@lsts_tech/infra 1.0.0

package/scripts/postdeploy-update-dns.sh

@@ -0,0 +1,158 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# postdeploy-update-dns.sh
+# After a successful infra deploy this script ensures the stage domain (dev/production)
+# Route53 alias points to the CloudFront distribution that serves it.
+#
+# Usage: postdeploy-update-dns.sh <stage> [region]
+#
+# Required environment variables:
+#   DOMAIN_ROOT — Root domain (e.g., "example.com")
+#
+# Optional stage overrides:
+#   DOMAIN_PRODUCTION, DOMAIN_DEV, DOMAIN_MOBILE, DOMAIN_CUSTOM
+
+STAGE=${1:-dev}
+REGION=${2:-us-east-1}
+
+if [ -z "${DOMAIN_ROOT:-}" ]; then
+  echo "ERROR: DOMAIN_ROOT environment variable is required (e.g., DOMAIN_ROOT=example.com)"
+  exit 1
+fi
+
+# Polling configuration (seconds)
+POLL_TIMEOUT=${POLL_TIMEOUT:-600}   # total time to wait for distribution (default 10m)
+POLL_INTERVAL=${POLL_INTERVAL:-15}  # interval between checks
+
+resolve_stage_domain() {
+  case "$STAGE" in
+    production) echo "${DOMAIN_PRODUCTION:-${DOMAIN_ROOT}}" ;;
+    dev) echo "${DOMAIN_DEV:-dev.${DOMAIN_ROOT}}" ;;
+    mobile) echo "${DOMAIN_MOBILE:-mobile.${DOMAIN_ROOT}}" ;;
+    *) echo "${DOMAIN_CUSTOM:-${STAGE}.${DOMAIN_ROOT}}" ;;
+  esac
+}
+
+DOMAIN=$(resolve_stage_domain)
+
+echo "Post-deploy DNS sync: stage=$STAGE domain=$DOMAIN region=$REGION"
+
+# Find and wait for the CloudFront distribution that has this alias
+echo "Searching for CloudFront distribution with alias ${DOMAIN} (will wait up to ${POLL_TIMEOUT}s)..."
+END=$((SECONDS + POLL_TIMEOUT))
+FOUND_DIST_ID=""
+FOUND_DIST_STATUS=""
+FOUND_DIST_DOMAIN=""
+while [ $SECONDS -le $END ]; do
+  # Query distributions and look for any that contain the alias
+  CF_JSON=$(mktemp)
+  aws cloudfront list-distributions --output json > "$CF_JSON" || true
+
+  # Find first distribution that has the alias
+  CID=$(jq -r --arg domain "$DOMAIN" '
+    (.DistributionList.Items[]? | select(.Aliases.Items? != null and (.Aliases.Items | index($domain) != null)) )
+    | .Id' "$CF_JSON" 2>/dev/null | head -n1 || true)
+
+  if [ -n "$CID" ] && [ "$CID" != "null" ]; then
+    STATUS=$(aws cloudfront get-distribution --id "$CID" --query 'Distribution.Status' --output text 2>/dev/null || echo "")
+    DOMAIN_NAME=$(aws cloudfront get-distribution --id "$CID" --query 'Distribution.DomainName' --output text 2>/dev/null || echo "")
+    echo "Found distribution $CID with status='$STATUS' and domain='$DOMAIN_NAME'"
+    if [ "$STATUS" = "Deployed" ]; then
+      FOUND_DIST_ID="$CID"
+      FOUND_DIST_STATUS="$STATUS"
+      FOUND_DIST_DOMAIN="$DOMAIN_NAME"
+      rm -f "$CF_JSON"
+      break
+    fi
+    # not yet deployed — wait and poll again
+    rm -f "$CF_JSON"
+  else
+    rm -f "$CF_JSON"
+    echo "No distribution found yet for ${DOMAIN}; retrying in ${POLL_INTERVAL}s..."
+  fi
+
+  sleep ${POLL_INTERVAL}
+done
+
+if [ -z "$FOUND_DIST_ID" ]; then
+  echo "Timed out waiting for a deployed CloudFront distribution for ${DOMAIN}. Gathering diagnostics..." >&2
+
+  # Print any distributions that reference the alias (even if not Deployed)
+  echo "\n-- Distributions mentioning ${DOMAIN} (all statuses) --"
+  aws cloudfront list-distributions --query "DistributionList.Items[?Aliases.Items!=null && contains(Aliases.Items, '${DOMAIN}')].[Id,DomainName,Status,Aliases.Items]" --output json || true
+
+  # ACM certificates in us-east-1
+  echo "\n-- ACM certificates for ${DOMAIN} (us-east-1) --"
+  aws acm list-certificates --region us-east-1 --query "CertificateSummaryList[?DomainName=='${DOMAIN}']" --output json || true
+
+  # Route53 hosted zone and apex records
+  echo "\n-- Route53 apex records for ${DOMAIN_ROOT} --"
+  HZ=$(aws route53 list-hosted-zones-by-name --dns-name "${DOMAIN_ROOT}" --query 'HostedZones[0].Id' --output text || true)
+  if [ -n "$HZ" ] && [ "$HZ" != "None" ]; then
+    HZ_ID=${HZ##*/}
+    echo "Hosted zone ID: $HZ_ID"
+    aws route53 list-resource-record-sets --hosted-zone-id "$HZ_ID" --query "ResourceRecordSets[?Name=='${DOMAIN}.']" --output json || true
+  else
+    echo "No hosted zone for ${DOMAIN_ROOT} found in this account/region"
+  fi
+
+  echo "\nIf SST reported creating a site but no distribution exists, ensure SST had permissions to create CloudFront and ACM resources and that the deploy completed successfully."
+  exit 1
+fi
+
+echo "Found distribution: $FOUND_DIST_ID"
+
+DIST_ID="$FOUND_DIST_ID"
+DIST_DOMAIN="$FOUND_DIST_DOMAIN"
+
+# If we got here but DIST_DOMAIN is empty, attempt fallback: pick any Deployed distribution
+if [ -z "$DIST_DOMAIN" ] || [ "$DIST_DOMAIN" = "null" ]; then
+  echo "Distribution had no DomainName in lookup; attempting fallback to any Deployed distribution..."
+  FALLBACK_ID=$(aws cloudfront list-distributions --query "DistributionList.Items[?Status=='Deployed'].[Id] | [0]" --output text 2>/dev/null || true)
+  if [ -n "$FALLBACK_ID" ] && [ "$FALLBACK_ID" != "None" ]; then
+    DIST_ID="$FALLBACK_ID"
+    DIST_DOMAIN=$(aws cloudfront get-distribution --id "$DIST_ID" --query 'Distribution.DomainName' --output text 2>/dev/null || echo "")
+    echo "Falling back to distribution $DIST_ID with domain $DIST_DOMAIN"
+  else
+    echo "No Deployed CloudFront distribution available to use as fallback. Exiting." >&2
+    exit 1
+  fi
+fi
+
+# Lookup hosted zone id for base domain
+HOSTED_ZONE_ID=$(aws route53 list-hosted-zones-by-name --dns-name "${DOMAIN_ROOT}" --query 'HostedZones[0].Id' --output text)
+if [ -z "$HOSTED_ZONE_ID" ] || [ "$HOSTED_ZONE_ID" = "None" ]; then
+  echo "Hosted zone for ${DOMAIN_ROOT} not found. Exiting." >&2
+  exit 1
+fi
+
+# Strip /hostedzone/ prefix if present
+HOSTED_ZONE_ID=${HOSTED_ZONE_ID#/hostedzone/}
+
+CHANGE_BATCH=$(mktemp)
+cat > "$CHANGE_BATCH" <<EOF
+{
+  "Comment": "UPSERT ${DOMAIN} -> ${DIST_DOMAIN}",
+  "Changes": [
+    {
+      "Action": "UPSERT",
+      "ResourceRecordSet": {
+        "Name": "${DOMAIN}.",
+        "Type": "A",
+        "AliasTarget": {
+          "HostedZoneId": "Z2FDTNDATAQYW2",
+          "DNSName": "${DIST_DOMAIN}",
+          "EvaluateTargetHealth": false
+        }
+      }
+    }
+  ]
+}
+EOF
+
+echo "Submitting Route53 change to upsert alias for ${DOMAIN} -> ${DIST_DOMAIN}"
+CHANGE_RESULT=$(aws route53 change-resource-record-sets --hosted-zone-id "$HOSTED_ZONE_ID" --change-batch file://"$CHANGE_BATCH")
+echo "$CHANGE_RESULT"
+
+echo "Done. Route53 change submitted."

package/scripts/predeploy-checks.sh

@@ -0,0 +1,192 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# predeploy-checks.sh
+# Non-destructive pre-deploy checks that detect common DNS/CloudFront/ACM
+# conflicts which would cause `sst deploy` to fail. Exits non-zero with a
+# helpful diagnostic if a blocking issue is found.
+#
+# Required environment variables:
+#   DOMAIN_ROOT       — Root domain (e.g., "example.com")
+#
+# Optional environment variables:
+#   AWS_REGION        — AWS region (default: us-east-1)
+#   SST_STAGE         — SST stage name (default: production)
+#   INFRA_PATH        — Path to infra package (default: packages/infra)
+#   DOMAIN_PRODUCTION — Override domain for production stage
+#   DOMAIN_DEV        — Override domain for dev stage
+#   DOMAIN_MOBILE     — Override domain for mobile stage
+#   DOMAIN_CUSTOM     — Override domain for custom stages
+#   PROJECT_PREFIX    — Project prefix for pipeline names (e.g., "myapp")
+#   SKIP_PREDEPLOY_CHECKS — Set to "true" to skip all checks
+#   SKIP_DNS_CHECK    — Set to "true" to skip DNS conflict check
+#   AUTO_REMOVE_CONFLICTING_DNS — Set to "true" to auto-remove conflicting DNS records
+#   ALLOW_PIPELINE_DESTRUCTIVE — Set to "true" to allow pipeline deletion
+
+AWS_REGION=${AWS_REGION:-us-east-1}
+STAGE=${SST_STAGE:-${1:-production}}
+INFRA_PATH=${INFRA_PATH:-packages/infra}
+
+if [ -z "${DOMAIN_ROOT:-}" ]; then
+  echo "ERROR: DOMAIN_ROOT environment variable is required (e.g., DOMAIN_ROOT=example.com)"
+  echo "Set this in your project's environment or buildspec."
+  exit 1
+fi
+
+# Optional overrides for CI
+SKIP_PREDEPLOY_CHECKS=${SKIP_PREDEPLOY_CHECKS:-false}
+SKIP_DNS_CHECK=${SKIP_DNS_CHECK:-false}
+AUTO_REMOVE_CONFLICTING_DNS=${AUTO_REMOVE_CONFLICTING_DNS:-false}
+
+echo "Pre-deploy checks: region=$AWS_REGION stage=$STAGE domain=$DOMAIN_ROOT"
+
+check_route53_conflict() {
+  local name=$1
+  hz=$(aws route53 list-hosted-zones-by-name --dns-name "$DOMAIN_ROOT" --query 'HostedZones[0].Id' --output text 2>/dev/null || true)
+  if [ -z "$hz" ]; then
+    echo "WARN: Hosted zone for $DOMAIN_ROOT not found in $AWS_REGION"
+    return 0
+  fi
+  hz=${hz##*/}
+  hz=${hz##*/}
+  # Only treat A/AAAA/CNAME or alias records as blocking records for web deploys.
+  # Keep MX/TXT/NS/SOA since they are often required for email/zone setup and
+  # should not block CloudFront/website deploys.
+  rr=$(aws route53 list-resource-record-sets --hosted-zone-id "$hz" --query "ResourceRecordSets[?Name=='${name}.' && (Type=='A' || Type=='AAAA' || Type=='CNAME' || AliasTarget!=null)]" --output json || echo "[]")
+  if [ "$rr" != "[]" ]; then
+    echo "FAIL: Route53 A/AAAA/CNAME/ALIAS record exists for ${name} that may block deploy:"
+    echo "$rr"
+    if [ "${AUTO_REMOVE_CONFLICTING_DNS}" = "true" ]; then
+      echo "AUTO_REMOVE_CONFLICTING_DNS=true — attempting to delete conflicting records for ${name}"
+      # Delete each matching record set
+      echo "$rr" | jq -c '.[]' | while read -r rec; do
+        tmp=$(mktemp)
+        cat > "$tmp" <<EOF
+{
+  "Comment": "DELETE conflicting record for ${name}",
+  "Changes": [
+    {
+      "Action": "DELETE",
+      "ResourceRecordSet": $rec
+    }
+  ]
+}
+EOF
+        if aws route53 change-resource-record-sets --hosted-zone-id "$hz" --change-batch file://"$tmp" >/dev/null 2>&1; then
+          echo "Deleted conflicting record: $rec"
+        else
+          echo "Failed to delete conflicting record: $rec" >&2
+        fi
+        rm -f "$tmp"
+      done
+      # Give DNS a moment to settle (don't block long)
+      sleep 2
+      return 0
+    fi
+    return 2
+  fi
+  return 0
+}
+
+check_cloudfront_alias() {
+  local sub=$1
+  out=$(aws cloudfront list-distributions --query "DistributionList.Items[?Aliases.Items!=null && contains(Aliases.Items,'${sub}')].[Id,DomainName,Status,Aliases.Items]" --output json || echo "[]")
+  if [ "$out" != "[]" ]; then
+    echo "WARN: CloudFront distribution already has alias ${sub}:"
+    echo "$out"
+    echo "This is expected if the site is already deployed by this same SST project."
+    return 0
+  fi
+  return 0
+}
+
+check_acm_certificate() {
+  local sub=$1
+  certs=$(aws acm list-certificates --region "$AWS_REGION" --query "CertificateSummaryList[?DomainName=='${sub}']" --output json || echo "[]")
+  if [ "$certs" != "[]" ]; then
+    echo "NOTE: ACM certificate(s) exist for ${sub}:"
+    echo "$certs"
+  fi
+}
+
+resolve_stage_domain() {
+  case "$STAGE" in
+    production) echo "${DOMAIN_PRODUCTION:-${DOMAIN_ROOT}}" ;;
+    dev) echo "${DOMAIN_DEV:-dev.${DOMAIN_ROOT}}" ;;
+    mobile) echo "${DOMAIN_MOBILE:-mobile.${DOMAIN_ROOT}}" ;;
+    *) echo "${DOMAIN_CUSTOM:-${STAGE}.${DOMAIN_ROOT}}" ;;
+  esac
+}
+
+TARGET_DOMAIN=$(resolve_stage_domain)
+
+echo "Checking DNS records and CloudFront aliases..."
+
+if [ "${SKIP_PREDEPLOY_CHECKS}" = "true" ]; then
+  echo "SKIP_PREDEPLOY_CHECKS=true — skipping DNS/CloudFront/ACM predeploy checks."
+else
+  if [ "${SKIP_DNS_CHECK}" != "true" ]; then
+    check_route53_conflict "$TARGET_DOMAIN" || exit 2
+  elif [ "$STAGE" = "dev" ]; then
+    echo "SKIP_DNS_CHECK=true — skipping Route53 conflict check for $TARGET_DOMAIN"
+  else
+    echo "SKIP_DNS_CHECK=true — skipping Route53 conflict check for $TARGET_DOMAIN"
+  fi
+
+  check_cloudfront_alias "$TARGET_DOMAIN" || exit 2
+  check_acm_certificate "$TARGET_DOMAIN"
+fi
+
+echo "Pre-deploy checks passed."
+
+# ----- Destructive change detection (pipeline protection) -----
+echo "Running infra diff to detect potentially destructive changes..."
+DIFF_OUT=""
+if [ -d "$INFRA_PATH" ]; then
+  pushd "$INFRA_PATH" >/dev/null || true
+  if command -v npx >/dev/null 2>&1; then
+    DIFF_OUT=$(npx sst diff --stage "$STAGE" --no-color 2>&1 || true)
+  elif command -v sst >/dev/null 2>&1; then
+    DIFF_OUT=$(sst diff --stage "$STAGE" --no-color 2>&1 || true)
+  else
+    DIFF_OUT=""
+  fi
+  popd >/dev/null || true
+fi
+
+if [ -n "$DIFF_OUT" ]; then
+  echo "$DIFF_OUT" | sed -n '1,200p'
+  # detect pipeline deletion entries in the diff output
+  if echo "$DIFF_OUT" | grep -Ei 'DELETE.*(CodePipeline|AWS::CodePipeline::Pipeline|pipeline)' >/dev/null 2>&1; then
+    # compute expected pipeline name for this stage
+    PROJECT_PREFIX=${PROJECT_PREFIX:-app}
+    if [ "$STAGE" = "production" ]; then
+      PIPELINE_NAME="${PROJECT_PREFIX}-prod-pipeline"
+    elif [ "$STAGE" = "dev" ]; then
+      PIPELINE_NAME="${PROJECT_PREFIX}-dev-pipeline"
+    else
+      PIPELINE_NAME="${PROJECT_PREFIX}-${STAGE}-pipeline"
+    fi
+
+    ARN=$(aws codepipeline list-pipelines --region "$AWS_REGION" --query "pipelines[?name=='${PIPELINE_NAME}'].pipelineArn" --output text || true)
+    PROTECTED_TAG=""
+    if [ -n "$ARN" ] && [ "$ARN" != "None" ]; then
+      tags_json=$(aws codepipeline list-tags-for-resource --resource-arn "$ARN" --region "$AWS_REGION" --output json 2>/dev/null || echo "[]")
+      PROTECTED_TAG=$(echo "$tags_json" | jq -r '.tags[]? | select(.key=="Protected") | .value' 2>/dev/null || echo "")
+    fi
+
+    if [ "$PROTECTED_TAG" = "true" ]; then
+      echo "ERROR: planned changes include deletion of protected pipeline '$PIPELINE_NAME'. Aborting." >&2
+      exit 4
+    else
+      if [ "${ALLOW_PIPELINE_DESTRUCTIVE:-false}" != "true" ]; then
+        echo "FAIL: planned changes include deletion of pipeline '$PIPELINE_NAME'. To allow this set ALLOW_PIPELINE_DESTRUCTIVE=true and re-run." >&2
+        exit 4
+      else
+        echo "Warning: pipeline deletion detected but ALLOW_PIPELINE_DESTRUCTIVE=true is set — proceeding with caution."
+      fi
+    fi
+  fi
+fi
+
+exit 0

package/scripts/pulumi-deploy.sh

@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# CI-safe Pulumi deploy helper
+# - runs `pulumi preview` and exits unless `APPROVE=true` is set
+# - in CI, wire a manual approval step to set APPROVE=true before allowing `pulumi up`
+
+
+STACK=${STACK:-production}
+
+# Run from the infra package root so Pulumi (if used) finds Pulumi program files
+SCRIPT_DIR=$(cd "$(dirname "$0")" && pwd)
+INFRA_DIR=$(cd "$SCRIPT_DIR/.." && pwd)
+cd "$INFRA_DIR"
+
+echo "Selecting Pulumi stack: ${STACK} (cwd: $PWD)"
+pulumi stack select "${STACK}"
+
+echo "Running pulumi preview (non-interactive)"
+pulumi preview --non-interactive
+
+if [ "${APPROVE:-}" != "true" ]; then
+  echo "Pulumi preview completed. To apply changes set APPROVE=true and re-run this script."
+  echo "CI suggestion: add a manual approval action that sets APPROVE=true before invoking this script for production runs."
+  exit 0
+fi
+
+echo "APPROVE=true detected — running pulumi up"
+pulumi up --yes

package/scripts/sst-deploy.sh

@@ -0,0 +1,79 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# CI-safe SST deploy helper
+# - runs `npx sst diff` for a readable preview
+# - exits unless `APPROVE=true` is set (to gate destructive changes)
+
+
+STACK=${STACK:-production}
+
+# Run from the infra package root so SST finds sst.config.ts
+SCRIPT_DIR=$(cd "$(dirname "$0")" && pwd)
+INFRA_DIR=$(cd "$SCRIPT_DIR/.." && pwd)
+cd "$INFRA_DIR"
+
+echo "Using SST stack/stage: ${STACK} (cwd: $PWD)"
+
+echo "Running SST diff (preview of infra changes)"
+# Use npx so script works without a global sst install
+npx sst diff --stage "${STACK}" || true
+
+if [ "${APPROVE:-}" != "true" ]; then
+  echo "SST diff completed. To apply changes set APPROVE=true and re-run this script."
+  echo "CI suggestion: add a manual approval action that sets APPROVE=true before invoking this script for production runs."
+  exit 0
+fi
+
+echo "APPROVE=true detected — running sst deploy"
+echo "Attempting to clear any stale SST lock for stage ${STACK} (no-op if none)"
+# If a previous run left a lock, unlock it non-interactively. This is safe when you
+# have confirmed no concurrent deploy is running. In CI, ensure this only runs
+# after human approval.
+npx sst unlock --stage "${STACK}" || true
+
+# If DOMAIN is provided, check CloudFront distributions for that alias and remove it
+# so SST/Pulumi can create a distribution using the domain. CloudFront is global
+# (us-east-1) so we query there. This step is performed only when APPROVE=true.
+if [ -n "${DOMAIN:-}" ]; then
+  echo "Checking CloudFront distributions for alias: ${DOMAIN}"
+  # find distribution IDs that include the DOMAIN in their Aliases.Items
+  DIST_IDS=$(aws cloudfront list-distributions --query "DistributionList.Items[?contains(Aliases.Items, '${DOMAIN}')].Id" --output text 2>/dev/null || true)
+  if [ -n "$DIST_IDS" ]; then
+    for DIST_ID in $DIST_IDS; do
+      echo "Found CloudFront distribution $DIST_ID that contains alias ${DOMAIN}; removing alias to allow new distribution creation"
+      TMP_CFG="/tmp/cf-config-${DIST_ID}.json"
+      TMP_CFG_MOD="/tmp/cf-config-${DIST_ID}-mod.json"
+      ETAG=$(aws cloudfront get-distribution-config --id "$DIST_ID" --query 'ETag' --output text)
+      aws cloudfront get-distribution-config --id "$DIST_ID" --output json > "$TMP_CFG"
+      # Use python to safely remove the alias from the DistributionConfig and update Quantity
+      python3 - <<PY
+import json,sys
+f='''$TMP_CFG'''
+out='''$TMP_CFG_MOD'''
+domain='''$DOMAIN'''
+obj=json.load(open(f))
+cfg=obj.get('DistributionConfig', {})
+aliases=cfg.get('Aliases', {})
+items=aliases.get('Items') or []
+new_items=[i for i in items if i != domain]
+aliases['Items']=new_items
+aliases['Quantity']=len(new_items)
+cfg['Aliases']=aliases
+json.dump(cfg, open(out, 'w'))
+PY
+      # update the distribution with the modified config
+      if aws cloudfront update-distribution --id "$DIST_ID" --if-match "$ETAG" --distribution-config file://"$TMP_CFG_MOD" >/dev/null 2>&1; then
+        echo "Removed alias ${DOMAIN} from distribution $DIST_ID"
+      else
+        echo "Failed to remove alias ${DOMAIN} from distribution $DIST_ID; continue and attempt deploy (check permissions)" >&2
+      fi
+      rm -f "$TMP_CFG" "$TMP_CFG_MOD"
+    done
+  else
+    echo "No existing CloudFront distributions found with alias ${DOMAIN}"
+  fi
+fi
+
+echo "Running sst deploy"
+npx sst deploy --stage "${STACK}" --yes

package/templates/buildspec.yml

@@ -0,0 +1,77 @@
+# buildspec.yml — AWS CodeBuild specification for SST deployments (v1.0.0)
+
+version: 0.2
+
+env:
+  variables:
+    SST_STAGE: "dev"
+    NODE_VERSION: "22"
+    PNPM_VERSION: "9.15.0"
+    INFRA_PATH: "__INFRA_PATH__"
+
+    # Domain + naming defaults
+    DOMAIN_ROOT: "__ROOT_DOMAIN__"
+    PROJECT_PREFIX: "__PROJECT_PREFIX__"
+    PREFIX: "__PROJECT_PREFIX__"
+    DOMAIN_PRODUCTION: "__ROOT_DOMAIN__"
+    DOMAIN_DEV: "dev.__ROOT_DOMAIN__"
+    DOMAIN_MOBILE: "mobile.__ROOT_DOMAIN__"
+
+    # Check controls
+    SKIP_DNS_CHECK: "false"
+    AUTO_REMOVE_CONFLICTING_DNS: "true"
+    POLL_TIMEOUT: "600"
+    POLL_INTERVAL: "15"
+
+phases:
+  install:
+    runtime-versions:
+      nodejs: 22
+    commands:
+      - corepack enable pnpm
+      - corepack prepare pnpm@${PNPM_VERSION} --activate
+      - pnpm --version
+      - pnpm install --frozen-lockfile
+
+  pre_build:
+    commands:
+      - echo "Stage    = ${SST_STAGE}"
+      - echo "Node     = $(node --version)"
+      - echo "pnpm     = $(pnpm --version)"
+      - echo "Infra    = ${INFRA_PATH}"
+      - echo "Running pre-deploy checks..."
+      - |
+        if [ -f "${INFRA_PATH}/scripts/predeploy-checks.sh" ]; then
+          chmod +x "${INFRA_PATH}/scripts/predeploy-checks.sh" || true
+          "${INFRA_PATH}/scripts/predeploy-checks.sh" ${SST_STAGE}
+        elif [ -f "./node_modules/@lsts_tech/infra/scripts/predeploy-checks.sh" ]; then
+          chmod +x "./node_modules/@lsts_tech/infra/scripts/predeploy-checks.sh" || true
+          ./node_modules/@lsts_tech/infra/scripts/predeploy-checks.sh ${SST_STAGE}
+        else
+          echo "No predeploy checks script found; skipping"
+        fi
+
+  build:
+    commands:
+      - cd ${INFRA_PATH}
+      - npx sst deploy --stage ${SST_STAGE}
+
+  post_build:
+    commands:
+      - echo "SST deploy completed for stage ${SST_STAGE}"
+      - echo "Running post-deploy DNS sync"
+      - |
+        if [ -f "${INFRA_PATH}/scripts/postdeploy-update-dns.sh" ]; then
+          chmod +x "${INFRA_PATH}/scripts/postdeploy-update-dns.sh" || true
+          "${INFRA_PATH}/scripts/postdeploy-update-dns.sh" ${SST_STAGE} || echo "post-deploy DNS sync failed"
+        elif [ -f "./node_modules/@lsts_tech/infra/scripts/postdeploy-update-dns.sh" ]; then
+          chmod +x "./node_modules/@lsts_tech/infra/scripts/postdeploy-update-dns.sh" || true
+          ./node_modules/@lsts_tech/infra/scripts/postdeploy-update-dns.sh ${SST_STAGE} || echo "post-deploy DNS sync failed"
+        else
+          echo "No post-deploy DNS sync script found; skipping"
+        fi
+
+cache:
+  paths:
+    - /root/.pnpm-store/**/*
+    - __INFRA_PATH__/.sst/**/*

package/templates/ensure-pipelines.sh

@@ -0,0 +1,117 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# ensure-pipelines.sh (template)
+#
+# AWS-only helper (v1.0.0) to ensure configured CodePipelines exist.
+# Missing pipelines are created by triggering an SST deploy for their mapped stage.
+#
+# Usage:
+#   APPROVE=true bash scripts/ensure-pipelines.sh
+
+SCRIPT_DIR=$(cd "$(dirname "$0")" && pwd)
+INFRA_DIR=$(cd "$SCRIPT_DIR/.." && pwd)
+
+if [ -f "$INFRA_DIR/.env" ]; then
+  set -a
+  # shellcheck disable=SC1091
+  source "$INFRA_DIR/.env"
+  set +a
+fi
+
+DOMAIN_ROOT=${DOMAIN_ROOT:-${INFRA_ROOT_DOMAIN:-}}
+if [ -z "$DOMAIN_ROOT" ]; then
+  echo "ERROR: Set DOMAIN_ROOT or INFRA_ROOT_DOMAIN (e.g., example.com)" >&2
+  exit 1
+fi
+
+REGION=${AWS_REGION:-us-east-1}
+REPO_DEFAULT=${INFRA_PIPELINE_REPO:-__PIPELINE_REPO__}
+
+# Pipeline definitions (generated by init)
+declare -A PIPELINE_STAGE=(
+__PIPELINE_STAGE_MAP__
+)
+declare -A PIPELINE_REPO=(
+__PIPELINE_REPO_MAP__
+)
+declare -A PIPELINE_BRANCH=(
+__PIPELINE_BRANCH_MAP__
+)
+
+resolve_sst_deploy_script() {
+  local candidates=(
+    "$SCRIPT_DIR/sst-deploy.sh"
+    "$INFRA_DIR/node_modules/@lsts_tech/infra/scripts/sst-deploy.sh"
+    "$INFRA_DIR/../node_modules/@lsts_tech/infra/scripts/sst-deploy.sh"
+  )
+
+  for candidate in "${candidates[@]}"; do
+    if [ -f "$candidate" ]; then
+      echo "$candidate"
+      return 0
+    fi
+  done
+
+  return 1
+}
+
+if ! command -v aws >/dev/null 2>&1; then
+  echo "aws CLI not found in PATH" >&2
+  exit 1
+fi
+
+if [ ${#PIPELINE_STAGE[@]} -eq 0 ]; then
+  echo "No pipelines configured in scripts/ensure-pipelines.sh. Nothing to do."
+  exit 0
+fi
+
+SST_DEPLOY_SCRIPT=${SST_DEPLOY_SCRIPT:-}
+if [ -z "$SST_DEPLOY_SCRIPT" ]; then
+  SST_DEPLOY_SCRIPT=$(resolve_sst_deploy_script || true)
+fi
+
+if [ -z "$SST_DEPLOY_SCRIPT" ]; then
+  echo "Could not locate sst-deploy.sh. Set SST_DEPLOY_SCRIPT explicitly." >&2
+  exit 1
+fi
+
+cd "$INFRA_DIR"
+
+MISSING=()
+for NAME in "${!PIPELINE_STAGE[@]}"; do
+  PIPELINE_NAME="${NAME}-pipeline"
+  echo "Checking for pipeline names: $NAME or $PIPELINE_NAME (region: $REGION)"
+
+  if aws codepipeline get-pipeline --name "$NAME" --region "$REGION" >/dev/null 2>&1 || \
+     aws codepipeline get-pipeline --name "$PIPELINE_NAME" --region "$REGION" >/dev/null 2>&1; then
+    echo "Pipeline exists: $PIPELINE_NAME"
+  else
+    echo "Pipeline missing: $PIPELINE_NAME"
+    MISSING+=("$NAME")
+  fi
+done
+
+if [ ${#MISSING[@]} -eq 0 ]; then
+  echo "All pipelines present; nothing to do."
+  exit 0
+fi
+
+echo "Missing pipelines: ${MISSING[*]}"
+
+if [ "${APPROVE:-}" != "true" ]; then
+  echo "To create missing pipelines, re-run with APPROVE=true."
+  exit 1
+fi
+
+for NAME in "${MISSING[@]}"; do
+  STAGE=${PIPELINE_STAGE[$NAME]:-production}
+  REPO=${PIPELINE_REPO[$NAME]:-$REPO_DEFAULT}
+  BRANCH=${PIPELINE_BRANCH[$NAME]:-main}
+
+  echo "Creating pipeline '$NAME' via SST deploy (stage: $STAGE, repo: $REPO, branch: $BRANCH)"
+  APPROVE=true STACK="$STAGE" bash "$SST_DEPLOY_SCRIPT"
+done
+
+echo "Done. Current pipelines:"
+aws codepipeline list-pipelines --region "$REGION" --query "pipelines[].name" --output table || true