Phase 4 — Run 2: dev Partition Rollout (G-B+C+D)
Overview
Branch / PR: jmpicnic/email-integration-phase-4 (infra) → PR phase-4-G-B-C-D-dev against Arda-cards/infrastructure main.
Group(s): G-B + G-C + G-D for dev.
Tasks: T-I4 (partition-email stack), T-I5-dev (dev instance config), T-I6 (apps extension), T-I8 (Phase A entry script), T-I10 (amm.sh step), T-D1 (verification entries), T-D8 (infra CHANGELOG), T-O1-dev (pre-flight), T-O3 (deploy dev), T-O4 (arda-nonprod Postmark Compliance reply).
Working directory: /Users/jmp/code/arda/projects/email-integration-worktrees/phase-4/infrastructure.
AWS impact: Resource-touching in Alpha002 (creates dev.ardamails.com zone + NS delegation + SPF + DMARC + DKIM + Return-Path records + two SM secrets + two IAM roles). Resource-touching on Postmark side (Sender Signature registration on PostmarkNonProd).
Personas: devops-engineer for T-I*; user as operator for T-O1, T-O3, T-O4.
Run-2 lands once for the whole phase: the CDK code, instance config, app extension, Phase A script, and amm.sh step are all authored here. Runs 3-5 only add their partition’s instance config + invoke amm.sh against that partition.
Entry criteria
- Run-1 PR merged to `Arda-cards/infrastructure` `main`.
- T-O2 (Root no-drift verification) passed and recorded.
- Operator pre-flight (T-O1-dev) green:
  - `op read "$(npx ts-node -e 'console.log(require("./platform/postmark-service").postmarkCredentialOpReference("dev"))')"` returns a non-empty token.
  - `aws sts get-caller-identity --profile Alpha002-Admin` returns the Alpha002 account ID.
  - `dmarc-reports@arda.cards` mailbox is healthy (T-O1 one-time-per-rollout check).
| Task | Description | Files touched | Persona |
|---|---|---|---|
| T-I4 | Author PartitionEmailStack (three-interface pattern, validateProps, six -API- exports) | src/main/cdk/stacks/purpose/partition-email.ts + test | devops-engineer |
| T-I5-dev | Per-partition instance config for dev | src/main/cdk/instances/Alpha002/dev.ts | devops-engineer |
| T-I6 | Extend apps/Al1x/partition.ts to instantiate PartitionEmailStack per active partition (+ .publish() from App, never from constructor) | src/main/cdk/apps/Al1x/partition.ts | devops-engineer |
| T-I8 | Author tools/register-partition-mail-signature.ts with two-arg CLI + usage output | tools/register-partition-mail-signature.ts + test | devops-engineer |
| T-I10 | Extend amm.sh with partition-mail step (op read + ::add-mask:: + Phase A + cdk deploy) | amm.sh | devops-engineer |
| T-D1 | Verification entries (V-PART-001..020 for dev, V-IAC-003..008, V-CLI-001..005) | documentation worktree → 4-runtime-platform-updates/design/verification.md | devops-engineer |
| T-D8 | Infra CHANGELOG.md entry | CHANGELOG.md | devops-engineer |
| T-O1-dev | Pre-flight checks for dev | none (operator-driven) | user |
| T-O3 | Operator runs ./amm.sh Alpha002 dev after PR merges | none (operator-driven) | user |
| T-O4 | Operator replies to Postmark Compliance ticket #11236089 with verified-domain evidence | none (email thread) | user |
Worktree strategy
Single working directory: /Users/jmp/code/arda/projects/email-integration-worktrees/phase-4/infrastructure. T-D1 edits the documentation worktree directly. Pre-merge operator verification of amm.sh Alpha002 dev happens against the PR branch locally before merge (recommended).
Validation
validate-exit.sh covers all code-side exit criteria. Operator-driven gates (T-O1, T-O3, T-O4) record outcomes in the verification.md sign-off table.
Exit criteria
- `npm run build && npm run lint && npm test` exit 0.
- `cdk synth --app apps/Al1x/partition --context partition=dev` produces a valid template; CFN stack name is `Alpha002-dev-Email`.
- `partition-email.test.ts` passes including: `findOutputs("*", {Export: {Name: ...}})` checks for all six `-API-` exports (V-PART-002, 012, 015, 018, 020); CFN_IO_MARKER witness output also asserted; `route53:GetChange` negative test passes.
- `register-partition-mail-signature.test.ts` covers happy path, no-args (usage output), invalid `<infrastructure>`, `SandboxKyle002` rejection (PDEV-438), partition/infrastructure mismatch, Postmark API failure, 1P resolution failure.
- `amm.sh` dry-run emits the three calls in order (`op read`, `npx ts-node tools/register-partition-mail-signature.ts Alpha002 dev`, `cdk deploy Alpha002-dev-Email --parameters PostmarkAccountToken=...`) with `::add-mask::` applied.
- PR opened; checks green; reviewer approval received.
- Post-merge operator: `./amm.sh Alpha002 dev` runs end-to-end. All `dig` checks pass for `dev.ardamails.com`. Postmark Console shows the `dev.ardamails.com` Sender Signature with DKIM and Return-Path verified. T-O4 reply sent. Sign-off row populated.
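A check for the `amm.sh` dry-run criterion above, as an added example (not the project's `amm.sh` or `validate-exit.sh`). It assumes the dry-run prints one command per line; `check_dry_run`, `sample_transcript`, the sample token and the `op://` placeholder are hypothetical names and constructed values.

```shell
# Added example. Assumption: the dry-run prints one command per line.
SAMPLE_TOKEN='pm-constructed-token-0000'   # constructed value, not a real credential

# Constructed dry-run transcript; the 1Password reference is a placeholder.
sample_transcript() {
  cat <<EOF
op read op://<vault>/<item>/<field>
::add-mask::$SAMPLE_TOKEN
npx ts-node tools/register-partition-mail-signature.ts Alpha002 dev
cdk deploy Alpha002-dev-Email --parameters PostmarkAccountToken=***
EOF
}

# check_dry_run <infrastructure> <partition> <secret>   (transcript on stdin)
# Prints "ok" and returns 0 only if the three calls appear in order, ::add-mask::
# precedes Phase A, and the secret never appears outside the ::add-mask:: line.
# The secret reaches awk through the environment, not argv, so `ps` cannot show it.
check_dry_run() {
  INFRA=$1 PART=$2 SECRET=$3 awk '
    function fail(msg) { if (!bad) print "FAIL: " msg; bad = 1 }
    BEGIN {
      secret = ENVIRON["SECRET"]
      tool   = "tools/register-partition-mail-signature.ts " ENVIRON["INFRA"] " " ENVIRON["PART"]
      deploy = "cdk deploy " ENVIRON["INFRA"] "-" ENVIRON["PART"] "-Email "
      step   = 0
    }
    index($0, "::add-mask::") == 1 { masked = 1; next }
    secret != "" && index($0, secret) { fail("secret in clear on line " NR) }
    index($0, "op read ") == 1 { if (step != 0) fail("op read out of order"); step = 1; next }
    index($0, tool) {
      if (step != 1) fail("Phase A out of order")
      if (!masked)   fail("Phase A ran before ::add-mask::")
      step = 2; next
    }
    index($0, deploy) == 1 {
      if (step != 2) fail("cdk deploy out of order")
      if (!index($0, "PostmarkAccountToken=")) fail("token parameter missing")
      step = 3; next
    }
    END {
      if (!bad && step != 3) fail("expected 3 calls, matched " step)
      if (bad) exit 1
      print "ok"
    }'
}

sample_transcript | check_dry_run Alpha002 dev "$SAMPLE_TOKEN"
```

Outside GitHub Actions the `::add-mask::` workflow command is plain output, so a local dry-run that echoes it prints the token to the terminal; the check therefore tolerates the secret on that line only.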
References
- `../../choreography.md` — sequencing + operator gates.
- `../../../design/specification.md` — T-I4, T-I5, T-I6, T-I8, T-I10, T-O1, T-O3, T-O4.
- `../../../design/verification.md` — V-PART-001..020, V-IAC-003..008, V-CLI-001..005.
- `../../../design/exports.md` § 1 — the six `-API-` exports.
Copyright: (c) Arda Systems 2025-2026, All rights reserved