Releases: timpugh/lambda-powertools-reference

v2.0.3 — portable CDK snapshot tests

19 Jun 03:26


Patch release following up v2.0.2.

  • fix: normalize the Lambda version logical-id hash in the CDK snapshot
    tests so they're deterministic across build environments (the backend
    snapshot failed in CI though it passed locally, because the asset-derived
    version hash differs between a local run and CI's fresh checkout)

v2.0.2 — layered Lambda, snapshot tests, expanded fork docs

18 Jun 21:27


  • refactor: split the Lambda handler into handler/service/model layers
    (behavior unchanged; the generated OpenAPI spec is byte-identical)
  • test: add CloudFormation template snapshot tests across all five stacks
    (asset hashes normalized; regenerate with UPDATE_SNAPSHOTS=1 make test-cdk)
  • docs: expand the README for forkers — consolidated cost overview, the
    testing approaches used and not used, Secrets-Manager-vs-SSM and
    configuration guidance, and scaling pointers (async/event-driven,
    multi-tenant/SaaS, API surface conventions, privacy/compliance)
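The hash normalization that the v2.0.2 snapshot tests rely on, and that the v2.0.3 fix extends to the Lambda version logical ID, as an added Python illustration (this is not the project's test code). It assumes two CDK conventions: a Lambda code asset is referenced as `<64 hex>.zip` in the Function's `S3Key`, and the logical ID CDK generates for `Function.currentVersion` ends in `CurrentVersion<hex>`, where the trailing hex is derived from the code asset and so differs between a local build and a fresh CI checkout. The sample templates are constructed.

```python
"""Normalize a synthesized CloudFormation template before snapshot comparison.

Added illustration, not the project's own test code. Assumed conventions:
asset keys look like "<64 hex>.zip", and a Lambda Version's logical ID looks
like "<Function>CurrentVersion<hex>" with the hex tied to the code asset.
"""
import copy
import json
import re

ASSET_KEY_RE = re.compile(r"\b[0-9a-f]{64}(\.(?:zip|json|jar))\b")
VERSION_ID_RE = re.compile(r"^(.*CurrentVersion)[0-9A-Fa-f]+$")


def _rewrite_strings(node, fn):
    """Apply fn to every string leaf of a nested dict/list structure."""
    if isinstance(node, dict):
        return {k: _rewrite_strings(v, fn) for k, v in node.items()}
    if isinstance(node, list):
        return [_rewrite_strings(v, fn) for v in node]
    if isinstance(node, str):
        return fn(node)
    return node


def normalize_template(template: dict) -> dict:
    """Return a copy in which environment-dependent hashes are placeholders.

    1. Every resource whose logical ID matches ...CurrentVersion<hex> is renamed
       to ...CurrentVersionNORMALIZED, and each Ref / Fn::GetAtt / DependsOn /
       Fn::Sub string naming the old ID is rewritten to match.
    2. Asset object keys of the form <64 hex>.zip become ASSET_HASH.zip.
    The input template is not mutated.
    """
    t = copy.deepcopy(template)
    resources = t.get("Resources", {})
    renames = {}
    for logical_id in list(resources):
        m = VERSION_ID_RE.match(logical_id)
        if m:
            renames[logical_id] = m.group(1) + "NORMALIZED"
    t["Resources"] = {renames.get(k, k): v for k, v in resources.items()}

    def fix(s: str) -> str:
        s = renames.get(s, s)  # exact matches: Ref, Fn::GetAtt[0], DependsOn
        for old, new in renames.items():  # Fn::Sub "${OldId}" references
            s = s.replace("${" + old + "}", "${" + new + "}")
        return ASSET_KEY_RE.sub(r"ASSET_HASH\1", s)

    return _rewrite_strings(t, fix)


def canonical(template: dict) -> str:
    """Stable JSON text suitable for writing to, or diffing against, a snapshot."""
    return json.dumps(normalize_template(template), sort_keys=True, indent=2)


def _sample_template(asset_hash: str, version_hash: str) -> dict:
    """Constructed stand-in for a synthesized backend stack (not real CDK output)."""
    version_id = "BackendFunctionCurrentVersion" + version_hash
    return {
        "Resources": {
            "BackendFunction": {
                "Type": "AWS::Lambda::Function",
                "Properties": {
                    "Code": {"S3Bucket": "cdk-assets-bucket", "S3Key": asset_hash + ".zip"},
                    "Handler": "app.handler",
                    "Runtime": "python3.12",
                },
            },
            version_id: {
                "Type": "AWS::Lambda::Version",
                "Properties": {"FunctionName": {"Ref": "BackendFunction"}},
            },
            "BackendAlias": {
                "Type": "AWS::Lambda::Alias",
                "Properties": {
                    "FunctionName": {"Ref": "BackendFunction"},
                    "FunctionVersion": {"Fn::GetAtt": [version_id, "Version"]},
                    "Name": "live",
                },
            },
        }
    }


# The same stack synthesized in two environments: identical except for the
# asset hash and the version-ID suffix derived from it (values constructed).
LOCAL_SYNTH = _sample_template("a" * 64, "7D84E8E5" + "0" * 32)
CI_SYNTH = _sample_template("b" * 64, "7D84E8E5" + "1" * 32)

if __name__ == "__main__":
    print("snapshots match:", canonical(LOCAL_SYNTH) == canonical(CI_SYNTH))
```

Renaming only the `Resources` key is not enough: the Alias's `Fn::GetAtt` and any `DependsOn` or `Fn::Sub` still carry the old ID, so the walk over every string leaf is what keeps the normalized template internally consistent. Running `canonical()` on both synth outputs before comparing them (or before writing the snapshot when regenerating) is what makes the test independent of where the assets were built.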

v2.0.1 — dependency maintenance

17 Jun 03:36


Patch release on top of v2.0.0. No functional or infrastructure changes — only
dependency updates, landed via Dependabot and merged through the make deps-merge
flow (rebase onto main, regenerate uv.lock + lambda/requirements.txt, CI-gated
auto-merge):

  • linting group: ruff / mypy / pylint / etc. (#78)
  • patches groups: transitive + tooling pins (#72, #84)

See the [2.0.1] section of CHANGELOG.md.

v2.0.0 — De-branded "ServerlessApp" reference architecture

16 Jun 23:49


Major release. The headline change is a full de-brand from the "HelloWorld"
placeholder to role-based names — breaking for anyone who forked an earlier tag.

BREAKING CHANGES

  • CDK package renamed: hello_world/ -> infrastructure/ (imports change).
  • Stack names renamed: HelloWorld{,Data,Frontend,Waf,Audit}-{region} ->
    ServerlessApp{Backend,Data,Frontend,Waf,Audit}-{region}. Deploying v2.0.0 does
    NOT update a v1.x stack set in place — CloudFormation matches by name, so new
    stacks are created; destroy the old set (or migrate state) when upgrading.
  • API route renamed: GET /hello -> GET /greeting.
  • Distribution/package name: hello-world -> serverless-app.
  • Classes (HelloWorldApp -> BackendApp, HelloWorldStack -> BackendStack, etc.),
    construct IDs, metric namespace (HelloWorld -> ServerlessApp), and service name
    (hello-world -> serverless-app) all de-branded. The greeting payload value
    "hello world" is intentionally unchanged.

HIGHLIGHTS SINCE v1.1.0

  • Two stateful stacks behind one retain_data switch: DataStack (DynamoDB + CMK)
    and AuditStack (CloudTrail object-level S3 data-event trail + bucket + CMK).
  • Progressive delivery: CodeDeploy canary on the Lambda alias, plus an opt-in
    AppConfig gradual rollout with alarm-driven rollback.
  • WAF logs to S3 (aws-waf-logs-*) with partition-projected Athena/Glue tables; a
    regional WAF on API Gateway closes the execute-api CloudFront-bypass window.
  • TemplateConventionChecks validation Aspect; committed + CI-gated OpenAPI spec;
    a PR CloudFormation-diff job; in-house coverage badge; env/region stack dimension.
  • Verified end-to-end on a live deploy + destroy-clean teardown.

Full changelog: see the [2.0.0] section of CHANGELOG.md.

v1.1.0 — security hardening, audit fixes, and teardown safety

09 Jun 05:16
83645c8


  • API Gateway regional WAF, throttling, reserved concurrency, HSTS/CSP headers
  • Add make destroy-clean and tighten tooling config
  • Concurrency control, job timeouts, pinned CDK CLI, full-group audit
  • Document the release-cutting workflow
  • Document doctor + clean-venvs targets and venv strategy
  • Add CLAUDE.md for future Claude Code sessions
  • Document cdk-* make targets and --trace tip
  • Add gitignore.io to Resources
  • Document cdk-revert-drift and a future drift-as-CI-signal step
  • Reconcile README/TODO/diagram with shipped code; document teardown race
  • Add cleanup CR for RUM's auto-created log group
  • Suppress AwsSolutions-IAM5 on the RUM cleanup CR
  • Revert .bandit exclude_dirs anchoring that broke the tests exclusion
  • Add doctor + clean-venvs targets, expand venv-location preamble
  • Add cdk-diff/drift/diagnose/gc/rollback/ls targets
  • Bump idna 3.13->3.16 and pymdown-extensions 10.21.2->10.21.3
  • Add cdk-revert-drift target for drift remediation
  • Strengthen CDK/unit/integration assertions and add regression guards

v1.0.1 — Documentation patch

13 May 00:38


Documentation-only release. No code or infrastructure changes.

Highlights:

  • AWS architecture diagram embedded at the top of the README, generated
    via the deploy-on-aws Claude Code plugin's aws-architecture-diagram
    skill. Source committed at docs/architecture.drawio; rendered PNG at
    docs/architecture.png. Covers the request path, Lambda's config/state
    dependencies, the audit + access-log analytics pipeline, and the
    auxiliary observability layer. Ten numbered steps + right-side legend.
  • CHANGELOG.md auto-generated from conventional-commit history via
    git-cliff (cliff.toml). Dependabot bumps and merge commits filtered
    out so the changelog reflects feature/fix/docs/CI history rather than
    dependency churn.
  • README "Commit message convention" section documents the git-cliff
    workflow and mentions Commitizen as an optional author-time enforcer
    for forks that want it.
  • "Worth flagging if forked for a real workload" section adds ggshield
    (full-history secret scanning), a pointer to Renovate's post-upgrade
    tasks feature, and CloudEvents (event-format spec to adopt up front
    if a fork ever introduces async event sources).

v1.0.0 — First stable release

12 May 14:45


A production-grade AWS CDK reference architecture for Lambda + Powertools
serverless applications.

Highlights:

  • Three-stack composition (WAF, backend, frontend) inside a cdk.Stage,
    with cross-region WAF reference support.
  • CMK encryption end-to-end on every resource that supports a per-resource
    key: DynamoDB, Lambda env vars, all log groups, frontend S3 bucket,
    AppConfig hosted configuration content, SQS DLQs, and CloudTrail trail
    log files. Account/region-wide encryption settings (X-Ray, Glue
    catalog) deliberately out of scope per the forkability constraints.
  • Five-rule-pack cdk-nag gating every synth (AwsSolutions, Serverless,
    NIST 800-53 R5, HIPAA Security, PCI DSS 3.2.1), descending into
    Stage-nested stacks via the '**' glob.
  • Confused-deputy-guarded service-principal grants on every CMK
    (CloudWatch Logs, CloudTrail, GuardDuty).
  • WAF with five managed rule sets + forwarded-IP rate limit, attached
    to CloudFront.
  • CloudTrail with object-level S3 data events on every audited bucket,
    log-file integrity validation, CMK-encrypted trail log files, and
    account/source-ARN-scoped bucket-policy Deny statements.
  • Async failure destination on every CDK-managed singleton Lambda so
    CloudFormation provider crashes preserve their event envelope to SQS.
  • Supply-chain hygiene: pip-audit + bandit + hash-pinned actions +
    grouped Dependabot updates + uv.lock <-> lambda/requirements.txt
    drift check in CI + v1.0 safety nets (detect-private-key,
    check-merge-conflict, check-added-large-files).
  • CloudWatch RUM browser telemetry joined to backend X-Ray traces via
    cwr's client-side X-Ray segment integration.
  • Athena + Glue access-log analytics with per-object SSE-KMS overrides
    on query results.
  • Powertools idempotency on the application Lambda with caller-supplied
    Idempotency-Key header enforcement (raise_on_no_idempotency_key=True).
  • Zensical-built HTML documentation deployed to GitHub Pages on every
    push to main, with OpenAPI spec regenerated from the live handler.
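The "confused-deputy-guarded service-principal grants" item above, as an added Python illustration of the check a fork can run over its synthesized templates (this is not the project's code). It treats a key-policy statement as guarded when it carries one of the condition keys AWS documents for scoping a service principal to this account or to one resource: the global `aws:SourceAccount` / `aws:SourceArn` keys, or the service's own encryption-context key (`kms:EncryptionContext:aws:logs:arn` for CloudWatch Logs, `kms:EncryptionContext:aws:cloudtrail:arn` for CloudTrail). The exact set of keys the project uses is not stated on the page; `GUARD_KEYS`, `ACCOUNT_ID` and the sample template are assumptions or constructed placeholders.

```python
"""Lint KMS key policies for service-principal grants lacking a confused-deputy guard.

Added illustration, not the project's code. GUARD_KEYS is an assumed list of
the condition keys that scope a service principal to this account or resource;
ACCOUNT_ID, REGION and SAMPLE_TEMPLATE are constructed placeholders.
"""
import copy
import json

ACCOUNT_ID = "111111111111"  # placeholder, not a real account
REGION = "us-east-1"

# Without one of these, any resource of that service (in any account the
# service acts for) could drive the key: the classic confused deputy.
GUARD_KEYS = {
    "aws:SourceAccount",
    "aws:SourceArn",
    "kms:EncryptionContext:aws:logs:arn",        # CloudWatch Logs
    "kms:EncryptionContext:aws:cloudtrail:arn",  # CloudTrail
}


def service_principals(statement: dict) -> list:
    """Service principals named by a statement; [] for AWS principals or '*'."""
    principal = statement.get("Principal")
    if not isinstance(principal, dict):
        return []
    services = principal.get("Service", [])
    return [services] if isinstance(services, str) else list(services)


def condition_keys(statement: dict) -> set:
    """All condition keys used by a statement, regardless of operator."""
    keys = set()
    for operator_map in statement.get("Condition", {}).values():
        keys.update(operator_map)
    return keys


def is_unguarded(statement: dict) -> bool:
    return (statement.get("Effect") == "Allow"
            and bool(service_principals(statement))
            and not (condition_keys(statement) & GUARD_KEYS))


def unguarded_service_grants(key_policy: dict) -> list:
    """(Sid, service) for each Allow statement granting a service with no guard."""
    findings = []
    for stmt in key_policy.get("Statement", []):
        if is_unguarded(stmt):
            findings.extend((stmt.get("Sid", "<no Sid>"), s) for s in service_principals(stmt))
    return findings


def scan_template(template: dict) -> dict:
    """Map each AWS::KMS::Key logical ID in a synthesized template to its findings."""
    return {lid: unguarded_service_grants(res["Properties"]["KeyPolicy"])
            for lid, res in template.get("Resources", {}).items()
            if res.get("Type") == "AWS::KMS::Key"}


def add_source_account_guard(statement: dict, account_id: str) -> dict:
    """Copy of statement with an aws:SourceAccount guard added (hardened form)."""
    hardened = copy.deepcopy(statement)
    cond = hardened.setdefault("Condition", {}).setdefault("StringEquals", {})
    cond["aws:SourceAccount"] = account_id
    return hardened


def hardened_template(template: dict, account_id: str = ACCOUNT_ID) -> dict:
    """Copy of template with every unguarded service grant given a SourceAccount guard."""
    fixed = copy.deepcopy(template)
    for res in fixed.get("Resources", {}).values():
        if res.get("Type") == "AWS::KMS::Key":
            policy = res["Properties"]["KeyPolicy"]
            policy["Statement"] = [add_source_account_guard(s, account_id) if is_unguarded(s) else s
                                   for s in policy["Statement"]]
    return fixed


# Constructed template: the Logs grant is guarded, the CloudTrail grant is not.
SAMPLE_TEMPLATE = {"Resources": {"AuditKey": {"Type": "AWS::KMS::Key", "Properties": {"KeyPolicy": {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "RootAdmin", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"}, "Action": "kms:*", "Resource": "*"},
        {"Sid": "AllowLogs", "Effect": "Allow",
         "Principal": {"Service": f"logs.{REGION}.amazonaws.com"},
         "Action": ["kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:Describe*"],
         "Resource": "*",
         "Condition": {"ArnLike": {"kms:EncryptionContext:aws:logs:arn":
                                   f"arn:aws:logs:{REGION}:{ACCOUNT_ID}:log-group:*"}}},
        {"Sid": "AllowCloudTrail", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": ["kms:GenerateDataKey*", "kms:DescribeKey"], "Resource": "*"},
    ]}}}}}

if __name__ == "__main__":
    print(json.dumps(scan_template(SAMPLE_TEMPLATE), indent=2))
    print(json.dumps(scan_template(hardened_template(SAMPLE_TEMPLATE)), indent=2))
```

`scan_template()` is the shape that fits a CDK test: synthesize the stage, load each stack template, and assert the report is empty for every key. `add_source_account_guard()` is the minimal hardening; a per-service encryption-context or `aws:SourceArn` condition is tighter where the service supports it, and is what the CloudWatch Logs statement in the sample shows.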

See TODO.md "Production readiness checklist" for the items a fork
needs to fill in before customer traffic touches it.