Purpose

Use this skill to design and implement Postgres-backed REST APIs on AWS in a way that fits the target repository.

Treat Postgres plus Drizzle as the default persistence model. When the repository already has compatible constructs and runtime patterns, extend them. When those pieces do not exist, use the references in this skill as portable patterns to generate an equivalent structure.

Portable references live in references/ . Load only the patterns needed for the task:

• references/rest-api-pattern.md for centralized REST route composition patterns

• references/node-lambda-pattern.md for Lambda defaults and environment wiring

• references/importer-pattern.md for importing existing AWS resources into the stack

• references/response-pattern.md for controller and middleware response conventions

• references/sql-drizzle-pattern.md for Drizzle schema, repository, and DatabaseContext guidance

• references/auth-pattern.md for Cognito authorizer, scopes, and handler-level group authorization

• references/runtime-composition-pattern.md for src/app.ts singleton wiring and dependency aggregation

• references/middleware-pattern.md for reusable Middy middleware such as auth, validation, HTTP error handling, and Powertools logger injection

• references/services-pattern.md for logger, storage, notification, and mapper service design

• references/utilities-pattern.md for RestResult , error types, status codes, cursor helpers, and related utilities

• references/schedule-pattern.md for EventBridge-triggered scheduled Lambda jobs

Repository Rule

This skill is repository-aware, not file-path-bound.

The source of truth order is:

• The target repository's current architecture, naming, and abstractions

• The patterns in this skill's references

• The inline examples in this skill

If the local code differs from examples in this skill, follow local code and use the examples only as design guidance.

Repository Discovery

Start every use of this skill with a short discovery pass before proposing code.

Inspect only the parts of the repository that matter for the request. Common places include:

• lib/core-stack.ts

• lib/constructs/rest-api.ts

• lib/constructs/node-lambda.ts

• lib/constructs/api-models.ts

• src/handlers/

• src/controllers/

• src/middlewares/

• src/services/

• src/models/validation/

• src/data/db/

• src/data/repositories/

• src/data/context.ts

• src/utilities/rest-result.ts

• src/utilities/

• src/app.ts

Look for:

• how the route is registered in CDK

• which handler export name the stack expects

• which Middy middleware chain the handler follows

• whether the controller already exists or should be added

• whether a repository or schema already models the data

• whether shared services or mappers already exist for the resource area

• whether middleware or utilities already solve validation, authorization, cursor parsing, or error handling

• whether the change needs environment variables from getDefaultLambdaEnvironment

• whether handler files export a typed HANDLER registry constant to use for handlerName wiring

• whether src/data/db/schema/ modules already define the relevant table, and whether a schema index re-exports them

• whether a migration workflow exists (drizzle.config.ts , a drizzle/ folder) and what command generates migrations — confirm before proposing schema changes

• whether src/data/db/client.ts already exports a shared db client and Db type

• whether src/middlewares/inject-lambda-context.middleware.ts exists — adapter that bridges @aws-lambda-powertools/logger/middleware with Middy v7; used inside withCommonMiddleware in every handler file

After discovery, choose the appropriate approach and state it:

• Existing pattern mode : the repository already has abstractions worth extending

• Pattern generation mode : the repository is missing one or more pieces, so generate code that establishes the pattern cleanly

Existing Pattern Mode

Use the repository's existing abstractions directly:

• RestServerlessApi for API Gateway REST route composition

• NodeLambda for Lambda defaults and bundling

• Importer when the stack needs to attach to existing AWS resources

• RestResult for API Gateway response objects

• DatabaseContext plus Drizzle repositories for persistence

• src/middlewares/inject-lambda-context.middleware.ts for AWS Powertools logger injection in handler pipelines

Avoid hand-rolling raw API Gateway, Lambda, or persistence wiring unless the existing abstractions clearly cannot support the requirement.

Pattern Generation Mode

Use this mode when the target repository has no reusable abstraction for one or more layers.

In this mode:

• use the references as guidance for the shape of the code, not as a demand that exact filenames or classes exist

• create only the minimal new abstraction needed to keep the generated code coherent and reusable

• prefer introducing a small reusable construct, helper, middleware, service, or repository pattern over shipping one-off route code

• keep the generated names and folders aligned with the target repository's conventions, even when the conceptual pattern comes from this skill

Working Rules

• Read the relevant local construct, stack, handler, controller, and repository code before editing.

• If the repository already has a route composition abstraction such as RestServerlessApi , use it. If not, generate a small reusable pattern instead of scattering raw CDK logic.

• Keep handlers thin. Put orchestration in controllers and persistence in src/data/repositories/ .

• For database work, model schema in Drizzle and query via a shared db client or equivalent shared database access layer.

• Reuse an existing dependency composition pattern such as DatabaseContext or src/app.ts when it exists. If it does not, create a lightweight equivalent rather than wiring dependencies ad hoc in handlers.

• Reuse the local Middy middleware stack pattern when it exists. If it does not, generate a reusable middleware composition pattern instead of inlining validation and auth in every handler.

• Return responses through the local response helper when one exists. Otherwise generate one shared response utility instead of repeating inline response objects.

• Preserve Cognito authorizer behavior and group-based authorization middleware when extending protected routes.

• Prefer service classes and mapper classes for cross-cutting logic that appears in more than one controller.

• Centralize reusable error and cursor helpers under src/utilities/ or an equivalent shared module rather than duplicating them in repositories or handlers.

• Prefer small reusable services for cross-cutting concerns such as logging, storage, notifications, and DTO mapping. When the same concern appears in more than one controller, extract it into a shared service rather than duplicating it inline.

Default Assumptions

• API type: API Gateway REST API

• Compute: one Lambda handler export per route

• Datastore: Postgres via Drizzle and the shared Neon HTTP client

• Runtime defaults: existing Lambda wrapper defaults when present, otherwise a consistent Node.js Lambda baseline

• Auth: Cognito authorizer at API Gateway plus authorizedGroup(...) in handlers when needed

• Validation: Zod schemas through validation.middleware.ts

• Environment: Lambda runtime should receive shared database and app settings through one central helper or wiring layer when possible

If the user gives constraints that conflict with these defaults, adapt and state the change.

Project Shape

Use a structure like this when the repository does not already provide a better one:

lib/ ├── constructs/ └── core-stack.ts

src/ ├── controllers/ ├── data/ │ ├── db/ │ │ ├── client.ts │ │ └── schema/ │ ├── context.ts │ └── repositories/ ├── handlers/ ├── middlewares/ ├── models/ │ └── validation/ ├── services/ ├── utilities/ └── app.ts

Treat this as a conceptual layout, not a hard requirement:

• lib/core-stack.ts or an equivalent stack module registers routes and shared route defaults

• src/handlers/ contains Middy-wrapped Lambda exports

• src/controllers/ contains request orchestration and response shaping

• src/data/db/schema/ defines Drizzle Postgres tables and relations

• src/data/repositories/ contains SQL access logic

• src/data/context.ts or an equivalent module wires repositories to a shared Db and exposes a shared runtime context

• src/services/ holds logger, storage, notification, mapper, and other integration-facing services

• src/utilities/ holds response helpers, error types, status codes, cursor helpers, and shared pure functions

• src/models/validation/ contains Zod schemas for request validation

Construct-Centered Guidance

1. Route composition should be centralized

If the repository already has a route composition abstraction such as RestServerlessApi , extend it. Otherwise create one reusable route composition layer and keep route registration centralized.

Common route helpers are:

• get

• getById

• post

• put

• delete

Set shared defaults once:

const cognitoAuthorizer = api.createCognitoAuthorizer(userPool);

api.setDefaultRouteOptions({ authorizer: cognitoAuthorizer, environmentVariables: getDefaultLambdaEnvironment(), });

Important pattern details:

• routePath must start with /

• default route options merge with per-route options

• setting authorizer: undefined on a route removes the default authorizer

• scopes are typically passed per route in the stack layer

• route grants are connection-based; no table-level IAM grants are needed for SQL persistence

2. Lambda runtime defaults should be centralized

If the repository already has a Lambda wrapper such as NodeLambda , use it. Otherwise generate a small shared wrapper or helper that centralizes runtime defaults.

Useful baseline defaults include:

• Node.js 24.x

• ARM64

• 128 MB memory unless overridden

• 15 second timeout unless overridden

• active X-Ray tracing

• CloudWatch log group with three-month retention

• bundling with @aws-sdk/* externalized

A shared environment helper often needs values such as:

• DATABASE_URL

• FRONTEND_URL

• S3_BUCKET

• SES_IDENTITY_EMAIL

• SES_IDENTITY_EMAIL_ARN

• optional CORS_ORIGIN

• optional ALLOWED_GROUP

When adding routes, inherit shared environment wiring unless there is a strong reason not to.

Three helpers are commonly used together in the stack: getDefaultLambdaEnvironment() , getStackLambdaName() , and createSendEmailPolicy() . See references/node-lambda-pattern.md for their signatures, usage, and the pattern for attaching the SES policy.

3. Keep route wiring readable and repetitive in the right way

Never write handlerName as a bare string literal — a rename in the handler file will not be caught at compile time without a registry. Each handler file should export a typed HANDLER registry constant, which the stack imports and uses for all route wiring.

Prefer:

• one handler file per resource area

• HANDLER registry constants exported from each handler file and imported by the stack

• lambdaName() and handlerPath() local helpers wrapping getStackLambdaName and path.join

• shared Cognito authorizer defaults with per-route scopes

See references/rest-api-pattern.md for the full registry template, multi-route stack examples, and the setDefaultRouteOptions setup.

4. Prefer Importer for existing infrastructure

If the repository exposes an importer helper like lib/constructs/api-importer.ts , use it when wiring a stack to resources that already exist.

Prefer patterns like:

import { Importer } from './constructs/api-importer';

const userPool = Importer.getCognitoUserPoolById(this, process.env.COGNITO_USER_POOL_ID!); const s3Bucket = Importer.getS3Bucket(this, process.env.S3_BUCKET!); const apiDomain = Importer.getApiGatewayDomainName( this, process.env.API_DOMAIN_NAME!, process.env.API_DOMAIN_NAME_ALIAS!, process.env.ZONE_ID!, );

Use the importer when the stack attaches to an existing user pool, S3 bucket, domain, or other shared resource, and the repository already centralizes from* imports behind an importer helper. Do not replace a repository-wide importer with direct fromUserPoolId or similar calls unless the user explicitly asks for it.

See references/importer-pattern.md for the portable shape.

5. Prefer RestResult for API responses

If the repository has a response helper like src/utilities/rest-result.ts , use it as the default response format for controllers.

Prefer methods such as:

• RestResult.Ok(...)

• RestResult.Created(..., location)

• RestResult.NoContent()

• RestResult.BadRequest(...)

• RestResult.Unauthorized(...)

• RestResult.Forbidden(...)

• RestResult.NotFound(...)

• RestResult.Conflict(...)

• RestResult.InternalServerError(...)

Use RestResult.fromDatabaseError(error) before falling through to a generic 500 whenever a repository operation could fail with a recognized Postgres constraint error. This keeps CORS headers, content types, status codes, and error body shapes consistent across all endpoints.

If no local response helper exists, load references/response-pattern.md for the full class shape and baseline implementation.

6. Use ScheduleLambda for EventBridge-triggered background jobs

If the repository exposes a scheduled Lambda construct (e.g., lib/constructs/schedule.ts ), use it for any non-API background work such as soft-delete cleanup, digest emails, or data expiry sweeps. Do not create a raw events.Rule

• NodejsFunction pair inline.

Key points:

• the scheduled Lambda follows the same HANDLER registry pattern as API handlers

• the handler entrypoint type is ScheduledEvent from aws-lambda , not APIGatewayProxyEvent

• for Postgres-backed jobs, pass DATABASE_URL through getDefaultLambdaEnvironment() — no table-level IAM grants are needed

See references/schedule-pattern.md for the full construct snippet, handler template, and all key options.

Runtime Guidance

Handlers

Handlers should follow the local Middy pattern:

• httpHeaderNormalizer()

• httpEventNormalizer()

• handleHttpError()

• httpJsonBodyParser({ disableContentTypeError: true }) for write routes

• authorizedGroup(...) when group authorization is required

• validateHeaders(...) , validatePathParameters(...) , validateQueryParameters(...) , and validateBody(...) as needed

Keep handler files mostly declarative. They should compose middleware around controller functions rather than implement business logic directly.

If the repository does not yet have a consistent handler pattern, generate one that keeps:

• middleware composition in the handler

• orchestration in the controller

• persistence in repositories

• shared concerns in middleware, services, and utilities

Controllers

Controllers should:

• read typed event data after middleware validation

• call dbContext and other shared services from a shared composition module

• map entities through the repository and mapper layers

• return RestResult responses

• translate repository failures with RestResult.fromDatabaseError(...) when applicable

Data Layer

Persistence work belongs under src/data/ or an equivalent data layer.

Preferred flow:

• define or update table schema in src/data/db/schema/

• export it through the schema index if needed

• implement repository behavior in src/data/repositories/

• wire the repository through src/data/context.ts if it is a new repository

• consume it from controllers via dbContext

Do not open raw database connections inside handlers or controllers. Reuse the shared db and DatabaseContext or an equivalent context pattern.

Drizzle Schema Rules

When adding or changing persistence:

• use pgTable , typed columns, indexes, enums, and relations from Drizzle

• keep relations centralized in a dedicated schema module when appropriate

• mirror existing schema naming and table file conventions when they already exist

• prefer SQL constraints and indexes over application-only uniqueness logic

• generate migrations with the repo's Drizzle workflow, or introduce one coherent migration workflow instead of inventing manual SQL files

Repository Rules

Repository APIs in this skill should stay SQL-oriented, not key-value oriented.

Prefer methods that reflect domain behavior, for example:

• getById

• query

• save

• updateById

• delete

• relation-specific helpers when needed

For cursor pagination, do not assume UUID v4 primary keys are time-ordered. Prefer a stable ordered tuple such as created_at plus id , and make the cursor carry both values.

When generating a repository pattern from scratch:

• define repository methods around domain actions rather than query-builder details

• keep transaction boundaries above the repository only when multiple repositories must coordinate

• keep mapping from raw row shape to API response out of the handler

• avoid importing Drizzle schema objects directly into handlers unless the repository layer does not exist yet

Response and Error Rules

Use src/utilities/rest-result.ts or an equivalent shared response helper for all API responses.

Prefer:

• RestResult.Ok(...)

• RestResult.Created(...)

• RestResult.NoContent()

• RestResult.BadRequest(...)

• RestResult.NotFound(...)

• RestResult.Unauthorized(...)

• RestResult.Forbidden(...)

• RestResult.InternalServerError(...)

For recognized Postgres constraint failures, prefer RestResult.fromDatabaseError(error) before falling back to generic 500 handling.

Auth Rules

Protected routes should usually use two layers:

• API Gateway Cognito authorizer and scopes in CDK

• handler-level group authorization via authorizedGroup(...)

When changing protected routes:

• preserve route scopes in the stack layer

• preserve or extend group checks in handlers

• use existing ALLOWED_GROUP semantics when present

• do not reintroduce removed client-account auth flows

Change Patterns

When adding a new CRUD endpoint, the usual path is:

• add or update the Drizzle schema if persistence changes

• add or extend the repository

• add or extend the controller

• add or extend the handler with Middy middleware and validation

• register the route in the stack or route-composition layer

• add focused tests for the changed behavior

When the request is only infrastructure-facing, still confirm whether handler, controller, repository, validation, or environment wiring also needs to move with it.

When generating the architecture from scratch, prefer this order:

• define or update the data model and migration

• define repository methods around the use case

• define controller behavior and response mapping

• add handler middleware and validation

• register the route and shared environment wiring

• add tests around the repository, controller, or handler boundary that changed

Response Style

When using this skill, produce:

• A short statement of the endpoint(s) being added or changed

• A note saying whether you are using Existing pattern mode or Pattern generation mode

• CDK snippets based on local constructs when present, or the portable baseline when not

• The data layer change: new Drizzle schema and migration needed, or existing schema extended

• Any handler, controller, repository, or validation follow-on work needed to make the endpoint functional

• Explicit assumptions where auth, schema, or validation is ambiguous

Avoid generic AWS guidance when a repository-specific construct snippet would answer the request better. Treat the repository's code as authoritative and the skill as workflow guidance, not as a competing source of truth.

Definition of Done

A change using this skill is usually complete when:

• the route is registered through the local CDK abstractions

• the handler matches the repository's Middy style or establishes one coherent style

• controller and repository responsibilities stay separated

• persistence uses Drizzle and Postgres only

• tests cover the changed behavior at the right layer