feat: Migrate aws-sdk v2 to @aws-sdk v3 for Node 20+ Lambda support

[mecham-lynn]

Summary

• Migrate all 6 source files from aws-sdk v2 to modular @aws-sdk v3 packages
• Remove b.external("aws-sdk") from lib/build.js — this was the root cause of Node 20 Lambda failures (Cannot find module 'aws-sdk')
• Replace v2 service constructors with v3 client/command pattern across S3, Lambda, STS, DynamoDB, and credential providers
• Remove aws-sdk v2 dependency, add 6 @aws-sdk v3 packages
• Bump version to 4.0.0-awsv3
• Fix latent bug in docker-run.js where error handler called undefined callback (now uses process.exit(1))

Files Changed

File	Migration
lib/build.js	Removed b.external("aws-sdk"), replaced credential handling with env vars + leo-aws
lib/leo-aws.js	Replaced aws.STS().credentialsFrom() and aws.SharedIniFileCredentials with static creds and fromIni()
lib/functionWrap.js	Removed aws-sdk import (only used in commented-out code)
lib/defaultCronRunner.js	Migrated Lambda, S3 clients + presigned URL generation to v3
docker-run.js	Migrated Lambda, STS (fromTemporaryCredentials), DynamoDB to v3
docker/run.js	Migrated Lambda, DynamoDB to v3
package.json	Version bump, dependency swap
docker/package.json	Dependency swap

Test Plan

• Install leo-cli@4.0.0-awsv3 globally
• leo-cli publish a Lambda project targeting nodejs20.x runtime
• Verify Lambda zip contains AWS SDK (no longer externalized)
• Deploy and invoke Lambda — confirm no Cannot find module errors
• Test with AWS profile switching (--profile flag)
• Test leo-cli test (local Lambda execution via functionWrap)
• Test docker-based Lambda execution

Jira

Jira: https://chb.atlassian.net/browse/ES-2949

🤖 Generated with Claude Code

---

Note

Medium Risk
Broad migration of AWS service/credential codepaths (Lambda/S3/DynamoDB/STS) and packaging behavior; regressions could break local runners, profile-based auth, or deployed Lambda execution if v3 client semantics differ.

Overview
Migrates the CLI and docker lambda runners from aws-sdk v2 to AWS SDK v3 (@aws-sdk/* + Smithy handler), updating Lambda, S3, DynamoDB, and credential usage to the v3 client/command pattern.

Fixes Node 20 runtime packaging issues by stopping browserify from externalizing aws-sdk (so the SDK is bundled when needed), and updates publishing/profile handling to resolve credentials via leo-aws/AWS_PROFILE and pass explicit env creds to the aws s3 CLI.

Improves error handling in the docker runners (async handler() with proper nonzero exits), adds explicit assumed-role env var precedence in docker-run.js, and bumps version to 4.0.0-awsv3 while updating dependencies/lockfile to remove aws-sdk.

^{Written by Cursor Bugbot for commit 4b2ee27. This will update automatically on new commits. Configure here.}

[ch-snyk-sa]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Licenses	0	0	0	0	0 issues
✅	Code Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[cursor]

Cursor Bugbot has reviewed your changes and found 2 potential issues.

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.}

[cursor]

Missing dependency in docker package.json breaks container

High Severity

docker/run.js requires @smithy/node-http-handler at line 26, but this package is not declared in docker/package.json. The Dockerfile runs npm install solely from docker/package.json, so the only reason this might resolve is if it happens to be hoisted as a transitive dependency of the listed @aws-sdk/* packages. Relying on undeclared transitive dependencies is fragile and can break across npm versions, lockfile changes, or alternative package managers.

Additional Locations (1)

• docker/run.js#L25-L26