Skip to content

Run 2: Partition Resources

Creates the CDK constructs, stacks, unit tests, CI integration, and verification script for image storage and CDN delivery. Corresponds to Phase 1 and specification.md sections 1-3, 5.

Entry Criteria

#	Criterion	Verification Command	Expected Output
1	Run 1 exit gate passed	`./run-1-dns-foundation/validate-exit.sh`	`ALL CHECKS PASSED`
2	`assetsHostedZone` available in `ImportingStack`	`grep assetsHostedZone src/main/cdk/apps/Al1x/util.ts`	Import code present
3	`assetsDomain()` available	`grep assetsDomain src/main/cdk/platform/ari-configuration.ts`	Function present
4	Assets zone deployed to target infra	`dig NS alpha002.assets.arda.cards`	Returns NS records
5	ACM cert issued	`aws acm list-certificates --query "CertificateSummaryList[?DomainName=='*.alpha002.assets.arda.cards'].Status"`	`ISSUED`
6	Worktree created	`git -C <worktree-path> branch --show-current`	`jmpicnic/image-upload-infrastructure/run-2`

Artifact Specifications

Artifact	Path	Format	Description
ImageAssetBucket construct	`src/main/cdk/constructs/storage/image-asset-bucket.ts`	TypeScript	S3 bucket + presigning role (spec 1.1)
ImageAssetCdn construct	`src/main/cdk/constructs/xgress/image-asset-cdn.ts`	TypeScript	CloudFront + OAC + DNS (spec 1.2)
CloudFrontSigningKeyGroup construct	`src/main/cdk/constructs/xgress/cloudfront-signing-key-group.ts`	TypeScript	RSA key pair + Secrets Manager (spec 1.3)
PartitionImageCdnStack	`src/main/cdk/stacks/purpose/partition-image-cdn.ts`	TypeScript	CDN stack with exports (spec 2.2)
BulkStoresStack modification	`src/main/cdk/stacks/purpose/partition-bulk-stores.ts`	TypeScript	Add ImageAssetBucket (spec 2.1)
Partition wiring	`src/main/cdk/apps/Al1x/partition.ts`	TypeScript	Instantiate new stack (spec 2.3)
Jest config	`jest.config.ts`	TypeScript	Test runner configuration
Construct tests (3 files)	`src/main/cdk/constructs/*/.test.ts`	TypeScript	Unit tests per construct
Stack tests (2 files)	`src/main/cdk/stacks/purpose/*.test.ts`	TypeScript	Snapshot + export tests
CI update	`.github/workflows/ci.yaml`	YAML	Add `npm test` to build job
Verification script	`tools/verify-image-cdn.ts`	TypeScript	End-to-end verification

Task List

#	Task	Persona	Depends On	Status	Acceptance Criteria
Test Infrastructure
2.1	Create `jest.config.ts` with path aliases	devops-engineer	—	Pending	Jest runs with `arda/` mapped to `src/main/cdk/`
2.2	Add `test`, `test:ci` scripts to `package.json`; add `cdk-nag`, `@aws-sdk/client-s3`, `@aws-sdk/client-sts`, `@aws-sdk/client-secrets-manager`, `@aws-sdk/s3-presigned-post` devDependencies	devops-engineer	—	Pending	`npm test` runs (may have 0 tests initially); all SDK deps available for verification script
2.3	Add `npm test` step to `.github/workflows/ci.yaml` build job	devops-engineer	2.1, 2.2	Pending	CI `build` job includes test step after lint (V-113)
CDK Constructs
2.4	Implement `ImageAssetBucket` construct	devops-engineer	—	Pending	Versioned, RETAIN, SSE-S3, no expiration, CORS POST, presigning role with conditions (spec 1.1)
2.5	Implement `CloudFrontSigningKeyGroup` construct	devops-engineer	—	Pending	RSA key pair, public key in CF key group, private key in Secrets Manager, RETAIN (spec 1.3)
2.6	Implement `ImageAssetCdn` construct	devops-engineer	2.4, 2.5	Pending	OAC origin, HTTPS-only, GET/HEAD, CachingOptimized, PriceClass_100, trusted key groups, custom domain, Route53 A record (spec 1.2)
Stacks and Wiring
2.7	Modify `BulkStoresStack` — add `ImageAssetBucket` + exports	devops-engineer	2.4	Pending	New bucket in Built; 3 new `-API-` exports (spec 2.1)
2.8	Create `PartitionImageCdnStack` with CDN + signing key group + exports	devops-engineer	2.5, 2.6	Pending	3 new `-API-` exports; `publish()` called (spec 2.2)
2.9	Wire `PartitionImageCdnStack` into `partition.ts`	devops-engineer	2.7, 2.8	Pending	Stack instantiated after bulkStores; uses `assetsHostedZone`, `assetsCertificateArn` from ImportingStack (spec 2.3)
Unit Tests
2.10	Write `ImageAssetBucket` unit tests	devops-engineer	2.4	Pending	Tests per spec section 5: naming, versioning, RETAIN, SSE, CORS, presigning role conditions, validation
2.11	Write `ImageAssetCdn` unit tests	devops-engineer	2.6	Pending	Tests per spec section 5: OAC, HTTPS-only, GET/HEAD, cache policy, key groups, custom domain, validation
2.12	Write `CloudFrontSigningKeyGroup` unit tests	devops-engineer	2.5	Pending	Tests per spec section 5: public key, key group, secret, RETAIN
2.13	Write `BulkStoresStack` snapshot test	devops-engineer	2.7	Pending	Snapshot captures new exports; baseline established
2.14	Write `PartitionImageCdnStack` snapshot + export tests	devops-engineer	2.8	Pending	Snapshot captures full stack; 3 exports verified
Verification
2.15	Implement `verify-image-cdn.ts` script	devops-engineer	2.9	Pending	Steps 1-11 per spec section 3; exits 0 on success
2.16	Run `npm run ci-check` — all targets synth	devops-engineer	2.9	Pending	Zero errors across all infra + partition targets (V-101)
2.17	Run `npm test` — all tests pass	devops-engineer	2.10-2.14	Pending	Zero failures; cdk-nag passes (V-111, V-112)
Deployment
2.18	Deploy to Alpha002/dev and run `verify-image-cdn.ts`	devops-engineer	2.15-2.17	Pending	`amm.sh Alpha002 dev` succeeds; verification script exits 0 (V-102-V-108)
2.19	Deploy to Alpha002/stage	devops-engineer	2.18	Pending	`amm.sh Alpha002 stage` succeeds; partition has independent image infra (V-109)
2.20	Deploy to Alpha001/demo	devops-engineer	2.18	Pending	`amm.sh Alpha001 demo` succeeds (requires Phase 0 deployed to Alpha001 first)
2.21	Deploy to Alpha001/prod	devops-engineer	2.20	Pending	`amm.sh Alpha001 prod` succeeds; all production partitions operational
2.22	Deploy to SandboxKyle002/kyle	devops-engineer	2.18	Pending	`amm.sh SandboxKyle002 kyle` succeeds (requires Phase 0 deployed to SandboxKyle002 first)
Review
2.23	Code review of all constructs and stacks	quality-reviewer	2.17	Pending	Patterns match design.md section 3; naming conventions followed; no regressions

Internal Dependency Graph

2.1, 2.2 (test infra) ──→ 2.3 (CI)
                       └──→ 2.10-2.14 (unit tests)

2.4 (ImageAssetBucket) ──→ 2.6 (ImageAssetCdn) ──→ 2.8 (CdnStack) ──→ 2.9 (partition.ts)
                       └──→ 2.7 (BulkStores mod)                   └──→ 2.15 (verify script)
2.5 (SigningKeyGroup)  ──→ 2.6, 2.8

2.4 → 2.10 (bucket tests)
2.5 → 2.12 (signing tests)
2.6 → 2.11 (cdn tests)
2.7 → 2.13 (bulk stores snapshot)
2.8 → 2.14 (cdn stack snapshot)

2.15-2.17 → 2.18 (deploy Alpha002/dev)
            2.18 → 2.19 (Alpha002/stage)
            2.18 → 2.20 (Alpha001/demo) → 2.21 (Alpha001/prod)
            2.18 → 2.22 (SandboxKyle002/kyle)
2.17 → 2.23 (review) — can run in parallel with deployments

Parallelization: Tasks 2.1-2.2 (test infra), 2.4 (bucket), and 2.5 (signing key) can all start simultaneously. Task 2.6 (CDN) requires 2.4 and 2.5. Unit tests can be written alongside or immediately after each construct.

Exit Criteria

#	Criterion	Verification Command	Expected Output
1	`ci-check` passes	`npm run ci-check`	All targets synth without errors
2	`npm test` passes	`npm test`	Zero failures
3	Alpha002/dev deployed + verified	`amm.sh Alpha002 dev` + `verify-image-cdn.ts`	Stacks complete; script exits 0
4	Alpha002/stage deployed	`amm.sh Alpha002 stage`	All stacks CREATE/UPDATE_COMPLETE
5	Alpha001/demo deployed	`amm.sh Alpha001 demo`	All stacks CREATE/UPDATE_COMPLETE
6	Alpha001/prod deployed	`amm.sh Alpha001 prod`	All stacks CREATE/UPDATE_COMPLETE
7	SandboxKyle002/kyle deployed	`amm.sh SandboxKyle002 kyle`	All stacks CREATE/UPDATE_COMPLETE
8	CI gates PRs	Open test PR with deliberate failure	`build` job fails, PR blocked
9	Exports present in all partitions	Check CloudFormation exports per partition	6 ImageAsset exports per partition

Agent Prompt Templates

devops-engineer — `de-partition-resources`

Implement the CDK constructs, stacks, tests, and verification script for image storage and CDN delivery. Working directory: <worktree-path>.

Follow specification.md for construct interfaces, design.md section 3 for implementation patterns, and specification.md section 5 for testing strategy.

The existing UploadBucket in constructs/storage/public-upload-bucket.ts and ApiCloudFront in constructs/xgress/api-cloudfront.ts are the pattern models. Follow them for structure, naming, validation, and bucket policies. See the specification for specific differences.

Tasks: 2.1 through 2.17 in this plan. Start with test infrastructure (2.1-2.2), then constructs (2.4-2.6), then stacks (2.7-2.9), then tests (2.10-2.14), then verification (2.15-2.17).

quality-reviewer — `qr-partition-review`

Review the CDK constructs, stacks, and tests produced by the devops-engineer. Verify that:

All constructs follow the Configuration → Props → Built pattern

Naming follows design.md section 3.3

IAM policies follow least-privilege (design.md section 3.5)

S3 bucket follows design.md section 3.4

CloudFront follows design.md section 3.6

Cross-stack exports use correct -API- / -I- markers

Unit tests cover business logic, not CDK defaults

No regressions to existing stacks

Handoff

Artifacts Consumed (from Run 1)

Artifact	Source Run	Path
`assetsHostedZone` import	Run 1	`src/main/cdk/apps/Al1x/util.ts`
`assetsCertificateArn` import	Run 1	`src/main/cdk/apps/Al1x/util.ts`
`assetsDomain()` function	Run 1	`src/main/cdk/platform/ari-configuration.ts`
Deployed assets zone (in AWS)	Run 1	— (runtime)
Deployed ACM cert (in AWS)	Run 1	— (runtime)

Artifacts Produced (for subsequent phases)

Artifact	Consumer	Path
6 cross-stack exports (3 bucket + 3 CDN)	Phase 2 (operations CloudFormation)	CloudFormation exports
Signing key in Secrets Manager	Phase 3b (BFF cookie signing)	Secrets Manager ARN
CDN domain	Phase 2a (CdnUrlResolver)	CloudFormation export

Copyright: (c) Arda Systems 2025-2026, All rights reserved

Copyright: © Arda Systems 2025-2026, All rights reserved