@fjall/util 0.95.0 → 0.99.1

package/dist/manifest/schemas.d.ts

@@ -0,0 +1,163 @@
+/**
+ * Pure Zod schemas for the Fjall build-time manifest.
+ *
+ * This module is the canonical, environment-agnostic source of truth for:
+ *   - DockerBuild — the universal `{ path, context?, target? }` primitive
+ *     consumed by every container-image-producing role (service today,
+ *     migrations next, future sidecars and batch jobs).
+ *   - DockerBuildPartial — the all-optional variant used by `migrations.docker`
+ *     for per-field inheritance from the parent service.
+ *   - mergeDockerBuild() — single source of truth for the merge semantics
+ *     (target-only override, full override, no override → inherit).
+ *   - The full Fjall manifest schema (services, lambdas, pattern, ecr,
+ *     stacks, resourceMap).
+ *
+ * Purity: this module imports only `zod`. No `fs`, no `path`, no logger.
+ * That lets the generator (which is forbidden from doing I/O) consume
+ * docker-shape types without dragging Node-only modules into the cloud
+ * assembly. I/O helpers live in the sibling `./io` module.
+ */
+import { z } from "zod";
+/** Manifest file name — single source of truth across CLI, deploy-core, and infrastructure. */
+export declare const FJALL_MANIFEST_FILENAME = "fjall-manifest.json";
+/** Current manifest schema version. */
+export declare const MANIFEST_SCHEMA_VERSION: 1;
+/**
+ * The universal Docker-build role primitive.
+ *
+ * `path` is the Dockerfile path (absolute or relative to `context`); `context`
+ * is the build context (defaults to the directory containing `path` when
+ * absent — that default lives in the build orchestrator, not in the schema);
+ * `target` selects a multi-stage Dockerfile target; `buildArgs` are forwarded
+ * to `docker buildx build --build-arg KEY=VALUE` and are the only mechanism
+ * by which Vite-style `import.meta.env.VITE_*` variables can be baked into
+ * the production client bundle (the substitution happens at build time, not
+ * runtime, so container ENV vars cannot reach the client).
+ */
+export declare const DockerBuildSchema: z.ZodObject<{
+    path: z.ZodString;
+    context: z.ZodOptional<z.ZodString>;
+    target: z.ZodOptional<z.ZodString>;
+    buildArgs: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
+}, z.core.$strict>;
+export type DockerBuild = z.infer<typeof DockerBuildSchema>;
+/**
+ * All-optional variant used by `migrations.docker` for per-field inheritance.
+ *
+ * Every field is optional; missing fields inherit from the parent service's
+ * `docker` via `mergeDockerBuild()`. A migrations override of just
+ * `{ target: "migrate" }` keeps the service's `path` and `context`.
+ */
+export declare const DockerBuildPartialSchema: z.ZodObject<{
+    path: z.ZodOptional<z.ZodString>;
+    context: z.ZodOptional<z.ZodOptional<z.ZodString>>;
+    target: z.ZodOptional<z.ZodOptional<z.ZodString>>;
+    buildArgs: z.ZodOptional<z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>>;
+}, z.core.$strict>;
+export type DockerBuildPartial = z.infer<typeof DockerBuildPartialSchema>;
+/**
+ * Per-field merge of a service's `docker` and an optional migrations override.
+ *
+ * - When `migrationsOverride` is undefined, the service's docker is returned unchanged.
+ * - When set, each field on the override wins; missing fields inherit from the service.
+ * - The result preserves the structural mutex with `image` because callers only
+ *   invoke this when they have a service-side `docker` to merge against.
+ */
+export declare function mergeDockerBuild(service: DockerBuild, migrationsOverride: DockerBuildPartial | undefined): DockerBuild;
+declare const ManifestServiceSchema: z.ZodObject<{
+    name: z.ZodString;
+    clusterName: z.ZodOptional<z.ZodString>;
+    docker: z.ZodOptional<z.ZodObject<{
+        path: z.ZodString;
+        context: z.ZodOptional<z.ZodString>;
+        target: z.ZodOptional<z.ZodString>;
+        buildArgs: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
+    }, z.core.$strict>>;
+    containerPort: z.ZodOptional<z.ZodNumber>;
+    secrets: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    ssmSecretsPath: z.ZodOptional<z.ZodString>;
+}, z.core.$strict>;
+export type ManifestService = z.infer<typeof ManifestServiceSchema>;
+declare const ManifestPatternSchema: z.ZodObject<{
+    type: z.ZodEnum<{
+        payload: "payload";
+    }>;
+    name: z.ZodString;
+    source: z.ZodString;
+}, z.core.$strict>;
+export type ManifestPattern = z.infer<typeof ManifestPatternSchema>;
+declare const ManifestEcrSchema: z.ZodObject<{
+    repositoryName: z.ZodString;
+}, z.core.$strict>;
+export type ManifestEcr = z.infer<typeof ManifestEcrSchema>;
+declare const ManifestLambdaSchema: z.ZodObject<{
+    name: z.ZodString;
+    secrets: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    ssmSecretsPath: z.ZodOptional<z.ZodString>;
+}, z.core.$strict>;
+export type ManifestLambda = z.infer<typeof ManifestLambdaSchema>;
+declare const ManifestStackHashSchema: z.ZodObject<{
+    templateHash: z.ZodString;
+    synthTimestamp: z.ZodString;
+}, z.core.$strict>;
+export type ManifestStackHash = z.infer<typeof ManifestStackHashSchema>;
+/**
+ * Construct-map entry shape — duplicated structurally with `ResourceMapEntry`
+ * in `../constructMap.ts`. The two shapes must stay in lockstep; the canonical
+ * runtime type is the schema-inferred form here, and `recordToConstructMap()`
+ * produces a Map<string, ResourceMapEntry> that is structurally compatible.
+ */
+declare const ResourceMapEntrySchema: z.ZodObject<{
+    constructPath: z.ZodString;
+    group: z.ZodString;
+    resourceType: z.ZodString;
+}, z.core.$strict>;
+export type ResourceMapEntry = z.infer<typeof ResourceMapEntrySchema>;
+/**
+ * Fjall manifest schema — generated during CDK synth.
+ * Location: `<cdk.out>/fjall-manifest.json`.
+ */
+export declare const FjallManifestSchema: z.ZodObject<{
+    version: z.ZodLiteral<1>;
+    generatedAt: z.ZodString;
+    appName: z.ZodString;
+    services: z.ZodArray<z.ZodObject<{
+        name: z.ZodString;
+        clusterName: z.ZodOptional<z.ZodString>;
+        docker: z.ZodOptional<z.ZodObject<{
+            path: z.ZodString;
+            context: z.ZodOptional<z.ZodString>;
+            target: z.ZodOptional<z.ZodString>;
+            buildArgs: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
+        }, z.core.$strict>>;
+        containerPort: z.ZodOptional<z.ZodNumber>;
+        secrets: z.ZodOptional<z.ZodArray<z.ZodString>>;
+        ssmSecretsPath: z.ZodOptional<z.ZodString>;
+    }, z.core.$strict>>;
+    lambdas: z.ZodArray<z.ZodObject<{
+        name: z.ZodString;
+        secrets: z.ZodOptional<z.ZodArray<z.ZodString>>;
+        ssmSecretsPath: z.ZodOptional<z.ZodString>;
+    }, z.core.$strict>>;
+    pattern: z.ZodOptional<z.ZodObject<{
+        type: z.ZodEnum<{
+            payload: "payload";
+        }>;
+        name: z.ZodString;
+        source: z.ZodString;
+    }, z.core.$strict>>;
+    ecr: z.ZodOptional<z.ZodObject<{
+        repositoryName: z.ZodString;
+    }, z.core.$strict>>;
+    stacks: z.ZodRecord<z.ZodString, z.ZodObject<{
+        templateHash: z.ZodString;
+        synthTimestamp: z.ZodString;
+    }, z.core.$strict>>;
+    resourceMap: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodObject<{
+        constructPath: z.ZodString;
+        group: z.ZodString;
+        resourceType: z.ZodString;
+    }, z.core.$strict>>>;
+}, z.core.$strict>;
+export type FjallManifest = z.infer<typeof FjallManifestSchema>;
+export { ManifestServiceSchema, ManifestPatternSchema, ManifestEcrSchema, ManifestLambdaSchema, ManifestStackHashSchema, ResourceMapEntrySchema };

package/dist/manifest/schemas.js

@@ -0,0 +1 @@
+import{z as t}from"zod";const h="fjall-manifest.json",u=1,s=t.object({path:t.string(),context:t.string().min(1,"context cannot be empty").optional(),target:t.string().min(1,"target cannot be empty").optional(),buildArgs:t.record(t.string(),t.string()).optional()}).strict(),b=s.partial();function S(e,n){if(n===void 0)return e;const r=n.context??e.context,a=n.target??e.target,o=n.buildArgs??e.buildArgs;return{path:n.path??e.path,...r!==void 0&&{context:r},...a!==void 0&&{target:a},...o!==void 0&&{buildArgs:o}}}const c=t.object({name:t.string(),clusterName:t.string().optional(),docker:s.optional(),containerPort:t.number().optional(),secrets:t.array(t.string()).optional(),ssmSecretsPath:t.string().optional()}).strict(),i=t.object({type:t.enum(["payload"]),name:t.string(),source:t.string()}).strict(),p=t.object({repositoryName:t.string()}).strict(),g=t.object({name:t.string(),secrets:t.array(t.string()).optional(),ssmSecretsPath:t.string().optional()}).strict(),m=t.object({templateHash:t.string(),synthTimestamp:t.string()}).strict(),l=t.object({constructPath:t.string().max(512),group:t.string().max(128),resourceType:t.string().max(256)}).strict(),x=t.object({version:t.literal(u),generatedAt:t.string(),appName:t.string(),services:t.array(c),lambdas:t.array(g),pattern:i.optional(),ecr:p.optional(),stacks:t.record(t.string(),m),resourceMap:t.record(t.string(),l).optional()}).strict();export{b as DockerBuildPartialSchema,s as DockerBuildSchema,h as FJALL_MANIFEST_FILENAME,x as FjallManifestSchema,u as MANIFEST_SCHEMA_VERSION,p as ManifestEcrSchema,g as ManifestLambdaSchema,i as ManifestPatternSchema,c as ManifestServiceSchema,m as ManifestStackHashSchema,l as ResourceMapEntrySchema,S as mergeDockerBuild};

package/dist/mcpProtocol/index.d.ts

@@ -0,0 +1,362 @@
+import { z } from "zod";
+export declare const MCP_PROTOCOL_VERSION: 2;
+/**
+ * Wire-format error codes emitted by `kind: "error"` frames.
+ * The CLI emitter and MCP consumer pattern-match on these strings —
+ * the codes ARE the contract.
+ */
+export declare const MCP_ERROR_CODES: {
+    readonly AUTHENTICATION_REQUIRED: "AUTHENTICATION_REQUIRED";
+    readonly VALIDATION_ERROR: "VALIDATION_ERROR";
+    readonly INTERNAL_ERROR: "INTERNAL_ERROR";
+    readonly INVALID_SUBCOMMAND: "INVALID_SUBCOMMAND";
+    readonly INVALID_FRAME: "INVALID_FRAME";
+};
+export type McpErrorCode = (typeof MCP_ERROR_CODES)[keyof typeof MCP_ERROR_CODES];
+/** Maximum length of a free-form `intent` string carried on scaffold inputs. */
+export declare const INTENT_MAX_LENGTH = 1000;
+declare const stepStatusSchema: z.ZodEnum<{
+    error: "error";
+    completed: "completed";
+    skipped: "skipped";
+}>;
+export type McpStepStatus = z.infer<typeof stepStatusSchema>;
+export declare const StepStartFrameSchema: z.ZodObject<{
+    v: z.ZodLiteral<2>;
+    kind: z.ZodLiteral<"step.start">;
+    stepId: z.ZodString;
+    name: z.ZodString;
+    index: z.ZodNumber;
+    total: z.ZodNumber;
+}, z.core.$strict>;
+export type StepStartFrame = z.infer<typeof StepStartFrameSchema>;
+export declare const StepCompleteFrameSchema: z.ZodObject<{
+    v: z.ZodLiteral<2>;
+    kind: z.ZodLiteral<"step.complete">;
+    stepId: z.ZodString;
+    name: z.ZodString;
+    status: z.ZodEnum<{
+        error: "error";
+        completed: "completed";
+        skipped: "skipped";
+    }>;
+    index: z.ZodNumber;
+    total: z.ZodNumber;
+    errorMessage: z.ZodOptional<z.ZodString>;
+}, z.core.$strict>;
+export type StepCompleteFrame = z.infer<typeof StepCompleteFrameSchema>;
+export declare const WarningFrameSchema: z.ZodObject<{
+    v: z.ZodLiteral<2>;
+    kind: z.ZodLiteral<"warning">;
+    message: z.ZodString;
+}, z.core.$strict>;
+export type WarningFrame = z.infer<typeof WarningFrameSchema>;
+declare const errorPayloadSchema: z.ZodObject<{
+    code: z.ZodString;
+    message: z.ZodString;
+    details: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+}, z.core.$strict>;
+export type McpErrorPayload = z.infer<typeof errorPayloadSchema>;
+export declare const ErrorFrameSchema: z.ZodObject<{
+    v: z.ZodLiteral<2>;
+    kind: z.ZodLiteral<"error">;
+    error: z.ZodObject<{
+        code: z.ZodString;
+        message: z.ZodString;
+        details: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+    }, z.core.$strict>;
+}, z.core.$strict>;
+export type ErrorFrame = z.infer<typeof ErrorFrameSchema>;
+export declare const ResultFrameSchema: z.ZodObject<{
+    v: z.ZodLiteral<2>;
+    kind: z.ZodLiteral<"result">;
+    data: z.ZodUnknown;
+}, z.core.$strict>;
+export type ResultFrame = z.infer<typeof ResultFrameSchema>;
+export declare const AuthBrowserRequiredFrameSchema: z.ZodObject<{
+    v: z.ZodLiteral<2>;
+    kind: z.ZodLiteral<"auth.browser.required">;
+    url: z.ZodString;
+    externalId: z.ZodString;
+    region: z.ZodString;
+    environment: z.ZodString;
+    reason: z.ZodString;
+}, z.core.$strict>;
+export type AuthBrowserRequiredFrame = z.infer<typeof AuthBrowserRequiredFrameSchema>;
+export declare const AuthBrowserCompleteFrameSchema: z.ZodObject<{
+    v: z.ZodLiteral<2>;
+    kind: z.ZodLiteral<"auth.browser.complete">;
+    awsAccountId: z.ZodString;
+    accountName: z.ZodString;
+    roleArn: z.ZodString;
+}, z.core.$strict>;
+export type AuthBrowserCompleteFrame = z.infer<typeof AuthBrowserCompleteFrameSchema>;
+export declare const McpProtocolFrameSchema: z.ZodDiscriminatedUnion<[z.ZodObject<{
+    v: z.ZodLiteral<2>;
+    kind: z.ZodLiteral<"step.start">;
+    stepId: z.ZodString;
+    name: z.ZodString;
+    index: z.ZodNumber;
+    total: z.ZodNumber;
+}, z.core.$strict>, z.ZodObject<{
+    v: z.ZodLiteral<2>;
+    kind: z.ZodLiteral<"step.complete">;
+    stepId: z.ZodString;
+    name: z.ZodString;
+    status: z.ZodEnum<{
+        error: "error";
+        completed: "completed";
+        skipped: "skipped";
+    }>;
+    index: z.ZodNumber;
+    total: z.ZodNumber;
+    errorMessage: z.ZodOptional<z.ZodString>;
+}, z.core.$strict>, z.ZodObject<{
+    v: z.ZodLiteral<2>;
+    kind: z.ZodLiteral<"warning">;
+    message: z.ZodString;
+}, z.core.$strict>, z.ZodObject<{
+    v: z.ZodLiteral<2>;
+    kind: z.ZodLiteral<"error">;
+    error: z.ZodObject<{
+        code: z.ZodString;
+        message: z.ZodString;
+        details: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+    }, z.core.$strict>;
+}, z.core.$strict>, z.ZodObject<{
+    v: z.ZodLiteral<2>;
+    kind: z.ZodLiteral<"result">;
+    data: z.ZodUnknown;
+}, z.core.$strict>, z.ZodObject<{
+    v: z.ZodLiteral<2>;
+    kind: z.ZodLiteral<"auth.browser.required">;
+    url: z.ZodString;
+    externalId: z.ZodString;
+    region: z.ZodString;
+    environment: z.ZodString;
+    reason: z.ZodString;
+}, z.core.$strict>, z.ZodObject<{
+    v: z.ZodLiteral<2>;
+    kind: z.ZodLiteral<"auth.browser.complete">;
+    awsAccountId: z.ZodString;
+    accountName: z.ZodString;
+    roleArn: z.ZodString;
+}, z.core.$strict>], "kind">;
+export type McpProtocolFrame = z.infer<typeof McpProtocolFrameSchema>;
+/**
+ * Scaffold protocol schemas — wire types for the `plan_app_scaffold`,
+ * `apply_app_scaffold`, and dry-run helper paths in `@fjall/mcp`.
+ *
+ * The shapes here mirror the CLI-side `DryRunArtefacts` (in
+ * `cli/src/operations/types.ts`) by hand because `@fjall/util` is a leaf
+ * dependency of the CLI and cannot import from it. Drift between the two
+ * is a wire-level bug; both sides MUST move together.
+ */
+export declare const FileToWriteSchema: z.ZodObject<{
+    path: z.ZodString;
+    sizeBytes: z.ZodNumber;
+    collisionMode: z.ZodEnum<{
+        create: "create";
+        overwrite: "overwrite";
+    }>;
+}, z.core.$strict>;
+export type ScaffoldFileToWrite = z.infer<typeof FileToWriteSchema>;
+export declare const RegistryActionSchema: z.ZodObject<{
+    type: z.ZodEnum<{
+        "register-application": "register-application";
+        "create-activity": "create-activity";
+        "auto-link-repository": "auto-link-repository";
+        "writeback-config-path": "writeback-config-path";
+    }>;
+    description: z.ZodString;
+}, z.core.$strict>;
+export type ScaffoldRegistryAction = z.infer<typeof RegistryActionSchema>;
+export declare const TargetAccountSchema: z.ZodObject<{
+    name: z.ZodString;
+    environment: z.ZodString;
+    source: z.ZodString;
+}, z.core.$strict>;
+export type TargetAccount = z.infer<typeof TargetAccountSchema>;
+export declare const ResolvedInputsSchema: z.ZodObject<{
+    name: z.ZodString;
+    pattern: z.ZodOptional<z.ZodString>;
+    patternTier: z.ZodOptional<z.ZodEnum<{
+        tinkerer: "tinkerer";
+        lightweight: "lightweight";
+        standard: "standard";
+        resilient: "resilient";
+        enterprise: "enterprise";
+    }>>;
+    patternDomain: z.ZodOptional<z.ZodString>;
+    network: z.ZodOptional<z.ZodEnum<{
+        lightweight: "lightweight";
+        standard: "standard";
+        resilient: "resilient";
+        enterprise: "enterprise";
+        none: "none";
+    }>>;
+    template: z.ZodOptional<z.ZodString>;
+    docker: z.ZodOptional<z.ZodObject<{
+        path: z.ZodOptional<z.ZodString>;
+        context: z.ZodOptional<z.ZodString>;
+        target: z.ZodOptional<z.ZodString>;
+    }, z.core.$strict>>;
+    git: z.ZodOptional<z.ZodBoolean>;
+    github: z.ZodOptional<z.ZodBoolean>;
+    repoVisibility: z.ZodOptional<z.ZodEnum<{
+        private: "private";
+        public: "public";
+    }>>;
+    intent: z.ZodOptional<z.ZodString>;
+}, z.core.$strict>;
+export type ResolvedInputs = z.infer<typeof ResolvedInputsSchema>;
+export declare const ScaffoldPlanSchema: z.ZodObject<{
+    planId: z.ZodString;
+    normalisedPath: z.ZodString;
+    resolvedInputs: z.ZodObject<{
+        name: z.ZodString;
+        pattern: z.ZodOptional<z.ZodString>;
+        patternTier: z.ZodOptional<z.ZodEnum<{
+            tinkerer: "tinkerer";
+            lightweight: "lightweight";
+            standard: "standard";
+            resilient: "resilient";
+            enterprise: "enterprise";
+        }>>;
+        patternDomain: z.ZodOptional<z.ZodString>;
+        network: z.ZodOptional<z.ZodEnum<{
+            lightweight: "lightweight";
+            standard: "standard";
+            resilient: "resilient";
+            enterprise: "enterprise";
+            none: "none";
+        }>>;
+        template: z.ZodOptional<z.ZodString>;
+        docker: z.ZodOptional<z.ZodObject<{
+            path: z.ZodOptional<z.ZodString>;
+            context: z.ZodOptional<z.ZodString>;
+            target: z.ZodOptional<z.ZodString>;
+        }, z.core.$strict>>;
+        git: z.ZodOptional<z.ZodBoolean>;
+        github: z.ZodOptional<z.ZodBoolean>;
+        repoVisibility: z.ZodOptional<z.ZodEnum<{
+            private: "private";
+            public: "public";
+        }>>;
+        intent: z.ZodOptional<z.ZodString>;
+    }, z.core.$strict>;
+    targetAccount: z.ZodNullable<z.ZodObject<{
+        name: z.ZodString;
+        environment: z.ZodString;
+        source: z.ZodString;
+    }, z.core.$strict>>;
+    targetAccountCandidates: z.ZodArray<z.ZodObject<{
+        name: z.ZodString;
+        environment: z.ZodString;
+        source: z.ZodString;
+    }, z.core.$strict>>;
+    filesToWrite: z.ZodArray<z.ZodObject<{
+        path: z.ZodString;
+        sizeBytes: z.ZodNumber;
+        collisionMode: z.ZodEnum<{
+            create: "create";
+            overwrite: "overwrite";
+        }>;
+    }, z.core.$strict>>;
+    npmPackages: z.ZodArray<z.ZodString>;
+    registryActions: z.ZodArray<z.ZodObject<{
+        type: z.ZodEnum<{
+            "register-application": "register-application";
+            "create-activity": "create-activity";
+            "auto-link-repository": "auto-link-repository";
+            "writeback-config-path": "writeback-config-path";
+        }>;
+        description: z.ZodString;
+    }, z.core.$strict>>;
+    patternUnsupportedForDryRun: z.ZodOptional<z.ZodBoolean>;
+    intent: z.ZodOptional<z.ZodString>;
+    framework: z.ZodOptional<z.ZodString>;
+    summary: z.ZodString;
+}, z.core.$strict>;
+export type ScaffoldPlan = z.infer<typeof ScaffoldPlanSchema>;
+export declare const DryRunArtefactsSchema: z.ZodObject<{
+    filesToWrite: z.ZodArray<z.ZodObject<{
+        path: z.ZodString;
+        sizeBytes: z.ZodNumber;
+        collisionMode: z.ZodEnum<{
+            create: "create";
+            overwrite: "overwrite";
+        }>;
+    }, z.core.$strict>>;
+    npmPackages: z.ZodArray<z.ZodString>;
+    registryActions: z.ZodArray<z.ZodObject<{
+        type: z.ZodEnum<{
+            "register-application": "register-application";
+            "create-activity": "create-activity";
+            "auto-link-repository": "auto-link-repository";
+            "writeback-config-path": "writeback-config-path";
+        }>;
+        description: z.ZodString;
+    }, z.core.$strict>>;
+    patternUnsupportedForDryRun: z.ZodOptional<z.ZodBoolean>;
+}, z.core.$strict>;
+export type ScaffoldDryRunArtefacts = z.infer<typeof DryRunArtefactsSchema>;
+export declare const ScaffoldResultDataSchema: z.ZodObject<{
+    path: z.ZodString;
+    name: z.ZodString;
+    mode: z.ZodEnum<{
+        pattern: "pattern";
+        application: "application";
+    }>;
+    dependenciesInstalled: z.ZodOptional<z.ZodBoolean>;
+    warning: z.ZodOptional<z.ZodString>;
+    dryRunArtefacts: z.ZodOptional<z.ZodObject<{
+        filesToWrite: z.ZodArray<z.ZodObject<{
+            path: z.ZodString;
+            sizeBytes: z.ZodNumber;
+            collisionMode: z.ZodEnum<{
+                create: "create";
+                overwrite: "overwrite";
+            }>;
+        }, z.core.$strict>>;
+        npmPackages: z.ZodArray<z.ZodString>;
+        registryActions: z.ZodArray<z.ZodObject<{
+            type: z.ZodEnum<{
+                "register-application": "register-application";
+                "create-activity": "create-activity";
+                "auto-link-repository": "auto-link-repository";
+                "writeback-config-path": "writeback-config-path";
+            }>;
+            description: z.ZodString;
+        }, z.core.$strict>>;
+        patternUnsupportedForDryRun: z.ZodOptional<z.ZodBoolean>;
+    }, z.core.$strict>>;
+}, z.core.$strict>;
+export type ScaffoldResultData = z.infer<typeof ScaffoldResultDataSchema>;
+/**
+ * Progress frame emitted via MCP `notifications/progress` during
+ * `apply_app_scaffold`. `total` is omitted for unbounded streams (warnings).
+ */
+export declare const ScaffoldProgressFrameSchema: z.ZodObject<{
+    step: z.ZodString;
+    current: z.ZodNumber;
+    total: z.ZodOptional<z.ZodNumber>;
+    message: z.ZodString;
+}, z.core.$strict>;
+export type ScaffoldProgressFrame = z.infer<typeof ScaffoldProgressFrameSchema>;
+export type ParseFrameResult = {
+    ok: true;
+    frame: McpProtocolFrame;
+} | {
+    ok: false;
+    reason: "json";
+    raw: string;
+    error: string;
+} | {
+    ok: false;
+    reason: "schema";
+    raw: string;
+    error: string;
+};
+export declare function parseFrame(line: string): ParseFrameResult;
+export {};

package/dist/mcpProtocol/index.js

@@ -0,0 +1 @@
+import{z as t}from"zod";const p=2,f={AUTHENTICATION_REQUIRED:"AUTHENTICATION_REQUIRED",VALIDATION_ERROR:"VALIDATION_ERROR",INTERNAL_ERROR:"INTERNAL_ERROR",INVALID_SUBCOMMAND:"INVALID_SUBCOMMAND",INVALID_FRAME:"INVALID_FRAME"},a=1e3,e=t.literal(p),l=t.enum(["completed","error","skipped"]),g=t.object({v:e,kind:t.literal("step.start"),stepId:t.string().min(1),name:t.string().min(1),index:t.number().int().min(0),total:t.number().int().min(1)}).strict(),u=t.object({v:e,kind:t.literal("step.complete"),stepId:t.string().min(1),name:t.string().min(1),status:l,index:t.number().int().min(0),total:t.number().int().min(1),errorMessage:t.string().optional()}).strict(),d=t.object({v:e,kind:t.literal("warning"),message:t.string().min(1)}).strict(),b=t.object({code:t.string().min(1),message:t.string().min(1),details:t.record(t.string(),t.unknown()).optional()}).strict(),h=t.object({v:e,kind:t.literal("error"),error:b}).strict(),R=t.object({v:e,kind:t.literal("result"),data:t.unknown()}).strict(),A=t.object({v:e,kind:t.literal("auth.browser.required"),url:t.string().url(),externalId:t.string().min(1),region:t.string().min(1),environment:t.string().min(1),reason:t.string().min(1)}).strict(),S=t.object({v:e,kind:t.literal("auth.browser.complete"),awsAccountId:t.string().min(1),accountName:t.string().min(1),roleArn:t.string().min(1)}).strict(),I=t.discriminatedUnion("kind",[g,u,d,h,R,A,S]),s=t.object({path:t.string().min(1),sizeBytes:t.number().int().nonnegative(),collisionMode:t.enum(["create","overwrite"])}).strict(),c=t.object({type:t.enum(["register-application","create-activity","auto-link-repository","writeback-config-path"]),description:t.string().min(1)}).strict(),x=t.enum(["tinkerer","lightweight","standard","resilient","enterprise"]),k=t.enum(["lightweight","standard","resilient","enterprise","none"]),m=t.object({name:t.string().min(1),environment:t.string().min(1),source:t.string().min(1)}).strict(),E=t.object({name:t.string().min(1),pattern:t.string().min(1).optional(),patternTier:x.optional(),patternDomain:t.string().min(1).optional(),network:k.optional(),template:t.string().min(1).optional(),docker:t.object({path:t.string().min(1).optional(),context:t.string().min(1).optional(),target:t.string().min(1).optional()}).strict().optional(),git:t.boolean().optional(),github:t.boolean().optional(),repoVisibility:t.enum(["private","public"]).optional(),intent:t.string().max(a).optional()}).strict(),T=t.object({planId:t.string().regex(/^[0-9a-f]{32}$/),normalisedPath:t.string().min(1),resolvedInputs:E,targetAccount:m.nullable(),targetAccountCandidates:t.array(m),filesToWrite:t.array(s),npmPackages:t.array(t.string().min(1)),registryActions:t.array(c),patternUnsupportedForDryRun:t.boolean().optional(),intent:t.string().max(a).optional(),framework:t.string().min(1).optional(),summary:t.string().min(1)}).strict(),N=t.object({filesToWrite:t.array(s),npmPackages:t.array(t.string().min(1)),registryActions:t.array(c),patternUnsupportedForDryRun:t.boolean().optional()}).strict(),j=t.object({path:t.string().min(1),name:t.string().min(1),mode:t.enum(["application","pattern"]),dependenciesInstalled:t.boolean().optional(),warning:t.string().optional(),dryRunArtefacts:N.optional()}).strict(),v=t.object({step:t.string().min(1),current:t.number().int().nonnegative(),total:t.number().int().positive().optional(),message:t.string().min(1)}).strict();function w(n){let o;try{o=JSON.parse(n)}catch(i){return{ok:!1,reason:"json",raw:n,error:i instanceof Error?i.message:String(i)}}const r=I.safeParse(o);return r.success?{ok:!0,frame:r.data}:{ok:!1,reason:"schema",raw:n,error:r.error.message}}export{S as AuthBrowserCompleteFrameSchema,A as AuthBrowserRequiredFrameSchema,N as DryRunArtefactsSchema,h as ErrorFrameSchema,s as FileToWriteSchema,a as INTENT_MAX_LENGTH,f as MCP_ERROR_CODES,p as MCP_PROTOCOL_VERSION,I as McpProtocolFrameSchema,c as RegistryActionSchema,E as ResolvedInputsSchema,R as ResultFrameSchema,T as ScaffoldPlanSchema,v as ScaffoldProgressFrameSchema,j as ScaffoldResultDataSchema,u as StepCompleteFrameSchema,g as StepStartFrameSchema,m as TargetAccountSchema,d as WarningFrameSchema,w as parseFrame};

package/dist/migration/clickhouseSqlUsers.d.ts

@@ -0,0 +1,69 @@
+/**
+ * Cross-package contract for the ClickHouse managed-users manifest.
+ *
+ * Producer: `ClickHouseDatabase.getMigrationContributions()` emits the
+ * managed-password user names (every entry in the construct's
+ * `managedPasswords:` prop, plus the `schemaAdmin.name`) as a JSON-stringified
+ * array of strings on the migration container's env, plus per-user
+ * `USER_<NAME>_PASSWORD` secretsImport entries.
+ *
+ * Consumer: `@fjall/clickhouse-migrations § provisionUsersFromEnv` parses the
+ * env, reads each password from `process.env[USER_<NAME>_PASSWORD]` (injected
+ * by ECS executionRole — no runtime SDK call), and issues
+ * `CREATE USER IF NOT EXISTS … IDENTIFIED WITH sha256_password BY '<pw>'`
+ * followed by `ALTER USER …`. Profile binding is NOT performed by the helper
+ * — profiles are bound by customer SQL migrations via
+ * `ALTER USER <name> SETTINGS PROFILE '<profile>'`.
+ *
+ * Coupled values — must move together per
+ * `.claude/rules/code-quality.md § "Coupled values: shared source at 2
+ * occurrences"`. Lives in `@fjall/util` so the runtime Docker image picks the
+ * constant + schema up without pulling `aws-cdk-lib`.
+ */
+import { z } from "zod";
+/**
+ * Container env var name carrying the JSON-stringified manifest of managed
+ * users (just names — no profile binding). Set by
+ * `getMigrationContributions()` at synth; consumed by the migration helper at
+ * runtime.
+ */
+export declare const CLICKHOUSE_MANAGED_USERS_ENV: "CLICKHOUSE_MANAGED_USERS";
+/**
+ * ECS-injected env var name carrying a managed user's plaintext password.
+ *
+ * Producer: `ClickHouseDatabase.getMigrationContributions()` populates
+ * `secretsImport[userPasswordEnvName(name)] = secret.getImport("password")`
+ * (the framework wires the executionRole `secretsmanager:GetSecretValue` grant
+ * via the standard `secretsImport` path).
+ *
+ * Consumer: `@fjall/clickhouse-migrations § provisionUsersFromEnv` reads
+ * `process.env[userPasswordEnvName(name)]` for each entry in the manifest —
+ * no runtime SDK call.
+ *
+ * Coupled values — must move together per
+ * `.claude/rules/code-quality.md § "Coupled values: shared source at 2
+ * occurrences"`. Single source-of-truth here so a future shape change
+ * (`USER_<NAME>_SECRET`, lower-case, prefixed) lands at one site, not three.
+ */
+export declare function userPasswordEnvName(userName: string): string;
+/**
+ * Lowercase snake_case name regex. Mirrors the construct's `NAME_PATTERN` at
+ * `fjall/components/infrastructure/lib/resources/aws/database/clickhouseSchemas.ts § NAME_PATTERN`.
+ * Drift between the two surfaces as a parse failure in the runner.
+ */
+export declare const MANAGED_USER_NAME_PATTERN: RegExp;
+/**
+ * One managed user — just the name. Passwords flow via the sibling
+ * `USER_<NAME>_PASSWORD` env vars injected by ECS executionRole; profiles
+ * flow via customer SQL (`ALTER USER … SETTINGS PROFILE …`), not via this
+ * manifest.
+ */
+export declare const ManagedUserNameSchema: z.ZodString;
+export type ManagedUserName = z.infer<typeof ManagedUserNameSchema>;
+/**
+ * Manifest = ordered array of managed user names. Order matches the
+ * construct's `[schemaAdmin.name, ...managedPasswords]` order so provisioning
+ * is deterministic across deploys.
+ */
+export declare const ManagedUserNamesSchema: z.ZodArray<z.ZodString>;
+export type ManagedUserNames = z.infer<typeof ManagedUserNamesSchema>;

package/dist/migration/clickhouseSqlUsers.js

@@ -0,0 +1 @@
+import{z as e}from"zod";const t="CLICKHOUSE_MANAGED_USERS";function n(a){return`USER_${a.toUpperCase()}_PASSWORD`}const r=/^[a-z][a-z0-9_]*$/,s=e.string().min(1).max(63).regex(r,"Must be lowercase snake_case"),E=e.array(s).min(0);export{t as CLICKHOUSE_MANAGED_USERS_ENV,r as MANAGED_USER_NAME_PATTERN,s as ManagedUserNameSchema,E as ManagedUserNamesSchema,n as userPasswordEnvName};

package/dist/migration/constants.d.ts

@@ -0,0 +1,34 @@
+/**
+ * Cross-package contract constants for the migration runner. Imported by both
+ * `@fjall/components-infrastructure` (CDK synth, IAM globs, env-var injection)
+ * and `webapp/scripts/migration-runner.mjs` (runtime, snapshot naming, gate).
+ * Coupled values — must move together (Code Quality § "Coupled values: shared
+ * source at 2 occurrences"). Live in `@fjall/util` so the runtime Docker image
+ * picks them up without pulling `aws-cdk-lib`.
+ */
+/**
+ * Snapshot-name prefix shared between the IAM glob in
+ * `IRelationalDatabaseBase.getMigrationSnapshotPolicy()` and the runner's
+ * `DBSnapshotIdentifier`. Both sites import this so a renamed prefix can't
+ * leave the IAM glob granting access to a name the runner no longer emits.
+ */
+export declare const MIGRATION_SNAPSHOT_NAME_PREFIX: "fjall-premigrate";
+/**
+ * Container env var name for the schema-version fail-fast gate. Every
+ * container of every service whose `connections:` includes a relational DB
+ * declaring `migrations:` receives this env baked in at synth time. The
+ * booting service reads it at runtime and refuses to start when the actual
+ * schema version trails the expected.
+ */
+export declare const EXPECTED_SCHEMA_VERSION_ENV: "EXPECTED_SCHEMA_VERSION";
+/**
+ * Sibling env carrying the producing `MigrationsConfig.tool` discriminator
+ * (`"prisma" | "custom"`). Emitted alongside `EXPECTED_SCHEMA_VERSION` so the
+ * runtime gate can dispatch to the matching consumer-side resolver.
+ */
+export declare const EXPECTED_SCHEMA_VERSION_TOOL_ENV: "EXPECTED_SCHEMA_VERSION_TOOL";
+/**
+ * Prisma migration directory pattern: 14-digit timestamp + underscore prefix.
+ * Sortable alphanumerically because the timestamp is fixed-width.
+ */
+export declare const PRISMA_MIGRATION_DIR_RE: RegExp;

package/dist/migration/constants.js

@@ -0,0 +1 @@
+const E="fjall-premigrate",_="EXPECTED_SCHEMA_VERSION",I="EXPECTED_SCHEMA_VERSION_TOOL",O=/^\d{14}_/;export{_ as EXPECTED_SCHEMA_VERSION_ENV,I as EXPECTED_SCHEMA_VERSION_TOOL_ENV,E as MIGRATION_SNAPSHOT_NAME_PREFIX,O as PRISMA_MIGRATION_DIR_RE};

package/dist/migration/index.d.ts

@@ -0,0 +1,3 @@
+export { MIGRATION_SNAPSHOT_NAME_PREFIX, EXPECTED_SCHEMA_VERSION_ENV, EXPECTED_SCHEMA_VERSION_TOOL_ENV, PRISMA_MIGRATION_DIR_RE } from "./constants.js";
+export { pickLatestPrismaMigration } from "./pickLatestPrismaMigration.js";
+export { CLICKHOUSE_MANAGED_USERS_ENV, MANAGED_USER_NAME_PATTERN, userPasswordEnvName, ManagedUserNameSchema, ManagedUserNamesSchema, type ManagedUserName, type ManagedUserNames } from "./clickhouseSqlUsers.js";

package/dist/migration/index.js

@@ -0,0 +1 @@
+import{MIGRATION_SNAPSHOT_NAME_PREFIX as N,EXPECTED_SCHEMA_VERSION_ENV as e,EXPECTED_SCHEMA_VERSION_TOOL_ENV as a,PRISMA_MIGRATION_DIR_RE as A}from"./constants.js";import{pickLatestPrismaMigration as r}from"./pickLatestPrismaMigration.js";import{CLICKHOUSE_MANAGED_USERS_ENV as R,MANAGED_USER_NAME_PATTERN as I,userPasswordEnvName as m,ManagedUserNameSchema as o,ManagedUserNamesSchema as s}from"./clickhouseSqlUsers.js";export{R as CLICKHOUSE_MANAGED_USERS_ENV,e as EXPECTED_SCHEMA_VERSION_ENV,a as EXPECTED_SCHEMA_VERSION_TOOL_ENV,I as MANAGED_USER_NAME_PATTERN,N as MIGRATION_SNAPSHOT_NAME_PREFIX,o as ManagedUserNameSchema,s as ManagedUserNamesSchema,A as PRISMA_MIGRATION_DIR_RE,r as pickLatestPrismaMigration,m as userPasswordEnvName};

package/dist/migration/pickLatestPrismaMigration.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Returns the lexicographically-latest Prisma migration directory name
+ * under `prismaRoot` (e.g. `"20260201000000_add_users"`). Lexicographic
+ * order equals chronological order because of the fixed-width timestamp.
+ *
+ * Synchronous I/O — safe at both CDK synth time (the original use site) and
+ * inside the migration runner script (the new use site). Throws when the
+ * directory contains no entries matching `PRISMA_MIGRATION_DIR_RE`.
+ */
+export declare function pickLatestPrismaMigration(prismaRoot: string): string;