Add backup tool and document architecture rules for Copilot CLI#361
Merged
Conversation
Distills architecture rules (3-package import boundary, inference-api Runtime 404 trap, deploy order, SSE error model), conventions, and file-placement table. Points to .kiro/steering and .claude/skills for deeper dives. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>
Adds scripts/backup-data/ — a one-shot uv-managed Python tool that takes a complete, restore-friendly backup of all application data and users for a given CDK_PROJECT_PREFIX, plus a workflow_dispatch GitHub Actions workflow that runs it via the existing OIDC composite action.
Coverage: all ~20 application DynamoDB tables (via ExportTableToPointInTime for portable DynamoDB-JSON), user-content S3 buckets (via aws s3 sync), full Cognito user pool config including identity providers and app clients with their plaintext client secrets preserved (so IdP re-registration with the new infra can be fully automated), users / groups / group memberships, and best-effort AgentCore Memory events.
Each run lands in a freshly-created, versioned, SSE-encrypted, TLS-only backup bucket named {prefix}-backup-{utc_timestamp}. manifest.json is the single source of truth a future restore script will consume. Cognito password hashes are not exportable by AWS and that limitation is documented prominently. Ephemeral session/state tables are excluded by default.
Restore is intentionally a separate phase, to be written against the new infrastructure once it exists.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>
colinmxs
added a commit
that referenced
this pull request
May 22, 2026
Merges 16 commits from origin/develop into the stack-simplification branch. Two modify/delete conflicts resolved (mcp-sandbox-stack.ts and its test — both deleted by us, modified by develop's PRs #352–#360). Ported the dynamic per-resource CSP changes from develop into constructs/mcp-sandbox/mcp-sandbox-distribution-construct.ts: - Removed buildMcpSandboxProxyCsp() (static CSP is gone) - Added loadMcpSandboxCspFunctionCode() — loads csp-function.js from assets/mcp-sandbox/, substitutes the FRAME_ANCESTORS placeholder with the real source list via JSON.stringify (handles quote-escaping for 'none' correctly) - Added McpSandboxCspFunction (CloudFront Function, JS_2_0 runtime) associated at VIEWER_RESPONSE on the default behavior — composes per-resource CSP from ?csp= query param - Removed contentSecurityPolicy from the ResponseHeadersPolicy (CSP is now dynamic via the function; other security headers stay on RHP) - Shortened RHP comment to fit 128-char AWS cap The mcp-sandbox-csp-function.test.ts that came in from develop passes against our construct (88 tests green). Also merged: file-sources adapter framework (#366, #367), frontend test fix (#368), beta.27 release merges (#365, #369), kaizen doc (#370), backup tool (#361 — already cherry-picked earlier).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This pull request introduces a comprehensive, one-shot pre-migration backup tool for the AgentCore Public Stack. It provides a GitHub Actions workflow and a Python script (with supporting documentation and schema) to export all critical application data—including DynamoDB tables, S3 buckets, Cognito configuration, and AgentCore Memory—into a secure, portable S3 bucket. The backup is designed to be restore-friendly, with a clear manifest and strong conventions for sensitive data handling. The PR also includes detailed documentation and a manifest schema for verification and future restore steps.
Major additions and changes:
Backup Tool Implementation:
scripts/backup-data/with a Python 3.13 environment and strict dependency management, supporting full export of DynamoDB, S3, Cognito, and AgentCore Memory data. The tool is designed for portability and later restoration into a new infrastructure shape. [1] [2]GitHub Actions Workflow:
.github/workflows/backup-data.yml, a manual-dispatch workflow that orchestrates the backup process, passing environment-specific parameters and securely handling AWS credentials via OIDC. Supports dry-run, partial backup, and ephemeral table inclusion options.Documentation and Usage Guides:
scripts/backup-data/README.mdwith detailed instructions, IAM policy requirements, sensitive data warnings, and a verification checklist to ensure backup integrity and security..github/copilot-instructions.mdto clarify repository conventions, architecture, build/test/lint procedures, and debugging tips for contributors.Schema and Verification:
scripts/backup-data/manifest_schema.json, a JSON schema that defines the structure of the backup manifest, ensuring each backup is verifiable and machine-readable for future restore operations.Dependency Management:
pyproject.tomlfor the backup tool, specifying pinned dependencies for both runtime and development (including test and mock libraries for AWS services).