@constructive-io/bucket-provisioner 0.2.0

package/LICENSE

@@ -0,0 +1,23 @@
+The MIT License (MIT)
+
+Copyright (c) 2025 Dan Lynch <pyramation@gmail.com>
+Copyright (c) 2025 Constructive <developers@constructive.io>
+Copyright (c) 2020-present, Interweb, Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,335 @@
+# @constructive-io/bucket-provisioner
+
+<p align="center" width="100%">
+  <img height="250" src="https://raw.githubusercontent.com/constructive-io/constructive/refs/heads/main/assets/outline-logo.svg" />
+</p>
+
+<p align="center" width="100%">
+  <a href="https://github.com/constructive-io/constructive/actions/workflows/run-tests.yaml">
+    <img height="20" src="https://github.com/constructive-io/constructive/actions/workflows/run-tests.yaml/badge.svg" />
+  </a>
+   <a href="https://github.com/constructive-io/constructive/blob/main/LICENSE"><img height="20" src="https://img.shields.io/badge/license-MIT-blue.svg"/></a>
+   <a href="https://www.npmjs.com/package/@constructive-io/bucket-provisioner"><img height="20" src="https://img.shields.io/github/package-json/v/constructive-io/constructive?filename=packages%2Fbucket-provisioner%2Fpackage.json"/></a>
+</p>
+
+S3-compatible bucket provisioning library for the Constructive storage module. Creates and configures buckets with the correct privacy policies, CORS rules, versioning, and lifecycle settings for private, public, and temporary file storage.
+
+## Features
+
+- **Privacy enforcement** — Block All Public Access for private/temp buckets, public-read policy for public buckets
+- **CORS configuration** — Browser-compatible rules for presigned URL uploads
+- **Lifecycle rules** — Auto-cleanup for temp buckets (abandoned uploads)
+- **Versioning** — Optional S3 versioning for durability
+- **Multi-provider** — Works with AWS S3, MinIO, Cloudflare R2, Google Cloud Storage, and DigitalOcean Spaces
+- **Inspect/audit** — Read back a bucket's current configuration for verification
+- **Typed errors** — Structured `ProvisionerError` with error codes for programmatic handling
+
+## Installation
+
+```bash
+pnpm add @constructive-io/bucket-provisioner
+```
+
+## Quick Start
+
+```typescript
+import { BucketProvisioner } from '@constructive-io/bucket-provisioner';
+
+const provisioner = new BucketProvisioner({
+  connection: {
+    provider: 'minio',
+    region: 'us-east-1',
+    endpoint: 'http://minio:9000',
+    accessKeyId: 'minioadmin',
+    secretAccessKey: 'minioadmin',
+  },
+  allowedOrigins: ['https://app.example.com'],
+});
+
+// Provision a private bucket (presigned URLs only)
+const result = await provisioner.provision({
+  bucketName: 'my-app-private',
+  accessType: 'private',
+  versioning: true,
+});
+
+console.log(result);
+// {
+//   bucketName: 'my-app-private',
+//   accessType: 'private',
+//   blockPublicAccess: true,
+//   versioning: true,
+//   corsRules: [...],
+//   lifecycleRules: [],
+//   ...
+// }
+```
+
+## Usage
+
+### Provision a Public Bucket
+
+Public buckets serve files via direct URL or CDN. The provisioner applies a public-read bucket policy and configures CORS for browser uploads.
+
+```typescript
+const result = await provisioner.provision({
+  bucketName: 'my-app-public',
+  accessType: 'public',
+  publicUrlPrefix: 'https://cdn.example.com/public',
+});
+// result.blockPublicAccess === false
+// result.publicUrlPrefix === 'https://cdn.example.com/public'
+```
+
+### Provision a Temp Bucket
+
+Temp buckets are staging areas for uploads. They behave like private buckets but include a lifecycle rule to auto-delete objects after a configurable period.
+
+```typescript
+const result = await provisioner.provision({
+  bucketName: 'my-app-temp',
+  accessType: 'temp',
+});
+// result.lifecycleRules[0].id === 'temp-cleanup'
+// result.lifecycleRules[0].expirationDays === 1
+```
+
+### Inspect an Existing Bucket
+
+Read back a bucket's current configuration to verify it matches expectations.
+
+```typescript
+const config = await provisioner.inspect('my-app-private', 'private');
+console.log(config.blockPublicAccess); // true
+console.log(config.versioning);        // true
+console.log(config.corsRules.length);  // 1
+```
+
+### Use with AWS S3
+
+For AWS S3, no endpoint is needed — just region and credentials.
+
+```typescript
+const provisioner = new BucketProvisioner({
+  connection: {
+    provider: 's3',
+    region: 'us-west-2',
+    accessKeyId: process.env.AWS_ACCESS_KEY_ID!,
+    secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY!,
+  },
+  allowedOrigins: ['https://app.example.com'],
+});
+```
+
+### Use with Cloudflare R2
+
+```typescript
+const provisioner = new BucketProvisioner({
+  connection: {
+    provider: 'r2',
+    region: 'auto',
+    endpoint: `https://${ACCOUNT_ID}.r2.cloudflarestorage.com`,
+    accessKeyId: R2_ACCESS_KEY,
+    secretAccessKey: R2_SECRET_KEY,
+  },
+  allowedOrigins: ['https://app.example.com'],
+});
+```
+
+## API
+
+### `BucketProvisioner`
+
+The main class that orchestrates bucket creation and configuration.
+
+#### `new BucketProvisioner(options)`
+
+| Option | Type | Description |
+|--------|------|-------------|
+| `connection.provider` | `'s3' \| 'minio' \| 'r2' \| 'gcs' \| 'spaces'` | Storage provider type |
+| `connection.region` | `string` | S3 region (e.g., `'us-east-1'`) |
+| `connection.endpoint` | `string?` | S3-compatible endpoint URL. Required for non-AWS providers. |
+| `connection.accessKeyId` | `string` | AWS access key ID |
+| `connection.secretAccessKey` | `string` | AWS secret access key |
+| `connection.forcePathStyle` | `boolean?` | Force path-style URLs (auto-detected per provider) |
+| `allowedOrigins` | `string[]` | Domains allowed for CORS (e.g., `['https://app.example.com']`) |
+
+#### `provisioner.provision(options): Promise<ProvisionResult>`
+
+Creates and configures a bucket. Steps:
+
+1. Creates the bucket (or verifies it exists)
+2. Configures Block Public Access
+3. Applies bucket policy (public-read or none)
+4. Sets CORS rules for presigned URL uploads
+5. Optionally enables versioning
+6. Adds lifecycle rules for temp buckets
+
+| Option | Type | Description |
+|--------|------|-------------|
+| `bucketName` | `string` | S3 bucket name |
+| `accessType` | `'public' \| 'private' \| 'temp'` | Determines which policies are applied |
+| `region` | `string?` | Override region for this bucket |
+| `versioning` | `boolean?` | Enable S3 versioning (default: `false`) |
+| `publicUrlPrefix` | `string?` | CDN/public URL for public buckets |
+
+#### `provisioner.inspect(bucketName, accessType): Promise<ProvisionResult>`
+
+Reads back a bucket's current configuration (policy, CORS, versioning, lifecycle).
+
+#### `provisioner.getClient(): S3Client`
+
+Returns the underlying `@aws-sdk/client-s3` S3Client for advanced operations.
+
+#### `provisioner.bucketExists(bucketName): Promise<boolean>`
+
+Checks if a bucket exists and is accessible.
+
+### Policy Builders
+
+Standalone functions for generating S3 policy documents.
+
+#### `getPublicAccessBlock(accessType)`
+
+Returns the Block Public Access configuration for a given access type.
+
+#### `buildPublicReadPolicy(bucketName, keyPrefix?)`
+
+Builds a public-read bucket policy document.
+
+#### `buildCloudFrontOacPolicy(bucketName, distributionArn, keyPrefix?)`
+
+Builds a CloudFront Origin Access Control bucket policy.
+
+#### `buildPresignedUrlIamPolicy(bucketName)`
+
+Builds the minimum-permission IAM policy for the presigned URL plugin.
+
+### CORS Builders
+
+#### `buildUploadCorsRules(allowedOrigins, maxAgeSeconds?)`
+
+CORS rules for public/temp buckets (PUT, GET, HEAD).
+
+#### `buildPrivateCorsRules(allowedOrigins, maxAgeSeconds?)`
+
+CORS rules for private buckets (PUT, HEAD only — no GET).
+
+### Lifecycle Builders
+
+#### `buildTempCleanupRule(expirationDays?, prefix?)`
+
+Lifecycle rule for auto-expiring temp bucket objects.
+
+#### `buildAbortIncompleteMultipartRule(days?)`
+
+Lifecycle rule for cleaning up incomplete multipart uploads.
+
+### Error Handling
+
+All errors thrown by the provisioner are instances of `ProvisionerError`:
+
+```typescript
+import { ProvisionerError } from '@constructive-io/bucket-provisioner';
+
+try {
+  await provisioner.provision({ bucketName: 'test', accessType: 'private' });
+} catch (err) {
+  if (err instanceof ProvisionerError) {
+    console.error(err.code);    // 'POLICY_FAILED', 'CORS_FAILED', etc.
+    console.error(err.message); // Human-readable description
+    console.error(err.cause);   // Original AWS SDK error
+  }
+}
+```
+
+Error codes:
+
+| Code | Description |
+|------|-------------|
+| `CONNECTION_FAILED` | Could not connect to the storage endpoint |
+| `BUCKET_ALREADY_EXISTS` | Bucket exists and is owned by another account |
+| `BUCKET_NOT_FOUND` | Bucket does not exist (for inspect/read operations) |
+| `INVALID_CONFIG` | Invalid configuration (missing credentials, origins, etc.) |
+| `POLICY_FAILED` | Failed to apply Block Public Access or bucket policy |
+| `CORS_FAILED` | Failed to set CORS configuration |
+| `LIFECYCLE_FAILED` | Failed to set lifecycle rules |
+| `VERSIONING_FAILED` | Failed to enable versioning |
+| `ACCESS_DENIED` | Credentials lack required permissions |
+| `PROVIDER_ERROR` | Generic provider error (check `cause` for details) |
+
+## Privacy Model
+
+| Access Type | Block Public Access | Bucket Policy | CORS Methods | Lifecycle |
+|-------------|-------------------|---------------|--------------|-----------|
+| `private` | All blocked | None (deleted) | PUT, HEAD | None |
+| `public` | Partially relaxed | Public-read | PUT, GET, HEAD | None |
+| `temp` | All blocked | None (deleted) | PUT, GET, HEAD | Auto-expire (1 day) |
+
+## Provider Notes
+
+| Provider | Endpoint Required | Path Style | Notes |
+|----------|------------------|------------|-------|
+| `s3` | No | Virtual-hosted | AWS default |
+| `minio` | Yes | Path-style | Local development, self-hosted |
+| `r2` | Yes | Path-style | Cloudflare R2 |
+| `gcs` | Yes | Path-style | GCS S3-compatible API |
+| `spaces` | Yes | Virtual-hosted | DigitalOcean Spaces |
+
+---
+
+## Education and Tutorials
+
+ 1. 🚀 [Quickstart: Getting Up and Running](https://constructive.io/learn/quickstart)
+Get started with modular databases in minutes. Install prerequisites and deploy your first module.
+
+ 2. 📦 [Modular PostgreSQL Development with Database Packages](https://constructive.io/learn/modular-postgres)
+Learn to organize PostgreSQL projects with pgpm workspaces and reusable database modules.
+
+ 3. ✏️ [Authoring Database Changes](https://constructive.io/learn/authoring-database-changes)
+Master the workflow for adding, organizing, and managing database changes with pgpm.
+
+ 4. 🧪 [End-to-End PostgreSQL Testing with TypeScript](https://constructive.io/learn/e2e-postgres-testing)
+Master end-to-end PostgreSQL testing with ephemeral databases, RLS testing, and CI/CD automation.
+
+ 5. ⚡ [Supabase Testing](https://constructive.io/learn/supabase)
+Use TypeScript-first tools to test Supabase projects with realistic RLS, policies, and auth contexts.
+
+ 6. 💧 [Drizzle ORM Testing](https://constructive.io/learn/drizzle-testing)
+Run full-stack tests with Drizzle ORM, including database setup, teardown, and RLS enforcement.
+
+ 7. 🔧 [Troubleshooting](https://constructive.io/learn/troubleshooting)
+Common issues and solutions for pgpm, PostgreSQL, and testing.
+
+## Related Constructive Tooling
+
+### 📦 Package Management
+
+* [pgpm](https://github.com/constructive-io/constructive/tree/main/pgpm/pgpm): **🖥️ PostgreSQL Package Manager** for modular Postgres development. Works with database workspaces, scaffolding, migrations, seeding, and installing database packages.
+
+### 🧪 Testing
+
+* [pgsql-test](https://github.com/constructive-io/constructive/tree/main/postgres/pgsql-test): **📊 Isolated testing environments** with per-test transaction rollbacks—ideal for integration tests, complex migrations, and RLS simulation.
+* [pgsql-seed](https://github.com/constructive-io/constructive/tree/main/postgres/pgsql-seed): **🌱 PostgreSQL seeding utilities** for CSV, JSON, SQL data loading, and pgpm deployment.
+* [supabase-test](https://github.com/constructive-io/constructive/tree/main/postgres/supabase-test): **🧪 Supabase-native test harness** preconfigured for the local Supabase stack—per-test rollbacks, JWT/role context helpers, and CI/GitHub Actions ready.
+* [graphile-test](https://github.com/constructive-io/constructive/tree/main/graphile/graphile-test): **🔐 Authentication mocking** for Graphile-focused test helpers and emulating row-level security contexts.
+* [pg-query-context](https://github.com/constructive-io/constructive/tree/main/postgres/pg-query-context): **🔒 Session context injection** to add session-local context (e.g., `SET LOCAL`) into queries—ideal for setting `role`, `jwt.claims`, and other session settings.
+
+### 🧠 Parsing & AST
+
+* [pgsql-parser](https://www.npmjs.com/package/pgsql-parser): **🔄 SQL conversion engine** that interprets and converts PostgreSQL syntax.
+* [libpg-query-node](https://www.npmjs.com/package/libpg-query): **🌉 Node.js bindings** for `libpg_query`, converting SQL into parse trees.
+* [pg-proto-parser](https://www.npmjs.com/package/pg-proto-parser): **📦 Protobuf parser** for parsing PostgreSQL Protocol Buffers definitions to generate TypeScript interfaces, utility functions, and JSON mappings for enums.
+* [@pgsql/enums](https://www.npmjs.com/package/@pgsql/enums): **🏷️ TypeScript enums** for PostgreSQL AST for safe and ergonomic parsing logic.
+* [@pgsql/types](https://www.npmjs.com/package/@pgsql/types): **📝 Type definitions** for PostgreSQL AST nodes in TypeScript.
+* [@pgsql/utils](https://www.npmjs.com/package/@pgsql/utils): **🛠️ AST utilities** for constructing and transforming PostgreSQL syntax trees.
+
+## Credits
+
+**🛠 Built by the [Constructive](https://constructive.io) team — creators of modular Postgres tooling for secure, composable backends. If you like our work, contribute on [GitHub](https://github.com/constructive-io).**
+
+## Disclaimer
+
+AS DESCRIBED IN THE LICENSES, THE SOFTWARE IS PROVIDED "AS IS", AT YOUR OWN RISK, AND WITHOUT WARRANTIES OF ANY KIND.
+
+No developer or entity involved in creating this software will be liable for any claims or damages whatsoever associated with your use, inability to use, or your interaction with other users of the code, including any direct, indirect, incidental, special, exemplary, punitive or consequential damages, or loss of profits, cryptocurrencies, tokens, or anything else of value.

package/client.d.ts

@@ -0,0 +1,19 @@
+/**
+ * S3 client factory.
+ *
+ * Creates a configured S3Client from a StorageConnectionConfig.
+ * Handles provider-specific settings (path-style for MinIO, etc.).
+ */
+import { S3Client } from '@aws-sdk/client-s3';
+import type { StorageConnectionConfig } from './types';
+/**
+ * Create an S3Client from a storage connection config.
+ *
+ * Provider-specific defaults:
+ * - `minio`: forces path-style URLs (required by MinIO)
+ * - `r2`: forces path-style URLs (required by Cloudflare R2)
+ * - `s3`: uses virtual-hosted style (AWS default)
+ * - `gcs`: forces path-style URLs (GCS S3-compatible API)
+ * - `spaces`: uses virtual-hosted style (DigitalOcean default)
+ */
+export declare function createS3Client(config: StorageConnectionConfig): S3Client;

package/client.js

@@ -0,0 +1,45 @@
+"use strict";
+/**
+ * S3 client factory.
+ *
+ * Creates a configured S3Client from a StorageConnectionConfig.
+ * Handles provider-specific settings (path-style for MinIO, etc.).
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createS3Client = createS3Client;
+const client_s3_1 = require("@aws-sdk/client-s3");
+const types_1 = require("./types");
+/**
+ * Create an S3Client from a storage connection config.
+ *
+ * Provider-specific defaults:
+ * - `minio`: forces path-style URLs (required by MinIO)
+ * - `r2`: forces path-style URLs (required by Cloudflare R2)
+ * - `s3`: uses virtual-hosted style (AWS default)
+ * - `gcs`: forces path-style URLs (GCS S3-compatible API)
+ * - `spaces`: uses virtual-hosted style (DigitalOcean default)
+ */
+function createS3Client(config) {
+    if (!config.accessKeyId || !config.secretAccessKey) {
+        throw new types_1.ProvisionerError('INVALID_CONFIG', 'accessKeyId and secretAccessKey are required');
+    }
+    if (!config.region) {
+        throw new types_1.ProvisionerError('INVALID_CONFIG', 'region is required');
+    }
+    // Providers that require path-style URLs
+    const pathStyleProviders = new Set(['minio', 'r2', 'gcs']);
+    const forcePathStyle = config.forcePathStyle ?? pathStyleProviders.has(config.provider);
+    // Non-AWS providers require an endpoint
+    if (config.provider !== 's3' && !config.endpoint) {
+        throw new types_1.ProvisionerError('INVALID_CONFIG', `endpoint is required for provider '${config.provider}'`);
+    }
+    return new client_s3_1.S3Client({
+        region: config.region,
+        endpoint: config.endpoint,
+        forcePathStyle,
+        credentials: {
+            accessKeyId: config.accessKeyId,
+            secretAccessKey: config.secretAccessKey,
+        },
+    });
+}

package/cors.d.ts

@@ -0,0 +1,33 @@
+/**
+ * CORS configuration builders.
+ *
+ * Generates CORS rules for S3 buckets to allow browser-based
+ * presigned URL uploads. Without CORS, the browser will block
+ * the cross-origin PUT request to the S3 endpoint.
+ */
+import type { CorsRule } from './types';
+/**
+ * Build the default CORS rules for presigned URL uploads.
+ *
+ * This allows:
+ * - PUT: for presigned uploads from the browser
+ * - GET: for presigned downloads and public file access
+ * - HEAD: for confirmUpload verification and cache headers
+ *
+ * @param allowedOrigins - Domains allowed to make cross-origin requests.
+ *                          Use specific domains in production (e.g., ["https://app.example.com"]).
+ *                          Never use ["*"] in production.
+ * @param maxAgeSeconds - Preflight cache duration (default: 3600 = 1 hour)
+ */
+export declare function buildUploadCorsRules(allowedOrigins: string[], maxAgeSeconds?: number): CorsRule[];
+/**
+ * Build restrictive CORS rules for private-only buckets.
+ *
+ * Similar to upload CORS but without GET (private files use
+ * presigned URLs which include auth in the query string,
+ * so CORS is less of a concern for downloads).
+ *
+ * @param allowedOrigins - Domains allowed to make cross-origin requests.
+ * @param maxAgeSeconds - Preflight cache duration (default: 3600 = 1 hour)
+ */
+export declare function buildPrivateCorsRules(allowedOrigins: string[], maxAgeSeconds?: number): CorsRule[];

package/cors.js

@@ -0,0 +1,88 @@
+"use strict";
+/**
+ * CORS configuration builders.
+ *
+ * Generates CORS rules for S3 buckets to allow browser-based
+ * presigned URL uploads. Without CORS, the browser will block
+ * the cross-origin PUT request to the S3 endpoint.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.buildUploadCorsRules = buildUploadCorsRules;
+exports.buildPrivateCorsRules = buildPrivateCorsRules;
+/**
+ * Build the default CORS rules for presigned URL uploads.
+ *
+ * This allows:
+ * - PUT: for presigned uploads from the browser
+ * - GET: for presigned downloads and public file access
+ * - HEAD: for confirmUpload verification and cache headers
+ *
+ * @param allowedOrigins - Domains allowed to make cross-origin requests.
+ *                          Use specific domains in production (e.g., ["https://app.example.com"]).
+ *                          Never use ["*"] in production.
+ * @param maxAgeSeconds - Preflight cache duration (default: 3600 = 1 hour)
+ */
+function buildUploadCorsRules(allowedOrigins, maxAgeSeconds = 3600) {
+    if (allowedOrigins.length === 0) {
+        throw new Error('allowedOrigins must contain at least one origin');
+    }
+    return [
+        {
+            allowedOrigins,
+            allowedMethods: ['PUT', 'GET', 'HEAD'],
+            allowedHeaders: [
+                'Content-Type',
+                'Content-Length',
+                'Content-MD5',
+                'x-amz-content-sha256',
+                'x-amz-date',
+                'x-amz-security-token',
+                'Authorization',
+            ],
+            exposedHeaders: [
+                'ETag',
+                'Content-Length',
+                'Content-Type',
+                'x-amz-request-id',
+                'x-amz-id-2',
+            ],
+            maxAgeSeconds,
+        },
+    ];
+}
+/**
+ * Build restrictive CORS rules for private-only buckets.
+ *
+ * Similar to upload CORS but without GET (private files use
+ * presigned URLs which include auth in the query string,
+ * so CORS is less of a concern for downloads).
+ *
+ * @param allowedOrigins - Domains allowed to make cross-origin requests.
+ * @param maxAgeSeconds - Preflight cache duration (default: 3600 = 1 hour)
+ */
+function buildPrivateCorsRules(allowedOrigins, maxAgeSeconds = 3600) {
+    if (allowedOrigins.length === 0) {
+        throw new Error('allowedOrigins must contain at least one origin');
+    }
+    return [
+        {
+            allowedOrigins,
+            allowedMethods: ['PUT', 'HEAD'],
+            allowedHeaders: [
+                'Content-Type',
+                'Content-Length',
+                'Content-MD5',
+                'x-amz-content-sha256',
+                'x-amz-date',
+                'x-amz-security-token',
+                'Authorization',
+            ],
+            exposedHeaders: [
+                'ETag',
+                'Content-Length',
+                'x-amz-request-id',
+            ],
+            maxAgeSeconds,
+        },
+    ];
+}

package/esm/client.d.ts

@@ -0,0 +1,19 @@
+/**
+ * S3 client factory.
+ *
+ * Creates a configured S3Client from a StorageConnectionConfig.
+ * Handles provider-specific settings (path-style for MinIO, etc.).
+ */
+import { S3Client } from '@aws-sdk/client-s3';
+import type { StorageConnectionConfig } from './types';
+/**
+ * Create an S3Client from a storage connection config.
+ *
+ * Provider-specific defaults:
+ * - `minio`: forces path-style URLs (required by MinIO)
+ * - `r2`: forces path-style URLs (required by Cloudflare R2)
+ * - `s3`: uses virtual-hosted style (AWS default)
+ * - `gcs`: forces path-style URLs (GCS S3-compatible API)
+ * - `spaces`: uses virtual-hosted style (DigitalOcean default)
+ */
+export declare function createS3Client(config: StorageConnectionConfig): S3Client;

package/esm/client.js

@@ -0,0 +1,42 @@
+/**
+ * S3 client factory.
+ *
+ * Creates a configured S3Client from a StorageConnectionConfig.
+ * Handles provider-specific settings (path-style for MinIO, etc.).
+ */
+import { S3Client } from '@aws-sdk/client-s3';
+import { ProvisionerError } from './types';
+/**
+ * Create an S3Client from a storage connection config.
+ *
+ * Provider-specific defaults:
+ * - `minio`: forces path-style URLs (required by MinIO)
+ * - `r2`: forces path-style URLs (required by Cloudflare R2)
+ * - `s3`: uses virtual-hosted style (AWS default)
+ * - `gcs`: forces path-style URLs (GCS S3-compatible API)
+ * - `spaces`: uses virtual-hosted style (DigitalOcean default)
+ */
+export function createS3Client(config) {
+    if (!config.accessKeyId || !config.secretAccessKey) {
+        throw new ProvisionerError('INVALID_CONFIG', 'accessKeyId and secretAccessKey are required');
+    }
+    if (!config.region) {
+        throw new ProvisionerError('INVALID_CONFIG', 'region is required');
+    }
+    // Providers that require path-style URLs
+    const pathStyleProviders = new Set(['minio', 'r2', 'gcs']);
+    const forcePathStyle = config.forcePathStyle ?? pathStyleProviders.has(config.provider);
+    // Non-AWS providers require an endpoint
+    if (config.provider !== 's3' && !config.endpoint) {
+        throw new ProvisionerError('INVALID_CONFIG', `endpoint is required for provider '${config.provider}'`);
+    }
+    return new S3Client({
+        region: config.region,
+        endpoint: config.endpoint,
+        forcePathStyle,
+        credentials: {
+            accessKeyId: config.accessKeyId,
+            secretAccessKey: config.secretAccessKey,
+        },
+    });
+}

package/esm/cors.d.ts

@@ -0,0 +1,33 @@
+/**
+ * CORS configuration builders.
+ *
+ * Generates CORS rules for S3 buckets to allow browser-based
+ * presigned URL uploads. Without CORS, the browser will block
+ * the cross-origin PUT request to the S3 endpoint.
+ */
+import type { CorsRule } from './types';
+/**
+ * Build the default CORS rules for presigned URL uploads.
+ *
+ * This allows:
+ * - PUT: for presigned uploads from the browser
+ * - GET: for presigned downloads and public file access
+ * - HEAD: for confirmUpload verification and cache headers
+ *
+ * @param allowedOrigins - Domains allowed to make cross-origin requests.
+ *                          Use specific domains in production (e.g., ["https://app.example.com"]).
+ *                          Never use ["*"] in production.
+ * @param maxAgeSeconds - Preflight cache duration (default: 3600 = 1 hour)
+ */
+export declare function buildUploadCorsRules(allowedOrigins: string[], maxAgeSeconds?: number): CorsRule[];
+/**
+ * Build restrictive CORS rules for private-only buckets.
+ *
+ * Similar to upload CORS but without GET (private files use
+ * presigned URLs which include auth in the query string,
+ * so CORS is less of a concern for downloads).
+ *
+ * @param allowedOrigins - Domains allowed to make cross-origin requests.
+ * @param maxAgeSeconds - Preflight cache duration (default: 3600 = 1 hour)
+ */
+export declare function buildPrivateCorsRules(allowedOrigins: string[], maxAgeSeconds?: number): CorsRule[];