@friggframework/devtools 2.0.0--canary.454.25d396a.0 → 2.0.0--canary.461.84ff4f5.0

package/infrastructure/aws-discovery.js

@@ -932,6 +932,8 @@ class AWSDiscovery {
             result.engine = cluster.engine;
             result.engineVersion = cluster.engineVersion;
             result.status = cluster.status;
+            result.masterUsername = cluster.masterUsername;
+            result.isFriggManaged = cluster.isFriggManaged;
 
             console.log(`\n✅ Found Aurora Cluster: ${cluster.identifier}`);
             console.log(`   Endpoint: ${cluster.endpoint}:${cluster.port}`);
@@ -982,7 +984,8 @@ class AWSDiscovery {
             databaseName: cluster.DatabaseName,
             vpcSecurityGroups: (cluster.VpcSecurityGroups || []).map(sg => sg.VpcSecurityGroupId),
             dbSubnetGroup: cluster.DBSubnetGroup,
-            arn: cluster.DBClusterArn
+            arn: cluster.DBClusterArn,
+            isFriggManaged: this._isFriggManaged(cluster.TagList || [])
         };
     }
 

package/infrastructure/scripts/build-prisma-layer.js

@@ -3,18 +3,24 @@
 /**
  * Build Prisma Lambda Layer
  *
- * Creates a Lambda Layer containing all Prisma packages and rhel-openssl-3.0.x binaries.
+ * Creates a Lambda Layer containing Prisma packages and rhel-openssl-3.0.x binaries.
  * This reduces individual Lambda function sizes by ~60% (120MB → 45MB).
  *
+ * The layer is configured based on AppDefinition database settings:
+ * - PostgreSQL: Includes PostgreSQL client + query engine
+ * - MongoDB: Includes MongoDB client + query engine (if needed)
+ * - Defaults to PostgreSQL only if not specified
+ *
  * Usage:
- *   node scripts/build-prisma-layer.js
+ *   node scripts/build-prisma-layer.js [--mongodb] [--postgresql]
  *   npm run build:prisma-layer
  *
  * Output:
  *   layers/prisma/nodejs/node_modules/
  *   ├── @prisma/client
- *   ├── @prisma-mongodb/client
- *   ├── @prisma-postgresql/client
+ *   ├── @prisma/engines
+ *   ├── generated/prisma-postgresql (if PostgreSQL enabled)
+ *   ├── generated/prisma-mongodb (if MongoDB enabled)
  *   └── prisma (CLI for migrations)
  *
  * See: LAMBDA-LAYER-PRISMA.md for complete documentation
@@ -46,6 +52,37 @@ function findCorePackage(startDir) {
     );
 }
 
+/**
+ * Determine which database clients to include based on configuration
+ * @param {Object} databaseConfig - Database configuration from AppDefinition
+ * @returns {Array} List of generated client packages to include
+ */
+function getGeneratedClientPackages(databaseConfig = {}) {
+    const packages = [];
+
+    // Check if MongoDB is enabled
+    const mongoEnabled = databaseConfig?.mongodb?.enable === true;
+    if (mongoEnabled) {
+        packages.push('generated/prisma-mongodb');
+        log('Including MongoDB client (based on AppDefinition)', 'blue');
+    }
+
+    // Check if PostgreSQL is enabled (default to true if not specified)
+    const postgresEnabled = databaseConfig?.postgres?.enable !== false;
+    if (postgresEnabled) {
+        packages.push('generated/prisma-postgresql');
+        log('Including PostgreSQL client (based on AppDefinition)', 'blue');
+    }
+
+    // If neither specified, default to PostgreSQL only
+    if (packages.length === 0) {
+        packages.push('generated/prisma-postgresql');
+        log('No database specified - defaulting to PostgreSQL', 'yellow');
+    }
+
+    return packages;
+}
+
 // Configuration
 // Script runs from integration project root (e.g., backend/)
 // and reads Prisma packages from @friggframework/core
@@ -54,14 +91,6 @@ const CORE_PACKAGE_PATH = findCorePackage(PROJECT_ROOT);
 const LAYER_OUTPUT_PATH = path.join(PROJECT_ROOT, 'layers/prisma');
 const LAYER_NODE_MODULES = path.join(LAYER_OUTPUT_PATH, 'nodejs/node_modules');
 
-// Packages to include in the layer
-const PRISMA_PACKAGES = [
-    '@prisma/client',                 // From project node_modules
-    'generated/prisma-mongodb',       // From @friggframework/core package
-    'generated/prisma-postgresql',    // From @friggframework/core package
-    'prisma',                         // CLI from project node_modules
-];
-
 // Binary patterns to remove (non-rhel)
 const BINARY_PATTERNS_TO_REMOVE = [
     '*darwin*',
@@ -71,6 +100,16 @@ const BINARY_PATTERNS_TO_REMOVE = [
     '*windows*',
 ];
 
+// Files to remove for size optimization
+const FILES_TO_REMOVE = [
+    '*.map',        // Source maps (37MB savings)
+    '*.md',         // Markdown files  
+    'LICENSE*',     // License files
+    'CHANGELOG*',   // Changelog files
+    '*.test.js',    // Test files
+    '*.spec.js',    // Spec files
+];
+
 // ANSI color codes for output
 const colors = {
     reset: '\x1b[0m',
@@ -140,12 +179,58 @@ async function createLayerStructure() {
 }
 
 /**
- * Copy Prisma packages from core to layer
+ * Install Prisma CLI and client directly into layer
+ * @param {Boolean} includeCLI - Whether to include Prisma CLI (needed for migrations)
  */
-async function copyPrismaPackages() {
-    logStep(3, 'Copying Prisma packages from @friggframework/core');
+async function installPrismaPackages(includeCLI = false) {
+    logStep(3, `Installing Prisma packages (${includeCLI ? 'with CLI' : 'runtime only'})`);
+
+    // Create a minimal package.json in the layer
+    const dependencies = {
+        '@prisma/client': '^6.16.3',
+        '@prisma/engines': '^6.16.3',
+    };
+
+    // Only include CLI if needed (saves 50MB + 32MB effect dependency)
+    if (includeCLI) {
+        dependencies['prisma'] = '^6.16.3';
+        log('  Including Prisma CLI for migrations', 'yellow');
+    } else {
+        log('  Runtime only - CLI excluded (saves ~82MB)', 'green');
+    }
+
+    const layerPackageJson = {
+        name: 'prisma-lambda-layer',
+        version: '1.0.0',
+        private: true,
+        dependencies,
+    };
 
-    // Build search paths, handling workspace hoisting
+    const packageJsonPath = path.join(LAYER_OUTPUT_PATH, 'nodejs/package.json');
+    await fs.writeJson(packageJsonPath, layerPackageJson, { spaces: 2 });
+    logSuccess('Created layer package.json');
+
+    // Install Prisma packages
+    log('Installing prisma and @prisma/client...');
+    try {
+        execSync('npm install --production --no-package-lock', {
+            cwd: path.join(LAYER_OUTPUT_PATH, 'nodejs'),
+            stdio: 'inherit'
+        });
+        logSuccess('Prisma packages installed');
+    } catch (error) {
+        throw new Error(`Failed to install Prisma packages: ${error.message}`);
+    }
+}
+
+/**
+ * Copy generated Prisma clients from @friggframework/core to layer
+ * @param {Array} clientPackages - List of generated client packages to copy
+ */
+async function copyPrismaPackages(clientPackages) {
+    logStep(4, 'Copying generated Prisma clients from @friggframework/core');
+
+    // Copy the generated clients from core based on database config
     // Packages can be in:
     // 1. Core's own node_modules (if not hoisted)
     // 2. Project root node_modules (if hoisted from project)
@@ -162,7 +247,7 @@ async function copyPrismaPackages() {
     let copiedCount = 0;
     let missingPackages = [];
 
-    for (const pkg of PRISMA_PACKAGES) {
+    for (const pkg of clientPackages) {
         let sourcePath = null;
 
         // Try to find package in search paths
@@ -186,8 +271,8 @@ async function copyPrismaPackages() {
             const fromLocation = sourcePath.includes('@friggframework/core/generated')
                 ? 'core package (generated)'
                 : sourcePath.includes('@friggframework/core/node_modules')
-                ? 'core node_modules'
-                : 'workspace';
+                    ? 'core node_modules'
+                    : 'workspace';
             logSuccess(`Copied ${pkg} (from ${fromLocation})`);
             copiedCount++;
         } else {
@@ -198,19 +283,57 @@ async function copyPrismaPackages() {
 
     if (missingPackages.length > 0) {
         throw new Error(
-            `Missing Prisma packages: ${missingPackages.join(', ')}.\n` +
-            'Ensure @friggframework/core is installed with "npm install" and Prisma clients are generated.'
+            `Missing generated Prisma clients: ${missingPackages.join(', ')}.\n` +
+            'Ensure @friggframework/core has generated Prisma clients (run "npm run prisma:generate" in core package).'
         );
     }
 
-    log(`\nCopied ${copiedCount}/${PRISMA_PACKAGES.length} packages`);
+    logSuccess(`Copied ${copiedCount} generated client packages from @friggframework/core`);
+}
+
+/**
+ * Remove unnecessary files to reduce layer size
+ */
+async function removeUnnecessaryFiles() {
+    logStep(5, 'Removing unnecessary files (source maps, docs, tests)');
+
+    let removedCount = 0;
+    let totalSize = 0;
+
+    for (const pattern of FILES_TO_REMOVE) {
+        try {
+            // Find files matching the pattern
+            const findCmd = `find "${LAYER_NODE_MODULES}" -name "${pattern}" -type f 2>/dev/null || true`;
+            const files = execSync(findCmd, { encoding: 'utf8' })
+                .split('\n')
+                .filter(f => f.trim());
+
+            for (const file of files) {
+                if (await fs.pathExists(file)) {
+                    const stats = await fs.stat(file);
+                    totalSize += stats.size;
+                    await fs.remove(file);
+                    removedCount++;
+                }
+            }
+        } catch (error) {
+            logWarning(`Error removing ${pattern}: ${error.message}`);
+        }
+    }
+
+    if (removedCount > 0) {
+        const sizeMB = (totalSize / (1024 * 1024)).toFixed(2);
+        logSuccess(`Removed ${removedCount} unnecessary files (saved ${sizeMB} MB)`);
+    } else {
+        log('No unnecessary files found to remove');
+    }
 }
 
 /**
  * Remove non-rhel engine binaries to reduce layer size
  */
 async function removeNonRhelBinaries() {
-    logStep(4, 'Removing non-rhel engine binaries');
+    logStep(6, 'Removing non-rhel engine binaries');
 
     let removedCount = 0;
     let totalSize = 0;
@@ -246,9 +369,10 @@ async function removeNonRhelBinaries() {
 
 /**
  * Verify rhel binaries are present
+ * @param {Array} expectedClients - List of client packages that should have binaries
  */
-async function verifyRhelBinaries() {
-    logStep(5, 'Verifying rhel-openssl-3.0.x binaries are present');
+async function verifyRhelBinaries(expectedClients) {
+    logStep(7, 'Verifying rhel-openssl-3.0.x binaries are present');
 
     try {
         const findCmd = `find "${LAYER_NODE_MODULES}" -name "*rhel-openssl-3.0.x*" 2>/dev/null || true`;
@@ -263,7 +387,8 @@ async function verifyRhelBinaries() {
             );
         }
 
-        logSuccess(`Found ${rhelFiles.length} rhel-openssl-3.0.x binaries`);
+        const expectedCount = expectedClients.length;
+        logSuccess(`Found ${rhelFiles.length} rhel-openssl-3.0.x ${rhelFiles.length === 1 ? 'binary' : 'binaries'} (expected ${expectedCount})`);
 
         // Show the binaries found
         rhelFiles.forEach(file => {
@@ -277,18 +402,24 @@ async function verifyRhelBinaries() {
 
 /**
  * Verify required files exist
+ * @param {Boolean} includeCLI - Whether CLI files should be present
  */
-async function verifyLayerStructure() {
-    logStep(6, 'Verifying layer structure');
+async function verifyLayerStructure(includeCLI) {
+    logStep(8, 'Verifying layer structure');
 
     const requiredPaths = [
         '@prisma/client/runtime',
         '@prisma/client/index.d.ts',
-        'generated/prisma-mongodb/schema.prisma',
-        'generated/prisma-postgresql/schema.prisma',
-        'prisma/build',
+        '@prisma/engines',
+        'generated/prisma-postgresql/schema.prisma',  // PostgreSQL
     ];
 
+    // Only check for CLI files if CLI was included
+    if (includeCLI) {
+        requiredPaths.push('prisma/build');
+        requiredPaths.push('.bin/prisma');
+    }
+
     let allPresent = true;
 
     for (const requiredPath of requiredPaths) {
@@ -312,7 +443,7 @@ async function verifyLayerStructure() {
  * Calculate and display final layer size
  */
 async function displayLayerSummary() {
-    logStep(7, 'Layer build summary');
+    logStep(9, 'Layer build summary');
 
     const layerSizeMB = getDirectorySize(LAYER_OUTPUT_PATH);
 
@@ -324,9 +455,11 @@ async function displayLayerSummary() {
     log(`Layer size: ~${layerSizeMB} MB`, 'green');
 
     log('\nPackages included:', 'bright');
-    PRISMA_PACKAGES.forEach(pkg => {
-        log(`  - ${pkg}`, 'reset');
-    });
+    log('  - prisma (CLI - installed)', 'reset');
+    log('  - @prisma/client (runtime - installed)', 'reset');
+    log('  - @prisma/engines (binaries - installed)', 'reset');
+    log('  - generated/prisma-postgresql (PostgreSQL only)', 'reset');
+    log('\nNote: MongoDB support excluded (not used in this project)', 'yellow');
 
     log('\nNext steps:', 'bright');
     log('  1. Verify layer structure: ls -lah layers/prisma/nodejs/node_modules/', 'reset');
@@ -339,12 +472,14 @@ async function displayLayerSummary() {
 
 /**
  * Main build function
+ * @param {Object} databaseConfig - Database configuration from AppDefinition.database
+ * @param {Boolean} includeCLI - Whether to include Prisma CLI (false = runtime only)
  */
-async function buildPrismaLayer() {
+async function buildPrismaLayer(databaseConfig = {}, includeCLI = false) {
     const startTime = Date.now();
 
     log('\n' + '='.repeat(60), 'bright');
-    log('  Building Prisma Lambda Layer', 'bright');
+    log(`  Building Prisma Lambda Layer ${includeCLI ? '(with CLI)' : '(runtime only)'}`, 'bright');
     log('='.repeat(60) + '\n', 'bright');
 
     // Log paths
@@ -352,13 +487,18 @@ async function buildPrismaLayer() {
     log(`Core package: ${CORE_PACKAGE_PATH}`, 'reset');
     log(`Layer output: ${LAYER_OUTPUT_PATH}\n`, 'reset');
 
+    // Determine which database clients to include
+    const clientPackages = getGeneratedClientPackages(databaseConfig);
+
     try {
         await cleanLayerDirectory();
         await createLayerStructure();
-        await copyPrismaPackages();
-        await removeNonRhelBinaries();
-        await verifyRhelBinaries();
-        await verifyLayerStructure();
+        await installPrismaPackages(includeCLI);    // Install Prisma packages (CLI optional)
+        await copyPrismaPackages(clientPackages);   // Copy generated clients from core
+        await removeUnnecessaryFiles();             // Remove source maps, docs, tests (37MB+)
+        await removeNonRhelBinaries();              // Remove non-Linux binaries
+        await verifyRhelBinaries(clientPackages);   // Verify query engines present
+        await verifyLayerStructure(includeCLI);     // Verify structure (conditional on CLI)
         await displayLayerSummary();
 
         const duration = ((Date.now() - startTime) / 1000).toFixed(2);

package/infrastructure/serverless-template.js

@@ -554,6 +554,7 @@ const gatherDiscoveredResources = async (AppDefinition) => {
             vpc: AppDefinition.vpc || {},
             encryption: AppDefinition.encryption || {},
             ssm: AppDefinition.ssm || {},
+            database: AppDefinition.database || {},
             serviceName: AppDefinition.name || 'create-frigg-app',
             stage: stage,
         };
@@ -637,26 +638,66 @@ const createBaseDefinition = (
 ) => {
     const region = process.env.AWS_REGION || 'us-east-1';
 
+    // Function-level package config to exclude Prisma and AWS SDK
+    // Uses native Serverless package.exclude since jetpack function-level config isn't supported in v3
+    const functionPackageConfig = {
+        exclude: [
+            // Exclude AWS SDK (already in Lambda runtime)
+            'node_modules/aws-sdk/**',
+            'node_modules/@aws-sdk/**',
+
+            // Exclude Prisma (provided via Lambda Layer)
+            'node_modules/@prisma/**',
+            'node_modules/.prisma/**',
+            'node_modules/prisma/**',
+            'node_modules/@friggframework/core/generated/**',
+        ],
+    };
+
     return {
         frameworkVersion: '>=3.17.0',
         service: AppDefinition.name || 'create-frigg-app',
         package: {
             individually: true,
+            // NOTE: These patterns are NOT used when serverless-jetpack is enabled with trace mode
+            // Jetpack's trace mode completely overrides package.patterns during dependency resolution
+            // These are kept commented out as a fallback if Jetpack needs to be disabled
             patterns: [
-                // Existing AWS SDK exclusions
-                '!**/node_modules/aws-sdk/**',
-                '!**/node_modules/@aws-sdk/**',
-                '!package.json',
-
-                // GLOBAL Prisma exclusions - all Prisma packages moved to Lambda Layer
-                // This reduces each function from ~120MB to ~45MB (60% reduction)
-                '!node_modules/@prisma/**',
-                '!node_modules/.prisma/**',
-                '!node_modules/@prisma-mongodb/**',
-                '!node_modules/@prisma-postgresql/**',
-                '!node_modules/prisma/**',
-                // Prisma packages will be provided at runtime via Lambda Layer
-                // See: LAMBDA-LAYER-PRISMA.md for complete documentation
+                // AWS SDK exclusions (already in Lambda runtime)
+                // '!**/node_modules/aws-sdk/**',
+                // '!**/node_modules/@aws-sdk/**',
+
+                // Prisma exclusions (provided via Lambda Layer)
+                // '!**/node_modules/@prisma/**',
+                // '!**/node_modules/.prisma/**',
+                // '!**/node_modules/@prisma-mongodb/**',
+                // '!**/node_modules/@prisma-postgresql/**',
+                // '!**/node_modules/prisma/**',
+
+                // Exclude Prisma generated clients from @friggframework/core
+                // '!**/node_modules/@friggframework/core/generated/**',
+
+                // Exclude development and test files
+                // '!**/test/**',
+                // '!**/tests/**',
+                // '!**/*.test.js',
+                // '!**/*.spec.js',
+                // '!**/*.map',
+                // '!**/jest.config.js',
+                // '!**/jest.unit.config.js',
+                // '!**/.eslintrc.json',
+                // '!**/.prettierrc',
+                // '!**/.prettierignore',
+                // '!**/.markdownlintignore',
+                // '!**/docker-compose.yml',
+                // '!**/package.json',
+                // '!**/README.md',
+                // '!**/*.md',
+
+                // Exclude .DS_Store and other OS files
+                // '!**/.DS_Store',
+                // '!**/.git/**',
+                // '!**/.claude-flow/**',
             ],
         },
         useDotenv: true,
@@ -711,8 +752,7 @@ const createBaseDefinition = (
             },
         },
         plugins: [
-            // Temporarily disabled Jetpack - it ignores package.patterns in dependency mode
-            // 'serverless-jetpack',
+            'serverless-jetpack',
             'serverless-dotenv-plugin',
             'serverless-offline-sqs',
             'serverless-offline',
@@ -733,15 +773,18 @@ const createBaseDefinition = (
                 secretAccessKey: 'root',
                 skipCacheInvalidation: false,
             },
-            // Jetpack config removed - testing with standard Serverless packaging
-            // jetpack: {
-            //     base: '..',
-            // },
+            jetpack: {
+                base: '..',  // Essential for reaching handlers in node_modules/@friggframework
+                // NOTE: Service-level preInclude applies to EVERYTHING (functions + layers)
+                // We need to ONLY exclude from functions, not from the Prisma layer
+                // Solution: Apply exclusions at function level instead
+            },
         },
         functions: {
             auth: {
                 handler: 'node_modules/@friggframework/core/handlers/routers/auth.handler',
                 layers: [{ Ref: 'PrismaLambdaLayer' }],
+                package: functionPackageConfig,
                 events: [
                     { httpApi: { path: '/api/integrations', method: 'ANY' } },
                     {
@@ -756,11 +799,13 @@ const createBaseDefinition = (
             user: {
                 handler: 'node_modules/@friggframework/core/handlers/routers/user.handler',
                 layers: [{ Ref: 'PrismaLambdaLayer' }],
+                package: functionPackageConfig,
                 events: [{ httpApi: { path: '/user/{proxy+}', method: 'ANY' } }],
             },
             health: {
                 handler: 'node_modules/@friggframework/core/handlers/routers/health.handler',
                 layers: [{ Ref: 'PrismaLambdaLayer' }],
+                package: functionPackageConfig,
                 events: [
                     { httpApi: { path: '/health', method: 'GET' } },
                     { httpApi: { path: '/health/{proxy+}', method: 'GET' } },
@@ -768,11 +813,13 @@ const createBaseDefinition = (
             },
             dbMigrate: {
                 handler: 'node_modules/@friggframework/core/handlers/workers/db-migration.handler',
+                // Uses Prisma Layer (includes CLI) - simpler than standalone packaging
                 layers: [{ Ref: 'PrismaLambdaLayer' }],
                 timeout: 300,  // 5 minutes for long-running migrations
                 memorySize: 512,  // Extra memory for Prisma CLI operations
                 reservedConcurrency: 1,  // Prevent concurrent migrations
-                description: 'Runs database migrations via Prisma (invoke manually from CI/CD)',
+                description: 'Runs database migrations via Prisma (invoke manually from CI/CD). Uses Prisma layer with CLI.',
+                package: functionPackageConfig,  // Use same exclusions as other functions
                 // No events - this function is invoked manually via AWS CLI
                 maximumEventAge: 60,  // Don't retry old migration requests (60 seconds)
                 maximumRetryAttempts: 0,  // Don't auto-retry failed migrations
@@ -786,22 +833,13 @@ const createBaseDefinition = (
                     PRISMA_HIDE_UPDATE_MESSAGE: '1',  // Suppress update messages
                     PRISMA_MIGRATE_SKIP_SEED: '1',  // Skip seeding during migrations
                 },
-                // Function-specific packaging: Include Prisma schemas (CLI from layer)
-                package: {
-                    patterns: [
-                        // Include Prisma schemas from @friggframework/core
-                        // Note: Prisma CLI and clients come from Lambda Layer
-                        'node_modules/@friggframework/core/prisma-mongodb/**',
-                        'node_modules/@friggframework/core/prisma-postgresql/**',
-                    ],
-                },
             },
         },
         layers: {
             prisma: {
                 path: 'layers/prisma',
                 name: '${self:service}-prisma-${sls:stage}',
-                description: 'Prisma ORM clients for MongoDB and PostgreSQL with rhel-openssl-3.0.x binaries. Reduces function sizes by ~60% (120MB → 45MB). See LAMBDA-LAYER-PRISMA.md for details.',
+                description: 'Prisma ORM client with CLI and rhel-openssl-3.0.x binaries. Configured based on AppDefinition database settings. Used by all functions.',
                 compatibleRuntimes: ['nodejs18.x', 'nodejs20.x'],
                 retain: false,  // Don't retain old layer versions
             },
@@ -2158,8 +2196,13 @@ const createAuroraInfrastructure = (definition, AppDefinition, discoveredResourc
 
 const useExistingAurora = (definition, AppDefinition, discoveredResources) => {
     const dbConfig = AppDefinition.database.postgres;
+    const selfHeal = AppDefinition.database?.postgres?.selfHeal !== false; // Default to true
 
     console.log(`🔗 Using existing Aurora cluster: ${discoveredResources.aurora.clusterIdentifier}`);
+    console.log(`[DEBUG] discoveredResources.aurora.isFriggManaged: ${discoveredResources.aurora.isFriggManaged}`);
+    console.log(`[DEBUG] selfHeal: ${selfHeal}`);
+    console.log(`[DEBUG] discoveredResources.aurora.secretArn: ${discoveredResources.aurora.secretArn}`);
+    console.log(`[DEBUG] dbConfig.secretArn: ${dbConfig.secretArn}`);
 
     // Add IAM permissions for Secrets Manager if secret exists
     if (discoveredResources.aurora.secretArn) {
@@ -2208,8 +2251,84 @@ const useExistingAurora = (definition, AppDefinition, discoveredResources) => {
                 }
             ]
         };
+    } else if (selfHeal && discoveredResources.aurora?.isFriggManaged) {
+        // Self-healing mode: recreate missing secret for Frigg-managed cluster
+        console.log('⚠️  No database secret found for Frigg-managed cluster');
+        console.log('🔧 Self-healing enabled: Creating new database secret with automatic password rotation');
+
+        // Get the current master username from the cluster
+        const currentUsername = discoveredResources.aurora.masterUsername || dbConfig.masterUsername || 'frigg_admin';
+
+        // Create Secrets Manager Secret (database credentials)
+        // Note: We generate a NEW password, which will be synced to the cluster via SecretTargetAttachment
+        definition.resources.Resources.FriggDatabaseSecret = {
+            Type: 'AWS::SecretsManager::Secret',
+            Properties: {
+                Name: '${self:service}-${self:provider.stage}-aurora-credentials',
+                Description: 'Aurora PostgreSQL credentials for Frigg application (auto-healed)',
+                GenerateSecretString: {
+                    SecretStringTemplate: JSON.stringify({
+                        username: currentUsername
+                    }),
+                    GenerateStringKey: 'password',
+                    PasswordLength: 32,
+                    ExcludeCharacters: '"@/\\`\''
+                },
+                Tags: [
+                    { Key: 'ManagedBy', Value: 'Frigg' },
+                    { Key: 'Service', Value: '${self:service}' },
+                    { Key: 'Stage', Value: '${self:provider.stage}' },
+                    { Key: 'AutoHealed', Value: 'true' }
+                ]
+            }
+        };
+
+        // Create SecretTargetAttachment to link secret to existing cluster
+        // This will automatically rotate the cluster password to match the secret!
+        definition.resources.Resources.FriggSecretAttachment = {
+            Type: 'AWS::SecretsManager::SecretTargetAttachment',
+            Properties: {
+                SecretId: { Ref: 'FriggDatabaseSecret' },
+                TargetId: discoveredResources.aurora.clusterIdentifier,
+                TargetType: 'AWS::RDS::DBCluster'
+            }
+        };
+
+        // Add IAM permissions for the new secret
+        definition.provider.iamRoleStatements.push({
+            Effect: 'Allow',
+            Action: [
+                'secretsmanager:GetSecretValue',
+                'secretsmanager:DescribeSecret'
+            ],
+            Resource: { Ref: 'FriggDatabaseSecret' }
+        });
+
+        // Set DATABASE_URL from new secret
+        definition.provider.environment.DATABASE_URL = {
+            'Fn::Sub': [
+                'postgresql://${Username}:${Password}@${Endpoint}:${Port}/${DatabaseName}',
+                {
+                    Username: { 'Fn::Sub': '{{resolve:secretsmanager:${FriggDatabaseSecret}:SecretString:username}}' },
+                    Password: { 'Fn::Sub': '{{resolve:secretsmanager:${FriggDatabaseSecret}:SecretString:password}}' },
+                    Endpoint: discoveredResources.aurora.endpoint,
+                    Port: discoveredResources.aurora.port,
+                    DatabaseName: dbConfig.databaseName || 'frigg_db'
+                }
+            ]
+        };
+
+        console.log('✅ Self-healing configuration complete:');
+        console.log('   - New secret will be created with auto-generated password');
+        console.log('   - SecretTargetAttachment will automatically update cluster password');
+        console.log('   - No manual password sync required!');
     } else {
-        throw new Error('No database secret found. Provide secretArn in database.postgres configuration or ensure Secrets Manager secret exists.');
+        throw new Error(
+            'No database secret found. Options:\n' +
+            '  1. Provide secretArn in database.postgres configuration\n' +
+            '  2. Ensure Secrets Manager secret exists\n' +
+            '  3. Enable self-healing: set database.postgres.selfHeal to true (for Frigg-managed clusters only)'
+        );
     }
 
     // Set DB_TYPE for Prisma client selection
@@ -2306,6 +2425,18 @@ const attachIntegrations = (definition, AppDefinition) => {
         `Processing ${AppDefinition.integrations.length} integrations...`
     );
 
+    // Get the functionPackageConfig from the definition (defined in createBaseDefinition)
+    const functionPackageConfig = {
+        exclude: [
+            'node_modules/aws-sdk/**',
+            'node_modules/@aws-sdk/**',
+            'node_modules/@prisma/**',
+            'node_modules/.prisma/**',
+            'node_modules/prisma/**',
+            'node_modules/@friggframework/core/generated/**',
+        ],
+    };
+
     for (const integration of AppDefinition.integrations) {
         if (!integration?.Definition?.name) {
             throw new Error('Invalid integration: missing Definition or name');
@@ -2318,6 +2449,7 @@ const attachIntegrations = (definition, AppDefinition) => {
 
         definition.functions[integrationName] = {
             handler: `node_modules/@friggframework/core/handlers/routers/integration-defined-routers.handlers.${integrationName}.handler`,
+            package: functionPackageConfig,
             events: [
                 {
                     httpApi: {
@@ -2346,6 +2478,7 @@ const attachIntegrations = (definition, AppDefinition) => {
         const queueWorkerName = `${integrationName}QueueWorker`;
         definition.functions[queueWorkerName] = {
             handler: `node_modules/@friggframework/core/handlers/workers/integration-defined-workers.handlers.${integrationName}.queueWorker`,
+            package: functionPackageConfig,
             reservedConcurrency: 5,
             events: [
                 {
@@ -2412,8 +2545,9 @@ const configureWebsockets = (definition, AppDefinition) => {
 /**
  * Ensure Prisma Lambda Layer exists
  * Automatically builds the layer if it doesn't exist in the project root
+ * @param {Object} databaseConfig - Database configuration from AppDefinition.database
  */
-async function ensurePrismaLayerExists() {
+async function ensurePrismaLayerExists(databaseConfig = {}) {
     const projectRoot = process.cwd();
     const layerPath = path.join(projectRoot, 'layers/prisma');
 
@@ -2425,10 +2559,12 @@ async function ensurePrismaLayerExists() {
 
     // Layer doesn't exist - build it automatically
     console.log('📦 Prisma Lambda Layer not found - building automatically...');
+    console.log('   Building layer with CLI (used by all functions including dbMigrate)');
     console.log('   This may take a minute on first deployment.\n');
 
     try {
-        await buildPrismaLayer();
+        // Build layer WITH CLI (includeCLI = true) - all functions use same layer
+        await buildPrismaLayer(databaseConfig, true);
         console.log('✓ Prisma Lambda Layer built successfully\n');
     } catch (error) {
         console.error('✗ Failed to build Prisma Lambda Layer:', error.message);
@@ -2441,7 +2577,8 @@ const composeServerlessDefinition = async (AppDefinition) => {
     console.log('composeServerlessDefinition', AppDefinition);
 
     // Ensure Prisma layer exists before generating serverless config
-    await ensurePrismaLayerExists();
+    // Pass database config so layer only includes needed database clients
+    await ensurePrismaLayerExists(AppDefinition.database || {});
 
     const discoveredResources = await gatherDiscoveredResources(AppDefinition);
     const appEnvironmentVars = getAppEnvironmentVars(AppDefinition);

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@friggframework/devtools",
   "prettier": "@friggframework/prettier-config",
-  "version": "2.0.0--canary.454.25d396a.0",
+  "version": "2.0.0--canary.461.84ff4f5.0",
   "dependencies": {
     "@aws-sdk/client-ec2": "^3.835.0",
     "@aws-sdk/client-kms": "^3.835.0",
@@ -11,8 +11,8 @@
     "@babel/eslint-parser": "^7.18.9",
     "@babel/parser": "^7.25.3",
     "@babel/traverse": "^7.25.3",
-    "@friggframework/schemas": "2.0.0--canary.454.25d396a.0",
-    "@friggframework/test": "2.0.0--canary.454.25d396a.0",
+    "@friggframework/schemas": "2.0.0--canary.461.84ff4f5.0",
+    "@friggframework/test": "2.0.0--canary.461.84ff4f5.0",
     "@hapi/boom": "^10.0.1",
     "@inquirer/prompts": "^5.3.8",
     "axios": "^1.7.2",
@@ -34,8 +34,8 @@
     "serverless-http": "^2.7.0"
   },
   "devDependencies": {
-    "@friggframework/eslint-config": "2.0.0--canary.454.25d396a.0",
-    "@friggframework/prettier-config": "2.0.0--canary.454.25d396a.0",
+    "@friggframework/eslint-config": "2.0.0--canary.461.84ff4f5.0",
+    "@friggframework/prettier-config": "2.0.0--canary.461.84ff4f5.0",
     "aws-sdk-client-mock": "^4.1.0",
     "aws-sdk-client-mock-jest": "^4.1.0",
     "jest": "^30.1.3",
@@ -70,5 +70,5 @@
   "publishConfig": {
     "access": "public"
   },
-  "gitHead": "25d396ab0d73094bfab4853f9ff15a5500174ca7"
+  "gitHead": "84ff4f5a8ab85a143a491d4337965e534c1a73fb"
 }