chore(infra): replace LOCALSTACK_ACKNOWLEDGE with LOCALSTACK_AUTH_TOKEN

[macalbert]

Summary

Replaces the deprecated LOCALSTACK_ACKNOWLEDGE_ACCOUNT_REQUIREMENT workaround with a proper LOCALSTACK_AUTH_TOKEN, required by LocalStack's current account model. The token is fetched automatically via envilder from AWS SSM when the .env file does not exist, so no manual secret management is needed.

Changes

• docker-compose.yml — swap LOCALSTACK_ACKNOWLEDGE_ACCOUNT_REQUIREMENT for LOCALSTACK_AUTH_TOKEN read from env
• package.json — docker:up script now runs npx envilder first to populate .env before starting containers
• secrets-map.json — new map file pointing LOCALSTACK_AUTH_TOKEN to /envilder/development/localstack/authToken in AWS SSM
• vitest.global-setup.ts — load .env via dotenv before tests; auto-fetch secrets via npx envilder if .env is missing
• e2e/gha.test.ts — pass LOCALSTACK_AUTH_TOKEN from process.env to LocalStack container
• tests/.../AwsSsmSecretProvider.test.ts — same token replacement for unit-level LocalStack container

Testing

• pnpm test passes
• pnpm lint passes
• Manual verification (if applicable)

Related

N/A

---

Summary by CodeRabbit

• Tests
  • Updated integration test environment for AWS service mocking to require a local auth token and adjust the emulator startup configuration.

---

Note: Internal testing infrastructure updates only; no user-facing behavior or public APIs were changed.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 3ac48916-4db4-4890-bbc3-851d980709ca

📥 Commits

Reviewing files that changed from the base of the PR and between 848dc9f and 1dfa34f.

⛔ Files ignored due to path filters (8)

• .github/workflows/tests.yml is excluded by none and included by none
• docker-compose.yml is excluded by none and included by none
• e2e/gha.test.ts is excluded by none and included by none
• package.json is excluded by none and included by none
• secrets-map.json is excluded by none and included by none
• vite.config.ts is excluded by none and included by none
• vitest.global-setup.ts is excluded by none and included by none
• vitest.setup.ts is excluded by none and included by none

📒 Files selected for processing (1)

• tests/envilder/core/infrastructure/aws/AwsSsmSecretProvider.test.ts

🚧 Files skipped from review as they are similar to previous changes (1)

• tests/envilder/core/infrastructure/aws/AwsSsmSecretProvider.test.ts

---

Walkthrough

Integration test now validates presence of process.env.LOCALSTACK_AUTH_TOKEN before starting the LocalStack container and replaces LOCALSTACK_ACKNOWLEDGE_ACCOUNT_REQUIREMENT with LOCALSTACK_AUTH_TOKEN in the container environment; test flow for SSM client usage remains unchanged.

Changes

Cohort / File(s)	Summary
LocalStack Test Configuration tests/envilder/core/infrastructure/aws/AwsSsmSecretProvider.test.ts	Added validation that process.env.LOCALSTACK_AUTH_TOKEN exists (throws if missing) and replaced LOCALSTACK_ACKNOWLEDGE_ACCOUNT_REQUIREMENT: '1' with LOCALSTACK_AUTH_TOKEN: process.env.LOCALSTACK_AUTH_TOKEN in the LocalStack container environment setup.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~7 minutes

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main change: replacing LOCALSTACK_ACKNOWLEDGE_ACCOUNT_REQUIREMENT with LOCALSTACK_AUTH_TOKEN in infrastructure configuration.
Description check	✅ Passed	The description comprehensively covers all template sections with detailed explanations of changes, testing checklist, and properly structured content matching the required template format.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch macalbert/use-localstack-token

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

tests/envilder/core/infrastructure/aws/AwsSsmSecretProvider.test.ts (1)

147-165: Consider failing fast if LOCALSTACK_AUTH_TOKEN is missing.

Falling back to an empty string when LOCALSTACK_AUTH_TOKEN is undefined may cause silent test failures or unexpected LocalStack behavior. If the token is required for LocalStack's current account model (as per PR objectives), tests should fail explicitly when the prerequisite is missing rather than passing an empty value.

♻️ Suggested improvement: validate token presence

   beforeAll(async () => {
+    if (!process.env.LOCALSTACK_AUTH_TOKEN) {
+      throw new Error(
+        'LOCALSTACK_AUTH_TOKEN is required. Run `npx envilder` to populate .env',
+      );
+    }
     container = await new LocalstackContainer(LOCALSTACK_IMAGE)
       .withName(`localstack-ssm-${randomUUID().slice(0, 8)}`)
       .withEnvironment({
-        LOCALSTACK_AUTH_TOKEN: process.env.LOCALSTACK_AUTH_TOKEN ?? '',
+        LOCALSTACK_AUTH_TOKEN: process.env.LOCALSTACK_AUTH_TOKEN,
       })
       .start();

Alternatively, if LocalStack community edition should work without a token, consider documenting this behavior with a comment explaining when the empty fallback is acceptable.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/envilder/core/infrastructure/aws/AwsSsmSecretProvider.test.ts` around
lines 147 - 165, The test currently falls back to an empty string for
LOCALSTACK_AUTH_TOKEN in the beforeAll block where LocalstackContainer is
constructed (see beforeAll, LocalstackContainer(...).withEnvironment and
LOCALSTACK_AUTH_TOKEN usage); instead validate process.env.LOCALSTACK_AUTH_TOKEN
at the start of beforeAll and fail fast (throw an Error or call fail) with a
clear message if it's undefined/empty so tests don't silently run with an
invalid token; if an empty token is acceptable, add an explicit comment near the
withEnvironment call explaining why the empty fallback is intentional and when
it is safe to use.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@tests/envilder/core/infrastructure/aws/AwsSsmSecretProvider.test.ts`:
- Around line 147-165: The test currently falls back to an empty string for
LOCALSTACK_AUTH_TOKEN in the beforeAll block where LocalstackContainer is
constructed (see beforeAll, LocalstackContainer(...).withEnvironment and
LOCALSTACK_AUTH_TOKEN usage); instead validate process.env.LOCALSTACK_AUTH_TOKEN
at the start of beforeAll and fail fast (throw an Error or call fail) with a
clear message if it's undefined/empty so tests don't silently run with an
invalid token; if an empty token is acceptable, add an explicit comment near the
withEnvironment call explaining why the empty fallback is intentional and when
it is safe to use.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: ee335c40-2702-475a-a403-0180a6a000c8

📥 Commits

Reviewing files that changed from the base of the PR and between 35e7f78 and 848dc9f.

⛔ Files ignored due to path filters (5)

• docker-compose.yml is excluded by none and included by none
• e2e/gha.test.ts is excluded by none and included by none
• package.json is excluded by none and included by none
• secrets-map.json is excluded by none and included by none
• vitest.global-setup.ts is excluded by none and included by none

📒 Files selected for processing (1)

• tests/envilder/core/infrastructure/aws/AwsSsmSecretProvider.test.ts