@teaminabottle/domain-cdk-packer 0.1.0

package/README.md

@@ -0,0 +1,83 @@
+# @teaminabottle/domain-cdk-packer
+
+AWS CDK L3 constructs that compile a `DomainRegistry` snapshot into CloudFormation. Takes the output of `tib-domain-module build` and generates type-safe infrastructure.
+
+## Install
+
+```bash
+npm install @teaminabottle/domain-cdk-packer --save-dev
+```
+
+## Quick Start
+
+Pack a domain registry into a CDK stack:
+
+```typescript
+import { packDomain } from '@teaminabottle/domain-cdk-packer';
+import * as cdk from 'aws-cdk-lib';
+import * as fs from 'fs';
+
+const app = new cdk.App();
+const registry = JSON.parse(
+  fs.readFileSync('.tib/domain-registry.json', 'utf-8')
+);
+
+packDomain(registry, app, {
+  env: { region: 'eu-north-1', account: '123456789' },
+});
+
+app.synth();
+```
+
+Or use `DomainStack` directly:
+
+```typescript
+import { DomainStack } from '@teaminabottle/domain-cdk-packer';
+
+new DomainStack(app, 'PaymentsStack', {
+  registry,
+  env: { region: 'eu-north-1', account: '123456789' },
+});
+```
+
+## Constructs Generated
+
+For each handler in the registry, the packer provisions:
+
+| Handler Type | Generated Constructs |
+|---|---|
+| `defineApi()` | Lambda function, API Gateway route (method + path), EventBridge integration |
+| `defineWebhook()` | Lambda function, API Gateway webhook route, GitHub webhook validation |
+| `defineSubscriber()` | Lambda function, EventBridge rule (event filter), Lambda target |
+| `defineSchedule()` | Lambda function, EventBridge Scheduler rule (cron expression) |
+| `defineJob()` | Lambda function, SQS queue, Lambda event source mapping |
+| `defineAction()` | Lambda function, Function URL (for workspace invocation) |
+| `defineIntegration()` | Lambda function, SQS DLQ, error retry logic |
+
+All handlers use **esbuild** for bundling and **Drizzle ORM** for database access.
+
+## Advanced Features
+
+**StepFunctionsCodegen** — Convert domain actions into AWS Step Functions task states for TIB Flow Designer integration:
+
+```typescript
+import { StepFunctionsCodegen } from '@teaminabottle/domain-cdk-packer';
+
+const sfnCodegen = new StepFunctionsCodegen(registry);
+const taskStates = sfnCodegen.generate();
+// taskStates: StepFunctionsTaskState[] — ready to be serialized to Flow Designer
+```
+
+## Peer Dependencies
+
+`@teaminabottle/domain-cdk-packer` requires:
+
+- `aws-cdk-lib` (^2.0)
+- `constructs` (^10.0)
+
+And expects `@teaminabottle/domain-runtime` to be installed in the same project (used for type reflection).
+
+## See Also
+
+- `@teaminabottle/domain-runtime` — handler definitions
+- `@teaminabottle/domain-cli` — local build and validation

package/dist/DomainStack.d.ts

@@ -0,0 +1,36 @@
+import * as cdk from 'aws-cdk-lib';
+import * as apigwv2 from 'aws-cdk-lib/aws-apigatewayv2';
+import { Construct } from 'constructs';
+import type { DomainRegistry } from './registry.js';
+/**
+ * Configuration properties for DomainStack.
+ */
+export interface DomainStackProps extends cdk.StackProps {
+    /** The compiled domain registry. */
+    registry: DomainRegistry;
+    /** ARN of the EventBridge event bus for event subscribers. */
+    eventBusArn: string;
+    /** Database connection URL passed from SharedStack. */
+    databaseUrl?: string;
+    /** Optional Cognito User Pool ARN for JWT-authenticated routes. */
+    userPoolArn?: string;
+    /** Optional Cognito User Pool Client ID — required when userPoolArn is provided. */
+    userPoolClientId?: string;
+    /** Optional Secrets Manager ARN for the database master credentials. */
+    dbSecretArn?: string;
+}
+/**
+ * Top-level CDK Stack that composes all domain constructs from a single DomainRegistry input.
+ * Uses grouped Lambdas for each primitive type to reduce deployment artifact size.
+ */
+export declare class DomainStack extends cdk.Stack {
+    /** Shared HTTP API for routing API and webhook requests. */
+    readonly httpApi: apigwv2.HttpApi;
+    /**
+     * Create a new DomainStack instance.
+     * @param scope - Parent CDK scope.
+     * @param id - Stack identifier.
+     * @param props - Stack properties including domain registry and event bus ARN.
+     */
+    constructor(scope: Construct, id: string, props: DomainStackProps);
+}

package/dist/DomainStack.js

@@ -0,0 +1,360 @@
+import * as cdk from 'aws-cdk-lib';
+import * as apigwv2 from 'aws-cdk-lib/aws-apigatewayv2';
+import * as apigwv2integrations from 'aws-cdk-lib/aws-apigatewayv2-integrations';
+import * as apigwv2authorizers from 'aws-cdk-lib/aws-apigatewayv2-authorizers';
+import * as events from 'aws-cdk-lib/aws-events';
+import * as eventsTargets from 'aws-cdk-lib/aws-events-targets';
+import * as sqs from 'aws-cdk-lib/aws-sqs';
+import * as lambdaEventSources from 'aws-cdk-lib/aws-lambda-event-sources';
+import * as dynamodb from 'aws-cdk-lib/aws-dynamodb';
+import * as iam from 'aws-cdk-lib/aws-iam';
+import * as scheduler from 'aws-cdk-lib/aws-scheduler';
+import { createGroupedLambdas } from './grouped-lambda-factory.js';
+import { IamPolicyBuilder } from './iam/iam-policy-builder.js';
+/**
+ * Top-level CDK Stack that composes all domain constructs from a single DomainRegistry input.
+ * Uses grouped Lambdas for each primitive type to reduce deployment artifact size.
+ */
+export class DomainStack extends cdk.Stack {
+    /** Shared HTTP API for routing API and webhook requests. */
+    httpApi;
+    /**
+     * Create a new DomainStack instance.
+     * @param scope - Parent CDK scope.
+     * @param id - Stack identifier.
+     * @param props - Stack properties including domain registry and event bus ARN.
+     */
+    constructor(scope, id, props) {
+        super(scope, id, props);
+        const { registry, eventBusArn, databaseUrl, userPoolArn, userPoolClientId, dbSecretArn } = props;
+        const domainId = registry.domain.id;
+        this.httpApi = new apigwv2.HttpApi(this, 'HttpApi', {
+            apiName: `${domainId}-api`,
+            corsPreflight: {
+                allowHeaders: ['Content-Type', 'Authorization'],
+                allowMethods: [apigwv2.CorsHttpMethod.ANY],
+                allowOrigins: ['*'],
+            },
+        });
+        const iamBuilder = new IamPolicyBuilder();
+        const eventBus = events.EventBus.fromEventBusArn(this, 'TibEventBus', eventBusArn);
+        // Build common environment for all Lambdas
+        const environment = {
+            TIB_DOMAIN_ID: domainId,
+            TIB_EVENT_BUS_ARN: eventBusArn,
+        };
+        if (databaseUrl) {
+            environment.DATABASE_URL = databaseUrl;
+        }
+        if (dbSecretArn) {
+            environment.DB_SECRET_ARN = dbSecretArn;
+        }
+        // Create JWT authorizer if userPoolArn is provided
+        let jwtAuthorizer;
+        if (userPoolArn && userPoolClientId) {
+            const userPoolId = userPoolArn.split('/').pop();
+            jwtAuthorizer = new apigwv2authorizers.HttpJwtAuthorizer('JwtAuthorizer', `https://cognito-idp.${this.region}.amazonaws.com/${userPoolId}`, {
+                jwtAudience: [userPoolClientId],
+            });
+        }
+        // Deploy API endpoints as grouped Lambdas
+        if (registry.apis.length > 0) {
+            const apiLambdas = createGroupedLambdas(this, {
+                domainId,
+                primitiveType: 'api',
+                handlerEntries: registry.apis.map(api => ({
+                    id: api.id,
+                    handlerFile: api.handlerFile,
+                })),
+                environment,
+                eventBusArn,
+                dedicated: registry.apis.some(api => api.deployment?.isolation === 'dedicated'),
+            });
+            // Wire each API Lambda to the HttpApi
+            const iamPolicies = iamBuilder.forApi();
+            apiLambdas.forEach((fn) => {
+                iamPolicies.forEach(statement => fn.addToRolePolicy(statement));
+            });
+            // Add dbSecretArn grant if provided
+            if (dbSecretArn) {
+                apiLambdas.forEach(fn => fn.addToRolePolicy(new iam.PolicyStatement({
+                    actions: ['secretsmanager:GetSecretValue'],
+                    resources: [dbSecretArn],
+                })));
+            }
+            // Add routes for each API entry
+            for (const api of registry.apis) {
+                const fn = apiLambdas[0]; // Grouped Lambda or first dedicated
+                const apiRouteBase = {
+                    path: api.path,
+                    methods: [toHttpMethod(api.method)],
+                    integration: new apigwv2integrations.HttpLambdaIntegration(`Apis${toPascalCase(api.id)}Integration`, fn),
+                };
+                let apiRoute;
+                if (api.authType === 'jwt' && jwtAuthorizer) {
+                    apiRoute = { ...apiRouteBase, authorizer: jwtAuthorizer };
+                }
+                else if (api.authType === 'api-key') {
+                    // TODO(#1785): wire HttpApiKeyAuthorizer
+                    apiRoute = apiRouteBase;
+                }
+                else {
+                    apiRoute = apiRouteBase;
+                }
+                this.httpApi.addRoutes(apiRoute);
+            }
+        }
+        // Deploy webhooks as grouped Lambdas
+        if (registry.webhooks.length > 0) {
+            // Create shared dedupe table for webhooks
+            const dedupeTable = new dynamodb.Table(this, 'WebhookDedupeTable', {
+                partitionKey: { name: 'pk', type: dynamodb.AttributeType.STRING },
+                billingMode: dynamodb.BillingMode.PAY_PER_REQUEST,
+                timeToLiveAttribute: 'expiresAt',
+                removalPolicy: cdk.RemovalPolicy.DESTROY,
+            });
+            const webhookLambdas = createGroupedLambdas(this, {
+                domainId,
+                primitiveType: 'webhook',
+                handlerEntries: registry.webhooks.map(webhook => ({
+                    id: webhook.id,
+                    handlerFile: webhook.handlerFile,
+                })),
+                environment,
+                eventBusArn,
+                dedicated: registry.webhooks.some(webhook => webhook.deployment?.isolation === 'dedicated'),
+            });
+            // Wire each webhook Lambda to the HttpApi
+            const iamPolicies = iamBuilder.forWebhook({ dedupeTableArn: dedupeTable.tableArn });
+            webhookLambdas.forEach((fn) => {
+                iamPolicies.forEach(statement => fn.addToRolePolicy(statement));
+                dedupeTable.grantReadWriteData(fn);
+            });
+            // Add dbSecretArn grant if provided
+            if (dbSecretArn) {
+                webhookLambdas.forEach(fn => fn.addToRolePolicy(new iam.PolicyStatement({
+                    actions: ['secretsmanager:GetSecretValue'],
+                    resources: [dbSecretArn],
+                })));
+            }
+            // Add routes for each webhook entry
+            for (const webhook of registry.webhooks) {
+                const fn = webhookLambdas[0]; // Grouped Lambda or first dedicated
+                this.httpApi.addRoutes({
+                    path: webhook.path,
+                    methods: [apigwv2.HttpMethod.POST],
+                    integration: new apigwv2integrations.HttpLambdaIntegration(`Webhooks${toPascalCase(webhook.id)}Integration`, fn),
+                });
+            }
+        }
+        // Deploy event subscribers as grouped Lambdas
+        if (registry.subscribers.length > 0) {
+            const subscriberLambdas = createGroupedLambdas(this, {
+                domainId,
+                primitiveType: 'subscriber',
+                handlerEntries: registry.subscribers.map(subscriber => ({
+                    id: subscriber.id,
+                    handlerFile: subscriber.handlerFile,
+                })),
+                environment,
+                eventBusArn,
+                dedicated: registry.subscribers.some(subscriber => subscriber.deployment?.isolation === 'dedicated'),
+            });
+            // Wire EventBridge → SQS → Lambda for each subscriber
+            for (const subscriber of registry.subscribers) {
+                const pascalId = toPascalCase(subscriber.id);
+                // Create dead-letter queue
+                const dlq = new sqs.Queue(this, `${pascalId}Dlq`, {
+                    retentionPeriod: cdk.Duration.days(14),
+                });
+                // Create main queue with dead-letter queue configuration
+                const queue = new sqs.Queue(this, `${pascalId}Queue`, {
+                    visibilityTimeout: cdk.Duration.seconds(180),
+                    deadLetterQueue: {
+                        queue: dlq,
+                        maxReceiveCount: 3,
+                    },
+                });
+                // Add SQS as event source for the first grouped Lambda
+                const fn = subscriberLambdas[0];
+                fn.addEventSource(new lambdaEventSources.SqsEventSource(queue, {
+                    batchSize: 10,
+                    maxConcurrency: subscriber.concurrency ?? 5,
+                }));
+                // Grant IAM permissions for this queue
+                const queuePolicies = iamBuilder.forSubscriber({ queueArn: queue.queueArn, dlqArn: dlq.queueArn });
+                queuePolicies.forEach(statement => fn.addToRolePolicy(statement));
+                // Create EventBridge rule targeting SQS queue
+                new events.Rule(this, `${pascalId}Rule`, {
+                    eventBus,
+                    eventPattern: { detailType: [subscriber.event] },
+                    targets: [new eventsTargets.SqsQueue(queue)],
+                });
+            }
+            // Add dbSecretArn grant if provided
+            if (dbSecretArn) {
+                subscriberLambdas.forEach(fn => fn.addToRolePolicy(new iam.PolicyStatement({
+                    actions: ['secretsmanager:GetSecretValue'],
+                    resources: [dbSecretArn],
+                })));
+            }
+        }
+        // Deploy scheduled tasks as grouped Lambdas
+        if (registry.schedules.length > 0) {
+            const scheduleLambdas = createGroupedLambdas(this, {
+                domainId,
+                primitiveType: 'schedule',
+                handlerEntries: registry.schedules.map(schedule => ({
+                    id: schedule.id,
+                    handlerFile: schedule.handlerFile,
+                })),
+                environment,
+                eventBusArn,
+                dedicated: registry.schedules.some(schedule => schedule.deployment?.isolation === 'dedicated'),
+            });
+            const iamPolicies = iamBuilder.forSchedule();
+            scheduleLambdas.forEach((fn) => {
+                iamPolicies.forEach(statement => fn.addToRolePolicy(statement));
+            });
+            // Add dbSecretArn grant if provided
+            if (dbSecretArn) {
+                scheduleLambdas.forEach(fn => fn.addToRolePolicy(new iam.PolicyStatement({
+                    actions: ['secretsmanager:GetSecretValue'],
+                    resources: [dbSecretArn],
+                })));
+            }
+            // Wire EventBridge Scheduler rules to Lambda
+            for (const schedule of registry.schedules) {
+                const pascalId = toPascalCase(schedule.id);
+                const fn = scheduleLambdas[0]; // Grouped Lambda or first dedicated
+                // Create a dedicated IAM role for the EventBridge Scheduler to assume
+                const schedulerRole = new iam.Role(this, `${pascalId}SchedulerRole`, {
+                    assumedBy: new iam.ServicePrincipal('scheduler.amazonaws.com'),
+                });
+                // Grant the scheduler role permission to invoke the Lambda
+                fn.grantInvoke(schedulerRole);
+                // Create the EventBridge Scheduler rule
+                new scheduler.CfnSchedule(this, `${pascalId}Schedule`, {
+                    scheduleExpression: schedule.cron,
+                    flexibleTimeWindow: { mode: 'OFF' },
+                    state: schedule.enabled ? 'ENABLED' : 'DISABLED',
+                    target: {
+                        arn: fn.functionArn,
+                        roleArn: schedulerRole.roleArn,
+                        input: JSON.stringify({}),
+                    },
+                });
+            }
+        }
+        // Deploy background jobs as grouped Lambdas
+        if (registry.jobs.length > 0) {
+            const jobLambdas = createGroupedLambdas(this, {
+                domainId,
+                primitiveType: 'job',
+                handlerEntries: registry.jobs.map(job => ({
+                    id: job.id,
+                    handlerFile: job.handlerFile,
+                })),
+                environment,
+                eventBusArn,
+                dedicated: registry.jobs.some(job => job.deployment?.isolation === 'dedicated'),
+            });
+            // Wire SQS → Lambda for each job
+            for (const job of registry.jobs) {
+                const pascalId = toPascalCase(job.id);
+                // Create dead-letter queue
+                const dlq = new sqs.Queue(this, `${pascalId}JobDlq`, {
+                    retentionPeriod: cdk.Duration.days(14),
+                });
+                // Create main queue with dead-letter queue configuration
+                const queue = new sqs.Queue(this, `${pascalId}JobQueue`, {
+                    visibilityTimeout: cdk.Duration.seconds(job.visibilityTimeoutSeconds),
+                    deadLetterQueue: {
+                        queue: dlq,
+                        maxReceiveCount: job.maxRetries,
+                    },
+                });
+                // Add SQS as event source for the first grouped Lambda
+                const fn = jobLambdas[0];
+                fn.addEventSource(new lambdaEventSources.SqsEventSource(queue, {
+                    batchSize: 1,
+                }));
+                // Grant IAM permissions for this queue
+                const queuePolicies = iamBuilder.forJob({ queueArn: queue.queueArn, dlqArn: dlq.queueArn });
+                queuePolicies.forEach(statement => fn.addToRolePolicy(statement));
+            }
+            // Add dbSecretArn grant if provided
+            if (dbSecretArn) {
+                jobLambdas.forEach(fn => fn.addToRolePolicy(new iam.PolicyStatement({
+                    actions: ['secretsmanager:GetSecretValue'],
+                    resources: [dbSecretArn],
+                })));
+            }
+        }
+        // Deploy callable actions as grouped Lambdas
+        if (registry.actions.length > 0) {
+            const actionLambdas = createGroupedLambdas(this, {
+                domainId,
+                primitiveType: 'action',
+                handlerEntries: registry.actions.map(action => ({
+                    id: action.id,
+                    handlerFile: action.handlerFile,
+                })),
+                environment,
+                eventBusArn,
+                dedicated: registry.actions.some(action => action.deployment?.isolation === 'dedicated'),
+            });
+            const iamPolicies = iamBuilder.forAction();
+            actionLambdas.forEach((fn) => {
+                iamPolicies.forEach(statement => fn.addToRolePolicy(statement));
+            });
+            // Add dbSecretArn grant if provided
+            if (dbSecretArn) {
+                actionLambdas.forEach(fn => fn.addToRolePolicy(new iam.PolicyStatement({
+                    actions: ['secretsmanager:GetSecretValue'],
+                    resources: [dbSecretArn],
+                })));
+            }
+        }
+        new cdk.CfnOutput(this, 'HttpApiUrl', {
+            value: this.httpApi.apiEndpoint,
+            description: 'Domain HTTP API endpoint',
+        });
+    }
+}
+/**
+ * Convert kebab-case or snake_case string to PascalCase.
+ * @param s - Input string.
+ * @returns PascalCase string.
+ */
+function toPascalCase(s) {
+    return s
+        .split(/[-_]/)
+        .map((segment) => segment.charAt(0).toUpperCase() + segment.slice(1))
+        .join('');
+}
+/**
+ * Convert HTTP method string to ApiGatewayV2 HttpMethod enum.
+ * @param method - HTTP method string (e.g., 'GET', 'POST').
+ * @returns HttpMethod enum value.
+ */
+function toHttpMethod(method) {
+    switch (method.toUpperCase()) {
+        case 'GET':
+            return apigwv2.HttpMethod.GET;
+        case 'POST':
+            return apigwv2.HttpMethod.POST;
+        case 'PUT':
+            return apigwv2.HttpMethod.PUT;
+        case 'PATCH':
+            return apigwv2.HttpMethod.PATCH;
+        case 'DELETE':
+            return apigwv2.HttpMethod.DELETE;
+        case 'HEAD':
+            return apigwv2.HttpMethod.HEAD;
+        case 'OPTIONS':
+            return apigwv2.HttpMethod.OPTIONS;
+        default:
+            return apigwv2.HttpMethod.ANY;
+    }
+}

package/dist/__tests__/domain-stack.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/__tests__/domain-stack.test.js

@@ -0,0 +1,138 @@
+import { describe, it, expect, beforeAll, afterAll } from 'vitest';
+import * as cdk from 'aws-cdk-lib';
+import { Template } from 'aws-cdk-lib/assertions';
+import fs from 'node:fs';
+import path from 'node:path';
+import { DomainStack } from '../DomainStack.js';
+const DOMAIN_ROOT = '/tmp/test-domain-cdk-packer';
+const minimalRegistry = {
+    schemaVersion: '1',
+    domainRoot: DOMAIN_ROOT,
+    domain: { id: 'test-domain', kind: 'domain', name: 'Test Domain', tenancy: 'none' },
+    apis: [
+        {
+            id: 'get-users',
+            kind: 'api',
+            handlerFile: 'src/handlers/get-users.ts',
+            path: '/users',
+            method: 'GET',
+            authType: 'jwt',
+        },
+    ],
+    webhooks: [],
+    subscribers: [],
+    schedules: [],
+    jobs: [],
+    actions: [],
+    integrations: [],
+    events: [],
+};
+beforeAll(() => {
+    const handlerDir = path.join(DOMAIN_ROOT, 'src', 'handlers');
+    fs.mkdirSync(handlerDir, { recursive: true });
+    fs.writeFileSync(path.join(handlerDir, 'get-users.ts'), 'export const handler = async () => ({ statusCode: 200 });\n');
+});
+afterAll(() => {
+    fs.rmSync(DOMAIN_ROOT, { recursive: true, force: true });
+});
+describe('DomainStack', () => {
+    const eventBusArn = 'arn:aws:events:eu-north-1:123456789012:event-bus/tib-event-bus';
+    it('synthesises without error for minimal registry', () => {
+        const app = new cdk.App();
+        expect(() => new DomainStack(app, 'TestDomainStack', { registry: minimalRegistry, eventBusArn })).not.toThrow();
+    });
+    it('template contains HttpApi', () => {
+        const app = new cdk.App();
+        const stack = new DomainStack(app, 'TestDomainStack2', { registry: minimalRegistry, eventBusArn });
+        const template = Template.fromStack(stack);
+        template.resourceCountIs('AWS::ApiGatewayV2::Api', 1);
+    });
+    it('template contains one Lambda function for the api entry', () => {
+        const app = new cdk.App();
+        const stack = new DomainStack(app, 'TestDomainStack3', { registry: minimalRegistry, eventBusArn });
+        const template = Template.fromStack(stack);
+        template.resourceCountIs('AWS::Lambda::Function', 2);
+    });
+    it('attaches JWT authorizer to jwt-auth API routes when userPoolArn provided', () => {
+        const app = new cdk.App();
+        const userPoolArn = 'arn:aws:cognito-idp:eu-north-1:123456789012:userpool/eu-north-1_abc123xyz';
+        const userPoolClientId = 'test-client-id';
+        const stack = new DomainStack(app, 'TestDomainStackJwt', {
+            registry: minimalRegistry,
+            eventBusArn,
+            userPoolArn,
+            userPoolClientId,
+        });
+        const template = Template.fromStack(stack);
+        template.hasResourceProperties('AWS::ApiGatewayV2::Authorizer', {
+            AuthorizerType: 'JWT',
+        });
+    });
+    it('no authorizer attached when authType is none', () => {
+        const app = new cdk.App();
+        const registryNoAuth = {
+            ...minimalRegistry,
+            apis: [
+                {
+                    ...minimalRegistry.apis[0],
+                    authType: 'none',
+                },
+            ],
+        };
+        const stack = new DomainStack(app, 'TestDomainStackNoAuth', {
+            registry: registryNoAuth,
+            eventBusArn,
+        });
+        const template = Template.fromStack(stack);
+        template.resourceCountIs('AWS::ApiGatewayV2::Authorizer', 0);
+    });
+    it('DB_SECRET_ARN env var set on Lambdas when dbSecretArn provided', () => {
+        const app = new cdk.App();
+        const dbSecretArn = 'arn:aws:secretsmanager:eu-north-1:123456789012:secret:db-secret-abc123';
+        const stack = new DomainStack(app, 'TestDomainStackDbSecret', {
+            registry: minimalRegistry,
+            eventBusArn,
+            dbSecretArn,
+        });
+        const template = Template.fromStack(stack);
+        template.allResources('AWS::Lambda::Function', {
+            Environment: {
+                Variables: {
+                    Match: {
+                        stringLike: {
+                            DB_SECRET_ARN: dbSecretArn,
+                        },
+                    },
+                },
+            },
+        });
+    });
+    it('secretsmanager:GetSecretValue grant added when dbSecretArn provided', () => {
+        const app = new cdk.App();
+        const dbSecretArn = 'arn:aws:secretsmanager:eu-north-1:123456789012:secret:db-secret-abc123';
+        const stack = new DomainStack(app, 'TestDomainStackSecretGrant', {
+            registry: minimalRegistry,
+            eventBusArn,
+            dbSecretArn,
+        });
+        const template = Template.fromStack(stack);
+        template.allResources('AWS::IAM::Policy', {
+            PolicyDocument: {
+                Match: {
+                    objectLike: {
+                        Statement: [
+                            {
+                                Match: {
+                                    objectLike: {
+                                        Action: ['secretsmanager:GetSecretValue'],
+                                        Resource: [dbSecretArn],
+                                    },
+                                },
+                            },
+                        ],
+                    },
+                },
+            },
+        });
+    });
+});

package/dist/__tests__/lambda-factory.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/__tests__/lambda-factory.test.js

@@ -0,0 +1,30 @@
+import { describe, it, expect, beforeAll, afterAll } from 'vitest';
+import * as cdk from 'aws-cdk-lib';
+import fs from 'node:fs';
+import path from 'node:path';
+import { LambdaFactory } from '../lambda-factory.js';
+const DOMAIN_ROOT = '/tmp/test-domain-cdk-packer';
+const minimalRegistry = {
+    schemaVersion: '1',
+    domainRoot: DOMAIN_ROOT,
+    domain: { id: 'test-domain', kind: 'domain', name: 'Test Domain', tenancy: 'none' },
+    apis: [], webhooks: [], subscribers: [], schedules: [], jobs: [], actions: [], integrations: [], events: [],
+};
+beforeAll(() => {
+    const handlerDir = path.join(DOMAIN_ROOT, 'src');
+    fs.mkdirSync(handlerDir, { recursive: true });
+    fs.writeFileSync(path.join(handlerDir, 'api.ts'), 'export const handler = async () => ({ statusCode: 200 });\n');
+});
+afterAll(() => {
+    fs.rmSync(DOMAIN_ROOT, { recursive: true, force: true });
+});
+describe('LambdaFactory', () => {
+    it('creates a NodejsFunction construct without throwing', () => {
+        const app = new cdk.App();
+        const stack = new cdk.Stack(app, 'TestStack');
+        const factory = new LambdaFactory({ scope: stack, registry: minimalRegistry, domainRoot: minimalRegistry.domainRoot });
+        expect(() => {
+            factory.createFunction({ id: 'test-api', kind: 'api', handlerFile: 'src/api.ts' });
+        }).not.toThrow();
+    });
+});

package/dist/__tests__/pack-flows.test.d.ts

@@ -0,0 +1 @@
+export {};