Feature Specification: aws-sandbox npm Package Release v0.3.18

Status: APPROVED Created: 2026-02-01 Updated: 2026-02-02 Version: 0.3.18 ADLC Framework: v3.1.0 Constitutional Compliance: CHK049 (Agentic Behavior Spec), CHK050 (SOPs Defined)

1. Executive Summary

1.1 Feature Overview

Release the aws-sandbox npm package (v0.3.18) - an Enterprise AWS account vending solution with self-service sandbox provisioning, implementing the ADLC 6+1 phase lifecycle with Consumer E2E validation (Phase 3.5) as the primary quality gate.

1.2 Business Value

Metric	Value	Evidence
Risk Mitigation	Prevent 100% broken npm publishes	v0.3.3-v0.3.9 incident (7 broken versions)
Time Savings	70-80% automation via CDK	Manual vs IaC comparison
Cost Control	$0 testing (Tier 1+2 on LocalStack)	No AWS charges for validation

1.3 Target Users

Developers: Self-service sandbox provisioning
Cloud Architects: AWS Organizations integration
Platform Engineers: Enterprise account vending automation

2. Problem Statement

2.1 Current State

The aws-sandbox npm package (v0.3.18) has:

29/29 Tier 1 snapshot tests PASS (5.38s, $0)
11/11 Tier 2 LocalStack tests PASS (1.28s, $0)
58/58 Constitutional checkpoints PASS

Gap Identified: Phase 3.5 Consumer E2E Deploy validation has never been executed. Historical evidence from v0.3.3-v0.3.9 shows that developer mode tests can pass while consumer mode (npm package installation) fails at runtime.

2.2 Root Cause Analysis

Version	Issue	Root Cause
v0.3.3	Package failed to install	Missing `files` in package.json
v0.3.4-v0.3.7	CLI not executable	Broken shebang in bin/cli.js
v0.3.8	Consumer mode not detected	app.cjs not bundled
v0.3.9	LocalStack deploy failed	Lambda bundles missing

2.3 Target State

Phase 3.5 Consumer E2E Deploy executed and PASS
5-layer validation strategy per ADR-005
Evidence captured to tmp/cdk/release-logs/
npm publish only after Phase 3.5 PASS gate

3. Requirements

3.1 Functional Requirements

FR-001: Phase 3.5 Consumer E2E Deploy

Priority: P0 (BLOCKING) Description: Execute Consumer E2E validation before npm publish

Acceptance Criteria:

ID	Given	When	Then
AC-1	[email protected] tarball created	npm pack executed	Valid .tgz file generated
AC-2	Fresh consumer environment	npm install aws-sandbox-0.3.18.tgz	Package installs successfully
AC-3	Package installed	npx aws-sandbox --version	Returns "0.3.18"
AC-4	Consumer mode active	npx aws-sandbox synth --all	CloudFormation templates generated
AC-5	LocalStack running	npx aws-sandbox deploy --localstack	All stacks CREATE_COMPLETE

FR-002: 3-Tier Testing

Priority: P0 (Required) Description: Validate package quality through 3-tier testing strategy

Tier	Tests	Duration	Cost	Coverage
Tier 1	29/29	5.38s	$0	70-80%
Tier 2	11/11	1.28s	$0	+15-20%
Tier 3	Deferred	5-10min	~$50/mo	+5-10%

FR-003: npm Package Contents

Priority: P0 (Required) Description: Package must include all required files

aws-sandbox-0.3.18.tgz
├── bin/cli.js                                    # CLI entrypoint
├── lib/                                          # Compiled TypeScript
│   ├── index.js
│   ├── stacks/
│   └── helpers/
├── source/infrastructure/dist/
│   └── infrastructure/bin/app.cjs               # Pre-bundled consumer app (~58MB)
├── source/lambdas-bundled/
│   ├── accounts-api/*.zip                       # Lambda bundles
│   └── lease-manager/*.zip
└── source/frontend/dist/                        # React frontend build

3.2 Non-Functional Requirements

NFR-001: Performance

Metric	Target	Actual
Tier 1 execution	≤10s	5.38s
Tier 2 execution	≤60s	1.28s
npm install time	≤30s	TBD
Consumer deploy time	≤5min	TBD

NFR-002: Reliability

Metric	Target
Tier 1 pass rate	100%
Tier 2 pass rate	100% (with 25 documented skips per ADR-003)
Consumer deploy success	100%

NFR-003: Security

Apache-2.0 license compliance
npm audit: ≤5 high vulnerabilities (current: 54)
No secrets in package

4. INVEST User Stories

US-001: Phase 3.5 Consumer E2E Deploy (P0)

Independent: Can execute after Tier 1+2 PASS Negotiable: 5-layer strategy per ADR-005 Valuable: Prevents 100% of broken npm publishes Estimable: 0.75 days effort Small: Single validation workflow Testable: Binary PASS/FAIL with evidence

As a release-manager
I want Consumer E2E deploy to succeed on LocalStack
So that npm publish doesn't ship broken packages

WSJF Score: 20.0 (highest priority)

US-002: Tier 3 AWS E2E Tests (P1)

Deferred: To v0.4.0 cycle with documented exemption

As a cloud-architect
I want real AWS deployment validation
So that AWS-specific behaviors are verified

WSJF Score: 6.5

US-003: npm Vulnerabilities Remediation (P2)

Deferred: To v0.4.0 cycle

As a security-engineer
I want npm audit vulnerabilities reduced
So that published package meets enterprise standards

WSJF Score: 8.0

5. Architecture Decisions

ADR	Title	Status
ADR-001	LocalStack Services Configuration	Approved
ADR-005	Consumer E2E Strategy	Approved
ADR-006	Tier 3 Testing Architecture	Approved
ADR-007	npm Publish Pipeline	Approved

5.2 Deployment Targets

LocalStack (Tier 2): $0, 85% coverage
AWS Sandbox (Tier 3): ~$50/mo, 100% coverage (deferred)

5.3 CDK Stacks

Stack	Resources	LocalStack	AWS
InnovationSandbox-Data	19	Full	Full
InnovationSandbox-Compute	26	85%	100%
InnovationSandbox-AccountPool	-	No	Yes (Organizations)
InnovationSandbox-IDC	-	No	Yes (Identity Center)

6. Risk Assessment

6.1 Technical Risks

Risk	Probability	Impact	Mitigation
Consumer deploy fails	MEDIUM	HIGH	5-layer validation (ADR-005)
LocalStack parity gaps	HIGH	MEDIUM	Tier 3 deferred with exemption
app.cjs bundling fails	LOW	HIGH	Build step in Phase 2

6.2 Business Risks

Risk	Probability	Impact	Mitigation
Broken npm publish	HIGH (without Phase 3.5)	HIGH	Phase 3.5 BLOCKING gate
User adoption failure	LOW	MEDIUM	CLI UX validation in Phase 3.5

7. Success Criteria

7.1 Definition of Done

Phase 3.5 Consumer E2E Deploy: PASS
Evidence captured: tmp/cdk/release-logs/phase3.5-consumer-*.log
0 deploy errors in evidence log
npm pack creates valid tarball
CLI commands work in consumer mode
HITL approval obtained for npm publish

7.2 KPIs

KPI	Target	Baseline
Phase 3.5 pass rate	100%	N/A (first execution)
Consumer install success	100%	Unknown
npm download increase	+10%	Current downloads

8. Constraints

8.1 Technical Constraints

LocalStack Free tier limitations (Lambda Layers require Pro)
Docker required for LocalStack testing
Node.js ≥18 for ESM support

8.2 Business Constraints

HITL required for npm publish (Phase 5+)
Tier 3 testing deferred (cost: ~$50/mo)
Constitutional compliance required (58 checkpoints)

8.3 Assumptions (RQ3 Upgrade)

ID	Assumption	Risk if Invalid	Validation Method
A-001	LocalStack provides ≥85% AWS service parity for CDK stacks	Phase 3.5 may fail on unsupported services	Tier 2 test coverage analysis
A-002	Consumer environment has Docker available for LocalStack	Users cannot run Phase 3.5 locally	README prerequisites check
A-003	npm package structure remains stable (no breaking changes)	Consumer imports fail	Semantic versioning (0.3.x)
A-004	app.cjs bundling captures all runtime dependencies	Consumer synth fails with missing modules	Phase 3.5 Layer 3 validation
A-005	Lambda bundles are architecture-agnostic (x86_64 + arm64)	Deploy fails on ARM-based LocalStack	Multi-arch build verification
A-006	ADLC agents (product-owner, cloud-architect) are invoked FIRST	STANDALONE_EXECUTION violation	Coordination logs in tmp/

9. Out of Scope

Tier 3 AWS E2E testing (deferred to v0.4.0)
npm vulnerability remediation (deferred to v0.4.0)
AccountPool and IDC stack validation (requires AWS Organizations)
Breaking API changes

10. References

10.1 Evidence Files

File	Purpose
`tmp/cdk/coordination-logs/product-owner-2026-02-01.json`	Business validation
`tmp/cdk/coordination-logs/cloud-architect-2026-02-01.json`	Technical design
`tmp/cdk/architecture-decisions/ADR-005-consumer-e2e-strategy.md`	Phase 3.5 strategy
`tmp/cdk/test-results/tier1-2026-02-01-081221.log`	Tier 1 results
`tmp/cdk/test-results/tier2-2026-02-01-081151.log`	Tier 2 results

10.2 Constitutional Checkpoints

CHK049: Agentic behavior specification - PASS
CHK050: SOPs defined - PASS
CHK051: Prompt design - PASS
CHK052: Agent orchestration - PASS
CHK053: Evaluation framework - PARTIAL (Phase 3.5 pending)

11. Approval

Role	Name	Date	Status
Product Owner	product-owner agent	2026-02-01	APPROVED
Cloud Architect	cloud-architect agent	2026-02-01	APPROVED
HITL Manager	@nnthanh101	PENDING	PENDING

12. Open Questions (RQ3 Upgrade)

ID	Question	Owner	Status	Resolution
Q-001	Should Phase 3.5 run in CI/CD or only locally?	cloud-architect	OPEN	Recommend: Local-first, then GitHub Actions
Q-002	What is the npm audit threshold for publish approval?	security-engineer	OPEN	Current: 54 high vulns, Target: ≤5
Q-003	Should we support ARM64 Lambda bundles?	infrastructure-engineer	OPEN	Deferred to v0.4.0
Q-004	Is LocalStack Pro required for full Phase 3.5 coverage?	qa-engineer	RESOLVED	No - Free tier covers 85% (ADR-001)
Q-005	Should HITL approval be automated via GitHub PR review?	product-owner	OPEN	Recommend: PR approval = HITL approval

13. Architecture Diagrams (RQ4 Cross-Reference)

13.1 Draw.io Diagrams (SVG)

Diagram	Purpose	Location
High-Level Architecture	System context (C4 Level 1)	`cdk/docs/diagrams/architecture/high-level.drawio.svg`
In-Depth Architecture	Container view (C4 Level 2)	`cdk/docs/diagrams/architecture/in-depth.drawio.svg`
Stack Dependencies	CDK stack relationships	`cdk/docs/diagrams/architecture/stack-dependencies.drawio.svg`
Stack Relationships	Inter-stack data flow	`cdk/docs/diagrams/architecture/stack-relationships.drawio.svg`
Software Layers	Application architecture	`cdk/docs/diagrams/architecture/software-architecture-layers.drawio.svg`
Account Cleaner	Cleanup workflow	`cdk/docs/diagrams/architecture/account-cleaner.drawio.svg`
Event Infrastructure	EventBridge patterns	`cdk/docs/diagrams/architecture/event-infrastructure.drawio.svg`
Organizational Units	AWS Organizations structure	`cdk/docs/diagrams/architecture/organizational-units.drawio.svg`
Web App	Frontend architecture	`cdk/docs/diagrams/architecture/web-app.drawio.svg`

13.2 Mermaid Diagrams (Docusaurus-Ready)

Diagram	Purpose	Location
AWS 4-Stack Architecture	architecture-beta + flowchart	`cdk/docs/ARCHITECTURE-DIAGRAMS.md#1`
Consumer E2E Flow	5-layer validation pipeline	`cdk/docs/ARCHITECTURE-DIAGRAMS.md#2`
3-Tier Testing Pipeline	Tier 1 → Tier 2 → Phase 3.5 → Tier 3	`cdk/docs/ARCHITECTURE-DIAGRAMS.md#3`
Deployment Sequence	Phase-based stack deployment	`cdk/docs/ARCHITECTURE-DIAGRAMS.md#4`
npm Package Structure	Tarball contents → consumer usage	`cdk/docs/ARCHITECTURE-DIAGRAMS.md#5`
ADLC 6+1 Lifecycle	Release workflow phases	`cdk/docs/ARCHITECTURE-DIAGRAMS.md#6`
Stack Resource Mapping	DataStack + ComputeStack resources	`cdk/docs/ARCHITECTURE-DIAGRAMS.md#7`

Specification Version: 1.1.0 ADLC Phase: 1.1 (Business Context & KPI Definition) Updated: 2026-02-02 (RQ3+RQ4 Upgrades Applied) Next Action: Execute Phase 3.5 Consumer E2E Deploy

1. Executive Summary​

1.1 Feature Overview​

1.2 Business Value​

1.3 Target Users​

2. Problem Statement​

2.1 Current State​

2.2 Root Cause Analysis​

2.3 Target State​

3. Requirements​

3.1 Functional Requirements​

FR-001: Phase 3.5 Consumer E2E Deploy​

FR-002: 3-Tier Testing​

FR-003: npm Package Contents​

3.2 Non-Functional Requirements​

NFR-001: Performance​

NFR-002: Reliability​

NFR-003: Security​

4. INVEST User Stories​

US-001: Phase 3.5 Consumer E2E Deploy (P0)​

US-002: Tier 3 AWS E2E Tests (P1)​

US-003: npm Vulnerabilities Remediation (P2)​

5. Architecture Decisions​

5.1 Related ADRs​

5.2 Deployment Targets​

5.3 CDK Stacks​

6. Risk Assessment​

6.1 Technical Risks​

6.2 Business Risks​

7. Success Criteria​

7.1 Definition of Done​

7.2 KPIs​

8. Constraints​

8.1 Technical Constraints​

8.2 Business Constraints​

8.3 Assumptions (RQ3 Upgrade)​

9. Out of Scope​

10. References​

10.1 Evidence Files​

10.2 Constitutional Checkpoints​

11. Approval​

12. Open Questions (RQ3 Upgrade)​

13. Architecture Diagrams (RQ4 Cross-Reference)​

13.1 Draw.io Diagrams (SVG)​

13.2 Mermaid Diagrams (Docusaurus-Ready)​