create-aws-project 1.5.1 → 1.7.0

package/dist/config/non-interactive-aws.d.ts

@@ -0,0 +1,27 @@
+import * as z from 'zod';
+/**
+ * Zod schema for the non-interactive JSON config file for setup-aws-envs.
+ * Only `email` is required — all other AWS setup config lives in .aws-starter-config.json.
+ */
+export declare const SetupAwsEnvsConfigSchema: z.ZodObject<{
+    email: z.ZodString;
+}, z.core.$strip>;
+export type SetupAwsEnvsConfig = z.infer<typeof SetupAwsEnvsConfigSchema>;
+/**
+ * Load, validate, and return a SetupAwsEnvsConfig from a JSON config file path.
+ * Exits with code 1 and prints all errors if validation fails.
+ * Also exits with code 1 if the email does not contain an '@' sign.
+ */
+export declare function loadSetupAwsEnvsConfig(configPath: string): SetupAwsEnvsConfig;
+/**
+ * Derive per-environment email addresses from a root email.
+ * Inserts -{env} between the local part and the domain.
+ *
+ * Example:
+ *   deriveEnvironmentEmails('owner@example.com', ['dev', 'stage', 'prod'])
+ *   → { dev: 'owner-dev@example.com', stage: 'owner-stage@example.com', prod: 'owner-prod@example.com' }
+ *
+ * Handles plus aliases: 'user+tag@company.com' → 'user+tag-dev@company.com'
+ * Handles subdomains: 'admin@sub.example.com' → 'admin-dev@sub.example.com'
+ */
+export declare function deriveEnvironmentEmails(rootEmail: string, environments: readonly string[]): Record<string, string>;

package/dist/config/non-interactive-aws.js

@@ -0,0 +1,80 @@
+import * as z from 'zod';
+import { readFileSync } from 'node:fs';
+import { resolve } from 'node:path';
+import pc from 'picocolors';
+/**
+ * Zod schema for the non-interactive JSON config file for setup-aws-envs.
+ * Only `email` is required — all other AWS setup config lives in .aws-starter-config.json.
+ */
+export const SetupAwsEnvsConfigSchema = z.object({
+    email: z.string().min(1, { message: 'email is required' }),
+});
+/**
+ * Load, validate, and return a SetupAwsEnvsConfig from a JSON config file path.
+ * Exits with code 1 and prints all errors if validation fails.
+ * Also exits with code 1 if the email does not contain an '@' sign.
+ */
+export function loadSetupAwsEnvsConfig(configPath) {
+    // 1. Resolve path relative to cwd
+    const absolutePath = resolve(process.cwd(), configPath);
+    // 2. Read file — fail fast if not found or unreadable
+    let rawContent;
+    try {
+        rawContent = readFileSync(absolutePath, 'utf-8');
+    }
+    catch {
+        console.error(pc.red('Error:') + ` Cannot read config file: ${absolutePath}`);
+        process.exit(1);
+    }
+    // 3. Parse JSON — fail fast if invalid
+    let rawData;
+    try {
+        rawData = JSON.parse(rawContent);
+    }
+    catch {
+        console.error(pc.red('Error:') + ` Config file is not valid JSON: ${absolutePath}`);
+        process.exit(1);
+    }
+    // 4. Validate with Zod — collect ALL errors in one pass
+    const result = SetupAwsEnvsConfigSchema.safeParse(rawData);
+    if (!result.success) {
+        console.error(pc.red('Error:') + ' Invalid config file:');
+        console.error('');
+        for (const issue of result.error.issues) {
+            const fieldPath = issue.path.length > 0 ? issue.path.join('.') : '(root)';
+            console.error(`  ${pc.red('x')} ${fieldPath}: ${issue.message}`);
+        }
+        console.error('');
+        process.exit(1);
+    }
+    // 5. Additional email format check — must contain '@' for derivation to work correctly
+    if (!result.data.email.includes('@')) {
+        console.error(pc.red('Error:') + ' Invalid config file:');
+        console.error('');
+        console.error(`  ${pc.red('x')} email: must be a valid email address`);
+        console.error('');
+        process.exit(1);
+    }
+    return result.data;
+}
+/**
+ * Derive per-environment email addresses from a root email.
+ * Inserts -{env} between the local part and the domain.
+ *
+ * Example:
+ *   deriveEnvironmentEmails('owner@example.com', ['dev', 'stage', 'prod'])
+ *   → { dev: 'owner-dev@example.com', stage: 'owner-stage@example.com', prod: 'owner-prod@example.com' }
+ *
+ * Handles plus aliases: 'user+tag@company.com' → 'user+tag-dev@company.com'
+ * Handles subdomains: 'admin@sub.example.com' → 'admin-dev@sub.example.com'
+ */
+export function deriveEnvironmentEmails(rootEmail, environments) {
+    const atIndex = rootEmail.lastIndexOf('@');
+    const localPart = rootEmail.slice(0, atIndex);
+    const domain = rootEmail.slice(atIndex); // includes '@'
+    const derived = {};
+    for (const env of environments) {
+        derived[env] = `${localPart}-${env}${domain}`;
+    }
+    return derived;
+}

package/dist/config/non-interactive.d.ts

@@ -0,0 +1,48 @@
+import * as z from 'zod';
+import type { ProjectConfig } from '../types.js';
+/**
+ * Zod schema for the non-interactive JSON config file.
+ * Only `name` is required; all other fields have defaults matching NI-04 spec.
+ */
+export declare const NonInteractiveConfigSchema: z.ZodObject<{
+    name: z.ZodString;
+    platforms: z.ZodDefault<z.ZodArray<z.ZodEnum<{
+        web: "web";
+        mobile: "mobile";
+        api: "api";
+    }>>>;
+    auth: z.ZodDefault<z.ZodEnum<{
+        cognito: "cognito";
+        auth0: "auth0";
+        none: "none";
+    }>>;
+    authFeatures: z.ZodDefault<z.ZodArray<z.ZodEnum<{
+        "social-login": "social-login";
+        mfa: "mfa";
+    }>>>;
+    features: z.ZodDefault<z.ZodArray<z.ZodEnum<{
+        "github-actions": "github-actions";
+        "vscode-config": "vscode-config";
+    }>>>;
+    region: z.ZodDefault<z.ZodEnum<{
+        "us-east-1": "us-east-1";
+        "us-west-2": "us-west-2";
+        "eu-west-1": "eu-west-1";
+        "eu-central-1": "eu-central-1";
+        "ap-northeast-1": "ap-northeast-1";
+        "ap-southeast-2": "ap-southeast-2";
+    }>>;
+    brandColor: z.ZodDefault<z.ZodEnum<{
+        blue: "blue";
+        purple: "purple";
+        teal: "teal";
+        green: "green";
+        orange: "orange";
+    }>>;
+}, z.core.$strip>;
+export type NonInteractiveConfig = z.infer<typeof NonInteractiveConfigSchema>;
+/**
+ * Load, validate, and return a ProjectConfig from a JSON config file path.
+ * Exits with code 1 and prints all errors if validation fails.
+ */
+export declare function loadNonInteractiveConfig(configPath: string): ProjectConfig;

package/dist/config/non-interactive.js

@@ -0,0 +1,92 @@
+import * as z from 'zod';
+import { readFileSync } from 'node:fs';
+import { resolve } from 'node:path';
+import pc from 'picocolors';
+import { validateProjectName } from '../validation/project-name.js';
+// Valid value constants (as const tuples for Zod enum compatibility)
+const VALID_PLATFORMS = ['web', 'mobile', 'api'];
+const VALID_AUTH_PROVIDERS = ['none', 'cognito', 'auth0'];
+const VALID_AUTH_FEATURES = ['social-login', 'mfa'];
+const VALID_FEATURES = ['github-actions', 'vscode-config'];
+const VALID_REGIONS = [
+    'us-east-1',
+    'us-west-2',
+    'eu-west-1',
+    'eu-central-1',
+    'ap-northeast-1',
+    'ap-southeast-2',
+];
+const VALID_BRAND_COLORS = ['blue', 'purple', 'teal', 'green', 'orange'];
+/**
+ * Zod schema for the non-interactive JSON config file.
+ * Only `name` is required; all other fields have defaults matching NI-04 spec.
+ */
+export const NonInteractiveConfigSchema = z.object({
+    name: z.string().min(1, { message: 'name is required' }),
+    platforms: z.array(z.enum(VALID_PLATFORMS)).min(1).default(['web', 'api']),
+    auth: z.enum(VALID_AUTH_PROVIDERS).default('none'),
+    authFeatures: z.array(z.enum(VALID_AUTH_FEATURES)).default([]),
+    features: z.array(z.enum(VALID_FEATURES)).default(['github-actions', 'vscode-config']),
+    region: z.enum(VALID_REGIONS).default('us-east-1'),
+    brandColor: z.enum(VALID_BRAND_COLORS).default('blue'),
+});
+/**
+ * Load, validate, and return a ProjectConfig from a JSON config file path.
+ * Exits with code 1 and prints all errors if validation fails.
+ */
+export function loadNonInteractiveConfig(configPath) {
+    // 1. Resolve path relative to cwd
+    const absolutePath = resolve(process.cwd(), configPath);
+    // 2. Read file — fail fast if not found or unreadable
+    let rawContent;
+    try {
+        rawContent = readFileSync(absolutePath, 'utf-8');
+    }
+    catch {
+        console.error(pc.red('Error:') + ` Cannot read config file: ${absolutePath}`);
+        process.exit(1);
+    }
+    // 3. Parse JSON — fail fast if invalid
+    let rawData;
+    try {
+        rawData = JSON.parse(rawContent);
+    }
+    catch {
+        console.error(pc.red('Error:') + ` Config file is not valid JSON: ${absolutePath}`);
+        process.exit(1);
+    }
+    // 4. Validate with Zod — collect ALL errors in one pass
+    const result = NonInteractiveConfigSchema.safeParse(rawData);
+    if (!result.success) {
+        console.error(pc.red('Error:') + ' Invalid config file:');
+        console.error('');
+        for (const issue of result.error.issues) {
+            const fieldPath = issue.path.length > 0 ? issue.path.join('.') : '(root)';
+            console.error(`  ${pc.red('x')} ${fieldPath}: ${issue.message}`);
+        }
+        console.error('');
+        process.exit(1);
+    }
+    const cfg = result.data;
+    // 5. Additional project name validation via existing npm package name validator
+    const nameValidation = validateProjectName(cfg.name);
+    if (nameValidation !== true) {
+        console.error(pc.red('Error:') + ' Invalid config file:');
+        console.error('');
+        console.error(`  ${pc.red('x')} name: ${nameValidation}`);
+        console.error('');
+        process.exit(1);
+    }
+    // 6. Map to ProjectConfig — silently drop authFeatures when auth is 'none'
+    return {
+        projectName: cfg.name,
+        platforms: cfg.platforms,
+        awsRegion: cfg.region,
+        features: cfg.features,
+        brandColor: cfg.brandColor,
+        auth: {
+            provider: cfg.auth,
+            features: cfg.auth === 'none' ? [] : cfg.authFeatures,
+        },
+    };
+}

package/dist/git/setup.d.ts

@@ -19,10 +19,10 @@ export declare function promptGitSetup(): Promise<{
     pat: string;
 } | null>;
 /**
- * Sets up git repository with initial commit and pushes to GitHub
- * Creates the remote repository if it doesn't exist
+ * Sets up local git repository and ensures GitHub remote exists
+ * Does NOT commit or push — code is pushed after AWS accounts are configured
  * @param projectDir - Path to the project directory
  * @param repoUrl - GitHub repository URL
- * @param pat - GitHub Personal Access Token
+ * @param pat - GitHub Personal Access Token (used to create repo if needed)
  */
 export declare function setupGitRepository(projectDir: string, repoUrl: string, pat: string): Promise<void>;

package/dist/git/setup.js

@@ -83,11 +83,11 @@ export async function promptGitSetup() {
     return { repoUrl, pat: patResponse.pat };
 }
 /**
- * Sets up git repository with initial commit and pushes to GitHub
- * Creates the remote repository if it doesn't exist
+ * Sets up local git repository and ensures GitHub remote exists
+ * Does NOT commit or push — code is pushed after AWS accounts are configured
  * @param projectDir - Path to the project directory
  * @param repoUrl - GitHub repository URL
- * @param pat - GitHub Personal Access Token
+ * @param pat - GitHub Personal Access Token (used to create repo if needed)
  */
 export async function setupGitRepository(projectDir, repoUrl, pat) {
     const spinner = ora();
@@ -99,19 +99,8 @@ export async function setupGitRepository(projectDir, repoUrl, pat) {
         // Git init
         spinner.start('Initializing git repository...');
         execSync('git init -b main', { cwd: projectDir, stdio: 'pipe' });
-        // Check for git user config, set if not configured
-        try {
-            execSync('git config user.name', { cwd: projectDir, stdio: 'pipe' });
-        }
-        catch {
-            // User config not set, use defaults
-            execSync('git config user.name "create-aws-project"', { cwd: projectDir, stdio: 'pipe' });
-            execSync('git config user.email "noreply@create-aws-project"', { cwd: projectDir, stdio: 'pipe' });
-        }
-        execSync('git add .', { cwd: projectDir, stdio: 'pipe' });
-        execSync('git commit -m "Initial commit from create-aws-project"', { cwd: projectDir, stdio: 'pipe' });
         spinner.succeed('Git repository initialized');
-        // Ensure remote repo exists
+        // Ensure remote repo exists on GitHub
         spinner.start('Checking GitHub repository...');
         try {
             await octokit.rest.repos.get({ owner, repo });
@@ -144,22 +133,37 @@ export async function setupGitRepository(projectDir, repoUrl, pat) {
                 throw error;
             }
         }
-        // Push to remote
-        spinner.start('Pushing to GitHub...');
-        const authUrl = `https://${pat}@github.com/${owner}/${repo}.git`;
-        execSync(`git remote add origin ${authUrl}`, { cwd: projectDir, stdio: 'pipe' });
-        execSync('git push -u origin main', { cwd: projectDir, stdio: 'pipe' });
-        // CRITICAL: Remove PAT from .git/config
+        // Set origin remote (clean URL, no PAT embedded)
+        spinner.start('Setting remote origin...');
         const cleanUrl = `https://github.com/${owner}/${repo}.git`;
-        execSync(`git remote set-url origin ${cleanUrl}`, { cwd: projectDir, stdio: 'pipe' });
-        spinner.succeed(`Pushed to ${owner}/${repo}`);
+        execSync(`git remote add origin ${cleanUrl}`, { cwd: projectDir, stdio: 'pipe' });
+        spinner.succeed(`Origin set to ${owner}/${repo}`);
+        // Guide user on next steps
+        console.log('');
+        console.log(pc.dim('Code will be committed and pushed after AWS setup is complete.'));
+        console.log(pc.dim('Next: run setup-aws-envs to configure AWS accounts.'));
     }
     catch (error) {
         // Git setup failure should not prevent the user from using their project
         if (spinner.isSpinning) {
             spinner.fail();
         }
-        console.log(pc.yellow('Warning:') + ' Git setup failed: ' + (error instanceof Error ? error.message : 'Unknown error'));
+        // Detect GitHub auth/permission errors and give actionable guidance
+        if (error?.status === 401 || error?.status === 403 || error?.message?.includes('Bad credentials')) {
+            console.log('');
+            console.log(pc.red('GitHub authentication failed.'));
+            console.log('');
+            console.log('Create a Personal Access Token at:');
+            console.log(`  ${pc.cyan('https://github.com/settings/tokens/new')}`);
+            console.log('');
+            console.log('Required scopes:');
+            console.log(`  ${pc.bold('repo')} — full repository access`);
+            console.log('');
+            console.log('Then re-run project creation and enter the new token.');
+        }
+        else {
+            console.log(pc.yellow('Warning:') + ' Git setup failed: ' + (error instanceof Error ? error.message : 'Unknown error'));
+        }
         console.log(pc.dim('Your project was created successfully. You can set up git manually.'));
     }
 }

package/dist/utils/project-context.d.ts

@@ -9,6 +9,15 @@
  * This file is generated by the wizard and contains project settings
  */
 export declare const CONFIG_FILE = ".aws-starter-config.json";
+/**
+ * Deployment credentials for a single environment
+ * Created by setup-aws-envs, consumed by initialize-github
+ */
+export interface DeploymentCredentials {
+    userName: string;
+    accessKeyId: string;
+    secretAccessKey: string;
+}
 /**
  * Minimal project config structure for context detection
  * Full config defined in types.ts - this is subset needed for context
@@ -20,6 +29,11 @@ export interface ProjectConfigMinimal {
     configVersion?: string;
     accounts?: Record<string, string>;
     deploymentUsers?: Record<string, string>;
+    deploymentCredentials?: Record<string, DeploymentCredentials>;
+    adminUser?: {
+        userName: string;
+        accessKeyId: string;
+    };
 }
 /**
  * Project context containing config path, project root, and parsed config

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-aws-project",
-  "version": "1.5.1",
+  "version": "1.7.0",
   "description": "CLI tool to scaffold AWS projects",
   "type": "module",
   "main": "./dist/index.js",
@@ -52,11 +52,12 @@
     "@aws-sdk/credential-providers": "^3.971.0",
     "@octokit/rest": "^22.0.1",
     "find-up": "^8.0.0",
+    "libsodium-wrappers": "^0.7.15",
     "ora": "^9.1.0",
     "picocolors": "^1.1.1",
     "prompts": "^2.4.2",
-    "libsodium-wrappers": "^0.7.15",
-    "validate-npm-package-name": "^7.0.2"
+    "validate-npm-package-name": "^7.0.2",
+    "zod": "^4.3.6"
   },
   "devDependencies": {
     "@types/jest": "^30.0.0",

package/templates/apps/web/src/App.tsx

@@ -41,8 +41,10 @@ function App() {
 
   // Fetch users on mount
   useEffect(() => {
-    handleFetchUsers();
-  }, []);
+    if (isAuthenticated) {
+      handleFetchUsers();
+    }
+  }, [isAuthenticated]);
 
   const handleLoadDemoUser = () => {
     const demoUser: User = {

package/templates/apps/web/src/__tests__/App.spec.tsx

@@ -15,15 +15,9 @@ jest.mock('../config/api', () => ({
 }));
 
 // Mock useAuth hook to provide auth context for tests
+const mockUseAuth = jest.fn();
 jest.mock('../auth/use-auth', () => ({
-  useAuth: () => ({
-    user: null,
-    isAuthenticated: false,
-    isLoading: false,
-    login: jest.fn(),
-    logout: jest.fn(),
-    getAccessToken: jest.fn().mockResolvedValue(null),
-  }),
+  useAuth: (...args: unknown[]) => mockUseAuth(...args),
 }));
 
 const mockApiClient = apiClient as jest.Mocked<typeof apiClient>;
@@ -51,6 +45,15 @@ describe('App', () => {
     });
     // Reset mocks
     jest.clearAllMocks();
+    // Default: not authenticated
+    mockUseAuth.mockReturnValue({
+      user: null,
+      isAuthenticated: false,
+      isLoading: false,
+      signIn: jest.fn(),
+      signOut: jest.fn(),
+      getAccessToken: jest.fn().mockResolvedValue(null),
+    });
     // Default mock implementations
     mockApiClient.getUsers.mockResolvedValue([]);
   });
@@ -217,7 +220,16 @@ describe('App', () => {
     });
   });
 
-  it('should fetch users on mount and display count', async () => {
+  it('should fetch users on mount when authenticated', async () => {
+    mockUseAuth.mockReturnValue({
+      user: { email: 'test@example.com' },
+      isAuthenticated: true,
+      isLoading: false,
+      signIn: jest.fn(),
+      signOut: jest.fn(),
+      getAccessToken: jest.fn().mockResolvedValue('token'),
+    });
+
     const mockUsers = [
       { id: '1', email: 'user1@example.com', name: 'User 1', createdAt: '2024-01-01' },
       { id: '2', email: 'user2@example.com', name: 'User 2', createdAt: '2024-01-02' },
@@ -236,6 +248,12 @@ describe('App', () => {
     });
   });
 
+  it('should not fetch users on mount when not authenticated', async () => {
+    await renderWithChakra(<App />);
+
+    expect(mockApiClient.getUsers).not.toHaveBeenCalled();
+  });
+
   it('should display error message when error state is set', async () => {
     // Set error state before rendering
     useUserStore.setState({

package/templates/apps/web/vite.config.ts

@@ -15,6 +15,9 @@ export default defineConfig(({ mode }) => {
       strictPort: false, // Try next port if 3000 is taken
       open: false, // Don't auto-open browser
       cors: true,
+      fs: {
+        allow: [path.resolve(__dirname, '../..')],
+      },
       // Proxy API requests to backend during development
       // Note: Vite automatically loads VITE_ prefixed env vars
       proxy: mode === 'development' ? {