Deployment

Every Kanject service ships with CloudFormation templates and stage configs. One command deploys the whole stack — kanject deploy --env <stage> — and the deployment ledger gives you alias-flip rollback for free.

# Deploy to dev (or stage, or prod — stage names come from manifest.aws.stages)
kanject deploy --env dev

# Browse history
kanject deployments list --env dev

# Roll back to a prior Lambda version (alias flip — no rebuild)
kanject rollback --env dev

What `deploy` does

• Sync — clones every cross-repo dep at its pinned ref, packs them, rewrites csproj <PackageReference>s to the local feed.
• Resolve env — fetches every secret: and param: reference from AWS, materializes a flat env map.
• Generate aws-lambda-tools.<stage>.json — per-stage tool config with resolved env baked in.
• dotnet lambda deploy-serverless — builds, packages, uploads to S3, deploys / updates the CloudFormation stack.
• Publish + flip — a fresh Lambda version is published; the live alias is repointed.
• Ledger entry — appends a snapshot to s3://<artifactBucket>/_ledger/versions/<n>.json with the commit SHA and env-value hashes.

What gets provisioned

• API Gateway HTTP API mapped to your Lambda function
• IAM role with scoped permissions for DynamoDB, S3, SNS, Parameter Store
• CloudWatch log group with structured-log ingestion
• Per-environment stack names so staging and production stay fully isolated

Preview stacks

Set manifest.json → preview.enabled to true to unlock a per-PR / per-branch deployment lane. Preview stacks inherit AWS region / profile / Parameter Store path from basedOn (typically dev), so credentials and config are reused; they expire after ttlDays so they don't accumulate.

"preview": {
  "enabled": true,
  "basedOn": "dev",
  "ttlDays": 7,
  "stackName": "preview-{name}-{service}",
  "apiStage": "preview-{name}",
  "isolation": "shared-dev",
  "shareUrl": true
}

Lifecycle: kanject preview ls, kanject preview rm, kanject preview url. Deploy with kanject deploy --preview <name>.