@fjall/deploy-core 0.89.5 → 0.94.0

package/dist/src/orchestration/cascadeHelpers.js

@@ -0,0 +1,160 @@
+import { success, failure } from "@fjall/generator";
+import { logger } from "@fjall/util/logger";
+import { maskSensitiveOutput } from "@fjall/util";
+import { ORGANISATION_TYPES, getOrganisationStackName } from "../types/operations.js";
+import { CdkContextBuilder } from "../services/supporting/CdkContextBuilder.js";
+import { stubCallerIdentity } from "../types/deployment/index.js";
+import { CloudFormationService } from "../services/infrastructure/CloudFormationService.js";
+import { buildParamsContext, collectStackOutputs, assumeCascadeRole, forwardOutput } from "./contextHelpers.js";
+import { STRUCTURAL_ENVIRONMENTS } from "@fjall/util";
+/**
+ * Partition provider accounts into platform and member accounts.
+ * Used by both deploy and destroy orchestration.
+ */
+export function partitionAccounts(providerAccounts) {
+    const platformAccount = providerAccounts.find((acc) => acc.environment === STRUCTURAL_ENVIRONMENTS.PLATFORM);
+    const memberAccounts = providerAccounts.filter((acc) => acc.environment !== STRUCTURAL_ENVIRONMENTS.ROOT &&
+        acc.environment !== STRUCTURAL_ENVIRONMENTS.PLATFORM);
+    return { platformAccount, memberAccounts };
+}
+// Re-export for backwards compatibility (canonical definition in contextHelpers)
+export { buildCascadeRoleArn } from "./contextHelpers.js";
+export async function deployCascadeAccount(params, services, operation, account, deployType, callbacks, ipamPoolId) {
+    const operationKey = `${account.name}-${account.id}`;
+    const region = services.awsProvider.getRegion();
+    callbacks.onCascadeAccountStart?.(operationKey, account.id, region, deployType);
+    // Assume role in target account
+    const roleResult = await assumeCascadeRole(services.awsProvider, account.id, region, `fjall-cascade-${account.name}`);
+    if (!roleResult.success) {
+        callbacks.onCascadeAccountComplete?.(operationKey, false, maskSensitiveOutput(roleResult.error.message), region);
+        return failure(new Error(`Failed to assume role for ${account.name}: ${maskSensitiveOutput(roleResult.error.message)}`));
+    }
+    const { provider: accountProvider, credentials: cascadeCredentials } = roleResult.data;
+    // Build context for this account (includes IPAM pool ID if available)
+    const accountContext = CdkContextBuilder.buildDeploymentContext({
+        deployType,
+        target: operation.target,
+        path: operation.path,
+        region,
+        accountName: account.name,
+        callerIdentity: stubCallerIdentity(account.id),
+        ipamPoolId,
+        ...buildParamsContext({
+            orgConfig: params.orgConfig,
+            identity: params.identity,
+            skipOidc: params.options?.skipOidc
+        })
+    }, { verbose: params.options?.verbose }, params.orgConfig);
+    // Bootstrap the target account
+    callbacks.onCascadeAccountPhaseChange?.(operationKey, "bootstrap", region);
+    const bootstrapResult = await services.cdkService.runCdkBootstrap(accountContext, forwardOutput(callbacks), cascadeCredentials);
+    if (!bootstrapResult.success) {
+        callbacks.onCascadeAccountComplete?.(operationKey, false, maskSensitiveOutput(`Bootstrap failed: ${bootstrapResult.error}`), region);
+        return failure(new Error(`Bootstrap failed for ${account.name}: ${maskSensitiveOutput(bootstrapResult.error)}`));
+    }
+    // Deploy the account stack
+    callbacks.onCascadeAccountPhaseChange?.(operationKey, "deploy", region);
+    const stackName = getOrganisationStackName(deployType === "platform"
+        ? ORGANISATION_TYPES.PLATFORM
+        : ORGANISATION_TYPES.ACCOUNT);
+    const deployResult = await services.cdkService.runCdkDeploy(accountContext, stackName, forwardOutput(callbacks), (event) => callbacks.onCascadeAccountResourceProgress?.(operationKey, event, region), accountProvider, cascadeCredentials);
+    if (!deployResult.success) {
+        callbacks.onCascadeAccountComplete?.(operationKey, false, maskSensitiveOutput(deployResult.error), region);
+        return failure(new Error(maskSensitiveOutput(deployResult.error)));
+    }
+    // Capture stack outputs (OIDC role ARN, etc.) from the target account
+    const accountCfn = new CloudFormationService(accountProvider);
+    const outputsResult = await accountCfn.getStackOutputs(stackName);
+    if (!outputsResult.success) {
+        logger.debug("cascadeHelpers", "Failed to read cascade account stack outputs (non-critical)", { stackName, account: account.name });
+    }
+    const outputs = collectStackOutputs(outputsResult);
+    callbacks.onCascadeAccountComplete?.(operationKey, true, undefined, region, outputs);
+    return success({ outputs });
+}
+/**
+ * Read Platform stack outputs to extract IPAM pool IDs for member accounts.
+ * Output keys follow the pattern `IpamPoolId{12-digit-accountId}{regionSuffix}`.
+ * Returns a map keyed by `{accountId}-{regionSuffix}` → pool ID.
+ * Non-fatal: returns empty map on any error.
+ */
+export async function readPlatformIpamPoolIds(services, platformAccount, callbacks) {
+    const poolIds = new Map();
+    // Assume role in platform account to read its stack outputs
+    const region = services.awsProvider.getRegion();
+    const roleResult = await assumeCascadeRole(services.awsProvider, platformAccount.id, region, `fjall-ipam-read-${platformAccount.name}`);
+    if (!roleResult.success) {
+        logger.debug("organisationDeploy", `Cannot read Platform outputs: ${roleResult.error.message}`);
+        return poolIds;
+    }
+    const platformCfn = new CloudFormationService(roleResult.data.provider);
+    const platformStackName = getOrganisationStackName(ORGANISATION_TYPES.PLATFORM);
+    const outputsResult = await platformCfn.getStackOutputs(platformStackName);
+    if (!outputsResult.success) {
+        logger.debug("organisationDeploy", `Failed to read Platform stack outputs: ${outputsResult.error.message}`);
+        return poolIds;
+    }
+    const ipamPattern = /^IpamPoolId(\d{12})(\w+)$/;
+    for (const output of outputsResult.data) {
+        const match = output.OutputKey?.match(ipamPattern);
+        if (match && output.OutputValue) {
+            const key = `${match[1]}-${match[2]}`;
+            poolIds.set(key, output.OutputValue);
+        }
+    }
+    if (poolIds.size > 0) {
+        callbacks.onLog?.(`Read ${poolIds.size} IPAM pool ID(s) from Platform stack`, "info");
+    }
+    return poolIds;
+}
+/**
+ * Deploy configured domains: apex domains sequentially, then delegated
+ * domains in parallel. Delegates to the caller-provided DomainDeployProvider.
+ */
+export async function deployDomains(provider, callbacks) {
+    const domains = provider.getDomains();
+    if (domains.length === 0) {
+        return { domainsDeployed: 0, errors: [] };
+    }
+    callbacks.onCascadePhaseStart?.("domains");
+    const apexDomains = domains.filter((d) => d.type === "apex");
+    const delegatedDomains = domains.filter((d) => d.type === "delegated");
+    let domainsDeployed = 0;
+    const errors = [];
+    // Phase A: Apex domains (sequential — delegation roles must exist first)
+    for (const domain of apexDomains) {
+        const result = await provider.deployDomain(domain.name, callbacks);
+        if (result.success) {
+            domainsDeployed++;
+        }
+        else {
+            errors.push(`${domain.name}: ${result.error.message}`);
+        }
+    }
+    // Phase B: Delegated subdomains (parallel — independent of each other)
+    if (delegatedDomains.length > 0) {
+        const subdomainResults = await Promise.allSettled(delegatedDomains.map((domain) => provider.deployDomain(domain.name, callbacks)));
+        for (let i = 0; i < subdomainResults.length; i++) {
+            const settled = subdomainResults[i];
+            const domain = delegatedDomains[i];
+            if (!settled || !domain)
+                continue;
+            if (settled.status === "fulfilled") {
+                if (settled.value.success) {
+                    domainsDeployed++;
+                }
+                else {
+                    errors.push(`${domain.name}: ${settled.value.error.message}`);
+                }
+            }
+            else {
+                const message = settled.reason instanceof Error
+                    ? settled.reason.message
+                    : String(settled.reason);
+                errors.push(`${domain.name}: ${message}`);
+            }
+        }
+    }
+    callbacks.onCascadePhaseComplete?.("domains");
+    return { domainsDeployed, errors };
+}

package/dist/src/orchestration/contextHelpers.d.ts

@@ -1,10 +1,54 @@
-import type { DeployParams } from "../types/params.js";
+import { type Result } from "@fjall/generator";
+import type { ResourceEvent } from "@fjall/util/aws";
+import type { OrgConfig } from "../types/orgConfig.js";
+import type { DeployIdentity } from "../types/credentials.js";
+import type { AwsProviderCredentials } from "../aws/AwsProvider.js";
+import { SimpleAwsProvider } from "../aws/SimpleAwsProvider.js";
+import type { DeploymentContext } from "../types/deployment/DeploymentTypes.js";
+import type { DeployCallbacks } from "../types/callbacks.js";
+import type { DeployServices } from "./serviceFactory.js";
 /**
  * Build the orgConfig/identity context fields shared by all deployment paths.
  * CdkContextBuilder expects orgConfig as a JSON string and fjallOrgId as a string.
  */
-export declare function buildParamsContext(params: DeployParams): {
+export declare function buildParamsContext(params: {
+    orgConfig?: OrgConfig;
+    identity?: DeployIdentity;
+    skipOidc?: boolean;
+}): {
     orgConfig?: string;
     fjallOrgId?: string;
     fjallOidcConfigured?: boolean;
 };
+/** Forward onOutput callback — reduces lambda repetition across orchestration files. */
+export declare function forwardOutput(callbacks: DeployCallbacks): (chunk: string) => void;
+/** Forward onResourceProgress callback — reduces lambda repetition across orchestration files. */
+export declare function forwardResourceProgress(callbacks: DeployCallbacks): (event: ResourceEvent) => void;
+/** Convert CloudFormation getStackOutputs result to Record<string, string>. */
+export declare function collectStackOutputs(result: Result<Array<{
+    OutputKey?: string;
+    OutputValue?: string;
+}>, unknown>): Record<string, string> | undefined;
+/** Build the IAM role ARN used for cross-account cascade operations. */
+export declare function buildCascadeRoleArn(accountId: string): string;
+export interface CascadeAssumedRole {
+    provider: SimpleAwsProvider;
+    credentials: AwsProviderCredentials;
+}
+/**
+ * Assume a cross-account cascade role and create a scoped provider.
+ * Callers handle failure (callbacks, logging, return type) — this helper
+ * only owns the assume + provider construction.
+ */
+export declare function assumeCascadeRole(awsProvider: SimpleAwsProvider, accountId: string, region: string, sessionName: string): Promise<Result<CascadeAssumedRole, Error>>;
+/**
+ * Run CDK synth and return failure with masked error if it fails.
+ * Calls `onError` on the callbacks so callers only need to handle
+ * step-specific reporting (e.g. onStepComplete) before returning.
+ */
+export declare function synthOrFail(services: DeployServices, context: DeploymentContext, callbacks: DeployCallbacks, errorPrefix: string): Promise<Result<void>>;
+/**
+ * Run CDK bootstrap and return failure with masked error if it fails.
+ * Emits onCDKBootstrap status callbacks and calls onError on failure.
+ */
+export declare function bootstrapOrFail(services: DeployServices, context: DeploymentContext, callbacks: DeployCallbacks): Promise<Result<void>>;

package/dist/src/orchestration/contextHelpers.js

@@ -1,3 +1,6 @@
+import { success, failure } from "@fjall/generator";
+import { getErrorMessage, maskSensitiveOutput } from "@fjall/util";
+import { SimpleAwsProvider } from "../aws/SimpleAwsProvider.js";
 /**
  * Build the orgConfig/identity context fields shared by all deployment paths.
  * CdkContextBuilder expects orgConfig as a JSON string and fjallOrgId as a string.
@@ -10,6 +13,95 @@ export function buildParamsContext(params) {
         ...(params.identity !== undefined
             ? { fjallOrgId: params.identity.fjallOrgId }
             : {}),
-        ...(params.options?.skipOidc ? { fjallOidcConfigured: true } : {})
+        ...(params.skipOidc ? { fjallOidcConfigured: true } : {})
     };
 }
+/** Forward onOutput callback — reduces lambda repetition across orchestration files. */
+export function forwardOutput(callbacks) {
+    return (chunk) => callbacks.onOutput?.(chunk);
+}
+/** Forward onResourceProgress callback — reduces lambda repetition across orchestration files. */
+export function forwardResourceProgress(callbacks) {
+    return (event) => callbacks.onResourceProgress?.(event);
+}
+/** Convert CloudFormation getStackOutputs result to Record<string, string>. */
+export function collectStackOutputs(result) {
+    if (!result.success || result.data.length === 0)
+        return undefined;
+    const record = {};
+    for (const output of result.data) {
+        if (output.OutputKey && output.OutputValue !== undefined) {
+            record[output.OutputKey] = output.OutputValue;
+        }
+    }
+    return Object.keys(record).length > 0 ? record : undefined;
+}
+/** Role name created by the Account CDK stack for cross-account cascade operations. */
+const CASCADE_DEPLOYMENT_ROLE = "fjall-deployment-role";
+/** Build the IAM role ARN used for cross-account cascade operations. */
+export function buildCascadeRoleArn(accountId) {
+    return `arn:aws:iam::${accountId}:role/${CASCADE_DEPLOYMENT_ROLE}`;
+}
+/**
+ * Assume a cross-account cascade role and create a scoped provider.
+ * Callers handle failure (callbacks, logging, return type) — this helper
+ * only owns the assume + provider construction.
+ */
+export async function assumeCascadeRole(awsProvider, accountId, region, sessionName) {
+    if (!awsProvider.assumeRole) {
+        return failure(new Error("AwsProvider does not support assumeRole"));
+    }
+    const roleArn = buildCascadeRoleArn(accountId);
+    let assumed;
+    try {
+        assumed = await awsProvider.assumeRole(roleArn, sessionName);
+    }
+    catch (err) {
+        return failure(new Error(getErrorMessage(err)));
+    }
+    const provider = new SimpleAwsProvider({
+        accessKeyId: assumed.accessKeyId,
+        secretAccessKey: assumed.secretAccessKey,
+        sessionToken: assumed.sessionToken,
+        region,
+        accountId
+    });
+    return success({
+        provider,
+        credentials: {
+            accessKeyId: assumed.accessKeyId,
+            secretAccessKey: assumed.secretAccessKey,
+            sessionToken: assumed.sessionToken
+        }
+    });
+}
+/**
+ * Run CDK synth and return failure with masked error if it fails.
+ * Calls `onError` on the callbacks so callers only need to handle
+ * step-specific reporting (e.g. onStepComplete) before returning.
+ */
+export async function synthOrFail(services, context, callbacks, errorPrefix) {
+    const synthResult = await services.cdkService.runCdkSynth(context, (chunk) => callbacks.onCdkOutput?.(chunk, "synth"));
+    if (!synthResult.success) {
+        const error = new Error(maskSensitiveOutput(`${errorPrefix}: ${synthResult.error}`));
+        callbacks.onError?.(error);
+        return failure(error);
+    }
+    return success(undefined);
+}
+/**
+ * Run CDK bootstrap and return failure with masked error if it fails.
+ * Emits onCDKBootstrap status callbacks and calls onError on failure.
+ */
+export async function bootstrapOrFail(services, context, callbacks) {
+    callbacks.onCDKBootstrap?.("bootstrapping");
+    const bootstrapResult = await services.cdkService.runCdkBootstrap(context, forwardOutput(callbacks));
+    if (!bootstrapResult.success) {
+        callbacks.onCDKBootstrap?.("failed");
+        const error = new Error(maskSensitiveOutput(`Bootstrap failed: ${bootstrapResult.error}`));
+        callbacks.onError?.(error);
+        return failure(error);
+    }
+    callbacks.onCDKBootstrap?.("complete");
+    return success(undefined);
+}

package/dist/src/orchestration/destroy.d.ts

@@ -0,0 +1,13 @@
+import { type Result } from "@fjall/generator";
+import type { DestroyParams, DestroyResult } from "../types/params.js";
+/**
+ * Destroy infrastructure for a target.
+ *
+ * Primary entry point for both CLI and webapp worker. Determines whether
+ * the target is an application or organisation and routes to the
+ * appropriate orchestrator.
+ *
+ * Mirrors the deploy() entry point -- same resolution, same service
+ * factory, same callback contract.
+ */
+export declare function destroy(params: DestroyParams): Promise<Result<DestroyResult>>;

package/dist/src/orchestration/destroy.js

@@ -0,0 +1,67 @@
+import { success, failure } from "@fjall/generator";
+import { isApplicationOperation, isOrganisationOperation, getApplicationStackName, getOrganisationStackName, APPLICATION_STACKS } from "../types/operations.js";
+import { createDeployServices } from "./serviceFactory.js";
+import { resolveOperation } from "./resolveOperation.js";
+import { destroyApplication } from "./applicationDestroy.js";
+import { destroyOrganisation } from "./organisationDestroy.js";
+import { checkActiveDeployments } from "./activeDeploymentGuard.js";
+/**
+ * Destroy infrastructure for a target.
+ *
+ * Primary entry point for both CLI and webapp worker. Determines whether
+ * the target is an application or organisation and routes to the
+ * appropriate orchestrator.
+ *
+ * Mirrors the deploy() entry point -- same resolution, same service
+ * factory, same callback contract.
+ */
+export async function destroy(params) {
+    const startTime = Date.now();
+    const services = createDeployServices({
+        target: params.target,
+        workingDirectory: params.workingDirectory,
+        awsCredentials: params.awsCredentials,
+        callbacks: params.callbacks,
+        options: {
+            verbose: params.options?.verbose,
+            force: params.options?.force,
+            cascade: params.options?.cascade,
+            skipConfirmation: params.options?.skipConfirmation
+        },
+        orgConfig: params.orgConfig,
+        identity: params.identity
+    });
+    const opResult = await resolveOperation(params.target, params.workingDirectory);
+    if (!opResult.success) {
+        params.callbacks.onError?.(opResult.error);
+        return opResult;
+    }
+    const operation = opResult.data;
+    // Pre-flight: reject if any target stacks are mid-operation (unless --force)
+    if (!params.options?.force) {
+        const stackNames = isApplicationOperation(operation)
+            ? Object.values(APPLICATION_STACKS).map((stack) => getApplicationStackName(operation.appName, stack))
+            : [getOrganisationStackName(operation.type)];
+        const guardResult = await checkActiveDeployments(stackNames, services.cfnService);
+        if (!guardResult.success) {
+            params.callbacks.onError?.(guardResult.error);
+            return failure(guardResult.error);
+        }
+    }
+    if (isApplicationOperation(operation)) {
+        const result = await destroyApplication(params, services, operation);
+        if (result.success && result.data.durationMs === undefined) {
+            return success({
+                ...result.data,
+                durationMs: Date.now() - startTime
+            });
+        }
+        return result;
+    }
+    if (isOrganisationOperation(operation)) {
+        return destroyOrganisation(params, services, operation);
+    }
+    const error = new Error(`Unsupported destroy target: ${params.target}`);
+    params.callbacks.onError?.(error);
+    return failure(error);
+}

package/dist/src/orchestration/detectionPipeline.d.ts

@@ -2,18 +2,9 @@ import { type Result } from "@fjall/generator";
 import type { DeployCallbacks } from "../types/callbacks.js";
 import type { DeploymentContext } from "../types/deployment/DeploymentTypes.js";
 import type { ApplicationOperation } from "../types/operations.js";
-import { type AppResourceFlags } from "../types/patternDetection.js";
-import type { PatternType } from "@fjall/generator";
 import type { DeployServices } from "./serviceFactory.js";
-export interface DetectionResult {
-    pattern: PatternType | null;
-    hasDatabase: boolean;
-    hasDifferences: boolean;
-    stackChanges: Map<string, boolean>;
-    currentHashes: Map<string, string>;
-    resources: AppResourceFlags;
-    hasDockerfile: boolean;
-}
+import type { DetectionResult } from "../types/detection.js";
+export type { DetectionResult };
 /**
  * Pre-deployment analysis pipeline.
  *

package/dist/src/orchestration/detectionPipeline.js

@@ -1,8 +1,11 @@
 import { join } from "path";
 import { success, failure } from "@fjall/generator";
-import { logger } from "@fjall/util";
-import { detectPattern, deriveResourcesFromManifestStacks } from "../types/patternDetection.js";
+import { logger } from "@fjall/util/logger";
+import { maskSensitiveOutput } from "@fjall/util";
+import { hasDockerfile } from "../util/dockerfileDetection.js";
+import { deriveResourcesFromManifestStacks } from "../types/patternDetection.js";
 import { emitProgress, PROGRESS_MESSAGES } from "../services/supporting/helpers.js";
+import { parseRequiredSecretsFromManifest } from "./manifestSecretParser.js";
 /**
  * Pre-deployment analysis pipeline.
  *
@@ -11,28 +14,43 @@ import { emitProgress, PROGRESS_MESSAGES } from "../services/supporting/helpers.
  */
 export async function runDetectionPipeline(operation, services, context, callbacks) {
     // 1. Detect application pattern
-    const { pattern, hasDatabase } = detectPattern(operation.path);
+    callbacks.onDetectionPhaseChange?.("detect", "started");
+    const resolved = services.frameworkRegistry.resolve({
+        appPath: operation.path
+    });
+    const pattern = resolved?.detection.pattern ?? null;
+    const hasDatabase = resolved?.detection.hasDatabase ?? false;
     callbacks.onLog?.(`Pattern detected: ${pattern ?? "standard"}`, "info");
+    callbacks.onDetectionPhaseChange?.("detect", "completed");
+    const cdkOutPath = join(operation.path, "cdk.out");
     // 2. Synthesise infrastructure
+    callbacks.onDetectionPhaseChange?.("synth", "started");
     emitProgress(callbacks, PROGRESS_MESSAGES.SYNTH);
     const synthResult = await services.cdkService.runCdkSynth(context, (chunk) => callbacks.onCdkOutput?.(chunk, "synth"));
     if (!synthResult.success) {
-        return failure(new Error(`CDK synthesis failed: ${synthResult.error}`));
+        return failure(new Error(maskSensitiveOutput(`CDK synthesis failed: ${synthResult.error}`)));
+    }
+    callbacks.onDetectionPhaseChange?.("synth", "completed");
+    // 2b. Parse required secrets from manifest (pure data, no AWS calls)
+    const requiredSecrets = parseRequiredSecretsFromManifest(cdkOutPath);
+    if (requiredSecrets.length > 0) {
+        callbacks.onLog?.(`Found ${requiredSecrets.length} required secret path(s) in manifest`, "info");
     }
     // 3. Compute template hashes
+    callbacks.onDetectionPhaseChange?.("hash", "started");
     emitProgress(callbacks, PROGRESS_MESSAGES.HASH);
-    const cdkOutPath = join(operation.path, "cdk.out");
     const hashResult = await services.hashService.getTemplateHashes(cdkOutPath);
     if (!hashResult.success) {
-        return failure(new Error(`Template hash computation failed: ${hashResult.error.message}`));
+        return failure(new Error(maskSensitiveOutput(`Template hash computation failed: ${hashResult.error.message}`)));
     }
     const currentHashes = hashResult.data;
     // 4. Compare with stored state
     const comparisonResult = await services.hashService.compareWithState(currentHashes, operation.path);
     if (!comparisonResult.success) {
-        return failure(new Error(`Hash comparison failed: ${comparisonResult.error.message}`));
+        return failure(new Error(maskSensitiveOutput(`Hash comparison failed: ${comparisonResult.error.message}`)));
     }
     const comparison = comparisonResult.data;
+    callbacks.onDetectionPhaseChange?.("hash", "completed");
     // 5. Stale hash detection: unchanged templates whose stacks don't exist in CFN
     const stackChanges = new Map(comparison.stackChanges);
     for (const [stackName, hasChanged] of comparison.stackChanges) {
@@ -49,8 +67,8 @@ export async function runDetectionPipeline(operation, services, context, callbac
     // 6. Derive resource flags from manifest stacks
     const stackNames = Array.from(currentHashes.keys());
     const resources = deriveResourcesFromManifestStacks(stackNames);
-    // 7. Detect Dockerfile (Compute stack presence implies Docker)
-    const hasDockerfile = resources.hasCompute;
+    // 7. Detect Dockerfile on disk (Compute stack alone is not sufficient)
+    const dockerfilePresent = resources.hasCompute && hasDockerfile(operation.path);
     const hasDifferences = Array.from(stackChanges.values()).some(Boolean);
     callbacks.onLog?.(`Detection complete: ${comparison.changedCount} changed, ${comparison.unchangedCount} unchanged`, "info");
     return success({
@@ -60,6 +78,7 @@ export async function runDetectionPipeline(operation, services, context, callbac
         stackChanges,
         currentHashes,
         resources,
-        hasDockerfile
+        hasDockerfile: dockerfilePresent,
+        requiredSecrets
     });
 }

package/dist/src/orchestration/dockerBuildHelper.d.ts

@@ -0,0 +1,10 @@
+import { type Result } from "@fjall/generator";
+import type { DeployParams } from "../types/params.js";
+import type { DeployCallbacks } from "../types/callbacks.js";
+import type { ApplicationOperation } from "../types/operations.js";
+import type { DeployServices } from "./serviceFactory.js";
+/**
+ * Run Docker build and push before deploying the Compute stack.
+ * Initialises ECR if needed, then builds and pushes the image.
+ */
+export declare function runDockerBuild(params: DeployParams, services: DeployServices, operation: ApplicationOperation, callbacks: DeployCallbacks): Promise<Result<void>>;

package/dist/src/orchestration/dockerBuildHelper.js

@@ -0,0 +1,49 @@
+import { success, failure } from "@fjall/generator";
+import { maskSensitiveOutput } from "@fjall/util";
+import { STEP_IDS } from "../types/stepDefinitions.js";
+const DOCKER_BUILD_STEP_NAME = "Building and pushing Docker image";
+/**
+ * Run Docker build and push before deploying the Compute stack.
+ * Initialises ECR if needed, then builds and pushes the image.
+ */
+export async function runDockerBuild(params, services, operation, callbacks) {
+    const dockerProvider = params.dockerProvider;
+    if (!dockerProvider)
+        return success(undefined);
+    const accountId = services.awsProvider.getAccountId();
+    if (!accountId) {
+        callbacks.onLog?.("Skipping Docker build — account ID not available", "warn");
+        return success(undefined);
+    }
+    const region = services.awsProvider.getRegion();
+    callbacks.onStepStart?.(STEP_IDS.DOCKER_OPERATIONS, DOCKER_BUILD_STEP_NAME);
+    // Initialise ECR repository (non-fatal — CDK creates it if needed)
+    callbacks.onLog?.("Initialising ECR repository…", "info");
+    const ecrResult = await dockerProvider.initialiseECR({
+        appName: operation.appName,
+        region,
+        accountId
+    });
+    if (!ecrResult.success) {
+        callbacks.onLog?.(`ECR initialisation failed: ${ecrResult.error.message}`, "warn");
+    }
+    // Build and push Docker image
+    callbacks.onLog?.("Building and pushing Docker image…", "info");
+    const buildResult = await dockerProvider.buildAndPush({
+        appName: operation.appName,
+        appPath: operation.path,
+        region,
+        accountId
+    }, (message, percentage, layerId, status) => {
+        callbacks.onDockerProgress?.(maskSensitiveOutput(message), percentage, layerId, status);
+    });
+    if (!buildResult.success) {
+        callbacks.onStepComplete?.(STEP_IDS.DOCKER_OPERATIONS, DOCKER_BUILD_STEP_NAME, "error");
+        const error = new Error(maskSensitiveOutput(buildResult.error.message));
+        callbacks.onError?.(error);
+        return failure(error);
+    }
+    callbacks.onStepComplete?.(STEP_IDS.DOCKER_OPERATIONS, DOCKER_BUILD_STEP_NAME, "completed");
+    callbacks.onLog?.(`Docker image pushed: ${buildResult.data.imageUri}`, "info");
+    return success(undefined);
+}

package/dist/src/orchestration/dockerInterface.d.ts

@@ -43,14 +43,16 @@ export interface TagImagesParams {
 export interface TagImagesResult {
     taggedServices: string[];
 }
+/** Callback for Docker build/push progress reporting. */
+export type DockerProgressCallback = (message: string, percentage?: number, layerId?: string, status?: string) => void;
 /**
  * Interface for Docker operations (build, push, ECR initialisation).
  * CLI provides CliDockerProvider (wraps dockerode-based services).
  * Worker passes undefined (Docker ops skipped until container deployments enabled).
  */
 export interface DockerProvider {
-    buildAndPush(params: DockerBuildParams): Promise<Result<DockerBuildResult>>;
+    buildAndPush(params: DockerBuildParams, onProgress?: DockerProgressCallback): Promise<Result<DockerBuildResult>>;
     initialiseECR(params: ECRInitParams): Promise<Result<ECRInitResult>>;
     /** Tag existing ECR images for ECS services (non-Dockerfile apps). Optional. */
-    tagImages?(params: TagImagesParams): Promise<Result<TagImagesResult>>;
+    tagImages?(params: TagImagesParams, onProgress?: DockerProgressCallback): Promise<Result<TagImagesResult>>;
 }

package/dist/src/orchestration/index.d.ts

@@ -1,8 +1,15 @@
 export { deploy } from "./deploy.js";
+export { destroy } from "./destroy.js";
 export { deployOrganisation } from "./organisationDeploy.js";
-export type { DockerProvider, DockerServiceConfig, DockerBuildParams, DockerBuildResult, ECRInitParams, ECRInitResult, TagImagesParams, TagImagesResult } from "./dockerInterface.js";
+export { destroyOrganisation } from "./organisationDestroy.js";
+export { cleanupFailedStack, isCleanableState, SAFE_CLEANUP_STATES } from "./stackCleanup.js";
+export type { CascadeDestroyAccountResult } from "./cascadeDestroyHelpers.js";
+export { partitionAccounts } from "./cascadeHelpers.js";
+export type { DockerProvider, DockerProgressCallback, DockerServiceConfig, DockerBuildParams, DockerBuildResult, ECRInitParams, ECRInitResult, TagImagesParams, TagImagesResult } from "./dockerInterface.js";
 export type { DomainDeployProvider, DomainConfig, DomainDeployResult } from "./domainInterface.js";
 export type { DeployServices } from "./serviceFactory.js";
 export type { DetectionResult } from "./detectionPipeline.js";
+export { runOpenNextBuild } from "./openNextBuild.js";
 export { runOrganisationSetup } from "./organisationSetup.js";
 export type { OrgSetupPhase, OrgSetupCallbacks, OrgSetupConfig, OrgSetupResult } from "./organisationSetup.js";
+export * from "./builders/index.js";

package/dist/src/orchestration/index.js

@@ -1,3 +1 @@
-export { deploy } from "./deploy.js";
-export { deployOrganisation } from "./organisationDeploy.js";
-export { runOrganisationSetup } from "./organisationSetup.js";
+import{deploy as t}from"./deploy.js";import{destroy as p}from"./destroy.js";import{deployOrganisation as n}from"./organisationDeploy.js";import{destroyOrganisation as x}from"./organisationDestroy.js";import{cleanupFailedStack as m,isCleanableState as l,SAFE_CLEANUP_STATES as s}from"./stackCleanup.js";import{partitionAccounts as u}from"./cascadeHelpers.js";import{runOpenNextBuild as c}from"./openNextBuild.js";import{runOrganisationSetup as A}from"./organisationSetup.js";export*from"./builders/index.js";export{s as SAFE_CLEANUP_STATES,m as cleanupFailedStack,t as deploy,n as deployOrganisation,p as destroy,x as destroyOrganisation,l as isCleanableState,u as partitionAccounts,c as runOpenNextBuild,A as runOrganisationSetup};

package/dist/src/orchestration/manifestSecretParser.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Extract required SSM secret paths from the Fjall manifest.
+ *
+ * Reads `fjall-manifest.json` from the given cdk.out directory and
+ * collects all `ssmSecretsPath/secretName` entries from ECS services
+ * and Lambda functions.
+ *
+ * Returns an empty array if the manifest does not exist, cannot be
+ * parsed, or contains no secrets. Never throws.
+ */
+export declare function parseRequiredSecretsFromManifest(cdkOutPath: string): string[];

package/dist/src/orchestration/manifestSecretParser.js

@@ -0,0 +1 @@
+import{readFileSync as m}from"fs";import{join as y}from"path";import{FJALL_MANIFEST_FILENAME as p}from"@fjall/util/constructMap";import{logger as f}from"@fjall/util/logger";function a(t){return typeof t=="object"&&t!==null&&!Array.isArray(t)}function l(t){const n=y(t,p);let i;try{i=m(n,"utf-8")}catch{return f.debug("manifestSecretParser","Manifest file not readable \u2014 no secrets extracted",{path:n}),[]}let r;try{r=JSON.parse(i)}catch{return f.debug("manifestSecretParser","Manifest is not valid JSON \u2014 no secrets extracted",{path:n}),[]}if(!a(r))return[];const o=[];if(Array.isArray(r.services))for(const s of r.services){if(!a(s))continue;const e=s;if(!(!Array.isArray(e.secrets)||e.secrets.length===0||typeof e.ssmSecretsPath!="string"))for(const c of e.secrets)typeof c=="string"&&o.push(`${e.ssmSecretsPath}/${c}`)}if(Array.isArray(r.lambdas))for(const s of r.lambdas){if(!a(s))continue;const e=s;if(!(!Array.isArray(e.secrets)||e.secrets.length===0||typeof e.ssmSecretsPath!="string"))for(const c of e.secrets)typeof c=="string"&&o.push(`${e.ssmSecretsPath}/${c}`)}return o}export{l as parseRequiredSecretsFromManifest};