create-aws-project 1.6.0 → 1.7.0

package/dist/__tests__/config/non-interactive-aws.spec.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/__tests__/config/non-interactive-aws.spec.js

@@ -0,0 +1,100 @@
+import { describe, it, expect, jest, beforeEach } from '@jest/globals';
+import { writeFileSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+// Mock picocolors to avoid console output issues in tests
+jest.unstable_mockModule('picocolors', () => ({
+    __esModule: true,
+    default: {
+        red: (s) => s,
+        green: (s) => s,
+        blue: (s) => s,
+        yellow: (s) => s,
+        cyan: (s) => s,
+        magenta: (s) => s,
+        bold: (s) => s,
+        dim: (s) => s,
+    },
+}));
+// Dynamic import after mocking
+const { loadSetupAwsEnvsConfig, deriveEnvironmentEmails } = await import('../../config/non-interactive-aws.js');
+// Helper to write a temp config file and return its path
+function writeTempConfig(content) {
+    const tmpFile = join(tmpdir(), `non-interactive-aws-test-${Date.now()}-${Math.random().toString(36).slice(2)}.json`);
+    writeFileSync(tmpFile, typeof content === 'string' ? content : JSON.stringify(content));
+    return tmpFile;
+}
+describe('deriveEnvironmentEmails', () => {
+    it('derives standard dev/stage/prod emails from a simple address', () => {
+        const result = deriveEnvironmentEmails('owner@example.com', ['dev', 'stage', 'prod']);
+        expect(result.dev).toBe('owner-dev@example.com');
+        expect(result.stage).toBe('owner-stage@example.com');
+        expect(result.prod).toBe('owner-prod@example.com');
+    });
+    it('handles plus alias emails', () => {
+        const result = deriveEnvironmentEmails('user+tag@company.com', ['dev']);
+        expect(result.dev).toBe('user+tag-dev@company.com');
+    });
+    it('handles subdomain emails', () => {
+        const result = deriveEnvironmentEmails('admin@sub.example.com', ['dev']);
+        expect(result.dev).toBe('admin-dev@sub.example.com');
+    });
+    it('returns an empty object for an empty environments array', () => {
+        const result = deriveEnvironmentEmails('owner@example.com', []);
+        expect(result).toEqual({});
+    });
+});
+describe('loadSetupAwsEnvsConfig', () => {
+    beforeEach(() => {
+        // Mock process.exit to throw so tests can catch exit calls
+        jest.spyOn(process, 'exit').mockImplementation((() => {
+            throw new Error('process.exit called');
+        }));
+        // Suppress console.error output during tests
+        jest.spyOn(console, 'error').mockImplementation(() => { });
+    });
+    describe('schema validation (valid configs)', () => {
+        it('loads valid config with email field only', () => {
+            const tmpFile = writeTempConfig({ email: 'owner@example.com' });
+            const config = loadSetupAwsEnvsConfig(tmpFile);
+            expect(config.email).toBe('owner@example.com');
+        });
+        it('strips unknown keys silently', () => {
+            const tmpFile = writeTempConfig({ email: 'owner@example.com', unknown: 'value', extra: 42 });
+            const config = loadSetupAwsEnvsConfig(tmpFile);
+            expect(config.email).toBe('owner@example.com');
+            expect(config.unknown).toBeUndefined();
+            expect(config.extra).toBeUndefined();
+        });
+    });
+    describe('schema validation (invalid configs)', () => {
+        it('exits with error when email is missing', () => {
+            const tmpFile = writeTempConfig({});
+            expect(() => loadSetupAwsEnvsConfig(tmpFile)).toThrow('process.exit called');
+            expect(process.exit).toHaveBeenCalledWith(1);
+            expect(console.error).toHaveBeenCalledWith(expect.stringContaining('email'));
+        });
+        it('exits with error when email is empty string', () => {
+            const tmpFile = writeTempConfig({ email: '' });
+            expect(() => loadSetupAwsEnvsConfig(tmpFile)).toThrow('process.exit called');
+            expect(process.exit).toHaveBeenCalledWith(1);
+        });
+        it('exits with error when email has no @ sign', () => {
+            const tmpFile = writeTempConfig({ email: 'notanemail' });
+            expect(() => loadSetupAwsEnvsConfig(tmpFile)).toThrow('process.exit called');
+            expect(process.exit).toHaveBeenCalledWith(1);
+            expect(console.error).toHaveBeenCalledWith(expect.stringContaining('email'));
+        });
+    });
+    describe('file errors', () => {
+        it('exits with error for non-existent file', () => {
+            expect(() => loadSetupAwsEnvsConfig('/nonexistent/path/aws-config.json')).toThrow('process.exit called');
+            expect(process.exit).toHaveBeenCalledWith(1);
+        });
+        it('exits with error for invalid JSON content', () => {
+            const tmpFile = writeTempConfig('not json {{{');
+            expect(() => loadSetupAwsEnvsConfig(tmpFile)).toThrow('process.exit called');
+            expect(process.exit).toHaveBeenCalledWith(1);
+        });
+    });
+});

package/dist/__tests__/config/non-interactive.spec.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/__tests__/config/non-interactive.spec.js

@@ -0,0 +1,152 @@
+import { describe, it, expect, jest, beforeEach } from '@jest/globals';
+import { writeFileSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+// Mock picocolors to avoid console output issues in tests
+jest.unstable_mockModule('picocolors', () => ({
+    __esModule: true,
+    default: {
+        red: (s) => s,
+        green: (s) => s,
+        blue: (s) => s,
+        yellow: (s) => s,
+        cyan: (s) => s,
+        magenta: (s) => s,
+        bold: (s) => s,
+        dim: (s) => s,
+    },
+}));
+// Dynamic import after mocking
+const { loadNonInteractiveConfig } = await import('../../config/non-interactive.js');
+// Helper to write a temp config file and return its path
+function writeTempConfig(content) {
+    const tmpFile = join(tmpdir(), `non-interactive-test-${Date.now()}-${Math.random().toString(36).slice(2)}.json`);
+    writeFileSync(tmpFile, typeof content === 'string' ? content : JSON.stringify(content));
+    return tmpFile;
+}
+describe('loadNonInteractiveConfig', () => {
+    beforeEach(() => {
+        // Mock process.exit to throw so tests can catch exit calls
+        jest.spyOn(process, 'exit').mockImplementation((() => {
+            throw new Error('process.exit called');
+        }));
+        // Suppress console.error output during tests
+        jest.spyOn(console, 'error').mockImplementation(() => { });
+    });
+    describe('schema defaults (NI-04)', () => {
+        it('applies all defaults when only name is provided', () => {
+            const tmpFile = writeTempConfig({ name: 'my-app' });
+            const config = loadNonInteractiveConfig(tmpFile);
+            expect(config.projectName).toBe('my-app');
+            expect(config.platforms).toEqual(['web', 'api']);
+            expect(config.auth.provider).toBe('none');
+            expect(config.auth.features).toEqual([]);
+            expect(config.features).toEqual(['github-actions', 'vscode-config']);
+            expect(config.awsRegion).toBe('us-east-1');
+            expect(config.brandColor).toBe('blue');
+        });
+        it('uses specified values when all fields provided', () => {
+            const tmpFile = writeTempConfig({
+                name: 'full-app',
+                platforms: ['web', 'mobile', 'api'],
+                auth: 'cognito',
+                authFeatures: ['social-login', 'mfa'],
+                features: ['github-actions'],
+                region: 'eu-west-1',
+                brandColor: 'purple',
+            });
+            const config = loadNonInteractiveConfig(tmpFile);
+            expect(config.projectName).toBe('full-app');
+            expect(config.platforms).toEqual(['web', 'mobile', 'api']);
+            expect(config.auth.provider).toBe('cognito');
+            expect(config.auth.features).toEqual(['social-login', 'mfa']);
+            expect(config.features).toEqual(['github-actions']);
+            expect(config.awsRegion).toBe('eu-west-1');
+            expect(config.brandColor).toBe('purple');
+        });
+    });
+    describe('schema validation (NI-05)', () => {
+        it('exits with error when name is missing', () => {
+            const tmpFile = writeTempConfig({});
+            expect(() => loadNonInteractiveConfig(tmpFile)).toThrow('process.exit called');
+            expect(process.exit).toHaveBeenCalledWith(1);
+            expect(console.error).toHaveBeenCalledWith(expect.stringContaining('name'));
+        });
+        it('exits with error when name is empty string', () => {
+            const tmpFile = writeTempConfig({ name: '' });
+            expect(() => loadNonInteractiveConfig(tmpFile)).toThrow('process.exit called');
+            expect(process.exit).toHaveBeenCalledWith(1);
+        });
+        it('exits with error for invalid platform value', () => {
+            const tmpFile = writeTempConfig({ name: 'x', platforms: ['invalid'] });
+            expect(() => loadNonInteractiveConfig(tmpFile)).toThrow('process.exit called');
+            expect(process.exit).toHaveBeenCalledWith(1);
+        });
+        it('exits with error for invalid auth provider', () => {
+            const tmpFile = writeTempConfig({ name: 'x', auth: 'firebase' });
+            expect(() => loadNonInteractiveConfig(tmpFile)).toThrow('process.exit called');
+            expect(process.exit).toHaveBeenCalledWith(1);
+        });
+        it('exits with error for invalid region', () => {
+            const tmpFile = writeTempConfig({ name: 'x', region: 'mars-1' });
+            expect(() => loadNonInteractiveConfig(tmpFile)).toThrow('process.exit called');
+            expect(process.exit).toHaveBeenCalledWith(1);
+        });
+        it('exits with error for invalid brand color', () => {
+            const tmpFile = writeTempConfig({ name: 'x', brandColor: 'red' });
+            expect(() => loadNonInteractiveConfig(tmpFile)).toThrow('process.exit called');
+            expect(process.exit).toHaveBeenCalledWith(1);
+        });
+        it('reports multiple validation failures at once', () => {
+            const tmpFile = writeTempConfig({
+                // name missing AND multiple invalid fields
+                platforms: ['bad'],
+                auth: 'bad',
+                region: 'bad',
+            });
+            expect(() => loadNonInteractiveConfig(tmpFile)).toThrow('process.exit called');
+            expect(process.exit).toHaveBeenCalledWith(1);
+            // At least 3 distinct error calls for the 3+ failing fields
+            expect(console.error.mock.calls.length).toBeGreaterThanOrEqual(3);
+        });
+    });
+    describe('auth normalization', () => {
+        it('silently drops authFeatures when auth is none', () => {
+            const tmpFile = writeTempConfig({
+                name: 'x',
+                auth: 'none',
+                authFeatures: ['social-login'],
+            });
+            const config = loadNonInteractiveConfig(tmpFile);
+            expect(config.auth.features).toEqual([]);
+        });
+        it('preserves authFeatures when auth is cognito', () => {
+            const tmpFile = writeTempConfig({
+                name: 'x',
+                auth: 'cognito',
+                authFeatures: ['mfa'],
+            });
+            const config = loadNonInteractiveConfig(tmpFile);
+            expect(config.auth.features).toEqual(['mfa']);
+        });
+    });
+    describe('file errors', () => {
+        it('exits with error for non-existent file', () => {
+            expect(() => loadNonInteractiveConfig('/nonexistent/path.json')).toThrow('process.exit called');
+            expect(process.exit).toHaveBeenCalledWith(1);
+        });
+        it('exits with error for invalid JSON', () => {
+            const tmpFile = writeTempConfig('not json {{{');
+            expect(() => loadNonInteractiveConfig(tmpFile)).toThrow('process.exit called');
+            expect(process.exit).toHaveBeenCalledWith(1);
+        });
+    });
+    describe('project name validation', () => {
+        it('exits with error for invalid npm package name', () => {
+            // npm package names cannot have uppercase letters
+            const tmpFile = writeTempConfig({ name: 'UPPERCASE' });
+            expect(() => loadNonInteractiveConfig(tmpFile)).toThrow('process.exit called');
+            expect(process.exit).toHaveBeenCalledWith(1);
+        });
+    });
+});

package/dist/cli.js

@@ -8,6 +8,7 @@ import { showDeprecationNotice } from './commands/setup-github.js';
 import { runSetupAwsEnvs } from './commands/setup-aws-envs.js';
 import { runInitializeGitHub } from './commands/initialize-github.js';
 import { promptGitSetup, setupGitRepository } from './git/setup.js';
+import { loadNonInteractiveConfig } from './config/non-interactive.js';
 /**
  * Write project configuration file for downstream commands
  */
@@ -54,9 +55,11 @@ Commands:
 Options:
   --help, -h          Show this help message
   --version, -v       Show version number
+  --config <path>     Create project from JSON config file (non-interactive)
 
 Usage:
   create-aws-project                              Run interactive wizard
+  create-aws-project --config project.json        Non-interactive mode
   create-aws-project setup-aws-envs               Create AWS accounts
   create-aws-project initialize-github dev        Configure dev environment
   create-aws-project initialize-github --all      Configure all environments
@@ -64,6 +67,7 @@ Usage:
 
 Examples:
   create-aws-project my-app
+  create-aws-project --config project.json
   create-aws-project setup-aws-envs
   create-aws-project initialize-github dev
   create-aws-project initialize-github --all
@@ -101,6 +105,33 @@ function printNextSteps(projectName) {
     console.log('');
     console.log(pc.gray('Happy coding!'));
 }
+/**
+ * Run project creation in non-interactive mode from a JSON config file.
+ * Skips all prompts and git setup (NI-02, NI-06).
+ */
+async function runNonInteractive(configPath) {
+    const config = loadNonInteractiveConfig(configPath);
+    const outputDir = resolve(process.cwd(), config.projectName);
+    // Check if directory already exists
+    if (existsSync(outputDir)) {
+        console.error(pc.red('Error:') + ` Directory ${pc.cyan(config.projectName)} already exists.`);
+        process.exit(1);
+    }
+    // Create project directory
+    mkdirSync(outputDir, { recursive: true });
+    // Generate project
+    console.log('');
+    await generateProject(config, outputDir);
+    // Write config file for downstream commands
+    writeConfigFile(outputDir, config);
+    // NI-06: Skip git setup entirely in non-interactive mode
+    // promptGitSetup() is NOT called
+    // Success message and next steps
+    console.log('');
+    console.log(pc.green('✔') + ` Created ${pc.bold(config.projectName)} successfully!`);
+    printNextSteps(config.projectName);
+    process.exit(0);
+}
 /**
  * Run the create project wizard flow
  * This is the default command when no subcommand is specified
@@ -108,6 +139,19 @@ function printNextSteps(projectName) {
 async function runCreate(args) {
     printWelcome();
     console.log(''); // blank line after banner
+    // Non-interactive path: --config flag provided
+    const configFlagIndex = args.findIndex(arg => arg === '--config');
+    if (configFlagIndex !== -1) {
+        const configPath = args[configFlagIndex + 1];
+        if (!configPath || configPath.startsWith('--')) {
+            console.error(pc.red('Error:') + ' --config requires a path argument');
+            console.error('  Example: npx create-aws-project --config project.json');
+            process.exit(1);
+        }
+        await runNonInteractive(configPath);
+        return;
+    }
+    // Interactive path (unchanged — existing code below)
     // Extract project name from CLI args (first non-flag argument)
     const nameArg = args.find(arg => !arg.startsWith('-'));
     const config = await runWizard(nameArg ? { defaultName: nameArg } : undefined);

package/dist/commands/setup-aws-envs.d.ts

@@ -9,6 +9,6 @@
  *
  * Creates AWS Organizations and environment accounts (dev, stage, prod)
  *
- * @param _args Command arguments (unused)
+ * @param args Command arguments
  */
-export declare function runSetupAwsEnvs(_args: string[]): Promise<void>;
+export declare function runSetupAwsEnvs(args: string[]): Promise<void>;

package/dist/commands/setup-aws-envs.js

@@ -9,6 +9,7 @@ import prompts from 'prompts';
 import pc from 'picocolors';
 import { readFileSync, writeFileSync } from 'node:fs';
 import { requireProjectContext } from '../utils/project-context.js';
+import { loadSetupAwsEnvsConfig, deriveEnvironmentEmails } from '../config/non-interactive-aws.js';
 import { createOrganizationsClient, checkExistingOrganization, createOrganization, createAccount, waitForAccountCreation, listOrganizationAccounts, } from '../aws/organizations.js';
 import { createIAMClient, createCrossAccountIAMClient, createOrAdoptDeploymentUser, createCDKDeploymentPolicy, attachPolicyToUser, createAccessKey, } from '../aws/iam.js';
 import { bootstrapAllEnvironments } from '../aws/cdk-bootstrap.js';
@@ -190,14 +191,319 @@ function handleAwsError(error) {
     }
     process.exit(1);
 }
+/**
+ * Runs setup-aws-envs in non-interactive mode using a JSON config file.
+ *
+ * Loads and validates the config, derives per-environment emails, then runs the
+ * full AWS setup flow (org, accounts, IAM users, access keys, CDK bootstrap)
+ * without any interactive prompts. After AWS setup completes, automatically
+ * invokes GitHub environment setup.
+ *
+ * Note: runInitializeGitHub may call process.exit(1) internally for auth failures
+ * (e.g. bad GitHub token). This bypasses the try/catch wrapper — it is a known
+ * limitation. The try/catch only catches thrown JavaScript errors (network, API).
+ *
+ * @param configPath Path to the JSON config file
+ */
+async function runSetupAwsEnvsNonInteractive(configPath) {
+    // Load and validate config
+    const awsConfig = loadSetupAwsEnvsConfig(configPath);
+    // Get project context (validates we're in a project directory)
+    const context = await requireProjectContext();
+    const { config, configPath: projectConfigPath } = context;
+    // Derive per-environment emails from the single root email
+    const emails = deriveEnvironmentEmails(awsConfig.email, ENVIRONMENTS);
+    // Print derived emails for transparency before AWS operations begin
+    console.log('');
+    console.log('Derived environment emails:');
+    for (const [env, email] of Object.entries(emails)) {
+        console.log(`  ${pc.cyan(env)}: ${email}`);
+    }
+    console.log('');
+    // Check if already configured (warn but don't abort - allows retry after partial failure)
+    const existingAccounts = config.accounts ?? {};
+    const existingUsers = config.deploymentUsers ?? {};
+    const existingCredentials = config.deploymentCredentials ?? {};
+    if (Object.keys(existingAccounts).length > 0) {
+        console.log('');
+        console.log(pc.yellow('Warning:') + ' AWS accounts already configured in this project:');
+        for (const [env, id] of Object.entries(existingAccounts)) {
+            const userInfo = existingUsers[env] ? ` (user: ${existingUsers[env]})` : '';
+            console.log(`  ${env}: ${id}${userInfo}`);
+        }
+        console.log('');
+        console.log(pc.dim('Continuing will skip existing accounts and create any missing ones...'));
+    }
+    // Detect root credentials and create admin user if needed
+    let adminCredentials = null;
+    if (config.adminUser) {
+        console.log('');
+        console.log(pc.yellow('Note:') + ` Admin user ${pc.cyan(config.adminUser.userName)} already configured.`);
+        console.log(pc.dim('Using existing admin user. If you have switched to IAM credentials, root detection is skipped.'));
+    }
+    else {
+        try {
+            const identity = await detectRootCredentials(config.awsRegion);
+            if (identity.isRoot) {
+                console.log('');
+                console.log(pc.yellow('Root credentials detected.'));
+                console.log('Creating admin IAM user for subsequent operations...');
+                console.log('');
+                const iamClient = createIAMClient(config.awsRegion);
+                const adminResult = await createOrAdoptAdminUser(iamClient, config.projectName);
+                adminCredentials = {
+                    accessKeyId: adminResult.accessKeyId,
+                    secretAccessKey: adminResult.secretAccessKey,
+                };
+                const configContent = JSON.parse(readFileSync(projectConfigPath, 'utf-8'));
+                configContent.adminUser = {
+                    userName: adminResult.userName,
+                    accessKeyId: adminResult.accessKeyId,
+                };
+                writeFileSync(projectConfigPath, JSON.stringify(configContent, null, 2) + '\n', 'utf-8');
+                if (adminResult.adopted) {
+                    console.log(pc.green(`Adopted existing admin user: ${adminResult.userName}`));
+                }
+                else {
+                    console.log(pc.green(`Created admin user: ${adminResult.userName}`));
+                }
+                console.log(pc.dim('Admin credentials will be used for all subsequent AWS operations in this session.'));
+                console.log('');
+            }
+        }
+        catch (error) {
+            const spinner = ora('').start();
+            spinner.fail('Failed to detect AWS credentials');
+            handleAwsError(error);
+        }
+    }
+    // Execute AWS operations with progress spinner
+    const spinner = ora('Starting AWS Organizations setup...').start();
+    try {
+        // Organizations API requires us-east-1
+        let client;
+        if (adminCredentials) {
+            client = new OrganizationsClient({
+                region: 'us-east-1',
+                credentials: {
+                    accessKeyId: adminCredentials.accessKeyId,
+                    secretAccessKey: adminCredentials.secretAccessKey,
+                },
+            });
+        }
+        else {
+            client = createOrganizationsClient('us-east-1');
+        }
+        // Check/create organization
+        spinner.text = 'Checking for existing AWS Organization...';
+        let orgId = await checkExistingOrganization(client);
+        if (!orgId) {
+            spinner.text = 'Creating AWS Organization...';
+            orgId = await createOrganization(client);
+            spinner.succeed(`Created AWS Organization: ${orgId}`);
+        }
+        else {
+            spinner.succeed(`Using existing AWS Organization: ${orgId}`);
+        }
+        // Discover existing accounts from AWS (source of truth)
+        spinner.start('Checking for existing AWS accounts...');
+        const allOrgAccounts = await listOrganizationAccounts(client);
+        const discoveredAccounts = new Map();
+        for (const account of allOrgAccounts) {
+            for (const env of ENVIRONMENTS) {
+                const expectedName = `${config.projectName}-${env}`;
+                if (account.Name === expectedName && account.Id) {
+                    discoveredAccounts.set(env, account.Id);
+                }
+            }
+        }
+        // Determine which environments still need account creation
+        const environmentsNeedingCreation = ENVIRONMENTS.filter(env => !discoveredAccounts.has(env));
+        // Report findings
+        for (const [env, accountId] of discoveredAccounts.entries()) {
+            spinner.info(`Found existing ${env} account: ${accountId}`);
+        }
+        // Warn if config has accounts not found in AWS
+        for (const [env, accountId] of Object.entries(existingAccounts)) {
+            if (!discoveredAccounts.has(env)) {
+                console.log(pc.yellow('Warning:') + ` Account ${env} (${accountId}) in config but not found in AWS Organization`);
+            }
+        }
+        // Non-interactive: emails are already derived — no collectEmails() call
+        if (environmentsNeedingCreation.length > 0) {
+            spinner.start('Continuing AWS setup with derived emails...');
+        }
+        else {
+            spinner.stop();
+            console.log('');
+            console.log(pc.green('All environment accounts already exist in AWS.'));
+            console.log(pc.dim('Skipping email collection, proceeding to deployment user setup...'));
+            console.log('');
+            spinner.start('Continuing AWS setup...');
+        }
+        // Create accounts sequentially (AWS rate limits require sequential)
+        const accounts = { ...existingAccounts };
+        for (const [env, accountId] of discoveredAccounts.entries()) {
+            accounts[env] = accountId;
+        }
+        if (discoveredAccounts.size > 0) {
+            updateConfig(projectConfigPath, accounts);
+        }
+        for (const env of ENVIRONMENTS) {
+            if (accounts[env]) {
+                spinner.succeed(`Using existing ${env} account: ${accounts[env]}`);
+                continue;
+            }
+            spinner.start(`Creating ${env} account (this may take several minutes)...`);
+            const accountName = `${config.projectName}-${env}`;
+            const { requestId } = await createAccount(client, emails[env], accountName);
+            spinner.text = `Waiting for ${env} account creation...`;
+            const result = await waitForAccountCreation(client, requestId);
+            accounts[env] = result.accountId;
+            updateConfig(projectConfigPath, accounts);
+            spinner.succeed(`Created ${env} account: ${result.accountId}`);
+        }
+        // Create IAM deployment users in each account
+        const deploymentUsers = { ...existingUsers };
+        for (const env of ENVIRONMENTS) {
+            if (existingUsers[env]) {
+                spinner.succeed(`Using existing deployment user: ${existingUsers[env]}`);
+                continue;
+            }
+            const accountId = accounts[env];
+            const userName = `${config.projectName}-${env}-deploy`;
+            const policyName = `${config.projectName}-${env}-cdk-deploy`;
+            spinner.start(`Creating deployment user in ${env} account...`);
+            let iamClient;
+            if (adminCredentials) {
+                const roleArn = `arn:aws:iam::${accountId}:role/OrganizationAccountAccessRole`;
+                iamClient = new IAMClient({
+                    region: config.awsRegion,
+                    credentials: fromTemporaryCredentials({
+                        masterCredentials: {
+                            accessKeyId: adminCredentials.accessKeyId,
+                            secretAccessKey: adminCredentials.secretAccessKey,
+                        },
+                        params: {
+                            RoleArn: roleArn,
+                            RoleSessionName: `create-aws-project-${Date.now()}`,
+                            DurationSeconds: 900,
+                        },
+                    }),
+                });
+            }
+            else {
+                iamClient = createCrossAccountIAMClient(config.awsRegion, accountId);
+            }
+            await createOrAdoptDeploymentUser(iamClient, userName);
+            spinner.text = `Creating deployment policy for ${env}...`;
+            const policyArn = await createCDKDeploymentPolicy(iamClient, policyName, accountId);
+            await attachPolicyToUser(iamClient, userName, policyArn);
+            deploymentUsers[env] = userName;
+            updateConfig(projectConfigPath, accounts, deploymentUsers);
+            spinner.succeed(`Created deployment user: ${userName}`);
+        }
+        // Create access keys for deployment users
+        const deploymentCredentials = {};
+        for (const env of ENVIRONMENTS) {
+            if (existingCredentials[env]) {
+                spinner.succeed(`Using existing credentials for ${env}: ${existingCredentials[env].accessKeyId}`);
+                deploymentCredentials[env] = existingCredentials[env];
+                continue;
+            }
+            const userName = deploymentUsers[env];
+            spinner.start(`Creating access key for ${env} deployment user...`);
+            const accountId = accounts[env];
+            let iamClient;
+            if (adminCredentials) {
+                const roleArn = `arn:aws:iam::${accountId}:role/OrganizationAccountAccessRole`;
+                iamClient = new IAMClient({
+                    region: config.awsRegion,
+                    credentials: fromTemporaryCredentials({
+                        masterCredentials: {
+                            accessKeyId: adminCredentials.accessKeyId,
+                            secretAccessKey: adminCredentials.secretAccessKey,
+                        },
+                        params: {
+                            RoleArn: roleArn,
+                            RoleSessionName: `create-aws-project-${Date.now()}`,
+                            DurationSeconds: 900,
+                        },
+                    }),
+                });
+            }
+            else {
+                iamClient = createCrossAccountIAMClient(config.awsRegion, accountId);
+            }
+            const credentials = await createAccessKey(iamClient, userName);
+            deploymentCredentials[env] = {
+                userName,
+                accessKeyId: credentials.accessKeyId,
+                secretAccessKey: credentials.secretAccessKey,
+            };
+            updateConfig(projectConfigPath, accounts, deploymentUsers, deploymentCredentials);
+            spinner.succeed(`Created access key for ${userName}`);
+        }
+        // Bootstrap CDK in each environment account
+        await bootstrapAllEnvironments({
+            accounts,
+            region: config.awsRegion,
+            adminCredentials,
+            spinner,
+        });
+        // Final success with summary table
+        console.log('');
+        console.log(pc.green('AWS environment setup complete!'));
+        console.log('');
+        console.log('Summary:');
+        console.log(`  ${'Environment'.padEnd(14)}${'Account ID'.padEnd(16)}${'Deployment User'.padEnd(30)}Access Key`);
+        for (const env of ENVIRONMENTS) {
+            const keyId = deploymentCredentials[env]?.accessKeyId ?? 'N/A';
+            console.log(`  ${env.padEnd(14)}${accounts[env].padEnd(16)}${deploymentUsers[env].padEnd(30)}${keyId}`);
+        }
+        console.log('');
+        console.log(pc.dim('CDK bootstrapped in all environment accounts.'));
+        console.log('');
+        console.log('AWS setup complete. All environments bootstrapped and ready for CDK deployments.');
+        console.log('');
+        // Auto-run GitHub setup (non-interactive path — no prompt)
+        console.log('Setting up GitHub environments...');
+        try {
+            await runInitializeGitHub(['--all']);
+        }
+        catch (error) {
+            const msg = error instanceof Error ? error.message : String(error);
+            console.warn(pc.yellow('Warning:') + ` GitHub setup failed: ${msg}`);
+            console.warn('AWS setup completed successfully. Run initialize-github manually:');
+            console.warn(`  ${pc.cyan('npx create-aws-project initialize-github --all')}`);
+        }
+    }
+    catch (error) {
+        spinner.fail('AWS setup failed');
+        handleAwsError(error);
+    }
+    process.exit(0);
+}
 /**
  * Runs the setup-aws-envs command
  *
  * Creates AWS Organizations and environment accounts (dev, stage, prod)
  *
- * @param _args Command arguments (unused)
+ * @param args Command arguments
  */
-export async function runSetupAwsEnvs(_args) {
+export async function runSetupAwsEnvs(args) {
+    // --config flag: route to non-interactive mode
+    const configFlagIndex = args.findIndex(arg => arg === '--config');
+    if (configFlagIndex !== -1) {
+        const configPath = args[configFlagIndex + 1];
+        if (!configPath || configPath.startsWith('--')) {
+            console.error(pc.red('Error:') + ' --config requires a path argument');
+            console.error('  Example: npx create-aws-project setup-aws-envs --config aws.json');
+            process.exit(1);
+        }
+        await runSetupAwsEnvsNonInteractive(configPath);
+        return;
+    }
     // 1. Validate we're in a project directory
     const context = await requireProjectContext();
     const { config, configPath } = context;

package/dist/config/non-interactive-aws.d.ts

@@ -0,0 +1,27 @@
+import * as z from 'zod';
+/**
+ * Zod schema for the non-interactive JSON config file for setup-aws-envs.
+ * Only `email` is required — all other AWS setup config lives in .aws-starter-config.json.
+ */
+export declare const SetupAwsEnvsConfigSchema: z.ZodObject<{
+    email: z.ZodString;
+}, z.core.$strip>;
+export type SetupAwsEnvsConfig = z.infer<typeof SetupAwsEnvsConfigSchema>;
+/**
+ * Load, validate, and return a SetupAwsEnvsConfig from a JSON config file path.
+ * Exits with code 1 and prints all errors if validation fails.
+ * Also exits with code 1 if the email does not contain an '@' sign.
+ */
+export declare function loadSetupAwsEnvsConfig(configPath: string): SetupAwsEnvsConfig;
+/**
+ * Derive per-environment email addresses from a root email.
+ * Inserts -{env} between the local part and the domain.
+ *
+ * Example:
+ *   deriveEnvironmentEmails('owner@example.com', ['dev', 'stage', 'prod'])
+ *   → { dev: 'owner-dev@example.com', stage: 'owner-stage@example.com', prod: 'owner-prod@example.com' }
+ *
+ * Handles plus aliases: 'user+tag@company.com' → 'user+tag-dev@company.com'
+ * Handles subdomains: 'admin@sub.example.com' → 'admin-dev@sub.example.com'
+ */
+export declare function deriveEnvironmentEmails(rootEmail: string, environments: readonly string[]): Record<string, string>;

package/dist/config/non-interactive-aws.js

@@ -0,0 +1,80 @@
+import * as z from 'zod';
+import { readFileSync } from 'node:fs';
+import { resolve } from 'node:path';
+import pc from 'picocolors';
+/**
+ * Zod schema for the non-interactive JSON config file for setup-aws-envs.
+ * Only `email` is required — all other AWS setup config lives in .aws-starter-config.json.
+ */
+export const SetupAwsEnvsConfigSchema = z.object({
+    email: z.string().min(1, { message: 'email is required' }),
+});
+/**
+ * Load, validate, and return a SetupAwsEnvsConfig from a JSON config file path.
+ * Exits with code 1 and prints all errors if validation fails.
+ * Also exits with code 1 if the email does not contain an '@' sign.
+ */
+export function loadSetupAwsEnvsConfig(configPath) {
+    // 1. Resolve path relative to cwd
+    const absolutePath = resolve(process.cwd(), configPath);
+    // 2. Read file — fail fast if not found or unreadable
+    let rawContent;
+    try {
+        rawContent = readFileSync(absolutePath, 'utf-8');
+    }
+    catch {
+        console.error(pc.red('Error:') + ` Cannot read config file: ${absolutePath}`);
+        process.exit(1);
+    }
+    // 3. Parse JSON — fail fast if invalid
+    let rawData;
+    try {
+        rawData = JSON.parse(rawContent);
+    }
+    catch {
+        console.error(pc.red('Error:') + ` Config file is not valid JSON: ${absolutePath}`);
+        process.exit(1);
+    }
+    // 4. Validate with Zod — collect ALL errors in one pass
+    const result = SetupAwsEnvsConfigSchema.safeParse(rawData);
+    if (!result.success) {
+        console.error(pc.red('Error:') + ' Invalid config file:');
+        console.error('');
+        for (const issue of result.error.issues) {
+            const fieldPath = issue.path.length > 0 ? issue.path.join('.') : '(root)';
+            console.error(`  ${pc.red('x')} ${fieldPath}: ${issue.message}`);
+        }
+        console.error('');
+        process.exit(1);
+    }
+    // 5. Additional email format check — must contain '@' for derivation to work correctly
+    if (!result.data.email.includes('@')) {
+        console.error(pc.red('Error:') + ' Invalid config file:');
+        console.error('');
+        console.error(`  ${pc.red('x')} email: must be a valid email address`);
+        console.error('');
+        process.exit(1);
+    }
+    return result.data;
+}
+/**
+ * Derive per-environment email addresses from a root email.
+ * Inserts -{env} between the local part and the domain.
+ *
+ * Example:
+ *   deriveEnvironmentEmails('owner@example.com', ['dev', 'stage', 'prod'])
+ *   → { dev: 'owner-dev@example.com', stage: 'owner-stage@example.com', prod: 'owner-prod@example.com' }
+ *
+ * Handles plus aliases: 'user+tag@company.com' → 'user+tag-dev@company.com'
+ * Handles subdomains: 'admin@sub.example.com' → 'admin-dev@sub.example.com'
+ */
+export function deriveEnvironmentEmails(rootEmail, environments) {
+    const atIndex = rootEmail.lastIndexOf('@');
+    const localPart = rootEmail.slice(0, atIndex);
+    const domain = rootEmail.slice(atIndex); // includes '@'
+    const derived = {};
+    for (const env of environments) {
+        derived[env] = `${localPart}-${env}${domain}`;
+    }
+    return derived;
+}

package/dist/config/non-interactive.d.ts

@@ -0,0 +1,48 @@
+import * as z from 'zod';
+import type { ProjectConfig } from '../types.js';
+/**
+ * Zod schema for the non-interactive JSON config file.
+ * Only `name` is required; all other fields have defaults matching NI-04 spec.
+ */
+export declare const NonInteractiveConfigSchema: z.ZodObject<{
+    name: z.ZodString;
+    platforms: z.ZodDefault<z.ZodArray<z.ZodEnum<{
+        web: "web";
+        mobile: "mobile";
+        api: "api";
+    }>>>;
+    auth: z.ZodDefault<z.ZodEnum<{
+        cognito: "cognito";
+        auth0: "auth0";
+        none: "none";
+    }>>;
+    authFeatures: z.ZodDefault<z.ZodArray<z.ZodEnum<{
+        "social-login": "social-login";
+        mfa: "mfa";
+    }>>>;
+    features: z.ZodDefault<z.ZodArray<z.ZodEnum<{
+        "github-actions": "github-actions";
+        "vscode-config": "vscode-config";
+    }>>>;
+    region: z.ZodDefault<z.ZodEnum<{
+        "us-east-1": "us-east-1";
+        "us-west-2": "us-west-2";
+        "eu-west-1": "eu-west-1";
+        "eu-central-1": "eu-central-1";
+        "ap-northeast-1": "ap-northeast-1";
+        "ap-southeast-2": "ap-southeast-2";
+    }>>;
+    brandColor: z.ZodDefault<z.ZodEnum<{
+        blue: "blue";
+        purple: "purple";
+        teal: "teal";
+        green: "green";
+        orange: "orange";
+    }>>;
+}, z.core.$strip>;
+export type NonInteractiveConfig = z.infer<typeof NonInteractiveConfigSchema>;
+/**
+ * Load, validate, and return a ProjectConfig from a JSON config file path.
+ * Exits with code 1 and prints all errors if validation fails.
+ */
+export declare function loadNonInteractiveConfig(configPath: string): ProjectConfig;

package/dist/config/non-interactive.js

@@ -0,0 +1,92 @@
+import * as z from 'zod';
+import { readFileSync } from 'node:fs';
+import { resolve } from 'node:path';
+import pc from 'picocolors';
+import { validateProjectName } from '../validation/project-name.js';
+// Valid value constants (as const tuples for Zod enum compatibility)
+const VALID_PLATFORMS = ['web', 'mobile', 'api'];
+const VALID_AUTH_PROVIDERS = ['none', 'cognito', 'auth0'];
+const VALID_AUTH_FEATURES = ['social-login', 'mfa'];
+const VALID_FEATURES = ['github-actions', 'vscode-config'];
+const VALID_REGIONS = [
+    'us-east-1',
+    'us-west-2',
+    'eu-west-1',
+    'eu-central-1',
+    'ap-northeast-1',
+    'ap-southeast-2',
+];
+const VALID_BRAND_COLORS = ['blue', 'purple', 'teal', 'green', 'orange'];
+/**
+ * Zod schema for the non-interactive JSON config file.
+ * Only `name` is required; all other fields have defaults matching NI-04 spec.
+ */
+export const NonInteractiveConfigSchema = z.object({
+    name: z.string().min(1, { message: 'name is required' }),
+    platforms: z.array(z.enum(VALID_PLATFORMS)).min(1).default(['web', 'api']),
+    auth: z.enum(VALID_AUTH_PROVIDERS).default('none'),
+    authFeatures: z.array(z.enum(VALID_AUTH_FEATURES)).default([]),
+    features: z.array(z.enum(VALID_FEATURES)).default(['github-actions', 'vscode-config']),
+    region: z.enum(VALID_REGIONS).default('us-east-1'),
+    brandColor: z.enum(VALID_BRAND_COLORS).default('blue'),
+});
+/**
+ * Load, validate, and return a ProjectConfig from a JSON config file path.
+ * Exits with code 1 and prints all errors if validation fails.
+ */
+export function loadNonInteractiveConfig(configPath) {
+    // 1. Resolve path relative to cwd
+    const absolutePath = resolve(process.cwd(), configPath);
+    // 2. Read file — fail fast if not found or unreadable
+    let rawContent;
+    try {
+        rawContent = readFileSync(absolutePath, 'utf-8');
+    }
+    catch {
+        console.error(pc.red('Error:') + ` Cannot read config file: ${absolutePath}`);
+        process.exit(1);
+    }
+    // 3. Parse JSON — fail fast if invalid
+    let rawData;
+    try {
+        rawData = JSON.parse(rawContent);
+    }
+    catch {
+        console.error(pc.red('Error:') + ` Config file is not valid JSON: ${absolutePath}`);
+        process.exit(1);
+    }
+    // 4. Validate with Zod — collect ALL errors in one pass
+    const result = NonInteractiveConfigSchema.safeParse(rawData);
+    if (!result.success) {
+        console.error(pc.red('Error:') + ' Invalid config file:');
+        console.error('');
+        for (const issue of result.error.issues) {
+            const fieldPath = issue.path.length > 0 ? issue.path.join('.') : '(root)';
+            console.error(`  ${pc.red('x')} ${fieldPath}: ${issue.message}`);
+        }
+        console.error('');
+        process.exit(1);
+    }
+    const cfg = result.data;
+    // 5. Additional project name validation via existing npm package name validator
+    const nameValidation = validateProjectName(cfg.name);
+    if (nameValidation !== true) {
+        console.error(pc.red('Error:') + ' Invalid config file:');
+        console.error('');
+        console.error(`  ${pc.red('x')} name: ${nameValidation}`);
+        console.error('');
+        process.exit(1);
+    }
+    // 6. Map to ProjectConfig — silently drop authFeatures when auth is 'none'
+    return {
+        projectName: cfg.name,
+        platforms: cfg.platforms,
+        awsRegion: cfg.region,
+        features: cfg.features,
+        brandColor: cfg.brandColor,
+        auth: {
+            provider: cfg.auth,
+            features: cfg.auth === 'none' ? [] : cfg.authFeatures,
+        },
+    };
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-aws-project",
-  "version": "1.6.0",
+  "version": "1.7.0",
   "description": "CLI tool to scaffold AWS projects",
   "type": "module",
   "main": "./dist/index.js",
@@ -52,11 +52,12 @@
     "@aws-sdk/credential-providers": "^3.971.0",
     "@octokit/rest": "^22.0.1",
     "find-up": "^8.0.0",
+    "libsodium-wrappers": "^0.7.15",
     "ora": "^9.1.0",
     "picocolors": "^1.1.1",
     "prompts": "^2.4.2",
-    "libsodium-wrappers": "^0.7.15",
-    "validate-npm-package-name": "^7.0.2"
+    "validate-npm-package-name": "^7.0.2",
+    "zod": "^4.3.6"
   },
   "devDependencies": {
     "@types/jest": "^30.0.0",