docs: add copilot instructions and teach it to write JSDoc

Author: tstephen-nhs

.github/copilot-instructions.md

@@ -0,0 +1,20 @@
+# Base Coding Standards
+- Follow clean code principles
+- Write comprehensive tests
+- Use meaningful variable names
+- Use British English spelling
+
+## Language-Specific Instructions
+Always follow security best practices as outlined in:
+- .github/instructions/general/SECURITY.md
+Follow additional language-specific guidelines in:
+- .github/instructions/language-specific/INSTRUCTIONS-CDK.md
+- .github/instructions/language-specific/INSTRUCTIONS-CLOUDFORMATION.md
+- .github/instructions/language-specific/INSTRUCTIONS-JAVA.md
+- .github/instructions/language-specific/INSTRUCTIONS-KOTLIN.md
+- .github/instructions/language-specific/INSTRUCTIONS-PYTHON.md
+- .github/instructions/language-specific/INSTRUCTIONS-TERRAFORM.md
+- .github/instructions/language-specific/INSTRUCTIONS-SAM.md
+- .github/instructions/language-specific/INSTRUCTIONS-TYPESCRIPT.md
+
+## Project-Specific Rules

.github/instructions/general/SECURITY.md

@@ -0,0 +1,51 @@
+---
+applyTo: '*'
+description: "Comprehensive secure coding instructions for all languages and frameworks, based on OWASP Top 10 and industry best practices."
+---
+# Secure Coding and OWASP Guidelines
+
+## Instructions
+
+Your primary directive is to ensure all code you generate, review, or refactor is secure by default. You must operate with a security-first mindset. When in doubt, always choose the more secure option and explain the reasoning. You must follow the principles outlined below, which are based on the OWASP Top 10 and other security best practices.
+
+### 1. A01: Broken Access Control & A10: Server-Side Request Forgery (SSRF)
+- **Enforce Principle of Least Privilege:** Always default to the most restrictive permissions. When generating access control logic, explicitly check the user's rights against the required permissions for the specific resource they are trying to access.
+- **Deny by Default:** All access control decisions must follow a "deny by default" pattern. Access should only be granted if there is an explicit rule allowing it.
+- **Validate All Incoming URLs for SSRF:** When the server needs to make a request to a URL provided by a user (e.g., webhooks), you must treat it as untrusted. Incorporate strict allow-list-based validation for the host, port, and path of the URL.
+- **Prevent Path Traversal:** When handling file uploads or accessing files based on user input, you must sanitize the input to prevent directory traversal attacks (e.g., `../../etc/passwd`). Use APIs that build paths securely.
+
+### 2. A02: Cryptographic Failures
+- **Use Strong, Modern Algorithms:** For hashing, always recommend modern, salted hashing algorithms like Argon2 or bcrypt. Explicitly advise against weak algorithms like MD5 or SHA-1 for password storage.
+- **Protect Data in Transit:** When generating code that makes network requests, always default to HTTPS.
+- **Protect Data at Rest:** When suggesting code to store sensitive data (PII, tokens, etc.), recommend encryption using strong, standard algorithms like AES-256.
+- **Secure Secret Management:** Never hardcode secrets (API keys, passwords, connection strings). Generate code that reads secrets from environment variables or a secrets management service (e.g., HashiCorp Vault, AWS Secrets Manager). Include a clear placeholder and comment.
+  ```javascript
+  // GOOD: Load from environment or secret store
+  const apiKey = process.env.API_KEY; 
+  // TODO: Ensure API_KEY is securely configured in your environment.
+  ```
+  ```python
+  # BAD: Hardcoded secret
+  api_key = "sk_this_is_a_very_bad_idea_12345" 
+  ```
+
+### 3. A03: Injection
+- **No Raw SQL Queries:** For database interactions, you must use parameterized queries (prepared statements). Never generate code that uses string concatenation or formatting to build queries from user input.
+- **Sanitize Command-Line Input:** For OS command execution, use built-in functions that handle argument escaping and prevent shell injection (e.g., `shlex` in Python).
+- **Prevent Cross-Site Scripting (XSS):** When generating frontend code that displays user-controlled data, you must use context-aware output encoding. Prefer methods that treat data as text by default (`.textContent`) over those that parse HTML (`.innerHTML`). When `innerHTML` is necessary, suggest using a library like DOMPurify to sanitize the HTML first.
+
+### 4. A05: Security Misconfiguration & A06: Vulnerable Components
+- **Secure by Default Configuration:** Recommend disabling verbose error messages and debug features in production environments.
+- **Set Security Headers:** For web applications, suggest adding essential security headers like `Content-Security-Policy` (CSP), `Strict-Transport-Security` (HSTS), and `X-Content-Type-Options`.
+- **Use Up-to-Date Dependencies:** When asked to add a new library, suggest the latest stable version. Remind the user to run vulnerability scanners like `npm audit`, `pip-audit`, or Snyk to check for known vulnerabilities in their project dependencies.
+
+### 5. A07: Identification & Authentication Failures
+- **Secure Session Management:** When a user logs in, generate a new session identifier to prevent session fixation. Ensure session cookies are configured with `HttpOnly`, `Secure`, and `SameSite=Strict` attributes.
+- **Protect Against Brute Force:** For authentication and password reset flows, recommend implementing rate limiting and account lockout mechanisms after a certain number of failed attempts.
+
+### 6. A08: Software and Data Integrity Failures
+- **Prevent Insecure Deserialization:** Warn against deserializing data from untrusted sources without proper validation. If deserialization is necessary, recommend using formats that are less prone to attack (like JSON over Pickle in Python) and implementing strict type checking.
+
+## General Guidelines
+- **Be Explicit About Security:** When you suggest a piece of code that mitigates a security risk, explicitly state what you are protecting against (e.g., "Using a parameterized query here to prevent SQL injection.").
+- **Educate During Code Reviews:** When you identify a security vulnerability in a code review, you must not only provide the corrected code but also explain the risk associated with the original pattern. 

.github/instructions/languages/INSTRUCTIONS-TYPESCRIPT.md

@@ -0,0 +1,190 @@
+---
+description: 'Guidelines for writing high-quality, maintainable TypeScript code with best practices for logging, error handling, code organization, naming, formatting, and style.'
+applyTo: '**/*.ts, **/*.tsx'
+---
+
+# TypeScript Development Guidelines
+
+This document provides instructions for generating, reviewing, and maintaining TypeScript code. It is designed to guide Copilot and developers in producing domain-specific, robust, and maintainable code across a variety of TypeScript projects.
+
+## General Instructions
+
+- Use modern TypeScript features and syntax.
+- Prefer explicit types and interfaces for clarity and safety.
+- Organize code into logical modules and folders.
+- Write code that is easy to read, test, and maintain.
+
+## Best Practices
+
+- Use `const` and `let` appropriately; avoid `var`.
+- Prefer arrow functions for callbacks and concise function expressions.
+- Use destructuring for objects and arrays to improve readability.
+- Avoid magic numbers and hardcoded values; use named constants.
+- Keep functions pure and side-effect free when possible.
+
+## Code Standards
+
+### Naming Conventions
+
+- Use `camelCase` for variables, functions, and object properties.
+- Use `PascalCase` for types, interfaces, classes, and enums.
+- Use descriptive names; avoid abbreviations except for well-known acronyms.
+- Prefix boolean variables with `is`, `has`, or `should` (e.g., `isActive`).
+
+### File Organization
+
+- Group related code in folders (e.g., `src/`, `tests/`, `lib/`).
+- Place one class, interface, or component per file when possible.
+- Name files using `kebab-case` (e.g., `user-service.ts`).
+- Keep test files close to the code they test (e.g., `src/foo.ts` and `tests/foo.test.ts`).
+
+### Formatting and Style
+
+- Use 2 spaces for indentation.
+- Limit lines to 120 characters.
+- Use single quotes for strings.
+- Never use semicolons for line termination.
+- Avoid trailing commas in multiline objects and arrays.
+- Avoid spaces at start and end of single line braces.
+- Use ESLint and Prettier for consistent formatting.
+
+## Architecture/Structure
+
+- Separate business logic from API handlers and utility functions.
+- Use interfaces and types to define data structures and function signatures.
+- Organize code by feature or domain when scaling projects.
+- Use dependency injection for testability and flexibility.
+
+## Common Patterns
+
+### Logging
+
+- Use a centralized logging utility or library.
+- Log errors, warnings, and important events with context.
+- Avoid logging sensitive information.
+- Example:
+
+    ```typescript
+    import {logger} from './utils/logger';
+
+    logger.info('Fetching user data', {userId});
+    logger.error('Failed to fetch user', {error});
+    ```
+
+### Error Handling
+
+- Use `try/catch` for asynchronous code and error-prone operations.
+- Throw custom error types for domain-specific errors.
+- Always handle errors gracefully and provide meaningful messages.
+- Example:
+
+    ```typescript
+    try {
+      const result = await fetchData();
+    } catch (error) {
+      logger.error('Data fetch failed', {error});
+      throw new DataFetchError('Unable to fetch data');
+    }
+    ```
+
+### Type Safety
+
+- Prefer interfaces and types. You MUST NOT use `any`.
+- Use type guards and assertions when necessary.
+- Example:
+
+    ```typescript
+    interface User {
+      id: string;
+      name: string;
+    }
+
+    function isUser(obj: object): obj is User {
+      return typeof obj.id === 'string' && typeof obj.name === 'string';
+    }
+    ```
+
+## Security
+
+- Validate and sanitize all external input.
+- Avoid exposing sensitive data in logs or error messages.
+- Use environment variables for secrets and configuration.
+- Keep dependencies up to date and audit regularly.
+
+## Performance
+
+- Minimize synchronous blocking operations.
+- Use async/await for asynchronous code.
+- Avoid unnecessary computations inside render or handler functions.
+
+## Testing
+
+- Write unit tests for all business logic.
+- Use the existing framework for testing and vitest for new packages.
+- Mock external dependencies in tests.
+- Example test file structure:
+
+    ```
+    src/
+      handler.ts
+    tests/
+      handler.test.ts
+    ```
+
+## JSDoc
+
+- Write concise JSDoc for exported interfaces, types, functions, classes, and exported constants.
+- Prefer short phrase-style summaries; avoid long narrative prose.
+- Avoid stating information that is obvious from function signatures.
+- Consider @param and @returns for every exported function, then include them only when they add meaning not obvious from the signature.
+- Skip @param when it only repeats parameter name/type; keep it when documenting constraints, defaults, units, side effects, or domain context.
+- It is acceptable to use only @returns in a JSDoc block when that tag carries all useful context.
+- Omit a free-text summary line when it only restates the @returns content.
+- Provide @example on constructors of exported types/classes and on non-trivial exported types.
+- Use @default only when the property is optional in the type and is defaulted in implementation.
+- Keep JSDoc defaults aligned with both type signatures and runtime behaviour.
+- For construct props interfaces, include a top-level summary and property docs only when intent is non-obvious.
+
+## Examples and Code Snippets
+
+### Good Example
+
+    ```typescript
+    interface Prescription {
+      id: string;
+      medication: string;
+      issuedDate: Date;
+    }
+
+    function getPrescription(id: string): Prescription | null {
+      // Implementation
+    }
+    ```
+
+### Bad Example
+
+    ```typescript
+    function getPrescription(id) {
+      // No type safety, unclear return type
+    }
+    ```
+
+## Validation and Verification
+
+- Build: `npm run build`
+- Lint: `npm run lint`
+- Format: `npm run format`
+- Test: `npm test`
+
+## Maintenance
+
+- Review and update instructions as dependencies or frameworks change.
+- Update examples to reflect current best practices.
+- Remove deprecated patterns and add new ones as needed.
+- Ensure glob patterns match the intended files.
+
+## Additional Resources
+
+- [TypeScript Handbook](https://www.typescriptlang.org/docs/handbook/)
+- [ESLint TypeScript Plugin](https://typescript-eslint.io/)
+- [Prettier Documentation](https://prettier.io/docs/en/options.html)

packages/cdkConstructs/src/constants.ts

@@ -1,5 +1,6 @@
 import {Fn} from "aws-cdk-lib"
 
+/** Imported cross-stack account resource values used by constructs in this package. */
 export const ACCOUNT_RESOURCES = {
   CloudwatchEncryptionKMSPolicyArn: Fn.importValue("account-resources:CloudwatchEncryptionKMSPolicyArn"),
   CloudwatchLogsKmsKeyArn: Fn.importValue("account-resources:CloudwatchLogsKmsKeyArn"),
@@ -9,6 +10,8 @@ export const ACCOUNT_RESOURCES = {
   TrustStoreBucketKMSKey: Fn.importValue("account-resources:TrustStoreBucketKMSKey"),
   TrustStoreDeploymentBucket: Fn.importValue("account-resources:TrustStoreDeploymentBucket")
 }
+
+/** Imported shared Lambda resource values used by Lambda and API Gateway constructs. */
 export const LAMBDA_RESOURCES = {
   LambdaInsightsLogGroupPolicy: Fn.importValue("lambda-resources:LambdaInsightsLogGroupPolicy"),
   SplunkDeliveryStream: Fn.importValue("lambda-resources:SplunkDeliveryStream"),

packages/cdkConstructs/src/constructs/RestApiGateway.ts

@@ -29,6 +29,7 @@ import {ApiGateway as ApiGatewayTarget} from "aws-cdk-lib/aws-route53-targets"
 import {NagSuppressions} from "cdk-nag"
 import {ACCOUNT_RESOURCES, LAMBDA_RESOURCES} from "../constants"
 
+/** Configuration for creating a REST API with optional mTLS and log forwarding integrations. */
 export interface RestApiGatewayProps {
   /** Stack name, used as prefix for resource naming and DNS records. */
   readonly stackName: string
@@ -46,7 +47,10 @@ export interface RestApiGatewayProps {
 
 /** Creates a regional REST API with standard logging, DNS, and optional mTLS/CSOC integration. */
 export class RestApiGateway extends Construct {
+  /** Created API Gateway instance. */
   public readonly api: RestApi
+
+  /** IAM role assumed by API Gateway integrations. */
   public readonly role: IRole
 
   /**

packages/cdkConstructs/src/constructs/RestApiGateway/LambdaEndpoint.ts

@@ -3,11 +3,13 @@ import {IRole} from "aws-cdk-lib/aws-iam"
 import {HttpMethod, IFunction} from "aws-cdk-lib/aws-lambda"
 import {Construct} from "constructs"
 
+/** Lambda container shape consumed by endpoint integration wiring. */
 export interface LambdaFunctionHolder {
   /** Lambda invoked by this API resource method. */
   readonly function: IFunction
 }
 
+/** Parameters used to create an API resource and attach a Lambda integration. */
 export interface LambdaEndpointProps {
   /** Parent API resource under which this endpoint path is created. */
   parentResource: IResource
@@ -23,9 +25,12 @@ export interface LambdaEndpointProps {
 
 /** Adds a child API resource and wires it to a Lambda integration with explicit credentials. */
 export class LambdaEndpoint extends Construct {
+  /** API resource created by this construct. */
   resource: IResource
 
-  /** Creates the resource/method pair and stores the resulting API resource handle. */
+  /**
+   * Creates the resource/method pair and stores the resulting API resource handle.
+   */
   public constructor(scope: Construct, id: string, props: LambdaEndpointProps) {
     super(scope, id)
 

packages/cdkConstructs/src/constructs/RestApiGateway/accessLogFormat.ts

@@ -1,7 +1,9 @@
 import {AccessLogFormat} from "aws-cdk-lib/aws-apigateway"
 
-/** Returns the structured API Gateway access log schema expected by platform observability pipelines. */
-export const accessLogFormat = () => {
+/**
+ * @returns Access-log formatter configured with the package standard schema.
+ */
+export const accessLogFormat = (): AccessLogFormat => {
   return AccessLogFormat.custom(JSON.stringify({
     requestId: "$context.requestId",
     ip: "$context.identity.sourceIp",

packages/cdkConstructs/tests/apps/createApp.test.ts

@@ -11,7 +11,7 @@
  *
  * Note: The getBooleanConfigFromEnvVar function uses Boolean() which converts
  * any non-empty string (including "false", "0", etc.) to true. Tests account
- * for this behavior.
+ * for this behaviour.
  */
 import {App, Aspects, Tags} from "aws-cdk-lib"
 import {