@fjall/deploy-core 0.94.1 → 0.96.0

package/dist/src/orchestration/openNextBuild.js

@@ -1,243 +1,3 @@
-/**
- * OpenNext build orchestration for Next.js and Payload applications.
- *
- * Resolves `@opennextjs/aws` from the app's own node_modules (not from
- * deploy-core's dependencies) and runs the build with timeout handling,
- * stream cleanup, and credential masking.
- *
- * For Payload apps, generates the import map before building.
- */
-import { createRequire } from "module";
-import { existsSync, statSync, rmSync } from "fs";
-import { join } from "path";
-import { success, failure } from "@fjall/generator";
-import { filterDangerousEnvVars, maskSensitiveOutput, parseShellArgs } from "@fjall/util";
-import { logger } from "@fjall/util/logger";
-import { isOpenNextPattern } from "../types/patternDetection.js";
-import { spawnWithTimeout } from "./spawnHelpers.js";
-const OPENNEXT_PACKAGE = "@opennextjs/aws";
-/** Default build timeout: 10 minutes */
-export const BUILD_TIMEOUT_MS = 600_000;
-/** Timeout for Payload import map generation: 30 seconds */
-export const IMPORT_MAP_TIMEOUT_MS = 30_000;
-/**
- * Resolve the `open-next` binary from the app's own node_modules.
- *
- * Uses `createRequire` anchored to the app path so that the binary
- * comes from the project's dependencies, not deploy-core's.
- */
-function resolveOpenNextBinary(appPath) {
-    const require = createRequire(join(appPath, "package.json"));
-    let searchPaths;
-    try {
-        searchPaths = require.resolve.paths(OPENNEXT_PACKAGE);
-    }
-    catch (err) {
-        return failure(new Error(`Cannot determine module search paths for ${OPENNEXT_PACKAGE}. ` +
-            `Ensure it is installed in your project. (${err instanceof Error ? err.message : String(err)})`));
-    }
-    if (!searchPaths || searchPaths.length === 0) {
-        return failure(new Error(`Cannot determine module search paths for ${OPENNEXT_PACKAGE}. ` +
-            "Ensure it is installed in your project."));
-    }
-    for (const nodeModulesPath of searchPaths) {
-        const packageDir = join(nodeModulesPath, "@opennextjs", "aws");
-        try {
-            const stat = statSync(packageDir);
-            if (stat.isDirectory()) {
-                const binPath = join(nodeModulesPath, ".bin", "open-next");
-                if (!existsSync(binPath)) {
-                    logger.debug("openNextBuild", "Package found but binary missing", {
-                        nodeModulesPath,
-                        binPath
-                    });
-                    continue;
-                }
-                logger.debug("openNextBuild", "Resolved OpenNext binary", {
-                    binPath
-                });
-                return success(binPath);
-            }
-        }
-        catch (err) {
-            logger.debug("openNextBuild", "Package not at location", {
-                nodeModulesPath,
-                error: String(err)
-            });
-        }
-    }
-    return failure(new Error(`Cannot find ${OPENNEXT_PACKAGE} package. ` +
-        `Ensure it is installed in your project: npm install ${OPENNEXT_PACKAGE}`));
-}
-/**
- * Clean up the `.open-next/` directory on build failure to prevent
- * stale artefacts from being used by a subsequent CDK synth.
- */
-function cleanupOpenNextOutput(appPath) {
-    const openNextDir = join(appPath, ".open-next");
-    if (existsSync(openNextDir)) {
-        try {
-            rmSync(openNextDir, { recursive: true, force: true });
-            logger.debug("openNextBuild", "Cleaned up stale .open-next directory", {
-                path: openNextDir
-            });
-        }
-        catch (err) {
-            logger.debug("openNextBuild", "Failed to clean up .open-next", {
-                error: String(err)
-            });
-        }
-    }
-}
-/**
- * Handle the common error cases (timeout, enoent, spawn_error) from spawnWithTimeout.
- * Returns a failure Result for error cases, or undefined if the result is "success".
- */
-function handleSpawnError(result, labels, onCleanup, onError) {
-    switch (result.type) {
-        case "timeout": {
-            onCleanup?.();
-            onError?.(labels.timeoutMsg);
-            return failure(new Error(labels.timeoutMsg));
-        }
-        case "enoent": {
-            onCleanup?.();
-            onError?.(labels.enoentMsg);
-            return failure(new Error(labels.enoentMsg));
-        }
-        case "spawn_error": {
-            const msg = `${labels.spawnErrorPrefix}: ${result.error.message}`;
-            onCleanup?.();
-            onError?.(msg);
-            return failure(new Error(msg));
-        }
-        default:
-            return undefined;
-    }
-}
-/**
- * Generate the Payload CMS import map before running the OpenNext build.
- */
-async function generatePayloadImportMap(appPath, callbacks) {
-    callbacks.onOpenNextProgress?.(maskSensitiveOutput("Generating Payload import map..."));
-    const [cmd, ...args] = parseShellArgs("npx payload generate:importmap");
-    const safeEnv = filterDangerousEnvVars(globalThis.process.env);
-    const result = await spawnWithTimeout({
-        command: cmd,
-        args,
-        cwd: appPath,
-        env: { ...safeEnv, FORCE_COLOR: "0" },
-        timeout: IMPORT_MAP_TIMEOUT_MS,
-        onStdoutData: (output) => {
-            callbacks.onOpenNextProgress?.(maskSensitiveOutput(output.trim()));
-        }
-    });
-    const spawnError = handleSpawnError(result, {
-        timeoutMsg: `Payload import map generation timed out after ${IMPORT_MAP_TIMEOUT_MS / 1000} seconds`,
-        enoentMsg: "Payload CLI not found. Ensure payload is installed: npm install payload",
-        spawnErrorPrefix: "Failed to generate Payload import map"
-    });
-    if (spawnError)
-        return spawnError;
-    if (result.type !== "success")
-        return failure(new Error("Unexpected spawn result"));
-    if (result.code !== 0) {
-        const maskedOutput = maskSensitiveOutput(result.stderr || result.stdout);
-        return failure(new Error(`Payload import map generation failed (exit code ${result.code}):\n${maskedOutput}`));
-    }
-    logger.debug("openNextBuild", "Payload import map generated", { appPath });
-    callbacks.onOpenNextProgress?.(maskSensitiveOutput("Payload import map generated"));
-    return success(undefined);
-}
-/**
- * Run the OpenNext build for a Next.js or Payload application.
- *
- * Checks pattern and options internally — returns `success(undefined)`
- * when build is not needed (wrong pattern, skipBuild, infraOnly).
- *
- * Must be called BEFORE the detection pipeline and BEFORE the
- * `deployOnly` early-return check, so built artefacts are available
- * for CDK synth.
- */
-export async function runOpenNextBuild(operation, pattern, callbacks, options) {
-    // Guard: skip if not an OpenNext pattern
-    if (!isOpenNextPattern(pattern)) {
-        return success(undefined);
-    }
-    // Guard: skip if build explicitly disabled
-    if (options?.skipBuild || options?.infraOnly) {
-        logger.debug("openNextBuild", "Build skipped", {
-            skipBuild: options?.skipBuild,
-            infraOnly: options?.infraOnly
-        });
-        callbacks.onLog?.(options?.infraOnly
-            ? "Infrastructure-only mode — skipping OpenNext build"
-            : "Build skipped (--skip-build)", "info");
-        return success(undefined);
-    }
-    const appPath = operation.path;
-    // For Payload apps, generate import map first
-    if (pattern === "payload") {
-        const importMapResult = await generatePayloadImportMap(appPath, callbacks);
-        if (!importMapResult.success) {
-            callbacks.onOpenNextBuildError?.(importMapResult.error.message);
-            cleanupOpenNextOutput(appPath);
-            return failure(importMapResult.error);
-        }
-    }
-    // Resolve OpenNext binary from the app's node_modules
-    const binaryResult = resolveOpenNextBinary(appPath);
-    if (!binaryResult.success) {
-        callbacks.onOpenNextBuildError?.(binaryResult.error.message);
-        return failure(binaryResult.error);
-    }
-    const openNextBinary = binaryResult.data;
-    // Start build
-    callbacks.onOpenNextBuildStart?.();
-    callbacks.onOpenNextProgress?.(maskSensitiveOutput("Starting OpenNext build..."));
-    const safeEnv = filterDangerousEnvVars(globalThis.process.env);
-    const projectNodeModules = join(appPath, "node_modules");
-    const result = await spawnWithTimeout({
-        command: openNextBinary,
-        args: ["build"],
-        cwd: appPath,
-        env: {
-            ...safeEnv,
-            FORCE_COLOR: "0",
-            NODE_PATH: projectNodeModules,
-            npm_config_loglevel: "error",
-            PNPM_HOME: safeEnv.PNPM_HOME || ""
-        },
-        timeout: BUILD_TIMEOUT_MS,
-        onStdoutData: (output) => {
-            callbacks.onOpenNextProgress?.(maskSensitiveOutput(output.trim()));
-        },
-        onStderrData: (output) => {
-            callbacks.onOpenNextProgress?.(maskSensitiveOutput(output.trim()));
-        }
-    });
-    const spawnError = handleSpawnError(result, {
-        timeoutMsg: `OpenNext build timed out after ${BUILD_TIMEOUT_MS / 1000} seconds`,
-        enoentMsg: "OpenNext binary not found. Ensure Node.js is installed and in PATH.",
-        spawnErrorPrefix: "Failed to spawn OpenNext build"
-    }, () => cleanupOpenNextOutput(appPath), (msg) => callbacks.onOpenNextBuildError?.(msg));
-    if (spawnError)
-        return spawnError;
-    if (result.type !== "success")
-        return failure(new Error("Unexpected spawn result"));
-    if (result.code !== 0) {
-        cleanupOpenNextOutput(appPath);
-        const maskedOutput = maskSensitiveOutput(result.stderr || result.stdout);
-        callbacks.onOpenNextBuildError?.(`OpenNext build failed (exit code ${result.code})`);
-        return failure(new Error(`OpenNext build failed (exit code ${result.code}):\n${maskedOutput}`));
-    }
-    // Verify .open-next directory was created
-    const openNextDir = join(appPath, ".open-next");
-    if (!existsSync(openNextDir)) {
-        callbacks.onOpenNextBuildError?.("OpenNext build completed but .open-next directory not found");
-        return failure(new Error("OpenNext build completed but .open-next directory not found"));
-    }
-    callbacks.onOpenNextBuildComplete?.();
-    callbacks.onOpenNextProgress?.(maskSensitiveOutput("OpenNext build completed successfully"));
-    return success(undefined);
-}
+import{createRequire as _}from"module";import{existsSync as g,statSync as S,rmSync as $}from"fs";import{join as l}from"path";import{success as f,failure as i}from"@fjall/generator";import{filterDangerousEnvVars as y,maskSensitiveOutput as p,parseShellArgs as v}from"@fjall/util";import{logger as c}from"@fjall/util/logger";import{isOpenNextPattern as b}from"../types/patternDetection.js";import{spawnWithTimeout as E}from"./spawnHelpers.js";const x="@opennextjs/aws",P=6e5,w=3e4;function T(s){const n=_(l(s,"package.json"));let e;try{e=n.resolve.paths(x)}catch(r){return i(new Error(`Cannot determine module search paths for ${x}. Ensure it is installed in your project. (${r instanceof Error?r.message:String(r)})`))}if(!e||e.length===0)return i(new Error(`Cannot determine module search paths for ${x}. Ensure it is installed in your project.`));for(const r of e){const t=l(r,"@opennextjs","aws");try{if(S(t).isDirectory()){const d=l(r,".bin","open-next");if(!g(d)){c.debug("openNextBuild","Package found but binary missing",{nodeModulesPath:r,binPath:d});continue}return c.debug("openNextBuild","Resolved OpenNext binary",{binPath:d}),f(d)}}catch(o){c.debug("openNextBuild","Package not at location",{nodeModulesPath:r,error:String(o)})}}return i(new Error(`Cannot find ${x} package. Ensure it is installed in your project: npm install ${x}`))}function O(s){const n=l(s,".open-next");if(g(n))try{$(n,{recursive:!0,force:!0}),c.debug("openNextBuild","Cleaned up stale .open-next directory",{path:n})}catch(e){c.debug("openNextBuild","Failed to clean up .open-next",{error:String(e)})}}function B(s,n,e,r){switch(s.type){case"timeout":return e?.(),r?.(n.timeoutMsg),i(new Error(n.timeoutMsg));case"enoent":return e?.(),r?.(n.enoentMsg),i(new Error(n.enoentMsg));case"spawn_error":{const t=`${n.spawnErrorPrefix}: ${s.error.message}`;return e?.(),r?.(t),i(new Error(t))}default:return}}async function D(s,n){n.onOpenNextProgress?.(p("Generating Payload import map..."));const[e,...r]=v("npx payload generate:importmap"),t=y(globalThis.process.env),o=await E({command:e,args:r,cwd:s,env:{...t,FORCE_COLOR:"0"},timeout:w,onStdoutData:m=>{n.onOpenNextProgress?.(p(m.trim()))}}),d=B(o,{timeoutMsg:`Payload import map generation timed out after ${w/1e3} seconds`,enoentMsg:"Payload CLI not found. Ensure payload is installed: npm install payload",spawnErrorPrefix:"Failed to generate Payload import map"});if(d)return d;if(o.type!=="success")return i(new Error("Unexpected spawn result"));if(o.code!==0){const m=p(o.stderr||o.stdout);return i(new Error(`Payload import map generation failed (exit code ${o.code}):
+${m}`))}return c.debug("openNextBuild","Payload import map generated",{appPath:s}),n.onOpenNextProgress?.(p("Payload import map generated")),f(void 0)}async function H(s,n,e,r){if(!b(n))return f(void 0);if(r?.skipBuild||r?.infraOnly)return c.debug("openNextBuild","Build skipped",{skipBuild:r?.skipBuild,infraOnly:r?.infraOnly}),e.onLog?.(r?.infraOnly?"Infrastructure-only mode \u2014 skipping OpenNext build":"Build skipped (--skip-build)","info"),f(void 0);const t=s.path;if(n==="payload"){const u=await D(t,e);if(!u.success)return e.onOpenNextBuildError?.(u.error.message),O(t),i(u.error)}const o=T(t);if(!o.success)return e.onOpenNextBuildError?.(o.error.message),i(o.error);const d=o.data;e.onOpenNextBuildStart?.(),e.onOpenNextProgress?.(p("Starting OpenNext build..."));const m=y(globalThis.process.env),M=l(t,"node_modules"),a=await E({command:d,args:["build"],cwd:t,env:{...m,FORCE_COLOR:"0",NODE_PATH:M,npm_config_loglevel:"error",PNPM_HOME:m.PNPM_HOME||""},timeout:P,onStdoutData:u=>{e.onOpenNextProgress?.(p(u.trim()))},onStderrData:u=>{e.onOpenNextProgress?.(p(u.trim()))}}),N=B(a,{timeoutMsg:`OpenNext build timed out after ${P/1e3} seconds`,enoentMsg:"OpenNext binary not found. Ensure Node.js is installed and in PATH.",spawnErrorPrefix:"Failed to spawn OpenNext build"},()=>O(t),u=>e.onOpenNextBuildError?.(u));if(N)return N;if(a.type!=="success")return i(new Error("Unexpected spawn result"));if(a.code!==0){O(t);const u=p(a.stderr||a.stdout);return e.onOpenNextBuildError?.(`OpenNext build failed (exit code ${a.code})`),i(new Error(`OpenNext build failed (exit code ${a.code}):
+${u}`))}const h=l(t,".open-next");return g(h)?(e.onOpenNextBuildComplete?.(),e.onOpenNextProgress?.(p("OpenNext build completed successfully")),f(void 0)):(e.onOpenNextBuildError?.("OpenNext build completed but .open-next directory not found"),i(new Error("OpenNext build completed but .open-next directory not found")))}export{P as BUILD_TIMEOUT_MS,w as IMPORT_MAP_TIMEOUT_MS,H as runOpenNextBuild};

package/dist/src/orchestration/organisationDeploy.js

@@ -1,284 +1,3 @@
-import { success, failure } from "@fjall/generator";
-import { ORGANISATION_TYPES, getOrganisationStackName } from "../types/operations.js";
-import { CdkContextBuilder } from "../services/supporting/CdkContextBuilder.js";
-import { stubCallerIdentity } from "../types/deployment/index.js";
-import { buildParamsContext, collectStackOutputs, synthOrFail, bootstrapOrFail, forwardOutput, forwardResourceProgress } from "./contextHelpers.js";
-import { partitionAccounts, deployCascadeAccount, readPlatformIpamPoolIds, deployDomains } from "./cascadeHelpers.js";
-import { maskSensitiveOutput } from "@fjall/util";
-import { INFRA_STEP_NAME, STEP_IDS } from "../types/stepDefinitions.js";
-/**
- * Organisation deployment orchestration.
- *
- * Handles three target types:
- * - organisation: deploy org infra + cascade to platform + all accounts
- * - platform: deploy platform stack only
- * - account: deploy single account stack
- *
- * Auth and org setup (creating AWS accounts/OUs) are the caller's
- * responsibility. deploy-core receives credentials and deploys.
- */
-export async function deployOrganisation(params, services, operation) {
-    const startTime = Date.now();
-    switch (operation.type) {
-        case ORGANISATION_TYPES.ORGANISATION:
-            return deployOrgWithCascade(params, services, operation, startTime);
-        case ORGANISATION_TYPES.PLATFORM:
-            return deploySingleComponent(params, services, operation, "platform", startTime);
-        case ORGANISATION_TYPES.ACCOUNT:
-            return deploySingleComponent(params, services, operation, "account", startTime);
-        default: {
-            const _exhaustive = operation.type;
-            return failure(new Error(`Unsupported organisation type: ${String(_exhaustive)}`));
-        }
-    }
-}
-/**
- * Build a deployment context for an organisation component.
- */
-function buildOrgContext(params, services, operation, deployType, accountName) {
-    return CdkContextBuilder.buildDeploymentContext({
-        deployType,
-        target: operation.target,
-        path: operation.path,
-        region: services.awsProvider.getRegion(),
-        accountName,
-        callerIdentity: stubCallerIdentity(services.awsProvider.getAccountId()),
-        ...buildParamsContext({
-            orgConfig: params.orgConfig,
-            identity: params.identity,
-            skipOidc: params.options?.skipOidc
-        })
-    }, {
-        verbose: params.options?.verbose,
-        infraOnly: params.options?.infraOnly
-    }, params.orgConfig);
-}
-const INFRA_STEPS = {
-    CONNECT: { id: STEP_IDS.CONNECT, name: INFRA_STEP_NAME.CONNECT },
-    PREPARE: { id: STEP_IDS.PREPARE_ENVIRONMENT, name: INFRA_STEP_NAME.PREPARE },
-    DEPLOY: { id: STEP_IDS.DEPLOY, name: INFRA_STEP_NAME.DEPLOY },
-    MONITORING: { id: STEP_IDS.MONITORING, name: INFRA_STEP_NAME.MONITORING },
-    ORG_DEPLOY: {
-        id: STEP_IDS.ORG_DEPLOY,
-        name: "Deploying organisation infrastructure"
-    }
-};
-const INFRA_STEP_TOTAL = 4;
-/**
- * Deploy a single organisation component (platform or account).
- *
- * Emits 4 named steps from INFRASTRUCTURE_STEP_NAMES: Connect securely →
- * Prepare environment → Deploy infrastructure → Enable monitoring.
- */
-async function deploySingleComponent(params, services, operation, deployType, startTime) {
-    const { callbacks } = params;
-    // Step 1: Connect securely — already seeded by the webapp trigger.
-    // Complete it now: credentials are available by the time deploy-core runs.
-    callbacks.onStepComplete?.(INFRA_STEPS.CONNECT.id, INFRA_STEPS.CONNECT.name, "completed", 0, INFRA_STEP_TOTAL);
-    // Step 2: Prepare environment (synth + bootstrap)
-    callbacks.onStepStart?.(INFRA_STEPS.PREPARE.id, INFRA_STEPS.PREPARE.name, 1, INFRA_STEP_TOTAL);
-    const context = buildOrgContext(params, services, operation, deployType, deployType === "account" ? operation.target : undefined);
-    // Synth
-    callbacks.onLog?.(`Synthesising ${deployType} infrastructure…`, "info");
-    const synthResult = await synthOrFail(services, context, callbacks, "CDK synthesis failed");
-    if (!synthResult.success) {
-        callbacks.onStepComplete?.(INFRA_STEPS.PREPARE.id, INFRA_STEPS.PREPARE.name, "error", 1, INFRA_STEP_TOTAL);
-        return synthResult;
-    }
-    // Bootstrap
-    const bsResult = await bootstrapOrFail(services, context, callbacks);
-    if (!bsResult.success) {
-        callbacks.onStepComplete?.(INFRA_STEPS.PREPARE.id, INFRA_STEPS.PREPARE.name, "error", 1, INFRA_STEP_TOTAL);
-        return bsResult;
-    }
-    callbacks.onStepComplete?.(INFRA_STEPS.PREPARE.id, INFRA_STEPS.PREPARE.name, "completed", 1, INFRA_STEP_TOTAL);
-    // Step 3: Deploy infrastructure
-    const stackName = getOrganisationStackName(operation.type);
-    callbacks.onStepStart?.(INFRA_STEPS.DEPLOY.id, INFRA_STEPS.DEPLOY.name, 2, INFRA_STEP_TOTAL);
-    const deployResult = await services.cdkService.runCdkDeploy(context, stackName, forwardOutput(callbacks), forwardResourceProgress(callbacks), services.awsProvider);
-    if (!deployResult.success) {
-        callbacks.onStepComplete?.(INFRA_STEPS.DEPLOY.id, INFRA_STEPS.DEPLOY.name, "error", 2, INFRA_STEP_TOTAL);
-        const error = new Error(maskSensitiveOutput(deployResult.error));
-        callbacks.onError?.(error);
-        return failure(error);
-    }
-    callbacks.onStepComplete?.(INFRA_STEPS.DEPLOY.id, INFRA_STEPS.DEPLOY.name, "completed", 2, INFRA_STEP_TOTAL);
-    // Capture CloudFormation outputs (OIDC role ARN, etc.)
-    const outputsResult = await services.cfnService.getStackOutputs(stackName);
-    if (!outputsResult.success) {
-        callbacks.onLog?.("Failed to read stack outputs (non-critical)", "debug");
-    }
-    const outputs = collectStackOutputs(outputsResult);
-    // Step 4: Enable monitoring — CloudTrail + alarms are part of the
-    // Account stack. Signal post-deploy readiness.
-    callbacks.onStepStart?.(INFRA_STEPS.MONITORING.id, INFRA_STEPS.MONITORING.name, 3, INFRA_STEP_TOTAL);
-    callbacks.onStepComplete?.(INFRA_STEPS.MONITORING.id, INFRA_STEPS.MONITORING.name, "completed", 3, INFRA_STEP_TOTAL);
-    return success({
-        target: operation.target,
-        deploymentType: "organisation",
-        outputs,
-        durationMs: Date.now() - startTime
-    });
-}
-/**
- * Full organisation deployment with cascade to platform + member accounts.
- */
-async function deployOrgWithCascade(params, services, operation, startTime) {
-    const { callbacks, options } = params;
-    const providerAccounts = params.orgConfig?.providerAccounts ?? [];
-    const context = buildOrgContext(params, services, operation, "organisation");
-    // Compute step counts upfront so pre-deploy failures can reference them
-    const cascadeEnabled = options?.cascade !== false;
-    const cascadeAccountCount = cascadeEnabled ? providerAccounts.length : 0;
-    // Steps: prepare (synth+bootstrap) + org-deploy + cascade accounts
-    const totalSteps = 2 + cascadeAccountCount;
-    const { id: prepareStepId, name: prepareStepName } = INFRA_STEPS.PREPARE;
-    // Step 0: Prepare (synth + bootstrap)
-    callbacks.onStepStart?.(prepareStepId, prepareStepName, 0, totalSteps);
-    // Synth
-    callbacks.onLog?.("Synthesising organisation infrastructure…", "info");
-    const synthResult = await synthOrFail(services, context, callbacks, "CDK synthesis failed");
-    if (!synthResult.success) {
-        callbacks.onStepComplete?.(prepareStepId, prepareStepName, "error", 0, totalSteps);
-        return synthResult;
-    }
-    // Bootstrap org account
-    const bsResult = await bootstrapOrFail(services, context, callbacks);
-    if (!bsResult.success) {
-        callbacks.onStepComplete?.(prepareStepId, prepareStepName, "error", 0, totalSteps);
-        return bsResult;
-    }
-    callbacks.onStepComplete?.(prepareStepId, prepareStepName, "completed", 0, totalSteps);
-    // Step 1: Deploy org infrastructure
-    const { id: orgStepId, name: orgStepName } = INFRA_STEPS.ORG_DEPLOY;
-    callbacks.onStepStart?.(orgStepId, orgStepName, 1, totalSteps);
-    const orgStackName = getOrganisationStackName(ORGANISATION_TYPES.ORGANISATION);
-    const orgResult = await services.cdkService.runCdkDeploy(context, orgStackName, forwardOutput(callbacks), forwardResourceProgress(callbacks), services.awsProvider);
-    if (!orgResult.success) {
-        callbacks.onStepComplete?.(orgStepId, orgStepName, "error", 1, totalSteps);
-        const error = new Error(maskSensitiveOutput(orgResult.error));
-        callbacks.onError?.(error);
-        return failure(error);
-    }
-    // Capture org root stack outputs (OIDC role ARN, etc.)
-    const orgOutputsResult = await services.cfnService.getStackOutputs(orgStackName);
-    if (!orgOutputsResult.success) {
-        callbacks.onLog?.("Failed to read org stack outputs (non-critical)", "debug");
-    }
-    const orgOutputs = collectStackOutputs(orgOutputsResult);
-    callbacks.onStepComplete?.(orgStepId, orgStepName, "completed", 1, totalSteps);
-    // Cascade to platform + domains + member accounts
-    const cascadeErrors = [];
-    const allCascadeOutputs = [];
-    if (cascadeEnabled && providerAccounts.length > 0) {
-        callbacks.onCascadeStart?.();
-        let accountsDeployed = 0;
-        let platformDeployed = false;
-        let domainsDeployed = false;
-        // Phase 1: Deploy platform account
-        const { platformAccount, memberAccounts } = partitionAccounts(providerAccounts);
-        if (platformAccount) {
-            callbacks.onCascadePhaseStart?.("platform");
-            const platformResult = await deployCascadeAccount(params, services, operation, platformAccount, "platform", callbacks);
-            if (platformResult.success) {
-                platformDeployed = true;
-                if (platformResult.data.outputs) {
-                    allCascadeOutputs.push({
-                        accountId: platformAccount.id,
-                        outputs: platformResult.data.outputs
-                    });
-                }
-            }
-            else {
-                cascadeErrors.push({
-                    accountId: platformAccount.id,
-                    error: platformResult.error.message
-                });
-            }
-            callbacks.onCascadePhaseComplete?.("platform");
-        }
-        // Phase 1.5: Read Platform stack outputs for IPAM pool IDs
-        let ipamPoolIds = new Map();
-        if (platformDeployed && platformAccount) {
-            ipamPoolIds = await readPlatformIpamPoolIds(services, platformAccount, callbacks);
-        }
-        // Phase 2: Deploy domains (apex sequential, delegated parallel)
-        if (params.domainProvider) {
-            const domainResult = await deployDomains(params.domainProvider, callbacks);
-            domainsDeployed = domainResult.domainsDeployed > 0;
-            for (const err of domainResult.errors) {
-                cascadeErrors.push({
-                    accountId: "domains",
-                    error: maskSensitiveOutput(err)
-                });
-            }
-        }
-        // Phase 3: Deploy member accounts in parallel
-        if (memberAccounts.length > 0) {
-            callbacks.onCascadePhaseStart?.("accounts");
-            const region = services.awsProvider.getRegion();
-            const memberSettled = await Promise.allSettled(memberAccounts.map((account) => {
-                const regionSuffix = region.replace(/-/g, "");
-                const ipamPoolId = ipamPoolIds.get(`${account.id}-${regionSuffix}`);
-                return deployCascadeAccount(params, services, operation, account, "account", callbacks, ipamPoolId);
-            }));
-            memberSettled.forEach((settled, j) => {
-                const account = memberAccounts[j];
-                if (!account)
-                    return;
-                if (settled.status === "rejected") {
-                    cascadeErrors.push({
-                        accountId: account.id,
-                        error: maskSensitiveOutput(settled.reason instanceof Error
-                            ? settled.reason.message
-                            : String(settled.reason))
-                    });
-                    return;
-                }
-                const result = settled.value;
-                if (result.success) {
-                    accountsDeployed++;
-                    if (result.data.outputs) {
-                        allCascadeOutputs.push({
-                            accountId: account.id,
-                            outputs: result.data.outputs
-                        });
-                    }
-                }
-                else {
-                    cascadeErrors.push({
-                        accountId: account.id,
-                        error: result.error.message
-                    });
-                }
-            });
-            callbacks.onCascadePhaseComplete?.("accounts");
-        }
-        callbacks.onCascadeComplete?.({
-            platformDeployed,
-            domainsDeployed,
-            accountsDeployed,
-            accountsFailed: cascadeErrors.length,
-            errors: cascadeErrors
-        });
-        if (cascadeErrors.length > 0) {
-            const errorSummary = cascadeErrors
-                .map((e) => `  ${e.accountId}: ${e.error}`)
-                .join("\n");
-            callbacks.onLog?.(maskSensitiveOutput(`Cascade completed with ${cascadeErrors.length} failure(s):\n${errorSummary}`), "warn");
-        }
-    }
-    const warnings = cascadeErrors.length > 0
-        ? cascadeErrors.map((e) => maskSensitiveOutput(`${e.accountId}: ${e.error}`))
-        : undefined;
-    return success({
-        target: operation.target,
-        deploymentType: "organisation",
-        outputs: orgOutputs,
-        ...(allCascadeOutputs.length > 0
-            ? { cascadeOutputs: allCascadeOutputs }
-            : {}),
-        durationMs: Date.now() - startTime,
-        warnings
-    });
-}
+import{success as K,failure as M}from"@fjall/generator";import{ORGANISATION_TYPES as h,getOrganisationStackName as U}from"../types/operations.js";import{CdkContextBuilder as Z}from"../services/supporting/CdkContextBuilder.js";import{stubCallerIdentity as tt}from"../types/deployment/index.js";import{buildParamsContext as et,collectStackOutputs as v,synthOrFail as B,bootstrapOrFail as V,forwardOutput as W,forwardResourceProgress as q}from"./contextHelpers.js";import{partitionAccounts as ot,deployCascadeAccount as z,readPlatformIpamPoolIds as nt,deployDomains as rt}from"./cascadeHelpers.js";import{maskSensitiveOutput as E}from"@fjall/util";import{INFRA_STEP_NAME as w,STEP_IDS as I}from"../types/stepDefinitions.js";async function ft(n,e,a){const s=Date.now();switch(a.type){case h.ORGANISATION:return at(n,e,a,s);case h.PLATFORM:return J(n,e,a,"platform",s);case h.ACCOUNT:return J(n,e,a,"account",s);default:{const t=a.type;return M(new Error(`Unsupported organisation type: ${String(t)}`))}}}function H(n,e,a,s,t){return Z.buildDeploymentContext({deployType:s,target:a.target,path:a.path,region:e.awsProvider.getRegion(),accountName:t,callerIdentity:tt(e.awsProvider.getAccountId()),...et({orgConfig:n.orgConfig,identity:n.identity,skipOidc:n.options?.skipOidc})},{verbose:n.options?.verbose,infraOnly:n.options?.infraOnly},n.orgConfig)}const o={CONNECT:{id:I.CONNECT,name:w.CONNECT},PREPARE:{id:I.PREPARE_ENVIRONMENT,name:w.PREPARE},DEPLOY:{id:I.DEPLOY,name:w.DEPLOY},MONITORING:{id:I.MONITORING,name:w.MONITORING},ORG_DEPLOY:{id:I.ORG_DEPLOY,name:"Deploying organisation infrastructure"}},d=4;async function J(n,e,a,s,t){const{callbacks:r}=n;r.onStepComplete?.(o.CONNECT.id,o.CONNECT.name,"completed",0,d),r.onStepStart?.(o.PREPARE.id,o.PREPARE.name,1,d);const m=H(n,e,a,s,s==="account"?a.target:void 0);r.onLog?.(`Synthesising ${s} infrastructure\u2026`,"info");const g=await B(e,m,r,"CDK synthesis failed");if(!g.success)return r.onStepComplete?.(o.PREPARE.id,o.PREPARE.name,"error",1,d),g;const R=await V(e,m,r);if(!R.success)return r.onStepComplete?.(o.PREPARE.id,o.PREPARE.name,"error",1,d),R;r.onStepComplete?.(o.PREPARE.id,o.PREPARE.name,"completed",1,d);const D=U(a.type);r.onStepStart?.(o.DEPLOY.id,o.DEPLOY.name,2,d);const u=await e.cdkService.runCdkDeploy(m,D,W(r),q(r),e.awsProvider);if(!u.success){r.onStepComplete?.(o.DEPLOY.id,o.DEPLOY.name,"error",2,d);const C=new Error(E(u.error));return r.onError?.(C),M(C)}r.onStepComplete?.(o.DEPLOY.id,o.DEPLOY.name,"completed",2,d);const f=await e.cfnService.getStackOutputs(D);f.success||r.onLog?.("Failed to read stack outputs (non-critical)","debug");const O=v(f);return r.onStepStart?.(o.MONITORING.id,o.MONITORING.name,3,d),r.onStepComplete?.(o.MONITORING.id,o.MONITORING.name,"completed",3,d),K({target:a.target,deploymentType:"organisation",outputs:O,durationMs:Date.now()-t})}async function at(n,e,a,s){const{callbacks:t,options:r}=n,m=n.orgConfig?.providerAccounts??[],g=H(n,e,a,"organisation"),R=r?.cascade!==!1,u=2+(R?m.length:0),{id:f,name:O}=o.PREPARE;t.onStepStart?.(f,O,0,u),t.onLog?.("Synthesising organisation infrastructure\u2026","info");const C=await B(e,g,t,"CDK synthesis failed");if(!C.success)return t.onStepComplete?.(f,O,"error",0,u),C;const Y=await V(e,g,t);if(!Y.success)return t.onStepComplete?.(f,O,"error",0,u),Y;t.onStepComplete?.(f,O,"completed",0,u);const{id:T,name:L}=o.ORG_DEPLOY;t.onStepStart?.(T,L,1,u);const _=U(h.ORGANISATION),$=await e.cdkService.runCdkDeploy(g,_,W(t),q(t),e.awsProvider);if(!$.success){t.onStepComplete?.(T,L,"error",1,u);const l=new Error(E($.error));return t.onError?.(l),M(l)}const x=await e.cfnService.getStackOutputs(_);x.success||t.onLog?.("Failed to read org stack outputs (non-critical)","debug");const Q=v(x);t.onStepComplete?.(T,L,"completed",1,u);const c=[],y=[];if(R&&m.length>0){t.onCascadeStart?.();let l=0,k=!1,F=!1;const{platformAccount:P,memberAccounts:b}=ot(m);if(P){t.onCascadePhaseStart?.("platform");const i=await z(n,e,a,P,"platform",t);i.success?(k=!0,i.data.outputs&&y.push({accountId:P.id,outputs:i.data.outputs})):c.push({accountId:P.id,error:i.error.message}),t.onCascadePhaseComplete?.("platform")}let j=new Map;if(k&&P&&(j=await nt(e,P,t)),n.domainProvider){const i=await rt(n.domainProvider,t);F=i.domainsDeployed>0;for(const N of i.errors)c.push({accountId:"domains",error:E(N)})}if(b.length>0){t.onCascadePhaseStart?.("accounts");const i=e.awsProvider.getRegion();(await Promise.allSettled(b.map(p=>{const G=i.replace(/-/g,""),S=j.get(`${p.id}-${G}`);return z(n,e,a,p,"account",t,S)}))).forEach((p,G)=>{const S=b[G];if(!S)return;if(p.status==="rejected"){c.push({accountId:S.id,error:E(p.reason instanceof Error?p.reason.message:String(p.reason))});return}const A=p.value;A.success?(l++,A.data.outputs&&y.push({accountId:S.id,outputs:A.data.outputs})):c.push({accountId:S.id,error:A.error.message})}),t.onCascadePhaseComplete?.("accounts")}if(t.onCascadeComplete?.({platformDeployed:k,domainsDeployed:F,accountsDeployed:l,accountsFailed:c.length,errors:c}),c.length>0){const i=c.map(N=>`  ${N.accountId}: ${N.error}`).join(`
+`);t.onLog?.(E(`Cascade completed with ${c.length} failure(s):
+${i}`),"warn")}}const X=c.length>0?c.map(l=>E(`${l.accountId}: ${l.error}`)):void 0;return K({target:a.target,deploymentType:"organisation",outputs:Q,...y.length>0?{cascadeOutputs:y}:{},durationMs:Date.now()-s,warnings:X})}export{ft as deployOrganisation};