Run 1: DNS Foundation
Establishes the assets.arda.cards DNS hierarchy and ACM certificates required by the image CDN. Corresponds to Phase 0 and specification.md section 2.4.
Entry Criteria
| # | Criterion | Verification Command | Expected Output |
|---|---|---|---|
| 1 | Infrastructure repo cloned and dependencies installed | ls infrastructure/package.json | File exists |
| 2 | AWS credentials for root account available | aws sts get-caller-identity --profile Admin-Root | Account 841876193886 |
| 3 | AWS credentials for target infra account available | aws sts get-caller-identity | Account for target infra |
| 4 | Worktree created | git -C <worktree-path> branch --show-current | jmpicnic/image-upload-infrastructure/run-1 |
Artifact Specifications
| Artifact | Path | Format | Description |
|---|---|---|---|
| Root stack modification | src/main/cdk/stacks/root/root-configuration-stack.ts | TypeScript | Add assetsZone export |
| Infra ingress modification | src/main/cdk/stacks/infrastructure/ingress-stack.ts | TypeScript | Add assets subdomain zone, NS delegation, ACM cert, exports |
| ImportingStack modification | src/main/cdk/apps/Al1x/util.ts | TypeScript | Import assetsHostedZone and assetsCertificateArn |
| Domain convention | src/main/cdk/platform/ari-configuration.ts | TypeScript | Add ASSETS_DOMAIN_PREFIX, ASSETS_DOMAIN, assetsDomain() |
| Root deploy script | deploy-root.sh | Bash | CDK bootstrap + deploy for root account (profile: Admin-PlatformRoot) |
| Root CI check | tools/ci-root-check.js | JavaScript | Synth root configuration targets separately from ci-check.js |
Task List
| # | Task | Persona | Depends On | Status | Acceptance Criteria |
|---|---|---|---|---|---|
| 1.1 | Add ASSETS_DOMAIN_PREFIX, ASSETS_DOMAIN, assetsDomain() to ari-configuration.ts | devops-engineer | — | Pending | Function returns <purpose>.assets.arda.cards; follows apiGatewayDomain() pattern |
| 1.2 | Add assets.arda.cards zone to RootConfigurationStack | devops-engineer | 1.1 | Pending | New PublicHostedZone; assetsZone added to ExportKeys and publish(); follows io/app/auth pattern |
| 1.3 | Add <infra>.assets.arda.cards subdomain zone to InfrastructureIngress | devops-engineer | 1.1 | Pending | Subdomain zone created; NS delegation via WriteNSRecordsToUpstreamDns; follows io/app/auth pattern |
| 1.4 | Add *.<infra>.assets.arda.cards ACM certificate to InfrastructureIngress | devops-engineer | 1.3 | Pending | Wildcard cert with DNS validation against assets subdomain zone; assetsCertificateArn exported |
| 1.5 | Import assets zone and cert in ImportingStack (util.ts) | devops-engineer | 1.3, 1.4 | Pending | importedStack.assetsHostedZone and importedStack.ingressImports.assetsCertificateArn available |
| 1.6 | Create deploy-root.sh (profile: Admin-PlatformRoot) | devops-engineer | — | Pending | Script bootstraps CDK and deploys r53-zones.ts to root account; executable; idempotent |
| 1.7 | Create tools/ci-root-check.js | devops-engineer | 1.2 | Pending | Synths root configuration target; separate from ci-check.js to allow independent evolution |
| 1.8 | Verify npm run ci-check + ci-root-check.js pass (no regressions) | devops-engineer | 1.2-1.7 | Pending | All infra + partition + root targets synthesize without errors (V-003) |
Internal Dependency Graph
1.1 (ari-config) ──→ 1.2 (root zone) ──→ 1.7 (ci-root-check)
             └──→ 1.3 (infra zone) ──→ 1.4 (ACM cert) ──→ 1.5 (ImportingStack)
1.6 (deploy-root.sh) — independent
1.8 (ci-check + ci-root-check) — after all code changes

Tasks 1.1 and 1.6 can start in parallel. Tasks 1.2 and 1.3 can start in parallel after 1.1. Task 1.8 runs last.
Exit Criteria
| # | Criterion | Verification Command | Expected Output |
|---|---|---|---|
| 1 | ci-check passes | npm run ci-check | All targets synth without errors |
| 2 | Root zone deployed | deploy-root.sh && aws route53 list-hosted-zones-by-name --dns-name assets.arda.cards --max-items 1 | Zone exists |
| 3 | Infra zone deployed | amm.sh Alpha002 dev (infra step only) | Stack deploys without errors |
| 4 | DNS resolves | dig NS alpha002.assets.arda.cards | Returns subdomain zone NS records |
| 5 | ACM cert issued | aws acm list-certificates --query "CertificateSummaryList[?DomainName=='*.alpha002.assets.arda.cards'].Status" | ISSUED |
| 6 | Exports available | aws cloudformation list-exports --query "Exports[?contains(Name,'AssetsCertificateArn')]" | Non-empty |
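Exit criterion 4 expects dig to return the subdomain zone's NS records. The following is an added example, not code from the infrastructure repository, that turns that expectation into a pass/fail comparison between the NS set DNS serves and the hosted zone's delegation set. The function names, the `<zone-id>` placeholder and the sample name servers are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not project code). Live inputs would come from:
#   dig +short NS alpha002.assets.arda.cards
#   aws route53 get-hosted-zone --id <zone-id> \
#     --query 'DelegationSet.NameServers' --output text
# <zone-id> is a placeholder; the sample data below is constructed.

# One name per line, lowercase, no trailing dot, sorted, de-duplicated.
ns_normalize() {
  printf '%s\n' "$1" | tr -s ' \t' '\n\n' | tr '[:upper:]' '[:lower:]' |
    sed -e 's/\.$//' -e '/^$/d' | sort -u
}

# Names in list $1 that are absent from list $2.
ns_only_in() {
  for n in $(ns_normalize "$1"); do
    ns_normalize "$2" | grep -Fxq -- "$n" || printf '%s\n' "$n"
  done
}

# $1 = NS set DNS returns for the subdomain, $2 = the zone's delegation set.
# Prints OK and returns 0 only when both sets are non-empty and identical.
ns_delegation_ok() {
  if [ -z "$(ns_normalize "$1")" ]; then
    echo "FAIL: no NS records returned"; return 1
  fi
  extra=$(ns_only_in "$1" "$2")     # delegated to, but not a zone server
  missing=$(ns_only_in "$2" "$1")   # zone server the parent does not list
  if [ -z "$extra$missing" ]; then echo "OK"; return 0; fi
  [ -z "$extra" ] || echo "FAIL: not in hosted zone: $extra"
  [ -z "$missing" ] || echo "FAIL: missing from delegation: $missing"
  return 1
}

# Constructed samples: dig-style (trailing dots, mixed case) and aws text output.
SAMPLE_DIG='ns-101.awsdns-example.org.
NS-202.awsdns-example.net.
ns-303.awsdns-example.com.
ns-404.awsdns-example.co.uk.'
SAMPLE_ZONE=$(printf 'ns-101.awsdns-example.org\tns-202.awsdns-example.net\tns-303.awsdns-example.com\tns-404.awsdns-example.co.uk')
SAMPLE_STALE='ns-999.awsdns-example.org.
ns-202.awsdns-example.net.
ns-303.awsdns-example.com.
ns-404.awsdns-example.co.uk.'

ns_delegation_ok "$SAMPLE_DIG" "$SAMPLE_ZONE"
ns_delegation_ok "$SAMPLE_STALE" "$SAMPLE_ZONE" || true
```

A mismatch in either direction fails the check, so a delegation that still points at name servers from a replaced zone is reported rather than passing because dig returned some answer.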
Agent Prompt Templates
devops-engineer — de-dns-foundation

Implement the DNS foundation for the assets.arda.cards domain in the infrastructure repository. Working directory: <worktree-path>.

Follow specification.md section 2.4 for all changes. The existing io/app/auth zone pattern in root-configuration-stack.ts and ingress-stack.ts is the model.

Tasks: 1.1 through 1.7 in this plan. Run npm run ci-check after all code changes to verify no regressions.
Handoff
Artifacts Consumed (from previous runs)
None — this is the first run.
Artifacts Produced (for subsequent runs)
| Artifact | Consumer Run | Path |
|---|---|---|
| assetsHostedZone import in ImportingStack | Run 2 | src/main/cdk/apps/Al1x/util.ts |
| assetsCertificateArn import in ImportingStack | Run 2 | src/main/cdk/apps/Al1x/util.ts |
| assetsDomain() function | Run 2 | src/main/cdk/platform/ari-configuration.ts |
| Deployed assets.arda.cards zone (in AWS) | Run 2 | — (runtime dependency) |
| Deployed ACM cert (in AWS) | Run 2 | — (runtime dependency) |
Copyright: (c) Arda Systems 2025-2026, All rights reserved