create-ampless 0.2.0-alpha.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 ampless contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,38 @@
+# create-ampless
+
+CLI scaffolding tool for [ampless](https://github.com/heavymoons/ampless) projects.
+
+> **Pre-release / alpha.** Breaking changes possible in any minor version until v1.0. Use the `@alpha` tag (the `@latest` tag won't exist until v1.0).
+
+```bash
+npx create-ampless@alpha
+```
+
+The wizard walks you through:
+
+1. Project name
+2. Site name (used as the default `<title>` and OGP `siteName`)
+3. Theme — `blog` for v0.1
+4. Plugins — `seo`, `rss`, `webhook`
+
+Output is a Next.js 15 (App Router) project with the AWS Amplify Gen 2 backend definitions, an admin panel at `/admin`, public blog at `/`, the chosen plugins pre-wired in `cms.config.ts`, and a `RUNBOOK.md` for operations notes.
+
+## Next steps inside the generated project
+
+```bash
+cd my-project
+npm install
+npx ampx sandbox        # provision AWS dev resources, generates amplify_outputs.json
+npm run dev             # http://localhost:3000
+```
+
+Sign up at `/login` — the first registered user is automatically promoted to the `ampless-admin` Cognito group.
+
+## Requirements
+
+- Node.js >= 20
+- AWS account + `aws configure` already set up (sandbox / pipeline-deploy talk to AWS directly)
+
+## License
+
+[MIT](../../LICENSE)

package/dist/index.d.ts

@@ -0,0 +1,2 @@
+
+export {  }

package/dist/index.js

@@ -0,0 +1,229 @@
+#!/usr/bin/env node
+
+// src/index.ts
+import { spinner, outro, log } from "@clack/prompts";
+import { existsSync as existsSync2 } from "fs";
+import { resolve as resolve3 } from "path";
+
+// src/prompts.ts
+import * as p from "@clack/prompts";
+async function runPrompts(argProjectName) {
+  p.intro("create-ampless");
+  const result = await p.group(
+    {
+      projectName: () => p.text({
+        message: "Project name",
+        placeholder: "my-ampless-site",
+        defaultValue: argProjectName ?? "my-ampless-site",
+        validate: (v) => {
+          if (!v.trim()) return "Project name is required";
+          if (!/^[a-z0-9-_]+$/.test(v)) return "Use lowercase letters, numbers, hyphens, underscores";
+        }
+      }),
+      siteName: () => p.text({
+        message: "Site display name",
+        placeholder: "My Blog",
+        defaultValue: "My Blog"
+      }),
+      // Multiple themes can ship side-by-side. The first selected is the
+      // default active theme; admins can switch per-site at runtime. Add
+      // / remove themes later by editing themes-registry.ts and
+      // themes/<name>/.
+      themes: () => p.multiselect({
+        message: "Themes to install (space to toggle)",
+        options: [
+          { value: "blog", label: "Blog \u2014 neutral monochrome (shadcn default)" },
+          { value: "minimal", label: "Minimal \u2014 soft blue accent on warm neutral" },
+          { value: "landing", label: "Landing \u2014 hero-led marketing page" },
+          { value: "corporate", label: "Corporate \u2014 slate / navy company site" },
+          { value: "docs", label: "Docs \u2014 sidebar-led docs (tag-driven sections)" },
+          { value: "dads", label: "DADS \u2014 Digital Agency Design System (Japanese government style)" }
+        ],
+        initialValues: ["blog"],
+        required: true
+      }),
+      plugins: () => p.multiselect({
+        message: "Plugins (space to toggle)",
+        options: [
+          { value: "seo", label: "SEO \u2014 meta tags, OGP, sitemap", hint: "recommended" },
+          { value: "rss", label: "RSS \u2014 /feed.xml" },
+          { value: "webhook", label: "Webhook \u2014 POST events to external URLs" }
+        ],
+        initialValues: ["seo"],
+        required: false
+      })
+    },
+    {
+      onCancel: () => {
+        p.cancel("Cancelled.");
+        process.exit(0);
+      }
+    }
+  );
+  const themes = result.themes;
+  if (themes.length === 0) {
+    p.cancel("At least one theme must be selected.");
+    return null;
+  }
+  const confirmed = await p.confirm({
+    message: `Create project "${result.projectName}"?`,
+    initialValue: true
+  });
+  if (p.isCancel(confirmed) || !confirmed) {
+    p.cancel("Cancelled.");
+    return null;
+  }
+  return {
+    projectName: result.projectName,
+    siteName: result.siteName,
+    themes,
+    defaultTheme: themes[0],
+    plugins: result.plugins
+  };
+}
+
+// src/scaffold.ts
+import { cp, readFile, writeFile, readdir, mkdir, rm } from "fs/promises";
+import { join, extname, resolve as resolve2 } from "path";
+
+// src/templates.ts
+import { existsSync } from "fs";
+import { fileURLToPath } from "url";
+import { resolve } from "path";
+function resolveTemplatesDir() {
+  const distDir = resolve(fileURLToPath(import.meta.url), "..");
+  const bundled = resolve(distDir, "templates");
+  if (existsSync(bundled)) return bundled;
+  return resolve(distDir, "..", "..", "..", "templates");
+}
+var templatesDir = resolveTemplatesDir();
+function sharedTemplateDir() {
+  return resolve(templatesDir, "_shared");
+}
+function templatePath(theme) {
+  return resolve(templatesDir, theme);
+}
+
+// src/scaffold.ts
+var TEXT_EXTENSIONS = /* @__PURE__ */ new Set([
+  ".json",
+  ".md",
+  ".ts",
+  ".tsx",
+  ".js",
+  ".jsx",
+  ".mjs",
+  ".cjs",
+  ".html",
+  ".css",
+  ".env",
+  ".txt",
+  ".yaml",
+  ".yml",
+  ".toml",
+  ".gitignore"
+]);
+async function substituteFile(filePath, vars) {
+  const ext = extname(filePath) || filePath.endsWith(".gitignore") ? ".gitignore" : "";
+  if (!TEXT_EXTENSIONS.has(ext)) return;
+  const content = await readFile(filePath, "utf-8");
+  const replaced = content.replace(/\{\{(\w+)\}\}/g, (_, key) => vars[key] ?? `{{${key}}}`);
+  if (replaced !== content) await writeFile(filePath, replaced, "utf-8");
+}
+async function substituteDir(dirPath, vars) {
+  const entries = await readdir(dirPath, { withFileTypes: true });
+  await Promise.all(
+    entries.map(async (entry) => {
+      const fullPath = join(dirPath, entry.name);
+      if (entry.isDirectory()) {
+        await substituteDir(fullPath, vars);
+      } else {
+        await substituteFile(fullPath, vars);
+      }
+    })
+  );
+}
+function buildRegistry(themes) {
+  const imports = themes.map((t) => `import ${t} from '@/themes/${t}'`).join("\n");
+  const map = themes.map((t) => `  ${t},`).join("\n");
+  return `// Generated by create-ampless. Lists every theme installed under
+// \`themes/<name>/\`. Adding a theme = drop a directory under themes/,
+// add an import + map entry below, and redeploy.
+//
+// \`theme.active\` (per-site, in KvStore) picks which theme renders for
+// each request; everything listed here gets bundled so switching is
+// instant.
+
+${imports}
+
+export const themes = {
+${map}
+} as const
+
+export type ThemeName = keyof typeof themes
+
+export const themeList = Object.values(themes)
+
+export const DEFAULT_THEME: ThemeName = (themeList[0]?.name as ThemeName) ?? '${themes[0]}'
+`;
+}
+async function scaffold(sharedDir, themesRoot, destDir, opts) {
+  await cp(sharedDir, destDir, { recursive: true });
+  const destThemesDir = resolve2(destDir, "themes");
+  await rm(destThemesDir, { recursive: true, force: true });
+  await mkdir(destThemesDir, { recursive: true });
+  for (const theme of opts.themes) {
+    const src = templatePath(theme);
+    const dst = resolve2(destThemesDir, theme);
+    await cp(src, dst, { recursive: true });
+  }
+  void themesRoot;
+  const registryPath = resolve2(destDir, "themes-registry.ts");
+  await writeFile(registryPath, buildRegistry(opts.themes), "utf-8");
+  const vars = {
+    projectName: opts.projectName,
+    siteName: opts.siteName,
+    year: String((/* @__PURE__ */ new Date()).getFullYear()),
+    plugins: JSON.stringify(opts.plugins),
+    themes: JSON.stringify(opts.themes),
+    defaultTheme: opts.defaultTheme
+  };
+  await substituteDir(destDir, vars);
+}
+
+// src/index.ts
+import pc from "picocolors";
+async function main() {
+  const argProjectName = process.argv[2];
+  const opts = await runPrompts(argProjectName);
+  if (!opts) return;
+  const destDir = resolve3(process.cwd(), opts.projectName);
+  if (existsSync2(destDir)) {
+    log.error(`Directory already exists: ${destDir}`);
+    process.exit(1);
+  }
+  const sharedDir = sharedTemplateDir();
+  const s = spinner();
+  s.start("Scaffolding project...");
+  try {
+    await scaffold(sharedDir, templatesDir, destDir, opts);
+    s.stop("Done!");
+  } catch (err) {
+    s.stop("Failed.");
+    log.error(String(err));
+    process.exit(1);
+  }
+  outro(
+    `${pc.green("\u2714")} Project created at ${pc.bold(opts.projectName)}
+
+  Next steps:
+    ${pc.cyan("cd")} ${opts.projectName}
+    ${pc.cyan("npm install")}
+    ${pc.cyan("npx ampx sandbox")}   ${pc.dim("# start Amplify backend")}
+    ${pc.cyan("npm run dev")}         ${pc.dim("# start Next.js")}`
+  );
+}
+main().catch((err) => {
+  console.error(err);
+  process.exit(1);
+});

package/dist/templates/_shared/RUNBOOK.md

@@ -0,0 +1,178 @@
+# Runbook
+
+Operational tasks for an ampless-powered site.
+
+## AppSync API key (auto-renewed)
+
+Public blog reads (`listPublishedPosts`, `getPublishedPost`,
+`listPostsByTag`) are gated by an AppSync API key. The key lives in
+`amplify_outputs.json` and is therefore **visible to anyone visiting
+the public site** — treat it as a low-trust credential. Its only
+privilege is calling the three custom queries, which themselves only
+return rows where `status === 'published'`.
+
+### Why an API key (and not the Identity Pool guest role)?
+
+Amplify Gen 2 `a.handler.custom` resolvers don't support `allow.guest()`
+or `allow.authenticated('identityPool')` — only apiKey / userPool /
+lambda / group / owner. v0.1 chose API key for simplicity; switching
+the public reads to a Lambda function data source (`a.handler.function`)
+is a v0.2 candidate.
+
+### Auto-renewal — no rotation runbook required
+
+The `api-key-renewer` Lambda (see `amplify/functions/api-key-renewer/`)
+is invoked by an EventBridge schedule on the 1st of every month at
+03:00 UTC. It calls `AppSync.UpdateApiKey` to push `expires` to
+"now + 364 days" on the existing key, so:
+
+- the key id never changes,
+- `amplify_outputs.json` stays valid,
+- the Next.js app does not need to be rebuilt,
+- at any moment, the key has at least ~334 days of remaining validity.
+
+If you want to inspect or trigger it manually:
+
+```bash
+# verify current expiry
+aws appsync list-api-keys \
+  --region <region-from-amplify_outputs.json:data.aws_region> \
+  --api-id <api-id-derived-from-amplify_outputs.json:data.url>
+
+# manual run (e.g. after a long sandbox pause)
+aws lambda invoke \
+  --function-name $(aws lambda list-functions \
+    --query "Functions[?contains(FunctionName,'api-key-renewer')].FunctionName | [0]" \
+    --output text) \
+  /tmp/out.json && cat /tmp/out.json
+```
+
+### If a key is suspected leaked
+
+Immediate response is to rotate the key value (not just push expiry):
+
+1. In `amplify/data/resource.ts`, edit a comment to force a CFN update
+2. Run `npx ampx sandbox` (sandbox) or `npx ampx pipeline-deploy ...`
+   (production) — Amplify regenerates the key value
+3. Re-deploy the Next.js app so SSR picks up the new `data.api_key`
+
+## Common operations
+
+### Promote / demote a user
+
+Use the AWS Cognito console:
+
+1. User Pool → Users → pick the user
+2. Group memberships → Add to / remove from group
+3. Have the user sign out and back in for the new claims to apply
+
+Groups: `ampless-admin` (full CRUD + ops), `ampless-editor` (content
+CRUD), `ampless-reader` (reserved for future REST/MCP API consumers).
+
+### Reset a user's password (admin override)
+
+If someone is locked out and email-based recovery isn't an option:
+
+```bash
+aws cognito-idp admin-set-user-password \
+  --user-pool-id <pool-id-from-amplify_outputs.json:auth.user_pool_id> \
+  --region <region> \
+  --username <email> \
+  --password '<new-password>' --permanent
+```
+
+The `/login` page also has a self-service "Forgot password?" flow.
+
+### Restore from a Post-table backup
+
+DynamoDB Point-in-Time Recovery is **not** enabled by `defineData` in
+v0.1; turn it on manually via AWS Console → DynamoDB → Tables →
+`<your post table>` → Backups → Edit PITR. Once enabled, restoration
+takes the form `aws dynamodb restore-table-to-point-in-time` to a new
+table; you'll need to migrate items back to the live table afterwards.
+
+### Inspect failed plugin events
+
+Failed processor invocations land in the shared events DLQ created in
+`amplify/backend.ts` (`EventsDlq`). View messages via the SQS console
+or `aws sqs receive-message --queue-url <dlq-url> --max-number-of-messages 10`.
+There's no automated alarm in v0.1 — periodic manual checks recommended,
+or wire up a CloudWatch alarm on `ApproximateNumberOfMessagesVisible`.
+
+## Multi-site / custom domains
+
+ampless can serve multiple sites from one Amplify Hosting deployment.
+Each site is identified by a `siteId` and bound to one or more
+hostnames via `cms.config.ts`:
+
+```ts
+sites: {
+  blog: {
+    domains: ['blog.example.com', 'www.example.com'],
+    name: 'My Blog',
+    url: 'https://blog.example.com',
+  },
+  docs: {
+    domains: ['docs.example.com'],
+    name: 'Docs',
+    url: 'https://docs.example.com',
+  },
+},
+```
+
+The middleware (`middleware.ts`) maps incoming `Host` to a `siteId` and
+internally rewrites the path to `/_sites/{siteId}/...`. Subdomains and
+fully separate domains are equivalent at the application layer — only
+the AWS-side wiring differs.
+
+### Single domain operation
+
+If `sites` is undefined or has only one entry, ampless runs in
+single-site mode (`siteId='default'`). SSR responses follow each page's
+own caching directives (so you can opt into CloudFront caching with
+`Cache-Control: public, s-maxage=...` per route).
+
+### Multi-site mode caveat: SSR caching is force-disabled
+
+When two or more sites are declared, the middleware adds
+`Cache-Control: private, no-store` to every public response. This is
+because Amplify Hosting's CloudFront does not include `Host` in its
+cache key — leaving caching on would let `https://site1/foo` and
+`https://site2/foo` cross-contaminate at the edge. The trade-off is
+that every public read hits Lambda. Lifting it requires moving off
+Amplify Hosting onto a self-managed CloudFront + Open Next stack
+(roadmap: post-v1.0).
+
+### Adding a custom domain to Amplify Hosting
+
+For each domain you want to bind:
+
+1. **Amplify Hosting console** → your app → **Domain management** →
+   **Add domain**.
+2. Enter the apex domain (`example.com`) and the subdomains you want
+   to attach. Amplify provisions an ACM certificate and a CloudFront
+   SAN entry automatically.
+3. Update DNS:
+   - **Same DNS provider as Route 53 / Amplify managed**: Amplify
+     creates the CNAMEs for you, just confirm.
+   - **External DNS** (Cloudflare, Squarespace, etc.): Amplify shows
+     CNAME / DNS verification records to copy. ACM email-validation
+     also works as a fallback.
+4. Wait for the **Domain activation** to finish (typically 15–60
+   minutes; certificate validation is the slow step).
+5. Add the new domain to the matching `sites.{id}.domains[]` in
+   `cms.config.ts` and redeploy:
+   ```bash
+   git add cms.config.ts && git commit -m "feat: add docs.example.com"
+   git push   # Amplify Hosting picks it up
+   ```
+
+Verify end-to-end:
+
+```bash
+curl -I https://docs.example.com/                  # 200 with the docs site's HTML
+curl -sI https://docs.example.com/ | grep -i cache # Cache-Control: private, no-store
+```
+
+If the request returns `404 Site not found` instead, the host is not
+listed in any `sites.*.domains[]` — fix the config and redeploy.

package/dist/templates/_shared/amplify/auth/post-confirmation/handler.ts

@@ -0,0 +1,4 @@
+// Re-exported from @ampless/backend so the package can ship Lambda
+// handler updates via `npm update`. Amplify's esbuild follows this
+// import and bundles the real handler into the Lambda artifact.
+export { handler } from '@ampless/backend/auth/post-confirmation'

package/dist/templates/_shared/amplify/auth/post-confirmation/resource.ts

@@ -0,0 +1,6 @@
+import { defineFunction } from '@aws-amplify/backend'
+
+export const postConfirmation = defineFunction({
+  name: 'post-confirmation',
+  entry: './handler.ts',
+})

package/dist/templates/_shared/amplify/auth/resource.ts

@@ -0,0 +1,8 @@
+import { defineAmplessAuth } from '@ampless/backend'
+import { postConfirmation } from './post-confirmation/resource.js'
+
+// Provisions a Cognito User Pool + Identity Pool with the three role
+// groups (ampless-admin, ampless-editor, ampless-reader) and wires in
+// the post-confirmation Lambda that promotes the first confirmed user
+// to ampless-admin.
+export const auth = defineAmplessAuth({ postConfirmation })

package/dist/templates/_shared/amplify/backend.ts

@@ -0,0 +1,29 @@
+import { defineAmplessBackend } from '@ampless/backend'
+
+import { auth } from './auth/resource.js'
+import { data } from './data/resource.js'
+import { storage } from './storage/resource.js'
+import { postConfirmation } from './auth/post-confirmation/resource.js'
+import { eventDispatcher } from './events/dispatcher/resource.js'
+import { processorTrusted } from './events/processor-trusted/resource.js'
+import { processorUntrusted } from './events/processor-untrusted/resource.js'
+import { apiKeyRenewer } from './functions/api-key-renewer/resource.js'
+
+// `defineAmplessBackend` provisions auth, data, storage, the event
+// system (DynamoDB Streams → SQS-trusted / SQS-untrusted → trust_level
+// Lambdas), the AppSync API key renewer, and every IAM / CORS /
+// password policy override. Add custom CDK constructs / IAM policies
+// below by mutating the returned `backend` — `defineAmplessBackend`
+// returns the same object Amplify Gen 2's `defineBackend` does.
+const backend = defineAmplessBackend({
+  auth,
+  data,
+  storage,
+  postConfirmation,
+  eventDispatcher,
+  processorTrusted,
+  processorUntrusted,
+  apiKeyRenewer,
+})
+
+export default backend

package/dist/templates/_shared/amplify/data/get-published-post.js

@@ -0,0 +1,33 @@
+import { util } from '@aws-appsync/utils'
+
+// AppSync JS resolver: returns a single published post by slug.
+//
+// Reads the `bySiteIdSlug` GSI: PK = `${siteId}#${slug}`. A given
+// (site, slug) tuple identifies at most one row, so this is an O(1)
+// PK Query — no scan, no filter, no per-partition limit issues.
+//
+// Drafts are dropped in the response handler. The admin form
+// enforces a unique slug per site at the application layer, but if
+// somehow draft + published share a slug we prefer the published row.
+export function request(ctx) {
+  const siteId = ctx.args.siteId ?? 'default'
+  const slug = ctx.args.slug
+  const partition = `${siteId}#${slug}`
+  return {
+    operation: 'Query',
+    index: 'bySiteIdSlug',
+    query: {
+      expression: '#siteIdSlug = :siteIdSlug',
+      expressionNames: { '#siteIdSlug': 'siteIdSlug' },
+      expressionValues: util.dynamodb.toMapValues({ ':siteIdSlug': partition }),
+    },
+    limit: 5,
+  }
+}
+
+export function response(ctx) {
+  if (ctx.error) util.error(ctx.error.message, ctx.error.type)
+  const items = ctx.result.items ?? []
+  const published = items.find((i) => i.status === 'published')
+  return published ?? null
+}

package/dist/templates/_shared/amplify/data/list-posts-by-tag.js

@@ -0,0 +1,52 @@
+import { util } from '@aws-appsync/utils'
+
+// AppSync JS resolver: list published posts for a given tag, newest first.
+// Reads the denormalized PostTag table where:
+//   PK = `${siteId}#${tag}`
+//   SK = `${publishedAt}#${postId}` (so descending SK = newest first)
+//
+// Authorization is enforced by AppSync; the resolver itself only encodes
+// the tag/site partition condition. Drafts never appear here because the
+// admin client only writes PostTag rows for posts whose status is
+// 'published'.
+export function request(ctx) {
+  const { siteId = 'default', tag, limit, nextToken } = ctx.args
+  return {
+    operation: 'Query',
+    query: {
+      expression: '#siteIdTag = :siteIdTag',
+      expressionNames: { '#siteIdTag': 'siteIdTag' },
+      expressionValues: util.dynamodb.toMapValues({
+        ':siteIdTag': `${siteId}#${tag}`,
+      }),
+    },
+    scanIndexForward: false, // newest first (SK descends)
+    limit: limit ?? 20,
+    nextToken: nextToken ?? undefined,
+  }
+}
+
+export function response(ctx) {
+  if (ctx.error) util.error(ctx.error.message, ctx.error.type)
+
+  // PostTag rows are summary records (no `body`). Map them to the same
+  // PublicPost shape `listPublishedPosts` returns; the detail view should
+  // call `getPublishedPost(slug)` for the full body.
+  const items = (ctx.result.items ?? []).map((row) => ({
+    siteId: row.siteId,
+    postId: row.postId,
+    slug: row.slug,
+    title: row.title,
+    excerpt: row.excerpt ?? null,
+    format: 'markdown',
+    body: null,
+    status: 'published',
+    publishedAt: row.publishedAt,
+    tags: row.tags ?? [],
+  }))
+
+  return {
+    items,
+    nextToken: ctx.result.nextToken ?? null,
+  }
+}

package/dist/templates/_shared/amplify/data/list-published-posts.js

@@ -0,0 +1,57 @@
+import { util } from '@aws-appsync/utils'
+
+// AppSync JS resolver: list a site's published posts, newest first.
+//
+// Reads the `bySiteIdStatus` GSI:
+//   PK = `${siteId}#${status}`   (denormalized field set by writers)
+//   SK = publishedAt
+// so a single Query reads only one site's published partition. Drafts
+// never appear because the PK condition pins status='published'.
+//
+// Date-range filtering (`from`, `to`) is pushed into the SK condition,
+// so DynamoDB only reads the matching range. `nextToken` paginates
+// without re-issuing a fresh query.
+export function request(ctx) {
+  const { siteId = 'default', from, to, limit, nextToken } = ctx.args
+
+  const partition = `${siteId}#published`
+  let keyExpression = '#siteIdStatus = :siteIdStatus'
+  const expressionNames = { '#siteIdStatus': 'siteIdStatus' }
+  const expressionValueMap = { ':siteIdStatus': partition }
+
+  if (from && to) {
+    keyExpression += ' AND #publishedAt BETWEEN :from AND :to'
+    expressionNames['#publishedAt'] = 'publishedAt'
+    expressionValueMap[':from'] = from
+    expressionValueMap[':to'] = to
+  } else if (from) {
+    keyExpression += ' AND #publishedAt >= :from'
+    expressionNames['#publishedAt'] = 'publishedAt'
+    expressionValueMap[':from'] = from
+  } else if (to) {
+    keyExpression += ' AND #publishedAt <= :to'
+    expressionNames['#publishedAt'] = 'publishedAt'
+    expressionValueMap[':to'] = to
+  }
+
+  return {
+    operation: 'Query',
+    index: 'bySiteIdStatus',
+    query: {
+      expression: keyExpression,
+      expressionNames,
+      expressionValues: util.dynamodb.toMapValues(expressionValueMap),
+    },
+    scanIndexForward: false, // newest first
+    limit: limit ?? 20,
+    nextToken: nextToken ?? undefined,
+  }
+}
+
+export function response(ctx) {
+  if (ctx.error) util.error(ctx.error.message, ctx.error.type)
+  return {
+    items: ctx.result.items ?? [],
+    nextToken: ctx.result.nextToken ?? null,
+  }
+}