@pipeline-builder/pipeline-core 3.1.1

package/lib/config/config-types.d.ts

@@ -0,0 +1,213 @@
+import type { QuotaTier } from '@pipeline-builder/api-core';
+import type { Duration, RemovalPolicy } from 'aws-cdk-lib';
+import type { ComputeType } from 'aws-cdk-lib/aws-codebuild';
+import type { Architecture, Runtime } from 'aws-cdk-lib/aws-lambda';
+import type { RetentionDays } from 'aws-cdk-lib/aws-logs';
+import type { Algorithm } from 'jsonwebtoken';
+/**
+ * Type-safe configuration interface
+ */
+export interface AppConfig {
+    readonly server: ServerConfig;
+    readonly auth: AuthConfig;
+    readonly database: DatabaseConfig;
+    readonly registry: RegistryConfig;
+    readonly redis: RedisConfig;
+    readonly pluginBuild: PluginBuildConfig;
+    readonly dockerConfig: BuildConfig;
+    readonly observability: ObservabilityConfig;
+    readonly compliance: ComplianceConfig;
+    readonly aws: AWSConfig;
+    readonly rateLimit: RateLimitConfig;
+    readonly billing: BillingConfig;
+}
+/** Express server configuration. */
+export interface ServerConfig {
+    /** HTTP listen port (env: `PORT`). */
+    readonly port: number;
+    readonly cors: {
+        /** Whether to include credentials in CORS responses (env: `CORS_CREDENTIALS`). */
+        readonly credentials: boolean;
+        /** Allowed origin(s) — single string, array, or `'*'` (env: `CORS_ORIGIN`). */
+        readonly origin: string | string[];
+    };
+    /** Number of reverse proxy hops to trust (env: `TRUST_PROXY`). */
+    readonly trustProxy: number;
+    /** Frontend base URL, used as CORS fallback (env: `PLATFORM_BASE_URL`). */
+    readonly platformUrl: string;
+    readonly httpClient: {
+        /** Default HTTP request timeout in ms (env: `HTTP_CLIENT_TIMEOUT`). */
+        readonly timeout: number;
+        /** Maximum retry attempts for failed requests (env: `HTTP_CLIENT_MAX_RETRIES`). */
+        readonly maxRetries: number;
+        /** Base delay between retries in ms (env: `HTTP_CLIENT_RETRY_DELAY_MS`). */
+        readonly retryDelayMs: number;
+    };
+    readonly sse: {
+        /** Max SSE clients per request (env: `SSE_MAX_CLIENTS_PER_REQUEST`). */
+        readonly maxClientsPerRequest: number;
+        /** SSE client timeout in ms (env: `SSE_CLIENT_TIMEOUT_MS`). */
+        readonly clientTimeoutMs: number;
+        /** SSE cleanup interval in ms (env: `SSE_CLEANUP_INTERVAL_MS`). */
+        readonly cleanupIntervalMs: number;
+    };
+    readonly services: {
+        readonly pluginHost: string;
+        readonly pluginPort: number;
+        readonly pipelineHost: string;
+        readonly pipelinePort: number;
+        readonly messageHost: string;
+        readonly messagePort: number;
+        readonly complianceHost: string;
+        readonly compliancePort: number;
+        readonly billingHost: string;
+        readonly billingPort: number;
+        readonly billingTimeout: number;
+    };
+}
+/** JWT and refresh token authentication configuration. */
+export interface AuthConfig {
+    readonly jwt: {
+        /** Signing secret for access tokens (env: `JWT_SECRET`). */
+        readonly secret: string;
+        /** Token lifetime in seconds (env: `JWT_EXPIRES_IN`). */
+        readonly expiresIn: number;
+        /** Signing algorithm, e.g. `'HS256'` (env: `JWT_ALGORITHM`). */
+        readonly algorithm: Algorithm;
+        /** bcrypt salt rounds for password hashing (env: `JWT_SALT_ROUNDS`). */
+        readonly saltRounds: number;
+    };
+    readonly refreshToken: {
+        /** Signing secret for refresh tokens (env: `REFRESH_TOKEN_SECRET`). */
+        readonly secret: string;
+        /** Token lifetime in seconds (env: `REFRESH_TOKEN_EXPIRES_IN`). */
+        readonly expiresIn: number;
+    };
+}
+/** PostgreSQL and Drizzle ORM database configuration. */
+export interface DatabaseConfig {
+    readonly postgres: {
+        /** PostgreSQL host (env: `DB_HOST`). */
+        readonly host: string;
+        /** PostgreSQL port (env: `DB_PORT`). */
+        readonly port: number;
+        /** Database name (env: `DATABASE`). */
+        readonly database: string;
+        /** Database user (env: `DB_USER`). */
+        readonly user: string;
+        /** Database password (env: `DB_PASSWORD`). */
+        readonly password: string;
+    };
+    readonly drizzle: {
+        /** Maximum connection pool size (env: `DRIZZLE_MAX_POOL_SIZE`). */
+        readonly maxPoolSize: number;
+        /** Idle connection timeout in ms (env: `DRIZZLE_IDLE_TIMEOUT_MILLIS`). */
+        readonly idleTimeoutMillis: number;
+        /** New connection timeout in ms (env: `DRIZZLE_CONNECTION_TIMEOUT_MILLIS`). */
+        readonly connectionTimeoutMillis: number;
+    };
+}
+export interface RegistryConfig {
+    readonly host: string;
+    readonly port: number;
+    readonly user: string;
+    readonly token: string;
+    /** Docker network for build/push (empty string = default). */
+    readonly network: string;
+    /** Use plain HTTP instead of HTTPS (env: `DOCKER_REGISTRY_HTTP`). Defaults to true. */
+    readonly http: boolean;
+    /** Skip TLS certificate verification for self-signed certs (env: `DOCKER_REGISTRY_INSECURE`). Defaults to true. */
+    readonly insecure: boolean;
+}
+export interface RedisConfig {
+    readonly host: string;
+    readonly port: number;
+}
+export interface PluginBuildConfig {
+    readonly concurrency: number;
+    readonly maxAttempts: number;
+    readonly backoffDelayMs: number;
+    readonly workerTimeoutMs: number;
+    readonly tempDirMaxAgeMs: number;
+    readonly dlqMaxAttempts: number;
+    readonly dlqBackoffBaseMs: number;
+    readonly dlqMaxSize: number;
+}
+export interface BuildConfig {
+    /** Build strategy: 'podman' (default), 'docker', or 'kaniko'. */
+    readonly strategy: 'docker' | 'kaniko' | 'podman';
+    /** Root directory for build temp files. */
+    readonly tempRoot: string;
+    /** Build timeout in milliseconds. */
+    readonly timeoutMs: number;
+    /** Push timeout in milliseconds. */
+    readonly pushTimeoutMs: number;
+    /** Path to Kaniko executor binary (only used when strategy=kaniko). */
+    readonly kanikoExecutor: string;
+    /** Kaniko layer cache directory (only used when strategy=kaniko). */
+    readonly kanikoCacheDir: string;
+}
+export interface ObservabilityConfig {
+    readonly logLevel: string;
+    readonly logFormat: string;
+    readonly serviceName: string;
+    readonly tracing: {
+        readonly enabled: boolean;
+        readonly endpoint: string;
+    };
+}
+export interface ComplianceConfig {
+    readonly scanSchedulerIntervalMs: number;
+}
+export interface AWSConfig {
+    readonly lambda: {
+        readonly runtime: Runtime;
+        readonly timeout: Duration;
+        readonly memorySize: number;
+        readonly architecture: Architecture;
+        readonly reservedConcurrentExecutions?: number;
+    };
+    readonly logging: {
+        readonly groupName: string;
+        readonly retention: RetentionDays;
+        readonly removalPolicy: RemovalPolicy;
+    };
+    readonly codeBuild: {
+        readonly computeType: ComputeType;
+    };
+    /** When true, resolve synth plugin via custom resource Lambda at deploy time.
+     *  When false (default), use fallback synth commands (pipeline-manager synth). */
+    readonly resolvedSynthPlugin: boolean;
+}
+/** Express rate limiting configuration. */
+export interface RateLimitConfig {
+    /** Maximum requests per window (env: `LIMITER_MAX`). */
+    readonly max: number;
+    /** Rate limit window in milliseconds (env: `LIMITER_WINDOWMS`). */
+    readonly windowMs: number;
+    /** Include legacy `X-RateLimit-*` headers. */
+    readonly legacyHeaders: boolean;
+    /** Include standard `RateLimit-*` headers (RFC 6585). */
+    readonly standardHeaders: boolean;
+}
+/** Price configuration for a single billing plan (in cents). */
+export interface BillingPlanPrices {
+    readonly monthly: number;
+    readonly annual: number;
+}
+/** Full billing plan definition used for seeding and runtime configuration. */
+export interface BillingPlanConfig {
+    readonly id: string;
+    readonly name: string;
+    readonly description: string;
+    readonly tier: QuotaTier;
+    readonly prices: BillingPlanPrices;
+    readonly features: readonly string[];
+    readonly isActive: boolean;
+    readonly isDefault: boolean;
+    readonly sortOrder: number;
+}
+/** Billing plans configuration. */
+export interface BillingConfig {
+    readonly plans: readonly BillingPlanConfig[];
+}

package/lib/config/config-types.js

@@ -0,0 +1,5 @@
+"use strict";
+// Copyright 2026 Pipeline Builder Contributors
+// SPDX-License-Identifier: Apache-2.0
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY29uZmlnLXR5cGVzLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vc3JjL2NvbmZpZy9jb25maWctdHlwZXMudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IjtBQUFBLCtDQUErQztBQUMvQyxzQ0FBc0MiLCJzb3VyY2VzQ29udGVudCI6WyIvLyBDb3B5cmlnaHQgMjAyNiBQaXBlbGluZSBCdWlsZGVyIENvbnRyaWJ1dG9yc1xuLy8gU1BEWC1MaWNlbnNlLUlkZW50aWZpZXI6IEFwYWNoZS0yLjBcblxuaW1wb3J0IHR5cGUgeyBRdW90YVRpZXIgfSBmcm9tICdAcGlwZWxpbmUtYnVpbGRlci9hcGktY29yZSc7XG5pbXBvcnQgdHlwZSB7IER1cmF0aW9uLCBSZW1vdmFsUG9saWN5IH0gZnJvbSAnYXdzLWNkay1saWInO1xuaW1wb3J0IHR5cGUgeyBDb21wdXRlVHlwZSB9IGZyb20gJ2F3cy1jZGstbGliL2F3cy1jb2RlYnVpbGQnO1xuaW1wb3J0IHR5cGUgeyBBcmNoaXRlY3R1cmUsIFJ1bnRpbWUgfSBmcm9tICdhd3MtY2RrLWxpYi9hd3MtbGFtYmRhJztcbmltcG9ydCB0eXBlIHsgUmV0ZW50aW9uRGF5cyB9IGZyb20gJ2F3cy1jZGstbGliL2F3cy1sb2dzJztcbmltcG9ydCB0eXBlIHsgQWxnb3JpdGhtIH0gZnJvbSAnanNvbndlYnRva2VuJztcblxuLyoqXG4gKiBUeXBlLXNhZmUgY29uZmlndXJhdGlvbiBpbnRlcmZhY2VcbiAqL1xuZXhwb3J0IGludGVyZmFjZSBBcHBDb25maWcge1xuICByZWFkb25seSBzZXJ2ZXI6IFNlcnZlckNvbmZpZztcbiAgcmVhZG9ubHkgYXV0aDogQXV0aENvbmZpZztcbiAgcmVhZG9ubHkgZGF0YWJhc2U6IERhdGFiYXNlQ29uZmlnO1xuICByZWFkb25seSByZWdpc3RyeTogUmVnaXN0cnlDb25maWc7XG4gIHJlYWRvbmx5IHJlZGlzOiBSZWRpc0NvbmZpZztcbiAgcmVhZG9ubHkgcGx1Z2luQnVpbGQ6IFBsdWdpbkJ1aWxkQ29uZmlnO1xuICByZWFkb25seSBkb2NrZXJDb25maWc6IEJ1aWxkQ29uZmlnO1xuICByZWFkb25seSBvYnNlcnZhYmlsaXR5OiBPYnNlcnZhYmlsaXR5Q29uZmlnO1xuICByZWFkb25seSBjb21wbGlhbmNlOiBDb21wbGlhbmNlQ29uZmlnO1xuICByZWFkb25seSBhd3M6IEFXU0NvbmZpZztcbiAgcmVhZG9ubHkgcmF0ZUxpbWl0OiBSYXRlTGltaXRDb25maWc7XG4gIHJlYWRvbmx5IGJpbGxpbmc6IEJpbGxpbmdDb25maWc7XG59XG5cbi8qKiBFeHByZXNzIHNlcnZlciBjb25maWd1cmF0aW9uLiAqL1xuZXhwb3J0IGludGVyZmFjZSBTZXJ2ZXJDb25maWcge1xuICAvKiogSFRUUCBsaXN0ZW4gcG9ydCAoZW52OiBgUE9SVGApLiAqL1xuICByZWFkb25seSBwb3J0OiBudW1iZXI7XG4gIHJlYWRvbmx5IGNvcnM6IHtcbiAgICAvKiogV2hldGhlciB0byBpbmNsdWRlIGNyZWRlbnRpYWxzIGluIENPUlMgcmVzcG9uc2VzIChlbnY6IGBDT1JTX0NSRURFTlRJQUxTYCkuICovXG4gICAgcmVhZG9ubHkgY3JlZGVudGlhbHM6IGJvb2xlYW47XG4gICAgLyoqIEFsbG93ZWQgb3JpZ2luKHMpIOKAlCBzaW5nbGUgc3RyaW5nLCBhcnJheSwgb3IgYCcqJ2AgKGVudjogYENPUlNfT1JJR0lOYCkuICovXG4gICAgcmVhZG9ubHkgb3JpZ2luOiBzdHJpbmcgfCBzdHJpbmdbXTtcbiAgfTtcbiAgLyoqIE51bWJlciBvZiByZXZlcnNlIHByb3h5IGhvcHMgdG8gdHJ1c3QgKGVudjogYFRSVVNUX1BST1hZYCkuICovXG4gIHJlYWRvbmx5IHRydXN0UHJveHk6IG51bWJlcjtcbiAgLyoqIEZyb250ZW5kIGJhc2UgVVJMLCB1c2VkIGFzIENPUlMgZmFsbGJhY2sgKGVudjogYFBMQVRGT1JNX0JBU0VfVVJMYCkuICovXG4gIHJlYWRvbmx5IHBsYXRmb3JtVXJsOiBzdHJpbmc7XG4gIHJlYWRvbmx5IGh0dHBDbGllbnQ6IHtcbiAgICAvKiogRGVmYXVsdCBIVFRQIHJlcXVlc3QgdGltZW91dCBpbiBtcyAoZW52OiBgSFRUUF9DTElFTlRfVElNRU9VVGApLiAqL1xuICAgIHJlYWRvbmx5IHRpbWVvdXQ6IG51bWJlcjtcbiAgICAvKiogTWF4aW11bSByZXRyeSBhdHRlbXB0cyBmb3IgZmFpbGVkIHJlcXVlc3RzIChlbnY6IGBIVFRQX0NMSUVOVF9NQVhfUkVUUklFU2ApLiAqL1xuICAgIHJlYWRvbmx5IG1heFJldHJpZXM6IG51bWJlcjtcbiAgICAvKiogQmFzZSBkZWxheSBiZXR3ZWVuIHJldHJpZXMgaW4gbXMgKGVudjogYEhUVFBfQ0xJRU5UX1JFVFJZX0RFTEFZX01TYCkuICovXG4gICAgcmVhZG9ubHkgcmV0cnlEZWxheU1zOiBudW1iZXI7XG4gIH07XG4gIHJlYWRvbmx5IHNzZToge1xuICAgIC8qKiBNYXggU1NFIGNsaWVudHMgcGVyIHJlcXVlc3QgKGVudjogYFNTRV9NQVhfQ0xJRU5UU19QRVJfUkVRVUVTVGApLiAqL1xuICAgIHJlYWRvbmx5IG1heENsaWVudHNQZXJSZXF1ZXN0OiBudW1iZXI7XG4gICAgLyoqIFNTRSBjbGllbnQgdGltZW91dCBpbiBtcyAoZW52OiBgU1NFX0NMSUVOVF9USU1FT1VUX01TYCkuICovXG4gICAgcmVhZG9ubHkgY2xpZW50VGltZW91dE1zOiBudW1iZXI7XG4gICAgLyoqIFNTRSBjbGVhbnVwIGludGVydmFsIGluIG1zIChlbnY6IGBTU0VfQ0xFQU5VUF9JTlRFUlZBTF9NU2ApLiAqL1xuICAgIHJlYWRvbmx5IGNsZWFudXBJbnRlcnZhbE1zOiBudW1iZXI7XG4gIH07XG4gIHJlYWRvbmx5IHNlcnZpY2VzOiB7XG4gICAgcmVhZG9ubHkgcGx1Z2luSG9zdDogc3RyaW5nO1xuICAgIHJlYWRvbmx5IHBsdWdpblBvcnQ6IG51bWJlcjtcbiAgICByZWFkb25seSBwaXBlbGluZUhvc3Q6IHN0cmluZztcbiAgICByZWFkb25seSBwaXBlbGluZVBvcnQ6IG51bWJlcjtcbiAgICByZWFkb25seSBtZXNzYWdlSG9zdDogc3RyaW5nO1xuICAgIHJlYWRvbmx5IG1lc3NhZ2VQb3J0OiBudW1iZXI7XG4gICAgcmVhZG9ubHkgY29tcGxpYW5jZUhvc3Q6IHN0cmluZztcbiAgICByZWFkb25seSBjb21wbGlhbmNlUG9ydDogbnVtYmVyO1xuICAgIHJlYWRvbmx5IGJpbGxpbmdIb3N0OiBzdHJpbmc7XG4gICAgcmVhZG9ubHkgYmlsbGluZ1BvcnQ6IG51bWJlcjtcbiAgICByZWFkb25seSBiaWxsaW5nVGltZW91dDogbnVtYmVyO1xuICB9O1xufVxuXG4vKiogSldUIGFuZCByZWZyZXNoIHRva2VuIGF1dGhlbnRpY2F0aW9uIGNvbmZpZ3VyYXRpb24uICovXG5leHBvcnQgaW50ZXJmYWNlIEF1dGhDb25maWcge1xuICByZWFkb25seSBqd3Q6IHtcbiAgICAvKiogU2lnbmluZyBzZWNyZXQgZm9yIGFjY2VzcyB0b2tlbnMgKGVudjogYEpXVF9TRUNSRVRgKS4gKi9cbiAgICByZWFkb25seSBzZWNyZXQ6IHN0cmluZztcbiAgICAvKiogVG9rZW4gbGlmZXRpbWUgaW4gc2Vjb25kcyAoZW52OiBgSldUX0VYUElSRVNfSU5gKS4gKi9cbiAgICByZWFkb25seSBleHBpcmVzSW46IG51bWJlcjtcbiAgICAvKiogU2lnbmluZyBhbGdvcml0aG0sIGUuZy4gYCdIUzI1NidgIChlbnY6IGBKV1RfQUxHT1JJVEhNYCkuICovXG4gICAgcmVhZG9ubHkgYWxnb3JpdGhtOiBBbGdvcml0aG07XG4gICAgLyoqIGJjcnlwdCBzYWx0IHJvdW5kcyBmb3IgcGFzc3dvcmQgaGFzaGluZyAoZW52OiBgSldUX1NBTFRfUk9VTkRTYCkuICovXG4gICAgcmVhZG9ubHkgc2FsdFJvdW5kczogbnVtYmVyO1xuICB9O1xuICByZWFkb25seSByZWZyZXNoVG9rZW46IHtcbiAgICAvKiogU2lnbmluZyBzZWNyZXQgZm9yIHJlZnJlc2ggdG9rZW5zIChlbnY6IGBSRUZSRVNIX1RPS0VOX1NFQ1JFVGApLiAqL1xuICAgIHJlYWRvbmx5IHNlY3JldDogc3RyaW5nO1xuICAgIC8qKiBUb2tlbiBsaWZldGltZSBpbiBzZWNvbmRzIChlbnY6IGBSRUZSRVNIX1RPS0VOX0VYUElSRVNfSU5gKS4gKi9cbiAgICByZWFkb25seSBleHBpcmVzSW46IG51bWJlcjtcbiAgfTtcbn1cblxuLyoqIFBvc3RncmVTUUwgYW5kIERyaXp6bGUgT1JNIGRhdGFiYXNlIGNvbmZpZ3VyYXRpb24uICovXG5leHBvcnQgaW50ZXJmYWNlIERhdGFiYXNlQ29uZmlnIHtcbiAgcmVhZG9ubHkgcG9zdGdyZXM6IHtcbiAgICAvKiogUG9zdGdyZVNRTCBob3N0IChlbnY6IGBEQl9IT1NUYCkuICovXG4gICAgcmVhZG9ubHkgaG9zdDogc3RyaW5nO1xuICAgIC8qKiBQb3N0Z3JlU1FMIHBvcnQgKGVudjogYERCX1BPUlRgKS4gKi9cbiAgICByZWFkb25seSBwb3J0OiBudW1iZXI7XG4gICAgLyoqIERhdGFiYXNlIG5hbWUgKGVudjogYERBVEFCQVNFYCkuICovXG4gICAgcmVhZG9ubHkgZGF0YWJhc2U6IHN0cmluZztcbiAgICAvKiogRGF0YWJhc2UgdXNlciAoZW52OiBgREJfVVNFUmApLiAqL1xuICAgIHJlYWRvbmx5IHVzZXI6IHN0cmluZztcbiAgICAvKiogRGF0YWJhc2UgcGFzc3dvcmQgKGVudjogYERCX1BBU1NXT1JEYCkuICovXG4gICAgcmVhZG9ubHkgcGFzc3dvcmQ6IHN0cmluZztcbiAgfTtcbiAgcmVhZG9ubHkgZHJpenpsZToge1xuICAgIC8qKiBNYXhpbXVtIGNvbm5lY3Rpb24gcG9vbCBzaXplIChlbnY6IGBEUklaWkxFX01BWF9QT09MX1NJWkVgKS4gKi9cbiAgICByZWFkb25seSBtYXhQb29sU2l6ZTogbnVtYmVyO1xuICAgIC8qKiBJZGxlIGNvbm5lY3Rpb24gdGltZW91dCBpbiBtcyAoZW52OiBgRFJJWlpMRV9JRExFX1RJTUVPVVRfTUlMTElTYCkuICovXG4gICAgcmVhZG9ubHkgaWRsZVRpbWVvdXRNaWxsaXM6IG51bWJlcjtcbiAgICAvKiogTmV3IGNvbm5lY3Rpb24gdGltZW91dCBpbiBtcyAoZW52OiBgRFJJWlpMRV9DT05ORUNUSU9OX1RJTUVPVVRfTUlMTElTYCkuICovXG4gICAgcmVhZG9ubHkgY29ubmVjdGlvblRpbWVvdXRNaWxsaXM6IG51bWJlcjtcbiAgfTtcbn1cblxuZXhwb3J0IGludGVyZmFjZSBSZWdpc3RyeUNvbmZpZyB7XG4gIHJlYWRvbmx5IGhvc3Q6IHN0cmluZztcbiAgcmVhZG9ubHkgcG9ydDogbnVtYmVyO1xuICByZWFkb25seSB1c2VyOiBzdHJpbmc7XG4gIHJlYWRvbmx5IHRva2VuOiBzdHJpbmc7XG4gIC8qKiBEb2NrZXIgbmV0d29yayBmb3IgYnVpbGQvcHVzaCAoZW1wdHkgc3RyaW5nID0gZGVmYXVsdCkuICovXG4gIHJlYWRvbmx5IG5ldHdvcms6IHN0cmluZztcbiAgLyoqIFVzZSBwbGFpbiBIVFRQIGluc3RlYWQgb2YgSFRUUFMgKGVudjogYERPQ0tFUl9SRUdJU1RSWV9IVFRQYCkuIERlZmF1bHRzIHRvIHRydWUuICovXG4gIHJlYWRvbmx5IGh0dHA6IGJvb2xlYW47XG4gIC8qKiBTa2lwIFRMUyBjZXJ0aWZpY2F0ZSB2ZXJpZmljYXRpb24gZm9yIHNlbGYtc2lnbmVkIGNlcnRzIChlbnY6IGBET0NLRVJfUkVHSVNUUllfSU5TRUNVUkVgKS4gRGVmYXVsdHMgdG8gdHJ1ZS4gKi9cbiAgcmVhZG9ubHkgaW5zZWN1cmU6IGJvb2xlYW47XG59XG5cbmV4cG9ydCBpbnRlcmZhY2UgUmVkaXNDb25maWcge1xuICByZWFkb25seSBob3N0OiBzdHJpbmc7XG4gIHJlYWRvbmx5IHBvcnQ6IG51bWJlcjtcbn1cblxuZXhwb3J0IGludGVyZmFjZSBQbHVnaW5CdWlsZENvbmZpZyB7XG4gIHJlYWRvbmx5IGNvbmN1cnJlbmN5OiBudW1iZXI7XG4gIHJlYWRvbmx5IG1heEF0dGVtcHRzOiBudW1iZXI7XG4gIHJlYWRvbmx5IGJhY2tvZmZEZWxheU1zOiBudW1iZXI7XG4gIHJlYWRvbmx5IHdvcmtlclRpbWVvdXRNczogbnVtYmVyO1xuICByZWFkb25seSB0ZW1wRGlyTWF4QWdlTXM6IG51bWJlcjtcbiAgcmVhZG9ubHkgZGxxTWF4QXR0ZW1wdHM6IG51bWJlcjtcbiAgcmVhZG9ubHkgZGxxQmFja29mZkJhc2VNczogbnVtYmVyO1xuICByZWFkb25seSBkbHFNYXhTaXplOiBudW1iZXI7XG59XG5cbmV4cG9ydCBpbnRlcmZhY2UgQnVpbGRDb25maWcge1xuICAvKiogQnVpbGQgc3RyYXRlZ3k6ICdwb2RtYW4nIChkZWZhdWx0KSwgJ2RvY2tlcicsIG9yICdrYW5pa28nLiAqL1xuICByZWFkb25seSBzdHJhdGVneTogJ2RvY2tlcicgfCAna2FuaWtvJyB8ICdwb2RtYW4nO1xuICAvKiogUm9vdCBkaXJlY3RvcnkgZm9yIGJ1aWxkIHRlbXAgZmlsZXMuICovXG4gIHJlYWRvbmx5IHRlbXBSb290OiBzdHJpbmc7XG4gIC8qKiBCdWlsZCB0aW1lb3V0IGluIG1pbGxpc2Vjb25kcy4gKi9cbiAgcmVhZG9ubHkgdGltZW91dE1zOiBudW1iZXI7XG4gIC8qKiBQdXNoIHRpbWVvdXQgaW4gbWlsbGlzZWNvbmRzLiAqL1xuICByZWFkb25seSBwdXNoVGltZW91dE1zOiBudW1iZXI7XG4gIC8qKiBQYXRoIHRvIEthbmlrbyBleGVjdXRvciBiaW5hcnkgKG9ubHkgdXNlZCB3aGVuIHN0cmF0ZWd5PWthbmlrbykuICovXG4gIHJlYWRvbmx5IGthbmlrb0V4ZWN1dG9yOiBzdHJpbmc7XG4gIC8qKiBLYW5pa28gbGF5ZXIgY2FjaGUgZGlyZWN0b3J5IChvbmx5IHVzZWQgd2hlbiBzdHJhdGVneT1rYW5pa28pLiAqL1xuICByZWFkb25seSBrYW5pa29DYWNoZURpcjogc3RyaW5nO1xufVxuXG5leHBvcnQgaW50ZXJmYWNlIE9ic2VydmFiaWxpdHlDb25maWcge1xuICByZWFkb25seSBsb2dMZXZlbDogc3RyaW5nO1xuICByZWFkb25seSBsb2dGb3JtYXQ6IHN0cmluZztcbiAgcmVhZG9ubHkgc2VydmljZU5hbWU6IHN0cmluZztcbiAgcmVhZG9ubHkgdHJhY2luZzoge1xuICAgIHJlYWRvbmx5IGVuYWJsZWQ6IGJvb2xlYW47XG4gICAgcmVhZG9ubHkgZW5kcG9pbnQ6IHN0cmluZztcbiAgfTtcbn1cblxuZXhwb3J0IGludGVyZmFjZSBDb21wbGlhbmNlQ29uZmlnIHtcbiAgcmVhZG9ubHkgc2NhblNjaGVkdWxlckludGVydmFsTXM6IG51bWJlcjtcbn1cblxuZXhwb3J0IGludGVyZmFjZSBBV1NDb25maWcge1xuICByZWFkb25seSBsYW1iZGE6IHtcbiAgICByZWFkb25seSBydW50aW1lOiBSdW50aW1lO1xuICAgIHJlYWRvbmx5IHRpbWVvdXQ6IER1cmF0aW9uO1xuICAgIHJlYWRvbmx5IG1lbW9yeVNpemU6IG51bWJlcjtcbiAgICByZWFkb25seSBhcmNoaXRlY3R1cmU6IEFyY2hpdGVjdHVyZTtcbiAgICByZWFkb25seSByZXNlcnZlZENvbmN1cnJlbnRFeGVjdXRpb25zPzogbnVtYmVyO1xuICB9O1xuICByZWFkb25seSBsb2dnaW5nOiB7XG4gICAgcmVhZG9ubHkgZ3JvdXBOYW1lOiBzdHJpbmc7XG4gICAgcmVhZG9ubHkgcmV0ZW50aW9uOiBSZXRlbnRpb25EYXlzO1xuICAgIHJlYWRvbmx5IHJlbW92YWxQb2xpY3k6IFJlbW92YWxQb2xpY3k7XG4gIH07XG4gIHJlYWRvbmx5IGNvZGVCdWlsZDoge1xuICAgIHJlYWRvbmx5IGNvbXB1dGVUeXBlOiBDb21wdXRlVHlwZTtcbiAgfTtcbiAgLyoqIFdoZW4gdHJ1ZSwgcmVzb2x2ZSBzeW50aCBwbHVnaW4gdmlhIGN1c3RvbSByZXNvdXJjZSBMYW1iZGEgYXQgZGVwbG95IHRpbWUuXG4gICAqICBXaGVuIGZhbHNlIChkZWZhdWx0KSwgdXNlIGZhbGxiYWNrIHN5bnRoIGNvbW1hbmRzIChwaXBlbGluZS1tYW5hZ2VyIHN5bnRoKS4gKi9cbiAgcmVhZG9ubHkgcmVzb2x2ZWRTeW50aFBsdWdpbjogYm9vbGVhbjtcbn1cblxuLyoqIEV4cHJlc3MgcmF0ZSBsaW1pdGluZyBjb25maWd1cmF0aW9uLiAqL1xuZXhwb3J0IGludGVyZmFjZSBSYXRlTGltaXRDb25maWcge1xuICAvKiogTWF4aW11bSByZXF1ZXN0cyBwZXIgd2luZG93IChlbnY6IGBMSU1JVEVSX01BWGApLiAqL1xuICByZWFkb25seSBtYXg6IG51bWJlcjtcbiAgLyoqIFJhdGUgbGltaXQgd2luZG93IGluIG1pbGxpc2Vjb25kcyAoZW52OiBgTElNSVRFUl9XSU5ET1dNU2ApLiAqL1xuICByZWFkb25seSB3aW5kb3dNczogbnVtYmVyO1xuICAvKiogSW5jbHVkZSBsZWdhY3kgYFgtUmF0ZUxpbWl0LSpgIGhlYWRlcnMuICovXG4gIHJlYWRvbmx5IGxlZ2FjeUhlYWRlcnM6IGJvb2xlYW47XG4gIC8qKiBJbmNsdWRlIHN0YW5kYXJkIGBSYXRlTGltaXQtKmAgaGVhZGVycyAoUkZDIDY1ODUpLiAqL1xuICByZWFkb25seSBzdGFuZGFyZEhlYWRlcnM6IGJvb2xlYW47XG59XG5cbi8qKiBQcmljZSBjb25maWd1cmF0aW9uIGZvciBhIHNpbmdsZSBiaWxsaW5nIHBsYW4gKGluIGNlbnRzKS4gKi9cbmV4cG9ydCBpbnRlcmZhY2UgQmlsbGluZ1BsYW5QcmljZXMge1xuICByZWFkb25seSBtb250aGx5OiBudW1iZXI7XG4gIHJlYWRvbmx5IGFubnVhbDogbnVtYmVyO1xufVxuXG4vKiogRnVsbCBiaWxsaW5nIHBsYW4gZGVmaW5pdGlvbiB1c2VkIGZvciBzZWVkaW5nIGFuZCBydW50aW1lIGNvbmZpZ3VyYXRpb24uICovXG5leHBvcnQgaW50ZXJmYWNlIEJpbGxpbmdQbGFuQ29uZmlnIHtcbiAgcmVhZG9ubHkgaWQ6IHN0cmluZztcbiAgcmVhZG9ubHkgbmFtZTogc3RyaW5nO1xuICByZWFkb25seSBkZXNjcmlwdGlvbjogc3RyaW5nO1xuICByZWFkb25seSB0aWVyOiBRdW90YVRpZXI7XG4gIHJlYWRvbmx5IHByaWNlczogQmlsbGluZ1BsYW5QcmljZXM7XG4gIHJlYWRvbmx5IGZlYXR1cmVzOiByZWFkb25seSBzdHJpbmdbXTtcbiAgcmVhZG9ubHkgaXNBY3RpdmU6IGJvb2xlYW47XG4gIHJlYWRvbmx5IGlzRGVmYXVsdDogYm9vbGVhbjtcbiAgcmVhZG9ubHkgc29ydE9yZGVyOiBudW1iZXI7XG59XG5cbi8qKiBCaWxsaW5nIHBsYW5zIGNvbmZpZ3VyYXRpb24uICovXG5leHBvcnQgaW50ZXJmYWNlIEJpbGxpbmdDb25maWcge1xuICByZWFkb25seSBwbGFuczogcmVhZG9ubHkgQmlsbGluZ1BsYW5Db25maWdbXTtcbn1cbiJdfQ==

package/lib/config/infrastructure-config.d.ts

@@ -0,0 +1,55 @@
+import type { AWSConfig, BuildConfig, ComplianceConfig, DatabaseConfig, ObservabilityConfig, PluginBuildConfig, RedisConfig, RegistryConfig } from './config-types';
+/**
+ * Load Docker registry configuration from environment variables.
+ *
+ * Environment variables:
+ * - `IMAGE_REGISTRY_HOST` — Registry hostname (default: `'registry'`)
+ * - `IMAGE_REGISTRY_PORT` — Registry port (default: `5000`)
+ * - `IMAGE_REGISTRY_USER` — Registry username (default: `'admin'`)
+ * - `IMAGE_REGISTRY_TOKEN` — Registry auth token (default: `'password'`)
+ * - `DOCKER_NETWORK` — Docker network for build/push (default: `''`)
+ * - `DOCKER_REGISTRY_HTTP` — Use plain HTTP (default: `true`). Set `false` for HTTPS.
+ * - `DOCKER_REGISTRY_INSECURE` — Skip TLS verification (default: `true`). Set `false` for production.
+ *
+ * @returns Registry configuration
+ */
+export declare function loadRegistryConfig(): RegistryConfig;
+export declare function loadRedisConfig(): RedisConfig;
+/**
+ * Load plugin build queue configuration.
+ *
+ * Environment variables:
+ * - `PLUGIN_BUILD_CONCURRENCY` — Max concurrent plugin builds (default: `1`)
+ */
+export declare function loadPluginBuildConfig(): PluginBuildConfig;
+export declare function loadDatabaseConfig(): DatabaseConfig;
+export declare function loadObservabilityConfig(): ObservabilityConfig;
+export declare function loadComplianceConfig(): ComplianceConfig;
+/**
+ * Load Docker/Podman/Kaniko build configuration.
+ *
+ * Environment variables:
+ * - `DOCKER_BUILD_STRATEGY` — Build strategy: `podman`, `docker`, or `kaniko` (default: `podman`)
+ * - `DOCKER_BUILD_TEMP_ROOT` — Temp directory for build contexts (default: `<cwd>/tmp`)
+ * - `DOCKER_BUILD_TIMEOUT_MS` — Build timeout in milliseconds (default: `900000` / 15 min)
+ * - `DOCKER_PUSH_TIMEOUT_MS` — Push timeout in milliseconds (default: `300000` / 5 min)
+ * - `KANIKO_EXECUTOR_PATH` — Path to Kaniko executor binary (default: `/kaniko/executor`)
+ * - `KANIKO_CACHE_DIR` — Kaniko layer cache directory (default: `/kaniko/cache`)
+ */
+export declare function loadDockerConfig(): BuildConfig;
+/**
+ * Load AWS infrastructure configuration from environment variables.
+ *
+ * Environment variables:
+ * - `LAMBDA_RUNTIME` — Lambda runtime (default: `'nodejs24.x'`; supports nodejs22.x, nodejs24.x)
+ * - `LAMBDA_TIMEOUT` — Lambda timeout in seconds (default: `900`)
+ * - `LAMBDA_MEMORY_SIZE` — Lambda memory in MB (default: `128`)
+ * - `LAMBDA_ARCHITECTURE` — `'x86_64'` or ARM (default: ARM_64)
+ * - `LOG_GROUP_NAME` — CloudWatch log group (default: `'/pipeline-builder/logs'`)
+ * - `LOG_RETENTION` — Log retention in days (default: `7`)
+ * - `LOG_REMOVAL_POLICY` — `'RETAIN'` or destroy (default: DESTROY)
+ * - `CODEBUILD_COMPUTE_TYPE` — CodeBuild compute type (default: `'SMALL'`)
+ *
+ * @returns AWS infrastructure configuration
+ */
+export declare function loadAWSConfig(): AWSConfig;

package/lib/config/infrastructure-config.js

@@ -0,0 +1,200 @@
+"use strict";
+// Copyright 2026 Pipeline Builder Contributors
+// SPDX-License-Identifier: Apache-2.0
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.loadRegistryConfig = loadRegistryConfig;
+exports.loadRedisConfig = loadRedisConfig;
+exports.loadPluginBuildConfig = loadPluginBuildConfig;
+exports.loadDatabaseConfig = loadDatabaseConfig;
+exports.loadObservabilityConfig = loadObservabilityConfig;
+exports.loadComplianceConfig = loadComplianceConfig;
+exports.loadDockerConfig = loadDockerConfig;
+exports.loadAWSConfig = loadAWSConfig;
+const path_1 = __importDefault(require("path"));
+const aws_cdk_lib_1 = require("aws-cdk-lib");
+const aws_lambda_1 = require("aws-cdk-lib/aws-lambda");
+const aws_logs_1 = require("aws-cdk-lib/aws-logs");
+const pipeline_helpers_1 = require("../core/pipeline-helpers");
+function requireInProduction(envVar, devDefault) {
+    const value = process.env[envVar];
+    if (value)
+        return value;
+    if (process.env.NODE_ENV === 'production') {
+        throw new Error(`${envVar} is required in production`);
+    }
+    return devDefault;
+}
+/**
+ * Load Docker registry configuration from environment variables.
+ *
+ * Environment variables:
+ * - `IMAGE_REGISTRY_HOST` — Registry hostname (default: `'registry'`)
+ * - `IMAGE_REGISTRY_PORT` — Registry port (default: `5000`)
+ * - `IMAGE_REGISTRY_USER` — Registry username (default: `'admin'`)
+ * - `IMAGE_REGISTRY_TOKEN` — Registry auth token (default: `'password'`)
+ * - `DOCKER_NETWORK` — Docker network for build/push (default: `''`)
+ * - `DOCKER_REGISTRY_HTTP` — Use plain HTTP (default: `true`). Set `false` for HTTPS.
+ * - `DOCKER_REGISTRY_INSECURE` — Skip TLS verification (default: `true`). Set `false` for production.
+ *
+ * @returns Registry configuration
+ */
+function loadRegistryConfig() {
+    return {
+        host: process.env.IMAGE_REGISTRY_HOST || 'registry',
+        port: parseInt(process.env.IMAGE_REGISTRY_PORT || '5000', 10),
+        user: requireInProduction('IMAGE_REGISTRY_USER', 'admin'),
+        token: requireInProduction('IMAGE_REGISTRY_TOKEN', 'password'),
+        network: process.env.DOCKER_NETWORK || '',
+        http: process.env.DOCKER_REGISTRY_HTTP !== 'false',
+        insecure: process.env.DOCKER_REGISTRY_INSECURE !== 'false',
+    };
+}
+function loadRedisConfig() {
+    return {
+        host: process.env.REDIS_HOST || 'localhost',
+        port: parseInt(process.env.REDIS_PORT || '6379', 10),
+    };
+}
+/**
+ * Load plugin build queue configuration.
+ *
+ * Environment variables:
+ * - `PLUGIN_BUILD_CONCURRENCY` — Max concurrent plugin builds (default: `1`)
+ */
+function loadPluginBuildConfig() {
+    return {
+        concurrency: parseInt(process.env.PLUGIN_BUILD_CONCURRENCY || '1', 10),
+        maxAttempts: parseInt(process.env.PLUGIN_BUILD_MAX_ATTEMPTS || '2', 10),
+        backoffDelayMs: parseInt(process.env.PLUGIN_BUILD_BACKOFF_DELAY_MS || '5000', 10),
+        workerTimeoutMs: parseInt(process.env.PLUGIN_BUILD_WORKER_TIMEOUT_MS || '10000', 10),
+        tempDirMaxAgeMs: parseInt(process.env.TEMP_DIR_MAX_AGE_MS || '14400000', 10),
+        dlqMaxAttempts: parseInt(process.env.PLUGIN_DLQ_MAX_ATTEMPTS || '3', 10),
+        dlqBackoffBaseMs: parseInt(process.env.PLUGIN_DLQ_BACKOFF_BASE_MS || '300000', 10),
+        dlqMaxSize: parseInt(process.env.PLUGIN_DLQ_MAX_SIZE || '20', 10),
+    };
+}
+function loadDatabaseConfig() {
+    return {
+        postgres: {
+            host: process.env.DB_HOST || 'postgres',
+            port: parseInt(process.env.DB_PORT || '5432', 10),
+            database: process.env.DATABASE || 'pipeline_builder',
+            user: process.env.DB_USER || 'postgres',
+            password: process.env.DB_PASSWORD || '',
+        },
+        drizzle: {
+            maxPoolSize: parseInt(process.env.DRIZZLE_MAX_POOL_SIZE || '20', 10),
+            idleTimeoutMillis: parseInt(process.env.DRIZZLE_IDLE_TIMEOUT_MILLIS || '30000', 10),
+            connectionTimeoutMillis: parseInt(process.env.DRIZZLE_CONNECTION_TIMEOUT_MILLIS || '10000', 10),
+        },
+    };
+}
+function loadObservabilityConfig() {
+    return {
+        logLevel: process.env.LOG_LEVEL || 'info',
+        logFormat: process.env.LOG_FORMAT || 'json',
+        serviceName: process.env.SERVICE_NAME || 'api',
+        tracing: {
+            enabled: process.env.OTEL_TRACING_ENABLED === 'true',
+            endpoint: process.env.OTEL_EXPORTER_OTLP_ENDPOINT || 'http://localhost:4318/v1/traces',
+        },
+    };
+}
+function loadComplianceConfig() {
+    return {
+        scanSchedulerIntervalMs: parseInt(process.env.SCAN_SCHEDULER_INTERVAL_MS || '60000', 10),
+    };
+}
+/**
+ * Load Docker/Podman/Kaniko build configuration.
+ *
+ * Environment variables:
+ * - `DOCKER_BUILD_STRATEGY` — Build strategy: `podman`, `docker`, or `kaniko` (default: `podman`)
+ * - `DOCKER_BUILD_TEMP_ROOT` — Temp directory for build contexts (default: `<cwd>/tmp`)
+ * - `DOCKER_BUILD_TIMEOUT_MS` — Build timeout in milliseconds (default: `900000` / 15 min)
+ * - `DOCKER_PUSH_TIMEOUT_MS` — Push timeout in milliseconds (default: `300000` / 5 min)
+ * - `KANIKO_EXECUTOR_PATH` — Path to Kaniko executor binary (default: `/kaniko/executor`)
+ * - `KANIKO_CACHE_DIR` — Kaniko layer cache directory (default: `/kaniko/cache`)
+ */
+function loadDockerConfig() {
+    const validStrategies = new Set(['docker', 'kaniko', 'podman']);
+    const strategyEnv = (process.env.DOCKER_BUILD_STRATEGY || '').toLowerCase();
+    return {
+        strategy: validStrategies.has(strategyEnv) ? strategyEnv : 'docker',
+        tempRoot: process.env.DOCKER_BUILD_TEMP_ROOT || path_1.default.join(process.cwd(), 'tmp'),
+        timeoutMs: parseInt(process.env.DOCKER_BUILD_TIMEOUT_MS || '900000', 10),
+        pushTimeoutMs: parseInt(process.env.DOCKER_PUSH_TIMEOUT_MS || '300000', 10),
+        kanikoExecutor: process.env.KANIKO_EXECUTOR_PATH || '/kaniko/executor',
+        kanikoCacheDir: process.env.KANIKO_CACHE_DIR || '/kaniko/cache',
+    };
+}
+/**
+ * Load AWS infrastructure configuration from environment variables.
+ *
+ * Environment variables:
+ * - `LAMBDA_RUNTIME` — Lambda runtime (default: `'nodejs24.x'`; supports nodejs22.x, nodejs24.x)
+ * - `LAMBDA_TIMEOUT` — Lambda timeout in seconds (default: `900`)
+ * - `LAMBDA_MEMORY_SIZE` — Lambda memory in MB (default: `128`)
+ * - `LAMBDA_ARCHITECTURE` — `'x86_64'` or ARM (default: ARM_64)
+ * - `LOG_GROUP_NAME` — CloudWatch log group (default: `'/pipeline-builder/logs'`)
+ * - `LOG_RETENTION` — Log retention in days (default: `7`)
+ * - `LOG_REMOVAL_POLICY` — `'RETAIN'` or destroy (default: DESTROY)
+ * - `CODEBUILD_COMPUTE_TYPE` — CodeBuild compute type (default: `'SMALL'`)
+ *
+ * @returns AWS infrastructure configuration
+ */
+function loadAWSConfig() {
+    return {
+        lambda: {
+            runtime: parseRuntime(process.env.LAMBDA_RUNTIME || 'nodejs24.x'),
+            timeout: aws_cdk_lib_1.Duration.seconds(parseInt(process.env.LAMBDA_TIMEOUT || '900', 10)),
+            memorySize: parseInt(process.env.LAMBDA_MEMORY_SIZE || '512', 10),
+            architecture: process.env.LAMBDA_ARCHITECTURE === 'x86_64'
+                ? aws_lambda_1.Architecture.X86_64
+                : aws_lambda_1.Architecture.ARM_64,
+            reservedConcurrentExecutions: process.env.LAMBDA_RESERVED_CONCURRENCY
+                ? parseInt(process.env.LAMBDA_RESERVED_CONCURRENCY, 10)
+                : undefined,
+        },
+        logging: {
+            groupName: process.env.LOG_GROUP_NAME || '/pipeline-builder/logs',
+            retention: parseRetention(process.env.LOG_RETENTION || '7'),
+            removalPolicy: process.env.LOG_REMOVAL_POLICY === 'RETAIN'
+                ? aws_cdk_lib_1.RemovalPolicy.RETAIN
+                : aws_cdk_lib_1.RemovalPolicy.DESTROY,
+        },
+        codeBuild: {
+            computeType: (0, pipeline_helpers_1.getComputeType)(process.env.CODEBUILD_COMPUTE_TYPE || 'SMALL'),
+        },
+        resolvedSynthPlugin: process.env.RESOLVED_SYNTH_PLUGIN === 'true',
+    };
+}
+/**
+ * Parse Lambda runtime string into a CDK Runtime enum value.
+ *
+ * @param runtime - Runtime string (e.g. `'nodejs24.x'`)
+ * @returns CDK Runtime enum; falls back to NODEJS_24_X for unknown values
+ */
+function parseRuntime(runtime) {
+    const runtimeMap = {
+        'nodejs24.x': aws_lambda_1.Runtime.NODEJS_24_X,
+    };
+    return runtimeMap[runtime] || aws_lambda_1.Runtime.NODEJS_24_X;
+}
+/**
+ * Parse log retention days string into a CDK RetentionDays enum value.
+ * RetentionDays enum values are the numeric day counts themselves,
+ * so we parse the string and check if it's a valid enum member.
+ *
+ * @param days - Retention period in days as a string (e.g. `'30'`)
+ * @returns CDK RetentionDays enum; falls back to ONE_DAY for unknown values
+ */
+const VALID_RETENTION_DAYS = new Set(Object.values(aws_logs_1.RetentionDays).filter((v) => typeof v === 'number'));
+function parseRetention(days) {
+    const parsed = parseInt(days, 10);
+    return VALID_RETENTION_DAYS.has(parsed) ? parsed : aws_logs_1.RetentionDays.ONE_DAY;
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5mcmFzdHJ1Y3R1cmUtY29uZmlnLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vc3JjL2NvbmZpZy9pbmZyYXN0cnVjdHVyZS1jb25maWcudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IjtBQUFBLCtDQUErQztBQUMvQyxzQ0FBc0M7Ozs7O0FBZ0N0QyxnREFVQztBQUVELDBDQUtDO0FBUUQsc0RBV0M7QUFFRCxnREFlQztBQUVELDBEQVVDO0FBRUQsb0RBSUM7QUFhRCw0Q0FXQztBQWlCRCxzQ0E0QkM7QUExS0QsZ0RBQXdCO0FBQ3hCLDZDQUFzRDtBQUN0RCx1REFBK0Q7QUFDL0QsbURBQXFEO0FBRXJELCtEQUEwRDtBQUUxRCxTQUFTLG1CQUFtQixDQUFDLE1BQWMsRUFBRSxVQUFrQjtJQUM3RCxNQUFNLEtBQUssR0FBRyxPQUFPLENBQUMsR0FBRyxDQUFDLE1BQU0sQ0FBQyxDQUFDO0lBQ2xDLElBQUksS0FBSztRQUFFLE9BQU8sS0FBSyxDQUFDO0lBQ3hCLElBQUksT0FBTyxDQUFDLEdBQUcsQ0FBQyxRQUFRLEtBQUssWUFBWSxFQUFFLENBQUM7UUFDMUMsTUFBTSxJQUFJLEtBQUssQ0FBQyxHQUFHLE1BQU0sNEJBQTRCLENBQUMsQ0FBQztJQUN6RCxDQUFDO0lBQ0QsT0FBTyxVQUFVLENBQUM7QUFDcEIsQ0FBQztBQUVEOzs7Ozs7Ozs7Ozs7O0dBYUc7QUFDSCxTQUFnQixrQkFBa0I7SUFDaEMsT0FBTztRQUNMLElBQUksRUFBRSxPQUFPLENBQUMsR0FBRyxDQUFDLG1CQUFtQixJQUFJLFVBQVU7UUFDbkQsSUFBSSxFQUFFLFFBQVEsQ0FBQyxPQUFPLENBQUMsR0FBRyxDQUFDLG1CQUFtQixJQUFJLE1BQU0sRUFBRSxFQUFFLENBQUM7UUFDN0QsSUFBSSxFQUFFLG1CQUFtQixDQUFDLHFCQUFxQixFQUFFLE9BQU8sQ0FBQztRQUN6RCxLQUFLLEVBQUUsbUJBQW1CLENBQUMsc0JBQXNCLEVBQUUsVUFBVSxDQUFDO1FBQzlELE9BQU8sRUFBRSxPQUFPLENBQUMsR0FBRyxDQUFDLGNBQWMsSUFBSSxFQUFFO1FBQ3pDLElBQUksRUFBRSxPQUFPLENBQUMsR0FBRyxDQUFDLG9CQUFvQixLQUFLLE9BQU87UUFDbEQsUUFBUSxFQUFFLE9BQU8sQ0FBQyxHQUFHLENBQUMsd0JBQXdCLEtBQUssT0FBTztLQUMzRCxDQUFDO0FBQ0osQ0FBQztBQUVELFNBQWdCLGVBQWU7SUFDN0IsT0FBTztRQUNMLElBQUksRUFBRSxPQUFPLENBQUMsR0FBRyxDQUFDLFVBQVUsSUFBSSxXQUFXO1FBQzNDLElBQUksRUFBRSxRQUFRLENBQUMsT0FBTyxDQUFDLEdBQUcsQ0FBQyxVQUFVLElBQUksTUFBTSxFQUFFLEVBQUUsQ0FBQztLQUNyRCxDQUFDO0FBQ0osQ0FBQztBQUVEOzs7OztHQUtHO0FBQ0gsU0FBZ0IscUJBQXFCO0lBQ25DLE9BQU87UUFDTCxXQUFXLEVBQUUsUUFBUSxDQUFDLE9BQU8sQ0FBQyxHQUFHLENBQUMsd0JBQXdCLElBQUksR0FBRyxFQUFFLEVBQUUsQ0FBQztRQUN0RSxXQUFXLEVBQUUsUUFBUSxDQUFDLE9BQU8sQ0FBQyxHQUFHLENBQUMseUJBQXlCLElBQUksR0FBRyxFQUFFLEVBQUUsQ0FBQztRQUN2RSxjQUFjLEVBQUUsUUFBUSxDQUFDLE9BQU8sQ0FBQyxHQUFHLENBQUMsNkJBQTZCLElBQUksTUFBTSxFQUFFLEVBQUUsQ0FBQztRQUNqRixlQUFlLEVBQUUsUUFBUSxDQUFDLE9BQU8sQ0FBQyxHQUFHLENBQUMsOEJBQThCLElBQUksT0FBTyxFQUFFLEVBQUUsQ0FBQztRQUNwRixlQUFlLEVBQUUsUUFBUSxDQUFDLE9BQU8sQ0FBQyxHQUFHLENBQUMsbUJBQW1CLElBQUksVUFBVSxFQUFFLEVBQUUsQ0FBQztRQUM1RSxjQUFjLEVBQUUsUUFBUSxDQUFDLE9BQU8sQ0FBQyxHQUFHLENBQUMsdUJBQXVCLElBQUksR0FBRyxFQUFFLEVBQUUsQ0FBQztRQUN4RSxnQkFBZ0IsRUFBRSxRQUFRLENBQUMsT0FBTyxDQUFDLEdBQUcsQ0FBQywwQkFBMEIsSUFBSSxRQUFRLEVBQUUsRUFBRSxDQUFDO1FBQ2xGLFVBQVUsRUFBRSxRQUFRLENBQUMsT0FBTyxDQUFDLEdBQUcsQ0FBQyxtQkFBbUIsSUFBSSxJQUFJLEVBQUUsRUFBRSxDQUFDO0tBQ2xFLENBQUM7QUFDSixDQUFDO0FBRUQsU0FBZ0Isa0JBQWtCO0lBQ2hDLE9BQU87UUFDTCxRQUFRLEVBQUU7WUFDUixJQUFJLEVBQUUsT0FBTyxDQUFDLEdBQUcsQ0FBQyxPQUFPLElBQUksVUFBVTtZQUN2QyxJQUFJLEVBQUUsUUFBUSxDQUFDLE9BQU8sQ0FBQyxHQUFHLENBQUMsT0FBTyxJQUFJLE1BQU0sRUFBRSxFQUFFLENBQUM7WUFDakQsUUFBUSxFQUFFLE9BQU8sQ0FBQyxHQUFHLENBQUMsUUFBUSxJQUFJLGtCQUFrQjtZQUNwRCxJQUFJLEVBQUUsT0FBTyxDQUFDLEdBQUcsQ0FBQyxPQUFPLElBQUksVUFBVTtZQUN2QyxRQUFRLEVBQUUsT0FBTyxDQUFDLEdBQUcsQ0FBQyxXQUFXLElBQUksRUFBRTtTQUN4QztRQUNELE9BQU8sRUFBRTtZQUNQLFdBQVcsRUFBRSxRQUFRLENBQUMsT0FBTyxDQUFDLEdBQUcsQ0FBQyxxQkFBcUIsSUFBSSxJQUFJLEVBQUUsRUFBRSxDQUFDO1lBQ3BFLGlCQUFpQixFQUFFLFFBQVEsQ0FBQyxPQUFPLENBQUMsR0FBRyxDQUFDLDJCQUEyQixJQUFJLE9BQU8sRUFBRSxFQUFFLENBQUM7WUFDbkYsdUJBQXVCLEVBQUUsUUFBUSxDQUFDLE9BQU8sQ0FBQyxHQUFHLENBQUMsaUNBQWlDLElBQUksT0FBTyxFQUFFLEVBQUUsQ0FBQztTQUNoRztLQUNGLENBQUM7QUFDSixDQUFDO0FBRUQsU0FBZ0IsdUJBQXVCO0lBQ3JDLE9BQU87UUFDTCxRQUFRLEVBQUUsT0FBTyxDQUFDLEdBQUcsQ0FBQyxTQUFTLElBQUksTUFBTTtRQUN6QyxTQUFTLEVBQUUsT0FBTyxDQUFDLEdBQUcsQ0FBQyxVQUFVLElBQUksTUFBTTtRQUMzQyxXQUFXLEVBQUUsT0FBTyxDQUFDLEdBQUcsQ0FBQyxZQUFZLElBQUksS0FBSztRQUM5QyxPQUFPLEVBQUU7WUFDUCxPQUFPLEVBQUUsT0FBTyxDQUFDLEdBQUcsQ0FBQyxvQkFBb0IsS0FBSyxNQUFNO1lBQ3BELFFBQVEsRUFBRSxPQUFPLENBQUMsR0FBRyxDQUFDLDJCQUEyQixJQUFJLGlDQUFpQztTQUN2RjtLQUNGLENBQUM7QUFDSixDQUFDO0FBRUQsU0FBZ0Isb0JBQW9CO0lBQ2xDLE9BQU87UUFDTCx1QkFBdUIsRUFBRSxRQUFRLENBQUMsT0FBTyxDQUFDLEdBQUcsQ0FBQywwQkFBMEIsSUFBSSxPQUFPLEVBQUUsRUFBRSxDQUFDO0tBQ3pGLENBQUM7QUFDSixDQUFDO0FBRUQ7Ozs7Ozs7Ozs7R0FVRztBQUNILFNBQWdCLGdCQUFnQjtJQUM5QixNQUFNLGVBQWUsR0FBRyxJQUFJLEdBQUcsQ0FBQyxDQUFDLFFBQVEsRUFBRSxRQUFRLEVBQUUsUUFBUSxDQUFDLENBQUMsQ0FBQztJQUNoRSxNQUFNLFdBQVcsR0FBRyxDQUFDLE9BQU8sQ0FBQyxHQUFHLENBQUMscUJBQXFCLElBQUksRUFBRSxDQUFDLENBQUMsV0FBVyxFQUFFLENBQUM7SUFDNUUsT0FBTztRQUNMLFFBQVEsRUFBRSxlQUFlLENBQUMsR0FBRyxDQUFDLFdBQVcsQ0FBQyxDQUFDLENBQUMsQ0FBQyxXQUFzQyxDQUFDLENBQUMsQ0FBQyxRQUFRO1FBQzlGLFFBQVEsRUFBRSxPQUFPLENBQUMsR0FBRyxDQUFDLHNCQUFzQixJQUFJLGNBQUksQ0FBQyxJQUFJLENBQUMsT0FBTyxDQUFDLEdBQUcsRUFBRSxFQUFFLEtBQUssQ0FBQztRQUMvRSxTQUFTLEVBQUUsUUFBUSxDQUFDLE9BQU8sQ0FBQyxHQUFHLENBQUMsdUJBQXVCLElBQUksUUFBUSxFQUFFLEVBQUUsQ0FBQztRQUN4RSxhQUFhLEVBQUUsUUFBUSxDQUFDLE9BQU8sQ0FBQyxHQUFHLENBQUMsc0JBQXNCLElBQUksUUFBUSxFQUFFLEVBQUUsQ0FBQztRQUMzRSxjQUFjLEVBQUUsT0FBTyxDQUFDLEdBQUcsQ0FBQyxvQkFBb0IsSUFBSSxrQkFBa0I7UUFDdEUsY0FBYyxFQUFFLE9BQU8sQ0FBQyxHQUFHLENBQUMsZ0JBQWdCLElBQUksZUFBZTtLQUNoRSxDQUFDO0FBQ0osQ0FBQztBQUVEOzs7Ozs7Ozs7Ozs7OztHQWNHO0FBQ0gsU0FBZ0IsYUFBYTtJQUMzQixPQUFPO1FBQ0wsTUFBTSxFQUFFO1lBQ04sT0FBTyxFQUFFLFlBQVksQ0FBQyxPQUFPLENBQUMsR0FBRyxDQUFDLGNBQWMsSUFBSSxZQUFZLENBQUM7WUFDakUsT0FBTyxFQUFFLHNCQUFRLENBQUMsT0FBTyxDQUFDLFFBQVEsQ0FBQyxPQUFPLENBQUMsR0FBRyxDQUFDLGNBQWMsSUFBSSxLQUFLLEVBQUUsRUFBRSxDQUFDLENBQUM7WUFDNUUsVUFBVSxFQUFFLFFBQVEsQ0FBQyxPQUFPLENBQUMsR0FBRyxDQUFDLGtCQUFrQixJQUFJLEtBQUssRUFBRSxFQUFFLENBQUM7WUFDakUsWUFBWSxFQUFFLE9BQU8sQ0FBQyxHQUFHLENBQUMsbUJBQW1CLEtBQUssUUFBUTtnQkFDeEQsQ0FBQyxDQUFDLHlCQUFZLENBQUMsTUFBTTtnQkFDckIsQ0FBQyxDQUFDLHlCQUFZLENBQUMsTUFBTTtZQUN2Qiw0QkFBNEIsRUFBRSxPQUFPLENBQUMsR0FBRyxDQUFDLDJCQUEyQjtnQkFDbkUsQ0FBQyxDQUFDLFFBQVEsQ0FBQyxPQUFPLENBQUMsR0FBRyxDQUFDLDJCQUEyQixFQUFFLEVBQUUsQ0FBQztnQkFDdkQsQ0FBQyxDQUFDLFNBQVM7U0FDZDtRQUVELE9BQU8sRUFBRTtZQUNQLFNBQVMsRUFBRSxPQUFPLENBQUMsR0FBRyxDQUFDLGNBQWMsSUFBSSx3QkFBd0I7WUFDakUsU0FBUyxFQUFFLGNBQWMsQ0FBQyxPQUFPLENBQUMsR0FBRyxDQUFDLGFBQWEsSUFBSSxHQUFHLENBQUM7WUFDM0QsYUFBYSxFQUFFLE9BQU8sQ0FBQyxHQUFHLENBQUMsa0JBQWtCLEtBQUssUUFBUTtnQkFDeEQsQ0FBQyxDQUFDLDJCQUFhLENBQUMsTUFBTTtnQkFDdEIsQ0FBQyxDQUFDLDJCQUFhLENBQUMsT0FBTztTQUMxQjtRQUVELFNBQVMsRUFBRTtZQUNULFdBQVcsRUFBRSxJQUFBLGlDQUFjLEVBQUMsT0FBTyxDQUFDLEdBQUcsQ0FBQyxzQkFBc0IsSUFBSSxPQUFPLENBQUM7U0FDM0U7UUFFRCxtQkFBbUIsRUFBRSxPQUFPLENBQUMsR0FBRyxDQUFDLHFCQUFxQixLQUFLLE1BQU07S0FDbEUsQ0FBQztBQUNKLENBQUM7QUFFRDs7Ozs7R0FLRztBQUNILFNBQVMsWUFBWSxDQUFDLE9BQWU7SUFDbkMsTUFBTSxVQUFVLEdBQTRCO1FBQzFDLFlBQVksRUFBRSxvQkFBTyxDQUFDLFdBQVc7S0FDbEMsQ0FBQztJQUNGLE9BQU8sVUFBVSxDQUFDLE9BQU8sQ0FBQyxJQUFJLG9CQUFPLENBQUMsV0FBVyxDQUFDO0FBQ3BELENBQUM7QUFFRDs7Ozs7OztHQU9HO0FBQ0gsTUFBTSxvQkFBb0IsR0FBRyxJQUFJLEdBQUcsQ0FBQyxNQUFNLENBQUMsTUFBTSxDQUFDLHdCQUFhLENBQUMsQ0FBQyxNQUFNLENBQUMsQ0FBQyxDQUFDLEVBQWUsRUFBRSxDQUFDLE9BQU8sQ0FBQyxLQUFLLFFBQVEsQ0FBQyxDQUFDLENBQUM7QUFFckgsU0FBUyxjQUFjLENBQUMsSUFBWTtJQUNsQyxNQUFNLE1BQU0sR0FBRyxRQUFRLENBQUMsSUFBSSxFQUFFLEVBQUUsQ0FBQyxDQUFDO0lBQ2xDLE9BQU8sb0JBQW9CLENBQUMsR0FBRyxDQUFDLE1BQU0sQ0FBQyxDQUFDLENBQUMsQ0FBQyxNQUF1QixDQUFDLENBQUMsQ0FBQyx3QkFBYSxDQUFDLE9BQU8sQ0FBQztBQUM1RixDQUFDIiwic291cmNlc0NvbnRlbnQiOlsiLy8gQ29weXJpZ2h0IDIwMjYgUGlwZWxpbmUgQnVpbGRlciBDb250cmlidXRvcnNcbi8vIFNQRFgtTGljZW5zZS1JZGVudGlmaWVyOiBBcGFjaGUtMi4wXG5cbmltcG9ydCBwYXRoIGZyb20gJ3BhdGgnO1xuaW1wb3J0IHsgRHVyYXRpb24sIFJlbW92YWxQb2xpY3kgfSBmcm9tICdhd3MtY2RrLWxpYic7XG5pbXBvcnQgeyBBcmNoaXRlY3R1cmUsIFJ1bnRpbWUgfSBmcm9tICdhd3MtY2RrLWxpYi9hd3MtbGFtYmRhJztcbmltcG9ydCB7IFJldGVudGlvbkRheXMgfSBmcm9tICdhd3MtY2RrLWxpYi9hd3MtbG9ncyc7XG5pbXBvcnQgdHlwZSB7IEFXU0NvbmZpZywgQnVpbGRDb25maWcsIENvbXBsaWFuY2VDb25maWcsIERhdGFiYXNlQ29uZmlnLCBPYnNlcnZhYmlsaXR5Q29uZmlnLCBQbHVnaW5CdWlsZENvbmZpZywgUmVkaXNDb25maWcsIFJlZ2lzdHJ5Q29uZmlnIH0gZnJvbSAnLi9jb25maWctdHlwZXMnO1xuaW1wb3J0IHsgZ2V0Q29tcHV0ZVR5cGUgfSBmcm9tICcuLi9jb3JlL3BpcGVsaW5lLWhlbHBlcnMnO1xuXG5mdW5jdGlvbiByZXF1aXJlSW5Qcm9kdWN0aW9uKGVudlZhcjogc3RyaW5nLCBkZXZEZWZhdWx0OiBzdHJpbmcpOiBzdHJpbmcge1xuICBjb25zdCB2YWx1ZSA9IHByb2Nlc3MuZW52W2VudlZhcl07XG4gIGlmICh2YWx1ZSkgcmV0dXJuIHZhbHVlO1xuICBpZiAocHJvY2Vzcy5lbnYuTk9ERV9FTlYgPT09ICdwcm9kdWN0aW9uJykge1xuICAgIHRocm93IG5ldyBFcnJvcihgJHtlbnZWYXJ9IGlzIHJlcXVpcmVkIGluIHByb2R1Y3Rpb25gKTtcbiAgfVxuICByZXR1cm4gZGV2RGVmYXVsdDtcbn1cblxuLyoqXG4gKiBMb2FkIERvY2tlciByZWdpc3RyeSBjb25maWd1cmF0aW9uIGZyb20gZW52aXJvbm1lbnQgdmFyaWFibGVzLlxuICpcbiAqIEVudmlyb25tZW50IHZhcmlhYmxlczpcbiAqIC0gYElNQUdFX1JFR0lTVFJZX0hPU1RgIOKAlCBSZWdpc3RyeSBob3N0bmFtZSAoZGVmYXVsdDogYCdyZWdpc3RyeSdgKVxuICogLSBgSU1BR0VfUkVHSVNUUllfUE9SVGAg4oCUIFJlZ2lzdHJ5IHBvcnQgKGRlZmF1bHQ6IGA1MDAwYClcbiAqIC0gYElNQUdFX1JFR0lTVFJZX1VTRVJgIOKAlCBSZWdpc3RyeSB1c2VybmFtZSAoZGVmYXVsdDogYCdhZG1pbidgKVxuICogLSBgSU1BR0VfUkVHSVNUUllfVE9LRU5gIOKAlCBSZWdpc3RyeSBhdXRoIHRva2VuIChkZWZhdWx0OiBgJ3Bhc3N3b3JkJ2ApXG4gKiAtIGBET0NLRVJfTkVUV09SS2Ag4oCUIERvY2tlciBuZXR3b3JrIGZvciBidWlsZC9wdXNoIChkZWZhdWx0OiBgJydgKVxuICogLSBgRE9DS0VSX1JFR0lTVFJZX0hUVFBgIOKAlCBVc2UgcGxhaW4gSFRUUCAoZGVmYXVsdDogYHRydWVgKS4gU2V0IGBmYWxzZWAgZm9yIEhUVFBTLlxuICogLSBgRE9DS0VSX1JFR0lTVFJZX0lOU0VDVVJFYCDigJQgU2tpcCBUTFMgdmVyaWZpY2F0aW9uIChkZWZhdWx0OiBgdHJ1ZWApLiBTZXQgYGZhbHNlYCBmb3IgcHJvZHVjdGlvbi5cbiAqXG4gKiBAcmV0dXJucyBSZWdpc3RyeSBjb25maWd1cmF0aW9uXG4gKi9cbmV4cG9ydCBmdW5jdGlvbiBsb2FkUmVnaXN0cnlDb25maWcoKTogUmVnaXN0cnlDb25maWcge1xuICByZXR1cm4ge1xuICAgIGhvc3Q6IHByb2Nlc3MuZW52LklNQUdFX1JFR0lTVFJZX0hPU1QgfHwgJ3JlZ2lzdHJ5JyxcbiAgICBwb3J0OiBwYXJzZUludChwcm9jZXNzLmVudi5JTUFHRV9SRUdJU1RSWV9QT1JUIHx8ICc1MDAwJywgMTApLFxuICAgIHVzZXI6IHJlcXVpcmVJblByb2R1Y3Rpb24oJ0lNQUdFX1JFR0lTVFJZX1VTRVInLCAnYWRtaW4nKSxcbiAgICB0b2tlbjogcmVxdWlyZUluUHJvZHVjdGlvbignSU1BR0VfUkVHSVNUUllfVE9LRU4nLCAncGFzc3dvcmQnKSxcbiAgICBuZXR3b3JrOiBwcm9jZXNzLmVudi5ET0NLRVJfTkVUV09SSyB8fCAnJyxcbiAgICBodHRwOiBwcm9jZXNzLmVudi5ET0NLRVJfUkVHSVNUUllfSFRUUCAhPT0gJ2ZhbHNlJyxcbiAgICBpbnNlY3VyZTogcHJvY2Vzcy5lbnYuRE9DS0VSX1JFR0lTVFJZX0lOU0VDVVJFICE9PSAnZmFsc2UnLFxuICB9O1xufVxuXG5leHBvcnQgZnVuY3Rpb24gbG9hZFJlZGlzQ29uZmlnKCk6IFJlZGlzQ29uZmlnIHtcbiAgcmV0dXJuIHtcbiAgICBob3N0OiBwcm9jZXNzLmVudi5SRURJU19IT1NUIHx8ICdsb2NhbGhvc3QnLFxuICAgIHBvcnQ6IHBhcnNlSW50KHByb2Nlc3MuZW52LlJFRElTX1BPUlQgfHwgJzYzNzknLCAxMCksXG4gIH07XG59XG5cbi8qKlxuICogTG9hZCBwbHVnaW4gYnVpbGQgcXVldWUgY29uZmlndXJhdGlvbi5cbiAqXG4gKiBFbnZpcm9ubWVudCB2YXJpYWJsZXM6XG4gKiAtIGBQTFVHSU5fQlVJTERfQ09OQ1VSUkVOQ1lgIOKAlCBNYXggY29uY3VycmVudCBwbHVnaW4gYnVpbGRzIChkZWZhdWx0OiBgMWApXG4gKi9cbmV4cG9ydCBmdW5jdGlvbiBsb2FkUGx1Z2luQnVpbGRDb25maWcoKTogUGx1Z2luQnVpbGRDb25maWcge1xuICByZXR1cm4ge1xuICAgIGNvbmN1cnJlbmN5OiBwYXJzZUludChwcm9jZXNzLmVudi5QTFVHSU5fQlVJTERfQ09OQ1VSUkVOQ1kgfHwgJzEnLCAxMCksXG4gICAgbWF4QXR0ZW1wdHM6IHBhcnNlSW50KHByb2Nlc3MuZW52LlBMVUdJTl9CVUlMRF9NQVhfQVRURU1QVFMgfHwgJzInLCAxMCksXG4gICAgYmFja29mZkRlbGF5TXM6IHBhcnNlSW50KHByb2Nlc3MuZW52LlBMVUdJTl9CVUlMRF9CQUNLT0ZGX0RFTEFZX01TIHx8ICc1MDAwJywgMTApLFxuICAgIHdvcmtlclRpbWVvdXRNczogcGFyc2VJbnQocHJvY2Vzcy5lbnYuUExVR0lOX0JVSUxEX1dPUktFUl9USU1FT1VUX01TIHx8ICcxMDAwMCcsIDEwKSxcbiAgICB0ZW1wRGlyTWF4QWdlTXM6IHBhcnNlSW50KHByb2Nlc3MuZW52LlRFTVBfRElSX01BWF9BR0VfTVMgfHwgJzE0NDAwMDAwJywgMTApLFxuICAgIGRscU1heEF0dGVtcHRzOiBwYXJzZUludChwcm9jZXNzLmVudi5QTFVHSU5fRExRX01BWF9BVFRFTVBUUyB8fCAnMycsIDEwKSxcbiAgICBkbHFCYWNrb2ZmQmFzZU1zOiBwYXJzZUludChwcm9jZXNzLmVudi5QTFVHSU5fRExRX0JBQ0tPRkZfQkFTRV9NUyB8fCAnMzAwMDAwJywgMTApLFxuICAgIGRscU1heFNpemU6IHBhcnNlSW50KHByb2Nlc3MuZW52LlBMVUdJTl9ETFFfTUFYX1NJWkUgfHwgJzIwJywgMTApLFxuICB9O1xufVxuXG5leHBvcnQgZnVuY3Rpb24gbG9hZERhdGFiYXNlQ29uZmlnKCk6IERhdGFiYXNlQ29uZmlnIHtcbiAgcmV0dXJuIHtcbiAgICBwb3N0Z3Jlczoge1xuICAgICAgaG9zdDogcHJvY2Vzcy5lbnYuREJfSE9TVCB8fCAncG9zdGdyZXMnLFxuICAgICAgcG9ydDogcGFyc2VJbnQocHJvY2Vzcy5lbnYuREJfUE9SVCB8fCAnNTQzMicsIDEwKSxcbiAgICAgIGRhdGFiYXNlOiBwcm9jZXNzLmVudi5EQVRBQkFTRSB8fCAncGlwZWxpbmVfYnVpbGRlcicsXG4gICAgICB1c2VyOiBwcm9jZXNzLmVudi5EQl9VU0VSIHx8ICdwb3N0Z3JlcycsXG4gICAgICBwYXNzd29yZDogcHJvY2Vzcy5lbnYuREJfUEFTU1dPUkQgfHwgJycsXG4gICAgfSxcbiAgICBkcml6emxlOiB7XG4gICAgICBtYXhQb29sU2l6ZTogcGFyc2VJbnQocHJvY2Vzcy5lbnYuRFJJWlpMRV9NQVhfUE9PTF9TSVpFIHx8ICcyMCcsIDEwKSxcbiAgICAgIGlkbGVUaW1lb3V0TWlsbGlzOiBwYXJzZUludChwcm9jZXNzLmVudi5EUklaWkxFX0lETEVfVElNRU9VVF9NSUxMSVMgfHwgJzMwMDAwJywgMTApLFxuICAgICAgY29ubmVjdGlvblRpbWVvdXRNaWxsaXM6IHBhcnNlSW50KHByb2Nlc3MuZW52LkRSSVpaTEVfQ09OTkVDVElPTl9USU1FT1VUX01JTExJUyB8fCAnMTAwMDAnLCAxMCksXG4gICAgfSxcbiAgfTtcbn1cblxuZXhwb3J0IGZ1bmN0aW9uIGxvYWRPYnNlcnZhYmlsaXR5Q29uZmlnKCk6IE9ic2VydmFiaWxpdHlDb25maWcge1xuICByZXR1cm4ge1xuICAgIGxvZ0xldmVsOiBwcm9jZXNzLmVudi5MT0dfTEVWRUwgfHwgJ2luZm8nLFxuICAgIGxvZ0Zvcm1hdDogcHJvY2Vzcy5lbnYuTE9HX0ZPUk1BVCB8fCAnanNvbicsXG4gICAgc2VydmljZU5hbWU6IHByb2Nlc3MuZW52LlNFUlZJQ0VfTkFNRSB8fCAnYXBpJyxcbiAgICB0cmFjaW5nOiB7XG4gICAgICBlbmFibGVkOiBwcm9jZXNzLmVudi5PVEVMX1RSQUNJTkdfRU5BQkxFRCA9PT0gJ3RydWUnLFxuICAgICAgZW5kcG9pbnQ6IHByb2Nlc3MuZW52Lk9URUxfRVhQT1JURVJfT1RMUF9FTkRQT0lOVCB8fCAnaHR0cDovL2xvY2FsaG9zdDo0MzE4L3YxL3RyYWNlcycsXG4gICAgfSxcbiAgfTtcbn1cblxuZXhwb3J0IGZ1bmN0aW9uIGxvYWRDb21wbGlhbmNlQ29uZmlnKCk6IENvbXBsaWFuY2VDb25maWcge1xuICByZXR1cm4ge1xuICAgIHNjYW5TY2hlZHVsZXJJbnRlcnZhbE1zOiBwYXJzZUludChwcm9jZXNzLmVudi5TQ0FOX1NDSEVEVUxFUl9JTlRFUlZBTF9NUyB8fCAnNjAwMDAnLCAxMCksXG4gIH07XG59XG5cbi8qKlxuICogTG9hZCBEb2NrZXIvUG9kbWFuL0thbmlrbyBidWlsZCBjb25maWd1cmF0aW9uLlxuICpcbiAqIEVudmlyb25tZW50IHZhcmlhYmxlczpcbiAqIC0gYERPQ0tFUl9CVUlMRF9TVFJBVEVHWWAg4oCUIEJ1aWxkIHN0cmF0ZWd5OiBgcG9kbWFuYCwgYGRvY2tlcmAsIG9yIGBrYW5pa29gIChkZWZhdWx0OiBgcG9kbWFuYClcbiAqIC0gYERPQ0tFUl9CVUlMRF9URU1QX1JPT1RgIOKAlCBUZW1wIGRpcmVjdG9yeSBmb3IgYnVpbGQgY29udGV4dHMgKGRlZmF1bHQ6IGA8Y3dkPi90bXBgKVxuICogLSBgRE9DS0VSX0JVSUxEX1RJTUVPVVRfTVNgIOKAlCBCdWlsZCB0aW1lb3V0IGluIG1pbGxpc2Vjb25kcyAoZGVmYXVsdDogYDkwMDAwMGAgLyAxNSBtaW4pXG4gKiAtIGBET0NLRVJfUFVTSF9USU1FT1VUX01TYCDigJQgUHVzaCB0aW1lb3V0IGluIG1pbGxpc2Vjb25kcyAoZGVmYXVsdDogYDMwMDAwMGAgLyA1IG1pbilcbiAqIC0gYEtBTklLT19FWEVDVVRPUl9QQVRIYCDigJQgUGF0aCB0byBLYW5pa28gZXhlY3V0b3IgYmluYXJ5IChkZWZhdWx0OiBgL2thbmlrby9leGVjdXRvcmApXG4gKiAtIGBLQU5JS09fQ0FDSEVfRElSYCDigJQgS2FuaWtvIGxheWVyIGNhY2hlIGRpcmVjdG9yeSAoZGVmYXVsdDogYC9rYW5pa28vY2FjaGVgKVxuICovXG5leHBvcnQgZnVuY3Rpb24gbG9hZERvY2tlckNvbmZpZygpOiBCdWlsZENvbmZpZyB7XG4gIGNvbnN0IHZhbGlkU3RyYXRlZ2llcyA9IG5ldyBTZXQoWydkb2NrZXInLCAna2FuaWtvJywgJ3BvZG1hbiddKTtcbiAgY29uc3Qgc3RyYXRlZ3lFbnYgPSAocHJvY2Vzcy5lbnYuRE9DS0VSX0JVSUxEX1NUUkFURUdZIHx8ICcnKS50b0xvd2VyQ2FzZSgpO1xuICByZXR1cm4ge1xuICAgIHN0cmF0ZWd5OiB2YWxpZFN0cmF0ZWdpZXMuaGFzKHN0cmF0ZWd5RW52KSA/IHN0cmF0ZWd5RW52IGFzIEJ1aWxkQ29uZmlnWydzdHJhdGVneSddIDogJ2RvY2tlcicsXG4gICAgdGVtcFJvb3Q6IHByb2Nlc3MuZW52LkRPQ0tFUl9CVUlMRF9URU1QX1JPT1QgfHwgcGF0aC5qb2luKHByb2Nlc3MuY3dkKCksICd0bXAnKSxcbiAgICB0aW1lb3V0TXM6IHBhcnNlSW50KHByb2Nlc3MuZW52LkRPQ0tFUl9CVUlMRF9USU1FT1VUX01TIHx8ICc5MDAwMDAnLCAxMCksXG4gICAgcHVzaFRpbWVvdXRNczogcGFyc2VJbnQocHJvY2Vzcy5lbnYuRE9DS0VSX1BVU0hfVElNRU9VVF9NUyB8fCAnMzAwMDAwJywgMTApLFxuICAgIGthbmlrb0V4ZWN1dG9yOiBwcm9jZXNzLmVudi5LQU5JS09fRVhFQ1VUT1JfUEFUSCB8fCAnL2thbmlrby9leGVjdXRvcicsXG4gICAga2FuaWtvQ2FjaGVEaXI6IHByb2Nlc3MuZW52LktBTklLT19DQUNIRV9ESVIgfHwgJy9rYW5pa28vY2FjaGUnLFxuICB9O1xufVxuXG4vKipcbiAqIExvYWQgQVdTIGluZnJhc3RydWN0dXJlIGNvbmZpZ3VyYXRpb24gZnJvbSBlbnZpcm9ubWVudCB2YXJpYWJsZXMuXG4gKlxuICogRW52aXJvbm1lbnQgdmFyaWFibGVzOlxuICogLSBgTEFNQkRBX1JVTlRJTUVgIOKAlCBMYW1iZGEgcnVudGltZSAoZGVmYXVsdDogYCdub2RlanMyNC54J2A7IHN1cHBvcnRzIG5vZGVqczIyLngsIG5vZGVqczI0LngpXG4gKiAtIGBMQU1CREFfVElNRU9VVGAg4oCUIExhbWJkYSB0aW1lb3V0IGluIHNlY29uZHMgKGRlZmF1bHQ6IGA5MDBgKVxuICogLSBgTEFNQkRBX01FTU9SWV9TSVpFYCDigJQgTGFtYmRhIG1lbW9yeSBpbiBNQiAoZGVmYXVsdDogYDEyOGApXG4gKiAtIGBMQU1CREFfQVJDSElURUNUVVJFYCDigJQgYCd4ODZfNjQnYCBvciBBUk0gKGRlZmF1bHQ6IEFSTV82NClcbiAqIC0gYExPR19HUk9VUF9OQU1FYCDigJQgQ2xvdWRXYXRjaCBsb2cgZ3JvdXAgKGRlZmF1bHQ6IGAnL3BpcGVsaW5lLWJ1aWxkZXIvbG9ncydgKVxuICogLSBgTE9HX1JFVEVOVElPTmAg4oCUIExvZyByZXRlbnRpb24gaW4gZGF5cyAoZGVmYXVsdDogYDdgKVxuICogLSBgTE9HX1JFTU9WQUxfUE9MSUNZYCDigJQgYCdSRVRBSU4nYCBvciBkZXN0cm95IChkZWZhdWx0OiBERVNUUk9ZKVxuICogLSBgQ09ERUJVSUxEX0NPTVBVVEVfVFlQRWAg4oCUIENvZGVCdWlsZCBjb21wdXRlIHR5cGUgKGRlZmF1bHQ6IGAnU01BTEwnYClcbiAqXG4gKiBAcmV0dXJucyBBV1MgaW5mcmFzdHJ1Y3R1cmUgY29uZmlndXJhdGlvblxuICovXG5leHBvcnQgZnVuY3Rpb24gbG9hZEFXU0NvbmZpZygpOiBBV1NDb25maWcge1xuICByZXR1cm4ge1xuICAgIGxhbWJkYToge1xuICAgICAgcnVudGltZTogcGFyc2VSdW50aW1lKHByb2Nlc3MuZW52LkxBTUJEQV9SVU5USU1FIHx8ICdub2RlanMyNC54JyksXG4gICAgICB0aW1lb3V0OiBEdXJhdGlvbi5zZWNvbmRzKHBhcnNlSW50KHByb2Nlc3MuZW52LkxBTUJEQV9USU1FT1VUIHx8ICc5MDAnLCAxMCkpLFxuICAgICAgbWVtb3J5U2l6ZTogcGFyc2VJbnQocHJvY2Vzcy5lbnYuTEFNQkRBX01FTU9SWV9TSVpFIHx8ICc1MTInLCAxMCksXG4gICAgICBhcmNoaXRlY3R1cmU6IHByb2Nlc3MuZW52LkxBTUJEQV9BUkNISVRFQ1RVUkUgPT09ICd4ODZfNjQnXG4gICAgICAgID8gQXJjaGl0ZWN0dXJlLlg4Nl82NFxuICAgICAgICA6IEFyY2hpdGVjdHVyZS5BUk1fNjQsXG4gICAgICByZXNlcnZlZENvbmN1cnJlbnRFeGVjdXRpb25zOiBwcm9jZXNzLmVudi5MQU1CREFfUkVTRVJWRURfQ09OQ1VSUkVOQ1lcbiAgICAgICAgPyBwYXJzZUludChwcm9jZXNzLmVudi5MQU1CREFfUkVTRVJWRURfQ09OQ1VSUkVOQ1ksIDEwKVxuICAgICAgICA6IHVuZGVmaW5lZCxcbiAgICB9LFxuXG4gICAgbG9nZ2luZzoge1xuICAgICAgZ3JvdXBOYW1lOiBwcm9jZXNzLmVudi5MT0dfR1JPVVBfTkFNRSB8fCAnL3BpcGVsaW5lLWJ1aWxkZXIvbG9ncycsXG4gICAgICByZXRlbnRpb246IHBhcnNlUmV0ZW50aW9uKHByb2Nlc3MuZW52LkxPR19SRVRFTlRJT04gfHwgJzcnKSxcbiAgICAgIHJlbW92YWxQb2xpY3k6IHByb2Nlc3MuZW52LkxPR19SRU1PVkFMX1BPTElDWSA9PT0gJ1JFVEFJTidcbiAgICAgICAgPyBSZW1vdmFsUG9saWN5LlJFVEFJTlxuICAgICAgICA6IFJlbW92YWxQb2xpY3kuREVTVFJPWSxcbiAgICB9LFxuXG4gICAgY29kZUJ1aWxkOiB7XG4gICAgICBjb21wdXRlVHlwZTogZ2V0Q29tcHV0ZVR5cGUocHJvY2Vzcy5lbnYuQ09ERUJVSUxEX0NPTVBVVEVfVFlQRSB8fCAnU01BTEwnKSxcbiAgICB9LFxuXG4gICAgcmVzb2x2ZWRTeW50aFBsdWdpbjogcHJvY2Vzcy5lbnYuUkVTT0xWRURfU1lOVEhfUExVR0lOID09PSAndHJ1ZScsXG4gIH07XG59XG5cbi8qKlxuICogUGFyc2UgTGFtYmRhIHJ1bnRpbWUgc3RyaW5nIGludG8gYSBDREsgUnVudGltZSBlbnVtIHZhbHVlLlxuICpcbiAqIEBwYXJhbSBydW50aW1lIC0gUnVudGltZSBzdHJpbmcgKGUuZy4gYCdub2RlanMyNC54J2ApXG4gKiBAcmV0dXJucyBDREsgUnVudGltZSBlbnVtOyBmYWxscyBiYWNrIHRvIE5PREVKU18yNF9YIGZvciB1bmtub3duIHZhbHVlc1xuICovXG5mdW5jdGlvbiBwYXJzZVJ1bnRpbWUocnVudGltZTogc3RyaW5nKTogUnVudGltZSB7XG4gIGNvbnN0IHJ1bnRpbWVNYXA6IFJlY29yZDxzdHJpbmcsIFJ1bnRpbWU+ID0ge1xuICAgICdub2RlanMyNC54JzogUnVudGltZS5OT0RFSlNfMjRfWCxcbiAgfTtcbiAgcmV0dXJuIHJ1bnRpbWVNYXBbcnVudGltZV0gfHwgUnVudGltZS5OT0RFSlNfMjRfWDtcbn1cblxuLyoqXG4gKiBQYXJzZSBsb2cgcmV0ZW50aW9uIGRheXMgc3RyaW5nIGludG8gYSBDREsgUmV0ZW50aW9uRGF5cyBlbnVtIHZhbHVlLlxuICogUmV0ZW50aW9uRGF5cyBlbnVtIHZhbHVlcyBhcmUgdGhlIG51bWVyaWMgZGF5IGNvdW50cyB0aGVtc2VsdmVzLFxuICogc28gd2UgcGFyc2UgdGhlIHN0cmluZyBhbmQgY2hlY2sgaWYgaXQncyBhIHZhbGlkIGVudW0gbWVtYmVyLlxuICpcbiAqIEBwYXJhbSBkYXlzIC0gUmV0ZW50aW9uIHBlcmlvZCBpbiBkYXlzIGFzIGEgc3RyaW5nIChlLmcuIGAnMzAnYClcbiAqIEByZXR1cm5zIENESyBSZXRlbnRpb25EYXlzIGVudW07IGZhbGxzIGJhY2sgdG8gT05FX0RBWSBmb3IgdW5rbm93biB2YWx1ZXNcbiAqL1xuY29uc3QgVkFMSURfUkVURU5USU9OX0RBWVMgPSBuZXcgU2V0KE9iamVjdC52YWx1ZXMoUmV0ZW50aW9uRGF5cykuZmlsdGVyKCh2KTogdiBpcyBudW1iZXIgPT4gdHlwZW9mIHYgPT09ICdudW1iZXInKSk7XG5cbmZ1bmN0aW9uIHBhcnNlUmV0ZW50aW9uKGRheXM6IHN0cmluZyk6IFJldGVudGlvbkRheXMge1xuICBjb25zdCBwYXJzZWQgPSBwYXJzZUludChkYXlzLCAxMCk7XG4gIHJldHVybiBWQUxJRF9SRVRFTlRJT05fREFZUy5oYXMocGFyc2VkKSA/IHBhcnNlZCBhcyBSZXRlbnRpb25EYXlzIDogUmV0ZW50aW9uRGF5cy5PTkVfREFZO1xufVxuIl19

package/lib/config/server-config.d.ts

@@ -0,0 +1,53 @@
+import type { ServerConfig, AuthConfig, RateLimitConfig } from './config-types';
+/**
+ * Load server configuration from environment variables.
+ *
+ * Environment variables:
+ * - `PORT` — HTTP listen port (default: `3000`)
+ * - `CORS_ORIGIN` — Comma-separated allowed origins (default: `PLATFORM_BASE_URL`)
+ * - `CORS_CREDENTIALS` — Allow credentials; set to `'false'` to disable (default: `true`)
+ * - `TRUST_PROXY` — Express trust proxy hops (default: `1`)
+ * - `PLATFORM_BASE_URL` — Frontend URL used as CORS fallback (default: `'https://localhost:8443'`)
+ *
+ * @returns Server configuration with port, CORS, trust proxy, and platform URL
+ */
+export declare function loadServerConfig(): ServerConfig;
+/**
+ * Load authentication configuration from environment variables.
+ *
+ * Environment variables:
+ * - `JWT_SECRET` — **Required.** Secret key for signing JWTs
+ * - `REFRESH_TOKEN_SECRET` — **Required.** Secret key for signing refresh tokens
+ * - `JWT_EXPIRES_IN` — JWT lifetime in seconds (default: `7200` = 2 hours)
+ * - `JWT_ALGORITHM` — JWT signing algorithm (default: `'HS256'`)
+ * - `JWT_SALT_ROUNDS` — bcrypt salt rounds for password hashing (default: `12`)
+ * - `REFRESH_TOKEN_EXPIRES_IN` — Refresh token lifetime in seconds (default: `2592000` = 30 days)
+ *
+ * @returns Authentication configuration with safe defaults (empty strings when env vars are unset).
+ * Call {@link validateAuthConfig} at server startup to enforce required secrets.
+ */
+export declare function loadAuthConfig(): AuthConfig;
+/**
+ * Load rate limiting configuration from environment variables.
+ *
+ * Environment variables:
+ * - `LIMITER_MAX` — Max requests per window (default: `100`)
+ * - `LIMITER_WINDOWMS` — Rate limit window in ms (default: `900000` = 15 minutes)
+ *
+ * @returns Rate limit configuration
+ */
+export declare function loadRateLimitConfig(): RateLimitConfig;
+/**
+ * Validate server configuration and log warnings for insecure settings.
+ *
+ * @param config - Server configuration to validate
+ */
+export declare function validateServerConfig(config: ServerConfig): void;
+/**
+ * Validate authentication configuration (JWT secrets, algorithms, expiration).
+ * Call this at server startup, not during CDK synthesis.
+ *
+ * @param config - Auth configuration to validate
+ * @throws {Error} If secrets are insecure, too short (<32 chars), or use disallowed algorithms
+ */
+export declare function validateAuthConfig(config: AuthConfig): void;