feat(jobs): golang aws lambdas scaffolding

[alexsapps]

Summary by CodeRabbit

• New Features

  • AWS Lambda jobs infrastructure with a hello-world email function
  • AWS SAM deployment automation for Lambda functions

• Documentation

  • Added usage and deployment guide for the jobs workflow

• Chores

  • Updated development environment features (Node v25, Python 3.12) and added AWS CLI support
  • Minor config/path comment updates and added job build/deploy tooling and ignore rules

[coderabbitai]

Warning

Review limit reached

@alexsapps, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 49 minutes and 51 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: af50acba-9336-4e83-96f7-718f1ab2e601

📥 Commits

Reviewing files that changed from the base of the PR and between a71219f and e74d1c3.

⛔ Files ignored due to path filters (2)

• go.work.sum is excluded by !**/*.sum
• jobs/go.sum is excluded by !**/*.sum

📒 Files selected for processing (12)

• .devcontainer/devcontainer-lock.json
• .devcontainer/devcontainer.json
• jobs/.gitignore
• jobs/Makefile
• jobs/README.md
• jobs/functions/hello-world/main.go
• jobs/go.mod
• jobs/hello-world
• jobs/requirements.txt
• jobs/samconfig.toml
• jobs/template.yaml
• server/src/go.mod

📝 Walkthrough

Walkthrough

This PR upgrades devcontainer features (Node -> node:2, adds aws-cli, removes pnpm mount), normalizes Go module sync comments to use relative paths, and adds a new AWS SAM–based jobs subsystem including build/deploy Makefile, SAM template, Go Lambda handler, and supporting configs/docs.

Changes

Development Environment & AWS Lambda Jobs Setup

Layer / File(s)	Summary
Dev Container Feature Updates .devcontainer/devcontainer.json, .devcontainer/devcontainer-lock.json	Dev container moved to ghcr.io/devcontainers/features/node:2 (Node v25), added aws-cli:1, removed mount-pnpm-store, ensured Python feature is 3.12 with installTools: false, and updated lockfile metadata.
Build System Path Normalization Dockerfile, Dockerfile.cli, Makefile, cli/go.mod, pkg/go.mod, server/src/go.mod	Sync comments changed from absolute /workspace/server/src/go.mod to relative server/src/go.mod; Makefile comment updated to include devcontainer Node feature.
Lambda Build and Deployment Configuration jobs/Makefile, jobs/.gitignore, jobs/go.mod, jobs/requirements.txt, jobs/samconfig.toml, jobs/README.md	Adds Makefile targets to build and package Lambda bootstrap binaries, install Python deps, deploy via SAM with SSM-sourced parameters; includes module manifest, SAM config, requirements, gitignore, and README.
Lambda Infrastructure Template and SMTP Handler jobs/template.yaml, jobs/functions/hello-world/main.go	Adds SAM template defining globals, VPC, and HelloWorldFunction; Go Lambda reads SMTP_USER/SMTP_PASS, opens TLS SMTP connection, authenticates, and sends a fixed "Hello World" email.

Sequence Diagram(s)

sequenceDiagram
  participant User
  participant Makefile
  participant Go Compiler
  participant SAM Deploy
  participant SSM
  participant Lambda
  User->>Makefile: make deps
  Makefile->>Makefile: pip install requirements.txt
  User->>Makefile: make build
  Makefile->>Go Compiler: go build -o bootstrap (Linux ARM64)
  Go Compiler->>Makefile: bootstrap binary
  Makefile->>Makefile: zip -r hello-world.zip
  User->>Makefile: make deploy
  Makefile->>SAM Deploy: sam deploy --parameter-overrides
  SAM Deploy->>SSM: fetch SmtpUser, SmtpPass
  SSM->>Lambda: inject SMTP_USER, SMTP_PASS env vars
  Lambda->>User: deployment complete

Loading

sequenceDiagram
  participant Lambda
  participant Environment
  participant TLS
  participant SMTP Server
  participant Email Client
  Lambda->>Environment: read SMTP_USER, SMTP_PASS
  Lambda->>TLS: dial smtpHost:smtpPort with TLS
  TLS->>SMTP Server: establish TLS connection
  SMTP Server->>Lambda: connection OK
  Lambda->>SMTP Server: create smtp.Client
  Lambda->>SMTP Server: authenticate PlainAuth
  SMTP Server->>Lambda: auth success
  Lambda->>SMTP Server: SetFrom, Recipient, Data
  Lambda->>SMTP Server: write message body
  SMTP Server->>Email Client: send "Hello World" email
  Email Client->>Lambda: success
  Lambda->>Lambda: return "sent"

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested reviewers

• jakehobbs

Poem

🐰 From Node eighteen to twenty-five I hop with cheer,
New dev tools arrive and AWS CLI is here,
Makefile hums, SAM packs a tiny zip so neat,
A TLS SMTP hello lands an email sweet,
Paths now relative — tidy trails for every hare.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely describes the main change—adding scaffolding for Go-based AWS Lambda jobs, which is reflected in the new jobs directory with Makefile, template.yaml, and hello-world Lambda handler.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch alex/community-report

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[alexsapps]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 5

🧹 Nitpick comments (1)

jobs/functions/hello-world/main.go (1)

17-17: ⚡ Quick win

Avoid hardcoding a real recipient address in source.

Make the recipient configurable (env var or parameter) to prevent accidental sends and improve portability across environments.

Suggested change

 const (
@@
-	toAddress    = "ataylor@directactioneverywhere.com"
 	fromAddress  = "tech-noreply@directactioneverywhere.com"
@@
 )
@@
 	user := os.Getenv("SMTP_USER")
 	pass := os.Getenv("SMTP_PASS")
+	toAddress := os.Getenv("SMTP_TO_ADDRESS")
-	if user == "" || pass == "" {
-		return "", fmt.Errorf("SMTP_USER and SMTP_PASS must be set")
+	if user == "" || pass == "" || toAddress == "" {
+		return "", fmt.Errorf("SMTP_USER, SMTP_PASS, and SMTP_TO_ADDRESS must be set")
 	}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@jobs/functions/hello-world/main.go` at line 17, The hardcoded recipient
address in the jobs/functions/hello-world file is unsafe; replace the toAddress
constant with a configurable value (e.g., read from an environment variable or
function parameter). Specifically, remove the fixed toAddress =
"ataylor@directactioneverywhere.com" and instead initialize toAddress from
os.Getenv("TO_ADDRESS") (or accept it as an argument where the handler function
is defined), provide a sensible default or fail-fast check if missing, and
update any call sites that reference toAddress (the variable used in the send
logic) to use the new configurable value.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@jobs/README.md`:
- Around line 14-16: The fenced code blocks in README.md that contain shell
commands (e.g., the blocks with "make deps", "aws sso login --profile
<your-profile>", "make build", "make deploy", "aws lambda invoke --function-name
jobs-hello-world --region us-west-2 /dev/stdout", and "make clean") are missing
language identifiers; update each triple-backtick fence to include a language
tag (use "bash" or "sh") so they read ```bash to satisfy MD040 and improve
readability.
- Around line 20-22: Update the jobs/README.md entry for the authentication step
to clarify that the documented command is `aws login` (which is valid in AWS CLI
v2.32.0+ for console-based authentication), add a short note stating the minimum
AWS CLI version required, and explicitly warn not to replace it with `aws sso
login` unless the repo is using IAM Identity Center; also add a one-line note
that `aws sso login --profile <name>` is the alternative only when profiles are
configured via IAM Identity Center.

In `@jobs/requirements.txt`:
- Line 1: The requirements entry for aws-sam-cli is unpinned; update the package
entry in requirements.txt to pin it to the tested release (replace "aws-sam-cli"
with "aws-sam-cli==1.161.0") so builds are reproducible and include the known
security fix; also scan for any other occurrences of an unpinned aws-sam-cli
(e.g., in CI or other requirements files) and pin them the same way.

In `@jobs/template.yaml`:
- Around line 20-25: The VpcConfig currently hardcodes SecurityGroupIds and
SubnetIds (SecurityGroupIds and SubnetIds) making the template
environment-specific; add CloudFormation Parameters (e.g., ParamSecurityGroupIds
and ParamSubnetIds) that accept a comma-separated list or AWS::SSM parameter
values, replace the hardcoded arrays in VpcConfig with references to those
parameters (using Fn::Split or !Ref as appropriate), and update any related
parameter metadata/defaults and template validation to ensure deployments can
supply environment-specific VPC identifiers.

---

Nitpick comments:
In `@jobs/functions/hello-world/main.go`:
- Line 17: The hardcoded recipient address in the jobs/functions/hello-world
file is unsafe; replace the toAddress constant with a configurable value (e.g.,
read from an environment variable or function parameter). Specifically, remove
the fixed toAddress = "ataylor@directactioneverywhere.com" and instead
initialize toAddress from os.Getenv("TO_ADDRESS") (or accept it as an argument
where the handler function is defined), provide a sensible default or fail-fast
check if missing, and update any call sites that reference toAddress (the
variable used in the send logic) to use the new configurable value.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 9fe2c118-506e-44ef-8576-8b1736e1db82

📥 Commits

Reviewing files that changed from the base of the PR and between 6d08025 and ec70a13.

⛔ Files ignored due to path filters (3)

• go.work is excluded by !**/*.work
• go.work.sum is excluded by !**/*.sum
• jobs/go.sum is excluded by !**/*.sum

📒 Files selected for processing (17)

• .devcontainer/devcontainer-lock.json
• .devcontainer/devcontainer.json
• Dockerfile
• Dockerfile.cli
• Makefile
• cli/go.mod
• jobs/.gitignore
• jobs/Makefile
• jobs/README.md
• jobs/functions/hello-world/main.go
• jobs/go.mod
• jobs/hello-world
• jobs/requirements.txt
• jobs/samconfig.toml
• jobs/template.yaml
• pkg/go.mod
• server/src/go.mod

[coderabbitai]

🧹 Nitpick comments (2)

jobs/README.md (2)

18-27: ⚡ Quick win

Add minimum AWS CLI version requirement for aws login.

The aws login command requires AWS CLI version 2.32.0 or later. Add a note documenting this requirement so users don't encounter unexpected failures with older CLI versions.

📝 Suggested addition

 Log in with the AWS CLI:
 
 ```bash
 aws login

-Note: the above command works for IAM users, not SSO / Identity Center users,
+Note: aws login requires AWS CLI version 2.32.0 or later. It works for IAM users, not SSO / Identity Center users,
and uses your console credentials rather than storing a long term IAM access
key. You must re-run it every time your console session expires.

</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @jobs/README.md around lines 18 - 27, Update the README note for the "aws
login" snippet to specify the minimum AWS CLI version required: state that aws login requires AWS CLI version 2.32.0 or later, and then retain the existing
clarification that it works for IAM users (not SSO/Identity Center) and that it
uses console credentials and must be re-run when the session expires; modify the
sentence containing "Note:" to begin with the version requirement and keep the
rest of the explanation intact so readers see both the version constraint and
usage caveats for the aws login command.

</details>

---

`24-26`: _⚡ Quick win_

**Fix hyphenation: "long-term" is a compound modifier.**

Line 25 uses "long term" but should use "long-term" when modifying "IAM access key".




<details>
<summary>📝 Grammar fix</summary>

```diff
-and uses your console credentials rather than storing a long term IAM access
+and uses your console credentials rather than storing a long-term IAM access
 key. You must re-run it every time your console session expires.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@jobs/README.md` around lines 24 - 26, Change the phrase "long term IAM access
key" to use the compound modifier form "long-term IAM access key" in the
README.md sentence that currently reads "uses your console credentials rather
than storing a long term IAM access key" so the hyphenated form correctly
modifies "IAM access key".

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@jobs/README.md`:
- Around line 18-27: Update the README note for the "aws login" snippet to
specify the minimum AWS CLI version required: state that `aws login` requires
AWS CLI version 2.32.0 or later, and then retain the existing clarification that
it works for IAM users (not SSO/Identity Center) and that it uses console
credentials and must be re-run when the session expires; modify the sentence
containing "Note:" to begin with the version requirement and keep the rest of
the explanation intact so readers see both the version constraint and usage
caveats for the `aws login` command.
- Around line 24-26: Change the phrase "long term IAM access key" to use the
compound modifier form "long-term IAM access key" in the README.md sentence that
currently reads "uses your console credentials rather than storing a long term
IAM access key" so the hyphenated form correctly modifies "IAM access key".

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 28b36f56-a653-42f8-8da0-cb49ccb4fb99

📥 Commits

Reviewing files that changed from the base of the PR and between ec70a13 and a71219f.

⛔ Files ignored due to path filters (2)

• go.work.sum is excluded by !**/*.sum
• jobs/go.sum is excluded by !**/*.sum

📒 Files selected for processing (12)

• .devcontainer/devcontainer-lock.json
• .devcontainer/devcontainer.json
• jobs/.gitignore
• jobs/Makefile
• jobs/README.md
• jobs/functions/hello-world/main.go
• jobs/go.mod
• jobs/hello-world
• jobs/requirements.txt
• jobs/samconfig.toml
• jobs/template.yaml
• server/src/go.mod

✅ Files skipped from review due to trivial changes (4)

• jobs/.gitignore
• server/src/go.mod
• jobs/go.mod
• jobs/samconfig.toml

🚧 Files skipped from review as they are similar to previous changes (4)

• jobs/template.yaml
• .devcontainer/devcontainer-lock.json
• jobs/functions/hello-world/main.go
• .devcontainer/devcontainer.json