npm - @go-to-k/cdkd - Versions diffs - 0.132.4 → 0.134.0 - Mend

@go-to-k/cdkd 0.132.4 → 0.134.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/cli.js +108 -81
package/dist/cli.js.map +1 -1
package/dist/deploy-engine-Dn7oV5rA.js.map +1 -1
package/dist/index.d.ts.map +1 -1
package/package.json +1 -1

package/dist/cli.js CHANGED Viewed

@@ -34750,6 +34750,31 @@ function createStateCommand() {
 	return cmd;
 }
+//#endregion
+//#region src/cli/cfn-stack-states.ts
+/**
+* Stable terminal CloudFormation stack states.
+*
+* Sourced from the AWS CloudFormation API documentation: a stack in any
+* of these states has settled (success or rolled-back) and is safe to
+* read / mutate. Every other status (`*_IN_PROGRESS`, `*_FAILED`,
+* `REVIEW_IN_PROGRESS`) means the stack is mid-operation or in an
+* unhealthy state — callers gate AWS-side mutations behind this set so
+* the user can settle the source before paying for further work.
+*
+* Single source of truth — consumed by both `cdkd migrate`'s pre-flight
+* check (`src/cli/commands/migrate/cfn-stack-prefetch.ts`) and the
+* `cdkd import --migrate-from-cloudformation` retirement flow
+* (`src/cli/commands/retire-cfn-stack.ts`).
+*/
+const STABLE_TERMINAL_STATUSES = new Set([
+	"CREATE_COMPLETE",
+	"UPDATE_COMPLETE",
+	"UPDATE_ROLLBACK_COMPLETE",
+	"IMPORT_COMPLETE",
+	"IMPORT_ROLLBACK_COMPLETE"
+]);
 //#endregion
 //#region src/cli/upload-cfn-template.ts
 /**
@@ -35191,18 +35216,6 @@ function parseCfnTemplateWithFormat(text) {
 //#endregion
 //#region src/cli/commands/retire-cfn-stack.ts
 /**
-* Stack states from which an UpdateStack call is safe. Anything else (an
-* IN_PROGRESS, FAILED, or REVIEW_IN_PROGRESS state) means the stack is
-* mid-operation or in an unhealthy state we should not touch.
-*/
-const STABLE_TERMINAL_STATUSES = new Set([
-	"CREATE_COMPLETE",
-	"UPDATE_COMPLETE",
-	"UPDATE_ROLLBACK_COMPLETE",
-	"IMPORT_COMPLETE",
-	"IMPORT_ROLLBACK_COMPLETE"
-]);
-/**
 * UpdateStack TemplateBody hard limit (51,200 bytes). Templates larger than
 * this are uploaded to cdkd's state S3 bucket and submitted via `TemplateURL`
 * instead — see {@link uploadTemplateForUpdateStack}.
@@ -44085,7 +44098,7 @@ function attachAuthorizers(stacks, routes) {
 	const out = [];
 	const errors = [];
 	for (const route of routes) {
-		if (route.unsupported || route.mockCors || route.serviceIntegration) {
+		if (route.unsupported || route.mockCors) {
 			out.push({ route });
 			continue;
 		}
@@ -44115,45 +44128,6 @@ function attachAuthorizers(stacks, routes) {
 	return out;
 }
 /**
-* Walk every discovered route and return the service-integration routes
-* whose source CFn resource declares an authorizer (HTTP API v2 routes
-* with `AuthorizationType !== 'NONE'`). Service-integration routes only
-* exist on `AWS::ApiGatewayV2::Route`; REST v1 service integrations are
-* a different shape and not yet supported.
-*/
-function findIgnoredServiceIntegrationAuthorizers(stacks, routes) {
-	const stackByRoute = /* @__PURE__ */ new Map();
-	for (const stack of stacks) {
-		const prefix = `${stack.stackName}/`;
-		for (const route of routes) if (route.declaredAt.startsWith(prefix)) stackByRoute.set(route.declaredAt, stack);
-	}
-	const out = [];
-	for (const route of routes) {
-		if (!route.serviceIntegration) continue;
-		const stack = stackByRoute.get(route.declaredAt);
-		if (!stack) continue;
-		const slash = route.declaredAt.indexOf("/");
-		if (slash < 0) continue;
-		const logicalId = route.declaredAt.slice(slash + 1);
-		const resource = stack.template.Resources?.[logicalId];
-		if (!resource || resource.Type !== "AWS::ApiGatewayV2::Route") continue;
-		const props = resource.Properties ?? {};
-		const authType = props["AuthorizationType"];
-		if (typeof authType !== "string" || authType === "" || authType.toUpperCase() === "NONE") continue;
-		let authorizerName;
-		if (authType === "AWS_IAM") authorizerName = "AWS_IAM";
-		else {
-			const ref = props["AuthorizerId"];
-			authorizerName = (ref && typeof ref === "object" && "Ref" in ref && typeof ref.Ref === "string" ? ref.Ref : void 0) ?? `<authType=${authType}, AuthorizerId malformed>`;
-		}
-		out.push({
-			declaredAt: route.declaredAt,
-			authorizerName
-		});
-	}
-	return out;
-}
-/**
 * Detect the authorizer (if any) attached to a discovered route.
 * Walks the original CFn resource for the route in `stack.template`.
 */
@@ -45424,6 +45398,11 @@ function resolveSingleReference(ref, ctx) {
 	}
 	if (ref.startsWith("$context.")) {
 		const key = ref.substring(9);
+		if (key === "authorizer" || key.startsWith("authorizer.")) {
+			if (!ctx.authorizer) return "";
+			if (key === "authorizer") return JSON.stringify(ctx.authorizer);
+			return resolveAuthorizerPath(ctx.authorizer, key.substring(11));
+		}
 		return ctx.context[key] ?? "";
 	}
 	if (ref.startsWith("$stageVariables.")) {
@@ -45467,6 +45446,36 @@ function resolveBodyJsonPath(body, path) {
 	if (typeof cursor === "string") return cursor;
 	return JSON.stringify(cursor);
 }
+/**
+* Walk a dot-separated path against the authorizer verdict map (#502).
+* Used by `$context.authorizer.X` selection expressions on
+* service-integration routes. Mirrors `resolveBodyJsonPath`'s shape:
+*   - Empty leaf / undefined → `""`.
+*   - String leaf → returned verbatim.
+*   - Non-string leaf → `JSON.stringify`'d (matches AWS-deployed
+*     behavior; `$context.authorizer.jwt.claims` resolves to the JSON
+*     object as a string).
+*
+* Array indexing via `[N]` is supported (rare for authorizer
+* verdicts but cheap to support).
+*/
+function resolveAuthorizerPath(authorizer, path) {
+	if (path === "") return "";
+	const segments = path.split(/\.|\[(\d+)\]/).filter((s) => s !== void 0 && s !== "");
+	let cursor = authorizer;
+	for (const seg of segments) {
+		if (cursor === null || cursor === void 0) return "";
+		if (typeof cursor !== "object") return "";
+		if (Array.isArray(cursor)) {
+			const idx = Number(seg);
+			if (!Number.isInteger(idx)) return "";
+			cursor = cursor[idx];
+		} else cursor = cursor[seg];
+	}
+	if (cursor === void 0 || cursor === null) return "";
+	if (typeof cursor === "string") return cursor;
+	return JSON.stringify(cursor);
+}
 //#endregion
 //#region src/local/http-server.ts
@@ -45568,10 +45577,6 @@ async function handleRequest(req, res, state, opts) {
 		writeNotImplemented(res, match.route.unsupported.reason);
 		return;
 	}
-	if (match.route.serviceIntegration) {
-		await handleServiceIntegrationRequest(req, res, match, bodyBuf, opts);
-		return;
-	}
 	const authorizer = state.routes.find((r) => r.route.declaredAt === match.route.declaredAt && r.route.method === match.route.method)?.authorizer;
 	const clientCert = opts.mtls ? extractClientCert(req) : void 0;
 	const snapshot = {
@@ -45606,6 +45611,10 @@ async function handleRequest(req, res, state, opts) {
 		const overlay = buildOverlay(authorizer, authResult);
 		if (overlay) baseEvent = applyAuthorizerOverlay(baseEvent, overlay);
 	}
+	if (match.route.serviceIntegration) {
+		await handleServiceIntegrationRequest(req, res, match, bodyBuf, opts, authorizer, authResult);
+		return;
+	}
 	if (match.route.restV1Integration) {
 		try {
 			writeIntegrationOutcome(res, await dispatchRestV1Integration(match.route.restV1Integration, snapshot, matchCtx, state, opts));
@@ -46171,7 +46180,7 @@ function writeError(res, statusCode, body = "{\"message\":\"Internal server erro
 * auth pass. A follow-up PR can hoist the auth pass earlier — keeping it
 * out of this PR limits the blast radius.
 */
-async function handleServiceIntegrationRequest(req, res, match, bodyBuf, opts) {
+async function handleServiceIntegrationRequest(req, res, match, bodyBuf, opts, authorizer, authResult) {
 	const route = match.route;
 	const svc = route.serviceIntegration;
 	if (!svc) {
@@ -46183,6 +46192,7 @@ async function handleServiceIntegrationRequest(req, res, match, bodyBuf, opts) {
 	const queryString = parseQueryStringSingular(rawUrl);
 	const requestPath = rawUrl.split("?")[0] ?? "/";
 	const context = buildServiceIntegrationContextVars(req, route);
+	const authorizerCtx = buildAuthorizerContextForServiceIntegration(authorizer, authResult);
 	const ctx = {
 		headers: headersFlat,
 		queryString,
@@ -46190,7 +46200,8 @@ async function handleServiceIntegrationRequest(req, res, match, bodyBuf, opts) {
 		requestPath,
 		body: bodyBuf.toString("utf8"),
 		context,
-		stageVariables: route.stageVariables ?? {}
+		stageVariables: route.stageVariables ?? {},
+		...authorizerCtx && { authorizer: authorizerCtx }
 	};
 	const outcome = resolveServiceIntegrationParameters(svc.requestParameters, ctx);
 	if (outcome.kind === "error") {
@@ -46261,6 +46272,44 @@ function buildServiceIntegrationContextVars(req, route) {
 	};
 }
 /**
+* Build the `authorizer` field for the parameter-mapping context on
+* service-integration routes (#502). Surfaces the authorizer's verdict
+* in the same shape `applyAuthorizerOverlay` writes onto the Lambda
+* event so users can reference `$context.authorizer.X` /
+* `$context.authorizer.jwt.claims.X` / `$context.authorizer.claims.X`
+* in `RequestParameters`.
+*
+* Per-kind shape:
+*   - Lambda authorizers (`lambda-token` / `lambda-request` / `iam`):
+*     `principalId` + flat `context` fields land at the top level
+*     (`$context.authorizer.principalId`, `$context.authorizer.<key>`).
+*   - Cognito (REST v1): claims under `$context.authorizer.claims.X`.
+*   - JWT (HTTP v2): claims under `$context.authorizer.jwt.claims.X` +
+*     `$context.authorizer.jwt.scopes`.
+*
+* Returns `undefined` when no authorizer fired (route had
+* `AuthorizationType: NONE` / no authorizer attached).
+*/
+function buildAuthorizerContextForServiceIntegration(authorizer, result) {
+	if (!authorizer || !result) return void 0;
+	if (authorizer.kind === "lambda-token" || authorizer.kind === "lambda-request") {
+		const ctx = {};
+		if (result.principalId !== void 0) ctx["principalId"] = result.principalId;
+		if (result.context) Object.assign(ctx, result.context);
+		return ctx;
+	}
+	if (authorizer.kind === "iam") {
+		const ctx = {};
+		if (result.principalId !== void 0) ctx["principalId"] = result.principalId;
+		return ctx;
+	}
+	if (authorizer.kind === "cognito") return { claims: { ...result.context ?? {} } };
+	return { jwt: {
+		claims: { ...result.context ?? {} },
+		scopes: []
+	} };
+}
+/**
 * Write the 501 Not Implemented response surfaced for routes the
 * discovery layer flagged as `unsupported`. The integration's reason
 * (e.g. "MOCK integration is not emulated", "WebSocket APIs are not
@@ -47022,7 +47071,6 @@ async function localStartApiCommand(target, options) {
 	warnVpcConfigLambdas(initialMaterial.routes, initialMaterial.stacks ?? []);
 	sigV4CredentialsLoader = defaultCredentialsLoader();
 	warnIamRoutes(initialMaterial.routes);
-	warnIgnoredServiceIntegrationAuthorizers(initialMaterial.routes, initialMaterial.stacks ?? []);
 	let maxTimeoutSec = 0;
 	for (const spec of initialMaterial.specs.values()) if (spec.lambda.timeoutSec > maxTimeoutSec) maxTimeoutSec = spec.lambda.timeoutSec;
 	const rieTimeoutMs = Math.max(3e4, maxTimeoutSec * 2 * 1e3);
@@ -47284,27 +47332,6 @@ function warnIamRoutes(routesWithAuth) {
 	return true;
 }
 /**
-* #458 / PR #500 review: emit a one-line warn naming every service-
-* integration route whose source CFn resource declares an authorizer
-* (HTTP API v2 routes with `AuthorizationType !== 'NONE'`). The
-* dispatcher in `http-server.ts` runs the SDK call BEFORE the
-* authorizer pass would fire, so without this warn a CDK app that
-* wires JWT / Lambda / Cognito / IAM authorizers onto service
-* integrations would silently let every local request reach the SDK
-* call without auth. Threading the auth pass through the
-* service-integration dispatcher is a follow-up issue. Returns the
-* number of warned routes so tests can assert the firing path; the
-* value is otherwise unused.
-*/
-function warnIgnoredServiceIntegrationAuthorizers(routesWithAuth, stacks) {
-	const logger = getLogger();
-	const ignored = findIgnoredServiceIntegrationAuthorizers(stacks, routesWithAuth.map((entry) => entry.route));
-	if (ignored.length === 0) return 0;
-	logger.warn(`${ignored.length} HTTP API v2 service-integration route(s) declare an authorizer but cdkd local start-api dispatches the SDK call BEFORE the authorizer pass — every local request reaches the SDK call WITHOUT authentication. This is a deferred feature; see https://github.com/go-to-k/cdkd/issues/502 for the follow-up tracking issue.`);
-	for (const entry of ignored) logger.warn(`  - ${entry.declaredAt}: authorizer '${entry.authorizerName}' is configured but ignored`);
-	return ignored.length;
-}
-/**
 * Build the per-Lambda container spec — code dir, env vars (template +
 * --env-vars overlay), STS-issued creds when --assume-role names this
 * Lambda, optional --debug-port reservation. Errors out with a clear
@@ -51873,7 +51900,7 @@ function reorderArgs(argv) {
 */
 async function main() {
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.132.4");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.134.0");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());