chore(cdk): clean no-magic-numbers baseline and flip rule to error (aws-samples#312) (aws-samples#340)

* chore(cdk): clean no-magic-numbers baseline and flip rule to error (aws-samples#312)

Promote inline numeric literals across CDK constructs and handlers to named
module constants, then make @typescript-eslint/no-magic-numbers blocking to
match CLI enforcement from aws-samples#258.

Co-authored-by: Cursor <cursoragent@cursor.com>

* chore(cdk): extract Lambda memory sizes and orchestrator timeout to constants

Address PR aws-samples#340 review feedback by promoting remaining memorySize literals
and the orchestrator 60s timeout to named module constants, reusing
CEDAR_WASM_MIN_LAMBDA_MEMORY_MB for GetPoliciesFn.

Co-authored-by: Cursor <cursoragent@cursor.com>

* fix(deps): pin js-yaml to 4.2.0 via yarn resolution

Force js-yaml 4.2.0 to remediate GHSA-h67p-54hq-rp68 pulled in transitively
by @istanbuljs/load-nyc-config, unblocking security:deps CI.

Co-authored-by: Cursor <cursoragent@cursor.com>

---------

Co-authored-by: bgagent <bgagent@noreply.github.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Sphia Sadek <isadeks@gmail.com>

Author: 4 people

cdk/eslint.config.mjs

@@ -158,9 +158,8 @@ export default [
       // TypeScript rules
       // AI007 guard (#258): inline numeric literals should be named constants.
       // Values shared across Python/TypeScript belong in contracts/constants.json
-      // (see contracts/constants.md). Advisory ('warn') until the existing
-      // baseline is cleaned up, then this becomes 'error' like in cli/.
-      '@typescript-eslint/no-magic-numbers': ['warn', {
+      // (see contracts/constants.md). Baseline cleaned in #312; blocking like cli/.
+      '@typescript-eslint/no-magic-numbers': ['error', {
         ignore: [
           // Identity / trivial arithmetic
           -1, 0, 1, 2,

cdk/src/constructs/agent-memory.ts

@@ -23,6 +23,9 @@ import type * as iam from 'aws-cdk-lib/aws-iam';
 import { NagSuppressions } from 'cdk-nag';
 import { Construct } from 'constructs';
 
+/** Default short-term memory event expiration (days). */
+const DEFAULT_EXPIRATION_DAYS = 365;
+
 /**
  * Properties for the AgentMemory construct.
  */
@@ -72,7 +75,7 @@ export class AgentMemory extends Construct {
     this.memory = new agentcore.Memory(this, 'Memory', {
       memoryName: props?.memoryName,
       description: 'Cross-task interaction memory for background coding agents',
-      expirationDuration: props?.expirationDuration ?? Duration.days(365),
+      expirationDuration: props?.expirationDuration ?? Duration.days(DEFAULT_EXPIRATION_DAYS),
       memoryStrategies: [
         agentcore.MemoryStrategy.usingSemantic({
           strategyName: 'SemanticKnowledge',

cdk/src/constructs/agent-vpc.ts

@@ -23,6 +23,9 @@ import * as logs from 'aws-cdk-lib/aws-logs';
 import { NagSuppressions } from 'cdk-nag';
 import { Construct } from 'constructs';
 
+/** HTTPS port — the only egress allowed from the Runtime ENIs. */
+const HTTPS_PORT = 443;
+
 /**
  * Properties for the AgentVpc construct.
  */
@@ -113,7 +116,7 @@ export class AgentVpc extends Construct {
 
     this.runtimeSecurityGroup.addEgressRule(
       ec2.Peer.anyIpv4(),
-      ec2.Port.tcp(443),
+      ec2.Port.tcp(HTTPS_PORT),
       'Allow HTTPS egress (GitHub + package registries via NAT, AWS services via endpoints)',
     );
 

cdk/src/constructs/approval-metrics-publisher-consumer.ts

@@ -28,6 +28,15 @@ import * as sqs from 'aws-cdk-lib/aws-sqs';
 import { NagSuppressions } from 'cdk-nag';
 import { Construct } from 'constructs';
 
+/** DLQ message retention for persistent-failure records (days). */
+const DLQ_RETENTION_DAYS = 14;
+
+/** Max batching window before the Lambda is invoked on a partial batch (seconds). */
+const DEFAULT_MAX_BATCHING_WINDOW_SECONDS = 5;
+
+/** Approval-metrics publisher Lambda memory (MB). */
+const PUBLISHER_MEMORY_MB = 256;
+
 /**
  * Properties for ``ApprovalMetricsPublisherConsumer`` — the Chunk 8
  * consumer that reads ``TaskEventsTable`` via DynamoDB Streams and
@@ -97,7 +106,7 @@ export class ApprovalMetricsPublisherConsumer extends Construct {
       // Chunk 10 follow-ups — until a notification channel is wired
       // to SNS, an alarm on ``ApproximateNumberOfMessagesVisible``
       // would fire into the void.
-      retentionPeriod: Duration.days(14),
+      retentionPeriod: Duration.days(DLQ_RETENTION_DAYS),
       enforceSSL: true,
     });
 
@@ -121,7 +130,7 @@ export class ApprovalMetricsPublisherConsumer extends Construct {
       // lines) — 256 MB is more than enough. Timeout is 1 minute to
       // match fanout; actual invocations should finish in tens of ms.
       timeout: Duration.minutes(1),
-      memorySize: 256,
+      memorySize: PUBLISHER_MEMORY_MB,
       logGroup,
       bundling: {
         externalModules: ['@aws-sdk/*'],
@@ -146,7 +155,7 @@ export class ApprovalMetricsPublisherConsumer extends Construct {
     this.fn.addEventSource(new DynamoEventSource(props.taskEventsTable, {
       startingPosition: StartingPosition.LATEST,
       batchSize: props.batchSize ?? 100,
-      maxBatchingWindow: props.maxBatchingWindow ?? Duration.seconds(5),
+      maxBatchingWindow: props.maxBatchingWindow ?? Duration.seconds(DEFAULT_MAX_BATCHING_WINDOW_SECONDS),
       retryAttempts: 3,
       onFailure: new SqsDlq(this.dlq),
       reportBatchItemFailures: true,

cdk/src/constructs/attachments-bucket.ts

@@ -24,6 +24,9 @@ import { Construct } from 'constructs';
 /** Lifecycle expiry for task attachments — matches task record retention. */
 export const ATTACHMENT_TTL_DAYS = 90;
 
+/** Noncurrent version expiry — covers the longest-running tasks. */
+const NONCURRENT_VERSION_TTL_DAYS = 7;
+
 /** S3 key prefix for all attachments. Layout: attachments/<user_id>/<task_id>/<attachment_id>/<filename> */
 export const ATTACHMENT_OBJECT_KEY_PREFIX = 'attachments/';
 
@@ -77,7 +80,7 @@ export class AttachmentsBucket extends Construct {
           id: 'attachments-ttl',
           enabled: true,
           expiration: Duration.days(ATTACHMENT_TTL_DAYS),
-          noncurrentVersionExpiration: Duration.days(7),
+          noncurrentVersionExpiration: Duration.days(NONCURRENT_VERSION_TTL_DAYS),
           abortIncompleteMultipartUploadAfter: Duration.days(1),
         },
       ],

cdk/src/constructs/blueprint.ts

@@ -39,6 +39,12 @@ const DOMAIN_PATTERN = /^(\*\.)?[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9
 const APPROVAL_GATE_CAP_MIN = sharedConstants.approval_gate_cap.min;
 const APPROVAL_GATE_CAP_MAX = sharedConstants.approval_gate_cap.max;
 
+/** Timeout for the RepoConfig custom resource (minutes). */
+const REPO_CONFIG_CR_TIMEOUT_MINUTES = 5;
+
+/** TTL (days) applied to a RepoConfig row on blueprint delete before cleanup. */
+const REMOVED_REPO_TTL_DAYS = 30;
+
 /**
  * Properties for the Blueprint construct.
  */
@@ -244,7 +250,7 @@ export class Blueprint extends Construct {
     }
 
     new cr.AwsCustomResource(this, 'RepoConfigCR', {
-      timeout: Duration.minutes(5),
+      timeout: Duration.minutes(REPO_CONFIG_CR_TIMEOUT_MINUTES),
       onCreate: {
         service: 'DynamoDB',
         action: 'putItem',
@@ -289,7 +295,7 @@ export class Blueprint extends Construct {
           ExpressionAttributeValues: {
             ':removed': { S: 'removed' },
             ':now': { S: new Date().toISOString() },
-            ':ttl': { N: String(Math.floor(Date.now() / 1000) + 30 * 86400) },
+            ':ttl': { N: String(Math.floor(Date.now() / 1000) + REMOVED_REPO_TTL_DAYS * 86400) },
           },
         },
       },

cdk/src/constructs/concurrency-reconciler.ts

@@ -27,6 +27,15 @@ import * as lambda from 'aws-cdk-lib/aws-lambda-nodejs';
 import { NagSuppressions } from 'cdk-nag';
 import { Construct } from 'constructs';
 
+/** Reconciler Lambda timeout (minutes). */
+const RECONCILER_TIMEOUT_MINUTES = 5;
+
+/** Default reconciliation schedule interval (minutes). */
+const DEFAULT_SCHEDULE_MINUTES = 15;
+
+/** Reconciler Lambda memory (MB). */
+const RECONCILER_MEMORY_MB = 256;
+
 /**
  * Properties for ConcurrencyReconciler construct.
  */
@@ -66,8 +75,8 @@ export class ConcurrencyReconciler extends Construct {
       handler: 'handler',
       runtime: Runtime.NODEJS_24_X,
       architecture: Architecture.ARM_64,
-      timeout: Duration.minutes(5),
-      memorySize: 256,
+      timeout: Duration.minutes(RECONCILER_TIMEOUT_MINUTES),
+      memorySize: RECONCILER_MEMORY_MB,
       environment: {
         TASK_TABLE_NAME: props.taskTable.tableName,
         USER_CONCURRENCY_TABLE_NAME: props.userConcurrencyTable.tableName,
@@ -80,7 +89,7 @@ export class ConcurrencyReconciler extends Construct {
     props.taskTable.grantReadData(this.fn);
     props.userConcurrencyTable.grantReadWriteData(this.fn);
 
-    const schedule = props.schedule ?? Duration.minutes(15);
+    const schedule = props.schedule ?? Duration.minutes(DEFAULT_SCHEDULE_MINUTES);
     const rule = new events.Rule(this, 'ReconcilerSchedule', {
       schedule: events.Schedule.rate(schedule),
     });

cdk/src/constructs/ecs-agent-cluster.ts

@@ -62,6 +62,9 @@ const BEDROCK_MODEL_IDS = [
   'anthropic.claude-haiku-4-5-20251001-v1:0',
 ];
 
+/** HTTPS port — the only egress allowed from the agent task ENIs. */
+const HTTPS_PORT = 443;
+
 export class EcsAgentCluster extends Construct {
   public readonly cluster: ecs.Cluster;
   public readonly taskDefinition: ecs.FargateTaskDefinition;
@@ -90,7 +93,7 @@ export class EcsAgentCluster extends Construct {
 
     this.securityGroup.addEgressRule(
       ec2.Peer.anyIpv4(),
-      ec2.Port.tcp(443),
+      ec2.Port.tcp(HTTPS_PORT),
       'Allow HTTPS egress (GitHub API, AWS services)',
     );
 

cdk/src/constructs/fanout-consumer.ts

@@ -31,6 +31,18 @@ import * as sqs from 'aws-cdk-lib/aws-sqs';
 import { NagSuppressions } from 'cdk-nag';
 import { Construct } from 'constructs';
 
+/** DLQ message retention for persistent-failure records (days). */
+const DLQ_RETENTION_DAYS = 14;
+
+/** Max batching window before the Lambda is invoked on a partial batch (seconds). */
+const DEFAULT_MAX_BATCHING_WINDOW_SECONDS = 5;
+
+/** DLQ-depth alarm metric period (minutes). */
+const DLQ_ALARM_PERIOD_MINUTES = 5;
+
+/** Fan-out consumer Lambda memory (MB). */
+const FANOUT_MEMORY_MB = 256;
+
 /**
  * Properties for `FanOutConsumer` — the Phase 1b §8.9 fan-out plane
  * consumer that reads `TaskEventsTable` via DynamoDB Streams and
@@ -137,7 +149,7 @@ export class FanOutConsumer extends Construct {
     this.dlq = new sqs.Queue(this, 'FanOutDlq', {
       // Persistent failures (e.g., dispatcher throws non-caught error
       // five times in a row) land here for operator inspection.
-      retentionPeriod: Duration.days(14),
+      retentionPeriod: Duration.days(DLQ_RETENTION_DAYS),
       enforceSSL: true,
     });
 
@@ -157,7 +169,7 @@ export class FanOutConsumer extends Construct {
       runtime: Runtime.NODEJS_24_X,
       architecture: Architecture.ARM_64,
       timeout: Duration.minutes(1),
-      memorySize: 256,
+      memorySize: FANOUT_MEMORY_MB,
       logGroup,
       bundling: {
         externalModules: ['@aws-sdk/*'],
@@ -226,7 +238,7 @@ export class FanOutConsumer extends Construct {
     // record means three Lambda retries already failed.
     this.dlqDepthAlarm = new cloudwatch.Alarm(this, 'FanOutDlqDepthAlarm', {
       metric: this.dlq.metricApproximateNumberOfMessagesVisible({
-        period: Duration.minutes(5),
+        period: Duration.minutes(DLQ_ALARM_PERIOD_MINUTES),
         statistic: 'Maximum',
       }),
       threshold: 1,
@@ -239,7 +251,7 @@ export class FanOutConsumer extends Construct {
     this.fn.addEventSource(new DynamoEventSource(props.taskEventsTable, {
       startingPosition: StartingPosition.LATEST,
       batchSize: props.batchSize ?? 100,
-      maxBatchingWindow: props.maxBatchingWindow ?? Duration.seconds(5),
+      maxBatchingWindow: props.maxBatchingWindow ?? Duration.seconds(DEFAULT_MAX_BATCHING_WINDOW_SECONDS),
       // Fan-out delivery is best-effort; don't block the stream if one
       // poisonous record blows up the Lambda. After 3 retries, send the
       // record batch to the DLQ and advance the iterator.

cdk/src/constructs/github-screenshot-integration.ts

@@ -31,6 +31,18 @@ import { NagSuppressions } from 'cdk-nag';
 import { Construct } from 'constructs';
 import { ScreenshotBucket } from './screenshot-bucket';
 
+/** Async screenshot-processor Lambda timeout (seconds). */
+const PROCESSOR_TIMEOUT_SECONDS = 120;
+
+/** Async-invoke DLQ message retention (days). */
+const PROCESSOR_DLQ_RETENTION_DAYS = 14;
+
+/** DLQ-depth alarm metric period (minutes). */
+const DLQ_ALARM_PERIOD_MINUTES = 5;
+
+/** Async screenshot-processor Lambda memory (MB). */
+const PROCESSOR_MEMORY_MB = 512;
+
 /**
  * Properties for GitHubScreenshotIntegration construct.
  */
@@ -161,7 +173,7 @@ export class GitHubScreenshotIntegration extends Construct {
     // would otherwise vanish after Lambda's built-in async retries. The
     // DLQ keeps the failed invocation payload for operator inspection.
     const processorDlq = new sqs.Queue(this, 'WebhookProcessorDlq', {
-      retentionPeriod: Duration.days(14),
+      retentionPeriod: Duration.days(PROCESSOR_DLQ_RETENTION_DAYS),
       enforceSSL: true,
     });
 
@@ -170,8 +182,8 @@ export class GitHubScreenshotIntegration extends Construct {
       handler: 'handler',
       runtime: Runtime.NODEJS_24_X,
       architecture: Architecture.ARM_64,
-      timeout: Duration.seconds(120),
-      memorySize: 512,
+      timeout: Duration.seconds(PROCESSOR_TIMEOUT_SECONDS),
+      memorySize: PROCESSOR_MEMORY_MB,
       deadLetterQueue: processorDlq,
       environment: {
         SCREENSHOT_BUCKET_NAME: this.screenshotBucket.bucket.bucketName,
@@ -197,7 +209,7 @@ export class GitHubScreenshotIntegration extends Construct {
     // threshold-1 shape as FanOutConsumer.dlqDepthAlarm.
     this.processorDlqDepthAlarm = new cloudwatch.Alarm(this, 'WebhookProcessorDlqDepthAlarm', {
       metric: processorDlq.metricApproximateNumberOfMessagesVisible({
-        period: Duration.minutes(5),
+        period: Duration.minutes(DLQ_ALARM_PERIOD_MINUTES),
         statistic: 'Maximum',
       }),
       threshold: 1,