npm - @friggframework/devtools - Versions diffs - 2.0.0--canary.463.62579dd.0 → 2.0.0--canary.461.84ff4f5.0 - Mend

@friggframework/devtools 2.0.0--canary.463.62579dd.0 → 2.0.0--canary.461.84ff4f5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

package/frigg-cli/__tests__/unit/commands/db-setup.test.js +1 -1
package/frigg-cli/db-setup-command/index.js +1 -1
package/infrastructure/POSTGRES-CONFIGURATION.md +630 -0
package/infrastructure/README.md +51 -0
package/infrastructure/__tests__/postgres-config.test.js +914 -0
package/infrastructure/aws-discovery.js +507 -2
package/infrastructure/aws-discovery.test.js +447 -1
package/infrastructure/scripts/build-prisma-layer.js +534 -0
package/infrastructure/serverless-template.js +602 -80
package/infrastructure/serverless-template.test.js +91 -0
package/package.json +8 -6
package/frigg-cli/__tests__/unit/utils/prisma-runner.test.js +0 -486
package/frigg-cli/utils/prisma-runner.js +0 -280

package/infrastructure/serverless-template.js CHANGED Viewed

@@ -1,6 +1,7 @@
 const path = require('path');
 const fs = require('fs');
 const { AWSDiscovery } = require('./aws-discovery');
+const { buildPrismaLayer } = require('./scripts/build-prisma-layer');
 const shouldRunDiscovery = (AppDefinition) => {
     console.log(
@@ -17,7 +18,8 @@ const shouldRunDiscovery = (AppDefinition) => {
     return (
         AppDefinition.vpc?.enable === true ||
         AppDefinition.encryption?.fieldLevelEncryptionMethod === 'kms' ||
-        AppDefinition.ssm?.enable === true
+        AppDefinition.ssm?.enable === true ||
+        AppDefinition.database?.postgres?.enable === true
     );
 };
@@ -68,8 +70,7 @@ const getAppEnvironmentVars = (AppDefinition) => {
     }
     if (skippedKeys.length > 0) {
         console.log(
-            `   ⚠️  Skipped ${
-                skippedKeys.length
+            `   ⚠️  Skipped ${skippedKeys.length
             } reserved AWS Lambda variables: ${skippedKeys.join(', ')}`
         );
     }
@@ -544,10 +545,18 @@ const gatherDiscoveredResources = async (AppDefinition) => {
     try {
         const region = process.env.AWS_REGION || 'us-east-1';
         const discovery = new AWSDiscovery(region);
+        // Use Serverless Framework's stage resolution (opt:stage with 'dev' as default)
+        // This matches how serverless.yml resolves ${opt:stage, "dev"}
+        // IMPORTANT: Use SLS_STAGE (not STAGE) to match actual deployment stage
+        const stage = process.env.SLS_STAGE || 'dev';
         const config = {
             vpc: AppDefinition.vpc || {},
             encryption: AppDefinition.encryption || {},
             ssm: AppDefinition.ssm || {},
+            database: AppDefinition.database || {},
+            serviceName: AppDefinition.name || 'create-frigg-app',
+            stage: stage,
         };
         const discoveredResources = await discovery.discoverResources(config);
@@ -603,6 +612,22 @@ const buildEnvironment = (appEnvironmentVars, discoveredResources) => {
         }
     }
+    // Add Aurora discovery mappings
+    if (discoveredResources.aurora) {
+        if (discoveredResources.aurora.clusterIdentifier) {
+            environment.AWS_DISCOVERY_AURORA_CLUSTER_ID = discoveredResources.aurora.clusterIdentifier;
+        }
+        if (discoveredResources.aurora.endpoint) {
+            environment.AWS_DISCOVERY_AURORA_ENDPOINT = discoveredResources.aurora.endpoint;
+        }
+        if (discoveredResources.aurora.port) {
+            environment.AWS_DISCOVERY_AURORA_PORT = discoveredResources.aurora.port.toString();
+        }
+        if (discoveredResources.aurora.secretArn) {
+            environment.AWS_DISCOVERY_AURORA_SECRET_ARN = discoveredResources.aurora.secretArn;
+        }
+    }
     return environment;
 };
@@ -613,20 +638,72 @@ const createBaseDefinition = (
 ) => {
     const region = process.env.AWS_REGION || 'us-east-1';
+    // Function-level package config to exclude Prisma and AWS SDK
+    // Uses native Serverless package.exclude since jetpack function-level config isn't supported in v3
+    const functionPackageConfig = {
+        exclude: [
+            // Exclude AWS SDK (already in Lambda runtime)
+            'node_modules/aws-sdk/**',
+            'node_modules/@aws-sdk/**',
+            // Exclude Prisma (provided via Lambda Layer)
+            'node_modules/@prisma/**',
+            'node_modules/.prisma/**',
+            'node_modules/prisma/**',
+            'node_modules/@friggframework/core/generated/**',
+        ],
+    };
     return {
         frameworkVersion: '>=3.17.0',
         service: AppDefinition.name || 'create-frigg-app',
         package: {
             individually: true,
-            exclude: [
-                '!**/node_modules/aws-sdk/**',
-                '!**/node_modules/@aws-sdk/**',
-                '!package.json',
+            // NOTE: These patterns are NOT used when serverless-jetpack is enabled with trace mode
+            // Jetpack's trace mode completely overrides package.patterns during dependency resolution
+            // These are kept commented out as a fallback if Jetpack needs to be disabled
+            patterns: [
+                // AWS SDK exclusions (already in Lambda runtime)
+                // '!**/node_modules/aws-sdk/**',
+                // '!**/node_modules/@aws-sdk/**',
+                // Prisma exclusions (provided via Lambda Layer)
+                // '!**/node_modules/@prisma/**',
+                // '!**/node_modules/.prisma/**',
+                // '!**/node_modules/@prisma-mongodb/**',
+                // '!**/node_modules/@prisma-postgresql/**',
+                // '!**/node_modules/prisma/**',
+                // Exclude Prisma generated clients from @friggframework/core
+                // '!**/node_modules/@friggframework/core/generated/**',
+                // Exclude development and test files
+                // '!**/test/**',
+                // '!**/tests/**',
+                // '!**/*.test.js',
+                // '!**/*.spec.js',
+                // '!**/*.map',
+                // '!**/jest.config.js',
+                // '!**/jest.unit.config.js',
+                // '!**/.eslintrc.json',
+                // '!**/.prettierrc',
+                // '!**/.prettierignore',
+                // '!**/.markdownlintignore',
+                // '!**/docker-compose.yml',
+                // '!**/package.json',
+                // '!**/README.md',
+                // '!**/*.md',
+                // Exclude .DS_Store and other OS files
+                // '!**/.DS_Store',
+                // '!**/.git/**',
+                // '!**/.claude-flow/**',
             ],
         },
         useDotenv: true,
         provider: {
             name: AppDefinition.provider || 'aws',
+            ...(process.env.AWS_PROFILE && { profile: process.env.AWS_PROFILE }),
             runtime: 'nodejs20.x',
             timeout: 30,
             region,
@@ -697,13 +774,17 @@ const createBaseDefinition = (
                 skipCacheInvalidation: false,
             },
             jetpack: {
-                base: '..',
+                base: '..',  // Essential for reaching handlers in node_modules/@friggframework
+                // NOTE: Service-level preInclude applies to EVERYTHING (functions + layers)
+                // We need to ONLY exclude from functions, not from the Prisma layer
+                // Solution: Apply exclusions at function level instead
             },
         },
         functions: {
             auth: {
-                handler:
-                    'node_modules/@friggframework/core/handlers/routers/auth.handler',
+                handler: 'node_modules/@friggframework/core/handlers/routers/auth.handler',
+                layers: [{ Ref: 'PrismaLambdaLayer' }],
+                package: functionPackageConfig,
                 events: [
                     { httpApi: { path: '/api/integrations', method: 'ANY' } },
                     {
@@ -716,20 +797,52 @@ const createBaseDefinition = (
                 ],
             },
             user: {
-                handler:
-                    'node_modules/@friggframework/core/handlers/routers/user.handler',
-                events: [
-                    { httpApi: { path: '/user/{proxy+}', method: 'ANY' } },
-                ],
+                handler: 'node_modules/@friggframework/core/handlers/routers/user.handler',
+                layers: [{ Ref: 'PrismaLambdaLayer' }],
+                package: functionPackageConfig,
+                events: [{ httpApi: { path: '/user/{proxy+}', method: 'ANY' } }],
             },
             health: {
-                handler:
-                    'node_modules/@friggframework/core/handlers/routers/health.handler',
+                handler: 'node_modules/@friggframework/core/handlers/routers/health.handler',
+                layers: [{ Ref: 'PrismaLambdaLayer' }],
+                package: functionPackageConfig,
                 events: [
                     { httpApi: { path: '/health', method: 'GET' } },
                     { httpApi: { path: '/health/{proxy+}', method: 'GET' } },
                 ],
             },
+            dbMigrate: {
+                handler: 'node_modules/@friggframework/core/handlers/workers/db-migration.handler',
+                // Uses Prisma Layer (includes CLI) - simpler than standalone packaging
+                layers: [{ Ref: 'PrismaLambdaLayer' }],
+                timeout: 300,  // 5 minutes for long-running migrations
+                memorySize: 512,  // Extra memory for Prisma CLI operations
+                reservedConcurrency: 1,  // Prevent concurrent migrations
+                description: 'Runs database migrations via Prisma (invoke manually from CI/CD). Uses Prisma layer with CLI.',
+                package: functionPackageConfig,  // Use same exclusions as other functions
+                // No events - this function is invoked manually via AWS CLI
+                maximumEventAge: 60,  // Don't retry old migration requests (60 seconds)
+                maximumRetryAttempts: 0,  // Don't auto-retry failed migrations
+                tags: {
+                    Purpose: 'DatabaseMigration',
+                    ManagedBy: 'Frigg',
+                },
+                // Environment variables for non-interactive Prisma CLI operation
+                environment: {
+                    CI: '1',  // Forces Prisma to non-interactive mode
+                    PRISMA_HIDE_UPDATE_MESSAGE: '1',  // Suppress update messages
+                    PRISMA_MIGRATE_SKIP_SEED: '1',  // Skip seeding during migrations
+                },
+            },
+        },
+        layers: {
+            prisma: {
+                path: 'layers/prisma',
+                name: '${self:service}-prisma-${sls:stage}',
+                description: 'Prisma ORM client with CLI and rhel-openssl-3.0.x binaries. Configured based on AppDefinition database settings. Used by all functions.',
+                compatibleRuntimes: ['nodejs18.x', 'nodejs20.x'],
+                retain: false,  // Don't retain old layer versions
+            },
         },
         resources: {
             Resources: {
@@ -828,18 +941,22 @@ const applyKmsConfiguration = (
     }
     if (discoveredResources.defaultKmsKeyId) {
-        console.log(
-            `Using existing KMS key: ${discoveredResources.defaultKmsKeyId}`
-        );
-        definition.resources.Resources.FriggKMSKeyAlias = {
-            Type: 'AWS::KMS::Alias',
-            DeletionPolicy: 'Retain',
-            Properties: {
-                AliasName:
-                    'alias/${self:service}-${self:provider.stage}-frigg-kms',
-                TargetKeyId: discoveredResources.defaultKmsKeyId,
-            },
-        };
+        console.log(`Using existing KMS key: ${discoveredResources.defaultKmsKeyId}`);
+        // Only create alias if it doesn't already exist
+        if (!discoveredResources.kmsAliasExists) {
+            console.log('Creating KMS alias for discovered key...');
+            definition.resources.Resources.FriggKMSKeyAlias = {
+                Type: 'AWS::KMS::Alias',
+                DeletionPolicy: 'Retain',
+                Properties: {
+                    AliasName: 'alias/${self:service}-${self:provider.stage}-frigg-kms',
+                    TargetKeyId: discoveredResources.defaultKmsKeyId,
+                },
+            };
+        } else {
+            console.log('KMS alias already exists, skipping alias creation');
+        }
         definition.provider.iamRoleStatements.push({
             Effect: 'Allow',
@@ -850,7 +967,7 @@ const applyKmsConfiguration = (
         if (AppDefinition.encryption?.createResourceIfNoneFound !== true) {
             throw new Error(
                 'KMS field-level encryption is enabled but no KMS key was found. ' +
-                    'Either provide an existing KMS key or set encryption.createResourceIfNoneFound to true to create a new key.'
+                'Either provide an existing KMS key or set encryption.createResourceIfNoneFound to true to create a new key.'
             );
         }
@@ -889,9 +1006,8 @@ const applyKmsConfiguration = (
                             Resource: '*',
                             Condition: {
                                 StringEquals: {
-                                    'kms:ViaService': `lambda.${
-                                        process.env.AWS_REGION || 'us-east-1'
-                                    }.amazonaws.com`,
+                                    'kms:ViaService': `lambda.${process.env.AWS_REGION || 'us-east-1'
+                                        }.amazonaws.com`,
                                 },
                             },
                         },
@@ -1293,13 +1409,13 @@ const configureVpc = (definition, AppDefinition, discoveredResources) => {
             };
             definition.resources.Resources.FriggPublicSubnetRouteTableAssociation =
-                {
-                    Type: 'AWS::EC2::SubnetRouteTableAssociation',
-                    Properties: {
-                        SubnetId: { Ref: 'FriggPublicSubnet' },
-                        RouteTableId: { Ref: 'FriggPublicRouteTable' },
-                    },
-                };
+            {
+                Type: 'AWS::EC2::SubnetRouteTableAssociation',
+                Properties: {
+                    SubnetId: { Ref: 'FriggPublicSubnet' },
+                    RouteTableId: { Ref: 'FriggPublicRouteTable' },
+                },
+            };
             definition.resources.Resources.FriggLambdaRouteTable = {
                 Type: 'AWS::EC2::RouteTable',
@@ -1316,22 +1432,22 @@ const configureVpc = (definition, AppDefinition, discoveredResources) => {
             };
             definition.resources.Resources.FriggPrivateSubnet1RouteTableAssociation =
-                {
-                    Type: 'AWS::EC2::SubnetRouteTableAssociation',
-                    Properties: {
-                        SubnetId: { Ref: 'FriggPrivateSubnet1' },
-                        RouteTableId: { Ref: 'FriggLambdaRouteTable' },
-                    },
-                };
+            {
+                Type: 'AWS::EC2::SubnetRouteTableAssociation',
+                Properties: {
+                    SubnetId: { Ref: 'FriggPrivateSubnet1' },
+                    RouteTableId: { Ref: 'FriggLambdaRouteTable' },
+                },
+            };
             definition.resources.Resources.FriggPrivateSubnet2RouteTableAssociation =
-                {
-                    Type: 'AWS::EC2::SubnetRouteTableAssociation',
-                    Properties: {
-                        SubnetId: { Ref: 'FriggPrivateSubnet2' },
-                        RouteTableId: { Ref: 'FriggLambdaRouteTable' },
-                    },
-                };
+            {
+                Type: 'AWS::EC2::SubnetRouteTableAssociation',
+                Properties: {
+                    SubnetId: { Ref: 'FriggPrivateSubnet2' },
+                    RouteTableId: { Ref: 'FriggLambdaRouteTable' },
+                },
+            };
         }
     } else if (subnetManagement === 'use-existing') {
         if (
@@ -1348,12 +1464,12 @@ const configureVpc = (definition, AppDefinition, discoveredResources) => {
             AppDefinition.vpc.subnets?.ids?.length > 0
                 ? AppDefinition.vpc.subnets.ids
                 : discoveredResources.privateSubnetId1 &&
-                  discoveredResources.privateSubnetId2
-                ? [
-                      discoveredResources.privateSubnetId1,
-                      discoveredResources.privateSubnetId2,
-                  ]
-                : [];
+                    discoveredResources.privateSubnetId2
+                    ? [
+                        discoveredResources.privateSubnetId1,
+                        discoveredResources.privateSubnetId2,
+                    ]
+                    : [];
         if (vpcConfig.subnetIds.length < 2) {
             if (AppDefinition.vpc.selfHeal) {
@@ -1560,13 +1676,13 @@ const configureVpc = (definition, AppDefinition, discoveredResources) => {
                     };
                     definition.resources.Resources.FriggPublicSubnetRouteTableAssociation =
-                        {
-                            Type: 'AWS::EC2::SubnetRouteTableAssociation',
-                            Properties: {
-                                SubnetId: { Ref: 'FriggPublicSubnet' },
-                                RouteTableId: { Ref: 'FriggPublicRouteTable' },
-                            },
-                        };
+                    {
+                        Type: 'AWS::EC2::SubnetRouteTableAssociation',
+                        Properties: {
+                            SubnetId: { Ref: 'FriggPublicSubnet' },
+                            RouteTableId: { Ref: 'FriggPublicRouteTable' },
+                        },
+                    };
                 }
                 definition.resources.Resources.FriggNATGateway = {
@@ -1577,11 +1693,11 @@ const configureVpc = (definition, AppDefinition, discoveredResources) => {
                         AllocationId: useExistingEip
                             ? discoveredResources.existingElasticIpAllocationId
                             : {
-                                  'Fn::GetAtt': [
-                                      'FriggNATGatewayEIP',
-                                      'AllocationId',
-                                  ],
-                              },
+                                'Fn::GetAtt': [
+                                    'FriggNATGatewayEIP',
+                                    'AllocationId',
+                                ],
+                            },
                         SubnetId: discoveredResources.publicSubnetId || {
                             Ref: 'FriggPublicSubnet',
                         },
@@ -1894,7 +2010,9 @@ const configureVpc = (definition, AppDefinition, discoveredResources) => {
                 },
             };
-            if (AppDefinition.secretsManager?.enable === true) {
+            // Create Secrets Manager VPC Endpoint if explicitly enabled OR if Aurora is enabled
+            // (Aurora requires Secrets Manager access for credential retrieval)
+            if (AppDefinition.secretsManager?.enable === true || AppDefinition.database?.postgres?.enable === true) {
                 definition.resources.Resources.VPCEndpointSecretsManager = {
                     Type: 'AWS::EC2::VPCEndpoint',
                     Properties: {
@@ -1912,6 +2030,364 @@ const configureVpc = (definition, AppDefinition, discoveredResources) => {
     }
 };
+const createAuroraInfrastructure = (definition, AppDefinition, discoveredResources) => {
+    const dbConfig = AppDefinition.database.postgres;
+    console.log('🔧 Creating Aurora Serverless v2 infrastructure...');
+    // 1. DB Subnet Group (using Lambda private subnets)
+    definition.resources.Resources.FriggDBSubnetGroup = {
+        Type: 'AWS::RDS::DBSubnetGroup',
+        Properties: {
+            DBSubnetGroupDescription: 'Subnet group for Frigg Aurora cluster',
+            SubnetIds: [
+                discoveredResources.privateSubnetId1,
+                discoveredResources.privateSubnetId2
+            ],
+            Tags: [
+                { Key: 'Name', Value: '${self:service}-${self:provider.stage}-db-subnet-group' },
+                { Key: 'ManagedBy', Value: 'Frigg' },
+                { Key: 'Service', Value: '${self:service}' },
+                { Key: 'Stage', Value: '${self:provider.stage}' },
+            ]
+        }
+    };
+    // 2. Security Group (allow Lambda SG to access 5432)
+    // In create-new VPC mode, Lambda uses FriggLambdaSecurityGroup
+    // In other modes, use discovered default security group
+    const lambdaSecurityGroupId = AppDefinition.vpc?.management === 'create-new'
+        ? { Ref: 'FriggLambdaSecurityGroup' }
+        : discoveredResources.defaultSecurityGroupId;
+    definition.resources.Resources.FriggAuroraSecurityGroup = {
+        Type: 'AWS::EC2::SecurityGroup',
+        Properties: {
+            GroupDescription: 'Security group for Frigg Aurora PostgreSQL',
+            VpcId: discoveredResources.defaultVpcId,
+            SecurityGroupIngress: [
+                {
+                    IpProtocol: 'tcp',
+                    FromPort: 5432,
+                    ToPort: 5432,
+                    SourceSecurityGroupId: lambdaSecurityGroupId,
+                    Description: 'PostgreSQL access from Lambda functions'
+                }
+            ],
+            Tags: [
+                { Key: 'Name', Value: '${self:service}-${self:provider.stage}-aurora-sg' },
+                { Key: 'ManagedBy', Value: 'Frigg' },
+                { Key: 'Service', Value: '${self:service}' },
+                { Key: 'Stage', Value: '${self:provider.stage}' },
+            ]
+        }
+    };
+    // 3. Secrets Manager Secret (database credentials)
+    definition.resources.Resources.FriggDatabaseSecret = {
+        Type: 'AWS::SecretsManager::Secret',
+        Properties: {
+            Name: '${self:service}-${self:provider.stage}-aurora-credentials',
+            Description: 'Aurora PostgreSQL credentials for Frigg application',
+            GenerateSecretString: {
+                SecretStringTemplate: JSON.stringify({
+                    username: dbConfig.masterUsername || 'frigg_admin'
+                }),
+                GenerateStringKey: 'password',
+                PasswordLength: 32,
+                ExcludeCharacters: '"@/\\'
+            },
+            Tags: [
+                { Key: 'ManagedBy', Value: 'Frigg' },
+                { Key: 'Service', Value: '${self:service}' },
+                { Key: 'Stage', Value: '${self:provider.stage}' },
+            ]
+        }
+    };
+    // 4. Aurora Serverless v2 Cluster
+    definition.resources.Resources.FriggAuroraCluster = {
+        Type: 'AWS::RDS::DBCluster',
+        DeletionPolicy: 'Snapshot',
+        UpdateReplacePolicy: 'Snapshot',
+        Properties: {
+            Engine: 'aurora-postgresql',
+            EngineVersion: dbConfig.engineVersion || '15.3',
+            EngineMode: 'provisioned',  // Required for Serverless v2
+            DatabaseName: dbConfig.databaseName || 'frigg_db',
+            MasterUsername: { 'Fn::Sub': '{{resolve:secretsmanager:${FriggDatabaseSecret}:SecretString:username}}' },
+            MasterUserPassword: { 'Fn::Sub': '{{resolve:secretsmanager:${FriggDatabaseSecret}:SecretString:password}}' },
+            DBSubnetGroupName: { Ref: 'FriggDBSubnetGroup' },
+            VpcSecurityGroupIds: [{ Ref: 'FriggAuroraSecurityGroup' }],
+            ServerlessV2ScalingConfiguration: {
+                MinCapacity: dbConfig.scaling?.minCapacity || 0.5,
+                MaxCapacity: dbConfig.scaling?.maxCapacity || 1.0
+            },
+            BackupRetentionPeriod: dbConfig.backupRetentionDays || 7,
+            PreferredBackupWindow: dbConfig.preferredBackupWindow || '03:00-04:00',
+            DeletionProtection: dbConfig.deletionProtection !== false,
+            EnableCloudwatchLogsExports: ['postgresql'],
+            Tags: [
+                { Key: 'Name', Value: '${self:service}-${self:provider.stage}-aurora-cluster' },
+                { Key: 'ManagedBy', Value: 'Frigg' },
+                { Key: 'Service', Value: '${self:service}' },
+                { Key: 'Stage', Value: '${self:provider.stage}' },
+            ]
+        }
+    };
+    // 5. Aurora Serverless v2 Instance
+    definition.resources.Resources.FriggAuroraInstance = {
+        Type: 'AWS::RDS::DBInstance',
+        Properties: {
+            Engine: 'aurora-postgresql',
+            DBInstanceClass: 'db.serverless',
+            DBClusterIdentifier: { Ref: 'FriggAuroraCluster' },
+            PubliclyAccessible: false,
+            EnablePerformanceInsights: dbConfig.enablePerformanceInsights || false,
+            Tags: [
+                { Key: 'Name', Value: '${self:service}-${self:provider.stage}-aurora-instance' },
+                { Key: 'ManagedBy', Value: 'Frigg' },
+                { Key: 'Service', Value: '${self:service}' },
+                { Key: 'Stage', Value: '${self:provider.stage}' },
+            ]
+        }
+    };
+    // 6. Secret Attachment (links cluster to secret)
+    definition.resources.Resources.FriggSecretAttachment = {
+        Type: 'AWS::SecretsManager::SecretTargetAttachment',
+        Properties: {
+            SecretId: { Ref: 'FriggDatabaseSecret' },
+            TargetId: { Ref: 'FriggAuroraCluster' },
+            TargetType: 'AWS::RDS::DBCluster'
+        }
+    };
+    // 7. Add IAM permissions for Secrets Manager
+    definition.provider.iamRoleStatements.push({
+        Effect: 'Allow',
+        Action: [
+            'secretsmanager:GetSecretValue',
+            'secretsmanager:DescribeSecret'
+        ],
+        Resource: { Ref: 'FriggDatabaseSecret' }
+    });
+    // 8. Set DATABASE_URL environment variable
+    definition.provider.environment.DATABASE_URL = {
+        'Fn::Sub': [
+            'postgresql://${Username}:${Password}@${Endpoint}:${Port}/${DatabaseName}',
+            {
+                Username: { 'Fn::Sub': '{{resolve:secretsmanager:${FriggDatabaseSecret}:SecretString:username}}' },
+                Password: { 'Fn::Sub': '{{resolve:secretsmanager:${FriggDatabaseSecret}:SecretString:password}}' },
+                Endpoint: { 'Fn::GetAtt': ['FriggAuroraCluster', 'Endpoint'] },
+                Port: { 'Fn::GetAtt': ['FriggAuroraCluster', 'Port'] },
+                DatabaseName: dbConfig.databaseName || 'frigg_db'
+            }
+        ]
+    };
+    // 9. Set DB_TYPE for Prisma client selection
+    definition.provider.environment.DB_TYPE = 'postgresql';
+    console.log('✅ Aurora infrastructure resources created');
+};
+const useExistingAurora = (definition, AppDefinition, discoveredResources) => {
+    const dbConfig = AppDefinition.database.postgres;
+    const selfHeal = AppDefinition.database?.postgres?.selfHeal !== false; // Default to true
+    console.log(`🔗 Using existing Aurora cluster: ${discoveredResources.aurora.clusterIdentifier}`);
+    console.log(`[DEBUG] discoveredResources.aurora.isFriggManaged: ${discoveredResources.aurora.isFriggManaged}`);
+    console.log(`[DEBUG] selfHeal: ${selfHeal}`);
+    console.log(`[DEBUG] discoveredResources.aurora.secretArn: ${discoveredResources.aurora.secretArn}`);
+    console.log(`[DEBUG] dbConfig.secretArn: ${dbConfig.secretArn}`);
+    // Add IAM permissions for Secrets Manager if secret exists
+    if (discoveredResources.aurora.secretArn) {
+        definition.provider.iamRoleStatements.push({
+            Effect: 'Allow',
+            Action: [
+                'secretsmanager:GetSecretValue',
+                'secretsmanager:DescribeSecret'
+            ],
+            Resource: discoveredResources.aurora.secretArn
+        });
+        // Set DATABASE_URL from discovered secret
+        definition.provider.environment.DATABASE_URL = {
+            'Fn::Sub': [
+                'postgresql://${Username}:${Password}@${Endpoint}:${Port}/${DatabaseName}',
+                {
+                    Username: { 'Fn::Sub': `{{resolve:secretsmanager:${discoveredResources.aurora.secretArn}:SecretString:username}}` },
+                    Password: { 'Fn::Sub': `{{resolve:secretsmanager:${discoveredResources.aurora.secretArn}:SecretString:password}}` },
+                    Endpoint: discoveredResources.aurora.endpoint,
+                    Port: discoveredResources.aurora.port,
+                    DatabaseName: dbConfig.databaseName || 'frigg_db'
+                }
+            ]
+        };
+    } else if (dbConfig.secretArn) {
+        // Use user-provided secret ARN
+        definition.provider.iamRoleStatements.push({
+            Effect: 'Allow',
+            Action: [
+                'secretsmanager:GetSecretValue',
+                'secretsmanager:DescribeSecret'
+            ],
+            Resource: dbConfig.secretArn
+        });
+        definition.provider.environment.DATABASE_URL = {
+            'Fn::Sub': [
+                'postgresql://${Username}:${Password}@${Endpoint}:${Port}/${DatabaseName}',
+                {
+                    Username: { 'Fn::Sub': `{{resolve:secretsmanager:${dbConfig.secretArn}:SecretString:username}}` },
+                    Password: { 'Fn::Sub': `{{resolve:secretsmanager:${dbConfig.secretArn}:SecretString:password}}` },
+                    Endpoint: discoveredResources.aurora.endpoint,
+                    Port: discoveredResources.aurora.port,
+                    DatabaseName: dbConfig.databaseName || 'frigg_db'
+                }
+            ]
+        };
+    } else if (selfHeal && discoveredResources.aurora?.isFriggManaged) {
+        // Self-healing mode: recreate missing secret for Frigg-managed cluster
+        console.log('⚠️  No database secret found for Frigg-managed cluster');
+        console.log('🔧 Self-healing enabled: Creating new database secret with automatic password rotation');
+        // Get the current master username from the cluster
+        const currentUsername = discoveredResources.aurora.masterUsername || dbConfig.masterUsername || 'frigg_admin';
+        // Create Secrets Manager Secret (database credentials)
+        // Note: We generate a NEW password, which will be synced to the cluster via SecretTargetAttachment
+        definition.resources.Resources.FriggDatabaseSecret = {
+            Type: 'AWS::SecretsManager::Secret',
+            Properties: {
+                Name: '${self:service}-${self:provider.stage}-aurora-credentials',
+                Description: 'Aurora PostgreSQL credentials for Frigg application (auto-healed)',
+                GenerateSecretString: {
+                    SecretStringTemplate: JSON.stringify({
+                        username: currentUsername
+                    }),
+                    GenerateStringKey: 'password',
+                    PasswordLength: 32,
+                    ExcludeCharacters: '"@/\\`\''
+                },
+                Tags: [
+                    { Key: 'ManagedBy', Value: 'Frigg' },
+                    { Key: 'Service', Value: '${self:service}' },
+                    { Key: 'Stage', Value: '${self:provider.stage}' },
+                    { Key: 'AutoHealed', Value: 'true' }
+                ]
+            }
+        };
+        // Create SecretTargetAttachment to link secret to existing cluster
+        // This will automatically rotate the cluster password to match the secret!
+        definition.resources.Resources.FriggSecretAttachment = {
+            Type: 'AWS::SecretsManager::SecretTargetAttachment',
+            Properties: {
+                SecretId: { Ref: 'FriggDatabaseSecret' },
+                TargetId: discoveredResources.aurora.clusterIdentifier,
+                TargetType: 'AWS::RDS::DBCluster'
+            }
+        };
+        // Add IAM permissions for the new secret
+        definition.provider.iamRoleStatements.push({
+            Effect: 'Allow',
+            Action: [
+                'secretsmanager:GetSecretValue',
+                'secretsmanager:DescribeSecret'
+            ],
+            Resource: { Ref: 'FriggDatabaseSecret' }
+        });
+        // Set DATABASE_URL from new secret
+        definition.provider.environment.DATABASE_URL = {
+            'Fn::Sub': [
+                'postgresql://${Username}:${Password}@${Endpoint}:${Port}/${DatabaseName}',
+                {
+                    Username: { 'Fn::Sub': '{{resolve:secretsmanager:${FriggDatabaseSecret}:SecretString:username}}' },
+                    Password: { 'Fn::Sub': '{{resolve:secretsmanager:${FriggDatabaseSecret}:SecretString:password}}' },
+                    Endpoint: discoveredResources.aurora.endpoint,
+                    Port: discoveredResources.aurora.port,
+                    DatabaseName: dbConfig.databaseName || 'frigg_db'
+                }
+            ]
+        };
+        console.log('✅ Self-healing configuration complete:');
+        console.log('   - New secret will be created with auto-generated password');
+        console.log('   - SecretTargetAttachment will automatically update cluster password');
+        console.log('   - No manual password sync required!');
+    } else {
+        throw new Error(
+            'No database secret found. Options:\n' +
+            '  1. Provide secretArn in database.postgres configuration\n' +
+            '  2. Ensure Secrets Manager secret exists\n' +
+            '  3. Enable self-healing: set database.postgres.selfHeal to true (for Frigg-managed clusters only)'
+        );
+    }
+    // Set DB_TYPE for Prisma client selection
+    definition.provider.environment.DB_TYPE = 'postgresql';
+    console.log('✅ Existing Aurora cluster configured');
+};
+const useDiscoveredAurora = (definition, AppDefinition, discoveredResources) => {
+    console.log(`🔍 Using discovered Aurora cluster: ${discoveredResources.aurora.clusterIdentifier}`);
+    useExistingAurora(definition, AppDefinition, discoveredResources);
+};
+const configurePostgres = (definition, AppDefinition, discoveredResources) => {
+    if (!AppDefinition.database?.postgres?.enable) {
+        return;
+    }
+    // Validate VPC is enabled (required for Aurora deployment)
+    if (!AppDefinition.vpc?.enable) {
+        throw new Error(
+            'Aurora PostgreSQL requires VPC deployment. ' +
+            'Set vpc.enable to true in your app definition.'
+        );
+    }
+    // Validate private subnets exist (Aurora requires at least 2 subnets in different AZs)
+    // Skip validation if VPC management is 'create-new' (subnets will be created)
+    const vpcManagement = AppDefinition.vpc?.management || 'discover';
+    if (vpcManagement !== 'create-new' && (!discoveredResources.privateSubnetId1 || !discoveredResources.privateSubnetId2)) {
+        throw new Error(
+            'Aurora PostgreSQL requires at least 2 private subnets in different availability zones. ' +
+            'No private subnets were discovered in your VPC. ' +
+            'Please create private subnets or use VPC management mode "create-new".'
+        );
+    }
+    const dbConfig = AppDefinition.database.postgres;
+    const management = dbConfig.management || 'discover';
+    console.log(`\n🐘 PostgreSQL Management Mode: ${management}`);
+    if (management === 'create-new' || discoveredResources.aurora?.needsCreation) {
+        createAuroraInfrastructure(definition, AppDefinition, discoveredResources);
+    } else if (management === 'use-existing') {
+        if (!discoveredResources.aurora?.clusterIdentifier && !dbConfig.clusterIdentifier) {
+            throw new Error('PostgreSQL management is set to "use-existing" but no clusterIdentifier was found or provided');
+        }
+        useExistingAurora(definition, AppDefinition, discoveredResources);
+    } else {
+        // discover mode
+        if (discoveredResources.aurora?.clusterIdentifier) {
+            useDiscoveredAurora(definition, AppDefinition, discoveredResources);
+        } else {
+            throw new Error('No Aurora cluster found in discovery mode. Set management to "create-new" or provide clusterIdentifier with "use-existing".');
+        }
+    }
+};
 const configureSsm = (definition, AppDefinition) => {
     if (AppDefinition.ssm?.enable !== true) {
         return;
@@ -1949,19 +2425,31 @@ const attachIntegrations = (definition, AppDefinition) => {
         `Processing ${AppDefinition.integrations.length} integrations...`
     );
+    // Get the functionPackageConfig from the definition (defined in createBaseDefinition)
+    const functionPackageConfig = {
+        exclude: [
+            'node_modules/aws-sdk/**',
+            'node_modules/@aws-sdk/**',
+            'node_modules/@prisma/**',
+            'node_modules/.prisma/**',
+            'node_modules/prisma/**',
+            'node_modules/@friggframework/core/generated/**',
+        ],
+    };
     for (const integration of AppDefinition.integrations) {
         if (!integration?.Definition?.name) {
             throw new Error('Invalid integration: missing Definition or name');
         }
         const integrationName = integration.Definition.name;
-        const queueReference = `${
-            integrationName.charAt(0).toUpperCase() + integrationName.slice(1)
-        }Queue`;
+        const queueReference = `${integrationName.charAt(0).toUpperCase() + integrationName.slice(1)
+            }Queue`;
         const queueName = `\${self:service}--\${self:provider.stage}-${queueReference}`;
         definition.functions[integrationName] = {
             handler: `node_modules/@friggframework/core/handlers/routers/integration-defined-routers.handlers.${integrationName}.handler`,
+            package: functionPackageConfig,
             events: [
                 {
                     httpApi: {
@@ -1990,6 +2478,7 @@ const attachIntegrations = (definition, AppDefinition) => {
         const queueWorkerName = `${integrationName}QueueWorker`;
         definition.functions[queueWorkerName] = {
             handler: `node_modules/@friggframework/core/handlers/workers/integration-defined-workers.handlers.${integrationName}.queueWorker`,
+            package: functionPackageConfig,
             reservedConcurrency: 5,
             events: [
                 {
@@ -2013,10 +2502,7 @@ const attachIntegrations = (definition, AppDefinition) => {
         // Add webhook handler if enabled
         const webhookConfig = integration.Definition.webhooks;
-        if (
-            webhookConfig &&
-            (webhookConfig === true || webhookConfig.enabled === true)
-        ) {
+        if (webhookConfig && (webhookConfig === true || webhookConfig.enabled === true)) {
             const webhookFunctionName = `${integrationName}Webhook`;
             definition.functions[webhookFunctionName] = {
@@ -2056,9 +2542,44 @@ const configureWebsockets = (definition, AppDefinition) => {
     };
 };
+/**
+ * Ensure Prisma Lambda Layer exists
+ * Automatically builds the layer if it doesn't exist in the project root
+ * @param {Object} databaseConfig - Database configuration from AppDefinition.database
+ */
+async function ensurePrismaLayerExists(databaseConfig = {}) {
+    const projectRoot = process.cwd();
+    const layerPath = path.join(projectRoot, 'layers/prisma');
+    // Check if layer already exists
+    if (fs.existsSync(layerPath)) {
+        console.log('✓ Prisma Lambda Layer already exists at', layerPath);
+        return;
+    }
+    // Layer doesn't exist - build it automatically
+    console.log('📦 Prisma Lambda Layer not found - building automatically...');
+    console.log('   Building layer with CLI (used by all functions including dbMigrate)');
+    console.log('   This may take a minute on first deployment.\n');
+    try {
+        // Build layer WITH CLI (includeCLI = true) - all functions use same layer
+        await buildPrismaLayer(databaseConfig, true);
+        console.log('✓ Prisma Lambda Layer built successfully\n');
+    } catch (error) {
+        console.error('✗ Failed to build Prisma Lambda Layer:', error.message);
+        console.error('  You may need to run: npm install @friggframework/core\n');
+        throw error;
+    }
+}
 const composeServerlessDefinition = async (AppDefinition) => {
     console.log('composeServerlessDefinition', AppDefinition);
+    // Ensure Prisma layer exists before generating serverless config
+    // Pass database config so layer only includes needed database clients
+    await ensurePrismaLayerExists(AppDefinition.database || {});
     const discoveredResources = await gatherDiscoveredResources(AppDefinition);
     const appEnvironmentVars = getAppEnvironmentVars(AppDefinition);
     const definition = createBaseDefinition(
@@ -2080,6 +2601,7 @@ const composeServerlessDefinition = async (AppDefinition) => {
     if (!isLocalBuild) {
         applyKmsConfiguration(definition, AppDefinition, discoveredResources);
         configureVpc(definition, AppDefinition, discoveredResources);
+        configurePostgres(definition, AppDefinition, discoveredResources);
         configureSsm(definition, AppDefinition);
     } else {
         console.log(