@fjall/generator 0.88.4 → 0.89.2

package/dist/src/schemas/resourceSchemas.js

@@ -1,2015 +1,28 @@
-import { z } from "zod";
-import { validateArchitectureMatch, getArchitectureForInstanceType, } from "./instanceTypeArchitecture.js";
-import { VALIDATION_PATTERNS, VALIDATION_MESSAGES, } from "../validation/patterns.js";
-import { DATABASE_TYPES, COMPUTE_TYPES, ECS_CAPACITY_PROVIDERS, APP_TYPES, PATTERN_TYPE_VALUES, EC2_INSTANCE_TYPES, HTTP_METHODS, STORAGE_PRESET_TYPES, S3_ENCRYPTION_TYPES, BACKUP_VAULT_TIERS, MIN_PORT, MAX_PORT, MIN_LAMBDA_MEMORY, MAX_LAMBDA_MEMORY, MIN_LAMBDA_TIMEOUT, MAX_LAMBDA_TIMEOUT, MIN_ECS_CAPACITY, MAX_ECS_CAPACITY, VALID_MONITORING_INTERVALS, constIncludes, COMPUTE_ARCHITECTURES, } from "./constants.js";
-import { regions } from "../aws/regions.js";
-// Base schemas
-export const ResourceNameSchema = z
-    .string()
-    .min(1, VALIDATION_MESSAGES.REQUIRED.RESOURCE_NAME)
-    .max(63, VALIDATION_MESSAGES.MAX_LENGTH.RESOURCE_NAME)
-    .regex(VALIDATION_PATTERNS.RESOURCE_NAME, VALIDATION_MESSAGES.RESOURCE_NAME);
-export const BucketNameSchema = z
-    .string()
-    .min(1, VALIDATION_MESSAGES.REQUIRED.BUCKET_NAME)
-    .max(63, VALIDATION_MESSAGES.MAX_LENGTH.BUCKET_NAME)
-    .regex(VALIDATION_PATTERNS.BUCKET_NAME, VALIDATION_MESSAGES.BUCKET_NAME);
-export const DatabaseNameSchema = z
-    .string()
-    .min(1, VALIDATION_MESSAGES.REQUIRED.DATABASE_NAME)
-    .max(63, VALIDATION_MESSAGES.MAX_LENGTH.DATABASE_NAME)
-    .regex(VALIDATION_PATTERNS.DATABASE_NAME, VALIDATION_MESSAGES.DATABASE_NAME);
-export const AppNameSchema = z
-    .string()
-    .min(2, VALIDATION_MESSAGES.IDENTIFIER_MIN_LENGTH)
-    .max(50, VALIDATION_MESSAGES.MAX_LENGTH.APP_NAME)
-    .regex(VALIDATION_PATTERNS.IDENTIFIER, VALIDATION_MESSAGES.IDENTIFIER)
-    .refine((val) => !val.endsWith("-"), {
-    message: VALIDATION_MESSAGES.IDENTIFIER_NO_TRAILING_HYPHEN,
-})
-    .refine((val) => !val.includes("--"), {
-    message: VALIDATION_MESSAGES.IDENTIFIER_NO_CONSECUTIVE_HYPHENS,
-});
-export const PortSchema = z
-    .number()
-    .int(VALIDATION_MESSAGES.PORT.INTEGER)
-    .min(MIN_PORT, VALIDATION_MESSAGES.PORT.MIN)
-    .max(MAX_PORT, VALIDATION_MESSAGES.PORT.MAX);
-const optionalOrDisabled = (schema) => z.union([z.literal(false), schema]);
 /**
- * Extra property preserved verbatim during round-trip.
- * Captures properties inside managed factory calls that the parser
- * does not specifically handle (e.g. CDK PolicyStatement[], custom configs).
- */
-export const ExtraPropertySchema = z
-    .object({
-    key: z.string(),
-    sourceText: z.string(),
-})
-    .strict();
-/** Reusable capacity validation: ensures minCapacity <= maxCapacity. */
-const CAPACITY_REFINEMENT = {
-    check: (data) => {
-        if (data.minCapacity !== undefined && data.maxCapacity !== undefined) {
-            return data.minCapacity <= data.maxCapacity;
-        }
-        return true;
-    },
-    params: {
-        message: VALIDATION_MESSAGES.CAPACITY_CONSTRAINT.MIN_LTE_MAX,
-        path: ["maxCapacity"],
-    },
-};
-/** Reusable memory limit schema. EC2 allows 128 MiB min; ECS/containers require 512 MiB min. */
-const memoryLimitMiBSchema = (min) => z
-    .number()
-    .int(VALIDATION_MESSAGES.MEMORY_LIMIT.INTEGER)
-    .min(min, min === 128
-    ? VALIDATION_MESSAGES.MEMORY_LIMIT.MIN_128
-    : VALIDATION_MESSAGES.MEMORY_LIMIT.MIN_512)
-    .max(30720, VALIDATION_MESSAGES.MEMORY_LIMIT.MAX);
-/** Reusable backup retention validation. Range: 1-35 days. */
-const BackupRetentionSchema = z
-    .number()
-    .int(VALIDATION_MESSAGES.BACKUP_RETENTION.INTEGER)
-    .min(1, VALIDATION_MESSAGES.BACKUP_RETENTION.MIN)
-    .max(35, VALIDATION_MESSAGES.BACKUP_RETENTION.MAX);
-/** Reusable monitoring interval validation. Must be one of: 0, 1, 5, 10, 15, 30, 60. */
-const MonitoringIntervalSchema = z
-    .number()
-    .int(VALIDATION_MESSAGES.MONITORING_INTERVAL.INTEGER)
-    .refine((val) => constIncludes(VALID_MONITORING_INTERVALS, val), {
-    message: VALIDATION_MESSAGES.MONITORING_INTERVAL.VALUES,
-});
-/** Reusable database port validation. Range: 1024-65535. */
-const DatabasePortSchema = z
-    .number()
-    .int(VALIDATION_MESSAGES.DATABASE.PORT.INTEGER)
-    .min(1024, VALIDATION_MESSAGES.DATABASE.PORT.MIN)
-    .max(65535, VALIDATION_MESSAGES.DATABASE.PORT.MAX);
-/** Reusable generator capacity schemas for min/max capacity. */
-const GeneratorMinCapacitySchema = z
-    .number()
-    .int(VALIDATION_MESSAGES.CAPACITY.MIN.INTEGER)
-    .min(MIN_ECS_CAPACITY, VALIDATION_MESSAGES.GENERATOR_CAPACITY.MIN.MIN)
-    .max(MAX_ECS_CAPACITY, VALIDATION_MESSAGES.GENERATOR_CAPACITY.MIN.MAX);
-const GeneratorMaxCapacitySchema = z
-    .number()
-    .int(VALIDATION_MESSAGES.CAPACITY.MAX.INTEGER)
-    .min(MIN_ECS_CAPACITY, VALIDATION_MESSAGES.GENERATOR_CAPACITY.MAX.MIN)
-    .max(MAX_ECS_CAPACITY, VALIDATION_MESSAGES.GENERATOR_CAPACITY.MAX.MAX);
-/** Reusable Lambda memory validation with multiple-of-64 constraint. */
-const LambdaMemorySchema = z
-    .number()
-    .int(VALIDATION_MESSAGES.LAMBDA.MEMORY.INTEGER)
-    .min(MIN_LAMBDA_MEMORY, VALIDATION_MESSAGES.LAMBDA.MEMORY.MIN)
-    .max(MAX_LAMBDA_MEMORY, VALIDATION_MESSAGES.LAMBDA.MEMORY.MAX)
-    .refine((mem) => mem === 128 || mem % 64 === 0, VALIDATION_MESSAGES.LAMBDA.MEMORY.MULTIPLE);
-/**
- * Schema for special values used in code generation.
- * These represent dynamic code references rather than literal values.
- */
-export const IdentifierValueSchema = z
-    .object({ __identifier: z.string() })
-    .strict();
-export const ExpressionValueSchema = z
-    .object({ __expression: z.string() })
-    .strict();
-export const CallValueSchema = z.object({ __call: z.string() }).strict();
-export const SpecialValueSchema = z.union([
-    IdentifierValueSchema,
-    ExpressionValueSchema,
-    CallValueSchema,
-]);
-/**
- * Schema for environment variable values.
- * Supports literal values and special code generation values.
- */
-export const EnvironmentValueSchema = z.union([
-    z.string(),
-    z.number(),
-    z.boolean(),
-    SpecialValueSchema,
-]);
-export const EnvironmentRecordSchema = z.record(z.string(), EnvironmentValueSchema);
-/**
- * Schema for importing secrets from AWS Secrets Manager.
- * Matches the SecretImport type in infrastructure.
- */
-export const SecretImportSchema = z
-    .object({
-    /** Secret construct ID */
-    id: z.string(),
-    /** Secret name in Secrets Manager */
-    name: z.string(),
-    /** Optional field to extract from the secret */
-    field: z.string().optional(),
-})
-    .strict();
-/**
- * Record of secret imports keyed by environment variable name.
- */
-export const SecretsImportRecordSchema = z.record(z.string(), SecretImportSchema);
-/**
- * Schema for metadata values.
- * Supports simple types and complex AWS SDK types (VpcConfigResponse, Date, etc.)
- * Uses z.unknown() for flexibility with AWS resource properties whilst avoiding z.any().
- */
-export const MetadataRecordSchema = z.record(z.string(), z.unknown());
-export const Ec2ConfigSchema = z
-    .object({
-    instanceType: z.string().optional(),
-    amiHardwareType: z.enum(["ARM", "STANDARD"]).optional(),
-    minCapacity: z
-        .number()
-        .int(VALIDATION_MESSAGES.CAPACITY.MIN.INTEGER)
-        .min(1, VALIDATION_MESSAGES.CAPACITY.MIN.MIN_1)
-        .max(100, VALIDATION_MESSAGES.CAPACITY.MIN.MAX)
-        .optional(),
-    maxCapacity: z
-        .number()
-        .int(VALIDATION_MESSAGES.CAPACITY.MAX.INTEGER)
-        .min(1, VALIDATION_MESSAGES.CAPACITY.MAX.MIN_1)
-        .max(100, VALIDATION_MESSAGES.CAPACITY.MAX.MAX)
-        .optional(),
-    memoryLimitMiB: memoryLimitMiBSchema(128).optional(),
-})
-    .strict()
-    .superRefine((data, ctx) => {
-    if (!data.instanceType || !data.amiHardwareType)
-        return;
-    const result = validateArchitectureMatch(data.instanceType, data.amiHardwareType);
-    if (!result.valid) {
-        ctx.addIssue({
-            code: "custom",
-            message: result.message ?? VALIDATION_MESSAGES.ARCHITECTURE_MISMATCH,
-            path: ["instanceType"],
-        });
-    }
-});
-// Database schemas
-export const DatabaseTypeSchema = z
-    .enum(DATABASE_TYPES)
-    .describe(`Database type must be one of: ${DATABASE_TYPES.join(", ")}`);
-// Nested configuration schemas for database sub-resources
-export const ProxyConfigSchema = z
-    .object({
-    maxConnections: z
-        .number()
-        .int(VALIDATION_MESSAGES.MAX_CONNECTIONS.INTEGER)
-        .min(1, VALIDATION_MESSAGES.MAX_CONNECTIONS.MIN)
-        .max(100, VALIDATION_MESSAGES.MAX_CONNECTIONS.MAX)
-        .optional(),
-    maxIdleConnections: z
-        .number()
-        .int(VALIDATION_MESSAGES.PROXY_CONFIG.MAX_IDLE_CONNECTIONS.INTEGER)
-        .min(0, VALIDATION_MESSAGES.PROXY_CONFIG.MAX_IDLE_CONNECTIONS.MIN)
-        .max(100, VALIDATION_MESSAGES.PROXY_CONFIG.MAX_IDLE_CONNECTIONS.MAX)
-        .optional(),
-    connectionBorrowTimeout: z
-        .number()
-        .int(VALIDATION_MESSAGES.PROXY_CONFIG.BORROW_TIMEOUT.INTEGER)
-        .min(1, VALIDATION_MESSAGES.PROXY_CONFIG.BORROW_TIMEOUT.MIN)
-        .max(3600, VALIDATION_MESSAGES.PROXY_CONFIG.BORROW_TIMEOUT.MAX)
-        .optional(),
-    requireTLS: z.boolean().optional(),
-})
-    .strict()
-    .describe("RDS Proxy configuration");
-export const ReadReplicaConfigSchema = z
-    .object({
-    instanceType: z.string().optional(),
-    availabilityZone: z.string().optional(),
-})
-    .strict()
-    .describe("Read replica configuration");
-export const SecretRotationConfigSchema = z
-    .object({
-    automaticallyAfterDays: z
-        .number()
-        .int(VALIDATION_MESSAGES.ROTATION.INTEGER)
-        .min(1, VALIDATION_MESSAGES.ROTATION.MIN)
-        .max(365, VALIDATION_MESSAGES.ROTATION.MAX)
-        .optional(),
-})
-    .strict()
-    .describe("Secret rotation configuration");
-export const CredentialsConfigSchema = z
-    .object({
-    username: z
-        .string()
-        .min(1, VALIDATION_MESSAGES.REQUIRED.USERNAME)
-        .max(63, VALIDATION_MESSAGES.USERNAME.MAX_LENGTH)
-        .optional(),
-    secretRotation: SecretRotationConfigSchema.optional(),
-})
-    .strict()
-    .describe("Database credentials configuration");
-// Combined nested config schema (accepts object or false for explicit disable)
-export const ProxyConfigOrFalseSchema = optionalOrDisabled(ProxyConfigSchema);
-export const ReadReplicaConfigOrFalseSchema = optionalOrDisabled(ReadReplicaConfigSchema);
-// Aurora-specific nested configuration schemas
-export const AuroraReaderConfigSchema = z
-    .object({
-    scaleWithWriter: z.boolean().optional(),
-    enableDatabaseInsights: z.boolean().optional(),
-    identifierSuffix: z
-        .string()
-        .min(1, VALIDATION_MESSAGES.IDENTIFIER_SUFFIX.REQUIRED)
-        .max(50, VALIDATION_MESSAGES.IDENTIFIER_SUFFIX.MAX_LENGTH)
-        .optional(),
-    availabilityZone: z.string().optional(),
-})
-    .strict()
-    .describe("Configuration for a single Aurora reader instance");
-export const AuroraWriterConfigSchema = z
-    .object({
-    enableDatabaseInsights: z.boolean().optional(),
-    identifierSuffix: z
-        .string()
-        .min(1, VALIDATION_MESSAGES.IDENTIFIER_SUFFIX.REQUIRED)
-        .max(50, VALIDATION_MESSAGES.IDENTIFIER_SUFFIX.MAX_LENGTH)
-        .optional(),
-    availabilityZone: z.string().optional(),
-})
-    .strict()
-    .describe("Configuration for Aurora writer instance");
-export const AuroraReadersConfigSchema = z
-    .object({
-    count: z
-        .number()
-        .int(VALIDATION_MESSAGES.READER.COUNT.INTEGER)
-        .min(0, VALIDATION_MESSAGES.READER.COUNT.MIN)
-        .max(15, VALIDATION_MESSAGES.READER.COUNT.MAX)
-        .optional(),
-    instances: z
-        .array(AuroraReaderConfigSchema)
-        .max(15, VALIDATION_MESSAGES.READER_INSTANCES.MAX)
-        .optional(),
-    defaultEnableDatabaseInsights: z.boolean().optional(),
-})
-    .strict()
-    .refine((data) => !(data.count !== undefined && data.instances !== undefined), {
-    message: VALIDATION_MESSAGES.READER_INSTANCES.COUNT_OR_INSTANCES,
-    path: ["count"],
-})
-    .describe("Aurora readers configuration");
-export const AuroraReadersConfigOrFalseSchema = optionalOrDisabled(AuroraReadersConfigSchema);
-export const AwsManagedKeySchema = z
-    .object({
-    awsManaged: z.literal(true),
-})
-    .strict();
-export const CustomerManagedKeyMarkerSchema = z
-    .object({
-    useCMK: z.literal(true),
-})
-    .strict();
-// Encryption key specification for generator/tier preset contexts.
-export const EncryptionKeySpecSchema = z.union([
-    AwsManagedKeySchema,
-    CustomerManagedKeyMarkerSchema,
-]);
-export const DatabaseInsightsConfigSchema = z
-    .object({
-    mode: z.enum(["standard", "advanced"]).optional(),
-    encryptionKey: EncryptionKeySpecSchema.optional(),
-})
-    .strict()
-    .describe("Database Insights configuration");
-export const DatabaseInsightsConfigOrFalseSchema = optionalOrDisabled(DatabaseInsightsConfigSchema);
-export const EncryptionConfigSchema = z
-    .object({
-    storageKey: EncryptionKeySpecSchema.optional(),
-})
-    .strict()
-    .describe("Encryption configuration (DESTRUCTIVE to change storageKey)");
-export const DatabaseResourcePlanSchema = z
-    .object({
-    name: ResourceNameSchema,
-    type: DatabaseTypeSchema,
-    databaseName: z.string().min(1, VALIDATION_MESSAGES.REQUIRED.DATABASE_NAME),
-    // Instance-specific props (only apply when type is "Instance")
-    instanceType: z.string().optional(),
-    multiAz: z.boolean().optional(),
-    publiclyAccessible: z.boolean().optional(),
-    enableSecretRotation: z.boolean().optional(),
-    // Shared props (Instance and Aurora)
-    databaseInsights: DatabaseInsightsConfigOrFalseSchema.optional(),
-    port: DatabasePortSchema.optional(),
-    deletionProtection: z.boolean().optional(),
-    // Nested configurations (presence-based: object = enabled, false = disabled)
-    proxy: ProxyConfigOrFalseSchema.optional(),
-    credentials: CredentialsConfigSchema.optional(),
-    // Instance-specific nested config
-    readReplica: ReadReplicaConfigOrFalseSchema.optional(),
-    // Shared encryption config (Instance and Aurora)
-    encryption: EncryptionConfigSchema.optional(),
-    // Aurora/GlobalAurora-specific props
-    writer: AuroraWriterConfigSchema.optional(),
-    readers: AuroraReadersConfigOrFalseSchema.optional(),
-    // Shared operational props (Instance, Aurora, GlobalAurora)
-    backupRetention: BackupRetentionSchema.optional(),
-    preferredMaintenanceWindow: z.string().optional(),
-    monitoringInterval: MonitoringIntervalSchema.optional(),
-    // GlobalAurora-specific props
-    primaryRegion: z.string().optional(),
-    secondaryRegions: z.array(z.string()).optional(),
-    globalClusterIdentifier: z.string().optional(),
-    enableGlobalWriteForwarding: z.boolean().optional(),
-    // Shared restore/snapshot props
-    snapshotIdentifier: z.string().optional(),
-    snapshotUsername: z.string().optional(),
-    // Round-trip preservation fields (set by AST parser, used by generator)
-    databaseEngine: z.enum(["postgresql", "mysql"]).optional(),
-    engineExpression: z.string().optional(),
-    variableName: z.string().optional(),
-    extraProperties: z.array(ExtraPropertySchema).optional(),
-})
-    .strict();
-/**
- * Stack placement options for S3 buckets.
- * - "storage" (default): Created via app.addStorage() in Storage stack
- * - "cdn": Created in CDN stack for CloudFront-consumed buckets (avoids circular dependencies)
- * - "compute": Created in Compute stack for Lambda-consumed buckets
- */
-export const S3_STACK_PLACEMENTS = ["storage", "cdn", "compute"];
-export const S3ResourcePlanSchema = z
-    .object({
-    name: ResourceNameSchema,
-    // Explicit S3 bucket name (user-provided, kebab-case)
-    bucketName: z.string().optional(),
-    // Access control (replaces bucketType)
-    publicReadAccess: z.boolean().optional(),
-    // Website hosting (presence-based)
-    websiteHosting: z
-        .object({
-        indexDocument: z.string(),
-        errorDocument: z.string().optional(),
-    })
-        .strict()
-        .optional(),
-    // Core
-    backupVaultTier: z.enum(BACKUP_VAULT_TIERS).optional(),
-    versioned: z.boolean().optional(),
-    encryption: z.enum(S3_ENCRYPTION_TYPES).optional(),
-    kmsKeyArn: z.string().optional(),
-    // CORS (any bucket)
-    cors: z
-        .array(z
-        .object({
-        allowedOrigins: z.array(z.string()),
-        allowedMethods: z.array(z.string()),
-    })
-        .strict())
-        .optional(),
-    // Deployment (any bucket)
-    deployment: z
-        .object({
-        source: z.string(),
-        prune: z.boolean().optional(),
-        cacheControl: z
-            .object({
-            maxAge: z.number().optional(),
-            immutable: z.boolean().optional(),
-        })
-            .strict()
-            .optional(),
-    })
-        .strict()
-        .optional(),
-    // Stack placement
-    stackPlacement: z.enum(S3_STACK_PLACEMENTS).optional(),
-    // Round-trip preservation
-    variableName: z.string().optional(),
-    extraProperties: z.array(ExtraPropertySchema).optional(),
-})
-    .strict()
-    .refine((data) => data.encryption !== "KMS" || !!data.kmsKeyArn, {
-    message: VALIDATION_MESSAGES.KMS.KEY_REQUIRED,
-});
-// Network schemas
-export const NatConfigSchema = z
-    .object({
-    count: z
-        .number()
-        .int(VALIDATION_MESSAGES.NAT_GATEWAY.INTEGER)
-        .min(0, VALIDATION_MESSAGES.NAT_GATEWAY.MIN)
-        .max(3, VALIDATION_MESSAGES.NAT_GATEWAY.MAX)
-        .optional(),
-})
-    .strict()
-    .describe("NAT gateway configuration");
-export const NatConfigOrFalseSchema = optionalOrDisabled(NatConfigSchema);
-export const FlowLogConfigSchema = z
-    .object({
-    destination: z.enum(["cloudwatch", "s3"]).optional(),
-    retentionDays: z
-        .number()
-        .int(VALIDATION_MESSAGES.RETENTION_DAYS.INTEGER)
-        .min(1, VALIDATION_MESSAGES.RETENTION_DAYS.MIN)
-        .max(365, VALIDATION_MESSAGES.RETENTION_DAYS.MAX)
-        .optional(),
-    trafficType: z.enum(["ALL", "ACCEPT", "REJECT"]).optional(),
-})
-    .strict()
-    .describe("VPC flow log configuration");
-export const FlowLogConfigOrFalseSchema = optionalOrDisabled(FlowLogConfigSchema);
-export const GatewayEndpointsConfigSchema = z
-    .object({
-    s3: z.boolean().optional(),
-    dynamodb: z.boolean().optional(),
-})
-    .strict()
-    .describe("Gateway VPC endpoints (FREE)");
-export const GatewayEndpointsConfigOrFalseSchema = optionalOrDisabled(GatewayEndpointsConfigSchema);
-export const InterfaceEndpointsConfigSchema = z
-    .object({
-    ecr: z.boolean().optional(),
-    secretsManager: z.boolean().optional(),
-    kms: z.boolean().optional(),
-    cloudwatchLogs: z.boolean().optional(),
-    ssm: z.boolean().optional(),
-    sts: z.boolean().optional(),
-})
-    .strict()
-    .describe("Interface VPC endpoints (cost per hour)");
-export const InterfaceEndpointsConfigOrFalseSchema = optionalOrDisabled(InterfaceEndpointsConfigSchema);
-export const VpcEndpointsConfigSchema = z
-    .object({
-    gateway: GatewayEndpointsConfigOrFalseSchema.optional(),
-    interface: InterfaceEndpointsConfigOrFalseSchema.optional(),
-})
-    .strict()
-    .describe("VPC endpoints configuration");
-export const VpcEndpointsConfigOrFalseSchema = optionalOrDisabled(VpcEndpointsConfigSchema);
-export const NetworkResourcePlanSchema = z
-    .object({
-    maxAzs: z
-        .number()
-        .int(VALIDATION_MESSAGES.MAX_AZS.INTEGER)
-        .min(1, VALIDATION_MESSAGES.MAX_AZS.MIN)
-        .max(3, VALIDATION_MESSAGES.MAX_AZS.MAX)
-        .optional(),
-    natGateways: NatConfigOrFalseSchema.optional(),
-    flowLogs: FlowLogConfigOrFalseSchema.optional(),
-    vpcEndpoints: VpcEndpointsConfigOrFalseSchema.optional(),
-    cidrMask: z
-        .number()
-        .int(VALIDATION_MESSAGES.CIDR_MASK.INTEGER)
-        .min(16, VALIDATION_MESSAGES.CIDR_MASK.MIN)
-        .max(28, VALIDATION_MESSAGES.CIDR_MASK.MAX)
-        .optional(),
-})
-    .strict();
-/**
- * Additional network resource plan schema for app.addNetwork() VPCs.
- * Extends NetworkResourcePlanSchema with a required name field.
- */
-export const AdditionalNetworkResourcePlanSchema = NetworkResourcePlanSchema.extend({
-    name: z
-        .string()
-        .min(1, VALIDATION_MESSAGES.REQUIRED.NETWORK_NAME)
-        .max(50, VALIDATION_MESSAGES.MAX_LENGTH.NETWORK_NAME),
-}).strict();
-/**
- * Network configuration for App.getApp() options.
- * - false: No network (S3-only apps)
- * - object: Create VPC with specified configuration
- */
-export const NetworkConfigSchema = optionalOrDisabled(NetworkResourcePlanSchema);
-/**
- * Network name schema for additional VPCs.
- * Must be PascalCase as it's used as a CDK construct ID.
- */
-export const NetworkNameSchema = z
-    .string()
-    .min(1, VALIDATION_MESSAGES.REQUIRED.NETWORK_NAME)
-    .max(50, VALIDATION_MESSAGES.MAX_LENGTH.NETWORK_NAME)
-    .regex(VALIDATION_PATTERNS.RESOURCE_NAME, VALIDATION_MESSAGES.RESOURCE_NAME);
-/**
- * Network generator schema for configuring network infrastructure.
- *
- * Behaviour depends on whether networkName is provided:
- * - With networkName: Adds an additional VPC via app.addNetwork()
- * - Without networkName: Updates the primary network config in App.getApp()
- */
-export const NetworkGeneratorSchema = z
-    .object({
-    appName: AppNameSchema,
-    networkName: NetworkNameSchema.optional(),
-    maxAzs: z
-        .number()
-        .int(VALIDATION_MESSAGES.MAX_AZS.INTEGER)
-        .min(1, VALIDATION_MESSAGES.MAX_AZS.MIN)
-        .max(3, VALIDATION_MESSAGES.MAX_AZS.MAX)
-        .optional(),
-    natGateways: NatConfigOrFalseSchema.optional(),
-    flowLogs: FlowLogConfigOrFalseSchema.optional(),
-    vpcEndpoints: VpcEndpointsConfigOrFalseSchema.optional(),
-})
-    .strict();
-// Lambda event source schemas
-export const LambdaEventSourceSchema = z
-    .object({
-    sourceType: z.enum(["sqs", "dynamodb", "eventbridge"]),
-    sourceRef: z.string().describe("Name of the source resource"),
-    batchSize: z
-        .number()
-        .int(VALIDATION_MESSAGES.BATCH_SIZE.INTEGER)
-        .min(1, VALIDATION_MESSAGES.BATCH_SIZE.MIN)
-        .max(10000, VALIDATION_MESSAGES.BATCH_SIZE.MAX)
-        .optional(),
-    startingPosition: z.enum(["TRIM_HORIZON", "LATEST"]).optional(),
-    maxBatchingWindow: z
-        .number()
-        .int(VALIDATION_MESSAGES.BATCHING_WINDOW.INTEGER)
-        .min(0, VALIDATION_MESSAGES.BATCHING_WINDOW.MIN)
-        .max(300, VALIDATION_MESSAGES.BATCHING_WINDOW.MAX)
-        .optional(),
-    reportBatchItemFailures: z.boolean().optional(),
-})
-    .strict();
-// Compute schemas
-export const ComputeTypeSchema = z
-    .enum(COMPUTE_TYPES)
-    .describe(`Compute type must be one of: ${COMPUTE_TYPES.join(", ")}`);
-export const EcsCapacityProviderSchema = z
-    .enum(ECS_CAPACITY_PROVIDERS)
-    .describe(`ECS capacity provider must be one of: ${ECS_CAPACITY_PROVIDERS.join(", ")}`);
-export const InstanceTypeSchema = z
-    .string()
-    .refine((type) => constIncludes(EC2_INSTANCE_TYPES, type), {
-    message: VALIDATION_MESSAGES.INSTANCE_TYPE,
-});
-/**
- * Container configuration for ECS tasks.
- * For single-container services, name is optional and auto-generated.
- * For multi-container tasks, first container with a port gets load balancer registration.
- */
-export const ContainerConfigSchema = z
-    .object({
-    /** Container name. Optional for single-container services (auto-generated). */
-    name: z
-        .string()
-        .min(1, VALIDATION_MESSAGES.REQUIRED.CONTAINER_NAME)
-        .optional(),
-    /** Container image (ECR repo name or public image URL) */
-    image: z.string().optional(),
-    /** Port the container listens on */
-    port: PortSchema.optional(),
-    /** Environment variables */
-    environment: EnvironmentRecordSchema.optional(),
-    /** Secrets imported from AWS Secrets Manager */
-    secretsImport: SecretsImportRecordSchema.optional(),
-    /** Command to run in the container */
-    command: z.array(z.string()).optional(),
-    /** Entry point for the container */
-    entryPoint: z.array(z.string()).optional(),
-    /** Whether this container is essential (default: true) */
-    essential: z.boolean().optional(),
-    /** Health check configuration */
-    healthCheck: z
-        .object({
-        command: z.array(z.string()),
-        interval: z
-            .number()
-            .int(VALIDATION_MESSAGES.HEALTH_CHECK.INTERVAL.INTEGER)
-            .min(5, VALIDATION_MESSAGES.HEALTH_CHECK.INTERVAL.MIN)
-            .max(300, VALIDATION_MESSAGES.HEALTH_CHECK.INTERVAL.MAX)
-            .optional(),
-        timeout: z
-            .number()
-            .int(VALIDATION_MESSAGES.HEALTH_CHECK.TIMEOUT.INTEGER)
-            .min(2, VALIDATION_MESSAGES.HEALTH_CHECK.TIMEOUT.MIN)
-            .max(60, VALIDATION_MESSAGES.HEALTH_CHECK.TIMEOUT.MAX)
-            .optional(),
-        retries: z
-            .number()
-            .int(VALIDATION_MESSAGES.HEALTH_CHECK.RETRIES.INTEGER)
-            .min(1, VALIDATION_MESSAGES.HEALTH_CHECK.RETRIES.MIN)
-            .max(10, VALIDATION_MESSAGES.HEALTH_CHECK.RETRIES.MAX)
-            .optional(),
-        startPeriod: z
-            .number()
-            .int(VALIDATION_MESSAGES.HEALTH_CHECK.START_PERIOD.INTEGER)
-            .min(0, VALIDATION_MESSAGES.HEALTH_CHECK.START_PERIOD.MIN)
-            .max(300, VALIDATION_MESSAGES.HEALTH_CHECK.START_PERIOD.MAX)
-            .optional(),
-    })
-        .strict()
-        .optional(),
-    /**
-     * SSM secrets to inject into the container.
-     * Secret names must start with a letter or underscore (e.g., API_KEY, db.password).
-     * Used with ssmSecretsPath on the service to construct full SSM parameter paths.
-     */
-    ssmSecrets: z
-        .array(z
-        .string()
-        .regex(VALIDATION_PATTERNS.SECRET_NAME, VALIDATION_MESSAGES.SECRET_NAME))
-        .optional(),
-    extraProperties: z.array(ExtraPropertySchema).optional(),
-})
-    .strict();
-/**
- * TODO: CRITICAL - Zod schema for ImportedResourcePlan interface
+ * Re-export barrel for all resource schemas.
  *
- * This schema validates the ImportedResourcePlan interface and is preserved
- * for future pure AST implementation of import functionality.
+ * This file previously contained ~2,400 lines of Zod schemas. They have been
+ * split into focused domain-specific modules:
  *
- * When re-enabling import with pure AST:
- * - Remove cdkCode field (string manipulation anti-pattern)
- * - Remove imports field (will be handled by AST)
- * - Align with factory pattern for resource creation
+ *   baseSchemas.ts        — Shared utilities, name/port/env schemas, custom code, backup/tunnel
+ *   databaseSchemas.ts    — RDS, Aurora, DynamoDB, proxy, credentials, encryption
+ *   networkSchemas.ts     — VPC, NAT, flow logs, endpoints
+ *   storageSchemas.ts     — S3 resource plan and generator
+ *   messagingSchemas.ts   — SQS resource plan
+ *   cdnSchemas.ts         — CloudFront CDN resource plan and generator
+ *   computeSchemas.ts     — EC2, Lambda, ECS, container, service configs
+ *   patternSchemas.ts     — Payload/NextJS pattern configs, tier schemas
+ *   applicationSchemas.ts — ApplicationResourcePlan, ApplicationGenerator
  *
- * See resourcePlanning.ts ImportedResourcePlan interface for full documentation.
- */
-export const ImportedResourcePlanSchema = z
-    .object({
-    id: z.string(),
-    type: z.enum([
-        "s3",
-        "ec2",
-        "lambda",
-        "rds",
-        "aurora",
-        "vpc",
-        "ecs",
-        "elasticache",
-    ]),
-    name: z.string(),
-    physicalId: z.string(),
-    stack: z.enum(["network", "storage", "compute"]),
-    cdkCode: z.string(),
-    imports: z.array(z.string()),
-    metadata: MetadataRecordSchema.optional(),
-})
-    .strict();
-// Application schemas
-export const AppTypeSchema = z
-    .enum(APP_TYPES)
-    .describe(`Application type must be one of: ${APP_TYPES.join(", ")}`);
-// OpenNext pattern schemas
-export const PatternSchema = z
-    .enum(PATTERN_TYPE_VALUES)
-    .describe(`OpenNext deployment pattern: ${PATTERN_TYPE_VALUES.join(", ")}`);
-// Generator option schemas
-export const ECSGeneratorSchema = z
-    .object({
-    appName: AppNameSchema,
-    clusterName: ResourceNameSchema,
-    containerPort: PortSchema,
-    nameProvidedByFlag: z.boolean().optional(),
-    ecrRepository: z.string().optional(),
-    capacityProvider: EcsCapacityProviderSchema.optional(),
-    useAppEcr: z.boolean().optional(),
-    desiredCount: z
-        .number()
-        .int(VALIDATION_MESSAGES.CAPACITY.DESIRED.INTEGER)
-        .min(0, VALIDATION_MESSAGES.CAPACITY.DESIRED.MIN)
-        .max(100, VALIDATION_MESSAGES.CAPACITY.DESIRED.MAX)
-        .optional(),
-    cpu: z
-        .number()
-        .int(VALIDATION_MESSAGES.CPU.INTEGER)
-        .min(256, VALIDATION_MESSAGES.CPU.MIN)
-        .max(4096, VALIDATION_MESSAGES.CPU.MAX)
-        .optional(),
-    memoryLimitMiB: memoryLimitMiBSchema(512).optional(),
-    minCapacity: GeneratorMinCapacitySchema.optional(),
-    maxCapacity: GeneratorMaxCapacitySchema.optional(),
-    ec2Config: Ec2ConfigSchema.optional(),
-    connectionConfig: z
-        .object({
-        connectToDatabase: z.array(z.string()).optional(),
-    })
-        .strict()
-        .optional(),
-})
-    .strict()
-    .refine(CAPACITY_REFINEMENT.check, CAPACITY_REFINEMENT.params);
-export const LambdaGeneratorSchema = z
-    .object({
-    appName: AppNameSchema,
-    functionName: ResourceNameSchema,
-    nameProvidedByFlag: z.boolean().optional(),
-    lambdaType: z.enum(["basic", "web", "custom"]).optional(),
-    ecrRepository: z.string().optional(),
-    timeout: z
-        .number()
-        .int(VALIDATION_MESSAGES.LAMBDA.TIMEOUT.INTEGER)
-        .min(MIN_LAMBDA_TIMEOUT, VALIDATION_MESSAGES.LAMBDA.TIMEOUT.MIN)
-        .max(MAX_LAMBDA_TIMEOUT, VALIDATION_MESSAGES.LAMBDA.TIMEOUT.MAX)
-        .optional(),
-    memory: LambdaMemorySchema.optional(),
-    enableFunctionUrl: z.boolean().optional(),
-    description: z.string().optional(),
-    enableCors: z.boolean().optional(),
-    corsOrigins: z.string().optional(),
-    corsHeaders: z.string().optional(),
-    corsMethods: z.array(z.enum(HTTP_METHODS)).optional(),
-    corsCredentials: z.boolean().optional(),
-    connectionConfig: z
-        .object({
-        connectToDatabase: z.array(z.string()).optional(),
-    })
-        .strict()
-        .optional(),
-})
-    .strict();
-export const EC2GeneratorSchema = z
-    .object({
-    appName: AppNameSchema,
-    instanceName: ResourceNameSchema,
-    nameProvidedByFlag: z.boolean().optional(),
-    instanceType: InstanceTypeSchema.optional(),
-    enableSSH: z.boolean().optional(),
-    minCapacity: GeneratorMinCapacitySchema.optional(),
-    maxCapacity: GeneratorMaxCapacitySchema.optional(),
-    connectionConfig: z
-        .object({
-        connectToDatabase: z.array(z.string()).optional(),
-    })
-        .strict()
-        .optional(),
-})
-    .strict()
-    .refine(CAPACITY_REFINEMENT.check, CAPACITY_REFINEMENT.params);
-// Common fields shared across all database types
-const DatabaseGeneratorBaseSchema = z
-    .object({
-    appName: AppNameSchema,
-    nameProvidedByFlag: z.boolean().optional(),
-    databaseName: z
-        .string()
-        .min(1, VALIDATION_MESSAGES.REQUIRED.DATABASE_NAME)
-        .max(63, VALIDATION_MESSAGES.MAX_LENGTH.DATABASE_NAME)
-        .regex(VALIDATION_PATTERNS.DATABASE_NAME, VALIDATION_MESSAGES.DATABASE_NAME),
-    resourceName: ResourceNameSchema.optional(),
-    connectionConfig: z
-        .object({
-        /** Connect to entire compute resources (legacy, cluster-level) */
-        connectToCompute: z.array(z.string()).optional(),
-        /** Connect to specific ECS services (format: "ClusterName/ServiceName") */
-        connectToServices: z.array(z.string()).optional(),
-    })
-        .strict()
-        .optional(),
-    // Shared fields (all database types)
-    databaseInsights: DatabaseInsightsConfigOrFalseSchema.optional(),
-    port: DatabasePortSchema.optional(),
-    proxy: ProxyConfigOrFalseSchema.optional(),
-    credentials: CredentialsConfigSchema.optional(),
-    encryption: EncryptionConfigSchema.optional(),
-    deletionProtection: z.boolean().optional(),
-})
-    .strict();
-// Type-specific field definitions shared between CLI and UI schemas
-const instanceSpecificFields = {
-    databaseType: z.literal("Instance"),
-    instanceType: z.string().optional(),
-    multiAz: z.boolean().optional(),
-    readReplica: ReadReplicaConfigOrFalseSchema.optional(),
-    publiclyAccessible: z.boolean().optional(),
-    backupRetention: BackupRetentionSchema.optional(),
-    allocatedStorage: z.number().optional(),
-    snapshotIdentifier: z.string().optional(),
-    snapshotUsername: z.string().optional(),
-};
-const auroraSpecificFields = {
-    databaseType: z.literal("Aurora"),
-    writer: AuroraWriterConfigSchema.optional(),
-    readers: AuroraReadersConfigOrFalseSchema.optional(),
-    backupRetention: BackupRetentionSchema.optional(),
-    preferredMaintenanceWindow: z.string().optional(),
-    monitoringInterval: MonitoringIntervalSchema.optional(),
-    snapshotIdentifier: z.string().optional(),
-    snapshotUsername: z.string().optional(),
-};
-const globalAuroraSpecificFields = {
-    databaseType: z.literal("GlobalAurora"),
-    primaryRegion: z
-        .string()
-        .min(1, VALIDATION_MESSAGES.GLOBAL_AURORA.PRIMARY_REGION_REQUIRED),
-    secondaryRegions: z.array(z.string()).optional(),
-    globalClusterIdentifier: z.string().optional(),
-    enableGlobalWriteForwarding: z.boolean().optional(),
-    writer: AuroraWriterConfigSchema.optional(),
-    readers: AuroraReadersConfigOrFalseSchema.optional(),
-    backupRetention: BackupRetentionSchema.optional(),
-    preferredMaintenanceWindow: z.string().optional(),
-    monitoringInterval: MonitoringIntervalSchema.optional(),
-    snapshotIdentifier: z.string().optional(),
-    snapshotUsername: z.string().optional(),
-};
-const InstanceDatabaseGeneratorSchema = DatabaseGeneratorBaseSchema.extend(instanceSpecificFields).strict();
-const AuroraDatabaseGeneratorSchema = DatabaseGeneratorBaseSchema.extend(auroraSpecificFields).strict();
-const GlobalAuroraDatabaseGeneratorSchema = DatabaseGeneratorBaseSchema.extend(globalAuroraSpecificFields).strict();
-/**
- * Database generator schema using discriminated union.
- * This ensures type-specific fields are only allowed for the correct database type:
- * - Instance: instanceType, multiAz, readReplica
- * - Aurora: writer, readers, backupRetention
- * - GlobalAurora: primaryRegion (required!), secondaryRegions, enableGlobalWriteForwarding
- */
-export const DatabaseGeneratorSchema = z.discriminatedUnion("databaseType", [
-    InstanceDatabaseGeneratorSchema,
-    AuroraDatabaseGeneratorSchema,
-    GlobalAuroraDatabaseGeneratorSchema,
-]);
-// Base schema with required resourceName for UI
-const DatabaseGeneratorBaseSchemaFromUI = DatabaseGeneratorBaseSchema.extend({
-    resourceName: ResourceNameSchema,
-}).strict();
-/**
- * Stricter schema for UI-originated database creation.
- * Requires resourceName to prevent silent failures where
- * the generator falls back to a default name that may conflict.
- */
-const InstanceDatabaseGeneratorSchemaFromUI = DatabaseGeneratorBaseSchemaFromUI.extend(instanceSpecificFields).strict();
-const AuroraDatabaseGeneratorSchemaFromUI = DatabaseGeneratorBaseSchemaFromUI.extend(auroraSpecificFields).strict();
-const GlobalAuroraDatabaseGeneratorSchemaFromUI = DatabaseGeneratorBaseSchemaFromUI.extend(globalAuroraSpecificFields).strict();
-export const DatabaseGeneratorSchemaFromUI = z.discriminatedUnion("databaseType", [
-    InstanceDatabaseGeneratorSchemaFromUI,
-    AuroraDatabaseGeneratorSchemaFromUI,
-    GlobalAuroraDatabaseGeneratorSchemaFromUI,
-]);
-/**
- * Service name schema.
- * Must be a valid identifier for ECS services.
- */
-export const EcsServiceNameSchema = z
-    .string()
-    .min(1, VALIDATION_MESSAGES.REQUIRED.SERVICE_NAME)
-    .max(255, VALIDATION_MESSAGES.MAX_LENGTH.SERVICE_NAME)
-    .regex(VALIDATION_PATTERNS.ECS_SERVICE_NAME, VALIDATION_MESSAGES.ECS_SERVICE_NAME);
-/**
- * Cluster-level configuration.
- * Controls the shared ALB for all services.
- */
-export const EcsClusterConfigSchema = z
-    .object({
-    /** Domain for HTTPS access. Creates ACM certificate + Route53 DNS. */
-    domain: z.string().optional(),
-    /**
-     * Load balancer configuration.
-     * - false: No ALB (for workers/internal services)
-     * - "public": Internet-facing ALB (default)
-     * - "internal": VPC-only ALB
-     */
-    loadBalancer: z
-        .union([z.literal(false), z.literal("public"), z.literal("internal")])
-        .optional(),
-    /** Enable direct EC2 access without ALB. Opens container ports on security group. */
-    directAccess: z.boolean().optional(),
-})
-    .strict()
-    .refine((data) => !(data.directAccess && data.domain), {
-    message: VALIDATION_MESSAGES.DIRECT_ACCESS.NO_DOMAIN,
-    path: ["directAccess"],
-})
-    .refine((data) => !(data.directAccess && typeof data.loadBalancer === "string"), {
-    message: VALIDATION_MESSAGES.DIRECT_ACCESS.NO_LOAD_BALANCER,
-})
-    .describe("Cluster-level configuration");
-/**
- * Routing configuration for path/host-based routing on the ALB.
- * Required when cluster has multiple services with ports.
- */
-export const EcsRoutingConfigSchema = z
-    .object({
-    /** Path pattern for routing (e.g., "/api/*", "/users/*") */
-    path: z.string().optional(),
-    /** Host header for routing (e.g., "api.example.com") */
-    host: z.string().optional(),
-    /** Priority for this routing rule (1-50000). Lower = higher priority. */
-    priority: z
-        .number()
-        .int(VALIDATION_MESSAGES.PRIORITY.INTEGER)
-        .min(1, VALIDATION_MESSAGES.PRIORITY.MIN)
-        .max(50000, VALIDATION_MESSAGES.PRIORITY.MAX)
-        .optional(),
-    /** Health check path for this service's target group. Default: "/" */
-    healthCheckPath: z.string().optional(),
-})
-    .strict()
-    .describe("Path/host-based routing configuration");
-/**
- * Scaling configuration for ECS services.
- */
-export const EcsScalingConfigSchema = z
-    .object({
-    desiredCount: z
-        .number()
-        .int(VALIDATION_MESSAGES.CAPACITY.DESIRED.INTEGER)
-        .min(0, VALIDATION_MESSAGES.CAPACITY.DESIRED.MIN)
-        .max(100, VALIDATION_MESSAGES.CAPACITY.DESIRED.MAX)
-        .optional(),
-    minCapacity: z
-        .number()
-        .int(VALIDATION_MESSAGES.CAPACITY.MIN.INTEGER)
-        .min(0, VALIDATION_MESSAGES.CAPACITY.MIN.MIN_0)
-        .max(100, VALIDATION_MESSAGES.CAPACITY.MIN.MAX)
-        .optional(),
-    maxCapacity: z
-        .number()
-        .int(VALIDATION_MESSAGES.CAPACITY.MAX.INTEGER)
-        .min(0, VALIDATION_MESSAGES.CAPACITY.MAX.MIN_0)
-        .max(100, VALIDATION_MESSAGES.CAPACITY.MAX.MAX)
-        .optional(),
-    scalingType: z.enum(["CPU", "MEMORY"]).optional(),
-})
-    .strict()
-    .refine(CAPACITY_REFINEMENT.check, CAPACITY_REFINEMENT.params)
-    .describe("ECS service scaling configuration");
-/**
- * Configuration for a service in an ECS cluster.
- * Each service gets its own task definition, scaling, and target group.
- */
-export const EcsServiceConfigSchema = z
-    .object({
-    /** Service name (unique within cluster) */
-    name: EcsServiceNameSchema,
-    /** Path to Dockerfile for this service (e.g., "./Dockerfile.frontend") */
-    dockerfilePath: z.string().optional(),
-    /** Docker build target stage for multi-stage Dockerfiles (e.g., "api", "frontend") */
-    dockerTarget: z.string().optional(),
-    /** Whether this service needs database connection */
-    needsDatabaseConnection: z.boolean().optional(),
-    /** Whether this service needs storage connection */
-    needsStorageConnection: z.boolean().optional(),
-    /** Container image (ECR repo name or public image URL) */
-    image: z.string().optional(),
-    /**
-     * Container configuration(s) for this service.
-     * For single-container services, container name is optional and auto-generated.
-     * For multi-container tasks, first container with a port is the primary container.
-     */
-    containers: z.array(ContainerConfigSchema).optional(),
-    /** Routing rules for this service on the cluster's ALB. Single rule or array of rules. */
-    routing: z
-        .union([EcsRoutingConfigSchema, z.array(EcsRoutingConfigSchema).min(1)])
-        .optional(),
-    /** CPU units for this service's tasks (256-4096) */
-    cpu: z
-        .number()
-        .int(VALIDATION_MESSAGES.CPU.INTEGER)
-        .min(256, VALIDATION_MESSAGES.CPU.MIN)
-        .max(4096, VALIDATION_MESSAGES.CPU.MAX)
-        .optional(),
-    /** Memory in MiB for this service's tasks (512-30720) */
-    memoryLimitMiB: memoryLimitMiBSchema(512).optional(),
-    /** Desired number of tasks. Default: 2 */
-    desiredCount: z
-        .number()
-        .int(VALIDATION_MESSAGES.CAPACITY.DESIRED.INTEGER)
-        .min(0, VALIDATION_MESSAGES.CAPACITY.DESIRED.MIN)
-        .max(100, VALIDATION_MESSAGES.CAPACITY.DESIRED.MAX)
-        .optional(),
-    /**
-     * Scaling configuration.
-     * - Omit: enabled with defaults
-     * - false: disabled
-     */
-    scaling: optionalOrDisabled(EcsScalingConfigSchema).optional(),
-    /**
-     * Capacity provider for this service. REQUIRED.
-     * - "FARGATE": Serverless containers (default for most tiers)
-     * - "FARGATE_SPOT": Serverless with Spot pricing (cost savings)
-     * - "EC2": EC2-backed containers (for tinkerer tier or specific needs)
-     */
-    capacityProvider: EcsCapacityProviderSchema,
-    /**
-     * EC2 capacity configuration for this service.
-     * Only used when service capacityProvider is "EC2".
-     * Creates a dedicated ASG if config differs from existing ASGs.
-     */
-    ec2Config: Ec2ConfigSchema.optional(),
-    /**
-     * SSM Parameter Store path for secrets.
-     * If containers have ssmSecrets defined, this path is used as the base path.
-     * Format: /<app>/<cluster>/<service>
-     */
-    ssmSecretsPath: z
-        .string()
-        .regex(VALIDATION_PATTERNS.SSM_PATH, VALIDATION_MESSAGES.SSM_PATH)
-        .optional(),
-    extraProperties: z.array(ExtraPropertySchema).optional(),
-})
-    .strict()
-    .describe("Configuration for a service in an ECS cluster");
-/**
- * Compute resource plan schema.
- * Used by the code generator to produce infrastructure code.
- */
-export const ComputeResourcePlanSchema = z
-    .object({
-    name: ResourceNameSchema,
-    type: ComputeTypeSchema,
-    needsConnection: z.boolean(),
-    connectedDatabase: z.array(z.string()).optional(),
-    connectedStorage: z.array(z.string()).optional(),
-    // ECS-specific (multi-service structure)
-    /** Cluster configuration (domain, loadBalancer, directAccess) */
-    cluster: EcsClusterConfigSchema.optional(),
-    /** Services in this cluster. Each service specifies its own capacityProvider. */
-    services: z.array(EcsServiceConfigSchema).optional(),
-    dockerfilePath: z.string().optional(),
-    // Lambda-specific
-    /** Deployment type: "container" (ECR image) or "code" (Code.fromAsset) */
-    deployment: z.enum(["container", "code"]).optional(),
-    /** Path to Lambda code directory (for code deployment) */
-    codePath: z.string().optional(),
-    timeout: z
-        .number()
-        .int(VALIDATION_MESSAGES.LAMBDA.TIMEOUT.INTEGER)
-        .min(1, VALIDATION_MESSAGES.LAMBDA.TIMEOUT.MIN)
-        .max(900, VALIDATION_MESSAGES.LAMBDA.TIMEOUT.MAX)
-        .optional(),
-    memory: z
-        .number()
-        .int(VALIDATION_MESSAGES.LAMBDA.MEMORY.INTEGER)
-        .min(128, VALIDATION_MESSAGES.LAMBDA.MEMORY.MIN)
-        .max(10240, VALIDATION_MESSAGES.LAMBDA.MEMORY.MAX)
-        .optional(),
-    handler: z.string().optional(),
-    runtime: z.string().optional(),
-    environment: EnvironmentRecordSchema.optional(),
-    secrets: EnvironmentRecordSchema.optional(),
-    eventSources: z.array(LambdaEventSourceSchema).optional(),
-    /** Lambda function URL configuration for direct HTTP access */
-    functionUrl: z
-        .object({
-        authType: z.enum(["NONE", "AWS_IAM"]),
-    })
-        .strict()
-        .optional(),
-    /** Lambda function description */
-    description: z.string().optional(),
-    /** EventBridge schedule expression (e.g. "rate(5 minutes)") */
-    scheduleExpression: z.string().optional(),
-    /** CPU architecture (e.g. "ARM_64", "X86_64") */
-    architecture: z.enum(COMPUTE_ARCHITECTURES).optional(),
-    /** Ephemeral storage size in MiB (512-10240) */
-    ephemeralStorageSize: z.number().int().min(512).max(10240).optional(),
-    /** Override auto-generated function name */
-    functionName: z.string().optional(),
-    /** SSM Parameter Store secret names (Lambda-specific, string array) */
-    ssmSecrets: z.array(z.string()).optional(),
-    /** SSM Parameter Store path prefix for secrets */
-    ssmSecretsPath: z.string().optional(),
-    // EC2-specific (standalone EC2, not ECS EC2)
-    instanceType: InstanceTypeSchema.optional(),
-    enableSSH: z.boolean().optional(),
-    keyName: z.string().optional(),
-    userData: z.string().optional(),
-    securityGroups: z.array(z.string()).optional(),
-    // Round-trip preservation
-    variableName: z.string().optional(),
-    extraProperties: z.array(ExtraPropertySchema).optional(),
-})
-    .strict()
-    .superRefine((data, ctx) => {
-    // ECS with EC2 services: validate instance types match ARM architecture for Docker builds.
-    // Skip when amiHardwareType is explicitly set — the user is deliberately choosing the architecture.
-    if (data.type === "ecs" && data.services) {
-        for (let i = 0; i < data.services.length; i++) {
-            const service = data.services[i];
-            if (service?.ec2Config?.instanceType &&
-                !service.ec2Config.amiHardwareType) {
-                const arch = getArchitectureForInstanceType(service.ec2Config.instanceType);
-                if (arch !== "ARM") {
-                    ctx.addIssue({
-                        code: "custom",
-                        message: `Service '${service.name ?? i}' uses instance type '${service.ec2Config.instanceType}' (x86), ` +
-                            `which requires Docker images built for linux/amd64. The default build targets linux/arm64 (Graviton). ` +
-                            `Use a Graviton instance type (t4g, c6g, r6g, m6g, etc.) or set amiHardwareType: "STANDARD" to acknowledge x86.`,
-                        path: ["services", i, "ec2Config", "instanceType"],
-                    });
-                }
-            }
-        }
-    }
-    // Container Lambda: warn when explicit X86_64 is set without the matching Docker platform
-    if (data.type === "lambda" &&
-        data.deployment === "container" &&
-        data.architecture === "X86_64") {
-        ctx.addIssue({
-            code: "custom",
-            message: `Lambda architecture 'X86_64' requires Docker images built for linux/amd64, ` +
-                `but the default build targets linux/arm64. Use 'ARM_64' for Graviton Lambdas (recommended) ` +
-                `or ensure your build pipeline targets linux/amd64.`,
-            path: ["architecture"],
-        });
-    }
-});
-const DYNAMODB_ATTRIBUTE_TYPES = ["S", "N", "B"];
-const DynamoDBKeySchema = z
-    .object({
-    name: z.string(),
-    type: z.enum(DYNAMODB_ATTRIBUTE_TYPES),
-})
-    .strict();
-/**
- * DynamoDB table resource plan schema (for OpenNext patterns)
- */
-export const DynamoDBResourcePlanSchema = z
-    .object({
-    name: ResourceNameSchema,
-    partitionKey: DynamoDBKeySchema,
-    sortKey: DynamoDBKeySchema.optional(),
-    globalSecondaryIndexes: z
-        .array(z
-        .object({
-        indexName: z.string(),
-        partitionKey: DynamoDBKeySchema,
-        sortKey: DynamoDBKeySchema.optional(),
-    })
-        .strict())
-        .optional(),
-    ttlAttribute: z.string().optional(),
-    stream: z.boolean().optional(),
-    // Round-trip preservation
-    variableName: z.string().optional(),
-    extraProperties: z.array(ExtraPropertySchema).optional(),
-})
-    .strict();
-/**
- * SQS queue resource plan schema (for OpenNext patterns)
- */
-export const SQSResourcePlanSchema = z
-    .object({
-    name: ResourceNameSchema,
-    queueType: z.enum(["standard", "fifo"]).default("standard"),
-    visibilityTimeout: z
-        .number()
-        .int(VALIDATION_MESSAGES.SQS.VISIBILITY_TIMEOUT.INTEGER)
-        .min(0, VALIDATION_MESSAGES.SQS.VISIBILITY_TIMEOUT.MIN)
-        .max(43200, VALIDATION_MESSAGES.SQS.VISIBILITY_TIMEOUT.MAX)
-        .optional(),
-    retentionPeriod: z
-        .number()
-        .int(VALIDATION_MESSAGES.SQS.RETENTION_PERIOD.INTEGER)
-        .min(60, VALIDATION_MESSAGES.SQS.RETENTION_PERIOD.MIN)
-        .max(1209600, VALIDATION_MESSAGES.SQS.RETENTION_PERIOD.MAX)
-        .optional(),
-    contentBasedDeduplication: z.boolean().optional(),
-    // Round-trip preservation
-    variableName: z.string().optional(),
-    extraProperties: z.array(ExtraPropertySchema).optional(),
-})
-    .strict();
-/**
- * Access gate configuration for CDN distributions.
- * Extensible discriminated union — currently supports basic-auth,
- * future types (cognito, oidc, ip-allowlist) can be added.
- */
-export const AccessGateSchema = z
-    .object({
-    type: z.literal("basic-auth"),
-    username: z.string().min(1),
-    password: z.string().min(1),
-})
-    .strict();
-/**
- * CDN resource plan schema (for OpenNext patterns)
- */
-export const CDNResourcePlanSchema = z
-    .object({
-    name: ResourceNameSchema,
-    defaultOriginRef: z.string(),
-    behaviours: z
-        .array(z
-        .object({
-        pathPattern: z.string(),
-        originRef: z.string(),
-        cachePolicy: z
-            .enum(["CACHING_OPTIMIZED", "CACHING_DISABLED"])
-            .optional(),
-    })
-        .strict())
-        .optional(),
-    customDomain: z.string().optional(),
-    certificateArn: z.string().optional(),
-    accessGate: z.union([z.literal(false), AccessGateSchema]).optional(),
-    extraProperties: z.array(ExtraPropertySchema).optional(),
-})
-    .strict();
-export const CdnGeneratorSchema = z
-    .object({
-    appName: z.string(),
-    name: ResourceNameSchema.optional(),
-    defaultOriginRef: z.string(),
-    behaviours: z
-        .array(z
-        .object({
-        pathPattern: z.string(),
-        originRef: z.string(),
-        cachePolicy: z
-            .enum(["CACHING_OPTIMIZED", "CACHING_DISABLED"])
-            .optional(),
-    })
-        .strict())
-        .optional(),
-    customDomain: z.string().optional(),
-    certificateArn: z.string().optional(),
-    accessGate: z.union([z.literal(false), AccessGateSchema]).optional(),
-    nameProvidedByFlag: z.boolean().optional(),
-})
-    .strict();
-/**
- * Schema for adding a service to an existing ECS cluster.
- * Used by the `fjall add service` command.
- */
-export const AddServiceGeneratorSchema = z
-    .object({
-    appName: AppNameSchema,
-    clusterName: ResourceNameSchema,
-    serviceName: EcsServiceNameSchema,
-    capacityProvider: EcsCapacityProviderSchema,
-    containerPort: PortSchema.optional(),
-    cpu: z
-        .number()
-        .int(VALIDATION_MESSAGES.CPU.INTEGER)
-        .min(256, VALIDATION_MESSAGES.CPU.MIN)
-        .max(4096, VALIDATION_MESSAGES.CPU.MAX)
-        .optional(),
-    memoryLimitMiB: memoryLimitMiBSchema(512).optional(),
-    desiredCount: z
-        .number()
-        .int(VALIDATION_MESSAGES.CAPACITY.DESIRED.INTEGER)
-        .min(0, VALIDATION_MESSAGES.CAPACITY.DESIRED.MIN)
-        .max(100, VALIDATION_MESSAGES.CAPACITY.DESIRED.MAX)
-        .optional(),
-    ec2Config: Ec2ConfigSchema.optional(),
-    routing: z
-        .union([EcsRoutingConfigSchema, z.array(EcsRoutingConfigSchema).min(1)])
-        .optional(),
-    dockerfilePath: z.string().optional(),
-    dockerTarget: z.string().optional(),
-    nameProvidedByFlag: z.boolean().optional(),
-    connectionConfig: z
-        .object({
-        connectToDatabase: z.array(z.string()).optional(),
-    })
-        .strict()
-        .optional(),
-})
-    .strict();
-/**
- * Schema for adding RDS Proxy to an existing database.
- * Used by the `fjall add proxy` command.
- */
-export const AddProxyGeneratorSchema = z
-    .object({
-    appName: AppNameSchema,
-    databaseName: z.string().min(1, VALIDATION_MESSAGES.REQUIRED.DATABASE_NAME),
-    maxConnections: z
-        .number()
-        .int(VALIDATION_MESSAGES.MAX_CONNECTIONS.INTEGER)
-        .min(1, VALIDATION_MESSAGES.MAX_CONNECTIONS.MIN)
-        .max(100, VALIDATION_MESSAGES.MAX_CONNECTIONS.MAX)
-        .optional(),
-    maxIdleConnections: z
-        .number()
-        .int(VALIDATION_MESSAGES.PROXY_CONFIG.MAX_IDLE_CONNECTIONS.INTEGER)
-        .min(0, VALIDATION_MESSAGES.PROXY_CONFIG.MAX_IDLE_CONNECTIONS.MIN)
-        .max(100, VALIDATION_MESSAGES.PROXY_CONFIG.MAX_IDLE_CONNECTIONS.MAX)
-        .optional(),
-    connectionBorrowTimeout: z
-        .number()
-        .int(VALIDATION_MESSAGES.PROXY_CONFIG.BORROW_TIMEOUT.INTEGER)
-        .min(1, VALIDATION_MESSAGES.PROXY_CONFIG.BORROW_TIMEOUT.MIN)
-        .max(3600, VALIDATION_MESSAGES.PROXY_CONFIG.BORROW_TIMEOUT.MAX)
-        .optional(),
-    requireTLS: z.boolean().optional(),
-    nameProvidedByFlag: z.boolean().optional(),
-})
-    .strict();
-/**
- * Pattern Lambda configuration for individual functions.
- */
-export const PatternLambdaConfigSchema = z
-    .object({
-    /** Memory size in MB. Range: 128-10240. */
-    memorySize: LambdaMemorySchema.optional(),
-    /** Timeout in seconds. Range: 1-900. */
-    timeout: z
-        .number()
-        .int(VALIDATION_MESSAGES.LAMBDA.TIMEOUT.INTEGER)
-        .min(1, VALIDATION_MESSAGES.LAMBDA.TIMEOUT.MIN)
-        .max(900, VALIDATION_MESSAGES.LAMBDA.TIMEOUT.MAX)
-        .optional(),
-    /** Ephemeral storage size in MB. Range: 512-10240. Default: 512. */
-    ephemeralStorageSize: z
-        .number()
-        .int(VALIDATION_MESSAGES.EPHEMERAL_STORAGE.INTEGER)
-        .min(512, VALIDATION_MESSAGES.EPHEMERAL_STORAGE.MIN)
-        .max(10240, VALIDATION_MESSAGES.EPHEMERAL_STORAGE.MAX)
-        .optional(),
-})
-    .strict();
-/**
- * Full Payload database configuration for pattern.
- * Exposes ALL underlying DatabaseFactory props with pattern-specific defaults.
- */
-export const PayloadDatabaseConfigSchema = z
-    .object({
-    /** Database type: "Instance" (RDS Instance) or "Aurora". Default: "Instance" */
-    type: z.enum(["Instance", "Aurora"]).optional(),
-    /** Database name. Default: derived from pattern name */
-    databaseName: z.string().optional(),
-    /** Database engine. Default: "postgresql" */
-    databaseEngine: z.enum(["postgresql", "mysql"]).optional(),
-    /** Enable deletion protection. Default: true */
-    deletionProtection: z.boolean().optional(),
-    /** Backup retention in days. Default: 7 */
-    backupRetention: BackupRetentionSchema.optional(),
-    /** Database port. Default: engine-specific (5432 for PostgreSQL) */
-    port: DatabasePortSchema.optional(),
-    /** Make database publicly accessible (for local development). Default: false */
-    publiclyAccessible: z.boolean().optional(),
-    /** IP CIDR to allow when publicly accessible */
-    allowedIpCidr: z.string().optional(),
-    /** Instance type for RDS Instance databases (e.g., "t4g.small", "t4g.large") */
-    instanceType: z.string().optional(),
-    /** Allocated storage in GB for RDS Instance. Default: 20 */
-    allocatedStorage: z
-        .number()
-        .int(VALIDATION_MESSAGES.ALLOCATED_STORAGE.INTEGER)
-        .min(20, VALIDATION_MESSAGES.ALLOCATED_STORAGE.MIN)
-        .max(65536, VALIDATION_MESSAGES.ALLOCATED_STORAGE.MAX)
-        .optional(),
-    /** Enable Multi-AZ deployment for high availability. */
-    multiAz: z.boolean().optional(),
-    /** Read replica configuration for RDS Instance. Set to false to explicitly disable. */
-    readReplica: ReadReplicaConfigOrFalseSchema.optional(),
-    /** Aurora writer instance configuration. */
-    writer: AuroraWriterConfigSchema.optional(),
-    /** Aurora reader instances configuration. Set to false to explicitly disable. */
-    readers: AuroraReadersConfigOrFalseSchema.optional(),
-    /** Allow access from VPC CIDR (avoids cross-stack cyclic dependencies). */
-    allowVpcAccess: z.boolean().optional(),
-    /** Enhanced monitoring interval in seconds. */
-    monitoringInterval: MonitoringIntervalSchema.optional(),
-    /** Preferred maintenance window (e.g., "sun:05:00-sun:06:00"). */
-    preferredMaintenanceWindow: z.string().optional(),
-    /** Database Insights configuration. Set to false to explicitly disable. */
-    databaseInsights: DatabaseInsightsConfigOrFalseSchema.optional(),
-    /** RDS Proxy configuration for connection pooling. Set to false to explicitly disable. */
-    proxy: ProxyConfigOrFalseSchema.optional(),
-    /** Credentials configuration (username, rotation). */
-    credentials: CredentialsConfigSchema.optional(),
-    /** Encryption configuration. */
-    encryption: EncryptionConfigSchema.optional(),
-    /** ARN or identifier of snapshot to restore from */
-    snapshotIdentifier: z.string().optional(),
-    /** Username from the snapshot (required when restoring) */
-    snapshotUsername: z.string().optional(),
-})
-    .strict();
-/**
- * Full Payload compute configuration for pattern.
- * Allows per-function configuration for each Lambda in the pattern.
- */
-export const PayloadComputeConfigSchema = z
-    .object({
-    /** Server Lambda configuration (handles main application requests). */
-    server: PatternLambdaConfigSchema.optional(),
-    /** Image optimisation Lambda configuration (handles Next.js image optimisation). */
-    imageOptimisation: PatternLambdaConfigSchema.optional(),
-    /** Revalidation Lambda configuration (handles ISR revalidation from SQS queue). */
-    revalidation: PatternLambdaConfigSchema.optional(),
-})
-    .strict();
-/**
- * Pattern storage bucket configuration.
- */
-export const PatternStorageBucketConfigSchema = z
-    .object({
-    /** Enable versioning. Default: false */
-    versioned: z.boolean().optional(),
-})
-    .strict();
-/**
- * Full Payload storage configuration for pattern.
- * Allows per-bucket configuration for each S3 bucket in the pattern.
- */
-export const PayloadStorageConfigSchema = z
-    .object({
-    /** Assets bucket (static files) */
-    assets: PatternStorageBucketConfigSchema.optional(),
-    /** Cache bucket (ISR cache) */
-    cache: PatternStorageBucketConfigSchema.optional(),
-    /** Media bucket (uploads) */
-    media: PatternStorageBucketConfigSchema.optional(),
-})
-    .strict();
-/**
- * Pattern queue configuration for messaging.
- */
-export const PatternQueueConfigSchema = z
-    .object({
-    /** Visibility timeout in seconds. Default: matches revalidation timeout */
-    visibilityTimeout: z
-        .number()
-        .int(VALIDATION_MESSAGES.SQS.VISIBILITY_TIMEOUT.INTEGER)
-        .min(0, VALIDATION_MESSAGES.SQS.VISIBILITY_TIMEOUT.MIN)
-        .max(43200, VALIDATION_MESSAGES.SQS.VISIBILITY_TIMEOUT.MAX)
-        .optional(),
-    /** Message retention period in seconds. Default: 345600 (4 days) */
-    messageRetentionPeriod: z
-        .number()
-        .int(VALIDATION_MESSAGES.SQS.RETENTION_PERIOD.INTEGER)
-        .min(60, VALIDATION_MESSAGES.SQS.RETENTION_PERIOD.MIN)
-        .max(1209600, VALIDATION_MESSAGES.SQS.RETENTION_PERIOD.MAX)
-        .optional(),
-    /** Maximum message size in bytes. Default: 262144 (256 KB) */
-    maxMessageSize: z
-        .number()
-        .int(VALIDATION_MESSAGES.MAX_MESSAGE_SIZE.INTEGER)
-        .min(1024, VALIDATION_MESSAGES.MAX_MESSAGE_SIZE.MIN)
-        .max(262144, VALIDATION_MESSAGES.MAX_MESSAGE_SIZE.MAX)
-        .optional(),
-    /** Dead letter queue configuration. Set to false to explicitly disable. */
-    deadLetterQueue: z
-        .union([
-        z.literal(false),
-        z
-            .object({
-            enabled: z.boolean().optional(),
-            maxReceiveCount: z
-                .number()
-                .int(VALIDATION_MESSAGES.DLQ.MAX_RECEIVE_COUNT.INTEGER)
-                .min(1, VALIDATION_MESSAGES.DLQ.MAX_RECEIVE_COUNT.MIN)
-                .max(1000, VALIDATION_MESSAGES.DLQ.MAX_RECEIVE_COUNT.MAX)
-                .optional(),
-        })
-            .strict(),
-    ])
-        .optional(),
-})
-    .strict();
-/**
- * Full Payload messaging configuration for pattern.
- */
-export const PayloadMessagingConfigSchema = z
-    .object({
-    /** Revalidation queue configuration */
-    revalidationQueue: PatternQueueConfigSchema.optional(),
-})
-    .strict();
-/**
- * Payload CDN configuration for pattern.
- */
-export const PayloadCdnConfigSchema = z
-    .object({
-    /** Custom domain names for CloudFront */
-    domainNames: z.array(z.string()).optional(),
-    /** ACM certificate ARN for custom domains (must be in us-east-1) */
-    certificateArn: z.string().optional(),
-})
-    .strict();
-/**
- * Payload pattern configuration.
- */
-export const PayloadPatternConfigSchema = z
-    .object({
-    type: z.literal("payload"),
-    /** Pattern name (used for resource naming) */
-    name: z.string().min(1, VALIDATION_MESSAGES.REQUIRED.PATTERN_NAME),
-    /** Custom domain (auto-creates certificate + DNS) */
-    domain: z.string().optional(),
-    /** Database configuration */
-    database: PayloadDatabaseConfigSchema.optional(),
-    /** Compute (Lambda) configuration */
-    compute: PayloadComputeConfigSchema.optional(),
-    /** Storage (S3) configuration */
-    storage: PayloadStorageConfigSchema.optional(),
-    /** Messaging (SQS) configuration */
-    messaging: PayloadMessagingConfigSchema.optional(),
-    /** CDN (CloudFront) configuration - advanced use, prefer `domain` for simple setup */
-    cdn: PayloadCdnConfigSchema.optional(),
-    /** Additional environment variables for server Lambda */
-    environment: z.record(z.string(), z.string()).optional(),
-})
-    .strict();
-/**
- * Next.js pattern configuration.
- * Shares the same OpenNext infrastructure as Payload but without
- * requiring a database by default (pure Next.js with optional database).
- */
-export const NextJSPatternConfigSchema = z
-    .object({
-    type: z.literal("nextjs"),
-    /** Pattern name (used for resource naming) */
-    name: z.string().min(1, VALIDATION_MESSAGES.REQUIRED.PATTERN_NAME),
-    /** Custom domain (auto-creates certificate + DNS) */
-    domain: z.string().optional(),
-    /** Database configuration */
-    database: PayloadDatabaseConfigSchema.optional(),
-    /** Compute (Lambda) configuration */
-    compute: PayloadComputeConfigSchema.optional(),
-    /** Storage (S3) configuration */
-    storage: PayloadStorageConfigSchema.optional(),
-    /** Messaging (SQS) configuration */
-    messaging: PayloadMessagingConfigSchema.optional(),
-    /** CDN (CloudFront) configuration - advanced use, prefer `domain` for simple setup */
-    cdn: PayloadCdnConfigSchema.optional(),
-    /** Additional environment variables for server Lambda */
-    environment: z.record(z.string(), z.string()).optional(),
-})
-    .strict();
-/**
- * Pattern configuration discriminated union.
- * Extensible for future patterns (Remix, etc.)
- */
-export const PatternConfigSchema = z.discriminatedUnion("type", [
-    PayloadPatternConfigSchema,
-    NextJSPatternConfigSchema,
-]);
-/**
- * Custom code block position type.
- * Defines where a custom code block appears relative to managed code.
- */
-export const CustomCodePositionSchema = z.enum([
-    "before-imports",
-    "after-imports",
-    "after-app-init",
-    "after-tags",
-    "after-resource",
-    "end-of-file",
-]);
-/**
- * Statement type for managed resources.
- */
-export const StatementTypeSchema = z.enum([
-    "import",
-    "app-init",
-    "tags",
-    "database",
-    "compute",
-    "storage",
-    "network",
-    "messaging",
-    "cdn",
-    "pattern",
-    "custom",
-]);
-/**
- * Custom code block schema.
- * Represents user-written code that should be preserved during regeneration.
- * Used by the hybrid parse-preserve-generate approach.
- */
-export const CustomCodeBlockSchema = z
-    .object({
-    /** The exact source text to preserve (including leading comments) */
-    sourceText: z.string(),
-    /** Position relative to managed resources */
-    position: CustomCodePositionSchema,
-    /** For "after-resource" position, the managed resource type and name */
-    afterManagedResource: z
-        .object({
-        type: StatementTypeSchema,
-        name: z.string().optional(),
-    })
-        .strict()
-        .optional(),
-    /** Original line number in source (for debugging) */
-    originalLine: z.number().int().optional(),
-    /** Leading comments associated with this block */
-    leadingComments: z.array(z.string()).optional(),
-    /** Orphaned marker - set when the resource this block was after is deleted */
-    orphaned: z.boolean().optional(),
-    /** Orphaned warning comment to add */
-    orphanedComment: z.string().optional(),
-})
-    .strict();
-/**
- * Backup configuration schema.
- * Controls automatic AWS Backup enrolment via tier presets.
- * - Object with tier: Tags all resources with `fjall:disasterRecovery:tier`
- * - false: Explicitly disabled (no backup tag applied)
- */
-export const BackupConfigSchema = z.union([
-    z
-        .object({
-        tier: z.enum(BACKUP_VAULT_TIERS),
-    })
-        .strict(),
-    z.literal(false),
-]);
-/**
- * Tunnel configuration schema.
- * Controls bastion host creation for secure SSM database access.
- * - Object with optional instanceType: Create bastion with custom config
- * - false: Explicitly disabled (no bastion)
- */
-export const TunnelConfigSchema = z.union([
-    z
-        .object({
-        instanceType: z.string().optional(),
-    })
-        .strict(),
-    z.literal(false),
-]);
-/**
- * Application resource plan schema.
- * Represents the complete plan for an application's infrastructure.
- * Must be defined after ComputeResourcePlanSchema due to declaration order.
- */
-export const ApplicationResourcePlanSchema = z
-    .object({
-    appName: AppNameSchema,
-    type: AppTypeSchema,
-    pattern: PatternSchema.optional(),
-    /** Pattern configuration for high-level infrastructure patterns (Payload, etc.) */
-    patternConfig: PatternConfigSchema.optional(),
-    owner: z.string().optional(),
-    tags: z.record(z.string(), z.string()).optional(),
-    vpcId: z.string().optional(),
-    network: NetworkResourcePlanSchema.optional(),
-    backup: BackupConfigSchema.optional(),
-    tunnel: TunnelConfigSchema.optional(),
-    additionalNetworks: z.array(AdditionalNetworkResourcePlanSchema).optional(),
-    database: z.array(DatabaseResourcePlanSchema),
-    s3: z.array(S3ResourcePlanSchema),
-    compute: z.array(ComputeResourcePlanSchema),
-    dynamodb: z.array(DynamoDBResourcePlanSchema).optional(),
-    sqs: z.array(SQSResourcePlanSchema).optional(),
-    cdn: CDNResourcePlanSchema.optional(),
-    importedResources: z.array(ImportedResourcePlanSchema).default([]),
-    /** Custom code blocks to preserve during regeneration */
-    customCodeBlocks: z.array(CustomCodeBlockSchema).optional(),
-    /** Additional managed imports to preserve during round-trip (non-standard imports from managed modules) */
-    additionalManagedImports: z
-        .array(z
-        .object({
-        moduleSpecifier: z.string(),
-        namedImports: z.array(z.string()),
-        defaultImport: z.string().optional(),
-    })
-        .strict())
-        .optional(),
-})
-    .strict();
-// Compute generator schemas - discriminated union by type
-const ComputeGeneratorBaseSchema = z
-    .object({
-    appName: AppNameSchema,
-    computeName: ResourceNameSchema,
-    nameProvidedByFlag: z.boolean().optional(),
-    connectionConfig: z
-        .object({
-        connectToDatabase: z.array(z.string()).optional(),
-    })
-        .strict()
-        .optional(),
-})
-    .strict();
-/**
- * ECS-specific schema.
- * Supports multi-service clusters with shared ALB.
- *
- * @example
- * // Single service
- * { type: "ecs", services: [{ name: "web", containers: [{ port: 3000 }] }] }
- *
- * @example
- * // Multi-service with routing
- * {
- *   type: "ecs",
- *   cluster: { domain: "api.example.com" },
- *   services: [
- *     { name: "users", containers: [{ port: 3000 }], routing: { path: "/users/*" } },
- *     { name: "orders", containers: [{ port: 3001 }], routing: { path: "/orders/*" } }
- *   ]
- * }
- *
- * @example
- * // Worker cluster (no ALB)
- * {
- *   type: "ecs",
- *   cluster: { loadBalancer: false },
- *   services: [{ name: "processor" }]
- * }
- */
-const EcsComputeGeneratorSchema = ComputeGeneratorBaseSchema.extend({
-    type: z.literal("ecs"),
-    /**
-     * Cluster configuration.
-     * Controls the shared ALB for all services.
-     */
-    cluster: EcsClusterConfigSchema.optional(),
-    /**
-     * Services in this cluster.
-     * Each service gets its own task definition, scaling, and target group.
-     * Each service MUST specify its own capacityProvider.
-     */
-    services: z
-        .array(EcsServiceConfigSchema)
-        .min(1, VALIDATION_MESSAGES.SERVICE.MIN_REQUIRED),
-    /** Path to Dockerfile for building custom image */
-    dockerfilePath: z.string().optional(),
-})
-    .strict()
-    .refine((data) => {
-    // Validate: multiple services with ports require routing config
-    const servicesWithPorts = data.services.filter((s) => s.containers?.some((c) => c.port));
-    if (servicesWithPorts.length > 1) {
-        return servicesWithPorts.every((s) => {
-            const rules = Array.isArray(s.routing)
-                ? s.routing
-                : s.routing
-                    ? [s.routing]
-                    : [];
-            return rules.some((r) => r.path || r.host);
-        });
-    }
-    return true;
-}, { message: VALIDATION_MESSAGES.SERVICE.ROUTING_REQUIRED })
-    .refine((data) => {
-    // Validate: unique service names
-    const names = data.services.map((s) => s.name);
-    return new Set(names).size === names.length;
-}, { message: VALIDATION_MESSAGES.SERVICE.UNIQUE_WITHIN_CLUSTER });
-/**
- * Lambda-specific schema.
- */
-const LambdaComputeGeneratorSchema = ComputeGeneratorBaseSchema.extend({
-    type: z.literal("lambda"),
-    timeout: z
-        .number()
-        .int(VALIDATION_MESSAGES.LAMBDA.TIMEOUT.INTEGER)
-        .min(1, VALIDATION_MESSAGES.LAMBDA.TIMEOUT.MIN)
-        .max(900, VALIDATION_MESSAGES.LAMBDA.TIMEOUT.MAX)
-        .optional(),
-    memory: LambdaMemorySchema.optional(),
-    handler: z.string().optional(),
-    runtime: z.string().optional(),
-    environment: EnvironmentRecordSchema.optional(),
-    secrets: EnvironmentRecordSchema.optional(),
-    description: z.string().optional(),
-    functionUrl: z
-        .union([
-        z.object({ authType: z.enum(["AWS_IAM", "NONE"]).optional() }).strict(),
-        z.literal(false),
-    ])
-        .optional(),
-    eventSources: z.array(LambdaEventSourceSchema).optional(),
-}).strict();
-/**
- * EC2 (standalone instance) specific schema.
- */
-const Ec2ComputeGeneratorSchema = ComputeGeneratorBaseSchema.extend({
-    type: z.literal("ec2"),
-    instanceType: InstanceTypeSchema.optional(),
-    enableSSH: z.boolean().optional(),
-    keyName: z.string().optional(),
-    userData: z.string().optional(),
-    securityGroups: z.array(z.string()).optional(),
-}).strict();
-/**
- * Compute generator schema using discriminated union.
- * Ensures type-specific fields are only allowed for the correct compute type.
- */
-export const ComputeGeneratorSchema = z.discriminatedUnion("type", [
-    EcsComputeGeneratorSchema,
-    LambdaComputeGeneratorSchema,
-    Ec2ComputeGeneratorSchema,
-]);
-export const S3GeneratorSchema = z
-    .object({
-    appName: AppNameSchema,
-    bucketName: BucketNameSchema,
-    nameProvidedByFlag: z.boolean().optional(),
-    // Preset (generator-only -- resolved to params before plan creation)
-    storagePreset: z.enum(STORAGE_PRESET_TYPES).optional(),
-    // Explicit overrides
-    publicReadAccess: z.boolean().optional(),
-    websiteHosting: z
-        .object({
-        indexDocument: z.string(),
-        errorDocument: z.string().optional(),
-    })
-        .strict()
-        .optional(),
-    // Core
-    backupVaultTier: z.enum(BACKUP_VAULT_TIERS).optional(),
-    versioned: z.boolean().optional(),
-    encryption: z.enum(S3_ENCRYPTION_TYPES).optional(),
-    kmsKeyArn: z.string().optional(),
-    // CORS
-    cors: z
-        .array(z
-        .object({
-        allowedOrigins: z.array(z.string()),
-        allowedMethods: z.array(z.string()),
-    })
-        .strict())
-        .optional(),
-    // Connection config (non-interactive mode)
-    connectionConfig: z
-        .object({
-        /** Connect to entire compute resources */
-        connectToCompute: z.array(z.string()).optional(),
-        /** Connect to specific ECS services (format: "ClusterName/ServiceName") */
-        connectToServices: z.array(z.string()).optional(),
-    })
-        .strict()
-        .optional(),
-})
-    .strict()
-    .refine((data) => data.encryption !== "KMS" || !!data.kmsKeyArn, {
-    message: VALIDATION_MESSAGES.KMS.KEY_REQUIRED,
-    path: ["kmsKeyArn"],
-});
-/**
- * Simple routing configuration for application generator services.
- * Matches what the UI sends (path is required, priority optional).
- */
-export const ApplicationServiceRoutingSchema = z
-    .object({
-    /** Path pattern for routing (e.g., "/api/*", "/*") */
-    path: z.string().min(1, VALIDATION_MESSAGES.REQUIRED.ROUTING_PATH),
-    /** Priority for this routing rule (lower = higher precedence) */
-    priority: z
-        .number()
-        .int(VALIDATION_MESSAGES.PRIORITY.INTEGER)
-        .min(1, VALIDATION_MESSAGES.PRIORITY.MIN)
-        .max(50000, VALIDATION_MESSAGES.PRIORITY.MAX)
-        .optional(),
-})
-    .strict();
-/**
- * Service configuration for application generator.
- * Used to configure multi-service ECS applications.
- */
-export const ApplicationServiceConfigSchema = z
-    .object({
-    name: z
-        .string()
-        .min(1, VALIDATION_MESSAGES.REQUIRED.SERVICE_NAME)
-        .max(255, VALIDATION_MESSAGES.MAX_LENGTH.SERVICE_NAME)
-        .regex(VALIDATION_PATTERNS.RESOURCE_NAME, VALIDATION_MESSAGES.RESOURCE_NAME),
-    dockerfilePath: z.string().optional(),
-    containerPort: PortSchema.optional(),
-    needsDatabaseConnection: z.boolean().optional(),
-    routing: z
-        .union([
-        ApplicationServiceRoutingSchema,
-        z.array(ApplicationServiceRoutingSchema).min(1),
-    ])
-        .optional(),
-})
-    .strict();
-/**
- * Pattern tier schema for OpenNext patterns (Payload, Next.js).
- * Defines configuration tiers: lightweight, standard, resilient, custom.
- */
-export const PatternTierSchema = z.enum([
-    "lightweight",
-    "standard",
-    "resilient",
-    "custom",
-]);
-/**
- * Custom database configuration for patterns.
- * Used when patternTier is "custom".
- */
-export const CustomPatternDatabaseSchema = z
-    .object({
-    type: z.enum(["Instance", "Aurora"]),
-    instanceType: z.string().optional(),
-    backupRetention: BackupRetentionSchema.optional(),
-    deletionProtection: z.boolean().optional(),
-    encryption: z
-        .union([z.object({ useCMK: z.literal(true) }).strict(), z.literal(false)])
-        .optional(),
-})
-    .strict();
-/**
- * Custom compute configuration for patterns.
- * Used when patternTier is "custom".
- */
-export const CustomPatternComputeSchema = z
-    .object({
-    memorySize: LambdaMemorySchema.optional(),
-    timeout: z
-        .number()
-        .int(VALIDATION_MESSAGES.LAMBDA.TIMEOUT.INTEGER)
-        .min(1, VALIDATION_MESSAGES.LAMBDA.TIMEOUT.MIN)
-        .max(900, VALIDATION_MESSAGES.LAMBDA.TIMEOUT.MAX)
-        .optional(),
-})
-    .strict();
-export const ApplicationGeneratorSchema = z
-    .object({
-    name: AppNameSchema,
-    type: AppTypeSchema,
-    pattern: PatternSchema.optional(),
-    /** Pattern tier: lightweight, standard, resilient, or custom */
-    patternTier: PatternTierSchema.optional(),
-    /** Custom domain for pattern (e.g., cms.example.com) */
-    patternDomain: z.string().optional(),
-    /** Custom database configuration (only used when patternTier is "custom") */
-    customDatabase: CustomPatternDatabaseSchema.optional(),
-    /** Custom compute configuration (only used when patternTier is "custom") */
-    customCompute: CustomPatternComputeSchema.optional(),
-    region: z.string().optional(),
-    owner: z.string().optional(),
-    includeDatabase: z.boolean().optional(),
-    databaseName: z
-        .string()
-        .min(1, VALIDATION_MESSAGES.DATABASE.NAME.REQUIRED)
-        .max(63, VALIDATION_MESSAGES.DATABASE.NAME.MAX_LENGTH)
-        .optional(),
-    vpcId: z.string().optional(),
-    network: NetworkConfigSchema.optional(),
-    services: z.array(ApplicationServiceConfigSchema).optional(),
-    snapshotIdentifier: z.string().optional(),
-    snapshotUsername: z.string().optional(),
-})
-    .strict();
-export const OrganisationNameSchema = z
-    .string()
-    .min(2, VALIDATION_MESSAGES.IDENTIFIER_MIN_LENGTH)
-    .max(50, VALIDATION_MESSAGES.MAX_LENGTH.ORGANISATION_NAME)
-    .regex(VALIDATION_PATTERNS.IDENTIFIER, VALIDATION_MESSAGES.IDENTIFIER)
-    .refine((val) => !val.endsWith("-"), {
-    message: VALIDATION_MESSAGES.IDENTIFIER_NO_TRAILING_HYPHEN,
-})
-    .refine((val) => !val.includes("--"), {
-    message: VALIDATION_MESSAGES.IDENTIFIER_NO_CONSECUTIVE_HYPHENS,
-});
-export const EmailSchema = z.string().email(VALIDATION_MESSAGES.EMAIL);
-export const RegionSchema = z
-    .string()
-    .refine((region) => regions.includes(region), {
-    message: VALIDATION_MESSAGES.REGION,
-});
-export const OrganisationGeneratorSchema = z
-    .object({
-    name: OrganisationNameSchema,
-    email: EmailSchema,
-    accountName: z.string().optional(),
-    primaryRegion: RegionSchema.optional().default("us-east-1"),
-    secondaryRegions: z.array(RegionSchema).optional(),
-    force: z.boolean().optional(),
-})
-    .strict();
-export function getZodErrorMessage(error) {
-    const messages = error.issues.map((issue) => {
-        const path = issue.path.length > 0 ? `${issue.path.join(".")}: ` : "";
-        return `${path}${issue.message}`;
-    });
-    return messages.join("\n");
-}
-// Tunnel generator schema
-export const TunnelGeneratorSchema = z
-    .object({
-    appName: AppNameSchema,
-    instanceType: z.string().optional(),
-})
-    .strict();
+ * All exports are re-exported here so existing consumers continue to work
+ * without any import path changes.
+ */
+export * from "./baseSchemas.js";
+export * from "./databaseSchemas.js";
+export * from "./networkSchemas.js";
+export * from "./storageSchemas.js";
+export * from "./messagingSchemas.js";
+export * from "./cdnSchemas.js";
+export * from "./computeSchemas.js";
+export * from "./patternSchemas.js";
+export * from "./applicationSchemas.js";