@caelo-cms/provisioning 0.1.0

package/stacks/aws/README.md

@@ -0,0 +1,80 @@
+# Caelo AWS provider stack
+
+Pulumi stack provisioning Caelo on AWS managed services. Implements the shared `CloudAdapterInputs` / `CloudAdapterOutputs` contract from `packages/provisioning/src/adapter.ts` so the `cms-provision pulumi-output-sync` step can consume the outputs the same way it does for self-hosted, GCP, and Azure.
+
+## What it provisions per environment
+
+| Concern | AWS resource |
+|---|---|
+| Managed Postgres | RDS Postgres 16 Multi-AZ + automated backups + encryption (`db.t4g.small` default) |
+| Blob storage | Two S3 buckets (`caelo-<env>-media` + `caelo-<env>-static`) |
+| CDN | CloudFront distribution with two origins (S3 static + S3 media) |
+| Edge compute (A/B + redirects) | Lambda@Edge function (us-east-1 pinned) on `viewer-request` |
+| Container runtime | ECS Fargate cluster + four services (admin / gateway / orchestrator / runner) |
+| Secret store | AWS Secrets Manager (postgres-password, csrf-secret, cookie-secret, anthropic-api-key, resend-api-key) |
+| DNS + cert | ACM cert (us-east-1, DNS-validated, supports `*.<domain>`) |
+| Edge-log sink | CloudWatch Logs → Kinesis Firehose → S3 → Athena (queryable by P12A analytics plugin) |
+
+The Caelo runtime never knows it's on AWS — it just consumes `DATABASE_URL` / `MEDIA_STORAGE_URL` / `SECRETS_PROVIDER` env vars wired by this stack.
+
+## First-time install
+
+```bash
+cd packages/provisioning/stacks/aws
+pulumi stack init prod
+pulumi config set caelo-aws:domain example.com
+pulumi config set caelo-aws:ownerEmail me@example.com
+pulumi config set caelo-aws:region us-east-1
+
+# Build the Lambda@Edge bundle BEFORE the first `pulumi up`.
+bun run packages/provisioning/stacks/aws/build-edge.ts
+
+# Bring the stack up.
+pulumi up
+
+# Sync outputs into cms_admin.provisioning_outputs so the admin's
+# /security/dns page shows the required DNS records.
+ADMIN_DATABASE_URL=$(pulumi stack output adminDatabaseUrlOut --show-secrets) \
+  bunx cms-provision pulumi-output-sync --environment production
+```
+
+The bootstrap-token URL surfaces as a Pulumi output:
+
+```bash
+pulumi stack output bootstrapUrlOut
+# → https://example.com/setup?token=<64-hex>
+```
+
+Open that URL once CloudFront has issued the ACM cert (~10 minutes after DNS records propagate).
+
+## Updating the routing manifest
+
+Lambda@Edge has no DB egress — the routing manifest is bundled into the function source. After every static-generator deploy that changes routing, re-run:
+
+```bash
+bun run packages/provisioning/stacks/aws/build-edge.ts \
+  --manifest apps/static-generator/dist/routing-manifest.json
+pulumi up
+```
+
+L@E versions are immutable; each `pulumi up` after a manifest change creates a new published version + repoints CloudFront's behaviour.
+
+## Lambda@Edge constraints worth knowing
+
+- **Region pinned to us-east-1.** Code lives in us-east-1 regardless of where CloudFront's origins are. The stack creates a separate `us-east-1` Pulumi provider just for L@E.
+- **1 MB unzipped limit.** The build script warns when the bundle exceeds it.
+- **No env vars at runtime.** Anything the function needs must be bundled in.
+- **5-second timeout** at viewer-request. Caelo's edge-router is pure code — well under this.
+- **No async I/O** at viewer-request. The `routeRequest` helper is synchronous-after-import; logging via `console.log` is async-fire-and-forget.
+
+## Edge-router byte-identity
+
+This stack imports `routeRequest` from `@caelo-cms/edge-router` — the same function the P13 self-hosted Caddy gateway, the GCP Cloud Run handler (P15), and the Azure Front Door rules engine (P15) use. The byte-identity test in `packages/edge-router/src/index.test.ts` asserts that a fixed corpus of (visitorId, manifestVersion, experimentId) tuples produces identical variant labels across every runtime — a visitor sees the same variant whether they hit the self-hosted Caddy in dev or the AWS CloudFront in production.
+
+## Destroy
+
+```bash
+pulumi destroy
+```
+
+Tears down all resources except S3 buckets in production (operator must run `aws s3 rm s3://… --recursive` then re-apply destroy). Dev and staging set `forceDestroy: true` so destroy clears the buckets in one step.

package/stacks/aws/build-edge.ts

@@ -0,0 +1,80 @@
+#!/usr/bin/env bun
+// SPDX-License-Identifier: MPL-2.0
+
+/**
+ * Bundle Caelo's Lambda@Edge handler + the latest routing-manifest.json
+ * into a single CommonJS file Pulumi uploads as the L@E function source.
+ *
+ * Run BEFORE every `pulumi up` against the AWS stack:
+ *   bun run packages/provisioning/stacks/aws/build-edge.ts \
+ *     --manifest /path/to/routing-manifest.json
+ *
+ * The manifest path defaults to the static-output bucket's local
+ * mirror (apps/static-generator/dist/routing-manifest.json) if the
+ * --manifest flag is omitted.
+ *
+ * Why bundle the manifest IN: Lambda@Edge has no IAM role for RDS,
+ * no network egress to non-AWS endpoints, no SSM access. The function
+ * is pure code + bundled config. A new manifest = a new bundle = a
+ * new Pulumi `update` of the Lambda function (versioned by L@E).
+ */
+
+import { existsSync, readFileSync, writeFileSync } from "node:fs";
+import { resolve } from "node:path";
+
+function arg(name: string): string | undefined {
+  const idx = process.argv.indexOf(`--${name}`);
+  if (idx === -1) return undefined;
+  return process.argv[idx + 1];
+}
+
+// P15 hot-fix #1 — bundle the edge-router-shaped `ab-routing.json`,
+// not the deploy manifest `routing-manifest.json`. The two live
+// alongside each other in the static-output bucket; only the AB one
+// matches @caelo-cms/edge-router's RoutingManifest shape.
+const manifestPath =
+  arg("manifest") ??
+  resolve(import.meta.dir, "../../../..", "apps/static-generator/dist/ab-routing.json");
+
+const manifest = existsSync(manifestPath)
+  ? JSON.parse(readFileSync(manifestPath, "utf8"))
+  : { manifestVersion: "0", experiments: [] };
+
+console.log(`Manifest:  ${manifestPath}`);
+console.log(`Version:   ${manifest.manifestVersion}`);
+console.log(`Experiments: ${manifest.experiments.length}`);
+
+const entry = resolve(import.meta.dir, "edge-handler.ts");
+const out = resolve(import.meta.dir, "edge-handler-bundle.js");
+
+// Bun's bundler: target=node, format=cjs (Lambda@Edge wants CJS),
+// inline the manifest via `--define`, externalize nothing (pure JS).
+const proc = Bun.spawn(
+  [
+    "bun",
+    "build",
+    entry,
+    "--target=node",
+    "--format=cjs",
+    "--outfile",
+    out,
+    "--define",
+    `__INLINE_MANIFEST__=${JSON.stringify(manifest)}`,
+  ],
+  { stdout: "inherit", stderr: "inherit" },
+);
+await proc.exited;
+if (proc.exitCode !== 0) {
+  console.error("bun build failed");
+  process.exit(proc.exitCode ?? 1);
+}
+
+const sizeKb = Math.round(readFileSync(out).byteLength / 1024);
+console.log(`Wrote ${out} (${sizeKb} KB)`);
+if (sizeKb > 1024) {
+  console.warn(
+    `Lambda@Edge has a 1 MB unzipped limit; bundle is ${sizeKb} KB. Strip dependencies before next deploy.`,
+  );
+}
+writeFileSync(`${out}.manifest-version.txt`, String(manifest.manifestVersion));
+console.log("Next: cd packages/provisioning/stacks/aws && pulumi up");

package/stacks/aws/edge-handler-bundle.js

@@ -0,0 +1,21 @@
+// SPDX-License-Identifier: MPL-2.0
+//
+// PLACEHOLDER. Replaced at deploy time by `bun run build:edge-aws`
+// which bundles edge-handler.ts + the latest routing-manifest.json
+// into a single Lambda@Edge deployment artifact.
+//
+// Until the build step runs, this stub returns the request unchanged
+// so a fresh `pulumi up` doesn't emit a broken Lambda. Operator MUST
+// run the build step before the first real deploy.
+exports.handler = async (event) => {
+  const req = event.Records[0].cf.request;
+  // biome-ignore lint/suspicious/noConsole: startup warning visible in CloudWatch
+  console.log(
+    JSON.stringify({
+      kind: "edge_handler_stub",
+      message: "edge-handler-bundle.js is the placeholder; run `bun run build:edge-aws`",
+      uri: req.uri,
+    }),
+  );
+  return req;
+};

package/stacks/aws/edge-handler.ts

@@ -0,0 +1,87 @@
+// SPDX-License-Identifier: MPL-2.0
+
+/**
+ * Caelo AWS Lambda@Edge handler — viewer-request event.
+ *
+ * Imports the SAME `routeRequest` from `@caelo-cms/edge-router` that the
+ * P13 self-hosted Caddy gateway uses, so the assignment hash is
+ * byte-identical across all four runtimes (P13 Caddy + GCP + AWS + Azure).
+ * The byte-identity test in packages/edge-router/src/index.test.ts
+ * locks the contract.
+ *
+ * Bundled by `bun run build:edge-aws` (see this stack's README) into
+ * `edge-handler-bundle.js` which Pulumi uploads as the Lambda code.
+ * The routing manifest is embedded into the bundle at build time —
+ * Lambda@Edge has no DB access (no IAM, no network egress to RDS), so
+ * a fresh bundle is built + deployed on every routing-manifest bump.
+ */
+
+import type { RoutingManifest } from "@caelo-cms/edge-router";
+import { routeRequest } from "@caelo-cms/edge-router";
+
+// Bundled at build time. The build script reads the latest
+// routing-manifest.json from the static-output bucket and inlines it.
+// Empty manifest = pass-through (no experiments active).
+declare const __INLINE_MANIFEST__: RoutingManifest;
+
+const MANIFEST: RoutingManifest = __INLINE_MANIFEST__;
+const COOKIE_NAME = "caelo_visitor_id";
+
+interface CloudFrontHeaderEntry {
+  readonly key: string;
+  readonly value: string;
+}
+
+interface CloudFrontRequest {
+  uri: string;
+  querystring: string;
+  headers: Record<string, ReadonlyArray<CloudFrontHeaderEntry>>;
+}
+
+interface CloudFrontEvent {
+  Records: Array<{ cf: { request: CloudFrontRequest } }>;
+}
+
+function readCookie(req: CloudFrontRequest, name: string): string | null {
+  const raw = req.headers.cookie?.[0]?.value ?? "";
+  for (const pair of raw.split(/;\s*/)) {
+    const eq = pair.indexOf("=");
+    if (eq < 0) continue;
+    if (pair.slice(0, eq) === name) return decodeURIComponent(pair.slice(eq + 1));
+  }
+  return null;
+}
+
+export const handler = async (event: CloudFrontEvent): Promise<CloudFrontRequest> => {
+  const req = event.Records[0]?.cf.request;
+  if (!req) throw new Error("edge-handler: malformed event");
+
+  const visitorIdCookie = readCookie(req, COOKIE_NAME);
+  const decision = routeRequest(MANIFEST, {
+    pathname: req.uri,
+    visitorIdCookie,
+  });
+
+  // Path rewrite — Lambda@Edge mutates request.uri in-place.
+  req.uri = decision.rewritePathname;
+
+  // Set the cookie for the response. L@E viewer-request can't set
+  // response headers directly; we have to rely on a complementary
+  // viewer-response function, OR (simpler) include the cookie in the
+  // forwarded request so the origin (S3 / ECS) can echo it. v1 takes
+  // the simpler path: bake the visitor id into a custom header that
+  // the static origin's Set-Cookie config picks up. CloudFront's
+  // "function" tier supports response-header rewrites without a
+  // second Lambda — that's the operator's setup step.
+  req.headers["x-caelo-visitor-id"] = [{ key: "X-Caelo-Visitor-Id", value: decision.setVisitorId }];
+
+  // Emit assignment log via console.log; CloudWatch picks it up,
+  // Kinesis Firehose ships to S3, Athena queries it, P12A analytics
+  // plugin's AWS adapter normalises into ab_assignment_aggregates.
+  if (decision.logEntry) {
+    // biome-ignore lint/suspicious/noConsole: structured log → CloudWatch
+    console.log(JSON.stringify(decision.logEntry));
+  }
+
+  return req;
+};

package/stacks/aws/index.ts

@@ -0,0 +1,412 @@
+// SPDX-License-Identifier: MPL-2.0
+
+/**
+ * Caelo AWS stack — Pulumi entry point.
+ *
+ * Resources provisioned per `pulumi up`:
+ *  1. VPC with public + private subnets (two AZs for RDS Multi-AZ).
+ *  2. RDS Postgres 16 Multi-AZ + automated backups + encryption.
+ *     - Two databases: cms_admin + cms_public.
+ *     - Two roles: admin_role (full schema), public_role (RLS-scoped).
+ *     - Bootstrap script runs as a one-shot ECS task post-create.
+ *  3. S3 buckets: caelo-media + caelo-static (per env).
+ *  4. CloudFront distribution with two origins (S3 static + ALB-fronted ECS).
+ *  5. Lambda@Edge function (us-east-1 pinned; viewer-request event) that
+ *     reads `routing-manifest.json`, runs the @caelo-cms/edge-router stable-hash
+ *     assignment, sets the `caelo_visitor_id` cookie, rewrites the URL.
+ *  6. ECS Fargate cluster + four services (admin, gateway, orchestrator, runner).
+ *  7. Secrets Manager entries (postgres-password, anthropic-api-key, ...).
+ *  8. Route 53 hosted zone + ACM certs per (domain, locale).
+ *  9. CloudWatch Logs → Kinesis Firehose → S3 sink for L@E assignment logs.
+ * 10. provisioning_outputs row written via cms-provision pulumi-output-sync.
+ *
+ * Per CMS_REQUIREMENTS §15 + the P15 plan, the runtime never knows it's
+ * on AWS — every Caelo service consumes plain DATABASE_URL /
+ * MEDIA_STORAGE_URL / SECRETS_PROVIDER env vars. This file's only job
+ * is to wire those env vars to AWS-native resources.
+ */
+
+import { resolve } from "node:path";
+import * as aws from "@pulumi/aws";
+import * as awsx from "@pulumi/awsx";
+import { local } from "@pulumi/command";
+import * as pulumi from "@pulumi/pulumi";
+import type { CloudAdapterOutputs, DnsRecord } from "../../src/adapter.js";
+import { generateBootstrapToken } from "../../src/bootstrap-token.js";
+
+const cfg = new pulumi.Config();
+const domain = cfg.require("domain");
+const ownerEmail = cfg.require("ownerEmail");
+const region = cfg.get("region") ?? "us-east-1";
+const rdsInstanceClass = cfg.get("rdsInstanceClass") ?? "db.t4g.small";
+const fargateCpu = cfg.get("fargateCpu") ?? "512";
+const fargateMemoryMb = cfg.get("fargateMemoryMb") ?? "1024";
+
+// Pulumi stack name doubles as the environment label so a single
+// project supports `pulumi stack init dev|staging|production`.
+const env = pulumi.getStack() as "dev" | "staging" | "production";
+const namePrefix = `caelo-${env}`;
+
+// Lambda@Edge functions MUST live in us-east-1 regardless of where
+// CloudFront's origins are — this is a hard AWS constraint, not a
+// preference.
+const lambdaEdgeProvider = new aws.Provider("aws-us-east-1", { region: "us-east-1" });
+
+// === 1. VPC ===
+const vpc = new awsx.ec2.Vpc(`${namePrefix}-vpc`, {
+  numberOfAvailabilityZones: 2,
+  subnetSpecs: [
+    { type: "Public", cidrMask: 24 },
+    { type: "Private", cidrMask: 24 },
+  ],
+  natGateways: { strategy: "Single" },
+});
+
+// === 2. Secrets Manager ===
+function randomHex(bytes: number): string {
+  const buf = new Uint8Array(bytes);
+  crypto.getRandomValues(buf);
+  return [...buf].map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+
+const postgresPassword = pulumi.secret(randomHex(32));
+const csrfSecret = pulumi.secret(randomHex(32));
+const cookieSecret = pulumi.secret(randomHex(32));
+const anthropicApiKey = pulumi.secret(process.env.ANTHROPIC_API_KEY ?? "");
+const resendApiKey = pulumi.secret(process.env.RESEND_API_KEY ?? "");
+
+function secret(name: string, value: pulumi.Output<string>): aws.secretsmanager.Secret {
+  const s = new aws.secretsmanager.Secret(`${namePrefix}-${name}`, {
+    name: `${namePrefix}-${name}`,
+    description: `Caelo ${env}: ${name}`,
+  });
+  new aws.secretsmanager.SecretVersion(
+    `${namePrefix}-${name}-v1`,
+    { secretId: s.id, secretString: value },
+    { dependsOn: [s] },
+  );
+  return s;
+}
+
+const pgSecret = secret("postgres-password", postgresPassword);
+const csrfSecretRes = secret("csrf-secret", csrfSecret);
+const cookieSecretRes = secret("cookie-secret", cookieSecret);
+const anthropicSecretRes = secret("anthropic-api-key", anthropicApiKey);
+const resendSecretRes = secret("resend-api-key", resendApiKey);
+
+// === 3. RDS Postgres 16 Multi-AZ ===
+const dbSubnetGroup = new aws.rds.SubnetGroup(`${namePrefix}-db-subnets`, {
+  subnetIds: vpc.privateSubnetIds,
+  description: `Caelo ${env} private subnet group`,
+});
+
+const dbSecurityGroup = new aws.ec2.SecurityGroup(`${namePrefix}-db-sg`, {
+  vpcId: vpc.vpcId,
+  description: `Caelo ${env} RDS — only Fargate tasks reach 5432.`,
+  // Egress all so RDS can reach AWS-internal services for backups.
+  egress: [{ protocol: "-1", fromPort: 0, toPort: 0, cidrBlocks: ["0.0.0.0/0"] }],
+});
+
+const db = new aws.rds.Instance(`${namePrefix}-pg`, {
+  engine: "postgres",
+  engineVersion: "16.4",
+  instanceClass: rdsInstanceClass,
+  allocatedStorage: 20,
+  storageEncrypted: true,
+  multiAz: env === "production",
+  username: "caelo_admin",
+  password: postgresPassword,
+  dbSubnetGroupName: dbSubnetGroup.name,
+  vpcSecurityGroupIds: [dbSecurityGroup.id],
+  backupRetentionPeriod: env === "production" ? 14 : 1,
+  skipFinalSnapshot: env !== "production",
+  deletionProtection: env === "production",
+  publiclyAccessible: false,
+  applyImmediately: env !== "production",
+});
+
+const adminDatabaseUrl = pulumi
+  .all([db.address, db.port, postgresPassword])
+  .apply(
+    ([host, port, pw]) =>
+      `postgresql://caelo_admin:${pw}@${host}:${port}/cms_admin?sslmode=require`,
+  );
+const publicDatabaseUrl = pulumi
+  .all([db.address, db.port, postgresPassword])
+  .apply(
+    ([host, port, pw]) =>
+      `postgresql://caelo_public:${pw}@${host}:${port}/cms_public?sslmode=require`,
+  );
+
+// === 4. S3 buckets ===
+const mediaBucket = new aws.s3.BucketV2(`${namePrefix}-media`, {
+  bucket: `${namePrefix}-media`,
+  forceDestroy: env !== "production",
+});
+const staticBucket = new aws.s3.BucketV2(`${namePrefix}-static`, {
+  bucket: `${namePrefix}-static`,
+  forceDestroy: env !== "production",
+});
+
+// Block public access — CloudFront reaches via OAI.
+for (const b of [mediaBucket, staticBucket]) {
+  new aws.s3.BucketPublicAccessBlock(`${b._name}-pab`, {
+    bucket: b.id,
+    blockPublicAcls: true,
+    blockPublicPolicy: true,
+    ignorePublicAcls: true,
+    restrictPublicBuckets: true,
+  });
+}
+
+const cdnOai = new aws.cloudfront.OriginAccessIdentity(`${namePrefix}-oai`, {
+  comment: `Caelo ${env} CloudFront → S3`,
+});
+
+// Bucket policies allow OAI read.
+for (const b of [mediaBucket, staticBucket]) {
+  new aws.s3.BucketPolicy(`${b._name}-policy`, {
+    bucket: b.id,
+    policy: pulumi.all([b.arn, cdnOai.iamArn]).apply(([arn, oaiArn]) =>
+      JSON.stringify({
+        Version: "2012-10-17",
+        Statement: [
+          {
+            Effect: "Allow",
+            Principal: { AWS: oaiArn },
+            Action: "s3:GetObject",
+            Resource: `${arn}/*`,
+          },
+        ],
+      }),
+    ),
+  });
+}
+
+// === 5. ACM cert (must be us-east-1 for CloudFront) ===
+const cert = new aws.acm.Certificate(
+  `${namePrefix}-cert`,
+  {
+    domainName: domain,
+    subjectAlternativeNames: [`staging.${domain}`, `*.${domain}`],
+    validationMethod: "DNS",
+  },
+  { provider: lambdaEdgeProvider },
+);
+
+// === 6. Lambda@Edge for A/B split + redirects ===
+//
+// Bundles @caelo-cms/edge-router's pure assignment helper. Real deployments
+// build this via a separate `bun build --target=node --bundle` step
+// then upload the zip; for v1 we inline a small handler that imports
+// the route logic from a sibling module.
+const edgeLambdaRole = new aws.iam.Role(
+  `${namePrefix}-edge-role`,
+  {
+    assumeRolePolicy: JSON.stringify({
+      Version: "2012-10-17",
+      Statement: [
+        {
+          Effect: "Allow",
+          Principal: { Service: ["lambda.amazonaws.com", "edgelambda.amazonaws.com"] },
+          Action: "sts:AssumeRole",
+        },
+      ],
+    }),
+  },
+  { provider: lambdaEdgeProvider },
+);
+new aws.iam.RolePolicyAttachment(
+  `${namePrefix}-edge-role-basic`,
+  {
+    role: edgeLambdaRole.name,
+    policyArn: "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
+  },
+  { provider: lambdaEdgeProvider },
+);
+
+const edgeLambda = new aws.lambda.Function(
+  `${namePrefix}-edge`,
+  {
+    role: edgeLambdaRole.arn,
+    runtime: "nodejs20.x",
+    handler: "index.handler",
+    timeout: 5,
+    publish: true, // L@E requires a published version, not $LATEST
+    code: new pulumi.asset.AssetArchive({
+      // The handler bundle is built by `bun run build:edge-aws` from
+      // packages/provisioning/stacks/aws/edge-handler.ts. Operators run
+      // that command before `pulumi up` — see this stack's README.md.
+      "index.js": new pulumi.asset.FileAsset(resolve(import.meta.dir, "edge-handler-bundle.js")),
+    }),
+  },
+  { provider: lambdaEdgeProvider },
+);
+
+// === 7. CloudFront distribution ===
+const distribution = new aws.cloudfront.Distribution(`${namePrefix}-cdn`, {
+  enabled: true,
+  isIpv6Enabled: true,
+  defaultRootObject: "index.html",
+  aliases: [domain, `staging.${domain}`],
+  origins: [
+    {
+      originId: "static",
+      domainName: staticBucket.bucketRegionalDomainName,
+      s3OriginConfig: { originAccessIdentity: cdnOai.cloudfrontAccessIdentityPath },
+    },
+    {
+      originId: "media",
+      domainName: mediaBucket.bucketRegionalDomainName,
+      s3OriginConfig: { originAccessIdentity: cdnOai.cloudfrontAccessIdentityPath },
+    },
+  ],
+  defaultCacheBehavior: {
+    targetOriginId: "static",
+    viewerProtocolPolicy: "redirect-to-https",
+    allowedMethods: ["GET", "HEAD"],
+    cachedMethods: ["GET", "HEAD"],
+    forwardedValues: { queryString: false, cookies: { forward: "none" } },
+    minTtl: 0,
+    defaultTtl: 60,
+    maxTtl: 86400,
+    lambdaFunctionAssociations: [
+      {
+        eventType: "viewer-request",
+        lambdaArn: edgeLambda.qualifiedArn,
+        includeBody: false,
+      },
+    ],
+  },
+  orderedCacheBehaviors: [
+    {
+      pathPattern: "/media/*",
+      targetOriginId: "media",
+      viewerProtocolPolicy: "redirect-to-https",
+      allowedMethods: ["GET", "HEAD"],
+      cachedMethods: ["GET", "HEAD"],
+      forwardedValues: { queryString: false, cookies: { forward: "none" } },
+      minTtl: 0,
+      defaultTtl: 31536000,
+      maxTtl: 31536000,
+    },
+  ],
+  viewerCertificate: {
+    acmCertificateArn: cert.arn,
+    sslSupportMethod: "sni-only",
+    minimumProtocolVersion: "TLSv1.2_2021",
+  },
+  restrictions: { geoRestriction: { restrictionType: "none" } },
+  customErrorResponses: [
+    { errorCode: 404, responseCode: 404, responsePagePath: "/404.html", errorCachingMinTtl: 60 },
+  ],
+});
+
+// === 8. ECS Fargate cluster + services ===
+//
+// Each Caelo service runs as its own Fargate service; sharing a cluster
+// keeps the per-month Fargate-cluster fee at zero (clusters are free).
+const cluster = new aws.ecs.Cluster(`${namePrefix}-ecs`, {
+  settings: [{ name: "containerInsights", value: "enabled" }],
+});
+
+const taskRole = new aws.iam.Role(`${namePrefix}-task-role`, {
+  assumeRolePolicy: JSON.stringify({
+    Version: "2012-10-17",
+    Statement: [
+      {
+        Effect: "Allow",
+        Principal: { Service: "ecs-tasks.amazonaws.com" },
+        Action: "sts:AssumeRole",
+      },
+    ],
+  }),
+});
+
+new aws.iam.RolePolicy(`${namePrefix}-task-secrets`, {
+  role: taskRole.id,
+  policy: pulumi
+    .all([
+      pgSecret.arn,
+      csrfSecretRes.arn,
+      cookieSecretRes.arn,
+      anthropicSecretRes.arn,
+      resendSecretRes.arn,
+    ])
+    .apply((arns) =>
+      JSON.stringify({
+        Version: "2012-10-17",
+        Statement: [{ Effect: "Allow", Action: "secretsmanager:GetSecretValue", Resource: arns }],
+      }),
+    ),
+});
+
+const execRole = new aws.iam.Role(`${namePrefix}-exec-role`, {
+  assumeRolePolicy: JSON.stringify({
+    Version: "2012-10-17",
+    Statement: [
+      {
+        Effect: "Allow",
+        Principal: { Service: "ecs-tasks.amazonaws.com" },
+        Action: "sts:AssumeRole",
+      },
+    ],
+  }),
+});
+new aws.iam.RolePolicyAttachment(`${namePrefix}-exec-managed`, {
+  role: execRole.name,
+  policyArn: "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy",
+});
+
+// === 9. Bootstrap token ===
+const tokenInfo = generateBootstrapToken();
+
+// === 10. Outputs (CloudAdapterOutputs shape) ===
+const dnsRecordsRequired: DnsRecord[] = [
+  {
+    hostname: domain,
+    type: "A",
+    value: distribution.domainName.toString(),
+    purpose: "Primary domain → CloudFront distribution (alias record)",
+  },
+  {
+    hostname: `staging.${domain}`,
+    type: "A",
+    value: distribution.domainName.toString(),
+    purpose: "Staging subdomain → CloudFront distribution (alias record)",
+  },
+];
+
+const out: CloudAdapterOutputs = {
+  adminDatabaseUrl: adminDatabaseUrl as unknown as string,
+  publicDatabaseUrl: publicDatabaseUrl as unknown as string,
+  mediaStorageUrl: pulumi.interpolate`s3://${mediaBucket.bucket}` as unknown as string,
+  mediaCdnBaseUrl:
+    pulumi.interpolate`https://${distribution.domainName}/media` as unknown as string,
+  bootstrapUrl:
+    pulumi.interpolate`https://${domain}/setup?token=${tokenInfo.token}` as unknown as string,
+  dnsRecordsRequired,
+  edgeLogSinkUrl:
+    pulumi.interpolate`cloudwatch://aws/lambda/${edgeLambda.name}` as unknown as string,
+  provider: "aws",
+  environment: env,
+};
+
+export const adminDatabaseUrlOut = out.adminDatabaseUrl;
+export const publicDatabaseUrlOut = out.publicDatabaseUrl;
+export const mediaStorageUrlOut = out.mediaStorageUrl;
+export const mediaCdnBaseUrlOut = out.mediaCdnBaseUrl;
+export const bootstrapUrlOut = out.bootstrapUrl;
+export const dnsRecordsRequiredOut = out.dnsRecordsRequired;
+export const edgeLogSinkUrlOut = out.edgeLogSinkUrl;
+export const providerOut = out.provider;
+export const environmentOut = out.environment;
+export const cloudfrontDomainOut = distribution.domainName;
+export const ecsClusterArnOut = cluster.arn;
+export const rdsAddressOut = db.address;
+
+// Note: the bootstrap token (and other secrets like postgres-password,
+// CSRF/cookie secrets, Anthropic key) are stored in Pulumi's encrypted
+// state via `pulumi.secret(...)`. Operators retrieve via
+// `pulumi stack output --show-secrets`.
+export const bootstrapTokenExpiresAtOut = tokenInfo.expiresAt;