chore(build): decommission embed-tfstate.mjs predev/prebuild hooks (#241)

CoderCoco · claude · web-flow · commit 8b0330640ee7 · 2026-06-14T21:27:57.000-04:00
Closes #164 ## Summary - Deletes `app/scripts/embed-tfstate.mjs` and removes the `predev`/`prebuild` npm hooks that invoked it — the desktop app reads tfstate directly at runtime via the AWS SDK, making the embed step unnecessary - Removes the `EMBEDDED_TFSTATE` fallback path from `ConfigService` (including the generated `src/generated/tfstate.ts` artifact and `.gitignore` entry for it) and updates the associated unit tests - Cleans up stale references in `CLAUDE.md`, `package.json`, `.github/workflows/package.yml`, `docs/`, and `scripts/init-parent.ts` ## Changes ``` .github/workflows/package.yml | 8 +- .gitignore | 4 - CLAUDE.md | 2 - app/package.json | 2 - app/packages/desktop-main/src/main.test.ts | 4 +- app/packages/desktop-main/src/services/ConfigService.test.ts | 39 --------- app/packages/desktop-main/src/services/ConfigService.ts | 10 +-- app/scripts/embed-tfstate.mjs | 87 ---------------------- docs/docs/components/management-app.md | 8 +- docs/docs/guides/submodule.md | 2 +- package.json | 3 +- scripts/init-parent.ts | 5 +- 12 files changed, 17 insertions(+), 157 deletions(-) ``` ## Test plan - [ ] `npm run app:test` — all unit tests pass (`ConfigService` tests no longer exercise the embedded-tfstate path) - [ ] `npm run app:lint` — 0 errors - [ ] `app/scripts/embed-tfstate.mjs` no longer exists in the repository - [ ] `app/package.json` contains no `predev` or `prebuild` scripts referencing `embed-tfstate` - [ ] `ConfigService` contains no reference to `EMBEDDED_TFSTATE` or `src/generated/tfstate.ts` - [ ] `npm run desktop:dev` starts without the embed step (no `embed-tfstate.mjs` execution) - [ ] `npm run desktop:build` completes without the embed step 🤖 Generated with [Claude Code](https://claude.com/claude-code) --------- Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml
@@ -48,15 +48,18 @@ jobs:
         # terraform/terraform.tfstate is gitignored and will never exist in a
         # clean CI checkout. electron-builder silently skips a missing
         # extraResources 'from' path, which would produce an installer that
-        # lacks the tfstate file entirely. Create an empty placeholder so
-        # electron-builder always includes the file. ConfigService falls back
-        # to the build-time-embedded tfstate.ts when the runtime file is empty,
-        # so shipping an empty state file is safe for CI-produced installers.
+        # lacks the tfstate file entirely. Create a null placeholder so
+        # electron-builder always includes the file. ConfigService.getTfOutputs()
+        # returns null for any state file that lacks an 'outputs' key (including
+        # 'null' and '{}'), so the app correctly shows "not deployed" until the
+        # operator provides a real state file. Using 'null' here makes the intent
+        # explicit and avoids any risk of the placeholder being mistaken for a
+        # valid (all-defaults) state.
         shell: bash
         run: |
           if [ ! -f terraform/terraform.tfstate ]; then
-            echo "terraform/terraform.tfstate not found — creating empty placeholder for packaging."
-            echo '{}' > terraform/terraform.tfstate
+            echo "terraform/terraform.tfstate not found — creating null placeholder for packaging."
+            echo 'null' > terraform/terraform.tfstate
           fi
 
       - name: Build workspace packages
diff --git a/.gitignore b/.gitignore
@@ -30,10 +30,6 @@ Thumbs.db
 .claude/worktrees/
 .worktrees/
 
-# Auto-generated at dev/build time — committed as null, real state must not
-# be committed (contains AWS ARNs/account IDs).
-app/packages/desktop-main/src/generated/tfstate.ts
-
 # Playwright artifacts (traces, videos, screenshots) and HTML report.
 app/packages/web/test-results/
 app/packages/web/playwright-report/
diff --git a/CLAUDE.md b/CLAUDE.md
@@ -109,8 +109,6 @@ When adding a game, only edit `terraform.tfvars`. Don't hand-write new resources
 
 `ConfigService.getTfOutputs()` (in `app/packages/desktop-main/src/services/ConfigService.ts`) parses `terraform.tfstate` as JSON and caches it in-memory. `invalidateCache()` is called on `/api/games` and `/api/status` to pick up new deploys. The app's container mounts `./terraform:/app/terraform:ro` — this path coupling matters if directory structure changes. The parsed `TfOutputs` shape now also exposes `discord_table_name`, `discord_bot_token_secret_arn`, `discord_public_key_secret_arn`, and `interactions_invoke_url` so `DiscordConfigService` can reach the Discord stores without extra env-var plumbing.
 
-**Build-time state embedding**: `app/scripts/embed-tfstate.mjs` (runs via `predev`/`prebuild` hooks) writes `app/packages/desktop-main/src/generated/tfstate.ts`; `ConfigService` uses it as a fallback when the runtime `terraform.tfstate` is absent (Docker/CI). The file is committed as `null` and overwritten at dev/build time.
-
 ### API authentication
 
 Every `/api/*` route is gated behind a bearer token via `ApiTokenGuard` in `app/packages/desktop-main/src/guards/api-token.guard.ts`, registered globally in `AppModule` as an `APP_GUARD` provider so it applies to every controller automatically. The token comes from env `API_TOKEN` (wins, even when set to empty to deliberately disable) or `api_token` in `server_config.json`. In production (`NODE_ENV=production`), boot aborts in `main.ts` if no token is configured. In dev, a warning is logged and unauthenticated requests are allowed for convenience. The web client stores the token in `localStorage` under key `apiToken` and sends it as `Authorization: Bearer`. Don't remove the guard or bypass it on individual controllers — Copilot flagged the unauthenticated surface as a security issue and this is the fix.
diff --git a/app/package.json b/app/package.json
@@ -4,9 +4,7 @@
   "private": true,
   "type": "module",
   "scripts": {
-    "predev": "node scripts/embed-tfstate.mjs",
     "dev": "electron-vite dev --config ../electron.vite.config.ts",
-    "prebuild": "node scripts/embed-tfstate.mjs",
     "build": "npm run build -w @hyveon/shared && npm run build -w @hyveon/desktop-main && npm run build -w @hyveon/web",
     "build:lambdas": "npm run build -w @hyveon/shared && npm run build -w @hyveon/lambda-interactions -w @hyveon/lambda-followup -w @hyveon/lambda-update-dns -w @hyveon/lambda-watchdog -w @hyveon/lambda-efs-seeder",
     "start": "electron ../out/main/index.js",
diff --git a/app/packages/desktop-main/src/main.test.ts b/app/packages/desktop-main/src/main.test.ts
@@ -41,8 +41,8 @@ vi.mock('@nestjs/core', () => ({
 }));
 
 /**
- * Stub AppModule so the deep Nest module graph (which requires the generated
- * tfstate file and AWS service dependencies) is never traversed during this
+ * Stub AppModule so the deep Nest module graph (which pulls in AWS service
+ * dependencies and their transitive imports) is never traversed during this
  * unit test.
  */
 vi.mock('./app.module.js', () => ({
diff --git a/app/packages/desktop-main/src/services/ConfigService.test.ts b/app/packages/desktop-main/src/services/ConfigService.test.ts
@@ -17,20 +17,6 @@ vi.mock('../logger.js', () => ({
   },
 }));
 
-/**
- * Mutable holder for the build-time embedded Terraform state.
- * Tests that exercise the EMBEDDED_TFSTATE fallback path set this before
- * calling `getTfOutputs()`; all other tests leave it as `null` so they
- * don't accidentally exercise the fallback.
- */
-let mockEmbeddedState: Record<string, unknown> | null = null;
-
-vi.mock('../generated/tfstate.js', () => ({
-  get EMBEDDED_TFSTATE() {
-    return mockEmbeddedState;
-  },
-}));
-
 import { readFileSync, writeFileSync, existsSync } from 'fs';
 import { ConfigService } from './ConfigService.js';
 
@@ -53,35 +39,24 @@ describe('ConfigService', () => {
 
   beforeEach(() => {
     service = new ConfigService();
-    mockEmbeddedState = null;
   });
 
   describe('getTfOutputs', () => {
-    it('should return null when both the state file and embedded state are absent', () => {
+    it('should return null when the state file is absent', () => {
       mockExists.mockReturnValue(false);
       expect(service.getTfOutputs()).toBeNull();
     });
 
-    it('should use EMBEDDED_TFSTATE as fallback when the state file is absent', () => {
-      mockEmbeddedState = {
-        outputs: {
-          aws_region: { value: 'us-west-1' },
-          game_names: { value: ['minecraft'] },
-        },
-      };
-      mockExists.mockReturnValue(false);
-      const outputs = service.getTfOutputs();
-      expect(outputs).not.toBeNull();
-      expect(outputs!.aws_region).toBe('us-west-1');
-      expect(outputs!.game_names).toEqual(['minecraft']);
-      expect(outputs!.subnet_ids).toBe('');
+    it('should return null when the state file contains the literal null', () => {
+      mockExists.mockReturnValue(true);
+      mockRead.mockReturnValue('null');
+      expect(service.getTfOutputs()).toBeNull();
     });
 
-    it('should prefer the runtime state file over EMBEDDED_TFSTATE when both are present', () => {
-      mockEmbeddedState = { outputs: { aws_region: { value: 'embedded-region' } } };
+    it('should return null when the state file has no outputs key', () => {
       mockExists.mockReturnValue(true);
-      mockRead.mockReturnValue(makeState({ aws_region: { value: 'runtime-region' } }));
-      expect(service.getTfOutputs()!.aws_region).toBe('runtime-region');
+      mockRead.mockReturnValue('{}');
+      expect(service.getTfOutputs()).toBeNull();
     });
 
     it('should parse outputs and fill defaults for missing keys', () => {
@@ -120,6 +95,26 @@ describe('ConfigService', () => {
       expect(mockRead).toHaveBeenCalledTimes(1);
     });
 
+    it('should cache a null result so an undeployed stack is not re-read on every call', () => {
+      mockExists.mockReturnValue(false);
+
+      expect(service.getTfOutputs()).toBeNull();
+      expect(service.getTfOutputs()).toBeNull();
+
+      expect(mockExists).toHaveBeenCalledTimes(1);
+    });
+
+    it('should re-read after invalidateCache when the previous result was null', () => {
+      mockExists.mockReturnValue(false);
+      expect(service.getTfOutputs()).toBeNull();
+
+      service.invalidateCache();
+      mockExists.mockReturnValue(true);
+      mockRead.mockReturnValue(makeState({ aws_region: { value: 'eu-west-1' } }));
+
+      expect(service.getTfOutputs()!.aws_region).toBe('eu-west-1');
+    });
+
     it('should force a re-read after invalidateCache', () => {
       mockExists.mockReturnValue(true);
       mockRead.mockReturnValue(makeState({ aws_region: { value: 'a' } }));
diff --git a/app/packages/desktop-main/src/services/ConfigService.ts b/app/packages/desktop-main/src/services/ConfigService.ts
@@ -4,7 +4,6 @@ import { join, dirname } from 'path';
 import { fileURLToPath } from 'url';
 import { createRequire } from 'module';
 import { logger } from '../logger.js';
-import { EMBEDDED_TFSTATE } from '../generated/tfstate.js';
 
 /** Absolute path to the `dist/services/` directory at runtime. */
 const _dirname = dirname(fileURLToPath(import.meta.url));
@@ -79,26 +78,31 @@ const DEFAULT_CONFIG: WatchdogConfig = {
  */
 @Injectable()
 export class ConfigService {
-  private tfCache: TfOutputs | null = null;
+  /**
+   * Memoised tfstate projection. Tri-state: `undefined` means "not loaded yet",
+   * `null` means "loaded, but no usable state" (absent/empty/placeholder), and
+   * an object is a parsed projection. Caching `null` matters because callers on
+   * polling paths (e.g. status) hit this every tick — without it, an undeployed
+   * stack would re-read the file and re-log a warning on every call.
+   */
+  private tfCache: TfOutputs | null | undefined = undefined;
 
   /**
    * Drop the cached tfstate parse. Called from the `/api/games` and
    * `/api/status` handlers so a fresh `terraform apply` is picked up without
    * a server restart; tests also call it between scenarios.
    */
   invalidateCache(): void {
-    this.tfCache = null;
+    this.tfCache = undefined;
   }
 
   /**
    * Parse `terraform/terraform.tfstate` (once, then memoised) and project the
-   * pieces the app cares about. Falls back to the state embedded at build time
-   * by `scripts/embed-tfstate.mjs` when the runtime file is absent. Returns
-   * `null` when neither source is available — callers treat that as "infra not
-   * deployed yet" and degrade gracefully.
+   * pieces the app cares about. Returns `null` when the runtime file is absent
+   * — callers treat that as "infra not deployed yet" and degrade gracefully.
    */
   getTfOutputs(): TfOutputs | null {
-    if (this.tfCache) return this.tfCache;
+    if (this.tfCache !== undefined) return this.tfCache;
 
     type RawState = { outputs?: Record<string, { value: unknown }> };
     let raw: RawState;
@@ -109,18 +113,24 @@ export class ConfigService {
         raw = JSON.parse(readFileSync(tfStatePath, 'utf-8')) as RawState;
       } catch (err) {
         logger.error('Failed to parse Terraform state', { err, path: tfStatePath });
-        return null;
+        return (this.tfCache = null);
+      }
+      if (raw === null || raw === undefined) {
+        logger.warn('Terraform state file is empty or null', { path: tfStatePath });
+        return (this.tfCache = null);
       }
-    } else if (EMBEDDED_TFSTATE) {
-      logger.debug('Using build-time embedded Terraform state');
-      raw = EMBEDDED_TFSTATE as unknown as RawState;
     } else {
       logger.warn('Terraform state not found', { path: tfStatePath });
-      return null;
+      return (this.tfCache = null);
     }
 
     try {
-      const out = raw.outputs ?? {};
+      if (!raw.outputs) {
+        logger.warn('Terraform state has no outputs — infra not yet deployed', { path: tfStatePath });
+        return (this.tfCache = null);
+      }
+
+      const out = raw.outputs;
       const get = <T>(key: string, fallback: T): T =>
         key in out ? (out[key]!.value as T) : fallback;
 
@@ -148,7 +158,7 @@ export class ConfigService {
       return this.tfCache;
     } catch (err) {
       logger.error('Failed to parse Terraform state', { err });
-      return null;
+      return (this.tfCache = null);
     }
   }
 
diff --git a/app/scripts/embed-tfstate.mjs b/app/scripts/embed-tfstate.mjs
diff --git a/docs/docs/components/management-app.md b/docs/docs/components/management-app.md
@@ -87,12 +87,8 @@ Every route is under `/api/*` and gated by `ApiTokenGuard`.
   on list/status so a new `terraform apply` is picked up without a server
   restart. Also resolves the bearer token from `API_TOKEN` (wins) or
   `server_config.json:api_token`. State resolution order: (1) runtime
-  `terraform/terraform.tfstate`; (2) build-time embedded state from
-  `app/packages/desktop-main/src/generated/tfstate.ts` (written by
-  `app/scripts/embed-tfstate.mjs` via the `predev`/`prebuild` npm hooks
-  — useful in Docker/CI where the Terraform directory isn't mounted);
-  (3) `null` — callers degrade gracefully so the dashboard can render
-  even pre-apply.
+  `terraform/terraform.tfstate`; (2) `null` — callers degrade gracefully
+  so the dashboard can render even pre-apply.
 - **`DiscordConfigService`** — persistence facade over DynamoDB
   (`CONFIG#discord`) + Secrets Manager. Concurrent reads are coalesced via
   an inflight-promise pattern. `getRedacted()` returns
diff --git a/docs/docs/guides/submodule.md b/docs/docs/guides/submodule.md
@@ -116,7 +116,7 @@ Five targets, no surprises:
 | `make plan` | Copies `terraform.tfvars` into `Hyveon/terraform/terraform.tfvars`, then runs `make -C Hyveon tf-plan` — which itself rebuilds the Lambda bundles before `terraform plan`. |
 | `make apply` | Same as `plan`, but delegates to `tf-apply`. The submodule's `tf-apply` recipe prints a post-deploy checklist with the Discord interactions URL when it finishes. |
 | `make update` | Bumps the submodule to the tip of `main` (`git submodule update --remote --merge`). If the new `setup.sh` differs from the recorded sha, clears `.terraform/` and re-runs `setup.sh` automatically; otherwise leaves it alone. Reminds you to commit the new submodule pointer. |
-| `make dev` | Pulls live tfstate into `.make/tfstate.json` (so the embed step has something to read), wipes stale TS build info under the submodule's `app/packages/*/`, then runs `make -C Hyveon dev`, exporting `API_TOKEN` and `TF_STATE_PATH` to the child make. |
+| `make dev` | Pulls live tfstate into `.make/tfstate.json` (so ConfigService can read it via `TF_STATE_PATH`), wipes stale TS build info under the submodule's `app/packages/*/`, then runs `make -C Hyveon dev`, exporting `API_TOKEN` and `TF_STATE_PATH` to the child make. |
 
 The `tfvars` copy is **always fresh** on plan/apply — the recipe `cp`s
 unconditionally, not just when the file is older than the destination. This
diff --git a/package.json b/package.json
@@ -28,11 +28,10 @@
     "app:lint": "npm run lint           -w game-server-manager",
     "app:lint:fix": "npm run lint:fix       -w game-server-manager",
     "app:test:e2e": "npm run test:e2e       -w @hyveon/web",
-    "app:test:integration": "node app/scripts/embed-tfstate.mjs && npm run build -w @hyveon/desktop-main && npm run test:integration -w @hyveon/web",
+    "app:test:integration": "npm run build -w @hyveon/desktop-main && npm run test:integration -w @hyveon/web",
     "scripts:init-parent": "npm run init-parent  -w @hyveon/scripts",
     "desktop:dev": "electron-vite dev",
     "desktop:build": "electron-vite build",
-    "predesktop:package": "node app/scripts/embed-tfstate.mjs",
     "desktop:package": "npm run desktop:build && electron-builder --config electron-builder.yml"
   }
 }
diff --git a/scripts/init-parent.ts b/scripts/init-parent.ts
@@ -188,8 +188,9 @@ update: | $(STAMP_DIR)
 \t@echo "  git add ${a.submoduleDir} && git commit -m 'chore: bump ${a.submoduleDir}'"
 
 # ── Dev server ───────────────────────────────────────────────────────────────
-# Pull live tfstate so embed-tfstate has something to read; falls back to null
-# when the backend isn't reachable yet (e.g. before the first apply).
+# Pull live tfstate into a temp file and point ConfigService at it via
+# TF_STATE_PATH; falls back to null when the backend isn't reachable yet
+# (e.g. before the first apply).
 dev: | $(STAMP_DIR)
 \tterraform -chdir=$(TF_DIR) state pull > $(STAMP_DIR)/tfstate.json 2>/dev/null || echo 'null' > $(STAMP_DIR)/tfstate.json
 \trm -f $(SUBMODULE)/app/packages/*/tsconfig*.tsbuildinfo
