@friggframework/devtools 2.0.0--canary.490.7d57f02.0 → 2.0.0--canary.490.56e2519.0

package/infrastructure/domains/networking/vpc-resolver.js

@@ -54,9 +54,10 @@ class VpcResourceResolver extends BaseResourceResolver {
     /**
      * Resolve Security Group ownership
      *
-     * Special logic: We ALWAYS create our own FriggLambdaSecurityGroup with specific
-     * rules unless the user explicitly provides external SG IDs. The discovered
-     * defaultSecurityGroupId is the VPC's default SG, but we need our own Lambda SG.
+     * Logic:
+     * - If FriggLambdaSecurityGroup exists in stack → STACK (keep it)
+     * - If default SG discovered from VPC → EXTERNAL (use it)
+     * - Otherwise → STACK (create FriggLambdaSecurityGroup)
      *
      * @param {Object} appDefinition - App definition
      * @param {Object} discovery - Discovery result
@@ -65,7 +66,7 @@ class VpcResourceResolver extends BaseResourceResolver {
     resolveSecurityGroup(appDefinition, discovery) {
         const userIntent = appDefinition.vpc?.ownership?.securityGroup || 'auto';
 
-        // Explicit external - only use external SGs if user explicitly provides them
+        // Explicit external - use provided SG IDs
         if (userIntent === 'external') {
             this.requireExternalIds(
                 appDefinition.vpc?.external?.securityGroupIds,
@@ -77,21 +78,42 @@ class VpcResourceResolver extends BaseResourceResolver {
             );
         }
 
-        // For stack or auto: check if FriggLambdaSecurityGroup exists in stack
-        // If it does, reuse it. If not, create it. Never use discovered default SG.
+        // Explicit stack - always create FriggLambdaSecurityGroup
+        if (userIntent === 'stack') {
+            const inStack = this.findInStack('FriggLambdaSecurityGroup', discovery);
+            return this.createStackDecision(
+                inStack?.physicalId,
+                inStack 
+                    ? 'Found FriggLambdaSecurityGroup in CloudFormation stack'
+                    : 'User specified ownership=stack - will create FriggLambdaSecurityGroup'
+            );
+        }
+
+        // Auto mode: Check stack first, then check for discovered default SG
         const inStack = this.findInStack('FriggLambdaSecurityGroup', discovery);
 
         if (inStack) {
             return this.createStackDecision(
                 inStack.physicalId,
-                'Found FriggLambdaSecurityGroup in CloudFormation stack'
+                'Found FriggLambdaSecurityGroup in CloudFormation stack - must keep in template'
+            );
+        }
+
+        // Check for discovered default security group (from old canary pattern)
+        const structured = discovery._structured || discovery;
+        const defaultSgId = structured.defaultSecurityGroupId || discovery.defaultSecurityGroupId;
+        
+        if (defaultSgId) {
+            return this.createExternalDecision(
+                [defaultSgId],
+                'Found default security group via discovery - will reuse (matches canary behavior)'
             );
         }
 
-        // Create new FriggLambdaSecurityGroup in stack
+        // No SG found anywhere - create new FriggLambdaSecurityGroup
         return this.createStackDecision(
             null,
-            'No existing FriggLambdaSecurityGroup - will create in stack'
+            'No security group found - will create FriggLambdaSecurityGroup in stack'
         );
     }
 

package/infrastructure/domains/shared/cloudformation-discovery.js

@@ -169,6 +169,26 @@ class CloudFormationDiscovery {
                             discovered.privateSubnetId2 = subnetAssociations[1].SubnetId;
                             console.log(`  ✓ Extracted private subnet 2 from associations: ${subnetAssociations[1].SubnetId}`);
                         }
+
+                        // Query for default security group in the VPC (matches canary behavior)
+                        if (routeTable.VpcId && !discovered.defaultSecurityGroupId) {
+                            try {
+                                const { DescribeSecurityGroupsCommand } = require('@aws-sdk/client-ec2');
+                                const sgResponse = await ec2.send(new DescribeSecurityGroupsCommand({
+                                    Filters: [
+                                        { Name: 'vpc-id', Values: [routeTable.VpcId] },
+                                        { Name: 'group-name', Values: ['default'] }
+                                    ]
+                                }));
+                                
+                                if (sgResponse.SecurityGroups && sgResponse.SecurityGroups.length > 0) {
+                                    discovered.defaultSecurityGroupId = sgResponse.SecurityGroups[0].GroupId;
+                                    console.log(`  ✓ Extracted default security group: ${discovered.defaultSecurityGroupId}`);
+                                }
+                            } catch (error) {
+                                console.warn(`  ⚠️  Could not query default security group: ${error.message}`);
+                            }
+                        }
                     }
                 } catch (error) {
                     console.warn(`  ⚠️  Could not query route table for external references: ${error.message}`);

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@friggframework/devtools",
   "prettier": "@friggframework/prettier-config",
-  "version": "2.0.0--canary.490.7d57f02.0",
+  "version": "2.0.0--canary.490.56e2519.0",
   "bin": {
     "frigg": "./frigg-cli/index.js"
   },
@@ -16,9 +16,9 @@
     "@babel/eslint-parser": "^7.18.9",
     "@babel/parser": "^7.25.3",
     "@babel/traverse": "^7.25.3",
-    "@friggframework/core": "2.0.0--canary.490.7d57f02.0",
-    "@friggframework/schemas": "2.0.0--canary.490.7d57f02.0",
-    "@friggframework/test": "2.0.0--canary.490.7d57f02.0",
+    "@friggframework/core": "2.0.0--canary.490.56e2519.0",
+    "@friggframework/schemas": "2.0.0--canary.490.56e2519.0",
+    "@friggframework/test": "2.0.0--canary.490.56e2519.0",
     "@hapi/boom": "^10.0.1",
     "@inquirer/prompts": "^5.3.8",
     "axios": "^1.7.2",
@@ -46,8 +46,8 @@
     "validate-npm-package-name": "^5.0.0"
   },
   "devDependencies": {
-    "@friggframework/eslint-config": "2.0.0--canary.490.7d57f02.0",
-    "@friggframework/prettier-config": "2.0.0--canary.490.7d57f02.0",
+    "@friggframework/eslint-config": "2.0.0--canary.490.56e2519.0",
+    "@friggframework/prettier-config": "2.0.0--canary.490.56e2519.0",
     "aws-sdk-client-mock": "^4.1.0",
     "aws-sdk-client-mock-jest": "^4.1.0",
     "jest": "^30.1.3",
@@ -79,5 +79,5 @@
   "publishConfig": {
     "access": "public"
   },
-  "gitHead": "7d57f02625ea51ce9dadd5e1535aac1c4491b9da"
+  "gitHead": "56e2519bb620b497d18bb354b8905e8a6c343a58"
 }