refactor: extract sendEvent into @repo/event-utils package and apply fixes

konokenj · konokenj · commit e9f4a4c20623 · 2026-03-27T12:54:51.000+09:00
Why:
- sendEvent was duplicated in webapp and async-job with identical SigV4
  signing logic, making maintenance error-prone.
- Several minor bugs and code quality issues accumulated across the
  codebase.
- jest v30 has compatibility issues with ts-jest v29; downgrade to
  stable v29.

What:
- Extract sendEvent into packages/event-utils shared workspace package,
  removing duplicate from webapp/lib/events.ts and async-job/src/events.ts.
- Update Dockerfiles, package.json, and next.config.ts to reference
  @repo/event-utils.
- Make UserNotCreatedError extend Error with proper name/message.
- Add onConflictDoNothing to user insert in auth-callback to handle
  race conditions.
- Stabilize useEventBus callback with useRef to prevent reconnections.
- Add env var validation in db client (DSQL_ENDPOINT, AWS_REGION).
- Fix dsql-compat REFERENCES regex to handle ON DELETE/UPDATE clauses.
- Add ROLLBACK safety net for TS migration error handling.
- Add JSDoc for SQL migration statement splitting convention.
- Add grantConnect JSDoc with TODO for custom DB role migration.
- Convert Header.tsx from client to server component (remove unused
  useRouter).
- Fix Dockerfile ENV to use ARG passthrough pattern for build-time vars.
- Fix strict equality check in next.config.ts (== to ===).
- Change console.log to console.error for parse errors in async-job.
- Remove hardcoded region from TranslateClient; add userId check in
  translate job query.
- Downgrade jest from v30 to v29 for ts-jest compatibility.
diff --git a/apps/async-job/Dockerfile b/apps/async-job/Dockerfile
@@ -3,6 +3,7 @@ WORKDIR /build
 COPY package.json pnpm-workspace.yaml pnpm-lock.yaml ./
 COPY packages/db/package.json packages/db/
 COPY packages/shared-types/package.json packages/shared-types/
+COPY packages/event-utils/package.json packages/event-utils/
 COPY apps/async-job/package.json apps/async-job/
 RUN corepack enable && corepack prepare pnpm@10.8.1 --activate && pnpm install --frozen-lockfile
 COPY packages/ packages/
diff --git a/apps/async-job/package.json b/apps/async-job/package.json
@@ -12,13 +12,10 @@
     "check:ci": "pnpm run lint:ci && pnpm run format:ci"
   },
   "devDependencies": {
-    "@aws-crypto/sha256-js": "^5",
     "@aws-sdk/client-translate": "^3.995.0",
-    "@aws-sdk/credential-provider-node": "^3",
     "@repo/db": "workspace:*",
+    "@repo/event-utils": "workspace:*",
     "@repo/shared-types": "workspace:*",
-    "@smithy/protocol-http": "^5",
-    "@smithy/signature-v4": "^5",
     "@types/aws-lambda": "^8.10.149",
     "@types/node": "^22",
     "drizzle-orm": "^0.44",
diff --git a/apps/async-job/src/handler.ts b/apps/async-job/src/handler.ts
@@ -5,7 +5,7 @@ import type { Handler } from 'aws-lambda';
 export const handler: Handler<unknown> = async (event) => {
   const { data: payload, error } = jobPayloadPropsSchema.safeParse(event);
   if (error) {
-    console.log(error);
+    console.error(error);
     throw new Error(error.toString());
   }
 
diff --git a/apps/async-job/src/jobs/translate.ts b/apps/async-job/src/jobs/translate.ts
@@ -1,22 +1,20 @@
-import { sendEvent } from '../events';
+import { sendEvent } from '@repo/event-utils/send-event';
 import { db } from '@repo/db/client';
 import { todoItems } from '@repo/db/schema';
-import { eq } from 'drizzle-orm';
+import { eq, and } from 'drizzle-orm';
 import type { TranslateJobPayload } from '@repo/shared-types/job-payload';
 import { TranslateClient, TranslateTextCommand } from '@aws-sdk/client-translate';
 
 export async function translateJobHandler(params: TranslateJobPayload) {
   const todoItem = await db.query.todoItems.findFirst({
-    where: eq(todoItems.id, params.todoItemId),
+    where: and(eq(todoItems.id, params.todoItemId), eq(todoItems.userId, params.userId)),
   });
   if (!todoItem) {
     console.log(`item ${params.todoItemId} not found.`);
     return;
   }
 
-  const translateClient = new TranslateClient({
-    region: process.env.AWS_REGION || 'ap-northeast-1',
-  });
+  const translateClient = new TranslateClient({});
 
   const targetLanguage = 'ja';
   const translateResult = await translateClient.send(
diff --git a/apps/cdk/lib/constructs/database.ts b/apps/cdk/lib/constructs/database.ts
@@ -41,6 +41,11 @@ export class Database extends Construct {
     });
   }
 
+  /**
+   * Grant DML-only connect permission (dsql:DbConnect) for application workloads.
+   * Requires a custom database role created via migration. See ADR-004.
+   * TODO: Migrate webapp/async-job to use this method with a custom DB role.
+   */
   public grantConnect(grantee: IGrantable): Grant {
     return Grant.addToPrincipal({
       grantee,
diff --git a/apps/cdk/package.json b/apps/cdk/package.json
@@ -29,7 +29,7 @@
     "@types/node": "^22.14.1",
     "aws-cdk": "^2.1007.0",
     "esbuild": "^0.25.4",
-    "jest": "^30.1.3",
+    "jest": "^29.7.0",
     "ts-jest": "^29.4.4",
     "ts-node": "^10.7.0",
     "typescript": "^5.9.2"
diff --git a/apps/webapp/Dockerfile b/apps/webapp/Dockerfile
@@ -3,6 +3,7 @@ WORKDIR /build
 COPY package.json pnpm-workspace.yaml pnpm-lock.yaml ./
 COPY packages/db/package.json packages/db/
 COPY packages/shared-types/package.json packages/shared-types/
+COPY packages/event-utils/package.json packages/event-utils/
 COPY apps/webapp/package.json apps/webapp/
 RUN corepack enable && corepack prepare pnpm@10.8.1 --activate && pnpm install --frozen-lockfile
 COPY packages/ packages/
@@ -12,10 +13,14 @@ ARG SKIP_TS_BUILD=""
 ARG ALLOWED_ORIGIN_HOST=""
 ARG NEXT_PUBLIC_EVENT_HTTP_ENDPOINT=""
 ARG NEXT_PUBLIC_AWS_REGION=""
-ENV USER_POOL_CLIENT_ID="dummy"
-ENV USER_POOL_ID="dummy"
-ENV AMPLIFY_APP_ORIGIN="https://dummy.example.com"
-ENV COGNITO_DOMAIN="dummy.example.com"
+ARG USER_POOL_CLIENT_ID="dummy"
+ARG USER_POOL_ID="dummy"
+ARG AMPLIFY_APP_ORIGIN="https://dummy.example.com"
+ARG COGNITO_DOMAIN="dummy.example.com"
+ENV USER_POOL_CLIENT_ID=$USER_POOL_CLIENT_ID
+ENV USER_POOL_ID=$USER_POOL_ID
+ENV AMPLIFY_APP_ORIGIN=$AMPLIFY_APP_ORIGIN
+ENV COGNITO_DOMAIN=$COGNITO_DOMAIN
 RUN cd apps/webapp && pnpm exec next build
 
 FROM public.ecr.aws/lambda/nodejs:22 AS runner
diff --git a/apps/webapp/next.config.ts b/apps/webapp/next.config.ts
@@ -9,7 +9,7 @@ const nextConfig: NextConfig = {
   output: 'standalone',
   // Required for pnpm workspace packages — Next.js standalone output does not
   // resolve symlinked workspace dependencies by default.
-  transpilePackages: ['@repo/db', '@repo/shared-types'],
+  transpilePackages: ['@repo/db', '@repo/shared-types', '@repo/event-utils'],
   experimental: {
     webpackBuildWorker: true,
     parallelServerBuildTraces: true,
@@ -19,7 +19,7 @@ const nextConfig: NextConfig = {
     },
   },
   typescript: {
-    ignoreBuildErrors: process.env.SKIP_TS_BUILD == 'true',
+    ignoreBuildErrors: process.env.SKIP_TS_BUILD === 'true',
   },
 };
 
diff --git a/apps/webapp/package.json b/apps/webapp/package.json
@@ -18,6 +18,7 @@
     "@aws-sdk/client-lambda": "^3.995.0",
     "@aws-sdk/client-ssm": "^3.995.0",
     "@repo/db": "workspace:*",
+    "@repo/event-utils": "workspace:*",
     "@repo/shared-types": "workspace:*",
     "aws-amplify": "^6.16.2",
     "class-variance-authority": "^0.7.1",
@@ -36,12 +37,8 @@
     "zod": "^3.24.2"
   },
   "devDependencies": {
-    "@aws-crypto/sha256-js": "^5",
-    "@aws-sdk/credential-provider-node": "^3",
     "@hookform/resolvers": "^5.2.2",
     "@next-safe-action/adapter-react-hook-form": "^1.0.14",
-    "@smithy/protocol-http": "^5",
-    "@smithy/signature-v4": "^5",
     "@tailwindcss/postcss": "^4",
     "@types/node": "^20",
     "@types/react": "^19",
diff --git a/apps/webapp/src/app/auth-callback/page.tsx b/apps/webapp/src/app/auth-callback/page.tsx
@@ -13,7 +13,7 @@ export default async function AuthCallbackPage() {
     if (e instanceof UserNotCreatedError) {
       const userId = e.userId;
       console.log(userId);
-      await db.insert(users).values({ id: userId });
+      await db.insert(users).values({ id: userId }).onConflictDoNothing();
     } else {
       throw e;
     }
diff --git a/apps/webapp/src/components/Header.tsx b/apps/webapp/src/components/Header.tsx
@@ -1,11 +1,6 @@
-'use client';
-
 import Link from 'next/link';
-import { useRouter } from 'next/navigation';
 
 export default function Header() {
-  const router = useRouter();
-
   return (
     <header className="bg-indigo-600 text-white shadow-md">
       <div className="max-w-7xl mx-auto px-4 sm:px-6 lg:px-8">
diff --git a/apps/webapp/src/hooks/use-event-bus.ts b/apps/webapp/src/hooks/use-event-bus.ts
@@ -1,7 +1,7 @@
 import { decodeJWT } from 'aws-amplify/auth';
 import { Amplify } from 'aws-amplify';
 import { events } from 'aws-amplify/data';
-import { useEffect } from 'react';
+import { useEffect, useRef } from 'react';
 
 Amplify.configure(
   {
@@ -34,14 +34,17 @@ type UseEventBusProps = {
 };
 
 export const useEventBus = ({ channelName, onReceived }: UseEventBusProps) => {
+  const onReceivedRef = useRef(onReceived);
+  onReceivedRef.current = onReceived;
+
   useEffect(() => {
     const connectAndSubscribe = async () => {
       const channel = await events.connect(`event-bus/${channelName}`);
       console.log(`subscribing channel ${channelName}`);
 
       channel.subscribe({
         next: (data) => {
-          onReceived(data);
+          onReceivedRef.current(data);
         },
         error: (err) => console.error('error', err),
       });
@@ -55,5 +58,5 @@ export const useEventBus = ({ channelName, onReceived }: UseEventBusProps) => {
         channel.close();
       });
     };
-  }, [channelName, onReceived]);
+  }, [channelName]);
 };
diff --git a/apps/webapp/src/lib/auth.ts b/apps/webapp/src/lib/auth.ts
@@ -5,8 +5,11 @@ import { db } from '@repo/db/client';
 import { users } from '@repo/db/schema';
 import { eq } from 'drizzle-orm';
 
-export class UserNotCreatedError {
-  constructor(public readonly userId: string) {}
+export class UserNotCreatedError extends Error {
+  constructor(public readonly userId: string) {
+    super(`User ${userId} not found in database`);
+    this.name = 'UserNotCreatedError';
+  }
 }
 
 export async function getSession() {
diff --git a/apps/webapp/src/lib/events.ts b/apps/webapp/src/lib/events.ts
diff --git a/packages/db/src/client.ts b/packages/db/src/client.ts
@@ -6,13 +6,11 @@ let pool: AuroraDSQLPool | undefined;
 
 export function getPool(): AuroraDSQLPool {
   if (!pool) {
-    pool = new AuroraDSQLPool({
-      host: process.env.DSQL_ENDPOINT!,
-      region: process.env.AWS_REGION!,
-      user: 'admin',
-      database: 'postgres',
-      port: 5432,
-    });
+    const host = process.env.DSQL_ENDPOINT;
+    if (!host) throw new Error('DSQL_ENDPOINT environment variable is required');
+    const region = process.env.AWS_REGION;
+    if (!region) throw new Error('AWS_REGION environment variable is required');
+    pool = new AuroraDSQLPool({ host, region, user: 'admin', database: 'postgres', port: 5432 });
   }
   return pool;
 }
diff --git a/packages/db/src/dsql-compat.ts b/packages/db/src/dsql-compat.ts
@@ -34,8 +34,11 @@ export function transformSql(sql: string): string {
   result = result.replace(/,\n\s*FOREIGN\s+KEY\s*\([^)]*\)\s*REFERENCES\s*"[^"]*"\s*\("[^"]*"\)[^\n]*/gi, '');
 
   // Remove inline REFERENCES from column definitions, preserving the column itself.
-  // e.g. "userId" text NOT NULL REFERENCES "User"("id") → "userId" text NOT NULL
-  result = result.replace(/\s+REFERENCES\s+"[^"]+"\("[^"]+"\)/gi, '');
+  // e.g. "userId" text NOT NULL REFERENCES "User"("id") ON DELETE CASCADE → "userId" text NOT NULL
+  result = result.replace(
+    /\s+REFERENCES\s+"[^"]+"\("[^"]+"\)(\s+ON\s+(?:DELETE|UPDATE)\s+(?:CASCADE|SET\s+NULL|SET\s+DEFAULT|RESTRICT|NO\s+ACTION))*/gi,
+    '',
+  );
 
   return result;
 }
diff --git a/packages/db/src/migrate.ts b/packages/db/src/migrate.ts
@@ -47,6 +47,12 @@ export async function migrate({ pool, migrationsDir }: MigrateOptions): Promise<
   }
 }
 
+/**
+ * SQL files are split into statements by blank lines (`\n\n`).
+ * Do NOT include blank lines inside a single SQL statement (e.g. within CREATE TABLE).
+ * drizzle-kit generate uses `--> statement-breakpoint` which check-dsql-compat.ts
+ * transforms to blank lines. Hand-written SQL must follow the same convention.
+ */
 async function runSqlMigration(client: PoolClient, filePath: string, file: string): Promise<void> {
   const content = fs.readFileSync(filePath, 'utf8');
   const statements = content
@@ -76,5 +82,11 @@ async function runTsMigration(client: PoolClient, filePath: string): Promise<voi
   if (typeof mod.default !== 'function') {
     throw new Error(`TS migration ${filePath} must export a default async function(client: PoolClient)`);
   }
-  await mod.default(client);
+  try {
+    await mod.default(client);
+  } catch (error) {
+    // Safety net: ROLLBACK any open transaction left by user code
+    await client.query('ROLLBACK').catch(() => {});
+    throw error;
+  }
 }
diff --git a/packages/event-utils/package.json b/packages/event-utils/package.json
@@ -0,0 +1,25 @@
+{
+  "name": "@repo/event-utils",
+  "version": "0.0.0",
+  "private": true,
+  "type": "module",
+  "exports": {
+    "./send-event": "./src/send-event.ts"
+  },
+  "scripts": {
+    "lint": "oxlint --config ../../oxlintrc.json --fix .",
+    "lint:ci": "oxlint --config ../../oxlintrc.json --max-warnings 0 .",
+    "check": "pnpm run lint",
+    "check:ci": "pnpm run lint:ci"
+  },
+  "dependencies": {
+    "@aws-crypto/sha256-js": "^5",
+    "@aws-sdk/credential-provider-node": "^3",
+    "@smithy/protocol-http": "^5",
+    "@smithy/signature-v4": "^5"
+  },
+  "devDependencies": {
+    "@types/node": "^22",
+    "typescript": "^5"
+  }
+}
diff --git a/packages/event-utils/src/send-event.ts b/packages/event-utils/src/send-event.ts
@@ -3,12 +3,11 @@ import { defaultProvider } from '@aws-sdk/credential-provider-node';
 import { HttpRequest } from '@smithy/protocol-http';
 import { Sha256 } from '@aws-crypto/sha256-js';
 
-const httpEndpoint = process.env.EVENT_HTTP_ENDPOINT!;
-const region = process.env.AWS_REGION!;
-
 export async function sendEvent(channelName: string, payload: unknown) {
-  if (httpEndpoint == null) {
-    console.log(`event api is not configured!`);
+  const httpEndpoint = process.env.EVENT_HTTP_ENDPOINT;
+  const region = process.env.AWS_REGION;
+  if (!httpEndpoint) {
+    console.log('event api is not configured!');
     return;
   }
 
@@ -17,10 +16,7 @@ export async function sendEvent(channelName: string, payload: unknown) {
 
   const requestToBeSigned = new HttpRequest({
     method: 'POST',
-    headers: {
-      'Content-Type': 'application/json',
-      host: url.host,
-    },
+    headers: { 'Content-Type': 'application/json', host: url.host },
     hostname: url.host,
     body: JSON.stringify({
       channel: `event-bus/${channelName}`,
@@ -31,15 +27,12 @@ export async function sendEvent(channelName: string, payload: unknown) {
 
   const signer = new SignatureV4({
     credentials: defaultProvider(),
-    region,
+    region: region!,
     service: 'appsync',
     sha256: Sha256,
   });
 
   const signed = await signer.sign(requestToBeSigned);
-  const request = new Request(endpoint, signed);
-
-  const res = await fetch(request);
-  const t = await res.text();
-  console.log(t);
+  const res = await fetch(new Request(endpoint, signed));
+  console.log(await res.text());
 }
diff --git a/packages/event-utils/tsconfig.json b/packages/event-utils/tsconfig.json
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml

Original file line number	Diff line number	Diff line change
`@@ -5,7 +5,7 @@ import type { Handler } from 'aws-lambda';`
`5`	`5`	`export const handler: Handler<unknown> = async (event) => {`
`6`	`6`	`const { data: payload, error } = jobPayloadPropsSchema.safeParse(event);`
`7`	`7`	`if (error) {`
`8`		`- console.log(error);`
	`8`	`+ console.error(error);`
`9`	`9`	`throw new Error(error.toString());`
`10`	`10`	`}`
`11`	`11`
Original file line number	Diff line number	Diff line change
`@@ -13,7 +13,7 @@ export default async function AuthCallbackPage() {`
`13`	`13`	`if (e instanceof UserNotCreatedError) {`
`14`	`14`	`const userId = e.userId;`
`15`	`15`	`console.log(userId);`
`16`		`- await db.insert(users).values({ id: userId });`
	`16`	`+ await db.insert(users).values({ id: userId }).onConflictDoNothing();`
`17`	`17`	`} else {`
`18`	`18`	`throw e;`
`19`	`19`	`}`