npm - @stacksjs/ts-cloud-core - Versions diffs - 0.1.3 → 0.1.6 - Mend

@stacksjs/ts-cloud-core 0.1.3 → 0.1.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (250) hide show

package/README.md +98 -13
package/package.json +12 -3
package/src/advanced-features.test.ts +0 -465
package/src/aws/cloudformation.ts +0 -421
package/src/aws/cloudfront.ts +0 -158
package/src/aws/credentials.test.ts +0 -132
package/src/aws/credentials.ts +0 -545
package/src/aws/index.ts +0 -87
package/src/aws/s3.test.ts +0 -188
package/src/aws/s3.ts +0 -1088
package/src/aws/signature.test.ts +0 -670
package/src/aws/signature.ts +0 -1155
package/src/backup/disaster-recovery.test.ts +0 -726
package/src/backup/disaster-recovery.ts +0 -500
package/src/backup/index.ts +0 -34
package/src/backup/manager.test.ts +0 -498
package/src/backup/manager.ts +0 -432
package/src/cicd/circleci.ts +0 -430
package/src/cicd/github-actions.ts +0 -424
package/src/cicd/gitlab-ci.ts +0 -255
package/src/cicd/index.ts +0 -8
package/src/cli/history.ts +0 -396
package/src/cli/index.ts +0 -10
package/src/cli/progress.ts +0 -458
package/src/cli/repl.ts +0 -454
package/src/cli/suggestions.ts +0 -327
package/src/cli/table.test.ts +0 -319
package/src/cli/table.ts +0 -332
package/src/cloudformation/builder.test.ts +0 -327
package/src/cloudformation/builder.ts +0 -378
package/src/cloudformation/builders/api-gateway.ts +0 -449
package/src/cloudformation/builders/cache.ts +0 -334
package/src/cloudformation/builders/cdn.ts +0 -278
package/src/cloudformation/builders/compute.ts +0 -485
package/src/cloudformation/builders/database.ts +0 -392
package/src/cloudformation/builders/functions.ts +0 -343
package/src/cloudformation/builders/messaging.ts +0 -140
package/src/cloudformation/builders/monitoring.ts +0 -300
package/src/cloudformation/builders/network.ts +0 -264
package/src/cloudformation/builders/queue.ts +0 -147
package/src/cloudformation/builders/security.ts +0 -399
package/src/cloudformation/builders/storage.ts +0 -285
package/src/cloudformation/index.ts +0 -30
package/src/cloudformation/types.ts +0 -173
package/src/compliance/aws-config.ts +0 -543
package/src/compliance/cloudtrail.ts +0 -376
package/src/compliance/compliance.test.ts +0 -423
package/src/compliance/guardduty.ts +0 -446
package/src/compliance/index.ts +0 -66
package/src/compliance/security-hub.ts +0 -456
package/src/containers/build-optimization.ts +0 -416
package/src/containers/containers.test.ts +0 -508
package/src/containers/image-scanning.ts +0 -360
package/src/containers/index.ts +0 -9
package/src/containers/registry.ts +0 -293
package/src/containers/service-mesh.ts +0 -520
package/src/database/database.test.ts +0 -762
package/src/database/index.ts +0 -9
package/src/database/migrations.ts +0 -444
package/src/database/performance.ts +0 -528
package/src/database/replicas.ts +0 -534
package/src/database/users.ts +0 -494
package/src/dependency-graph.ts +0 -143
package/src/deployment/ab-testing.ts +0 -582
package/src/deployment/blue-green.ts +0 -452
package/src/deployment/canary.ts +0 -500
package/src/deployment/deployment.test.ts +0 -526
package/src/deployment/index.ts +0 -61
package/src/deployment/progressive.ts +0 -62
package/src/dns/dns.test.ts +0 -641
package/src/dns/dnssec.ts +0 -315
package/src/dns/index.ts +0 -8
package/src/dns/resolver.ts +0 -496
package/src/dns/routing.ts +0 -593
package/src/email/advanced/analytics.ts +0 -445
package/src/email/advanced/index.ts +0 -11
package/src/email/advanced/rules.ts +0 -465
package/src/email/advanced/scheduling.ts +0 -352
package/src/email/advanced/search.ts +0 -412
package/src/email/advanced/shared-mailboxes.ts +0 -404
package/src/email/advanced/templates.ts +0 -455
package/src/email/advanced/threading.ts +0 -281
package/src/email/analytics.ts +0 -467
package/src/email/bounce-handling.ts +0 -425
package/src/email/email.test.ts +0 -431
package/src/email/handlers/__tests__/inbound.test.ts +0 -38
package/src/email/handlers/__tests__/outbound.test.ts +0 -37
package/src/email/handlers/converter.ts +0 -227
package/src/email/handlers/feedback.ts +0 -228
package/src/email/handlers/inbound.ts +0 -169
package/src/email/handlers/outbound.ts +0 -178
package/src/email/index.ts +0 -15
package/src/email/reputation.ts +0 -303
package/src/email/templates.ts +0 -352
package/src/errors/index.test.ts +0 -434
package/src/errors/index.ts +0 -416
package/src/health-checks/index.ts +0 -40
package/src/index.ts +0 -360
package/src/intrinsic-functions.ts +0 -118
package/src/lambda/concurrency.ts +0 -330
package/src/lambda/destinations.ts +0 -345
package/src/lambda/dlq.ts +0 -425
package/src/lambda/index.ts +0 -11
package/src/lambda/lambda.test.ts +0 -840
package/src/lambda/layers.ts +0 -263
package/src/lambda/versions.ts +0 -376
package/src/lambda/vpc.ts +0 -399
package/src/local/config.ts +0 -114
package/src/local/index.ts +0 -6
package/src/local/mock-aws.ts +0 -351
package/src/modules/ai.ts +0 -340
package/src/modules/api.ts +0 -478
package/src/modules/auth.ts +0 -805
package/src/modules/cache.ts +0 -417
package/src/modules/cdn.ts +0 -1062
package/src/modules/communication.ts +0 -1094
package/src/modules/compute.ts +0 -3348
package/src/modules/database.ts +0 -554
package/src/modules/deployment.ts +0 -1079
package/src/modules/dns.ts +0 -337
package/src/modules/email.ts +0 -1538
package/src/modules/filesystem.ts +0 -515
package/src/modules/index.ts +0 -32
package/src/modules/messaging.ts +0 -486
package/src/modules/monitoring.ts +0 -2086
package/src/modules/network.ts +0 -664
package/src/modules/parameter-store.ts +0 -325
package/src/modules/permissions.ts +0 -1081
package/src/modules/phone.ts +0 -494
package/src/modules/queue.ts +0 -1260
package/src/modules/redirects.ts +0 -464
package/src/modules/registry.ts +0 -699
package/src/modules/search.ts +0 -401
package/src/modules/secrets.ts +0 -416
package/src/modules/security.ts +0 -731
package/src/modules/sms.ts +0 -389
package/src/modules/storage.ts +0 -1120
package/src/modules/workflow.ts +0 -680
package/src/multi-account/config.ts +0 -521
package/src/multi-account/index.ts +0 -7
package/src/multi-account/manager.ts +0 -427
package/src/multi-region/cross-region.ts +0 -410
package/src/multi-region/index.ts +0 -8
package/src/multi-region/manager.ts +0 -483
package/src/multi-region/regions.ts +0 -435
package/src/network-security/index.ts +0 -48
package/src/observability/index.ts +0 -9
package/src/observability/logs.ts +0 -522
package/src/observability/metrics.ts +0 -460
package/src/observability/observability.test.ts +0 -782
package/src/observability/synthetics.ts +0 -568
package/src/observability/xray.ts +0 -358
package/src/phone/advanced/analytics.ts +0 -349
package/src/phone/advanced/callbacks.ts +0 -428
package/src/phone/advanced/index.ts +0 -8
package/src/phone/advanced/ivr-builder.ts +0 -504
package/src/phone/advanced/recording.ts +0 -310
package/src/phone/handlers/__tests__/incoming-call.test.ts +0 -40
package/src/phone/handlers/incoming-call.ts +0 -117
package/src/phone/handlers/missed-call.ts +0 -116
package/src/phone/handlers/voicemail.ts +0 -179
package/src/phone/index.ts +0 -9
package/src/presets/api-backend.ts +0 -134
package/src/presets/data-pipeline.ts +0 -204
package/src/presets/extend.test.ts +0 -295
package/src/presets/extend.ts +0 -297
package/src/presets/fullstack-app.ts +0 -144
package/src/presets/index.ts +0 -27
package/src/presets/jamstack.ts +0 -135
package/src/presets/microservices.ts +0 -167
package/src/presets/ml-api.ts +0 -208
package/src/presets/nodejs-server.ts +0 -104
package/src/presets/nodejs-serverless.ts +0 -114
package/src/presets/realtime-app.ts +0 -184
package/src/presets/static-site.ts +0 -64
package/src/presets/traditional-web-app.ts +0 -339
package/src/presets/wordpress.ts +0 -138
package/src/preview/github.test.ts +0 -249
package/src/preview/github.ts +0 -297
package/src/preview/index.ts +0 -37
package/src/preview/manager.test.ts +0 -440
package/src/preview/manager.ts +0 -326
package/src/preview/notifications.test.ts +0 -582
package/src/preview/notifications.ts +0 -341
package/src/queue/batch-processing.ts +0 -402
package/src/queue/dlq-monitoring.ts +0 -402
package/src/queue/fifo.ts +0 -342
package/src/queue/index.ts +0 -9
package/src/queue/management.ts +0 -428
package/src/queue/queue.test.ts +0 -429
package/src/resource-mgmt/index.ts +0 -39
package/src/resource-naming.ts +0 -62
package/src/s3/index.ts +0 -523
package/src/schema/cloud-config.schema.json +0 -554
package/src/schema/index.ts +0 -68
package/src/security/certificate-manager.ts +0 -492
package/src/security/index.ts +0 -9
package/src/security/scanning.ts +0 -545
package/src/security/secrets-manager.ts +0 -476
package/src/security/secrets-rotation.ts +0 -456
package/src/security/security.test.ts +0 -738
package/src/sms/advanced/ab-testing.ts +0 -389
package/src/sms/advanced/analytics.ts +0 -336
package/src/sms/advanced/campaigns.ts +0 -523
package/src/sms/advanced/chatbot.ts +0 -224
package/src/sms/advanced/index.ts +0 -10
package/src/sms/advanced/link-tracking.ts +0 -248
package/src/sms/advanced/mms.ts +0 -308
package/src/sms/handlers/__tests__/send.test.ts +0 -40
package/src/sms/handlers/delivery-status.ts +0 -133
package/src/sms/handlers/receive.ts +0 -162
package/src/sms/handlers/send.ts +0 -174
package/src/sms/index.ts +0 -9
package/src/stack-diff.ts +0 -389
package/src/static-site/index.ts +0 -85
package/src/template-builder.ts +0 -110
package/src/template-validator.ts +0 -574
package/src/utils/cache.ts +0 -291
package/src/utils/diff.ts +0 -269
package/src/utils/hash.ts +0 -227
package/src/utils/index.ts +0 -8
package/src/utils/parallel.ts +0 -294
package/src/validators/credentials.test.ts +0 -274
package/src/validators/credentials.ts +0 -233
package/src/validators/quotas.test.ts +0 -434
package/src/validators/quotas.ts +0 -217
package/test/ai.test.ts +0 -327
package/test/api.test.ts +0 -511
package/test/auth.test.ts +0 -632
package/test/cache.test.ts +0 -406
package/test/cdn.test.ts +0 -247
package/test/compute.test.ts +0 -861
package/test/database.test.ts +0 -523
package/test/deployment.test.ts +0 -499
package/test/dns.test.ts +0 -270
package/test/email.test.ts +0 -439
package/test/filesystem.test.ts +0 -382
package/test/integration.test.ts +0 -350
package/test/messaging.test.ts +0 -514
package/test/monitoring.test.ts +0 -634
package/test/network.test.ts +0 -425
package/test/permissions.test.ts +0 -488
package/test/queue.test.ts +0 -484
package/test/registry.test.ts +0 -306
package/test/security.test.ts +0 -462
package/test/storage.test.ts +0 -463
package/test/template-validator.test.ts +0 -559
package/test/workflow.test.ts +0 -592
package/tsconfig.json +0 -16
package/tsconfig.tsbuildinfo +0 -1

package/src/aws/signature.ts DELETED Viewed

@@ -1,1155 +0,0 @@
-/**
- * AWS Signature Version 4 Signing Process
- * Implements request signing for direct AWS API calls without SDK
- *
- * Reference: https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
- *
- * Browser compatible: Use async functions (signRequestAsync, createPresignedUrlAsync)
- * Node.js/Bun: Use sync functions for better performance (signRequest, createPresignedUrl)
- */
-// Conditional import for Node.js crypto - will be undefined in browser
-let nodeCrypto: typeof import('node:crypto') | undefined
-try {
-  nodeCrypto = await import('node:crypto')
-} catch {
-  // Running in browser - nodeCrypto stays undefined
-}
-/**
- * Signing key cache for improved performance on repeated requests
- * Keys are cached by: secretAccessKey + date + region + service
- * Supports both Buffer (Node.js) and Uint8Array (browser)
- */
-const signingKeyCache = new Map<string, Buffer | Uint8Array>()
-const MAX_CACHE_SIZE = 100
-/**
- * Service name mappings for hosts that don't follow standard naming
- */
-const HOST_SERVICES: Record<string, string> = {
-  'appstream2': 'appstream',
-  'cloudhsmv2': 'cloudhsm',
-  'email': 'ses',
-  'marketplace': 'aws-marketplace',
-  'mobile': 'AWSMobileHubService',
-  'pinpoint': 'mobiletargeting',
-  'queue': 'sqs',
-  'git-codecommit': 'codecommit',
-  'mturk-requester-sandbox': 'mturk-requester',
-  'personalize-runtime': 'personalize',
-}
-export interface SignatureOptions {
-  method: string
-  url: string
-  /** Service name - if not provided, will be auto-detected from URL */
-  service?: string
-  /** Region - if not provided, will be auto-detected from URL */
-  region?: string
-  headers?: Record<string, string>
-  body?: string
-  accessKeyId: string
-  secretAccessKey: string
-  sessionToken?: string
-  /**
-   * Optional external cache for signing keys
-   * If not provided, uses internal cache
-   * Supports both Buffer (Node.js) and Uint8Array (browser)
-   */
-  cache?: Map<string, Buffer | Uint8Array>
-  /**
-   * Sign via query string instead of Authorization header
-   * Used for presigned URLs (e.g., S3 presigned URLs)
-   */
-  signQuery?: boolean
-  /**
-   * Expiration time in seconds for presigned URLs (default: 86400 = 24 hours)
-   * Only used when signQuery is true
-   */
-  expiresIn?: number
-  /**
-   * Custom datetime for signing (format: YYYYMMDDTHHMMSSZ)
-   * If not provided, uses current time
-   * Useful for testing and reproducibility
-   */
-  datetime?: string
-}
-export interface SignedRequest {
-  url: string
-  method: string
-  headers: Record<string, string>
-  body?: string
-}
-export interface PresignedUrlOptions {
-  url: string
-  method?: string
-  accessKeyId: string
-  secretAccessKey: string
-  sessionToken?: string
-  /** Service name - if not provided, will be auto-detected from URL */
-  service?: string
-  /** Region - if not provided, will be auto-detected from URL */
-  region?: string
-  /** Expiration time in seconds (default: 3600 = 1 hour, max: 604800 = 7 days) */
-  expiresIn?: number
-  /** Optional external cache for signing keys */
-  cache?: Map<string, Buffer | Uint8Array>
-}
-export interface RetryOptions {
-  /** Maximum number of retry attempts (default: 3) */
-  maxRetries?: number
-  /** Initial delay in ms before first retry (default: 100) */
-  initialDelayMs?: number
-  /** Maximum delay in ms between retries (default: 5000) */
-  maxDelayMs?: number
-  /** HTTP status codes that should trigger a retry (default: [429, 500, 502, 503, 504]) */
-  retryableStatusCodes?: number[]
-  /** Request timeout in milliseconds (default: 30000 = 30 seconds) */
-  timeoutMs?: number
-}
-/**
- * Detect service and region from AWS URL
- * Supports standard AWS endpoints, Lambda URLs, R2, and Backblaze B2
- */
-export function detectServiceRegion(url: string | URL): { service: string, region: string } {
-  const urlObj = typeof url === 'string' ? new URL(url) : url
-  const { hostname, pathname } = urlObj
-  // Lambda function URLs: xxx.lambda-url.region.on.aws
-  if (hostname.endsWith('.on.aws')) {
-    const match = hostname.match(/^[^.]+\.lambda-url\.([^.]+)\.on\.aws$/)
-    if (match) {
-      return { service: 'lambda', region: match[1] }
-    }
-    return { service: '', region: '' }
-  }
-  // Cloudflare R2: xxx.r2.cloudflarestorage.com
-  if (hostname.endsWith('.r2.cloudflarestorage.com')) {
-    return { service: 's3', region: 'auto' }
-  }
-  // Backblaze B2: xxx.s3.region.backblazeb2.com
-  if (hostname.endsWith('.backblazeb2.com')) {
-    const match = hostname.match(/^(?:[^.]+\.)?s3\.([^.]+)\.backblazeb2\.com$/)
-    if (match) {
-      return { service: 's3', region: match[1] }
-    }
-    return { service: '', region: '' }
-  }
-  // Standard AWS endpoints: service.region.amazonaws.com
-  const match = hostname
-    .replace('dualstack.', '')
-    .match(/([^.]+)\.(?:([^.]+)\.)?amazonaws\.com(?:\.cn)?$/)
-  if (!match) {
-    return { service: '', region: '' }
-  }
-  let service = match[1]
-  let region = match[2] || ''
-  // Handle special cases
-  if (region === 'us-gov') {
-    region = 'us-gov-west-1'
-  } else if (region === 's3' || region === 's3-accelerate') {
-    region = 'us-east-1'
-    service = 's3'
-  } else if (service === 'iot') {
-    if (hostname.startsWith('iot.')) {
-      service = 'execute-api'
-    } else if (hostname.startsWith('data.jobs.iot.')) {
-      service = 'iot-jobs-data'
-    } else {
-      service = pathname === '/mqtt' ? 'iotdevicegateway' : 'iotdata'
-    }
-  } else if (service === 'autoscaling') {
-    // Could be application-autoscaling or autoscaling-plans based on target
-    // Default to autoscaling
-  } else if (!region && service.startsWith('s3-')) {
-    region = service.slice(3).replace(/^fips-|^external-1/, '')
-    service = 's3'
-  } else if (service.endsWith('-fips')) {
-    service = service.slice(0, -5)
-  } else if (region && /-\d$/.test(service) && !/-\d$/.test(region)) {
-    // Swap service and region if they appear reversed
-    [service, region] = [region, service]
-  }
-  // Apply service name mappings
-  service = HOST_SERVICES[service] || service
-  return { service, region: region || 'us-east-1' }
-}
-/**
- * Sign an AWS request using Signature Version 4
- */
-export function signRequest(options: SignatureOptions): SignedRequest {
-  const {
-    method,
-    url,
-    body = '',
-    accessKeyId,
-    secretAccessKey,
-    sessionToken,
-    signQuery = false,
-    expiresIn = 86400,
-    datetime,
-  } = options
-  const urlObj = new URL(url)
-  const host = urlObj.hostname
-  // Auto-detect service and region if not provided
-  const detected = detectServiceRegion(urlObj)
-  const service = options.service || detected.service
-  const region = options.region || detected.region
-  if (!service) {
-    throw new Error('Could not detect service from URL. Please provide service explicitly.')
-  }
-  if (!region) {
-    throw new Error('Could not detect region from URL. Please provide region explicitly.')
-  }
-  // Step 1: Create canonical request
-  const timestamp = datetime || new Date().toISOString().replace(/[:-]|\.\d{3}/g, '')
-  const date = timestamp.substring(0, 8)
-  const credentialScope = [date, region, service, 'aws4_request'].join('/')
-  const algorithm = 'AWS4-HMAC-SHA256'
-  if (signQuery) {
-    // Query string signing (for presigned URLs)
-    return signWithQueryString({
-      urlObj,
-      method,
-      body,
-      accessKeyId,
-      secretAccessKey,
-      sessionToken,
-      service,
-      region,
-      timestamp,
-      date,
-      credentialScope,
-      algorithm,
-      expiresIn,
-      cache: options.cache,
-    })
-  }
-  // Header-based signing
-  const path = urlObj.pathname || '/'
-  const query = canonicalQueryString(urlObj.searchParams)
-  const headers: Record<string, string> = {
-    'host': host,
-    'x-amz-date': timestamp,
-    ...options.headers,
-  }
-  if (sessionToken) {
-    headers['x-amz-security-token'] = sessionToken
-  }
-  // Add content-type for requests with body
-  if (body && !headers['content-type']) {
-    headers['content-type'] = 'application/x-amz-json-1.0'
-  }
-  // For S3, add content hash header
-  if (service === 's3' && !headers['x-amz-content-sha256']) {
-    headers['x-amz-content-sha256'] = hash(body)
-  }
-  const canonicalHeaders = getCanonicalHeaders(headers)
-  const signedHeaders = getSignedHeaders(headers)
-  const payloadHash = headers['x-amz-content-sha256'] || hash(body)
-  const canonicalRequest = [
-    method,
-    encodePath(path),
-    query,
-    canonicalHeaders,
-    signedHeaders,
-    payloadHash,
-  ].join('\n')
-  // Step 2: Create string to sign
-  const canonicalRequestHash = hash(canonicalRequest)
-  const stringToSign = [
-    algorithm,
-    timestamp,
-    credentialScope,
-    canonicalRequestHash,
-  ].join('\n')
-  // Step 3: Calculate signature (with key caching for performance)
-  const cache = options.cache ?? signingKeyCache
-  const signature = calculateSignature(
-    secretAccessKey,
-    date,
-    region,
-    service,
-    stringToSign,
-    cache,
-  )
-  // Step 4: Add authorization header
-  const authorization = [
-    `${algorithm} Credential=${accessKeyId}/${credentialScope}`,
-    `SignedHeaders=${signedHeaders}`,
-    `Signature=${signature}`,
-  ].join(', ')
-  headers['authorization'] = authorization
-  return {
-    url,
-    method,
-    headers,
-    body: body || undefined,
-  }
-}
-/**
- * Sign an AWS request using Signature Version 4 (async - browser compatible)
- * Use this in browser environments where crypto.subtle is available
- */
-export async function signRequestAsync(options: SignatureOptions): Promise<SignedRequest> {
-  const {
-    method,
-    url,
-    body = '',
-    accessKeyId,
-    secretAccessKey,
-    sessionToken,
-    signQuery = false,
-    expiresIn = 86400,
-    datetime,
-  } = options
-  const urlObj = new URL(url)
-  const host = urlObj.hostname
-  // Auto-detect service and region if not provided
-  const detected = detectServiceRegion(urlObj)
-  const service = options.service || detected.service
-  const region = options.region || detected.region
-  if (!service) {
-    throw new Error('Could not detect service from URL. Please provide service explicitly.')
-  }
-  if (!region) {
-    throw new Error('Could not detect region from URL. Please provide region explicitly.')
-  }
-  // Step 1: Create canonical request
-  const timestamp = datetime || new Date().toISOString().replace(/[:-]|\.\d{3}/g, '')
-  const date = timestamp.substring(0, 8)
-  const credentialScope = [date, region, service, 'aws4_request'].join('/')
-  const algorithm = 'AWS4-HMAC-SHA256'
-  if (signQuery) {
-    // Query string signing (for presigned URLs)
-    return signWithQueryStringAsync({
-      urlObj,
-      method,
-      body,
-      accessKeyId,
-      secretAccessKey,
-      sessionToken,
-      service,
-      region,
-      timestamp,
-      date,
-      credentialScope,
-      algorithm,
-      expiresIn,
-      cache: options.cache,
-    })
-  }
-  // Header-based signing
-  const path = urlObj.pathname || '/'
-  const query = canonicalQueryString(urlObj.searchParams)
-  const headers: Record<string, string> = {
-    'host': host,
-    'x-amz-date': timestamp,
-    ...options.headers,
-  }
-  if (sessionToken) {
-    headers['x-amz-security-token'] = sessionToken
-  }
-  // Add content-type for requests with body
-  if (body && !headers['content-type']) {
-    headers['content-type'] = 'application/x-amz-json-1.0'
-  }
-  // For S3, add content hash header
-  const bodyHash = await hashAsync(body)
-  if (service === 's3' && !headers['x-amz-content-sha256']) {
-    headers['x-amz-content-sha256'] = bodyHash
-  }
-  const canonicalHeaders = getCanonicalHeaders(headers)
-  const signedHeaders = getSignedHeaders(headers)
-  const payloadHash = headers['x-amz-content-sha256'] || bodyHash
-  const canonicalRequest = [
-    method,
-    encodePath(path),
-    query,
-    canonicalHeaders,
-    signedHeaders,
-    payloadHash,
-  ].join('\n')
-  // Step 2: Create string to sign
-  const canonicalRequestHash = await hashAsync(canonicalRequest)
-  const stringToSign = [
-    algorithm,
-    timestamp,
-    credentialScope,
-    canonicalRequestHash,
-  ].join('\n')
-  // Step 3: Calculate signature (with key caching for performance)
-  const cache = options.cache ?? signingKeyCache
-  const signature = await calculateSignatureAsync(
-    secretAccessKey,
-    date,
-    region,
-    service,
-    stringToSign,
-    cache,
-  )
-  // Step 4: Add authorization header
-  const authorization = [
-    `${algorithm} Credential=${accessKeyId}/${credentialScope}`,
-    `SignedHeaders=${signedHeaders}`,
-    `Signature=${signature}`,
-  ].join(', ')
-  headers['authorization'] = authorization
-  return {
-    url,
-    method,
-    headers,
-    body: body || undefined,
-  }
-}
-/**
- * Sign request using query string parameters (for presigned URLs)
- */
-function signWithQueryString(params: {
-  urlObj: URL
-  method: string
-  body: string
-  accessKeyId: string
-  secretAccessKey: string
-  sessionToken?: string
-  service: string
-  region: string
-  timestamp: string
-  date: string
-  credentialScope: string
-  algorithm: string
-  expiresIn: number
-  cache?: Map<string, Buffer | Uint8Array>
-}): SignedRequest {
-  const {
-    urlObj,
-    method,
-    body,
-    accessKeyId,
-    secretAccessKey,
-    sessionToken,
-    service,
-    region,
-    timestamp,
-    date,
-    credentialScope,
-    algorithm,
-    expiresIn,
-    cache,
-  } = params
-  // Clone URL to avoid modifying original
-  const signedUrl = new URL(urlObj.toString())
-  // Add required query parameters
-  signedUrl.searchParams.set('X-Amz-Algorithm', algorithm)
-  signedUrl.searchParams.set('X-Amz-Credential', `${accessKeyId}/${credentialScope}`)
-  signedUrl.searchParams.set('X-Amz-Date', timestamp)
-  signedUrl.searchParams.set('X-Amz-Expires', String(expiresIn))
-  // For S3, default to UNSIGNED-PAYLOAD
-  const payloadHash = service === 's3' ? 'UNSIGNED-PAYLOAD' : hash(body)
-  if (service === 's3') {
-    signedUrl.searchParams.set('X-Amz-Content-Sha256', payloadHash)
-  }
-  // Signed headers (only host for query string signing)
-  const signedHeaders = 'host'
-  signedUrl.searchParams.set('X-Amz-SignedHeaders', signedHeaders)
-  if (sessionToken) {
-    signedUrl.searchParams.set('X-Amz-Security-Token', sessionToken)
-  }
-  // Build canonical request
-  const path = encodePath(signedUrl.pathname || '/')
-  const canonicalHeaders = `host:${signedUrl.hostname}\n`
-  const query = canonicalQueryString(signedUrl.searchParams)
-  const canonicalRequest = [
-    method,
-    path,
-    query,
-    canonicalHeaders,
-    signedHeaders,
-    payloadHash,
-  ].join('\n')
-  // Create string to sign
-  const stringToSign = [
-    algorithm,
-    timestamp,
-    credentialScope,
-    hash(canonicalRequest),
-  ].join('\n')
-  // Calculate signature
-  const signingCache = cache ?? signingKeyCache
-  const signature = calculateSignature(
-    secretAccessKey,
-    date,
-    region,
-    service,
-    stringToSign,
-    signingCache,
-  )
-  // Add signature to URL
-  signedUrl.searchParams.set('X-Amz-Signature', signature)
-  return {
-    url: signedUrl.toString(),
-    method,
-    headers: {},
-    body: body || undefined,
-  }
-}
-/**
- * Sign request using query string parameters (async - browser compatible)
- */
-async function signWithQueryStringAsync(params: {
-  urlObj: URL
-  method: string
-  body: string
-  accessKeyId: string
-  secretAccessKey: string
-  sessionToken?: string
-  service: string
-  region: string
-  timestamp: string
-  date: string
-  credentialScope: string
-  algorithm: string
-  expiresIn: number
-  cache?: Map<string, Buffer | Uint8Array>
-}): Promise<SignedRequest> {
-  const {
-    urlObj,
-    method,
-    body,
-    accessKeyId,
-    secretAccessKey,
-    sessionToken,
-    service,
-    region,
-    timestamp,
-    date,
-    credentialScope,
-    algorithm,
-    expiresIn,
-    cache,
-  } = params
-  // Clone URL to avoid modifying original
-  const signedUrl = new URL(urlObj.toString())
-  // Add required query parameters
-  signedUrl.searchParams.set('X-Amz-Algorithm', algorithm)
-  signedUrl.searchParams.set('X-Amz-Credential', `${accessKeyId}/${credentialScope}`)
-  signedUrl.searchParams.set('X-Amz-Date', timestamp)
-  signedUrl.searchParams.set('X-Amz-Expires', String(expiresIn))
-  // For S3, default to UNSIGNED-PAYLOAD
-  const payloadHash = service === 's3' ? 'UNSIGNED-PAYLOAD' : await hashAsync(body)
-  if (service === 's3') {
-    signedUrl.searchParams.set('X-Amz-Content-Sha256', payloadHash)
-  }
-  // Signed headers (only host for query string signing)
-  const signedHeaders = 'host'
-  signedUrl.searchParams.set('X-Amz-SignedHeaders', signedHeaders)
-  if (sessionToken) {
-    signedUrl.searchParams.set('X-Amz-Security-Token', sessionToken)
-  }
-  // Build canonical request
-  const path = encodePath(signedUrl.pathname || '/')
-  const canonicalHeaders = `host:${signedUrl.hostname}\n`
-  const query = canonicalQueryString(signedUrl.searchParams)
-  const canonicalRequest = [
-    method,
-    path,
-    query,
-    canonicalHeaders,
-    signedHeaders,
-    payloadHash,
-  ].join('\n')
-  // Create string to sign
-  const stringToSign = [
-    algorithm,
-    timestamp,
-    credentialScope,
-    await hashAsync(canonicalRequest),
-  ].join('\n')
-  // Calculate signature
-  const signingCache = cache ?? signingKeyCache
-  const signature = await calculateSignatureAsync(
-    secretAccessKey,
-    date,
-    region,
-    service,
-    stringToSign,
-    signingCache,
-  )
-  // Add signature to URL
-  signedUrl.searchParams.set('X-Amz-Signature', signature)
-  return {
-    url: signedUrl.toString(),
-    method,
-    headers: {},
-    body: body || undefined,
-  }
-}
-/**
- * Generate a presigned URL for AWS requests (e.g., S3 GetObject, PutObject)
- */
-export function createPresignedUrl(options: PresignedUrlOptions): string {
-  const {
-    url,
-    method = 'GET',
-    expiresIn = 3600,
-    ...rest
-  } = options
-  // Max expiration is 7 days for most services
-  const clampedExpires = Math.min(expiresIn, 604800)
-  const signed = signRequest({
-    ...rest,
-    url,
-    method,
-    signQuery: true,
-    expiresIn: clampedExpires,
-  })
-  return signed.url
-}
-/**
- * Generate a presigned URL for AWS requests (async - browser compatible)
- */
-export async function createPresignedUrlAsync(options: PresignedUrlOptions): Promise<string> {
-  const {
-    url,
-    method = 'GET',
-    expiresIn = 3600,
-    ...rest
-  } = options
-  // Max expiration is 7 days for most services
-  const clampedExpires = Math.min(expiresIn, 604800)
-  const signed = await signRequestAsync({
-    ...rest,
-    url,
-    method,
-    signQuery: true,
-    expiresIn: clampedExpires,
-  })
-  return signed.url
-}
-/**
- * Create canonical headers string
- */
-function getCanonicalHeaders(headers: Record<string, string>): string {
-  return Object.keys(headers)
-    .sort()
-    .map(key => `${key.toLowerCase()}:${headers[key].trim().replace(/\s+/g, ' ')}`)
-    .join('\n') + '\n'
-}
-/**
- * Get signed headers string
- */
-function getSignedHeaders(headers: Record<string, string>): string {
-  return Object.keys(headers)
-    .sort()
-    .map(key => key.toLowerCase())
-    .join(';')
-}
-/**
- * Create canonical query string (sorted and encoded)
- */
-function canonicalQueryString(params: URLSearchParams): string {
-  const sorted: Array<[string, string]> = []
-  params.forEach((value, key) => {
-    sorted.push([encodeRfc3986(key), encodeRfc3986(value)])
-  })
-  sorted.sort((a, b) => {
-    if (a[0] < b[0]) return -1
-    if (a[0] > b[0]) return 1
-    if (a[1] < b[1]) return -1
-    if (a[1] > b[1]) return 1
-    return 0
-  })
-  return sorted.map(([k, v]) => `${k}=${v}`).join('&')
-}
-/**
- * Encode path for canonical request
- */
-function encodePath(path: string): string {
-  return path
-    .split('/')
-    .map(segment => encodeRfc3986(segment))
-    .join('/')
-}
-/**
- * RFC 3986 URI encoding (stricter than encodeURIComponent)
- */
-function encodeRfc3986(str: string): string {
-  return encodeURIComponent(str).replace(/[!'()*]/g, c => `%${c.charCodeAt(0).toString(16).toUpperCase()}`)
-}
-/**
- * Calculate SHA256 hash (synchronous - Node.js/Bun only)
- */
-function hash(data: string): string {
-  if (!nodeCrypto) {
-    throw new Error('Synchronous hash not available in browser. Use signRequestAsync() instead.')
-  }
-  return nodeCrypto.createHash('sha256').update(data, 'utf8').digest('hex')
-}
-/**
- * Calculate HMAC SHA256 (synchronous - Node.js/Bun only)
- */
-function hmac(key: Buffer | string, data: string): Buffer {
-  if (!nodeCrypto) {
-    throw new Error('Synchronous hmac not available in browser. Use signRequestAsync() instead.')
-  }
-  return nodeCrypto.createHmac('sha256', key).update(data, 'utf8').digest()
-}
-/**
- * Calculate SHA256 hash (async - browser compatible)
- */
-async function hashAsync(data: string): Promise<string> {
-  const encoder = new TextEncoder()
-  const dataBuffer = encoder.encode(data)
-  const hashBuffer = await crypto.subtle.digest('SHA-256', dataBuffer)
-  return bufferToHex(new Uint8Array(hashBuffer))
-}
-/**
- * Calculate HMAC SHA256 (async - browser compatible)
- */
-async function hmacAsync(key: Uint8Array | string, data: string): Promise<Uint8Array> {
-  const encoder = new TextEncoder()
-  const keyBuffer = typeof key === 'string' ? encoder.encode(key) : key
-  const dataBuffer = encoder.encode(data)
-  const cryptoKey = await crypto.subtle.importKey(
-    'raw',
-    keyBuffer.buffer as ArrayBuffer,
-    { name: 'HMAC', hash: 'SHA-256' },
-    false,
-    ['sign'],
-  )
-  const signature = await crypto.subtle.sign('HMAC', cryptoKey, dataBuffer.buffer)
-  return new Uint8Array(signature)
-}
-/**
- * Convert Uint8Array to hex string
- */
-function bufferToHex(buffer: Uint8Array): string {
-  return Array.from(buffer)
-    .map(b => b.toString(16).padStart(2, '0'))
-    .join('')
-}
-/**
- * Calculate signature using AWS signing key derivation (sync - Node.js/Bun only)
- * Uses caching for signing keys to improve performance on repeated requests
- */
-function calculateSignature(
-  secretAccessKey: string,
-  date: string,
-  region: string,
-  service: string,
-  stringToSign: string,
-  cache: Map<string, Buffer | Uint8Array>,
-): string {
-  // Create cache key from signing parameters
-  const cacheKey = `${secretAccessKey}:${date}:${region}:${service}`
-  let kSigning = cache.get(cacheKey) as Buffer | undefined
-  if (!kSigning) {
-    // Derive signing key (expensive operation)
-    const kDate = hmac(`AWS4${secretAccessKey}`, date)
-    const kRegion = hmac(kDate, region)
-    const kService = hmac(kRegion, service)
-    kSigning = hmac(kService, 'aws4_request')
-    // Limit cache size to prevent memory leaks
-    if (cache.size >= MAX_CACHE_SIZE) {
-      // Remove oldest entry (first key)
-      const firstKey = cache.keys().next().value
-      if (firstKey)
-        cache.delete(firstKey)
-    }
-    cache.set(cacheKey, kSigning)
-  }
-  return hmac(kSigning, stringToSign).toString('hex')
-}
-/**
- * Calculate signature using AWS signing key derivation (async - browser compatible)
- * Uses caching for signing keys to improve performance on repeated requests
- */
-async function calculateSignatureAsync(
-  secretAccessKey: string,
-  date: string,
-  region: string,
-  service: string,
-  stringToSign: string,
-  cache: Map<string, Buffer | Uint8Array>,
-): Promise<string> {
-  // Create cache key from signing parameters
-  const cacheKey = `${secretAccessKey}:${date}:${region}:${service}`
-  let kSigning = cache.get(cacheKey) as Uint8Array | undefined
-  if (!kSigning) {
-    // Derive signing key (expensive operation)
-    const kDate = await hmacAsync(`AWS4${secretAccessKey}`, date)
-    const kRegion = await hmacAsync(kDate, region)
-    const kService = await hmacAsync(kRegion, service)
-    kSigning = await hmacAsync(kService, 'aws4_request')
-    // Limit cache size to prevent memory leaks
-    if (cache.size >= MAX_CACHE_SIZE) {
-      // Remove oldest entry (first key)
-      const firstKey = cache.keys().next().value
-      if (firstKey)
-        cache.delete(firstKey)
-    }
-    cache.set(cacheKey, kSigning)
-  }
-  const signature = await hmacAsync(kSigning, stringToSign)
-  return bufferToHex(signature)
-}
-/**
- * Check if an error/status code is retryable
- */
-function isRetryable(status: number, retryableCodes: number[]): boolean {
-  return retryableCodes.includes(status)
-}
-/**
- * Calculate delay with exponential backoff and jitter
- */
-function calculateBackoff(attempt: number, initialDelayMs: number, maxDelayMs: number): number {
-  const exponentialDelay = initialDelayMs * Math.pow(2, attempt)
-  const jitter = Math.random() * 0.3 * exponentialDelay // 0-30% jitter
-  return Math.min(exponentialDelay + jitter, maxDelayMs)
-}
-/**
- * Sleep for specified milliseconds
- */
-function sleep(ms: number): Promise<void> {
-  return new Promise(resolve => setTimeout(resolve, ms))
-}
-/**
- * Make a signed AWS API request with automatic retry
- */
-export async function makeAWSRequest(
-  options: SignatureOptions,
-  retryOptions?: RetryOptions,
-): Promise<Response> {
-  const {
-    maxRetries = 3,
-    initialDelayMs = 100,
-    maxDelayMs = 5000,
-    retryableStatusCodes = [429, 500, 502, 503, 504],
-    timeoutMs = 30000,
-  } = retryOptions ?? {}
-  let lastError: Error | undefined
-  let lastResponse: Response | undefined
-  for (let attempt = 0; attempt <= maxRetries; attempt++) {
-    // Re-sign request on each attempt (timestamp changes)
-    const signedRequest = signRequest(options)
-    const fetchOptions: RequestInit = {
-      method: signedRequest.method,
-      headers: signedRequest.headers,
-    }
-    if (signedRequest.body) {
-      fetchOptions.body = signedRequest.body
-    }
-    // Add timeout support via AbortController
-    const controller = new AbortController()
-    const timeoutId = setTimeout(() => controller.abort(), timeoutMs)
-    fetchOptions.signal = controller.signal
-    try {
-      const response = await fetch(signedRequest.url, fetchOptions)
-      clearTimeout(timeoutId)
-      lastResponse = response
-      // Success - return immediately
-      if (response.ok) {
-        return response
-      }
-      // Check if we should retry
-      if (attempt < maxRetries && isRetryable(response.status, retryableStatusCodes)) {
-        const delay = calculateBackoff(attempt, initialDelayMs, maxDelayMs)
-        await sleep(delay)
-        continue
-      }
-      // Non-retryable error or max retries reached
-      const errorText = await response.text()
-      throw new Error(`AWS API request failed (${response.status}): ${errorText}`)
-    } catch (error) {
-      clearTimeout(timeoutId)
-      lastError = error as Error
-      // Handle timeout errors
-      if (error instanceof Error && error.name === 'AbortError') {
-        lastError = new Error(`Request timed out after ${timeoutMs}ms`)
-      }
-      // Network errors and timeouts are retryable
-      if (attempt < maxRetries && !(error instanceof Error && error.message.includes('AWS API request failed'))) {
-        const delay = calculateBackoff(attempt, initialDelayMs, maxDelayMs)
-        await sleep(delay)
-        continue
-      }
-      throw lastError
-    }
-  }
-  // Should not reach here, but just in case
-  throw lastError ?? new Error('Request failed after retries')
-}
-/**
- * Make a signed AWS API request without retry (for backwards compatibility)
- */
-export async function makeAWSRequestOnce(
-  options: SignatureOptions,
-): Promise<Response> {
-  return makeAWSRequest(options, { maxRetries: 0 })
-}
-/**
- * Make a signed AWS API request with automatic retry (async - browser compatible)
- * Use this in browser environments where crypto.subtle is available
- */
-export async function makeAWSRequestAsync(
-  options: SignatureOptions,
-  retryOptions?: RetryOptions,
-): Promise<Response> {
-  const {
-    maxRetries = 3,
-    initialDelayMs = 100,
-    maxDelayMs = 5000,
-    retryableStatusCodes = [429, 500, 502, 503, 504],
-    timeoutMs = 30000,
-  } = retryOptions ?? {}
-  let lastError: Error | undefined
-  for (let attempt = 0; attempt <= maxRetries; attempt++) {
-    // Re-sign request on each attempt (timestamp changes)
-    const signedRequest = await signRequestAsync(options)
-    const fetchOptions: RequestInit = {
-      method: signedRequest.method,
-      headers: signedRequest.headers,
-    }
-    if (signedRequest.body) {
-      fetchOptions.body = signedRequest.body
-    }
-    // Add timeout support via AbortController
-    const controller = new AbortController()
-    const timeoutId = setTimeout(() => controller.abort(), timeoutMs)
-    fetchOptions.signal = controller.signal
-    try {
-      const response = await fetch(signedRequest.url, fetchOptions)
-      clearTimeout(timeoutId)
-      // Success - return immediately
-      if (response.ok) {
-        return response
-      }
-      // Check if we should retry
-      if (attempt < maxRetries && isRetryable(response.status, retryableStatusCodes)) {
-        const delay = calculateBackoff(attempt, initialDelayMs, maxDelayMs)
-        await sleep(delay)
-        continue
-      }
-      // Non-retryable error or max retries reached
-      const errorText = await response.text()
-      throw new Error(`AWS API request failed (${response.status}): ${errorText}`)
-    } catch (error) {
-      clearTimeout(timeoutId)
-      lastError = error as Error
-      // Handle timeout errors
-      if (error instanceof Error && error.name === 'AbortError') {
-        lastError = new Error(`Request timed out after ${timeoutMs}ms`)
-      }
-      // Network errors and timeouts are retryable
-      if (attempt < maxRetries && !(error instanceof Error && error.message.includes('AWS API request failed'))) {
-        const delay = calculateBackoff(attempt, initialDelayMs, maxDelayMs)
-        await sleep(delay)
-        continue
-      }
-      throw lastError
-    }
-  }
-  // Should not reach here, but just in case
-  throw lastError ?? new Error('Request failed after retries')
-}
-/**
- * Parse XML response from AWS
- */
-export async function parseXMLResponse<T = any>(response: Response): Promise<T> {
-  const text = await response.text()
-  // Simple XML parsing (for production, use a proper XML parser)
-  // This is a basic implementation for demonstration
-  const result: any = {}
-  // Extract key-value pairs from XML
-  const regex = /<(\w+)>([^<]+)<\/\1>/g
-  let match
-  while ((match = regex.exec(text)) !== null) {
-    const [, key, value] = match
-    result[key] = value
-  }
-  return result as T
-}
-/**
- * Parse JSON response from AWS
- */
-export async function parseJSONResponse<T = any>(response: Response): Promise<T> {
-  return await response.json() as T
-}
-/**
- * Clear the internal signing key cache
- * Call this when credentials change or for testing
- */
-export function clearSigningKeyCache(): void {
-  signingKeyCache.clear()
-}
-/**
- * Get current cache size (for diagnostics)
- */
-export function getSigningKeyCacheSize(): number {
-  return signingKeyCache.size
-}
-/**
- * Check if Node.js crypto is available (for sync operations)
- * Returns true in Node.js/Bun, false in browser
- */
-export function isNodeCryptoAvailable(): boolean {
-  return nodeCrypto !== undefined
-}
-/**
- * Check if Web Crypto API is available (for async operations)
- * Returns true in modern browsers and Node.js 15+
- */
-export function isWebCryptoAvailable(): boolean {
-  return typeof crypto !== 'undefined' && typeof crypto.subtle !== 'undefined'
-}