effortless-aws 0.36.1 → 0.37.0

package/README.md

@@ -2,48 +2,49 @@
 
 [![npm version](https://img.shields.io/npm/v/effortless-aws)](https://www.npmjs.com/package/effortless-aws)
 
-Code-first AWS Lambda framework. Export handlers, deploy with one command. No YAML, no CloudFormation, no state files.
+You write handlers. The framework builds, bundles, provisions AWS resources, wires IAM permissions, and deploys — all from your TypeScript code.
 
-```bash
-npm install effortless-aws
-```
+Your TypeScript is the single source of truth — for code and infrastructure.
 
-## What it looks like
+## You write this
 
 ```typescript
-import { defineApi } from "effortless-aws";
+import { defineApi, defineTable } from "effortless-aws";
+
+const db = defineTable<Order>();
 
-export const hello = defineApi({ basePath: "/hello" })
-  .get("/", async ({ ok }) => ok({ message: "Hello!" }));
+export const api = defineApi({ basePath: "/orders" })
+  .deps(() => ({ db }))
+  .get("/{id}", async ({ params, deps, ok }) => {
+    const order = await deps.db.get(params.id);
+    return ok(order);
+  });
 ```
 
-## Handlers
+## You run this
 
-| Handler | Description |
-|---------|-------------|
-| `defineApi` | HTTP API with typed GET/POST routes via Lambda Function URL |
-| `defineApp` | SSR framework deployment (Nuxt, Next.js) via CloudFront |
-| `defineTable` | DynamoDB table with stream processing |
-| `defineFifoQueue` | SQS FIFO queue consumer |
-| `defineBucket` | S3 bucket with event triggers |
-| `defineMailer` | SES email sending |
-| `defineStaticSite` | CloudFront + S3 static site with optional middleware |
+```bash
+eff deploy
+```
 
-## Features
+## The framework handles the rest
 
-- **Infrastructure from code** — export a handler, get the AWS resources
-- **Typed everything** — `defineTable<Order>()` gives you typed `put()`, typed `deps.orders.get()`, typed `record.new`
-- **Cross-handler deps** — `.deps(() => ({ orders }))` auto-wires IAM and injects a typed `TableClient`
-- **SSM params** — `.config(({ defineSecret }) => ...)` fetches secrets from Parameter Store at cold start
-- **Static files** — `static: ["templates/*.ejs"]` bundles files into the Lambda ZIP
-- **Cold start caching** — `setup` factory runs once per cold start, cached across invocations
+From the example above, `eff deploy` will:
 
-Deploy with [`@effortless-aws/cli`](https://www.npmjs.com/package/@effortless-aws/cli).
+- **Bundle** your code with esbuild and package dependencies into a Lambda layer
+- **Create a DynamoDB table** with streams and indexes — from `defineTable<Order>()`
+- **Create a Lambda** with a public HTTP endpoint — from `defineApi()`
+- **Wire IAM permissions** so the API can read/write the table — from `.deps(() => ({ db }))`
+- **Type everything** — `deps.db.get()` returns `Order`, no casts, no `as any`
+
+The same principle works for S3 buckets, SQS queues, SES email, static sites, SSR apps, cron jobs — define a handler, the infrastructure follows.
 
 ## Documentation
 
 Full docs, examples, and API reference: **[effortless-aws.website](https://effortless-aws.website)**
 
+Deploy with [`@effortless-aws/cli`](https://www.npmjs.com/package/@effortless-aws/cli).
+
 ## License
 
 MIT

package/dist/auth-YWMYFMBX.js

@@ -0,0 +1,11 @@
+import {
+  AUTH_COOKIE_NAME,
+  createAuthRuntime,
+  signCfCookies
+} from "./chunk-4UKWMWM5.js";
+import "./chunk-VONNUUEN.js";
+export {
+  AUTH_COOKIE_NAME,
+  createAuthRuntime,
+  signCfCookies
+};

package/dist/bucket-client-FRWISKEB.js

@@ -0,0 +1,9 @@
+import {
+  createBucketClient,
+  createBucketClientWithEntities
+} from "./chunk-UU3AKDJU.js";
+import "./chunk-U56MLLWP.js";
+export {
+  createBucketClient,
+  createBucketClientWithEntities
+};

package/dist/chunk-3NKYT4OX.js

@@ -0,0 +1,268 @@
+import {
+  toSeconds
+} from "./chunk-VONNUUEN.js";
+
+// src/runtime/handler-utils.ts
+import { readFileSync } from "fs";
+import { join } from "path";
+var lazyTableClient = async (name, opts) => {
+  const { createTableClient } = await import("./table-client-BBLIC3EV.js");
+  return createTableClient(name, opts);
+};
+var lazyBucketClient = async (name) => {
+  const { createBucketClient } = await import("./bucket-client-FRWISKEB.js");
+  return createBucketClient(name);
+};
+var lazyBucketClientWithEntities = async (name, config) => {
+  const { createBucketClientWithEntities } = await import("./bucket-client-FRWISKEB.js");
+  return createBucketClientWithEntities(name, config);
+};
+var lazyEmailClient = async () => {
+  const { createEmailClient } = await import("./email-client-RMDQDOYI.js");
+  return createEmailClient();
+};
+var lazyQueueClient = async (name) => {
+  const { createQueueClient } = await import("./queue-client-WDAJYGQO.js");
+  return createQueueClient(name);
+};
+var lazyWorkerClient = async (name) => {
+  const { createWorkerClient } = await import("./worker-client-ZS25XCC2.js");
+  return createWorkerClient(name);
+};
+var lazyGetParameters = async (paths) => {
+  const { getParameters } = await import("./ssm-client-2XDJC3HF.js");
+  return getParameters(paths);
+};
+var lazyCreateAuthRuntime = async (secret, defaultExpiresIn, apiTokenVerify, apiTokenHeader, apiTokenCacheTtlSeconds, cfSigningConfig) => {
+  const { createAuthRuntime } = await import("./auth-YWMYFMBX.js");
+  return createAuthRuntime(secret, defaultExpiresIn, apiTokenVerify, apiTokenHeader, apiTokenCacheTtlSeconds, cfSigningConfig);
+};
+var ENV_DEP_PREFIX = "EFF_DEP_";
+var ENV_PARAM_PREFIX = "EFF_PARAM_";
+var LOG_RANK = { error: 0, info: 1, debug: 2 };
+var truncate = (value, maxLength = 4096) => {
+  if (value === void 0 || value === null) return value;
+  const str = typeof value === "string" ? value : JSON.stringify(value);
+  if (str.length <= maxLength) return value;
+  return str.slice(0, maxLength) + "...[truncated]";
+};
+var DEP_FACTORIES = {
+  table: (name, depHandler) => {
+    const tagField = depHandler?.__spec?.tagField;
+    return lazyTableClient(name, tagField ? { tagField } : void 0);
+  },
+  bucket: (name, depHandler) => {
+    const entities = depHandler?.__spec?.entities;
+    if (entities && Object.keys(entities).length > 0) {
+      const config = {};
+      for (const [entityName, entityOpts] of Object.entries(entities)) {
+        config[entityName] = entityOpts.cache ? { cacheSeconds: toSeconds(entityOpts.cache) } : {};
+      }
+      return lazyBucketClientWithEntities(name, config);
+    }
+    return lazyBucketClient(name);
+  },
+  mailer: () => lazyEmailClient(),
+  queue: (name) => lazyQueueClient(name),
+  worker: (name) => lazyWorkerClient(name)
+};
+var parseDepValue = (raw) => {
+  const idx = raw.indexOf(":");
+  return { type: raw.slice(0, idx), name: raw.slice(idx + 1) };
+};
+var resolveDepsInput = (deps) => typeof deps === "function" ? deps() : deps;
+var buildDeps = async (rawDeps) => {
+  const deps = resolveDepsInput(rawDeps);
+  if (!deps) return void 0;
+  const result = {};
+  const entries = Object.keys(deps).map((key) => {
+    const raw = process.env[`${ENV_DEP_PREFIX}${key}`];
+    if (!raw) throw new Error(`Missing environment variable ${ENV_DEP_PREFIX}${key} for dep "${key}"`);
+    const { type, name } = parseDepValue(raw);
+    const factory = DEP_FACTORIES[type];
+    if (!factory) throw new Error(`Unknown dep type "${type}" for dep "${key}"`);
+    return { key, promise: factory(name, deps[key]) };
+  });
+  for (const { key, promise } of entries) {
+    result[key] = await promise;
+  }
+  return result;
+};
+var buildParams = async (params) => {
+  if (!params) return void 0;
+  const entries = [];
+  for (const propName of Object.keys(params)) {
+    const ssmPath = process.env[`${ENV_PARAM_PREFIX}${propName}`];
+    if (!ssmPath) {
+      throw new Error(`Missing environment variable ${ENV_PARAM_PREFIX}${propName} for param "${propName}"`);
+    }
+    entries.push({ propName, ssmPath });
+  }
+  if (entries.length === 0) return void 0;
+  const values = await lazyGetParameters(entries.map((e) => e.ssmPath));
+  const result = {};
+  for (const { propName, ssmPath } of entries) {
+    const raw = values.get(ssmPath) ?? "";
+    const ref = params[propName];
+    const transform = typeof ref === "object" && ref !== null && "transform" in ref && typeof ref.transform === "function" ? ref.transform : void 0;
+    result[propName] = transform ? transform(raw) : raw;
+  }
+  return result;
+};
+var resolvePath = (filePath) => join(process.cwd(), filePath);
+var staticFiles = {
+  read: (filePath) => readFileSync(resolvePath(filePath), "utf-8"),
+  readBuffer: (filePath) => readFileSync(resolvePath(filePath)),
+  path: resolvePath
+};
+var createHandlerRuntime = (handler, handlerType, logLevel = "info", extraSetupArgs) => {
+  const handlerName = process.env.EFF_HANDLER ?? "unknown";
+  const rank = LOG_RANK[logLevel];
+  let ctx = null;
+  let resolvedAuthRuntime = null;
+  let depsPromise = null;
+  const getDeps = () => depsPromise ??= buildDeps(handler.deps);
+  let configPromise = null;
+  const getConfig = () => configPromise ??= buildParams(handler.config);
+  let resolvedCfSigningConfig = null;
+  const getCfSigningConfig = async () => {
+    if (resolvedCfSigningConfig !== null) return resolvedCfSigningConfig;
+    const cfSigningKeySsmPath = process.env.EFF_CF_SIGNING_KEY;
+    const cfKeyPairId = process.env.EFF_CF_KEY_PAIR_ID;
+    const cfDomain = process.env.EFF_CF_DOMAIN;
+    if (!cfSigningKeySsmPath || !cfKeyPairId || !cfDomain) {
+      resolvedCfSigningConfig = void 0;
+      return void 0;
+    }
+    const values = await lazyGetParameters([cfSigningKeySsmPath]);
+    const privateKey = values.get(cfSigningKeySsmPath);
+    if (!privateKey) {
+      resolvedCfSigningConfig = void 0;
+      return void 0;
+    }
+    resolvedCfSigningConfig = { privateKey, keyPairId: cfKeyPairId, domain: cfDomain };
+    return resolvedCfSigningConfig;
+  };
+  const getAuthRuntime = async () => {
+    if (resolvedAuthRuntime !== null) return resolvedAuthRuntime;
+    if (!handler.authFn) {
+      resolvedAuthRuntime = void 0;
+      return void 0;
+    }
+    const config = await getConfig();
+    const deps = await getDeps();
+    const authArgs = {};
+    if (config) authArgs.config = config;
+    if (deps) authArgs.deps = deps;
+    const authOpts = await handler.authFn(authArgs);
+    if (!authOpts?.secret) {
+      resolvedAuthRuntime = void 0;
+      return void 0;
+    }
+    const secret = authOpts.secret;
+    resolvedAuthHeaderName = authOpts.apiToken?.header;
+    const defaultExpires = authOpts.expiresIn ? toSeconds(authOpts.expiresIn) : 604800;
+    const apiToken = authOpts.apiToken;
+    const cacheTtlSeconds = apiToken?.cacheTtl ? toSeconds(apiToken.cacheTtl) : void 0;
+    const rawVerify = apiToken?.verify;
+    const wrappedVerify = rawVerify ? (args) => rawVerify(args.value) : void 0;
+    const cfSigningConfig = await getCfSigningConfig();
+    resolvedAuthRuntime = await lazyCreateAuthRuntime(
+      secret,
+      defaultExpires,
+      wrappedVerify,
+      apiToken?.header,
+      cacheTtlSeconds,
+      cfSigningConfig
+    );
+    return resolvedAuthRuntime;
+  };
+  const getSetup = async () => {
+    if (ctx !== null) return ctx;
+    if (handler.setup) {
+      const config = await getConfig();
+      const deps = await getDeps();
+      const args = {};
+      if (config) args.config = config;
+      if (deps) args.deps = deps;
+      if (handler.static) args.files = staticFiles;
+      if (extraSetupArgs) Object.assign(args, await extraSetupArgs());
+      ctx = await handler.setup(args);
+    }
+    return ctx;
+  };
+  let resolvedAuthHeaderName;
+  const commonArgs = async (cookieValue, authHeader, headers) => {
+    const args = {};
+    if (handler.setup) args.ctx = await getSetup();
+    const deps = await getDeps();
+    if (deps) args.deps = deps;
+    const config = await getConfig();
+    if (config) args.config = config;
+    if (handler.static) args.files = staticFiles;
+    const authRuntime = await getAuthRuntime();
+    if (authRuntime) {
+      let finalAuthHeader = authHeader;
+      if (finalAuthHeader === void 0 && headers && resolvedAuthHeaderName) {
+        finalAuthHeader = headers[resolvedAuthHeaderName] ?? headers[resolvedAuthHeaderName.toLowerCase()] ?? void 0;
+      }
+      args.auth = await authRuntime.forRequest(cookieValue, finalAuthHeader);
+    }
+    return args;
+  };
+  const logExecution = (startTime, input, output) => {
+    if (rank < LOG_RANK.info) return;
+    const entry = {
+      level: "info",
+      handler: handlerName,
+      type: handlerType,
+      ms: Date.now() - startTime
+    };
+    if (rank >= LOG_RANK.debug) {
+      entry.input = truncate(input);
+      entry.output = truncate(output);
+    }
+    console.log(JSON.stringify(entry));
+  };
+  const logError = (startTime, input, error) => {
+    const entry = {
+      level: "error",
+      handler: handlerName,
+      type: handlerType,
+      ms: Date.now() - startTime,
+      error: error instanceof Error ? error.message : String(error)
+    };
+    if (rank >= LOG_RANK.debug) {
+      entry.input = truncate(input);
+    }
+    console.error(JSON.stringify(entry));
+  };
+  const noop = () => {
+  };
+  const saved = { log: console.log, info: console.info, debug: console.debug };
+  const patchConsole = () => {
+    if (rank < LOG_RANK.debug) console.debug = noop;
+    if (rank < LOG_RANK.info) {
+      console.log = noop;
+      console.info = noop;
+    }
+  };
+  const restoreConsole = () => {
+    console.log = saved.log;
+    console.info = saved.info;
+    console.debug = saved.debug;
+  };
+  const preload = async () => {
+    await getDeps();
+    await getConfig();
+    await getAuthRuntime();
+    await getSetup();
+  };
+  return { preload, commonArgs, logExecution, logError, patchConsole, restoreConsole, handlerName };
+};
+
+export {
+  buildDeps,
+  buildParams,
+  createHandlerRuntime
+};

package/dist/chunk-4UKWMWM5.js

@@ -0,0 +1,113 @@
+import {
+  toSeconds
+} from "./chunk-VONNUUEN.js";
+
+// src/handlers/auth.ts
+import * as crypto from "crypto";
+var cfBase64Encode = (buffer) => buffer.toString("base64").replace(/\+/g, "-").replace(/=/g, "_").replace(/\//g, "~");
+var signCfCookies = (policy, config) => {
+  const ttlSeconds = toSeconds(policy.ttl);
+  const expireTime = Math.floor(Date.now() / 1e3) + ttlSeconds;
+  const resource = config.domain === "*" ? `https://*${policy.path}` : `https://${config.domain}${policy.path}`;
+  const policyJson = JSON.stringify({
+    Statement: [{
+      Resource: resource,
+      Condition: {
+        DateLessThan: { "AWS:EpochTime": expireTime }
+      }
+    }]
+  });
+  const policyBase64 = cfBase64Encode(Buffer.from(policyJson, "utf-8"));
+  const signature = cfBase64Encode(
+    crypto.sign("sha1", Buffer.from(policyJson, "utf-8"), config.privateKey)
+  );
+  const cookieAttrs = `; Secure; SameSite=Lax; Path=/; Max-Age=${ttlSeconds}`;
+  return [
+    `CloudFront-Policy=${policyBase64}${cookieAttrs}`,
+    `CloudFront-Signature=${signature}${cookieAttrs}`,
+    `CloudFront-Key-Pair-Id=${config.keyPairId}${cookieAttrs}`
+  ];
+};
+var AUTH_COOKIE_NAME = "__eff_session";
+var createAuthRuntime = (secret, defaultExpiresIn, apiTokenVerify, apiTokenHeader, apiTokenCacheTtlSeconds, cfSigningConfig) => {
+  const tokenCache = apiTokenCacheTtlSeconds ? /* @__PURE__ */ new Map() : void 0;
+  const sign2 = (payload) => crypto.createHmac("sha256", secret).update(payload).digest("base64url");
+  const cookieBase = `${AUTH_COOKIE_NAME}=`;
+  const cookieAttrs = "; HttpOnly; Secure; SameSite=Lax; Path=/";
+  const decodeSession = (cookieValue) => {
+    if (!cookieValue) return void 0;
+    const dot = cookieValue.indexOf(".");
+    if (dot === -1) return void 0;
+    const payload = cookieValue.slice(0, dot);
+    const sig = cookieValue.slice(dot + 1);
+    if (sign2(payload) !== sig) return void 0;
+    try {
+      const parsed = JSON.parse(Buffer.from(payload, "base64url").toString("utf-8"));
+      if (parsed.exp <= Math.floor(Date.now() / 1e3)) return void 0;
+      const { exp: _, ...data } = parsed;
+      return Object.keys(data).length > 0 ? data : void 0;
+    } catch {
+      return void 0;
+    }
+  };
+  const extractTokenValue = (headerValue) => {
+    const isDefaultHeader = !apiTokenHeader || apiTokenHeader.toLowerCase() === "authorization";
+    if (isDefaultHeader && headerValue.toLowerCase().startsWith("bearer ")) {
+      return headerValue.slice(7);
+    }
+    return headerValue;
+  };
+  const buildHelpers = (sessionData) => ({
+    createSession(data, options) {
+      const seconds = options?.expiresIn ? toSeconds(options.expiresIn) : defaultExpiresIn;
+      const exp = Math.floor(Date.now() / 1e3) + seconds;
+      const payload = Buffer.from(JSON.stringify({ exp, ...data }), "utf-8").toString("base64url");
+      const sig = sign2(payload);
+      const sessionCookie = `${cookieBase}${payload}.${sig}${cookieAttrs}; Max-Age=${seconds}`;
+      const cfCookies = options?.cdnPolicy && cfSigningConfig ? signCfCookies(options.cdnPolicy, cfSigningConfig) : void 0;
+      return {
+        status: 200,
+        body: { ok: true },
+        headers: {
+          "set-cookie": sessionCookie
+        },
+        ...cfCookies ? { cookies: [sessionCookie, ...cfCookies] } : {}
+      };
+    },
+    clearSession() {
+      return {
+        status: 200,
+        body: { ok: true },
+        headers: {
+          "set-cookie": `${cookieBase}${cookieAttrs}; Max-Age=0`
+        }
+      };
+    },
+    session: sessionData
+  });
+  return {
+    async forRequest(cookieValue, authHeader) {
+      if (authHeader && apiTokenVerify) {
+        const tokenValue = extractTokenValue(authHeader);
+        if (tokenCache) {
+          const cached = tokenCache.get(tokenValue);
+          if (cached && cached.expiresAt > Date.now()) {
+            return buildHelpers(cached.session);
+          }
+        }
+        const session = await apiTokenVerify({ value: tokenValue });
+        if (tokenCache && apiTokenCacheTtlSeconds) {
+          tokenCache.set(tokenValue, { session, expiresAt: Date.now() + apiTokenCacheTtlSeconds * 1e3 });
+        }
+        return buildHelpers(session);
+      }
+      return buildHelpers(decodeSession(cookieValue));
+    }
+  };
+};
+
+export {
+  signCfCookies,
+  AUTH_COOKIE_NAME,
+  createAuthRuntime
+};