@fjall/util 2.12.0 → 2.14.0

package/dist/.minified

@@ -1 +1 @@
-59 files minified at 2026-06-09T10:15:26.341Z
+64 files minified at 2026-06-12T01:12:20.740Z

package/dist/Config.d.ts

@@ -1,4 +1,5 @@
 import { z } from "zod";
+import { type Result } from "./docker/result.js";
 import { type AccountTier } from "./environments.js";
 /**
  * Backup Vault Lock modes for an account's DisasterRecovery vault.
@@ -13,6 +14,54 @@ export type VaultLockMode = (typeof VAULT_LOCK_MODES)[number];
  */
 export declare const S3_BPA_MODES: readonly ["enforced", "off"];
 export type S3BpaMode = (typeof S3_BPA_MODES)[number];
+/**
+ * Org-level centralised root-access management mode (ADR
+ * 2026-06-10-centralised-root-access-default-on). Absent ⇒ "centralised"
+ * (default-on); "off" maps to OrgSetupConfig.skipRootAccessManagement at the
+ * adapter boundaries (CLI buildOrgSetupConfig, webapp setup route). The
+ * webapp carries a twin of this pair at
+ * webapp/app/.server/constants/rootAccess.ts.
+ * TODO 2026-06-11, owner: paul — tracked in
+ * aiDocs/plans/tasks/2026-06-11-root-access-p2-t11-org-config-field-fjall.md:
+ * once a published @fjall/util ships this tuple, convert the webapp twin into
+ * a re-export from "@fjall/util/config" (TRAIL_LIFECYCLE_STATES precedent).
+ */
+export declare const ROOT_ACCESS_MANAGEMENT_MODES: readonly ["centralised", "off"];
+export type RootAccessManagementMode = (typeof ROOT_ACCESS_MANAGEMENT_MODES)[number];
+/**
+ * Per-account management-events-trail lifecycle for the organisation-trail
+ * migration. Absent ⇒ legacy per-account trail, auto-eligible for migration
+ * once org-trail delivery is verified. "account" pins the per-account trail
+ * (the explicit reverse path). "draining" removes the trail resource while
+ * retaining its bucket + CMK. "org" is terminal: the organisation trail
+ * covers the account and local storage has been decommissioned.
+ */
+export declare const TRAIL_LIFECYCLE_STATES: readonly ["account", "draining", "org"];
+export type TrailLifecycleState = (typeof TRAIL_LIFECYCLE_STATES)[number];
+/**
+ * Trail names shared between the CDK constructs
+ * (@fjall/components-infrastructure) and the deploy-core org-trail migration —
+ * SDK probes (DescribeTrails) must match what the constructs synthesise.
+ */
+export declare const ACCOUNT_TRAIL_NAME = "managementEvents";
+export declare const ORGANISATION_TRAIL_NAME = "organisationManagementEvents";
+/**
+ * CDK-side trail-state vocabulary (the `fjallAccountTrailState` context
+ * value), shared between the CDK constructs and deploy-core's context
+ * builders. Distinct from TRAIL_LIFECYCLE_STATES: config intent
+ * ("account"/"draining"/"org") maps onto synth behaviour
+ * ("active"/"draining"/"removed").
+ */
+export declare const ACCOUNT_TRAIL_STATES: readonly ["active", "draining", "removed"];
+export type AccountTrailState = (typeof ACCOUNT_TRAIL_STATES)[number];
+/**
+ * Stack output keys (CfnOutput key + exportName) emitted by the Account /
+ * Organisation CDK patterns and read back by the deploy-core org-trail
+ * migration reconciler — both sides must use the same literals.
+ */
+export declare const TRAIL_BUCKET_OUTPUT_KEY = "FjallTrailBucketName";
+export declare const TRAIL_KEY_ARN_OUTPUT_KEY = "FjallTrailKeyArn";
+export declare const ORG_TRAIL_BUCKET_OUTPUT_KEY = "OrganisationTrailBucketName";
 export type ProviderAccount = {
     id: string;
     name: string;
@@ -52,6 +101,17 @@ export type ProviderAccount = {
      * instead). "enforced" sets all four account-level public-access flags true.
      */
     s3BlockPublicAccess?: S3BpaMode;
+    /**
+     * Management-events-trail lifecycle for the org-trail migration. Absent ⇒
+     * legacy per-account trail (auto-eligible); see TRAIL_LIFECYCLE_STATES.
+     */
+    trailLifecycle?: TrailLifecycleState;
+    /**
+     * Explicit acknowledgement that decommissioning the per-account trail
+     * discards its retained log history. Bucket deletion never proceeds without
+     * it — back up the bucket first if the history matters.
+     */
+    acknowledgeTrailHistoryLoss?: boolean;
 };
 export type Profile = {
     type: "sso" | "oidc";
@@ -100,17 +160,50 @@ export type RootConfig = z.infer<typeof RootConfigSchema>;
 export declare class Config {
     rootConfig: RootConfig;
     private configPath;
+    /**
+     * True when the config file was FOUND on disk but could not be read.
+     * saveConfig refuses to write in that state — the in-memory config never
+     * included the real file's contents, so writing would clobber them.
+     */
+    private loadFailed;
+    /**
+     * Top-level keys explicitly cleared this session (clearActiveTarget).
+     * The disk-preserving merge in saveConfig would otherwise resurrect them
+     * from the on-disk copy.
+     */
+    private readonly clearedKeys;
     constructor(rootConfig?: RootConfig, configPath?: string);
     /**
      * Find the config directory by walking up the directory tree.
      * Looks for fjall/fjall-config.json or direct fjall-config.json.
+     * Walks up from `startDir` when provided, otherwise from process.cwd().
      */
     private static findConfigDirectory;
     private static loadConfigFile;
-    static loadConfig(): Config;
+    /**
+     * Load the config, walking up from `startDir` (default process.cwd()).
+     */
+    static loadConfig(startDir?: string): Config;
     private static formatZodError;
-    saveConfig(): void;
-    static getConfigDirectory(): string | null;
+    saveConfig(): Result<void, Error>;
+    /**
+     * Writability is checked at save time, not load time: POSIX rename replaces
+     * a read-only destination whenever the directory is writable, so without
+     * this guard the tmp-plus-rename write would silently replace a chmod-444
+     * config.
+     */
+    private static assertWritable;
+    /**
+     * Disk-preserving merge: re-reads the on-disk config immediately before
+     * writing so sibling top-level keys written by a concurrent process between
+     * this session's load and save survive. In-memory keys win at top-level-key
+     * granularity; keys explicitly cleared this session are removed even when
+     * the disk copy still carries them. Unreadable or invalid disk state falls
+     * back to the in-memory state with a warning rather than blocking the save.
+     */
+    private mergeWithDisk;
+    private static readDiskConfigForMerge;
+    static getConfigDirectory(startDir?: string): string | null;
     getActiveTarget(): string | undefined;
     setActiveTarget(name: string): void;
     clearActiveTarget(): void;

package/dist/Config.js

@@ -1 +1 @@
-import*as r from"fs";import*as s from"path";import{z as e}from"zod";import{logger as g}from"./logger.js";const l=10,h=["compliance","governance","none"],p=["enforced","off"],m=e.object({name:e.string(),type:e.enum(["apex","delegated"]),parentDomain:e.string().optional(),account:e.string().optional()}).strict(),d=e.object({activeTarget:e.string().optional(),domains:e.array(m).optional()}).strict();class a{rootConfig;configPath=null;constructor(o,t){this.rootConfig=o??{},this.configPath=t??null}static findConfigDirectory(){let o=process.cwd();for(let t=0;t<l;t++){const n=s.join(o,"fjall"),i=s.join(n,"fjall-config.json");if(r.existsSync(i))return n;const c=s.join(o,"fjall-config.json");if(r.existsSync(c))return o;const f=s.dirname(o);if(f===o)break;o=f}return null}static loadConfigFile(o){try{return r.accessSync(o,r.constants.R_OK|r.constants.W_OK),r.readFileSync(o,{encoding:"utf8"})}catch(t){return g.debug("Config","Config file not accessible",{file:o,error:t instanceof Error?t.message:String(t)}),null}}static loadConfig(){const o=a.findConfigDirectory();if(!o)return new a;const t=s.join(o,"fjall-config.json"),n=a.loadConfigFile(t);let i;if(n)try{i=d.parse(JSON.parse(n))}catch(c){throw a.formatZodError(c,"fjall-config.json")}return new a(i,t)}static formatZodError(o,t){if(o instanceof e.ZodError&&o.issues.length>0){const c=o.issues.map(f=>`${f.path.join(".")}: ${f.message}`).join("; ");return new Error(`Failed to parse ${t}: ${c}`)}const i=(o instanceof Error?o.message:String(o)).replace(/\n/g," ").substring(0,500);return new Error(`Failed to parse ${t}: ${i}`)}saveConfig(){let o=this.configPath;if(!o){const c=a.findConfigDirectory()||s.join(process.cwd(),"fjall");o=s.join(c,"fjall-config.json")}const t=s.dirname(o);r.mkdirSync(t,{recursive:!0});const n=JSON.stringify(this.rootConfig,null,2),i=`${o}.tmp`;r.writeFileSync(i,n,{mode:384}),r.renameSync(i,o)}static getConfigDirectory(){return a.findConfigDirectory()}getActiveTarget(){return this.rootConfig.activeTarget}setActiveTarget(o){this.rootConfig.activeTarget=o}clearActiveTarget(){this.rootConfig.activeTarget=void 0}getDomains(){return this.rootConfig.domains??[]}setDomains(o){this.rootConfig.domains=o}addDomain(o){this.rootConfig.domains||(this.rootConfig.domains=[]),this.rootConfig.domains.push(o)}getDomain(o){return this.rootConfig.domains?.find(t=>t.name.toLowerCase()===o.toLowerCase())}removeDomain(o){if(!this.rootConfig.domains)return!1;const t=this.rootConfig.domains.findIndex(n=>n.name.toLowerCase()===o.toLowerCase());return t===-1?!1:(this.rootConfig.domains.splice(t,1),!0)}}export{a as Config,d as RootConfigSchema,p as S3_BPA_MODES,h as VAULT_LOCK_MODES};
+import*as i from"fs";import*as f from"path";import{z as c}from"zod";import{failure as d,success as C}from"./docker/result.js";import{getErrorMessage as g}from"./errorUtils.js";import{logger as u}from"./logger.js";import{maskSensitiveOutput as l}from"./securityHelpers.js";const y=10,D=["compliance","governance","none"],_=["enforced","off"],$=["centralised","off"],x=["account","draining","org"],F="managementEvents",K="organisationManagementEvents",M=["active","draining","removed"],R="FjallTrailBucketName",b="FjallTrailKeyArn",k="OrganisationTrailBucketName",T=c.object({name:c.string(),type:c.enum(["apex","delegated"]),parentDomain:c.string().optional(),account:c.string().optional()}).strict(),m=c.object({activeTarget:c.string().optional(),domains:c.array(T).optional()}).strict(),w=m.keyof().options;function E(h,e,t){const n=e[t];n!==void 0&&(h[t]=n)}class s{rootConfig;configPath=null;loadFailed=!1;clearedKeys=new Set;constructor(e,t){this.rootConfig=e??{},this.configPath=t??null}static findConfigDirectory(e){let t=e!==void 0&&e!==""?e:process.cwd();for(let n=0;n<y;n++){const o=f.join(t,"fjall"),a=f.join(o,"fjall-config.json");if(i.existsSync(a))return o;const r=f.join(t,"fjall-config.json");if(i.existsSync(r))return t;const p=f.dirname(t);if(p===t)break;t=p}return null}static loadConfigFile(e){try{return i.accessSync(e,i.constants.R_OK),i.readFileSync(e,{encoding:"utf8"})}catch(t){return u.warn("Config",`Config file at ${e} could not be read; using defaults`,{file:e,error:l(g(t))}),null}}static loadConfig(e){const t=s.findConfigDirectory(e);if(!t)return new s;const n=f.join(t,"fjall-config.json"),o=s.loadConfigFile(n);if(o===null){const r=new s(void 0,n);return r.loadFailed=!0,r}let a;if(o!=="")try{a=m.parse(JSON.parse(o))}catch(r){throw s.formatZodError(r,"fjall-config.json")}return new s(a,n)}static formatZodError(e,t){if(e instanceof c.ZodError&&e.issues.length>0){const a=e.issues.map(r=>`${r.path.join(".")}: ${r.message}`).join("; ");return new Error(`Failed to parse ${t}: ${a}`)}const o=(e instanceof Error?e.message:String(e)).replace(/\n/g," ").substring(0,500);return new Error(`Failed to parse ${t}: ${o}`)}saveConfig(){let e=this.configPath;if(!e){const r=s.findConfigDirectory()||f.join(process.cwd(),"fjall");e=f.join(r,"fjall-config.json")}if(this.loadFailed)return d(new Error(`Refusing to save ${e}: the file exists but could not be read when this config loaded, so saving would replace its contents with state that never included them. Fix the file permissions (e.g. chmod u+rw ${e}) and retry.`));const t=f.dirname(e);try{i.mkdirSync(t,{recursive:!0})}catch(r){return d(new Error(`Cannot create config directory ${t}: ${l(g(r))}`))}const n=s.assertWritable(e,t);if(!n.success)return n;const o=JSON.stringify(this.mergeWithDisk(e),null,2),a=`${e}.tmp-${process.pid}`;try{i.writeFileSync(a,o,{mode:384}),i.renameSync(a,e)}catch(r){return d(new Error(`Failed to save ${e}: ${l(g(r))}`))}return C(void 0)}static assertWritable(e,t){if(i.existsSync(e))try{i.accessSync(e,i.constants.W_OK)}catch{return d(new Error(`Cannot save ${e}: the file is read-only. Make it writable (e.g. chmod u+w ${e}) and retry.`))}try{i.accessSync(t,i.constants.W_OK)}catch{return d(new Error(`Cannot save ${e}: the directory ${t} is not writable. Make it writable (e.g. chmod u+w ${t}) and retry.`))}return C(void 0)}mergeWithDisk(e){const t=s.readDiskConfigForMerge(e);if(t===void 0)return this.rootConfig;const n={...t};for(const o of w)E(n,this.rootConfig,o);for(const o of this.clearedKeys)delete n[o];return n}static readDiskConfigForMerge(e){if(!i.existsSync(e))return;let t;try{t=JSON.parse(i.readFileSync(e,{encoding:"utf8"}))}catch(o){u.warn("Config",`Could not re-read ${e} before saving; writing in-memory state without merging`,{file:e,error:l(g(o))});return}const n=m.safeParse(t);if(!n.success){u.warn("Config",`On-disk ${e} failed validation before saving; writing in-memory state without merging`,{file:e,error:l(n.error.message)});return}return n.data}static getConfigDirectory(e){return s.findConfigDirectory(e)}getActiveTarget(){return this.rootConfig.activeTarget}setActiveTarget(e){this.rootConfig.activeTarget=e,this.clearedKeys.delete("activeTarget")}clearActiveTarget(){this.rootConfig.activeTarget=void 0,this.clearedKeys.add("activeTarget")}getDomains(){return this.rootConfig.domains??[]}setDomains(e){this.rootConfig.domains=e}addDomain(e){this.rootConfig.domains||(this.rootConfig.domains=[]),this.rootConfig.domains.push(e)}getDomain(e){return this.rootConfig.domains?.find(t=>t.name.toLowerCase()===e.toLowerCase())}removeDomain(e){if(!this.rootConfig.domains)return!1;const t=this.rootConfig.domains.findIndex(n=>n.name.toLowerCase()===e.toLowerCase());return t===-1?!1:(this.rootConfig.domains.splice(t,1),!0)}}export{F as ACCOUNT_TRAIL_NAME,M as ACCOUNT_TRAIL_STATES,s as Config,K as ORGANISATION_TRAIL_NAME,k as ORG_TRAIL_BUCKET_OUTPUT_KEY,$ as ROOT_ACCESS_MANAGEMENT_MODES,m as RootConfigSchema,_ as S3_BPA_MODES,R as TRAIL_BUCKET_OUTPUT_KEY,b as TRAIL_KEY_ARN_OUTPUT_KEY,x as TRAIL_LIFECYCLE_STATES,D as VAULT_LOCK_MODES};

package/dist/aws/index.d.ts

@@ -1,3 +1,6 @@
 export { AWSError, NoRolesFoundError, InvalidCredentialsError, SSOTokenExpiredError, MissingRegionError, ProfileNotFoundError, CommandError, isAWSError, isNoRolesFoundError, isSSOUnauthorizedError } from "./errors.js";
 export { STACK_NOT_FOUND_PATTERN, CDK_NO_STACKS_MATCH, type ResourceEvent, isResourceEvent } from "./cloudformationTypes.js";
 export { CloudFormationFailureAnalyser, type RootCause, type FailureAnalysis } from "./CloudFormationFailureAnalyser.js";
+export { IPAM_OPERATIONS_POOL_TAG_KEY, formatIpamPairTagValue } from "./ipamTags.js";
+export { SDK_PRE_EMPTY_TAG_KEY } from "./infraTags.js";
+export { ACCOUNT_MONITORING_ROLE_NAME } from "./monitoringRole.js";

package/dist/aws/index.js

@@ -1 +1 @@
-import{AWSError as e,NoRolesFoundError as i,InvalidCredentialsError as n,SSOTokenExpiredError as E,MissingRegionError as s,ProfileNotFoundError as d,CommandError as S,isAWSError as l,isNoRolesFoundError as t,isSSOUnauthorizedError as a}from"./errors.js";import{STACK_NOT_FOUND_PATTERN as A,CDK_NO_STACKS_MATCH as C,isResourceEvent as N}from"./cloudformationTypes.js";import{CloudFormationFailureAnalyser as m}from"./CloudFormationFailureAnalyser.js";export{e as AWSError,C as CDK_NO_STACKS_MATCH,m as CloudFormationFailureAnalyser,S as CommandError,n as InvalidCredentialsError,s as MissingRegionError,i as NoRolesFoundError,d as ProfileNotFoundError,E as SSOTokenExpiredError,A as STACK_NOT_FOUND_PATTERN,l as isAWSError,t as isNoRolesFoundError,N as isResourceEvent,a as isSSOUnauthorizedError};
+import{AWSError as e,NoRolesFoundError as E,InvalidCredentialsError as _,SSOTokenExpiredError as i,MissingRegionError as T,ProfileNotFoundError as n,CommandError as A,isAWSError as O,isNoRolesFoundError as a,isSSOUnauthorizedError as t}from"./errors.js";import{STACK_NOT_FOUND_PATTERN as m,CDK_NO_STACKS_MATCH as s,isResourceEvent as S}from"./cloudformationTypes.js";import{CloudFormationFailureAnalyser as l}from"./CloudFormationFailureAnalyser.js";import{IPAM_OPERATIONS_POOL_TAG_KEY as R,formatIpamPairTagValue as f}from"./ipamTags.js";import{SDK_PRE_EMPTY_TAG_KEY as u}from"./infraTags.js";import{ACCOUNT_MONITORING_ROLE_NAME as x}from"./monitoringRole.js";export{x as ACCOUNT_MONITORING_ROLE_NAME,e as AWSError,s as CDK_NO_STACKS_MATCH,l as CloudFormationFailureAnalyser,A as CommandError,R as IPAM_OPERATIONS_POOL_TAG_KEY,_ as InvalidCredentialsError,T as MissingRegionError,E as NoRolesFoundError,n as ProfileNotFoundError,u as SDK_PRE_EMPTY_TAG_KEY,i as SSOTokenExpiredError,m as STACK_NOT_FOUND_PATTERN,f as formatIpamPairTagValue,O as isAWSError,a as isNoRolesFoundError,S as isResourceEvent,t as isSSOUnauthorizedError};

package/dist/aws/infraTags.d.ts

@@ -0,0 +1,18 @@
+/**
+ * The SDK pre-empty marker tag, shared by producer and consumer:
+ *
+ * - Producer (`@fjall/components-infrastructure`): the `S3Bucket` wrapper
+ *   (`storage/s3.ts`) tags every DESTROY-policy bucket so destroy paths
+ *   know it is safe to SDK-empty before CloudFormation delete (Phase 3
+ *   autoDeleteObjects retirement).
+ * - Consumer (`@fjall/deploy-core`): `stackCleanup/bucketOps.ts` includes
+ *   the key in `PRE_EMPTY_TAG_KEYS` — presence with value "true" opts a
+ *   stack bucket into the pre-empty pass; a bucket carrying no pre-empty
+ *   tag (Retain) is never touched.
+ *
+ * The literal is deployed infrastructure state — already-tagged buckets
+ * would silently lose pre-empty coverage (and so re-expose the quarantine
+ * window) on any rename. The pin test in `__tests__/infraTags.test.ts`
+ * guards against casual renames.
+ */
+export declare const SDK_PRE_EMPTY_TAG_KEY = "fjall:sdk-pre-empty";

package/dist/aws/infraTags.js

@@ -0,0 +1 @@
+const _="fjall:sdk-pre-empty";export{_ as SDK_PRE_EMPTY_TAG_KEY};

package/dist/aws/ipamTags.d.ts

@@ -0,0 +1,15 @@
+/**
+ * The IPAM operations-pool pair tag, shared by producer and consumer:
+ *
+ * - Producer (`@fjall/components-infrastructure`): `ipamPool.ts` tags each
+ *   account-scoped IPAM pool, and `standardTagsAspect.ts` tags each
+ *   IPAM-allocated VPC, with `formatIpamPairTagValue(accountId, region)`.
+ * - Consumer (`@fjall/deploy-core`): `targetReadiness.ts` matches the
+ *   owner-side pool for a deploy target by the same key + value.
+ *
+ * The literal shapes are deployed infrastructure state — changing either
+ * orphans every already-tagged pool and VPC. The pin test in
+ * `__tests__/ipamTags.test.ts` guards against casual renames.
+ */
+export declare const IPAM_OPERATIONS_POOL_TAG_KEY = "fjall:operations:pool";
+export declare function formatIpamPairTagValue(accountId: string, region: string): string;

package/dist/aws/ipamTags.js

@@ -0,0 +1 @@
+const r="fjall:operations:pool";function t(o,a){return`${o}-${a}`}export{r as IPAM_OPERATIONS_POOL_TAG_KEY,t as formatIpamPairTagValue};

package/dist/aws/monitoringRole.d.ts

@@ -0,0 +1,18 @@
+/**
+ * The fixed-name cross-account monitoring role, shared by producer and
+ * consumer:
+ *
+ * - Producer (`@fjall/components-infrastructure`): `AccountMonitoringRole`
+ *   (`config/aws/accountMonitoringRole.ts`) creates the role under this
+ *   name — the only resource the account-globals branch creates
+ *   unconditionally (`patterns/aws/account.ts`).
+ * - Consumer (`@fjall/deploy-core`): `accountGlobals.ts` probes the role by
+ *   name (IAM GetRole) — its presence IS "account globals deployed", the
+ *   prerequisite for a non-primary-region deploy.
+ *
+ * The literal is deployed infrastructure state — the platform assumes this
+ * exact name in every connected account, so a rename strands existing
+ * estates. The pin test in `__tests__/monitoringRole.test.ts` guards
+ * against casual renames.
+ */
+export declare const ACCOUNT_MONITORING_ROLE_NAME = "FjallMonitoring";

package/dist/aws/monitoringRole.js

@@ -0,0 +1 @@
+const o="FjallMonitoring";export{o as ACCOUNT_MONITORING_ROLE_NAME};

package/dist/backupVault.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Fixed name of the disaster-recovery backup vault. Single source of truth for
+ * the @fjall/components-infrastructure DisasterRecovery construct (which
+ * creates the vault under this name) and deploy-core's adopt-vs-create and
+ * survival probes (which look it up by the same name).
+ */
+export declare const BACKUP_VAULT_NAME = "backupVault";

package/dist/backupVault.js

@@ -0,0 +1 @@
+const t="backupVault";export{t as BACKUP_VAULT_NAME};

package/dist/connectionsWire.d.ts

@@ -0,0 +1,30 @@
+/**
+ * Wire contract for `GET /api/connections/list` — the single shared shape
+ * between the webapp producer (`webapp/app/routes/api/connections/list.ts`)
+ * and the CLI consumer (`FjallApiClient.getConnectedAccounts`). Neither side
+ * may redeclare this record: the producer conforms at compile time via
+ * `satisfies ConnectionWire`, the consumer parses with `safeParse`.
+ */
+import { z } from "zod";
+export declare const ConnectionWireSchema: z.ZodObject<{
+    awsAccountId: z.ZodString;
+    accountName: z.ZodNullable<z.ZodString>;
+    status: z.ZodString;
+    role: z.ZodString;
+    roleArn: z.ZodString;
+    environment: z.ZodOptional<z.ZodString>;
+    connectedAt: z.ZodString;
+}, z.core.$strip>;
+export type ConnectionWire = z.infer<typeof ConnectionWireSchema>;
+export declare const ConnectionsListResponseSchema: z.ZodObject<{
+    accounts: z.ZodArray<z.ZodObject<{
+        awsAccountId: z.ZodString;
+        accountName: z.ZodNullable<z.ZodString>;
+        status: z.ZodString;
+        role: z.ZodString;
+        roleArn: z.ZodString;
+        environment: z.ZodOptional<z.ZodString>;
+        connectedAt: z.ZodString;
+    }, z.core.$strip>>;
+}, z.core.$strip>;
+export type ConnectionsListResponse = z.infer<typeof ConnectionsListResponseSchema>;

package/dist/connectionsWire.js

@@ -0,0 +1 @@
+import{z as n}from"zod";const t=n.object({awsAccountId:n.string(),accountName:n.string().nullable(),status:n.string(),role:n.string(),roleArn:n.string(),environment:n.string().optional(),connectedAt:n.string()}),e=n.object({accounts:n.array(t)});export{t as ConnectionWireSchema,e as ConnectionsListResponseSchema};

package/dist/environments.d.ts

@@ -2,8 +2,9 @@
  * Environment + account-axis constants shared across CLI, webapp, and
  * deploy-core. Two independent axes live here: the workload STAGE
  * ([[ACCOUNT_STAGES]]) and the structural TIER ([[ACCOUNT_TIERS]]). "root" is
- * NOT a stage — it is the management-account TIER, derived from
- * role === "organisation" and never user-selectable.
+ * NOT a stage and NOT a tier — it is the wire environment marker that decodes
+ * to tier "organisation" via [[environmentToTier]], and is never
+ * user-selectable.
  */
 import { z } from "zod";
 export declare const ACCOUNT_STAGES: readonly ["production", "staging", "development", "platform", "compliance"];
@@ -27,8 +28,12 @@ export declare const STRUCTURAL_ENVIRONMENTS: {
  * GET→PUT round-trip accept this superset, then decode "root" → null at
  * PERSISTENCE via [[stageFromWireEnvironment]] (the DB never stores structural
  * root). NOT a user-facing picker vocabulary — pickers use ACCOUNT_STAGES.
- * Retained through the old-CLI drain; wire-rejection of "root" is deferred to a
- * future follow-up. See decisions/2026-06-07-account-tier-vs-stage-separation.md.
+ * PERMANENT ingest vocabulary, not a drain-gated shim: the separate-root
+ * connect deliberately carries environment:"root" as its intent marker
+ * (solo-to-org lifecycle ADR, decision 7), so wire-rejection of "root" is
+ * unreachable; only derived-EMIT of "root" retires, per-org, behind the CLI
+ * telemetry gate. See decisions/2026-06-07-account-tier-vs-stage-separation.md
+ * § "Wire back-compat (permanent, not transitional)".
  */
 export declare const ACCOUNT_STAGES_WITH_ROOT: readonly ["production", "staging", "development", "platform", "compliance", "root"];
 export type AccountStageWithRoot = (typeof ACCOUNT_STAGES_WITH_ROOT)[number];
@@ -37,8 +42,9 @@ export declare function getEnvironmentLabel(env: string): string;
 /**
  * Structural TIER axis: an account's role in the organisation. Independent of
  * the workload STAGE axis ([[ACCOUNT_STAGES]]) — a tier is never derived from a
- * stage and vice versa. Same literals as [[ACCOUNT_ROLES]], which `satisfies`
- * this type so the two cannot drift.
+ * stage and vice versa. Same literals as [[ACCOUNT_ROLES]]: its `satisfies`
+ * clause rejects non-tier values, and [[ACCOUNT_ROLE_TIER_PRESENCE]] rejects a
+ * missing or duplicated tier, so the two cannot drift.
  */
 export declare const ACCOUNT_TIERS: readonly ["organisation", "platform", "account"];
 export type AccountTier = (typeof ACCOUNT_TIERS)[number];
@@ -47,8 +53,6 @@ export declare const AccountTierSchema: z.ZodEnum<{
     organisation: "organisation";
     account: "account";
 }>;
-/** Type guard: checks whether a string is a valid account tier. */
-export declare function isAccountTier(value: string): value is AccountTier;
 /**
  * AWS account roles in the wire format used across the CLI, webapp API
  * responses, and the Prisma `AccountRole` enum. This is the SINGLE SOURCE
@@ -69,6 +73,8 @@ export declare const ACCOUNT_ROLES: {
     readonly PLATFORM: "platform";
     readonly ACCOUNT: "account";
 };
+/** Type guard: checks whether a string is a valid account tier. */
+export declare function isAccountTier(value: string): value is AccountTier;
 /**
  * Decode an inbound wire `environment` to its structural TIER. The wire stays
  * superset-tolerant: out-of-version CLIs and the post-`fjall create org`

package/dist/environments.js

@@ -1 +1 @@
-import{z as c}from"zod";const r=["production","staging","development","platform","compliance"],i={production:"Production",staging:"Staging",development:"Development",platform:"Platform",compliance:"Compliance"},T=new Set(r);function n(t){return T.has(t)}const o={ROOT:"root",PLATFORM:"platform"},O=[...r,o.ROOT];function A(t){return n(t)?i[t]:t.charAt(0).toUpperCase()+t.slice(1)}const e=["organisation","platform","account"],l=c.enum(e),a=new Set(e);function s(t){return a.has(t)}const C={ORGANISATION:"organisation",PLATFORM:"platform",ACCOUNT:"account"};function p(t){return t===o.ROOT?"organisation":t===o.PLATFORM?"platform":"account"}function S(t){return t==null||t===""||t===o.ROOT?null:n(t)?t:null}function f(t){return t.tier??p(t.environment)}export{C as ACCOUNT_ROLES,r as ACCOUNT_STAGES,O as ACCOUNT_STAGES_WITH_ROOT,i as ACCOUNT_STAGE_LABELS,e as ACCOUNT_TIERS,l as AccountTierSchema,o as STRUCTURAL_ENVIRONMENTS,f as accountTier,p as environmentToTier,A as getEnvironmentLabel,n as isAccountStage,s as isAccountTier,S as stageFromWireEnvironment};
+import{z as c}from"zod";const n=["production","staging","development","platform","compliance"],T={production:"Production",staging:"Staging",development:"Development",platform:"Platform",compliance:"Compliance"},i=new Set(n);function e(t){return i.has(t)}const o={ROOT:"root",PLATFORM:"platform"},C=[...n,o.ROOT];function s(t){return e(t)?T[t]:t.charAt(0).toUpperCase()+t.slice(1)}const u=["organisation","platform","account"],l=c.enum(u),r={ORGANISATION:"organisation",PLATFORM:"platform",ACCOUNT:"account"},O={[r.ORGANISATION]:!0,[r.PLATFORM]:!0,[r.ACCOUNT]:!0},a=new Set(Object.keys(O));function S(t){return a.has(t)}function p(t){return t===o.ROOT?"organisation":t===o.PLATFORM?"platform":"account"}function R(t){return t==null||t===""||t===o.ROOT?null:e(t)?t:null}function E(t){return t.tier??p(t.environment)}export{r as ACCOUNT_ROLES,n as ACCOUNT_STAGES,C as ACCOUNT_STAGES_WITH_ROOT,T as ACCOUNT_STAGE_LABELS,u as ACCOUNT_TIERS,l as AccountTierSchema,o as STRUCTURAL_ENVIRONMENTS,E as accountTier,p as environmentToTier,s as getEnvironmentLabel,e as isAccountStage,S as isAccountTier,R as stageFromWireEnvironment};

package/dist/index.d.ts

@@ -1,4 +1,5 @@
 export { DNS_APEX, getDomainExportNames, type ManagedDomainExports } from "./domainExports.js";
+export { BACKUP_VAULT_NAME } from "./backupVault.js";
 export { toPascalCase, toKebab, toValidDatabaseName, toScreamingSnake, capitalise, getSafeZoneName, accountConstructKey, hasAsciiStableConstructKey } from "./caseConversion.js";
 export { findAccountNameCollision, type AccountNameCollision } from "./accountNameCollision.js";
 export { normaliseError, getErrorMessage, hasErrorCode, getErrorCode, getErrorStack, formatErrorString } from "./errorUtils.js";
@@ -9,9 +10,10 @@ export { mapSettledWithConcurrency } from "./concurrency.js";
 export { ACCOUNT_STAGES_WITH_ROOT, STRUCTURAL_ENVIRONMENTS, ACCOUNT_STAGES, ACCOUNT_STAGE_LABELS, isAccountStage, ACCOUNT_TIERS, type AccountTier, AccountTierSchema, isAccountTier, environmentToTier, stageFromWireEnvironment, accountTier, type AccountStageWithRoot, type AccountStage, getEnvironmentLabel, ACCOUNT_ROLES } from "./environments.js";
 export { RESOURCE_CATEGORIES, type ResourceCategory, categoriseResource, getExpectedDuration, getFriendlyResourceType } from "./resourceCategorisation.js";
 export { parseGitRemoteUrl, type GitProvider, type ParsedGitRemote } from "./gitRemoteParser.js";
-export { abbreviateRegion } from "./regions.js";
+export { abbreviateRegion, AWS_REGIONS_METADATA, DEFAULT_REGION, getRegionInfo, MAX_SECONDARY_REGIONS, regions, suggestRegionForTimezone, type RegionCode, type RegionInfo } from "./regions.js";
 export { SCOPE_VALUES, type TokenScope } from "./tokenScopes.js";
-export { deriveRegionsFromOrgConfig, deriveTargets, deriveAllTargets, findTarget, generateTargetName, type OrgConfigRegions, type TargetAccount, type DerivedTarget } from "./targets.js";
+export { ConnectionWireSchema, type ConnectionWire, ConnectionsListResponseSchema, type ConnectionsListResponse } from "./connectionsWire.js";
+export { deriveRegionsFromOrgConfig, deriveTargets, deriveAllTargets, environmentOrTier, findTarget, generateTargetName, type OrgConfigRegions, type TargetAccount, type DerivedTarget } from "./targets.js";
 export { buildAppConfigPath } from "./appPath.js";
 export { type ScanPath } from "./scanTypes.js";
 export { findInfrastructurePaths, findBoundaryPath, isInfrastructureFile, type MarkerEntry, type FindInfrastructurePathsOptions } from "./findInfrastructurePaths.js";

package/dist/index.js

@@ -1 +1 @@
-import{DNS_APEX as o,getDomainExportNames as t}from"./domainExports.js";import{toPascalCase as a,toKebab as n,toValidDatabaseName as i,toScreamingSnake as S,capitalise as _,getSafeZoneName as m,accountConstructKey as s,hasAsciiStableConstructKey as A}from"./caseConversion.js";import{findAccountNameCollision as T}from"./accountNameCollision.js";import{normaliseError as N,getErrorMessage as f,hasErrorCode as R,getErrorCode as c,getErrorStack as g,formatErrorString as O}from"./errorUtils.js";import{singleton as I}from"./singleton.js";import{DANGEROUS_ENV_VARS as l,filterDangerousEnvVars as d,maskSensitiveOutput as P,parseShellArgs as M}from"./securityHelpers.js";import{sleep as D}from"./sleep.js";import{mapSettledWithConcurrency as v}from"./concurrency.js";import{ACCOUNT_STAGES_WITH_ROOT as h,STRUCTURAL_ENVIRONMENTS as G,ACCOUNT_STAGES as b,ACCOUNT_STAGE_LABELS as L,isAccountStage as y,ACCOUNT_TIERS as F,AccountTierSchema as K,isAccountTier as X,environmentToTier as W,stageFromWireEnvironment as k,accountTier as B,getEnvironmentLabel as Z,ACCOUNT_ROLES as j}from"./environments.js";import{RESOURCE_CATEGORIES as w,categoriseResource as z,getExpectedDuration as J,getFriendlyResourceType as Q}from"./resourceCategorisation.js";import{parseGitRemoteUrl as $}from"./gitRemoteParser.js";import{abbreviateRegion as re}from"./regions.js";import{SCOPE_VALUES as te}from"./tokenScopes.js";import{deriveRegionsFromOrgConfig as ae,deriveTargets as ne,deriveAllTargets as ie,findTarget as Se,generateTargetName as _e}from"./targets.js";import{buildAppConfigPath as se}from"./appPath.js";import{findInfrastructurePaths as Ce,findBoundaryPath as Te,isInfrastructureFile as pe}from"./findInfrastructurePaths.js";import{inferContainerFromCandidates as fe}from"./inferContainerFromCandidates.js";import{RESERVED_APP_NAMES as ce,isReservedAppName as ge}from"./reservedAppNames.js";import{deriveContentHashTag as xe}from"./deriveContentHashTag.js";import{MIGRATION_SNAPSHOT_NAME_PREFIX as ue,EXPECTED_SCHEMA_VERSION_ENV as le,EXPECTED_SCHEMA_VERSION_TOOL_ENV as de,EXPECTED_CH_SCHEMA_VERSION_ENV as Pe,SCHEMA_ADMIN_USER_ENV as Me,SCHEMA_ADMIN_PASSWORD_ENV as Ve,PRISMA_MIGRATION_DIR_RE as De,CLICKHOUSE_MIGRATION_SKIP_RE as Ue}from"./migration/constants.js";export{j as ACCOUNT_ROLES,b as ACCOUNT_STAGES,h as ACCOUNT_STAGES_WITH_ROOT,L as ACCOUNT_STAGE_LABELS,F as ACCOUNT_TIERS,K as AccountTierSchema,Ue as CLICKHOUSE_MIGRATION_SKIP_RE,l as DANGEROUS_ENV_VARS,o as DNS_APEX,Pe as EXPECTED_CH_SCHEMA_VERSION_ENV,le as EXPECTED_SCHEMA_VERSION_ENV,de as EXPECTED_SCHEMA_VERSION_TOOL_ENV,ue as MIGRATION_SNAPSHOT_NAME_PREFIX,De as PRISMA_MIGRATION_DIR_RE,ce as RESERVED_APP_NAMES,w as RESOURCE_CATEGORIES,Ve as SCHEMA_ADMIN_PASSWORD_ENV,Me as SCHEMA_ADMIN_USER_ENV,te as SCOPE_VALUES,G as STRUCTURAL_ENVIRONMENTS,re as abbreviateRegion,s as accountConstructKey,B as accountTier,se as buildAppConfigPath,_ as capitalise,z as categoriseResource,ie as deriveAllTargets,xe as deriveContentHashTag,ae as deriveRegionsFromOrgConfig,ne as deriveTargets,W as environmentToTier,d as filterDangerousEnvVars,T as findAccountNameCollision,Te as findBoundaryPath,Ce as findInfrastructurePaths,Se as findTarget,O as formatErrorString,_e as generateTargetName,t as getDomainExportNames,Z as getEnvironmentLabel,c as getErrorCode,f as getErrorMessage,g as getErrorStack,J as getExpectedDuration,Q as getFriendlyResourceType,m as getSafeZoneName,A as hasAsciiStableConstructKey,R as hasErrorCode,fe as inferContainerFromCandidates,y as isAccountStage,X as isAccountTier,pe as isInfrastructureFile,ge as isReservedAppName,v as mapSettledWithConcurrency,P as maskSensitiveOutput,N as normaliseError,$ as parseGitRemoteUrl,M as parseShellArgs,I as singleton,D as sleep,k as stageFromWireEnvironment,n as toKebab,a as toPascalCase,S as toScreamingSnake,i as toValidDatabaseName};
+import{DNS_APEX as o,getDomainExportNames as t}from"./domainExports.js";import{BACKUP_VAULT_NAME as n}from"./backupVault.js";import{toPascalCase as i,toKebab as S,toValidDatabaseName as A,toScreamingSnake as _,capitalise as s,getSafeZoneName as m,accountConstructKey as C,hasAsciiStableConstructKey as T}from"./caseConversion.js";import{findAccountNameCollision as N}from"./accountNameCollision.js";import{normaliseError as f,getErrorMessage as g,hasErrorCode as c,getErrorCode as O,getErrorStack as I,formatErrorString as x}from"./errorUtils.js";import{singleton as l}from"./singleton.js";import{DANGEROUS_ENV_VARS as M,filterDangerousEnvVars as D,maskSensitiveOutput as P,parseShellArgs as U}from"./securityHelpers.js";import{sleep as v}from"./sleep.js";import{mapSettledWithConcurrency as h}from"./concurrency.js";import{ACCOUNT_STAGES_WITH_ROOT as H,STRUCTURAL_ENVIRONMENTS as b,ACCOUNT_STAGES as F,ACCOUNT_STAGE_LABELS as y,isAccountStage as K,ACCOUNT_TIERS as W,AccountTierSchema as X,isAccountTier as k,environmentToTier as B,stageFromWireEnvironment as z,accountTier as Y,getEnvironmentLabel as Z,ACCOUNT_ROLES as j}from"./environments.js";import{RESOURCE_CATEGORIES as w,categoriseResource as J,getExpectedDuration as Q,getFriendlyResourceType as $}from"./resourceCategorisation.js";import{parseGitRemoteUrl as re}from"./gitRemoteParser.js";import{abbreviateRegion as te,AWS_REGIONS_METADATA as Ee,DEFAULT_REGION as ne,getRegionInfo as ae,MAX_SECONDARY_REGIONS as ie,regions as Se,suggestRegionForTimezone as Ae}from"./regions.js";import{SCOPE_VALUES as se}from"./tokenScopes.js";import{ConnectionWireSchema as Ce,ConnectionsListResponseSchema as Te}from"./connectionsWire.js";import{deriveRegionsFromOrgConfig as Ne,deriveTargets as pe,deriveAllTargets as fe,environmentOrTier as ge,findTarget as ce,generateTargetName as Oe}from"./targets.js";import{buildAppConfigPath as xe}from"./appPath.js";import{findInfrastructurePaths as le,findBoundaryPath as de,isInfrastructureFile as Me}from"./findInfrastructurePaths.js";import{inferContainerFromCandidates as Pe}from"./inferContainerFromCandidates.js";import{RESERVED_APP_NAMES as Ve,isReservedAppName as ve}from"./reservedAppNames.js";import{deriveContentHashTag as he}from"./deriveContentHashTag.js";import{MIGRATION_SNAPSHOT_NAME_PREFIX as He,EXPECTED_SCHEMA_VERSION_ENV as be,EXPECTED_SCHEMA_VERSION_TOOL_ENV as Fe,EXPECTED_CH_SCHEMA_VERSION_ENV as ye,SCHEMA_ADMIN_USER_ENV as Ke,SCHEMA_ADMIN_PASSWORD_ENV as We,PRISMA_MIGRATION_DIR_RE as Xe,CLICKHOUSE_MIGRATION_SKIP_RE as ke}from"./migration/constants.js";export{j as ACCOUNT_ROLES,F as ACCOUNT_STAGES,H as ACCOUNT_STAGES_WITH_ROOT,y as ACCOUNT_STAGE_LABELS,W as ACCOUNT_TIERS,Ee as AWS_REGIONS_METADATA,X as AccountTierSchema,n as BACKUP_VAULT_NAME,ke as CLICKHOUSE_MIGRATION_SKIP_RE,Ce as ConnectionWireSchema,Te as ConnectionsListResponseSchema,M as DANGEROUS_ENV_VARS,ne as DEFAULT_REGION,o as DNS_APEX,ye as EXPECTED_CH_SCHEMA_VERSION_ENV,be as EXPECTED_SCHEMA_VERSION_ENV,Fe as EXPECTED_SCHEMA_VERSION_TOOL_ENV,ie as MAX_SECONDARY_REGIONS,He as MIGRATION_SNAPSHOT_NAME_PREFIX,Xe as PRISMA_MIGRATION_DIR_RE,Ve as RESERVED_APP_NAMES,w as RESOURCE_CATEGORIES,We as SCHEMA_ADMIN_PASSWORD_ENV,Ke as SCHEMA_ADMIN_USER_ENV,se as SCOPE_VALUES,b as STRUCTURAL_ENVIRONMENTS,te as abbreviateRegion,C as accountConstructKey,Y as accountTier,xe as buildAppConfigPath,s as capitalise,J as categoriseResource,fe as deriveAllTargets,he as deriveContentHashTag,Ne as deriveRegionsFromOrgConfig,pe as deriveTargets,ge as environmentOrTier,B as environmentToTier,D as filterDangerousEnvVars,N as findAccountNameCollision,de as findBoundaryPath,le as findInfrastructurePaths,ce as findTarget,x as formatErrorString,Oe as generateTargetName,t as getDomainExportNames,Z as getEnvironmentLabel,O as getErrorCode,g as getErrorMessage,I as getErrorStack,Q as getExpectedDuration,$ as getFriendlyResourceType,ae as getRegionInfo,m as getSafeZoneName,T as hasAsciiStableConstructKey,c as hasErrorCode,Pe as inferContainerFromCandidates,K as isAccountStage,k as isAccountTier,Me as isInfrastructureFile,ve as isReservedAppName,h as mapSettledWithConcurrency,P as maskSensitiveOutput,f as normaliseError,re as parseGitRemoteUrl,U as parseShellArgs,Se as regions,l as singleton,v as sleep,z as stageFromWireEnvironment,Ae as suggestRegionForTimezone,S as toKebab,i as toPascalCase,_ as toScreamingSnake,A as toValidDatabaseName};

package/dist/mcpProtocol/index.d.ts

@@ -147,10 +147,9 @@ export type McpProtocolFrame = z.infer<typeof McpProtocolFrameSchema>;
  * Scaffold protocol schemas — wire types for the `plan_app_scaffold`,
  * `apply_app_scaffold`, and dry-run helper paths in `@fjall/mcp`.
  *
- * The shapes here mirror the CLI-side `DryRunArtefacts` (in
- * `cli/src/operations/types.ts`) by hand because `@fjall/util` is a leaf
- * dependency of the CLI and cannot import from it. Drift between the two
- * is a wire-level bug; both sides MUST move together.
+ * These schemas are the single source of truth: the CLI imports them from
+ * `@fjall/util/mcpProtocol` and re-exports aliases in
+ * `cli/src/operations/types.ts`.
  */
 export declare const FileToWriteSchema: z.ZodObject<{
     path: z.ZodString;

package/dist/regions.d.ts

@@ -1,8 +1,169 @@
 /**
- * Region abbreviation utilities shared across CLI, webapp, and deploy-core.
+ * Region utilities shared across CLI, webapp, generator, and deploy-core.
+ *
+ * Single source of truth for AWS region metadata (ADR
+ * decisions/2026-06-11-region-semantics-and-provisioning.md D8). The
+ * generator and CLI re-export from here; the webapp imports directly.
  */
+export interface RegionInfo {
+    code: string;
+    name: string;
+    city: string;
+    country: string;
+}
+export declare const DEFAULT_REGION = "us-east-2";
+/** Cap on Organisation.secondaryRegions — API contract shared by every write surface. */
+export declare const MAX_SECONDARY_REGIONS = 10;
+export declare const AWS_REGIONS_METADATA: readonly [{
+    readonly code: "us-east-2";
+    readonly name: "US East";
+    readonly city: "Ohio";
+    readonly country: "USA";
+}, {
+    readonly code: "us-west-2";
+    readonly name: "US West";
+    readonly city: "Oregon";
+    readonly country: "USA";
+}, {
+    readonly code: "us-east-1";
+    readonly name: "US East";
+    readonly city: "N. Virginia";
+    readonly country: "USA";
+}, {
+    readonly code: "eu-west-1";
+    readonly name: "EU West";
+    readonly city: "Ireland";
+    readonly country: "Ireland";
+}, {
+    readonly code: "eu-central-1";
+    readonly name: "EU Central";
+    readonly city: "Frankfurt";
+    readonly country: "Germany";
+}, {
+    readonly code: "ap-southeast-1";
+    readonly name: "Asia Pacific";
+    readonly city: "Singapore";
+    readonly country: "Singapore";
+}, {
+    readonly code: "ap-northeast-1";
+    readonly name: "Asia Pacific";
+    readonly city: "Tokyo";
+    readonly country: "Japan";
+}, {
+    readonly code: "ap-southeast-2";
+    readonly name: "Asia Pacific";
+    readonly city: "Sydney";
+    readonly country: "Australia";
+}, {
+    readonly code: "us-west-1";
+    readonly name: "US West";
+    readonly city: "N. California";
+    readonly country: "USA";
+}, {
+    readonly code: "ca-central-1";
+    readonly name: "Canada";
+    readonly city: "Central";
+    readonly country: "Canada";
+}, {
+    readonly code: "af-south-1";
+    readonly name: "Africa";
+    readonly city: "Cape Town";
+    readonly country: "South Africa";
+}, {
+    readonly code: "ap-east-1";
+    readonly name: "Asia Pacific";
+    readonly city: "Hong Kong";
+    readonly country: "China";
+}, {
+    readonly code: "ap-northeast-2";
+    readonly name: "Asia Pacific";
+    readonly city: "Seoul";
+    readonly country: "South Korea";
+}, {
+    readonly code: "ap-northeast-3";
+    readonly name: "Asia Pacific";
+    readonly city: "Osaka";
+    readonly country: "Japan";
+}, {
+    readonly code: "ap-south-1";
+    readonly name: "Asia Pacific";
+    readonly city: "Mumbai";
+    readonly country: "India";
+}, {
+    readonly code: "ap-south-2";
+    readonly name: "Asia Pacific";
+    readonly city: "Hyderabad";
+    readonly country: "India";
+}, {
+    readonly code: "ap-southeast-3";
+    readonly name: "Asia Pacific";
+    readonly city: "Jakarta";
+    readonly country: "Indonesia";
+}, {
+    readonly code: "ap-southeast-4";
+    readonly name: "Asia Pacific";
+    readonly city: "Melbourne";
+    readonly country: "Australia";
+}, {
+    readonly code: "eu-central-2";
+    readonly name: "EU Central";
+    readonly city: "Zurich";
+    readonly country: "Switzerland";
+}, {
+    readonly code: "eu-north-1";
+    readonly name: "EU North";
+    readonly city: "Stockholm";
+    readonly country: "Sweden";
+}, {
+    readonly code: "eu-south-1";
+    readonly name: "EU South";
+    readonly city: "Milan";
+    readonly country: "Italy";
+}, {
+    readonly code: "eu-south-2";
+    readonly name: "EU South";
+    readonly city: "Spain";
+    readonly country: "Spain";
+}, {
+    readonly code: "eu-west-2";
+    readonly name: "EU West";
+    readonly city: "London";
+    readonly country: "UK";
+}, {
+    readonly code: "eu-west-3";
+    readonly name: "EU West";
+    readonly city: "Paris";
+    readonly country: "France";
+}, {
+    readonly code: "me-central-1";
+    readonly name: "Middle East";
+    readonly city: "UAE";
+    readonly country: "UAE";
+}, {
+    readonly code: "me-south-1";
+    readonly name: "Middle East";
+    readonly city: "Bahrain";
+    readonly country: "Bahrain";
+}, {
+    readonly code: "sa-east-1";
+    readonly name: "South America";
+    readonly city: "São Paulo";
+    readonly country: "Brazil";
+}];
+/** Union of supported region codes, derived from the metadata (SSoT). */
+export type RegionCode = (typeof AWS_REGIONS_METADATA)[number]["code"];
+export declare const regions: readonly string[];
+export declare function getRegionInfo(code: string): RegionInfo | undefined;
 /**
  * Abbreviate an AWS region name to a compact form.
  * e.g. "us-east-1" → "use1", "eu-west-1" → "euw1"
  */
 export declare function abbreviateRegion(region: string): string;
+/**
+ * Suggest the geographically nearest supported AWS region for an IANA
+ * timezone (e.g. from Intl.DateTimeFormat().resolvedOptions().timeZone).
+ * Returns undefined when no sensible suggestion exists (UTC, Etc/*,
+ * unrecognised input) — callers fall back to DEFAULT_REGION without
+ * "closest to you" justification copy.
+ */
+export declare function suggestRegionForTimezone(timeZone: string): RegionCode | undefined;

package/dist/regions.js

@@ -1 +1 @@
-function n(e){const t=e.split("-");return t.length===3&&t[0]&&t[1]&&t[1].length>0&&t[2]?`${t[0]}${t[1][0]}${t[2]}`:e}export{n as abbreviateRegion};
+const i="us-east-2",n=10,o=Object.freeze([{code:"us-east-2",name:"US East",city:"Ohio",country:"USA"},{code:"us-west-2",name:"US West",city:"Oregon",country:"USA"},{code:"us-east-1",name:"US East",city:"N. Virginia",country:"USA"},{code:"eu-west-1",name:"EU West",city:"Ireland",country:"Ireland"},{code:"eu-central-1",name:"EU Central",city:"Frankfurt",country:"Germany"},{code:"ap-southeast-1",name:"Asia Pacific",city:"Singapore",country:"Singapore"},{code:"ap-northeast-1",name:"Asia Pacific",city:"Tokyo",country:"Japan"},{code:"ap-southeast-2",name:"Asia Pacific",city:"Sydney",country:"Australia"},{code:"us-west-1",name:"US West",city:"N. California",country:"USA"},{code:"ca-central-1",name:"Canada",city:"Central",country:"Canada"},{code:"af-south-1",name:"Africa",city:"Cape Town",country:"South Africa"},{code:"ap-east-1",name:"Asia Pacific",city:"Hong Kong",country:"China"},{code:"ap-northeast-2",name:"Asia Pacific",city:"Seoul",country:"South Korea"},{code:"ap-northeast-3",name:"Asia Pacific",city:"Osaka",country:"Japan"},{code:"ap-south-1",name:"Asia Pacific",city:"Mumbai",country:"India"},{code:"ap-south-2",name:"Asia Pacific",city:"Hyderabad",country:"India"},{code:"ap-southeast-3",name:"Asia Pacific",city:"Jakarta",country:"Indonesia"},{code:"ap-southeast-4",name:"Asia Pacific",city:"Melbourne",country:"Australia"},{code:"eu-central-2",name:"EU Central",city:"Zurich",country:"Switzerland"},{code:"eu-north-1",name:"EU North",city:"Stockholm",country:"Sweden"},{code:"eu-south-1",name:"EU South",city:"Milan",country:"Italy"},{code:"eu-south-2",name:"EU South",city:"Spain",country:"Spain"},{code:"eu-west-2",name:"EU West",city:"London",country:"UK"},{code:"eu-west-3",name:"EU West",city:"Paris",country:"France"},{code:"me-central-1",name:"Middle East",city:"UAE",country:"UAE"},{code:"me-south-1",name:"Middle East",city:"Bahrain",country:"Bahrain"},{code:"sa-east-1",name:"South America",city:"S\xE3o Paulo",country:"Brazil"}]),r=Object.freeze(o.map(e=>e.code));function c(e){return o.find(a=>a.code===e)}function A(e){const a=e.split("-");return a.length===3&&a[0]&&a[1]&&a[2]?`${a[0]}${a[1][0]}${a[2]}`:e}const s=Object.freeze({"Europe/London":"eu-west-2","Europe/Jersey":"eu-west-2","Europe/Guernsey":"eu-west-2","Europe/Isle_of_Man":"eu-west-2","Europe/Dublin":"eu-west-1","Europe/Paris":"eu-west-3","Europe/Berlin":"eu-central-1","Europe/Amsterdam":"eu-central-1","Europe/Brussels":"eu-central-1","Europe/Luxembourg":"eu-central-1","Europe/Vienna":"eu-central-1","Europe/Prague":"eu-central-1","Europe/Warsaw":"eu-central-1","Europe/Budapest":"eu-central-1","Europe/Zurich":"eu-central-2","Europe/Stockholm":"eu-north-1","Europe/Oslo":"eu-north-1","Europe/Copenhagen":"eu-north-1","Europe/Helsinki":"eu-north-1","Europe/Tallinn":"eu-north-1","Europe/Riga":"eu-north-1","Europe/Vilnius":"eu-north-1","Europe/Rome":"eu-south-1","Europe/Malta":"eu-south-1","Europe/Athens":"eu-south-1","Europe/Madrid":"eu-south-2","Europe/Lisbon":"eu-south-2","America/New_York":"us-east-1","America/Detroit":"us-east-1","America/Toronto":"ca-central-1","America/Montreal":"ca-central-1","America/Halifax":"ca-central-1","America/Winnipeg":"ca-central-1","America/Chicago":"us-east-2","America/Indiana/Indianapolis":"us-east-2","America/Mexico_City":"us-east-2","America/Denver":"us-west-2","America/Phoenix":"us-west-2","America/Edmonton":"us-west-2","America/Vancouver":"us-west-2","America/Los_Angeles":"us-west-1","America/Tijuana":"us-west-1","America/Sao_Paulo":"sa-east-1","America/Argentina/Buenos_Aires":"sa-east-1","America/Santiago":"sa-east-1","America/Montevideo":"sa-east-1","America/Lima":"sa-east-1","America/Bogota":"us-east-1","Asia/Tokyo":"ap-northeast-1","Asia/Seoul":"ap-northeast-2","Asia/Hong_Kong":"ap-east-1","Asia/Shanghai":"ap-east-1","Asia/Taipei":"ap-east-1","Asia/Macau":"ap-east-1","Asia/Singapore":"ap-southeast-1","Asia/Kuala_Lumpur":"ap-southeast-1","Asia/Bangkok":"ap-southeast-1","Asia/Ho_Chi_Minh":"ap-southeast-1","Asia/Manila":"ap-southeast-1","Asia/Jakarta":"ap-southeast-3","Asia/Kolkata":"ap-south-1","Asia/Calcutta":"ap-south-1","Asia/Karachi":"ap-south-1","Asia/Dhaka":"ap-south-1","Asia/Colombo":"ap-south-1","Asia/Dubai":"me-central-1","Asia/Muscat":"me-central-1","Asia/Qatar":"me-south-1","Asia/Bahrain":"me-south-1","Asia/Riyadh":"me-south-1","Asia/Kuwait":"me-south-1","Asia/Jerusalem":"me-south-1","Australia/Sydney":"ap-southeast-2","Australia/Brisbane":"ap-southeast-2","Australia/Canberra":"ap-southeast-2","Australia/Melbourne":"ap-southeast-4","Australia/Hobart":"ap-southeast-4","Australia/Adelaide":"ap-southeast-4","Pacific/Auckland":"ap-southeast-2","Pacific/Honolulu":"us-west-1","Africa/Johannesburg":"af-south-1","Africa/Casablanca":"eu-south-2","Africa/Cairo":"me-south-1","Indian/Maldives":"ap-south-1"}),u=Object.freeze({Europe:"eu-central-1",America:"us-east-1",Asia:"ap-southeast-1",Australia:"ap-southeast-2",Pacific:"ap-southeast-2",Africa:"af-south-1",Atlantic:"eu-west-1",Indian:"ap-south-1"});function p(e){if(!e)return;const a=s[e];if(a!==void 0)return a;const t=e.split("/")[0];if(t!==void 0)return u[t]}export{o as AWS_REGIONS_METADATA,i as DEFAULT_REGION,n as MAX_SECONDARY_REGIONS,A as abbreviateRegion,c as getRegionInfo,r as regions,p as suggestRegionForTimezone};

package/dist/securityHelpers.d.ts

@@ -32,8 +32,8 @@ export declare const SCOPED_TOKEN_REGEX: RegExp;
  * Mask sensitive information in output strings to prevent credential leakage.
  * Patterns: postgres://user:pass@host, password=xxx, secret=xxx, apikey=xxx,
  * GitHub tokens (ghu_/ghs_/ghp_/gho_/github_pat_), bare AWS access-key IDs
- * (AKIA-prefixed and ASIA-prefixed), AWS secret keys, ARN account IDs,
- * scoped agent tokens.
+ * (AKIA-prefixed and ASIA-prefixed), AWS secret keys (env, INI, and JSON key
+ * spellings), session tokens, ARN account IDs, scoped agent tokens.
  *
  * Single source of truth — consumer loggers (CLI, worker, webapp) MUST
  * NOT re-implement these patterns inline. See

package/dist/securityHelpers.js

@@ -1 +1 @@
-const n=new Set(["NODE_OPTIONS","NODE_PATH","NODE_EXTRA_CA_CERTS","NODE_DEBUG","NODE_PRESERVE_SYMLINKS","LD_PRELOAD","LD_LIBRARY_PATH","LD_AUDIT","LD_BIND_NOW","DYLD_INSERT_LIBRARIES","DYLD_LIBRARY_PATH","DYLD_FRAMEWORK_PATH","PYTHONPATH","PYTHONSTARTUP","PERL5LIB","PERL5OPT","RUBYLIB","RUBYOPT","HOME","XDG_CONFIG_HOME","AWS_SHARED_CREDENTIALS_FILE","AWS_CONFIG_FILE","SHELL","BASH_ENV","ENV","ZDOTDIR"]);function c(e){return Object.fromEntries(Object.entries(e).filter(([t])=>!n.has(t.toUpperCase())))}const i=/fjall_ak_[A-Z2-7]{16}\.[A-Z2-7]{40}/,l=/fjall_ak_[A-Z2-7]{16}\.[A-Z2-7]{40}/g;function o(e){return e.replace(/-----BEGIN [A-Z ]*PRIVATE KEY-----(?:[^"\\]|\\[\\nrt"])*?-----END [A-Z ]*PRIVATE KEY-----/g,"-----BEGIN [REDACTED] PRIVATE KEY-----...-----END [REDACTED] PRIVATE KEY-----").replace(/-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----/g,"-----BEGIN [REDACTED] PRIVATE KEY-----...-----END [REDACTED] PRIVATE KEY-----").replace(/(\w+:\/\/[^:]+:)[^@]+(@)/gi,"$1***$2").replace(/(?<![a-zA-Z])(password|passwd|secret|api[_-]?key|token|auth|credential)([=:])["']?[^\s"']+/gi,"$1$2***").replace(/\b(ghu_|ghs_|ghp_|gho_|github_pat_)[A-Za-z0-9_]+/g,"$1***").replace(/\b(sk|rk)_(live|test)_[A-Za-z0-9]{8,}/g,"$1_$2_***").replace(/\bwhsec_[A-Za-z0-9]{8,}/g,"whsec_***").replace(/(?<=Authorization:\s*Bearer\s+)[A-Za-z0-9._~+/=-]+/gi,"***").replace(/\b(AKIA|ASIA)[A-Z0-9]{12,}\b/g,"$1***").replace(/(?<=AWS_SECRET_ACCESS_KEY=|SecretAccessKey[=:]\s*|"secretAccessKey":\s*")[A-Za-z0-9/+=]{40,}/g,"***").replace(/(arn:aws[^:]*:[^:]*:[^:]*:)(\d{12})(:[^\s]*)/g,"$1***$3").replace(/(?<="(aws)?[Ss]essionToken":\s*")[^"]+/g,"***").replace(/(?<="(internal[Aa]piKey|fjallCallbackToken)":\s*")[^"]+/g,"***").replace(l,"fjall_ak_***")}function D(e){const t=[];let E="",r=!1,A=!1,_=!1,s=!1;for(const a of e){if(_){E+=a,_=!1;continue}if(a==="\\"&&!r){_=!0;continue}if(a==="'"&&!A){r=!r,s=!0;continue}if(a==='"'&&!r){A=!A,s=!0;continue}if(a===" "&&!r&&!A){(E||s)&&(t.push(E),E="",s=!1);continue}E+=a}if(r||A)throw new Error(`Unbalanced ${r?"single":"double"} quote in command: ${e.slice(0,80)}`);if(_)throw new Error(`Trailing backslash in command: ${e.slice(0,80)}`);return(E||s)&&t.push(E),t}export{n as DANGEROUS_ENV_VARS,i as SCOPED_TOKEN_REGEX,c as filterDangerousEnvVars,o as maskSensitiveOutput,D as parseShellArgs};
+const A=new Set(["NODE_OPTIONS","NODE_PATH","NODE_EXTRA_CA_CERTS","NODE_DEBUG","NODE_PRESERVE_SYMLINKS","LD_PRELOAD","LD_LIBRARY_PATH","LD_AUDIT","LD_BIND_NOW","DYLD_INSERT_LIBRARIES","DYLD_LIBRARY_PATH","DYLD_FRAMEWORK_PATH","PYTHONPATH","PYTHONSTARTUP","PERL5LIB","PERL5OPT","RUBYLIB","RUBYOPT","HOME","XDG_CONFIG_HOME","AWS_SHARED_CREDENTIALS_FILE","AWS_CONFIG_FILE","SHELL","BASH_ENV","ENV","ZDOTDIR"]);function l(e){return Object.fromEntries(Object.entries(e).filter(([r])=>!A.has(r.toUpperCase())))}const i=/fjall_ak_[A-Z2-7]{16}\.[A-Z2-7]{40}/,c=/fjall_ak_[A-Z2-7]{16}\.[A-Z2-7]{40}/g;function o(e){return e.replace(/-----BEGIN [A-Z ]*PRIVATE KEY-----(?:[^"\\]|\\[\\nrt"])*?-----END [A-Z ]*PRIVATE KEY-----/g,"-----BEGIN [REDACTED] PRIVATE KEY-----...-----END [REDACTED] PRIVATE KEY-----").replace(/-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----/g,"-----BEGIN [REDACTED] PRIVATE KEY-----...-----END [REDACTED] PRIVATE KEY-----").replace(/(\w+:\/\/[^:]+:)[^@]+(@)/gi,"$1***$2").replace(/(?<![a-zA-Z])(password|passwd|secret|api[_-]?key|token|auth|credential)([=:])["']?[^\s"']+/gi,"$1$2***").replace(/\b(ghu_|ghs_|ghp_|gho_|github_pat_)[A-Za-z0-9_]+/g,"$1***").replace(/\b(sk|rk)_(live|test)_[A-Za-z0-9]{8,}/g,"$1_$2_***").replace(/\bwhsec_[A-Za-z0-9]{8,}/g,"whsec_***").replace(/(?<=Authorization:\s*Bearer\s+)[A-Za-z0-9._~+/=-]+/gi,"***").replace(/\b(AKIA|ASIA)[A-Z0-9]{12,}\b/g,"$1***").replace(/(?<=aws_secret_access_key\s*=\s*["']?|SecretAccessKey[=:]\s*|"(aws)?secretAccessKey":\s*"|"aws_secret_access_key":\s*")[A-Za-z0-9/+=]{40,}/gi,"***").replace(/(arn:aws[^:]*:[^:]*:[^:]*:)(\d{12})(:[^\s]*)/g,"$1***$3").replace(/(?<="(aws)?sessionToken":\s*"|"aws_session_token":\s*")[^"]+/gi,"***").replace(/(?<=aws_session_token\s*[=:]\s*["']?|SessionToken[=:]\s*["']?)[^\s"']+/gi,"***").replace(/(?<="(internal[Aa]piKey|fjallCallbackToken)":\s*")[^"]+/g,"***").replace(c,"fjall_ak_***")}function D(e){const r=[];let s="",E=!1,_=!1,n=!1,t=!1;for(const a of e){if(n){s+=a,n=!1;continue}if(a==="\\"&&!E){n=!0;continue}if(a==="'"&&!_){E=!E,t=!0;continue}if(a==='"'&&!E){_=!_,t=!0;continue}if(a===" "&&!E&&!_){(s||t)&&(r.push(s),s="",t=!1);continue}s+=a}if(E||_)throw new Error(`Unbalanced ${E?"single":"double"} quote in command: ${e.slice(0,80)}`);if(n)throw new Error(`Trailing backslash in command: ${e.slice(0,80)}`);return(s||t)&&r.push(s),r}export{A as DANGEROUS_ENV_VARS,i as SCOPED_TOKEN_REGEX,l as filterDangerousEnvVars,o as maskSensitiveOutput,D as parseShellArgs};

package/dist/targets.d.ts

@@ -30,6 +30,15 @@ export interface DerivedTarget {
     environment: string;
     region: string;
 }
+/**
+ * Canonical stage-or-tier fallback. Structural accounts carry a null workload
+ * stage, so display/naming/OU derivation fall back to the structural tier to
+ * stay non-null. Single source for every `environment ?? tier` consumer.
+ */
+export declare function environmentOrTier(account: {
+    environment?: string | null;
+    tier?: AccountTier | null;
+}): string;
 /**
  * Generate a canonical target name from account name and region.
  * e.g. ("Production-US", "us-east-1") → "production-us-use1"

package/dist/targets.js

@@ -1 +1 @@
-import{abbreviateRegion as s}from"./regions.js";import{accountTier as c}from"./environments.js";function m(e){const r=[e.primaryRegion,...e.secondaryRegions??[],e.disasterRecoveryRegion].filter(t=>t!==void 0);return[...new Set(r)]}function u(e,r){return`${e.toLowerCase()}-${s(r)}`}function f(e,r){const t=[];for(const n of e){if(c(n)==="organisation")continue;const o=n.environment??c(n);for(const i of r)t.push({name:u(n.name,i),accountName:n.name,accountId:n.id,environment:o,region:i})}return t.sort((n,o)=>{const i=n.environment.localeCompare(o.environment);if(i!==0)return i;const a=n.accountName.localeCompare(o.accountName);return a!==0?a:n.region.localeCompare(o.region)})}function p(e){return f(e.providerAccounts,m(e))}function v(e,r){if(r.length===0)return e;const t=new Set([e.primaryRegion,e.disasterRecoveryRegion].filter(Boolean)),n=r.filter(o=>!t.has(o));return{...e,secondaryRegions:n.length>0?n:void 0}}function l(e,r){return e.find(t=>t.name===r)}export{p as deriveAllTargets,m as deriveRegionsFromOrgConfig,f as deriveTargets,l as findTarget,u as generateTargetName,v as mergeSecondaryRegions};
+import{abbreviateRegion as m}from"./regions.js";import{accountTier as c}from"./environments.js";function s(e){const r=[e.primaryRegion,...e.secondaryRegions??[],e.disasterRecoveryRegion].filter(t=>t!==void 0);return[...new Set(r)]}function u(e){return e.environment??c(e)}function f(e,r){return`${e.toLowerCase()}-${m(r)}`}function p(e,r){const t=[];for(const n of e){if(c(n)==="organisation")continue;const o=u(n);for(const i of r)t.push({name:f(n.name,i),accountName:n.name,accountId:n.id,environment:o,region:i})}return t.sort((n,o)=>{const i=n.environment.localeCompare(o.environment);if(i!==0)return i;const a=n.accountName.localeCompare(o.accountName);return a!==0?a:n.region.localeCompare(o.region)})}function v(e){return p(e.providerAccounts,s(e))}function l(e,r){if(r.length===0)return e;const t=new Set([e.primaryRegion,e.disasterRecoveryRegion].filter(Boolean)),n=r.filter(o=>!t.has(o));return{...e,secondaryRegions:n.length>0?n:void 0}}function R(e,r){return e.find(t=>t.name===r)}export{v as deriveAllTargets,s as deriveRegionsFromOrgConfig,p as deriveTargets,u as environmentOrTier,R as findTarget,f as generateTargetName,l as mergeSecondaryRegions};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@fjall/util",
-  "version": "2.12.0",
+  "version": "2.14.0",
   "description": "Common utility methods",
   "type": "module",
   "main": "dist/index.js",
@@ -117,5 +117,5 @@
   "engines": {
     "node": ">=22.0.0"
   },
-  "gitHead": "dca39a47da956d3d94c689dd782fe285d711d25e"
+  "gitHead": "ce434478f9e3d5e5ccf979c152a237c81e4acee5"
 }