@de-otio/chaoskb-server 0.2.0

package/dist/lib/handler/routes/blobs.js

@@ -0,0 +1,298 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.handlePutBlob = handlePutBlob;
+exports.handleGetBlob = handleGetBlob;
+exports.handleDeleteBlob = handleDeleteBlob;
+exports.handleListBlobs = handleListBlobs;
+exports.handleCountBlobs = handleCountBlobs;
+const crypto = __importStar(require("crypto"));
+const lib_dynamodb_1 = require("@aws-sdk/lib-dynamodb");
+const input_validation_js_1 = require("../middleware/input-validation.js");
+const rate_limit_js_1 = require("../middleware/rate-limit.js");
+const logger_js_1 = require("../logger.js");
+const QUOTA_BYTES = 50 * 1024 * 1024; // 50 MB
+async function handlePutBlob(blobId, tenantId, rawBody, isBase64Encoded, contentType, ddb, tableName) {
+    // Rate limit check
+    const rateResult = await (0, rate_limit_js_1.checkRateLimit)(tenantId, 'PUT', ddb, tableName);
+    if (!rateResult.allowed) {
+        return {
+            statusCode: 429,
+            headers: { 'Content-Type': 'application/json', ...(0, rate_limit_js_1.rateLimitHeaders)(rateResult) },
+            body: JSON.stringify({ error: 'rate_limited', message: 'Too many requests' }),
+        };
+    }
+    if (!rawBody) {
+        return {
+            statusCode: 400,
+            headers: { 'Content-Type': 'application/json', ...(0, rate_limit_js_1.rateLimitHeaders)(rateResult) },
+            body: JSON.stringify({ error: 'invalid_request', message: 'Request body is required' }),
+        };
+    }
+    const bodyBuffer = isBase64Encoded
+        ? Buffer.from(rawBody, 'base64')
+        : Buffer.from(rawBody, 'utf-8');
+    // Validate input
+    const validation = (0, input_validation_js_1.validateBlobUpload)(bodyBuffer, contentType);
+    if (!validation.valid) {
+        return {
+            statusCode: 400,
+            headers: { 'Content-Type': 'application/json', ...(0, rate_limit_js_1.rateLimitHeaders)(rateResult) },
+            body: JSON.stringify({ error: 'invalid_request', message: validation.error }),
+        };
+    }
+    // Check quota
+    const tenantMeta = await ddb.send(new lib_dynamodb_1.GetCommand({
+        TableName: tableName,
+        Key: { PK: `TENANT#${tenantId}`, SK: 'META' },
+        ProjectionExpression: 'storageUsedBytes',
+    }));
+    const currentUsage = tenantMeta.Item?.['storageUsedBytes'] ?? 0;
+    if (currentUsage + bodyBuffer.length > QUOTA_BYTES) {
+        return {
+            statusCode: 413,
+            headers: { 'Content-Type': 'application/json', ...(0, rate_limit_js_1.rateLimitHeaders)(rateResult) },
+            body: JSON.stringify({
+                error: 'quota_exceeded',
+                message: 'Storage quota exceeded (50 MB)',
+                currentUsage,
+                limit: QUOTA_BYTES,
+            }),
+        };
+    }
+    const now = new Date().toISOString();
+    const sha256 = crypto.createHash('sha256').update(bodyBuffer).digest('base64');
+    // Write-if-absent
+    try {
+        await ddb.send(new lib_dynamodb_1.PutCommand({
+            TableName: tableName,
+            Item: {
+                PK: `TENANT#${tenantId}`,
+                SK: `BLOB#${blobId}`,
+                data: bodyBuffer,
+                size: bodyBuffer.length,
+                createdAt: now,
+                updatedAt: now,
+            },
+            ConditionExpression: 'attribute_not_exists(SK)',
+        }));
+    }
+    catch (err) {
+        if (err.name === 'ConditionalCheckFailedException') {
+            return {
+                statusCode: 409,
+                headers: { 'Content-Type': 'application/json', ...(0, rate_limit_js_1.rateLimitHeaders)(rateResult) },
+                body: JSON.stringify({ error: 'blob_exists', id: blobId }),
+            };
+        }
+        throw err;
+    }
+    // Atomic increment storage used
+    await ddb.send(new lib_dynamodb_1.UpdateCommand({
+        TableName: tableName,
+        Key: { PK: `TENANT#${tenantId}`, SK: 'META' },
+        UpdateExpression: 'SET storageUsedBytes = storageUsedBytes + :size',
+        ExpressionAttributeValues: { ':size': bodyBuffer.length },
+    }));
+    logger_js_1.logger.info('Blob uploaded', { tenantId, operation: 'PUT', blobCount: 1 });
+    return {
+        statusCode: 201,
+        headers: { 'Content-Type': 'application/json', ...(0, rate_limit_js_1.rateLimitHeaders)(rateResult) },
+        body: JSON.stringify({ id: blobId, size: bodyBuffer.length, ts: now, sha256 }),
+    };
+}
+async function handleGetBlob(blobId, tenantId, ddb, tableName) {
+    const rateResult = await (0, rate_limit_js_1.checkRateLimit)(tenantId, 'GET', ddb, tableName);
+    if (!rateResult.allowed) {
+        return {
+            statusCode: 429,
+            headers: { 'Content-Type': 'application/json', ...(0, rate_limit_js_1.rateLimitHeaders)(rateResult) },
+            body: JSON.stringify({ error: 'rate_limited', message: 'Too many requests' }),
+        };
+    }
+    const result = await ddb.send(new lib_dynamodb_1.GetCommand({
+        TableName: tableName,
+        Key: { PK: `TENANT#${tenantId}`, SK: `BLOB#${blobId}` },
+    }));
+    if (!result.Item || result.Item['deletedAt']) {
+        return {
+            statusCode: 404,
+            headers: { 'Content-Type': 'application/json', ...(0, rate_limit_js_1.rateLimitHeaders)(rateResult) },
+            body: JSON.stringify({ error: 'not_found', message: 'Blob not found' }),
+        };
+    }
+    const data = result.Item['data'];
+    return {
+        statusCode: 200,
+        headers: {
+            'Content-Type': 'application/octet-stream',
+            ...(0, rate_limit_js_1.rateLimitHeaders)(rateResult),
+        },
+        body: Buffer.from(data).toString('base64'),
+    };
+}
+async function handleDeleteBlob(blobId, tenantId, ddb, tableName) {
+    const rateResult = await (0, rate_limit_js_1.checkRateLimit)(tenantId, 'DELETE', ddb, tableName);
+    if (!rateResult.allowed) {
+        return {
+            statusCode: 429,
+            headers: { 'Content-Type': 'application/json', ...(0, rate_limit_js_1.rateLimitHeaders)(rateResult) },
+            body: JSON.stringify({ error: 'rate_limited', message: 'Too many requests' }),
+        };
+    }
+    const now = new Date().toISOString();
+    const ttlEpoch = Math.floor(Date.now() / 1000) + 30 * 24 * 60 * 60; // 30 days
+    // Get blob size for decrementing storage
+    const existing = await ddb.send(new lib_dynamodb_1.GetCommand({
+        TableName: tableName,
+        Key: { PK: `TENANT#${tenantId}`, SK: `BLOB#${blobId}` },
+        ProjectionExpression: '#s',
+        ExpressionAttributeNames: { '#s': 'size' },
+    }));
+    if (!existing.Item) {
+        return {
+            statusCode: 404,
+            headers: { 'Content-Type': 'application/json', ...(0, rate_limit_js_1.rateLimitHeaders)(rateResult) },
+            body: JSON.stringify({ error: 'not_found', message: 'Blob not found' }),
+        };
+    }
+    const blobSize = existing.Item['size'] ?? 0;
+    // Soft delete
+    await ddb.send(new lib_dynamodb_1.UpdateCommand({
+        TableName: tableName,
+        Key: { PK: `TENANT#${tenantId}`, SK: `BLOB#${blobId}` },
+        UpdateExpression: 'SET deletedAt = :deletedAt, #ttl = :ttl, updatedAt = :updatedAt',
+        ExpressionAttributeNames: { '#ttl': 'ttl' },
+        ExpressionAttributeValues: {
+            ':deletedAt': now,
+            ':ttl': ttlEpoch,
+            ':updatedAt': now,
+        },
+    }));
+    // Decrement storage used
+    await ddb.send(new lib_dynamodb_1.UpdateCommand({
+        TableName: tableName,
+        Key: { PK: `TENANT#${tenantId}`, SK: 'META' },
+        UpdateExpression: 'SET storageUsedBytes = storageUsedBytes - :size',
+        ExpressionAttributeValues: { ':size': blobSize },
+    }));
+    logger_js_1.logger.info('Blob soft-deleted', { tenantId, operation: 'DELETE' });
+    return {
+        statusCode: 200,
+        headers: { 'Content-Type': 'application/json', ...(0, rate_limit_js_1.rateLimitHeaders)(rateResult) },
+        body: JSON.stringify({ id: blobId, deleted: true }),
+    };
+}
+async function handleListBlobs(tenantId, since, ddb, tableName) {
+    const rateResult = await (0, rate_limit_js_1.checkRateLimit)(tenantId, 'LIST', ddb, tableName);
+    if (!rateResult.allowed) {
+        return {
+            statusCode: 429,
+            headers: { 'Content-Type': 'application/json', ...(0, rate_limit_js_1.rateLimitHeaders)(rateResult) },
+            body: JSON.stringify({ error: 'rate_limited', message: 'Too many requests' }),
+        };
+    }
+    let items = [];
+    if (since) {
+        // Use GSI for incremental sync
+        const result = await ddb.send(new lib_dynamodb_1.QueryCommand({
+            TableName: tableName,
+            IndexName: 'updatedAt-index',
+            KeyConditionExpression: 'PK = :pk AND updatedAt > :since',
+            ExpressionAttributeValues: {
+                ':pk': `TENANT#${tenantId}`,
+                ':since': since,
+            },
+        }));
+        items = (result.Items ?? []);
+    }
+    else {
+        // Full list — query base table
+        const result = await ddb.send(new lib_dynamodb_1.QueryCommand({
+            TableName: tableName,
+            KeyConditionExpression: 'PK = :pk AND begins_with(SK, :prefix)',
+            ExpressionAttributeValues: {
+                ':pk': `TENANT#${tenantId}`,
+                ':prefix': 'BLOB#',
+            },
+            ProjectionExpression: 'SK, #s, updatedAt, deletedAt',
+            ExpressionAttributeNames: { '#s': 'size' },
+        }));
+        items = (result.Items ?? []);
+    }
+    const blobs = [];
+    const tombstones = [];
+    for (const item of items) {
+        const sk = item['SK'];
+        const blobId = sk.startsWith('BLOB#') ? sk.slice(5) : sk;
+        if (item['deletedAt']) {
+            tombstones.push({
+                id: blobId,
+                deleted_at: item['deletedAt'],
+            });
+        }
+        else {
+            blobs.push({
+                id: blobId,
+                size: item['size'],
+                ts: item['updatedAt'],
+            });
+        }
+    }
+    logger_js_1.logger.info('Blobs listed', { tenantId, operation: 'LIST', blobCount: blobs.length });
+    return {
+        statusCode: 200,
+        headers: { 'Content-Type': 'application/json', ...(0, rate_limit_js_1.rateLimitHeaders)(rateResult) },
+        body: JSON.stringify({ blobs, tombstones }),
+    };
+}
+async function handleCountBlobs(tenantId, ddb, tableName) {
+    const result = await ddb.send(new lib_dynamodb_1.QueryCommand({
+        TableName: tableName,
+        KeyConditionExpression: 'PK = :pk AND begins_with(SK, :prefix)',
+        ExpressionAttributeValues: {
+            ':pk': `TENANT#${tenantId}`,
+            ':prefix': 'BLOB#',
+        },
+        FilterExpression: 'attribute_not_exists(deletedAt)',
+        Select: 'COUNT',
+    }));
+    return {
+        statusCode: 200,
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ count: result.Count ?? 0 }),
+    };
+}
+//# sourceMappingURL=blobs.js.map

package/dist/lib/handler/routes/blobs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"blobs.js","sourceRoot":"","sources":["../../../../lib/handler/routes/blobs.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAoBA,sCA+GC;AAED,sCAuCC;AAED,4CAsEC;AAED,0CA4EC;AAED,4CAuBC;AA3VD,+CAAiC;AACjC,wDAM+B;AAC/B,2EAAuE;AACvE,+DAA+E;AAC/E,4CAAsC;AAQtC,MAAM,WAAW,GAAG,EAAE,GAAG,IAAI,GAAG,IAAI,CAAC,CAAC,QAAQ;AAEvC,KAAK,UAAU,aAAa,CACjC,MAAc,EACd,QAAgB,EAChB,OAAkC,EAClC,eAAwB,EACxB,WAAmB,EACnB,GAA2B,EAC3B,SAAiB;IAEjB,mBAAmB;IACnB,MAAM,UAAU,GAAG,MAAM,IAAA,8BAAc,EAAC,QAAQ,EAAE,KAAK,EAAE,GAAG,EAAE,SAAS,CAAC,CAAC;IACzE,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC;QACxB,OAAO;YACL,UAAU,EAAE,GAAG;YACf,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,GAAG,IAAA,gCAAgB,EAAC,UAAU,CAAC,EAAE;YAChF,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,OAAO,EAAE,mBAAmB,EAAE,CAAC;SAC9E,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO;YACL,UAAU,EAAE,GAAG;YACf,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,GAAG,IAAA,gCAAgB,EAAC,UAAU,CAAC,EAAE;YAChF,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,iBAAiB,EAAE,OAAO,EAAE,0BAA0B,EAAE,CAAC;SACxF,CAAC;IACJ,CAAC;IAED,MAAM,UAAU,GAAG,eAAe;QAChC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,QAAQ,CAAC;QAChC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IAElC,iBAAiB;IACjB,MAAM,UAAU,GAAG,IAAA,wCAAkB,EAAC,UAAU,EAAE,WAAW,CAAC,CAAC;IAC/D,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,CAAC;QACtB,OAAO;YACL,UAAU,EAAE,GAAG;YACf,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,GAAG,IAAA,gCAAgB,EAAC,UAAU,CAAC,EAAE;YAChF,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,iBAAiB,EAAE,OAAO,EAAE,UAAU,CAAC,KAAK,EAAE,CAAC;SAC9E,CAAC;IACJ,CAAC;IAED,cAAc;IACd,MAAM,UAAU,GAAG,MAAM,GAAG,CAAC,IAAI,CAC/B,IAAI,yBAAU,CAAC;QACb,SAAS,EAAE,SAAS;QACpB,GAAG,EAAE,EAAE,EAAE,EAAE,UAAU,QAAQ,EAAE,EAAE,EAAE,EAAE,MAAM,EAAE;QAC7C,oBAAoB,EAAE,kBAAkB;KACzC,CAAC,CACH,CAAC;IAEF,MAAM,YAAY,GAAI,UAAU,CAAC,IAAI,EAAE,CAAC,kBAAkB,CAAY,IAAI,CAAC,CAAC;IAC5E,IAAI,YAAY,GAAG,UAAU,CAAC,MAAM,GAAG,WAAW,EAAE,CAAC;QACnD,OAAO;YACL,UAAU,EAAE,GAAG;YACf,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,GAAG,IAAA,gCAAgB,EAAC,UAAU,CAAC,EAAE;YAChF,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;gBACnB,KAAK,EAAE,gBAAgB;gBACvB,OAAO,EAAE,gCAAgC;gBACzC,YAAY;gBACZ,KAAK,EAAE,WAAW;aACnB,CAAC;SACH,CAAC;IACJ,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IACrC,MAAM,MAAM,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IAE/E,kBAAkB;IAClB,IAAI,CAAC;QACH,MAAM,GAAG,CAAC,IAAI,CACZ,IAAI,yBAAU,CAAC;YACb,SAAS,EAAE,SAAS;YACpB,IAAI,EAAE;gBACJ,EAAE,EAAE,UAAU,QAAQ,EAAE;gBACxB,EAAE,EAAE,QAAQ,MAAM,EAAE;gBACpB,IAAI,EAAE,UAAU;gBAChB,IAAI,EAAE,UAAU,CAAC,MAAM;gBACvB,SAAS,EAAE,GAAG;gBACd,SAAS,EAAE,GAAG;aACf;YACD,mBAAmB,EAAE,0BAA0B;SAChD,CAAC,CACH,CAAC;IACJ,CAAC;IAAC,OAAO,GAAY,EAAE,CAAC;QACtB,IAAK,GAAyB,CAAC,IAAI,KAAK,iCAAiC,EAAE,CAAC;YAC1E,OAAO;gBACL,UAAU,EAAE,GAAG;gBACf,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,GAAG,IAAA,gCAAgB,EAAC,UAAU,CAAC,EAAE;gBAChF,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,aAAa,EAAE,EAAE,EAAE,MAAM,EAAE,CAAC;aAC3D,CAAC;QACJ,CAAC;QACD,MAAM,GAAG,CAAC;IACZ,CAAC;IAED,gCAAgC;IAChC,MAAM,GAAG,CAAC,IAAI,CACZ,IAAI,4BAAa,CAAC;QAChB,SAAS,EAAE,SAAS;QACpB,GAAG,EAAE,EAAE,EAAE,EAAE,UAAU,QAAQ,EAAE,EAAE,EAAE,EAAE,MAAM,EAAE;QAC7C,gBAAgB,EAAE,iDAAiD;QACnE,yBAAyB,EAAE,EAAE,OAAO,EAAE,UAAU,CAAC,MAAM,EAAE;KAC1D,CAAC,CACH,CAAC;IAEF,kBAAM,CAAC,IAAI,CAAC,eAAe,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,EAAE,CAAC,CAAC;IAE3E,OAAO;QACL,UAAU,EAAE,GAAG;QACf,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,GAAG,IAAA,gCAAgB,EAAC,UAAU,CAAC,EAAE;QAChF,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,UAAU,CAAC,MAAM,EAAE,EAAE,EAAE,GAAG,EAAE,MAAM,EAAE,CAAC;KAC/E,CAAC;AACJ,CAAC;AAEM,KAAK,UAAU,aAAa,CACjC,MAAc,EACd,QAAgB,EAChB,GAA2B,EAC3B,SAAiB;IAEjB,MAAM,UAAU,GAAG,MAAM,IAAA,8BAAc,EAAC,QAAQ,EAAE,KAAK,EAAE,GAAG,EAAE,SAAS,CAAC,CAAC;IACzE,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC;QACxB,OAAO;YACL,UAAU,EAAE,GAAG;YACf,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,GAAG,IAAA,gCAAgB,EAAC,UAAU,CAAC,EAAE;YAChF,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,OAAO,EAAE,mBAAmB,EAAE,CAAC;SAC9E,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,IAAI,CAC3B,IAAI,yBAAU,CAAC;QACb,SAAS,EAAE,SAAS;QACpB,GAAG,EAAE,EAAE,EAAE,EAAE,UAAU,QAAQ,EAAE,EAAE,EAAE,EAAE,QAAQ,MAAM,EAAE,EAAE;KACxD,CAAC,CACH,CAAC;IAEF,IAAI,CAAC,MAAM,CAAC,IAAI,IAAI,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;QAC7C,OAAO;YACL,UAAU,EAAE,GAAG;YACf,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,GAAG,IAAA,gCAAgB,EAAC,UAAU,CAAC,EAAE;YAChF,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,WAAW,EAAE,OAAO,EAAE,gBAAgB,EAAE,CAAC;SACxE,CAAC;IACJ,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAW,CAAC;IAC3C,OAAO;QACL,UAAU,EAAE,GAAG;QACf,OAAO,EAAE;YACP,cAAc,EAAE,0BAA0B;YAC1C,GAAG,IAAA,gCAAgB,EAAC,UAAU,CAAC;SAChC;QACD,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;KAC3C,CAAC;AACJ,CAAC;AAEM,KAAK,UAAU,gBAAgB,CACpC,MAAc,EACd,QAAgB,EAChB,GAA2B,EAC3B,SAAiB;IAEjB,MAAM,UAAU,GAAG,MAAM,IAAA,8BAAc,EAAC,QAAQ,EAAE,QAAQ,EAAE,GAAG,EAAE,SAAS,CAAC,CAAC;IAC5E,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC;QACxB,OAAO;YACL,UAAU,EAAE,GAAG;YACf,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,GAAG,IAAA,gCAAgB,EAAC,UAAU,CAAC,EAAE;YAChF,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,OAAO,EAAE,mBAAmB,EAAE,CAAC;SAC9E,CAAC;IACJ,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IACrC,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC,UAAU;IAE9E,yCAAyC;IACzC,MAAM,QAAQ,GAAG,MAAM,GAAG,CAAC,IAAI,CAC7B,IAAI,yBAAU,CAAC;QACb,SAAS,EAAE,SAAS;QACpB,GAAG,EAAE,EAAE,EAAE,EAAE,UAAU,QAAQ,EAAE,EAAE,EAAE,EAAE,QAAQ,MAAM,EAAE,EAAE;QACvD,oBAAoB,EAAE,IAAI;QAC1B,wBAAwB,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE;KAC3C,CAAC,CACH,CAAC;IAEF,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;QACnB,OAAO;YACL,UAAU,EAAE,GAAG;YACf,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,GAAG,IAAA,gCAAgB,EAAC,UAAU,CAAC,EAAE;YAChF,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,WAAW,EAAE,OAAO,EAAE,gBAAgB,EAAE,CAAC;SACxE,CAAC;IACJ,CAAC;IAED,MAAM,QAAQ,GAAI,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAY,IAAI,CAAC,CAAC;IAExD,cAAc;IACd,MAAM,GAAG,CAAC,IAAI,CACZ,IAAI,4BAAa,CAAC;QAChB,SAAS,EAAE,SAAS;QACpB,GAAG,EAAE,EAAE,EAAE,EAAE,UAAU,QAAQ,EAAE,EAAE,EAAE,EAAE,QAAQ,MAAM,EAAE,EAAE;QACvD,gBAAgB,EAAE,iEAAiE;QACnF,wBAAwB,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE;QAC3C,yBAAyB,EAAE;YACzB,YAAY,EAAE,GAAG;YACjB,MAAM,EAAE,QAAQ;YAChB,YAAY,EAAE,GAAG;SAClB;KACF,CAAC,CACH,CAAC;IAEF,yBAAyB;IACzB,MAAM,GAAG,CAAC,IAAI,CACZ,IAAI,4BAAa,CAAC;QAChB,SAAS,EAAE,SAAS;QACpB,GAAG,EAAE,EAAE,EAAE,EAAE,UAAU,QAAQ,EAAE,EAAE,EAAE,EAAE,MAAM,EAAE;QAC7C,gBAAgB,EAAE,iDAAiD;QACnE,yBAAyB,EAAE,EAAE,OAAO,EAAE,QAAQ,EAAE;KACjD,CAAC,CACH,CAAC;IAEF,kBAAM,CAAC,IAAI,CAAC,mBAAmB,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,EAAE,CAAC,CAAC;IAEpE,OAAO;QACL,UAAU,EAAE,GAAG;QACf,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,GAAG,IAAA,gCAAgB,EAAC,UAAU,CAAC,EAAE;QAChF,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;KACpD,CAAC;AACJ,CAAC;AAEM,KAAK,UAAU,eAAe,CACnC,QAAgB,EAChB,KAAyB,EACzB,GAA2B,EAC3B,SAAiB;IAEjB,MAAM,UAAU,GAAG,MAAM,IAAA,8BAAc,EAAC,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,SAAS,CAAC,CAAC;IAC1E,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC;QACxB,OAAO;YACL,UAAU,EAAE,GAAG;YACf,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,GAAG,IAAA,gCAAgB,EAAC,UAAU,CAAC,EAAE;YAChF,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,OAAO,EAAE,mBAAmB,EAAE,CAAC;SAC9E,CAAC;IACJ,CAAC;IAED,IAAI,KAAK,GAA8B,EAAE,CAAC;IAE1C,IAAI,KAAK,EAAE,CAAC;QACV,+BAA+B;QAC/B,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,IAAI,CAC3B,IAAI,2BAAY,CAAC;YACf,SAAS,EAAE,SAAS;YACpB,SAAS,EAAE,iBAAiB;YAC5B,sBAAsB,EAAE,iCAAiC;YACzD,yBAAyB,EAAE;gBACzB,KAAK,EAAE,UAAU,QAAQ,EAAE;gBAC3B,QAAQ,EAAE,KAAK;aAChB;SACF,CAAC,CACH,CAAC;QACF,KAAK,GAAG,CAAC,MAAM,CAAC,KAAK,IAAI,EAAE,CAA8B,CAAC;IAC5D,CAAC;SAAM,CAAC;QACN,+BAA+B;QAC/B,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,IAAI,CAC3B,IAAI,2BAAY,CAAC;YACf,SAAS,EAAE,SAAS;YACpB,sBAAsB,EAAE,uCAAuC;YAC/D,yBAAyB,EAAE;gBACzB,KAAK,EAAE,UAAU,QAAQ,EAAE;gBAC3B,SAAS,EAAE,OAAO;aACnB;YACD,oBAAoB,EAAE,8BAA8B;YACpD,wBAAwB,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE;SAC3C,CAAC,CACH,CAAC;QACF,KAAK,GAAG,CAAC,MAAM,CAAC,KAAK,IAAI,EAAE,CAA8B,CAAC;IAC5D,CAAC;IAED,MAAM,KAAK,GAA+C,EAAE,CAAC;IAC7D,MAAM,UAAU,GAAyC,EAAE,CAAC;IAE5D,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,EAAE,GAAG,IAAI,CAAC,IAAI,CAAW,CAAC;QAChC,MAAM,MAAM,GAAG,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QAEzD,IAAI,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;YACtB,UAAU,CAAC,IAAI,CAAC;gBACd,EAAE,EAAE,MAAM;gBACV,UAAU,EAAE,IAAI,CAAC,WAAW,CAAW;aACxC,CAAC,CAAC;QACL,CAAC;aAAM,CAAC;YACN,KAAK,CAAC,IAAI,CAAC;gBACT,EAAE,EAAE,MAAM;gBACV,IAAI,EAAE,IAAI,CAAC,MAAM,CAAW;gBAC5B,EAAE,EAAE,IAAI,CAAC,WAAW,CAAW;aAChC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,kBAAM,CAAC,IAAI,CAAC,cAAc,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE,SAAS,EAAE,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;IAEtF,OAAO;QACL,UAAU,EAAE,GAAG;QACf,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,GAAG,IAAA,gCAAgB,EAAC,UAAU,CAAC,EAAE;QAChF,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC;KAC5C,CAAC;AACJ,CAAC;AAEM,KAAK,UAAU,gBAAgB,CACpC,QAAgB,EAChB,GAA2B,EAC3B,SAAiB;IAEjB,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,IAAI,CAC3B,IAAI,2BAAY,CAAC;QACf,SAAS,EAAE,SAAS;QACpB,sBAAsB,EAAE,uCAAuC;QAC/D,yBAAyB,EAAE;YACzB,KAAK,EAAE,UAAU,QAAQ,EAAE;YAC3B,SAAS,EAAE,OAAO;SACnB;QACD,gBAAgB,EAAE,iCAAiC;QACnD,MAAM,EAAE,OAAO;KAChB,CAAC,CACH,CAAC;IAEF,OAAO;QACL,UAAU,EAAE,GAAG;QACf,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;QAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,IAAI,CAAC,EAAE,CAAC;KACnD,CAAC;AACJ,CAAC"}

package/dist/lib/handler/routes/blobs.ts

@@ -0,0 +1,348 @@
+import * as crypto from 'crypto';
+import {
+  DynamoDBDocumentClient,
+  PutCommand,
+  GetCommand,
+  UpdateCommand,
+  QueryCommand,
+} from '@aws-sdk/lib-dynamodb';
+import { validateBlobUpload } from '../middleware/input-validation.js';
+import { checkRateLimit, rateLimitHeaders } from '../middleware/rate-limit.js';
+import { logger } from '../logger.js';
+
+interface HandlerResponse {
+  statusCode: number;
+  body: string;
+  headers: Record<string, string>;
+}
+
+const QUOTA_BYTES = 50 * 1024 * 1024; // 50 MB
+
+export async function handlePutBlob(
+  blobId: string,
+  tenantId: string,
+  rawBody: string | null | undefined,
+  isBase64Encoded: boolean,
+  contentType: string,
+  ddb: DynamoDBDocumentClient,
+  tableName: string,
+): Promise<HandlerResponse> {
+  // Rate limit check
+  const rateResult = await checkRateLimit(tenantId, 'PUT', ddb, tableName);
+  if (!rateResult.allowed) {
+    return {
+      statusCode: 429,
+      headers: { 'Content-Type': 'application/json', ...rateLimitHeaders(rateResult) },
+      body: JSON.stringify({ error: 'rate_limited', message: 'Too many requests' }),
+    };
+  }
+
+  if (!rawBody) {
+    return {
+      statusCode: 400,
+      headers: { 'Content-Type': 'application/json', ...rateLimitHeaders(rateResult) },
+      body: JSON.stringify({ error: 'invalid_request', message: 'Request body is required' }),
+    };
+  }
+
+  const bodyBuffer = isBase64Encoded
+    ? Buffer.from(rawBody, 'base64')
+    : Buffer.from(rawBody, 'utf-8');
+
+  // Validate input
+  const validation = validateBlobUpload(bodyBuffer, contentType);
+  if (!validation.valid) {
+    return {
+      statusCode: 400,
+      headers: { 'Content-Type': 'application/json', ...rateLimitHeaders(rateResult) },
+      body: JSON.stringify({ error: 'invalid_request', message: validation.error }),
+    };
+  }
+
+  // Check quota
+  const tenantMeta = await ddb.send(
+    new GetCommand({
+      TableName: tableName,
+      Key: { PK: `TENANT#${tenantId}`, SK: 'META' },
+      ProjectionExpression: 'storageUsedBytes',
+    }),
+  );
+
+  const currentUsage = (tenantMeta.Item?.['storageUsedBytes'] as number) ?? 0;
+  if (currentUsage + bodyBuffer.length > QUOTA_BYTES) {
+    return {
+      statusCode: 413,
+      headers: { 'Content-Type': 'application/json', ...rateLimitHeaders(rateResult) },
+      body: JSON.stringify({
+        error: 'quota_exceeded',
+        message: 'Storage quota exceeded (50 MB)',
+        currentUsage,
+        limit: QUOTA_BYTES,
+      }),
+    };
+  }
+
+  const now = new Date().toISOString();
+  const sha256 = crypto.createHash('sha256').update(bodyBuffer).digest('base64');
+
+  // Write-if-absent
+  try {
+    await ddb.send(
+      new PutCommand({
+        TableName: tableName,
+        Item: {
+          PK: `TENANT#${tenantId}`,
+          SK: `BLOB#${blobId}`,
+          data: bodyBuffer,
+          size: bodyBuffer.length,
+          createdAt: now,
+          updatedAt: now,
+        },
+        ConditionExpression: 'attribute_not_exists(SK)',
+      }),
+    );
+  } catch (err: unknown) {
+    if ((err as { name?: string }).name === 'ConditionalCheckFailedException') {
+      return {
+        statusCode: 409,
+        headers: { 'Content-Type': 'application/json', ...rateLimitHeaders(rateResult) },
+        body: JSON.stringify({ error: 'blob_exists', id: blobId }),
+      };
+    }
+    throw err;
+  }
+
+  // Atomic increment storage used
+  await ddb.send(
+    new UpdateCommand({
+      TableName: tableName,
+      Key: { PK: `TENANT#${tenantId}`, SK: 'META' },
+      UpdateExpression: 'SET storageUsedBytes = storageUsedBytes + :size',
+      ExpressionAttributeValues: { ':size': bodyBuffer.length },
+    }),
+  );
+
+  logger.info('Blob uploaded', { tenantId, operation: 'PUT', blobCount: 1 });
+
+  return {
+    statusCode: 201,
+    headers: { 'Content-Type': 'application/json', ...rateLimitHeaders(rateResult) },
+    body: JSON.stringify({ id: blobId, size: bodyBuffer.length, ts: now, sha256 }),
+  };
+}
+
+export async function handleGetBlob(
+  blobId: string,
+  tenantId: string,
+  ddb: DynamoDBDocumentClient,
+  tableName: string,
+): Promise<HandlerResponse> {
+  const rateResult = await checkRateLimit(tenantId, 'GET', ddb, tableName);
+  if (!rateResult.allowed) {
+    return {
+      statusCode: 429,
+      headers: { 'Content-Type': 'application/json', ...rateLimitHeaders(rateResult) },
+      body: JSON.stringify({ error: 'rate_limited', message: 'Too many requests' }),
+    };
+  }
+
+  const result = await ddb.send(
+    new GetCommand({
+      TableName: tableName,
+      Key: { PK: `TENANT#${tenantId}`, SK: `BLOB#${blobId}` },
+    }),
+  );
+
+  if (!result.Item || result.Item['deletedAt']) {
+    return {
+      statusCode: 404,
+      headers: { 'Content-Type': 'application/json', ...rateLimitHeaders(rateResult) },
+      body: JSON.stringify({ error: 'not_found', message: 'Blob not found' }),
+    };
+  }
+
+  const data = result.Item['data'] as Buffer;
+  return {
+    statusCode: 200,
+    headers: {
+      'Content-Type': 'application/octet-stream',
+      ...rateLimitHeaders(rateResult),
+    },
+    body: Buffer.from(data).toString('base64'),
+  };
+}
+
+export async function handleDeleteBlob(
+  blobId: string,
+  tenantId: string,
+  ddb: DynamoDBDocumentClient,
+  tableName: string,
+): Promise<HandlerResponse> {
+  const rateResult = await checkRateLimit(tenantId, 'DELETE', ddb, tableName);
+  if (!rateResult.allowed) {
+    return {
+      statusCode: 429,
+      headers: { 'Content-Type': 'application/json', ...rateLimitHeaders(rateResult) },
+      body: JSON.stringify({ error: 'rate_limited', message: 'Too many requests' }),
+    };
+  }
+
+  const now = new Date().toISOString();
+  const ttlEpoch = Math.floor(Date.now() / 1000) + 30 * 24 * 60 * 60; // 30 days
+
+  // Get blob size for decrementing storage
+  const existing = await ddb.send(
+    new GetCommand({
+      TableName: tableName,
+      Key: { PK: `TENANT#${tenantId}`, SK: `BLOB#${blobId}` },
+      ProjectionExpression: '#s',
+      ExpressionAttributeNames: { '#s': 'size' },
+    }),
+  );
+
+  if (!existing.Item) {
+    return {
+      statusCode: 404,
+      headers: { 'Content-Type': 'application/json', ...rateLimitHeaders(rateResult) },
+      body: JSON.stringify({ error: 'not_found', message: 'Blob not found' }),
+    };
+  }
+
+  const blobSize = (existing.Item['size'] as number) ?? 0;
+
+  // Soft delete
+  await ddb.send(
+    new UpdateCommand({
+      TableName: tableName,
+      Key: { PK: `TENANT#${tenantId}`, SK: `BLOB#${blobId}` },
+      UpdateExpression: 'SET deletedAt = :deletedAt, #ttl = :ttl, updatedAt = :updatedAt',
+      ExpressionAttributeNames: { '#ttl': 'ttl' },
+      ExpressionAttributeValues: {
+        ':deletedAt': now,
+        ':ttl': ttlEpoch,
+        ':updatedAt': now,
+      },
+    }),
+  );
+
+  // Decrement storage used
+  await ddb.send(
+    new UpdateCommand({
+      TableName: tableName,
+      Key: { PK: `TENANT#${tenantId}`, SK: 'META' },
+      UpdateExpression: 'SET storageUsedBytes = storageUsedBytes - :size',
+      ExpressionAttributeValues: { ':size': blobSize },
+    }),
+  );
+
+  logger.info('Blob soft-deleted', { tenantId, operation: 'DELETE' });
+
+  return {
+    statusCode: 200,
+    headers: { 'Content-Type': 'application/json', ...rateLimitHeaders(rateResult) },
+    body: JSON.stringify({ id: blobId, deleted: true }),
+  };
+}
+
+export async function handleListBlobs(
+  tenantId: string,
+  since: string | undefined,
+  ddb: DynamoDBDocumentClient,
+  tableName: string,
+): Promise<HandlerResponse> {
+  const rateResult = await checkRateLimit(tenantId, 'LIST', ddb, tableName);
+  if (!rateResult.allowed) {
+    return {
+      statusCode: 429,
+      headers: { 'Content-Type': 'application/json', ...rateLimitHeaders(rateResult) },
+      body: JSON.stringify({ error: 'rate_limited', message: 'Too many requests' }),
+    };
+  }
+
+  let items: Record<string, unknown>[] = [];
+
+  if (since) {
+    // Use GSI for incremental sync
+    const result = await ddb.send(
+      new QueryCommand({
+        TableName: tableName,
+        IndexName: 'updatedAt-index',
+        KeyConditionExpression: 'PK = :pk AND updatedAt > :since',
+        ExpressionAttributeValues: {
+          ':pk': `TENANT#${tenantId}`,
+          ':since': since,
+        },
+      }),
+    );
+    items = (result.Items ?? []) as Record<string, unknown>[];
+  } else {
+    // Full list — query base table
+    const result = await ddb.send(
+      new QueryCommand({
+        TableName: tableName,
+        KeyConditionExpression: 'PK = :pk AND begins_with(SK, :prefix)',
+        ExpressionAttributeValues: {
+          ':pk': `TENANT#${tenantId}`,
+          ':prefix': 'BLOB#',
+        },
+        ProjectionExpression: 'SK, #s, updatedAt, deletedAt',
+        ExpressionAttributeNames: { '#s': 'size' },
+      }),
+    );
+    items = (result.Items ?? []) as Record<string, unknown>[];
+  }
+
+  const blobs: { id: string; size: number; ts: string }[] = [];
+  const tombstones: { id: string; deleted_at: string }[] = [];
+
+  for (const item of items) {
+    const sk = item['SK'] as string;
+    const blobId = sk.startsWith('BLOB#') ? sk.slice(5) : sk;
+
+    if (item['deletedAt']) {
+      tombstones.push({
+        id: blobId,
+        deleted_at: item['deletedAt'] as string,
+      });
+    } else {
+      blobs.push({
+        id: blobId,
+        size: item['size'] as number,
+        ts: item['updatedAt'] as string,
+      });
+    }
+  }
+
+  logger.info('Blobs listed', { tenantId, operation: 'LIST', blobCount: blobs.length });
+
+  return {
+    statusCode: 200,
+    headers: { 'Content-Type': 'application/json', ...rateLimitHeaders(rateResult) },
+    body: JSON.stringify({ blobs, tombstones }),
+  };
+}
+
+export async function handleCountBlobs(
+  tenantId: string,
+  ddb: DynamoDBDocumentClient,
+  tableName: string,
+): Promise<HandlerResponse> {
+  const result = await ddb.send(
+    new QueryCommand({
+      TableName: tableName,
+      KeyConditionExpression: 'PK = :pk AND begins_with(SK, :prefix)',
+      ExpressionAttributeValues: {
+        ':pk': `TENANT#${tenantId}`,
+        ':prefix': 'BLOB#',
+      },
+      FilterExpression: 'attribute_not_exists(deletedAt)',
+      Select: 'COUNT',
+    }),
+  );
+
+  return {
+    statusCode: 200,
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({ count: result.Count ?? 0 }),
+  };
+}