@jaypie/mcp 0.7.6 → 0.7.8

package/dist/suites/docs/index.js

@@ -9,7 +9,7 @@ import { gt } from 'semver';
 /**
  * Docs Suite - Documentation services (skill, version, release_notes)
  */
-const BUILD_VERSION_STRING = "@jaypie/mcp@0.7.6#2f4ca154"
+const BUILD_VERSION_STRING = "@jaypie/mcp@0.7.8#f1eb1726"
     ;
 const __filename$1 = fileURLToPath(import.meta.url);
 const __dirname$1 = path.dirname(__filename$1);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@jaypie/mcp",
-  "version": "0.7.6",
+  "version": "0.7.8",
   "description": "Jaypie MCP",
   "repository": {
     "type": "git",

package/release-notes/constructs/1.2.28.md

@@ -0,0 +1,12 @@
+---
+version: 1.2.28
+date: 2025-02-01
+summary: Expand JaypieGitHubDeployRole permissions for CDK context lookups
+---
+
+## Changes
+
+- Use `ec2:Describe*` wildcard for all EC2 describe operations (VPCs, subnets, VPN gateways, etc.)
+- Use `cloudformation:Describe*` wildcard for CloudFormation lookups
+- Add `cdk-hnb659fds-lookup-role-*` to assumable roles for CDK context provider
+- Include SSM parameter read permissions (`ssm:GetParameter`, `ssm:GetParameters`)

package/release-notes/express/1.2.10.md

@@ -0,0 +1,12 @@
+---
+version: 1.2.10
+date: 2026-02-02
+summary: Fix Lambda streaming NO_CONTENT detection using Symbol marker
+---
+
+## Bug Fixes
+
+- **#178**: Fixed Lambda streaming NO_CONTENT responses still hanging after previous fix
+  - The `_responseStream` property check failed after Express's prototype manipulation
+  - Now uses `JAYPIE_LAMBDA_STREAMING` Symbol marker for reliable detection
+  - Matches the pattern used for `JAYPIE_LAMBDA_MOCK` in buffered responses

package/release-notes/express/1.2.8.md

@@ -0,0 +1,34 @@
+---
+version: 1.2.8
+date: 2025-02-01
+summary: Fix CORS OPTIONS by calling flushHeaders() before res.end()
+---
+
+## Bug Fix
+
+Fixed CORS OPTIONS preflight requests still hanging with Lambda streaming by calling `flushHeaders()` before `res.end()`.
+
+### Problem
+
+The fix in v1.2.7 called `res.end()` for OPTIONS requests but didn't explicitly flush headers first. In Lambda streaming mode:
+
+1. `LambdaResponseStreaming._final()` closes the stream via `_wrappedStream.end()`
+2. `_wrappedStream` is only created when `flushHeaders()` is called
+3. Without explicit `flushHeaders()`, `_wrappedStream` could be null
+4. The Lambda stream never closes, causing the response to hang
+
+### Solution
+
+Added explicit `res.flushHeaders()` call before `res.end()` in the CORS OPTIONS handler to ensure the Lambda stream wrapper is initialized before ending the response.
+
+```typescript
+res.statusCode = 204;
+res.setHeader("Content-Length", "0");
+res.flushHeaders();  // Initialize _wrappedStream before ending
+res.end();
+```
+
+### Related
+
+- GitHub Issue: [#178](https://github.com/finlaysonstudio/jaypie/issues/178)
+- Follow-up to: [#174](https://github.com/finlaysonstudio/jaypie/issues/174)

package/release-notes/express/1.2.9.md

@@ -0,0 +1,22 @@
+---
+version: 1.2.9
+date: 2026-02-02
+summary: Fix Lambda streaming hang for NO_CONTENT responses via expressHandler
+---
+
+# @jaypie/express 1.2.9
+
+## Bug Fixes
+
+- **Lambda streaming NO_CONTENT hang**: Fixed issue where `httpHandler(HTTP.CODE.NO_CONTENT)` routes would hang when using Lambda streaming. The previous fix (1.2.8) only addressed CORS OPTIONS requests; this extends the solution to all responses going through `expressHandler`.
+
+## Technical Details
+
+For Lambda streaming responses, `flushHeaders()` must be called before `send()`/`json()` to initialize `_wrappedStream`. Without this, the async `_final()` callback finds `_wrappedStream` null and the Lambda hangs.
+
+The fix detects Lambda streaming responses by checking for `"_responseStream" in res`, which is unique to `LambdaResponseStreaming`.
+
+## Related
+
+- Fixes GitHub issue #178
+- Builds on fix from 1.2.8 (96dce858)

package/skills/agents.md

@@ -24,12 +24,16 @@ Complete stack styles, techniques, and traditions.
 - Check ~tools (`mcp__jaypie__skill("tools")`) for all tools or ~tools-aws, ~tools-datadog, and ~tools-dynamodb individually
 - File bugs, documentation, features, and other issues with `mcp__jaypie__skill("issues")`
 
+### Code
+
+- `log.trace` happy path, `log.debug` things that should stand out. Avoid info. Use warn when recoverable. Use error when unrecoverable or "really bad"
+
 ### Skills
 
 `mcp__jaypie__skill(alias: String)`
 
 Contents: index, releasenotes
-Development: documentation, errors, logs, mocks, monorepo, style, subpackages, tests
+Development: documentation, errors, llm, logs, mocks, monorepo, style, subpackages, tests
 Infrastructure: aws, cdk, cicd, datadog, dns, dynamodb, express, lambda, secrets, streaming, variables, websockets
 Patterns: fabric, handlers, models, services, vocabulary
 Meta: issues, jaypie, skills, tools

package/skills/secrets.md

@@ -5,190 +5,188 @@ related: aws, cdk, variables
 
 # Secret Management
 
-Jaypie uses AWS Secrets Manager for secure credential storage, with environment-aware resolution that works seamlessly in both local development and Lambda.
+Jaypie uses AWS Secrets Manager for secure credential storage. The `JaypieEnvSecret` construct creates secrets at deploy time from environment variables, and `getEnvSecret` retrieves them at runtime.
 
-## Basic Usage
+## The Pattern
 
-Use `getEnvSecret` for environment-aware secret resolution:
+1. **Deploy time**: Set environment variables in CI/CD (e.g., `MONGODB_URI=mongodb+srv://...`)
+2. **CDK**: `JaypieEnvSecret` reads the env var and creates/updates an AWS secret
+3. **Runtime**: `getEnvSecret("MONGODB_URI")` fetches from Secrets Manager
+
+This keeps secrets out of code and config files while enabling environment-specific values.
+
+## CDK: Creating Secrets with JaypieEnvSecret
+
+The simplest pattern uses the environment variable name as the construct ID:
 
 ```typescript
-import { getEnvSecret } from "jaypie";
+import { JaypieEnvSecret, JaypieLambda } from "@jaypie/constructs";
 
-const apiKey = await getEnvSecret("ANTHROPIC_API_KEY");
-const dbUri = await getEnvSecret("MONGODB_URI");
+// Creates secret from process.env.MONGODB_URI at deploy time
+const mongoSecret = new JaypieEnvSecret(this, "MONGODB_URI");
+const anthropicSecret = new JaypieEnvSecret(this, "ANTHROPIC_API_KEY");
+
+// Lambda with secrets array (auto-creates JaypieEnvSecret instances)
+new JaypieLambda(this, "Handler", {
+  code: "dist/lambda",
+  handler: "index.handler",
+  secrets: ["MONGODB_URI", "ANTHROPIC_API_KEY"],
+});
 ```
 
-### How getEnvSecret Works
+When the construct ID matches an environment variable name, `JaypieEnvSecret` automatically:
+- Uses that env var's value as the secret content
+- Sets `envKey` to the ID for later reference
 
-`getEnvSecret` checks environment variables in order:
+### CI/CD Setup
 
-1. `SECRET_{name}` - If found, fetches from AWS Secrets Manager
-2. `{name}_SECRET` - If found, fetches from AWS Secrets Manager
-3. `{name}` - Returns direct value without AWS call
+Set secrets as environment variables in your deployment pipeline:
 
-This allows the same code to work locally (with direct env values) and in Lambda (with secret references).
+```yaml
+# GitHub Actions example
+jobs:
+  deploy:
+    env:
+      MONGODB_URI: ${{ secrets.MONGODB_URI }}
+      ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
+    steps:
+      - run: npx cdk deploy
+```
 
-## Loading Multiple Secrets
+## Runtime: Retrieving Secrets
 
-Use `loadEnvSecrets` during handler initialization:
+Use `getEnvSecret` to fetch secrets in Lambda:
 
 ```typescript
-import { loadEnvSecrets } from "jaypie";
-
-// Load secrets and set in process.env
-await loadEnvSecrets("ANTHROPIC_API_KEY", "OPENAI_API_KEY", "MONGODB_URI");
+import { getEnvSecret } from "jaypie";
 
-// Now available as process.env.ANTHROPIC_API_KEY, etc.
+const mongoUri = await getEnvSecret("MONGODB_URI");
+const apiKey = await getEnvSecret("ANTHROPIC_API_KEY");
 ```
 
-## CDK Configuration
+### Loading Multiple Secrets
 
-Reference secrets via environment variables in CDK:
+Use `loadEnvSecrets` during handler initialization to populate `process.env`:
 
 ```typescript
-const handler = new JaypieLambda(this, "Handler", {
-  environment: {
-    // SECRET_ prefix triggers AWS Secrets Manager fetch
-    SECRET_MONGODB_URI: "my-project/mongodb-uri",
-    SECRET_API_KEY: "my-project/third-party-api-key",
-  },
-});
-```
+import { loadEnvSecrets } from "jaypie";
 
-In code:
+await loadEnvSecrets("ANTHROPIC_API_KEY", "OPENAI_API_KEY", "MONGODB_URI");
 
-```typescript
-// getEnvSecret sees SECRET_MONGODB_URI and fetches from Secrets Manager
-const mongoUri = await getEnvSecret("MONGODB_URI");
+// Now available as process.env.ANTHROPIC_API_KEY, etc.
 ```
 
-## Direct Secret Access
+## Provider/Consumer Pattern
 
-Use `getSecret` when you need to fetch by exact AWS secret name:
+For shared secrets across environments (e.g., sandbox providing to personal builds):
 
 ```typescript
-import { getSecret } from "jaypie";
+// Sandbox stack (provider) - exports the secret name
+new JaypieEnvSecret(this, "SHARED_API_KEY", { provider: true });
 
-// Fetch by exact AWS secret name
-const secret = await getSecret("my-project/production/api-key");
+// Personal build (consumer) - imports from sandbox
+new JaypieEnvSecret(this, "SHARED_API_KEY"); // consumer auto-detected
 ```
 
-Note: `getSecret` requires `AWS_SESSION_TOKEN` and always calls Secrets Manager. Prefer `getEnvSecret` for typical use cases.
+The construct auto-detects consumer mode for personal/ephemeral environments (`PROJECT_ENV=personal` or `CDK_ENV_PERSONAL=true`).
 
-## Creating Secrets
+## Generated Secrets
 
-### Via CDK
+For secrets without a source value (e.g., database passwords):
 
 ```typescript
-import { Secret } from "aws-cdk-lib/aws-secretsmanager";
-
-const secret = new Secret(this, "ApiKey", {
-  secretName: `${projectKey}/api-key`,
-  description: "Third-party API key",
+new JaypieEnvSecret(this, "DB_PASSWORD", {
+  generateSecretString: {
+    excludePunctuation: true,
+    passwordLength: 32,
+  },
 });
-
-// Grant read access
-secret.grantRead(lambdaFunction);
 ```
 
-### Via AWS CLI
+## Tagging
 
-```bash
-aws secretsmanager create-secret \
-  --name "my-project/api-key" \
-  --secret-string "sk_live_abc123"
+Apply standard tags for organization:
+
+```typescript
+new JaypieEnvSecret(this, "STRIPE_KEY", {
+  roleTag: CDK.ROLE.PAYMENT,
+  vendorTag: CDK.VENDOR.STRIPE,
+});
 ```
 
-## Secret Naming Convention
+## Local Development
 
-Use project-prefixed names:
+For local development, set environment variables directly in `.env.local`:
 
+```bash
+# .env.local (not committed)
+ANTHROPIC_API_KEY=sk-ant-test123
+MONGODB_URI=mongodb://localhost:27017/dev
 ```
-{project-key}/{secret-name}
 
-Examples:
-- my-api/mongodb-uri
-- my-api/stripe-key
-- my-api/auth0-secret
-```
+`getEnvSecret` returns these values directly without AWS calls when no `SECRET_` prefix is present.
 
-## JSON Secrets
+## Alternative Approaches
 
-Store structured data:
+### Explicit Value
 
-```bash
-aws secretsmanager create-secret \
-  --name "my-project/db-credentials" \
-  --secret-string '{"username":"admin","password":"secret123"}'
+Pass a value directly instead of reading from environment:
+
+```typescript
+new JaypieEnvSecret(this, "ApiKey", {
+  value: "sk_live_abc123", // Not recommended - prefer env vars
+});
 ```
 
-Retrieve in code:
+### Manual SECRET_ Linking
+
+For non-JaypieEnvSecret secrets, manually set the `SECRET_` prefix:
 
 ```typescript
-const credentialsJson = await getEnvSecret("DB_CREDENTIALS");
-const credentials = JSON.parse(credentialsJson);
+new JaypieLambda(this, "Handler", {
+  environment: {
+    SECRET_MONGODB_URI: "my-project/mongodb-uri", // AWS secret name
+  },
+});
 ```
 
-## Caching
+At runtime, `getEnvSecret("MONGODB_URI")` sees `SECRET_MONGODB_URI` and fetches from that AWS secret name.
 
-Secrets are cached by default to reduce API calls:
+The `_SECRET` suffix also works:
 
 ```typescript
-// First call: fetches from Secrets Manager
-const key1 = await getEnvSecret("API_KEY");
-
-// Second call: returns cached value
-const key2 = await getEnvSecret("API_KEY");
+environment: {
+  MONGODB_URI_SECRET: "my-project/mongodb-uri",
+}
 ```
 
-Cache is scoped to Lambda execution context (warm starts reuse cache).
+### Direct Secret Access
 
-## Rotation
-
-Configure automatic rotation for supported secrets:
+Use `getSecret` when you need to fetch by exact AWS secret name:
 
 ```typescript
-const secret = new Secret(this, "DbPassword", {
-  secretName: "my-project/db-password",
-  generateSecretString: {
-    excludePunctuation: true,
-    passwordLength: 32,
-  },
-});
+import { getSecret } from "jaypie";
 
-secret.addRotationSchedule("Rotation", {
-  automaticallyAfter: Duration.days(30),
-  rotationLambda: rotationFunction,
-});
+const secret = await getSecret("my-project/production/api-key");
 ```
 
-## Local Development
-
-For local development, set environment variables directly:
+Note: `getSecret` requires `AWS_SESSION_TOKEN` and always calls Secrets Manager.
 
-```bash
-# .env.local (not committed)
-ANTHROPIC_API_KEY=sk-ant-test123
-MONGODB_URI=mongodb://localhost:27017/dev
-API_KEY=test_key_123
-```
+## Caching
 
-`getEnvSecret` automatically returns these values without AWS calls since there's no `SECRET_` prefix.
+Secrets are cached by default to reduce API calls. Cache is scoped to Lambda execution context (warm starts reuse cache).
 
 ## IAM Permissions
 
-Lambda needs `secretsmanager:GetSecretValue`:
+`JaypieEnvSecret` implements `ISecret`, so grant access directly:
 
 ```typescript
+const secret = new JaypieEnvSecret(this, "API_KEY");
 secret.grantRead(lambdaFunction);
-
-// Or via policy
-lambdaFunction.addToRolePolicy(new PolicyStatement({
-  actions: ["secretsmanager:GetSecretValue"],
-  resources: [secret.secretArn],
-}));
 ```
 
+Or use the `secrets` array on `JaypieLambda`, which handles permissions automatically.
+
 ## Testing
 
 Mock secret functions in tests:

package/skills/skills.md

@@ -16,7 +16,7 @@ Look up skills by alias: `mcp__jaypie__skill(alias)`
 | Category | Skills |
 |----------|--------|
 | contents | index, releasenotes |
-| development | documentation, errors, logs, mocks, monorepo, style, subpackages, tests |
+| development | documentation, errors, llm, logs, mocks, monorepo, style, subpackages, tests |
 | infrastructure | aws, cdk, cicd, datadog, dns, dynamodb, express, lambda, secrets, streaming, variables, websockets |
 | patterns | fabric, handlers, models, services, vocabulary |
 | meta | issues, jaypie, skills, tools |