@daisy-workflow/plugin-aws-s3 0.1.0

package/.dockerignore

@@ -0,0 +1,9 @@
+.git
+.gitignore
+.DS_Store
+node_modules
+npm-debug.log
+*.tgz
+README.md
+LICENSE
+publish-docker.sh

package/.github/workflows/release.yml

@@ -0,0 +1,185 @@
+# ============================================================================
+# Release pipeline
+# ============================================================================
+# Fires on a SemVer tag push (vMAJOR.MINOR.PATCH). Publishes the package to
+# the npm registry and the container image to Docker Hub, then cuts a
+# GitHub Release with auto-generated notes.
+#
+# To release:
+#   1. Bump "version" in package.json
+#   2. git commit + git push
+#   3. git tag v0.1.0 && git push origin v0.1.0
+#   4. Sit back — GitHub Actions does the rest.
+#
+# Required repository secrets (Settings → Secrets and variables → Actions):
+#   NPM_TOKEN          npm automation token with publish access to the
+#                      @daisy-workflow scope. Create at npmjs.com → Access
+#                      Tokens → Generate New Token → Automation.
+#   DOCKERHUB_USERNAME Docker Hub user that owns the daisy-plugin-* images
+#                      (currently: vivek13186).
+#   DOCKERHUB_TOKEN    Docker Hub access token (Account → Security →
+#                      New Access Token, read + write + delete).
+#
+# Derived values (no need to edit per repo):
+#   npm name   = read from package.json (e.g. @daisy-workflow/plugin-jira)
+#   docker img = vivek13186/daisy-<plugin-name>  (e.g. vivek13186/daisy-plugin-jira)
+#   version    = read from package.json; tag must match.
+#
+# Action versions:
+#   actions/checkout@v5 and actions/setup-node@v5 run on Node 24 — required
+#   to avoid the deprecation warning announced 2025-09-19, where GitHub
+#   begins migrating JavaScript-based actions off Node 20 on 2026-06-02.
+#   The docker/* actions (login@v3, setup-buildx@v3, setup-qemu@v3,
+#   build-push@v6) are already on majors that ship Node 24-compatible
+#   minor releases, so no version bump needed there.
+# ============================================================================
+
+name: release
+
+on:
+  push:
+    tags:
+      - "v*.*.*"
+  workflow_dispatch:
+    # Manual fallback — useful when a previous run failed half-way through
+    # and we want to re-publish without bumping the tag.
+
+permissions:
+  contents: write   # for `gh release create`
+  id-token: write   # for `npm publish --provenance`
+
+jobs:
+
+  # --------------------------------------------------------------------------
+  # 1. Verify — package.json sanity check + derive image name once.
+  # --------------------------------------------------------------------------
+  verify:
+    name: Verify version
+    runs-on: ubuntu-latest
+    outputs:
+      version: ${{ steps.read.outputs.version }}
+      image:   ${{ steps.read.outputs.image }}
+      npm:     ${{ steps.read.outputs.npm }}
+    steps:
+      - uses: actions/checkout@v5
+
+      - name: Read package.json
+        id: read
+        shell: bash
+        run: |
+          VERSION=$(node -p "require('./package.json').version")
+          NPM_NAME=$(node -p "require('./package.json').name")
+          # Strip the @daisy-workflow/ scope to get the short plugin name,
+          # then prefix with the Docker Hub namespace + daisy- convention.
+          SHORT_NAME="${NPM_NAME#@daisy-workflow/}"
+          IMAGE="vivek13186/daisy-${SHORT_NAME}"
+          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
+          echo "npm=$NPM_NAME"    >> "$GITHUB_OUTPUT"
+          echo "image=$IMAGE"     >> "$GITHUB_OUTPUT"
+          echo "::notice::Releasing $NPM_NAME@$VERSION → $IMAGE:$VERSION"
+
+      - name: Check tag matches package.json
+        if: github.event_name == 'push'
+        shell: bash
+        run: |
+          TAG="${GITHUB_REF#refs/tags/}"
+          EXPECTED="v${{ steps.read.outputs.version }}"
+          if [ "$TAG" != "$EXPECTED" ]; then
+            echo "::error::Tag '$TAG' does not match package.json version '$EXPECTED'."
+            echo "Either fix the tag or bump package.json before tagging."
+            exit 1
+          fi
+
+  # --------------------------------------------------------------------------
+  # 2. npm — publish with provenance attestation.
+  # --------------------------------------------------------------------------
+  npm:
+    name: Publish to npm
+    needs: verify
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+
+      - uses: actions/setup-node@v5   # v5 runs on Node 24
+        with:
+          node-version: "22"           # Node version used to BUILD/PUBLISH the package (independent of the runtime above)
+          registry-url: "https://registry.npmjs.org"
+
+      - name: Install dependencies
+        run: npm install --omit=dev
+
+      - name: npm publish
+        # --access public is required for scoped packages on the free tier.
+        # --provenance ties the package to this exact workflow run; npm
+        # surfaces it as a "verified" badge on the package page.
+        run: npm publish --access public --provenance
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+
+  # --------------------------------------------------------------------------
+  # 3. Docker — multi-arch build + push to Docker Hub.
+  # --------------------------------------------------------------------------
+  docker:
+    name: Build & push Docker image
+    needs: verify
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+
+      - name: Set up QEMU
+        # Lets us cross-compile arm64 on an amd64 GitHub runner.
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Build & push (linux/amd64, linux/arm64)
+        uses: docker/build-push-action@v6
+        with:
+          context:   .
+          file:      ./Dockerfile
+          platforms: linux/amd64,linux/arm64
+          push:      true
+          tags: |
+            ${{ needs.verify.outputs.image }}:${{ needs.verify.outputs.version }}
+            ${{ needs.verify.outputs.image }}:latest
+          # GitHub Actions cache keeps subsequent builds fast (especially
+          # the arm64 leg, which would otherwise emulate from scratch).
+          cache-from: type=gha
+          cache-to:   type=gha,mode=max
+          # OCI labels so the image is self-describing on Docker Hub.
+          labels: |
+            org.opencontainers.image.title=${{ needs.verify.outputs.npm }}
+            org.opencontainers.image.version=${{ needs.verify.outputs.version }}
+            org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }}
+            org.opencontainers.image.revision=${{ github.sha }}
+            org.opencontainers.image.licenses=MIT
+
+  # --------------------------------------------------------------------------
+  # 4. Cut a GitHub Release with notes generated from commit history.
+  #    Skipped on workflow_dispatch — manual re-publishes don't create a
+  #    release because there's no new tag to attach it to.
+  # --------------------------------------------------------------------------
+  github-release:
+    name: GitHub release
+    needs: [verify, npm, docker]
+    if: github.event_name == 'push'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          fetch-depth: 0   # full history so generate-notes can diff to prev tag
+
+      - name: Create release
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          gh release create "${GITHUB_REF#refs/tags/}" \
+            --title "v${{ needs.verify.outputs.version }}" \
+            --generate-notes

package/Dockerfile

@@ -0,0 +1,20 @@
+# aws-s3 plugin — one container, one endpoint, many operations.
+#
+# Self-contained: pulls @daisy-workflow/plugin-sdk from npm; no
+# repo-root build context needed. No native or system dependencies —
+# SigV4 (both header-based and query-string presigned) is hand-rolled
+# against node:crypto.
+
+FROM node:22-alpine
+WORKDIR /workspace
+
+COPY package.json ./
+RUN npm install --omit=dev
+
+COPY . ./
+
+ENV PORT=8080
+EXPOSE 8080
+USER node
+
+CMD ["node", "index.js"]

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Vivek Gangadharan
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,163 @@
+# aws-s3 plugin for Daisy-workflow
+
+One Daisy node that talks to **AWS S3 specifically** — with full
+support for AWS-only features: storage classes, server-side encryption,
+KMS, object tags, requester pays, and presigned URLs. Mirrors n8n's
+[AWS S3 node](https://docs.n8n.io/integrations/builtin/app-nodes/n8n-nodes-base.awss3/).
+
+[![Docker Hub](https://img.shields.io/badge/Docker%20Hub-Image-blue?logo=docker)](https://hub.docker.com/repository/docker/vivek13186/daisy-plugin-aws-s3)
+
+
+> Need Wasabi, MinIO, Cloudflare R2, DigitalOcean Spaces, Backblaze B2,
+> or another S3-compatible provider? Use the **generic `s3` plugin**
+> instead — it accepts an arbitrary endpoint and `forcePathStyle`.
+
+The action is selected per-node via the **operation** dropdown.
+
+## Operations
+
+| operation | What it does |
+|---|---|
+| `bucket.getAll`     | List all buckets the credential has access to. |
+| `bucket.create`     | Create a new bucket. Sends `LocationConstraint` when region ≠ us-east-1. |
+| `bucket.delete`     | Delete a bucket (bucket must be empty). |
+| `bucket.search`     | List objects in a bucket matching a `prefix`. |
+| `bucket.location`   | Get the bucket's region (`?location` API). |
+| `file.getAll`       | List objects with optional `prefix` + pagination. |
+| `file.head`         | Get object metadata only (no body) — content-type, size, storage class, SSE config, user metadata. |
+| `file.upload`       | PUT an object. Supports `storageClass`, `serverSideEncryption`, `ssekmsKeyId`, `tags`, `acl`, `requesterPays`. |
+| `file.download`     | GET an object. Body returned as `base64` (default) or `utf8`. |
+| `file.copy`         | Copy with optional destination SSE / storage class / tags. |
+| `file.delete`       | Delete an object. |
+| `file.presignedUrl` | Generate a time-limited URL that anyone can use to GET (or PUT) the object — no API call, pure crypto. |
+| `folder.create`     | Create a "folder" placeholder (empty object with key ending in `/`). |
+| `folder.getAll`     | List "folders" using `delimiter` (default `/`) → CommonPrefixes. |
+| `folder.delete`     | Recursively delete everything under a prefix via bulk MultiObjectDelete. |
+
+## Configure auth
+
+Create one **generic** config on the **Configurations** page (default
+name `aws-s3`):
+
+| Key               | Example                                       | Notes                                              |
+|-------------------|-----------------------------------------------|----------------------------------------------------|
+| `accessKeyId`     | `AKIA…`                                       | IAM user or role access key                        |
+| `secretAccessKey` | `…`                                           |                                                    |
+| `region`          | `us-east-1` / `eu-central-1` / `ap-south-1`   | Drives the endpoint and the SigV4 signing region   |
+| `sessionToken`    | `…`                                           | Optional — STS / AssumeRole / EC2 instance role    |
+| `customEndpoint`  | `https://bucket.vpce-….s3.us-east-1.vpce.amazonaws.com` | Optional — VPC interface endpoint, S3 Transfer Acceleration host, AWS GovCloud, AWS China |
+
+The endpoint is auto-derived from the region. `cn-*` regions
+automatically use `amazonaws.com.cn`. Override with `customEndpoint`
+for transfer acceleration (`s3-accelerate.amazonaws.com`),
+VPC interface endpoints, or air-gapped AWS partitions.
+
+A node can override the config name per-call via the `config` input
+and the region per-call via the `region` input.
+
+## AWS-specific upload extras
+
+| Input | Sent as | Notes |
+|---|---|---|
+| `storageClass` | `x-amz-storage-class` | `STANDARD` / `INTELLIGENT_TIERING` / `STANDARD_IA` / `ONEZONE_IA` / `GLACIER` / `DEEP_ARCHIVE` / `GLACIER_IR` / `REDUCED_REDUNDANCY` |
+| `serverSideEncryption` | `x-amz-server-side-encryption` | `AES256` / `aws:kms` / `aws:kms:dsse` |
+| `ssekmsKeyId` | `x-amz-server-side-encryption-aws-kms-key-id` | KMS key ID or ARN when using `aws:kms*` |
+| `tags` | `x-amz-tagging` | Object → URL-encoded query string: `{env:'prod', team:'data'}` → `env=prod&team=data` |
+| `acl` | `x-amz-acl` | Note: many AWS accounts disable ACLs ("Object Ownership = Bucket owner enforced"); the header is then rejected |
+| `requesterPays` | `x-amz-request-payer: requester` | Required when reading from a Requester-Pays bucket |
+| `metadata` | `x-amz-meta-<key>` | Custom user metadata; one header per key |
+
+`file.copy` accepts the same extras for the destination object.
+
+## Presigned URLs
+
+```jsonc
+// input
+{
+  "operation":           "file.presignedUrl",
+  "bucket":              "uploads",
+  "key":                 "users/42/avatar.png",
+  "presignedMethod":     "PUT",          // GET (default) or PUT
+  "presignedExpiresIn":  3600            // seconds; max 604800 (7 days)
+}
+
+// result
+{
+  "bucket":    "uploads",
+  "key":       "users/42/avatar.png",
+  "method":    "PUT",
+  "expiresIn": 3600,
+  "expiresAt": "2026-05-18T09:30:00.000Z",
+  "url":       "https://uploads.s3.us-east-1.amazonaws.com/users/42/avatar.png?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=…&X-Amz-Signature=…"
+}
+```
+
+No HTTP call is made — pure crypto. Hand this URL to a browser or curl
+to upload / download without exposing the AWS credentials.
+
+## Install
+
+```bash
+docker compose -f docker-compose.yml -f docker-compose.plugins.yml \
+  --profile aws-s3 up -d
+
+npm run install-plugin -- --endpoint http://daisy-aws-s3:8080
+```
+
+## Output envelope
+
+```json
+{
+  "ok":        true,
+  "operation": "file.upload",
+  "status":    200,
+  "result":    { "bucket": "logs", "key": "2026/05/event.json", "size": 412, "etag": "ab12…", "serverSideEncryption": "AES256" },
+  "url":       "https://logs.s3.us-east-1.amazonaws.com/2026/05/event.json"
+}
+```
+
+Operation-specific `result` shapes are documented inline in
+`lib/actions.js`. Highlights:
+
+- `bucket.getAll`   → `{ owner, buckets: [{ name, creationDate }], count }`
+- `bucket.location` → `{ bucket, location }` (always real region; us-east-1 is normalized from the empty `<LocationConstraint/>` AWS returns)
+- `file.head`       → `{ bucket, key, contentType, contentLength, etag, lastModified, versionId, storageClass, serverSideEncryption, ssekmsKeyId, metadata }`
+- `file.download`   → `{ bucket, key, contentType, contentLength, etag, lastModified, encoding, data }`
+- `file.presignedUrl` → see above
+
+## Auth model — why hand-rolled SigV4?
+
+Both header-based signing and query-string presigning are implemented in
+`lib/sigv4.js` (~200 lines, zero deps, validated against AWS's
+canonical S3 test vector). Keeps the container tiny and the dependency
+surface to exactly one package (the Daisy plugin SDK).
+
+If you need features that go beyond what this plugin offers — multipart
+upload for >5GB files, S3 Select, batch operations, event subscriptions,
+inventory configs — drop in `@aws-sdk/client-s3` and add a new
+operation that uses it.
+
+## Files
+
+```
+plugins-external/aws-s3/
+├── manifest.json
+├── index.js
+├── lib/
+│   ├── sigv4.js         # signRequest() + presignUrl(), no deps
+│   ├── client.js        # auth + endpoint derivation + signed fetch
+│   └── actions.js       # one async handler per operation
+├── package.json
+├── Dockerfile
+├── publish-docker.sh
+└── README.md
+```
+
+## Publish the image
+
+```bash
+docker login
+./publish-docker.sh
+```
+
+Env overrides: `IMAGE=foo/bar`, `PLATFORMS=linux/amd64`, `PUSH=0`, `NO_LATEST=1`.

package/index.js

@@ -0,0 +1,51 @@
+// aws-s3 — AWS-specific S3 from a workflow. The action is selected
+// per-node via the `operation` input. Mirrors n8n's AWS S3 node.
+//
+// Wire it up:
+//   1. `docker compose -f docker-compose.yml -f docker-compose.plugins.yml \
+//          --profile aws-s3 up -d`
+//      `npm run install-plugin -- --endpoint http://daisy-aws-s3:8080`
+//   2. Create a workspace `generic` config named "aws-s3" with:
+//        accessKeyId, secretAccessKey, region   (+ optional sessionToken, customEndpoint)
+//   3. Use the node in any workflow.
+//
+// For non-AWS S3-compatible providers (Wasabi, MinIO, R2, B2…) use the
+// generic `s3` plugin instead — it accepts an arbitrary endpoint and
+// supports forcePathStyle.
+
+import { servePlugin } from "@daisy-workflow/plugin-sdk";
+import fs from "node:fs";
+
+import { loadAwsAuth } from "./lib/client.js";
+import { OPERATIONS }  from "./lib/actions.js";
+
+const manifest = JSON.parse(
+  fs.readFileSync(new URL("./manifest.json", import.meta.url), "utf8"),
+);
+
+servePlugin({
+  manifest,
+  async execute(input, ctx) {
+    const { operation, config = "aws-s3" } = input || {};
+    if (!operation) throw new Error("`operation` is required (see manifest enum for valid values)");
+
+    const handler = OPERATIONS[operation];
+    if (!handler) {
+      throw new Error(
+        `unknown operation "${operation}". Valid: ${Object.keys(OPERATIONS).join(", ")}`,
+      );
+    }
+
+    const auth = loadAwsAuth(ctx, config, input?.region);
+    const { status, result, url } = await handler(auth, input, ctx?.signal);
+
+    return {
+      ok:        true,
+      operation,
+      status,
+      result,
+      url,
+    };
+  },
+  async readyz() { return true; },
+});