@fjall/deploy-core 2.9.1 → 2.11.1

package/dist/.minified

@@ -1 +1 @@
-120 files minified at 2026-06-02T21:42:55.155Z
+121 files minified at 2026-06-07T01:02:15.647Z

package/dist/src/aws/organisations/backup.d.ts

@@ -34,3 +34,31 @@ export declare function accountHasDisasterRecovery(environment: string | undefin
  * into a broken by-reference deploy.
  */
 export declare function describeBackupVaultExists(client: BackupClient): Promise<Result<boolean>>;
+/**
+ * A backup vault that survives stack teardown (vault + KMS key are
+ * RemovalPolicy.RETAIN). Populated from a single DescribeBackupVault call —
+ * deliberately NOT paginating recovery points, which on a populated vault would
+ * be tens of API calls inside a destroy gate. Per-point expiry detail belongs
+ * in the dedicated `fjall backup status` view (G4).
+ */
+export interface SurvivingBackupVault {
+    vaultName: string;
+    region: string;
+    locked: boolean;
+    lockDate?: Date;
+    lockPermanent: boolean;
+    recoveryPointCount: number;
+    encryptionKeyArn?: string;
+}
+/**
+ * Probe the fixed-name DR vault for what survives a destroy. Returns
+ * success(null) when no vault exists (ResourceNotFoundException); every other
+ * error propagates as failure for the caller to treat as best-effort.
+ */
+export declare function describeSurvivingBackupVault(client: BackupClient, region: string): Promise<Result<SurvivingBackupVault | null>>;
+/**
+ * Honest, non-suppressible warning for a backup vault a destroy cannot remove.
+ * The vault and its KMS key are RemovalPolicy.RETAIN — CloudFormation marks them
+ * DELETE_SKIPPED and reports the destroy clean; this makes the orphan visible.
+ */
+export declare function formatSurvivingVaultWarning(vault: SurvivingBackupVault): string;

package/dist/src/aws/organisations/backup.js

@@ -1 +1,2 @@
-import{DescribeBackupVaultCommand as c,UpdateGlobalSettingsCommand as l}from"@aws-sdk/client-backup";import{success as r,failure as n}from"@fjall/generator";import{getErrorMessage as o,maskSensitiveOutput as p}from"@fjall/util";import{SDK_TIMEOUT_MS as i}from"./types.js";const s="backupVault",d={enableCrossAccountBackup:!0,enableDelegatedAdministrator:!0,enableMpa:!1};async function S(e,t){try{const a={...d,...t},u={isCrossAccountBackupEnabled:a.enableCrossAccountBackup.toString(),isDelegatedAdministratorEnabled:a.enableDelegatedAdministrator.toString(),isMpaEnabled:a.enableMpa.toString()};return await e.send(new l({GlobalSettings:u}),{abortSignal:AbortSignal.timeout(i)}),r(void 0)}catch(a){return n(new Error(`Failed to update backup global settings: ${o(a)}`))}}function A(e,t){return t===void 0||t===""?!1:e==="production"||e==="compliance"}async function E(e){try{return await e.send(new c({BackupVaultName:s}),{abortSignal:AbortSignal.timeout(i)}),r(!0)}catch(t){return t instanceof Error&&t.name==="ResourceNotFoundException"?r(!1):n(new Error(`Failed to describe backup vault "${s}": ${p(o(t))}`))}}export{s as BACKUP_VAULT_NAME,A as accountHasDisasterRecovery,E as describeBackupVaultExists,S as updateBackupGlobalSettings};
+import{DescribeBackupVaultCommand as s,UpdateGlobalSettingsCommand as p}from"@aws-sdk/client-backup";import{success as o,failure as i}from"@fjall/generator";import{getErrorMessage as c,maskSensitiveOutput as l}from"@fjall/util";import{SDK_TIMEOUT_MS as u}from"./types.js";const a="backupVault",m={enableCrossAccountBackup:!0,enableDelegatedAdministrator:!0,enableMpa:!1};async function y(e,t){try{const n={...m,...t},r={isCrossAccountBackupEnabled:n.enableCrossAccountBackup.toString(),isDelegatedAdministratorEnabled:n.enableDelegatedAdministrator.toString(),isMpaEnabled:n.enableMpa.toString()};return await e.send(new p({GlobalSettings:r}),{abortSignal:AbortSignal.timeout(u)}),o(void 0)}catch(n){return i(new Error(`Failed to update backup global settings: ${c(n)}`))}}function S(e,t){return t===void 0||t===""?!1:e==="production"||e==="compliance"}async function A(e){try{return await e.send(new s({BackupVaultName:a}),{abortSignal:AbortSignal.timeout(u)}),o(!0)}catch(t){return t instanceof Error&&t.name==="ResourceNotFoundException"?o(!1):i(new Error(`Failed to describe backup vault "${a}": ${l(c(t))}`))}}async function E(e,t){try{const n=await e.send(new s({BackupVaultName:a}),{abortSignal:AbortSignal.timeout(u)}),r=n.LockDate,d=r!==void 0&&r.getTime()<=Date.now();return o({vaultName:n.BackupVaultName??a,region:t,locked:n.Locked??!1,...r!==void 0&&{lockDate:r},lockPermanent:d,recoveryPointCount:n.NumberOfRecoveryPoints??0,...n.EncryptionKeyArn!==void 0&&{encryptionKeyArn:n.EncryptionKeyArn}})}catch(n){return n instanceof Error&&n.name==="ResourceNotFoundException"?o(null):i(new Error(`Failed to describe surviving backup vault "${a}": ${l(c(n))}`))}}function v(e){const t=e.locked?e.lockPermanent?"compliance-locked, PERMANENT \u2014 cannot be removed by anyone, including AWS or the root user":e.lockDate!==void 0?`compliance-locked, immutable from ${e.lockDate.toISOString().slice(0,10)}`:"governance-locked \u2014 removable by privileged IAM":"unlocked";return[`Backup vault "${e.vaultName}" in ${e.region} SURVIVES this destroy.`,`  \u2022 Lock: ${t}`,`  \u2022 Recovery points retained: ${e.recoveryPointCount}`,...e.encryptionKeyArn!==void 0?[`  \u2022 Retained KMS key (also orphaned): ${e.encryptionKeyArn}`]:[],"  The vault and its KMS key are RemovalPolicy.RETAIN \u2014 destroy cannot delete them."].join(`
+`)}export{a as BACKUP_VAULT_NAME,S as accountHasDisasterRecovery,A as describeBackupVaultExists,E as describeSurvivingBackupVault,v as formatSurvivingVaultWarning,y as updateBackupGlobalSettings};

package/dist/src/orchestration/cascadeDestroyHelpers.js

@@ -1 +1 @@
-import{logger as S}from"@fjall/util/logger";import{maskSensitiveOutput as s,getErrorMessage as E}from"@fjall/util";import{stubCallerIdentity as P}from"../types/deployment/index.js";import{CloudFormationClient as $,DescribeStacksCommand as R}from"@aws-sdk/client-cloudformation";import{NodeHttpHandler as O}from"@smithy/node-http-handler";import{ORGANISATION_TYPES as h,getOrganisationStackName as _}from"../types/operations.js";import{CdkContextBuilder as k}from"../services/supporting/CdkContextBuilder.js";import{buildParamsContext as F,assumeCascadeRole as x,forwardOutput as I}from"./contextHelpers.js";import{cleanupFailedStack as L}from"./stackCleanup.js";import{STACK_NOT_FOUND_PATTERN as M,STACK_FAILED_STATE_PATTERN as K}from"../types/constants.js";async function V(c,i,m,t,o,e,r){const n=Date.now(),a=`${t.name} (${e})`;r.onCascadeAccountStart?.(a,t.id,e,o);const f=await x(i.awsProvider,t.id,e,`fjall-cascade-destroy-${t.name}`);if(!f.success)return r.onCascadeAccountComplete?.(a,!1,s(f.error.message),e),{accountName:t.name,accountId:t.id,region:e,success:!1,duration:Date.now()-n,error:`AssumeRole failed: ${s(f.error.message)}`};const{provider:v,credentials:l}=f.data,A=k.buildDeploymentContext({deployType:o,target:m.target,path:m.path,region:e,accountName:t.name,callerIdentity:P(t.id),...F({orgConfig:c.orgConfig,identity:c.identity})},{verbose:c.options?.verbose},c.orgConfig);r.onCascadeAccountPhaseChange?.(a,"synth",e);const w=await i.cdkService.runCdkSynth(A,I(r));if(!w.success){const d=s(`Synth failed: ${w.error}`);return r.onCascadeAccountComplete?.(a,!1,d,e),{accountName:t.name,accountId:t.id,region:e,success:!1,duration:Date.now()-n,error:d}}r.onCascadeAccountPhaseChange?.(a,"destroy",e);const u=_(o==="platform"?h.PLATFORM:h.ACCOUNT),y=await i.cdkService.runCdkDestroy(A,u,I(r),d=>r.onCascadeAccountResourceProgress?.(a,d,e),v,!0,l);if(!y.success){const d=y.error;if(d.includes(K)){S.warn("cascadeDestroy",`CDK destroy failed on ${u} in failed state, retrying via CloudFormation API`,{region:e,account:t.name});try{await L(u,e,l,void 0,r)}catch(C){const T=`cleanupFailedStack threw for ${u}: ${s(E(C))}`;S.warn("cascadeDestroy",T),r.onLog?.(T,"warn")}const p=await H(u,e,l);if(p.deleted)return r.onCascadeAccountComplete?.(a,!0,void 0,e),{accountName:t.name,accountId:t.id,region:e,success:!0,duration:Date.now()-n};if(p.error){const C=s(p.error);return r.onCascadeAccountComplete?.(a,!1,C,e),{accountName:t.name,accountId:t.id,region:e,success:!1,duration:Date.now()-n,error:C}}const N=s(`Stack ${u} cleanup attempted but stack still exists in ${e}`);return r.onCascadeAccountComplete?.(a,!1,N,e),{accountName:t.name,accountId:t.id,region:e,success:!1,duration:Date.now()-n,error:N}}const D=s(d);return r.onCascadeAccountComplete?.(a,!1,D,e),{accountName:t.name,accountId:t.id,region:e,success:!1,duration:Date.now()-n,error:D}}return r.onCascadeAccountComplete?.(a,!0,void 0,e),{accountName:t.name,accountId:t.id,region:e,success:!0,duration:Date.now()-n}}async function H(c,i,m){try{const e=(await new $({region:i,credentials:m,requestHandler:new O({requestTimeout:15e3})}).send(new R({StackName:c}))).Stacks?.[0]?.StackStatus;return!e||e==="DELETE_COMPLETE"?{deleted:!0}:{deleted:!1,error:`Stack still in ${e} after cleanup attempt`}}catch(t){if(t instanceof Error&&t.message?.includes(M))return{deleted:!0};const o=s(E(t));return S.debug("cascadeDestroy","Stack verification failed",{error:o}),{deleted:!1,error:`Stack verification failed: ${o}`}}}export{V as destroyCascadeAccount};
+import{logger as f}from"@fjall/util/logger";import{maskSensitiveOutput as s,getErrorMessage as y}from"@fjall/util";import{stubCallerIdentity as E}from"../types/deployment/index.js";import{CloudFormationClient as I,DescribeStacksCommand as R}from"@aws-sdk/client-cloudformation";import{BackupClient as $}from"@aws-sdk/client-backup";import{accountHasDisasterRecovery as g,describeSurvivingBackupVault as O,formatSurvivingVaultWarning as _}from"../aws/organisations/backup.js";import{NodeHttpHandler as B}from"@smithy/node-http-handler";import{ORGANISATION_TYPES as k,getOrganisationStackName as F}from"../types/operations.js";import{CdkContextBuilder as x}from"../services/supporting/CdkContextBuilder.js";import{buildParamsContext as L,assumeCascadeRole as M,forwardOutput as T}from"./contextHelpers.js";import{cleanupFailedStack as H}from"./stackCleanup.js";import{STACK_NOT_FOUND_PATTERN as K,STACK_FAILED_STATE_PATTERN as V}from"../types/constants.js";async function re(n,o,i,e,c,t,r){const d=Date.now(),a=`${e.name} (${t})`;r.onCascadeAccountStart?.(a,e.id,t,c);const l=await M(o.awsProvider,e.id,t,`fjall-cascade-destroy-${e.name}`);if(!l.success)return r.onCascadeAccountComplete?.(a,!1,s(l.error.message),t),{accountName:e.name,accountId:e.id,region:t,success:!1,duration:Date.now()-d,error:`AssumeRole failed: ${s(l.error.message)}`};const{provider:w,credentials:p}=l.data,S=x.buildDeploymentContext({deployType:c,target:i.target,path:i.path,region:t,accountName:e.name,callerIdentity:E(e.id),...L({orgConfig:n.orgConfig,identity:n.identity})},{verbose:n.options?.verbose},n.orgConfig);r.onCascadeAccountPhaseChange?.(a,"synth",t);const A=await o.cdkService.runCdkSynth(S,T(r));if(!A.success){const u=s(`Synth failed: ${A.error}`);return r.onCascadeAccountComplete?.(a,!1,u,t),{accountName:e.name,accountId:e.id,region:t,success:!1,duration:Date.now()-d,error:u}}r.onCascadeAccountPhaseChange?.(a,"destroy",t);const m=F(c==="platform"?k.PLATFORM:k.ACCOUNT);g(e.environment,n.orgConfig?.disasterRecoveryRegion)&&await q(w.getClient($),t,r);const D=await o.cdkService.runCdkDestroy(S,m,T(r),u=>r.onCascadeAccountResourceProgress?.(a,u,t),w,!0,p);if(!D.success){const u=D.error;if(u.includes(V)){f.warn("cascadeDestroy",`CDK destroy failed on ${m} in failed state, retrying via CloudFormation API`,{region:t,account:e.name});try{await H(m,t,p,void 0,r)}catch(C){const h=`cleanupFailedStack threw for ${m}: ${s(y(C))}`;f.warn("cascadeDestroy",h),r.onLog?.(h,"warn")}const v=await U(m,t,p);if(v.deleted)return r.onCascadeAccountComplete?.(a,!0,void 0,t),{accountName:e.name,accountId:e.id,region:t,success:!0,duration:Date.now()-d};if(v.error){const C=s(v.error);return r.onCascadeAccountComplete?.(a,!1,C,t),{accountName:e.name,accountId:e.id,region:t,success:!1,duration:Date.now()-d,error:C}}const P=s(`Stack ${m} cleanup attempted but stack still exists in ${t}`);return r.onCascadeAccountComplete?.(a,!1,P,t),{accountName:e.name,accountId:e.id,region:t,success:!1,duration:Date.now()-d,error:P}}const N=s(u);return r.onCascadeAccountComplete?.(a,!1,N,t),{accountName:e.name,accountId:e.id,region:t,success:!1,duration:Date.now()-d,error:N}}return r.onCascadeAccountComplete?.(a,!0,void 0,t),{accountName:e.name,accountId:e.id,region:t,success:!0,duration:Date.now()-d}}async function q(n,o,i){try{const e=await O(n,o);if(!e.success){f.debug("cascadeDestroy","Backup-vault survival probe failed",{region:o,error:s(e.error.message)});return}if(e.data===null)return;i.onProgress?.({type:"warning",message:_(e.data),metadata:{source:"backup-vault-survival"}}),f.warn("cascadeDestroy","Backup vault survives destroy",{region:o,vaultName:e.data.vaultName,recoveryPointCount:e.data.recoveryPointCount,lockPermanent:e.data.lockPermanent})}catch(e){f.debug("cascadeDestroy","Backup-vault survival probe threw",{region:o,error:s(y(e))})}}async function U(n,o,i){try{const t=(await new I({region:o,credentials:i,requestHandler:new B({requestTimeout:15e3})}).send(new R({StackName:n}))).Stacks?.[0]?.StackStatus;return!t||t==="DELETE_COMPLETE"?{deleted:!0}:{deleted:!1,error:`Stack still in ${t} after cleanup attempt`}}catch(e){if(e instanceof Error&&e.message?.includes(K))return{deleted:!0};const c=s(y(e));return f.debug("cascadeDestroy","Stack verification failed",{error:c}),{deleted:!1,error:`Stack verification failed: ${c}`}}}export{re as destroyCascadeAccount};

package/dist/src/orchestration/detectionPipeline.js

@@ -1 +1 @@
-import{join as E}from"path";import{success as $,failure as d}from"@fjall/generator";import{logger as H}from"@fjall/util/logger";import{maskSensitiveOutput as u}from"@fjall/util";import{deriveResourcesFromManifestStacks as F}from"../types/patternDetection.js";import{emitProgress as C,PROGRESS_MESSAGES as D}from"../services/supporting/helpers.js";import{parseRequiredSecretsFromManifest as M}from"./manifestSecretParser.js";import{parseDockerServicesFromManifest as x}from"@fjall/util/manifest";async function K(o,t,P,e){e.onDetectionPhaseChange?.("detect","started");const f=t.frameworkRegistry.resolve({appPath:o.path}),p=f?.detection.pattern??null,y=f?.detection.hasDatabase??!1;e.onLog?.(`Pattern detected: ${p??"standard"}`,"info"),e.onDetectionPhaseChange?.("detect","completed");const r=E(o.path,"cdk.out");e.onDetectionPhaseChange?.("synth","started"),C(e,D.SYNTH);const g=await t.cdkService.runCdkSynth(P,s=>e.onCdkOutput?.(s,"synth"));if(!g.success)return d(new Error(u(`CDK synthesis failed: ${g.error}`)));e.onDetectionPhaseChange?.("synth","completed");const a=M(r);a.length>0&&e.onLog?.(`Found ${a.length} required secret path(s) in manifest`,"info"),e.onDetectionPhaseChange?.("hash","started"),C(e,D.HASH);const i=await t.hashService.getTemplateHashes(r);if(!i.success)return d(new Error(u(`Template hash computation failed: ${i.error.message}`)));const c=i.data,h=await t.hashService.compareWithState(c,o.path);if(!h.success)return d(new Error(u(`Hash comparison failed: ${h.error.message}`)));const n=h.data;e.onDetectionPhaseChange?.("hash","completed");const m=new Map(n.stackChanges);for(const[s,v]of n.stackChanges)v||await t.cfnService.stackExists(s)||(H.debug("detectionPipeline","Stale hash detected \u2014 stack missing in CFN",{stackName:s}),m.set(s,!0));const k=Array.from(c.keys()),S=F(k),w=x(r),R=S.hasCompute&&w.length>0,l=Array.from(m.values()).some(Boolean);return e.onLog?.(`Detection complete: ${n.changedCount} changed, ${n.unchangedCount} unchanged`,"info"),$({pattern:p,hasDatabase:y,hasDifferences:l,stackChanges:m,currentHashes:c,resources:S,hasDockerfile:R,requiredSecrets:a})}export{K as runDetectionPipeline};
+import{join as A}from"path";import{success as N,failure as n}from"@fjall/generator";import{logger as F}from"@fjall/util/logger";import{maskSensitiveOutput as o}from"@fjall/util";import{deriveResourcesFromManifestStacks as H}from"../types/patternDetection.js";import{emitProgress as P,PROGRESS_MESSAGES as w}from"../services/supporting/helpers.js";import{parseRequiredSecretsFromManifest as M,parseImportedSecretNamesFromManifest as O}from"./manifestSecretParser.js";import{resolveSecretArns as L}from"./secretArnResolver.js";import{parseDockerServicesFromManifest as q}from"@fjall/util/manifest";async function Y(h,r,a,e){e.onDetectionPhaseChange?.("detect","started");const S=r.frameworkRegistry.resolve({appPath:h.path}),C=S?.detection.pattern??null,l=S?.detection.hasDatabase??!1;e.onLog?.(`Pattern detected: ${C??"standard"}`,"info"),e.onDetectionPhaseChange?.("detect","completed");const i=A(h.path,"cdk.out");e.onDetectionPhaseChange?.("synth","started"),P(e,w.SYNTH);const y=await r.cdkService.runCdkSynth(a,t=>e.onCdkOutput?.(t,"synth"));if(!y.success)return n(new Error(o(`CDK synthesis failed: ${y.error}`)));if(e.onDetectionPhaseChange?.("synth","completed"),a.resolvedSecretArns===void 0){const t=O(i);if(t.length>0){e.onLog?.(`Resolving ${t.length} imported secret ARN(s)\u2026`,"info");const s=await L(r.awsProvider,t);if(!s.success)return n(new Error(o(s.error.message)));a.resolvedSecretArns=JSON.stringify(s.data);const g=await r.cdkService.runCdkSynth(a,$=>e.onCdkOutput?.($,"synth"));if(!g.success)return n(new Error(o(`CDK synthesis failed: ${g.error}`)))}}const d=M(i);d.length>0&&e.onLog?.(`Found ${d.length} required secret path(s) in manifest`,"info"),e.onDetectionPhaseChange?.("hash","started"),P(e,w.HASH);const m=await r.hashService.getTemplateHashes(i);if(!m.success)return n(new Error(o(`Template hash computation failed: ${m.error.message}`)));const u=m.data,f=await r.hashService.compareWithState(u,h.path);if(!f.success)return n(new Error(o(`Hash comparison failed: ${f.error.message}`)));const c=f.data;e.onDetectionPhaseChange?.("hash","completed");const p=new Map(c.stackChanges);for(const[t,s]of c.stackChanges)s||await r.cfnService.stackExists(t)||(F.debug("detectionPipeline","Stale hash detected \u2014 stack missing in CFN",{stackName:t}),p.set(t,!0));const R=Array.from(u.keys()),D=H(R),v=q(i),k=D.hasCompute&&v.length>0,E=Array.from(p.values()).some(Boolean);return e.onLog?.(`Detection complete: ${c.changedCount} changed, ${c.unchangedCount} unchanged`,"info"),N({pattern:C,hasDatabase:l,hasDifferences:E,stackChanges:p,currentHashes:u,resources:D,hasDockerfile:k,requiredSecrets:d})}export{Y as runDetectionPipeline};

package/dist/src/orchestration/manifestSecretParser.d.ts

@@ -9,3 +9,23 @@
  * parsed, or contains no secrets. Never throws.
  */
 export declare function parseRequiredSecretsFromManifest(cdkOutPath: string): string[];
+/**
+ * Extract name-form Secrets Manager imports from the Fjall manifest.
+ *
+ * Reads `fjall-manifest.json` and collects every `importedSecretNames` entry
+ * from ECS services and Lambda functions — the externally-managed secrets the
+ * construct declared `secretsImport: { id, name }` for. deploy-core resolves
+ * each to its complete ARN via DescribeSecret and re-injects them as CDK
+ * context so the construct renders an authorising complete-ARN `valueFrom`.
+ *
+ * Source-driven, not template-scanning: the name is read from the declared
+ * import, so it is found regardless of how CDK renders the suffixless ARN — a
+ * plain string in an env-bound stack (concrete account+region) or an Fn::Join
+ * in a token-env stack. The arn-form escape hatch never reaches this field (the
+ * synth-time writer excludes it), so a cross-account complete ARN is never
+ * handed to the fail-closed resolver.
+ *
+ * Returns an empty array if the manifest does not exist, cannot be parsed, or
+ * declares no imports. Never throws.
+ */
+export declare function parseImportedSecretNamesFromManifest(cdkOutPath: string): string[];

package/dist/src/orchestration/manifestSecretParser.js

@@ -1 +1 @@
-import{readFileSync as m}from"fs";import{join as y}from"path";import{FJALL_MANIFEST_FILENAME as p}from"@fjall/util/constructMap";import{logger as f}from"@fjall/util/logger";function a(t){return typeof t=="object"&&t!==null&&!Array.isArray(t)}function l(t){const n=y(t,p);let i;try{i=m(n,"utf-8")}catch{return f.debug("manifestSecretParser","Manifest file not readable \u2014 no secrets extracted",{path:n}),[]}let r;try{r=JSON.parse(i)}catch{return f.debug("manifestSecretParser","Manifest is not valid JSON \u2014 no secrets extracted",{path:n}),[]}if(!a(r))return[];const o=[];if(Array.isArray(r.services))for(const s of r.services){if(!a(s))continue;const e=s;if(!(!Array.isArray(e.secrets)||e.secrets.length===0||typeof e.ssmSecretsPath!="string"))for(const c of e.secrets)typeof c=="string"&&o.push(`${e.ssmSecretsPath}/${c}`)}if(Array.isArray(r.lambdas))for(const s of r.lambdas){if(!a(s))continue;const e=s;if(!(!Array.isArray(e.secrets)||e.secrets.length===0||typeof e.ssmSecretsPath!="string"))for(const c of e.secrets)typeof c=="string"&&o.push(`${e.ssmSecretsPath}/${c}`)}return o}export{l as parseRequiredSecretsFromManifest};
+import{readFileSync as m}from"fs";import{join as p}from"path";import{FJALL_MANIFEST_FILENAME as d}from"@fjall/util/constructMap";import{logger as f}from"@fjall/util/logger";function i(a){return typeof a=="object"&&a!==null&&!Array.isArray(a)}function S(a){const n=p(a,d);let c;try{c=m(n,"utf-8")}catch{return f.debug("manifestSecretParser","Manifest file not readable \u2014 no secrets extracted",{path:n}),[]}let r;try{r=JSON.parse(c)}catch{return f.debug("manifestSecretParser","Manifest is not valid JSON \u2014 no secrets extracted",{path:n}),[]}if(!i(r))return[];const o=[];if(Array.isArray(r.services))for(const s of r.services){if(!i(s))continue;const e=s;if(!(!Array.isArray(e.secrets)||e.secrets.length===0||typeof e.ssmSecretsPath!="string"))for(const t of e.secrets)typeof t=="string"&&o.push(`${e.ssmSecretsPath}/${t}`)}if(Array.isArray(r.lambdas))for(const s of r.lambdas){if(!i(s))continue;const e=s;if(!(!Array.isArray(e.secrets)||e.secrets.length===0||typeof e.ssmSecretsPath!="string"))for(const t of e.secrets)typeof t=="string"&&o.push(`${e.ssmSecretsPath}/${t}`)}return o}function A(a){const n=p(a,d);let c;try{c=m(n,"utf-8")}catch{return f.debug("manifestSecretParser","Manifest file not readable \u2014 no imported secret names extracted",{path:n}),[]}let r;try{r=JSON.parse(c)}catch{return f.debug("manifestSecretParser","Manifest is not valid JSON \u2014 no imported secret names extracted",{path:n}),[]}if(!i(r))return[];const o=new Set;for(const s of[r.services,r.lambdas])if(Array.isArray(s)){for(const e of s)if(!(!i(e)||!Array.isArray(e.importedSecretNames)))for(const t of e.importedSecretNames)typeof t=="string"&&t!==""&&o.add(t)}return Array.from(o)}export{A as parseImportedSecretNamesFromManifest,S as parseRequiredSecretsFromManifest};

package/dist/src/orchestration/secretArnResolver.d.ts

@@ -0,0 +1,19 @@
+import { type Result } from "@fjall/generator";
+import type { AwsProvider } from "../aws/AwsProvider.js";
+/**
+ * Resolve each externally-managed secret NAME to its COMPLETE ARN (with the AWS
+ * 6-char suffix) via DescribeSecret. The complete ARN is what
+ * `Secret.fromSecretCompleteArn` needs to render a plain-string `valueFrom` and an
+ * exact-ARN `grantRead` — the only shape real Secrets Manager authorises at ECS
+ * task launch (the suffixless `fromSecretNameV2` shape is AccessDenied regardless
+ * of grant width: the 2026-06-04 outage).
+ *
+ * Fail-CLOSED: a missing secret or a DescribeSecret AccessDenied aborts the deploy
+ * at this cheap pre-synth point, NEVER silently falling back to the suffixless
+ * shape. This deliberately inverts the non-fatal IPAM-pool resolution precedent —
+ * a mis-resolution here would reintroduce the exact production failure.
+ *
+ * Issues DescribeSecret ONLY — never GetSecretValue — so no secret value can reach
+ * the resolved-ARN context map, the logs, or the synthesised template.
+ */
+export declare function resolveSecretArns(awsProvider: AwsProvider, names: string[]): Promise<Result<Record<string, string>>>;

package/dist/src/orchestration/secretArnResolver.js

@@ -0,0 +1 @@
+import{SecretsManagerClient as a,DescribeSecretCommand as m}from"@aws-sdk/client-secrets-manager";import{success as d,failure as n}from"@fjall/generator";import{getErrorMessage as l,maskSensitiveOutput as p}from"@fjall/util";const u=3e4;async function g(s,c){const i=s.getClient(a),o={};for(const r of c)try{const e=(await i.send(new m({SecretId:r}),{abortSignal:AbortSignal.timeout(u)})).ARN;if(e===void 0||e==="")return n(new Error(`DescribeSecret for "${r}" returned no ARN \u2014 cannot resolve a complete ARN.`));o[r]=e}catch(t){const e=t instanceof Error?t.name:"";return e==="ResourceNotFoundException"?n(new Error(`Imported secret "${r}" does not exist in this account/region. Create it, or reference it by complete ARN via the secretsImport { arn } escape hatch.`)):e==="AccessDeniedException"||e==="AccessDenied"?n(new Error(`The deploy identity lacks secretsmanager:DescribeSecret on "${r}" \u2014 grant DescribeSecret on this secret so its complete ARN can be resolved.`)):n(new Error(`Failed to resolve imported secret "${r}": ${p(l(t))}`))}return d(o)}export{g as resolveSecretArns};

package/dist/src/services/infrastructure/CdkArgumentBuilder.js

@@ -1 +1 @@
-import{filterDangerousEnvVars as u}from"@fjall/util";class s{buildContextArgs(r){const a=[];return r?.accountId&&a.push("-c",`accountId=${r.accountId}`),r?.environment&&a.push("-c",`environment=${r.environment}`),r?.managedAccount&&a.push("-c","managedAccount=true"),r?.accountName&&a.push("-c",`accountName=${r.accountName}`),r?.orgId&&a.push("-c",`orgId=${r.orgId}`),r?.rootId&&a.push("-c",`rootId=${r.rootId}`),r?.managementAccountId&&a.push("-c",`managementAccountId=${r.managementAccountId}`),r?.ipamPoolId&&a.push("-c",`ipamPoolId=${r.ipamPoolId}`),r?.fjallOrgId&&a.push("-c",`fjallOrgId=${r.fjallOrgId}`),r?.fjallOidcConfigured&&a.push("-c",`fjallOidcConfigured=${r.fjallOidcConfigured}`),r?.fjallAccountGlobalsConfigured&&a.push("-c",`fjallAccountGlobalsConfigured=${r.fjallAccountGlobalsConfigured}`),r?.orgConfig&&a.push("-c",`orgConfig=${r.orgConfig}`),r?.fjallAdoptBackupVault&&a.push("-c","fjallAdoptBackupVault=true"),a}buildParameterArgs(r){if(r===void 0)return[];const a=Object.entries(r);if(a.length===0)return[];const o=[];for(const[e,n]of a){if(!/^[A-Za-z][A-Za-z0-9]*$/.test(e))throw new Error(`Invalid CloudFormation parameter name "${e}": must match /^[A-Za-z][A-Za-z0-9]*$/ (alphanumeric, leading letter, no separators).`);if(n==="")throw new Error(`CloudFormation parameter "${e}" has an empty value.`);if(/[,\n\r]/.test(n))throw new Error(`CloudFormation parameter "${e}" value contains "," or newline \u2014 cdk's --parameters splits on "," so the deploy would silently fragment.`);o.push("--parameters",`${e}=${n}`)}return o}injectCascadeCredentials(r,a){a&&(r.AWS_ACCESS_KEY_ID=a.accessKeyId,r.AWS_SECRET_ACCESS_KEY=a.secretAccessKey,delete r.AWS_SESSION_TOKEN,a.sessionToken&&(r.AWS_SESSION_TOKEN=a.sessionToken))}buildCdkEnv(r){const a={...u(process.env),CI:"true",FORCE_COLOR:"0",CDK_DISABLE_VERSION_CHECK:"1"};return r?.context?.region&&(a.AWS_REGION=r.context.region,a.AWS_DEFAULT_REGION=r.context.region,a.CDK_DEFAULT_REGION=r.context.region),r?.context?.accountId&&(a.CDK_DEFAULT_ACCOUNT=r.context.accountId),this.injectCascadeCredentials(a,r?.credentials),a}}export{s as CdkArgumentBuilder};
+import{filterDangerousEnvVars as u}from"@fjall/util";class s{buildContextArgs(r){const e=[];return r?.accountId&&e.push("-c",`accountId=${r.accountId}`),r?.environment&&e.push("-c",`environment=${r.environment}`),r?.managedAccount&&e.push("-c","managedAccount=true"),r?.accountName&&e.push("-c",`accountName=${r.accountName}`),r?.orgId&&e.push("-c",`orgId=${r.orgId}`),r?.rootId&&e.push("-c",`rootId=${r.rootId}`),r?.managementAccountId&&e.push("-c",`managementAccountId=${r.managementAccountId}`),r?.ipamPoolId&&e.push("-c",`ipamPoolId=${r.ipamPoolId}`),r?.fjallOrgId&&e.push("-c",`fjallOrgId=${r.fjallOrgId}`),r?.fjallOidcConfigured&&e.push("-c",`fjallOidcConfigured=${r.fjallOidcConfigured}`),r?.fjallAccountGlobalsConfigured&&e.push("-c",`fjallAccountGlobalsConfigured=${r.fjallAccountGlobalsConfigured}`),r?.orgConfig&&e.push("-c",`orgConfig=${r.orgConfig}`),r?.fjallAdoptBackupVault&&e.push("-c","fjallAdoptBackupVault=true"),r?.resolvedSecretArns&&e.push("-c",`fjallResolvedSecretArns=${r.resolvedSecretArns}`),e}buildParameterArgs(r){if(r===void 0)return[];const e=Object.entries(r);if(e.length===0)return[];const o=[];for(const[a,n]of e){if(!/^[A-Za-z][A-Za-z0-9]*$/.test(a))throw new Error(`Invalid CloudFormation parameter name "${a}": must match /^[A-Za-z][A-Za-z0-9]*$/ (alphanumeric, leading letter, no separators).`);if(n==="")throw new Error(`CloudFormation parameter "${a}" has an empty value.`);if(/[,\n\r]/.test(n))throw new Error(`CloudFormation parameter "${a}" value contains "," or newline \u2014 cdk's --parameters splits on "," so the deploy would silently fragment.`);o.push("--parameters",`${a}=${n}`)}return o}injectCascadeCredentials(r,e){e&&(r.AWS_ACCESS_KEY_ID=e.accessKeyId,r.AWS_SECRET_ACCESS_KEY=e.secretAccessKey,delete r.AWS_SESSION_TOKEN,e.sessionToken&&(r.AWS_SESSION_TOKEN=e.sessionToken))}buildCdkEnv(r){const e={...u(process.env),CI:"true",FORCE_COLOR:"0",CDK_DISABLE_VERSION_CHECK:"1"};return r?.context?.region&&(e.AWS_REGION=r.context.region,e.AWS_DEFAULT_REGION=r.context.region,e.CDK_DEFAULT_REGION=r.context.region),r?.context?.accountId&&(e.CDK_DEFAULT_ACCOUNT=r.context.accountId),this.injectCascadeCredentials(e,r?.credentials),e}}export{s as CdkArgumentBuilder};

package/dist/src/services/infrastructure/CdkProcessManager.js

@@ -1,3 +1,3 @@
-import{spawn as K}from"child_process";import{existsSync as E}from"fs";import{join as T}from"path";import{createRequire as A}from"module";import{logger as $}from"@fjall/util/logger";import{filterDangerousEnvVars as M,maskSensitiveOutput as g}from"@fjall/util";import{success as H,failure as i}from"@fjall/generator";import{getErrorMessage as w}from"@fjall/util";function L(){try{const e=A(import.meta.url).resolve("aws-cdk/bin/cdk");return{command:process.execPath,prefixArgs:[e]}}catch(h){return $.debug("CdkService","Failed to resolve aws-cdk binary, falling back to npx",{error:h instanceof Error?h.message:String(h)}),{command:"npx",prefixArgs:["cdk"]}}}const x=L(),j=5e3;class v{runningProcesses=new Map;processCounter=0;argBuilder;exitHandler;sigintHandler;sigtermHandler;constructor(e){this.argBuilder=e,this.exitHandler=()=>this.cleanup(),this.sigintHandler=()=>{this.cleanup(),process.exit(130)},this.sigtermHandler=()=>{this.cleanup(),process.exit(143)},process.on("exit",this.exitHandler),process.on("SIGINT",this.sigintHandler),process.on("SIGTERM",this.sigtermHandler)}forceKillProcess(e){e.stdout?.destroy(),e.stderr?.destroy(),e.kill("SIGTERM");const c=setTimeout(()=>{e.exitCode===null&&e.kill("SIGKILL")},j);c.unref(),e.once("exit",()=>clearTimeout(c))}cleanup(){for(const[e,c]of this.runningProcesses)c.killed||(c.stdout?.destroy(),c.stderr?.destroy(),c.kill("SIGTERM"));this.runningProcesses.clear()}dispose(){this.cleanup(),process.removeListener("exit",this.exitHandler),process.removeListener("SIGINT",this.sigintHandler),process.removeListener("SIGTERM",this.sigtermHandler)}async runCdkCommandPassthrough(e,c,r){return new Promise(t=>{if(!E(e)){t(i(`Directory not found: ${e}`));return}const a=T(e,"cdk.json");if(!E(a)){t(i(`No CDK project found in ${e}`));return}const m=this.argBuilder.buildContextArgs(r?.context),f=[...x.prefixArgs,...c,...m],S=this.argBuilder.buildCdkEnv(r),d=K(x.command,f,{cwd:e,env:S,stdio:"inherit",shell:!1,detached:!1});if(!d.pid){d.on("error",u=>{$.debug("CdkProcess","Spawn error on failed child process",{error:u.message})}),t(i(`Failed to spawn CDK process - no PID. cwd=${e}, args=${f.join(" ")}`));return}const C=`cdk-passthrough-${++this.processCounter}`;this.runningProcesses.set(C,d);let o=!1,l=!1;const p=r?.timeout??1800*1e3,k=setTimeout(()=>{d.killed||(o=!0,this.forceKillProcess(d))},p);d.on("close",u=>{if(clearTimeout(k),this.runningProcesses.delete(C),!l){if(l=!0,o){t(i("CDK command timed out"));return}u===0||r?.ignoreExitCode?t(H({exitCode:u||0})):t(i(`CDK command failed with exit code ${u}`))}}),d.on("error",u=>{clearTimeout(k),this.runningProcesses.delete(C),!(l||o)&&(l=!0,t(i(`Failed to run CDK command: ${u.message}`)))})})}async runCdkCommand(e,c,r){return new Promise(t=>{if(!E(e)){t(i(`Directory not found: ${e}`));return}if(!r?.skipProjectCheck){const s=T(e,"cdk.json");if(!E(s)){t(i(`No CDK project found in ${e}`));return}}let a="",m="",f=!1;const S=this.argBuilder.buildContextArgs(r?.context),d=[...x.prefixArgs,...c,...S],C={...this.argBuilder.buildCdkEnv(r),NO_COLOR:"1",...r?.extraEnv?M(r.extraEnv):{}};$.debug("CdkService","Spawning CDK process",{command:`${x.command} ${d.join(" ")}`,workingDir:e});const o=K(x.command,d,{cwd:e,env:C,stdio:["ignore","pipe","pipe"],shell:!1,detached:!1});if(!o.pid){const s=`Failed to spawn CDK process - no PID. cwd=${e}, args=${d.join(" ")}`;o.on("error",n=>{$.debug("CdkProcess","Deferred spawn error on failed child process",{error:n.message})}),t(i(s));return}const l=`cdk-${++this.processCounter}`;this.runningProcesses.set(l,o);let p=!1;const k=r?.timeout??1800*1e3,u=setTimeout(()=>{o.killed||(f=!0,this.forceKillProcess(o))},k);o.stdout?.on("data",s=>{const n=s.toString();a+=n,r?.outputCallback&&r.outputCallback(g(n)),r?.cdkOutputLogger?.writeCdkOutput("stdout",g(n))}),o.stderr?.on("data",s=>{const n=s.toString();r?.cdkOutputLogger?.writeCdkOutput("stderr",g(n)),!n.includes("deprecated")&&!n.includes("npm WARN")&&!n.includes("ENOENT")&&(m+=n),r?.errorCallback&&r.errorCallback(g(n))}),o.on("error",s=>{clearTimeout(u),this.runningProcesses.delete(l),!(p||f)&&(p=!0,t(i(w(s))))}),o.on("close",s=>{if(clearTimeout(u),this.runningProcesses.delete(l),p)return;if(p=!0,f){t(i("CDK command timed out"));return}const n=s===0||r?.ignoreExitCode===!0&&s===1,O=a+(m?`
-${m}`:"");if(n){const P=r?.combineOutput?O:a;t(H({output:g(P),exitCode:s||0}));return}let b=m;if(a){const P=a.match(/❌.*?Error:(.*)$/m);P&&(b=P[1]?.trim()??"")}const I=b||`CDK command failed with exit code ${s}`,y=a?`${I}
-${a}`:I;t(i(g(y)))})})}}export{v as CdkProcessManager};
+import{spawn as K}from"child_process";import{existsSync as E}from"fs";import{join as b}from"path";import{createRequire as A}from"module";import{logger as T}from"@fjall/util/logger";import{filterDangerousEnvVars as L,maskSensitiveOutput as g}from"@fjall/util";import{success as O,failure as i}from"@fjall/generator";import{getErrorMessage as w}from"@fjall/util";function j(){try{const e=A(import.meta.url).resolve("aws-cdk/bin/cdk");return{command:process.execPath,prefixArgs:[e]}}catch(h){return T.debug("CdkService","Failed to resolve aws-cdk binary, falling back to npx",{error:h instanceof Error?h.message:String(h)}),{command:"npx",prefixArgs:["cdk"]}}}const x=j(),G=5e3,H=1800*1e3;class J{runningProcesses=new Map;processCounter=0;argBuilder;exitHandler;sigintHandler;sigtermHandler;constructor(e){this.argBuilder=e,this.exitHandler=()=>this.cleanup(),this.sigintHandler=()=>{this.cleanup(),process.exit(130)},this.sigtermHandler=()=>{this.cleanup(),process.exit(143)},process.on("exit",this.exitHandler),process.on("SIGINT",this.sigintHandler),process.on("SIGTERM",this.sigtermHandler)}forceKillProcess(e){e.stdout?.destroy(),e.stderr?.destroy(),e.kill("SIGTERM");const c=setTimeout(()=>{e.exitCode===null&&e.kill("SIGKILL")},G);c.unref(),e.once("exit",()=>clearTimeout(c))}cleanup(){for(const[e,c]of this.runningProcesses)c.killed||(c.stdout?.destroy(),c.stderr?.destroy(),c.kill("SIGTERM"));this.runningProcesses.clear()}dispose(){this.cleanup(),process.removeListener("exit",this.exitHandler),process.removeListener("SIGINT",this.sigintHandler),process.removeListener("SIGTERM",this.sigtermHandler)}async runCdkCommandPassthrough(e,c,r){return new Promise(t=>{if(!E(e)){t(i(`Directory not found: ${e}`));return}const a=b(e,"cdk.json");if(!E(a)){t(i(`No CDK project found in ${e}`));return}const m=this.argBuilder.buildContextArgs(r?.context),f=[...x.prefixArgs,...c,...m],S=this.argBuilder.buildCdkEnv(r),d=K(x.command,f,{cwd:e,env:S,stdio:"inherit",shell:!1,detached:!1});if(!d.pid){d.on("error",u=>{T.debug("CdkProcess","Spawn error on failed child process",{error:u.message})}),t(i(`Failed to spawn CDK process - no PID. cwd=${e}, args=${f.join(" ")}`));return}const C=`cdk-passthrough-${++this.processCounter}`;this.runningProcesses.set(C,d);let o=!1,l=!1;const p=r?.timeout??H,k=setTimeout(()=>{d.killed||(o=!0,this.forceKillProcess(d))},p);d.on("close",u=>{if(clearTimeout(k),this.runningProcesses.delete(C),!l){if(l=!0,o){t(i("CDK command timed out"));return}u===0||r?.ignoreExitCode?t(O({exitCode:u||0})):t(i(`CDK command failed with exit code ${u}`))}}),d.on("error",u=>{clearTimeout(k),this.runningProcesses.delete(C),!(l||o)&&(l=!0,t(i(`Failed to run CDK command: ${u.message}`)))})})}async runCdkCommand(e,c,r){return new Promise(t=>{if(!E(e)){t(i(`Directory not found: ${e}`));return}if(!r?.skipProjectCheck){const s=b(e,"cdk.json");if(!E(s)){t(i(`No CDK project found in ${e}`));return}}let a="",m="",f=!1;const S=this.argBuilder.buildContextArgs(r?.context),d=[...x.prefixArgs,...c,...S],C={...this.argBuilder.buildCdkEnv(r),NO_COLOR:"1",...r?.extraEnv?L(r.extraEnv):{}};T.debug("CdkService","Spawning CDK process",{command:`${x.command} ${d.join(" ")}`,workingDir:e});const o=K(x.command,d,{cwd:e,env:C,stdio:["ignore","pipe","pipe"],shell:!1,detached:!1});if(!o.pid){const s=`Failed to spawn CDK process - no PID. cwd=${e}, args=${d.join(" ")}`;o.on("error",n=>{T.debug("CdkProcess","Deferred spawn error on failed child process",{error:n.message})}),t(i(s));return}const l=`cdk-${++this.processCounter}`;this.runningProcesses.set(l,o);let p=!1;const k=r?.timeout??H,u=setTimeout(()=>{o.killed||(f=!0,this.forceKillProcess(o))},k);o.stdout?.on("data",s=>{const n=s.toString();a+=n,r?.outputCallback&&r.outputCallback(g(n)),r?.cdkOutputLogger?.writeCdkOutput("stdout",g(n))}),o.stderr?.on("data",s=>{const n=s.toString();r?.cdkOutputLogger?.writeCdkOutput("stderr",g(n)),!n.includes("deprecated")&&!n.includes("npm WARN")&&!n.includes("ENOENT")&&(m+=n),r?.errorCallback&&r.errorCallback(g(n))}),o.on("error",s=>{clearTimeout(u),this.runningProcesses.delete(l),!(p||f)&&(p=!0,t(i(w(s))))}),o.on("close",s=>{if(clearTimeout(u),this.runningProcesses.delete(l),p)return;if(p=!0,f){t(i("CDK command timed out"));return}const n=s===0||r?.ignoreExitCode===!0&&s===1,M=a+(m?`
+${m}`:"");if(n){const P=r?.combineOutput?M:a;t(O({output:g(P),exitCode:s||0}));return}let $=m;if(a){const P=a.match(/❌.*?Error:(.*)$/m);P&&($=P[1]?.trim()??"")}const I=$||`CDK command failed with exit code ${s}`,y=a?`${I}
+${a}`:I;t(i(g(y)))})})}}export{J as CdkProcessManager};

package/dist/src/services/infrastructure/CdkServiceTypes.d.ts

@@ -15,6 +15,14 @@ export interface CdkContext {
     fjallAccountGlobalsConfigured?: string;
     orgConfig?: string;
     fjallAdoptBackupVault?: string;
+    /**
+     * JSON `Record<secretName, completeArn>` of deploy-time-resolved externally-managed
+     * Secrets Manager ARNs. Emitted as `-c fjallResolvedSecretArns=<json>` and consumed
+     * by `resolveImportedSecret` in @fjall/components-infrastructure
+     * (`resources/aws/secrets/secret.ts`) via `fromSecretCompleteArn`. Keep the context
+     * key literal in sync with that reader.
+     */
+    resolvedSecretArns?: string;
 }
 export interface CdkOptions {
     verbose?: boolean;

package/dist/src/services/infrastructure/cdkServiceHelpers.js

@@ -1 +1 @@
-import{getApplicationStackName as i,getOrganisationStackName as u,isApplicationStack as l}from"../../types/operations.js";const p=5e3;function t(a,o){if(a&&!a.includes("*"))return a;if(a){const e=a.match(/\*?(\w+)\*?/);if(e?.[1]){const n=e[1],r=o.target;return l(n)?i(r,n):`${r}${n}`}return a}}function c(a){const o=a.deployType;return o==="organisation"||o==="platform"||o==="account"?u(o):`${a.target}Network`}function f(a,o,e){return{accountId:o,region:e,environment:a.environment,managedAccount:a.isManagedAccount,accountName:a.accountName,orgId:a.orgId,rootId:a.rootId,managementAccountId:a.managementAccountId,ipamPoolId:a.ipamPoolId,fjallOrgId:a.fjallOrgId,fjallOidcConfigured:a.fjallOidcConfigured?"true":void 0,fjallAccountGlobalsConfigured:a.fjallAccountGlobalsConfigured?"true":void 0,orgConfig:a.orgConfig,fjallAdoptBackupVault:a.fjallAdoptBackupVault?"true":void 0}}export{p as STACK_DETECTION_FALLBACK_MS,f as buildDeploymentCdkContext,c as getFallbackStackName,t as resolveStackName};
+import{getApplicationStackName as l,getOrganisationStackName as i,isApplicationStack as u}from"../../types/operations.js";const p=5e3;function t(e,a){if(e&&!e.includes("*"))return e;if(e){const o=e.match(/\*?(\w+)\*?/);if(o?.[1]){const n=o[1],r=a.target;return u(n)?l(r,n):`${r}${n}`}return e}}function c(e){const a=e.deployType;return a==="organisation"||a==="platform"||a==="account"?i(a):`${e.target}Network`}function f(e,a,o){return{accountId:a,region:o,environment:e.environment,managedAccount:e.isManagedAccount,accountName:e.accountName,orgId:e.orgId,rootId:e.rootId,managementAccountId:e.managementAccountId,ipamPoolId:e.ipamPoolId,fjallOrgId:e.fjallOrgId,fjallOidcConfigured:e.fjallOidcConfigured?"true":void 0,fjallAccountGlobalsConfigured:e.fjallAccountGlobalsConfigured?"true":void 0,orgConfig:e.orgConfig,fjallAdoptBackupVault:e.fjallAdoptBackupVault?"true":void 0,resolvedSecretArns:e.resolvedSecretArns}}export{p as STACK_DETECTION_FALLBACK_MS,f as buildDeploymentCdkContext,c as getFallbackStackName,t as resolveStackName};

package/dist/src/types/deployment/DeploymentTypes.d.ts

@@ -25,6 +25,7 @@ export interface DeploymentContext {
     fjallAccountGlobalsConfigured?: boolean;
     orgConfig?: string;
     fjallAdoptBackupVault?: boolean;
+    resolvedSecretArns?: string;
     options: {
         verbose?: boolean;
         infraOnly?: boolean;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@fjall/deploy-core",
-  "version": "2.9.1",
+  "version": "2.11.1",
   "description": "Shared deployment engine for Fjall — used by CLI and webapp worker",
   "type": "module",
   "main": "dist/src/index.js",
@@ -71,10 +71,11 @@
     "@aws-sdk/client-organizations": "^3.1038.0",
     "@aws-sdk/client-ram": "^3.1038.0",
     "@aws-sdk/client-s3": "^3.1038.0",
+    "@aws-sdk/client-secrets-manager": "^3.1038.0",
     "@aws-sdk/client-sso-admin": "^3.1038.0",
     "@aws-sdk/client-sts": "^3.1038.0",
-    "@fjall/generator": "^2.9.1",
-    "@fjall/util": "^2.9.1",
+    "@fjall/generator": "^2.11.1",
+    "@fjall/util": "^2.11.1",
     "@smithy/node-http-handler": "^4.6.1",
     "tsx": "^4.21.0",
     "zod": "^4.4.3"
@@ -83,5 +84,5 @@
     "@types/node": "^25.6.0",
     "vitest": "^4.1.5"
   },
-  "gitHead": "a97423cf3df727994364a0907fa2b5c544a86b0d"
+  "gitHead": "69823c3d7f2eacba419657464381119c5b5b5fd6"
 }