@stacksjs/ts-cloud 0.1.2 → 0.1.5

package/src/generators/infrastructure.ts

@@ -1,1660 +0,0 @@
-/**
- * Infrastructure Generator
- * Generates CloudFormation templates from cloud.config.ts using all Phase 2 modules
- */
-
-import type { CloudConfig } from '@stacksjs/ts-cloud-types'
-import {
-  Storage,
-  CDN,
-  DNS,
-  Security,
-  Compute,
-  Network,
-  FileSystem,
-  Email,
-  Queue,
-  AI,
-  Database,
-  Cache,
-  Permissions,
-  ApiGateway,
-  Messaging,
-  Workflow,
-  Monitoring,
-  Auth,
-  Deployment,
-  TemplateBuilder,
-} from '@stacksjs/ts-cloud-core'
-
-export interface GenerationOptions {
-  config: CloudConfig
-  environment: 'production' | 'staging' | 'development'
-  modules?: string[]
-}
-
-export class InfrastructureGenerator {
-  private builder: TemplateBuilder
-  private config: CloudConfig
-  private environment: 'production' | 'staging' | 'development'
-  private mergedConfig: CloudConfig
-
-  constructor(options: GenerationOptions) {
-    this.config = options.config
-    this.environment = options.environment
-    this.builder = new TemplateBuilder(
-      `${this.config.project.name} - ${this.environment}`,
-    )
-
-    // Merge environment-specific infrastructure overrides
-    this.mergedConfig = this.mergeEnvironmentConfig()
-  }
-
-  /**
-   * Merge base config with environment-specific overrides
-   */
-  private mergeEnvironmentConfig(): CloudConfig {
-    const envConfig = this.config.environments[this.environment]
-    const envInfra = envConfig?.infrastructure
-
-    if (!envInfra) {
-      return this.config
-    }
-
-    return {
-      ...this.config,
-      infrastructure: {
-        ...this.config.infrastructure,
-        ...envInfra,
-        // Deep merge for nested objects
-        storage: { ...this.config.infrastructure?.storage, ...envInfra.storage },
-        functions: { ...this.config.infrastructure?.functions, ...envInfra.functions },
-        servers: { ...this.config.infrastructure?.servers, ...envInfra.servers },
-        databases: { ...this.config.infrastructure?.databases, ...envInfra.databases },
-        cdn: { ...this.config.infrastructure?.cdn, ...envInfra.cdn },
-        queues: { ...this.config.infrastructure?.queues, ...envInfra.queues },
-        realtime: { ...this.config.infrastructure?.realtime, ...envInfra.realtime },
-      },
-    }
-  }
-
-  /**
-   * Check if a resource should be deployed based on conditions
-   */
-  private shouldDeploy(resource: any): boolean {
-    // Check environment conditions
-    if (resource.environments && !resource.environments.includes(this.environment)) {
-      return false
-    }
-
-    // Check feature flag requirements
-    if (resource.requiresFeatures) {
-      const features = this.config.features || {}
-      const hasRequiredFeatures = resource.requiresFeatures.every(
-        (feature: string) => features[feature] === true
-      )
-      if (!hasRequiredFeatures) {
-        return false
-      }
-    }
-
-    // Check region conditions
-    if (resource.regions) {
-      const currentRegion = this.config.environments[this.environment]?.region || this.config.project.region
-      if (!resource.regions.includes(currentRegion)) {
-        return false
-      }
-    }
-
-    // Check custom condition function
-    if (resource.condition && typeof resource.condition === 'function') {
-      return resource.condition(this.config, this.environment)
-    }
-
-    return true
-  }
-
-  /**
-   * Generate complete infrastructure
-   * Auto-detects what to generate based on configuration
-   */
-  generate(): this {
-    const slug = this.mergedConfig.project.slug
-    const env = this.environment
-
-    // Auto-detect and generate based on what's configured (using merged config)
-    // If functions or API are defined, generate serverless resources
-    const hasServerlessConfig = !!(
-      this.mergedConfig.infrastructure?.functions
-      || this.mergedConfig.infrastructure?.api
-    )
-
-    // If servers are defined, generate server resources
-    const hasServerConfig = !!(
-      this.mergedConfig.infrastructure?.servers
-    )
-
-    if (hasServerlessConfig) {
-      this.generateServerless(slug, env)
-    }
-
-    if (hasServerConfig) {
-      this.generateServer(slug, env)
-    }
-
-    // Always generate shared infrastructure (storage, CDN, databases, etc.)
-    this.generateSharedInfrastructure(slug, env)
-
-    // Apply global tags if specified
-    if (this.config.tags) {
-      this.applyGlobalTags(this.config.tags)
-    }
-
-    return this
-  }
-
-  /**
-   * Apply global tags to all resources
-   */
-  private applyGlobalTags(tags: Record<string, string>): void {
-    // This would iterate through all resources in the builder and add tags
-    // Implementation depends on TemplateBuilder structure
-  }
-
-  /**
-   * Generate serverless infrastructure (Lambda, ECS Fargate)
-   */
-  private generateServerless(slug: string, env: typeof this.environment): void {
-    // Example: Lambda function
-    if (this.mergedConfig.infrastructure?.functions) {
-      for (const [name, fnConfig] of Object.entries(this.mergedConfig.infrastructure.functions)) {
-        // Check if this function should be deployed
-        if (!this.shouldDeploy(fnConfig)) {
-          continue
-        }
-        // Create Lambda execution role
-        const { role, logicalId: roleLogicalId } = Permissions.createRole({
-          slug,
-          environment: env,
-          roleName: `${slug}-${env}-${name}-role`,
-          servicePrincipal: 'lambda.amazonaws.com',
-          managedPolicyArns: [
-            'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole',
-          ],
-        })
-
-        this.builder.addResource(roleLogicalId, role)
-
-        const { lambdaFunction, logicalId } = Compute.createLambdaFunction({
-          slug,
-          environment: env,
-          functionName: `${slug}-${env}-${name}`,
-          handler: fnConfig.handler || 'index.handler',
-          runtime: fnConfig.runtime || 'nodejs20.x',
-          code: {
-            zipFile: fnConfig.code || 'export const handler = async () => ({ statusCode: 200 });',
-          },
-          role: roleLogicalId,
-          timeout: fnConfig.timeout,
-          memorySize: fnConfig.memorySize,
-        })
-
-        this.builder.addResource(logicalId, lambdaFunction)
-      }
-    }
-
-    // Example: API Gateway
-    if (this.config.infrastructure?.api) {
-      const { restApi, logicalId } = ApiGateway.createRestApi({
-        slug,
-        environment: env,
-        apiName: `${slug}-${env}-api`,
-      })
-
-      this.builder.addResource(logicalId, restApi)
-    }
-  }
-
-  /**
-   * Generate server infrastructure (EC2)
-   */
-  private generateServer(slug: string, env: typeof this.environment): void {
-    // Example: EC2 instance
-    if (this.config.infrastructure?.servers) {
-      for (const [name, serverConfig] of Object.entries(this.config.infrastructure.servers)) {
-        const { instance, logicalId } = Compute.createServer({
-          slug,
-          environment: env,
-          instanceType: serverConfig.size || 't3.micro',
-          imageId: serverConfig.image || 'ami-0c55b159cbfafe1f0',
-          userData: serverConfig.startupScript,
-        })
-
-        this.builder.addResource(logicalId, instance)
-      }
-    }
-  }
-
-  /**
-   * Generate shared infrastructure (storage, database, etc.)
-   */
-  private generateSharedInfrastructure(slug: string, env: typeof this.environment): void {
-    // Storage buckets
-    if (this.config.infrastructure?.storage) {
-      for (const [name, storageConfig] of Object.entries(this.config.infrastructure.storage)) {
-        const { bucket, logicalId } = Storage.createBucket({
-          slug,
-          environment: env,
-          bucketName: `${slug}-${env}-${name}`,
-          versioning: storageConfig.versioning,
-          encryption: storageConfig.encryption,
-        })
-
-        this.builder.addResource(logicalId, bucket)
-
-        // Enable website hosting if configured
-        if (storageConfig.website) {
-          const websiteConfig = typeof storageConfig.website === 'object' ? storageConfig.website : {}
-          const enhanced = Storage.enableWebsiteHosting(
-            bucket,
-            websiteConfig.indexDocument || 'index.html',
-            websiteConfig.errorDocument,
-          )
-          this.builder.addResource(logicalId, enhanced)
-        }
-      }
-    }
-
-    // Databases
-    if (this.config.infrastructure?.databases) {
-      for (const [name, dbConfig] of Object.entries(this.config.infrastructure.databases)) {
-        if (dbConfig.engine === 'dynamodb') {
-          const { table, logicalId } = Database.createTable({
-            slug,
-            environment: env,
-            tableName: `${slug}-${env}-${name}`,
-            partitionKey: (dbConfig.partitionKey || { name: 'id', type: 'S' }) as { name: string; type: 'S' | 'N' | 'B' },
-            sortKey: dbConfig.sortKey as any,
-          })
-
-          this.builder.addResource(logicalId, table)
-        }
-        else if (dbConfig.engine === 'postgres') {
-          const { dbInstance, logicalId } = Database.createPostgres({
-            slug,
-            environment: env,
-            dbInstanceIdentifier: `${slug}-${env}-${name}`,
-            masterUsername: dbConfig.username || 'admin',
-            masterUserPassword: dbConfig.password || 'changeme123',
-            allocatedStorage: dbConfig.storage || 20,
-            dbInstanceClass: dbConfig.instanceClass || 'db.t3.micro',
-          })
-
-          this.builder.addResource(logicalId, dbInstance)
-        }
-        else if (dbConfig.engine === 'mysql') {
-          const { dbInstance, logicalId } = Database.createMysql({
-            slug,
-            environment: env,
-            dbInstanceIdentifier: `${slug}-${env}-${name}`,
-            masterUsername: dbConfig.username || 'admin',
-            masterUserPassword: dbConfig.password || 'changeme123',
-            allocatedStorage: dbConfig.storage || 20,
-            dbInstanceClass: dbConfig.instanceClass || 'db.t3.micro',
-          })
-
-          this.builder.addResource(logicalId, dbInstance)
-        }
-      }
-    }
-
-    // CDN
-    if (this.config.infrastructure?.cdn) {
-      for (const [name, cdnConfig] of Object.entries(this.config.infrastructure.cdn)) {
-        const { distribution, logicalId } = CDN.createDistribution({
-          slug,
-          environment: env,
-          origin: {
-            domainName: cdnConfig.origin,
-            originId: `${slug}-origin`,
-          },
-        })
-
-        this.builder.addResource(logicalId, distribution)
-      }
-    }
-
-    // Queues (SQS)
-    if (this.mergedConfig.infrastructure?.queues) {
-      for (const [name, queueConfig] of Object.entries(this.mergedConfig.infrastructure.queues)) {
-        // Check if this queue should be deployed
-        if (!this.shouldDeploy(queueConfig)) {
-          continue
-        }
-
-        // Create the main queue
-        const { queue, logicalId } = Queue.createQueue({
-          slug,
-          environment: env,
-          name: `${slug}-${env}-${name}`,
-          fifo: queueConfig.fifo,
-          visibilityTimeout: queueConfig.visibilityTimeout,
-          messageRetentionPeriod: queueConfig.messageRetentionPeriod,
-          delaySeconds: queueConfig.delaySeconds,
-          maxMessageSize: queueConfig.maxMessageSize,
-          receiveMessageWaitTime: queueConfig.receiveMessageWaitTime,
-          contentBasedDeduplication: queueConfig.contentBasedDeduplication,
-          encrypted: queueConfig.encrypted,
-          kmsKeyId: queueConfig.kmsKeyId,
-        })
-
-        this.builder.addResource(logicalId, queue)
-
-        // Create dead letter queue if enabled
-        let dlqLogicalId: string | undefined
-        if (queueConfig.deadLetterQueue) {
-          const {
-            deadLetterQueue,
-            updatedSourceQueue,
-            deadLetterLogicalId,
-          } = Queue.createDeadLetterQueue(logicalId, {
-            slug,
-            environment: env,
-            maxReceiveCount: queueConfig.maxReceiveCount,
-          })
-
-          dlqLogicalId = deadLetterLogicalId
-          this.builder.addResource(deadLetterLogicalId, deadLetterQueue)
-
-          // Update the main queue with redrive policy
-          const resources = this.builder.getResources()
-          const existingQueue = resources[logicalId]
-          if (existingQueue?.Properties) {
-            existingQueue.Properties.RedrivePolicy = updatedSourceQueue.Properties?.RedrivePolicy
-          }
-        }
-
-        // Lambda trigger (Event Source Mapping)
-        if (queueConfig.trigger) {
-          const triggerConfig = queueConfig.trigger
-          const functionLogicalId = `${slug}${env}${triggerConfig.functionName}`.replace(/[^a-zA-Z0-9]/g, '')
-
-          const eventSourceMapping = {
-            Type: 'AWS::Lambda::EventSourceMapping',
-            Properties: {
-              EventSourceArn: { 'Fn::GetAtt': [logicalId, 'Arn'] },
-              FunctionName: { Ref: functionLogicalId },
-              BatchSize: triggerConfig.batchSize || 10,
-              MaximumBatchingWindowInSeconds: triggerConfig.batchWindow || 0,
-              Enabled: true,
-              ...(triggerConfig.reportBatchItemFailures !== false && {
-                FunctionResponseTypes: ['ReportBatchItemFailures'],
-              }),
-              ...(triggerConfig.maxConcurrency && {
-                ScalingConfig: {
-                  MaximumConcurrency: triggerConfig.maxConcurrency,
-                },
-              }),
-              ...(triggerConfig.filterPattern && {
-                FilterCriteria: {
-                  Filters: [{ Pattern: JSON.stringify(triggerConfig.filterPattern) }],
-                },
-              }),
-            },
-            DependsOn: [logicalId, functionLogicalId],
-          }
-
-          this.builder.addResource(`${logicalId}Trigger`, eventSourceMapping as any)
-        }
-
-        // CloudWatch Alarms
-        if (queueConfig.alarms?.enabled) {
-          const alarmsConfig = queueConfig.alarms
-
-          // Create SNS topic for notifications if emails are provided
-          let alarmTopicArn = alarmsConfig.notificationTopicArn
-          if (!alarmTopicArn && alarmsConfig.notificationEmails?.length) {
-            const topicLogicalId = `${logicalId}AlarmTopic`
-            this.builder.addResource(topicLogicalId, {
-              Type: 'AWS::SNS::Topic',
-              Properties: {
-                TopicName: `${slug}-${env}-${name}-alarms`,
-                DisplayName: `${name} Queue Alarms`,
-              },
-            } as any)
-
-            // Add email subscriptions
-            alarmsConfig.notificationEmails.forEach((email, idx) => {
-              this.builder.addResource(`${topicLogicalId}Sub${idx}`, {
-                Type: 'AWS::SNS::Subscription',
-                Properties: {
-                  TopicArn: { Ref: topicLogicalId },
-                  Protocol: 'email',
-                  Endpoint: email,
-                },
-              } as any)
-            })
-
-            alarmTopicArn = { Ref: topicLogicalId } as any
-          }
-
-          // Queue depth alarm
-          const depthThreshold = alarmsConfig.queueDepthThreshold || 1000
-          this.builder.addResource(`${logicalId}DepthAlarm`, {
-            Type: 'AWS::CloudWatch::Alarm',
-            Properties: {
-              AlarmName: `${slug}-${env}-${name}-queue-depth`,
-              AlarmDescription: `Queue ${name} depth exceeds ${depthThreshold} messages`,
-              MetricName: 'ApproximateNumberOfMessagesVisible',
-              Namespace: 'AWS/SQS',
-              Statistic: 'Average',
-              Period: 300,
-              EvaluationPeriods: 2,
-              Threshold: depthThreshold,
-              ComparisonOperator: 'GreaterThanThreshold',
-              Dimensions: [{ Name: 'QueueName', Value: { 'Fn::GetAtt': [logicalId, 'QueueName'] } }],
-              ...(alarmTopicArn && { AlarmActions: [alarmTopicArn], OKActions: [alarmTopicArn] }),
-            },
-          } as any)
-
-          // Message age alarm
-          const ageThreshold = alarmsConfig.messageAgeThreshold || 3600
-          this.builder.addResource(`${logicalId}AgeAlarm`, {
-            Type: 'AWS::CloudWatch::Alarm',
-            Properties: {
-              AlarmName: `${slug}-${env}-${name}-message-age`,
-              AlarmDescription: `Queue ${name} oldest message exceeds ${ageThreshold} seconds`,
-              MetricName: 'ApproximateAgeOfOldestMessage',
-              Namespace: 'AWS/SQS',
-              Statistic: 'Maximum',
-              Period: 300,
-              EvaluationPeriods: 2,
-              Threshold: ageThreshold,
-              ComparisonOperator: 'GreaterThanThreshold',
-              Dimensions: [{ Name: 'QueueName', Value: { 'Fn::GetAtt': [logicalId, 'QueueName'] } }],
-              ...(alarmTopicArn && { AlarmActions: [alarmTopicArn], OKActions: [alarmTopicArn] }),
-            },
-          } as any)
-
-          // DLQ alarm (if DLQ is enabled)
-          if (dlqLogicalId && alarmsConfig.dlqAlarm !== false) {
-            this.builder.addResource(`${dlqLogicalId}Alarm`, {
-              Type: 'AWS::CloudWatch::Alarm',
-              Properties: {
-                AlarmName: `${slug}-${env}-${name}-dlq-messages`,
-                AlarmDescription: `Dead letter queue for ${name} has messages`,
-                MetricName: 'ApproximateNumberOfMessagesVisible',
-                Namespace: 'AWS/SQS',
-                Statistic: 'Sum',
-                Period: 300,
-                EvaluationPeriods: 1,
-                Threshold: 0,
-                ComparisonOperator: 'GreaterThanThreshold',
-                Dimensions: [{ Name: 'QueueName', Value: { 'Fn::GetAtt': [dlqLogicalId, 'QueueName'] } }],
-                ...(alarmTopicArn && { AlarmActions: [alarmTopicArn] }),
-              },
-            } as any)
-          }
-        }
-
-        // SNS Subscription
-        if (queueConfig.subscribe) {
-          const subConfig = queueConfig.subscribe
-
-          // Determine topic ARN
-          let topicArn = subConfig.topicArn
-          if (!topicArn && subConfig.topicName) {
-            // Reference existing topic in the stack
-            topicArn = { Ref: subConfig.topicName } as any
-          }
-
-          if (topicArn) {
-            // Queue policy to allow SNS to send messages
-            this.builder.addResource(`${logicalId}SnsPolicy`, {
-              Type: 'AWS::SQS::QueuePolicy',
-              Properties: {
-                Queues: [{ Ref: logicalId }],
-                PolicyDocument: {
-                  Version: '2012-10-17',
-                  Statement: [{
-                    Effect: 'Allow',
-                    Principal: { Service: 'sns.amazonaws.com' },
-                    Action: 'sqs:SendMessage',
-                    Resource: { 'Fn::GetAtt': [logicalId, 'Arn'] },
-                    Condition: {
-                      ArnEquals: { 'aws:SourceArn': topicArn },
-                    },
-                  }],
-                },
-              },
-            } as any)
-
-            // SNS Subscription
-            const subscriptionProps: Record<string, any> = {
-              TopicArn: topicArn,
-              Protocol: 'sqs',
-              Endpoint: { 'Fn::GetAtt': [logicalId, 'Arn'] },
-              RawMessageDelivery: subConfig.rawMessageDelivery || false,
-            }
-
-            if (subConfig.filterPolicy) {
-              subscriptionProps.FilterPolicy = subConfig.filterPolicy
-              subscriptionProps.FilterPolicyScope = subConfig.filterPolicyScope || 'MessageAttributes'
-            }
-
-            this.builder.addResource(`${logicalId}SnsSub`, {
-              Type: 'AWS::SNS::Subscription',
-              Properties: subscriptionProps,
-              DependsOn: `${logicalId}SnsPolicy`,
-            } as any)
-          }
-        }
-      }
-    }
-
-    // Realtime (WebSocket)
-    if (this.mergedConfig.infrastructure?.realtime?.enabled) {
-      const realtimeMode = this.mergedConfig.infrastructure.realtime.mode || 'serverless'
-      if (realtimeMode === 'server') {
-        this.generateRealtimeServerResources(slug, env)
-      }
-      else {
-        this.generateRealtimeResources(slug, env)
-      }
-    }
-
-    // Monitoring
-    if (this.config.infrastructure?.monitoring?.alarms) {
-      for (const [name, alarmConfig] of Object.entries(this.config.infrastructure.monitoring.alarms)) {
-        const { alarm, logicalId } = Monitoring.createAlarm({
-          slug,
-          environment: env,
-          alarmName: `${slug}-${env}-${name}`,
-          metricName: alarmConfig.metricName || 'Errors',
-          namespace: alarmConfig.namespace || 'AWS/Lambda',
-          threshold: alarmConfig.threshold || 1,
-          comparisonOperator: (alarmConfig.comparisonOperator || 'GreaterThanThreshold') as 'GreaterThanThreshold',
-        })
-
-        this.builder.addResource(logicalId, alarm)
-      }
-    }
-  }
-
-  /**
-   * Generate Realtime (WebSocket) infrastructure
-   * Creates API Gateway WebSocket API, Lambda handlers, DynamoDB tables
-   */
-  private generateRealtimeResources(slug: string, env: typeof this.environment): void {
-    const config = this.mergedConfig.infrastructure?.realtime
-    if (!config) return
-
-    const apiName = config.name || `${slug}-${env}-realtime`
-    const scalingConfig = config.scaling || {}
-    const storageConfig = config.storage || { type: 'dynamodb' }
-    const handlerMemory = scalingConfig.handlerMemory || 256
-    const handlerTimeout = scalingConfig.handlerTimeout || 30
-
-    // ========================================
-    // DynamoDB Tables for Connection Management
-    // ========================================
-    const connectionsTableId = `${slug}${env}RealtimeConnections`.replace(/[^a-zA-Z0-9]/g, '')
-    const channelsTableId = `${slug}${env}RealtimeChannels`.replace(/[^a-zA-Z0-9]/g, '')
-
-    if (storageConfig.type === 'dynamodb') {
-      const dynamoConfig = storageConfig.dynamodb || {}
-      const billingMode = dynamoConfig.billingMode || 'PAY_PER_REQUEST'
-
-      // Connections table - stores active WebSocket connections
-      this.builder.addResource(connectionsTableId, {
-        Type: 'AWS::DynamoDB::Table',
-        Properties: {
-          TableName: `${slug}-${env}-realtime-connections`,
-          BillingMode: billingMode,
-          AttributeDefinitions: [
-            { AttributeName: 'connectionId', AttributeType: 'S' },
-            { AttributeName: 'userId', AttributeType: 'S' },
-          ],
-          KeySchema: [
-            { AttributeName: 'connectionId', KeyType: 'HASH' },
-          ],
-          GlobalSecondaryIndexes: [
-            {
-              IndexName: 'userId-index',
-              KeySchema: [
-                { AttributeName: 'userId', KeyType: 'HASH' },
-              ],
-              Projection: { ProjectionType: 'ALL' },
-              ...(billingMode === 'PROVISIONED' && {
-                ProvisionedThroughput: {
-                  ReadCapacityUnits: dynamoConfig.readCapacity || 5,
-                  WriteCapacityUnits: dynamoConfig.writeCapacity || 5,
-                },
-              }),
-            },
-          ],
-          TimeToLiveSpecification: {
-            AttributeName: 'ttl',
-            Enabled: true,
-          },
-          ...(billingMode === 'PROVISIONED' && {
-            ProvisionedThroughput: {
-              ReadCapacityUnits: dynamoConfig.readCapacity || 5,
-              WriteCapacityUnits: dynamoConfig.writeCapacity || 5,
-            },
-          }),
-          ...(dynamoConfig.pointInTimeRecovery && {
-            PointInTimeRecoverySpecification: { PointInTimeRecoveryEnabled: true },
-          }),
-          Tags: [
-            { Key: 'Name', Value: `${slug}-${env}-realtime-connections` },
-            { Key: 'Environment', Value: env },
-          ],
-        },
-      } as any)
-
-      // Channels table - stores channel subscriptions
-      this.builder.addResource(channelsTableId, {
-        Type: 'AWS::DynamoDB::Table',
-        Properties: {
-          TableName: `${slug}-${env}-realtime-channels`,
-          BillingMode: billingMode,
-          AttributeDefinitions: [
-            { AttributeName: 'channel', AttributeType: 'S' },
-            { AttributeName: 'connectionId', AttributeType: 'S' },
-          ],
-          KeySchema: [
-            { AttributeName: 'channel', KeyType: 'HASH' },
-            { AttributeName: 'connectionId', KeyType: 'RANGE' },
-          ],
-          GlobalSecondaryIndexes: [
-            {
-              IndexName: 'connectionId-index',
-              KeySchema: [
-                { AttributeName: 'connectionId', KeyType: 'HASH' },
-              ],
-              Projection: { ProjectionType: 'ALL' },
-              ...(billingMode === 'PROVISIONED' && {
-                ProvisionedThroughput: {
-                  ReadCapacityUnits: dynamoConfig.readCapacity || 5,
-                  WriteCapacityUnits: dynamoConfig.writeCapacity || 5,
-                },
-              }),
-            },
-          ],
-          TimeToLiveSpecification: {
-            AttributeName: 'ttl',
-            Enabled: true,
-          },
-          ...(billingMode === 'PROVISIONED' && {
-            ProvisionedThroughput: {
-              ReadCapacityUnits: dynamoConfig.readCapacity || 5,
-              WriteCapacityUnits: dynamoConfig.writeCapacity || 5,
-            },
-          }),
-          Tags: [
-            { Key: 'Name', Value: `${slug}-${env}-realtime-channels` },
-            { Key: 'Environment', Value: env },
-          ],
-        },
-      } as any)
-    }
-
-    // ========================================
-    // IAM Role for WebSocket Handlers
-    // ========================================
-    const roleId = `${slug}${env}RealtimeRole`.replace(/[^a-zA-Z0-9]/g, '')
-
-    this.builder.addResource(roleId, {
-      Type: 'AWS::IAM::Role',
-      Properties: {
-        RoleName: `${slug}-${env}-realtime-handler-role`,
-        AssumeRolePolicyDocument: {
-          Version: '2012-10-17',
-          Statement: [{
-            Effect: 'Allow',
-            Principal: { Service: 'lambda.amazonaws.com' },
-            Action: 'sts:AssumeRole',
-          }],
-        },
-        ManagedPolicyArns: [
-          'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole',
-        ],
-        Policies: [{
-          PolicyName: 'RealtimeHandlerPolicy',
-          PolicyDocument: {
-            Version: '2012-10-17',
-            Statement: [
-              {
-                Effect: 'Allow',
-                Action: [
-                  'dynamodb:GetItem',
-                  'dynamodb:PutItem',
-                  'dynamodb:DeleteItem',
-                  'dynamodb:Query',
-                  'dynamodb:Scan',
-                  'dynamodb:UpdateItem',
-                ],
-                Resource: [
-                  { 'Fn::GetAtt': [connectionsTableId, 'Arn'] },
-                  { 'Fn::Sub': `\${${connectionsTableId}.Arn}/index/*` },
-                  { 'Fn::GetAtt': [channelsTableId, 'Arn'] },
-                  { 'Fn::Sub': `\${${channelsTableId}.Arn}/index/*` },
-                ],
-              },
-              {
-                Effect: 'Allow',
-                Action: 'execute-api:ManageConnections',
-                Resource: { 'Fn::Sub': 'arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:*/*' },
-              },
-            ],
-          },
-        }],
-      },
-    } as any)
-
-    // ========================================
-    // Lambda Handlers for WebSocket Routes
-    // ========================================
-    const connectHandlerId = `${slug}${env}RealtimeConnect`.replace(/[^a-zA-Z0-9]/g, '')
-    const disconnectHandlerId = `${slug}${env}RealtimeDisconnect`.replace(/[^a-zA-Z0-9]/g, '')
-    const messageHandlerId = `${slug}${env}RealtimeMessage`.replace(/[^a-zA-Z0-9]/g, '')
-
-    // $connect handler
-    this.builder.addResource(connectHandlerId, {
-      Type: 'AWS::Lambda::Function',
-      Properties: {
-        FunctionName: `${slug}-${env}-realtime-connect`,
-        Runtime: 'nodejs20.x',
-        Handler: 'index.handler',
-        Role: { 'Fn::GetAtt': [roleId, 'Arn'] },
-        MemorySize: handlerMemory,
-        Timeout: handlerTimeout,
-        Environment: {
-          Variables: {
-            CONNECTIONS_TABLE: { Ref: connectionsTableId },
-            CHANNELS_TABLE: { Ref: channelsTableId },
-            ENVIRONMENT: env,
-          },
-        },
-        Code: {
-          ZipFile: this.generateConnectHandlerCode(),
-        },
-      },
-      DependsOn: [roleId, connectionsTableId],
-    } as any)
-
-    // $disconnect handler
-    this.builder.addResource(disconnectHandlerId, {
-      Type: 'AWS::Lambda::Function',
-      Properties: {
-        FunctionName: `${slug}-${env}-realtime-disconnect`,
-        Runtime: 'nodejs20.x',
-        Handler: 'index.handler',
-        Role: { 'Fn::GetAtt': [roleId, 'Arn'] },
-        MemorySize: handlerMemory,
-        Timeout: handlerTimeout,
-        Environment: {
-          Variables: {
-            CONNECTIONS_TABLE: { Ref: connectionsTableId },
-            CHANNELS_TABLE: { Ref: channelsTableId },
-            ENVIRONMENT: env,
-          },
-        },
-        Code: {
-          ZipFile: this.generateDisconnectHandlerCode(),
-        },
-      },
-      DependsOn: [roleId, connectionsTableId, channelsTableId],
-    } as any)
-
-    // $default (message) handler
-    this.builder.addResource(messageHandlerId, {
-      Type: 'AWS::Lambda::Function',
-      Properties: {
-        FunctionName: `${slug}-${env}-realtime-message`,
-        Runtime: 'nodejs20.x',
-        Handler: 'index.handler',
-        Role: { 'Fn::GetAtt': [roleId, 'Arn'] },
-        MemorySize: handlerMemory,
-        Timeout: handlerTimeout,
-        Environment: {
-          Variables: {
-            CONNECTIONS_TABLE: { Ref: connectionsTableId },
-            CHANNELS_TABLE: { Ref: channelsTableId },
-            ENVIRONMENT: env,
-          },
-        },
-        Code: {
-          ZipFile: this.generateMessageHandlerCode(),
-        },
-      },
-      DependsOn: [roleId, connectionsTableId, channelsTableId],
-    } as any)
-
-    // ========================================
-    // API Gateway WebSocket API
-    // ========================================
-    const apiId = `${slug}${env}RealtimeApi`.replace(/[^a-zA-Z0-9]/g, '')
-
-    this.builder.addResource(apiId, {
-      Type: 'AWS::ApiGatewayV2::Api',
-      Properties: {
-        Name: apiName,
-        ProtocolType: 'WEBSOCKET',
-        RouteSelectionExpression: '$request.body.action',
-        Tags: {
-          Name: apiName,
-          Environment: env,
-        },
-      },
-    } as any)
-
-    // Lambda permissions for API Gateway
-    const connectPermId = `${connectHandlerId}Permission`
-    const disconnectPermId = `${disconnectHandlerId}Permission`
-    const messagePermId = `${messageHandlerId}Permission`
-
-    this.builder.addResource(connectPermId, {
-      Type: 'AWS::Lambda::Permission',
-      Properties: {
-        FunctionName: { Ref: connectHandlerId },
-        Action: 'lambda:InvokeFunction',
-        Principal: 'apigateway.amazonaws.com',
-        SourceArn: { 'Fn::Sub': `arn:aws:execute-api:\${AWS::Region}:\${AWS::AccountId}:\${${apiId}}/*/$connect` },
-      },
-    } as any)
-
-    this.builder.addResource(disconnectPermId, {
-      Type: 'AWS::Lambda::Permission',
-      Properties: {
-        FunctionName: { Ref: disconnectHandlerId },
-        Action: 'lambda:InvokeFunction',
-        Principal: 'apigateway.amazonaws.com',
-        SourceArn: { 'Fn::Sub': `arn:aws:execute-api:\${AWS::Region}:\${AWS::AccountId}:\${${apiId}}/*/$disconnect` },
-      },
-    } as any)
-
-    this.builder.addResource(messagePermId, {
-      Type: 'AWS::Lambda::Permission',
-      Properties: {
-        FunctionName: { Ref: messageHandlerId },
-        Action: 'lambda:InvokeFunction',
-        Principal: 'apigateway.amazonaws.com',
-        SourceArn: { 'Fn::Sub': `arn:aws:execute-api:\${AWS::Region}:\${AWS::AccountId}:\${${apiId}}/*/$default` },
-      },
-    } as any)
-
-    // Integrations
-    const connectIntegId = `${apiId}ConnectInteg`
-    const disconnectIntegId = `${apiId}DisconnectInteg`
-    const messageIntegId = `${apiId}MessageInteg`
-
-    this.builder.addResource(connectIntegId, {
-      Type: 'AWS::ApiGatewayV2::Integration',
-      Properties: {
-        ApiId: { Ref: apiId },
-        IntegrationType: 'AWS_PROXY',
-        IntegrationUri: { 'Fn::Sub': `arn:aws:apigateway:\${AWS::Region}:lambda:path/2015-03-31/functions/\${${connectHandlerId}.Arn}/invocations` },
-      },
-    } as any)
-
-    this.builder.addResource(disconnectIntegId, {
-      Type: 'AWS::ApiGatewayV2::Integration',
-      Properties: {
-        ApiId: { Ref: apiId },
-        IntegrationType: 'AWS_PROXY',
-        IntegrationUri: { 'Fn::Sub': `arn:aws:apigateway:\${AWS::Region}:lambda:path/2015-03-31/functions/\${${disconnectHandlerId}.Arn}/invocations` },
-      },
-    } as any)
-
-    this.builder.addResource(messageIntegId, {
-      Type: 'AWS::ApiGatewayV2::Integration',
-      Properties: {
-        ApiId: { Ref: apiId },
-        IntegrationType: 'AWS_PROXY',
-        IntegrationUri: { 'Fn::Sub': `arn:aws:apigateway:\${AWS::Region}:lambda:path/2015-03-31/functions/\${${messageHandlerId}.Arn}/invocations` },
-      },
-    } as any)
-
-    // Routes
-    this.builder.addResource(`${apiId}ConnectRoute`, {
-      Type: 'AWS::ApiGatewayV2::Route',
-      Properties: {
-        ApiId: { Ref: apiId },
-        RouteKey: '$connect',
-        AuthorizationType: 'NONE',
-        Target: { 'Fn::Sub': `integrations/\${${connectIntegId}}` },
-      },
-    } as any)
-
-    this.builder.addResource(`${apiId}DisconnectRoute`, {
-      Type: 'AWS::ApiGatewayV2::Route',
-      Properties: {
-        ApiId: { Ref: apiId },
-        RouteKey: '$disconnect',
-        Target: { 'Fn::Sub': `integrations/\${${disconnectIntegId}}` },
-      },
-    } as any)
-
-    this.builder.addResource(`${apiId}DefaultRoute`, {
-      Type: 'AWS::ApiGatewayV2::Route',
-      Properties: {
-        ApiId: { Ref: apiId },
-        RouteKey: '$default',
-        Target: { 'Fn::Sub': `integrations/\${${messageIntegId}}` },
-      },
-    } as any)
-
-    // Stage
-    const stageId = `${apiId}Stage`
-    this.builder.addResource(stageId, {
-      Type: 'AWS::ApiGatewayV2::Stage',
-      Properties: {
-        ApiId: { Ref: apiId },
-        StageName: env,
-        AutoDeploy: true,
-        DefaultRouteSettings: {
-          ThrottlingBurstLimit: scalingConfig.messagesPerSecond || 1000,
-          ThrottlingRateLimit: scalingConfig.messagesPerSecond || 1000,
-        },
-      },
-    } as any)
-
-    // ========================================
-    // CloudWatch Alarms (if monitoring enabled)
-    // ========================================
-    if (config.monitoring?.enabled) {
-      const monitoringConfig = config.monitoring
-      let alarmTopicArn = monitoringConfig.notificationTopicArn
-
-      // Create SNS topic if emails provided
-      if (!alarmTopicArn && monitoringConfig.notificationEmails?.length) {
-        const topicId = `${apiId}AlarmTopic`
-        this.builder.addResource(topicId, {
-          Type: 'AWS::SNS::Topic',
-          Properties: {
-            TopicName: `${slug}-${env}-realtime-alarms`,
-            DisplayName: 'Realtime WebSocket Alarms',
-          },
-        } as any)
-
-        monitoringConfig.notificationEmails.forEach((email, idx) => {
-          this.builder.addResource(`${topicId}Sub${idx}`, {
-            Type: 'AWS::SNS::Subscription',
-            Properties: {
-              TopicArn: { Ref: topicId },
-              Protocol: 'email',
-              Endpoint: email,
-            },
-          } as any)
-        })
-
-        alarmTopicArn = { Ref: topicId } as any
-      }
-
-      // Connection count alarm
-      if (monitoringConfig.connectionThreshold) {
-        this.builder.addResource(`${apiId}ConnectionAlarm`, {
-          Type: 'AWS::CloudWatch::Alarm',
-          Properties: {
-            AlarmName: `${slug}-${env}-realtime-connections`,
-            AlarmDescription: `WebSocket connections exceed ${monitoringConfig.connectionThreshold}`,
-            MetricName: 'ConnectCount',
-            Namespace: 'AWS/ApiGateway',
-            Statistic: 'Sum',
-            Period: 300,
-            EvaluationPeriods: 2,
-            Threshold: monitoringConfig.connectionThreshold,
-            ComparisonOperator: 'GreaterThanThreshold',
-            Dimensions: [{ Name: 'ApiId', Value: { Ref: apiId } }],
-            ...(alarmTopicArn && { AlarmActions: [alarmTopicArn] }),
-          },
-        } as any)
-      }
-
-      // Error rate alarm
-      if (monitoringConfig.errorThreshold) {
-        this.builder.addResource(`${apiId}ErrorAlarm`, {
-          Type: 'AWS::CloudWatch::Alarm',
-          Properties: {
-            AlarmName: `${slug}-${env}-realtime-errors`,
-            AlarmDescription: `WebSocket errors exceed ${monitoringConfig.errorThreshold}/min`,
-            MetricName: 'ExecutionError',
-            Namespace: 'AWS/ApiGateway',
-            Statistic: 'Sum',
-            Period: 60,
-            EvaluationPeriods: 3,
-            Threshold: monitoringConfig.errorThreshold,
-            ComparisonOperator: 'GreaterThanThreshold',
-            Dimensions: [{ Name: 'ApiId', Value: { Ref: apiId } }],
-            ...(alarmTopicArn && { AlarmActions: [alarmTopicArn] }),
-          },
-        } as any)
-      }
-    }
-
-    // ========================================
-    // Outputs
-    // ========================================
-    this.builder.addOutput(`${apiId}Endpoint`, {
-      Description: 'WebSocket API endpoint URL',
-      Value: { 'Fn::Sub': `wss://\${${apiId}}.execute-api.\${AWS::Region}.amazonaws.com/${env}` },
-      Export: { Name: { 'Fn::Sub': `\${AWS::StackName}-realtime-endpoint` } as any },
-    })
-
-    this.builder.addOutput(`${apiId}Id`, {
-      Description: 'WebSocket API ID',
-      Value: { Ref: apiId },
-      Export: { Name: { 'Fn::Sub': `\${AWS::StackName}-realtime-api-id` } as any },
-    })
-  }
-
-  /**
-   * Generate $connect Lambda handler code
-   */
-  private generateConnectHandlerCode(): string {
-    return `
-const { DynamoDBClient } = require('@aws-sdk/client-dynamodb');
-const { DynamoDBDocumentClient, PutCommand } = require('@aws-sdk/lib-dynamodb');
-
-const client = new DynamoDBClient({});
-const docClient = DynamoDBDocumentClient.from(client);
-
-exports.handler = async (event) => {
-  const connectionId = event.requestContext.connectionId;
-  const userId = event.queryStringParameters?.userId || 'anonymous';
-  const ttl = Math.floor(Date.now() / 1000) + 86400; // 24 hours
-
-  try {
-    await docClient.send(new PutCommand({
-      TableName: process.env.CONNECTIONS_TABLE,
-      Item: {
-        connectionId,
-        userId,
-        connectedAt: new Date().toISOString(),
-        ttl,
-      },
-    }));
-
-    return { statusCode: 200, body: 'Connected' };
-  } catch (error) {
-    console.error('Connect error:', error);
-    return { statusCode: 500, body: 'Failed to connect' };
-  }
-};
-`.trim()
-  }
-
-  /**
-   * Generate $disconnect Lambda handler code
-   */
-  private generateDisconnectHandlerCode(): string {
-    return `
-const { DynamoDBClient } = require('@aws-sdk/client-dynamodb');
-const { DynamoDBDocumentClient, DeleteCommand, QueryCommand } = require('@aws-sdk/lib-dynamodb');
-
-const client = new DynamoDBClient({});
-const docClient = DynamoDBDocumentClient.from(client);
-
-exports.handler = async (event) => {
-  const connectionId = event.requestContext.connectionId;
-
-  try {
-    // Remove connection record
-    await docClient.send(new DeleteCommand({
-      TableName: process.env.CONNECTIONS_TABLE,
-      Key: { connectionId },
-    }));
-
-    // Remove all channel subscriptions for this connection
-    const subscriptions = await docClient.send(new QueryCommand({
-      TableName: process.env.CHANNELS_TABLE,
-      IndexName: 'connectionId-index',
-      KeyConditionExpression: 'connectionId = :cid',
-      ExpressionAttributeValues: { ':cid': connectionId },
-    }));
-
-    if (subscriptions.Items) {
-      for (const sub of subscriptions.Items) {
-        await docClient.send(new DeleteCommand({
-          TableName: process.env.CHANNELS_TABLE,
-          Key: { channel: sub.channel, connectionId },
-        }));
-      }
-    }
-
-    return { statusCode: 200, body: 'Disconnected' };
-  } catch (error) {
-    console.error('Disconnect error:', error);
-    return { statusCode: 500, body: 'Failed to disconnect' };
-  }
-};
-`.trim()
-  }
-
-  /**
-   * Generate $default (message) Lambda handler code
-   */
-  private generateMessageHandlerCode(): string {
-    return `
-const { DynamoDBClient } = require('@aws-sdk/client-dynamodb');
-const { DynamoDBDocumentClient, PutCommand, DeleteCommand, QueryCommand, GetCommand } = require('@aws-sdk/lib-dynamodb');
-const { ApiGatewayManagementApiClient, PostToConnectionCommand } = require('@aws-sdk/client-apigatewaymanagementapi');
-
-const dynamoClient = new DynamoDBClient({});
-const docClient = DynamoDBDocumentClient.from(dynamoClient);
-
-exports.handler = async (event) => {
-  const connectionId = event.requestContext.connectionId;
-  const endpoint = \`https://\${event.requestContext.domainName}/\${event.requestContext.stage}\`;
-  const apiClient = new ApiGatewayManagementApiClient({ endpoint });
-
-  let body;
-  try {
-    body = JSON.parse(event.body);
-  } catch {
-    return { statusCode: 400, body: 'Invalid JSON' };
-  }
-
-  const { action, channel, data } = body;
-
-  try {
-    switch (action) {
-      case 'subscribe': {
-        const ttl = Math.floor(Date.now() / 1000) + 86400;
-        await docClient.send(new PutCommand({
-          TableName: process.env.CHANNELS_TABLE,
-          Item: { channel, connectionId, subscribedAt: new Date().toISOString(), ttl },
-        }));
-        return { statusCode: 200, body: JSON.stringify({ action: 'subscribed', channel }) };
-      }
-
-      case 'unsubscribe': {
-        await docClient.send(new DeleteCommand({
-          TableName: process.env.CHANNELS_TABLE,
-          Key: { channel, connectionId },
-        }));
-        return { statusCode: 200, body: JSON.stringify({ action: 'unsubscribed', channel }) };
-      }
-
-      case 'broadcast': {
-        // Get all subscribers for the channel
-        const subscribers = await docClient.send(new QueryCommand({
-          TableName: process.env.CHANNELS_TABLE,
-          KeyConditionExpression: 'channel = :channel',
-          ExpressionAttributeValues: { ':channel': channel },
-        }));
-
-        const message = JSON.stringify({ channel, event: body.event, data });
-
-        // Send to all subscribers
-        const sendPromises = (subscribers.Items || []).map(async (sub) => {
-          try {
-            await apiClient.send(new PostToConnectionCommand({
-              ConnectionId: sub.connectionId,
-              Data: message,
-            }));
-          } catch (error) {
-            if (error.statusCode === 410) {
-              // Connection is stale, remove it
-              await docClient.send(new DeleteCommand({
-                TableName: process.env.CHANNELS_TABLE,
-                Key: { channel, connectionId: sub.connectionId },
-              }));
-            }
-          }
-        });
-
-        await Promise.all(sendPromises);
-        return { statusCode: 200, body: JSON.stringify({ action: 'broadcasted', channel, recipients: subscribers.Items?.length || 0 }) };
-      }
-
-      case 'ping': {
-        return { statusCode: 200, body: JSON.stringify({ action: 'pong', timestamp: Date.now() }) };
-      }
-
-      default:
-        return { statusCode: 400, body: JSON.stringify({ error: 'Unknown action', action }) };
-    }
-  } catch (error) {
-    console.error('Message handler error:', error);
-    return { statusCode: 500, body: JSON.stringify({ error: 'Internal error' }) };
-  }
-};
-`.trim()
-  }
-
-  /**
-   * Generate Realtime Server Mode infrastructure (ts-broadcasting)
-   * Creates ECS/EC2 resources for running the Bun WebSocket server
-   */
-  private generateRealtimeServerResources(slug: string, env: typeof this.environment): void {
-    const config = this.mergedConfig.infrastructure?.realtime
-    if (!config) return
-
-    const serverConfig = config.server || {}
-    const port = serverConfig.port || 6001
-    const instances = serverConfig.instances || 1
-
-    // ========================================
-    // Security Group for WebSocket Server
-    // ========================================
-    const sgId = `${slug}${env}RealtimeSG`.replace(/[^a-zA-Z0-9]/g, '')
-
-    this.builder.addResource(sgId, {
-      Type: 'AWS::EC2::SecurityGroup',
-      Properties: {
-        GroupDescription: `Security group for ${slug} realtime WebSocket server`,
-        GroupName: `${slug}-${env}-realtime-sg`,
-        VpcId: { Ref: 'VPC' },
-        SecurityGroupIngress: [
-          {
-            IpProtocol: 'tcp',
-            FromPort: port,
-            ToPort: port,
-            CidrIp: '0.0.0.0/0',
-            Description: 'WebSocket connections',
-          },
-          {
-            IpProtocol: 'tcp',
-            FromPort: 443,
-            ToPort: 443,
-            CidrIp: '0.0.0.0/0',
-            Description: 'HTTPS/WSS connections',
-          },
-        ],
-        SecurityGroupEgress: [
-          {
-            IpProtocol: '-1',
-            CidrIp: '0.0.0.0/0',
-            Description: 'Allow all outbound',
-          },
-        ],
-        Tags: [
-          { Key: 'Name', Value: `${slug}-${env}-realtime-sg` },
-          { Key: 'Environment', Value: env },
-        ],
-      },
-    } as any)
-
-    // ========================================
-    // ECS Task Definition for ts-broadcasting
-    // ========================================
-    const taskDefId = `${slug}${env}RealtimeTaskDef`.replace(/[^a-zA-Z0-9]/g, '')
-    const taskRoleId = `${slug}${env}RealtimeTaskRole`.replace(/[^a-zA-Z0-9]/g, '')
-    const execRoleId = `${slug}${env}RealtimeExecRole`.replace(/[^a-zA-Z0-9]/g, '')
-
-    // Task execution role
-    this.builder.addResource(execRoleId, {
-      Type: 'AWS::IAM::Role',
-      Properties: {
-        RoleName: `${slug}-${env}-realtime-exec-role`,
-        AssumeRolePolicyDocument: {
-          Version: '2012-10-17',
-          Statement: [{
-            Effect: 'Allow',
-            Principal: { Service: 'ecs-tasks.amazonaws.com' },
-            Action: 'sts:AssumeRole',
-          }],
-        },
-        ManagedPolicyArns: [
-          'arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy',
-        ],
-      },
-    } as any)
-
-    // Task role (for the application)
-    this.builder.addResource(taskRoleId, {
-      Type: 'AWS::IAM::Role',
-      Properties: {
-        RoleName: `${slug}-${env}-realtime-task-role`,
-        AssumeRolePolicyDocument: {
-          Version: '2012-10-17',
-          Statement: [{
-            Effect: 'Allow',
-            Principal: { Service: 'ecs-tasks.amazonaws.com' },
-            Action: 'sts:AssumeRole',
-          }],
-        },
-        Policies: [{
-          PolicyName: 'RealtimeTaskPolicy',
-          PolicyDocument: {
-            Version: '2012-10-17',
-            Statement: [
-              {
-                Effect: 'Allow',
-                Action: [
-                  'logs:CreateLogStream',
-                  'logs:PutLogEvents',
-                ],
-                Resource: '*',
-              },
-              // Add ElastiCache access if Redis is enabled
-              ...(serverConfig.redis?.enabled ? [{
-                Effect: 'Allow',
-                Action: [
-                  'elasticache:DescribeCacheClusters',
-                  'elasticache:DescribeReplicationGroups',
-                ],
-                Resource: '*',
-              }] : []),
-            ],
-          },
-        }],
-      },
-    } as any)
-
-    // Build environment variables for ts-broadcasting
-    const envVars: Array<{ Name: string, Value: any }> = [
-      { Name: 'BROADCAST_HOST', Value: serverConfig.host || '0.0.0.0' },
-      { Name: 'BROADCAST_PORT', Value: String(port) },
-      { Name: 'NODE_ENV', Value: env === 'production' ? 'production' : 'development' },
-    ]
-
-    if (serverConfig.redis?.enabled) {
-      if (serverConfig.redis.useElastiCache) {
-        envVars.push({ Name: 'REDIS_HOST', Value: { 'Fn::GetAtt': ['CacheCluster', 'RedisEndpoint.Address'] } })
-        envVars.push({ Name: 'REDIS_PORT', Value: { 'Fn::GetAtt': ['CacheCluster', 'RedisEndpoint.Port'] } })
-      }
-      else {
-        envVars.push({ Name: 'REDIS_HOST', Value: serverConfig.redis.host || 'localhost' })
-        envVars.push({ Name: 'REDIS_PORT', Value: String(serverConfig.redis.port || 6379) })
-      }
-      if (serverConfig.redis.keyPrefix) {
-        envVars.push({ Name: 'REDIS_KEY_PREFIX', Value: serverConfig.redis.keyPrefix })
-      }
-    }
-
-    // Task definition
-    this.builder.addResource(taskDefId, {
-      Type: 'AWS::ECS::TaskDefinition',
-      Properties: {
-        Family: `${slug}-${env}-realtime`,
-        NetworkMode: 'awsvpc',
-        RequiresCompatibilities: ['FARGATE'],
-        Cpu: '512',
-        Memory: '1024',
-        ExecutionRoleArn: { 'Fn::GetAtt': [execRoleId, 'Arn'] },
-        TaskRoleArn: { 'Fn::GetAtt': [taskRoleId, 'Arn'] },
-        ContainerDefinitions: [{
-          Name: 'realtime',
-          Image: { 'Fn::Sub': `\${AWS::AccountId}.dkr.ecr.\${AWS::Region}.amazonaws.com/${slug}-realtime:latest` },
-          Essential: true,
-          PortMappings: [{
-            ContainerPort: port,
-            Protocol: 'tcp',
-          }],
-          Environment: envVars,
-          LogConfiguration: {
-            LogDriver: 'awslogs',
-            Options: {
-              'awslogs-group': `/ecs/${slug}-${env}-realtime`,
-              'awslogs-region': { Ref: 'AWS::Region' },
-              'awslogs-stream-prefix': 'realtime',
-            },
-          },
-          HealthCheck: {
-            Command: ['CMD-SHELL', `curl -f http://localhost:${port}${serverConfig.healthCheckPath || '/health'} || exit 1`],
-            Interval: 30,
-            Timeout: 5,
-            Retries: 3,
-            StartPeriod: 60,
-          },
-        }],
-        Tags: [
-          { Key: 'Name', Value: `${slug}-${env}-realtime` },
-          { Key: 'Environment', Value: env },
-        ],
-      },
-      DependsOn: [execRoleId, taskRoleId],
-    } as any)
-
-    // CloudWatch Log Group
-    const logGroupId = `${slug}${env}RealtimeLogs`.replace(/[^a-zA-Z0-9]/g, '')
-    this.builder.addResource(logGroupId, {
-      Type: 'AWS::Logs::LogGroup',
-      Properties: {
-        LogGroupName: `/ecs/${slug}-${env}-realtime`,
-        RetentionInDays: 30,
-      },
-    } as any)
-
-    // ========================================
-    // ECS Service
-    // ========================================
-    const serviceId = `${slug}${env}RealtimeService`.replace(/[^a-zA-Z0-9]/g, '')
-
-    this.builder.addResource(serviceId, {
-      Type: 'AWS::ECS::Service',
-      Properties: {
-        ServiceName: `${slug}-${env}-realtime`,
-        Cluster: { Ref: 'ECSCluster' },
-        TaskDefinition: { Ref: taskDefId },
-        DesiredCount: instances,
-        LaunchType: 'FARGATE',
-        NetworkConfiguration: {
-          AwsvpcConfiguration: {
-            AssignPublicIp: 'ENABLED',
-            SecurityGroups: [{ Ref: sgId }],
-            Subnets: [{ Ref: 'PublicSubnet1' }, { Ref: 'PublicSubnet2' }],
-          },
-        },
-        HealthCheckGracePeriodSeconds: 60,
-        Tags: [
-          { Key: 'Name', Value: `${slug}-${env}-realtime` },
-          { Key: 'Environment', Value: env },
-        ],
-      },
-      DependsOn: [taskDefId, sgId, logGroupId],
-    } as any)
-
-    // ========================================
-    // Auto Scaling (if configured)
-    // ========================================
-    if (serverConfig.autoScaling) {
-      const scalingConfig = serverConfig.autoScaling
-      const scalableTargetId = `${slug}${env}RealtimeScalableTarget`.replace(/[^a-zA-Z0-9]/g, '')
-
-      this.builder.addResource(scalableTargetId, {
-        Type: 'AWS::ApplicationAutoScaling::ScalableTarget',
-        Properties: {
-          MaxCapacity: scalingConfig.max || 10,
-          MinCapacity: scalingConfig.min || 1,
-          ResourceId: { 'Fn::Sub': `service/\${ECSCluster}/${slug}-${env}-realtime` },
-          RoleARN: { 'Fn::Sub': 'arn:aws:iam::${AWS::AccountId}:role/aws-service-role/ecs.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_ECSService' },
-          ScalableDimension: 'ecs:service:DesiredCount',
-          ServiceNamespace: 'ecs',
-        },
-        DependsOn: serviceId,
-      } as any)
-
-      // CPU-based scaling policy
-      if (scalingConfig.targetCPU) {
-        this.builder.addResource(`${slug}${env}RealtimeCPUPolicy`.replace(/[^a-zA-Z0-9]/g, ''), {
-          Type: 'AWS::ApplicationAutoScaling::ScalingPolicy',
-          Properties: {
-            PolicyName: `${slug}-${env}-realtime-cpu-scaling`,
-            PolicyType: 'TargetTrackingScaling',
-            ScalingTargetId: { Ref: scalableTargetId },
-            TargetTrackingScalingPolicyConfiguration: {
-              PredefinedMetricSpecification: {
-                PredefinedMetricType: 'ECSServiceAverageCPUUtilization',
-              },
-              TargetValue: scalingConfig.targetCPU,
-              ScaleInCooldown: 300,
-              ScaleOutCooldown: 60,
-            },
-          },
-        } as any)
-      }
-    }
-
-    // ========================================
-    // CloudWatch Alarms (if monitoring enabled)
-    // ========================================
-    if (config.monitoring?.enabled) {
-      const monitoringConfig = config.monitoring
-      let alarmTopicArn = monitoringConfig.notificationTopicArn
-
-      if (!alarmTopicArn && monitoringConfig.notificationEmails?.length) {
-        const topicId = `${slug}${env}RealtimeAlarmTopic`.replace(/[^a-zA-Z0-9]/g, '')
-        this.builder.addResource(topicId, {
-          Type: 'AWS::SNS::Topic',
-          Properties: {
-            TopicName: `${slug}-${env}-realtime-alarms`,
-            DisplayName: 'Realtime Server Alarms',
-          },
-        } as any)
-
-        monitoringConfig.notificationEmails.forEach((email, idx) => {
-          this.builder.addResource(`${topicId}Sub${idx}`, {
-            Type: 'AWS::SNS::Subscription',
-            Properties: {
-              TopicArn: { Ref: topicId },
-              Protocol: 'email',
-              Endpoint: email,
-            },
-          } as any)
-        })
-
-        alarmTopicArn = { Ref: topicId } as any
-      }
-
-      // CPU alarm
-      this.builder.addResource(`${slug}${env}RealtimeCPUAlarm`.replace(/[^a-zA-Z0-9]/g, ''), {
-        Type: 'AWS::CloudWatch::Alarm',
-        Properties: {
-          AlarmName: `${slug}-${env}-realtime-high-cpu`,
-          AlarmDescription: 'Realtime server CPU utilization is high',
-          MetricName: 'CPUUtilization',
-          Namespace: 'AWS/ECS',
-          Statistic: 'Average',
-          Period: 300,
-          EvaluationPeriods: 2,
-          Threshold: 80,
-          ComparisonOperator: 'GreaterThanThreshold',
-          Dimensions: [
-            { Name: 'ClusterName', Value: { Ref: 'ECSCluster' } },
-            { Name: 'ServiceName', Value: `${slug}-${env}-realtime` },
-          ],
-          ...(alarmTopicArn && { AlarmActions: [alarmTopicArn] }),
-        },
-        DependsOn: serviceId,
-      } as any)
-
-      // Memory alarm
-      this.builder.addResource(`${slug}${env}RealtimeMemoryAlarm`.replace(/[^a-zA-Z0-9]/g, ''), {
-        Type: 'AWS::CloudWatch::Alarm',
-        Properties: {
-          AlarmName: `${slug}-${env}-realtime-high-memory`,
-          AlarmDescription: 'Realtime server memory utilization is high',
-          MetricName: 'MemoryUtilization',
-          Namespace: 'AWS/ECS',
-          Statistic: 'Average',
-          Period: 300,
-          EvaluationPeriods: 2,
-          Threshold: 80,
-          ComparisonOperator: 'GreaterThanThreshold',
-          Dimensions: [
-            { Name: 'ClusterName', Value: { Ref: 'ECSCluster' } },
-            { Name: 'ServiceName', Value: `${slug}-${env}-realtime` },
-          ],
-          ...(alarmTopicArn && { AlarmActions: [alarmTopicArn] }),
-        },
-        DependsOn: serviceId,
-      } as any)
-    }
-
-    // ========================================
-    // Outputs
-    // ========================================
-    this.builder.addOutput(`${slug}${env}RealtimeEndpoint`.replace(/[^a-zA-Z0-9]/g, ''), {
-      Description: 'Realtime WebSocket server endpoint',
-      Value: { 'Fn::Sub': `wss://${slug}-${env}-realtime.\${AWS::Region}.elb.amazonaws.com:${port}` },
-      Export: { Name: { 'Fn::Sub': `\${AWS::StackName}-realtime-endpoint` } as any },
-    })
-  }
-
-  /**
-   * Generate broadcast.config.ts content for ts-broadcasting
-   */
-  generateBroadcastConfig(): string {
-    const config = this.mergedConfig.infrastructure?.realtime
-    if (!config || config.mode !== 'server') return ''
-
-    const serverConfig = config.server || {}
-
-    return `import type { BroadcastConfig } from 'ts-broadcasting'
-
-export default {
-  verbose: ${this.environment !== 'production'},
-  driver: '${serverConfig.driver || 'bun'}',
-  default: 'bun',
-
-  connections: {
-    bun: {
-      driver: 'bun',
-      host: process.env.BROADCAST_HOST || '${serverConfig.host || '0.0.0.0'}',
-      port: Number(process.env.BROADCAST_PORT) || ${serverConfig.port || 6001},
-      scheme: '${serverConfig.scheme || 'wss'}',
-      options: {
-        idleTimeout: ${serverConfig.idleTimeout || 120},
-        maxPayloadLength: ${serverConfig.maxPayloadLength || 16 * 1024 * 1024},
-        backpressureLimit: ${serverConfig.backpressureLimit || 1024 * 1024},
-        closeOnBackpressureLimit: ${serverConfig.closeOnBackpressureLimit || false},
-        sendPings: ${serverConfig.sendPings !== false},
-        perMessageDeflate: ${serverConfig.perMessageDeflate !== false},
-      },
-    },
-  },
-${serverConfig.redis?.enabled ? `
-  redis: {
-    host: process.env.REDIS_HOST || '${serverConfig.redis.host || 'localhost'}',
-    port: Number(process.env.REDIS_PORT) || ${serverConfig.redis.port || 6379},
-    ${serverConfig.redis.password ? `password: process.env.REDIS_PASSWORD || '${serverConfig.redis.password}',` : ''}
-    database: ${serverConfig.redis.database || 0},
-    keyPrefix: '${serverConfig.redis.keyPrefix || 'broadcasting:'}',
-  },
-` : ''}
-${serverConfig.rateLimit?.enabled ? `
-  rateLimit: {
-    max: ${serverConfig.rateLimit.max || 100},
-    window: ${serverConfig.rateLimit.window || 60000},
-    perChannel: ${serverConfig.rateLimit.perChannel !== false},
-    perUser: ${serverConfig.rateLimit.perUser !== false},
-  },
-` : ''}
-${serverConfig.loadManagement?.enabled ? `
-  loadManagement: {
-    enabled: true,
-    maxConnections: ${serverConfig.loadManagement.maxConnections || 10000},
-    maxSubscriptionsPerConnection: ${serverConfig.loadManagement.maxSubscriptionsPerConnection || 100},
-    shedLoadThreshold: ${serverConfig.loadManagement.shedLoadThreshold || 0.8},
-  },
-` : ''}
-} satisfies BroadcastConfig
-`
-  }
-
-  /**
-   * Generate YAML output
-   */
-  toYAML(): string {
-    return this.builder.toYAML()
-  }
-
-  /**
-   * Generate JSON output
-   */
-  toJSON(): string {
-    return this.builder.toJSON()
-  }
-
-  /**
-   * Get the template builder
-   */
-  getBuilder(): TemplateBuilder {
-    return this.builder
-  }
-}