@hot-updater/aws 0.25.13 → 0.26.0

package/dist/lambda/index.cjs

@@ -30,6 +30,8 @@ let path = require("path");
 path = __toESM$1(path);
 let node_crypto = require("node:crypto");
 node_crypto = __toESM$1(node_crypto);
+let __aws_sdk_client_s3 = require("@aws-sdk/client-s3");
+__aws_sdk_client_s3 = __toESM$1(__aws_sdk_client_s3);
 
 //#region ../../packages/core/dist/index.js
 const HOT_UPDATE_DIR_NAME = ".hot-updater";
@@ -1424,253 +1426,33 @@ var isContentTypeBinary = (contentType) => {
 };
 
 //#endregion
-//#region ../../node_modules/.pnpm/@aws-sdk+cloudfront-signer@3.772.0/node_modules/@aws-sdk/cloudfront-signer/dist-cjs/index.js
-var require_dist_cjs = /* @__PURE__ */ __commonJS$1({ "../../node_modules/.pnpm/@aws-sdk+cloudfront-signer@3.772.0/node_modules/@aws-sdk/cloudfront-signer/dist-cjs/index.js": ((exports, module) => {
-	var __defProp$1 = Object.defineProperty;
-	var __getOwnPropDesc$1 = Object.getOwnPropertyDescriptor;
-	var __getOwnPropNames$1 = Object.getOwnPropertyNames;
-	var __hasOwnProp$1 = Object.prototype.hasOwnProperty;
-	var __name = (target, value) => __defProp$1(target, "name", {
-		value,
-		configurable: true
-	});
-	var __export = (target, all) => {
-		for (var name in all) __defProp$1(target, name, {
-			get: all[name],
-			enumerable: true
-		});
-	};
-	var __copyProps$1 = (to, from, except, desc) => {
-		if (from && typeof from === "object" || typeof from === "function") {
-			for (let key of __getOwnPropNames$1(from)) if (!__hasOwnProp$1.call(to, key) && key !== except) __defProp$1(to, key, {
-				get: () => from[key],
-				enumerable: !(desc = __getOwnPropDesc$1(from, key)) || desc.enumerable
-			});
-		}
-		return to;
-	};
-	var __toCommonJS = (mod) => __copyProps$1(__defProp$1({}, "__esModule", { value: true }), mod);
-	var index_exports = {};
-	__export(index_exports, {
-		getSignedCookies: () => getSignedCookies,
-		getSignedUrl: () => getSignedUrl$2
-	});
-	module.exports = __toCommonJS(index_exports);
-	var import_crypto = require("crypto");
-	function getSignedUrl$2({ dateLessThan, dateGreaterThan, url, keyPairId, privateKey, ipAddress, policy, passphrase }) {
-		const cloudfrontSignBuilder = new CloudfrontSignBuilder({
-			keyPairId,
-			privateKey,
-			passphrase
-		});
-		if (!url && !policy) throw new Error("@aws-sdk/cloudfront-signer: Please provide 'url' or 'policy'.");
-		if (policy) cloudfrontSignBuilder.setCustomPolicy(policy);
-		else cloudfrontSignBuilder.setPolicyParameters({
-			url,
-			dateLessThan,
-			dateGreaterThan,
-			ipAddress
-		});
-		let baseUrl;
-		if (url) baseUrl = url;
-		else if (policy) {
-			const resources = getPolicyResources(policy);
-			if (!resources[0]) throw new Error("@aws-sdk/cloudfront-signer: No URL provided and unable to determine URL from first policy statement resource.");
-			baseUrl = resources[0].replace("*://", "https://");
-		}
-		const newURL = new URL(baseUrl);
-		newURL.search = Array.from(newURL.searchParams.entries()).concat(Object.entries(cloudfrontSignBuilder.createCloudfrontAttribute())).filter(([, value]) => value !== void 0).map(([key, value]) => `${encodeURIComponent(key)}=${encodeURIComponent(value)}`).join("&");
-		return getResource(newURL);
-	}
-	__name(getSignedUrl$2, "getSignedUrl");
-	function getSignedCookies({ ipAddress, url, privateKey, keyPairId, dateLessThan, dateGreaterThan, policy, passphrase }) {
-		const cloudfrontSignBuilder = new CloudfrontSignBuilder({
-			keyPairId,
-			privateKey,
-			passphrase
-		});
-		if (policy) cloudfrontSignBuilder.setCustomPolicy(policy);
-		else cloudfrontSignBuilder.setPolicyParameters({
-			url,
-			dateLessThan,
-			dateGreaterThan,
-			ipAddress
-		});
-		const cloudfrontCookieAttributes = cloudfrontSignBuilder.createCloudfrontAttribute();
-		const cookies = {
-			"CloudFront-Key-Pair-Id": cloudfrontCookieAttributes["Key-Pair-Id"],
-			"CloudFront-Signature": cloudfrontCookieAttributes["Signature"]
-		};
-		if (cloudfrontCookieAttributes["Expires"]) cookies["CloudFront-Expires"] = cloudfrontCookieAttributes["Expires"];
-		if (cloudfrontCookieAttributes["Policy"]) cookies["CloudFront-Policy"] = cloudfrontCookieAttributes["Policy"];
-		return cookies;
-	}
-	__name(getSignedCookies, "getSignedCookies");
-	function getPolicyResources(policy) {
-		return ((typeof policy === "string" ? JSON.parse(policy) : policy)?.Statement ?? []).map((s) => s.Resource);
-	}
-	__name(getPolicyResources, "getPolicyResources");
-	function getResource(url) {
-		switch (url.protocol) {
-			case "http:":
-			case "https:":
-			case "ws:":
-			case "wss:": return url.toString();
-			case "rtmp:": return url.pathname.replace(/^\//, "") + url.search + url.hash;
-			default: throw new Error("Invalid URI scheme. Scheme must be one of http, https, or rtmp");
-		}
-	}
-	__name(getResource, "getResource");
-	var CloudfrontSignBuilder = class {
-		static {
-			__name(this, "CloudfrontSignBuilder");
-		}
-		keyPairId;
-		privateKey;
-		passphrase;
-		policy;
-		customPolicy = false;
-		dateLessThan;
-		constructor({ privateKey, keyPairId, passphrase }) {
-			this.keyPairId = keyPairId;
-			this.privateKey = privateKey;
-			this.policy = "";
-			this.passphrase = passphrase;
-		}
-		buildPolicy(args) {
-			const policy = { Statement: [{
-				Resource: args.resource,
-				Condition: { DateLessThan: { "AWS:EpochTime": args.dateLessThan } }
-			}] };
-			if (args.dateGreaterThan) policy.Statement[0].Condition["DateGreaterThan"] = { "AWS:EpochTime": args.dateGreaterThan };
-			if (args.ipAddress) {
-				const cidr = this.parseCIDR(args.ipAddress);
-				policy.Statement[0].Condition["IpAddress"] = { "AWS:SourceIp": cidr };
-			}
-			return policy;
-		}
-		normalizeBase64(str) {
-			const replacements = {
-				"+": "-",
-				"=": "_",
-				"/": "~"
-			};
-			return str.replace(/[+=/]/g, function(match) {
-				return replacements[match];
-			});
-		}
-		encodeToBase64(str) {
-			return this.normalizeBase64(Buffer.from(str).toString("base64"));
-		}
-		validateIP(ipStr) {
-			const octets = ipStr.split(".");
-			if (octets.length !== 4) throw new Error(`IP does not contain four octets.`);
-			if (!octets.every((octet) => {
-				const num = Number(octet);
-				return Number.isInteger(num) && num >= 0 && num <= 255;
-			})) throw new Error("invalid IP octets");
-		}
-		validateMask(maskStr) {
-			const mask = Number(maskStr);
-			if (!(Number.isInteger(mask) && mask >= 0 && mask <= 32)) throw new Error("invalid mask");
-		}
-		parseCIDR(cidrStr) {
-			try {
-				const cidrParts = cidrStr.split("/");
-				if (cidrParts.some((part) => part.length === 0)) throw new Error("missing ip or mask part of CIDR");
-				this.validateIP(cidrParts[0]);
-				let mask = "32";
-				if (cidrParts.length === 2) {
-					this.validateMask(cidrParts[1]);
-					mask = cidrParts[1];
-				}
-				return `${cidrParts[0]}/${mask}`;
-			} catch (error) {
-				const errMessage = `IP address "${cidrStr}" is invalid`;
-				if (error instanceof Error) throw new Error(`${errMessage} due to ${error.message}.`);
-				else throw new Error(`${errMessage}.`);
-			}
-		}
-		epochTime(date) {
-			return Math.round(date.getTime() / 1e3);
-		}
-		parseDate(date) {
-			if (!date) return;
-			const parsedDate = new Date(date);
-			return isNaN(parsedDate.getTime()) ? void 0 : this.epochTime(parsedDate);
-		}
-		parseDateWindow(expiration, start) {
-			const dateLessThan = this.parseDate(expiration);
-			if (!dateLessThan) throw new Error("dateLessThan is invalid. Ensure the date value is compatible with the Date constructor.");
-			return {
-				dateLessThan,
-				dateGreaterThan: this.parseDate(start)
-			};
-		}
-		signData(data, privateKey, passphrase) {
-			const sign = (0, import_crypto.createSign)("RSA-SHA1");
-			sign.update(data);
-			return sign.sign({
-				key: privateKey,
-				passphrase
-			}, "base64");
-		}
-		signPolicy(policy, privateKey, passphrase) {
-			return this.normalizeBase64(this.signData(policy, privateKey, passphrase));
-		}
-		setCustomPolicy(policy) {
-			this.customPolicy = true;
-			this.policy = policy;
-		}
-		setPolicyParameters({ url, dateLessThan, dateGreaterThan, ipAddress }) {
-			if (!url || !dateLessThan) return false;
-			const resource = getResource(new URL(url));
-			const parsedDates = this.parseDateWindow(dateLessThan, dateGreaterThan);
-			this.dateLessThan = parsedDates.dateLessThan;
-			this.customPolicy = Boolean(parsedDates.dateGreaterThan) || Boolean(ipAddress);
-			this.policy = JSON.stringify(this.buildPolicy({
-				resource,
-				ipAddress,
-				dateLessThan: parsedDates.dateLessThan,
-				dateGreaterThan: parsedDates.dateGreaterThan
-			}));
-		}
-		createCloudfrontAttribute() {
-			if (!Boolean(this.policy)) throw new Error("Invalid policy");
-			const signature = this.signPolicy(this.policy, this.privateKey, this.passphrase);
-			return {
-				Expires: this.customPolicy ? void 0 : this.dateLessThan,
-				Policy: this.customPolicy ? this.encodeToBase64(this.policy) : void 0,
-				"Key-Pair-Id": this.keyPairId,
-				Signature: signature
-			};
-		}
-	};
-}) });
+//#region lambda/cacheControl.ts
+const ONE_YEAR_IN_SECONDS = 3600 * 24 * 365;
+const NO_STORE_CACHE_CONTROL = "no-store";
+const SHARED_EDGE_CACHE_CONTROL = `public, max-age=0, s-maxage=${ONE_YEAR_IN_SECONDS}, must-revalidate`;
 
 //#endregion
 //#region ../js/dist/index.js
-var import_dist_cjs$1 = /* @__PURE__ */ __toESM$1(require_dist_cjs(), 1);
 var __create = Object.create;
-var __defProp = Object.defineProperty;
-var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
-var __getOwnPropNames = Object.getOwnPropertyNames;
+var __defProp$1 = Object.defineProperty;
+var __getOwnPropDesc$1 = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames$1 = Object.getOwnPropertyNames;
 var __getProtoOf = Object.getPrototypeOf;
-var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __hasOwnProp$1 = Object.prototype.hasOwnProperty;
 var __commonJS = (cb, mod) => function() {
-	return mod || (0, cb[__getOwnPropNames(cb)[0]])((mod = { exports: {} }).exports, mod), mod.exports;
+	return mod || (0, cb[__getOwnPropNames$1(cb)[0]])((mod = { exports: {} }).exports, mod), mod.exports;
 };
-var __copyProps = (to, from, except, desc) => {
-	if (from && typeof from === "object" || typeof from === "function") for (var keys = __getOwnPropNames(from), i = 0, n = keys.length, key; i < n; i++) {
+var __copyProps$1 = (to, from, except, desc) => {
+	if (from && typeof from === "object" || typeof from === "function") for (var keys = __getOwnPropNames$1(from), i = 0, n = keys.length, key; i < n; i++) {
 		key = keys[i];
-		if (!__hasOwnProp.call(to, key) && key !== except) __defProp(to, key, {
+		if (!__hasOwnProp$1.call(to, key) && key !== except) __defProp$1(to, key, {
 			get: ((k) => from[k]).bind(null, key),
-			enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable
+			enumerable: !(desc = __getOwnPropDesc$1(from, key)) || desc.enumerable
 		});
 	}
 	return to;
 };
-var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", {
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps$1(isNodeMode || !mod || !mod.__esModule ? __defProp$1(target, "default", {
 	value: mod,
 	enumerable: true
 }) : target, mod));
@@ -3038,51 +2820,46 @@ const year = day * 365.25;
 
 //#endregion
 //#region lambda/getUpdateInfo.ts
-const getCdnJson = async ({ baseUrl, key, keyPairId, privateKey }) => {
+const s3Clients = /* @__PURE__ */ new Map();
+const getS3Client = (region) => {
+	const existingClient = s3Clients.get(region);
+	if (existingClient) return existingClient;
+	const client = new __aws_sdk_client_s3.S3({ region });
+	s3Clients.set(region, client);
+	return client;
+};
+const getS3Json = async ({ bucketName, key, region }) => {
 	try {
-		const url = new URL(baseUrl);
-		url.pathname = `/${key}`;
-		const signedUrl = (0, import_dist_cjs$1.getSignedUrl)({
-			url: url.toString(),
-			keyPairId,
-			privateKey,
-			dateLessThan: new Date(Date.now() + 60 * 1e3).toISOString()
+		const body = await (await getS3Client(region).send(new __aws_sdk_client_s3.GetObjectCommand({
+			Bucket: bucketName,
+			Key: key
+		}))).Body?.transformToString();
+		if (!body) return null;
+		return JSON.parse(body);
+	} catch (error) {
+		if (error instanceof Error && (error.name === "NoSuchKey" || error.name === "NotFound")) return null;
+		console.error("Failed to read Hot Updater manifest from S3:", {
+			key,
+			error
 		});
-		const res = await fetch(signedUrl, { headers: { "Content-Type": "application/json" } });
-		if (!res.ok) return null;
-		return res.json();
-	} catch {
 		return null;
 	}
 };
-const getUpdateInfo = async ({ baseUrl, keyPairId, privateKey }, args) => {
+const getUpdateInfo = async ({ bucketName, region, readManifestJson }, args) => {
+	const manifestReader = readManifestJson ?? ((key) => getS3Json({
+		bucketName,
+		key,
+		region
+	}));
 	switch (args._updateStrategy) {
-		case "appVersion": return appVersionStrategy({
-			baseUrl,
-			keyPairId,
-			privateKey
-		}, args);
-		case "fingerprint": return fingerprintStrategy({
-			baseUrl,
-			keyPairId,
-			privateKey
-		}, args);
+		case "appVersion": return appVersionStrategy({ readManifestJson: manifestReader }, args);
+		case "fingerprint": return fingerprintStrategy({ readManifestJson: manifestReader }, args);
 		default: return null;
 	}
 };
-const appVersionStrategy = async ({ baseUrl, keyPairId, privateKey }, { platform, appVersion, bundleId, minBundleId = NIL_UUID, channel = "production" }) => {
-	const matchingVersions = filterCompatibleAppVersions(await getCdnJson({
-		baseUrl,
-		key: `${channel}/${platform}/target-app-versions.json`,
-		keyPairId,
-		privateKey
-	}) ?? [], appVersion);
-	return getUpdateInfo$1((await Promise.allSettled(matchingVersions.map((targetAppVersion) => getCdnJson({
-		baseUrl,
-		key: `${channel}/${platform}/${targetAppVersion}/update.json`,
-		keyPairId,
-		privateKey
-	})))).filter((r) => r.status === "fulfilled").flatMap((r) => r.value ?? []), {
+const appVersionStrategy = async ({ readManifestJson }, { platform, appVersion, bundleId, minBundleId = NIL_UUID, channel = "production" }) => {
+	const matchingVersions = filterCompatibleAppVersions(await readManifestJson(`${channel}/${platform}/target-app-versions.json`) ?? [], appVersion);
+	return getUpdateInfo$1((await Promise.allSettled(matchingVersions.map((targetAppVersion) => readManifestJson(`${channel}/${platform}/${targetAppVersion}/update.json`)))).filter((r) => r.status === "fulfilled").flatMap((r) => r.value ?? []), {
 		platform,
 		bundleId,
 		appVersion,
@@ -3091,15 +2868,8 @@ const appVersionStrategy = async ({ baseUrl, keyPairId, privateKey }, { platform
 		_updateStrategy: "appVersion"
 	});
 };
-const fingerprintStrategy = async ({ baseUrl, keyPairId, privateKey }, { platform, fingerprintHash, bundleId, minBundleId = NIL_UUID, channel = "production" }) => {
-	const result = await getCdnJson({
-		baseUrl,
-		key: `${channel}/${platform}/${fingerprintHash}/update.json`,
-		keyPairId,
-		privateKey
-	});
-	console.log("result", `${channel}/${platform}/${fingerprintHash}/update.json`, result);
-	return getUpdateInfo$1(result ?? [], {
+const fingerprintStrategy = async ({ readManifestJson }, { platform, fingerprintHash, bundleId, minBundleId = NIL_UUID, channel = "production" }) => {
+	return getUpdateInfo$1(await readManifestJson(`${channel}/${platform}/${fingerprintHash}/update.json`) ?? [], {
 		platform,
 		bundleId,
 		fingerprintHash,
@@ -3109,6 +2879,231 @@ const fingerprintStrategy = async ({ baseUrl, keyPairId, privateKey }, { platfor
 	});
 };
 
+//#endregion
+//#region ../../node_modules/.pnpm/@aws-sdk+cloudfront-signer@3.772.0/node_modules/@aws-sdk/cloudfront-signer/dist-cjs/index.js
+var require_dist_cjs = /* @__PURE__ */ __commonJS$1({ "../../node_modules/.pnpm/@aws-sdk+cloudfront-signer@3.772.0/node_modules/@aws-sdk/cloudfront-signer/dist-cjs/index.js": ((exports, module) => {
+	var __defProp = Object.defineProperty;
+	var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+	var __getOwnPropNames = Object.getOwnPropertyNames;
+	var __hasOwnProp = Object.prototype.hasOwnProperty;
+	var __name = (target, value) => __defProp(target, "name", {
+		value,
+		configurable: true
+	});
+	var __export = (target, all) => {
+		for (var name in all) __defProp(target, name, {
+			get: all[name],
+			enumerable: true
+		});
+	};
+	var __copyProps = (to, from, except, desc) => {
+		if (from && typeof from === "object" || typeof from === "function") {
+			for (let key of __getOwnPropNames(from)) if (!__hasOwnProp.call(to, key) && key !== except) __defProp(to, key, {
+				get: () => from[key],
+				enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable
+			});
+		}
+		return to;
+	};
+	var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+	var index_exports = {};
+	__export(index_exports, {
+		getSignedCookies: () => getSignedCookies,
+		getSignedUrl: () => getSignedUrl$1
+	});
+	module.exports = __toCommonJS(index_exports);
+	var import_crypto = require("crypto");
+	function getSignedUrl$1({ dateLessThan, dateGreaterThan, url, keyPairId, privateKey, ipAddress, policy, passphrase }) {
+		const cloudfrontSignBuilder = new CloudfrontSignBuilder({
+			keyPairId,
+			privateKey,
+			passphrase
+		});
+		if (!url && !policy) throw new Error("@aws-sdk/cloudfront-signer: Please provide 'url' or 'policy'.");
+		if (policy) cloudfrontSignBuilder.setCustomPolicy(policy);
+		else cloudfrontSignBuilder.setPolicyParameters({
+			url,
+			dateLessThan,
+			dateGreaterThan,
+			ipAddress
+		});
+		let baseUrl;
+		if (url) baseUrl = url;
+		else if (policy) {
+			const resources = getPolicyResources(policy);
+			if (!resources[0]) throw new Error("@aws-sdk/cloudfront-signer: No URL provided and unable to determine URL from first policy statement resource.");
+			baseUrl = resources[0].replace("*://", "https://");
+		}
+		const newURL = new URL(baseUrl);
+		newURL.search = Array.from(newURL.searchParams.entries()).concat(Object.entries(cloudfrontSignBuilder.createCloudfrontAttribute())).filter(([, value]) => value !== void 0).map(([key, value]) => `${encodeURIComponent(key)}=${encodeURIComponent(value)}`).join("&");
+		return getResource(newURL);
+	}
+	__name(getSignedUrl$1, "getSignedUrl");
+	function getSignedCookies({ ipAddress, url, privateKey, keyPairId, dateLessThan, dateGreaterThan, policy, passphrase }) {
+		const cloudfrontSignBuilder = new CloudfrontSignBuilder({
+			keyPairId,
+			privateKey,
+			passphrase
+		});
+		if (policy) cloudfrontSignBuilder.setCustomPolicy(policy);
+		else cloudfrontSignBuilder.setPolicyParameters({
+			url,
+			dateLessThan,
+			dateGreaterThan,
+			ipAddress
+		});
+		const cloudfrontCookieAttributes = cloudfrontSignBuilder.createCloudfrontAttribute();
+		const cookies = {
+			"CloudFront-Key-Pair-Id": cloudfrontCookieAttributes["Key-Pair-Id"],
+			"CloudFront-Signature": cloudfrontCookieAttributes["Signature"]
+		};
+		if (cloudfrontCookieAttributes["Expires"]) cookies["CloudFront-Expires"] = cloudfrontCookieAttributes["Expires"];
+		if (cloudfrontCookieAttributes["Policy"]) cookies["CloudFront-Policy"] = cloudfrontCookieAttributes["Policy"];
+		return cookies;
+	}
+	__name(getSignedCookies, "getSignedCookies");
+	function getPolicyResources(policy) {
+		return ((typeof policy === "string" ? JSON.parse(policy) : policy)?.Statement ?? []).map((s) => s.Resource);
+	}
+	__name(getPolicyResources, "getPolicyResources");
+	function getResource(url) {
+		switch (url.protocol) {
+			case "http:":
+			case "https:":
+			case "ws:":
+			case "wss:": return url.toString();
+			case "rtmp:": return url.pathname.replace(/^\//, "") + url.search + url.hash;
+			default: throw new Error("Invalid URI scheme. Scheme must be one of http, https, or rtmp");
+		}
+	}
+	__name(getResource, "getResource");
+	var CloudfrontSignBuilder = class {
+		static {
+			__name(this, "CloudfrontSignBuilder");
+		}
+		keyPairId;
+		privateKey;
+		passphrase;
+		policy;
+		customPolicy = false;
+		dateLessThan;
+		constructor({ privateKey, keyPairId, passphrase }) {
+			this.keyPairId = keyPairId;
+			this.privateKey = privateKey;
+			this.policy = "";
+			this.passphrase = passphrase;
+		}
+		buildPolicy(args) {
+			const policy = { Statement: [{
+				Resource: args.resource,
+				Condition: { DateLessThan: { "AWS:EpochTime": args.dateLessThan } }
+			}] };
+			if (args.dateGreaterThan) policy.Statement[0].Condition["DateGreaterThan"] = { "AWS:EpochTime": args.dateGreaterThan };
+			if (args.ipAddress) {
+				const cidr = this.parseCIDR(args.ipAddress);
+				policy.Statement[0].Condition["IpAddress"] = { "AWS:SourceIp": cidr };
+			}
+			return policy;
+		}
+		normalizeBase64(str) {
+			const replacements = {
+				"+": "-",
+				"=": "_",
+				"/": "~"
+			};
+			return str.replace(/[+=/]/g, function(match) {
+				return replacements[match];
+			});
+		}
+		encodeToBase64(str) {
+			return this.normalizeBase64(Buffer.from(str).toString("base64"));
+		}
+		validateIP(ipStr) {
+			const octets = ipStr.split(".");
+			if (octets.length !== 4) throw new Error(`IP does not contain four octets.`);
+			if (!octets.every((octet) => {
+				const num = Number(octet);
+				return Number.isInteger(num) && num >= 0 && num <= 255;
+			})) throw new Error("invalid IP octets");
+		}
+		validateMask(maskStr) {
+			const mask = Number(maskStr);
+			if (!(Number.isInteger(mask) && mask >= 0 && mask <= 32)) throw new Error("invalid mask");
+		}
+		parseCIDR(cidrStr) {
+			try {
+				const cidrParts = cidrStr.split("/");
+				if (cidrParts.some((part) => part.length === 0)) throw new Error("missing ip or mask part of CIDR");
+				this.validateIP(cidrParts[0]);
+				let mask = "32";
+				if (cidrParts.length === 2) {
+					this.validateMask(cidrParts[1]);
+					mask = cidrParts[1];
+				}
+				return `${cidrParts[0]}/${mask}`;
+			} catch (error) {
+				const errMessage = `IP address "${cidrStr}" is invalid`;
+				if (error instanceof Error) throw new Error(`${errMessage} due to ${error.message}.`);
+				else throw new Error(`${errMessage}.`);
+			}
+		}
+		epochTime(date) {
+			return Math.round(date.getTime() / 1e3);
+		}
+		parseDate(date) {
+			if (!date) return;
+			const parsedDate = new Date(date);
+			return isNaN(parsedDate.getTime()) ? void 0 : this.epochTime(parsedDate);
+		}
+		parseDateWindow(expiration, start) {
+			const dateLessThan = this.parseDate(expiration);
+			if (!dateLessThan) throw new Error("dateLessThan is invalid. Ensure the date value is compatible with the Date constructor.");
+			return {
+				dateLessThan,
+				dateGreaterThan: this.parseDate(start)
+			};
+		}
+		signData(data, privateKey, passphrase) {
+			const sign = (0, import_crypto.createSign)("RSA-SHA1");
+			sign.update(data);
+			return sign.sign({
+				key: privateKey,
+				passphrase
+			}, "base64");
+		}
+		signPolicy(policy, privateKey, passphrase) {
+			return this.normalizeBase64(this.signData(policy, privateKey, passphrase));
+		}
+		setCustomPolicy(policy) {
+			this.customPolicy = true;
+			this.policy = policy;
+		}
+		setPolicyParameters({ url, dateLessThan, dateGreaterThan, ipAddress }) {
+			if (!url || !dateLessThan) return false;
+			const resource = getResource(new URL(url));
+			const parsedDates = this.parseDateWindow(dateLessThan, dateGreaterThan);
+			this.dateLessThan = parsedDates.dateLessThan;
+			this.customPolicy = Boolean(parsedDates.dateGreaterThan) || Boolean(ipAddress);
+			this.policy = JSON.stringify(this.buildPolicy({
+				resource,
+				ipAddress,
+				dateLessThan: parsedDates.dateLessThan,
+				dateGreaterThan: parsedDates.dateGreaterThan
+			}));
+		}
+		createCloudfrontAttribute() {
+			if (!Boolean(this.policy)) throw new Error("Invalid policy");
+			const signature = this.signPolicy(this.policy, this.privateKey, this.passphrase);
+			return {
+				Expires: this.customPolicy ? void 0 : this.dateLessThan,
+				Policy: this.customPolicy ? this.encodeToBase64(this.policy) : void 0,
+				"Key-Pair-Id": this.keyPairId,
+				Signature: signature
+			};
+		}
+	};
+}) });
+
 //#endregion
 //#region lambda/withSignedUrl.ts
 var import_dist_cjs = /* @__PURE__ */ __toESM$1(require_dist_cjs(), 1);
@@ -3149,11 +3144,8 @@ const withSignedUrl = async ({ data, reqUrl, keyPairId, privateKey, expiresSecon
 const CLOUDFRONT_KEY_PAIR_ID = HotUpdater.CLOUDFRONT_KEY_PAIR_ID;
 const SSM_PARAMETER_NAME = HotUpdater.SSM_PARAMETER_NAME;
 const SSM_REGION = HotUpdater.SSM_REGION;
+const S3_BUCKET_NAME = HotUpdater.S3_BUCKET_NAME;
 let cachedPrivateKey = null;
-/**
-* Retrieves CloudFront private key from SSM Parameter Store
-* Uses global cache to avoid repeated SSM calls on warm Lambda invocations
-*/
 async function getPrivateKey() {
 	if (cachedPrivateKey !== null) return cachedPrivateKey;
 	if (!SSM_REGION) throw new Error(`Invalid AWS region format: ${SSM_REGION}. Expected format like 'us-east-1' or 'ap-southeast-1'`);
@@ -3186,10 +3178,8 @@ const processDefaultValues = (channel, minBundleId) => ({
 	actualChannel: channel === "default" ? "production" : channel,
 	actualMinBundleId: minBundleId === "default" ? NIL_UUID : minBundleId
 });
-const handleUpdateRequest = async (c, params, strategy, expiresSeconds) => {
+const handleUpdateRequest = async (c, params, strategy, expiresSeconds, cacheControl) => {
 	try {
-		if (!c.req.header("host")) return c.json({ error: "Missing host header." }, 500);
-		const privateKey = await getPrivateKey();
 		const updateConfig = {
 			platform: params.platform,
 			bundleId: params.bundleId,
@@ -3204,11 +3194,12 @@ const handleUpdateRequest = async (c, params, strategy, expiresSeconds) => {
 			}
 		};
 		const updateInfo = await getUpdateInfo({
-			baseUrl: c.req.url,
-			keyPairId: CLOUDFRONT_KEY_PAIR_ID,
-			privateKey
+			bucketName: S3_BUCKET_NAME,
+			region: SSM_REGION
 		}, updateConfig);
+		if (cacheControl) c.header("Cache-Control", cacheControl);
 		if (!updateInfo) return c.json(null);
+		const privateKey = await getPrivateKey();
 		const appUpdateInfo = await withSignedUrl({
 			data: updateInfo,
 			reqUrl: c.req.url,
@@ -3244,7 +3235,7 @@ app.get("/api/check-update", async (c) => {
 			channel,
 			minBundleId,
 			...fingerprintHash ? { fingerprintHash } : { appVersion }
-		}, fingerprintHash ? "fingerprint" : "appVersion", 60);
+		}, fingerprintHash ? "fingerprint" : "appVersion", 60, NO_STORE_CACHE_CONTROL);
 	} catch (error) {
 		console.error("Legacy endpoint error:", error);
 		return c.json({ error: "Internal Server Error" }, 500);
@@ -3270,7 +3261,7 @@ app.get("/api/check-update/app-version/:platform/:appVersion/:channel/:minBundle
 		channel: actualChannel,
 		minBundleId: actualMinBundleId,
 		appVersion
-	}, "appVersion", 3600 * 24 * 365);
+	}, "appVersion", ONE_YEAR_IN_SECONDS, SHARED_EDGE_CACHE_CONTROL);
 });
 app.get("/api/check-update/fingerprint/:platform/:fingerprintHash/:channel/:minBundleId/:bundleId", async (c) => {
 	const { platform, fingerprintHash, channel, minBundleId, bundleId } = c.req.param();
@@ -3292,10 +3283,7 @@ app.get("/api/check-update/fingerprint/:platform/:fingerprintHash/:channel/:minB
 		channel: actualChannel,
 		minBundleId: actualMinBundleId,
 		fingerprintHash
-	}, "fingerprint", 3600 * 24 * 365);
-});
-app.get("*", async (c) => {
-	return c.env.callback(null, c.env.request);
+	}, "fingerprint", ONE_YEAR_IN_SECONDS, SHARED_EDGE_CACHE_CONTROL);
 });
 const handler = handle(app);
 

package/dist/lambda/index.d.cts

@@ -6,6 +6,7 @@ declare global {
     CLOUDFRONT_KEY_PAIR_ID: string;
     SSM_PARAMETER_NAME: string;
     SSM_REGION: string;
+    S3_BUCKET_NAME: string;
   };
 }
 declare const handler: CloudFrontRequestHandler;