.js +0 -0
package/dist/src/services/infrastructure/CloudFormationService.js +9 -10
package/dist/src/services/infrastructure/ICdkProcessManager.d.ts +27 -0
package/dist/src/services/infrastructure/ICdkProcessManager.js +1 -0
package/dist/src/services/infrastructure/__tests__/cloudFormationTestHelpers.d.ts +9 -0
package/dist/src/services/infrastructure/__tests__/cloudFormationTestHelpers.js +1 -0
package/dist/src/services/infrastructure/cdkServiceHelpers.d.ts +9 -0
package/dist/src/services/infrastructure/cdkServiceHelpers.js +1 -0
package/dist/src/services/infrastructure/constructMapEnrichment.d.ts +7 -0
package/dist/src/services/infrastructure/constructMapEnrichment.js +1 -0
package/dist/src/services/infrastructure/index.d.ts +3 -1
package/dist/src/services/infrastructure/index.js +1 -7
package/dist/src/services/supporting/TemplateHashService.js +1 -1
package/dist/src/services/supporting/helpers.js +1 -81
package/dist/src/services/supporting/index.js +1 -3
package/dist/src/steps/index.d.ts +1 -0
package/dist/src/steps/index.js +1 -0
package/dist/src/steps/stepRegistry.d.ts +71 -0
package/dist/src/steps/stepRegistry.js +505 -0
package/dist/src/types/FjallState.js +1 -118
package/dist/src/types/ProgressEvent.js +1 -48
package/dist/src/types/application/ApplicationServiceTypes.js +1 -30
package/dist/src/types/application/index.js +1 -1
package/dist/src/types/callbacks.d.ts +76 -4
package/dist/src/types/callbacks.js +0 -1
package/dist/src/types/constants.d.ts +2 -0
package/dist/src/types/constants.js +1 -6
package/dist/src/types/credentials.d.ts +1 -1
package/dist/src/types/credentials.js +0 -1
package/dist/src/types/deployment/DeploymentServiceTypes.d.ts +5 -2
package/dist/src/types/deployment/DeploymentServiceTypes.js +1 -1
package/dist/src/types/deployment/DeploymentTypes.d.ts +1 -0
package/dist/src/types/deployment/DeploymentTypes.js +0 -1
package/dist/src/types/deployment/cloudformation.js +0 -1
package/dist/src/types/deployment/index.d.ts +3 -1
package/dist/src/types/deployment/index.js +1 -1
package/dist/src/types/deployment/parallel.js +1 -10
package/dist/src/types/deploymentEventSchema.d.ts +158 -0
package/dist/src/types/deploymentEventSchema.js +1 -0
package/dist/src/types/detection.d.ts +22 -0
package/dist/src/types/detection.js +1 -0
package/dist/src/types/entitlements.d.ts +31 -0
package/dist/src/types/entitlements.js +0 -0
package/dist/src/types/errors/CdkError.js +1 -20
package/dist/src/types/errors/ServiceError.d.ts +2 -1
package/dist/src/types/errors/ServiceError.js +1 -119
package/dist/src/types/errors/index.d.ts +2 -0
package/dist/src/types/errors/index.js +1 -0
package/dist/src/types/events.d.ts +3 -9
package/dist/src/types/events.js +0 -5
package/dist/src/types/frameworkBuilder.d.ts +96 -0
package/dist/src/types/frameworkBuilder.js +8 -0
package/dist/src/types/index.d.ts +19 -4
package/dist/src/types/index.js +1 -9
package/dist/src/types/operations.d.ts +3 -2
package/dist/src/types/operations.js +1 -285
package/dist/src/types/orgConfig.d.ts +2 -10
package/dist/src/types/orgConfig.js +0 -11
package/dist/src/types/params.d.ts +61 -0
package/dist/src/types/patternDetection.d.ts +14 -16
package/dist/src/types/patternDetection.js +14 -18
package/dist/src/types/patternTypes.d.ts +19 -0
package/dist/src/types/patternTypes.js +1 -0
package/dist/src/types/stepDefinitions.d.ts +163 -0
package/dist/src/types/stepDefinitions.js +98 -0
package/dist/src/types/validation.js +0 -1
package/dist/src/util/dockerfileDetection.d.ts +5 -0
package/dist/src/util/dockerfileDetection.js +1 -0
package/dist/src/util/index.d.ts +4 -3
package/dist/src/util/index.js +1 -3
package/dist/src/util/sequencedCallbacks.d.ts +44 -0
package/dist/src/util/sequencedCallbacks.js +1 -0
package/package.json +49 -8
package/dist/src/aws/utils/CloudFormationFailureAnalyser.d.ts +0 -32
package/dist/src/aws/utils/CloudFormationFailureAnalyser.js +0 -228
package/dist/src/aws/utils/errors.d.ts +0 -26
package/dist/src/aws/utils/errors.js +0 -59
package/dist/src/util/fsHelpers.d.ts +0 -4
package/dist/src/util/fsHelpers.js +0 -16
package/dist/src/util/securityHelpers.d.ts +0 -31
package/dist/src/util/securityHelpers.js +0 -124
package/dist/src/util/singleton.d.ts +0 -2
package/dist/src/util/singleton.js +0 -9
package/dist/src/util/sleep.d.ts +0 -4
package/dist/src/util/sleep.js +0 -4

package/dist/src/orchestration/organisationDeploy.js CHANGED Viewed

@@ -1,10 +1,11 @@
 import { success, failure } from "@fjall/generator";
-import { logger } from "@fjall/util";
 import { ORGANISATION_TYPES, getOrganisationStackName } from "../types/operations.js";
 import { CdkContextBuilder } from "../services/supporting/CdkContextBuilder.js";
-import { CloudFormationService } from "../services/infrastructure/CloudFormationService.js";
-import { SimpleAwsProvider } from "../aws/SimpleAwsProvider.js";
-import { buildParamsContext } from "./contextHelpers.js";
+import { stubCallerIdentity } from "../types/deployment/index.js";
+import { buildParamsContext, collectStackOutputs, synthOrFail, bootstrapOrFail, forwardOutput, forwardResourceProgress } from "./contextHelpers.js";
+import { partitionAccounts, deployCascadeAccount, readPlatformIpamPoolIds, deployDomains } from "./cascadeHelpers.js";
+import { maskSensitiveOutput } from "@fjall/util";
+import { INFRA_STEP_NAME, STEP_IDS } from "../types/stepDefinitions.js";
 /**
  * Organisation deployment orchestration.
  *
@@ -41,57 +42,81 @@ function buildOrgContext(params, services, operation, deployType, accountName) {
         path: operation.path,
         region: services.awsProvider.getRegion(),
         accountName,
-        callerIdentity: {
-            Account: services.awsProvider.getAccountId() ?? "",
-            Arn: "",
-            UserId: ""
-        },
-        ...buildParamsContext(params)
+        callerIdentity: stubCallerIdentity(services.awsProvider.getAccountId()),
+        ...buildParamsContext({
+            orgConfig: params.orgConfig,
+            identity: params.identity,
+            skipOidc: params.options?.skipOidc
+        })
     }, {
         verbose: params.options?.verbose,
         infraOnly: params.options?.infraOnly
     }, params.orgConfig);
 }
+const INFRA_STEPS = {
+    CONNECT: { id: STEP_IDS.CONNECT, name: INFRA_STEP_NAME.CONNECT },
+    PREPARE: { id: STEP_IDS.PREPARE_ENVIRONMENT, name: INFRA_STEP_NAME.PREPARE },
+    DEPLOY: { id: STEP_IDS.DEPLOY, name: INFRA_STEP_NAME.DEPLOY },
+    MONITORING: { id: STEP_IDS.MONITORING, name: INFRA_STEP_NAME.MONITORING },
+    ORG_DEPLOY: {
+        id: STEP_IDS.ORG_DEPLOY,
+        name: "Deploying organisation infrastructure"
+    }
+};
+const INFRA_STEP_TOTAL = 4;
 /**
  * Deploy a single organisation component (platform or account).
+ *
+ * Emits 4 named steps from INFRASTRUCTURE_STEP_NAMES: Connect securely →
+ * Prepare environment → Deploy infrastructure → Enable monitoring.
  */
 async function deploySingleComponent(params, services, operation, deployType, startTime) {
     const { callbacks } = params;
+    // Step 1: Connect securely — already seeded by the webapp trigger.
+    // Complete it now: credentials are available by the time deploy-core runs.
+    callbacks.onStepComplete?.(INFRA_STEPS.CONNECT.id, INFRA_STEPS.CONNECT.name, "completed", 0, INFRA_STEP_TOTAL);
+    // Step 2: Prepare environment (synth + bootstrap)
+    callbacks.onStepStart?.(INFRA_STEPS.PREPARE.id, INFRA_STEPS.PREPARE.name, 1, INFRA_STEP_TOTAL);
     const context = buildOrgContext(params, services, operation, deployType, deployType === "account" ? operation.target : undefined);
     // Synth
     callbacks.onLog?.(`Synthesising ${deployType} infrastructure…`, "info");
-    const synthResult = await services.cdkService.runCdkSynth(context, (chunk) => callbacks.onCdkOutput?.(chunk, "synth"));
+    const synthResult = await synthOrFail(services, context, callbacks, "CDK synthesis failed");
     if (!synthResult.success) {
-        const error = new Error(`CDK synthesis failed: ${synthResult.error}`);
-        callbacks.onError?.(error);
-        return failure(error);
+        callbacks.onStepComplete?.(INFRA_STEPS.PREPARE.id, INFRA_STEPS.PREPARE.name, "error", 1, INFRA_STEP_TOTAL);
+        return synthResult;
     }
     // Bootstrap
-    callbacks.onCDKBootstrap?.("bootstrapping");
-    const bootstrapResult = await services.cdkService.runCdkBootstrap(context, (chunk) => callbacks.onOutput?.(chunk));
-    if (!bootstrapResult.success) {
-        callbacks.onCDKBootstrap?.("failed");
-        const error = new Error(`Bootstrap failed: ${bootstrapResult.error}`);
-        callbacks.onError?.(error);
-        return failure(error);
+    const bsResult = await bootstrapOrFail(services, context, callbacks);
+    if (!bsResult.success) {
+        callbacks.onStepComplete?.(INFRA_STEPS.PREPARE.id, INFRA_STEPS.PREPARE.name, "error", 1, INFRA_STEP_TOTAL);
+        return bsResult;
     }
-    callbacks.onCDKBootstrap?.("complete");
-    // Deploy
+    callbacks.onStepComplete?.(INFRA_STEPS.PREPARE.id, INFRA_STEPS.PREPARE.name, "completed", 1, INFRA_STEP_TOTAL);
+    // Step 3: Deploy infrastructure
     const stackName = getOrganisationStackName(operation.type);
-    const stepId = `${deployType}-deploy`;
-    const stepName = `Deploying ${deployType} infrastructure`;
-    callbacks.onStepStart?.(stepId, stepName, 0, 1);
-    const deployResult = await services.cdkService.runCdkDeploy(context, stackName, (chunk) => callbacks.onOutput?.(chunk), (event) => callbacks.onResourceProgress?.(event), services.awsProvider);
+    callbacks.onStepStart?.(INFRA_STEPS.DEPLOY.id, INFRA_STEPS.DEPLOY.name, 2, INFRA_STEP_TOTAL);
+    const deployResult = await services.cdkService.runCdkDeploy(context, stackName, forwardOutput(callbacks), forwardResourceProgress(callbacks), services.awsProvider);
     if (!deployResult.success) {
-        callbacks.onStepComplete?.(stepId, stepName, "error", 0, 1);
-        const error = new Error(deployResult.error);
+        callbacks.onStepComplete?.(INFRA_STEPS.DEPLOY.id, INFRA_STEPS.DEPLOY.name, "error", 2, INFRA_STEP_TOTAL);
+        const error = new Error(maskSensitiveOutput(deployResult.error));
         callbacks.onError?.(error);
         return failure(error);
     }
-    callbacks.onStepComplete?.(stepId, stepName, "completed", 0, 1);
+    callbacks.onStepComplete?.(INFRA_STEPS.DEPLOY.id, INFRA_STEPS.DEPLOY.name, "completed", 2, INFRA_STEP_TOTAL);
+    // Capture CloudFormation outputs (OIDC role ARN, etc.)
+    const outputsResult = await services.cfnService.getStackOutputs(stackName);
+    if (!outputsResult.success) {
+        callbacks.onLog?.("Failed to read stack outputs (non-critical)", "debug");
+    }
+    const outputs = collectStackOutputs(outputsResult);
+    // Step 4: Enable monitoring — CloudTrail + alarms are part of the
+    // Account stack. Signal post-deploy readiness.
+    callbacks.onStepStart?.(INFRA_STEPS.MONITORING.id, INFRA_STEPS.MONITORING.name, 3, INFRA_STEP_TOTAL);
+    callbacks.onStepComplete?.(INFRA_STEPS.MONITORING.id, INFRA_STEPS.MONITORING.name, "completed", 3, INFRA_STEP_TOTAL);
     return success({
         target: operation.target,
         deploymentType: "organisation",
+        outputs,
         durationMs: Date.now() - startTime
     });
 }
@@ -102,54 +127,67 @@ async function deployOrgWithCascade(params, services, operation, startTime) {
     const { callbacks, options } = params;
     const providerAccounts = params.orgConfig?.providerAccounts ?? [];
     const context = buildOrgContext(params, services, operation, "organisation");
+    // Compute step counts upfront so pre-deploy failures can reference them
+    const cascadeEnabled = options?.cascade !== false;
+    const cascadeAccountCount = cascadeEnabled ? providerAccounts.length : 0;
+    // Steps: prepare (synth+bootstrap) + org-deploy + cascade accounts
+    const totalSteps = 2 + cascadeAccountCount;
+    const { id: prepareStepId, name: prepareStepName } = INFRA_STEPS.PREPARE;
+    // Step 0: Prepare (synth + bootstrap)
+    callbacks.onStepStart?.(prepareStepId, prepareStepName, 0, totalSteps);
     // Synth
     callbacks.onLog?.("Synthesising organisation infrastructure…", "info");
-    const synthResult = await services.cdkService.runCdkSynth(context, (chunk) => callbacks.onCdkOutput?.(chunk, "synth"));
+    const synthResult = await synthOrFail(services, context, callbacks, "CDK synthesis failed");
     if (!synthResult.success) {
-        const error = new Error(`CDK synthesis failed: ${synthResult.error}`);
-        callbacks.onError?.(error);
-        return failure(error);
+        callbacks.onStepComplete?.(prepareStepId, prepareStepName, "error", 0, totalSteps);
+        return synthResult;
     }
     // Bootstrap org account
-    callbacks.onCDKBootstrap?.("bootstrapping");
-    const bootstrapResult = await services.cdkService.runCdkBootstrap(context, (chunk) => callbacks.onOutput?.(chunk));
-    if (!bootstrapResult.success) {
-        callbacks.onCDKBootstrap?.("failed");
-        const error = new Error(`Bootstrap failed: ${bootstrapResult.error}`);
-        callbacks.onError?.(error);
-        return failure(error);
+    const bsResult = await bootstrapOrFail(services, context, callbacks);
+    if (!bsResult.success) {
+        callbacks.onStepComplete?.(prepareStepId, prepareStepName, "error", 0, totalSteps);
+        return bsResult;
     }
-    callbacks.onCDKBootstrap?.("complete");
-    // Deploy org infrastructure
-    const orgStepId = "organisation-deploy";
-    const orgStepName = "Deploying organisation infrastructure";
-    const cascadeEnabled = options?.cascade !== false;
-    const cascadeAccountCount = cascadeEnabled ? providerAccounts.length : 0;
-    const totalSteps = 1 + cascadeAccountCount;
-    callbacks.onStepStart?.(orgStepId, orgStepName, 0, totalSteps);
+    callbacks.onStepComplete?.(prepareStepId, prepareStepName, "completed", 0, totalSteps);
+    // Step 1: Deploy org infrastructure
+    const { id: orgStepId, name: orgStepName } = INFRA_STEPS.ORG_DEPLOY;
+    callbacks.onStepStart?.(orgStepId, orgStepName, 1, totalSteps);
     const orgStackName = getOrganisationStackName(ORGANISATION_TYPES.ORGANISATION);
-    const orgResult = await services.cdkService.runCdkDeploy(context, orgStackName, (chunk) => callbacks.onOutput?.(chunk), (event) => callbacks.onResourceProgress?.(event), services.awsProvider);
+    const orgResult = await services.cdkService.runCdkDeploy(context, orgStackName, forwardOutput(callbacks), forwardResourceProgress(callbacks), services.awsProvider);
     if (!orgResult.success) {
-        callbacks.onStepComplete?.(orgStepId, orgStepName, "error", 0, totalSteps);
-        const error = new Error(orgResult.error);
+        callbacks.onStepComplete?.(orgStepId, orgStepName, "error", 1, totalSteps);
+        const error = new Error(maskSensitiveOutput(orgResult.error));
         callbacks.onError?.(error);
         return failure(error);
     }
-    callbacks.onStepComplete?.(orgStepId, orgStepName, "completed", 0, totalSteps);
+    // Capture org root stack outputs (OIDC role ARN, etc.)
+    const orgOutputsResult = await services.cfnService.getStackOutputs(orgStackName);
+    if (!orgOutputsResult.success) {
+        callbacks.onLog?.("Failed to read org stack outputs (non-critical)", "debug");
+    }
+    const orgOutputs = collectStackOutputs(orgOutputsResult);
+    callbacks.onStepComplete?.(orgStepId, orgStepName, "completed", 1, totalSteps);
     // Cascade to platform + domains + member accounts
+    const cascadeErrors = [];
+    const allCascadeOutputs = [];
     if (cascadeEnabled && providerAccounts.length > 0) {
         callbacks.onCascadeStart?.();
-        const cascadeErrors = [];
         let accountsDeployed = 0;
         let platformDeployed = false;
         let domainsDeployed = false;
         // Phase 1: Deploy platform account
-        const platformAccount = providerAccounts.find((acc) => acc.environment === "platform");
+        const { platformAccount, memberAccounts } = partitionAccounts(providerAccounts);
         if (platformAccount) {
             callbacks.onCascadePhaseStart?.("platform");
             const platformResult = await deployCascadeAccount(params, services, operation, platformAccount, "platform", callbacks);
             if (platformResult.success) {
                 platformDeployed = true;
+                if (platformResult.data.outputs) {
+                    allCascadeOutputs.push({
+                        accountId: platformAccount.id,
+                        outputs: platformResult.data.outputs
+                    });
+                }
             }
             else {
                 cascadeErrors.push({
@@ -157,6 +195,7 @@ async function deployOrgWithCascade(params, services, operation, startTime) {
                     error: platformResult.error.message
                 });
             }
+            callbacks.onCascadePhaseComplete?.("platform");
         }
         // Phase 1.5: Read Platform stack outputs for IPAM pool IDs
         let ipamPoolIds = new Map();
@@ -168,24 +207,43 @@ async function deployOrgWithCascade(params, services, operation, startTime) {
             const domainResult = await deployDomains(params.domainProvider, callbacks);
             domainsDeployed = domainResult.domainsDeployed > 0;
             for (const err of domainResult.errors) {
-                cascadeErrors.push({ accountId: "domains", error: err });
+                cascadeErrors.push({
+                    accountId: "domains",
+                    error: maskSensitiveOutput(err)
+                });
             }
         }
         // Phase 3: Deploy member accounts in parallel
-        const memberAccounts = providerAccounts.filter((acc) => acc.environment !== "root" && acc.environment !== "platform");
         if (memberAccounts.length > 0) {
             callbacks.onCascadePhaseStart?.("accounts");
             const region = services.awsProvider.getRegion();
-            const memberResults = await Promise.all(memberAccounts.map((account) => {
+            const memberSettled = await Promise.allSettled(memberAccounts.map((account) => {
                 const regionSuffix = region.replace(/-/g, "");
                 const ipamPoolId = ipamPoolIds.get(`${account.id}-${regionSuffix}`);
                 return deployCascadeAccount(params, services, operation, account, "account", callbacks, ipamPoolId);
             }));
-            for (let j = 0; j < memberResults.length; j++) {
-                const result = memberResults[j];
+            memberSettled.forEach((settled, j) => {
                 const account = memberAccounts[j];
+                if (!account)
+                    return;
+                if (settled.status === "rejected") {
+                    cascadeErrors.push({
+                        accountId: account.id,
+                        error: maskSensitiveOutput(settled.reason instanceof Error
+                            ? settled.reason.message
+                            : String(settled.reason))
+                    });
+                    return;
+                }
+                const result = settled.value;
                 if (result.success) {
                     accountsDeployed++;
+                    if (result.data.outputs) {
+                        allCascadeOutputs.push({
+                            accountId: account.id,
+                            outputs: result.data.outputs
+                        });
+                    }
                 }
                 else {
                     cascadeErrors.push({
@@ -193,7 +251,8 @@ async function deployOrgWithCascade(params, services, operation, startTime) {
                         error: result.error.message
                     });
                 }
-            }
+            });
+            callbacks.onCascadePhaseComplete?.("accounts");
         }
         callbacks.onCascadeComplete?.({
             platformDeployed,
@@ -206,177 +265,20 @@ async function deployOrgWithCascade(params, services, operation, startTime) {
             const errorSummary = cascadeErrors
                 .map((e) => `  ${e.accountId}: ${e.error}`)
                 .join("\n");
-            callbacks.onLog?.(`Cascade completed with ${cascadeErrors.length} failure(s):\n${errorSummary}`, "warn");
+            callbacks.onLog?.(maskSensitiveOutput(`Cascade completed with ${cascadeErrors.length} failure(s):\n${errorSummary}`), "warn");
         }
     }
+    const warnings = cascadeErrors.length > 0
+        ? cascadeErrors.map((e) => maskSensitiveOutput(`${e.accountId}: ${e.error}`))
+        : undefined;
     return success({
         target: operation.target,
         deploymentType: "organisation",
-        durationMs: Date.now() - startTime
-    });
-}
-/**
- * Deploy a single cascade account (platform or member).
- * Assumes the target account's role, sets env credentials, and deploys.
- */
-async function deployCascadeAccount(params, services, operation, account, deployType, callbacks, ipamPoolId) {
-    const operationKey = `${account.name}-${account.id}`;
-    const region = services.awsProvider.getRegion();
-    callbacks.onCascadeAccountStart?.(operationKey, account.id, region);
-    // Assume role in target account
-    if (!services.awsProvider.assumeRole) {
-        const error = new Error(`Cannot cascade to account ${account.name}: AwsProvider does not support assumeRole`);
-        callbacks.onCascadeAccountComplete?.(operationKey, false, error.message, region);
-        return failure(error);
-    }
-    const roleArn = `arn:aws:iam::${account.id}:role/fjall-deployment-role`;
-    let assumedCredentials;
-    try {
-        assumedCredentials = await services.awsProvider.assumeRole(roleArn, `fjall-cascade-${account.name}`);
-    }
-    catch (err) {
-        const message = err instanceof Error ? err.message : String(err);
-        callbacks.onCascadeAccountComplete?.(operationKey, false, message, region);
-        return failure(new Error(`Failed to assume role for ${account.name}: ${message}`));
-    }
-    // Build context for this account (includes IPAM pool ID if available)
-    const accountContext = CdkContextBuilder.buildDeploymentContext({
-        deployType,
-        target: operation.target,
-        path: operation.path,
-        region,
-        accountName: account.name,
-        callerIdentity: { Account: account.id, Arn: "", UserId: "" },
-        ipamPoolId,
-        ...buildParamsContext(params)
-    }, { verbose: params.options?.verbose }, params.orgConfig);
-    // Create account-scoped provider for CDK monitoring
-    const accountProvider = new SimpleAwsProvider({
-        accessKeyId: assumedCredentials.accessKeyId,
-        secretAccessKey: assumedCredentials.secretAccessKey,
-        sessionToken: assumedCredentials.sessionToken,
-        region,
-        accountId: account.id
+        outputs: orgOutputs,
+        ...(allCascadeOutputs.length > 0
+            ? { cascadeOutputs: allCascadeOutputs }
+            : {}),
+        durationMs: Date.now() - startTime,
+        warnings
     });
-    // Export account credentials for CDK subprocess
-    accountProvider.exportToEnv();
-    // Bootstrap the target account
-    callbacks.onCascadeAccountPhaseChange?.(operationKey, "synth", region);
-    const bootstrapResult = await services.cdkService.runCdkBootstrap(accountContext, (chunk) => callbacks.onOutput?.(chunk));
-    if (!bootstrapResult.success) {
-        services.awsProvider.exportToEnv();
-        callbacks.onCascadeAccountComplete?.(operationKey, false, `Bootstrap failed: ${bootstrapResult.error}`, region);
-        return failure(new Error(`Bootstrap failed for ${account.name}: ${bootstrapResult.error}`));
-    }
-    // Deploy the account stack
-    callbacks.onCascadeAccountPhaseChange?.(operationKey, "deploy", region);
-    const stackName = getOrganisationStackName(deployType === "platform"
-        ? ORGANISATION_TYPES.PLATFORM
-        : ORGANISATION_TYPES.ACCOUNT);
-    const deployResult = await services.cdkService.runCdkDeploy(accountContext, stackName, (chunk) => callbacks.onOutput?.(chunk), (event) => callbacks.onCascadeAccountResourceProgress?.(operationKey, event, region), accountProvider);
-    // Restore parent credentials
-    services.awsProvider.exportToEnv();
-    if (!deployResult.success) {
-        callbacks.onCascadeAccountComplete?.(operationKey, false, deployResult.error, region);
-        return failure(new Error(deployResult.error));
-    }
-    callbacks.onCascadeAccountComplete?.(operationKey, true, undefined, region);
-    return success(undefined);
-}
-/**
- * Read Platform stack outputs to extract IPAM pool IDs for member accounts.
- * Output keys follow the pattern `IpamPoolId{12-digit-accountId}{regionSuffix}`.
- * Returns a map keyed by `{accountId}-{regionSuffix}` → pool ID.
- * Non-fatal: returns empty map on any error.
- */
-async function readPlatformIpamPoolIds(services, platformAccount, callbacks) {
-    const poolIds = new Map();
-    // Assume role in platform account to read its stack outputs
-    if (!services.awsProvider.assumeRole) {
-        logger.debug("organisationDeploy", "Cannot read Platform outputs: assumeRole not available");
-        return poolIds;
-    }
-    const region = services.awsProvider.getRegion();
-    const roleArn = `arn:aws:iam::${platformAccount.id}:role/fjall-deployment-role`;
-    let assumedCredentials;
-    try {
-        assumedCredentials = await services.awsProvider.assumeRole(roleArn, `fjall-ipam-read-${platformAccount.name}`);
-    }
-    catch (err) {
-        const message = err instanceof Error ? err.message : String(err);
-        logger.debug("organisationDeploy", `Cannot read Platform outputs: AssumeRole failed: ${message}`);
-        return poolIds;
-    }
-    // Create a temporary provider scoped to the platform account
-    const platformProvider = new SimpleAwsProvider({
-        accessKeyId: assumedCredentials.accessKeyId,
-        secretAccessKey: assumedCredentials.secretAccessKey,
-        sessionToken: assumedCredentials.sessionToken,
-        region,
-        accountId: platformAccount.id
-    });
-    const platformCfn = new CloudFormationService(platformProvider);
-    const outputsResult = await platformCfn.getStackOutputs("Platform");
-    if (!outputsResult.success) {
-        logger.debug("organisationDeploy", `Failed to read Platform stack outputs: ${outputsResult.error.message}`);
-        return poolIds;
-    }
-    const ipamPattern = /^IpamPoolId(\d{12})(\w+)$/;
-    for (const output of outputsResult.data) {
-        const match = output.OutputKey?.match(ipamPattern);
-        if (match && output.OutputValue) {
-            const key = `${match[1]}-${match[2]}`;
-            poolIds.set(key, output.OutputValue);
-        }
-    }
-    if (poolIds.size > 0) {
-        callbacks.onLog?.(`Read ${poolIds.size} IPAM pool ID(s) from Platform stack`, "info");
-    }
-    return poolIds;
-}
-/**
- * Deploy configured domains: apex domains sequentially, then delegated
- * domains in parallel. Delegates to the caller-provided DomainDeployProvider.
- */
-async function deployDomains(provider, callbacks) {
-    const domains = provider.getDomains();
-    if (domains.length === 0) {
-        return { domainsDeployed: 0, errors: [] };
-    }
-    callbacks.onCascadePhaseStart?.("domains");
-    const apexDomains = domains.filter((d) => d.type === "apex");
-    const delegatedDomains = domains.filter((d) => d.type === "delegated");
-    let domainsDeployed = 0;
-    const errors = [];
-    // Phase A: Apex domains (sequential — delegation roles must exist first)
-    for (const domain of apexDomains) {
-        const result = await provider.deployDomain(domain.name, callbacks);
-        if (result.success) {
-            domainsDeployed++;
-        }
-        else {
-            errors.push(`${domain.name}: ${result.error.message}`);
-        }
-    }
-    // Phase B: Delegated subdomains (parallel — independent of each other)
-    if (delegatedDomains.length > 0) {
-        const subdomainResults = await Promise.allSettled(delegatedDomains.map(async (domain) => {
-            const result = await provider.deployDomain(domain.name, callbacks);
-            if (result.success) {
-                domainsDeployed++;
-            }
-            else {
-                errors.push(`${domain.name}: ${result.error.message}`);
-            }
-        }));
-        for (const result of subdomainResults) {
-            if (result.status === "rejected") {
-                const message = result.reason instanceof Error
-                    ? result.reason.message
-                    : String(result.reason);
-                errors.push(`Subdomain deploy error: ${message}`);
-            }
-        }
-    }
-    return { domainsDeployed, errors };
 }

package/dist/src/orchestration/organisationDestroy.d.ts ADDED Viewed

@@ -0,0 +1,24 @@
+/**
+ * Organisation destroy orchestration.
+ *
+ * Receives pre-authenticated credentials and destroys all organisation
+ * infrastructure in cascade order:
+ * 1. Member accounts across ALL regions in parallel
+ * 2. Platform account in primary region
+ * 3. Organisation root stack
+ *
+ * Auth, verification, and interactive prompts are the caller's job
+ * (per engine/consumer boundary).
+ */
+import { type Result } from "@fjall/generator";
+import type { DestroyParams, DestroyResult } from "../types/params.js";
+import type { OrganisationOperation } from "../types/operations.js";
+import type { DeployServices } from "./serviceFactory.js";
+/**
+ * Destroy organisation infrastructure with cascade.
+ *
+ * The cascade ordering is: members (parallel, multi-region) -> platform -> org stack.
+ * If any member or platform destruction fails, the org stack is NOT destroyed
+ * (to avoid orphaning resources).
+ */
+export declare function destroyOrganisation(params: DestroyParams, services: DeployServices, operation: OrganisationOperation): Promise<Result<DestroyResult>>;