Skip to content

Fix #136: thin lesser-body runner and gate template certification #142

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
aron23 merged 5 commits into from
Mar 31, 2026
Merged

Fix #136: thin lesser-body runner and gate template certification #142

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
ce16357
Fix #137: thin RUN_MODE=lesser-body runner
aron23 Mar 31, 2026
06da024
Fix #138: skip Node/CDK install for lesser-body
aron23 Mar 31, 2026
d7b95b9
Fix #139: gate lesser-body changeset certification
aron23 Mar 31, 2026
c399ec0
Fix #140: keep managed-release certification valid
aron23 Mar 31, 2026
8e5e1d6
Fix #141: preflight large templates for --s3-bucket
aron23 Mar 31, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
143 changes: 0 additions & 143 deletions .github/workflows/managed-release-canary.yml
View file
Open in desktop

This file was deleted.

39 changes: 22 additions & 17 deletions cdk/lib/lesser-host-stack.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -347,23 +347,28 @@ export class LesserHostStack extends cdk.Stack {
},
phases: {
install: {
commands: [
'set -euo pipefail',
'echo "Installing runner tools..."',
'if command -v yum >/dev/null 2>&1; then yum install -y jq tar gzip unzip openssl; fi',
'if command -v apt-get >/dev/null 2>&1; then apt-get update -y && apt-get install -y jq tar gzip unzip openssl; fi',
'node -v || true',
'npm -v || true',
'if ! command -v n >/dev/null 2>&1; then npm install -g n; fi',
'n 24',
'hash -r',
'node -v',
'npm install -g aws-cdk@2',
'npm install -g pnpm@9',
'cdk --version',
'pnpm --version',
],
},
commands: [
'set -euo pipefail',
'echo "Installing runner tools..."',
'if command -v yum >/dev/null 2>&1; then yum install -y jq tar gzip unzip openssl; fi',
'if command -v apt-get >/dev/null 2>&1; then apt-get update -y && apt-get install -y jq tar gzip unzip openssl; fi',
'RUN_MODE="${RUN_MODE:-lesser}"',
'if [ "$RUN_MODE" = "lesser-body" ]; then',
' echo "Skipping Node/CDK/pnpm install for RUN_MODE=lesser-body"',
'else',
' node -v || true',
' npm -v || true',
' if ! command -v n >/dev/null 2>&1; then npm install -g n; fi',
' n 24',
' hash -r',
' node -v',
' npm install -g aws-cdk@2',
' npm install -g pnpm@9',
' cdk --version',
' pnpm --version',
'fi',
],
},
pre_build: {
commands: [provisionRunnerPreBuild],
},
Expand Down
116 changes: 71 additions & 45 deletions cdk/lib/provision-runner-buildspec.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -190,6 +190,77 @@ export function renderProvisionRunnerBuildCommands(): string {
' fi',
' return 1',
'}',
'if [ "$RUN_MODE" = "lesser-body" ]; then',
' echo "Deploying lesser-body (AgentCore MCP)..."',
' : "${APP_SLUG:?APP_SLUG is required}"',
' : "${BASE_DOMAIN:?BASE_DOMAIN is required}"',
' : "${STAGE:?STAGE is required}"',
' : "${TARGET_ACCOUNT_ID:?TARGET_ACCOUNT_ID is required}"',
' : "${TARGET_REGION:?TARGET_REGION is required}"',
' : "${ARTIFACT_BUCKET:?ARTIFACT_BUCKET is required}"',
' : "${RECEIPT_S3_KEY:?RECEIPT_S3_KEY is required}"',
'',
' STATE_DIR="$HOME/.lesser/$APP_SLUG/$BASE_DOMAIN"',
' mkdir -p "$STATE_DIR"',
' STAGE_DOMAIN="$BASE_DOMAIN"',
' if [ "$STAGE" != "live" ]; then STAGE_DOMAIN="$STAGE.$BASE_DOMAIN"; fi',
'',
' BODY_OWNER="${LESSER_BODY_GITHUB_OWNER:-equaltoai}"',
' BODY_REPO="${LESSER_BODY_GITHUB_REPO:-lesser-body}"',
' BODY_TAG="${LESSER_BODY_VERSION:-}"',
' BODY_TAG_NORMALIZED=$(printf "%s" "$BODY_TAG" | tr "[:upper:]" "[:lower:]")',
' if [ -z "$BODY_TAG" ] || [ "$BODY_TAG_NORMALIZED" = "latest" ]; then',
' echo "Resolving latest lesser-body release..."',
' BODY_TAG=$(resolve_latest_release_tag "$BODY_OWNER" "$BODY_REPO")',
' fi',
' test -n "$BODY_TAG" && test "$BODY_TAG" != "null"',
' echo "Using lesser-body release: $BODY_TAG"',
' BODY_RELEASE_DIR="$(pwd)/lesser-body-release"',
' prepare_lesser_body_release_dir "$BODY_RELEASE_DIR" "$BODY_OWNER" "$BODY_REPO" "$BODY_TAG" "$STAGE"',
' BODY_STACK_NAME="$APP_SLUG-$STAGE-lesser-body"',
' BODY_TEMPLATE_PATH="lesser-body-managed-$STAGE.template.json"',
' BODY_ASSET_BUCKET="cdk-hnb659fds-assets-$TARGET_ACCOUNT_ID-$TARGET_REGION"',
' BODY_ASSET_PREFIX="managed/lesser-body/$APP_SLUG/$STAGE/$BODY_TAG"',
' BODY_TEMPLATE_CERT_PATH="$STATE_DIR/body-template-certification.json"',
' BODY_FAILURE_PATH="$STATE_DIR/body-failure.json"',
' BODY_TEMPLATE_CERT_LOG="$STATE_DIR/body-template-certification.log"',
' BODY_DEPLOY_LOG="$STATE_DIR/body-deploy.log"',
' rm -f "$BODY_TEMPLATE_CERT_PATH" "$BODY_FAILURE_PATH" "$BODY_TEMPLATE_CERT_LOG" "$BODY_DEPLOY_LOG"',
'',
' BODY_TEMPLATE_CERTIFY="${BODY_TEMPLATE_CERTIFY:-}"',
' BODY_TEMPLATE_CERTIFY_NORMALIZED=$(printf "%s" "$BODY_TEMPLATE_CERTIFY" | tr "[:upper:]" "[:lower:]")',
' if [ "$BODY_TEMPLATE_CERTIFY_NORMALIZED" = "true" ] || [ "$BODY_TEMPLATE_CERTIFY_NORMALIZED" = "1" ] || [ "$BODY_TEMPLATE_CERTIFY_NORMALIZED" = "yes" ] || [ "$BODY_TEMPLATE_CERTIFY_NORMALIZED" = "on" ]; then',
' echo "Certifying lesser-body CloudFormation changeset..."',
' if run_lesser_body_helper_with_capture "$BODY_TEMPLATE_CERT_LOG" env AWS_PROFILE=managed bash "$BODY_RELEASE_DIR/deploy-lesser-body-from-release.sh" --stack-name "$BODY_STACK_NAME" --asset-bucket "$BODY_ASSET_BUCKET" --asset-prefix "$BODY_ASSET_PREFIX" --app "$APP_SLUG" --stage "$STAGE" --base-domain "$BASE_DOMAIN" --no-execute-changeset; then',
' write_lesser_body_artifact "$BODY_TEMPLATE_CERT_PATH" "passed" "$BODY_TAG" "$BODY_TEMPLATE_PATH" "$BODY_STACK_NAME" "cloudformation_deploy_no_execute_changeset" "$BODY_TEMPLATE_CERT_LOG"',
' upload_optional_artifact "$BODY_TEMPLATE_CERT_PATH" "${BODY_TEMPLATE_CERT_S3_KEY:-}"',
' else',
' write_lesser_body_artifact "$BODY_TEMPLATE_CERT_PATH" "failed" "$BODY_TAG" "$BODY_TEMPLATE_PATH" "$BODY_STACK_NAME" "cloudformation_deploy_no_execute_changeset" "$BODY_TEMPLATE_CERT_LOG"',
' upload_optional_artifact "$BODY_TEMPLATE_CERT_PATH" "${BODY_TEMPLATE_CERT_S3_KEY:-}"',
' write_lesser_body_artifact "$BODY_FAILURE_PATH" "failed" "$BODY_TAG" "$BODY_TEMPLATE_PATH" "$BODY_STACK_NAME" "cloudformation_deploy_no_execute_changeset" "$BODY_TEMPLATE_CERT_LOG"',
' upload_optional_artifact "$BODY_FAILURE_PATH" "${BODY_FAILURE_S3_KEY:-}"',
' fail "lesser-body template certification failed for $BODY_TEMPLATE_PATH"',
' fi',
' else',
' echo "Skipping lesser-body changeset certification (BODY_TEMPLATE_CERTIFY not enabled)."',
' echo "Skipped: BODY_TEMPLATE_CERTIFY is not enabled." > "$BODY_TEMPLATE_CERT_LOG"',
' write_lesser_body_artifact "$BODY_TEMPLATE_CERT_PATH" "skipped" "$BODY_TAG" "$BODY_TEMPLATE_PATH" "$BODY_STACK_NAME" "cloudformation_deploy_no_execute_changeset" "$BODY_TEMPLATE_CERT_LOG"',
' upload_optional_artifact "$BODY_TEMPLATE_CERT_PATH" "${BODY_TEMPLATE_CERT_S3_KEY:-}"',
' fi',
' if ! run_lesser_body_helper_with_capture "$BODY_DEPLOY_LOG" env AWS_PROFILE=managed bash "$BODY_RELEASE_DIR/deploy-lesser-body-from-release.sh" --stack-name "$BODY_STACK_NAME" --asset-bucket "$BODY_ASSET_BUCKET" --asset-prefix "$BODY_ASSET_PREFIX" --app "$APP_SLUG" --stage "$STAGE" --base-domain "$BASE_DOMAIN"; then',
' write_lesser_body_artifact "$BODY_FAILURE_PATH" "failed" "$BODY_TAG" "$BODY_TEMPLATE_PATH" "$BODY_STACK_NAME" "cloudformation_deploy" "$BODY_DEPLOY_LOG"',
' upload_optional_artifact "$BODY_FAILURE_PATH" "${BODY_FAILURE_S3_KEY:-}"',
' fail "lesser-body deploy helper failed for $BODY_TEMPLATE_PATH"',
' fi',
' BODY_PARAM="/$APP_SLUG/$STAGE/lesser-body/exports/v1/mcp_lambda_arn"',
' BODY_LAMBDA_ARN=$(aws ssm get-parameter --profile managed --name "$BODY_PARAM" --query "Parameter.Value" --output text)',
' test -n "$BODY_LAMBDA_ARN" && test "$BODY_LAMBDA_ARN" != "null"',
' BODY_RECEIPT_PATH="$STATE_DIR/body-state.json"',
' BODY_RELEASE_GIT_SHA=$(jq -r \'.git_sha // empty\' "$BODY_RELEASE_DIR/lesser-body-release.json")',
' jq -n --arg stage "$STAGE" --arg base_domain "$BASE_DOMAIN" --arg mcp_url "https://api.$STAGE_DOMAIN/mcp/{actor}" --arg version "$BODY_TAG" --arg mcp_lambda_arn "$BODY_LAMBDA_ARN" --arg release_git_sha "$BODY_RELEASE_GIT_SHA" --arg template_path "lesser-body-managed-$STAGE.template.json" \'{version:1,stage:$stage,base_domain:$base_domain,mcp_url:$mcp_url,lesser_body_version:$version,mcp_lambda_arn:$mcp_lambda_arn,managed_deploy_artifacts:{mode:"release",checksums_path:"checksums.txt",release_manifest_path:"lesser-body-release.json",release:{name:"lesser-body",version:$version,git_sha:$release_git_sha,source_checkout_required:false,npm_install_required:false},deploy_artifact:{kind:"lesser_body_managed_deploy",path:"lesser-body.zip",manifest_path:"lesser-body-deploy.json",script_path:"deploy-lesser-body-from-release.sh",template_path:$template_path}}}\' > "$BODY_RECEIPT_PATH"',
' aws s3 cp "$BODY_RECEIPT_PATH" "s3://$ARTIFACT_BUCKET/$RECEIPT_S3_KEY"',
' exit 0',
'fi',
'TAG_NORMALIZED=$(printf "%s" "$TAG" | tr "[:upper:]" "[:lower:]")',
'if [ -z "$TAG" ] || [ "$TAG_NORMALIZED" = "latest" ]; then',
' echo "Resolving latest Lesser release..."',
Expand Down Expand Up @@ -312,51 +383,6 @@ export function renderProvisionRunnerBuildCommands(): string {
" jq --slurpfile release \"$LESSER_RELEASE_DIR/lesser-release.json\" --slurpfile bundle \"$LESSER_RELEASE_DIR/lesser-lambda-bundle.json\" --slurpfile metadata \"$LAMBDA_METADATA_PATH\" '. + {managed_deploy_artifacts:{mode:($metadata[0].mode // \"release\"),checksums_path:\"checksums.txt\",release_manifest_path:\"lesser-release.json\",release:{name:($release[0].name // \"\"),version:($release[0].version // \"\"),git_sha:($release[0].git_sha // \"\")},deploy_artifact:{kind:\"lambda_bundle\",path:($bundle[0].bundle.path // \"\"),manifest_path:\"lesser-lambda-bundle.json\",files:($metadata[0].files // ($bundle[0].files | map(.path))),prepared_at:($metadata[0].prepared_at // \"\")}}}' \"$RECEIPT_PATH\" > \"$MANAGED_RECEIPT_PATH\"",
' aws s3 cp "$MANAGED_RECEIPT_PATH" "s3://$ARTIFACT_BUCKET/$RECEIPT_S3_KEY"',
' if [ -f /tmp/bootstrap.json ]; then aws s3 cp /tmp/bootstrap.json "s3://$ARTIFACT_BUCKET/$BOOTSTRAP_S3_KEY"; fi',
'elif [ "$RUN_MODE" = "lesser-body" ]; then',
' echo "Deploying lesser-body (AgentCore MCP)..."',
' BODY_OWNER="${LESSER_BODY_GITHUB_OWNER:-equaltoai}"',
' BODY_REPO="${LESSER_BODY_GITHUB_REPO:-lesser-body}"',
' BODY_TAG="${LESSER_BODY_VERSION:-}"',
' BODY_TAG_NORMALIZED=$(printf "%s" "$BODY_TAG" | tr "[:upper:]" "[:lower:]")',
' if [ -z "$BODY_TAG" ] || [ "$BODY_TAG_NORMALIZED" = "latest" ]; then',
' echo "Resolving latest lesser-body release..."',
' BODY_TAG=$(resolve_latest_release_tag "$BODY_OWNER" "$BODY_REPO")',
' fi',
' test -n "$BODY_TAG" && test "$BODY_TAG" != "null"',
' echo "Using lesser-body release: $BODY_TAG"',
' BODY_RELEASE_DIR="$(pwd)/lesser-body-release"',
' prepare_lesser_body_release_dir "$BODY_RELEASE_DIR" "$BODY_OWNER" "$BODY_REPO" "$BODY_TAG" "$STAGE"',
' BODY_STACK_NAME="$APP_SLUG-$STAGE-lesser-body"',
' BODY_TEMPLATE_PATH="lesser-body-managed-$STAGE.template.json"',
' BODY_ASSET_BUCKET="cdk-hnb659fds-assets-$TARGET_ACCOUNT_ID-$TARGET_REGION"',
' BODY_ASSET_PREFIX="managed/lesser-body/$APP_SLUG/$STAGE/$BODY_TAG"',
' BODY_TEMPLATE_CERT_PATH="$STATE_DIR/body-template-certification.json"',
' BODY_FAILURE_PATH="$STATE_DIR/body-failure.json"',
' BODY_TEMPLATE_CERT_LOG="$STATE_DIR/body-template-certification.log"',
' BODY_DEPLOY_LOG="$STATE_DIR/body-deploy.log"',
' rm -f "$BODY_TEMPLATE_CERT_PATH" "$BODY_FAILURE_PATH" "$BODY_TEMPLATE_CERT_LOG" "$BODY_DEPLOY_LOG"',
' if run_lesser_body_helper_with_capture "$BODY_TEMPLATE_CERT_LOG" env AWS_PROFILE=managed bash "$BODY_RELEASE_DIR/deploy-lesser-body-from-release.sh" --stack-name "$BODY_STACK_NAME" --asset-bucket "$BODY_ASSET_BUCKET" --asset-prefix "$BODY_ASSET_PREFIX" --app "$APP_SLUG" --stage "$STAGE" --base-domain "$BASE_DOMAIN" --no-execute-changeset; then',
' write_lesser_body_artifact "$BODY_TEMPLATE_CERT_PATH" "passed" "$BODY_TAG" "$BODY_TEMPLATE_PATH" "$BODY_STACK_NAME" "cloudformation_deploy_no_execute_changeset" "$BODY_TEMPLATE_CERT_LOG"',
' upload_optional_artifact "$BODY_TEMPLATE_CERT_PATH" "${BODY_TEMPLATE_CERT_S3_KEY:-}"',
' else',
' write_lesser_body_artifact "$BODY_TEMPLATE_CERT_PATH" "failed" "$BODY_TAG" "$BODY_TEMPLATE_PATH" "$BODY_STACK_NAME" "cloudformation_deploy_no_execute_changeset" "$BODY_TEMPLATE_CERT_LOG"',
' upload_optional_artifact "$BODY_TEMPLATE_CERT_PATH" "${BODY_TEMPLATE_CERT_S3_KEY:-}"',
' write_lesser_body_artifact "$BODY_FAILURE_PATH" "failed" "$BODY_TAG" "$BODY_TEMPLATE_PATH" "$BODY_STACK_NAME" "cloudformation_deploy_no_execute_changeset" "$BODY_TEMPLATE_CERT_LOG"',
' upload_optional_artifact "$BODY_FAILURE_PATH" "${BODY_FAILURE_S3_KEY:-}"',
' fail "lesser-body template certification failed for $BODY_TEMPLATE_PATH"',
' fi',
' if ! run_lesser_body_helper_with_capture "$BODY_DEPLOY_LOG" env AWS_PROFILE=managed bash "$BODY_RELEASE_DIR/deploy-lesser-body-from-release.sh" --stack-name "$BODY_STACK_NAME" --asset-bucket "$BODY_ASSET_BUCKET" --asset-prefix "$BODY_ASSET_PREFIX" --app "$APP_SLUG" --stage "$STAGE" --base-domain "$BASE_DOMAIN"; then',
' write_lesser_body_artifact "$BODY_FAILURE_PATH" "failed" "$BODY_TAG" "$BODY_TEMPLATE_PATH" "$BODY_STACK_NAME" "cloudformation_deploy" "$BODY_DEPLOY_LOG"',
' upload_optional_artifact "$BODY_FAILURE_PATH" "${BODY_FAILURE_S3_KEY:-}"',
' fail "lesser-body deploy helper failed for $BODY_TEMPLATE_PATH"',
' fi',
' BODY_PARAM="/$APP_SLUG/$STAGE/lesser-body/exports/v1/mcp_lambda_arn"',
' BODY_LAMBDA_ARN=$(aws ssm get-parameter --profile managed --name "$BODY_PARAM" --query "Parameter.Value" --output text)',
' test -n "$BODY_LAMBDA_ARN" && test "$BODY_LAMBDA_ARN" != "null"',
' BODY_RECEIPT_PATH="$STATE_DIR/body-state.json"',
' BODY_RELEASE_GIT_SHA=$(jq -r \'.git_sha // empty\' "$BODY_RELEASE_DIR/lesser-body-release.json")',
' jq -n --arg stage "$STAGE" --arg base_domain "$BASE_DOMAIN" --arg mcp_url "https://api.$STAGE_DOMAIN/mcp/{actor}" --arg version "$BODY_TAG" --arg mcp_lambda_arn "$BODY_LAMBDA_ARN" --arg release_git_sha "$BODY_RELEASE_GIT_SHA" --arg template_path "lesser-body-managed-$STAGE.template.json" \'{version:1,stage:$stage,base_domain:$base_domain,mcp_url:$mcp_url,lesser_body_version:$version,mcp_lambda_arn:$mcp_lambda_arn,managed_deploy_artifacts:{mode:"release",checksums_path:"checksums.txt",release_manifest_path:"lesser-body-release.json",release:{name:"lesser-body",version:$version,git_sha:$release_git_sha,source_checkout_required:false,npm_install_required:false},deploy_artifact:{kind:"lesser_body_managed_deploy",path:"lesser-body.zip",manifest_path:"lesser-body-deploy.json",script_path:"deploy-lesser-body-from-release.sh",template_path:$template_path}}}\' > "$BODY_RECEIPT_PATH"',
' aws s3 cp "$BODY_RECEIPT_PATH" "s3://$ARTIFACT_BUCKET/$RECEIPT_S3_KEY"',
'elif [ "$RUN_MODE" = "lesser-mcp" ]; then',
' echo "Wiring POST /mcp/{actor} on existing Lesser API domain..."',
' echo "Installing Lesser lambda bundle from release assets..."',
Expand Down
Loading
Loading