imenesesl/lyx-infra-expert
.cursor/skills/lyx-infra-expert/SKILL.md
Expert on Lyx infrastructure: Docker, Nginx, AWS App Runner, ECR, S3, IAM, CI/CD pipeline, deployment scripts. Use when working with Docker, AWS, CI configuration, or deployment issues.
testing
Updated Apr 16, 2026
$ install --global
skillsauthnpx skillsauth add imenesesl/lyx lyx-infra-expertInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 16, 2026, 8:34 PM4.3s1 file scanned
SKILL.md
- name:
- lyx-infra-expert
- description:
- >-
- Expert on Lyx infrastructure:
- Docker, Nginx, AWS App Runner, ECR, S3, IAM,
Lyx Infrastructure Expert
Single Resource Model
Lyx uses a single resource model: local and production environments use the same cloud infrastructure. There are no local databases or storage services. Everything points to AWS S3 and MongoDB Atlas.
Local AWS Credentials
ALWAYS verify before any AWS command:
lyx aws status
If expired → lyx aws login
Credential flow
| File | Purpose | Auto-loaded |
|------|---------|-------------|
| ~/.lyx-aws | Local AWS credentials | Yes, by all Lyx scripts |
| ~/.lyxrc | CLI login (Admin API token, server URL, accountId) | Yes, by lyx CLI |
| GitHub Secrets | CI/CD credentials | Yes, by GitHub Actions |
When credentials are needed
| Action | AWS creds needed? | File used |
|--------|-------------------|-----------|
| lyx deploy (MFE upload) | No | ~/.lyxrc (Admin API token) |
| bash scripts/platform.sh up | Yes | ~/.lyx-aws (for S3 + MongoDB) |
| bash scripts/deploy-aws.sh | Yes | ~/.lyx-aws |
| bash scripts/ensure-infra.sh | Yes | ~/.lyx-aws |
| aws apprunner list-services | Yes | ~/.lyx-aws |
| CI deploys | Yes | GitHub Secrets |
Local Stack (Docker Compose)
platform/docker-compose.yml — 4 services (all using cloud resources):
- nginx (80) → reverse proxy
- admin-api (4000) → Express + MongoDB Atlas + S3
- admin-ui (4001) → React SPA
- ssr (4002) → Streaming SSR + S3
Requirements to start:
lyx aws login— AWS credentials in~/.lyx-awsMONGO_URIset inplatform/.env
Start: bash scripts/platform.sh up
Nginx Routing (Local)
| Path | Backend |
|------|---------|
| / | 302 → /admin/ |
| /api/ | admin-api:4000 |
| /storage/ | ssr:4002 (fetches from S3) |
| /_assets/ | ssr:4002 (immutable cache) |
| /{accountId}/{slug} | ssr:4002 (streaming, no buffering) |
| /admin/ | admin-ui:4001 (WebSocket support) |
AWS Architecture
3 App Runner services + S3 + ECR + IAM:
lyx-production-admin-api(4000, instance role for S3)lyx-production-admin-ui(4001, no instance role)lyx-production-ssr(4002, instance role for S3)
S3 Storage Access
- SSR server: Uses
@aws-sdk/client-s3withGetObjectCommand— authenticates via instance role - Admin API: Uses
@aws-sdk/client-s3withPutObjectCommand— uploads via instance role - NEVER use public S3 URLs — S3 blocks public access by default
ensure-infra.shconfigures bucket policy as fallback
Admin API Environment Variables
| Variable | Required | Description |
|----------|----------|-------------|
| MONGO_URI | Yes | MongoDB Atlas connection string |
| S3_BUCKET | Yes | S3 bucket name for MFE bundles |
| AWS_REGION | Yes | AWS region (default: us-west-2) |
| JWT_SECRET | Yes | JWT signing secret |
| PORT | No | Server port (default: 4000) |
| CORS_ORIGIN | No | CORS origin (default: *) |
CI Pipeline (ci.yml)
build-and-test— always runs (build 8 framework packages, lint 6, test 2)detect-changes— checks: manual trigger? < 3 services? first commit? CI/scripts changed? specific paths?setup-infra—ensure-infra.sh(idempotent: ECR repos, IAM roles, S3 bucket with public access config)deploy-*—ensure-service.sh(create or update App Runner)show-urls— list all services
Key Scripts
platform.sh: Start/stop local Docker services. Auto-loads~/.lyx-aws. RequiresMONGO_URIinplatform/.env.ensure-infra.sh: Creates ECR, IAM roles (lyx-apprunner-ecr, lyx-apprunner-instance), S3. Disables Block Public Access and sets bucket policy on creation. Uses::group::for GH Actions.ensure-service.sh: 5 args (name, image, port, env_json, needs_instance_role). Creates or updates.deploy-aws.sh: Full deploy with secrets, IAM, S3, ECR, build, push, App Runner. Auto-loads~/.lyx-aws. Modes: deploy, update, status.
Critical Rules
- Credentials first: Always run
lyx aws statusbefore AWS commands. If expired, runlyx aws login. - JSON construction: Always use
jq -nc --argfor secrets in env vars — never string interpolation - Concurrency: One workflow per branch at a time
- IAM policy:
scripts/iam-policy.jsoncovers ECR, App Runner, IAM roles, S3, STS - Bucket naming:
lyx-bundles-{accountId}-production - Service naming:
lyx-production-{service-name} - Instance roles: admin-api and ssr must have
NEEDS_INSTANCE_ROLE=truefor S3 access - Lockfile after renames: Always run
pnpm installand commitpnpm-lock.yamlafter renaming directories - Documentation: After fixing any infra issue, update
docs/errors.md
Related Skills
imenesesl/.cursor/skills/lyx-testing-expert
development
VerifiedTrustedCommunity
# Lyx Testing Expert ## When to Use Use this skill when: - Writing or modifying Playwright E2E tests - Writing or modifying k6 performance tests - Debugging test failures - Adding test coverage for new features - Running the test suite locally or in CI - Understanding the test architecture ## Test Architecture Overview ### Playwright E2E Tests **Location**: `tests/e2e/` **Configuration**: `playwright.config.ts` at project root **Projects**: - `setup` — Global auth setup (registers/logs in
SKILL.mdUpdated Apr 16, 2026
imenesesl/lyx-shell-expert
tools
VerifiedTrustedCommunity
Expert on the Lyx Shell: layout rendering, Module Federation, SSR streaming, URL parsing, devtools. Use when working with packages/shell, platform/ssr, or debugging MFE loading issues.
SKILL.mdUpdated Apr 16, 2026
imenesesl/lyx-sdk-expert
development
VerifiedTrustedCommunity
Expert on the Lyx SDK internals: event bus, shared state, navigation, MFE loading. Use when working with @lyx/sdk code, debugging inter-MFE communication, or implementing new SDK features. Knows all edge cases and internal behaviors.
SKILL.mdUpdated Apr 16, 2026
imenesesl/.cursor/skills/lyx-qa-regression
development
VerifiedTrustedCommunity
# Lyx QA Regression Tester ## Role You are the QA Regression Tester for the Lyx framework. Your job is to **catch every bug before the user does**. You run after every feature implementation, before any commit or push. You are the last gate — nothing ships without your sign-off. ## When to Activate This skill MUST be invoked: - After implementing any feature (P0, P1, P2, P3) - After fixing any bug - Before every `git commit` that includes code changes - When the user says "regression", "test
SKILL.mdUpdated Apr 16, 2026