create-aws-project 1.5.1 → 1.7.0

package/dist/__tests__/aws/cdk-bootstrap.spec.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/__tests__/aws/cdk-bootstrap.spec.js

@@ -0,0 +1,266 @@
+import { describe, it, expect, jest, beforeEach } from '@jest/globals';
+// Mock execa
+const mockExeca = jest.fn();
+jest.unstable_mockModule('execa', () => ({
+    execa: mockExeca,
+}));
+// Mock AWS SDK STS client
+/* eslint-disable @typescript-eslint/no-explicit-any */
+const mockSTSSend = jest.fn();
+const mockAssumeRoleCommand = jest.fn();
+/* eslint-enable @typescript-eslint/no-explicit-any */
+/* eslint-disable @typescript-eslint/no-explicit-any */
+jest.unstable_mockModule('@aws-sdk/client-sts', () => {
+    class MockSTSClient {
+        send = mockSTSSend;
+    }
+    return {
+        STSClient: MockSTSClient,
+        AssumeRoleCommand: mockAssumeRoleCommand,
+    };
+});
+/* eslint-enable @typescript-eslint/no-explicit-any */
+// Mock ora (for spinner type)
+const mockOra = {
+    text: '',
+    succeed: jest.fn(),
+    fail: jest.fn(),
+};
+const { bootstrapCDKEnvironment, bootstrapAllEnvironments } = await import('../../aws/cdk-bootstrap.js');
+describe('cdk-bootstrap', () => {
+    beforeEach(() => {
+        jest.clearAllMocks();
+        mockOra.text = '';
+        // Mock AssumeRoleCommand to return the input
+        mockAssumeRoleCommand.mockImplementation((input) => input);
+    });
+    describe('bootstrapCDKEnvironment', () => {
+        it('calls execa with correct npx cdk bootstrap command', async () => {
+            mockExeca.mockResolvedValue({ all: 'Bootstrap successful' });
+            await bootstrapCDKEnvironment({
+                accountId: '123456789012',
+                region: 'us-west-2',
+                credentials: {
+                    accessKeyId: 'AKIATEST',
+                    secretAccessKey: 'secret123',
+                    sessionToken: 'token123',
+                },
+            });
+            expect(mockExeca).toHaveBeenCalledWith('npx', [
+                'cdk',
+                'bootstrap',
+                'aws://123456789012/us-west-2',
+                '--trust',
+                '123456789012',
+                '--cloudformation-execution-policies',
+                'arn:aws:iam::aws:policy/AdministratorAccess',
+                '--require-approval',
+                'never',
+            ], expect.objectContaining({
+                all: true,
+            }));
+        });
+        it('passes credentials as environment variables', async () => {
+            mockExeca.mockResolvedValue({ all: 'Bootstrap successful' });
+            await bootstrapCDKEnvironment({
+                accountId: '123456789012',
+                region: 'us-west-2',
+                credentials: {
+                    accessKeyId: 'AKIATEST',
+                    secretAccessKey: 'secret123',
+                    sessionToken: 'token123',
+                },
+            });
+            const callArgs = mockExeca.mock.calls[0];
+            const options = callArgs[2];
+            expect(options.env).toBeDefined();
+            expect(options.env?.AWS_ACCESS_KEY_ID).toBe('AKIATEST');
+            expect(options.env?.AWS_SECRET_ACCESS_KEY).toBe('secret123');
+            expect(options.env?.AWS_SESSION_TOKEN).toBe('token123');
+            expect(options.env?.AWS_REGION).toBe('us-west-2');
+        });
+        it('omits session token from env if not provided', async () => {
+            mockExeca.mockResolvedValue({ all: 'Bootstrap successful' });
+            await bootstrapCDKEnvironment({
+                accountId: '123456789012',
+                region: 'us-west-2',
+                credentials: {
+                    accessKeyId: 'AKIATEST',
+                    secretAccessKey: 'secret123',
+                },
+            });
+            const callArgs = mockExeca.mock.calls[0];
+            const options = callArgs[2];
+            expect(options.env).toBeDefined();
+            expect(options.env?.AWS_ACCESS_KEY_ID).toBe('AKIATEST');
+            expect(options.env?.AWS_SECRET_ACCESS_KEY).toBe('secret123');
+            expect(options.env?.AWS_SESSION_TOKEN).toBeUndefined();
+            expect(options.env?.AWS_REGION).toBe('us-west-2');
+        });
+        it('returns success result on successful execution', async () => {
+            mockExeca.mockResolvedValue({ all: 'Bootstrap successful' });
+            const result = await bootstrapCDKEnvironment({
+                accountId: '123456789012',
+                region: 'us-west-2',
+                credentials: {
+                    accessKeyId: 'AKIATEST',
+                    secretAccessKey: 'secret123',
+                },
+            });
+            expect(result.success).toBe(true);
+            expect(result.output).toBe('Bootstrap successful');
+        });
+        it('returns failure result with output on error', async () => {
+            const error = new Error('Bootstrap failed');
+            error.all = 'Error: Stack already exists';
+            mockExeca.mockRejectedValue(error);
+            const result = await bootstrapCDKEnvironment({
+                accountId: '123456789012',
+                region: 'us-west-2',
+                credentials: {
+                    accessKeyId: 'AKIATEST',
+                    secretAccessKey: 'secret123',
+                },
+            });
+            expect(result.success).toBe(false);
+            expect(result.output).toBe('Error: Stack already exists');
+        });
+        it('uses error message if all property not available', async () => {
+            const error = new Error('Bootstrap failed');
+            mockExeca.mockRejectedValue(error);
+            const result = await bootstrapCDKEnvironment({
+                accountId: '123456789012',
+                region: 'us-west-2',
+                credentials: {
+                    accessKeyId: 'AKIATEST',
+                    secretAccessKey: 'secret123',
+                },
+            });
+            expect(result.success).toBe(false);
+            expect(result.output).toBe('Bootstrap failed');
+        });
+    });
+    describe('bootstrapAllEnvironments', () => {
+        beforeEach(() => {
+            // Mock successful STS AssumeRole responses
+            mockSTSSend.mockResolvedValue({
+                Credentials: {
+                    AccessKeyId: 'ASIATEMP123',
+                    SecretAccessKey: 'tempsecret123',
+                    SessionToken: 'temptoken123',
+                },
+            });
+            // Mock successful bootstrap
+            mockExeca.mockResolvedValue({ all: 'Bootstrap successful' });
+        });
+        it('calls bootstrapCDKEnvironment for each environment', async () => {
+            await bootstrapAllEnvironments({
+                accounts: {
+                    dev: '111111111111',
+                    stage: '222222222222',
+                    prod: '333333333333',
+                },
+                region: 'us-east-1',
+                adminCredentials: {
+                    accessKeyId: 'AKIAADMIN',
+                    secretAccessKey: 'adminsecret',
+                },
+                spinner: mockOra, // eslint-disable-line @typescript-eslint/no-explicit-any
+            });
+            // Should call execa 3 times (once per environment)
+            expect(mockExeca).toHaveBeenCalledTimes(3);
+            // Verify each environment was bootstrapped
+            expect(mockExeca).toHaveBeenCalledWith('npx', expect.arrayContaining(['aws://111111111111/us-east-1']), expect.any(Object));
+            expect(mockExeca).toHaveBeenCalledWith('npx', expect.arrayContaining(['aws://222222222222/us-east-1']), expect.any(Object));
+            expect(mockExeca).toHaveBeenCalledWith('npx', expect.arrayContaining(['aws://333333333333/us-east-1']), expect.any(Object));
+        });
+        it('assumes OrganizationAccountAccessRole for each account', async () => {
+            await bootstrapAllEnvironments({
+                accounts: {
+                    dev: '111111111111',
+                    stage: '222222222222',
+                    prod: '333333333333',
+                },
+                region: 'us-east-1',
+                adminCredentials: {
+                    accessKeyId: 'AKIAADMIN',
+                    secretAccessKey: 'adminsecret',
+                },
+                spinner: mockOra, // eslint-disable-line @typescript-eslint/no-explicit-any
+            });
+            // Should call AssumeRoleCommand 3 times (once per environment)
+            expect(mockAssumeRoleCommand).toHaveBeenCalledTimes(3);
+            // Verify role ARNs for each environment
+            const calls = mockAssumeRoleCommand.mock.calls;
+            expect(calls[0][0].RoleArn).toBe('arn:aws:iam::111111111111:role/OrganizationAccountAccessRole');
+            expect(calls[1][0].RoleArn).toBe('arn:aws:iam::222222222222:role/OrganizationAccountAccessRole');
+            expect(calls[2][0].RoleArn).toBe('arn:aws:iam::333333333333:role/OrganizationAccountAccessRole');
+        });
+        it('updates spinner text for each environment', async () => {
+            await bootstrapAllEnvironments({
+                accounts: {
+                    dev: '111111111111',
+                    stage: '222222222222',
+                    prod: '333333333333',
+                },
+                region: 'us-east-1',
+                adminCredentials: {
+                    accessKeyId: 'AKIAADMIN',
+                    secretAccessKey: 'adminsecret',
+                },
+                spinner: mockOra, // eslint-disable-line @typescript-eslint/no-explicit-any
+            });
+            expect(mockOra.succeed).toHaveBeenCalledTimes(3);
+            expect(mockOra.succeed).toHaveBeenCalledWith('CDK bootstrapped in dev account (111111111111)');
+            expect(mockOra.succeed).toHaveBeenCalledWith('CDK bootstrapped in stage account (222222222222)');
+            expect(mockOra.succeed).toHaveBeenCalledWith('CDK bootstrapped in prod account (333333333333)');
+        });
+        it('throws error and fails spinner if bootstrap fails', async () => {
+            mockExeca.mockResolvedValueOnce({ all: 'Success' }); // dev succeeds
+            mockExeca.mockRejectedValueOnce({
+                all: 'Error: CDK bootstrap failed',
+                message: 'Error: CDK bootstrap failed',
+            }); // stage fails
+            await expect(bootstrapAllEnvironments({
+                accounts: {
+                    dev: '111111111111',
+                    stage: '222222222222',
+                    prod: '333333333333',
+                },
+                region: 'us-east-1',
+                adminCredentials: null,
+                spinner: mockOra, // eslint-disable-line @typescript-eslint/no-explicit-any
+            })).rejects.toThrow('CDK bootstrap failed in stage account');
+            expect(mockOra.fail).toHaveBeenCalledWith('CDK bootstrap failed in stage account');
+        });
+        it('works with null adminCredentials (uses default credentials)', async () => {
+            await bootstrapAllEnvironments({
+                accounts: {
+                    dev: '111111111111',
+                },
+                region: 'us-east-1',
+                adminCredentials: null,
+                spinner: mockOra, // eslint-disable-line @typescript-eslint/no-explicit-any
+            });
+            expect(mockSTSSend).toHaveBeenCalled();
+            expect(mockExeca).toHaveBeenCalled();
+        });
+        it('skips environments with missing account IDs', async () => {
+            await bootstrapAllEnvironments({
+                accounts: {
+                    dev: '111111111111',
+                    // stage missing
+                    prod: '333333333333',
+                },
+                region: 'us-east-1',
+                adminCredentials: {
+                    accessKeyId: 'AKIAADMIN',
+                    secretAccessKey: 'adminsecret',
+                },
+                spinner: mockOra, // eslint-disable-line @typescript-eslint/no-explicit-any
+            });
+            // Should only call execa twice (dev and prod, skip stage)
+            expect(mockExeca).toHaveBeenCalledTimes(2);
+        });
+    });
+});

package/dist/__tests__/aws/root-credentials.spec.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/__tests__/aws/root-credentials.spec.js

@@ -0,0 +1,230 @@
+import { describe, it, expect, jest, beforeEach, afterEach } from '@jest/globals';
+// Mock getAccessKeyCount from iam.ts
+const mockGetAccessKeyCount = jest.fn();
+jest.unstable_mockModule('../../aws/iam.js', () => ({
+    getAccessKeyCount: mockGetAccessKeyCount,
+}));
+// Mock AWS SDK clients
+/* eslint-disable @typescript-eslint/no-explicit-any */
+const mockSTSSend = jest.fn();
+const mockIAMSend = jest.fn();
+/* eslint-enable @typescript-eslint/no-explicit-any */
+/* eslint-disable @typescript-eslint/no-explicit-any */
+jest.unstable_mockModule('@aws-sdk/client-sts', () => {
+    class MockSTSClient {
+        send = mockSTSSend;
+    }
+    return {
+        STSClient: MockSTSClient,
+        GetCallerIdentityCommand: jest.fn((input) => input),
+    };
+});
+jest.unstable_mockModule('@aws-sdk/client-iam', () => {
+    class MockIAMClient {
+        send = mockIAMSend;
+    }
+    class NoSuchEntityException extends Error {
+        constructor(message) {
+            super(message);
+            this.name = 'NoSuchEntityException';
+        }
+    }
+    return {
+        IAMClient: MockIAMClient,
+        CreateUserCommand: jest.fn((input) => input),
+        GetUserCommand: jest.fn((input) => input),
+        AttachUserPolicyCommand: jest.fn((input) => input),
+        CreateAccessKeyCommand: jest.fn((input) => input),
+        ListUserTagsCommand: jest.fn((input) => input),
+        NoSuchEntityException,
+    };
+});
+/* eslint-enable @typescript-eslint/no-explicit-any */
+const { isRootUser, detectRootCredentials, retryWithBackoff, createOrAdoptAdminUser, } = await import('../../aws/root-credentials.js');
+describe('root-credentials', () => {
+    describe('isRootUser', () => {
+        it('returns true for root ARN', () => {
+            expect(isRootUser('arn:aws:iam::123456789012:root')).toBe(true);
+        });
+        it('returns false for IAM user ARN', () => {
+            expect(isRootUser('arn:aws:iam::123456789012:user/admin')).toBe(false);
+        });
+        it('returns false for different IAM user', () => {
+            expect(isRootUser('arn:aws:iam::123456789012:user/deploy')).toBe(false);
+        });
+        it('returns false for assumed role ARN', () => {
+            expect(isRootUser('arn:aws:sts::123456789012:assumed-role/role-name/session')).toBe(false);
+        });
+        it('returns false for empty string', () => {
+            expect(isRootUser('')).toBe(false);
+        });
+    });
+    describe('detectRootCredentials', () => {
+        beforeEach(() => {
+            jest.clearAllMocks();
+        });
+        it('detects root credentials correctly', async () => {
+            mockSTSSend.mockResolvedValueOnce({
+                Arn: 'arn:aws:iam::123456789012:root',
+                Account: '123456789012',
+                UserId: '123456789012',
+            });
+            const result = await detectRootCredentials('us-east-1');
+            expect(result.arn).toBe('arn:aws:iam::123456789012:root');
+            expect(result.accountId).toBe('123456789012');
+            expect(result.userId).toBe('123456789012');
+            expect(result.isRoot).toBe(true);
+        });
+        it('detects IAM user credentials correctly', async () => {
+            mockSTSSend.mockResolvedValueOnce({
+                Arn: 'arn:aws:iam::123456789012:user/admin',
+                Account: '123456789012',
+                UserId: 'AIDACKCEVSQ6C2EXAMPLE',
+            });
+            const result = await detectRootCredentials('us-east-1');
+            expect(result.isRoot).toBe(false);
+        });
+        it('propagates errors from STS', async () => {
+            mockSTSSend.mockRejectedValueOnce(new Error('Access denied'));
+            await expect(detectRootCredentials('us-east-1')).rejects.toThrow('Access denied');
+        });
+    });
+    describe('retryWithBackoff', () => {
+        beforeEach(() => {
+            jest.useFakeTimers();
+        });
+        afterEach(() => {
+            jest.useRealTimers();
+        });
+        it('returns result on first success', async () => {
+            const fn = jest.fn().mockResolvedValue('success');
+            const promise = retryWithBackoff(fn, { baseDelayMs: 10 });
+            await jest.runAllTimersAsync();
+            const result = await promise;
+            expect(result).toBe('success');
+            expect(fn).toHaveBeenCalledTimes(1);
+        });
+        it('retries on failure and eventually succeeds', async () => {
+            const fn = jest.fn()
+                .mockRejectedValueOnce(new Error('Fail 1'))
+                .mockRejectedValueOnce(new Error('Fail 2'))
+                .mockResolvedValue('success');
+            const promise = retryWithBackoff(fn, { baseDelayMs: 10, maxRetries: 5 });
+            await jest.runAllTimersAsync();
+            const result = await promise;
+            expect(result).toBe('success');
+            expect(fn).toHaveBeenCalledTimes(3);
+        });
+        it('throws last error after all retries fail', async () => {
+            const fn = jest.fn();
+            fn.mockRejectedValue(new Error('Permanent failure'));
+            const promise = retryWithBackoff(fn, { baseDelayMs: 10, maxRetries: 2 });
+            jest.runAllTimersAsync();
+            try {
+                await promise;
+                throw new Error('Should have thrown');
+            }
+            catch (error) {
+                expect(error).toBeInstanceOf(Error);
+                expect(error.message).toBe('Permanent failure');
+            }
+            expect(fn).toHaveBeenCalledTimes(3); // Initial + 2 retries
+        });
+        it('respects maxRetries option', async () => {
+            const fn = jest.fn();
+            fn.mockRejectedValue(new Error('Always fails'));
+            const promise = retryWithBackoff(fn, { baseDelayMs: 10, maxRetries: 3 });
+            jest.runAllTimersAsync();
+            try {
+                await promise;
+                throw new Error('Should have thrown');
+            }
+            catch (error) {
+                expect(error).toBeInstanceOf(Error);
+                expect(error.message).toBe('Always fails');
+            }
+            expect(fn).toHaveBeenCalledTimes(4); // Initial + 3 retries
+        });
+    });
+    describe('createOrAdoptAdminUser', () => {
+        beforeEach(() => {
+            jest.clearAllMocks();
+            mockGetAccessKeyCount.mockReset();
+        });
+        it('creates new admin user when user does not exist', async () => {
+            // Import the mocked IAMClient and exception class
+            const { IAMClient, NoSuchEntityException } = await import('@aws-sdk/client-iam');
+            const mockIAMClient = new IAMClient({ region: 'us-east-1' });
+            // Use the mocked NoSuchEntityException class
+            // eslint-disable-next-line @typescript-eslint/no-explicit-any
+            const noSuchEntityError = new NoSuchEntityException('User does not exist');
+            mockIAMSend
+                .mockRejectedValueOnce(noSuchEntityError) // GetUserCommand throws
+                .mockResolvedValueOnce({}) // CreateUserCommand succeeds
+                .mockResolvedValueOnce({}) // AttachUserPolicyCommand succeeds
+                .mockResolvedValueOnce({
+                // CreateAccessKeyCommand succeeds
+                AccessKey: {
+                    AccessKeyId: 'AKIAIOSFODNN7EXAMPLE',
+                    SecretAccessKey: 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY',
+                },
+            });
+            mockGetAccessKeyCount.mockResolvedValue(0);
+            const result = await createOrAdoptAdminUser(mockIAMClient, 'test-project');
+            expect(result.userName).toBe('test-project-admin');
+            expect(result.accessKeyId).toBe('AKIAIOSFODNN7EXAMPLE');
+            expect(result.secretAccessKey).toBe('wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY');
+            expect(result.adopted).toBe(false);
+            // Verify commands were called in order
+            expect(mockIAMSend).toHaveBeenCalledTimes(4);
+        });
+        it('adopts existing managed user with no keys', async () => {
+            const { IAMClient } = await import('@aws-sdk/client-iam');
+            const mockIAMClient = new IAMClient({ region: 'us-east-1' });
+            mockIAMSend
+                .mockResolvedValueOnce({}) // GetUserCommand succeeds
+                .mockResolvedValueOnce({
+                // ListUserTagsCommand returns ManagedBy tag
+                Tags: [
+                    { Key: 'ManagedBy', Value: 'create-aws-starter-kit' },
+                    { Key: 'Purpose', Value: 'CLI Admin' },
+                ],
+            })
+                .mockResolvedValueOnce({
+                // CreateAccessKeyCommand succeeds
+                AccessKey: {
+                    AccessKeyId: 'AKIAIOSFODNN7EXAMPLE',
+                    SecretAccessKey: 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY',
+                },
+            });
+            mockGetAccessKeyCount.mockResolvedValue(0);
+            const result = await createOrAdoptAdminUser(mockIAMClient, 'test-project');
+            expect(result.userName).toBe('test-project-admin');
+            expect(result.adopted).toBe(true);
+            expect(mockIAMSend).toHaveBeenCalledTimes(3);
+        });
+        it('throws error when existing user is not managed by us', async () => {
+            const { IAMClient } = await import('@aws-sdk/client-iam');
+            const mockIAMClient = new IAMClient({ region: 'us-east-1' });
+            mockIAMSend
+                .mockResolvedValueOnce({}) // GetUserCommand succeeds
+                .mockResolvedValueOnce({
+                // ListUserTagsCommand returns different tag
+                Tags: [{ Key: 'Owner', Value: 'SomeoneElse' }],
+            });
+            await expect(createOrAdoptAdminUser(mockIAMClient, 'test-project')).rejects.toThrow('IAM user "test-project-admin" exists but was not created by this tool');
+        });
+        it('throws error when existing managed user has keys', async () => {
+            const { IAMClient } = await import('@aws-sdk/client-iam');
+            const mockIAMClient = new IAMClient({ region: 'us-east-1' });
+            mockIAMSend
+                .mockResolvedValueOnce({}) // GetUserCommand succeeds
+                .mockResolvedValueOnce({
+                // ListUserTagsCommand returns ManagedBy tag
+                Tags: [{ Key: 'ManagedBy', Value: 'create-aws-starter-kit' }],
+            });
+            mockGetAccessKeyCount.mockResolvedValue(1);
+            await expect(createOrAdoptAdminUser(mockIAMClient, 'test-project')).rejects.toThrow('IAM user "test-project-admin" already exists with 1 access key');
+        });
+    });
+});

package/dist/__tests__/config/non-interactive-aws.spec.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/__tests__/config/non-interactive-aws.spec.js

@@ -0,0 +1,100 @@
+import { describe, it, expect, jest, beforeEach } from '@jest/globals';
+import { writeFileSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+// Mock picocolors to avoid console output issues in tests
+jest.unstable_mockModule('picocolors', () => ({
+    __esModule: true,
+    default: {
+        red: (s) => s,
+        green: (s) => s,
+        blue: (s) => s,
+        yellow: (s) => s,
+        cyan: (s) => s,
+        magenta: (s) => s,
+        bold: (s) => s,
+        dim: (s) => s,
+    },
+}));
+// Dynamic import after mocking
+const { loadSetupAwsEnvsConfig, deriveEnvironmentEmails } = await import('../../config/non-interactive-aws.js');
+// Helper to write a temp config file and return its path
+function writeTempConfig(content) {
+    const tmpFile = join(tmpdir(), `non-interactive-aws-test-${Date.now()}-${Math.random().toString(36).slice(2)}.json`);
+    writeFileSync(tmpFile, typeof content === 'string' ? content : JSON.stringify(content));
+    return tmpFile;
+}
+describe('deriveEnvironmentEmails', () => {
+    it('derives standard dev/stage/prod emails from a simple address', () => {
+        const result = deriveEnvironmentEmails('owner@example.com', ['dev', 'stage', 'prod']);
+        expect(result.dev).toBe('owner-dev@example.com');
+        expect(result.stage).toBe('owner-stage@example.com');
+        expect(result.prod).toBe('owner-prod@example.com');
+    });
+    it('handles plus alias emails', () => {
+        const result = deriveEnvironmentEmails('user+tag@company.com', ['dev']);
+        expect(result.dev).toBe('user+tag-dev@company.com');
+    });
+    it('handles subdomain emails', () => {
+        const result = deriveEnvironmentEmails('admin@sub.example.com', ['dev']);
+        expect(result.dev).toBe('admin-dev@sub.example.com');
+    });
+    it('returns an empty object for an empty environments array', () => {
+        const result = deriveEnvironmentEmails('owner@example.com', []);
+        expect(result).toEqual({});
+    });
+});
+describe('loadSetupAwsEnvsConfig', () => {
+    beforeEach(() => {
+        // Mock process.exit to throw so tests can catch exit calls
+        jest.spyOn(process, 'exit').mockImplementation((() => {
+            throw new Error('process.exit called');
+        }));
+        // Suppress console.error output during tests
+        jest.spyOn(console, 'error').mockImplementation(() => { });
+    });
+    describe('schema validation (valid configs)', () => {
+        it('loads valid config with email field only', () => {
+            const tmpFile = writeTempConfig({ email: 'owner@example.com' });
+            const config = loadSetupAwsEnvsConfig(tmpFile);
+            expect(config.email).toBe('owner@example.com');
+        });
+        it('strips unknown keys silently', () => {
+            const tmpFile = writeTempConfig({ email: 'owner@example.com', unknown: 'value', extra: 42 });
+            const config = loadSetupAwsEnvsConfig(tmpFile);
+            expect(config.email).toBe('owner@example.com');
+            expect(config.unknown).toBeUndefined();
+            expect(config.extra).toBeUndefined();
+        });
+    });
+    describe('schema validation (invalid configs)', () => {
+        it('exits with error when email is missing', () => {
+            const tmpFile = writeTempConfig({});
+            expect(() => loadSetupAwsEnvsConfig(tmpFile)).toThrow('process.exit called');
+            expect(process.exit).toHaveBeenCalledWith(1);
+            expect(console.error).toHaveBeenCalledWith(expect.stringContaining('email'));
+        });
+        it('exits with error when email is empty string', () => {
+            const tmpFile = writeTempConfig({ email: '' });
+            expect(() => loadSetupAwsEnvsConfig(tmpFile)).toThrow('process.exit called');
+            expect(process.exit).toHaveBeenCalledWith(1);
+        });
+        it('exits with error when email has no @ sign', () => {
+            const tmpFile = writeTempConfig({ email: 'notanemail' });
+            expect(() => loadSetupAwsEnvsConfig(tmpFile)).toThrow('process.exit called');
+            expect(process.exit).toHaveBeenCalledWith(1);
+            expect(console.error).toHaveBeenCalledWith(expect.stringContaining('email'));
+        });
+    });
+    describe('file errors', () => {
+        it('exits with error for non-existent file', () => {
+            expect(() => loadSetupAwsEnvsConfig('/nonexistent/path/aws-config.json')).toThrow('process.exit called');
+            expect(process.exit).toHaveBeenCalledWith(1);
+        });
+        it('exits with error for invalid JSON content', () => {
+            const tmpFile = writeTempConfig('not json {{{');
+            expect(() => loadSetupAwsEnvsConfig(tmpFile)).toThrow('process.exit called');
+            expect(process.exit).toHaveBeenCalledWith(1);
+        });
+    });
+});

package/dist/__tests__/config/non-interactive.spec.d.ts

@@ -0,0 +1 @@
+export {};