review round 2: errorId-before-log, least-priv default, optional schema, eager imports

- mapErrorToResponse: appendKeys({ errorId }) now runs before logger.error
  so the ERROR line itself carries the errorId the client sees.
- GiantsFunction tableAccess default flipped from 'readwrite' to 'read'.
  Least privilege by default; handlers that write opt into 'readwrite'.
- ConfigProvider.getConfig and SecretsProvider.getSecret accept an optional
  structural Schema<T> validator (matches Zod/Valibot/ArkType parse shape).
  Cements the runtime-validation counterpart of the JSON schema CDK already
  registers with AppConfig.
- Config and Secrets powertools calls are now static imports, matching
  Telemetry. No more dynamic-import inconsistency across the three.

Author: lukehedger

infra/stack.ts

@@ -73,8 +73,9 @@ export class Example extends Stack {
         path: 'hello',
         description: 'Hello world',
         memory: 128,
-        tableAccess: 'read',
         timeout: 10,
+        // Defaults to read-only DynamoDB access. Handlers that need to
+        // write should set `tableAccess: 'readwrite'`.
       },
     ];
 

packages/cdk/GiantsFunction.ts

@@ -112,11 +112,14 @@ export class GiantsFunction extends NodejsFunction {
     }
 
     if (props.table) {
-      const access = props.tableAccess ?? 'readwrite';
-      if (access === 'read') {
-        props.table.grantReadData(this);
-      } else {
+      // Default to read-only — least privilege wins unless the handler
+      // actively needs to write. Opt in to 'readwrite' per-route when it
+      // does.
+      const access = props.tableAccess ?? 'read';
+      if (access === 'readwrite') {
         props.table.grantReadWriteData(this);
+      } else {
+        props.table.grantReadData(this);
       }
     }
   }

packages/cdk/tests/GiantsFunction.test.ts

@@ -131,7 +131,28 @@ describe('GiantsFunction', () => {
     });
   });
 
-  test('grants DynamoDB read/write by default when table prop is set', () => {
+  const collectActions = (template: Template): Set<string> => {
+    const policies = template.findResources('AWS::IAM::Policy');
+    const actions = new Set<string>();
+    for (const policy of Object.values(policies)) {
+      const statements = (
+        policy as {
+          Properties: {
+            PolicyDocument: { Statement: Array<{ Action: string | string[] }> };
+          };
+        }
+      ).Properties.PolicyDocument.Statement;
+      for (const statement of statements) {
+        const raw = statement.Action;
+        for (const action of Array.isArray(raw) ? raw : [raw]) {
+          actions.add(action);
+        }
+      }
+    }
+    return actions;
+  };
+
+  test('grants read-only DynamoDB by default when a table is set', () => {
     const app = new App();
     const stack = new Stack(app, 'TestStack');
     const table = new Table(stack, 'TestTable', {
@@ -143,23 +164,14 @@ describe('GiantsFunction', () => {
       table,
     });
     const template = Template.fromStack(stack);
+    const actions = collectActions(template);
 
-    template.hasResourceProperties('AWS::IAM::Policy', {
-      PolicyDocument: {
-        Statement: Match.arrayWith([
-          Match.objectLike({
-            Action: Match.arrayWith([
-              'dynamodb:BatchGetItem',
-              'dynamodb:GetItem',
-              'dynamodb:PutItem',
-            ]),
-          }),
-        ]),
-      },
-    });
+    expect(actions.has('dynamodb:GetItem')).toBe(true);
+    expect(actions.has('dynamodb:PutItem')).toBe(false);
+    expect(actions.has('dynamodb:DeleteItem')).toBe(false);
   });
 
-  test('grants read-only DynamoDB access when tableAccess is "read"', () => {
+  test('grants DynamoDB read/write when tableAccess is "readwrite"', () => {
     const app = new App();
     const stack = new Stack(app, 'TestStack');
     const table = new Table(stack, 'TestTable', {
@@ -169,30 +181,23 @@ describe('GiantsFunction', () => {
       appConfigApplication: 'example',
       entry: new URL('fixtures/handler.ts', import.meta.url).pathname,
       table,
-      tableAccess: 'read',
+      tableAccess: 'readwrite',
     });
     const template = Template.fromStack(stack);
 
-    const policies = template.findResources('AWS::IAM::Policy');
-    const actions = new Set<string>();
-    for (const policy of Object.values(policies)) {
-      const doc = (
-        policy as {
-          Properties: {
-            PolicyDocument: { Statement: Array<{ Action: string | string[] }> };
-          };
-        }
-      ).Properties.PolicyDocument.Statement;
-      for (const statement of doc) {
-        const raw = statement.Action;
-        for (const action of Array.isArray(raw) ? raw : [raw]) {
-          actions.add(action);
-        }
-      }
-    }
-    expect(actions.has('dynamodb:GetItem')).toBe(true);
-    expect(actions.has('dynamodb:PutItem')).toBe(false);
-    expect(actions.has('dynamodb:DeleteItem')).toBe(false);
+    template.hasResourceProperties('AWS::IAM::Policy', {
+      PolicyDocument: {
+        Statement: Match.arrayWith([
+          Match.objectLike({
+            Action: Match.arrayWith([
+              'dynamodb:BatchGetItem',
+              'dynamodb:GetItem',
+              'dynamodb:PutItem',
+            ]),
+          }),
+        ]),
+      },
+    });
   });
 
   test('does not hardcode a functionName (avoids cross-stack collisions)', () => {

packages/config/config.ts

@@ -1,15 +1,34 @@
+import { getAppConfig } from '@aws-lambda-powertools/parameters/appconfig';
+
+/**
+ * Structural schema type — matches Zod, Valibot, ArkType, or any validator
+ * that exposes a `parse(unknown): T` method.
+ */
+export interface Schema<T> {
+  parse(input: unknown): T;
+}
+
 export interface ConfigProvider {
-  getConfig<Configuration>(profileName: string): Promise<Configuration>;
+  getConfig<Configuration>(
+    profileName: string,
+    schema?: Schema<Configuration>,
+  ): Promise<Configuration>;
 }
 
 export interface PowertoolsConfigOptions {
   environment?: string;
   maxAge?: number;
 }
 
+const validate = <Configuration>(
+  raw: unknown,
+  schema: Schema<Configuration> | undefined,
+): Configuration => (schema ? schema.parse(raw) : (raw as Configuration));
+
 export const localConfig = (): ConfigProvider => ({
   getConfig: async <Configuration>(
     profileName: string,
+    schema?: Schema<Configuration>,
   ): Promise<Configuration> => {
     const key = `CONFIG_${profileName.toUpperCase().replaceAll('-', '_')}`;
     const value = process.env[key];
@@ -18,7 +37,7 @@ export const localConfig = (): ConfigProvider => ({
       throw new Error(`Missing environment variable: ${key}`);
     }
 
-    return JSON.parse(value) as Configuration;
+    return validate(JSON.parse(value), schema);
   },
 });
 
@@ -28,21 +47,18 @@ export const powertoolsConfig = (
 ): ConfigProvider => ({
   getConfig: async <Configuration>(
     profileName: string,
+    schema?: Schema<Configuration>,
   ): Promise<Configuration> => {
-    const { getAppConfig } = await import(
-      '@aws-lambda-powertools/parameters/appconfig'
-    );
-
     const environment =
       options.environment ?? process.env.APPCONFIG_ENVIRONMENT ?? 'default';
 
-    const config = await getAppConfig(profileName, {
+    const raw = await getAppConfig(profileName, {
       application,
       environment,
       maxAge: options.maxAge ?? 300,
       transform: 'json',
     });
 
-    return config as Configuration;
+    return validate(raw, schema);
   },
 });

packages/config/index.ts

@@ -3,4 +3,5 @@ export {
   localConfig,
   type PowertoolsConfigOptions,
   powertoolsConfig,
+  type Schema,
 } from './config.ts';

packages/config/tests/config.test.ts

@@ -107,4 +107,52 @@ describe('powertoolsConfig', () => {
       expect.objectContaining({ maxAge: 30 }),
     );
   });
+
+  test('runs the raw value through an optional schema', async () => {
+    const raw = { greeting: 'hi' };
+    mockGetAppConfig.mockResolvedValueOnce(raw);
+    const schema = {
+      parse: mock((input: unknown) => input as typeof raw),
+    };
+    const result = await powertoolsConfig('example').getConfig(
+      'profile',
+      schema,
+    );
+    expect(schema.parse).toHaveBeenCalledWith(raw);
+    expect(result).toEqual(raw);
+  });
+
+  test('propagates schema parse errors', async () => {
+    mockGetAppConfig.mockResolvedValueOnce({ greeting: 42 });
+    const schema = {
+      parse: () => {
+        throw new Error('bad shape');
+      },
+    };
+    await expect(
+      powertoolsConfig('example').getConfig('profile', schema),
+    ).rejects.toThrow('bad shape');
+  });
+});
+
+describe('localConfig with schema', () => {
+  const original = process.env.CONFIG_EXAMPLE;
+
+  afterEach(() => {
+    if (original === undefined) {
+      delete process.env.CONFIG_EXAMPLE;
+    } else {
+      process.env.CONFIG_EXAMPLE = original;
+    }
+  });
+
+  test('validates via schema.parse when supplied', async () => {
+    process.env.CONFIG_EXAMPLE = JSON.stringify({ greeting: 'hi' });
+    const schema = {
+      parse: mock((input: unknown) => input as { greeting: string }),
+    };
+    const result = await localConfig().getConfig('example', schema);
+    expect(schema.parse).toHaveBeenCalledWith({ greeting: 'hi' });
+    expect(result).toEqual({ greeting: 'hi' });
+  });
 });

packages/errors/map-error-to-response.ts

@@ -23,11 +23,11 @@ export const mapErrorToResponse = (
 ): ErrorResponse => {
   const errorId = randomUUID();
 
-  logger.error('mapErrorToResponse', error as Error);
-  // Append errorId so the wide-event emitted at end-of-invocation carries
-  // the same id that's in the response body — lets clients quote errorId
-  // when asking for diagnostics.
+  // Append errorId before logging so the ERROR line itself carries the id
+  // the client will see in the response body — plus every subsequent log
+  // in the invocation, including the end-of-invocation wide-event.
   logger.appendKeys({ errorId });
+  logger.error('mapErrorToResponse', error as Error);
 
   return respond(500, {
     errorId,

packages/errors/tests/errors.test.ts

@@ -34,6 +34,24 @@ describe('mapErrorToResponse', () => {
     const body = JSON.parse(res.body);
     expect(logger.appendKeys).toHaveBeenCalledWith({ errorId: body.errorId });
   });
+
+  test('appends errorId BEFORE logging so the ERROR line carries it too', () => {
+    const order: string[] = [];
+    const logger: TelemetryLogger = {
+      debug: mock(() => {}),
+      info: mock(() => {}),
+      warn: mock(() => {}),
+      resetKeys: mock(() => {}),
+      appendKeys: mock(() => {
+        order.push('appendKeys');
+      }),
+      error: mock(() => {
+        order.push('error');
+      }),
+    };
+    mapErrorToResponse(new Error('boom'), logger);
+    expect(order).toEqual(['appendKeys', 'error']);
+  });
 });
 
 describe('validationErrorResponse', () => {

packages/secrets/index.ts

@@ -1 +1,5 @@
-export { powertoolsSecrets, type SecretsProvider } from './secrets.ts';
+export {
+  powertoolsSecrets,
+  type Schema,
+  type SecretsProvider,
+} from './secrets.ts';

packages/secrets/secrets.ts

@@ -1,18 +1,30 @@
+import { getSecret } from '@aws-lambda-powertools/parameters/secrets';
+
+/**
+ * Structural schema type — matches Zod, Valibot, ArkType, or any validator
+ * that exposes a `parse(unknown): T` method.
+ */
+export interface Schema<T> {
+  parse(input: unknown): T;
+}
+
 export interface SecretsProvider {
-  getSecret<Credentials>(secretName: string): Promise<Credentials>;
+  getSecret<Credentials>(
+    secretName: string,
+    schema?: Schema<Credentials>,
+  ): Promise<Credentials>;
 }
 
 export const powertoolsSecrets = (maxAge = 300): SecretsProvider => ({
-  getSecret: async <Credentials>(secretName: string): Promise<Credentials> => {
-    const { getSecret } = await import(
-      '@aws-lambda-powertools/parameters/secrets'
-    );
-
-    const secret = await getSecret(secretName, {
+  getSecret: async <Credentials>(
+    secretName: string,
+    schema?: Schema<Credentials>,
+  ): Promise<Credentials> => {
+    const raw = await getSecret(secretName, {
       maxAge,
       transform: 'json',
     });
 
-    return secret as Credentials;
+    return schema ? schema.parse(raw) : (raw as Credentials);
   },
 });