Skip to content

feat: integrate lsp feature branch#1681

Open
megha-narayanan wants to merge 23 commits into
mainfrom
feat/cdk-lsp
Open

feat: integrate lsp feature branch#1681
megha-narayanan wants to merge 23 commits into
mainfrom
feat/cdk-lsp

Conversation

@megha-narayanan

@megha-narayanan megha-narayanan commented Jun 29, 2026

Copy link
Copy Markdown

Merges thefeat/cdk-lsp' branch into main`. The change is additive and introduces no behavior change to existing CLI commands.

  • New @aws-cdk/cdk-explorer package containing the Language Server under lib/lsp (server, diagnostics, CodeLens, template locator, position mapping).
  • Extends @aws-cdk/cloud-assembly-api with two parsing modules consumed by the server: construct-tree.ts (builds the construct tree from a cloud assembly) and template-ranges.ts (resolves a logical ID or property to its byte range in the template).

Capabilities (folds in #1559, #1593, #1592, #1617, #1624, #1630, #1631, #1662, #1634, #1674):

  • Diagnostics: surfaces synth errors and policy-validation violations in the editor, mapped back to the source.
  • Surfaces CFN resources and adds CodeLens navigation from a construct to its template resource.
  • Navigation between construct source and the synthesized template in both directions.
  • Live refresh: diagnostics and CodeLens update when cdk.out changes.
  • Reads are constrained to the project directory, and template reads run off the LSP event loop.

This PR is the server and parsing foundation. It does not add a shipped CLI command or the web explorer.

Checklist

  • This change contains a major version upgrade for a dependency and I confirm all breaking changes are addressed
    • Release notes for the new version:

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

megha-narayanan and others added 9 commits May 27, 2026 15:33
Basic scaffolding for new packages to be implemented: a core
functionality library, the lsp server, and the web explorer.

### Checklist
- [ ] This change contains a major version upgrade for a dependency and
I confirm all breaking changes are addressed
  - Release notes for the new version:

---
By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache-2.0 license
Refactor: put LSP skeleton in a unique branch from web explorer

- [ ] This change contains a major version upgrade for a dependency and
I confirm all breaking changes are addressed
  - Release notes for the new version:

---
By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache-2.0 license

---------

Fixes #

### Checklist
- [ ] This change contains a major version upgrade for a dependency and
I confirm all breaking changes are addressed
  - Release notes for the new version:

---
By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache-2.0 license

---------

Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
- Adds an assembly reader that joins `cdk.out/`'s `tree.json` with each
stack's manifest metadata into a `ConstructNode` tree carrying
`logicalId`, CFN type, and source location.
- LSP publishes CDK validation violations as `Diagnostic`s anchored to
the construct's TypeScript source line, with rule-level severity.
- LSP serves `CodeLens` entries above each construct creation site
summarising the CFN resources it produces.
- Source resolution covers `.ts` and `.js` (with sibling `.js.map`);
non-TS apps degrade gracefully (no crash, no source-linked features).

Fixes #

### Checklist
- [ ] This change contains a major version upgrade for a dependency and
I confirm all breaking changes are addressed
  - Release notes for the new version:

---
By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache-2.0 license
Builds on #1592, which surfaced display-only CodeLens entries for the
CFN
resources each construct produces. This PR makes them **clickable**.
Selecting a
lens jumps to the resource's definition in the synthesized
CloudFormation template.

Features:
- **Clickable navigation** — each lens carries an `openResource` command
that opens
  the resource's template file at its logical-ID line.
- **Multi-resource picker** — constructs producing several resources
show a QuickPick;
  single-resource constructs open directly.
- **Positional `templateFile` resolution (cloud-assembly-api)** —
`buildConstructTree`
threads the owning template through the tree, switching at NestedStack
boundaries.
- **Clearer titles** — `Creates AWS::S3::Bucket`, or
`Creates 3 resources: AWS::S3::Bucket, AWS::S3::BucketPolicy,
AWS::KMS::Key`.

### Checklist
- [ ] This change contains a major version upgrade for a dependency and
I confirm all breaking changes are addressed
  - Release notes for the new version:

---
By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache-2.0 license

---------

Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
- Computes character ranges for CloudFormation resource blocks in
synthesized templates and uses them for navigation in both directions:
- 
- CodeLens "go to" now selects the whole resource block (was a
zero-width cursor).
- New go-to-definition from a synthesized template back to the
construct's source.

A note on the JSON parser dependency Computing character ranges needs a
position-aware JSON parser, since JSON.parse discards offsets. The
natural choice is jsonc-parser (what the VS Code JSON language service
uses). We could not use it here: its UMD entry loads internal modules
through a parameter-shadowed require("./impl/...") that esbuild (used by
node-backpack to bundle the CLI) cannot statically trace, so the bundled
`cdk/cdk-assets` binaries fail with `Cannot find module
'./impl/format'`. Known, still-open:
[microsoft/node-jsonc-parser#57](microsoft/node-jsonc-parser#57),
[evanw/esbuild#1619](evanw/esbuild#1619). Its
ESM build bundles fine, but the esbuild mainFields workaround isn't
exposed by node-backpack, and importing the ESM build directly breaks
our CommonJS tests; marking it external isn't appropriate for a
self-contained CLI. So we use
[json-source-map](https://www.npmjs.com/package/json-source-map), a
single-file CommonJS module that bundles cleanly.


### Checklist
- [ ] This change contains a major version upgrade for a dependency and
I confirm all breaking changes are addressed
  - Release notes for the new version:

---
By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache-2.0 license
The LSP currently reads `cdk.out` once at startup and never refreshes.
After this PR, any
rewrite of `cdk.out` refreshes the editor's diagnostics and CodeLenses
automatically. 

* New `lib/core/assembly-watcher.ts`: a chokidar-backed watcher with a
debounced
  200ms `onChange`, filtered to `manifest.json`, `tree.json`,
  `validation-report.json`. RWLock marker files (`synth.lock`,
`read.<pid>.<n>.lock`) are excluded. Throws from `onChange` route
through
`onError` rather than leaking from the timer. Lives in `lib/core/` so
the web
  explorer can reuse it.
* `refreshFromAssembly` is now the single fan-out for new assembly data:
rebuild `cachedIndex`, publish empty diagnostics for URIs that no longer
have
violations (clearing resolved squiggles), republish current diagnostics,
and
send `workspace/codeLens/refresh` (gated on
`workspace.codeLens.refreshSupport`).
* When the validation report fails to load, last-good diagnostics are
preserved,
  matching the existing contract for `'error'` and `'not-found'` reads.
* Watcher started in `onInitialized` after the initial refresh, closed
in
  `onShutdown`.
Fixes #

### Checklist
- [ ] This change contains a major version upgrade for a dependency and
I confirm all breaking changes are addressed
  - Release notes for the new version:

---
By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache-2.0 license
The LSP followed source/template paths from the cloud assembly
(stack-trace
frames, source maps, template paths) with only an extension allow-list.
If
cdk.out is tampered with, a crafted path like `../../../etc/passwd.js`
could be
read or surfaced as a nav target.

Adds a symlink-aware `isWithinRoot` and gates every read: source paths
against
the project dir, `templateFile` against the assembly dir. Out-of-root
paths are
dropped as not-navigable (same as non-TS apps). No change for valid
assemblies.

Fixes #

### Checklist
- [ ] This change contains a major version upgrade for a dependency and
I confirm all breaking changes are addressed
  - Release notes for the new version:

---
By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache-2.0 license
Convert the two synchronous template reads on the LSP request paths
(onDefinition and the CodeLens provider) to fs.promises, continuing the
async direction from #1631.

resourceTarget, codeLensesForFile, and commandFor are now async and read
sequentially, so the number of concurrent reads never grows with app
size. The LspHandlers interface widens onCodeLens and onDefinition to
return Promises; the connection wiring passes the Promise through
unchanged.

readAssembly and the source-map reads stay synchronous: they run at
startup and on watch events, not per request, and convert-source-map
takes a synchronous reader.

Fixes #

### Checklist
- [ ] This change contains a major version upgrade for a dependency and
I confirm all breaking changes are addressed
  - Release notes for the new version:

---
By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache-2.0 license
@github-actions github-actions Bot added the p2 label Jun 29, 2026
@aws-cdk-automation aws-cdk-automation requested a review from a team June 29, 2026 16:02
# Conflicts:
#	packages/@aws-cdk/integ-runner/THIRD_PARTY_LICENSES
#	packages/aws-cdk/THIRD_PARTY_LICENSES
#	packages/cdk-assets/THIRD_PARTY_LICENSES
#	yarn.lock
@github-actions

github-actions Bot commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 12 package(s) with unknown licenses.
  • ⚠️ 1 packages with OpenSSF Scorecard issues.
See the Details below.

License Issues

packages/@aws-cdk/cdk-explorer/package.json

PackageVersionLicenseIssue Type
@aws-cdk/cloud-assembly-api^0.0.0NullUnknown License
@aws-cdk/cloud-assembly-schema^0.0.0NullUnknown License
@aws-cdk/toolkit-lib^0.0.0NullUnknown License
@jridgewell/trace-mapping^0.3NullUnknown License
chokidar^4NullUnknown License
convert-source-map^2NullUnknown License
vscode-jsonrpc^8NullUnknown License
vscode-languageserver^9NullUnknown License
vscode-languageserver-textdocument^1NullUnknown License

packages/@aws-cdk/cloud-assembly-api/package.json

PackageVersionLicenseIssue Type
json-source-map^0.6.1NullUnknown License

packages/aws-cdk/package.json

PackageVersionLicenseIssue Type
@aws-cdk/cdk-explorer^0.0.0NullUnknown License

yarn.lock

PackageVersionLicenseIssue Type
@aws-cdk/cdk-explorer@workspace:packages/0.0.0-use.localNullUnknown License

OpenSSF Scorecard

Scorecard details
PackageVersionScoreDetails
npm/@aws-cdk/cloud-assembly-api ^0.0.0 UnknownUnknown
npm/@aws-cdk/cloud-assembly-schema ^0.0.0 UnknownUnknown
npm/@aws-cdk/toolkit-lib ^0.0.0 UnknownUnknown
npm/@cdklabs/eslint-plugin ^2.0.11 UnknownUnknown
npm/@jridgewell/trace-mapping ^0.3 UnknownUnknown
npm/@stylistic/eslint-plugin ^3 UnknownUnknown
npm/@types/convert-source-map ^2 UnknownUnknown
npm/@types/jest ^29.5.14 UnknownUnknown
npm/@types/node ^20 UnknownUnknown
npm/@typescript-eslint/eslint-plugin ^8 UnknownUnknown
npm/@typescript-eslint/parser ^8 UnknownUnknown
npm/chokidar ^4 UnknownUnknown
npm/constructs ^10.0.0 UnknownUnknown
npm/convert-source-map ^2 UnknownUnknown
npm/eslint ^9 UnknownUnknown
npm/eslint-config-prettier ^10.1.8 UnknownUnknown
npm/eslint-import-resolver-typescript ^4.4.5 UnknownUnknown
npm/eslint-plugin-import ^2.32.0 UnknownUnknown
npm/eslint-plugin-jest ^29.15.3 UnknownUnknown
npm/eslint-plugin-jsdoc ^62.9.0 UnknownUnknown
npm/eslint-plugin-prettier ^4.2.5 UnknownUnknown
npm/jest ^29.7.0 UnknownUnknown
npm/jest-junit ^16 UnknownUnknown
npm/nx ^22.7.6 UnknownUnknown
npm/prettier ^2.8 UnknownUnknown
npm/projen ^0.100.7 UnknownUnknown
npm/ts-jest ^29.4.11 UnknownUnknown
npm/typescript 5.9 UnknownUnknown
npm/vscode-jsonrpc ^8 UnknownUnknown
npm/vscode-languageserver ^9 UnknownUnknown
npm/vscode-languageserver-protocol ^3 UnknownUnknown
npm/vscode-languageserver-textdocument ^1 UnknownUnknown
npm/@types/json-source-map ^0.6.0 UnknownUnknown
npm/json-source-map ^0.6.1 UnknownUnknown
npm/@aws-cdk/cdk-explorer ^0.0.0 UnknownUnknown
npm/@aws-cdk/cdk-explorer@workspace:packages/ 0.0.0-use.local UnknownUnknown
npm/@types/convert-source-map 2.0.3 🟢 6.5
Details
CheckScoreReason
Code-Review🟢 8Found 26/29 approved changesets -- score normalized to 8
Maintained🟢 1030 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Security-Policy🟢 10security policy file detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Packaging⚠️ -1packaging workflow not detected
License🟢 9license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
Pinned-Dependencies🟢 8dependency not pinned by hash detected -- score normalized to 8
Binary-Artifacts🟢 10no binaries found in the repo
Fuzzing⚠️ 0project is not fuzzed
npm/@types/json-source-map 0.6.0 🟢 6.5
Details
CheckScoreReason
Code-Review🟢 8Found 26/29 approved changesets -- score normalized to 8
Maintained🟢 1030 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Security-Policy🟢 10security policy file detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Packaging⚠️ -1packaging workflow not detected
License🟢 9license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
Pinned-Dependencies🟢 8dependency not pinned by hash detected -- score normalized to 8
Binary-Artifacts🟢 10no binaries found in the repo
Fuzzing⚠️ 0project is not fuzzed
npm/json-source-map 0.6.1 ⚠️ 2
Details
CheckScoreReason
Code-Review⚠️ 0Found 0/21 approved changesets -- score normalized to 0
Maintained⚠️ 00 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Packaging⚠️ -1packaging workflow not detected
Token-Permissions⚠️ -1No tokens found
Pinned-Dependencies⚠️ -1no dependencies found
Dangerous-Workflow⚠️ -1no workflows found
Binary-Artifacts🟢 10no binaries found in the repo
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Security-Policy⚠️ 0security policy file not detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/vscode-jsonrpc 8.2.0 🟢 8.7
Details
CheckScoreReason
Maintained🟢 1030 commit(s) out of 30 and 26 issue activity out of 30 found in the last 90 days -- score normalized to 10
Code-Review🟢 10all last 30 commits are reviewed through GitHub
CII-Best-Practices⚠️ 0no badge detected
Vulnerabilities🟢 10no vulnerabilities detected
Signed-Releases⚠️ -1no releases found
Branch-Protection🟢 6branch protection is not maximal on development and all release branches
Security-Policy🟢 10security policy file detected
Token-Permissions🟢 10tokens are read-only in GitHub workflows
Packaging⚠️ -1no published package detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
License🟢 10license file detected
Pinned-Dependencies🟢 10all dependencies are pinned
Binary-Artifacts🟢 10no binaries found in the repo
Dependency-Update-Tool🟢 10update tool detected
Fuzzing⚠️ 0project is not fuzzed
npm/vscode-jsonrpc 9.0.1 🟢 8.7
Details
CheckScoreReason
Maintained🟢 1030 commit(s) out of 30 and 26 issue activity out of 30 found in the last 90 days -- score normalized to 10
Code-Review🟢 10all last 30 commits are reviewed through GitHub
CII-Best-Practices⚠️ 0no badge detected
Vulnerabilities🟢 10no vulnerabilities detected
Signed-Releases⚠️ -1no releases found
Branch-Protection🟢 6branch protection is not maximal on development and all release branches
Security-Policy🟢 10security policy file detected
Token-Permissions🟢 10tokens are read-only in GitHub workflows
Packaging⚠️ -1no published package detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
License🟢 10license file detected
Pinned-Dependencies🟢 10all dependencies are pinned
Binary-Artifacts🟢 10no binaries found in the repo
Dependency-Update-Tool🟢 10update tool detected
Fuzzing⚠️ 0project is not fuzzed
npm/vscode-jsonrpc 8.2.1 🟢 8.7
Details
CheckScoreReason
Maintained🟢 1030 commit(s) out of 30 and 26 issue activity out of 30 found in the last 90 days -- score normalized to 10
Code-Review🟢 10all last 30 commits are reviewed through GitHub
CII-Best-Practices⚠️ 0no badge detected
Vulnerabilities🟢 10no vulnerabilities detected
Signed-Releases⚠️ -1no releases found
Branch-Protection🟢 6branch protection is not maximal on development and all release branches
Security-Policy🟢 10security policy file detected
Token-Permissions🟢 10tokens are read-only in GitHub workflows
Packaging⚠️ -1no published package detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
License🟢 10license file detected
Pinned-Dependencies🟢 10all dependencies are pinned
Binary-Artifacts🟢 10no binaries found in the repo
Dependency-Update-Tool🟢 10update tool detected
Fuzzing⚠️ 0project is not fuzzed
npm/vscode-languageserver 9.0.1 🟢 8.7
Details
CheckScoreReason
Maintained🟢 1030 commit(s) out of 30 and 26 issue activity out of 30 found in the last 90 days -- score normalized to 10
Code-Review🟢 10all last 30 commits are reviewed through GitHub
CII-Best-Practices⚠️ 0no badge detected
Vulnerabilities🟢 10no vulnerabilities detected
Signed-Releases⚠️ -1no releases found
Branch-Protection🟢 6branch protection is not maximal on development and all release branches
Security-Policy🟢 10security policy file detected
Token-Permissions🟢 10tokens are read-only in GitHub workflows
Packaging⚠️ -1no published package detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
License🟢 10license file detected
Pinned-Dependencies🟢 10all dependencies are pinned
Binary-Artifacts🟢 10no binaries found in the repo
Dependency-Update-Tool🟢 10update tool detected
Fuzzing⚠️ 0project is not fuzzed
npm/vscode-languageserver-protocol 3.17.5 🟢 8.7
Details
CheckScoreReason
Maintained🟢 1030 commit(s) out of 30 and 26 issue activity out of 30 found in the last 90 days -- score normalized to 10
Code-Review🟢 10all last 30 commits are reviewed through GitHub
CII-Best-Practices⚠️ 0no badge detected
Vulnerabilities🟢 10no vulnerabilities detected
Signed-Releases⚠️ -1no releases found
Branch-Protection🟢 6branch protection is not maximal on development and all release branches
Security-Policy🟢 10security policy file detected
Token-Permissions🟢 10tokens are read-only in GitHub workflows
Packaging⚠️ -1no published package detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
License🟢 10license file detected
Pinned-Dependencies🟢 10all dependencies are pinned
Binary-Artifacts🟢 10no binaries found in the repo
Dependency-Update-Tool🟢 10update tool detected
Fuzzing⚠️ 0project is not fuzzed
npm/vscode-languageserver-protocol 3.18.2 🟢 8.7
Details
CheckScoreReason
Maintained🟢 1030 commit(s) out of 30 and 26 issue activity out of 30 found in the last 90 days -- score normalized to 10
Code-Review🟢 10all last 30 commits are reviewed through GitHub
CII-Best-Practices⚠️ 0no badge detected
Vulnerabilities🟢 10no vulnerabilities detected
Signed-Releases⚠️ -1no releases found
Branch-Protection🟢 6branch protection is not maximal on development and all release branches
Security-Policy🟢 10security policy file detected
Token-Permissions🟢 10tokens are read-only in GitHub workflows
Packaging⚠️ -1no published package detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
License🟢 10license file detected
Pinned-Dependencies🟢 10all dependencies are pinned
Binary-Artifacts🟢 10no binaries found in the repo
Dependency-Update-Tool🟢 10update tool detected
Fuzzing⚠️ 0project is not fuzzed
npm/vscode-languageserver-textdocument 1.0.13 🟢 8.7
Details
CheckScoreReason
Maintained🟢 1030 commit(s) out of 30 and 26 issue activity out of 30 found in the last 90 days -- score normalized to 10
Code-Review🟢 10all last 30 commits are reviewed through GitHub
CII-Best-Practices⚠️ 0no badge detected
Vulnerabilities🟢 10no vulnerabilities detected
Signed-Releases⚠️ -1no releases found
Branch-Protection🟢 6branch protection is not maximal on development and all release branches
Security-Policy🟢 10security policy file detected
Token-Permissions🟢 10tokens are read-only in GitHub workflows
Packaging⚠️ -1no published package detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
License🟢 10license file detected
Pinned-Dependencies🟢 10all dependencies are pinned
Binary-Artifacts🟢 10no binaries found in the repo
Dependency-Update-Tool🟢 10update tool detected
Fuzzing⚠️ 0project is not fuzzed
npm/vscode-languageserver-types 3.17.5 🟢 8.7
Details
CheckScoreReason
Maintained🟢 1030 commit(s) out of 30 and 26 issue activity out of 30 found in the last 90 days -- score normalized to 10
Code-Review🟢 10all last 30 commits are reviewed through GitHub
CII-Best-Practices⚠️ 0no badge detected
Vulnerabilities🟢 10no vulnerabilities detected
Signed-Releases⚠️ -1no releases found
Branch-Protection🟢 6branch protection is not maximal on development and all release branches
Security-Policy🟢 10security policy file detected
Token-Permissions🟢 10tokens are read-only in GitHub workflows
Packaging⚠️ -1no published package detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
License🟢 10license file detected
Pinned-Dependencies🟢 10all dependencies are pinned
Binary-Artifacts🟢 10no binaries found in the repo
Dependency-Update-Tool🟢 10update tool detected
Fuzzing⚠️ 0project is not fuzzed
npm/vscode-languageserver-types 3.18.0 🟢 8.7
Details
CheckScoreReason
Maintained🟢 1030 commit(s) out of 30 and 26 issue activity out of 30 found in the last 90 days -- score normalized to 10
Code-Review🟢 10all last 30 commits are reviewed through GitHub
CII-Best-Practices⚠️ 0no badge detected
Vulnerabilities🟢 10no vulnerabilities detected
Signed-Releases⚠️ -1no releases found
Branch-Protection🟢 6branch protection is not maximal on development and all release branches
Security-Policy🟢 10security policy file detected
Token-Permissions🟢 10tokens are read-only in GitHub workflows
Packaging⚠️ -1no published package detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
License🟢 10license file detected
Pinned-Dependencies🟢 10all dependencies are pinned
Binary-Artifacts🟢 10no binaries found in the repo
Dependency-Update-Tool🟢 10update tool detected
Fuzzing⚠️ 0project is not fuzzed

Scanned Files

  • packages/@aws-cdk/cdk-explorer/package.json
  • packages/@aws-cdk/cloud-assembly-api/package.json
  • packages/aws-cdk/package.json
  • yarn.lock

Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
@codecov-commenter

codecov-commenter commented Jun 29, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 90.62500% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 89.59%. Comparing base (a7a40e0) to head (55544ef).

Files with missing lines Patch % Lines
packages/aws-cdk/lib/cli/cli.ts 40.00% 3 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1681      +/-   ##
==========================================
+ Coverage   89.57%   89.59%   +0.01%     
==========================================
  Files          77       78       +1     
  Lines       11758    11790      +32     
  Branches     1651     1655       +4     
==========================================
+ Hits        10532    10563      +31     
- Misses       1197     1198       +1     
  Partials       29       29              
Flag Coverage Δ
suite.unit 89.59% <90.62%> (+0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Adds manual synth and auto-synth-on-save to the CDK LSP. The cdk.out
watcher (landed in #1630) handles all diagnostics/lens refreshes --
these commands just add new ways to produce a fresh assembly.

Features:
↻ Synth now CodeLens at the top of any CDK source file (only when
auto-synth is off)
▶ Enable auto-synth / ⏹ Disable auto-synth toggle
Auto-synth starts disabled
When auto-synth is on, saving any non-ignored file in the project
triggers a synth
All feedback/output goes to the Output panel, no popups

Design decisions (the important ones):

Concurrent synths are supressed: if a save fires during a slow synth,
that save is skipped. The next save picks it up.
cdk.json is read once at startup. Changing it requires an LSP restart.
The toggle/synth lenses only appear on files that already have L1
resource lenses. Files with no CDK resources see nothing.
Toggle state resets to disabled on LSP restart (not persisted).

NOTE: One thing not in this PR (but must land before prod) is a
workspace trust gate. We should verify with the user that they trust
this workspace before running any synth. I may need to set up some way
to preserve this between sessions.

Open questions / things I need some feedback on:
- Is "auto-synth" the right name? Alternatives: "synth on save", "live
synth"?
- Where should the toggle live? Line 0 of a CDK file works for LSP-only,
but it's only visible when you're in a file with constructs. Status bar
item would be better UX but needs a client extension. Is there a better
alternative?
- Should synth failures (app compile errors) be more visible than the
Output panel? A diagnostic on the first line of the failing file, for
example?
- If the app has context lookups and no cached cdk.context.json, synth
fails with an auth/context error. Should the error message detect this
and suggest running cdk synth in terminal first?

<img width="809" height="161" alt="Screenshot 2026-06-16 at 3 41 01 PM"
src="https://github.com/user-attachments/assets/b542927c-0206-462f-8464-2c43f19bbe0b"
/>
<img width="771" height="166" alt="Screenshot 2026-06-16 at 3 41 10 PM"
src="https://github.com/user-attachments/assets/52695e76-2e1d-4fc8-ada7-d1ce338512cf"
/>

### Checklist
- [ ] This change contains a major version upgrade for a dependency and
I confirm all breaking changes are addressed
  - Release notes for the new version:

---
By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache-2.0 license
@github-actions

Copy link
Copy Markdown
Contributor

Total lines changed 4129 is greater than 1000. Please consider breaking this PR down.

megha-narayanan and others added 9 commits July 2, 2026 13:44
Setting JSII_HOST_STACK_TRACES=1 on the synth subprocess makes jsii
forward the host-language frames, so resolveFrames finds the .py/.java
source.

### Checklist
- [ ] This change contains a major version upgrade for a dependency and
I confirm all breaking changes are addressed
  - Release notes for the new version:

---
By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache-2.0 license
…1669)

- Adds LSP hover on construct creation lines showing the resolved
CloudFormation logical ID, resource type, construct path, and top-level
CFN properties with values
- Each property value links to its exact line in the synthesized
template; the logical ID header links to the resource block
- Multi-resource constructs show auxiliaries inline (≤5 listed
individually, >5 collapsed to a type histogram like "6× Subnet, 3×
RouteTable")
- Extends `template-ranges.ts` with `resolveResourceRanges` /
`indexTemplateRanges` to resolve per-property character ranges in a
single parse
- Exports `cfnProperties` from the construct tree builder so the hover
has access to resolved property values

example hover:
<img width="1128" height="645" alt="Screenshot 2026-06-24 at 12 12
52 PM"
src="https://github.com/user-attachments/assets/36451ea5-a753-43d0-a16a-293cf23ab776"
/>

<img width="1123" height="641" alt="Screenshot 2026-06-24 at 12 13
44 PM"
src="https://github.com/user-attachments/assets/8320d612-fd1d-4c84-94aa-6eed9d7caa37"
/>



Fixes #

### Checklist
- [ ] This change contains a major version upgrade for a dependency and
I confirm all breaking changes are addressed
  - Release notes for the new version:

---
By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache-2.0 license

---------

Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
…r stdio (#1670)

Editors and AI agents start a language server by running a command over
stdio,
but the CDK Language Server (in `@aws-cdk/cdk-explorer`) has no such
entry
point. This adds one, so any LSP-capable editor or agent can get CDK
diagnostics and CodeLens by pointing at `cdk lsp`.

Wires up `cdk lsp` as a CLI subcommand that starts the server on
stdin/stdout
and runs until the client closes the channel.

- Adds `@aws-cdk/cdk-explorer` as a runtime dependency so the server
ships in the CLI bundle, version-aligned with the user's CDK toolchain.
- Writes nothing to stdout (CLI logs already go to stderr), keeping the
JSON-RPC channel clean. `applicationDir` comes from the LSP `initialize`
options, so the command takes no arguments.
- Mirrors the `cdk explore` wiring from #1598 

Fixes #

### Checklist
- [ ] This change contains a major version upgrade for a dependency and
I confirm all breaking changes are addressed
  - Release notes for the new version:

---
By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache-2.0 license
…#1711)

startServer now requires toolkitBindingsFactory (added in #1634/#1669),
but the cdk lsp command still called it with only { readable, writable
}, breaking the build. Expose startLspServer() from cdk-explorer (wires
the Toolkit bindings and starts the server) and call it from the CLI.
main.ts becomes that exported function, making cdk lsp the single LSP
entrypoint.

Fixes #

### Checklist
- [ ] This change contains a major version upgrade for a dependency and
I confirm all breaking changes are addressed
  - Release notes for the new version:

---
By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache-2.0 license
Matching LSP side of #1706. Moves the assembly read-lock acquirer out of
lib/lsp into lib/core/assembly-lock.ts so the LSP and web server build
the
read lock from one shared factory. Pure refactor, LSP behavior is
unchanged,
and server.ts re-exports AssemblyLock so existing importers keep
resolving it.

Fixes #

### Checklist
- [ ] This change contains a major version upgrade for a dependency and
I confirm all breaking changes are addressed
  - Release notes for the new version:

---
By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache-2.0 license
…main

# Conflicts:
#	packages/@aws-cdk/cloud-assembly-schema/tsconfig.json
#	tsconfig.dev.json
#	yarn.lock
- onDefinition now bounds the client-supplied *.template.json path to
the project's cdk.out (realpath on both sides) before reading, matching
the file-read discipline used elsewhere in the package. Prevents reading
arbitrary files via a crafted textDocument/definition request.
- Replace the placeholder README with real content: purpose, how to
launch (cdk lsp / startLspServer), features, a security note that
auto-synth and 'Synth now' run the cdk.json app command with your
credentials on save (enable only on trusted projects), and
editor-integration notes.
- Remove the unused express / @types/express dependencies; the web
interface is not part of this branch.

Fixes #

### Checklist
- [ ] This change contains a major version upgrade for a dependency and
I confirm all breaking changes are addressed
  - Release notes for the new version:

---
By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache-2.0 license
…p-merge-main

# Conflicts:
#	packages/@aws-cdk/cloud-assembly-schema/tsconfig.json
#	yarn.lock
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

p2 pr/exempt-size-check Skips PR size check

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants