chore: address AutoSDE + fix build

Author: H. Furkan Bozkurt

plugins/aws-core/skills/aws-amplify/references/ai.md

@@ -67,6 +67,8 @@ const schema = a.schema({
 These constraints are asymmetric and frequently confused. Getting them wrong
 causes the CDK synthesis to fail with a non-obvious TypeError.
 
+> **Security:** Conversation history sent to Amazon Bedrock may contain PII. Do not log full request/response payloads in production. Enable CloudWatch Logs encryption (KMS) and set appropriate retention policies for any logs that may capture inference data.
+
 ### Backend Integration
 
 AI conversation and generation routes are part of your data schema. Import into `amplify/backend.ts`:

plugins/aws-core/skills/aws-amplify/references/data-backend.md

@@ -62,7 +62,7 @@ a.model({ /* fields */ }).authorization(allow => [
 ])
 ```
 
-> **Security note:** `allow.guest()` permits unauthenticated access. Only use for intentionally public, non-sensitive data. Prefer `allow.authenticated()` or `allow.owner()` for sensitive resources. See [Amplify authorization best practices](https://docs.amplify.aws/react/build-a-backend/data/customize-authz/) and [Amazon Cognito Identity Pool security](https://docs.aws.amazon.com/cognito/latest/developerguide/identity-pools.html) for guidance on choosing the right authorization strategy.
+> **Security note:** `allow.guest()` and `allow.publicApiKey()` both permit unauthenticated access. Only use for intentionally public, non-sensitive data. Prefer `allow.authenticated()` or `allow.owner()` for sensitive resources. See [Amplify authorization best practices](https://docs.amplify.aws/react/build-a-backend/data/customize-authz/) and [Amazon Cognito Identity Pool security](https://docs.aws.amazon.com/cognito/latest/developerguide/identity-pools.html) for guidance on choosing the right authorization strategy.
 
 Per-field authorization overrides model-level rules:
 

plugins/aws-core/skills/aws-amplify/references/deployment.md

@@ -156,11 +156,10 @@ aws amplify start-job --app-id "$APP_ID" --branch-name main --job-type RELEASE
 **Sandbox:** Set secrets via CLI:
 
 ```bash
-echo "<value>" | npx ampx sandbox secret set MY_API_KEY
+npx ampx sandbox secret set MY_API_KEY
 ```
 
-You **MUST** pipe the value via stdin — without the pipe, the command
-prompts interactively.
+> **Security:** Avoid passing secret values as CLI arguments or via `echo` — these appear in shell history and `/proc`. Instead, use `ampx sandbox secret set MY_SECRET` which prompts for input interactively, or pipe from a secure source: `aws ssm get-parameter --name /path/to/secret --with-decryption --query Parameter.Value --output text | ampx sandbox secret set MY_SECRET --from-stdin`
 
 This stores the secret for your personal sandbox environment.
 **Branch environments (production):** Set secrets via the `ampx` CLI:
@@ -181,7 +180,7 @@ aws amplify update-app --app-id "$APP_ID" \
 > For sensitive values (API keys, tokens), use `npx ampx sandbox secret set`
 > (sandbox) or `npx ampx secret set --branch` (production) which stores in
 > SSM SecureString.
-
+>
 > **Note:** Under the hood, Amplify Gen2 `secret()` references are backed by AWS Systems Manager Parameter Store (SecureString parameters). Review access policies on the `/amplify/` parameter path in your account to ensure only authorized roles can read production secrets.
 
 Reference secrets in functions using `secret()` — see

plugins/aws-core/skills/aws-amplify/references/storage-mobile.md

@@ -15,6 +15,8 @@ Imports: `amplify_flutter` + `amplify_storage_s3`. All paths wrapped with `Stora
 | Presigned URL | `Amplify.Storage.getUrl(path: const StoragePath.fromString('public/file.jpg'))`                                         |
 | Remove        | `Amplify.Storage.remove(path: const StoragePath.fromString('public/file.jpg'))`                                         |
 
+> **Security:** Amplify Gen2 enables S3 server-side encryption (SSE-S3) by default. All transfers use HTTPS (TLS in transit). For sensitive data, configure SSE-KMS with a customer-managed key via CDK overrides.
+
 Upload progress — use the `onProgress` callback parameter:
 
 ```dart

skills/foundations/aws-amplify/references/ai.md

@@ -67,6 +67,8 @@ const schema = a.schema({
 These constraints are asymmetric and frequently confused. Getting them wrong
 causes the CDK synthesis to fail with a non-obvious TypeError.
 
+> **Security:** Conversation history sent to Amazon Bedrock may contain PII. Do not log full request/response payloads in production. Enable CloudWatch Logs encryption (KMS) and set appropriate retention policies for any logs that may capture inference data.
+
 ### Backend Integration
 
 AI conversation and generation routes are part of your data schema. Import into `amplify/backend.ts`:

skills/foundations/aws-amplify/references/data-backend.md

@@ -62,7 +62,7 @@ a.model({ /* fields */ }).authorization(allow => [
 ])
 ```
 
-> **Security note:** `allow.guest()` permits unauthenticated access. Only use for intentionally public, non-sensitive data. Prefer `allow.authenticated()` or `allow.owner()` for sensitive resources. See [Amplify authorization best practices](https://docs.amplify.aws/react/build-a-backend/data/customize-authz/) and [Amazon Cognito Identity Pool security](https://docs.aws.amazon.com/cognito/latest/developerguide/identity-pools.html) for guidance on choosing the right authorization strategy.
+> **Security note:** `allow.guest()` and `allow.publicApiKey()` both permit unauthenticated access. Only use for intentionally public, non-sensitive data. Prefer `allow.authenticated()` or `allow.owner()` for sensitive resources. See [Amplify authorization best practices](https://docs.amplify.aws/react/build-a-backend/data/customize-authz/) and [Amazon Cognito Identity Pool security](https://docs.aws.amazon.com/cognito/latest/developerguide/identity-pools.html) for guidance on choosing the right authorization strategy.
 
 Per-field authorization overrides model-level rules:
 

skills/foundations/aws-amplify/references/deployment.md

@@ -156,11 +156,10 @@ aws amplify start-job --app-id "$APP_ID" --branch-name main --job-type RELEASE
 **Sandbox:** Set secrets via CLI:
 
 ```bash
-echo "<value>" | npx ampx sandbox secret set MY_API_KEY
+npx ampx sandbox secret set MY_API_KEY
 ```
 
-You **MUST** pipe the value via stdin — without the pipe, the command
-prompts interactively.
+> **Security:** Avoid passing secret values as CLI arguments or via `echo` — these appear in shell history and `/proc`. Instead, use `ampx sandbox secret set MY_SECRET` which prompts for input interactively, or pipe from a secure source: `aws ssm get-parameter --name /path/to/secret --with-decryption --query Parameter.Value --output text | ampx sandbox secret set MY_SECRET --from-stdin`
 
 This stores the secret for your personal sandbox environment.
 **Branch environments (production):** Set secrets via the `ampx` CLI:
@@ -181,7 +180,7 @@ aws amplify update-app --app-id "$APP_ID" \
 > For sensitive values (API keys, tokens), use `npx ampx sandbox secret set`
 > (sandbox) or `npx ampx secret set --branch` (production) which stores in
 > SSM SecureString.
-
+>
 > **Note:** Under the hood, Amplify Gen2 `secret()` references are backed by AWS Systems Manager Parameter Store (SecureString parameters). Review access policies on the `/amplify/` parameter path in your account to ensure only authorized roles can read production secrets.
 
 Reference secrets in functions using `secret()` — see

skills/foundations/aws-amplify/references/storage-mobile.md

@@ -15,6 +15,8 @@ Imports: `amplify_flutter` + `amplify_storage_s3`. All paths wrapped with `Stora
 | Presigned URL | `Amplify.Storage.getUrl(path: const StoragePath.fromString('public/file.jpg'))`                                         |
 | Remove        | `Amplify.Storage.remove(path: const StoragePath.fromString('public/file.jpg'))`                                         |
 
+> **Security:** Amplify Gen2 enables S3 server-side encryption (SSE-S3) by default. All transfers use HTTPS (TLS in transit). For sensitive data, configure SSE-KMS with a customer-managed key via CDK overrides.
+
 Upload progress — use the `onProgress` callback parameter:
 
 ```dart