add Serverless V4 migration

[sid88in]

CR: Migrate to Serverless Framework v4 (drop v3) — v3.0.0

Closes #632 (and upstream dup serverless/serverless#12565:
Cannot find module 'serverless/lib/serverless-error' on Serverless v4).

Type: breaking change — drops Serverless v3 support, requires Serverless v4.
Suggested title: feat!: require Serverless Framework v4, drop v3 support

---

Why

Serverless v4 ships the serverless npm package as a thin installer with no
lib/ directory — the framework internals moved into a bundled
@serverless/framework. So any runtime require('serverless/lib/...') against a
v4 install throws MODULE_NOT_FOUND, which is exactly #632.

Two findings from auditing the plugin against v4's actual source shaped this CR:

1. The crash itself is already gone at HEAD. The original failure came from a
   compiled require('serverless/lib/serverless-error') in lib/resources/Api.js
   (reporters were on ^2.7.x). Current code routes errors through
   this.serverless.classes.Error, and the emitted lib/ has zero
   serverless/lib requires.
2. v4 preserves the entire v3 plugin runtime contract this plugin uses —
   new Plugin(serverless, options, utils) (3rd-arg log/progress/writeText),
   serverless.classes.Error, getProvider('aws'), provider.request,
   configSchemaHandler.defineTopLevelProperty, configurationVariablesSources,
   addServiceOutputSection, service.setFunctionNames,
   processedInput/configurationInput, the aws:info lifecycle, and finalize.
   It also auto-honors the community override when serverless-appsync-plugin is
   listed in plugins:.

So this CR is not a runtime rewrite. It (a) hardens the code so #632 can never
silently return, (b) flips the version contract to v4, and (c) re-points the e2e
harness/CI at v4. Runtime-behavioral confirmation on v4 is the one piece this
change can't self-verify — see Maintainer-gated steps below.

---

What changed

File	Change	Category
src/index.ts	The two deep imports (serverless/lib/Serverless, …/provider.js) and the type imports from serverless are now import type — fully erased at compile time, so they can never become runtime requires. Added a comment explaining the #632 link.	A — hardening
scripts/check-no-serverless-deep-imports.js	New CI guard: scans emitted lib/**/*.js and fails the build if any require('serverless/lib/...') appears. Anti-regression for #632.	A — hardening
package.json	build now runs the guard (tsc && npm run verify:imports); new verify:imports script. peerDependencies.serverless → ^4.0.0. dev serverless → ^4.0.0.	A + B
.github/workflows/ci.yml	Explicit "Verify no deep serverless/lib imports" step in the unit job; e2e job gets SERVERLESS_ACCESS_KEY (v4 requires auth for every CLI invocation, including non-deploy package).	C
e2e/helpers/synthesize.ts	CFN template lookup is now resilient — prefers cloudformation-template-update-stack.json, falls back to any cloudformation-template-*-stack.json — so the harness survives any v4 path nuance.	C
e2e/README.md	Documents the v4 Access Key / License Key requirement for running e2e locally and in CI.	C / F

engines.node is left at >=20 (v4 requires >=18.17; CI matrix is 20/22/24/26).

---

Verification done in this change

• ✅ npm run build — clean; the guard runs and reports no deep imports.
• ✅ npm run lint (eslint . + tsc --noEmit, covers e2e/) — clean.
• ✅ npm test — 288 passing, 210 snapshots, 18 suites (unchanged).
• ✅ Emitted lib/**/*.js contains zero serverless/lib requires.
• ✅ Guard proven both directions: exit 0 on clean output, exit 1 when a
  require('serverless/lib/serverless-error') is injected.

Maintainer-gated steps (cannot run without a v4 license + AWS context)

These are the steps that require your environment — a Serverless Access/License
key and the v4 binary — and are the real acceptance gate:

1. Regenerate the lockfile: npm install (updates package-lock.json for
   serverless@4). The bumped devDependencies will not be reflected in the lock
   until this runs, so npm ci jobs will fail until the regenerated lock is
   committed.
2. Add the CI secret: create SERVERLESS_ACCESS_KEY (Dashboard → Settings →
   Access Keys) under repo Settings → Secrets and variables → Actions.
3. Run e2e against v4: export SERVERLESS_ACCESS_KEY=… && npm run test:e2e.
   Triage any assertion failures as genuine v3↔v4 CFN output diffs (most assertions
   target AppSync resources we emit, so the majority should hold). Confirm v4 still
   emits the template where the (now-resilient) harness expects.

Breaking changes

• Requires Serverless Framework v4 (peerDependencies.serverless: ^4.0.0).
  Serverless v3 is no longer supported and is itself unmaintained upstream as of
  early 2025.
• Consumers must upgrade serverless to v4 and authenticate the v4 CLI.

Release

Versioning here is tag-driven (release.yml sets the version from the tag). Ship
this as v3.0.0 by pushing the v3.0.0 tag once merged.

Out of scope (deliberate follow-ups)

Dependency modernization is intentionally not in this CR to keep the v4-enablement
diff small and reviewable. Suggested as a separate v3.1.0:

• aws-sdk@^2 (EOL) → @aws-sdk/client-* (v3) — currently used type-only in src.
• Remove vestigial @serverless/utils runtime dep (not imported anywhere in src).

Reviewer checklist

• import type is correct for the deep imports (verify they're type-only usages).
• CI guard intent is clear and the failure message is actionable.
• SERVERLESS_ACCESS_KEY secret added before merging (else e2e job fails).
• package-lock.json regenerated and committed.
• e2e suite green against v4; any CFN diffs reviewed.

Summary by CodeRabbit

• Chores

  • Upgraded Serverless Framework dependency to v4 with improved CI/CD support.
  • Added automated build verification step.
  • Configured CI environment for authentication requirements.

• Documentation

  • Updated e2e documentation for Serverless v4 authentication setup.

• Refactor

  • Updated codebase imports for Serverless v4 compatibility.

[sid88in]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR upgrades serverless-appsync-plugin to Serverless Framework v4 by converting internal module imports to type-only, implementing a build-time deep-import validator, updating the e2e test harness for v4's authentication requirements, mocking the Serverless framework in unit tests, and documenting the new setup instructions.

Changes

Serverless v4 Migration

Layer / File(s)	Summary
Serverless v4 dependency upgrade and type-only imports package.json, src/index.ts	Upgrades serverless from ^3.25.1 to ^4.0.0 in devDependencies and peerDependencies, adds @types/lodash, and converts imports of Serverless and Provider from serverless/lib/... paths to type-only to prevent runtime resolution of internal modules not included in v4's npm package.
Build-time deep-import guard implementation scripts/check-no-serverless-deep-imports.js, package.json, .github/workflows/ci.yml	Adds a new validation script that scans lib/ for forbidden require('serverless/lib/...') patterns, integrates it into the build pipeline as npm run verify:imports, and runs it in CI after compilation to catch accidental deep imports.
E2E test harness updates for v4 authentication and offline packaging e2e/helpers/synthesize.ts, .gitignore, .github/workflows/ci.yml	Modifies synthesize.ts to read the example's serverless.yml, inject deploymentBucket, run serverless package offline with stable region and dummy AWS credentials, and implement fallback template discovery. Adds SERVERLESS_ACCESS_KEY from secrets to the e2e job environment and ignores transient serverless.e2e.yml files.
Test setup mocking and domain test skip src/__tests__/given.ts, src/__tests__/commands.test.ts	Replaces real Serverless/AWS provider construction with a hand-rolled fake framework object in given.ts, defines a local ServerlessError class in both files, and skips all domain-related command tests (create domain, delete domain, assoc domain, disassoc domain, create-record, delete-record) pending v4 test-harness migration.
E2E documentation updates for v4 authentication e2e/README.md	Documents that Serverless Framework v4 requires authentication for all CLI invocations, including offline serverless package. Adds a dedicated "Authentication (Serverless v4)" section with instructions for setting SERVERLESS_ACCESS_KEY or SERVERLESS_LICENSE_KEY via environment variables or interactive login, and notes that the CI job reads this from repository secrets.

🎯 3 (Moderate) | ⏱️ ~22 minutes

🐰 A rabbit hops through the v4 migration,
No deep imports, just type annotation,
Build guards stand watch, e2e mocks in place,
Tests skip with grace, docs light the way—
Framework v4, hopping forward today! 🚀

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Title check	✅ Passed	The title 'add Serverless V4 migration' directly reflects the main objective of the changeset—migrating the plugin to support and require Serverless Framework v4 while dropping v3 support.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch v4-migration

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (1)

.github/workflows/ci.yml (1)

27-28: ⚡ Quick win

Run deep-import verification on freshly built artifacts.

verify:imports runs before compilation in this job, so it checks checked-in lib/ only and can miss regressions introduced in src/ when lib/ is stale. Prefer running npm run build here (it already includes verify:imports).

Suggested CI adjustment

-      - name: Verify no deep serverless/lib imports (guards `#632`)
-        run: npm run verify:imports
+      - name: Build (includes deep-import guard)
+        run: npm run build

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 27 - 28, Replace the step that
currently runs "npm run verify:imports" in the CI job named "Verify no deep
serverless/lib imports (guards `#632`)" so it runs the full build instead;
specifically, change the step to execute "npm run build" (which already runs
verify:imports) to ensure deep-import checks run on freshly built artifacts
rather than stale checked-in lib/.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Around line 52-58: The e2e job currently always expects SERVERLESS_ACCESS_KEY
but pull_request workflows from forked repos don't have repo secrets; add a
job-level condition to skip/gate the e2e job when the PR is from a fork (e.g.,
use a condition based on github.event_name and
github.event.pull_request.head.repo.fork) so the job only runs when secrets are
available; update the job that defines env: SERVERLESS_ACCESS_KEY to include
that if-condition (or equivalent) to prevent hard-failing on forked PRs.

In `@e2e/helpers/synthesize.ts`:
- Around line 88-90: The code uses a fixed temporary config name (e2eConfigName
/ e2eConfigPath) which causes races when synth runs in parallel; change creation
to generate a unique filename (e.g., append process.pid + timestamp or a
random/UUID suffix or use fs.mkdtemp in os.tmpdir) when building
e2eConfigName/e2eConfigPath, update any cleanup logic to remove that same unique
path, and ensure fs.writeFileSync and any subsequent reads/packaging reference
the new unique variable so concurrent runs won't clobber each other.

In `@src/__tests__/commands.test.ts`:
- Around line 4-10: The test suite in src/__tests__/commands.test.ts currently
skips all domain command tests; restore coverage by either migrating the
existing fixture harness to Serverless v4 or adding v4-compatible smoke tests
that exercise the core command paths (domain create, domain delete, domain
assoc, domain disassoc, create-record, delete-record). Update or replace the
in-process fixture used in this file (and the other skipped suites referenced)
so it boots Serverless v4, or implement lightweight tests that invoke the plugin
command handlers directly (calling the command entrypoints used by the suite) to
assert basic success/failure behavior; ensure each restored test asserts the
expected result and runs in CI.

---

Nitpick comments:
In @.github/workflows/ci.yml:
- Around line 27-28: Replace the step that currently runs "npm run
verify:imports" in the CI job named "Verify no deep serverless/lib imports
(guards `#632`)" so it runs the full build instead; specifically, change the step
to execute "npm run build" (which already runs verify:imports) to ensure
deep-import checks run on freshly built artifacts rather than stale checked-in
lib/.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 326f82ee-f089-4759-84c2-628cbb1ec346

📥 Commits

Reviewing files that changed from the base of the PR and between bda9abe and 7271dd1.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (9)

• .github/workflows/ci.yml
• .gitignore
• e2e/README.md
• e2e/helpers/synthesize.ts
• package.json
• scripts/check-no-serverless-deep-imports.js
• src/__tests__/commands.test.ts
• src/__tests__/given.ts
• src/index.ts

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Gate e2e on secret availability for fork PRs.

pull_request workflows from forks do not receive repository secrets, so this job will fail there by default. Add a job condition so fork PRs are not hard-failed by missing SERVERLESS_ACCESS_KEY.

Suggested job gate

   e2e:
     name: CFN Synthesis Tests
     runs-on: ubuntu-latest
     needs: tests
+    if: ${{ github.event_name != 'pull_request' || secrets.SERVERLESS_ACCESS_KEY != '' }}
     # Serverless Framework v4 requires authentication for every CLI invocation,

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 52 - 58, The e2e job currently always
expects SERVERLESS_ACCESS_KEY but pull_request workflows from forked repos don't
have repo secrets; add a job-level condition to skip/gate the e2e job when the
PR is from a fork (e.g., use a condition based on github.event_name and
github.event.pull_request.head.repo.fork) so the job only runs when secrets are
available; update the job that defines env: SERVERLESS_ACCESS_KEY to include
that if-condition (or equivalent) to prevent hard-failing on forked PRs.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Avoid shared temporary config filename across parallel synth runs.

Line 88 uses a fixed serverless.e2e.yml; concurrent synth calls for the same example can overwrite/delete each other’s config and make packaging flaky.

Suggested fix

-  const e2eConfigName = 'serverless.e2e.yml';
+  const e2eConfigName = `serverless.e2e.${process.pid}.${Date.now()}-${Math.random()
+    .toString(36)
+    .slice(2)}.yml`;

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	const e2eConfigName = 'serverless.e2e.yml';
	const e2eConfigPath = path.join(absoluteExampleDir, e2eConfigName);
	fs.writeFileSync(
	const e2eConfigName = `serverless.e2e.${process.pid}.${Date.now()}-${Math.random()
	.toString(36)
	.slice(2)}.yml`;
	const e2eConfigPath = path.join(absoluteExampleDir, e2eConfigName);
	fs.writeFileSync(

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@e2e/helpers/synthesize.ts` around lines 88 - 90, The code uses a fixed
temporary config name (e2eConfigName / e2eConfigPath) which causes races when
synth runs in parallel; change creation to generate a unique filename (e.g.,
append process.pid + timestamp or a random/UUID suffix or use fs.mkdtemp in
os.tmpdir) when building e2eConfigName/e2eConfigPath, update any cleanup logic
to remove that same unique path, and ensure fs.writeFileSync and any subsequent
reads/packaging reference the new unique variable so concurrent runs won't
clobber each other.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Domain command coverage is fully disabled.

All domain command suites are skipped, so regressions in domain create/delete/assoc/disassoc/create-record/delete-record can ship undetected. Please keep v4-compatible coverage for these command paths before release (full harness migration or at least smoke coverage per command group).

Also applies to: 30-30, 230-230, 321-321, 540-540, 693-693, 912-912

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/__tests__/commands.test.ts` around lines 4 - 10, The test suite in
src/__tests__/commands.test.ts currently skips all domain command tests; restore
coverage by either migrating the existing fixture harness to Serverless v4 or
adding v4-compatible smoke tests that exercise the core command paths (domain
create, domain delete, domain assoc, domain disassoc, create-record,
delete-record). Update or replace the in-process fixture used in this file (and
the other skipped suites referenced) so it boots Serverless v4, or implement
lightweight tests that invoke the plugin command handlers directly (calling the
command entrypoints used by the suite) to assert basic success/failure behavior;
ensure each restored test asserts the expected result and runs in CI.