@landonshumway-ia
Collaborator

@landonshumway-ia landonshumway-ia commented Jan 12, 2026

To support calling the search API from the frontend, we need to pass in the new domain as a config value in the SSM parameter that is used by the frontend CDK app when setting the frontend env vars and configuring the CSP headers.

Summary by CodeRabbit

  • New Features

    • Support for a dedicated search API domain so the frontend can target a separate search endpoint.
  • Chores

    • CSP updated to permit requests to the search API domain.
    • Frontend environment and persisted configuration extended to expose the search API domain.
    • Multiple dependency version bumps across backend and UI packages.
  • Tests

    • Tests and deployment snapshots updated to include and validate the search API domain.


@coderabbitai
Contributor

coderabbitai bot commented Jan 12, 2026

📝 Walkthrough

Adds a new configurable search_api_domain_name and propagates it through persistent frontend config, deployment/distribution replacements, the CloudFront CSP Lambda (connect-src), tests, and snapshots; also includes several dependency pin bumps and minor build-script edits.

Changes

| Cohort / File(s) | Change Summary |
|---|---|
| Frontend config & tests: backend/common-cdk/common_constructs/frontend_app_config_utility.py, backend/compact-connect/stacks/persistent_stack/__init__.py, backend/compact-connect/tests/app/test_frontend_app_config.py | Added search_api_domain_name parameter to set_domain_names(); persisted value in dummy/test config; added PersistentStackFrontendAppConfigValues.search_api_domain_name property; updated callers and tests. |
| CloudFront CSP Lambda & tests: backend/compact-connect-ui-app/lambdas/nodejs/cloudfront-csp/index.js, backend/compact-connect-ui-app/lambdas/nodejs/cloudfront-csp/test/index.test.js | Introduced environmentValues.searchApi → exposed as domains.searchApi; added domains.searchApi to CSP connect-src; tests updated to provide ##SEARCH_API## replacement. |
| Deployment & distribution wiring: backend/compact-connect-ui-app/stacks/frontend_deployment_stack/deployment.py, backend/compact-connect-ui-app/stacks/frontend_deployment_stack/distribution.py | Switched VUE_APP_API_SEARCH_ROOT to use search_api_domain_name; added ##SEARCH_API## replacement mapping when generating CSP Lambda zip. |
| Build tooling (JS): backend/compact-connect-ui-app/lambdas/nodejs/package.json, backend/compact-connect/lambdas/nodejs/package.json | Updated audit:dependencies script to treat Yarn audit exit codes ≥4 as failure (non-zero exit). |
| Snapshots / Lambda versions: backend/compact-connect-ui-app/tests/resources/snapshots/* | Updated inline Lambda environment snapshots to include searchApi; updated Lambda version Ref values in distribution snapshots. |
| Python dependency pins: backend/compact-connect/**/requirements*.txt, backend/compact-connect-ui-app/**/requirements*.txt, backend/compact-connect/lambdas/python/**/requirements*.txt | Multiple patch/minor version bumps across many requirements*.txt and requirements-dev.txt files (version updates only). |

Sequence Diagram(s)

sequenceDiagram
  participant PersistentStack
  participant Deployment
  participant DistributionBuilder
  participant CSPLambda
  participant CloudFront

  PersistentStack->>Deployment: expose search_api_domain_name
  Deployment->>DistributionBuilder: include ##SEARCH_API## -> search_api_domain_name
  DistributionBuilder->>CSPLambda: inject searchApi env into Lambda zip
  CloudFront->>CSPLambda: viewer-response triggers CSP Lambda
  CSPLambda->>CloudFront: return CSP headers including domains.searchApi in connect-src

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

Suggested reviewers

  • jlkravitz
  • jusdino
  • isabeleliassen

Poem

🐰 A tiny domain hopped through the stack,
Into configs, zips, and CSP's track,
Headers now whisper a brand-new name,
Search hops in, and nothing's the same,
🥕 The rabbit cheers — success on the rack!

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Description check | ⚠️ Warning | The PR description is minimal and does not follow the provided template structure. Required sections like Requirements, Testing, and issue closure are missing. | Complete the description by adding Required sections (Requirements List, Description List, Testing List with specific commands), and reference the closing issue number. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The PR title clearly describes the main change: adding search API domain parameter for frontend environment variables and CSP header configuration. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 91.67% which is sufficient. The required threshold is 80.00%. |



📜 Recent review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e17644f and 4de762a.

📒 Files selected for processing (1)
  • backend/compact-connect/lambdas/python/purchases/requirements-dev.txt
🧰 Additional context used
🧠 Learnings (6)
📚 Learning: 2025-07-22T03:52:25.934Z
Learnt from: landonshumway-ia
Repo: csg-org/CompactConnect PR: 907
File: backend/compact-connect/lambdas/python/provider-data-v1/requirements.txt:2-2
Timestamp: 2025-07-22T03:52:25.934Z
Learning: In CompactConnect, the Python version used by pip-compile to generate requirements.txt files (shown in the header comment) is separate from the actual Lambda runtime environment. Dependencies are installed by a Python 3.12 container during the CI/CD pipeline, ensuring runtime compatibility regardless of the Python version used for pip-compile dependency resolution.

Applied to files:

  • backend/compact-connect/lambdas/python/purchases/requirements-dev.txt
📚 Learning: 2025-08-12T19:49:24.999Z
Learnt from: landonshumway-ia
Repo: csg-org/CompactConnect PR: 1001
File: backend/compact-connect/lambdas/python/disaster-recovery/requirements.in:1-1
Timestamp: 2025-08-12T19:49:24.999Z
Learning: In CompactConnect disaster-recovery Lambda functions, runtime dependencies like boto3, aws-lambda-powertools, and botocore are provided by lambda layers at deploy time rather than being specified in requirements.in files. The requirements.in file intentionally contains only a comment explaining this approach.

Applied to files:

  • backend/compact-connect/lambdas/python/purchases/requirements-dev.txt
📚 Learning: 2025-07-22T03:36:17.137Z
Learnt from: landonshumway-ia
Repo: csg-org/CompactConnect PR: 907
File: backend/compact-connect/lambdas/python/purchases/requirements-dev.txt:15-0
Timestamp: 2025-07-22T03:36:17.137Z
Learning: In CompactConnect, requirements-dev.txt files for Lambda functions are used exclusively for running tests and development, not for actual Lambda runtime environments. Concerns about runtime compatibility (like OpenSSL versions) don't apply to these development dependency files.

Applied to files:

  • backend/compact-connect/lambdas/python/purchases/requirements-dev.txt
📚 Learning: 2025-08-12T19:49:48.235Z
Learnt from: landonshumway-ia
Repo: csg-org/CompactConnect PR: 1001
File: backend/compact-connect/lambdas/python/disaster-recovery/requirements.txt:1-6
Timestamp: 2025-08-12T19:49:48.235Z
Learning: The disaster-recovery Lambda functions in CompactConnect get their aws-lambda-powertools dependency from the shared lambda layer rather than individual requirements.txt files, which is why their requirements.txt files can be empty or header-only.

Applied to files:

  • backend/compact-connect/lambdas/python/purchases/requirements-dev.txt
📚 Learning: 2025-08-21T02:51:28.199Z
Learnt from: landonshumway-ia
Repo: csg-org/CompactConnect PR: 1014
File: backend/compact-connect/lambdas/python/common/requirements.in:4-4
Timestamp: 2025-08-21T02:51:28.199Z
Learning: In CompactConnect, the purchases lambda contains requests as a transitive dependency from the Authorize.net SDK, which is automatically resolved by pip-compile. This should not be manually removed even when requests is also available in the common layer, as it's managed automatically by the dependency resolver.

Applied to files:

  • backend/compact-connect/lambdas/python/purchases/requirements-dev.txt
📚 Learning: 2025-07-21T20:40:56.491Z
Learnt from: landonshumway-ia
Repo: csg-org/CompactConnect PR: 907
File: backend/compact-connect/lambdas/python/common/requirements.txt:7-0
Timestamp: 2025-07-21T20:40:56.491Z
Learning: In CompactConnect, there is only one lambda layer in use for Python lambdas, and this single layer manages the versions of aws-lambda-powertools, boto3, and botocore dependencies. This eliminates concerns about version skew across multiple lambda layers since all Python lambdas share the same dependency management through this single layer.

Applied to files:

  • backend/compact-connect/lambdas/python/purchases/requirements-dev.txt
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: TestApp
🔇 Additional comments (1)
backend/compact-connect/lambdas/python/purchases/requirements-dev.txt (1)

1-8: File appears unrelated to PR objectives.

This dependency file contains routine version bumps and path simplifications, but the PR objectives describe adding search_api_domain_name for frontend configuration and CSP headers. This file update appears to be incidental maintenance rather than directly supporting the stated changes.

Please confirm whether this file was intentionally included or if it was regenerated as part of routine maintenance during development.



@landonshumway-ia landonshumway-ia marked this pull request as ready for review January 12, 2026 17:21
Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (1)
backend/compact-connect-ui-app/lambdas/nodejs/cloudfront-csp/index.js (1)

54-73: Consider updating the JSDoc to document the new searchApi return property.

The implementation correctly adds searchApi to the environment URLs object, following the established pattern. The JSDoc block (lines 56-61) documents several return properties but doesn't include searchApi.

📝 Suggested JSDoc update
 /**
  * Helper to get the fully-qualified domains for connected services.
  * @return {object}               A map of fully-qualified domains for the environment.
  *   @return {string} dataApi       The data API fully-qualified domain.
+ *   @return {string} searchApi     The search API fully-qualified domain.
  *   @return {string} s3UploadUrlState      The S3 fully-qualified domain for uploading state files.
  *   @return {string} s3UploadUrlProvider      The S3 fully-qualified domain for uploading provider files.
  *   @return {string} cognitoStaff  The Cognito fully-qualified domain for authenticating staff users.
+ *   @return {string} cognitoProvider The Cognito fully-qualified domain for authenticating provider users.
  */
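Review bot: The second added line, for cognitoProvider, documents a property that the nitpick text never mentions; the comment only says searchApi is missing from the JSDoc. Confirm that the helper actually returns cognitoProvider before applying the suggestion, and mention the extra line in the comment so it is not applied as a searchApi-only fix.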
📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between cd1318d and 407a5f7.

📒 Files selected for processing (8)
  • backend/common-cdk/common_constructs/frontend_app_config_utility.py
  • backend/compact-connect-ui-app/lambdas/nodejs/cloudfront-csp/index.js
  • backend/compact-connect-ui-app/lambdas/nodejs/cloudfront-csp/test/index.test.js
  • backend/compact-connect-ui-app/lambdas/nodejs/package.json
  • backend/compact-connect-ui-app/stacks/frontend_deployment_stack/deployment.py
  • backend/compact-connect-ui-app/stacks/frontend_deployment_stack/distribution.py
  • backend/compact-connect/stacks/persistent_stack/__init__.py
  • backend/compact-connect/tests/app/test_frontend_app_config.py
🧰 Additional context used
🧠 Learnings (9)
📚 Learning: 2025-08-22T21:20:35.260Z
Learnt from: landonshumway-ia
Repo: csg-org/CompactConnect PR: 1029
File: backend/compact-connect/docs/api-specification/latest-oas30.json:468-471
Timestamp: 2025-08-22T21:20:35.260Z
Learning: The file backend/compact-connect/docs/api-specification/latest-oas30.json is auto-generated by API Gateway and should not be modified inline. Any schema changes would need to be addressed at the source in the CDK/CloudFormation definitions.

Applied to files:

  • backend/compact-connect-ui-app/lambdas/nodejs/cloudfront-csp/index.js
📚 Learning: 2025-12-16T21:43:07.408Z
Learnt from: landonshumway-ia
Repo: csg-org/CompactConnect PR: 1219
File: backend/compact-connect/lambdas/python/search/handlers/search.py:131-140
Timestamp: 2025-12-16T21:43:07.408Z
Learning: In backend/compact-connect/lambdas/python/search/handlers/search.py, avoid logging the full request body. Do not log sensitive content by default. If logging is required for security investigations, redact or mask sensitive fields (e.g., credentials, tokens, PII) and log only safe metadata (method, path, status, user identifier). Use a secure, access-controlled audit log or feature flag to enable such logs, ensuring minimal exposure and compliance with security policies. This guideline targets Python backend handlers handling external requests and should be considered for similar files with request processing.

Applied to files:

  • backend/compact-connect/stacks/persistent_stack/__init__.py
  • backend/compact-connect/tests/app/test_frontend_app_config.py
📚 Learning: 2026-01-05T22:50:09.696Z
Learnt from: landonshumway-ia
Repo: csg-org/CompactConnect PR: 1243
File: backend/compact-connect/tests/smoke/smoke_common.py:503-521
Timestamp: 2026-01-05T22:50:09.696Z
Learning: Enforce the rule: there is only one privilege record per provider per jurisdiction, and do not paginate when querying privilege records by jurisdiction. This applies across the codebase wherever privilege records are queried or tested (implementation and tests). Note that privilege update records can have multiple rows and require pagination. Implement checks and queries to assume a unique constraint for (provider, jurisdiction) on privilege records, and ensure any list endpoints or test smoke checks reflect no pagination for jurisdiction-based privilege queries while preserving pagination for privilege updates.

Applied to files:

  • backend/compact-connect/stacks/persistent_stack/__init__.py
  • backend/compact-connect/tests/app/test_frontend_app_config.py
📚 Learning: 2025-12-01T17:57:35.454Z
Learnt from: landonshumway-ia
Repo: csg-org/CompactConnect PR: 1219
File: backend/compact-connect/tests/app/test_search_persistent_stack.py:104-130
Timestamp: 2025-12-01T17:57:35.454Z
Learning: In backend/compact-connect/tests/app/test_search_persistent_stack.py, the OpenSearch Domain's EncryptionAtRestOptions.KmsKeyId assertion correctly uses {"Ref": encryption_key_logical_id} format. This pattern has been validated to work with CDK's opensearchservice.Domain construct.

Applied to files:

  • backend/compact-connect-ui-app/lambdas/nodejs/cloudfront-csp/test/index.test.js
  • backend/compact-connect-ui-app/stacks/frontend_deployment_stack/distribution.py
📚 Learning: 2025-10-10T05:26:06.933Z
Learnt from: jusdino
Repo: csg-org/CompactConnect PR: 1143
File: backend/compact-connect/common_constructs/python_common_layer_versions.py:64-69
Timestamp: 2025-10-10T05:26:06.933Z
Learning: In CompactConnect, each environment (sandbox, test, beta, prod, etc.) is deployed to a separate AWS account, so SSM parameter names and other account-scoped resources don't collide across environments.

Applied to files:

  • backend/compact-connect-ui-app/lambdas/nodejs/cloudfront-csp/test/index.test.js
📚 Learning: 2025-09-11T14:24:22.210Z
Learnt from: landonshumway-ia
Repo: csg-org/CompactConnect PR: 1075
File: backend/compact-connect/lambdas/nodejs/lib/email/environment-banner-service.ts:0-0
Timestamp: 2025-09-11T14:24:22.210Z
Learning: In the CompactConnect codebase, there is explicitly only one production environment named 'prod' for the ENVIRONMENT_NAME environment variable.

Applied to files:

  • backend/compact-connect-ui-app/lambdas/nodejs/cloudfront-csp/test/index.test.js
📚 Learning: 2025-10-10T18:45:43.801Z
Learnt from: jsandoval81
Repo: csg-org/CompactConnect PR: 1114
File: backend/compact-connect-ui-app/stacks/frontend_deployment_stack/deployment.py:34-35
Timestamp: 2025-10-10T18:45:43.801Z
Learning: In backend/compact-connect-ui-app/stacks/frontend_deployment_stack/deployment.py, the cdk.context.deploy-example.json file is intentionally minimal and serves as a template, not for actual deployments. Actual deployment environments (test, beta, prod, sandbox) contain all required environment-specific keys like statsig_key, app_env, recaptcha_public_key, and robots_meta. This is by design.

Applied to files:

  • backend/compact-connect-ui-app/stacks/frontend_deployment_stack/deployment.py
  • backend/compact-connect-ui-app/stacks/frontend_deployment_stack/distribution.py
📚 Learning: 2025-12-01T23:28:17.728Z
Learnt from: landonshumway-ia
Repo: csg-org/CompactConnect PR: 1219
File: backend/compact-connect/pipeline/backend_stage.py:44-52
Timestamp: 2025-12-01T23:28:17.728Z
Learning: In backend/compact-connect/pipeline/backend_stage.py, the VpcStack is intentionally created for all environments (including prod and beta) even though SearchPersistentStack and SearchApiStack are temporarily only deployed to non-prod/non-beta environments. This pre-provisioning strategy supports a phased rollout—the search stacks will eventually be released to prod and beta.

Applied to files:

  • backend/compact-connect-ui-app/stacks/frontend_deployment_stack/deployment.py
  • backend/compact-connect-ui-app/stacks/frontend_deployment_stack/distribution.py
📚 Learning: 2025-11-21T18:33:18.590Z
Learnt from: landonshumway-ia
Repo: csg-org/CompactConnect PR: 1219
File: backend/compact-connect/stacks/vpc_stack/__init__.py:95-133
Timestamp: 2025-11-21T18:33:18.590Z
Learning: CompactConnect: In backend/compact-connect/stacks/vpc_stack/__init__.py, do not add an S3 Gateway VPC endpoint by default for the OpenSearch VPC stack. S3 access is not required at this time; add the endpoint only if OpenSearch snapshots to S3 or Lambda runtime S3 access are introduced.

Applied to files:

  • backend/compact-connect-ui-app/stacks/frontend_deployment_stack/distribution.py
🧬 Code graph analysis (6)
backend/compact-connect-ui-app/lambdas/nodejs/cloudfront-csp/index.js (1)
backend/compact-connect-ui-app/lambdas/nodejs/cloudfront-csp/test/index.test.js (1)
  • environmentValues (20-28)
backend/compact-connect/stacks/persistent_stack/__init__.py (2)
backend/common-cdk/common_constructs/frontend_app_config_utility.py (4)
  • set_domain_names (44-54)
  • ui_domain_name (224-226)
  • api_domain_name (229-231)
  • search_api_domain_name (234-236)
backend/common-cdk/common_constructs/stack.py (3)
  • ui_domain_name (132-135)
  • api_domain_name (114-117)
  • search_api_domain_name (126-129)
backend/compact-connect-ui-app/lambdas/nodejs/cloudfront-csp/test/index.test.js (1)
backend/compact-connect-ui-app/lambdas/nodejs/cloudfront-csp/index.js (1)
  • environmentValues (19-27)
backend/compact-connect-ui-app/stacks/frontend_deployment_stack/deployment.py (1)
backend/common-cdk/common_constructs/frontend_app_config_utility.py (1)
  • search_api_domain_name (234-236)
backend/compact-connect-ui-app/stacks/frontend_deployment_stack/distribution.py (2)
backend/common-cdk/common_constructs/frontend_app_config_utility.py (1)
  • search_api_domain_name (234-236)
backend/common-cdk/common_constructs/stack.py (1)
  • search_api_domain_name (126-129)
backend/compact-connect/tests/app/test_frontend_app_config.py (1)
backend/common-cdk/common_constructs/frontend_app_config_utility.py (4)
  • set_domain_names (44-54)
  • ui_domain_name (224-226)
  • api_domain_name (229-231)
  • search_api_domain_name (234-236)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: TestApp
🔇 Additional comments (15)
backend/compact-connect-ui-app/lambdas/nodejs/package.json (1)

12-12: LGTM - Audit script correctly filters vulnerability severity.

The exit code logic properly uses yarn audit's bitmask: exits 1 for moderate+ (≥4), exits 0 for info/low. The /bin/bash -c wrapper is necessary for the [[ ]] syntax.

backend/common-cdk/common_constructs/frontend_app_config_utility.py (3)

233-236: LGTM - Property accessor follows established pattern.

The new search_api_domain_name property is consistent with existing domain accessors like api_domain_name and ui_domain_name.


205-205: LGTM - Dummy value added for testing.

The test domain value follows the established naming convention.


44-54: All callers of set_domain_names have been updated with the new search_api_domain_name parameter. No breaking changes detected.

backend/compact-connect-ui-app/stacks/frontend_deployment_stack/deployment.py (1)

65-65: LGTM - Search API root now uses explicit domain configuration.

The change from deriving the search domain as a subdomain (search.{api_domain}) to using an explicitly configured search_api_domain_name provides more flexibility and aligns with the PR objective.

backend/compact-connect-ui-app/stacks/frontend_deployment_stack/distribution.py (1)

60-60: LGTM - CSP placeholder replacement added for search API.

The new ##SEARCH_API## replacement follows the established pattern. Based on the relevant code snippet from cloudfront-csp/index.js (lines 18-26), the placeholder ##SEARCH_API## is correctly defined in the template's environmentValues.searchApi.

backend/compact-connect-ui-app/lambdas/nodejs/cloudfront-csp/test/index.test.js (4)

20-28: LGTM - Test environment values properly include search API.

The test configuration mirrors the production placeholder structure with searchApi: 'search.compactconnect.org'.


47-55: LGTM - Test replacement map updated consistently.

The placeholder replacement map correctly mirrors the CDK build-time replacements from distribution.py.


72-79: LGTM - Search API URL correctly extracted for CSP generation.

The searchApiUrl extraction follows the same pattern as other domain URLs in the CSP builder.


153-175: LGTM - Search API domain added to CSP connect-src.

Adding searchApiUrl to the cspConnectSrc directive is essential for allowing the frontend to make requests to the search API endpoint.

backend/compact-connect/stacks/persistent_stack/__init__.py (1)

494-498: LGTM!

The addition of search_api_domain_name to the set_domain_names call correctly follows the existing pattern for ui_domain_name and api_domain_name. The value is sourced from the inherited search_api_domain_name property in AppStack.

backend/compact-connect/tests/app/test_frontend_app_config.py (2)

22-42: LGTM!

The test correctly validates that set_domain_names accepts the new search_api_domain_name parameter and that the value is properly included in the JSON configuration output.


47-64: LGTM!

The test correctly validates that PersistentStackFrontendAppConfigValues can deserialize the search_api_domain_name from JSON and that the getter returns the expected value.

backend/compact-connect-ui-app/lambdas/nodejs/cloudfront-csp/index.js (2)

19-27: LGTM!

The searchApi placeholder follows the established pattern for environment value injection. The ##SEARCH_API## placeholder will be replaced at build time with the actual search API domain.


239-261: LGTM!

The domains.searchApi is correctly added to the connect-src CSP directive, which is the appropriate directive for allowing XHR/fetch calls to the search API. The placement alongside domains.dataApi is logical.
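The build-time flow this review describes (##SEARCH_API## replaced when the CSP Lambda zip is generated, then domains.searchApi added to connect-src), as an added example that is not the project's cloudfront-csp code: it refuses to emit the directive when a placeholder was left unreplaced or a configured value is not a bare hostname. The ##DATA_API## token, the api.compactconnect.org value and all function names are assumptions made for illustration.

```javascript
// Added example; not the project's cloudfront-csp/index.js.

// Build-time template. The deployment step rewrites each ##NAME## token before
// the Lambda is zipped. Only ##SEARCH_API## appears on this page; ##DATA_API##
// is an assumed token name.
const TEMPLATE_VALUES = {
    dataApi: '##DATA_API##',
    searchApi: '##SEARCH_API##',
};

// Constructed sample replacement map (stands in for values read from config).
const SAMPLE_REPLACEMENTS = {
    '##DATA_API##': 'api.compactconnect.org',
    '##SEARCH_API##': 'search.compactconnect.org',
};

// Any leftover ##TOKEN## means the build step missed a mapping.
const PLACEHOLDER = /##[A-Z0-9_]+##/;

// Bare DNS hostname only: no scheme, path, port, wildcard, whitespace or ';'.
// Keeping separators out matters because the value is concatenated into a header.
const HOSTNAME = /^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i;

/**
 * Simulate the build-time substitution: replace every known token and leave
 * unknown tokens in place so that validation can report them.
 */
function applyReplacements(values, replacements) {
    const out = {};
    for (const [key, value] of Object.entries(values)) {
        out[key] = value.replace(/##[A-Z0-9_]+##/g, (token) => (
            Object.prototype.hasOwnProperty.call(replacements, token)
                ? replacements[token]
                : token
        ));
    }
    return out;
}

/**
 * Return a list of human-readable problems; an empty list means every value
 * is safe to place in a CSP source list.
 */
function validateDomains(domains) {
    const problems = [];
    for (const [key, value] of Object.entries(domains)) {
        if (PLACEHOLDER.test(value)) {
            problems.push(`${key}: unreplaced placeholder ${value}`);
        } else if (!HOSTNAME.test(value)) {
            problems.push(`${key}: not a bare hostname: ${JSON.stringify(value)}`);
        }
    }
    return problems;
}

/**
 * Build the connect-src directive, failing closed on any invalid value rather
 * than shipping a header the browser would silently misinterpret.
 */
function buildConnectSrc(domains) {
    const problems = validateDomains(domains);
    if (problems.length > 0) {
        throw new Error(`refusing to emit CSP: ${problems.join('; ')}`);
    }
    const sources = ["'self'", ...Object.values(domains).map((d) => `https://${d}`)];
    return `connect-src ${[...new Set(sources)].join(' ')}`;
}

console.log(buildConnectSrc(applyReplacements(TEMPLATE_VALUES, SAMPLE_REPLACEMENTS)));
```

Running the same validation in a unit test or at synth time catches a missing replacement before deployment; an unreplaced token in connect-src would otherwise only surface as blocked search requests in the browser.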

@landonshumway-ia landonshumway-ia changed the title Add placeholder for new CSP header for search api Add parameter search api domain for frontend env vars and CSP header Jan 12, 2026
@landonshumway-ia landonshumway-ia changed the title Add parameter search api domain for frontend env vars and CSP header Add search api domain parameter for frontend env vars and CSP header Jan 12, 2026
Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (5)
backend/compact-connect/lambdas/python/staff-user-pre-token/requirements-dev.txt (1)

7-67: Consider separating dependency updates from feature changes.

The requirements-dev.txt updates result from bumping moto in requirements-dev.in. While dependency updates to test infrastructure are valid, bundling them with other feature work can complicate rollbacks. If these updates aren't essential to the PR's primary objective, moving the requirements-dev.in change to a separate maintenance PR would improve change clarity.

All verified package versions exist on PyPI and are current as of January 2026.

backend/compact-connect/lambdas/python/cognito-backup/requirements.txt (1)

1-30: Inconsistency: File changes unrelated to PR objectives.

The PR objectives state this PR adds "a new domain as a config value in the SSM parameter used by the frontend CDK app" and configures CSP headers for the search API. However, this file only contains backend Lambda dependency version bumps with no connection to CSP headers or frontend configuration.

The AI summary mentions changes to:

  • frontend/app config: search_api_domain_name
  • UI CSP and environment wiring
  • Deployment stacks
  • Tests and snapshots

None of these changes appear in the files provided for review. Either critical files are missing from this review, or these dependency updates were inadvertently included in the wrong PR.

backend/compact-connect/requirements-dev.txt (1)

1-108: Clarify the relationship between dependency updates and PR objectives.

This file contains only development dependency version updates, which appear unrelated to the PR's stated objective of adding a CSP header placeholder for the search API. The commit message "update requirements to latest" suggests this may be bundled maintenance work.

Consider separating unrelated dependency updates into a dedicated PR to maintain clear scope and simplify review.

backend/compact-connect/requirements.txt (1)

11-36: Test aws-cdk-aws-lambda-python-alpha for known compatibility issues before merging.

The stable CDK library (aws-cdk-lib 2.234.1) and jsii (1.125.0) updates are patched and have no breaking changes. However, aws-cdk-aws-lambda-python-alpha 2.234.1a0 has reported compatibility issues that require testing:

  • Poetry 2.0 export removal breaks bundling (may need poetry-plugin-export or custom build image)
  • NumPy 2.3.0+ compatibility issues with Python 3.11 in the bundler
  • Lambda runtime/platform mismatches and inconsistent bundling options (especially for ARM64)

Verify that your Lambda build/bundling workflow works with this alpha version, particularly if using NumPy or Python 3.11.

backend/compact-connect/lambdas/python/compact-configuration/requirements-dev.txt (1)

7-67: Update boto3 to available version 1.42.24.

boto3==1.42.25 does not exist on PyPI; the latest available version is 1.42.24 (released Jan 7, 2026). This will cause installation failures. While botocore and related type-stub packages have 1.42.25 releases, boto3 has not yet published that version. Update the pinned version to boto3==1.42.24 or re-run pip-compile to resolve the constraint correctly.

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 85e00f8 and dde0c98.

📒 Files selected for processing (15)
  • backend/compact-connect/lambdas/python/cognito-backup/requirements-dev.txt
  • backend/compact-connect/lambdas/python/cognito-backup/requirements.txt
  • backend/compact-connect/lambdas/python/common/requirements-dev.txt
  • backend/compact-connect/lambdas/python/common/requirements.txt
  • backend/compact-connect/lambdas/python/compact-configuration/requirements-dev.txt
  • backend/compact-connect/lambdas/python/custom-resources/requirements-dev.txt
  • backend/compact-connect/lambdas/python/data-events/requirements-dev.txt
  • backend/compact-connect/lambdas/python/disaster-recovery/requirements-dev.txt
  • backend/compact-connect/lambdas/python/provider-data-v1/requirements-dev.txt
  • backend/compact-connect/lambdas/python/search/requirements-dev.txt
  • backend/compact-connect/lambdas/python/search/requirements.txt
  • backend/compact-connect/lambdas/python/staff-user-pre-token/requirements-dev.txt
  • backend/compact-connect/lambdas/python/staff-users/requirements-dev.txt
  • backend/compact-connect/requirements-dev.txt
  • backend/compact-connect/requirements.txt
🧰 Additional context used
🧠 Learnings (8)
📚 Learning: 2025-07-22T03:36:17.137Z
Learnt from: landonshumway-ia
Repo: csg-org/CompactConnect PR: 907
File: backend/compact-connect/lambdas/python/purchases/requirements-dev.txt:15-0
Timestamp: 2025-07-22T03:36:17.137Z
Learning: In CompactConnect, requirements-dev.txt files for Lambda functions are used exclusively for running tests and development, not for actual Lambda runtime environments. Concerns about runtime compatibility (like OpenSSL versions) don't apply to these development dependency files.

Applied to files:

  • backend/compact-connect/lambdas/python/staff-user-pre-token/requirements-dev.txt
  • backend/compact-connect/lambdas/python/common/requirements.txt
  • backend/compact-connect/lambdas/python/cognito-backup/requirements.txt
  • backend/compact-connect/lambdas/python/provider-data-v1/requirements-dev.txt
  • backend/compact-connect/lambdas/python/custom-resources/requirements-dev.txt
  • backend/compact-connect/lambdas/python/compact-configuration/requirements-dev.txt
  • backend/compact-connect/lambdas/python/search/requirements.txt
  • backend/compact-connect/lambdas/python/common/requirements-dev.txt
  • backend/compact-connect/lambdas/python/data-events/requirements-dev.txt
  • backend/compact-connect/requirements.txt
  • backend/compact-connect/lambdas/python/staff-users/requirements-dev.txt
  • backend/compact-connect/lambdas/python/cognito-backup/requirements-dev.txt
  • backend/compact-connect/lambdas/python/search/requirements-dev.txt
  • backend/compact-connect/lambdas/python/disaster-recovery/requirements-dev.txt
  • backend/compact-connect/requirements-dev.txt
📚 Learning: 2025-08-12T19:49:24.999Z
Learnt from: landonshumway-ia
Repo: csg-org/CompactConnect PR: 1001
File: backend/compact-connect/lambdas/python/disaster-recovery/requirements.in:1-1
Timestamp: 2025-08-12T19:49:24.999Z
Learning: In CompactConnect disaster-recovery Lambda functions, runtime dependencies like boto3, aws-lambda-powertools, and botocore are provided by lambda layers at deploy time rather than being specified in requirements.in files. The requirements.in file intentionally contains only a comment explaining this approach.

Applied to files:

  • backend/compact-connect/lambdas/python/staff-user-pre-token/requirements-dev.txt
  • backend/compact-connect/lambdas/python/common/requirements.txt
  • backend/compact-connect/lambdas/python/cognito-backup/requirements.txt
  • backend/compact-connect/lambdas/python/provider-data-v1/requirements-dev.txt
  • backend/compact-connect/lambdas/python/custom-resources/requirements-dev.txt
  • backend/compact-connect/lambdas/python/compact-configuration/requirements-dev.txt
  • backend/compact-connect/lambdas/python/common/requirements-dev.txt
  • backend/compact-connect/lambdas/python/data-events/requirements-dev.txt
  • backend/compact-connect/requirements.txt
  • backend/compact-connect/lambdas/python/staff-users/requirements-dev.txt
  • backend/compact-connect/lambdas/python/cognito-backup/requirements-dev.txt
  • backend/compact-connect/lambdas/python/search/requirements-dev.txt
  • backend/compact-connect/lambdas/python/disaster-recovery/requirements-dev.txt
📚 Learning: 2025-07-22T03:52:25.934Z
Learnt from: landonshumway-ia
Repo: csg-org/CompactConnect PR: 907
File: backend/compact-connect/lambdas/python/provider-data-v1/requirements.txt:2-2
Timestamp: 2025-07-22T03:52:25.934Z
Learning: In CompactConnect, the Python version used by pip-compile to generate requirements.txt files (shown in the header comment) is separate from the actual Lambda runtime environment. Dependencies are installed by a Python 3.12 container during the CI/CD pipeline, ensuring runtime compatibility regardless of the Python version used for pip-compile dependency resolution.

Applied to files:

  • backend/compact-connect/lambdas/python/staff-user-pre-token/requirements-dev.txt
  • backend/compact-connect/lambdas/python/common/requirements.txt
  • backend/compact-connect/lambdas/python/cognito-backup/requirements.txt
  • backend/compact-connect/lambdas/python/provider-data-v1/requirements-dev.txt
  • backend/compact-connect/lambdas/python/custom-resources/requirements-dev.txt
  • backend/compact-connect/lambdas/python/compact-configuration/requirements-dev.txt
  • backend/compact-connect/lambdas/python/search/requirements.txt
  • backend/compact-connect/lambdas/python/common/requirements-dev.txt
  • backend/compact-connect/lambdas/python/data-events/requirements-dev.txt
  • backend/compact-connect/requirements.txt
  • backend/compact-connect/lambdas/python/staff-users/requirements-dev.txt
  • backend/compact-connect/lambdas/python/cognito-backup/requirements-dev.txt
  • backend/compact-connect/lambdas/python/search/requirements-dev.txt
  • backend/compact-connect/lambdas/python/disaster-recovery/requirements-dev.txt
  • backend/compact-connect/requirements-dev.txt
📚 Learning: 2025-08-12T19:49:48.235Z
Learnt from: landonshumway-ia
Repo: csg-org/CompactConnect PR: 1001
File: backend/compact-connect/lambdas/python/disaster-recovery/requirements.txt:1-6
Timestamp: 2025-08-12T19:49:48.235Z
Learning: The disaster-recovery Lambda functions in CompactConnect get their aws-lambda-powertools dependency from the shared lambda layer rather than individual requirements.txt files, which is why their requirements.txt files can be empty or header-only.

Applied to files:

  • backend/compact-connect/lambdas/python/staff-user-pre-token/requirements-dev.txt
  • backend/compact-connect/lambdas/python/common/requirements.txt
  • backend/compact-connect/lambdas/python/cognito-backup/requirements.txt
  • backend/compact-connect/lambdas/python/provider-data-v1/requirements-dev.txt
  • backend/compact-connect/lambdas/python/custom-resources/requirements-dev.txt
  • backend/compact-connect/lambdas/python/compact-configuration/requirements-dev.txt
  • backend/compact-connect/lambdas/python/common/requirements-dev.txt
  • backend/compact-connect/lambdas/python/data-events/requirements-dev.txt
  • backend/compact-connect/requirements.txt
  • backend/compact-connect/lambdas/python/staff-users/requirements-dev.txt
  • backend/compact-connect/lambdas/python/cognito-backup/requirements-dev.txt
  • backend/compact-connect/lambdas/python/search/requirements-dev.txt
  • backend/compact-connect/lambdas/python/disaster-recovery/requirements-dev.txt
📚 Learning: 2025-07-21T20:40:56.491Z
Learnt from: landonshumway-ia
Repo: csg-org/CompactConnect PR: 907
File: backend/compact-connect/lambdas/python/common/requirements.txt:7-0
Timestamp: 2025-07-21T20:40:56.491Z
Learning: In CompactConnect, there is only one lambda layer in use for Python lambdas, and this single layer manages the versions of aws-lambda-powertools, boto3, and botocore dependencies. This eliminates concerns about version skew across multiple lambda layers since all Python lambdas share the same dependency management through this single layer.

Applied to files:

  • backend/compact-connect/lambdas/python/staff-user-pre-token/requirements-dev.txt
  • backend/compact-connect/lambdas/python/common/requirements.txt
  • backend/compact-connect/lambdas/python/cognito-backup/requirements.txt
  • backend/compact-connect/lambdas/python/provider-data-v1/requirements-dev.txt
  • backend/compact-connect/lambdas/python/custom-resources/requirements-dev.txt
  • backend/compact-connect/lambdas/python/compact-configuration/requirements-dev.txt
  • backend/compact-connect/lambdas/python/common/requirements-dev.txt
  • backend/compact-connect/lambdas/python/data-events/requirements-dev.txt
  • backend/compact-connect/requirements.txt
  • backend/compact-connect/lambdas/python/staff-users/requirements-dev.txt
  • backend/compact-connect/lambdas/python/cognito-backup/requirements-dev.txt
  • backend/compact-connect/lambdas/python/search/requirements-dev.txt
  • backend/compact-connect/lambdas/python/disaster-recovery/requirements-dev.txt
📚 Learning: 2025-08-22T21:20:35.260Z
Learnt from: landonshumway-ia
Repo: csg-org/CompactConnect PR: 1029
File: backend/compact-connect/docs/api-specification/latest-oas30.json:468-471
Timestamp: 2025-08-22T21:20:35.260Z
Learning: The file backend/compact-connect/docs/api-specification/latest-oas30.json is auto-generated by API Gateway and should not be modified inline. Any schema changes would need to be addressed at the source in the CDK/CloudFormation definitions.

Applied to files:

  • backend/compact-connect/lambdas/python/cognito-backup/requirements.txt
  • backend/compact-connect/lambdas/python/custom-resources/requirements-dev.txt
  • backend/compact-connect/lambdas/python/compact-configuration/requirements-dev.txt
  • backend/compact-connect/requirements.txt
  • backend/compact-connect/lambdas/python/cognito-backup/requirements-dev.txt
📚 Learning: 2025-12-11T17:30:43.367Z
Learnt from: landonshumway-ia
Repo: csg-org/CompactConnect PR: 1219
File: backend/compact-connect/lambdas/python/search/handlers/provider_update_ingest.py:15-20
Timestamp: 2025-12-11T17:30:43.367Z
Learning: In the CompactConnect project, Lambda functions use AWS CDK's PythonFunction construct for bundling. The bundling process handles module resolution such that handlers in backend/compact-connect/lambdas/python/search/handlers/ can use bare imports (e.g., `from opensearch_client import OpenSearchClient`) to reference modules at the parent search level, even without an __init__.py file in the search directory. The imports work correctly at runtime despite static analysis concerns.

Applied to files:

  • backend/compact-connect/requirements.txt
📚 Learning: 2025-08-21T02:51:28.199Z
Learnt from: landonshumway-ia
Repo: csg-org/CompactConnect PR: 1014
File: backend/compact-connect/lambdas/python/common/requirements.in:4-4
Timestamp: 2025-08-21T02:51:28.199Z
Learning: In CompactConnect, the purchases lambda contains requests as a transitive dependency from the Authorize.net SDK, which is automatically resolved by pip-compile. This should not be manually removed even when requests is also available in the common layer, as it's managed automatically by the dependency resolver.

Applied to files:

  • backend/compact-connect/requirements.txt
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: TestApp
  • GitHub Check: TestApp
🔇 Additional comments (19)
backend/compact-connect/lambdas/python/search/requirements.txt (2)

1-36: Inconsistency between PR objectives and file changes.

The PR title and description focus on adding a placeholder for CSP headers to support the search API domain configuration. However, this file only contains Python dependency version updates (certifi, protobuf, urllib3) with no apparent connection to CSP or frontend configuration.

Please clarify:

  • Are these dependency updates intentionally part of this PR, or were they included by mistake?
  • Should this be a separate PR focused solely on dependency updates?

7-7: All package versions are valid and current on PyPI. No issues identified.

  • certifi==2026.1.4 ✓ (latest version)
  • protobuf==6.33.3 ✓ (latest version)
  • urllib3==2.6.3 ✓ (latest version)
backend/compact-connect/lambdas/python/custom-resources/requirements-dev.txt (1)

7-70: Remove the version verification concern; all library versions are valid.

The updated packages (boto3, botocore, certifi, moto, urllib3, werkzeug) have all been verified to exist on PyPI with valid releases from late December 2025 through January 2026. Note that certifi==2026.1.4 uses standard date-based versioning (2026.01.04 format), not a future-dated version.

Regarding the scope inconsistency: This file contains routine development dependency maintenance, which is common to bundle with feature PRs. If these updates should be isolated, they can be split into a separate PR; otherwise, updating the PR description to reflect the broader scope would clarify the intent.

backend/compact-connect/lambdas/python/cognito-backup/requirements.txt (1)

7-11: No action required. The dependency versions in cognito-backup requirements.txt are correctly pinned and already consistent with the rest of the codebase (e.g., common requirements.txt specifies identical versions). No separate lambda layer exists in the code that requires synchronization.

Likely an incorrect or invalid review comment.

backend/compact-connect/lambdas/python/data-events/requirements-dev.txt (2)

7-67: Verify that this file should be included in this PR.

The PR objectives describe adding a CSP header placeholder for the search API domain, involving frontend configuration and CloudFront CSP changes. However, this file contains dependency updates for the data-events Lambda's development requirements, which appears unrelated to the stated PR purpose.

Please confirm whether these dependency updates should be in a separate PR or if there's a relationship to the search API CSP configuration that isn't documented.


7-67: No security issues identified; urllib3 and werkzeug updates fix known vulnerabilities.

  • boto3 1.42.25: No known vulnerabilities
  • botocore 1.42.25: No known vulnerabilities
  • certifi 2026.1.4: No known vulnerabilities
  • moto 5.1.19: No known vulnerabilities
  • urllib3 2.6.3: Fixes CVE-2026-21441 (decompression-bomb DoS vulnerability)
  • werkzeug 3.1.5: Fixes CVE-2026-21860 (Windows path-traversal with device names)

The dependency updates are secure and include security fixes.

backend/compact-connect/requirements-dev.txt (1)

9-101: All package versions verified as valid and current.

The dependency updates reference legitimate package versions on PyPI with no known security vulnerabilities. All specified versions (including security-sensitive packages certifi 2026.1.4 and urllib3 2.6.3) are the latest available releases with appropriate timestamps and clean metadata.

backend/compact-connect/lambdas/python/search/requirements-dev.txt (2)

1-67: Inconsistency: File changes don't match PR objectives.

The PR objectives describe adding CSP header configuration for the search API domain, but this file only contains routine dependency version updates with no relation to CSP headers or domain configuration. This suggests either:

  • This file was included in the PR by mistake, or
  • Unrelated dependency updates were bundled with the CSP changes

Consider separating dependency updates into a distinct PR to maintain clear, focused change sets.


7-65: All dependency versions are valid. Certifi uses a date-based versioning scheme; version 2026.1.4 (released January 4, 2026) is current and legitimate. Boto3 1.42.25, botocore 1.42.25 (both released January 9, 2026), and urllib3 2.6.3 are all confirmed on PyPI. No known security vulnerabilities were identified in these packages.

Likely an incorrect or invalid review comment.

backend/compact-connect/lambdas/python/common/requirements.txt (2)

1-55: PR description inconsistency with file changes.

The PR description focuses on adding CSP header configuration for the search API domain, but this file only contains dependency version updates. While the AI summary indicates that CSP-related changes exist in other files (frontend config, CloudFront CSP Lambda, etc.), these requirements updates appear unrelated to the stated PR objective.


11-52: All dependency versions (boto3 1.42.25, botocore 1.42.25, aws-lambda-powertools 3.24.0, certifi 2026.1.4, urllib3 2.6.3, marshmallow 3.26.2, and others) are valid and exist on PyPI. No known security vulnerabilities were found. urllib3 2.6.3 and certifi 2026.1.4 actually include security fixes for earlier CVEs. Versions are safe for use.

backend/compact-connect/lambdas/python/common/requirements-dev.txt (2)

1-184: PR description inconsistency with file changes.

Similar to requirements.txt, this file contains only development dependency version updates, which are unrelated to the PR's stated objective of adding CSP header configuration for the search API domain.


15-178: Development dependencies are current and security-patched.

All verified package versions exist on PyPI and have no critical unpatched vulnerabilities:

  • boto3/botocore 1.42.25: No known security issues
  • moto 5.1.19: No CVEs reported
  • cfn-lint 1.41.0: No known vulnerabilities
  • pydantic 2.12.4: No critical issues (earlier CVE-2024-3772 fixed in 2.4.0+)
  • werkzeug 3.1.5: Patched version fixing CVE-2026-21860 (Windows path traversal) and CVE-2025-66221
  • urllib3 2.6.3: Patched version fixing CVE-2026-21441 (decompression-bomb vulnerability)
  • certifi 2026.1.4: Valid release (January 4, 2026)
backend/compact-connect/requirements.txt (1)

1-74: The file changes don't match the PR objectives.

The PR description states this change adds "a placeholder for new CSP header for search api" and should propagate search_api_domain_name through frontend config and CSP headers. However, this file only contains CDK dependency version bumps and has no relationship to CSP configuration, search API domains, or frontend settings.

This suggests either:

  1. The actual CSP/configuration changes are in other files not included in this review
  2. These dependency updates are unrelated changes bundled into the same PR

Please confirm whether there are additional files that implement the CSP header functionality described in the PR objectives.

backend/compact-connect/lambdas/python/disaster-recovery/requirements-dev.txt (1)

7-68: This file update is consistent with the PR objective. The git commit message "update requirements to latest" indicates this PR's purpose is to update all requirements files across the codebase to their latest versions. The disaster-recovery Lambda's requirements-dev.txt file is appropriately part of this scope and does not represent unrelated changes.

Likely an incorrect or invalid review comment.

backend/compact-connect/lambdas/python/cognito-backup/requirements-dev.txt (1)

7-86: Clarify PR scope: dependency updates appear bundled with CSP header changes.

The cognito-backup dev requirements file contains only routine dependency version updates unrelated to the CSP header configuration for the search API. Either split these into separate commits or explain why they're bundled together in this PR.

backend/compact-connect/lambdas/python/provider-data-v1/requirements-dev.txt (2)

1-74: PR description does not match file changes.

The PR description states this change adds a CSP header placeholder for the search API domain in frontend configuration. However, this file contains only backend Lambda dev dependency version updates with no relation to CSP headers or frontend config.

Please verify whether these dependency updates were intentionally bundled with the CSP changes or if the PR description needs updating.


7-71: No action needed. All dependency versions have been verified as legitimate releases on PyPI. urllib3 2.6.3 and werkzeug 3.1.5 include security fixes (CVE-2026-21441 and CVE-2026-21860 respectively), and no known security issues exist for the other packages. Since this is a dev-only file, these updates have no impact on the Lambda runtime.

backend/compact-connect/lambdas/python/compact-configuration/requirements-dev.txt (1)

7-67: Dependency updates unrelated to PR objectives.

The PR objectives describe adding CSP header configuration for a search API domain, but this file only contains dependency version bumps for a backend Lambda's development requirements. These changes appear to be incidental maintenance rather than related to the stated PR goals.

Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
backend/compact-connect/lambdas/nodejs/package.json (1)

12-12: Potential portability issue with bash-specific syntax.

The script uses /bin/bash and the bash-specific [[ ]] test syntax, which will fail on Windows or environments where bash isn't at that path. If cross-platform support is needed, consider using POSIX-compatible syntax or a cross-platform approach.

Additionally, this change appears unrelated to the PR's objective of adding the search API domain parameter. Consider splitting it into a separate PR for cleaner history and easier review.

♻️ POSIX-compatible alternative (if portability matters)
-    "audit:dependencies": "/bin/bash -c 'yarn audit --groups dependencies --level moderate; [[ $? -ge 4 ]] && exit 1 || exit 0'"
+    "audit:dependencies": "sh -c 'yarn audit --groups dependencies --level moderate; ret=$?; [ $ret -ge 4 ] && exit 1 || exit 0'"
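Review bot: The `+` line still shells out through `sh -c`, so it removes the hard-coded `/bin/bash` path and the `[[ ]]` bashism but does not address the Windows case raised in the comment above; if that platform matters, the threshold check needs to live in something the package manager can run everywhere, such as a small Node script. Within the shell version, quote the variable (`[ "$ret" -ge 4 ]`) so an empty or unexpected status cannot turn into a test syntax error, and prefer an explicit `if`/`else` over the `&& exit 1 || exit 0` chain so the intent is readable. Both the `-` and `+` lines map every exit status below 4 to success, which hides any non-audit failure that returns a low status; that behaviour should be stated where the script is documented.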
📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 03b0e5f and e17644f.

📒 Files selected for processing (14)
  • backend/common-cdk/common_constructs/base_pipeline_stack.py
  • backend/compact-connect-ui-app/tests/resources/snapshots/BetaFrontend-FrontendDeploymentStack-UI_DISTRIBUTION.json
  • backend/compact-connect-ui-app/tests/resources/snapshots/BetaFrontend-FrontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json
  • backend/compact-connect-ui-app/tests/resources/snapshots/ProdFrontend-FrontendDeploymentStack-UI_DISTRIBUTION.json
  • backend/compact-connect-ui-app/tests/resources/snapshots/ProdFrontend-FrontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json
  • backend/compact-connect-ui-app/tests/resources/snapshots/SandboxUI-FrontendDeploymentStack-UI_DISTRIBUTION.json
  • backend/compact-connect-ui-app/tests/resources/snapshots/SandboxUI-FrontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json
  • backend/compact-connect-ui-app/tests/resources/snapshots/TestFrontend-FrontendDeploymentStack-UI_DISTRIBUTION.json
  • backend/compact-connect-ui-app/tests/resources/snapshots/TestFrontend-FrontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json
  • backend/compact-connect/lambdas/nodejs/package.json
  • backend/compact-connect/lambdas/python/purchases/requirements-dev.in
  • backend/compact-connect/lambdas/python/purchases/requirements-dev.txt
  • backend/compact-connect/lambdas/python/purchases/requirements.in
  • backend/compact-connect/lambdas/python/purchases/requirements.txt
🚧 Files skipped from review as they are similar to previous changes (3)
  • backend/compact-connect-ui-app/tests/resources/snapshots/TestFrontend-FrontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json
  • backend/compact-connect-ui-app/tests/resources/snapshots/BetaFrontend-FrontendDeploymentStack-UI_DISTRIBUTION.json
  • backend/compact-connect-ui-app/tests/resources/snapshots/TestFrontend-FrontendDeploymentStack-UI_DISTRIBUTION.json
🧰 Additional context used
🧠 Learnings (12)
📚 Learning: 2025-08-22T21:20:35.260Z
Learnt from: landonshumway-ia
Repo: csg-org/CompactConnect PR: 1029
File: backend/compact-connect/docs/api-specification/latest-oas30.json:468-471
Timestamp: 2025-08-22T21:20:35.260Z
Learning: The file backend/compact-connect/docs/api-specification/latest-oas30.json is auto-generated by API Gateway and should not be modified inline. Any schema changes would need to be addressed at the source in the CDK/CloudFormation definitions.

Applied to files:

  • backend/compact-connect-ui-app/tests/resources/snapshots/ProdFrontend-FrontendDeploymentStack-UI_DISTRIBUTION.json
  • backend/compact-connect-ui-app/tests/resources/snapshots/SandboxUI-FrontendDeploymentStack-UI_DISTRIBUTION.json
  • backend/compact-connect-ui-app/tests/resources/snapshots/ProdFrontend-FrontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json
  • backend/compact-connect-ui-app/tests/resources/snapshots/SandboxUI-FrontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json
  • backend/compact-connect-ui-app/tests/resources/snapshots/BetaFrontend-FrontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json
📚 Learning: 2025-12-01T23:28:17.728Z
Learnt from: landonshumway-ia
Repo: csg-org/CompactConnect PR: 1219
File: backend/compact-connect/pipeline/backend_stage.py:44-52
Timestamp: 2025-12-01T23:28:17.728Z
Learning: In backend/compact-connect/pipeline/backend_stage.py, the VpcStack is intentionally created for all environments (including prod and beta) even though SearchPersistentStack and SearchApiStack are temporarily only deployed to non-prod/non-beta environments. This pre-provisioning strategy supports a phased rollout—the search stacks will eventually be released to prod and beta.

Applied to files:

  • backend/common-cdk/common_constructs/base_pipeline_stack.py
  • backend/compact-connect-ui-app/tests/resources/snapshots/ProdFrontend-FrontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json
📚 Learning: 2025-07-22T03:52:25.934Z
Learnt from: landonshumway-ia
Repo: csg-org/CompactConnect PR: 907
File: backend/compact-connect/lambdas/python/provider-data-v1/requirements.txt:2-2
Timestamp: 2025-07-22T03:52:25.934Z
Learning: In CompactConnect, the Python version used by pip-compile to generate requirements.txt files (shown in the header comment) is separate from the actual Lambda runtime environment. Dependencies are installed by a Python 3.12 container during the CI/CD pipeline, ensuring runtime compatibility regardless of the Python version used for pip-compile dependency resolution.

Applied to files:

  • backend/compact-connect/lambdas/python/purchases/requirements-dev.in
  • backend/compact-connect/lambdas/python/purchases/requirements.txt
  • backend/compact-connect/lambdas/python/purchases/requirements.in
  • backend/compact-connect/lambdas/python/purchases/requirements-dev.txt
📚 Learning: 2025-07-22T03:36:17.137Z
Learnt from: landonshumway-ia
Repo: csg-org/CompactConnect PR: 907
File: backend/compact-connect/lambdas/python/purchases/requirements-dev.txt:15-0
Timestamp: 2025-07-22T03:36:17.137Z
Learning: In CompactConnect, requirements-dev.txt files for Lambda functions are used exclusively for running tests and development, not for actual Lambda runtime environments. Concerns about runtime compatibility (like OpenSSL versions) don't apply to these development dependency files.

Applied to files:

  • backend/compact-connect/lambdas/python/purchases/requirements-dev.in
  • backend/compact-connect/lambdas/python/purchases/requirements.txt
  • backend/compact-connect/lambdas/python/purchases/requirements-dev.txt
📚 Learning: 2025-08-21T02:51:28.199Z
Learnt from: landonshumway-ia
Repo: csg-org/CompactConnect PR: 1014
File: backend/compact-connect/lambdas/python/common/requirements.in:4-4
Timestamp: 2025-08-21T02:51:28.199Z
Learning: In CompactConnect, the purchases lambda contains requests as a transitive dependency from the Authorize.net SDK, which is automatically resolved by pip-compile. This should not be manually removed even when requests is also available in the common layer, as it's managed automatically by the dependency resolver.

Applied to files:

  • backend/compact-connect/lambdas/python/purchases/requirements-dev.in
  • backend/compact-connect/lambdas/python/purchases/requirements.txt
  • backend/compact-connect/lambdas/python/purchases/requirements-dev.txt
📚 Learning: 2025-08-12T19:49:24.999Z
Learnt from: landonshumway-ia
Repo: csg-org/CompactConnect PR: 1001
File: backend/compact-connect/lambdas/python/disaster-recovery/requirements.in:1-1
Timestamp: 2025-08-12T19:49:24.999Z
Learning: In CompactConnect disaster-recovery Lambda functions, runtime dependencies like boto3, aws-lambda-powertools, and botocore are provided by lambda layers at deploy time rather than being specified in requirements.in files. The requirements.in file intentionally contains only a comment explaining this approach.

Applied to files:

  • backend/compact-connect/lambdas/python/purchases/requirements-dev.in
  • backend/compact-connect/lambdas/python/purchases/requirements.txt
  • backend/compact-connect/lambdas/python/purchases/requirements-dev.txt
📚 Learning: 2025-10-10T18:45:43.801Z
Learnt from: jsandoval81
Repo: csg-org/CompactConnect PR: 1114
File: backend/compact-connect-ui-app/stacks/frontend_deployment_stack/deployment.py:34-35
Timestamp: 2025-10-10T18:45:43.801Z
Learning: In backend/compact-connect-ui-app/stacks/frontend_deployment_stack/deployment.py, the cdk.context.deploy-example.json file is intentionally minimal and serves as a template, not for actual deployments. Actual deployment environments (test, beta, prod, sandbox) contain all required environment-specific keys like statsig_key, app_env, recaptcha_public_key, and robots_meta. This is by design.

Applied to files:

  • backend/compact-connect-ui-app/tests/resources/snapshots/ProdFrontend-FrontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json
  • backend/compact-connect-ui-app/tests/resources/snapshots/SandboxUI-FrontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json
  • backend/compact-connect-ui-app/tests/resources/snapshots/BetaFrontend-FrontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json
📚 Learning: 2025-10-10T05:26:06.933Z
Learnt from: jusdino
Repo: csg-org/CompactConnect PR: 1143
File: backend/compact-connect/common_constructs/python_common_layer_versions.py:64-69
Timestamp: 2025-10-10T05:26:06.933Z
Learning: In CompactConnect, each environment (sandbox, test, beta, prod, etc.) is deployed to a separate AWS account, so SSM parameter names and other account-scoped resources don't collide across environments.

Applied to files:

  • backend/compact-connect-ui-app/tests/resources/snapshots/ProdFrontend-FrontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json
📚 Learning: 2025-09-03T22:16:52.533Z
Learnt from: landonshumway-ia
Repo: csg-org/CompactConnect PR: 1040
File: backend/compact-connect/stacks/api_stack/v1_api/staff_users.py:459-459
Timestamp: 2025-09-03T22:16:52.533Z
Learning: In the CompactConnect codebase, IAM permissions for Lambda functions should only be granted for API calls that are actually made in the code, following the principle of least privilege. Do not suggest additional permissions without first verifying they are needed by the implementation.

Applied to files:

  • backend/compact-connect-ui-app/tests/resources/snapshots/ProdFrontend-FrontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json
  • backend/compact-connect-ui-app/tests/resources/snapshots/SandboxUI-FrontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json
  • backend/compact-connect-ui-app/tests/resources/snapshots/BetaFrontend-FrontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json
📚 Learning: 2025-09-12T19:53:43.731Z
Learnt from: jusdino
Repo: csg-org/CompactConnect PR: 1080
File: backend/compact-connect/resources/bootstrap-stack-beta.yaml:582-639
Timestamp: 2025-09-12T19:53:43.731Z
Learning: In CompactConnect bootstrap stack templates, the CloudFormationExecutionBoundaryPolicy intentionally allows broad IAM access (iam:*) because the CloudFormation execution role must provision IAM resources across the entire application infrastructure. The security is provided by the permissions boundary restricting access to only the AWS services CompactConnect uses, creating a service-level "sandbox" for CloudFormation operations.

Applied to files:

  • backend/compact-connect-ui-app/tests/resources/snapshots/ProdFrontend-FrontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json
📚 Learning: 2025-08-12T19:49:48.235Z
Learnt from: landonshumway-ia
Repo: csg-org/CompactConnect PR: 1001
File: backend/compact-connect/lambdas/python/disaster-recovery/requirements.txt:1-6
Timestamp: 2025-08-12T19:49:48.235Z
Learning: The disaster-recovery Lambda functions in CompactConnect get their aws-lambda-powertools dependency from the shared lambda layer rather than individual requirements.txt files, which is why their requirements.txt files can be empty or header-only.

Applied to files:

  • backend/compact-connect/lambdas/python/purchases/requirements-dev.txt
📚 Learning: 2025-07-21T20:40:56.491Z
Learnt from: landonshumway-ia
Repo: csg-org/CompactConnect PR: 907
File: backend/compact-connect/lambdas/python/common/requirements.txt:7-0
Timestamp: 2025-07-21T20:40:56.491Z
Learning: In CompactConnect, there is only one lambda layer in use for Python lambdas, and this single layer manages the versions of aws-lambda-powertools, boto3, and botocore dependencies. This eliminates concerns about version skew across multiple lambda layers since all Python lambdas share the same dependency management through this single layer.

Applied to files:

  • backend/compact-connect/lambdas/python/purchases/requirements-dev.txt
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: TestApp
  • GitHub Check: TestApp
🔇 Additional comments (10)
backend/common-cdk/common_constructs/base_pipeline_stack.py (1)

42-43: LGTM!

The removal of the redundant self.env reassignment is correct. The parent Stack.__init__() already receives and sets the env parameter (line 40), and the comments clearly explain the rationale regarding CDK's read-only behavior in newer versions. This prevents potential issues with attempting to reassign a read-only property.

backend/compact-connect-ui-app/tests/resources/snapshots/BetaFrontend-FrontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json (1)

5-5: LGTM! Search API domain correctly integrated into CSP Lambda.

The snapshot correctly reflects the addition of searchApi to:

  • environmentValues configuration
  • getEnvironmentUrls() helper function
  • CSP connect-src directive

This enables the frontend to make XHR/fetch requests to the search API domain while maintaining CSP security.

backend/compact-connect-ui-app/tests/resources/snapshots/ProdFrontend-FrontendDeploymentStack-UI_DISTRIBUTION.json (1)

42-42: LGTM! Lambda version reference updated correctly.

The CSP Lambda function version reference is updated to reflect the new code that includes the search API domain in the CSP configuration. This ensures the CloudFront distribution uses the updated CSP Lambda.

backend/compact-connect-ui-app/tests/resources/snapshots/SandboxUI-FrontendDeploymentStack-UI_DISTRIBUTION.json (1)

42-42: LGTM! Lambda version reference consistent with other environment snapshots.

The version reference matches the updated CSP Lambda that includes search API domain support.

backend/compact-connect-ui-app/tests/resources/snapshots/ProdFrontend-FrontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json (1)

5-5: LGTM! CSP Lambda code correctly includes search API domain.

The embedded Lambda code properly adds the searchApi domain to the environment configuration and CSP connect-src directive, consistent with the other environment snapshots.

backend/compact-connect-ui-app/tests/resources/snapshots/SandboxUI-FrontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json (1)

5-5: LGTM! Sandbox CSP Lambda snapshot consistent with other environments.

The search API domain integration is correctly reflected in all Lambda function snapshots, ensuring consistent CSP behavior across Beta, Prod, and Sandbox deployments.

backend/compact-connect/lambdas/python/purchases/requirements-dev.in (1)

17-17: LGTM!

The urllib3 version bump to >=2.6.3 aligns with the runtime requirements and ensures consistent dependency versions across dev and production environments.

backend/compact-connect/lambdas/python/purchases/requirements.txt (1)

5-5: LGTM!

The autogenerated file correctly reflects the updated constraints from requirements.in. The urllib3 source annotation now properly shows it's both an explicit pin and a transitive dependency of requests.

Also applies to: 9-9, 21-24

backend/compact-connect/lambdas/python/purchases/requirements-dev.txt (1)

1-184: LGTM!

Routine autogenerated dependency updates. The simplified source path references (e.g., -r requirements-dev.in instead of full paths) improve readability. Based on learnings, this file is used exclusively for tests and development, so these version bumps don't affect Lambda runtime.

backend/compact-connect/lambdas/python/purchases/requirements.in (1)

3-4: Good practice explicitly pinning a transitive dependency for a security patch.

The comment clearly documents the reasoning. The version constraint >=2.6.3, <3 appropriately ensures the package includes security fixes—urllib3 2.6.0+ addressed decompression and streaming DOS vulnerabilities (CVE-2025-66418, CVE-2025-66471).

Likely an incorrect or invalid review comment.
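The CSP change reviewed above can be checked mechanically. The following is an added example, not the project's Lambda code: it builds a `connect-src` directive from deploy-time domain values and audits a resulting header for a missing origin, a wildcard, or a `##NAME##` placeholder that was never substituted. The function names and `example.test` hosts are assumptions made for illustration.

```javascript
// Added example: function names and hosts are constructed, not the project's own.
const PLACEHOLDER = /##[A-Z0-9_]+##/;

// Build connect-src from a map of deploy-time domain values; refuse to emit a
// policy if any value is empty or still carries its ##NAME## placeholder.
function buildConnectSrc(domains) {
  const sources = ["'self'"];
  for (const [name, host] of Object.entries(domains)) {
    if (!host || PLACEHOLDER.test(host)) {
      throw new Error(`domain "${name}" was not substituted at deploy time`);
    }
    sources.push(`https://${host}`);
  }
  return `connect-src ${sources.join(' ')}`;
}

// Parse a CSP header value into { directive: [sources] }.
// When a directive is repeated, browsers honour only the first occurrence.
function parseCsp(header) {
  const policy = Object.create(null);
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in policy)) policy[key] = sources;
  }
  return policy;
}

// Return a list of findings for the connect-src directive of a served header.
function auditConnectSrc(header, requiredHosts) {
  const sources = parseCsp(header)['connect-src'];
  if (!sources) return ['connect-src missing: fetch/XHR falls back to default-src'];
  const findings = [];
  for (const src of sources) {
    if (PLACEHOLDER.test(src)) findings.push(`unsubstituted placeholder: ${src}`);
    if (src === 'https:' || src.includes('*')) findings.push(`overly broad source: ${src}`);
  }
  for (const host of requiredHosts) {
    if (!sources.includes(`https://${host}`)) {
      findings.push(`required origin not allowed: https://${host}`);
    }
  }
  return findings;
}

// Constructed sample values.
const sampleDomains = { dataApi: 'api.example.test', searchApi: 'search.example.test' };
const goodHeader = `default-src 'self'; ${buildConnectSrc(sampleDomains)}`;
const staleHeader = "default-src 'self'; connect-src 'self' https://##SEARCH_API##";
```

Running `auditConnectSrc` against the header actually served by each environment catches a deployment where the new domain value never reached the Lambda.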

Collaborator

@jlkravitz jlkravitz left a comment

@isabeleliassen This is good to merge!

@isabeleliassen isabeleliassen merged commit d3b4e4e into csg-org:main Jan 12, 2026
10 of 11 checks passed

4 participants