@jaypie/mcp 0.8.56 → 0.8.58

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -9,7 +9,7 @@ import { gt } from 'semver';
9
9
  /**
10
10
  * Docs Suite - Documentation services (skill, version, release_notes)
11
11
  */
12
- const BUILD_VERSION_STRING = "@jaypie/mcp@0.8.56#4233ad47"
12
+ const BUILD_VERSION_STRING = "@jaypie/mcp@0.8.58#340296a3"
13
13
  ;
14
14
  const __filename$1 = fileURLToPath(import.meta.url);
15
15
  const __dirname$1 = path.dirname(__filename$1);
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@jaypie/mcp",
3
- "version": "0.8.56",
3
+ "version": "0.8.58",
4
4
  "description": "Jaypie MCP",
5
5
  "repository": {
6
6
  "type": "git",
@@ -0,0 +1,19 @@
1
+ ---
2
+ version: 1.2.54
3
+ date: 2026-05-10
4
+ summary: JaypieMigration grants control-plane DynamoDB perms scoped to passed tables (issue #339)
5
+ ---
6
+
7
+ ## Changes
8
+
9
+ - `JaypieMigration` now grants control-plane DynamoDB actions (`DescribeContinuousBackups`, `DescribeTable`, `DescribeTimeToLive`, `UpdateContinuousBackups`, `UpdateTable`, `UpdateTimeToLive`) on the ARNs of any tables passed via `tables`, scoped to the table ARN and its indexes (`/index/*`). Data-plane access is unchanged.
10
+
11
+ ## Motivation
12
+
13
+ The migration Lambda was previously granted only data-plane access via `grantReadWriteData`. Migrations whose entire purpose is to evolve table shape (add a GSI, change TTL, toggle streams, update backups) `AccessDenied` on the first control-plane call. Combined with `lambdaHandler`'s default soft-fail, the deploy reported `CREATE_COMPLETE` while later migrations silently never ran.
14
+
15
+ Pair this with the new `migrationHandler` in `@jaypie/lambda` (1.2.6) for end-to-end loud-fail behavior.
16
+
17
+ ## Migration
18
+
19
+ No action required. Existing migrations using only data-plane ops keep working; migrations that previously failed with `AccessDeniedException` on `dynamodb:DescribeTable` or `dynamodb:UpdateTable` should now succeed.
@@ -0,0 +1,45 @@
1
+ ---
2
+ version: 1.2.55
3
+ date: 2026-05-10
4
+ summary: JaypieMigration `timeout` prop default 15m (#341); JaypieDistribution `waf.allow` path-scoped relaxations (#342)
5
+ ---
6
+
7
+ ## Changes
8
+
9
+ ### `JaypieMigration` — `timeout` prop, default 15 minutes (#341)
10
+
11
+ - `JaypieMigrationProps` accepts an optional `timeout?: cdk.Duration` that is forwarded to the inner `JaypieLambda`.
12
+ - The default migration Lambda timeout is now **15 minutes** (Lambda's maximum), up from 5 minutes.
13
+
14
+ ### `JaypieDistribution` — `waf.allow` (#342)
15
+
16
+ - New `waf.allow` field accepts an entry (or array of entries) shaped `{ path, AWSManagedRulesCommonRuleSet: [...], AWSManagedRulesKnownBadInputsRuleSet: [...], ... }`. Each entry flips the named sub-rules from `block` to `count` **only** on requests matching its path set; strict default action is preserved everywhere else.
17
+ - `path` accepts a string or string[]. Trailing `*` becomes WAFv2 `STARTS_WITH`; no trailing `*` becomes `EXACTLY`. Multiple paths in one entry are OR'd.
18
+ - Each managed-rule-group key accepts a string or string[] of sub-rule names.
19
+ - `waf.allow` composes with `waf.managedRuleOverrides`: the baseline override list applies to both the relaxed and strict emissions of a group; `allow` further relaxes specific (path × sub-rule) intersections. Groups not named in `allow` keep their existing single-rule emission.
20
+
21
+ ```ts
22
+ waf: {
23
+ allow: [
24
+ {
25
+ path: "/hooks/*",
26
+ AWSManagedRulesCommonRuleSet: ["ExploitablePaths_URIPATH"],
27
+ AWSManagedRulesKnownBadInputsRuleSet: ["CrossSiteScripting_BODY"],
28
+ },
29
+ ],
30
+ }
31
+ ```
32
+
33
+ ## Motivation
34
+
35
+ ### `JaypieMigration` timeout
36
+
37
+ Real-world DynamoDB migrations the construct exists to support routinely exceed five minutes: first-time GSI creation commonly takes 3–10 minutes to reach `ACTIVE`, and a backfill that scans and rewrites entities after the GSI is ready adds more. The previous 5-minute hard cap left no headroom; CloudFormation rolled back even when the underlying operation would have completed.
38
+
39
+ ### `waf.allow`
40
+
41
+ Webhook ingress paths (Datadog, GitHub, Slack, Jira) legitimately trip body- and URI-inspection rules in `AWSManagedRulesCommonRuleSet` / `AWSManagedRulesKnownBadInputsRuleSet`, while the rest of the API should keep full blocking. The previous escape hatch — distribution-wide `managedRuleOverrides` — weakened protection on every path on the host. `waf.allow` confines the relaxation to the listed paths.
42
+
43
+ ## Migration
44
+
45
+ No action required. `JaypieMigration` callers that previously relied on the 5-minute default still complete in well under 15 minutes; callers that want to keep 5 minutes can pass `timeout: Duration.minutes(5)` explicitly. `waf.allow` is opt-in — distributions that don't pass it keep their previous WebACL exactly.
@@ -0,0 +1,13 @@
1
+ ---
2
+ version: 1.2.46
3
+ date: 2026-05-10
4
+ summary: Re-export migrationHandler from @jaypie/lambda (issue #339)
5
+ ---
6
+
7
+ ## Changes
8
+
9
+ - Re-exports `migrationHandler` from `@jaypie/lambda` 1.2.6.
10
+
11
+ ## Motivation
12
+
13
+ Migration Lambdas should fail loudly so a failed migration fails the deploy. Use `migrationHandler` instead of `lambdaHandler` in migration entrypoints — see the migrations skill for usage.
@@ -0,0 +1,9 @@
1
+ ---
2
+ version: 1.2.47
3
+ date: 2026-05-10
4
+ summary: Bump @jaypie/llm to 1.2.34 for retry-executor sibling-rejection fix (issue #336)
5
+ ---
6
+
7
+ ## Changes
8
+
9
+ - Bumps the `@jaypie/llm` peer dependency to `^1.2.34` so the retry executor no longer crashes the host when an upstream SDK surfaces twin rejections of an already-handled error.
@@ -0,0 +1,27 @@
1
+ ---
2
+ version: 1.2.6
3
+ date: 2026-05-10
4
+ summary: Add migrationHandler that defaults throw: true so failed migrations fail the deploy (issue #339)
5
+ ---
6
+
7
+ ## Changes
8
+
9
+ - New `migrationHandler` export. Wraps `lambdaHandler` with `throw: true` defaulted so a thrown error propagates out of the Lambda, causing the CFN custom resource (and the deploy) to fail loudly instead of swallowing the error and reporting `CREATE_COMPLETE`.
10
+ - Re-exported by `jaypie` and mocked by `@jaypie/testkit/mock`.
11
+ - Pass `{ throw: false }` to opt back into the soft-fail behavior.
12
+
13
+ ## Motivation
14
+
15
+ `JaypieMigration` runs its Lambda via a CFN custom resource provider. With `lambdaHandler`'s default `throw: false`, a thrown migration error was caught, logged as `fatal`, and returned as a successful response — CFN saw a 200-shaped response and marked the resource `CREATE_COMPLETE`. The deploy turned green while later migrations silently never ran.
16
+
17
+ ## Migration
18
+
19
+ Update migration entry points from `lambdaHandler` to `migrationHandler`:
20
+
21
+ ```typescript
22
+ import { migrationHandler } from "jaypie";
23
+
24
+ export const handler = migrationHandler(async (event) => {
25
+ // migration logic
26
+ });
27
+ ```
@@ -0,0 +1,18 @@
1
+ ---
2
+ version: 1.2.34
3
+ date: 2026-05-10
4
+ summary: Retry executor swallows sibling rejections of already-handled upstream errors (issue #336)
5
+ ---
6
+
7
+ ## Changes
8
+
9
+ - New shared `createStaleRejectionGuard` helper records errors that the retry layer has caught and recognizes sibling unhandled rejections by reference *or* by `name + message`. When a sibling fires, the guard attaches a `.catch()` to the dangling promise so it is no longer treated as unhandled.
10
+ - `RetryExecutor` and `StreamLoop` both consume the shared guard. Transient socket teardown errors (`TypeError: terminated`, `ECONNRESET`, etc.) continue to be suppressed exactly as before.
11
+
12
+ ## Motivation
13
+
14
+ Provider SDKs occasionally surface a single upstream failure as twin promise rejections. The retry layer catches and handles the first; the second arrives on a later microtask and escaped the previous guard because that guard only matched a fixed set of transient-network patterns. A real example: OpenRouter's `matchers.js` does `JSON.parse("")` and throws `SyntaxError: Unexpected end of JSON input`. The retry executor caught it and was sleeping before the next attempt when the sibling rejection killed the host process — many hours into a long evaluation run.
15
+
16
+ ## Migration
17
+
18
+ No action required. The new guard is strictly more permissive than the old one — it swallows the same transient-network rejections plus any rejection whose error matches one the retry loop has already caught. Unrelated rejections are unaffected.
@@ -0,0 +1,9 @@
1
+ ---
2
+ version: 0.8.57
3
+ date: 2026-05-10
4
+ summary: Migrations skill recommends migrationHandler and documents control-plane perms (issue #339)
5
+ ---
6
+
7
+ ## Changes
8
+
9
+ - `skill("migrations")` now recommends `migrationHandler` for the Lambda entrypoint and documents the control-plane DynamoDB permissions added by `JaypieMigration` 1.2.54.
@@ -0,0 +1,9 @@
1
+ ---
2
+ version: 0.8.58
3
+ date: 2026-05-10
4
+ summary: Release notes for @jaypie/constructs 1.2.55 and @jaypie/llm 1.2.34
5
+ ---
6
+
7
+ ## Changes
8
+
9
+ - Adds release notes for `@jaypie/constructs` 1.2.55 (`JaypieMigration` `timeout` prop default 15 minutes — issue #341; `JaypieDistribution` `waf.allow` path-scoped relaxations — issue #342) and `@jaypie/llm` 1.2.34 (retry executor swallows sibling rejections — issue #336), plus the corresponding `jaypie` 1.2.47 dependency bump.
@@ -0,0 +1,9 @@
1
+ ---
2
+ version: 1.2.37
3
+ date: 2026-05-10
4
+ summary: Mock migrationHandler from @jaypie/lambda (issue #339)
5
+ ---
6
+
7
+ ## Changes
8
+
9
+ - Adds `migrationHandler` mock that mirrors the real handler — defaults `throw: true` so thrown errors surface in tests.
@@ -44,16 +44,18 @@ new JaypieMigration(this, "SeedData", {
44
44
  - **Role**: Tagged as `CDK.ROLE.PROCESSING`
45
45
  - **Execution**: Runs on every deploy via CloudFormation custom resource (uses a deploy nonce to force re-invocation even when only Lambda code changes)
46
46
  - **Dependencies**: Use `dependencies` to ensure tables and other resources exist before the migration executes
47
+ - **Permissions**: Tables passed via `tables` get data-plane (`grantReadWriteData`) plus control-plane access (`DescribeTable`, `UpdateTable`, `UpdateTimeToLive`, `UpdateContinuousBackups`) scoped to the table ARN and its indexes — migrations that add GSIs, toggle TTL, or change backups work without extra IAM
47
48
 
48
49
  ## Migration Lambda Handler
49
50
 
50
- The migration Lambda receives a CloudFormation custom resource event. Return a result to signal success; throw to signal failure and roll back the stack.
51
+ The migration Lambda receives a CloudFormation custom resource event. Use `migrationHandler` so a thrown error fails the CFN custom resource (and the deploy) — `lambdaHandler`'s default `throw: false` returns a success-shaped response on error and CFN reports `CREATE_COMPLETE` even when the migration failed.
51
52
 
52
53
  ```typescript
53
54
  // src/migrations/seed/index.ts
54
55
  import { initClient, seedEntities, APEX } from "@jaypie/dynamodb";
56
+ import { migrationHandler } from "jaypie";
55
57
 
56
- export const handler = async (event: any) => {
58
+ export const handler = migrationHandler(async (event) => {
57
59
  await initClient();
58
60
 
59
61
  await seedEntities([
@@ -62,9 +64,11 @@ export const handler = async (event: any) => {
62
64
  ]);
63
65
 
64
66
  return { status: "complete" };
65
- };
67
+ });
66
68
  ```
67
69
 
70
+ `migrationHandler` is `lambdaHandler` with `throw: true` defaulted. Pass `{ throw: false }` to opt back into soft-fail behavior.
71
+
68
72
  ## Building Migration Code
69
73
 
70
74
  Bundle migrations separately using esbuild, then reference the output directory: