Add AWS Support evidence package helper#80

Open
nexicturbo wants to merge 3 commits into BAWES-Universe:master from nexicturbo:codex/aws-support-evidence-package-55

Conversation


@nexicturbo nexicturbo commented May 15, 2026

/claim #55

Scope

This is a separate offline AWS Support evidence-package slice for the final restriction-removal checklist in #55. It does not overlap with the existing Civil ID, S3 env, SQS, MediaConvert, SES/mailers, Xero, Cloudinary, secret-scanning, bucket-guardrail, service-token, CloudTrail, IAM access-key review, S3 posture, Slack, or recovery-audit PRs.

No live AWS/IAM calls, key rotation/deletion, bucket policy changes, candidate data, access keys, secret keys, screenshots, private exports, account IDs, raw CloudTrail records, payment/tax data, or Civil ID files were accessed or included.

Summary

  • Add tools/build-aws-support-evidence-package.mjs, an offline CLI that reads a private JSON evidence manifest and emits a redacted Markdown package for AWS Support.
  • Add redaction for 12-digit AWS account IDs, AWS access-key-looking values, and long secret-like tokens while preserving public-safe key suffixes used in 🔐 AWS S3 Security Remediation & Civil ID Upload Fix — IAM Key Rotation, Bucket Hardening & Backend Patches #55.
  • Cover deleted/rotated keys, replacement env var names, bucket controls, smoke tests, CloudTrail review summaries, IAM review summaries, and support notes.
  • Add a synthetic sample manifest, docs, README link, and local regression check.

Validation

  • node tools/check-aws-support-evidence-package.mjs
  • node --check tools/build-aws-support-evidence-package.mjs
  • node --check tools/check-aws-support-evidence-package.mjs
  • git diff --check

Summary by CodeRabbit

  • New Features

    • Added CLI tools to generate AWS support evidence packages from JSON manifest files with automatic sensitive data redaction.
    • Added validation script to verify generated evidence packages meet required standards.
  • Documentation

    • Added comprehensive guide for creating and using AWS support evidence packages.
    • Included sample manifest fixture demonstrating expected structure and content.
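The redaction rules the Summary lists (12-digit account IDs, access-key-looking values, long secret-like tokens, public-safe suffix preserved) together with the forbidden-pattern scan the check script is described as running, as an added example for Node.js. This is not the PR's code: the regexes, the `[access-key-redacted ...XXXX]` placeholder, the function names and the sample manifest are assumptions constructed here; the `[aws-account-id-redacted]`, `[secret-like-value-redacted]` and `not provided` strings are taken from the PR's demo output.

```javascript
// Added example (not the PR's own code). Function names, regexes, the
// access-key placeholder and the sample manifest are assumptions.

// Patterns are kept non-global so .test() is stateless; global copies are
// derived for replace().
const PATTERNS = {
  // 12-digit AWS account ID standing alone. Word-bounded, so a longer digit
  // run (timestamp, phone number) is never partially matched.
  accountId: /\b\d{12}\b/,
  // Access key IDs are 20 chars: AKIA (long-lived) or ASIA (temporary) + 16.
  // The last 4 chars are captured so the public-safe suffix can be kept.
  accessKeyId: /\bA[KS]IA[0-9A-Z]{12}([0-9A-Z]{4})\b/,
  // Long random token: 40+ base64-ish chars with at least one digit. Broad by
  // design (a false positive hides a harmless string, a false negative leaks a
  // secret); the digit requirement stops long slash-separated file paths from
  // being swallowed.
  secretLike: /(?<![A-Za-z0-9+/=_-])(?=[A-Za-z0-9+/=_-]*\d)[A-Za-z0-9+/=_-]{40,}(?![A-Za-z0-9+/=_-])/,
};
const asGlobal = (re) => new RegExp(re.source, "g");

// Redact one manifest value. null/undefined become "not provided", as the
// PR's demo output shows for missing fields.
function redact(value) {
  if (value === null || value === undefined) return "not provided";
  return String(value)
    // keys first, so the kept suffix is never re-examined as a secret
    .replace(asGlobal(PATTERNS.accessKeyId), (_m, suffix) => `[access-key-redacted ...${suffix}]`)
    .replace(asGlobal(PATTERNS.accountId), "[aws-account-id-redacted]")
    .replace(asGlobal(PATTERNS.secretLike), "[secret-like-value-redacted]");
}

// Walk a manifest and redact every string leaf, returning a copy. Numbers,
// booleans and nulls pass through; redact() alone handles null normalization.
function redactManifest(node) {
  if (Array.isArray(node)) return node.map(redactManifest);
  if (node !== null && typeof node === "object") {
    return Object.fromEntries(Object.entries(node).map(([k, v]) => [k, redactManifest(v)]));
  }
  return typeof node === "string" ? redact(node) : node;
}

// Check-side counterpart: names of forbidden patterns still present in the
// generated package. An empty array means nothing sensitive rendered.
function findLeaks(markdown) {
  return Object.entries(PATTERNS)
    .filter(([, re]) => re.test(markdown))
    .map(([name]) => name);
}

// Constructed sample manifest. The credentials are the non-live example
// values from AWS documentation, used here only as redaction probes.
const SAMPLE_MANIFEST = {
  preparedAt: "2026-05-15T10:30:00Z",
  supportNotes: [
    "Synthetic probe: account 123456789012 must not render.",
    "Old key AKIAIOSFODNN7EXAMPLE deleted; secret wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY must never be shown.",
  ],
};

// Raw manifest trips all three checks; the redacted copy trips none.
console.log(findLeaks(JSON.stringify(SAMPLE_MANIFEST)));
console.log(findLeaks(JSON.stringify(redactManifest(SAMPLE_MANIFEST))));
console.log(redactManifest(SAMPLE_MANIFEST).supportNotes.join("\n"));
```

The check script's value is that it runs the same patterns over the finished Markdown rather than trusting the builder: if a future formatter concatenates fields in a way that bypasses `redact()`, `findLeaks` still fails the run.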

coderabbitai Bot commented May 15, 2026

Warning

Rate limit exceeded

@nexicturbo has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 51 minutes and 59 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 91b833c3-7945-4432-b8f9-d34f7b0af493

📥 Commits

Reviewing files that changed from the base of the PR and between f299758 and a7fe672.

📒 Files selected for processing (2)
  • tools/build-aws-support-evidence-package.mjs
  • tools/check-aws-support-evidence-package.mjs
📝 Walkthrough

Walkthrough

This PR introduces an AWS Support Evidence Package feature for generating redacted incident remediation reports. It adds documentation, a Node.js build script that reads a manifest and produces sanitized Markdown, a validation script with test fixture, and a README entry.

Changes

AWS Evidence Package Feature

| Layer | File(s) | Summary |
| --- | --- | --- |
| Documentation and README entry | README.md, docs/security/aws-support-evidence-package.md | Introduces the feature with a README link and comprehensive documentation describing manifest structure, redaction rules (AWS account IDs, access keys, secret values preserved for suffixes), required sections, exclusions, and validation commands. |
| Build script: CLI, manifest loading, and redaction logic | tools/build-aws-support-evidence-package.mjs | CLI entrypoint validates manifest path argument and exits on missing input; loads manifest JSON; implements redact helper that normalizes null values and applies regex-based redaction for sensitive AWS patterns. |
| Build script: Markdown formatters and output assembly | tools/build-aws-support-evidence-package.mjs | Defines line, list, table, and envTable helpers to format redacted manifest data into Markdown; assembles complete output covering deleted keys, rotated keys, environment variables, bucket controls, smoke tests, CloudTrail and IAM reviews, support notes, and safety checklist. |
| Validation script and test fixture | tools/check-aws-support-evidence-package.mjs, tools/fixtures/aws-support-evidence-package.sample.json | Check script loads fixture, injects synthetic support note probe, writes temp manifest, invokes build script, and validates output contains all required section titles and excludes forbidden patterns (leaked account IDs, key formats, hardcoded strings); fixture provides complete example manifest with all supported fields for regression testing. |

Sequence Diagram

```mermaid
sequenceDiagram
  participant User as User/Pipeline
  participant CheckScript as check-aws-support-evidence-package
  participant BuildScript as build-aws-support-evidence-package
  participant TempManifest as Temp Manifest JSON
  participant Output as Redacted Markdown

  User->>CheckScript: npm run check
  CheckScript->>CheckScript: Load fixture, append probe note
  CheckScript->>TempManifest: Write modified manifest
  CheckScript->>BuildScript: Execute with manifest path
  BuildScript->>TempManifest: Load and parse JSON
  BuildScript->>BuildScript: Redact account IDs, access keys, secrets
  BuildScript->>BuildScript: Format sections (keys, env vars, CloudTrail, IAM, notes)
  BuildScript->>Output: Write redacted Markdown to stdout
  CheckScript->>Output: Assert required sections present
  CheckScript->>Output: Assert forbidden patterns absent
  CheckScript->>User: ✓ Check passed
```

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

A manifest tool hops into view,
Redacting secrets, hiding clues true,
AWS evidence, sanitized bright,
Checks and balances—all shining right! 🐰✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The pull request title 'Add AWS Support evidence package helper' directly and accurately summarizes the main change—adding a new CLI tool and supporting artifacts for generating a redacted AWS Support evidence package. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

nexicturbo (Author) commented:

Privacy-safe demo for the offline CLI slice:

node tools/build-aws-support-evidence-package.mjs tools/fixtures/aws-support-evidence-package.sample.json | sed -n '1,80p'
node tools/check-aws-support-evidence-package.mjs

Expected behavior shown by the local run:

# StudentHub S3/IAM remediation evidence

Prepared by: Security team
Prepared at: 2026-05-15T10:30:00Z
Private evidence folder: private/aws-support-2026-05

## Deleted Inactive Keys
| suffix | iamUser | status | deletedAt | evidence |
| --- | --- | --- | --- | --- |
| FZMN | textract-access | deleted | 2026-05-15T09:00:00Z | screenshots/fzmn-deleted.png |
| 4T67K | public-environment-s3-access | deleted | 2026-05-15T09:05:00Z | screenshots/4t67k-deleted.png |

## Rotated Or Deactivated Keys
| suffix | iamUser | replacement | status | evidence |
| --- | --- | --- | --- | --- |
| ODY2X | public-environment-s3-access | AWS_TEMP_BUCKET_KEY / AWS_TEMP_BUCKET_SECRET | rotated and deactivated | screenshots/ody2x-rotated.png |
| WCUM | railway-s3-access | AWS_PERMANENT_S3_ACCESS_KEY_ID / AWS_PERMANENT_S3_SECRET_ACCESS_KEY | rotated and deactivated | screenshots/wcum-rotated.png |

## Support Notes
- Raw screenshots and exports remain in the private evidence folder.
- Synthetic redaction probe: account [aws-account-id-redacted] must not render.
- Synthetic redaction probe: token [secret-like-value-redacted] must not render.
- No full access keys or candidate Civil ID data are included in this public manifest.

AWS Support evidence package check passed.

I am keeping this as a terminal demo transcript instead of a UI recording because the tool is intentionally offline and uses only synthetic fixture data; no live AWS account, candidate data, screenshots, private exports, account IDs, access keys, or secret values were opened or recorded.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (2)
tools/check-aws-support-evidence-package.mjs (1)

19-22: ⚡ Quick win

Consider adding a timeout to prevent indefinite hangs.

The execFileSync call has no timeout. If the build script encounters an infinite loop or blocks on I/O, this validation script will hang indefinitely.

⏱️ Proposed fix to add timeout
 const output = execFileSync(process.execPath, [
   "tools/build-aws-support-evidence-package.mjs",
   tmpManifest,
-], { encoding: "utf8" });
+], { encoding: "utf8", timeout: 10000 });
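Review bot: with `timeout` set, a hung build script is killed with SIGTERM and `execFileSync` throws an error carrying the `spawnSync` result (`signal`, `status`, captured `stderr`), so the check script's failure path should distinguish that case; otherwise a 10 s hang and a failed redaction assertion print the same generic stack trace in CI. Wrapping the call in `try { ... } catch (err) { console.error(err.signal ? "build script timed out" : err.stderr); process.exit(1); }` keeps the diagnosis to one line. Naming the constant (`const BUILD_TIMEOUT_MS = 10_000`) also documents why 10 s was chosen next to the call.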

A 10-second timeout should be more than sufficient for generating a redacted Markdown report from a small JSON manifest.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tools/check-aws-support-evidence-package.mjs` around lines 19 - 22, The
execFileSync call using process.execPath to run
"tools/build-aws-support-evidence-package.mjs" with tmpManifest and encoding
"utf8" can hang indefinitely; add a timeout option (e.g., 10000 ms) to the
options object passed to execFileSync so the call throws if it exceeds the
limit; update the call site where execFileSync(...) is invoked to include {
encoding: "utf8", timeout: 10000 } (or similar) to prevent indefinite blocking.
tools/build-aws-support-evidence-package.mjs (1)

14-14: 💤 Low value

Wrap manifest load in try/catch for actionable errors.

A missing path or invalid JSON currently surfaces a raw Node stack trace (ENOENT, SyntaxError: Unexpected token …). Since this tool is invoked manually during an incident workflow, a friendly diagnostic is worth the few extra lines.

♻️ Proposed fix
-const manifest = JSON.parse(fs.readFileSync(manifestPath, "utf8"));
+let manifest;
+try {
+  manifest = JSON.parse(fs.readFileSync(manifestPath, "utf8"));
+} catch (err) {
+  console.error(
+    `Failed to load manifest at ${manifestPath}: ${err.message}`,
+  );
+  process.exit(1);
+}
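Review bot: the single `catch` reports a missing or unreadable file and a present-but-invalid JSON file with the same wording; branching on `err.code === "ENOENT"`, or reading and parsing in two separate `try` blocks, tells the operator whether to fix the path or the file, which matters here because the path is typed by hand during an incident. `process.exit(1)` inside the catch is fine, but `let manifest;` left above the block reads as possibly undefined to the rest of the module; a `function loadManifest(manifestPath)` that returns the parsed object or exits lets the call site stay `const manifest = loadManifest(manifestPath);`.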
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tools/build-aws-support-evidence-package.mjs` at line 14, The manifest
loading line using JSON.parse(fs.readFileSync(manifestPath, "utf8")) should be
wrapped in a try/catch so missing files or bad JSON produce a clear, actionable
error; catch errors around reading/parsing manifestPath, log a friendly
diagnostic that includes manifestPath and the caught error.message (and
optionally error.stack for debug), and then exit with a non‑zero status (or
rethrow) instead of letting a raw stack trace surface; update the code where
manifest is declared to assign inside the try block and reference manifestPath,
fs.readFileSync, and JSON.parse when implementing the change.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@tools/build-aws-support-evidence-package.mjs`:
- Around line 30-51: The table cells are not escaped, so any pipe or newline in
values will break Markdown; update line(value) to first call redact(value ||
"not provided"), then escape all pipe characters (replace "|" with "\|") and
collapse all newline characters (replace sequences of \r?\n with a single space)
before returning; this change will automatically fix output for list(values) and
table(headers, rows) since they call line(), so ensure line() is the single
place performing escaping and newline normalization.

In `@tools/check-aws-support-evidence-package.mjs`:
- Around line 15-22: The temp directory created as tmpDir (and tmpManifest) is
never removed; wrap the creation, write, and execFileSync call plus the
subsequent validation logic currently after line 24 inside a try block, add a
finally block that always removes tmpDir and its contents (e.g., using
fs.rmSync(tmpDir, { recursive: true, force: true }) or equivalent) so cleanup
runs on success or error, and ensure any thrown errors are propagated after
cleanup; reference tmpDir, tmpManifest, execFileSync, and the build script
invocation ("tools/build-aws-support-evidence-package.mjs") when applying the
change.


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 29bd3743-4a88-42b8-8cf1-0deb079f3224

📥 Commits

Reviewing files that changed from the base of the PR and between 7b023ff and f299758.

📒 Files selected for processing (5)
  • README.md
  • docs/security/aws-support-evidence-package.md
  • tools/build-aws-support-evidence-package.mjs
  • tools/check-aws-support-evidence-package.mjs
  • tools/fixtures/aws-support-evidence-package.sample.json

nexicturbo (Author) commented:

Follow-up after review automation:

  • e4401f62 escapes Markdown table cells and collapses newlines after redaction so support-note/bucket-control text cannot break the generated evidence tables.
  • a7fe672c adds temp-directory cleanup, a 10s subprocess timeout, friendly manifest load errors, and regression probes for pipes/newlines.

Revalidated locally after those commits:

  • node tools/check-aws-support-evidence-package.mjs
  • node --check tools/build-aws-support-evidence-package.mjs
  • node --check tools/check-aws-support-evidence-package.mjs
  • git diff --check

The PR now shows CodeRabbit and GitGuardian green on the latest head.
