@mux/ai 0.6.0 → 0.7.3

package/dist/index.js

@@ -5,7 +5,7 @@ var __export = (target, all) => {
 };
 
 // package.json
-var version = "0.6.0";
+var version = "0.7.3";
 
 // src/env.ts
 import { z } from "zod";
@@ -60,6 +60,9 @@ var EnvSchema = z.object({
   S3_BUCKET: optionalString("Bucket used for caption and audio uploads.", "S3 bucket"),
   S3_ACCESS_KEY_ID: optionalString("Access key ID for S3-compatible uploads.", "S3 access key id"),
   S3_SECRET_ACCESS_KEY: optionalString("Secret access key for S3-compatible uploads.", "S3 secret access key"),
+  S3_ALLOWED_ENDPOINT_HOSTS: optionalString(
+    "Comma-separated S3 endpoint allowlist (supports exact hosts and *.suffix patterns)."
+  ),
   EVALITE_RESULTS_ENDPOINT: optionalString(
     "Full URL for posting Evalite results (e.g., https://example.com/api/evalite-results).",
     "Evalite results endpoint"
@@ -135,11 +138,15 @@ function bytesToBase64(bytes) {
   }
   return output;
 }
+function normalizeBase64Input(value) {
+  const cleaned = value.replace(/\s+/g, "").replace(/-/g, "+").replace(/_/g, "/");
+  return cleaned?.length % 4 === 0 ? cleaned : cleaned + "=".repeat(4 - cleaned.length % 4);
+}
 function base64ToBytes(value, label) {
   if (!value) {
     throw new Error(`${label} is missing`);
   }
-  const normalized = value.length % 4 === 0 ? value : value + "=".repeat(4 - value.length % 4);
+  const normalized = normalizeBase64Input(value);
   const atobImpl = typeof globalThis.atob === "function" ? globalThis.atob.bind(globalThis) : void 0;
   if (atobImpl) {
     let binary;
@@ -157,19 +164,18 @@ function base64ToBytes(value, label) {
     }
     return bytes2;
   }
-  const cleaned = normalized.replace(/\s+/g, "");
-  if (cleaned.length % 4 !== 0) {
+  if (normalized.length % 4 !== 0) {
     throw new Error(`${label} is not valid base64`);
   }
-  const padding = cleaned.endsWith("==") ? 2 : cleaned.endsWith("=") ? 1 : 0;
-  const outputLength = cleaned.length / 4 * 3 - padding;
+  const padding = normalized.endsWith("==") ? 2 : normalized.endsWith("=") ? 1 : 0;
+  const outputLength = normalized.length / 4 * 3 - padding;
   const bytes = new Uint8Array(outputLength);
   let offset = 0;
-  for (let i = 0; i < cleaned.length; i += 4) {
-    const c0 = cleaned.charCodeAt(i);
-    const c1 = cleaned.charCodeAt(i + 1);
-    const c2 = cleaned.charCodeAt(i + 2);
-    const c3 = cleaned.charCodeAt(i + 3);
+  for (let i = 0; i < normalized.length; i += 4) {
+    const c0 = normalized.charCodeAt(i);
+    const c1 = normalized.charCodeAt(i + 1);
+    const c2 = normalized.charCodeAt(i + 2);
+    const c3 = normalized.charCodeAt(i + 3);
     if (c0 === 61 || c1 === 61) {
       throw new Error(`${label} is not valid base64`);
     }
@@ -318,7 +324,9 @@ async function shouldEnforceEncryptedCredentials() {
 function getWorkflowSecretKeyFromEnv() {
   const key = env_default.MUX_AI_WORKFLOW_SECRET_KEY;
   if (!key) {
-    throw new Error("Workflow secret key is required. Set MUX_AI_WORKFLOW_SECRET_KEY environment variable.");
+    throw new Error(
+      "Workflow secret key is required. Set MUX_AI_WORKFLOW_SECRET_KEY environment variable."
+    );
   }
   return key;
 }
@@ -349,36 +357,92 @@ async function resolveWorkflowCredentials(credentials) {
       );
       return { ...resolved, ...decrypted };
     } catch (error) {
-      const detail = error instanceof Error ? error.message : String(error);
+      const detail = error instanceof Error ? error.message : "Unknown error.";
       throw new Error(`Failed to decrypt workflow credentials. ${detail}`);
     }
   }
   if (await shouldEnforceEncryptedCredentials()) {
     throw new Error(
-      "Plaintext workflow credentials are not allowed when using Workflow Dev Kit.Pass encrypted credentials (encryptForWorkflow) or resolve secrets via environment variables."
+      "Plaintext workflow credentials are not allowed when using Workflow Dev Kit. Pass encrypted credentials (encryptForWorkflow) or resolve secrets via environment variables."
     );
   }
   return { ...resolved, ...credentials };
 }
-async function resolveMuxCredentials(credentials) {
+function readString(record, key) {
+  const value = record?.[key];
+  return typeof value === "string" && value.length > 0 ? value : void 0;
+}
+function resolveDirectMuxCredentials(record) {
+  const tokenId = readString(record, "muxTokenId");
+  const tokenSecret = readString(record, "muxTokenSecret");
+  const signingKey = readString(record, "muxSigningKey");
+  const privateKey = readString(record, "muxPrivateKey");
+  if (!tokenId && !tokenSecret && !signingKey && !privateKey) {
+    return void 0;
+  }
+  if (!tokenId || !tokenSecret) {
+    throw new Error(
+      "Both muxTokenId and muxTokenSecret are required when passing direct Mux workflow credentials."
+    );
+  }
+  return {
+    tokenId,
+    tokenSecret,
+    signingKey,
+    privateKey
+  };
+}
+function createWorkflowMuxClient(options) {
+  return {
+    async createClient() {
+      const { default: MuxClient } = await import("@mux/mux-node");
+      return new MuxClient({
+        tokenId: options.tokenId,
+        tokenSecret: options.tokenSecret
+      });
+    },
+    getSigningKey() {
+      return options.signingKey;
+    },
+    getPrivateKey() {
+      return options.privateKey;
+    }
+  };
+}
+async function resolveMuxClient(credentials) {
   const resolved = await resolveWorkflowCredentials(credentials);
-  const muxTokenId = resolved.muxTokenId ?? env_default.MUX_TOKEN_ID;
-  const muxTokenSecret = resolved.muxTokenSecret ?? env_default.MUX_TOKEN_SECRET;
+  const resolvedRecord = resolved;
+  const resolvedMuxCredentials = resolveDirectMuxCredentials(resolvedRecord);
+  if (resolvedMuxCredentials) {
+    return createWorkflowMuxClient(resolvedMuxCredentials);
+  }
+  const muxTokenId = env_default.MUX_TOKEN_ID;
+  const muxTokenSecret = env_default.MUX_TOKEN_SECRET;
   if (!muxTokenId || !muxTokenSecret) {
     throw new Error(
-      "Mux credentials are required. Provide encrypted workflow credentials or set MUX_TOKEN_ID and MUX_TOKEN_SECRET environment variables."
+      "Mux credentials are required. Provide muxTokenId/muxTokenSecret via workflow credentials, or set MUX_TOKEN_ID and MUX_TOKEN_SECRET environment variables."
     );
   }
-  return { muxTokenId, muxTokenSecret };
+  return createWorkflowMuxClient({
+    tokenId: muxTokenId,
+    tokenSecret: muxTokenSecret,
+    signingKey: env_default.MUX_SIGNING_KEY,
+    privateKey: env_default.MUX_PRIVATE_KEY
+  });
 }
-async function resolveProviderApiKey(provider, credentials) {
-  const resolved = await resolveWorkflowCredentials(credentials);
+function resolveProviderApiKeyFromCredentials(provider, resolved) {
+  const record = resolved;
+  const openaiApiKey = readString(record, "openaiApiKey");
+  const anthropicApiKey = readString(record, "anthropicApiKey");
+  const googleApiKey = readString(record, "googleApiKey");
+  const hiveApiKey = readString(record, "hiveApiKey");
+  const elevenLabsApiKey = readString(record, "elevenLabsApiKey");
   const apiKeyMap = {
-    openai: resolved.openaiApiKey ?? env_default.OPENAI_API_KEY,
-    anthropic: resolved.anthropicApiKey ?? env_default.ANTHROPIC_API_KEY,
-    google: resolved.googleApiKey ?? env_default.GOOGLE_GENERATIVE_AI_API_KEY,
-    hive: resolved.hiveApiKey ?? env_default.HIVE_API_KEY,
-    elevenlabs: resolved.elevenLabsApiKey ?? env_default.ELEVENLABS_API_KEY
+    openai: openaiApiKey ?? env_default.OPENAI_API_KEY,
+    anthropic: anthropicApiKey ?? env_default.ANTHROPIC_API_KEY,
+    google: googleApiKey ?? env_default.GOOGLE_GENERATIVE_AI_API_KEY,
+    hive: hiveApiKey ?? env_default.HIVE_API_KEY,
+    elevenlabs: elevenLabsApiKey ?? env_default.ELEVENLABS_API_KEY
   };
   const apiKey = apiKeyMap[provider];
   if (!apiKey) {
@@ -390,21 +454,320 @@ async function resolveProviderApiKey(provider, credentials) {
       elevenlabs: "ELEVENLABS_API_KEY"
     };
     throw new Error(
-      `${provider} API key is required. Provide encrypted workflow credentials or set ${envVarNames[provider]} environment variable.`
+      `${provider} API key is required. Provide ${provider} credentials via workflow credentials or set ${envVarNames[provider]} environment variable.`
     );
   }
   return apiKey;
 }
+async function resolveProviderApiKey(provider, credentials) {
+  const resolved = await resolveWorkflowCredentials(credentials);
+  return resolveProviderApiKeyFromCredentials(provider, resolved);
+}
 async function resolveMuxSigningContext(credentials) {
   const resolved = await resolveWorkflowCredentials(credentials);
-  const keyId = resolved.muxSigningKey ?? env_default.MUX_SIGNING_KEY;
-  const keySecret = resolved.muxPrivateKey ?? env_default.MUX_PRIVATE_KEY;
+  const resolvedRecord = resolved;
+  const keyId = readString(resolvedRecord, "muxSigningKey") ?? env_default.MUX_SIGNING_KEY;
+  const keySecret = readString(resolvedRecord, "muxPrivateKey") ?? env_default.MUX_PRIVATE_KEY;
   if (!keyId || !keySecret) {
     return void 0;
   }
   return { keyId, keySecret };
 }
 
+// node_modules/@workflow/serde/dist/index.js
+var WORKFLOW_SERIALIZE = /* @__PURE__ */ Symbol.for("workflow-serialize");
+var WORKFLOW_DESERIALIZE = /* @__PURE__ */ Symbol.for("workflow-deserialize");
+
+// src/lib/s3-sigv4.ts
+var AWS4_ALGORITHM = "AWS4-HMAC-SHA256";
+var AWS4_REQUEST_TERMINATOR = "aws4_request";
+var AWS4_SERVICE = "s3";
+var S3_ALLOWED_ENDPOINT_PATTERNS = parseEndpointAllowlist(
+  env_default.S3_ALLOWED_ENDPOINT_HOSTS
+);
+function getCrypto() {
+  const webCrypto = globalThis.crypto;
+  if (!webCrypto?.subtle) {
+    throw new Error("Web Crypto API is required for S3 signing.");
+  }
+  return webCrypto;
+}
+var textEncoder = new TextEncoder();
+function toBytes(value) {
+  return typeof value === "string" ? textEncoder.encode(value) : value;
+}
+function bytesToHex(bytes) {
+  return Array.from(bytes).map((byte) => byte.toString(16).padStart(2, "0")).join("");
+}
+async function sha256Hex(value) {
+  const digest = await getCrypto().subtle.digest("SHA-256", toBytes(value));
+  return bytesToHex(new Uint8Array(digest));
+}
+async function hmacSha256Raw(key, value) {
+  const cryptoKey = await getCrypto().subtle.importKey(
+    "raw",
+    key,
+    { name: "HMAC", hash: "SHA-256" },
+    false,
+    ["sign"]
+  );
+  const signature = await getCrypto().subtle.sign("HMAC", cryptoKey, textEncoder.encode(value));
+  return new Uint8Array(signature);
+}
+async function deriveSigningKey(secretAccessKey, shortDate, region) {
+  const kDate = await hmacSha256Raw(textEncoder.encode(`AWS4${secretAccessKey}`), shortDate);
+  const kRegion = await hmacSha256Raw(kDate, region);
+  const kService = await hmacSha256Raw(kRegion, AWS4_SERVICE);
+  return hmacSha256Raw(kService, AWS4_REQUEST_TERMINATOR);
+}
+function formatAmzDate(date = /* @__PURE__ */ new Date()) {
+  const iso = date.toISOString();
+  const shortDate = iso.slice(0, 10).replace(/-/g, "");
+  const amzDate = `${iso.slice(0, 19).replace(/[-:]/g, "")}Z`;
+  return { amzDate, shortDate };
+}
+function encodeRFC3986(value) {
+  return encodeURIComponent(value).replace(/[!'()*]/g, (char) => `%${char.charCodeAt(0).toString(16).toUpperCase()}`);
+}
+function encodePath(path) {
+  return path.split("/").map((segment) => encodeRFC3986(segment)).join("/");
+}
+function normalizeEndpoint(endpoint) {
+  let url;
+  try {
+    url = new URL(endpoint);
+  } catch {
+    throw new Error(`Invalid S3 endpoint: ${endpoint}`);
+  }
+  if (url.search || url.hash) {
+    throw new Error("S3 endpoint must not include query params or hash fragments.");
+  }
+  enforceEndpointPolicy(url);
+  return url;
+}
+function parseEndpointAllowlist(allowlist) {
+  if (!allowlist) {
+    return [];
+  }
+  return allowlist.split(",").map((value) => value.trim().toLowerCase()).filter(Boolean);
+}
+function hostnameMatchesPattern(hostname, pattern) {
+  if (pattern.startsWith("*.")) {
+    const suffix = pattern.slice(1);
+    return hostname.endsWith(suffix) && hostname.length > suffix.length;
+  }
+  return hostname === pattern;
+}
+function enforceEndpointPolicy(url) {
+  const hostname = url.hostname.toLowerCase();
+  if (url.protocol !== "https:") {
+    throw new Error(
+      `Insecure S3 endpoint protocol "${url.protocol}" is not allowed. Use HTTPS.`
+    );
+  }
+  if (S3_ALLOWED_ENDPOINT_PATTERNS.length > 0 && !S3_ALLOWED_ENDPOINT_PATTERNS.some((pattern) => hostnameMatchesPattern(hostname, pattern))) {
+    throw new Error(
+      `S3 endpoint host "${hostname}" is not in S3_ALLOWED_ENDPOINT_HOSTS.`
+    );
+  }
+}
+function buildCanonicalUri(endpoint, bucket, key) {
+  const endpointPath = endpoint.pathname === "/" ? "" : encodePath(endpoint.pathname.replace(/\/+$/, ""));
+  const encodedBucket = encodeRFC3986(bucket);
+  const encodedKey = encodePath(key);
+  return `${endpointPath}/${encodedBucket}/${encodedKey}`;
+}
+function buildCanonicalQuery(params) {
+  return Object.entries(params).sort(([a], [b]) => a.localeCompare(b)).map(([key, value]) => `${encodeRFC3986(key)}=${encodeRFC3986(value)}`).join("&");
+}
+async function signString(secretAccessKey, shortDate, region, value) {
+  const signingKey = await deriveSigningKey(secretAccessKey, shortDate, region);
+  const signatureBytes = await hmacSha256Raw(signingKey, value);
+  return bytesToHex(signatureBytes);
+}
+function buildCredentialScope(shortDate, region) {
+  return `${shortDate}/${region}/${AWS4_SERVICE}/${AWS4_REQUEST_TERMINATOR}`;
+}
+async function putObjectToS3({
+  accessKeyId,
+  secretAccessKey,
+  endpoint,
+  region,
+  bucket,
+  key,
+  body,
+  contentType
+}) {
+  const resolvedEndpoint = normalizeEndpoint(endpoint);
+  const canonicalUri = buildCanonicalUri(resolvedEndpoint, bucket, key);
+  const host = resolvedEndpoint.host;
+  const normalizedContentType = contentType?.trim();
+  const { amzDate, shortDate } = formatAmzDate();
+  const payloadHash = await sha256Hex(body);
+  const signingHeaders = [
+    ["host", host],
+    ["x-amz-content-sha256", payloadHash],
+    ["x-amz-date", amzDate],
+    ...normalizedContentType ? [["content-type", normalizedContentType]] : []
+  ].sort(([a], [b]) => a.localeCompare(b));
+  const canonicalHeaders = signingHeaders.map(([name, value]) => `${name}:${value}`).join("\n");
+  const signedHeaders = signingHeaders.map(([name]) => name).join(";");
+  const canonicalRequest = [
+    "PUT",
+    canonicalUri,
+    "",
+    `${canonicalHeaders}
+`,
+    signedHeaders,
+    payloadHash
+  ].join("\n");
+  const credentialScope = buildCredentialScope(shortDate, region);
+  const stringToSign = [
+    AWS4_ALGORITHM,
+    amzDate,
+    credentialScope,
+    await sha256Hex(canonicalRequest)
+  ].join("\n");
+  const signature = await signString(secretAccessKey, shortDate, region, stringToSign);
+  const authorization = `${AWS4_ALGORITHM} Credential=${accessKeyId}/${credentialScope}, SignedHeaders=${signedHeaders}, Signature=${signature}`;
+  const requestUrl = `${resolvedEndpoint.origin}${canonicalUri}`;
+  const response = await fetch(requestUrl, {
+    method: "PUT",
+    headers: {
+      "Authorization": authorization,
+      "x-amz-content-sha256": payloadHash,
+      "x-amz-date": amzDate,
+      ...normalizedContentType ? { "content-type": normalizedContentType } : {}
+    },
+    body
+  });
+  if (!response.ok) {
+    const errorBody = await response.text().catch(() => "");
+    const detail = errorBody ? ` ${errorBody}` : "";
+    throw new Error(`S3 PUT failed (${response.status} ${response.statusText}).${detail}`);
+  }
+}
+async function createPresignedGetUrl({
+  accessKeyId,
+  secretAccessKey,
+  endpoint,
+  region,
+  bucket,
+  key,
+  expiresInSeconds = 3600
+}) {
+  const resolvedEndpoint = normalizeEndpoint(endpoint);
+  const canonicalUri = buildCanonicalUri(resolvedEndpoint, bucket, key);
+  const host = resolvedEndpoint.host;
+  const { amzDate, shortDate } = formatAmzDate();
+  const credentialScope = buildCredentialScope(shortDate, region);
+  const signedHeaders = "host";
+  const queryParams = {
+    "X-Amz-Algorithm": AWS4_ALGORITHM,
+    "X-Amz-Credential": `${accessKeyId}/${credentialScope}`,
+    "X-Amz-Date": amzDate,
+    "X-Amz-Expires": `${expiresInSeconds}`,
+    "X-Amz-SignedHeaders": signedHeaders
+  };
+  const canonicalQuery = buildCanonicalQuery(queryParams);
+  const canonicalRequest = [
+    "GET",
+    canonicalUri,
+    canonicalQuery,
+    `host:${host}
+`,
+    signedHeaders,
+    "UNSIGNED-PAYLOAD"
+  ].join("\n");
+  const stringToSign = [
+    AWS4_ALGORITHM,
+    amzDate,
+    credentialScope,
+    await sha256Hex(canonicalRequest)
+  ].join("\n");
+  const signature = await signString(secretAccessKey, shortDate, region, stringToSign);
+  const queryWithSignature = `${canonicalQuery}&X-Amz-Signature=${signature}`;
+  return `${resolvedEndpoint.origin}${canonicalUri}?${queryWithSignature}`;
+}
+
+// src/lib/workflow-serialization.ts
+var WORKFLOW_CLASS_REGISTRY = /* @__PURE__ */ Symbol.for("workflow-class-registry");
+function registerWorkflowSerializationClass(classId, cls) {
+  const globalObject = globalThis;
+  let registry = globalObject[WORKFLOW_CLASS_REGISTRY];
+  if (!registry) {
+    registry = /* @__PURE__ */ new Map();
+    globalObject[WORKFLOW_CLASS_REGISTRY] = registry;
+  }
+  registry.set(classId, cls);
+  const serializableClass = cls;
+  if (serializableClass.classId !== classId) {
+    Object.defineProperty(cls, "classId", {
+      value: classId,
+      writable: false,
+      enumerable: false,
+      configurable: false
+    });
+  }
+}
+
+// src/lib/workflow-storage-client.ts
+var WorkflowStorageClient = class {
+  constructor(options = {}) {
+    this.accessKeyId = options.accessKeyId;
+    this.secretAccessKey = options.secretAccessKey;
+  }
+  resolveCredentials(input) {
+    const accessKeyId = input.accessKeyId ?? this.accessKeyId;
+    const secretAccessKey = input.secretAccessKey ?? this.secretAccessKey;
+    if (!accessKeyId || !secretAccessKey) {
+      throw new Error(
+        "Storage credentials are required. Provide accessKeyId/secretAccessKey in WorkflowStorageClient options or in the storage operation input."
+      );
+    }
+    return { accessKeyId, secretAccessKey };
+  }
+  async putObject(input) {
+    const credentials = this.resolveCredentials(input);
+    await putObjectToS3({
+      accessKeyId: credentials.accessKeyId,
+      secretAccessKey: credentials.secretAccessKey,
+      endpoint: input.endpoint,
+      region: input.region,
+      bucket: input.bucket,
+      key: input.key,
+      body: input.body,
+      contentType: input.contentType
+    });
+  }
+  async createPresignedGetUrl(input) {
+    const credentials = this.resolveCredentials(input);
+    return createPresignedGetUrl({
+      accessKeyId: credentials.accessKeyId,
+      secretAccessKey: credentials.secretAccessKey,
+      endpoint: input.endpoint,
+      region: input.region,
+      bucket: input.bucket,
+      key: input.key,
+      expiresInSeconds: input.expiresInSeconds
+    });
+  }
+  static [WORKFLOW_SERIALIZE](instance) {
+    return {
+      accessKeyId: instance.accessKeyId,
+      secretAccessKey: instance.secretAccessKey
+    };
+  }
+  static [WORKFLOW_DESERIALIZE](value) {
+    return new this(value);
+  }
+};
+WorkflowStorageClient.classId = "WorkflowStorageClient";
+registerWorkflowSerializationClass(WorkflowStorageClient.classId, WorkflowStorageClient);
+function createWorkflowStorageClient(options = {}) {
+  return new WorkflowStorageClient(options);
+}
+
 // src/primitives/index.ts
 var primitives_exports = {};
 __export(primitives_exports, {
@@ -418,6 +781,12 @@ __export(primitives_exports, {
   extractTimestampedTranscript: () => extractTimestampedTranscript,
   fetchTranscriptForAsset: () => fetchTranscriptForAsset,
   findCaptionTrack: () => findCaptionTrack,
+  getHeatmapForAsset: () => getHeatmapForAsset,
+  getHeatmapForPlaybackId: () => getHeatmapForPlaybackId,
+  getHeatmapForVideo: () => getHeatmapForVideo,
+  getHotspotsForAsset: () => getHotspotsForAsset,
+  getHotspotsForPlaybackId: () => getHotspotsForPlaybackId,
+  getHotspotsForVideo: () => getHotspotsForVideo,
   getReadyTextTracks: () => getReadyTextTracks,
   getStoryboardUrl: () => getStoryboardUrl,
   getThumbnailUrls: () => getThumbnailUrls,
@@ -426,10 +795,166 @@ __export(primitives_exports, {
   vttTimestampToSeconds: () => vttTimestampToSeconds
 });
 
+// src/lib/providers.ts
+import { createAnthropic } from "@ai-sdk/anthropic";
+import { createGoogleGenerativeAI } from "@ai-sdk/google";
+import { createOpenAI } from "@ai-sdk/openai";
+var DEFAULT_LANGUAGE_MODELS = {
+  openai: "gpt-5.1",
+  anthropic: "claude-sonnet-4-5",
+  google: "gemini-3-flash-preview"
+};
+var DEFAULT_EMBEDDING_MODELS = {
+  openai: "text-embedding-3-small",
+  google: "gemini-embedding-001"
+};
+function resolveLanguageModelConfig(options = {}) {
+  const provider = options.provider || "openai";
+  const modelId = options.model || DEFAULT_LANGUAGE_MODELS[provider];
+  return { provider, modelId };
+}
+function resolveEmbeddingModelConfig(options = {}) {
+  const provider = options.provider || "openai";
+  const modelId = options.model || DEFAULT_EMBEDDING_MODELS[provider];
+  return { provider, modelId };
+}
+async function createLanguageModelFromConfig(provider, modelId, credentials) {
+  switch (provider) {
+    case "openai": {
+      const apiKey = await resolveProviderApiKey("openai", credentials);
+      const openai = createOpenAI({ apiKey });
+      return openai(modelId);
+    }
+    case "anthropic": {
+      const apiKey = await resolveProviderApiKey("anthropic", credentials);
+      const anthropic = createAnthropic({ apiKey });
+      return anthropic(modelId);
+    }
+    case "google": {
+      const apiKey = await resolveProviderApiKey("google", credentials);
+      const google = createGoogleGenerativeAI({ apiKey });
+      return google(modelId);
+    }
+    default: {
+      const exhaustiveCheck = provider;
+      throw new Error(`Unsupported provider: ${exhaustiveCheck}`);
+    }
+  }
+}
+async function createEmbeddingModelFromConfig(provider, modelId, credentials) {
+  switch (provider) {
+    case "openai": {
+      const apiKey = await resolveProviderApiKey("openai", credentials);
+      const openai = createOpenAI({ apiKey });
+      return openai.embedding(modelId);
+    }
+    case "google": {
+      const apiKey = await resolveProviderApiKey("google", credentials);
+      const google = createGoogleGenerativeAI({ apiKey });
+      return google.textEmbeddingModel(modelId);
+    }
+    default: {
+      const exhaustiveCheck = provider;
+      throw new Error(`Unsupported embedding provider: ${exhaustiveCheck}`);
+    }
+  }
+}
+
+// src/lib/client-factory.ts
+async function getMuxClientFromEnv(credentials) {
+  return resolveMuxClient(credentials);
+}
+async function getApiKeyFromEnv(provider, credentials) {
+  return resolveProviderApiKey(provider, credentials);
+}
+
+// src/primitives/heatmap.ts
+async function getHeatmapForAsset(assetId, options = {}) {
+  "use step";
+  return fetchHeatmap("assets", assetId, options);
+}
+async function getHeatmapForVideo(videoId, options = {}) {
+  "use step";
+  return fetchHeatmap("videos", videoId, options);
+}
+async function getHeatmapForPlaybackId(playbackId, options = {}) {
+  "use step";
+  return fetchHeatmap("playback-ids", playbackId, options);
+}
+function transformHeatmapResponse(response) {
+  return {
+    assetId: response.asset_id,
+    videoId: response.video_id,
+    playbackId: response.playback_id,
+    heatmap: response.heatmap,
+    timeframe: response.timeframe
+  };
+}
+async function fetchHeatmap(identifierType, id, options) {
+  "use step";
+  const { timeframe = "[24:hours]", credentials } = options;
+  const muxClient = await getMuxClientFromEnv(credentials);
+  const mux = await muxClient.createClient();
+  const queryParams = new URLSearchParams();
+  queryParams.append("timeframe[]", timeframe);
+  const path = `/data/v1/engagement/${identifierType}/${id}/heatmap?${queryParams.toString()}`;
+  const response = await mux.get(path);
+  return transformHeatmapResponse(response);
+}
+
+// src/primitives/hotspots.ts
+async function getHotspotsForAsset(assetId, options = {}) {
+  "use step";
+  const response = await fetchHotspots("assets", assetId, options);
+  return response.hotspots;
+}
+async function getHotspotsForVideo(videoId, options = {}) {
+  "use step";
+  const response = await fetchHotspots("videos", videoId, options);
+  return response.hotspots;
+}
+async function getHotspotsForPlaybackId(playbackId, options = {}) {
+  "use step";
+  const response = await fetchHotspots("playback-ids", playbackId, options);
+  return response.hotspots;
+}
+function transformHotspotResponse(response) {
+  return {
+    assetId: response.data.asset_id,
+    videoId: response.data.video_id,
+    playbackId: response.data.playback_id,
+    hotspots: response.data.hotspots.map((h) => ({
+      startMs: h.start_ms,
+      endMs: h.end_ms,
+      score: h.score
+    }))
+  };
+}
+async function fetchHotspots(identifierType, id, options) {
+  "use step";
+  const {
+    limit = 5,
+    orderDirection = "desc",
+    orderBy = "score",
+    timeframe = "[24:hours]",
+    credentials
+  } = options;
+  const muxClient = await getMuxClientFromEnv(credentials);
+  const mux = await muxClient.createClient();
+  const queryParams = new URLSearchParams();
+  queryParams.append("limit", String(limit));
+  queryParams.append("order_direction", orderDirection);
+  queryParams.append("order_by", orderBy);
+  queryParams.append("timeframe[]", timeframe);
+  const path = `/data/v1/engagement/${identifierType}/${id}/hotspots?${queryParams.toString()}`;
+  const response = await mux.get(path);
+  return transformHotspotResponse(response);
+}
+
 // src/lib/url-signing.ts
-import Mux from "@mux/mux-node";
-function createSigningClient(context) {
-  return new Mux({
+async function createSigningClient(context) {
+  const { default: MuxClient } = await import("@mux/mux-node");
+  return new MuxClient({
     // These are not needed for signing, but the SDK requires them
     // Using empty strings as we only need the jwt functionality
     tokenId: env_default.MUX_TOKEN_ID || "",
@@ -440,7 +965,7 @@ function createSigningClient(context) {
 }
 async function signPlaybackId(playbackId, context, type = "video", params) {
   "use step";
-  const client = createSigningClient(context);
+  const client = await createSigningClient(context);
   const stringParams = params ? Object.fromEntries(
     Object.entries(params).map(([key, value]) => [key, String(value)])
   ) : void 0;
@@ -455,7 +980,7 @@ async function signUrl(url, playbackId, context, type = "video", params, credent
   const resolvedContext = context ?? await resolveMuxSigningContext(credentials);
   if (!resolvedContext) {
     throw new Error(
-      "Signed playback ID requires signing credentials. Provide muxSigningKey and muxPrivateKey in credentials or set MUX_SIGNING_KEY and MUX_PRIVATE_KEY environment variables."
+      "Signed playback ID requires signing credentials. Provide muxSigningKey and muxPrivateKey via workflow credentials or set MUX_SIGNING_KEY and MUX_PRIVATE_KEY environment variables."
     );
   }
   const token = await signPlaybackId(playbackId, resolvedContext, type, params);
@@ -906,82 +1431,6 @@ async function downloadImagesAsBase64(urls, options = {}, maxConcurrent = 5) {
   return results;
 }
 
-// src/lib/mux-assets.ts
-import Mux2 from "@mux/mux-node";
-
-// src/lib/providers.ts
-import { createAnthropic } from "@ai-sdk/anthropic";
-import { createGoogleGenerativeAI } from "@ai-sdk/google";
-import { createOpenAI } from "@ai-sdk/openai";
-var DEFAULT_LANGUAGE_MODELS = {
-  openai: "gpt-5.1",
-  anthropic: "claude-sonnet-4-5",
-  google: "gemini-3-flash-preview"
-};
-var DEFAULT_EMBEDDING_MODELS = {
-  openai: "text-embedding-3-small",
-  google: "gemini-embedding-001"
-};
-function resolveLanguageModelConfig(options = {}) {
-  const provider = options.provider || "openai";
-  const modelId = options.model || DEFAULT_LANGUAGE_MODELS[provider];
-  return { provider, modelId };
-}
-function resolveEmbeddingModelConfig(options = {}) {
-  const provider = options.provider || "openai";
-  const modelId = options.model || DEFAULT_EMBEDDING_MODELS[provider];
-  return { provider, modelId };
-}
-async function createLanguageModelFromConfig(provider, modelId, credentials) {
-  switch (provider) {
-    case "openai": {
-      const apiKey = await resolveProviderApiKey("openai", credentials);
-      const openai = createOpenAI({ apiKey });
-      return openai(modelId);
-    }
-    case "anthropic": {
-      const apiKey = await resolveProviderApiKey("anthropic", credentials);
-      const anthropic = createAnthropic({ apiKey });
-      return anthropic(modelId);
-    }
-    case "google": {
-      const apiKey = await resolveProviderApiKey("google", credentials);
-      const google = createGoogleGenerativeAI({ apiKey });
-      return google(modelId);
-    }
-    default: {
-      const exhaustiveCheck = provider;
-      throw new Error(`Unsupported provider: ${exhaustiveCheck}`);
-    }
-  }
-}
-async function createEmbeddingModelFromConfig(provider, modelId, credentials) {
-  switch (provider) {
-    case "openai": {
-      const apiKey = await resolveProviderApiKey("openai", credentials);
-      const openai = createOpenAI({ apiKey });
-      return openai.embedding(modelId);
-    }
-    case "google": {
-      const apiKey = await resolveProviderApiKey("google", credentials);
-      const google = createGoogleGenerativeAI({ apiKey });
-      return google.textEmbeddingModel(modelId);
-    }
-    default: {
-      const exhaustiveCheck = provider;
-      throw new Error(`Unsupported embedding provider: ${exhaustiveCheck}`);
-    }
-  }
-}
-
-// src/lib/client-factory.ts
-async function getMuxCredentialsFromEnv(credentials) {
-  return resolveMuxCredentials(credentials);
-}
-async function getApiKeyFromEnv(provider, credentials) {
-  return resolveProviderApiKey(provider, credentials);
-}
-
 // src/lib/mux-assets.ts
 function getPlaybackId(asset) {
   const playbackIds = asset.playback_ids || [];
@@ -1002,25 +1451,35 @@ function isAudioOnlyAsset(asset) {
   const hasVideoTrack = asset.tracks?.some((track) => track.type === "video") ?? false;
   return hasAudioTrack && !hasVideoTrack;
 }
+function toPlaybackAsset(asset) {
+  const { id: playbackId, policy } = getPlaybackId(asset);
+  return { asset, playbackId, policy };
+}
 async function getPlaybackIdForAsset(assetId, credentials) {
   "use step";
   const asset = await getMuxAsset(assetId, credentials);
-  const { id: playbackId, policy } = getPlaybackId(asset);
-  return { asset, playbackId, policy };
+  return toPlaybackAsset(asset);
 }
 async function getMuxAsset(assetId, credentials) {
   "use step";
-  const { muxTokenId, muxTokenSecret } = await getMuxCredentialsFromEnv(credentials);
-  const mux = new Mux2({
-    tokenId: muxTokenId,
-    tokenSecret: muxTokenSecret
-  });
+  const muxClient = await getMuxClientFromEnv(credentials);
+  const mux = await muxClient.createClient();
   return mux.video.assets.retrieve(assetId);
 }
 function getAssetDurationSecondsFromAsset(asset) {
   const duration = asset.duration;
   return typeof duration === "number" && Number.isFinite(duration) ? duration : void 0;
 }
+function getVideoTrackDurationSecondsFromAsset(asset) {
+  const videoTrack = asset.tracks?.find((track) => track.type === "video");
+  const duration = videoTrack?.duration;
+  return typeof duration === "number" && Number.isFinite(duration) ? duration : void 0;
+}
+function getVideoTrackMaxFrameRateFromAsset(asset) {
+  const videoTrack = asset.tracks?.find((track) => track.type === "video");
+  const maxFrameRate = videoTrack?.max_frame_rate;
+  return typeof maxFrameRate === "number" && Number.isFinite(maxFrameRate) && maxFrameRate > 0 ? maxFrameRate : void 0;
+}
 
 // src/lib/prompt-builder.ts
 function renderSection(section) {
@@ -1560,10 +2019,7 @@ async function hasBurnedInCaptions(assetId, options = {}) {
     model,
     provider
   });
-  const { asset: assetData, playbackId, policy } = await getPlaybackIdForAsset(
-    assetId,
-    credentials
-  );
+  const { asset: assetData, playbackId, policy } = await getPlaybackIdForAsset(assetId, credentials);
   const assetDurationSeconds = getAssetDurationSecondsFromAsset(assetData);
   const imageUrl = await getStoryboardUrl(playbackId, 640, policy === "signed", credentials);
   let analysisResponse;
@@ -1761,10 +2217,7 @@ async function generateChapters(assetId, languageCode, options = {}) {
     model,
     provider
   });
-  const { asset: assetData, playbackId, policy } = await getPlaybackIdForAsset(
-    assetId,
-    credentials
-  );
+  const { asset: assetData, playbackId, policy } = await getPlaybackIdForAsset(assetId, credentials);
   const assetDurationSeconds = getAssetDurationSecondsFromAsset(assetData);
   const isAudioOnly = isAudioOnlyAsset(assetData);
   const signingContext = await resolveMuxSigningContext(credentials);
@@ -2003,6 +2456,66 @@ async function generateVideoEmbeddings(assetId, options = {}) {
   return generateEmbeddingsInternal(assetId, options);
 }
 
+// src/lib/sampling-plan.ts
+var DEFAULT_FPS = 30;
+function roundToNearestFrameMs(tsMs, fps = DEFAULT_FPS) {
+  const frameMs = 1e3 / fps;
+  return Math.round(Math.round(tsMs / frameMs) * frameMs * 100) / 100;
+}
+function planSamplingTimestamps(options) {
+  const DEFAULT_MIN_CANDIDATES = 10;
+  const DEFAULT_MAX_CANDIDATES = 30;
+  const {
+    duration_sec,
+    min_candidates = DEFAULT_MIN_CANDIDATES,
+    max_candidates = DEFAULT_MAX_CANDIDATES,
+    trim_start_sec = 1,
+    trim_end_sec = 1,
+    fps = DEFAULT_FPS,
+    base_cadence_hz,
+    anchor_percents = [0.2, 0.5, 0.8],
+    anchor_window_sec = 1.5
+  } = options;
+  const usableSec = Math.max(0, duration_sec - (trim_start_sec + trim_end_sec));
+  if (usableSec <= 0)
+    return [];
+  const cadenceHz = base_cadence_hz ?? (duration_sec < 15 ? 3 : duration_sec < 60 ? 2 : duration_sec < 180 ? 1.5 : 1);
+  let target = Math.round(usableSec * cadenceHz);
+  target = Math.max(min_candidates, Math.min(max_candidates, target));
+  const stepSec = usableSec / target;
+  const t0 = trim_start_sec;
+  const base = [];
+  for (let i = 0; i < target; i++) {
+    const tsSec = t0 + (i + 0.5) * stepSec;
+    base.push(tsSec * 1e3);
+  }
+  const slack = Math.max(0, max_candidates - base.length);
+  const extra = [];
+  if (slack > 0 && anchor_percents.length > 0) {
+    const perAnchor = Math.max(1, Math.min(5, Math.floor(slack / anchor_percents.length)));
+    for (const p of anchor_percents) {
+      const centerSec = Math.min(
+        t0 + usableSec - 1e-3,
+        // nudge just inside the end bound
+        Math.max(t0 + 1e-3, duration_sec * p)
+        // nudge just inside the start bound
+      );
+      const startSec = Math.max(t0, centerSec - anchor_window_sec / 2);
+      const endSec = Math.min(t0 + usableSec, centerSec + anchor_window_sec / 2);
+      if (endSec <= startSec)
+        continue;
+      const wStep = (endSec - startSec) / perAnchor;
+      for (let i = 0; i < perAnchor; i++) {
+        const tsSec = startSec + (i + 0.5) * wStep;
+        extra.push(tsSec * 1e3);
+      }
+    }
+  }
+  const all = base.concat(extra).map((ms) => roundToNearestFrameMs(ms, fps)).filter((ms) => ms >= trim_start_sec * 1e3 && ms <= (duration_sec - trim_end_sec) * 1e3);
+  const uniqSorted = Array.from(new Set(all)).sort((a, b) => a - b);
+  return uniqSorted.slice(0, max_candidates);
+}
+
 // src/workflows/moderation.ts
 var DEFAULT_THRESHOLDS = {
   sexual: 0.7,
@@ -2014,31 +2527,19 @@ var HIVE_SEXUAL_CATEGORIES = [
   "general_nsfw",
   "general_suggestive",
   "yes_sexual_activity",
-  "female_underwear",
-  "male_underwear",
-  "bra",
-  "panties",
   "sex_toys",
   "nudity_female",
-  "nudity_male",
-  "cleavage",
-  "swimwear"
+  "nudity_male"
 ];
 var HIVE_VIOLENCE_CATEGORIES = [
   "gun_in_hand",
   "gun_not_in_hand",
-  "animated_gun",
   "knife_in_hand",
-  "knife_not_in_hand",
-  "culinary_knife_not_in_hand",
-  "culinary_knife_in_hand",
   "very_bloody",
-  "a_little_bloody",
   "other_blood",
   "hanging",
   "noose",
   "human_corpse",
-  "animated_corpse",
   "emaciated_body",
   "self_harm",
   "animal_abuse",
@@ -2097,7 +2598,8 @@ async function moderateImageWithOpenAI(entry) {
       url: entry.url,
       sexual: 0,
       violence: 0,
-      error: true
+      error: true,
+      errorMessage: error instanceof Error ? error.message : String(error)
     };
   }
 }
@@ -2142,7 +2644,8 @@ async function requestOpenAITextModeration(text, model, url, credentials) {
       url,
       sexual: 0,
       violence: 0,
-      error: true
+      error: true,
+      errorMessage: error instanceof Error ? error.message : String(error)
     };
   }
 }
@@ -2167,7 +2670,7 @@ async function requestOpenAITranscriptModeration(transcriptText, model, maxConcu
   const chunks = chunkTextByUtf16CodeUnits(transcriptText, 1e4);
   if (!chunks.length) {
     return [
-      { url: "transcript:0", sexual: 0, violence: 0, error: true }
+      { url: "transcript:0", sexual: 0, violence: 0, error: true, errorMessage: "No transcript chunks to moderate" }
     ];
   }
   const targets = chunks.map((chunk, idx) => ({
@@ -2201,34 +2704,59 @@ async function moderateImageWithHive(entry) {
       });
       formData.append("media", blob, `thumbnail.${extension}`);
     }
-    const res = await fetch(HIVE_ENDPOINT, {
-      method: "POST",
-      headers: {
-        Accept: "application/json",
-        Authorization: `Token ${apiKey}`
-      },
-      body: formData
-    });
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), 15e3);
+    let res;
+    try {
+      res = await fetch(HIVE_ENDPOINT, {
+        method: "POST",
+        headers: {
+          Accept: "application/json",
+          Authorization: `Token ${apiKey}`
+        },
+        body: formData,
+        signal: controller.signal
+      });
+    } catch (err) {
+      if (err?.name === "AbortError") {
+        throw new Error("Hive request timed out after 15s");
+      }
+      throw err;
+    } finally {
+      clearTimeout(timeout);
+    }
     const json = await res.json().catch(() => void 0);
     if (!res.ok) {
       throw new Error(
         `Hive moderation error: ${res.status} ${res.statusText} - ${JSON.stringify(json)}`
       );
     }
-    const classes = json?.status?.[0]?.response?.output?.[0]?.classes || [];
+    if (json?.return_code != null && json.return_code !== 0) {
+      throw new Error(
+        `Hive API error (return_code ${json.return_code}): ${json.message || "Unknown error"}`
+      );
+    }
+    const classes = json?.status?.[0]?.response?.output?.[0]?.classes;
+    if (!Array.isArray(classes)) {
+      throw new TypeError(
+        `Unexpected Hive response structure: ${JSON.stringify(json)}`
+      );
+    }
+    const sexual = getHiveCategoryScores(classes, HIVE_SEXUAL_CATEGORIES);
+    const violence = getHiveCategoryScores(classes, HIVE_VIOLENCE_CATEGORIES);
     return {
       url: entry.url,
-      sexual: getHiveCategoryScores(classes, HIVE_SEXUAL_CATEGORIES),
-      violence: getHiveCategoryScores(classes, HIVE_VIOLENCE_CATEGORIES),
+      sexual,
+      violence,
       error: false
     };
   } catch (error) {
-    console.error("Hive moderation failed:", error);
     return {
       url: entry.url,
       sexual: 0,
       violence: 0,
-      error: true
+      error: true,
+      errorMessage: error instanceof Error ? error.message : String(error)
     };
   }
 }
@@ -2247,7 +2775,20 @@ async function requestHiveModeration(imageUrls, maxConcurrent = 5, submissionMod
     source: { kind: "url", value: url },
     credentials
   }));
-  return processConcurrently(targets, moderateImageWithHive, maxConcurrent);
+  return await processConcurrently(targets, moderateImageWithHive, maxConcurrent);
+}
+async function getThumbnailUrlsFromTimestamps(playbackId, timestampsMs, options) {
+  "use step";
+  const { width, shouldSign, credentials } = options;
+  const baseUrl = `https://image.mux.com/${playbackId}/thumbnail.png`;
+  const urlPromises = timestampsMs.map(async (tsMs) => {
+    const time = Number((tsMs / 1e3).toFixed(2));
+    if (shouldSign) {
+      return signUrl(baseUrl, playbackId, void 0, "thumbnail", { time, width }, credentials);
+    }
+    return `${baseUrl}?time=${time}&width=${width}`;
+  });
+  return Promise.all(urlPromises);
 }
 async function getModerationScores(assetId, options = {}) {
   "use workflow";
@@ -2262,11 +2803,17 @@ async function getModerationScores(assetId, options = {}) {
     maxConcurrent = 5,
     imageSubmissionMode = "url",
     imageDownloadOptions,
-    credentials
+    credentials: providedCredentials
   } = options;
+  const credentials = providedCredentials;
   const { asset, playbackId, policy } = await getPlaybackIdForAsset(assetId, credentials);
+  const videoTrackDurationSeconds = getVideoTrackDurationSecondsFromAsset(asset);
+  const videoTrackFps = getVideoTrackMaxFrameRateFromAsset(asset);
   const assetDurationSeconds = getAssetDurationSecondsFromAsset(asset);
-  const duration = assetDurationSeconds ?? 0;
+  const candidateDurations = [videoTrackDurationSeconds, assetDurationSeconds].filter(
+    (d) => d != null
+  );
+  const duration = candidateDurations.length > 0 ? Math.min(...candidateDurations) : 0;
   const isAudioOnly = isAudioOnlyAsset(asset);
   const signingContext = await resolveMuxSigningContext(credentials);
   if (policy === "signed" && !signingContext) {
@@ -2308,13 +2855,35 @@ async function getModerationScores(assetId, options = {}) {
       throw new Error(`Unsupported moderation provider: ${provider}`);
     }
   } else {
-    const thumbnailUrls = await getThumbnailUrls(playbackId, duration, {
-      interval: thumbnailInterval,
-      width: thumbnailWidth,
-      shouldSign: policy === "signed",
-      maxSamples,
-      credentials
-    });
+    const thumbnailUrls = maxSamples === void 0 ? (
+      // Generate thumbnail URLs (signed if needed) using existing interval-based logic.
+      await getThumbnailUrls(playbackId, duration, {
+        interval: thumbnailInterval,
+        width: thumbnailWidth,
+        shouldSign: policy === "signed",
+        credentials
+      })
+    ) : (
+      // In maxSamples mode, sample valid timestamps over the trimmed usable span.
+      // Use proportional trims (≈ duration/6, capped at 5s) to stay well inside the
+      // renderable range — Mux can't always serve thumbnails at the very edges.
+      await getThumbnailUrlsFromTimestamps(
+        playbackId,
+        planSamplingTimestamps({
+          duration_sec: duration,
+          max_candidates: maxSamples,
+          trim_start_sec: duration > 2 ? Math.min(5, Math.max(1, duration / 6)) : 0,
+          trim_end_sec: duration > 2 ? Math.min(5, Math.max(1, duration / 6)) : 0,
+          fps: videoTrackFps,
+          base_cadence_hz: thumbnailInterval > 0 ? 1 / thumbnailInterval : void 0
+        }),
+        {
+          width: thumbnailWidth,
+          shouldSign: policy === "signed",
+          credentials
+        }
+      )
+    );
     thumbnailCount = thumbnailUrls.length;
     if (provider === "openai") {
       thumbnailScores = await requestOpenAIModeration(
@@ -2337,6 +2906,13 @@ async function getModerationScores(assetId, options = {}) {
       throw new Error(`Unsupported moderation provider: ${provider}`);
     }
   }
+  const failed = thumbnailScores.filter((s) => s.error);
+  if (failed.length > 0) {
+    const details = failed.map((s) => `${s.url}: ${s.errorMessage || "Unknown error"}`).join("; ");
+    throw new Error(
+      `Moderation failed for ${failed.length}/${thumbnailScores.length} thumbnail(s): ${details}`
+    );
+  }
   const maxSexual = Math.max(...thumbnailScores.map((s) => s.sexual));
   const maxViolence = Math.max(...thumbnailScores.map((s) => s.violence));
   const finalThresholds = { ...DEFAULT_THRESHOLDS, ...thresholds };
@@ -2347,7 +2923,7 @@ async function getModerationScores(assetId, options = {}) {
     thumbnailScores,
     usage: {
       metadata: {
-        assetDurationSeconds,
+        assetDurationSeconds: duration,
         ...thumbnailCount === void 0 ? {} : { thumbnailCount }
       }
     },
@@ -2708,7 +3284,8 @@ async function getSummaryAndTags(assetId, options) {
     model,
     provider
   });
-  const { asset: assetData, playbackId, policy } = await getPlaybackIdForAsset(assetId, credentials);
+  const workflowCredentials = credentials;
+  const { asset: assetData, playbackId, policy } = await getPlaybackIdForAsset(assetId, workflowCredentials);
   const assetDurationSeconds = getAssetDurationSecondsFromAsset(assetData);
   const isAudioOnly = isAudioOnlyAsset(assetData);
   if (isAudioOnly && !includeTranscript) {
@@ -2716,7 +3293,7 @@ async function getSummaryAndTags(assetId, options) {
       "Audio-only assets require a transcript. Set includeTranscript: true and ensure the asset has a ready text track (captions/subtitles)."
     );
   }
-  const signingContext = await resolveMuxSigningContext(credentials);
+  const signingContext = await resolveMuxSigningContext(workflowCredentials);
   if (policy === "signed" && !signingContext) {
     throw new Error(
       "Signed playback ID requires signing credentials. Set MUX_SIGNING_KEY and MUX_PRIVATE_KEY environment variables."
@@ -2725,7 +3302,7 @@ async function getSummaryAndTags(assetId, options) {
   const transcriptText = includeTranscript ? (await fetchTranscriptForAsset(assetData, playbackId, {
     cleanTranscript,
     shouldSign: policy === "signed",
-    credentials,
+    credentials: workflowCredentials,
     required: isAudioOnly
   })).transcriptText : "";
   const userPrompt = buildUserPrompt4({
@@ -2745,10 +3322,10 @@ async function getSummaryAndTags(assetId, options) {
         modelConfig.modelId,
         userPrompt,
         systemPrompt,
-        credentials
+        workflowCredentials
       );
     } else {
-      const storyboardUrl = await getStoryboardUrl(playbackId, 640, policy === "signed", credentials);
+      const storyboardUrl = await getStoryboardUrl(playbackId, 640, policy === "signed", workflowCredentials);
       imageUrl = storyboardUrl;
       if (imageSubmissionMode === "base64") {
         const downloadResult = await downloadImageAsBase64(storyboardUrl, imageDownloadOptions);
@@ -2758,7 +3335,7 @@ async function getSummaryAndTags(assetId, options) {
           modelConfig.modelId,
           userPrompt,
           systemPrompt,
-          credentials
+          workflowCredentials
         );
       } else {
         analysisResponse = await withRetry(() => analyzeStoryboard2(
@@ -2767,7 +3344,7 @@ async function getSummaryAndTags(assetId, options) {
           modelConfig.modelId,
           userPrompt,
           systemPrompt,
-          credentials
+          workflowCredentials
         ));
       }
     }
@@ -2803,9 +3380,6 @@ async function getSummaryAndTags(assetId, options) {
   };
 }
 
-// src/workflows/translate-audio.ts
-import Mux3 from "@mux/mux-node";
-
 // src/lib/language-codes.ts
 var ISO639_1_TO_3 = {
   // Major world languages
@@ -2964,6 +3538,48 @@ function getLanguageName(code) {
   }
 }
 
+// src/lib/storage-adapter.ts
+function requireCredentials(accessKeyId, secretAccessKey) {
+  if (!accessKeyId || !secretAccessKey) {
+    throw new Error(
+      "S3 credentials are required for default storage operations. Provide S3_ACCESS_KEY_ID and S3_SECRET_ACCESS_KEY or pass options.storageAdapter."
+    );
+  }
+  return { accessKeyId, secretAccessKey };
+}
+async function putObjectWithStorageAdapter(input, adapter) {
+  if (adapter) {
+    await adapter.putObject(input);
+    return;
+  }
+  const credentials = requireCredentials(input.accessKeyId, input.secretAccessKey);
+  await putObjectToS3({
+    accessKeyId: credentials.accessKeyId,
+    secretAccessKey: credentials.secretAccessKey,
+    endpoint: input.endpoint,
+    region: input.region,
+    bucket: input.bucket,
+    key: input.key,
+    body: input.body,
+    contentType: input.contentType
+  });
+}
+async function createPresignedGetUrlWithStorageAdapter(input, adapter) {
+  if (adapter) {
+    return adapter.createPresignedGetUrl(input);
+  }
+  const credentials = requireCredentials(input.accessKeyId, input.secretAccessKey);
+  return createPresignedGetUrl({
+    accessKeyId: credentials.accessKeyId,
+    secretAccessKey: credentials.secretAccessKey,
+    endpoint: input.endpoint,
+    region: input.region,
+    bucket: input.bucket,
+    key: input.key,
+    expiresInSeconds: input.expiresInSeconds
+  });
+}
+
 // src/workflows/translate-audio.ts
 var STATIC_RENDITION_POLL_INTERVAL_MS = 5e3;
 var STATIC_RENDITION_MAX_ATTEMPTS = 36;
@@ -2983,11 +3599,8 @@ function getReadyAudioStaticRendition(asset) {
 var hasReadyAudioStaticRendition = (asset) => Boolean(getReadyAudioStaticRendition(asset));
 async function requestStaticRenditionCreation(assetId, credentials) {
   "use step";
-  const { muxTokenId, muxTokenSecret } = await getMuxCredentialsFromEnv(credentials);
-  const mux = new Mux3({
-    tokenId: muxTokenId,
-    tokenSecret: muxTokenSecret
-  });
+  const muxClient = await resolveMuxClient(credentials);
+  const mux = await muxClient.createClient();
   try {
     await mux.video.assets.createStaticRendition(assetId, {
       resolution: "audio-only"
@@ -3009,11 +3622,8 @@ async function waitForAudioStaticRendition({
   credentials
 }) {
   "use step";
-  const { muxTokenId, muxTokenSecret } = await getMuxCredentialsFromEnv(credentials);
-  const mux = new Mux3({
-    tokenId: muxTokenId,
-    tokenSecret: muxTokenSecret
-  });
+  const muxClient = await resolveMuxClient(credentials);
+  const mux = await muxClient.createClient();
   let currentAsset = initialAsset;
   if (hasReadyAudioStaticRendition(currentAsset)) {
     return currentAsset;
@@ -3126,53 +3736,40 @@ async function uploadDubbedAudioToS3({
   toLanguageCode,
   s3Endpoint,
   s3Region,
-  s3Bucket
+  s3Bucket,
+  storageAdapter
 }) {
   "use step";
-  const { S3Client, GetObjectCommand } = await import("@aws-sdk/client-s3");
-  const { Upload } = await import("@aws-sdk/lib-storage");
-  const { getSignedUrl } = await import("@aws-sdk/s3-request-presigner");
   const s3AccessKeyId = env_default.S3_ACCESS_KEY_ID;
   const s3SecretAccessKey = env_default.S3_SECRET_ACCESS_KEY;
-  const s3Client = new S3Client({
+  const audioKey = `audio-translations/${assetId}/auto-to-${toLanguageCode}-${Date.now()}.m4a`;
+  await putObjectWithStorageAdapter({
+    accessKeyId: s3AccessKeyId,
+    secretAccessKey: s3SecretAccessKey,
+    endpoint: s3Endpoint,
     region: s3Region,
+    bucket: s3Bucket,
+    key: audioKey,
+    body: new Uint8Array(dubbedAudioBuffer),
+    contentType: "audio/mp4"
+  }, storageAdapter);
+  const presignedUrl = await createPresignedGetUrlWithStorageAdapter({
+    accessKeyId: s3AccessKeyId,
+    secretAccessKey: s3SecretAccessKey,
     endpoint: s3Endpoint,
-    credentials: {
-      accessKeyId: s3AccessKeyId,
-      secretAccessKey: s3SecretAccessKey
-    },
-    forcePathStyle: true
-  });
-  const audioKey = `audio-translations/${assetId}/auto-to-${toLanguageCode}-${Date.now()}.m4a`;
-  const upload = new Upload({
-    client: s3Client,
-    params: {
-      Bucket: s3Bucket,
-      Key: audioKey,
-      Body: new Uint8Array(dubbedAudioBuffer),
-      ContentType: "audio/mp4"
-    }
-  });
-  await upload.done();
-  const getObjectCommand = new GetObjectCommand({
-    Bucket: s3Bucket,
-    Key: audioKey
-  });
-  const presignedUrl = await getSignedUrl(s3Client, getObjectCommand, {
-    expiresIn: 3600
-    // 1 hour
-  });
+    region: s3Region,
+    bucket: s3Bucket,
+    key: audioKey,
+    expiresInSeconds: 3600
+  }, storageAdapter);
   console.warn(`\u2705 Audio uploaded successfully to: ${audioKey}`);
   console.warn(`\u{1F517} Generated presigned URL (expires in 1 hour)`);
   return presignedUrl;
 }
 async function createAudioTrackOnMux(assetId, languageCode, presignedUrl, credentials) {
   "use step";
-  const { muxTokenId, muxTokenSecret } = await getMuxCredentialsFromEnv(credentials);
-  const mux = new Mux3({
-    tokenId: muxTokenId,
-    tokenSecret: muxTokenSecret
-  });
+  const muxClient = await resolveMuxClient(credentials);
+  const mux = await muxClient.createClient();
   const languageName = new Intl.DisplayNames(["en"], { type: "language" }).of(languageCode) || languageCode.toUpperCase();
   const trackName = `${languageName} (auto-dubbed)`;
   const trackResponse = await mux.video.assets.createTrack(assetId, {
@@ -3192,34 +3789,24 @@ async function translateAudio(assetId, toLanguageCode, options = {}) {
     provider = "elevenlabs",
     numSpeakers = 0,
     // 0 = auto-detect
-    elevenLabsApiKey,
     uploadToMux = true,
+    storageAdapter,
     credentials: providedCredentials
   } = options;
   if (provider !== "elevenlabs") {
     throw new Error("Only ElevenLabs provider is currently supported for audio translation");
   }
-  let credentials;
-  if (isEncryptedPayload(providedCredentials)) {
-    credentials = providedCredentials;
-  } else if (providedCredentials || elevenLabsApiKey) {
-    credentials = {
-      ...providedCredentials ?? {},
-      ...elevenLabsApiKey ? { elevenLabsApiKey } : {}
-    };
-  }
+  const credentials = providedCredentials;
+  const effectiveStorageAdapter = storageAdapter;
   const s3Endpoint = options.s3Endpoint ?? env_default.S3_ENDPOINT;
   const s3Region = options.s3Region ?? env_default.S3_REGION ?? "auto";
   const s3Bucket = options.s3Bucket ?? env_default.S3_BUCKET;
   const s3AccessKeyId = env_default.S3_ACCESS_KEY_ID;
   const s3SecretAccessKey = env_default.S3_SECRET_ACCESS_KEY;
-  if (uploadToMux && (!s3Endpoint || !s3Bucket || !s3AccessKeyId || !s3SecretAccessKey)) {
-    throw new Error("S3 configuration is required for uploading to Mux. Provide s3Endpoint, s3Bucket, s3AccessKeyId, and s3SecretAccessKey in options or set S3_ENDPOINT, S3_BUCKET, S3_ACCESS_KEY_ID, and S3_SECRET_ACCESS_KEY environment variables.");
+  if (uploadToMux && (!s3Endpoint || !s3Bucket || !effectiveStorageAdapter && (!s3AccessKeyId || !s3SecretAccessKey))) {
+    throw new Error("Storage configuration is required for uploading to Mux. Provide s3Endpoint and s3Bucket. If no storageAdapter is supplied, also provide s3AccessKeyId and s3SecretAccessKey in options or set S3_ENDPOINT, S3_BUCKET, S3_ACCESS_KEY_ID, and S3_SECRET_ACCESS_KEY environment variables.");
   }
-  const { asset: initialAsset, playbackId, policy } = await getPlaybackIdForAsset(
-    assetId,
-    credentials
-  );
+  const { asset: initialAsset, playbackId, policy } = await getPlaybackIdForAsset(assetId, credentials);
   const assetDurationSeconds = getAssetDurationSecondsFromAsset(initialAsset);
   let currentAsset = initialAsset;
   if (!hasReadyAudioStaticRendition(currentAsset)) {
@@ -3333,7 +3920,8 @@ async function translateAudio(assetId, toLanguageCode, options = {}) {
       toLanguageCode,
       s3Endpoint,
       s3Region,
-      s3Bucket
+      s3Bucket,
+      storageAdapter: effectiveStorageAdapter
     });
   } catch (error) {
     throw new Error(`Failed to upload audio to S3: ${error instanceof Error ? error.message : "Unknown error"}`);
@@ -3369,7 +3957,6 @@ async function translateAudio(assetId, toLanguageCode, options = {}) {
 }
 
 // src/workflows/translate-captions.ts
-import Mux4 from "@mux/mux-node";
 import { generateText as generateText5, Output as Output5 } from "ai";
 import { z as z6 } from "zod";
 var translationSchema = z6.object({
@@ -3423,51 +4010,37 @@ async function uploadVttToS3({
   toLanguageCode,
   s3Endpoint,
   s3Region,
-  s3Bucket
+  s3Bucket,
+  storageAdapter
 }) {
   "use step";
-  const { S3Client, GetObjectCommand } = await import("@aws-sdk/client-s3");
-  const { Upload } = await import("@aws-sdk/lib-storage");
-  const { getSignedUrl } = await import("@aws-sdk/s3-request-presigner");
   const s3AccessKeyId = env_default.S3_ACCESS_KEY_ID;
   const s3SecretAccessKey = env_default.S3_SECRET_ACCESS_KEY;
-  const s3Client = new S3Client({
+  const vttKey = `translations/${assetId}/${fromLanguageCode}-to-${toLanguageCode}-${Date.now()}.vtt`;
+  await putObjectWithStorageAdapter({
+    accessKeyId: s3AccessKeyId,
+    secretAccessKey: s3SecretAccessKey,
+    endpoint: s3Endpoint,
     region: s3Region,
+    bucket: s3Bucket,
+    key: vttKey,
+    body: translatedVtt,
+    contentType: "text/vtt"
+  }, storageAdapter);
+  return createPresignedGetUrlWithStorageAdapter({
+    accessKeyId: s3AccessKeyId,
+    secretAccessKey: s3SecretAccessKey,
     endpoint: s3Endpoint,
-    credentials: {
-      accessKeyId: s3AccessKeyId,
-      secretAccessKey: s3SecretAccessKey
-    },
-    forcePathStyle: true
-  });
-  const vttKey = `translations/${assetId}/${fromLanguageCode}-to-${toLanguageCode}-${Date.now()}.vtt`;
-  const upload = new Upload({
-    client: s3Client,
-    params: {
-      Bucket: s3Bucket,
-      Key: vttKey,
-      Body: translatedVtt,
-      ContentType: "text/vtt"
-    }
-  });
-  await upload.done();
-  const getObjectCommand = new GetObjectCommand({
-    Bucket: s3Bucket,
-    Key: vttKey
-  });
-  const presignedUrl = await getSignedUrl(s3Client, getObjectCommand, {
-    expiresIn: 3600
-    // 1 hour
-  });
-  return presignedUrl;
+    region: s3Region,
+    bucket: s3Bucket,
+    key: vttKey,
+    expiresInSeconds: 3600
+  }, storageAdapter);
 }
 async function createTextTrackOnMux(assetId, languageCode, trackName, presignedUrl, credentials) {
   "use step";
-  const { muxTokenId, muxTokenSecret } = await getMuxCredentialsFromEnv(credentials);
-  const mux = new Mux4({
-    tokenId: muxTokenId,
-    tokenSecret: muxTokenSecret
-  });
+  const muxClient = await resolveMuxClient(credentials);
+  const mux = await muxClient.createClient();
   const trackResponse = await mux.video.assets.createTrack(assetId, {
     type: "text",
     text_type: "subtitles",
@@ -3489,8 +4062,11 @@ async function translateCaptions(assetId, fromLanguageCode, toLanguageCode, opti
     s3Region: providedS3Region,
     s3Bucket: providedS3Bucket,
     uploadToMux: uploadToMuxOption,
-    credentials
+    storageAdapter,
+    credentials: providedCredentials
   } = options;
+  const credentials = providedCredentials;
+  const effectiveStorageAdapter = storageAdapter;
   const s3Endpoint = providedS3Endpoint ?? env_default.S3_ENDPOINT;
   const s3Region = providedS3Region ?? env_default.S3_REGION ?? "auto";
   const s3Bucket = providedS3Bucket ?? env_default.S3_BUCKET;
@@ -3502,13 +4078,10 @@ async function translateCaptions(assetId, fromLanguageCode, toLanguageCode, opti
     model,
     provider
   });
-  if (uploadToMux && (!s3Endpoint || !s3Bucket || !s3AccessKeyId || !s3SecretAccessKey)) {
-    throw new Error("S3 configuration is required for uploading to Mux. Provide s3Endpoint, s3Bucket, s3AccessKeyId, and s3SecretAccessKey in options or set S3_ENDPOINT, S3_BUCKET, S3_ACCESS_KEY_ID, and S3_SECRET_ACCESS_KEY environment variables.");
+  if (uploadToMux && (!s3Endpoint || !s3Bucket || !effectiveStorageAdapter && (!s3AccessKeyId || !s3SecretAccessKey))) {
+    throw new Error("Storage configuration is required for uploading to Mux. Provide s3Endpoint and s3Bucket. If no storageAdapter is supplied, also provide s3AccessKeyId and s3SecretAccessKey in options or set S3_ENDPOINT, S3_BUCKET, S3_ACCESS_KEY_ID, and S3_SECRET_ACCESS_KEY environment variables.");
   }
-  const { asset: assetData, playbackId, policy } = await getPlaybackIdForAsset(
-    assetId,
-    credentials
-  );
+  const { asset: assetData, playbackId, policy } = await getPlaybackIdForAsset(assetId, credentials);
   const assetDurationSeconds = getAssetDurationSecondsFromAsset(assetData);
   const isAudioOnly = isAudioOnlyAsset(assetData);
   const signingContext = await resolveMuxSigningContext(credentials);
@@ -3593,7 +4166,8 @@ async function translateCaptions(assetId, fromLanguageCode, toLanguageCode, opti
       toLanguageCode,
       s3Endpoint,
       s3Region,
-      s3Bucket
+      s3Bucket,
+      storageAdapter: effectiveStorageAdapter
     });
   } catch (error) {
     throw new Error(`Failed to upload VTT to S3: ${error instanceof Error ? error.message : "Unknown error"}`);
@@ -3626,6 +4200,8 @@ async function translateCaptions(assetId, fromLanguageCode, toLanguageCode, opti
   };
 }
 export {
+  WorkflowStorageClient,
+  createWorkflowStorageClient,
   decryptFromWorkflow,
   encryptForWorkflow,
   primitives_exports as primitives,