Skip to content

fix(infra): IAM least privilege, collision-safe alert IDs, acknowledged string constants#6

Merged
bsatrom merged 4 commits intomainfrom
fix/infra-iam-alert-ids
Apr 17, 2026
Merged

fix(infra): IAM least privilege, collision-safe alert IDs, acknowledged string constants#6
bsatrom merged 4 commits intomainfrom
fix/infra-iam-alert-ids

Conversation

@bsatrom
Copy link
Copy Markdown
Member

@bsatrom bsatrom commented Apr 15, 2026

Summary

  • Remove aws-marketplace:Subscribe from chat query Lambda IAM role — this permission allows subscribing to paid Marketplace products and should never be in a Lambda execution role; also scope bedrock:InvokeModel to specific model ARNs
  • Replace Math.random() alert ID generation with crypto.randomUUID() — eliminates collision risk at high throughput, uses built-in Node 20 crypto module
  • Add ACKNOWLEDGED constant ('true'/'false' strings) to shared module — prevents accidental boolean writes that would break the GSI query
  • Add marshallOptions: { removeUndefinedValues: true } to DynamoDB clients in api-alerts and api-devices — matches the pattern already used in api-ingest and prevents latent runtime errors on optional fields

Test plan

  • CDK synth completes without errors (cd songbird-infrastructure && npx cdk synth)
  • Alert creation in ingest produces UUIDs in the alert ID field
  • Acknowledged/unacknowledged alert queries return correct results
  • Chat query Lambda still successfully invokes Bedrock models

🤖 Generated with Claude Code

bsatrom and others added 4 commits April 14, 2026 17:15
@bsatrom @claude
fix(infra): SQL injection via parameterized queries, admin check on f…
245aeb5 
…eedback endpoint, restrict device auth

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@bsatrom
Merge remote-tracking branch 'origin/main' into fix/infra-iam-alert-ids
efafd7d
@bsatrom @claude
chore: merge main and update feedback.test.ts for admin-group auth
898e1f1 
Merge origin/main to pick up the test suite from #18, then update the
3 GET /analytics/feedback tests to include cognito:groups=Admin in the
authorizer JWT claims, matching the admin-group check this PR adds to
the handler. Also adds a new test covering the 403 denial path.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@bsatrom
Merge branch 'main' into fix/infra-iam-alert-ids
c9e69d7
@bsatrom bsatrom merged commit 4926978 into main Apr 17, 2026
@bsatrom bsatrom deleted the fix/infra-iam-alert-ids branch April 17, 2026 02:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@bsatrom