@lsts_tech/infra 1.0.0 → 1.0.2

package/templates/infra.config.expo-web.ts

@@ -0,0 +1,153 @@
+/**
+ * Template: infra.config.ts (profile: expo-web)
+ */
+
+/// <reference path="./sst-env.d.ts" />
+
+import { resolveDomain, createExpoSite, createPipeline } from "@lsts_tech/infra";
+
+type PipelineStage = "production" | "dev" | "mobile";
+
+const profile = process.env.INFRA_PROFILE ?? "__PROFILE__";
+const rootDomain = process.env.INFRA_ROOT_DOMAIN ?? "__ROOT_DOMAIN__";
+const pipelineRepo = process.env.INFRA_PIPELINE_REPO ?? "__PIPELINE_REPO__";
+const pipelinePrefix = process.env.INFRA_PIPELINE_PREFIX ?? "__PROJECT_PREFIX__";
+const pipelineProjectTag = process.env.INFRA_PROJECT_TAG ?? "__PROJECT_PREFIX__";
+const appName = process.env.INFRA_APP_NAME ?? "__APP_NAME__";
+const selectedPipelinesRaw = process.env.INFRA_PIPELINES ?? "__PIPELINES_DEFAULT__";
+const createPipelines = (process.env.INFRA_CREATE_PIPELINES ?? "__CREATE_PIPELINES_DEFAULT__") === "true";
+const hostedZoneDomain = process.env.INFRA_HOSTED_ZONE_DOMAIN || undefined;
+
+const pipelinePermissionsMode =
+  (process.env.INFRA_PIPELINE_PERMISSIONS_MODE ?? "__PIPELINE_PERMISSIONS_MODE__") === "least-privilege"
+    ? "least-privilege"
+    : "admin";
+
+const expoStageMap: Record<string, string> = {
+  production: process.env.INFRA_EXPO_DOMAIN_PRODUCTION ?? `mobile.${rootDomain}`,
+  dev: process.env.INFRA_EXPO_DOMAIN_DEV ?? `dev.mobile.${rootDomain}`,
+  mobile: process.env.INFRA_EXPO_DOMAIN_MOBILE ?? `preview.mobile.${rootDomain}`,
+};
+
+const expoCerts: Record<string, string | undefined> = {
+  production: process.env.INFRA_EXPO_CERT_ARN_PRODUCTION,
+  dev: process.env.INFRA_EXPO_CERT_ARN_DEV,
+  mobile: process.env.INFRA_EXPO_CERT_ARN_MOBILE,
+};
+
+const commonBuildEnv = {
+  INFRA_PROFILE: profile,
+  INFRA_APP_NAME: appName,
+  INFRA_ROOT_DOMAIN: rootDomain,
+  INFRA_HOSTED_ZONE_DOMAIN: hostedZoneDomain ?? "",
+  INFRA_PIPELINE_REPO: pipelineRepo,
+  INFRA_PIPELINE_PREFIX: pipelinePrefix,
+  INFRA_PROJECT_TAG: pipelineProjectTag,
+  INFRA_PIPELINE_BRANCH_PROD: process.env.INFRA_PIPELINE_BRANCH_PROD ?? "__BRANCH_PROD__",
+  INFRA_PIPELINE_BRANCH_DEV: process.env.INFRA_PIPELINE_BRANCH_DEV ?? "__BRANCH_DEV__",
+  INFRA_PIPELINE_BRANCH_MOBILE: process.env.INFRA_PIPELINE_BRANCH_MOBILE ?? "__BRANCH_MOBILE__",
+  INFRA_PIPELINES_CONFIG_PATH: process.env.INFRA_PIPELINES_CONFIG_PATH ?? "config/pipelines.json",
+  INFRA_PIPELINE_PERMISSIONS_MODE: pipelinePermissionsMode,
+  INFRA_CREATE_PIPELINES: "false",
+  INFRA_ENABLE_EXPO_SITE: "true",
+  INFRA_EXPO_DOMAIN_PRODUCTION: expoStageMap.production,
+  INFRA_EXPO_DOMAIN_DEV: expoStageMap.dev,
+  INFRA_EXPO_DOMAIN_MOBILE: expoStageMap.mobile,
+  INFRA_EXPO_CERT_ARN_PRODUCTION: expoCerts.production ?? "",
+  INFRA_EXPO_CERT_ARN_DEV: expoCerts.dev ?? "",
+  INFRA_EXPO_CERT_ARN_MOBILE: expoCerts.mobile ?? "",
+  DOMAIN_ROOT: rootDomain,
+  PROJECT_PREFIX: pipelinePrefix,
+  PREFIX: pipelinePrefix,
+  DOMAIN_PRODUCTION: expoStageMap.production,
+  DOMAIN_DEV: expoStageMap.dev,
+  DOMAIN_MOBILE: expoStageMap.mobile,
+};
+
+function parsePipelineStage(value: string): PipelineStage | undefined {
+  const normalized = value.trim().toLowerCase();
+  if (normalized === "production" || normalized === "prod") return "production";
+  if (normalized === "dev") return "dev";
+  if (normalized === "mobile") return "mobile";
+  return undefined;
+}
+
+const selectedPipelines = new Set<PipelineStage>(
+  selectedPipelinesRaw
+    .split(",")
+    .map((value) => parsePipelineStage(value))
+    .filter((value): value is PipelineStage => value !== undefined)
+);
+
+const pipelineSpecs: Record<PipelineStage, { suffix: string; branch: string; stage: PipelineStage }> = {
+  production: {
+    suffix: "prod",
+    branch: process.env.INFRA_PIPELINE_BRANCH_PROD ?? "__BRANCH_PROD__",
+    stage: "production",
+  },
+  dev: {
+    suffix: "dev",
+    branch: process.env.INFRA_PIPELINE_BRANCH_DEV ?? "__BRANCH_DEV__",
+    stage: "dev",
+  },
+  mobile: {
+    suffix: "mobile",
+    branch: process.env.INFRA_PIPELINE_BRANCH_MOBILE ?? "__BRANCH_MOBILE__",
+    stage: "mobile",
+  },
+};
+
+export function createInfrastructure() {
+  const stage = $app.stage;
+
+  const { domain, domainName } = resolveDomain({
+    rootDomain,
+    stage,
+    stageMap: expoStageMap,
+    hostedZoneDomain,
+  });
+
+  const { url } = createExpoSite({
+    appPath: "../../apps/mobile",
+    id: `mobile-${stage}`,
+    domain,
+    certificateArn: expoCerts[stage],
+    environment: {
+      EXPO_PUBLIC_STAGE: stage,
+      EXPO_PUBLIC_SITE_URL: `https://${domainName}`,
+    },
+    invalidation: {
+      paths: ["/*"],
+      wait: stage === "production" || stage === "mobile",
+    },
+  });
+
+  const outputs: Record<string, unknown> = {
+    profile,
+    mobileUrl: url,
+    mobileDomain: domainName,
+  };
+
+  if (stage === "production" && createPipelines && selectedPipelines.size > 0) {
+    const pipelineOutputs: Record<string, string> = {};
+
+    for (const pipelineStage of selectedPipelines) {
+      const spec = pipelineSpecs[pipelineStage];
+      const pipeline = createPipeline({
+        name: `${pipelinePrefix}-${spec.suffix}`,
+        repo: pipelineRepo,
+        branch: spec.branch,
+        stage: spec.stage,
+        projectTag: pipelineProjectTag,
+        buildEnv: commonBuildEnv,
+        permissionsMode: pipelinePermissionsMode,
+      });
+
+      pipelineOutputs[`${pipelineStage}PipelineName`] = pipeline.pipelineName;
+    }
+
+    outputs.pipelines = pipelineOutputs;
+  }
+
+  return outputs;
+}

package/templates/infra.config.next-only.ts

@@ -0,0 +1,159 @@
+/**
+ * Template: infra.config.ts (profile: next-only)
+ */
+
+/// <reference path="./sst-env.d.ts" />
+
+import { resolveDomain, createNextSite, createPipeline } from "@lsts_tech/infra";
+
+type PipelineStage = "production" | "dev" | "mobile";
+
+const secrets = {
+  DatabaseUrl: new sst.Secret("DatabaseUrl"),
+  AuthSecret: new sst.Secret("AuthSecret"),
+};
+
+const profile = process.env.INFRA_PROFILE ?? "__PROFILE__";
+const rootDomain = process.env.INFRA_ROOT_DOMAIN ?? "__ROOT_DOMAIN__";
+const pipelineRepo = process.env.INFRA_PIPELINE_REPO ?? "__PIPELINE_REPO__";
+const pipelinePrefix = process.env.INFRA_PIPELINE_PREFIX ?? "__PROJECT_PREFIX__";
+const pipelineProjectTag = process.env.INFRA_PROJECT_TAG ?? "__PROJECT_PREFIX__";
+const appName = process.env.INFRA_APP_NAME ?? "__APP_NAME__";
+const selectedPipelinesRaw = process.env.INFRA_PIPELINES ?? "__PIPELINES_DEFAULT__";
+const createPipelines = (process.env.INFRA_CREATE_PIPELINES ?? "__CREATE_PIPELINES_DEFAULT__") === "true";
+const hostedZoneDomain = process.env.INFRA_HOSTED_ZONE_DOMAIN || undefined;
+
+const pipelinePermissionsMode =
+  (process.env.INFRA_PIPELINE_PERMISSIONS_MODE ?? "__PIPELINE_PERMISSIONS_MODE__") === "least-privilege"
+    ? "least-privilege"
+    : "admin";
+
+const webStageMap: Record<string, string> = {
+  production: process.env.INFRA_WEB_DOMAIN_PRODUCTION ?? rootDomain,
+  dev: process.env.INFRA_WEB_DOMAIN_DEV ?? `dev.${rootDomain}`,
+  mobile: process.env.INFRA_WEB_DOMAIN_MOBILE ?? `api.${rootDomain}`,
+};
+
+const webCerts: Record<string, string | undefined> = {
+  production: process.env.INFRA_WEB_CERT_ARN_PRODUCTION,
+  dev: process.env.INFRA_WEB_CERT_ARN_DEV,
+  mobile: process.env.INFRA_WEB_CERT_ARN_MOBILE,
+};
+
+const commonBuildEnv = {
+  INFRA_PROFILE: profile,
+  INFRA_APP_NAME: appName,
+  INFRA_ROOT_DOMAIN: rootDomain,
+  INFRA_HOSTED_ZONE_DOMAIN: hostedZoneDomain ?? "",
+  INFRA_PIPELINE_REPO: pipelineRepo,
+  INFRA_PIPELINE_PREFIX: pipelinePrefix,
+  INFRA_PROJECT_TAG: pipelineProjectTag,
+  INFRA_PIPELINE_BRANCH_PROD: process.env.INFRA_PIPELINE_BRANCH_PROD ?? "__BRANCH_PROD__",
+  INFRA_PIPELINE_BRANCH_DEV: process.env.INFRA_PIPELINE_BRANCH_DEV ?? "__BRANCH_DEV__",
+  INFRA_PIPELINE_BRANCH_MOBILE: process.env.INFRA_PIPELINE_BRANCH_MOBILE ?? "__BRANCH_MOBILE__",
+  INFRA_PIPELINES_CONFIG_PATH: process.env.INFRA_PIPELINES_CONFIG_PATH ?? "config/pipelines.json",
+  INFRA_PIPELINE_PERMISSIONS_MODE: pipelinePermissionsMode,
+  INFRA_CREATE_PIPELINES: "false",
+  INFRA_WEB_DOMAIN_PRODUCTION: webStageMap.production,
+  INFRA_WEB_DOMAIN_DEV: webStageMap.dev,
+  INFRA_WEB_DOMAIN_MOBILE: webStageMap.mobile,
+  INFRA_WEB_CERT_ARN_PRODUCTION: webCerts.production ?? "",
+  INFRA_WEB_CERT_ARN_DEV: webCerts.dev ?? "",
+  INFRA_WEB_CERT_ARN_MOBILE: webCerts.mobile ?? "",
+  DOMAIN_ROOT: rootDomain,
+  PROJECT_PREFIX: pipelinePrefix,
+  PREFIX: pipelinePrefix,
+  DOMAIN_PRODUCTION: webStageMap.production,
+  DOMAIN_DEV: webStageMap.dev,
+  DOMAIN_MOBILE: webStageMap.mobile,
+};
+
+function parsePipelineStage(value: string): PipelineStage | undefined {
+  const normalized = value.trim().toLowerCase();
+  if (normalized === "production" || normalized === "prod") return "production";
+  if (normalized === "dev") return "dev";
+  if (normalized === "mobile") return "mobile";
+  return undefined;
+}
+
+const selectedPipelines = new Set<PipelineStage>(
+  selectedPipelinesRaw
+    .split(",")
+    .map((value) => parsePipelineStage(value))
+    .filter((value): value is PipelineStage => value !== undefined)
+);
+
+const pipelineSpecs: Record<PipelineStage, { suffix: string; branch: string; stage: PipelineStage }> = {
+  production: {
+    suffix: "prod",
+    branch: process.env.INFRA_PIPELINE_BRANCH_PROD ?? "__BRANCH_PROD__",
+    stage: "production",
+  },
+  dev: {
+    suffix: "dev",
+    branch: process.env.INFRA_PIPELINE_BRANCH_DEV ?? "__BRANCH_DEV__",
+    stage: "dev",
+  },
+  mobile: {
+    suffix: "mobile",
+    branch: process.env.INFRA_PIPELINE_BRANCH_MOBILE ?? "__BRANCH_MOBILE__",
+    stage: "mobile",
+  },
+};
+
+export function createInfrastructure() {
+  const stage = $app.stage;
+
+  const { domain, domainName } = resolveDomain({
+    rootDomain,
+    stage,
+    stageMap: webStageMap,
+    hostedZoneDomain,
+  });
+
+  const { url } = createNextSite({
+    appPath: "../../apps/web",
+    id: `web-${stage}`,
+    domain,
+    certificateArn: webCerts[stage],
+    environment: {
+      NEXT_PUBLIC_APP_URL: `https://${domainName}`,
+      DATABASE_URL: secrets.DatabaseUrl.value,
+      AUTH_SECRET: secrets.AuthSecret.value,
+    },
+    warm: stage === "production" ? 1 : 0,
+    invalidation: {
+      paths: ["/*"],
+      wait: stage === "production",
+    },
+  });
+
+  const outputs: Record<string, unknown> = {
+    profile,
+    siteUrl: url,
+    domain: domainName,
+  };
+
+  if (stage === "production" && createPipelines && selectedPipelines.size > 0) {
+    const pipelineOutputs: Record<string, string> = {};
+
+    for (const pipelineStage of selectedPipelines) {
+      const spec = pipelineSpecs[pipelineStage];
+      const pipeline = createPipeline({
+        name: `${pipelinePrefix}-${spec.suffix}`,
+        repo: pipelineRepo,
+        branch: spec.branch,
+        stage: spec.stage,
+        projectTag: pipelineProjectTag,
+        buildEnv: commonBuildEnv,
+        permissionsMode: pipelinePermissionsMode,
+      });
+
+      pipelineOutputs[`${pipelineStage}PipelineName`] = pipeline.pipelineName;
+    }
+
+    outputs.pipelines = pipelineOutputs;
+  }
+
+  return outputs;
+}

package/templates/infra.config.ts

@@ -1,8 +1,8 @@
 /**
- * Template: infra.config.ts
+ * Template: infra.config.ts (profile: next-expo)
  *
  * Generated by `npx @lsts_tech/infra init`.
- * This file is white-label and environment-driven for public repositories.
+ * White-label and environment-driven for public repositories.
  */
 
 /// <reference path="./sst-env.d.ts" />
@@ -16,13 +16,21 @@ const secrets = {
   AuthSecret: new sst.Secret("AuthSecret"),
 };
 
+const profile = process.env.INFRA_PROFILE ?? "__PROFILE__";
 const rootDomain = process.env.INFRA_ROOT_DOMAIN ?? "__ROOT_DOMAIN__";
 const pipelineRepo = process.env.INFRA_PIPELINE_REPO ?? "__PIPELINE_REPO__";
 const pipelinePrefix = process.env.INFRA_PIPELINE_PREFIX ?? "__PROJECT_PREFIX__";
 const pipelineProjectTag = process.env.INFRA_PROJECT_TAG ?? "__PROJECT_PREFIX__";
-const appName = process.env.INFRA_APP_NAME ?? "__PROJECT_PREFIX__";
+const appName = process.env.INFRA_APP_NAME ?? "__APP_NAME__";
 const selectedPipelinesRaw = process.env.INFRA_PIPELINES ?? "__PIPELINES_DEFAULT__";
+const createPipelines = (process.env.INFRA_CREATE_PIPELINES ?? "__CREATE_PIPELINES_DEFAULT__") === "true";
 const enableExpoSite = (process.env.INFRA_ENABLE_EXPO_SITE ?? "__ENABLE_EXPO_SITE__") === "true";
+const hostedZoneDomain = process.env.INFRA_HOSTED_ZONE_DOMAIN || undefined;
+
+const pipelinePermissionsMode =
+  (process.env.INFRA_PIPELINE_PERMISSIONS_MODE ?? "__PIPELINE_PERMISSIONS_MODE__") === "least-privilege"
+    ? "least-privilege"
+    : "admin";
 
 const webStageMap: Record<string, string> = {
   production: process.env.INFRA_WEB_DOMAIN_PRODUCTION ?? rootDomain,
@@ -49,14 +57,19 @@ const expoCerts: Record<string, string | undefined> = {
 };
 
 const commonBuildEnv = {
+  INFRA_PROFILE: profile,
   INFRA_APP_NAME: appName,
   INFRA_ROOT_DOMAIN: rootDomain,
+  INFRA_HOSTED_ZONE_DOMAIN: hostedZoneDomain ?? "",
   INFRA_PIPELINE_REPO: pipelineRepo,
   INFRA_PIPELINE_PREFIX: pipelinePrefix,
   INFRA_PROJECT_TAG: pipelineProjectTag,
   INFRA_PIPELINE_BRANCH_PROD: process.env.INFRA_PIPELINE_BRANCH_PROD ?? "__BRANCH_PROD__",
   INFRA_PIPELINE_BRANCH_DEV: process.env.INFRA_PIPELINE_BRANCH_DEV ?? "__BRANCH_DEV__",
   INFRA_PIPELINE_BRANCH_MOBILE: process.env.INFRA_PIPELINE_BRANCH_MOBILE ?? "__BRANCH_MOBILE__",
+  INFRA_PIPELINES_CONFIG_PATH: process.env.INFRA_PIPELINES_CONFIG_PATH ?? "config/pipelines.json",
+  INFRA_PIPELINE_PERMISSIONS_MODE: pipelinePermissionsMode,
+  INFRA_CREATE_PIPELINES: "false",
   INFRA_WEB_DOMAIN_PRODUCTION: webStageMap.production,
   INFRA_WEB_DOMAIN_DEV: webStageMap.dev,
   INFRA_WEB_DOMAIN_MOBILE: webStageMap.mobile,
@@ -117,6 +130,7 @@ export function createInfrastructure() {
     rootDomain,
     stage,
     stageMap: webStageMap,
+    hostedZoneDomain,
   });
 
   const { url } = createNextSite({
@@ -144,6 +158,7 @@ export function createInfrastructure() {
       rootDomain,
       stage,
       stageMap: expoStageMap,
+      hostedZoneDomain,
     });
 
     mobileDomainName = expoDomainResult.domainName;
@@ -166,6 +181,7 @@ export function createInfrastructure() {
   }
 
   const outputs: Record<string, unknown> = {
+    profile,
     siteUrl: url,
     domain: domainName,
   };
@@ -175,7 +191,7 @@ export function createInfrastructure() {
     outputs.mobileDomain = mobileDomainName;
   }
 
-  if (stage === "production" && selectedPipelines.size > 0) {
+  if (stage === "production" && createPipelines && selectedPipelines.size > 0) {
     const pipelineOutputs: Record<string, string> = {};
 
     for (const pipelineStage of selectedPipelines) {
@@ -187,6 +203,7 @@ export function createInfrastructure() {
         stage: spec.stage,
         projectTag: pipelineProjectTag,
         buildEnv: commonBuildEnv,
+        permissionsMode: pipelinePermissionsMode,
       });
 
       pipelineOutputs[`${pipelineStage}PipelineName`] = pipeline.pipelineName;

package/templates/pipelines.example.json

@@ -0,0 +1,19 @@
+{
+  "pipelines": {
+    "production": {
+      "enabled": true,
+      "branch": "__BRANCH_PROD__",
+      "repo": "__PIPELINE_REPO__"
+    },
+    "dev": {
+      "enabled": true,
+      "branch": "__BRANCH_DEV__",
+      "repo": "__PIPELINE_REPO__"
+    },
+    "mobile": {
+      "enabled": false,
+      "branch": "__BRANCH_MOBILE__",
+      "repo": "__PIPELINE_REPO__"
+    }
+  }
+}

package/templates/private.example.json

@@ -0,0 +1,13 @@
+{
+  "notes": "Copy this file to config/private.json and keep it untracked.",
+  "secrets": {
+    "DatabaseUrl": "postgresql://username:password@host:5432/database",
+    "AuthSecret": "replace-with-secure-random-value"
+  },
+  "deploy": {
+    "region": "us-east-1",
+    "tags": {
+      "Project": "__PROJECT_PREFIX__"
+    }
+  }
+}

package/templates/scaffold.gitignore

@@ -0,0 +1,29 @@
+# Build output
+dist/
+
+# SST state
+.sst/
+state.json
+Pulumi.*.yaml
+
+# Node
+node_modules/
+
+# Environment
+.env
+.env.*
+!.env.example
+
+# Local private config
+config/*.json
+!config/*.example.json
+
+# Editor
+.vscode/
+*.swp
+
+# OS
+.DS_Store
+
+# Tarball
+*.tgz

package/templates/scaffold.package.json

@@ -0,0 +1,25 @@
+{
+  "name": "__PROJECT_PREFIX__-infra",
+  "private": true,
+  "type": "module",
+  "scripts": {
+    "dev": "sst dev",
+    "deploy": "sst deploy",
+    "deploy:dev": "sst deploy --stage dev",
+    "deploy:prod": "sst deploy --stage production",
+    "doctor": "npx @lsts_tech/infra doctor --target .",
+    "ensure:pipelines": "APPROVE=true bash scripts/ensure-pipelines.sh",
+    "ensure:secrets": "bash scripts/ensure-secrets.sh dev"
+  },
+  "dependencies": {
+    "@lsts_tech/infra": "__INFRA_VERSION__",
+    "sst": "^3.7.0"
+  },
+  "devDependencies": {
+    "@types/node": "^22.13.9",
+    "typescript": "^5"
+  },
+  "engines": {
+    "node": ">=20"
+  }
+}

package/templates/scaffold.tsconfig.json

@@ -0,0 +1,22 @@
+{
+  "compilerOptions": {
+    "target": "ESNext",
+    "module": "ESNext",
+    "moduleResolution": "bundler",
+    "strict": true,
+    "esModuleInterop": true,
+    "skipLibCheck": true,
+    "forceConsistentCasingInFileNames": true,
+    "types": ["node"]
+  },
+  "include": [
+    "infra.config.ts",
+    "sst.config.ts",
+    "sst-env.d.ts"
+  ],
+  "exclude": [
+    "node_modules",
+    "dist",
+    ".sst"
+  ]
+}

package/templates/secrets.schema.expo-web.json

@@ -0,0 +1,8 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "title": "Secrets Schema",
+  "description": "Expo web profile does not require app secrets by default.",
+  "type": "object",
+  "properties": {},
+  "required": []
+}