Skip to content

feat: sync AWS Transform agent-plugin from ATXKiroPower (post cli-3.3.0)#209

Merged
jdonboch merged 3 commits into
mainfrom
aws-transform-release-post-cli-3.3.0
Jul 2, 2026
Merged

feat: sync AWS Transform agent-plugin from ATXKiroPower (post cli-3.3.0)#209
jdonboch merged 3 commits into
mainfrom
aws-transform-release-post-cli-3.3.0

Conversation

@jdonboch

@jdonboch jdonboch commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Promotes ATXKiroPower/mainline changes merged since the cli-3.3.0 tag.

Themes: Continuous Modernization EC2/Batch execution rewrite (CFN + SSM, multi-worker, memory caps, prechecks), scheduling, security agent skill (admin/executor split), mainframe-reimagine workflow, remediation + custom-TD, source handling (GitHub/GitLab/Bitbucket), reporting, telemetry, and markdown lint/format cleanup.

Version bump: 1.1.2 → 1.2.0 (minor; feature release) across .claude-plugin/plugin.json, .codex-plugin/plugin.json, and the aws-transform entry in .claude-plugin/marketplace.json.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of the project license.

Comment thread plugins/aws-transform/.claude-plugin/plugin.json
Comment thread plugins/aws-transform/skills/aws-transform/references/mainframe-reimagine-ddd.md Outdated

@github-advanced-security github-advanced-security AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Semgrep OSS found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.

@jdonboch jdonboch force-pushed the aws-transform-release-post-cli-3.3.0 branch 3 times, most recently from d60ca81 to b49f9fc Compare June 30, 2026 20:15
@jdonboch jdonboch changed the title AWS Transform agent-plugin sync (post cli-3.3.0) feat: sync AWS Transform agent-plugin from ATXKiroPower (post cli-3.3.0) Jun 30, 2026
…3.0)

Promote ATXKiroPower/mainline changes merged since the cli-3.3.0 tag:
EC2/Batch execution rewrite (CFN + SSM, multi-worker, memory caps,
prechecks), scheduling, security agent skill (admin/executor split),
mainframe-reimagine workflow, remediation + custom-TD, source handling
(GitHub/GitLab/Bitbucket), reporting, telemetry, and lint cleanup.

Bump plugin version 1.1.2 -> 1.2.0 (minor; feature release). Public
plugin.json schema preserved (author/homepage/keywords/license/repository).
@jdonboch jdonboch force-pushed the aws-transform-release-post-cli-3.3.0 branch from b49f9fc to 0a15e41 Compare June 30, 2026 20:29
@jdonboch jdonboch marked this pull request as ready for review June 30, 2026 20:36
@jdonboch jdonboch requested review from a team as code owners June 30, 2026 20:36
carolabadeer
carolabadeer previously approved these changes Jun 30, 2026
ntarakad-aws
ntarakad-aws previously approved these changes Jun 30, 2026
@jdonboch jdonboch enabled auto-merge June 30, 2026 21:59
krokoko and others added 2 commits July 1, 2026 15:52
Drop the mainframe reimagine skill files and the verify-traceability.py
script from the post cli-3.3.0 sync while AppSec questions on those
changes are resolved. This lets the continuous-modernization updates and
version bump ship without the mainframe content.

- Delete mainframe-reimagine{,-analysis,-ddd,-specgen,-verify}.md
- Delete skills/aws-transform/scripts/verify-traceability.py
- Revert mainframe.md to its main-branch state so no mainframe changes
  remain in this release
@jdonboch jdonboch dismissed stale reviews from carolabadeer and ntarakad-aws via 0a4eb9d July 2, 2026 16:36
@jdonboch jdonboch requested a review from dhasani23 July 2, 2026 17:18

@scottschreckengaust scottschreckengaust left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approve — with nits

Reviewed the substantive part of this sync: the embedded CloudFormation/bash in continuous-modernization-ec2-execution.md (default WorkerCount 5→1, the new memory precheck, per-container --memory caps, --restart unless-stoppedon-failure:3, the rewritten health-check loop, the laptop-side/ssm_run memory math, and the new Secrets Manager credential-validation step), plus the skill-instruction reflows in source/remediation/schedule/batch-execution.

The new logic is carefully built. I verified the high-risk mechanics rather than assuming, and they hold up. The items below are hardening nits, not correctness regressions — hence approving.

✅ Verified correct

  • Memory math (MEM_TOTAL_MB - 4096) / WorkerCount with a 2048 floor: the precheck (WorkerCount*2048 + 4096) guarantees the floor never over-commits the host; --memory-swap == --memory correctly disables overflow swap.
  • !Sub escaping: every ${!bash_var} vs ${CfnRef} is correct, including the deliberate wait "${!PIDS[@]}" (renders to literal ${PIDS[@]} for bash).
  • Health-check terminal logic dead OR (exited AND (ExitCode==0 OR RestartCount>=3)) exactly matches its comment and correctly tolerates the transient exited snapshot between on-failure:3 retries.
  • WorkerCount=1 default is consistent everywhere — CFN default, MinValue/MaxValue, provisioning script auto-sizing, decision tables, and prose. No stale references to the old default of 5.

⚠️ Nits — silent-failure hardening in the new code (non-blocking)

  1. Precheck can fail open if MemTotal reads empty. MEM_TOTAL_MB=$(( $(awk '/MemTotal/{print $2}' /proc/meminfo) / 1024 )) — if awk yields nothing, the arithmetic errors but set -e does not abort; [ "" -lt REQUIRED_MB ] is then false, so UserData prints "PASSED" and continues, and the empty value later poisons --memory="m". This defeats the precheck's stated purpose (fail in seconds). Suggest validating MEM_TOTAL_MB is a positive integer and exit 1 with a clear message otherwise.

  2. --restart on-failure:3 leaves a container permanently down post-provision with no watchdog. Correct at provision time (a clean exit surfaces via the CreationPolicy timeout). But after CREATE_COMPLETE, a runtime OOM-loop that exhausts 3 retries — or a clean exit — leaves the container dead silently; the next job's docker exec just fails. Consider having the Step 9 status path verify State.Status=running and message clearly ("container down — retries exhausted") rather than reporting a generic "no AID / still pending".

  3. Laptop-side ssm_run memory-math errors are swallowed. An empty remote MEM_TOTAL_MB, or WORKER_COUNT=0, makes the remote docker run fail — but the error lands only in StandardErrorContent, which the ssm_run helper never reads (it fetches StandardOutputContent only), so the flow proceeds as if the container launched. Note the ${WORKER_COUNT:-1} fallback guards unset/empty but not a literal 0. Suggest validating remotely and surfacing StandardErrorContent (and the command Status) on non-Success.

  4. New Step 7 credential snippet masks create failures. create-secret … 2>/dev/null || put-secret-value … hides an AccessDenied/KMS failure and falls through to put-secret-value, which then fails with a misleading ResourceNotFoundException. The sibling describe-secret … 2>&1 in the same step surfaces errors correctly — worth making these consistent (only fall back on the specific already-exists condition).

📝 Maintainability advisory

No comment contradicts its code. The one real drift risk is magic numbers duplicated in prose: 2048/4096 (three spots), on-failure:3 coupled to the health check's -ge 3, and the computed "300s" (actually seq 1 60 × sleep 5) stated as a literal. All correct today, but nothing keeps them in sync — consider hoisting shared constants into named vars or adding "keep in sync with X" pointers. Also worth confirming the troubleshooting table's port 8081 is accurate (it's unverifiable from the file alone).

🔭 Out of scope (not introduced by this PR)

Two items I initially surfaced trace to pre-existing code this PR doesn't touch (the remediation fan-out's --ids/--repo interaction, and the ssm_submit fire-and-forget launch not verifying its sentinel). Flagging for a possible separate follow-up — not blockers here.

Nice, defensive work on the memory-capping and health-check rewrite. 👍

Review assisted by Claude Code (pr-review-toolkit).

@jdonboch jdonboch added this pull request to the merge queue Jul 2, 2026
Merged via the queue into main with commit 23dc619 Jul 2, 2026
24 checks passed
@jdonboch jdonboch deleted the aws-transform-release-post-cli-3.3.0 branch July 2, 2026 18:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

7 participants