@fjall/generator 0.88.4 → 0.89.4

package/dist/src/schemas/applicationSchemas.js

@@ -0,0 +1,80 @@
+import { z } from "zod";
+import { VALIDATION_MESSAGES } from "../validation/patterns.js";
+import { AppNameSchema, AppTypeSchema, PatternSchema, CustomCodeBlockSchema, BackupConfigSchema, TunnelConfigSchema, } from "./baseSchemas.js";
+import { DatabaseResourcePlanSchema } from "./databaseSchemas.js";
+import { NetworkResourcePlanSchema, AdditionalNetworkResourcePlanSchema, NetworkConfigSchema, } from "./networkSchemas.js";
+import { S3ResourcePlanSchema } from "./storageSchemas.js";
+import { SQSResourcePlanSchema } from "./messagingSchemas.js";
+import { CDNResourcePlanSchema } from "./cdnSchemas.js";
+import { ComputeResourcePlanSchema, ApplicationServiceConfigSchema, } from "./computeSchemas.js";
+import { DynamoDBResourcePlanSchema } from "./databaseSchemas.js";
+import { PatternConfigSchema, PatternTierSchema, CustomPatternDatabaseSchema, CustomPatternComputeSchema, } from "./patternSchemas.js";
+// ─── Application resource plan ───────────────────────────────────────────────
+/**
+ * Application resource plan schema.
+ * Represents the complete plan for an application's infrastructure.
+ * Must be defined after ComputeResourcePlanSchema due to declaration order.
+ */
+export const ApplicationResourcePlanSchema = z
+    .object({
+    appName: AppNameSchema,
+    type: AppTypeSchema,
+    pattern: PatternSchema.optional(),
+    /** Pattern configuration for high-level infrastructure patterns (Payload, etc.) */
+    patternConfig: PatternConfigSchema.optional(),
+    owner: z.string().optional(),
+    tags: z.record(z.string(), z.string()).optional(),
+    vpcId: z.string().optional(),
+    network: NetworkResourcePlanSchema.optional(),
+    backup: BackupConfigSchema.optional(),
+    tunnel: TunnelConfigSchema.optional(),
+    additionalNetworks: z.array(AdditionalNetworkResourcePlanSchema).optional(),
+    database: z.array(DatabaseResourcePlanSchema),
+    s3: z.array(S3ResourcePlanSchema),
+    compute: z.array(ComputeResourcePlanSchema),
+    dynamodb: z.array(DynamoDBResourcePlanSchema).optional(),
+    sqs: z.array(SQSResourcePlanSchema).optional(),
+    cdn: CDNResourcePlanSchema.optional(),
+    /** Custom code blocks to preserve during regeneration */
+    customCodeBlocks: z.array(CustomCodeBlockSchema).optional(),
+    /** Additional managed imports to preserve during round-trip (non-standard imports from managed modules) */
+    additionalManagedImports: z
+        .array(z
+        .object({
+        moduleSpecifier: z.string(),
+        namedImports: z.array(z.string()),
+        defaultImport: z.string().optional(),
+    })
+        .strict())
+        .optional(),
+})
+    .strict();
+// ─── Application generator schema ────────────────────────────────────────────
+export const ApplicationGeneratorSchema = z
+    .object({
+    name: AppNameSchema,
+    type: AppTypeSchema,
+    pattern: PatternSchema.optional(),
+    /** Pattern tier: lightweight, standard, resilient, or custom */
+    patternTier: PatternTierSchema.optional(),
+    /** Custom domain for pattern (e.g., cms.example.com) */
+    patternDomain: z.string().optional(),
+    /** Custom database configuration (only used when patternTier is "custom") */
+    customDatabase: CustomPatternDatabaseSchema.optional(),
+    /** Custom compute configuration (only used when patternTier is "custom") */
+    customCompute: CustomPatternComputeSchema.optional(),
+    region: z.string().optional(),
+    owner: z.string().optional(),
+    includeDatabase: z.boolean().optional(),
+    databaseName: z
+        .string()
+        .min(1, VALIDATION_MESSAGES.DATABASE.NAME.REQUIRED)
+        .max(63, VALIDATION_MESSAGES.DATABASE.NAME.MAX_LENGTH)
+        .optional(),
+    vpcId: z.string().optional(),
+    network: NetworkConfigSchema.optional(),
+    services: z.array(ApplicationServiceConfigSchema).optional(),
+    snapshotIdentifier: z.string().optional(),
+    snapshotUsername: z.string().optional(),
+})
+    .strict();

package/dist/src/schemas/baseSchemas.d.ts

@@ -0,0 +1,206 @@
+import { z } from "zod";
+export declare const optionalOrDisabled: <T extends z.ZodTypeAny>(schema: T) => z.ZodUnion<[z.ZodLiteral<false>, T]>;
+/** Reusable capacity validation: ensures minCapacity <= maxCapacity. */
+export declare const CAPACITY_REFINEMENT: {
+    check: (data: {
+        minCapacity?: number;
+        maxCapacity?: number;
+    }) => boolean;
+    params: {
+        message: "minCapacity must be less than or equal to maxCapacity";
+        path: string[];
+    };
+};
+/** Reusable memory limit schema. EC2 allows 128 MiB min; ECS/containers require 512 MiB min. */
+export declare const memoryLimitMiBSchema: (min: 128 | 512) => z.ZodNumber;
+export declare const ResourceNameSchema: z.ZodString;
+export declare const BucketNameSchema: z.ZodString;
+export declare const DatabaseNameSchema: z.ZodString;
+export declare const AppNameSchema: z.ZodString;
+export declare const PortSchema: z.ZodNumber;
+/**
+ * Extra property preserved verbatim during round-trip.
+ * Captures properties inside managed factory calls that the parser
+ * does not specifically handle (e.g. CDK PolicyStatement[], custom configs).
+ */
+export declare const ExtraPropertySchema: z.ZodObject<{
+    key: z.ZodString;
+    sourceText: z.ZodString;
+}, z.core.$strict>;
+export declare const IdentifierValueSchema: z.ZodObject<{
+    __identifier: z.ZodString;
+}, z.core.$strict>;
+export declare const ExpressionValueSchema: z.ZodObject<{
+    __expression: z.ZodString;
+}, z.core.$strict>;
+export declare const CallValueSchema: z.ZodObject<{
+    __call: z.ZodString;
+}, z.core.$strict>;
+export declare const SpecialValueSchema: z.ZodUnion<readonly [z.ZodObject<{
+    __identifier: z.ZodString;
+}, z.core.$strict>, z.ZodObject<{
+    __expression: z.ZodString;
+}, z.core.$strict>, z.ZodObject<{
+    __call: z.ZodString;
+}, z.core.$strict>]>;
+/**
+ * Schema for environment variable values.
+ * Supports literal values and special code generation values.
+ */
+export declare const EnvironmentValueSchema: z.ZodUnion<readonly [z.ZodString, z.ZodNumber, z.ZodBoolean, z.ZodUnion<readonly [z.ZodObject<{
+    __identifier: z.ZodString;
+}, z.core.$strict>, z.ZodObject<{
+    __expression: z.ZodString;
+}, z.core.$strict>, z.ZodObject<{
+    __call: z.ZodString;
+}, z.core.$strict>]>]>;
+export declare const EnvironmentRecordSchema: z.ZodRecord<z.ZodString, z.ZodUnion<readonly [z.ZodString, z.ZodNumber, z.ZodBoolean, z.ZodUnion<readonly [z.ZodObject<{
+    __identifier: z.ZodString;
+}, z.core.$strict>, z.ZodObject<{
+    __expression: z.ZodString;
+}, z.core.$strict>, z.ZodObject<{
+    __call: z.ZodString;
+}, z.core.$strict>]>]>>;
+/**
+ * Schema for importing secrets from AWS Secrets Manager.
+ * Matches the SecretImport type in infrastructure.
+ */
+export declare const SecretImportSchema: z.ZodObject<{
+    id: z.ZodString;
+    name: z.ZodString;
+    field: z.ZodOptional<z.ZodString>;
+}, z.core.$strict>;
+/**
+ * Record of secret imports keyed by environment variable name.
+ */
+export declare const SecretsImportRecordSchema: z.ZodRecord<z.ZodString, z.ZodObject<{
+    id: z.ZodString;
+    name: z.ZodString;
+    field: z.ZodOptional<z.ZodString>;
+}, z.core.$strict>>;
+/**
+ * Schema for metadata values.
+ * Supports simple types and complex AWS SDK types (VpcConfigResponse, Date, etc.)
+ * Uses z.unknown() for flexibility with AWS resource properties whilst avoiding z.any().
+ */
+export declare const MetadataRecordSchema: z.ZodRecord<z.ZodString, z.ZodUnknown>;
+export declare const AppTypeSchema: z.ZodEnum<{
+    custom: "custom";
+    standard: "standard";
+    resilient: "resilient";
+    enterprise: "enterprise";
+    tinkerer: "tinkerer";
+    lightweight: "lightweight";
+}>;
+export declare const PatternSchema: z.ZodEnum<{
+    payload: "payload";
+    nextjs: "nextjs";
+}>;
+/**
+ * Custom code block position type.
+ * Defines where a custom code block appears relative to managed code.
+ */
+export declare const CustomCodePositionSchema: z.ZodEnum<{
+    "before-imports": "before-imports";
+    "after-imports": "after-imports";
+    "after-app-init": "after-app-init";
+    "after-tags": "after-tags";
+    "after-resource": "after-resource";
+    "end-of-file": "end-of-file";
+}>;
+/**
+ * Statement type for managed resources.
+ */
+export declare const StatementTypeSchema: z.ZodEnum<{
+    custom: "custom";
+    pattern: "pattern";
+    storage: "storage";
+    database: "database";
+    compute: "compute";
+    import: "import";
+    "app-init": "app-init";
+    tags: "tags";
+    network: "network";
+    messaging: "messaging";
+    cdn: "cdn";
+}>;
+/**
+ * Custom code block schema.
+ * Represents user-written code that should be preserved during regeneration.
+ * Used by the hybrid parse-preserve-generate approach.
+ */
+export declare const CustomCodeBlockSchema: z.ZodObject<{
+    sourceText: z.ZodString;
+    position: z.ZodEnum<{
+        "before-imports": "before-imports";
+        "after-imports": "after-imports";
+        "after-app-init": "after-app-init";
+        "after-tags": "after-tags";
+        "after-resource": "after-resource";
+        "end-of-file": "end-of-file";
+    }>;
+    afterManagedResource: z.ZodOptional<z.ZodObject<{
+        type: z.ZodEnum<{
+            custom: "custom";
+            pattern: "pattern";
+            storage: "storage";
+            database: "database";
+            compute: "compute";
+            import: "import";
+            "app-init": "app-init";
+            tags: "tags";
+            network: "network";
+            messaging: "messaging";
+            cdn: "cdn";
+        }>;
+        name: z.ZodOptional<z.ZodString>;
+    }, z.core.$strict>>;
+    originalLine: z.ZodOptional<z.ZodNumber>;
+    leadingComments: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    orphaned: z.ZodOptional<z.ZodBoolean>;
+    orphanedComment: z.ZodOptional<z.ZodString>;
+}, z.core.$strict>;
+/**
+ * Backup configuration schema.
+ * Controls automatic AWS Backup enrolment via tier presets.
+ * - Object with tier: Tags all resources with `fjall:disasterRecovery:tier`
+ * - false: Explicitly disabled (no backup tag applied)
+ */
+export declare const BackupConfigSchema: z.ZodUnion<readonly [z.ZodObject<{
+    tier: z.ZodEnum<{
+        standard: "standard";
+        resilient: "resilient";
+        enterprise: "enterprise";
+    }>;
+}, z.core.$strict>, z.ZodLiteral<false>]>;
+/**
+ * Tunnel configuration schema.
+ * Controls bastion host creation for secure SSM database access.
+ * - Object with optional instanceType: Create bastion with custom config
+ * - false: Explicitly disabled (no bastion)
+ */
+export declare const TunnelConfigSchema: z.ZodUnion<readonly [z.ZodObject<{
+    instanceType: z.ZodOptional<z.ZodString>;
+}, z.core.$strict>, z.ZodLiteral<false>]>;
+export declare const OrganisationNameSchema: z.ZodString;
+export declare const EmailSchema: z.ZodString;
+export declare const RegionSchema: z.ZodString;
+export declare const OrganisationGeneratorSchema: z.ZodObject<{
+    name: z.ZodString;
+    email: z.ZodString;
+    accountName: z.ZodOptional<z.ZodString>;
+    primaryRegion: z.ZodDefault<z.ZodOptional<z.ZodString>>;
+    secondaryRegions: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    force: z.ZodOptional<z.ZodBoolean>;
+}, z.core.$strict>;
+export declare function getZodErrorMessage(error: z.ZodError<unknown>): string;
+export type IdentifierValue = z.infer<typeof IdentifierValueSchema>;
+export type ExpressionValue = z.infer<typeof ExpressionValueSchema>;
+export type CallValue = z.infer<typeof CallValueSchema>;
+export type SpecialValue = z.infer<typeof SpecialValueSchema>;
+export type EnvironmentValue = z.infer<typeof EnvironmentValueSchema>;
+export type CustomCodePosition = z.infer<typeof CustomCodePositionSchema>;
+export type StatementType = z.infer<typeof StatementTypeSchema>;
+export type CustomCodeBlock = z.infer<typeof CustomCodeBlockSchema>;
+export type ExtraProperty = z.infer<typeof ExtraPropertySchema>;
+export type OrganisationGeneratorOptions = z.infer<typeof OrganisationGeneratorSchema>;

package/dist/src/schemas/baseSchemas.js

@@ -0,0 +1,248 @@
+import { z } from "zod";
+import { VALIDATION_PATTERNS, VALIDATION_MESSAGES, } from "../validation/patterns.js";
+import { APP_TYPES, PATTERN_TYPE_VALUES, MIN_PORT, MAX_PORT, BACKUP_VAULT_TIERS, } from "./constants.js";
+import { regions } from "../aws/regions.js";
+// ─── Shared utility ──────────────────────────────────────────────────────────
+export const optionalOrDisabled = (schema) => z.union([z.literal(false), schema]);
+/** Reusable capacity validation: ensures minCapacity <= maxCapacity. */
+export const CAPACITY_REFINEMENT = {
+    check: (data) => {
+        if (data.minCapacity !== undefined && data.maxCapacity !== undefined) {
+            return data.minCapacity <= data.maxCapacity;
+        }
+        return true;
+    },
+    params: {
+        message: VALIDATION_MESSAGES.CAPACITY_CONSTRAINT.MIN_LTE_MAX,
+        path: ["maxCapacity"],
+    },
+};
+/** Reusable memory limit schema. EC2 allows 128 MiB min; ECS/containers require 512 MiB min. */
+export const memoryLimitMiBSchema = (min) => z
+    .number()
+    .int(VALIDATION_MESSAGES.MEMORY_LIMIT.INTEGER)
+    .min(min, min === 128
+    ? VALIDATION_MESSAGES.MEMORY_LIMIT.MIN_128
+    : VALIDATION_MESSAGES.MEMORY_LIMIT.MIN_512)
+    .max(30720, VALIDATION_MESSAGES.MEMORY_LIMIT.MAX);
+// ─── Name / identifier schemas ───────────────────────────────────────────────
+export const ResourceNameSchema = z
+    .string()
+    .min(1, VALIDATION_MESSAGES.REQUIRED.RESOURCE_NAME)
+    .max(63, VALIDATION_MESSAGES.MAX_LENGTH.RESOURCE_NAME)
+    .regex(VALIDATION_PATTERNS.RESOURCE_NAME, VALIDATION_MESSAGES.RESOURCE_NAME);
+export const BucketNameSchema = z
+    .string()
+    .min(1, VALIDATION_MESSAGES.REQUIRED.BUCKET_NAME)
+    .max(63, VALIDATION_MESSAGES.MAX_LENGTH.BUCKET_NAME)
+    .regex(VALIDATION_PATTERNS.BUCKET_NAME, VALIDATION_MESSAGES.BUCKET_NAME);
+export const DatabaseNameSchema = z
+    .string()
+    .min(1, VALIDATION_MESSAGES.REQUIRED.DATABASE_NAME)
+    .max(63, VALIDATION_MESSAGES.MAX_LENGTH.DATABASE_NAME)
+    .regex(VALIDATION_PATTERNS.DATABASE_NAME, VALIDATION_MESSAGES.DATABASE_NAME);
+export const AppNameSchema = z
+    .string()
+    .min(2, VALIDATION_MESSAGES.IDENTIFIER_MIN_LENGTH)
+    .max(50, VALIDATION_MESSAGES.MAX_LENGTH.APP_NAME)
+    .regex(VALIDATION_PATTERNS.IDENTIFIER, VALIDATION_MESSAGES.IDENTIFIER)
+    .refine((val) => !val.endsWith("-"), {
+    message: VALIDATION_MESSAGES.IDENTIFIER_NO_TRAILING_HYPHEN,
+})
+    .refine((val) => !val.includes("--"), {
+    message: VALIDATION_MESSAGES.IDENTIFIER_NO_CONSECUTIVE_HYPHENS,
+});
+export const PortSchema = z
+    .number()
+    .int(VALIDATION_MESSAGES.PORT.INTEGER)
+    .min(MIN_PORT, VALIDATION_MESSAGES.PORT.MIN)
+    .max(MAX_PORT, VALIDATION_MESSAGES.PORT.MAX);
+// ─── Special / environment value schemas ─────────────────────────────────────
+/**
+ * Extra property preserved verbatim during round-trip.
+ * Captures properties inside managed factory calls that the parser
+ * does not specifically handle (e.g. CDK PolicyStatement[], custom configs).
+ */
+export const ExtraPropertySchema = z
+    .object({
+    key: z.string(),
+    sourceText: z.string(),
+})
+    .strict();
+export const IdentifierValueSchema = z
+    .object({ __identifier: z.string() })
+    .strict();
+export const ExpressionValueSchema = z
+    .object({ __expression: z.string() })
+    .strict();
+export const CallValueSchema = z.object({ __call: z.string() }).strict();
+export const SpecialValueSchema = z.union([
+    IdentifierValueSchema,
+    ExpressionValueSchema,
+    CallValueSchema,
+]);
+/**
+ * Schema for environment variable values.
+ * Supports literal values and special code generation values.
+ */
+export const EnvironmentValueSchema = z.union([
+    z.string(),
+    z.number(),
+    z.boolean(),
+    SpecialValueSchema,
+]);
+export const EnvironmentRecordSchema = z.record(z.string(), EnvironmentValueSchema);
+/**
+ * Schema for importing secrets from AWS Secrets Manager.
+ * Matches the SecretImport type in infrastructure.
+ */
+export const SecretImportSchema = z
+    .object({
+    /** Secret construct ID */
+    id: z.string(),
+    /** Secret name in Secrets Manager */
+    name: z.string(),
+    /** Optional field to extract from the secret */
+    field: z.string().optional(),
+})
+    .strict();
+/**
+ * Record of secret imports keyed by environment variable name.
+ */
+export const SecretsImportRecordSchema = z.record(z.string(), SecretImportSchema);
+/**
+ * Schema for metadata values.
+ * Supports simple types and complex AWS SDK types (VpcConfigResponse, Date, etc.)
+ * Uses z.unknown() for flexibility with AWS resource properties whilst avoiding z.any().
+ */
+export const MetadataRecordSchema = z.record(z.string(), z.unknown());
+// ─── Application-level schemas ───────────────────────────────────────────────
+export const AppTypeSchema = z
+    .enum(APP_TYPES)
+    .describe(`Application type must be one of: ${APP_TYPES.join(", ")}`);
+export const PatternSchema = z
+    .enum(PATTERN_TYPE_VALUES)
+    .describe(`OpenNext deployment pattern: ${PATTERN_TYPE_VALUES.join(", ")}`);
+// ─── Custom code preservation schemas ────────────────────────────────────────
+/**
+ * Custom code block position type.
+ * Defines where a custom code block appears relative to managed code.
+ */
+export const CustomCodePositionSchema = z.enum([
+    "before-imports",
+    "after-imports",
+    "after-app-init",
+    "after-tags",
+    "after-resource",
+    "end-of-file",
+]);
+/**
+ * Statement type for managed resources.
+ */
+export const StatementTypeSchema = z.enum([
+    "import",
+    "app-init",
+    "tags",
+    "database",
+    "compute",
+    "storage",
+    "network",
+    "messaging",
+    "cdn",
+    "pattern",
+    "custom",
+]);
+/**
+ * Custom code block schema.
+ * Represents user-written code that should be preserved during regeneration.
+ * Used by the hybrid parse-preserve-generate approach.
+ */
+export const CustomCodeBlockSchema = z
+    .object({
+    /** The exact source text to preserve (including leading comments) */
+    sourceText: z.string(),
+    /** Position relative to managed resources */
+    position: CustomCodePositionSchema,
+    /** For "after-resource" position, the managed resource type and name */
+    afterManagedResource: z
+        .object({
+        type: StatementTypeSchema,
+        name: z.string().optional(),
+    })
+        .strict()
+        .optional(),
+    /** Original line number in source (for debugging) */
+    originalLine: z.number().int().optional(),
+    /** Leading comments associated with this block */
+    leadingComments: z.array(z.string()).optional(),
+    /** Orphaned marker - set when the resource this block was after is deleted */
+    orphaned: z.boolean().optional(),
+    /** Orphaned warning comment to add */
+    orphanedComment: z.string().optional(),
+})
+    .strict();
+// ─── Backup / tunnel configuration ──────────────────────────────────────────
+/**
+ * Backup configuration schema.
+ * Controls automatic AWS Backup enrolment via tier presets.
+ * - Object with tier: Tags all resources with `fjall:disasterRecovery:tier`
+ * - false: Explicitly disabled (no backup tag applied)
+ */
+export const BackupConfigSchema = z.union([
+    z
+        .object({
+        tier: z.enum(BACKUP_VAULT_TIERS),
+    })
+        .strict(),
+    z.literal(false),
+]);
+/**
+ * Tunnel configuration schema.
+ * Controls bastion host creation for secure SSM database access.
+ * - Object with optional instanceType: Create bastion with custom config
+ * - false: Explicitly disabled (no bastion)
+ */
+export const TunnelConfigSchema = z.union([
+    z
+        .object({
+        instanceType: z.string().optional(),
+    })
+        .strict(),
+    z.literal(false),
+]);
+// ─── Organisation / region schemas ──────────────────────────────────────────
+export const OrganisationNameSchema = z
+    .string()
+    .min(2, VALIDATION_MESSAGES.IDENTIFIER_MIN_LENGTH)
+    .max(50, VALIDATION_MESSAGES.MAX_LENGTH.ORGANISATION_NAME)
+    .regex(VALIDATION_PATTERNS.IDENTIFIER, VALIDATION_MESSAGES.IDENTIFIER)
+    .refine((val) => !val.endsWith("-"), {
+    message: VALIDATION_MESSAGES.IDENTIFIER_NO_TRAILING_HYPHEN,
+})
+    .refine((val) => !val.includes("--"), {
+    message: VALIDATION_MESSAGES.IDENTIFIER_NO_CONSECUTIVE_HYPHENS,
+});
+export const EmailSchema = z.string().email(VALIDATION_MESSAGES.EMAIL);
+export const RegionSchema = z
+    .string()
+    .refine((region) => regions.includes(region), {
+    message: VALIDATION_MESSAGES.REGION,
+});
+export const OrganisationGeneratorSchema = z
+    .object({
+    name: OrganisationNameSchema,
+    email: EmailSchema,
+    accountName: z.string().optional(),
+    primaryRegion: RegionSchema.optional().default("us-east-1"),
+    secondaryRegions: z.array(RegionSchema).optional(),
+    force: z.boolean().optional(),
+})
+    .strict();
+// ─── Utility function ────────────────────────────────────────────────────────
+export function getZodErrorMessage(error) {
+    const messages = error.issues.map((issue) => {
+        const path = issue.path.length > 0 ? `${issue.path.join(".")}: ` : "";
+        return `${path}${issue.message}`;
+    });
+    return messages.join("\n");
+}

package/dist/src/schemas/cdnSchemas.d.ts

@@ -0,0 +1,61 @@
+import { z } from "zod";
+/**
+ * Access gate configuration for CDN distributions.
+ * Extensible discriminated union — currently supports basic-auth,
+ * future types (cognito, oidc, ip-allowlist) can be added.
+ */
+export declare const AccessGateSchema: z.ZodObject<{
+    type: z.ZodLiteral<"basic-auth">;
+    username: z.ZodString;
+    password: z.ZodString;
+}, z.core.$strict>;
+export type AccessGateConfig = z.infer<typeof AccessGateSchema>;
+/**
+ * CDN resource plan schema (for OpenNext patterns)
+ */
+export declare const CDNResourcePlanSchema: z.ZodObject<{
+    name: z.ZodString;
+    defaultOriginRef: z.ZodString;
+    behaviours: z.ZodOptional<z.ZodArray<z.ZodObject<{
+        pathPattern: z.ZodString;
+        originRef: z.ZodString;
+        cachePolicy: z.ZodOptional<z.ZodEnum<{
+            CACHING_OPTIMIZED: "CACHING_OPTIMIZED";
+            CACHING_DISABLED: "CACHING_DISABLED";
+        }>>;
+    }, z.core.$strict>>>;
+    customDomain: z.ZodOptional<z.ZodString>;
+    certificateArn: z.ZodOptional<z.ZodString>;
+    accessGate: z.ZodOptional<z.ZodUnion<readonly [z.ZodLiteral<false>, z.ZodObject<{
+        type: z.ZodLiteral<"basic-auth">;
+        username: z.ZodString;
+        password: z.ZodString;
+    }, z.core.$strict>]>>;
+    extraProperties: z.ZodOptional<z.ZodArray<z.ZodObject<{
+        key: z.ZodString;
+        sourceText: z.ZodString;
+    }, z.core.$strict>>>;
+}, z.core.$strict>;
+export declare const CdnGeneratorSchema: z.ZodObject<{
+    appName: z.ZodString;
+    name: z.ZodOptional<z.ZodString>;
+    defaultOriginRef: z.ZodString;
+    behaviours: z.ZodOptional<z.ZodArray<z.ZodObject<{
+        pathPattern: z.ZodString;
+        originRef: z.ZodString;
+        cachePolicy: z.ZodOptional<z.ZodEnum<{
+            CACHING_OPTIMIZED: "CACHING_OPTIMIZED";
+            CACHING_DISABLED: "CACHING_DISABLED";
+        }>>;
+    }, z.core.$strict>>>;
+    customDomain: z.ZodOptional<z.ZodString>;
+    certificateArn: z.ZodOptional<z.ZodString>;
+    accessGate: z.ZodOptional<z.ZodUnion<readonly [z.ZodLiteral<false>, z.ZodObject<{
+        type: z.ZodLiteral<"basic-auth">;
+        username: z.ZodString;
+        password: z.ZodString;
+    }, z.core.$strict>]>>;
+    nameProvidedByFlag: z.ZodOptional<z.ZodBoolean>;
+}, z.core.$strict>;
+export type CdnGeneratorOptions = z.infer<typeof CdnGeneratorSchema>;
+export type CDNResourcePlan = z.infer<typeof CDNResourcePlanSchema>;

package/dist/src/schemas/cdnSchemas.js

@@ -0,0 +1,62 @@
+import { z } from "zod";
+import { ResourceNameSchema, ExtraPropertySchema } from "./baseSchemas.js";
+// ─── Access gate ─────────────────────────────────────────────────────────────
+/**
+ * Access gate configuration for CDN distributions.
+ * Extensible discriminated union — currently supports basic-auth,
+ * future types (cognito, oidc, ip-allowlist) can be added.
+ */
+export const AccessGateSchema = z
+    .object({
+    type: z.literal("basic-auth"),
+    username: z.string().min(1),
+    password: z.string().min(1),
+})
+    .strict();
+// ─── CDN resource plan ───────────────────────────────────────────────────────
+/**
+ * CDN resource plan schema (for OpenNext patterns)
+ */
+export const CDNResourcePlanSchema = z
+    .object({
+    name: ResourceNameSchema,
+    defaultOriginRef: z.string(),
+    behaviours: z
+        .array(z
+        .object({
+        pathPattern: z.string(),
+        originRef: z.string(),
+        cachePolicy: z
+            .enum(["CACHING_OPTIMIZED", "CACHING_DISABLED"])
+            .optional(),
+    })
+        .strict())
+        .optional(),
+    customDomain: z.string().optional(),
+    certificateArn: z.string().optional(),
+    accessGate: z.union([z.literal(false), AccessGateSchema]).optional(),
+    extraProperties: z.array(ExtraPropertySchema).optional(),
+})
+    .strict();
+export const CdnGeneratorSchema = z
+    .object({
+    appName: z.string(),
+    name: ResourceNameSchema.optional(),
+    defaultOriginRef: z.string(),
+    behaviours: z
+        .array(z
+        .object({
+        pathPattern: z.string(),
+        originRef: z.string(),
+        cachePolicy: z
+            .enum(["CACHING_OPTIMIZED", "CACHING_DISABLED"])
+            .optional(),
+    })
+        .strict())
+        .optional(),
+    customDomain: z.string().optional(),
+    certificateArn: z.string().optional(),
+    accessGate: z.union([z.literal(false), AccessGateSchema]).optional(),
+    nameProvidedByFlag: z.boolean().optional(),
+})
+    .strict();