@anvil-cloud/sdk 0.0.8 → 0.0.9

package/aws/bucket.ts

@@ -7,11 +7,15 @@ import * as outputs from "../types/output";
 import * as utilities from "../utilities";
 
 import * as pulumiAws from "@pulumi/aws";
+import * as grants from "../grants";
 
 export class Bucket extends pulumi.ComponentResource {
     /** @internal */
     public static readonly __pulumiType = 'anvil:aws:Bucket';
 
+    /** @internal Logical resource name for grant policy naming. */
+    private __name: string;
+
     /**
      * Returns true if the given object is an instance of Bucket.  This is designed to work even
      * when multiple copies of the Pulumi SDK have been loaded into the same process.
@@ -23,6 +27,14 @@ export class Bucket extends pulumi.ComponentResource {
         return obj['__pulumiType'] === Bucket.__pulumiType;
     }
 
+    /**
+     * The ARN of the S3 bucket.
+     */
+    declare public /*out*/ readonly arn: pulumi.Output<string>;
+    /**
+     * The name of the S3 bucket.
+     */
+    declare public /*out*/ readonly bucketName: pulumi.Output<string>;
 
     /**
      * Create a Bucket resource with the given unique name, arguments, and options.
@@ -41,11 +53,99 @@ export class Bucket extends pulumi.ComponentResource {
             resourceInputs["dataClassification"] = args?.dataClassification;
             resourceInputs["lifecycle"] = args?.lifecycle;
             resourceInputs["transform"] = args?.transform;
+            resourceInputs["arn"] = undefined /*out*/;
+            resourceInputs["bucketName"] = undefined /*out*/;
         } else {
+            resourceInputs["arn"] = undefined /*out*/;
+            resourceInputs["bucketName"] = undefined /*out*/;
         }
         opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
         super(Bucket.__pulumiType, name, resourceInputs, opts, true /*remote*/);
+        this.__name = name;
     }
+
+    /**
+     * Grants read access (s3:GetObject, s3:ListBucket) on this bucket
+     * to the target compute resource's execution role.
+     *
+     * @param target - The compute resource to grant access to.
+     * @param paths - Optional array of path prefixes to scope access (e.g. ["uploads/*"]).
+     * @param opts - Optional grant options (justification for audit trail).
+     */
+    public grantRead(target: grants.GrantTarget, paths?: string[], opts?: grants.GrantOptions): void {
+        const name = `${this.__name}-${target.grantName()}-read`;
+        const arns = grants.buildResourceArns(this.arn, paths);
+        grants.createGrant(this, name, target, ["s3:GetObject", "s3:ListBucket"], arns, opts);
+    }
+
+    /**
+     * Grants write access (s3:PutObject) on this bucket
+     * to the target compute resource's execution role.
+     *
+     * @param target - The compute resource to grant access to.
+     * @param paths - Optional array of path prefixes to scope access (e.g. ["uploads/*"]).
+     * @param opts - Optional grant options (justification for audit trail).
+     */
+    public grantWrite(target: grants.GrantTarget, paths?: string[], opts?: grants.GrantOptions): void {
+        const name = `${this.__name}-${target.grantName()}-write`;
+        const arns = grants.buildResourceArns(this.arn, paths);
+        grants.createGrant(this, name, target, ["s3:PutObject"], arns, opts);
+    }
+
+    /**
+     * Grants readwrite access (s3:GetObject, s3:ListBucket, s3:PutObject) on this bucket
+     * to the target compute resource's execution role.
+     *
+     * @param target - The compute resource to grant access to.
+     * @param paths - Optional array of path prefixes to scope access (e.g. ["uploads/*"]).
+     * @param opts - Optional grant options (justification for audit trail).
+     */
+    public grantReadWrite(target: grants.GrantTarget, paths?: string[], opts?: grants.GrantOptions): void {
+        const name = `${this.__name}-${target.grantName()}-readwrite`;
+        const arns = grants.buildResourceArns(this.arn, paths);
+        grants.createGrant(this, name, target, ["s3:GetObject", "s3:ListBucket", "s3:PutObject"], arns, opts);
+    }
+
+    /**
+     * Grants delete access (s3:DeleteObject) on this bucket
+     * to the target compute resource's execution role.
+     *
+     * @param target - The compute resource to grant access to.
+     * @param paths - Optional array of path prefixes to scope access (e.g. ["uploads/*"]).
+     * @param opts - Optional grant options (justification for audit trail).
+     */
+    public grantDelete(target: grants.GrantTarget, paths?: string[], opts?: grants.GrantOptions): void {
+        const name = `${this.__name}-${target.grantName()}-delete`;
+        const arns = grants.buildResourceArns(this.arn, paths);
+        grants.createGrant(this, name, target, ["s3:DeleteObject"], arns, opts);
+    }
+
+    /**
+     * Grants full access (s3:GetObject, s3:ListBucket, s3:PutObject, s3:DeleteObject) on this bucket
+     * to the target compute resource's execution role.
+     *
+     * This is an escape hatch — prefer scoped grants (grantRead, grantWrite, etc.).
+     * A warning is logged if no justification is provided.
+     */
+    public grantFullAccess(target: grants.GrantTarget, opts?: grants.GrantOptions): void {
+        if (!opts?.justification) {
+            pulumi.log.warn(
+                `⚠ ${this.__name} → ${target.grantName()}: full access granted with no justification. ` +
+                `Consider scoping with grantRead, grantWrite, or grantDelete, ` +
+                `or add a justification.`,
+                this,
+            );
+        } else {
+            pulumi.log.info(
+                `ℹ ${this.__name} → ${target.grantName()}: full access granted. Justification: "${opts.justification}"`,
+                this,
+            );
+        }
+        const name = `${this.__name}-${target.grantName()}-fullaccess`;
+        const arns = grants.buildResourceArns(this.arn, undefined);
+        grants.createGrant(this, name, target, ["s3:GetObject", "s3:ListBucket", "s3:PutObject", "s3:DeleteObject"], arns, opts);
+    }
+
 }
 
 /**

package/aws/lambda.ts

@@ -7,11 +7,15 @@ import * as outputs from "../types/output";
 import * as utilities from "../utilities";
 
 import * as pulumiAws from "@pulumi/aws";
+import * as grants from "../grants";
 
 export class Lambda extends pulumi.ComponentResource {
     /** @internal */
     public static readonly __pulumiType = 'anvil:aws:Lambda';
 
+    /** @internal Logical resource name for grant policy naming. */
+    private __name: string;
+
     /**
      * Returns true if the given object is an instance of Lambda.  This is designed to work even
      * when multiple copies of the Pulumi SDK have been loaded into the same process.
@@ -23,6 +27,18 @@ export class Lambda extends pulumi.ComponentResource {
         return obj['__pulumiType'] === Lambda.__pulumiType;
     }
 
+    /**
+     * The ARN of the Lambda function.
+     */
+    declare public /*out*/ readonly arn: pulumi.Output<string>;
+    /**
+     * The name of the Lambda function.
+     */
+    declare public /*out*/ readonly functionName: pulumi.Output<string>;
+    /**
+     * The ARN of the Lambda's IAM execution role.
+     */
+    declare public /*out*/ readonly roleArn: pulumi.Output<string>;
 
     /**
      * Create a Lambda resource with the given unique name, arguments, and options.
@@ -41,11 +57,41 @@ export class Lambda extends pulumi.ComponentResource {
             resourceInputs["name"] = args?.name;
             resourceInputs["transform"] = args?.transform;
             resourceInputs["vpc"] = args?.vpc;
+            resourceInputs["arn"] = undefined /*out*/;
+            resourceInputs["functionName"] = undefined /*out*/;
+            resourceInputs["roleArn"] = undefined /*out*/;
         } else {
+            resourceInputs["arn"] = undefined /*out*/;
+            resourceInputs["functionName"] = undefined /*out*/;
+            resourceInputs["roleArn"] = undefined /*out*/;
         }
         opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
         super(Lambda.__pulumiType, name, resourceInputs, opts, true /*remote*/);
+        this.__name = name;
+    }
+
+    /**
+     * Grants invoke access (lambda:InvokeFunction) on this lambda
+     * to the target compute resource's execution role.
+     *
+     * @param target - The compute resource to grant access to.
+     * @param opts - Optional grant options (justification for audit trail).
+     */
+    public grantInvoke(target: grants.GrantTarget, opts?: grants.GrantOptions): void {
+        const name = `${this.__name}-${target.grantName()}-invoke`;
+        const arns = grants.buildResourceArns(this.arn, undefined);
+        grants.createGrant(this, name, target, ["lambda:InvokeFunction"], arns, opts);
     }
+    /** Implements GrantTarget — returns the logical resource name. */
+    public grantName(): string {
+        return this.__name;
+    }
+
+    /** Implements GrantTarget — returns the IAM execution role ARN. */
+    public grantRoleArn(): pulumi.Output<string> {
+        return this.roleArn;
+    }
+
 }
 
 /**

package/aws/svelteKitSite.ts

@@ -39,6 +39,7 @@ export class SvelteKitSite extends pulumi.ComponentResource {
             resourceInputs["domain"] = args?.domain;
             resourceInputs["environment"] = args?.environment;
             resourceInputs["path"] = args?.path;
+            resourceInputs["runtimeEnvironment"] = args?.runtimeEnvironment;
             resourceInputs["transform"] = args?.transform;
             resourceInputs["bucketName"] = undefined /*out*/;
             resourceInputs["cloudFrontDistributionId"] = undefined /*out*/;
@@ -62,7 +63,14 @@ export class SvelteKitSite extends pulumi.ComponentResource {
  */
 export interface SvelteKitSiteArgs {
     domain?: pulumi.Input<string>;
+    /**
+     * Environment vars available at BOTH build time and runtime. Values must be string literals since they're needed before the build runs. Available in SvelteKit's $env/static (build) and $env/dynamic (runtime).
+     */
     environment?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
     path?: pulumi.Input<string>;
+    /**
+     * Runtime-only environment vars set on the Lambda function. Supports Pulumi Output values (e.g. bucket.name, fn.arn). Only available in SvelteKit's $env/dynamic at request time, NOT during build/prerendering.
+     */
+    runtimeEnvironment?: pulumi.Input<string>;
     transform?: pulumi.Input<string>;
 }

package/bin/aws/bucket.d.ts

@@ -1,11 +1,20 @@
 import * as pulumi from "@pulumi/pulumi";
 import * as inputs from "../types/input";
+import * as grants from "../grants";
 export declare class Bucket extends pulumi.ComponentResource {
     /**
      * Returns true if the given object is an instance of Bucket.  This is designed to work even
      * when multiple copies of the Pulumi SDK have been loaded into the same process.
      */
     static isInstance(obj: any): obj is Bucket;
+    /**
+     * The ARN of the S3 bucket.
+     */
+    readonly arn: pulumi.Output<string>;
+    /**
+     * The name of the S3 bucket.
+     */
+    readonly bucketName: pulumi.Output<string>;
     /**
      * Create a Bucket resource with the given unique name, arguments, and options.
      *
@@ -14,6 +23,50 @@ export declare class Bucket extends pulumi.ComponentResource {
      * @param opts A bag of options that control this resource's behavior.
      */
     constructor(name: string, args: BucketArgs, opts?: pulumi.ComponentResourceOptions);
+    /**
+     * Grants read access (s3:GetObject, s3:ListBucket) on this bucket
+     * to the target compute resource's execution role.
+     *
+     * @param target - The compute resource to grant access to.
+     * @param paths - Optional array of path prefixes to scope access (e.g. ["uploads/*"]).
+     * @param opts - Optional grant options (justification for audit trail).
+     */
+    grantRead(target: grants.GrantTarget, paths?: string[], opts?: grants.GrantOptions): void;
+    /**
+     * Grants write access (s3:PutObject) on this bucket
+     * to the target compute resource's execution role.
+     *
+     * @param target - The compute resource to grant access to.
+     * @param paths - Optional array of path prefixes to scope access (e.g. ["uploads/*"]).
+     * @param opts - Optional grant options (justification for audit trail).
+     */
+    grantWrite(target: grants.GrantTarget, paths?: string[], opts?: grants.GrantOptions): void;
+    /**
+     * Grants readwrite access (s3:GetObject, s3:ListBucket, s3:PutObject) on this bucket
+     * to the target compute resource's execution role.
+     *
+     * @param target - The compute resource to grant access to.
+     * @param paths - Optional array of path prefixes to scope access (e.g. ["uploads/*"]).
+     * @param opts - Optional grant options (justification for audit trail).
+     */
+    grantReadWrite(target: grants.GrantTarget, paths?: string[], opts?: grants.GrantOptions): void;
+    /**
+     * Grants delete access (s3:DeleteObject) on this bucket
+     * to the target compute resource's execution role.
+     *
+     * @param target - The compute resource to grant access to.
+     * @param paths - Optional array of path prefixes to scope access (e.g. ["uploads/*"]).
+     * @param opts - Optional grant options (justification for audit trail).
+     */
+    grantDelete(target: grants.GrantTarget, paths?: string[], opts?: grants.GrantOptions): void;
+    /**
+     * Grants full access (s3:GetObject, s3:ListBucket, s3:PutObject, s3:DeleteObject) on this bucket
+     * to the target compute resource's execution role.
+     *
+     * This is an escape hatch — prefer scoped grants (grantRead, grantWrite, etc.).
+     * A warning is logged if no justification is provided.
+     */
+    grantFullAccess(target: grants.GrantTarget, opts?: grants.GrantOptions): void;
 }
 /**
  * The set of arguments for constructing a Bucket resource.

package/bin/aws/bucket.js

@@ -5,6 +5,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.Bucket = void 0;
 const pulumi = require("@pulumi/pulumi");
 const utilities = require("../utilities");
+const grants = require("../grants");
 class Bucket extends pulumi.ComponentResource {
     /**
      * Returns true if the given object is an instance of Bucket.  This is designed to work even
@@ -33,11 +34,88 @@ class Bucket extends pulumi.ComponentResource {
             resourceInputs["dataClassification"] = args?.dataClassification;
             resourceInputs["lifecycle"] = args?.lifecycle;
             resourceInputs["transform"] = args?.transform;
+            resourceInputs["arn"] = undefined /*out*/;
+            resourceInputs["bucketName"] = undefined /*out*/;
         }
         else {
+            resourceInputs["arn"] = undefined /*out*/;
+            resourceInputs["bucketName"] = undefined /*out*/;
         }
         opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
         super(Bucket.__pulumiType, name, resourceInputs, opts, true /*remote*/);
+        this.__name = name;
+    }
+    /**
+     * Grants read access (s3:GetObject, s3:ListBucket) on this bucket
+     * to the target compute resource's execution role.
+     *
+     * @param target - The compute resource to grant access to.
+     * @param paths - Optional array of path prefixes to scope access (e.g. ["uploads/*"]).
+     * @param opts - Optional grant options (justification for audit trail).
+     */
+    grantRead(target, paths, opts) {
+        const name = `${this.__name}-${target.grantName()}-read`;
+        const arns = grants.buildResourceArns(this.arn, paths);
+        grants.createGrant(this, name, target, ["s3:GetObject", "s3:ListBucket"], arns, opts);
+    }
+    /**
+     * Grants write access (s3:PutObject) on this bucket
+     * to the target compute resource's execution role.
+     *
+     * @param target - The compute resource to grant access to.
+     * @param paths - Optional array of path prefixes to scope access (e.g. ["uploads/*"]).
+     * @param opts - Optional grant options (justification for audit trail).
+     */
+    grantWrite(target, paths, opts) {
+        const name = `${this.__name}-${target.grantName()}-write`;
+        const arns = grants.buildResourceArns(this.arn, paths);
+        grants.createGrant(this, name, target, ["s3:PutObject"], arns, opts);
+    }
+    /**
+     * Grants readwrite access (s3:GetObject, s3:ListBucket, s3:PutObject) on this bucket
+     * to the target compute resource's execution role.
+     *
+     * @param target - The compute resource to grant access to.
+     * @param paths - Optional array of path prefixes to scope access (e.g. ["uploads/*"]).
+     * @param opts - Optional grant options (justification for audit trail).
+     */
+    grantReadWrite(target, paths, opts) {
+        const name = `${this.__name}-${target.grantName()}-readwrite`;
+        const arns = grants.buildResourceArns(this.arn, paths);
+        grants.createGrant(this, name, target, ["s3:GetObject", "s3:ListBucket", "s3:PutObject"], arns, opts);
+    }
+    /**
+     * Grants delete access (s3:DeleteObject) on this bucket
+     * to the target compute resource's execution role.
+     *
+     * @param target - The compute resource to grant access to.
+     * @param paths - Optional array of path prefixes to scope access (e.g. ["uploads/*"]).
+     * @param opts - Optional grant options (justification for audit trail).
+     */
+    grantDelete(target, paths, opts) {
+        const name = `${this.__name}-${target.grantName()}-delete`;
+        const arns = grants.buildResourceArns(this.arn, paths);
+        grants.createGrant(this, name, target, ["s3:DeleteObject"], arns, opts);
+    }
+    /**
+     * Grants full access (s3:GetObject, s3:ListBucket, s3:PutObject, s3:DeleteObject) on this bucket
+     * to the target compute resource's execution role.
+     *
+     * This is an escape hatch — prefer scoped grants (grantRead, grantWrite, etc.).
+     * A warning is logged if no justification is provided.
+     */
+    grantFullAccess(target, opts) {
+        if (!opts?.justification) {
+            pulumi.log.warn(`⚠ ${this.__name} → ${target.grantName()}: full access granted with no justification. ` +
+                `Consider scoping with grantRead, grantWrite, or grantDelete, ` +
+                `or add a justification.`, this);
+        }
+        else {
+            pulumi.log.info(`ℹ ${this.__name} → ${target.grantName()}: full access granted. Justification: "${opts.justification}"`, this);
+        }
+        const name = `${this.__name}-${target.grantName()}-fullaccess`;
+        const arns = grants.buildResourceArns(this.arn, undefined);
+        grants.createGrant(this, name, target, ["s3:GetObject", "s3:ListBucket", "s3:PutObject", "s3:DeleteObject"], arns, opts);
     }
 }
 exports.Bucket = Bucket;

package/bin/aws/bucket.js.map

@@ -1 +1 @@
-{"version":3,"file":"bucket.js","sourceRoot":"","sources":["../../aws/bucket.ts"],"names":[],"mappings":";AAAA,sEAAsE;AACtE,iFAAiF;;;AAEjF,yCAAyC;AAGzC,0CAA0C;AAI1C,MAAa,MAAO,SAAQ,MAAM,CAAC,iBAAiB;IAIhD;;;OAGG;IACI,MAAM,CAAC,UAAU,CAAC,GAAQ;QAC7B,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,KAAK,IAAI,EAAE;YACnC,OAAO,KAAK,CAAC;SAChB;QACD,OAAO,GAAG,CAAC,cAAc,CAAC,KAAK,MAAM,CAAC,YAAY,CAAC;IACvD,CAAC;IAGD;;;;;;OAMG;IACH,YAAY,IAAY,EAAE,IAAgB,EAAE,IAAsC;QAC9E,IAAI,cAAc,GAAkB,EAAE,CAAC;QACvC,IAAI,GAAG,IAAI,IAAI,EAAE,CAAC;QAClB,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE;YACV,IAAI,IAAI,EAAE,kBAAkB,KAAK,SAAS,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE;gBACrD,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAC;aACrE;YACD,cAAc,CAAC,oBAAoB,CAAC,GAAG,IAAI,EAAE,kBAAkB,CAAC;YAChE,cAAc,CAAC,WAAW,CAAC,GAAG,IAAI,EAAE,SAAS,CAAC;YAC9C,cAAc,CAAC,WAAW,CAAC,GAAG,IAAI,EAAE,SAAS,CAAC;SACjD;aAAM;SACN;QACD,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,oBAAoB,EAAE,EAAE,IAAI,CAAC,CAAC;QACnE,KAAK,CAAC,MAAM,CAAC,YAAY,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;IAC5E,CAAC;;AArCL,wBAsCC;AArCG,gBAAgB;AACO,mBAAY,GAAG,kBAAkB,CAAC"}
+{"version":3,"file":"bucket.js","sourceRoot":"","sources":["../../aws/bucket.ts"],"names":[],"mappings":";AAAA,sEAAsE;AACtE,iFAAiF;;;AAEjF,yCAAyC;AAGzC,0CAA0C;AAG1C,oCAAoC;AAEpC,MAAa,MAAO,SAAQ,MAAM,CAAC,iBAAiB;IAOhD;;;OAGG;IACI,MAAM,CAAC,UAAU,CAAC,GAAQ;QAC7B,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,KAAK,IAAI,EAAE;YACnC,OAAO,KAAK,CAAC;SAChB;QACD,OAAO,GAAG,CAAC,cAAc,CAAC,KAAK,MAAM,CAAC,YAAY,CAAC;IACvD,CAAC;IAWD;;;;;;OAMG;IACH,YAAY,IAAY,EAAE,IAAgB,EAAE,IAAsC;QAC9E,IAAI,cAAc,GAAkB,EAAE,CAAC;QACvC,IAAI,GAAG,IAAI,IAAI,EAAE,CAAC;QAClB,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE;YACV,IAAI,IAAI,EAAE,kBAAkB,KAAK,SAAS,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE;gBACrD,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAC;aACrE;YACD,cAAc,CAAC,oBAAoB,CAAC,GAAG,IAAI,EAAE,kBAAkB,CAAC;YAChE,cAAc,CAAC,WAAW,CAAC,GAAG,IAAI,EAAE,SAAS,CAAC;YAC9C,cAAc,CAAC,WAAW,CAAC,GAAG,IAAI,EAAE,SAAS,CAAC;YAC9C,cAAc,CAAC,KAAK,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YAC1C,cAAc,CAAC,YAAY,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;SACpD;aAAM;YACH,cAAc,CAAC,KAAK,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YAC1C,cAAc,CAAC,YAAY,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;SACpD;QACD,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,oBAAoB,EAAE,EAAE,IAAI,CAAC,CAAC;QACnE,KAAK,CAAC,MAAM,CAAC,YAAY,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;QACxE,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;IACvB,CAAC;IAED;;;;;;;OAOG;IACI,SAAS,CAAC,MAA0B,EAAE,KAAgB,EAAE,IAA0B;QACrF,MAAM,IAAI,GAAG,GAAG,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,SAAS,EAAE,OAAO,CAAC;QACzD,MAAM,IAAI,GAAG,MAAM,CAAC,iBAAiB,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QACvD,MAAM,CAAC,WAAW,CAAC,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,cAAc,EAAE,eAAe,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;IAC1F,CAAC;IAED;;;;;;;OAOG;IACI,UAAU,CAAC,MAA0B,EAAE,KAAgB,EAAE,IAA0B;QACtF,MAAM,IAAI,GAAG,GAAG,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,SAAS,EAAE,QAAQ,CAAC;QAC1D,MAAM,IAAI,GAAG,MAAM,CAAC,iBAAiB,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QACvD,MAAM,CAAC,WAAW,CAAC,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,cAAc,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;IACzE,CAAC;IAED;;;;;;;OAOG;IACI,cAAc,CAAC,MAA0B,EAAE,KAAgB,EAAE,IAA0B;QAC1F,MAAM,IAAI,GAAG,GAAG,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC;QAC9D,MAAM,IAAI,GAAG,MAAM,CAAC,iBAAiB,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QACvD,MAAM,CAAC,WAAW,CAAC,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,cAAc,EAAE,eAAe,EAAE,cAAc,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;IAC1G,CAAC;IAED;;;;;;;OAOG;IACI,WAAW,CAAC,MAA0B,EAAE,KAAgB,EAAE,IAA0B;QACvF,MAAM,IAAI,GAAG,GAAG,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,SAAS,EAAE,SAAS,CAAC;QAC3D,MAAM,IAAI,GAAG,MAAM,CAAC,iBAAiB,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QACvD,MAAM,CAAC,WAAW,CAAC,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,iBAAiB,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;IAC5E,CAAC;IAED;;;;;;OAMG;IACI,eAAe,CAAC,MAA0B,EAAE,IAA0B;QACzE,IAAI,CAAC,IAAI,EAAE,aAAa,EAAE;YACtB,MAAM,CAAC,GAAG,CAAC,IAAI,CACX,KAAK,IAAI,CAAC,MAAM,MAAM,MAAM,CAAC,SAAS,EAAE,+CAA+C;gBACvF,+DAA+D;gBAC/D,yBAAyB,EACzB,IAAI,CACP,CAAC;SACL;aAAM;YACH,MAAM,CAAC,GAAG,CAAC,IAAI,CACX,KAAK,IAAI,CAAC,MAAM,MAAM,MAAM,CAAC,SAAS,EAAE,0CAA0C,IAAI,CAAC,aAAa,GAAG,EACvG,IAAI,CACP,CAAC;SACL;QACD,MAAM,IAAI,GAAG,GAAG,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,SAAS,EAAE,aAAa,CAAC;QAC/D,MAAM,IAAI,GAAG,MAAM,CAAC,iBAAiB,CAAC,IAAI,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;QAC3D,MAAM,CAAC,WAAW,CAAC,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,cAAc,EAAE,eAAe,EAAE,cAAc,EAAE,iBAAiB,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;IAC7H,CAAC;;AAvIL,wBAyIC;AAxIG,gBAAgB;AACO,mBAAY,GAAG,kBAAkB,CAAC"}

package/bin/aws/lambda.d.ts

@@ -1,11 +1,24 @@
 import * as pulumi from "@pulumi/pulumi";
 import * as inputs from "../types/input";
+import * as grants from "../grants";
 export declare class Lambda extends pulumi.ComponentResource {
     /**
      * Returns true if the given object is an instance of Lambda.  This is designed to work even
      * when multiple copies of the Pulumi SDK have been loaded into the same process.
      */
     static isInstance(obj: any): obj is Lambda;
+    /**
+     * The ARN of the Lambda function.
+     */
+    readonly arn: pulumi.Output<string>;
+    /**
+     * The name of the Lambda function.
+     */
+    readonly functionName: pulumi.Output<string>;
+    /**
+     * The ARN of the Lambda's IAM execution role.
+     */
+    readonly roleArn: pulumi.Output<string>;
     /**
      * Create a Lambda resource with the given unique name, arguments, and options.
      *
@@ -14,6 +27,18 @@ export declare class Lambda extends pulumi.ComponentResource {
      * @param opts A bag of options that control this resource's behavior.
      */
     constructor(name: string, args: LambdaArgs, opts?: pulumi.ComponentResourceOptions);
+    /**
+     * Grants invoke access (lambda:InvokeFunction) on this lambda
+     * to the target compute resource's execution role.
+     *
+     * @param target - The compute resource to grant access to.
+     * @param opts - Optional grant options (justification for audit trail).
+     */
+    grantInvoke(target: grants.GrantTarget, opts?: grants.GrantOptions): void;
+    /** Implements GrantTarget — returns the logical resource name. */
+    grantName(): string;
+    /** Implements GrantTarget — returns the IAM execution role ARN. */
+    grantRoleArn(): pulumi.Output<string>;
 }
 /**
  * The set of arguments for constructing a Lambda resource.

package/bin/aws/lambda.js

@@ -5,6 +5,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.Lambda = void 0;
 const pulumi = require("@pulumi/pulumi");
 const utilities = require("../utilities");
+const grants = require("../grants");
 class Lambda extends pulumi.ComponentResource {
     /**
      * Returns true if the given object is an instance of Lambda.  This is designed to work even
@@ -33,11 +34,38 @@ class Lambda extends pulumi.ComponentResource {
             resourceInputs["name"] = args?.name;
             resourceInputs["transform"] = args?.transform;
             resourceInputs["vpc"] = args?.vpc;
+            resourceInputs["arn"] = undefined /*out*/;
+            resourceInputs["functionName"] = undefined /*out*/;
+            resourceInputs["roleArn"] = undefined /*out*/;
         }
         else {
+            resourceInputs["arn"] = undefined /*out*/;
+            resourceInputs["functionName"] = undefined /*out*/;
+            resourceInputs["roleArn"] = undefined /*out*/;
         }
         opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
         super(Lambda.__pulumiType, name, resourceInputs, opts, true /*remote*/);
+        this.__name = name;
+    }
+    /**
+     * Grants invoke access (lambda:InvokeFunction) on this lambda
+     * to the target compute resource's execution role.
+     *
+     * @param target - The compute resource to grant access to.
+     * @param opts - Optional grant options (justification for audit trail).
+     */
+    grantInvoke(target, opts) {
+        const name = `${this.__name}-${target.grantName()}-invoke`;
+        const arns = grants.buildResourceArns(this.arn, undefined);
+        grants.createGrant(this, name, target, ["lambda:InvokeFunction"], arns, opts);
+    }
+    /** Implements GrantTarget — returns the logical resource name. */
+    grantName() {
+        return this.__name;
+    }
+    /** Implements GrantTarget — returns the IAM execution role ARN. */
+    grantRoleArn() {
+        return this.roleArn;
     }
 }
 exports.Lambda = Lambda;

package/bin/aws/lambda.js.map

@@ -1 +1 @@
-{"version":3,"file":"lambda.js","sourceRoot":"","sources":["../../aws/lambda.ts"],"names":[],"mappings":";AAAA,sEAAsE;AACtE,iFAAiF;;;AAEjF,yCAAyC;AAGzC,0CAA0C;AAI1C,MAAa,MAAO,SAAQ,MAAM,CAAC,iBAAiB;IAIhD;;;OAGG;IACI,MAAM,CAAC,UAAU,CAAC,GAAQ;QAC7B,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,KAAK,IAAI,EAAE;YACnC,OAAO,KAAK,CAAC;SAChB;QACD,OAAO,GAAG,CAAC,cAAc,CAAC,KAAK,MAAM,CAAC,YAAY,CAAC;IACvD,CAAC;IAGD;;;;;;OAMG;IACH,YAAY,IAAY,EAAE,IAAgB,EAAE,IAAsC;QAC9E,IAAI,cAAc,GAAkB,EAAE,CAAC;QACvC,IAAI,GAAG,IAAI,IAAI,EAAE,CAAC;QAClB,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE;YACV,IAAI,IAAI,EAAE,IAAI,KAAK,SAAS,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE;gBACvC,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;aACvD;YACD,cAAc,CAAC,MAAM,CAAC,GAAG,IAAI,EAAE,IAAI,CAAC;YACpC,cAAc,CAAC,WAAW,CAAC,GAAG,IAAI,EAAE,SAAS,CAAC;YAC9C,cAAc,CAAC,KAAK,CAAC,GAAG,IAAI,EAAE,GAAG,CAAC;SACrC;aAAM;SACN;QACD,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,oBAAoB,EAAE,EAAE,IAAI,CAAC,CAAC;QACnE,KAAK,CAAC,MAAM,CAAC,YAAY,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;IAC5E,CAAC;;AArCL,wBAsCC;AArCG,gBAAgB;AACO,mBAAY,GAAG,kBAAkB,CAAC"}
+{"version":3,"file":"lambda.js","sourceRoot":"","sources":["../../aws/lambda.ts"],"names":[],"mappings":";AAAA,sEAAsE;AACtE,iFAAiF;;;AAEjF,yCAAyC;AAGzC,0CAA0C;AAG1C,oCAAoC;AAEpC,MAAa,MAAO,SAAQ,MAAM,CAAC,iBAAiB;IAOhD;;;OAGG;IACI,MAAM,CAAC,UAAU,CAAC,GAAQ;QAC7B,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,KAAK,IAAI,EAAE;YACnC,OAAO,KAAK,CAAC;SAChB;QACD,OAAO,GAAG,CAAC,cAAc,CAAC,KAAK,MAAM,CAAC,YAAY,CAAC;IACvD,CAAC;IAeD;;;;;;OAMG;IACH,YAAY,IAAY,EAAE,IAAgB,EAAE,IAAsC;QAC9E,IAAI,cAAc,GAAkB,EAAE,CAAC;QACvC,IAAI,GAAG,IAAI,IAAI,EAAE,CAAC;QAClB,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE;YACV,IAAI,IAAI,EAAE,IAAI,KAAK,SAAS,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE;gBACvC,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;aACvD;YACD,cAAc,CAAC,MAAM,CAAC,GAAG,IAAI,EAAE,IAAI,CAAC;YACpC,cAAc,CAAC,WAAW,CAAC,GAAG,IAAI,EAAE,SAAS,CAAC;YAC9C,cAAc,CAAC,KAAK,CAAC,GAAG,IAAI,EAAE,GAAG,CAAC;YAClC,cAAc,CAAC,KAAK,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YAC1C,cAAc,CAAC,cAAc,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YACnD,cAAc,CAAC,SAAS,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;SACjD;aAAM;YACH,cAAc,CAAC,KAAK,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YAC1C,cAAc,CAAC,cAAc,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YACnD,cAAc,CAAC,SAAS,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;SACjD;QACD,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,oBAAoB,EAAE,EAAE,IAAI,CAAC,CAAC;QACnE,KAAK,CAAC,MAAM,CAAC,YAAY,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;QACxE,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;IACvB,CAAC;IAED;;;;;;OAMG;IACI,WAAW,CAAC,MAA0B,EAAE,IAA0B;QACrE,MAAM,IAAI,GAAG,GAAG,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,SAAS,EAAE,SAAS,CAAC;QAC3D,MAAM,IAAI,GAAG,MAAM,CAAC,iBAAiB,CAAC,IAAI,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;QAC3D,MAAM,CAAC,WAAW,CAAC,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,uBAAuB,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;IAClF,CAAC;IACD,kEAAkE;IAC3D,SAAS;QACZ,OAAO,IAAI,CAAC,MAAM,CAAC;IACvB,CAAC;IAED,mEAAmE;IAC5D,YAAY;QACf,OAAO,IAAI,CAAC,OAAO,CAAC;IACxB,CAAC;;AAjFL,wBAmFC;AAlFG,gBAAgB;AACO,mBAAY,GAAG,kBAAkB,CAAC"}

package/bin/aws/svelteKitSite.d.ts

@@ -24,9 +24,16 @@ export declare class SvelteKitSite extends pulumi.ComponentResource {
  */
 export interface SvelteKitSiteArgs {
     domain?: pulumi.Input<string>;
+    /**
+     * Environment vars available at BOTH build time and runtime. Values must be string literals since they're needed before the build runs. Available in SvelteKit's $env/static (build) and $env/dynamic (runtime).
+     */
     environment?: pulumi.Input<{
         [key: string]: pulumi.Input<string>;
     }>;
     path?: pulumi.Input<string>;
+    /**
+     * Runtime-only environment vars set on the Lambda function. Supports Pulumi Output values (e.g. bucket.name, fn.arn). Only available in SvelteKit's $env/dynamic at request time, NOT during build/prerendering.
+     */
+    runtimeEnvironment?: pulumi.Input<string>;
     transform?: pulumi.Input<string>;
 }

package/bin/aws/svelteKitSite.js

@@ -30,6 +30,7 @@ class SvelteKitSite extends pulumi.ComponentResource {
             resourceInputs["domain"] = args?.domain;
             resourceInputs["environment"] = args?.environment;
             resourceInputs["path"] = args?.path;
+            resourceInputs["runtimeEnvironment"] = args?.runtimeEnvironment;
             resourceInputs["transform"] = args?.transform;
             resourceInputs["bucketName"] = undefined /*out*/;
             resourceInputs["cloudFrontDistributionId"] = undefined /*out*/;

package/bin/aws/svelteKitSite.js.map

@@ -1 +1 @@
-{"version":3,"file":"svelteKitSite.js","sourceRoot":"","sources":["../../aws/svelteKitSite.ts"],"names":[],"mappings":";AAAA,sEAAsE;AACtE,iFAAiF;;;AAEjF,yCAAyC;AACzC,0CAA0C;AAE1C,MAAa,aAAc,SAAQ,MAAM,CAAC,iBAAiB;IAIvD;;;OAGG;IACI,MAAM,CAAC,UAAU,CAAC,GAAQ;QAC7B,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,KAAK,IAAI,EAAE;YACnC,OAAO,KAAK,CAAC;SAChB;QACD,OAAO,GAAG,CAAC,cAAc,CAAC,KAAK,aAAa,CAAC,YAAY,CAAC;IAC9D,CAAC;IAQD;;;;;;OAMG;IACH,YAAY,IAAY,EAAE,IAAwB,EAAE,IAAsC;QACtF,IAAI,cAAc,GAAkB,EAAE,CAAC;QACvC,IAAI,GAAG,IAAI,IAAI,EAAE,CAAC;QAClB,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE;YACV,cAAc,CAAC,QAAQ,CAAC,GAAG,IAAI,EAAE,MAAM,CAAC;YACxC,cAAc,CAAC,aAAa,CAAC,GAAG,IAAI,EAAE,WAAW,CAAC;YAClD,cAAc,CAAC,MAAM,CAAC,GAAG,IAAI,EAAE,IAAI,CAAC;YACpC,cAAc,CAAC,WAAW,CAAC,GAAG,IAAI,EAAE,SAAS,CAAC;YAC9C,cAAc,CAAC,YAAY,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YACjD,cAAc,CAAC,0BAA0B,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YAC/D,cAAc,CAAC,YAAY,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YACjD,cAAc,CAAC,cAAc,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YACnD,cAAc,CAAC,KAAK,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;SAC7C;aAAM;YACH,cAAc,CAAC,YAAY,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YACjD,cAAc,CAAC,0BAA0B,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YAC/D,cAAc,CAAC,YAAY,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YACjD,cAAc,CAAC,cAAc,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YACnD,cAAc,CAAC,KAAK,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;SAC7C;QACD,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,oBAAoB,EAAE,EAAE,IAAI,CAAC,CAAC;QACnE,KAAK,CAAC,aAAa,CAAC,YAAY,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;IACnF,CAAC;;AAlDL,sCAmDC;AAlDG,gBAAgB;AACO,0BAAY,GAAG,yBAAyB,CAAC"}
+{"version":3,"file":"svelteKitSite.js","sourceRoot":"","sources":["../../aws/svelteKitSite.ts"],"names":[],"mappings":";AAAA,sEAAsE;AACtE,iFAAiF;;;AAEjF,yCAAyC;AACzC,0CAA0C;AAE1C,MAAa,aAAc,SAAQ,MAAM,CAAC,iBAAiB;IAIvD;;;OAGG;IACI,MAAM,CAAC,UAAU,CAAC,GAAQ;QAC7B,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,KAAK,IAAI,EAAE;YACnC,OAAO,KAAK,CAAC;SAChB;QACD,OAAO,GAAG,CAAC,cAAc,CAAC,KAAK,aAAa,CAAC,YAAY,CAAC;IAC9D,CAAC;IAQD;;;;;;OAMG;IACH,YAAY,IAAY,EAAE,IAAwB,EAAE,IAAsC;QACtF,IAAI,cAAc,GAAkB,EAAE,CAAC;QACvC,IAAI,GAAG,IAAI,IAAI,EAAE,CAAC;QAClB,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE;YACV,cAAc,CAAC,QAAQ,CAAC,GAAG,IAAI,EAAE,MAAM,CAAC;YACxC,cAAc,CAAC,aAAa,CAAC,GAAG,IAAI,EAAE,WAAW,CAAC;YAClD,cAAc,CAAC,MAAM,CAAC,GAAG,IAAI,EAAE,IAAI,CAAC;YACpC,cAAc,CAAC,oBAAoB,CAAC,GAAG,IAAI,EAAE,kBAAkB,CAAC;YAChE,cAAc,CAAC,WAAW,CAAC,GAAG,IAAI,EAAE,SAAS,CAAC;YAC9C,cAAc,CAAC,YAAY,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YACjD,cAAc,CAAC,0BAA0B,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YAC/D,cAAc,CAAC,YAAY,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YACjD,cAAc,CAAC,cAAc,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YACnD,cAAc,CAAC,KAAK,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;SAC7C;aAAM;YACH,cAAc,CAAC,YAAY,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YACjD,cAAc,CAAC,0BAA0B,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YAC/D,cAAc,CAAC,YAAY,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YACjD,cAAc,CAAC,cAAc,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;YACnD,cAAc,CAAC,KAAK,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;SAC7C;QACD,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,oBAAoB,EAAE,EAAE,IAAI,CAAC,CAAC;QACnE,KAAK,CAAC,aAAa,CAAC,YAAY,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;IACnF,CAAC;;AAnDL,sCAoDC;AAnDG,gBAAgB;AACO,0BAAY,GAAG,yBAAyB,CAAC"}

package/bin/grants.d.ts

@@ -0,0 +1,25 @@
+import * as pulumi from '@pulumi/pulumi';
+/**
+ * GrantTarget is any Anvil compute resource that can receive IAM permissions.
+ * Compute resources (Lambda, SvelteKitSite, etc.) satisfy this interface.
+ */
+export interface GrantTarget {
+    /**
+     * The logical resource name passed to the constructor.
+     */
+    grantName(): string;
+    /**
+     * The ARN of the IAM execution role attached to this compute resource.
+     */
+    grantRoleArn(): pulumi.Output<string>;
+}
+/**
+ * Optional metadata for grant methods.
+ */
+export interface GrantOptions {
+    /**
+     * Documents why this grant is needed.
+     * Stored as a tag on the generated IAM policy resource for audit purposes.
+     */
+    justification?: string;
+}

package/bin/grants.js

@@ -0,0 +1,74 @@
+"use strict";
+// sdk/nodejs/grants.ts
+// Hand-written. Backed up/restored during gen-sdk like app.ts and block.ts.
+//
+// Provides the runtime grant execution for all resource grant methods.
+// Each resource's grant methods (injected by fix-sdk-grants.js) delegate here.
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.buildResourceArns = exports.createGrant = void 0;
+const pulumi = require("@pulumi/pulumi");
+const aws = require("@pulumi/aws");
+/**
+ * Creates a scoped IAM RolePolicy granting the specified actions on the
+ * specified resource ARNs to the target's execution role.
+ *
+ * This is the core engine that all resource-specific grant methods delegate to.
+ *
+ * @internal
+ */
+function createGrant(parent, name, target, actions, resourceArns, opts) {
+    const policyDocument = pulumi.all(resourceArns).apply((arns) => JSON.stringify({
+        Version: '2012-10-17',
+        Statement: [
+            {
+                Effect: 'Allow',
+                Action: actions,
+                Resource: arns,
+            },
+        ],
+    }));
+    // Extract role name from ARN (everything after the last "/")
+    const roleName = target.grantRoleArn().apply((arn) => {
+        const idx = arn.lastIndexOf('/');
+        return idx >= 0 ? arn.substring(idx + 1) : arn;
+    });
+    // Justification is stored in the resource name suffix for audit trail.
+    // Future: compliance audit trail (Pro tier) will capture this metadata separately.
+    const policyName = opts?.justification
+        ? `${name}-${sanitize(opts.justification)}`
+        : name;
+    new aws.iam.RolePolicy(policyName, {
+        role: roleName,
+        policy: policyDocument,
+    }, { parent });
+}
+exports.createGrant = createGrant;
+/** @internal Sanitize a string for use in resource names. */
+function sanitize(s) {
+    return s
+        .toLowerCase()
+        .replace(/[^a-z0-9]+/g, '-')
+        .slice(0, 40);
+}
+/**
+ * Builds the list of ARNs for a grant based on a base ARN and optional path scoping.
+ *
+ * - No paths: grants access to the entire resource (baseArn + baseArn/*)
+ * - With paths: grants access to baseArn (for list operations) + each scoped path
+ *
+ * @internal
+ */
+function buildResourceArns(baseArn, paths) {
+    const arns = [baseArn];
+    if (!paths || paths.length === 0) {
+        arns.push(pulumi.interpolate `${baseArn}/*`);
+    }
+    else {
+        for (const p of paths) {
+            arns.push(pulumi.interpolate `${baseArn}/${p}`);
+        }
+    }
+    return arns;
+}
+exports.buildResourceArns = buildResourceArns;
+//# sourceMappingURL=grants.js.map

package/bin/grants.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"grants.js","sourceRoot":"","sources":["../grants.ts"],"names":[],"mappings":";AAAA,uBAAuB;AACvB,4EAA4E;AAC5E,EAAE;AACF,uEAAuE;AACvE,+EAA+E;;;AAE/E,yCAAyC;AACzC,mCAAmC;AA6BnC;;;;;;;GAOG;AACH,SAAgB,WAAW,CACzB,MAAuB,EACvB,IAAY,EACZ,MAAmB,EACnB,OAAiB,EACjB,YAAqC,EACrC,IAAmB;IAEnB,MAAM,cAAc,GAAG,MAAM,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC,KAAK,CAAC,CAAC,IAAI,EAAE,EAAE,CAC7D,IAAI,CAAC,SAAS,CAAC;QACb,OAAO,EAAE,YAAY;QACrB,SAAS,EAAE;YACT;gBACE,MAAM,EAAE,OAAO;gBACf,MAAM,EAAE,OAAO;gBACf,QAAQ,EAAE,IAAI;aACf;SACF;KACF,CAAC,CACH,CAAC;IAEF,6DAA6D;IAC7D,MAAM,QAAQ,GAAG,MAAM,CAAC,YAAY,EAAE,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;QACnD,MAAM,GAAG,GAAG,GAAG,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;QACjC,OAAO,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;IACjD,CAAC,CAAC,CAAC;IAEH,uEAAuE;IACvE,mFAAmF;IACnF,MAAM,UAAU,GAAG,IAAI,EAAE,aAAa;QACpC,CAAC,CAAC,GAAG,IAAI,IAAI,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC,EAAE;QAC3C,CAAC,CAAC,IAAI,CAAC;IAET,IAAI,GAAG,CAAC,GAAG,CAAC,UAAU,CACpB,UAAU,EACV;QACE,IAAI,EAAE,QAAQ;QACd,MAAM,EAAE,cAAc;KACvB,EACD,EAAE,MAAM,EAAE,CACX,CAAC;AACJ,CAAC;AAzCD,kCAyCC;AAED,6DAA6D;AAC7D,SAAS,QAAQ,CAAC,CAAS;IACzB,OAAO,CAAC;SACL,WAAW,EAAE;SACb,OAAO,CAAC,aAAa,EAAE,GAAG,CAAC;SAC3B,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AAClB,CAAC;AAED;;;;;;;GAOG;AACH,SAAgB,iBAAiB,CAC/B,OAA8B,EAC9B,KAAgB;IAEhB,MAAM,IAAI,GAA4B,CAAC,OAAO,CAAC,CAAC;IAEhD,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE;QAChC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,WAAW,CAAA,GAAG,OAAO,IAAI,CAAC,CAAC;KAC7C;SAAM;QACL,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE;YACrB,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,WAAW,CAAA,GAAG,OAAO,IAAI,CAAC,EAAE,CAAC,CAAC;SAChD;KACF;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAfD,8CAeC"}

package/bin/index.d.ts

@@ -8,6 +8,7 @@ import * as types from "./types";
 export { aws, gcp, types, };
 export { App, AppConfig, Context, AwsProviderConfig, GcpProviderConfig, DefaultsConfig } from "./app";
 export { Block, BlockArgs } from "./block";
+export * from "./grants";
 export { ComponentResource, ComponentResourceOptions, CustomResource, ResourceOptions, ProviderResource, Config, output, all, secret, interpolate, concat, getProject, getStack, } from "@pulumi/pulumi";
 export type { Output, Input, Inputs } from "@pulumi/pulumi";
 export { pulumi };

package/bin/index.js

@@ -1,6 +1,20 @@
 "use strict";
 // *** WARNING: this file was generated by pulumi-language-nodejs. ***
 // *** Do not edit by hand unless you're certain you know what you are doing! ***
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.pulumi = exports.getStack = exports.getProject = exports.concat = exports.interpolate = exports.secret = exports.all = exports.output = exports.Config = exports.ProviderResource = exports.CustomResource = exports.ComponentResource = exports.Block = exports.App = exports.types = exports.gcp = exports.aws = exports.Provider = void 0;
 const pulumi = require("@pulumi/pulumi");
@@ -30,6 +44,8 @@ Object.defineProperty(exports, "App", { enumerable: true, get: function () { ret
 // Hand-written Block class
 var block_1 = require("./block");
 Object.defineProperty(exports, "Block", { enumerable: true, get: function () { return block_1.Block; } });
+// Grant helpers
+__exportStar(require("./grants"), exports);
 // Re-exported Pulumi primitives
 // Users can import anvil.Output, anvil.ComponentResource, etc. without @pulumi/pulumi
 var pulumi_1 = require("@pulumi/pulumi");

package/bin/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../index.ts"],"names":[],"mappings":";AAAA,sEAAsE;AACtE,iFAAiF;;;AAEjF,yCAAyC;AAyDhC,wBAAM;AAxDf,yCAAyC;AAK5B,QAAA,QAAQ,GAAyC,IAAW,CAAC;AAC1E,SAAS,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,UAAU,CAAC,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC,CAAC;AAGvE,sBAAsB;AACtB,6BAA6B;AAKzB,kBAAG;AAJP,6BAA6B;AAKzB,kBAAG;AAJP,iCAAiC;AAK7B,sBAAK;AAET,MAAM,CAAC,OAAO,CAAC,uBAAuB,CAAC,OAAO,EAAE;IAC5C,OAAO,EAAE,SAAS,CAAC,UAAU,EAAE;IAC/B,iBAAiB,EAAE,CAAC,IAAY,EAAE,IAAY,EAAE,GAAW,EAA2B,EAAE;QACpF,IAAI,IAAI,KAAK,wBAAwB,EAAE;YACnC,MAAM,IAAI,KAAK,CAAC,yBAAyB,IAAI,EAAE,CAAC,CAAC;SACpD;QACD,OAAO,IAAI,gBAAQ,CAAC,IAAI,EAAO,SAAS,EAAE,EAAE,GAAG,EAAE,CAAC,CAAC;IACvD,CAAC;CACJ,CAAC,CAAC;AAEH,yBAAyB;AACzB,6BAAsG;AAA7F,0FAAA,GAAG,OAAA;AAEZ,2BAA2B;AAC3B,iCAA2C;AAAlC,8FAAA,KAAK,OAAA;AAEd,gCAAgC;AAChC,sFAAsF;AACtF,yCAcwB;AAbtB,2GAAA,iBAAiB,OAAA;AAEjB,wGAAA,cAAc,OAAA;AAEd,0GAAA,gBAAgB,OAAA;AAChB,gGAAA,MAAM,OAAA;AACN,gGAAA,MAAM,OAAA;AACN,6FAAA,GAAG,OAAA;AACH,gGAAA,MAAM,OAAA;AACN,qGAAA,WAAW,OAAA;AACX,gGAAA,MAAM,OAAA;AACN,oGAAA,UAAU,OAAA;AACV,kGAAA,QAAQ,OAAA"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../index.ts"],"names":[],"mappings":";AAAA,sEAAsE;AACtE,iFAAiF;;;;;;;;;;;;;;;;;AAEjF,yCAAyC;AA4DhC,wBAAM;AA3Df,yCAAyC;AAK5B,QAAA,QAAQ,GAAyC,IAAW,CAAC;AAC1E,SAAS,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,UAAU,CAAC,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC,CAAC;AAGvE,sBAAsB;AACtB,6BAA6B;AAKzB,kBAAG;AAJP,6BAA6B;AAKzB,kBAAG;AAJP,iCAAiC;AAK7B,sBAAK;AAET,MAAM,CAAC,OAAO,CAAC,uBAAuB,CAAC,OAAO,EAAE;IAC5C,OAAO,EAAE,SAAS,CAAC,UAAU,EAAE;IAC/B,iBAAiB,EAAE,CAAC,IAAY,EAAE,IAAY,EAAE,GAAW,EAA2B,EAAE;QACpF,IAAI,IAAI,KAAK,wBAAwB,EAAE;YACnC,MAAM,IAAI,KAAK,CAAC,yBAAyB,IAAI,EAAE,CAAC,CAAC;SACpD;QACD,OAAO,IAAI,gBAAQ,CAAC,IAAI,EAAO,SAAS,EAAE,EAAE,GAAG,EAAE,CAAC,CAAC;IACvD,CAAC;CACJ,CAAC,CAAC;AAEH,yBAAyB;AACzB,6BAAsG;AAA7F,0FAAA,GAAG,OAAA;AAEZ,2BAA2B;AAC3B,iCAA2C;AAAlC,8FAAA,KAAK,OAAA;AAEd,gBAAgB;AAChB,2CAAyB;AAEzB,gCAAgC;AAChC,sFAAsF;AACtF,yCAcwB;AAbtB,2GAAA,iBAAiB,OAAA;AAEjB,wGAAA,cAAc,OAAA;AAEd,0GAAA,gBAAgB,OAAA;AAChB,gGAAA,MAAM,OAAA;AACN,gGAAA,MAAM,OAAA;AACN,6FAAA,GAAG,OAAA;AACH,gGAAA,MAAM,OAAA;AACN,qGAAA,WAAW,OAAA;AACX,gGAAA,MAAM,OAAA;AACN,oGAAA,UAAU,OAAA;AACV,kGAAA,QAAQ,OAAA"}

package/bin/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@anvil-cloud/sdk",
-  "version": "0.0.8",
+  "version": "0.0.9",
   "scripts": {
     "build": "tsc && cp package.json bin/"
   },

package/grants.ts

@@ -0,0 +1,119 @@
+// sdk/nodejs/grants.ts
+// Hand-written. Backed up/restored during gen-sdk like app.ts and block.ts.
+//
+// Provides the runtime grant execution for all resource grant methods.
+// Each resource's grant methods (injected by fix-sdk-grants.js) delegate here.
+
+import * as pulumi from '@pulumi/pulumi';
+import * as aws from '@pulumi/aws';
+
+/**
+ * GrantTarget is any Anvil compute resource that can receive IAM permissions.
+ * Compute resources (Lambda, SvelteKitSite, etc.) satisfy this interface.
+ */
+export interface GrantTarget {
+  /**
+   * The logical resource name passed to the constructor.
+   */
+  grantName(): string;
+
+  /**
+   * The ARN of the IAM execution role attached to this compute resource.
+   */
+  grantRoleArn(): pulumi.Output<string>;
+}
+
+/**
+ * Optional metadata for grant methods.
+ */
+export interface GrantOptions {
+  /**
+   * Documents why this grant is needed.
+   * Stored as a tag on the generated IAM policy resource for audit purposes.
+   */
+  justification?: string;
+}
+
+/**
+ * Creates a scoped IAM RolePolicy granting the specified actions on the
+ * specified resource ARNs to the target's execution role.
+ *
+ * This is the core engine that all resource-specific grant methods delegate to.
+ *
+ * @internal
+ */
+export function createGrant(
+  parent: pulumi.Resource,
+  name: string,
+  target: GrantTarget,
+  actions: string[],
+  resourceArns: pulumi.Output<string>[],
+  opts?: GrantOptions
+): void {
+  const policyDocument = pulumi.all(resourceArns).apply((arns) =>
+    JSON.stringify({
+      Version: '2012-10-17',
+      Statement: [
+        {
+          Effect: 'Allow',
+          Action: actions,
+          Resource: arns,
+        },
+      ],
+    })
+  );
+
+  // Extract role name from ARN (everything after the last "/")
+  const roleName = target.grantRoleArn().apply((arn) => {
+    const idx = arn.lastIndexOf('/');
+    return idx >= 0 ? arn.substring(idx + 1) : arn;
+  });
+
+  // Justification is stored in the resource name suffix for audit trail.
+  // Future: compliance audit trail (Pro tier) will capture this metadata separately.
+  const policyName = opts?.justification
+    ? `${name}-${sanitize(opts.justification)}`
+    : name;
+
+  new aws.iam.RolePolicy(
+    policyName,
+    {
+      role: roleName,
+      policy: policyDocument,
+    },
+    { parent }
+  );
+}
+
+/** @internal Sanitize a string for use in resource names. */
+function sanitize(s: string): string {
+  return s
+    .toLowerCase()
+    .replace(/[^a-z0-9]+/g, '-')
+    .slice(0, 40);
+}
+
+/**
+ * Builds the list of ARNs for a grant based on a base ARN and optional path scoping.
+ *
+ * - No paths: grants access to the entire resource (baseArn + baseArn/*)
+ * - With paths: grants access to baseArn (for list operations) + each scoped path
+ *
+ * @internal
+ */
+export function buildResourceArns(
+  baseArn: pulumi.Output<string>,
+  paths?: string[]
+): pulumi.Output<string>[] {
+  const arns: pulumi.Output<string>[] = [baseArn];
+
+  if (!paths || paths.length === 0) {
+    arns.push(pulumi.interpolate`${baseArn}/*`);
+  } else {
+    for (const p of paths) {
+      arns.push(pulumi.interpolate`${baseArn}/${p}`);
+    }
+  }
+
+  return arns;
+}

package/index.ts

@@ -37,6 +37,9 @@ export { App, AppConfig, Context, AwsProviderConfig, GcpProviderConfig, Defaults
 // Hand-written Block class
 export { Block, BlockArgs } from "./block";
 
+// Grant helpers
+export * from "./grants";
+
 // Re-exported Pulumi primitives
 // Users can import anvil.Output, anvil.ComponentResource, etc. without @pulumi/pulumi
 export {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@anvil-cloud/sdk",
-  "version": "0.0.8",
+  "version": "0.0.9",
   "scripts": {
     "build": "tsc && cp package.json bin/"
   },