CCM-12833: AgentsMD Nested - DO NOT MERGE

Author: jamesthompson26-nhs

agents.md

@@ -0,0 +1,104 @@
+## Core Agent Guidance (Platform-Agnostic)
+
+This file now focuses on cross-cutting agent usage principles that apply regardless of technology (Terraform, TypeScript, frontend). Technology-specific detail has moved to:
+
+| Domain | Location |
+|--------|----------|
+| Terraform (Infra workflow, IAM, modules) | `infrastructure/terraform/agents-terraform.md` |
+| TypeScript (Lambdas, shared packages, frontend) | `lambdas/agents-typescript.md` |
+
+_Last reorganised: 2025-11-07_
+
+### 1. Engagement Model
+Human creates branch & supplies ticket context (JIRA ID, acceptance criteria, scope, non-goals). Agent never creates branches or merges; it produces validated changes then stops.
+
+### 2. Agent Responsibilities (Invariant)
+1. Operate only inside provided branch.
+2. Minimise surface area of change; no speculative refactors.
+3. Apply existing naming, logging, validation, and security patterns.
+4. Annotate unavoidable deviations with a concise rationale comment (`// agent: rationale <brief>` or `# agent: rationale <brief>`).
+5. Run relevant quality gates (typecheck, lint, tests, terraform validate) before handover.
+6. Produce a handover summary (files touched, IAM delta, risks, rollback hint).
+
+### 3. Quality Gates (Selector)
+| Scenario | Required Gates |
+|----------|----------------|
+| Pure Terraform change | `terraform fmt`, `terraform validate` |
+| Lambda / TypeScript code | `npm run typecheck`, `npm run lint`, `npm run test:unit` |
+| Frontend (React/Next) | Above + accessibility tests if UI affected |
+| Mixed (Infra + Code) | Union of both sets |
+
+Optional (on demand): gitleaks, trivy, syft, scorecard.
+
+### 4. Adding a New Lambda (Workspace & Build Integration)
+Follow this process so monorepo workspaces, build scripts and infra remain consistent:
+
+1. Create folder: `lambdas/<function-name>` using kebab-case.
+2. Scaffold contents:
+   - `package.json` (private, name `@notify/<function-name>`, scripts: `build`, `typecheck`, `lint`, `test:unit`).
+   - `tsconfig.json` (extends root or sibling lambda config).
+   - `jest.config.ts` (mirroring existing lambda configs).
+   - `build.sh` invoking `esbuild` bundling to `dist/`.
+   - `src/` with entry file exporting `handler` and domain modules.
+   - `__tests__/` with at least happy path + one failure case.
+3. Add workspace entry in root `package.json` under `workspaces` (maintain alphabetical grouping by top-level path).
+4. Run: `npm install` at root to ensure workspace linking.
+5. Add infrastructure module invocation (Terraform) in appropriate `.tf` file referencing new lambda dist path & env vars.
+6. Provide minimal IAM policy document (`data "aws_iam_policy_document"`) granting least privilege.
+7. Update any shared environment variable local maps if new keys required.
+8. Execute quality gates for both infra & TS (see table above).
+9. Include in handover summary: workspace addition, new module file(s), IAM diff, test coverage note.
+
+### 5. Monorepo Workspace Conventions
+Root `package.json` uses npm workspaces. Keep order logical (group by area). When adding a lambda ensure:
+```
+"workspaces": [
+  "data-migration/user-transfer",
+  "frontend",
+  "lambdas/authorizer",
+  "lambdas/backend-api",
+  "lambdas/backend-client",
+  "lambdas/cognito-triggers",
+  "lambdas/download-authorizer",
+  "lambdas/event-publisher",
+  "lambdas/sftp-letters",
+  "lambdas/<new-function>",
+  "packages/event-schemas",
+  ...
+]
+```
+Position `<new-function>` with existing lambda block (keep alphabetical within that block to reduce diff churn).
+
+### 6. CI / Automation Notes
+- Scorecard workflow (`.github/workflows/scorecard.yml`) runs on `main` push & scheduled; agent changes should not adjust it unless explicitly tasked.
+- Future CI additions (tests, security scans) should live in dedicated workflow files named by concern (`test.yml`, `security.yml`).
+- Do not embed secrets in workflow; reference pre-defined repository secrets.
+- Pin action versions (use commit SHA or semver tag) for reproducibility.
+- If adding a workflow, include a short comment header with purpose and contact.
+
+### 7. Commit Guidelines (Universal)
+Format: `<JIRA-ID> <imperative summary>` (no trailing period). Keep commits cohesive (infra vs code). Avoid mixing refactor with feature unless mandated.
+
+### 8. Rationale Comment Pattern
+Keep to a single line:
+```hcl
+# agent: rationale increase memory (PDF generation spikes >512MB)
+```
+```ts
+// agent: rationale temporary union type until schema v2 lands
+```
+Remove obsolete rationales before handover if decision becomes standard.
+
+### 9. Rollback Considerations
+- Infra: prefer additive changes; for destructive (table rename, pipe removal) document pre-change state.
+- Code: if altering handler signature, note previous export contract.
+- Provide one-line rollback instruction in handover summary.
+
+### 10. Escalation / Blockers
+If blocked by unavailable secret, unclear architectural constraint, or missing upstream module, stop and ask a single clarifying question rather than guessing.
+
+### 11. Where to Go for Detail
+- Terraform specifics: `infrastructure/terraform/agents.md`
+- TypeScript & Lambda specifics: `lambdas/agents.md`
+- Shared schemas & events: `packages/event-schemas/agents.md`
+- Scripts: `scripts/agents.md`

frontend/agents.md

@@ -0,0 +1,124 @@
+# TypeScript Style & Ways of Working (Agents & Copilot)
+
+> Extracted from root `agents.md` Section 16 (2025-11-07). Terraform-specific guidance now lives in `infrastructure/terraform/agents-terraform.md`.
+
+This document defines conventions for TypeScript across Lambdas, shared packages and the Next.js frontend. It complements Terraform guidance (security, determinism, least privilege) with code-level consistency, testability and readability. Use these rules for both autonomous agent code generation touching TypeScript and interactive AI pair programming (Copilot).
+
+## 1. Project Structure & Module Boundaries
+- Each Lambda function lives in `lambdas/<function-name>` with `src/`, `__tests__/`, build script (`build.sh` using `esbuild`), output in `dist/`.
+- Backend API Lambdas: thin entry file delegating to API handler factory.
+```ts
+export const handler = createHandler(templatesContainer());
+```
+- Domain logic separated from transport (e.g. `api/` vs `domain/`). Keep handler composition pure/injectable.
+- Shared packages expose `index.ts` re-export barrels.
+
+## 2. Naming Conventions (ESLint-Enforced)
+Follow the repository ESLint configuration rather than relying on this document for exhaustive rules. Key points are enforced automatically:
+| Concern | Enforcement Source |
+|---------|--------------------|
+| Filenames (kebab-case for files) | Custom/file naming lint rules & PR review |
+| Exported functions/constants camelCase | ESLint stylistic rules |
+| Types & interfaces PascalCase | `@typescript-eslint/naming-convention` |
+| Handler export name `handler` | Manual review + tests referencing handler |
+| Zod schemas prefixed with `$` | Convention (add if missing); not auto-enforced |
+| Factory functions suffix `create`/`make` | Convention to enhance intent |
+
+Agent guidance: Run `npm run lint` and fix reported issues; do not duplicate rule text here. If a required naming change would create wide churn, limit edits to touched lines and add a `// agent: rationale partial naming normalisation` comment if inconsistent legacy remains.
+
+## 3. Import Ordering (ESLint-Enforced)
+Ordering (built-ins → external → internal aliases → relative) is governed by ESLint (`import/order`). Agents should:
+1. Avoid manual reordering of untouched blocks unless lint fails.
+2. Preserve grouping and let `--fix` handle spacing/blank lines.
+3. If adding a new import, place it in the correct group; run `npm run lint:fix` to auto-format.
+
+Do not include example blocks; the linter output will indicate misplacement. Add rationale comment only if a deliberate cycle prevents ideal ordering.
+
+## 4. Types vs Interfaces
+Use `type` for unions/intersections; `interface` for extensible object shapes. Use `z.infer<typeof $Schema>` for types derived from Zod.
+
+## 5. Runtime Validation & Schema Design
+- Validate all external input with Zod at the boundary; parse early.
+- Use `.extend`, `.intersection`, `.omit` to compose.
+- Include `.meta({ id: '...' })` for identification.
+
+## 6. Environment Variables & Configuration
+- Validate env vars (Zod object). Coerce numeric values.
+- Parse complex JSON only after validation.
+- Throw early if required vars absent.
+
+## 7. Error Handling Patterns
+- API handlers return structured success/failure objects; avoid throwing for expected validation failures.
+- Batch SQS: validate each record; DLQ or skip unprocessable payloads.
+
+## 8. Functional Composition & Dependency Injection
+- Use factory functions returning handlers.
+- Containers construct dependency graph (clients, repositories, loggers) and return pure objects.
+- Avoid global singletons except for AWS SDK efficiency; pass constructed clients.
+
+## 9. CSV / Data Processing
+- Deterministic header set from union of record keys; sorted alphabetically.
+- RFC4180 escaping (double quotes, wrap fields containing comma/quote/newline).
+- Keep transformation functions pure and test them.
+
+## 10. Testing Conventions
+- Jest config per package; test files `__tests__/<name>.test.ts`.
+- Mock AWS SDK v3 clients by overriding `send`.
+- Use shared test helper factories (e.g. `makeSQSRecord`, `createMockLogger`).
+- Assert observable response shapes; avoid internal implementation details.
+
+## 11. Async & Promise Handling
+Use `async/await`. Sequential `for...of` loops for ordered processing; `Promise.all` only for independent operations.
+
+## 12. Logging
+- Use structured `winston` logger; inject via container.
+- Log identifiers (templateId, clientId) not full sensitive payloads.
+
+## 13. Security & PII
+- Never log secrets or personal data; redact or summarise.
+- Centralise CSP construction with nonce in frontend middleware.
+
+## 14. Performance & Memory
+- Lambda memory: 512 MB default (light); 2048 MB for heavy tasks (PDF, complex transform). Justify deviations with comment.
+- Avoid unnecessary JSON (de)serialization cycles.
+
+## 15. Formatting & Lint
+Formatting (quotes, semicolons, trailing commas, spacing) and stylistic concerns are entirely delegated to ESLint/Prettier configuration in the repo. Agent process:
+1. After code changes run: `npm run lint` and `npm run lint:fix` (if permitted) to apply canonical style.
+2. Do not handcraft style changes beyond what the linter requires for the modified lines.
+3. If large unrelated formatting noise appears, revert non-essential edits to minimise diff surface.
+
+Examples are intentionally omitted; rely on linter output for corrections.
+
+## 16. Export Strategy
+- Prefer named exports. Use barrel `index.ts` for re-exports. Avoid CommonJS patterns.
+
+## 17. Utility Patterns
+- Inline single-use pure utilities; extract to `utils/` if reused >2 times.
+- Group regex or security policies in top-level constants.
+
+## 18. Testing Edge Cases (Minimum)
+For each handler include: happy path, missing/invalid auth/env, validation failure, empty batch (no-op).
+
+## 19. Error Object Shape
+Standard failure JSON: `{ statusCode, technicalMessage, details? }`. No internal stack traces to clients.
+
+## 20. Comment Standards
+- Use `//` for brief notes; block comments only for multi-line protocol references.
+- Link external specs (e.g. CloudEvents) where relevant.
+
+## 21. AI / Agent Usage Notes (TypeScript)
+- Provide a mini contract before requesting generation: inputs, outputs, error modes, key edge cases.
+- Reject suggestions lacking types or validation.
+- Ensure new handlers follow dependency injection & logging patterns.
+- Use commit convention `<JIRA-ID> <imperative summary>`.
+- Annotate any deviation with `// agent: rationale <brief>`.
+
+## 22. Quality Gates (When TS code is generated/modified)
+Run locally before handover:
+```bash
+npm run typecheck
+npm run lint
+npm run test:unit
+```
+(Include accessibility tests if frontend changes: `npm run test:accessibility`.)