@fjall/generator 0.88.4 → 0.89.2

package/dist/src/schemas/databaseSchemas.js

@@ -0,0 +1,366 @@
+import { z } from "zod";
+import { VALIDATION_PATTERNS, VALIDATION_MESSAGES, } from "../validation/patterns.js";
+import { DATABASE_TYPES, VALID_MONITORING_INTERVALS, constIncludes, } from "./constants.js";
+import { optionalOrDisabled, ResourceNameSchema, AppNameSchema, ExtraPropertySchema, } from "./baseSchemas.js";
+// ─── Reusable database-specific validation schemas ───────────────────────────
+/** Reusable backup retention validation. Range: 1-35 days. */
+export const BackupRetentionSchema = z
+    .number()
+    .int(VALIDATION_MESSAGES.BACKUP_RETENTION.INTEGER)
+    .min(1, VALIDATION_MESSAGES.BACKUP_RETENTION.MIN)
+    .max(35, VALIDATION_MESSAGES.BACKUP_RETENTION.MAX);
+/** Reusable monitoring interval validation. Must be one of: 0, 1, 5, 10, 15, 30, 60. */
+export const MonitoringIntervalSchema = z
+    .number()
+    .int(VALIDATION_MESSAGES.MONITORING_INTERVAL.INTEGER)
+    .refine((val) => constIncludes(VALID_MONITORING_INTERVALS, val), {
+    message: VALIDATION_MESSAGES.MONITORING_INTERVAL.VALUES,
+});
+/** Reusable database port validation. Range: 1024-65535. */
+export const DatabasePortSchema = z
+    .number()
+    .int(VALIDATION_MESSAGES.DATABASE.PORT.INTEGER)
+    .min(1024, VALIDATION_MESSAGES.DATABASE.PORT.MIN)
+    .max(65535, VALIDATION_MESSAGES.DATABASE.PORT.MAX);
+// ─── Database type ───────────────────────────────────────────────────────────
+export const DatabaseTypeSchema = z
+    .enum(DATABASE_TYPES)
+    .describe(`Database type must be one of: ${DATABASE_TYPES.join(", ")}`);
+// ─── Nested configuration schemas ────────────────────────────────────────────
+export const ProxyConfigSchema = z
+    .object({
+    maxConnections: z
+        .number()
+        .int(VALIDATION_MESSAGES.MAX_CONNECTIONS.INTEGER)
+        .min(1, VALIDATION_MESSAGES.MAX_CONNECTIONS.MIN)
+        .max(100, VALIDATION_MESSAGES.MAX_CONNECTIONS.MAX)
+        .optional(),
+    maxIdleConnections: z
+        .number()
+        .int(VALIDATION_MESSAGES.PROXY_CONFIG.MAX_IDLE_CONNECTIONS.INTEGER)
+        .min(0, VALIDATION_MESSAGES.PROXY_CONFIG.MAX_IDLE_CONNECTIONS.MIN)
+        .max(100, VALIDATION_MESSAGES.PROXY_CONFIG.MAX_IDLE_CONNECTIONS.MAX)
+        .optional(),
+    connectionBorrowTimeout: z
+        .number()
+        .int(VALIDATION_MESSAGES.PROXY_CONFIG.BORROW_TIMEOUT.INTEGER)
+        .min(1, VALIDATION_MESSAGES.PROXY_CONFIG.BORROW_TIMEOUT.MIN)
+        .max(3600, VALIDATION_MESSAGES.PROXY_CONFIG.BORROW_TIMEOUT.MAX)
+        .optional(),
+    requireTLS: z.boolean().optional(),
+})
+    .strict()
+    .describe("RDS Proxy configuration");
+export const ReadReplicaConfigSchema = z
+    .object({
+    instanceType: z.string().optional(),
+    availabilityZone: z.string().optional(),
+})
+    .strict()
+    .describe("Read replica configuration");
+export const SecretRotationConfigSchema = z
+    .object({
+    automaticallyAfterDays: z
+        .number()
+        .int(VALIDATION_MESSAGES.ROTATION.INTEGER)
+        .min(1, VALIDATION_MESSAGES.ROTATION.MIN)
+        .max(365, VALIDATION_MESSAGES.ROTATION.MAX)
+        .optional(),
+})
+    .strict()
+    .describe("Secret rotation configuration");
+export const CredentialsConfigSchema = z
+    .object({
+    username: z
+        .string()
+        .min(1, VALIDATION_MESSAGES.REQUIRED.USERNAME)
+        .max(63, VALIDATION_MESSAGES.USERNAME.MAX_LENGTH)
+        .optional(),
+    secretRotation: SecretRotationConfigSchema.optional(),
+})
+    .strict()
+    .describe("Database credentials configuration");
+export const ProxyConfigOrFalseSchema = optionalOrDisabled(ProxyConfigSchema);
+export const ReadReplicaConfigOrFalseSchema = optionalOrDisabled(ReadReplicaConfigSchema);
+// ─── Aurora-specific nested configuration ────────────────────────────────────
+export const AuroraReaderConfigSchema = z
+    .object({
+    scaleWithWriter: z.boolean().optional(),
+    enableDatabaseInsights: z.boolean().optional(),
+    identifierSuffix: z
+        .string()
+        .min(1, VALIDATION_MESSAGES.IDENTIFIER_SUFFIX.REQUIRED)
+        .max(50, VALIDATION_MESSAGES.IDENTIFIER_SUFFIX.MAX_LENGTH)
+        .optional(),
+    availabilityZone: z.string().optional(),
+})
+    .strict()
+    .describe("Configuration for a single Aurora reader instance");
+export const AuroraWriterConfigSchema = z
+    .object({
+    enableDatabaseInsights: z.boolean().optional(),
+    identifierSuffix: z
+        .string()
+        .min(1, VALIDATION_MESSAGES.IDENTIFIER_SUFFIX.REQUIRED)
+        .max(50, VALIDATION_MESSAGES.IDENTIFIER_SUFFIX.MAX_LENGTH)
+        .optional(),
+    availabilityZone: z.string().optional(),
+})
+    .strict()
+    .describe("Configuration for Aurora writer instance");
+export const AuroraReadersConfigSchema = z
+    .object({
+    count: z
+        .number()
+        .int(VALIDATION_MESSAGES.READER.COUNT.INTEGER)
+        .min(0, VALIDATION_MESSAGES.READER.COUNT.MIN)
+        .max(15, VALIDATION_MESSAGES.READER.COUNT.MAX)
+        .optional(),
+    instances: z
+        .array(AuroraReaderConfigSchema)
+        .max(15, VALIDATION_MESSAGES.READER_INSTANCES.MAX)
+        .optional(),
+    defaultEnableDatabaseInsights: z.boolean().optional(),
+})
+    .strict()
+    .refine((data) => !(data.count !== undefined && data.instances !== undefined), {
+    message: VALIDATION_MESSAGES.READER_INSTANCES.COUNT_OR_INSTANCES,
+    path: ["count"],
+})
+    .describe("Aurora readers configuration");
+export const AuroraReadersConfigOrFalseSchema = optionalOrDisabled(AuroraReadersConfigSchema);
+// ─── Encryption key specification ────────────────────────────────────────────
+export const AwsManagedKeySchema = z
+    .object({
+    awsManaged: z.literal(true),
+})
+    .strict();
+export const CustomerManagedKeyMarkerSchema = z
+    .object({
+    useCMK: z.literal(true),
+})
+    .strict();
+export const EncryptionKeySpecSchema = z.union([
+    AwsManagedKeySchema,
+    CustomerManagedKeyMarkerSchema,
+]);
+export const DatabaseInsightsConfigSchema = z
+    .object({
+    mode: z.enum(["standard", "advanced"]).optional(),
+    encryptionKey: EncryptionKeySpecSchema.optional(),
+})
+    .strict()
+    .describe("Database Insights configuration");
+export const DatabaseInsightsConfigOrFalseSchema = optionalOrDisabled(DatabaseInsightsConfigSchema);
+export const EncryptionConfigSchema = z
+    .object({
+    storageKey: EncryptionKeySpecSchema.optional(),
+})
+    .strict()
+    .describe("Encryption configuration (DESTRUCTIVE to change storageKey)");
+// ─── Database resource plan ──────────────────────────────────────────────────
+export const DatabaseResourcePlanSchema = z
+    .object({
+    name: ResourceNameSchema,
+    type: DatabaseTypeSchema,
+    databaseName: z.string().min(1, VALIDATION_MESSAGES.REQUIRED.DATABASE_NAME),
+    // Instance-specific props (only apply when type is "Instance")
+    instanceType: z.string().optional(),
+    multiAz: z.boolean().optional(),
+    publiclyAccessible: z.boolean().optional(),
+    enableSecretRotation: z.boolean().optional(),
+    // Shared props (Instance and Aurora)
+    databaseInsights: DatabaseInsightsConfigOrFalseSchema.optional(),
+    port: DatabasePortSchema.optional(),
+    deletionProtection: z.boolean().optional(),
+    // Nested configurations (presence-based: object = enabled, false = disabled)
+    proxy: ProxyConfigOrFalseSchema.optional(),
+    credentials: CredentialsConfigSchema.optional(),
+    // Instance-specific nested config
+    readReplica: ReadReplicaConfigOrFalseSchema.optional(),
+    // Shared encryption config (Instance and Aurora)
+    encryption: EncryptionConfigSchema.optional(),
+    // Aurora/GlobalAurora-specific props
+    writer: AuroraWriterConfigSchema.optional(),
+    readers: AuroraReadersConfigOrFalseSchema.optional(),
+    // Shared operational props (Instance, Aurora, GlobalAurora)
+    backupRetention: BackupRetentionSchema.optional(),
+    preferredMaintenanceWindow: z.string().optional(),
+    monitoringInterval: MonitoringIntervalSchema.optional(),
+    // GlobalAurora-specific props
+    primaryRegion: z.string().optional(),
+    secondaryRegions: z.array(z.string()).optional(),
+    globalClusterIdentifier: z.string().optional(),
+    enableGlobalWriteForwarding: z.boolean().optional(),
+    // Shared restore/snapshot props
+    snapshotIdentifier: z.string().optional(),
+    snapshotUsername: z.string().optional(),
+    // Round-trip preservation fields (set by AST parser, used by generator)
+    databaseEngine: z.enum(["postgresql", "mysql"]).optional(),
+    engineExpression: z.string().optional(),
+    variableName: z.string().optional(),
+    extraProperties: z.array(ExtraPropertySchema).optional(),
+})
+    .strict();
+// ─── Database generator schemas ──────────────────────────────────────────────
+// Common fields shared across all database types
+const DatabaseGeneratorBaseSchema = z
+    .object({
+    appName: AppNameSchema,
+    nameProvidedByFlag: z.boolean().optional(),
+    databaseName: z
+        .string()
+        .min(1, VALIDATION_MESSAGES.REQUIRED.DATABASE_NAME)
+        .max(63, VALIDATION_MESSAGES.MAX_LENGTH.DATABASE_NAME)
+        .regex(VALIDATION_PATTERNS.DATABASE_NAME, VALIDATION_MESSAGES.DATABASE_NAME),
+    resourceName: ResourceNameSchema.optional(),
+    connectionConfig: z
+        .object({
+        /** Connect to entire compute resources (legacy, cluster-level) */
+        connectToCompute: z.array(z.string()).optional(),
+        /** Connect to specific ECS services (format: "ClusterName/ServiceName") */
+        connectToServices: z.array(z.string()).optional(),
+    })
+        .strict()
+        .optional(),
+    // Shared fields (all database types)
+    databaseInsights: DatabaseInsightsConfigOrFalseSchema.optional(),
+    port: DatabasePortSchema.optional(),
+    proxy: ProxyConfigOrFalseSchema.optional(),
+    credentials: CredentialsConfigSchema.optional(),
+    encryption: EncryptionConfigSchema.optional(),
+    deletionProtection: z.boolean().optional(),
+})
+    .strict();
+// Type-specific field definitions shared between CLI and UI schemas
+const instanceSpecificFields = {
+    databaseType: z.literal("Instance"),
+    instanceType: z.string().optional(),
+    multiAz: z.boolean().optional(),
+    readReplica: ReadReplicaConfigOrFalseSchema.optional(),
+    publiclyAccessible: z.boolean().optional(),
+    backupRetention: BackupRetentionSchema.optional(),
+    allocatedStorage: z.number().optional(),
+    snapshotIdentifier: z.string().optional(),
+    snapshotUsername: z.string().optional(),
+};
+const auroraSpecificFields = {
+    databaseType: z.literal("Aurora"),
+    writer: AuroraWriterConfigSchema.optional(),
+    readers: AuroraReadersConfigOrFalseSchema.optional(),
+    backupRetention: BackupRetentionSchema.optional(),
+    preferredMaintenanceWindow: z.string().optional(),
+    monitoringInterval: MonitoringIntervalSchema.optional(),
+    snapshotIdentifier: z.string().optional(),
+    snapshotUsername: z.string().optional(),
+};
+const globalAuroraSpecificFields = {
+    databaseType: z.literal("GlobalAurora"),
+    primaryRegion: z
+        .string()
+        .min(1, VALIDATION_MESSAGES.GLOBAL_AURORA.PRIMARY_REGION_REQUIRED),
+    secondaryRegions: z.array(z.string()).optional(),
+    globalClusterIdentifier: z.string().optional(),
+    enableGlobalWriteForwarding: z.boolean().optional(),
+    writer: AuroraWriterConfigSchema.optional(),
+    readers: AuroraReadersConfigOrFalseSchema.optional(),
+    backupRetention: BackupRetentionSchema.optional(),
+    preferredMaintenanceWindow: z.string().optional(),
+    monitoringInterval: MonitoringIntervalSchema.optional(),
+    snapshotIdentifier: z.string().optional(),
+    snapshotUsername: z.string().optional(),
+};
+const InstanceDatabaseGeneratorSchema = DatabaseGeneratorBaseSchema.extend(instanceSpecificFields).strict();
+const AuroraDatabaseGeneratorSchema = DatabaseGeneratorBaseSchema.extend(auroraSpecificFields).strict();
+const GlobalAuroraDatabaseGeneratorSchema = DatabaseGeneratorBaseSchema.extend(globalAuroraSpecificFields).strict();
+/**
+ * Database generator schema using discriminated union.
+ * This ensures type-specific fields are only allowed for the correct database type:
+ * - Instance: instanceType, multiAz, readReplica
+ * - Aurora: writer, readers, backupRetention
+ * - GlobalAurora: primaryRegion (required!), secondaryRegions, enableGlobalWriteForwarding
+ */
+export const DatabaseGeneratorSchema = z.discriminatedUnion("databaseType", [
+    InstanceDatabaseGeneratorSchema,
+    AuroraDatabaseGeneratorSchema,
+    GlobalAuroraDatabaseGeneratorSchema,
+]);
+// Base schema with required resourceName for UI
+const DatabaseGeneratorBaseSchemaFromUI = DatabaseGeneratorBaseSchema.extend({
+    resourceName: ResourceNameSchema,
+}).strict();
+/**
+ * Stricter schema for UI-originated database creation.
+ * Requires resourceName to prevent silent failures where
+ * the generator falls back to a default name that may conflict.
+ */
+const InstanceDatabaseGeneratorSchemaFromUI = DatabaseGeneratorBaseSchemaFromUI.extend(instanceSpecificFields).strict();
+const AuroraDatabaseGeneratorSchemaFromUI = DatabaseGeneratorBaseSchemaFromUI.extend(auroraSpecificFields).strict();
+const GlobalAuroraDatabaseGeneratorSchemaFromUI = DatabaseGeneratorBaseSchemaFromUI.extend(globalAuroraSpecificFields).strict();
+export const DatabaseGeneratorSchemaFromUI = z.discriminatedUnion("databaseType", [
+    InstanceDatabaseGeneratorSchemaFromUI,
+    AuroraDatabaseGeneratorSchemaFromUI,
+    GlobalAuroraDatabaseGeneratorSchemaFromUI,
+]);
+/**
+ * Schema for adding RDS Proxy to an existing database.
+ * Used by the `fjall add proxy` command.
+ */
+export const AddProxyGeneratorSchema = z
+    .object({
+    appName: AppNameSchema,
+    databaseName: z.string().min(1, VALIDATION_MESSAGES.REQUIRED.DATABASE_NAME),
+    maxConnections: z
+        .number()
+        .int(VALIDATION_MESSAGES.MAX_CONNECTIONS.INTEGER)
+        .min(1, VALIDATION_MESSAGES.MAX_CONNECTIONS.MIN)
+        .max(100, VALIDATION_MESSAGES.MAX_CONNECTIONS.MAX)
+        .optional(),
+    maxIdleConnections: z
+        .number()
+        .int(VALIDATION_MESSAGES.PROXY_CONFIG.MAX_IDLE_CONNECTIONS.INTEGER)
+        .min(0, VALIDATION_MESSAGES.PROXY_CONFIG.MAX_IDLE_CONNECTIONS.MIN)
+        .max(100, VALIDATION_MESSAGES.PROXY_CONFIG.MAX_IDLE_CONNECTIONS.MAX)
+        .optional(),
+    connectionBorrowTimeout: z
+        .number()
+        .int(VALIDATION_MESSAGES.PROXY_CONFIG.BORROW_TIMEOUT.INTEGER)
+        .min(1, VALIDATION_MESSAGES.PROXY_CONFIG.BORROW_TIMEOUT.MIN)
+        .max(3600, VALIDATION_MESSAGES.PROXY_CONFIG.BORROW_TIMEOUT.MAX)
+        .optional(),
+    requireTLS: z.boolean().optional(),
+    nameProvidedByFlag: z.boolean().optional(),
+})
+    .strict();
+// ─── DynamoDB schemas ────────────────────────────────────────────────────────
+const DYNAMODB_ATTRIBUTE_TYPES = ["S", "N", "B"];
+const DynamoDBKeySchema = z
+    .object({
+    name: z.string(),
+    type: z.enum(DYNAMODB_ATTRIBUTE_TYPES),
+})
+    .strict();
+/**
+ * DynamoDB table resource plan schema (for OpenNext patterns)
+ */
+export const DynamoDBResourcePlanSchema = z
+    .object({
+    name: ResourceNameSchema,
+    partitionKey: DynamoDBKeySchema,
+    sortKey: DynamoDBKeySchema.optional(),
+    globalSecondaryIndexes: z
+        .array(z
+        .object({
+        indexName: z.string(),
+        partitionKey: DynamoDBKeySchema,
+        sortKey: DynamoDBKeySchema.optional(),
+    })
+        .strict())
+        .optional(),
+    ttlAttribute: z.string().optional(),
+    stream: z.boolean().optional(),
+    // Round-trip preservation
+    variableName: z.string().optional(),
+    extraProperties: z.array(ExtraPropertySchema).optional(),
+})
+    .strict();

package/dist/src/schemas/messagingSchemas.d.ts

@@ -0,0 +1,20 @@
+import { z } from "zod";
+/**
+ * SQS queue resource plan schema (for OpenNext patterns)
+ */
+export declare const SQSResourcePlanSchema: z.ZodObject<{
+    name: z.ZodString;
+    queueType: z.ZodDefault<z.ZodEnum<{
+        standard: "standard";
+        fifo: "fifo";
+    }>>;
+    visibilityTimeout: z.ZodOptional<z.ZodNumber>;
+    retentionPeriod: z.ZodOptional<z.ZodNumber>;
+    contentBasedDeduplication: z.ZodOptional<z.ZodBoolean>;
+    variableName: z.ZodOptional<z.ZodString>;
+    extraProperties: z.ZodOptional<z.ZodArray<z.ZodObject<{
+        key: z.ZodString;
+        sourceText: z.ZodString;
+    }, z.core.$strict>>>;
+}, z.core.$strict>;
+export type SQSResourcePlan = z.infer<typeof SQSResourcePlanSchema>;

package/dist/src/schemas/messagingSchemas.js

@@ -0,0 +1,29 @@
+import { z } from "zod";
+import { VALIDATION_MESSAGES } from "../validation/patterns.js";
+import { ResourceNameSchema, ExtraPropertySchema } from "./baseSchemas.js";
+// ─── SQS resource plan ──────────────────────────────────────────────────────
+/**
+ * SQS queue resource plan schema (for OpenNext patterns)
+ */
+export const SQSResourcePlanSchema = z
+    .object({
+    name: ResourceNameSchema,
+    queueType: z.enum(["standard", "fifo"]).default("standard"),
+    visibilityTimeout: z
+        .number()
+        .int(VALIDATION_MESSAGES.SQS.VISIBILITY_TIMEOUT.INTEGER)
+        .min(0, VALIDATION_MESSAGES.SQS.VISIBILITY_TIMEOUT.MIN)
+        .max(43200, VALIDATION_MESSAGES.SQS.VISIBILITY_TIMEOUT.MAX)
+        .optional(),
+    retentionPeriod: z
+        .number()
+        .int(VALIDATION_MESSAGES.SQS.RETENTION_PERIOD.INTEGER)
+        .min(60, VALIDATION_MESSAGES.SQS.RETENTION_PERIOD.MIN)
+        .max(1209600, VALIDATION_MESSAGES.SQS.RETENTION_PERIOD.MAX)
+        .optional(),
+    contentBasedDeduplication: z.boolean().optional(),
+    // Round-trip preservation
+    variableName: z.string().optional(),
+    extraProperties: z.array(ExtraPropertySchema).optional(),
+})
+    .strict();

package/dist/src/schemas/networkSchemas.d.ts

@@ -0,0 +1,246 @@
+import { z } from "zod";
+export declare const NatConfigSchema: z.ZodObject<{
+    count: z.ZodOptional<z.ZodNumber>;
+}, z.core.$strict>;
+export declare const NatConfigOrFalseSchema: z.ZodUnion<[z.ZodLiteral<false>, z.ZodObject<{
+    count: z.ZodOptional<z.ZodNumber>;
+}, z.core.$strict>]>;
+export declare const FlowLogConfigSchema: z.ZodObject<{
+    destination: z.ZodOptional<z.ZodEnum<{
+        cloudwatch: "cloudwatch";
+        s3: "s3";
+    }>>;
+    retentionDays: z.ZodOptional<z.ZodNumber>;
+    trafficType: z.ZodOptional<z.ZodEnum<{
+        ALL: "ALL";
+        ACCEPT: "ACCEPT";
+        REJECT: "REJECT";
+    }>>;
+}, z.core.$strict>;
+export declare const FlowLogConfigOrFalseSchema: z.ZodUnion<[z.ZodLiteral<false>, z.ZodObject<{
+    destination: z.ZodOptional<z.ZodEnum<{
+        cloudwatch: "cloudwatch";
+        s3: "s3";
+    }>>;
+    retentionDays: z.ZodOptional<z.ZodNumber>;
+    trafficType: z.ZodOptional<z.ZodEnum<{
+        ALL: "ALL";
+        ACCEPT: "ACCEPT";
+        REJECT: "REJECT";
+    }>>;
+}, z.core.$strict>]>;
+export declare const GatewayEndpointsConfigSchema: z.ZodObject<{
+    s3: z.ZodOptional<z.ZodBoolean>;
+    dynamodb: z.ZodOptional<z.ZodBoolean>;
+}, z.core.$strict>;
+export declare const GatewayEndpointsConfigOrFalseSchema: z.ZodUnion<[z.ZodLiteral<false>, z.ZodObject<{
+    s3: z.ZodOptional<z.ZodBoolean>;
+    dynamodb: z.ZodOptional<z.ZodBoolean>;
+}, z.core.$strict>]>;
+export declare const InterfaceEndpointsConfigSchema: z.ZodObject<{
+    ecr: z.ZodOptional<z.ZodBoolean>;
+    secretsManager: z.ZodOptional<z.ZodBoolean>;
+    kms: z.ZodOptional<z.ZodBoolean>;
+    cloudwatchLogs: z.ZodOptional<z.ZodBoolean>;
+    ssm: z.ZodOptional<z.ZodBoolean>;
+    sts: z.ZodOptional<z.ZodBoolean>;
+}, z.core.$strict>;
+export declare const InterfaceEndpointsConfigOrFalseSchema: z.ZodUnion<[z.ZodLiteral<false>, z.ZodObject<{
+    ecr: z.ZodOptional<z.ZodBoolean>;
+    secretsManager: z.ZodOptional<z.ZodBoolean>;
+    kms: z.ZodOptional<z.ZodBoolean>;
+    cloudwatchLogs: z.ZodOptional<z.ZodBoolean>;
+    ssm: z.ZodOptional<z.ZodBoolean>;
+    sts: z.ZodOptional<z.ZodBoolean>;
+}, z.core.$strict>]>;
+export declare const VpcEndpointsConfigSchema: z.ZodObject<{
+    gateway: z.ZodOptional<z.ZodUnion<[z.ZodLiteral<false>, z.ZodObject<{
+        s3: z.ZodOptional<z.ZodBoolean>;
+        dynamodb: z.ZodOptional<z.ZodBoolean>;
+    }, z.core.$strict>]>>;
+    interface: z.ZodOptional<z.ZodUnion<[z.ZodLiteral<false>, z.ZodObject<{
+        ecr: z.ZodOptional<z.ZodBoolean>;
+        secretsManager: z.ZodOptional<z.ZodBoolean>;
+        kms: z.ZodOptional<z.ZodBoolean>;
+        cloudwatchLogs: z.ZodOptional<z.ZodBoolean>;
+        ssm: z.ZodOptional<z.ZodBoolean>;
+        sts: z.ZodOptional<z.ZodBoolean>;
+    }, z.core.$strict>]>>;
+}, z.core.$strict>;
+export declare const VpcEndpointsConfigOrFalseSchema: z.ZodUnion<[z.ZodLiteral<false>, z.ZodObject<{
+    gateway: z.ZodOptional<z.ZodUnion<[z.ZodLiteral<false>, z.ZodObject<{
+        s3: z.ZodOptional<z.ZodBoolean>;
+        dynamodb: z.ZodOptional<z.ZodBoolean>;
+    }, z.core.$strict>]>>;
+    interface: z.ZodOptional<z.ZodUnion<[z.ZodLiteral<false>, z.ZodObject<{
+        ecr: z.ZodOptional<z.ZodBoolean>;
+        secretsManager: z.ZodOptional<z.ZodBoolean>;
+        kms: z.ZodOptional<z.ZodBoolean>;
+        cloudwatchLogs: z.ZodOptional<z.ZodBoolean>;
+        ssm: z.ZodOptional<z.ZodBoolean>;
+        sts: z.ZodOptional<z.ZodBoolean>;
+    }, z.core.$strict>]>>;
+}, z.core.$strict>]>;
+export declare const NetworkResourcePlanSchema: z.ZodObject<{
+    maxAzs: z.ZodOptional<z.ZodNumber>;
+    natGateways: z.ZodOptional<z.ZodUnion<[z.ZodLiteral<false>, z.ZodObject<{
+        count: z.ZodOptional<z.ZodNumber>;
+    }, z.core.$strict>]>>;
+    flowLogs: z.ZodOptional<z.ZodUnion<[z.ZodLiteral<false>, z.ZodObject<{
+        destination: z.ZodOptional<z.ZodEnum<{
+            cloudwatch: "cloudwatch";
+            s3: "s3";
+        }>>;
+        retentionDays: z.ZodOptional<z.ZodNumber>;
+        trafficType: z.ZodOptional<z.ZodEnum<{
+            ALL: "ALL";
+            ACCEPT: "ACCEPT";
+            REJECT: "REJECT";
+        }>>;
+    }, z.core.$strict>]>>;
+    vpcEndpoints: z.ZodOptional<z.ZodUnion<[z.ZodLiteral<false>, z.ZodObject<{
+        gateway: z.ZodOptional<z.ZodUnion<[z.ZodLiteral<false>, z.ZodObject<{
+            s3: z.ZodOptional<z.ZodBoolean>;
+            dynamodb: z.ZodOptional<z.ZodBoolean>;
+        }, z.core.$strict>]>>;
+        interface: z.ZodOptional<z.ZodUnion<[z.ZodLiteral<false>, z.ZodObject<{
+            ecr: z.ZodOptional<z.ZodBoolean>;
+            secretsManager: z.ZodOptional<z.ZodBoolean>;
+            kms: z.ZodOptional<z.ZodBoolean>;
+            cloudwatchLogs: z.ZodOptional<z.ZodBoolean>;
+            ssm: z.ZodOptional<z.ZodBoolean>;
+            sts: z.ZodOptional<z.ZodBoolean>;
+        }, z.core.$strict>]>>;
+    }, z.core.$strict>]>>;
+    cidrMask: z.ZodOptional<z.ZodNumber>;
+}, z.core.$strict>;
+/**
+ * Additional network resource plan schema for app.addNetwork() VPCs.
+ * Extends NetworkResourcePlanSchema with a required name field.
+ */
+export declare const AdditionalNetworkResourcePlanSchema: z.ZodObject<{
+    maxAzs: z.ZodOptional<z.ZodNumber>;
+    natGateways: z.ZodOptional<z.ZodUnion<[z.ZodLiteral<false>, z.ZodObject<{
+        count: z.ZodOptional<z.ZodNumber>;
+    }, z.core.$strict>]>>;
+    flowLogs: z.ZodOptional<z.ZodUnion<[z.ZodLiteral<false>, z.ZodObject<{
+        destination: z.ZodOptional<z.ZodEnum<{
+            cloudwatch: "cloudwatch";
+            s3: "s3";
+        }>>;
+        retentionDays: z.ZodOptional<z.ZodNumber>;
+        trafficType: z.ZodOptional<z.ZodEnum<{
+            ALL: "ALL";
+            ACCEPT: "ACCEPT";
+            REJECT: "REJECT";
+        }>>;
+    }, z.core.$strict>]>>;
+    vpcEndpoints: z.ZodOptional<z.ZodUnion<[z.ZodLiteral<false>, z.ZodObject<{
+        gateway: z.ZodOptional<z.ZodUnion<[z.ZodLiteral<false>, z.ZodObject<{
+            s3: z.ZodOptional<z.ZodBoolean>;
+            dynamodb: z.ZodOptional<z.ZodBoolean>;
+        }, z.core.$strict>]>>;
+        interface: z.ZodOptional<z.ZodUnion<[z.ZodLiteral<false>, z.ZodObject<{
+            ecr: z.ZodOptional<z.ZodBoolean>;
+            secretsManager: z.ZodOptional<z.ZodBoolean>;
+            kms: z.ZodOptional<z.ZodBoolean>;
+            cloudwatchLogs: z.ZodOptional<z.ZodBoolean>;
+            ssm: z.ZodOptional<z.ZodBoolean>;
+            sts: z.ZodOptional<z.ZodBoolean>;
+        }, z.core.$strict>]>>;
+    }, z.core.$strict>]>>;
+    cidrMask: z.ZodOptional<z.ZodNumber>;
+    name: z.ZodString;
+}, z.core.$strict>;
+/**
+ * Network configuration for App.getApp() options.
+ * - false: No network (S3-only apps)
+ * - object: Create VPC with specified configuration
+ */
+export declare const NetworkConfigSchema: z.ZodUnion<[z.ZodLiteral<false>, z.ZodObject<{
+    maxAzs: z.ZodOptional<z.ZodNumber>;
+    natGateways: z.ZodOptional<z.ZodUnion<[z.ZodLiteral<false>, z.ZodObject<{
+        count: z.ZodOptional<z.ZodNumber>;
+    }, z.core.$strict>]>>;
+    flowLogs: z.ZodOptional<z.ZodUnion<[z.ZodLiteral<false>, z.ZodObject<{
+        destination: z.ZodOptional<z.ZodEnum<{
+            cloudwatch: "cloudwatch";
+            s3: "s3";
+        }>>;
+        retentionDays: z.ZodOptional<z.ZodNumber>;
+        trafficType: z.ZodOptional<z.ZodEnum<{
+            ALL: "ALL";
+            ACCEPT: "ACCEPT";
+            REJECT: "REJECT";
+        }>>;
+    }, z.core.$strict>]>>;
+    vpcEndpoints: z.ZodOptional<z.ZodUnion<[z.ZodLiteral<false>, z.ZodObject<{
+        gateway: z.ZodOptional<z.ZodUnion<[z.ZodLiteral<false>, z.ZodObject<{
+            s3: z.ZodOptional<z.ZodBoolean>;
+            dynamodb: z.ZodOptional<z.ZodBoolean>;
+        }, z.core.$strict>]>>;
+        interface: z.ZodOptional<z.ZodUnion<[z.ZodLiteral<false>, z.ZodObject<{
+            ecr: z.ZodOptional<z.ZodBoolean>;
+            secretsManager: z.ZodOptional<z.ZodBoolean>;
+            kms: z.ZodOptional<z.ZodBoolean>;
+            cloudwatchLogs: z.ZodOptional<z.ZodBoolean>;
+            ssm: z.ZodOptional<z.ZodBoolean>;
+            sts: z.ZodOptional<z.ZodBoolean>;
+        }, z.core.$strict>]>>;
+    }, z.core.$strict>]>>;
+    cidrMask: z.ZodOptional<z.ZodNumber>;
+}, z.core.$strict>]>;
+/**
+ * Network name schema for additional VPCs.
+ * Must be PascalCase as it's used as a CDK construct ID.
+ */
+export declare const NetworkNameSchema: z.ZodString;
+/**
+ * Network generator schema for configuring network infrastructure.
+ *
+ * Behaviour depends on whether networkName is provided:
+ * - With networkName: Adds an additional VPC via app.addNetwork()
+ * - Without networkName: Updates the primary network config in App.getApp()
+ */
+export declare const NetworkGeneratorSchema: z.ZodObject<{
+    appName: z.ZodString;
+    networkName: z.ZodOptional<z.ZodString>;
+    maxAzs: z.ZodOptional<z.ZodNumber>;
+    natGateways: z.ZodOptional<z.ZodUnion<[z.ZodLiteral<false>, z.ZodObject<{
+        count: z.ZodOptional<z.ZodNumber>;
+    }, z.core.$strict>]>>;
+    flowLogs: z.ZodOptional<z.ZodUnion<[z.ZodLiteral<false>, z.ZodObject<{
+        destination: z.ZodOptional<z.ZodEnum<{
+            cloudwatch: "cloudwatch";
+            s3: "s3";
+        }>>;
+        retentionDays: z.ZodOptional<z.ZodNumber>;
+        trafficType: z.ZodOptional<z.ZodEnum<{
+            ALL: "ALL";
+            ACCEPT: "ACCEPT";
+            REJECT: "REJECT";
+        }>>;
+    }, z.core.$strict>]>>;
+    vpcEndpoints: z.ZodOptional<z.ZodUnion<[z.ZodLiteral<false>, z.ZodObject<{
+        gateway: z.ZodOptional<z.ZodUnion<[z.ZodLiteral<false>, z.ZodObject<{
+            s3: z.ZodOptional<z.ZodBoolean>;
+            dynamodb: z.ZodOptional<z.ZodBoolean>;
+        }, z.core.$strict>]>>;
+        interface: z.ZodOptional<z.ZodUnion<[z.ZodLiteral<false>, z.ZodObject<{
+            ecr: z.ZodOptional<z.ZodBoolean>;
+            secretsManager: z.ZodOptional<z.ZodBoolean>;
+            kms: z.ZodOptional<z.ZodBoolean>;
+            cloudwatchLogs: z.ZodOptional<z.ZodBoolean>;
+            ssm: z.ZodOptional<z.ZodBoolean>;
+            sts: z.ZodOptional<z.ZodBoolean>;
+        }, z.core.$strict>]>>;
+    }, z.core.$strict>]>>;
+}, z.core.$strict>;
+export type NatConfig = z.infer<typeof NatConfigSchema>;
+export type FlowLogConfig = z.infer<typeof FlowLogConfigSchema>;
+export type GatewayEndpointsConfig = z.infer<typeof GatewayEndpointsConfigSchema>;
+export type InterfaceEndpointsConfig = z.infer<typeof InterfaceEndpointsConfigSchema>;
+export type VpcEndpointsConfig = z.infer<typeof VpcEndpointsConfigSchema>;
+export type NetworkResourcePlan = z.infer<typeof NetworkResourcePlanSchema>;
+export type AdditionalNetworkResourcePlan = z.infer<typeof AdditionalNetworkResourcePlanSchema>;
+export type NetworkGeneratorOptions = z.infer<typeof NetworkGeneratorSchema>;