@appliance.sh/api-server 1.16.1 → 1.18.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@appliance.sh/api-server",
-  "version": "1.16.1",
+  "version": "1.18.0",
   "description": "",
   "author": "Eliot Lim",
   "repository": "https://github.com/appliance-sh/appliance.sh",
@@ -19,11 +19,9 @@
     "test:e2e": "vitest run --config vitest.e2e.config.ts"
   },
   "dependencies": {
-    "@appliance.sh/infra": "1.16.1",
-    "@appliance.sh/sdk": "1.16.1",
-    "@pulumi/aws": "^7.16.0",
-    "@pulumi/aws-native": "^1.48.0",
-    "@pulumi/pulumi": "^3.216.0",
+    "@appliance.sh/infra": "1.18.0",
+    "@appliance.sh/sdk": "1.18.0",
+    "@aws-sdk/client-s3": "^3.750.0",
     "express": "^5.2.1"
   },
   "devDependencies": {

package/src/app.controller.spec.ts

@@ -10,3 +10,12 @@ describe('Index Route', () => {
     expect(response.text).toBe('Hello World!');
   });
 });
+
+describe('Authenticated routes', () => {
+  it('should return 401 for /api/v1/projects without auth', async () => {
+    const app = createApp();
+    const response = await request(app).get('/api/v1/projects');
+    expect(response.status).toBe(401);
+    expect(response.body.error).toBe('Missing signature headers');
+  });
+});

package/src/main.ts

@@ -1,15 +1,32 @@
 import express from 'express';
 import { indexRoutes } from './routes';
 import { infraRoutes } from './routes/infra';
+import { projectRoutes } from './routes/projects';
+import { environmentRoutes } from './routes/environments';
+import { deploymentRoutes } from './routes/deployments';
+import { bootstrapRoutes } from './routes/bootstrap';
+import { signatureAuth } from './middleware/auth';
 
 export function createApp() {
   const app = express();
 
-  app.use(express.json());
+  app.use(
+    express.json({
+      verify: (req, _res, buf) => {
+        (req as express.Request & { rawBody?: Buffer }).rawBody = buf;
+      },
+    })
+  );
 
-  // Set up routes
+  // Unauthenticated routes
   app.use('/', indexRoutes);
-  app.use('/infra', infraRoutes);
+  app.use('/bootstrap', bootstrapRoutes);
+
+  // Authenticated routes
+  app.use('/api/v1/projects', signatureAuth, projectRoutes);
+  app.use('/api/v1/projects/:projectId/environments', signatureAuth, environmentRoutes);
+  app.use('/api/v1/deployments', signatureAuth, deploymentRoutes);
+  app.use('/api/v1/infra', signatureAuth, infraRoutes);
 
   return app;
 }

package/src/middleware/auth.spec.ts

@@ -0,0 +1,148 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+import request from 'supertest';
+import express from 'express';
+import { signRequest } from '@appliance.sh/sdk';
+import { signatureAuth } from './auth';
+
+const TEST_KEY_ID = 'ak_test-key-id';
+const TEST_SECRET = 'sk_test-secret-value';
+const TEST_HOST = 'test.local';
+
+const mockKeyStore = new Map<string, { id: string; secret: string; name: string }>();
+
+vi.mock('../services/api-key.service', () => ({
+  apiKeyService: {
+    getByKeyId: async (keyId: string) => mockKeyStore.get(keyId) ?? null,
+    updateLastUsed: async () => {},
+  },
+}));
+
+function createTestApp() {
+  const app = express();
+  app.use(
+    express.json({
+      verify: (req, _res, buf) => {
+        (req as express.Request & { rawBody?: Buffer }).rawBody = buf;
+      },
+    })
+  );
+  app.get('/api/v1/test', signatureAuth, (_req, res) => {
+    res.json({ ok: true });
+  });
+  app.post('/api/v1/test', signatureAuth, (req, res) => {
+    res.json({ ok: true, body: req.body });
+  });
+  return app;
+}
+
+describe('signatureAuth middleware', () => {
+  beforeEach(() => {
+    mockKeyStore.clear();
+    mockKeyStore.set(TEST_KEY_ID, {
+      id: TEST_KEY_ID,
+      secret: TEST_SECRET,
+      name: 'test',
+    });
+  });
+
+  it('should return 401 when no signature headers', async () => {
+    const app = createTestApp();
+    const res = await request(app).get('/api/v1/test');
+    expect(res.status).toBe(401);
+    expect(res.body.error).toBe('Missing signature headers');
+  });
+
+  it('should return 401 with invalid signature', async () => {
+    const app = createTestApp();
+    const res = await request(app)
+      .get('/api/v1/test')
+      .set('signature', 'sig=:invalidbase64:')
+      .set('signature-input', 'sig=();created=1234567890;keyid="ak_wrong";alg="hmac-sha256"');
+    expect(res.status).toBe(401);
+  });
+
+  it('should pass through with valid HMAC-SHA256 signature (GET)', async () => {
+    const app = createTestApp();
+    const url = `http://${TEST_HOST}/api/v1/test`;
+    const headers: Record<string, string> = {
+      'content-type': 'application/json',
+    };
+
+    const sigHeaders = await signRequest({ keyId: TEST_KEY_ID, secret: TEST_SECRET }, { method: 'GET', url, headers });
+
+    const res = await request(app)
+      .get('/api/v1/test')
+      .set('host', TEST_HOST)
+      .set('content-type', 'application/json')
+      .set(sigHeaders);
+
+    expect(res.status).toBe(200);
+    expect(res.body.ok).toBe(true);
+  });
+
+  it('should pass through with valid HMAC-SHA256 signature (POST with body)', async () => {
+    const app = createTestApp();
+    const body = JSON.stringify({ name: 'test' });
+    const url = `http://${TEST_HOST}/api/v1/test`;
+    const headers: Record<string, string> = {
+      'content-type': 'application/json',
+    };
+
+    const sigHeaders = await signRequest(
+      { keyId: TEST_KEY_ID, secret: TEST_SECRET },
+      { method: 'POST', url, headers, body }
+    );
+
+    const res = await request(app)
+      .post('/api/v1/test')
+      .set('host', TEST_HOST)
+      .set('content-type', 'application/json')
+      .set(sigHeaders)
+      .send(body);
+
+    expect(res.status).toBe(200);
+    expect(res.body.ok).toBe(true);
+  });
+
+  it('should return 401 when Content-Digest does not match body', async () => {
+    const app = createTestApp();
+    const body = JSON.stringify({ name: 'test' });
+    const url = `http://${TEST_HOST}/api/v1/test`;
+    const headers: Record<string, string> = {
+      'content-type': 'application/json',
+    };
+
+    const sigHeaders = await signRequest(
+      { keyId: TEST_KEY_ID, secret: TEST_SECRET },
+      { method: 'POST', url, headers, body }
+    );
+
+    // Send different body than what was signed
+    const res = await request(app)
+      .post('/api/v1/test')
+      .set('host', TEST_HOST)
+      .set('content-type', 'application/json')
+      .set(sigHeaders)
+      .send(JSON.stringify({ name: 'tampered' }));
+
+    expect(res.status).toBe(401);
+  });
+
+  it('should return 401 for unknown key', async () => {
+    const app = createTestApp();
+    const url = `http://${TEST_HOST}/api/v1/test`;
+    const headers: Record<string, string> = {
+      'content-type': 'application/json',
+    };
+
+    const sigHeaders = await signRequest({ keyId: 'ak_unknown', secret: 'sk_wrong' }, { method: 'GET', url, headers });
+
+    const res = await request(app)
+      .get('/api/v1/test')
+      .set('host', TEST_HOST)
+      .set('content-type', 'application/json')
+      .set(sigHeaders);
+
+    expect(res.status).toBe(401);
+  });
+});

package/src/middleware/auth.ts

@@ -0,0 +1,68 @@
+import { Request, Response, NextFunction } from 'express';
+import { timingSafeEqual } from 'crypto';
+import { verifySignedRequest, computeContentDigest } from '@appliance.sh/sdk';
+import { apiKeyService } from '../services/api-key.service';
+
+declare module 'express-serve-static-core' {
+  interface Request {
+    apiKeyId?: string;
+    rawBody?: Buffer;
+  }
+}
+
+export async function signatureAuth(req: Request, res: Response, next: NextFunction): Promise<void> {
+  const signature = req.headers['signature'];
+  const signatureInput = req.headers['signature-input'];
+
+  if (!signature || !signatureInput) {
+    res.status(401).json({ error: 'Missing signature headers' });
+    return;
+  }
+
+  // Verify Content-Digest for requests with body
+  if (req.rawBody && req.rawBody.length > 0) {
+    const contentDigest = req.headers['content-digest'] as string | undefined;
+    if (!contentDigest) {
+      res.status(401).json({ error: 'Missing Content-Digest header' });
+      return;
+    }
+
+    const expected = computeContentDigest(req.rawBody.toString());
+    if (
+      contentDigest.length !== expected.length ||
+      !timingSafeEqual(Buffer.from(contentDigest), Buffer.from(expected))
+    ) {
+      res.status(401).json({ error: 'Unauthorized' });
+      return;
+    }
+  }
+
+  const url = `${req.protocol}://${req.get('host')}${req.originalUrl}`;
+
+  const result = await verifySignedRequest(
+    {
+      method: req.method,
+      url,
+      headers: req.headers as Record<string, string | string[]>,
+    },
+    async (keyId: string) => {
+      const key = await apiKeyService.getByKeyId(keyId);
+      if (!key) return null;
+      return { secret: key.secret };
+    }
+  );
+
+  if (!result.verified) {
+    res.status(401).json({ error: 'Unauthorized' });
+    return;
+  }
+
+  req.apiKeyId = result.keyId;
+
+  // Fire-and-forget lastUsed update
+  if (result.keyId) {
+    apiKeyService.updateLastUsed(result.keyId).catch(() => {});
+  }
+
+  next();
+}

package/src/routes/bootstrap/index.ts

@@ -0,0 +1,44 @@
+import { Router } from 'express';
+import { timingSafeEqual } from 'crypto';
+import { apiKeyInput } from '@appliance.sh/sdk';
+import { apiKeyService } from '../../services/api-key.service';
+
+function constantTimeEqual(a: string, b: string): boolean {
+  if (a.length !== b.length) return false;
+  return timingSafeEqual(Buffer.from(a), Buffer.from(b));
+}
+
+export const bootstrapRoutes = Router();
+
+bootstrapRoutes.post('/create-key', async (req, res) => {
+  try {
+    const bootstrapToken = process.env.BOOTSTRAP_TOKEN;
+    if (!bootstrapToken) {
+      res.status(500).json({ error: 'Bootstrap token not configured' });
+      return;
+    }
+
+    const providedToken = req.headers['x-bootstrap-token'] as string | undefined;
+    if (!providedToken || !constantTimeEqual(providedToken, bootstrapToken)) {
+      res.status(403).json({ error: 'Invalid bootstrap token' });
+      return;
+    }
+
+    const input = apiKeyInput.parse(req.body);
+    const result = await apiKeyService.create(input.name);
+    res.status(201).json(result);
+  } catch (error) {
+    console.error('Create key error:', error);
+    res.status(400).json({ error: 'Failed to create API key', message: String(error) });
+  }
+});
+
+bootstrapRoutes.get('/status', async (_req, res) => {
+  try {
+    const initialized = await apiKeyService.exists();
+    res.json({ initialized });
+  } catch (error) {
+    console.error('Bootstrap status error:', error);
+    res.status(500).json({ error: 'Failed to check bootstrap status', message: String(error) });
+  }
+});

package/src/routes/deployments/index.ts

@@ -0,0 +1,30 @@
+import { Router } from 'express';
+import { deploymentInput } from '@appliance.sh/sdk';
+import { deploymentService } from '../../services/deployment.service';
+
+export const deploymentRoutes = Router();
+
+deploymentRoutes.post('/', async (req, res) => {
+  try {
+    const input = deploymentInput.parse(req.body);
+    const deployment = await deploymentService.execute(input);
+    res.status(201).json(deployment);
+  } catch (error) {
+    console.error('Execute deployment error:', error);
+    res.status(400).json({ error: 'Failed to execute deployment', message: String(error) });
+  }
+});
+
+deploymentRoutes.get('/:id', async (req, res) => {
+  try {
+    const deployment = await deploymentService.get(req.params.id);
+    if (!deployment) {
+      res.status(404).json({ error: 'Deployment not found' });
+      return;
+    }
+    res.json(deployment);
+  } catch (error) {
+    console.error('Get deployment error:', error);
+    res.status(500).json({ error: 'Failed to get deployment', message: String(error) });
+  }
+});

package/src/routes/environments/index.ts

@@ -0,0 +1,84 @@
+import { Router } from 'express';
+import { environmentInput, applianceBaseConfig } from '@appliance.sh/sdk';
+import { environmentService } from '../../services/environment.service';
+import { projectService } from '../../services/project.service';
+
+interface EnvironmentParams {
+  projectId: string;
+  id?: string;
+}
+
+function getServerBaseConfig() {
+  const raw = process.env.APPLIANCE_BASE_CONFIG;
+  if (!raw) throw new Error('APPLIANCE_BASE_CONFIG is not set on the server');
+  return applianceBaseConfig.parse(JSON.parse(raw));
+}
+
+export const environmentRoutes = Router({ mergeParams: true });
+
+environmentRoutes.post('/', async (req, res) => {
+  try {
+    const params = req.params as EnvironmentParams;
+    const project = await projectService.get(params.projectId);
+    if (!project) {
+      res.status(404).json({ error: 'Project not found' });
+      return;
+    }
+    const baseConfig = getServerBaseConfig();
+    const input = environmentInput.parse({
+      ...req.body,
+      projectId: params.projectId,
+    });
+    const environment = await environmentService.create(input, project.name, baseConfig);
+    res.status(201).json(environment);
+  } catch (error) {
+    console.error('Create environment error:', error);
+    res.status(400).json({ error: 'Failed to create environment', message: String(error) });
+  }
+});
+
+environmentRoutes.get('/', async (req, res) => {
+  try {
+    const params = req.params as EnvironmentParams;
+    const environments = await environmentService.listByProject(params.projectId);
+    res.json(environments);
+  } catch (error) {
+    console.error('List environments error:', error);
+    res.status(500).json({ error: 'Failed to list environments', message: String(error) });
+  }
+});
+
+environmentRoutes.get('/:id', async (req, res) => {
+  try {
+    const params = req.params as EnvironmentParams;
+    const environment = await environmentService.get(params.id!);
+    if (!environment) {
+      res.status(404).json({ error: 'Environment not found' });
+      return;
+    }
+    if (environment.projectId !== params.projectId) {
+      res.status(404).json({ error: 'Environment not found' });
+      return;
+    }
+    res.json(environment);
+  } catch (error) {
+    console.error('Get environment error:', error);
+    res.status(500).json({ error: 'Failed to get environment', message: String(error) });
+  }
+});
+
+environmentRoutes.delete('/:id', async (req, res) => {
+  try {
+    const params = req.params as EnvironmentParams;
+    const environment = await environmentService.get(params.id!);
+    if (environment && environment.projectId !== params.projectId) {
+      res.status(404).json({ error: 'Environment not found' });
+      return;
+    }
+    await environmentService.delete(params.id!);
+    res.status(204).send();
+  } catch (error) {
+    console.error('Delete environment error:', error);
+    res.status(500).json({ error: 'Failed to delete environment', message: String(error) });
+  }
+});

package/src/routes/projects/index.ts

@@ -0,0 +1,50 @@
+import { Router } from 'express';
+import { projectInput } from '@appliance.sh/sdk';
+import { projectService } from '../../services/project.service';
+
+export const projectRoutes = Router();
+
+projectRoutes.post('/', async (req, res) => {
+  try {
+    const input = projectInput.parse(req.body);
+    const project = await projectService.create(input);
+    res.status(201).json(project);
+  } catch (error) {
+    console.error('Create project error:', error);
+    res.status(400).json({ error: 'Failed to create project', message: String(error) });
+  }
+});
+
+projectRoutes.get('/', async (_req, res) => {
+  try {
+    const projects = await projectService.list();
+    res.json(projects);
+  } catch (error) {
+    console.error('List projects error:', error);
+    res.status(500).json({ error: 'Failed to list projects', message: String(error) });
+  }
+});
+
+projectRoutes.get('/:id', async (req, res) => {
+  try {
+    const project = await projectService.get(req.params.id);
+    if (!project) {
+      res.status(404).json({ error: 'Project not found' });
+      return;
+    }
+    res.json(project);
+  } catch (error) {
+    console.error('Get project error:', error);
+    res.status(500).json({ error: 'Failed to get project', message: String(error) });
+  }
+});
+
+projectRoutes.delete('/:id', async (req, res) => {
+  try {
+    await projectService.delete(req.params.id);
+    res.status(204).send();
+  } catch (error) {
+    console.error('Delete project error:', error);
+    res.status(500).json({ error: 'Failed to delete project', message: String(error) });
+  }
+});

package/src/services/api-key.service.spec.ts

@@ -0,0 +1,80 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+import { ApiKeyService } from './api-key.service';
+
+const mockStore = new Map<string, string>();
+
+vi.mock('./storage.service', () => ({
+  getStorageService: () => ({
+    get: async (_collection: string, id: string) => {
+      const key = `${_collection}/${id}.json`;
+      const data = mockStore.get(key);
+      return data ? JSON.parse(data) : null;
+    },
+    set: async (_collection: string, id: string, value: unknown) => {
+      const key = `${_collection}/${id}.json`;
+      mockStore.set(key, JSON.stringify(value));
+    },
+    getAll: async (_collection: string) => {
+      const items: unknown[] = [];
+      for (const [key, value] of mockStore) {
+        if (key.startsWith(`${_collection}/`)) {
+          items.push(JSON.parse(value));
+        }
+      }
+      return items;
+    },
+    delete: async (_collection: string, id: string) => {
+      const key = `${_collection}/${id}.json`;
+      mockStore.delete(key);
+    },
+  }),
+}));
+
+describe('ApiKeyService', () => {
+  let service: ApiKeyService;
+
+  beforeEach(() => {
+    mockStore.clear();
+    service = new ApiKeyService();
+  });
+
+  it('should create a key with ak_ prefixed id and sk_ prefixed secret', async () => {
+    const result = await service.create('test-key');
+    expect(result.id).toMatch(/^ak_/);
+    expect(result.secret).toMatch(/^sk_/);
+    expect(result.name).toBe('test-key');
+    expect(result.createdAt).toBeDefined();
+  });
+
+  it('should retrieve a stored key by id', async () => {
+    const created = await service.create('test-key');
+    const stored = await service.getByKeyId(created.id);
+    expect(stored).not.toBeNull();
+    expect(stored!.id).toBe(created.id);
+    expect(stored!.name).toBe('test-key');
+    expect(stored!.secret).toBe(created.secret);
+  });
+
+  it('should return null for non-existent key', async () => {
+    const result = await service.getByKeyId('ak_nonexistent');
+    expect(result).toBeNull();
+  });
+
+  it('should return false for exists when no keys', async () => {
+    const result = await service.exists();
+    expect(result).toBe(false);
+  });
+
+  it('should return true for exists when keys exist', async () => {
+    await service.create('test-key');
+    const result = await service.exists();
+    expect(result).toBe(true);
+  });
+
+  it('should update lastUsedAt', async () => {
+    const created = await service.create('test-key');
+    await service.updateLastUsed(created.id);
+    const stored = await service.getByKeyId(created.id);
+    expect(stored!.lastUsedAt).toBeDefined();
+  });
+});

package/src/services/api-key.service.ts

@@ -0,0 +1,59 @@
+import { randomUUID, randomBytes } from 'crypto';
+import { getStorageService } from './storage.service';
+import { ApiKeyCreateResponse } from '@appliance.sh/sdk';
+
+const COLLECTION = 'api-keys';
+
+// The shared secret must be stored to verify HMAC signatures (RFC 9421).
+// Unlike password hashing, HMAC requires the original key on both sides.
+interface StoredApiKey {
+  id: string;
+  name: string;
+  secret: string;
+  createdAt: string;
+  lastUsedAt?: string;
+}
+
+export class ApiKeyService {
+  async create(name: string): Promise<ApiKeyCreateResponse> {
+    const storage = getStorageService();
+    const id = `ak_${randomUUID()}`;
+    const secret = `sk_${randomBytes(32).toString('hex')}`;
+    const now = new Date().toISOString();
+
+    const stored: StoredApiKey = {
+      id,
+      name,
+      secret,
+      createdAt: now,
+    };
+
+    await storage.set(COLLECTION, id, stored);
+
+    return { id, name, secret, createdAt: now };
+  }
+
+  async getByKeyId(keyId: string): Promise<StoredApiKey | null> {
+    const storage = getStorageService();
+    return storage.get<StoredApiKey>(COLLECTION, keyId);
+  }
+
+  async exists(): Promise<boolean> {
+    const storage = getStorageService();
+    const keys = await storage.getAll<StoredApiKey>(COLLECTION);
+    return keys.length > 0;
+  }
+
+  async updateLastUsed(keyId: string): Promise<void> {
+    const storage = getStorageService();
+    const existing = await storage.get<StoredApiKey>(COLLECTION, keyId);
+    if (existing) {
+      await storage.set(COLLECTION, keyId, {
+        ...existing,
+        lastUsedAt: new Date().toISOString(),
+      });
+    }
+  }
+}
+
+export const apiKeyService = new ApiKeyService();

package/src/services/deployment.service.ts

@@ -0,0 +1,84 @@
+import { Deployment, DeploymentInput, DeploymentStatus, DeploymentAction, EnvironmentStatus } from '@appliance.sh/sdk';
+import { createApplianceDeploymentService } from '@appliance.sh/infra';
+import { getStorageService } from './storage.service';
+import { environmentService } from './environment.service';
+import { randomUUID } from 'crypto';
+
+const COLLECTION = 'deployments';
+
+export class DeploymentService {
+  async execute(input: DeploymentInput): Promise<Deployment> {
+    const storage = getStorageService();
+
+    const environment = await environmentService.get(input.environmentId);
+    if (!environment) {
+      throw new Error(`Environment not found: ${input.environmentId}`);
+    }
+
+    const now = new Date().toISOString();
+    const deployment: Deployment = {
+      ...input,
+      id: randomUUID(),
+      projectId: environment.projectId,
+      status: DeploymentStatus.Pending,
+      startedAt: now,
+    };
+
+    await storage.set(COLLECTION, deployment.id, deployment);
+
+    // Update deployment to in_progress
+    deployment.status = DeploymentStatus.InProgress;
+    await storage.set(COLLECTION, deployment.id, deployment);
+
+    // Update environment status
+    const envStatus =
+      input.action === DeploymentAction.Deploy ? EnvironmentStatus.Deploying : EnvironmentStatus.Destroying;
+    await environmentService.updateStatus(environment.id, envStatus);
+
+    // Execute the deployment
+    try {
+      const deploymentService = createApplianceDeploymentService({
+        baseConfig: environment.baseConfig,
+      });
+
+      let result;
+      if (input.action === DeploymentAction.Deploy) {
+        result = await deploymentService.deploy(environment.stackName);
+      } else {
+        result = await deploymentService.destroy(environment.stackName);
+      }
+
+      deployment.status = DeploymentStatus.Succeeded;
+      deployment.completedAt = new Date().toISOString();
+      deployment.message = result.message;
+      deployment.idempotentNoop = result.idempotentNoop;
+      await storage.set(COLLECTION, deployment.id, deployment);
+
+      // Update environment status
+      const finalEnvStatus =
+        input.action === DeploymentAction.Deploy ? EnvironmentStatus.Deployed : EnvironmentStatus.Destroyed;
+      await environmentService.updateStatus(environment.id, finalEnvStatus);
+    } catch (error) {
+      deployment.status = DeploymentStatus.Failed;
+      deployment.completedAt = new Date().toISOString();
+      deployment.message = error instanceof Error ? error.message : String(error);
+      await storage.set(COLLECTION, deployment.id, deployment);
+
+      await environmentService.updateStatus(environment.id, EnvironmentStatus.Failed);
+    }
+
+    return deployment;
+  }
+
+  async get(id: string): Promise<Deployment | null> {
+    const storage = getStorageService();
+    return storage.get<Deployment>(COLLECTION, id);
+  }
+
+  async listByEnvironment(environmentId: string): Promise<Deployment[]> {
+    const storage = getStorageService();
+    return storage.filter<Deployment>(COLLECTION, (d) => d.environmentId === environmentId);
+  }
+}
+
+export const deploymentService = new DeploymentService();

package/src/services/environment.service.ts

@@ -0,0 +1,73 @@
+import { Environment, EnvironmentInput, EnvironmentStatus } from '@appliance.sh/sdk';
+import type { ApplianceBaseConfig } from '@appliance.sh/sdk';
+import { getStorageService } from './storage.service';
+import { randomUUID } from 'crypto';
+
+const COLLECTION = 'environments';
+
+export class EnvironmentService {
+  async create(input: EnvironmentInput, projectName: string, baseConfig: ApplianceBaseConfig): Promise<Environment> {
+    const storage = getStorageService();
+    const now = new Date().toISOString();
+    const id = randomUUID();
+    const environment: Environment = {
+      ...input,
+      id,
+      baseConfig,
+      status: EnvironmentStatus.Pending,
+      stackName: `${projectName}-${input.name}`,
+      createdAt: now,
+      updatedAt: now,
+    };
+    await storage.set(COLLECTION, environment.id, environment);
+    return environment;
+  }
+
+  async get(id: string): Promise<Environment | null> {
+    const storage = getStorageService();
+    return storage.get<Environment>(COLLECTION, id);
+  }
+
+  async listByProject(projectId: string): Promise<Environment[]> {
+    const storage = getStorageService();
+    return storage.filter<Environment>(COLLECTION, (env) => env.projectId === projectId);
+  }
+
+  async delete(id: string): Promise<void> {
+    const storage = getStorageService();
+    await storage.delete(COLLECTION, id);
+  }
+
+  async updateStatus(id: string, status: EnvironmentStatus): Promise<Environment | null> {
+    const storage = getStorageService();
+    const existing = await storage.get<Environment>(COLLECTION, id);
+    if (!existing) return null;
+
+    const updated: Environment = {
+      ...existing,
+      status,
+      updatedAt: new Date().toISOString(),
+      lastDeployedAt: status === EnvironmentStatus.Deployed ? new Date().toISOString() : existing.lastDeployedAt,
+    };
+    await storage.set(COLLECTION, id, updated);
+    return updated;
+  }
+
+  async update(id: string, updates: Partial<Environment>): Promise<Environment | null> {
+    const storage = getStorageService();
+    const existing = await storage.get<Environment>(COLLECTION, id);
+    if (!existing) return null;
+
+    const updated: Environment = {
+      ...existing,
+      ...updates,
+      id: existing.id,
+      createdAt: existing.createdAt,
+      updatedAt: new Date().toISOString(),
+    };
+    await storage.set(COLLECTION, id, updated);
+    return updated;
+  }
+}
+
+export const environmentService = new EnvironmentService();

package/src/services/project.service.ts

@@ -0,0 +1,54 @@
+import { Project, ProjectInput, ProjectStatus } from '@appliance.sh/sdk';
+import { getStorageService } from './storage.service';
+import { randomUUID } from 'crypto';
+
+const COLLECTION = 'projects';
+
+export class ProjectService {
+  async create(input: ProjectInput): Promise<Project> {
+    const storage = getStorageService();
+    const now = new Date().toISOString();
+    const project: Project = {
+      ...input,
+      id: randomUUID(),
+      status: ProjectStatus.Active,
+      createdAt: now,
+      updatedAt: now,
+    };
+    await storage.set(COLLECTION, project.id, project);
+    return project;
+  }
+
+  async get(id: string): Promise<Project | null> {
+    const storage = getStorageService();
+    return storage.get<Project>(COLLECTION, id);
+  }
+
+  async list(): Promise<Project[]> {
+    const storage = getStorageService();
+    return storage.getAll<Project>(COLLECTION);
+  }
+
+  async delete(id: string): Promise<void> {
+    const storage = getStorageService();
+    await storage.delete(COLLECTION, id);
+  }
+
+  async update(id: string, updates: Partial<Project>): Promise<Project | null> {
+    const storage = getStorageService();
+    const existing = await storage.get<Project>(COLLECTION, id);
+    if (!existing) return null;
+
+    const updated: Project = {
+      ...existing,
+      ...updates,
+      id: existing.id,
+      createdAt: existing.createdAt,
+      updatedAt: new Date().toISOString(),
+    };
+    await storage.set(COLLECTION, id, updated);
+    return updated;
+  }
+}
+
+export const projectService = new ProjectService();

package/src/services/pulumi.service.ts

@@ -1,146 +1,12 @@
-import * as auto from '@pulumi/pulumi/automation';
-import * as aws from '@pulumi/aws';
-import * as awsNative from '@pulumi/aws-native';
-import { ApplianceStack } from '@appliance.sh/infra';
-import { applianceBaseConfig } from '@appliance.sh/sdk';
+import {
+  ApplianceDeploymentService,
+  createApplianceDeploymentService,
+  type PulumiAction,
+  type PulumiResult,
+} from '@appliance.sh/infra';
 
-export type PulumiAction = 'deploy' | 'destroy';
-
-export interface PulumiResult {
-  action: PulumiAction;
-  ok: boolean;
-  idempotentNoop: boolean;
-  message: string;
-  stackName: string;
-}
-
-class PulumiService {
-  private readonly projectName = 'appliance-api-managed-proj';
-
-  private readonly baseConfig = process.env.APPLIANCE_BASE_CONFIG
-    ? applianceBaseConfig.parse(JSON.parse(process.env.APPLIANCE_BASE_CONFIG))
-    : undefined;
-  private readonly region = this.baseConfig?.aws.region || 'us-east-1';
-
-  private inlineProgram() {
-    return async () => {
-      const name = 'appliance';
-
-      if (!this.baseConfig) {
-        throw new Error('Missing base config');
-      }
-
-      const regionalProvider = new aws.Provider(`${name}-regional`, {
-        region: (this.baseConfig?.aws.region as aws.Region) ?? 'ap-southeast-1',
-      });
-      const globalProvider = new aws.Provider(`${name}-global`, {
-        region: 'us-east-1',
-      });
-      const nativeRegionalProvider = new awsNative.Provider(`${name}-native-regional`, {
-        region: (this.baseConfig?.aws.region as awsNative.Region) ?? 'ap-southeast-1',
-      });
-
-      const nativeGlobalProvider = new awsNative.Provider(`${name}-native-global`, {
-        region: 'us-east-1',
-      });
-
-      const applianceStack = new ApplianceStack(
-        `${name}-stack`,
-        {
-          tags: { project: name },
-          config: this.baseConfig,
-        },
-        {
-          globalProvider,
-          provider: regionalProvider,
-          nativeProvider: nativeRegionalProvider,
-          nativeGlobalProvider: nativeGlobalProvider,
-        }
-      );
-
-      return {
-        applianceStack,
-      };
-    };
-  }
-
-  private async getOrCreateStack(stackName: string): Promise<auto.Stack> {
-    const program = this.inlineProgram();
-    const envVars: Record<string, string> = {
-      AWS_REGION: this.region,
-    };
-    if (!this.baseConfig) {
-      throw new Error('Missing base config');
-    }
-    if (this.baseConfig) {
-      envVars['PULUMI_BACKEND_URL'] = this.baseConfig.stateBackendUrl;
-    }
-
-    const stack = await auto.LocalWorkspace.createOrSelectStack(
-      { projectName: this.projectName, stackName, program },
-      { envVars }
-    );
-    await stack.setConfig('aws:region', { value: this.baseConfig.aws.region });
-    return stack;
-  }
-
-  private async selectExistingStack(stackName: string): Promise<auto.Stack> {
-    const envVars: Record<string, string> = {
-      AWS_REGION: this.region,
-    };
-    if (!this.baseConfig) {
-      throw new Error('Missing base config');
-    }
-    if (this.baseConfig) {
-      envVars['PULUMI_BACKEND_URL'] = this.baseConfig.stateBackendUrl;
-    }
-
-    const ws = await auto.LocalWorkspace.create({
-      projectSettings: { name: this.projectName, runtime: 'nodejs' },
-      envVars,
-    });
-
-    return auto.Stack.createOrSelect(stackName, ws);
-  }
-
-  async deploy(stackName = 'appliance-api-managed'): Promise<PulumiResult> {
-    const stack = await this.getOrCreateStack(stackName);
-    const result = await stack.up({ onOutput: (m) => console.log(m) });
-    const changes = result.summary.resourceChanges || {};
-    const totalChanges = Object.entries(changes)
-      .filter(([k]) => k !== 'same')
-      .reduce((acc, [, v]) => acc + (v || 0), 0);
-    const idempotentNoop = totalChanges === 0;
-    return {
-      action: 'deploy',
-      ok: true,
-      idempotentNoop,
-      message: idempotentNoop ? 'No changes (idempotent)' : 'Stack updated',
-      stackName,
-    };
-  }
-
-  async destroy(stackName = 'appliance-api-managed'): Promise<PulumiResult> {
-    try {
-      const stack = await this.selectExistingStack(stackName);
-      await stack.destroy({ onOutput: (m) => console.log(m) });
-      return { action: 'destroy', ok: true, idempotentNoop: false, message: 'Stack resources deleted', stackName };
-    } catch (e) {
-      if (!(e instanceof Error)) throw e;
-      const msg = String(e?.message || e);
-      if (msg.includes('no stack named') || msg.includes('not found')) {
-        return {
-          action: 'destroy',
-          ok: true,
-          idempotentNoop: true,
-          message: 'Stack not found (idempotent)',
-          stackName,
-        };
-      }
-      throw e;
-    }
-  }
-}
+// Re-export types for consumers
+export type { PulumiAction, PulumiResult };
 
 // Export a singleton instance
-export const pulumiService = new PulumiService();
+export const pulumiService: ApplianceDeploymentService = createApplianceDeploymentService();

package/src/services/s3-object-store.ts

@@ -0,0 +1,78 @@
+import {
+  S3Client,
+  GetObjectCommand,
+  PutObjectCommand,
+  DeleteObjectCommand,
+  ListObjectsV2Command,
+} from '@aws-sdk/client-s3';
+import type { ObjectStore } from '@appliance.sh/sdk';
+
+export class S3ObjectStore implements ObjectStore {
+  private readonly client: S3Client;
+  private readonly bucketName: string;
+
+  constructor(bucketName: string, region?: string) {
+    this.bucketName = bucketName;
+    this.client = new S3Client({ region: region ?? 'us-east-1' });
+  }
+
+  async get(key: string): Promise<string | null> {
+    try {
+      const command = new GetObjectCommand({
+        Bucket: this.bucketName,
+        Key: key,
+      });
+      const response = await this.client.send(command);
+      return (await response.Body?.transformToString()) ?? null;
+    } catch (error) {
+      if ((error as { name?: string }).name === 'NoSuchKey') {
+        return null;
+      }
+      throw error;
+    }
+  }
+
+  async set(key: string, value: string): Promise<void> {
+    const command = new PutObjectCommand({
+      Bucket: this.bucketName,
+      Key: key,
+      Body: value,
+      ContentType: 'application/json',
+    });
+    await this.client.send(command);
+  }
+
+  async delete(key: string): Promise<void> {
+    const command = new DeleteObjectCommand({
+      Bucket: this.bucketName,
+      Key: key,
+    });
+    await this.client.send(command);
+  }
+
+  async list(prefix?: string): Promise<string[]> {
+    const keys: string[] = [];
+    let continuationToken: string | undefined;
+
+    do {
+      const command = new ListObjectsV2Command({
+        Bucket: this.bucketName,
+        Prefix: prefix,
+        ContinuationToken: continuationToken,
+      });
+      const response = await this.client.send(command);
+
+      if (response.Contents) {
+        for (const object of response.Contents) {
+          if (object.Key) {
+            keys.push(object.Key);
+          }
+        }
+      }
+
+      continuationToken = response.IsTruncated ? response.NextContinuationToken : undefined;
+    } while (continuationToken);
+
+    return keys;
+  }
+}

package/src/services/storage.service.ts

@@ -0,0 +1,72 @@
+import { applianceBaseConfig, type ObjectStore } from '@appliance.sh/sdk';
+import { S3ObjectStore } from './s3-object-store';
+
+export class StorageService {
+  private readonly store: ObjectStore;
+
+  constructor(store: ObjectStore) {
+    this.store = store;
+  }
+
+  private getKey(collection: string, id: string): string {
+    return `${collection}/${id}.json`;
+  }
+
+  async get<T>(collection: string, id: string): Promise<T | null> {
+    const data = await this.store.get(this.getKey(collection, id));
+    if (!data) return null;
+    return JSON.parse(data) as T;
+  }
+
+  async getAll<T>(collection: string): Promise<T[]> {
+    const keys = await this.store.list(`${collection}/`);
+    const items: T[] = [];
+
+    for (const key of keys) {
+      const data = await this.store.get(key);
+      if (data) {
+        items.push(JSON.parse(data) as T);
+      }
+    }
+
+    return items;
+  }
+
+  async set<T>(collection: string, id: string, value: T): Promise<void> {
+    await this.store.set(this.getKey(collection, id), JSON.stringify(value));
+  }
+
+  async delete(collection: string, id: string): Promise<void> {
+    await this.store.delete(this.getKey(collection, id));
+  }
+
+  async filter<T>(collection: string, predicate: (item: T) => boolean): Promise<T[]> {
+    const all = await this.getAll<T>(collection);
+    return all.filter(predicate);
+  }
+}
+
+function createStorageService(): StorageService {
+  const baseConfigJson = process.env.APPLIANCE_BASE_CONFIG;
+  if (!baseConfigJson) {
+    throw new Error('APPLIANCE_BASE_CONFIG environment variable is required');
+  }
+
+  const config = applianceBaseConfig.parse(JSON.parse(baseConfigJson));
+
+  if (!config.aws.dataBucketName) {
+    throw new Error('dataBucketName is required in APPLIANCE_BASE_CONFIG');
+  }
+
+  const store = new S3ObjectStore(config.aws.dataBucketName, config.aws.region);
+  return new StorageService(store);
+}
+
+let storageServiceInstance: StorageService | null = null;
+
+export function getStorageService(): StorageService {
+  if (!storageServiceInstance) {
+    storageServiceInstance = createStorageService();
+  }
+  return storageServiceInstance;
+}