npm - headroom-cms - Versions diffs - 0.1.1 - Mend

headroom-cms 0.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (237) hide show

package/dist/api.js ADDED Viewed

@@ -0,0 +1,91 @@
+/**
+ * API Infrastructure
+ *
+ * Go Lambda function serving the Headroom API with access to all resources.
+ * Supports dev mode (Go source with live reload) and package mode (pre-compiled binary).
+ */
+import path from "path";
+export function createApi(name, args) {
+    const { storage, auth, webhooks, image } = args;
+    const handlerConfig = args.dev
+        ? {
+            handler: args.dev.handler,
+            runtime: "go",
+        }
+        : {
+            bundle: path.join(args.pkgRoot, "lambda/api"),
+            handler: "bootstrap",
+            runtime: "provided.al2023",
+            architecture: "arm64",
+        };
+    const api = new sst.aws.Function(`${name}Api`, {
+        ...handlerConfig,
+        timeout: "60 seconds",
+        url: {
+            cors: false,
+        },
+        environment: {
+            SITES_TABLE: storage.sites.name,
+            CONTENT_TABLE: storage.content.name,
+            DRAFT_CONTENT_TABLE: storage.draftContent.name,
+            BLOCKS_TABLE: storage.blocks.name,
+            MEDIA_TABLE: storage.media.name,
+            COLLECTIONS_TABLE: storage.collections.name,
+            BLOCK_TYPES_TABLE: storage.blockTypes.name,
+            ADMIN_AUDIT_TABLE: storage.adminAudit.name,
+            CONTENT_BUCKET: storage.contentBucket.name,
+            USER_POOL_ID: auth.userPool.id,
+            USER_POOL_CLIENT_ID: auth.userPoolClient.id,
+            KVS_ARN: storage.kvs.arn,
+            AWS_REGION_NAME: aws.getRegionOutput().name,
+            WEBHOOKS_TABLE: webhooks.webhooks.name,
+            WEBHOOK_DELIVERIES_TABLE: webhooks.webhookDeliveries.name,
+            WEBHOOK_QUEUE_URL: webhooks.webhookDeliveryQueue.url,
+            IMAGE_SIGNING_SECRET: image.imageSigningSecret.value,
+            IMAGE_LAMBDA_NAME: image.imageLambda.name,
+            RELATIONSHIPS_TABLE: storage.relationships.name,
+        },
+        link: [
+            storage.sites,
+            storage.content,
+            storage.draftContent,
+            storage.blocks,
+            storage.media,
+            storage.collections,
+            storage.blockTypes,
+            storage.adminAudit,
+            storage.contentBucket,
+            webhooks.webhooks,
+            webhooks.webhookDeliveries,
+            webhooks.webhookDeliveryQueue,
+            image.imageSigningSecret,
+            storage.relationships,
+        ],
+        permissions: [
+            {
+                actions: [
+                    "cloudfront-keyvaluestore:DescribeKeyValueStore",
+                    "cloudfront-keyvaluestore:PutKey",
+                    "cloudfront-keyvaluestore:DeleteKey",
+                    "cloudfront-keyvaluestore:GetKey",
+                ],
+                resources: [storage.kvs.arn],
+            },
+            {
+                actions: [
+                    "cognito-idp:ListUsers",
+                    "cognito-idp:AdminCreateUser",
+                    "cognito-idp:AdminDeleteUser",
+                    "cognito-idp:AdminGetUser",
+                ],
+                resources: [auth.userPool.arn],
+            },
+            {
+                actions: ["lambda:InvokeFunction"],
+                resources: [image.imageLambda.arn],
+            },
+        ],
+    });
+    return { api };
+}
+//# sourceMappingURL=api.js.map

package/dist/api.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"api.js","sourceRoot":"","sources":["../src/api.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,IAAI,MAAM,MAAM,CAAC;AAkBxB,MAAM,UAAU,SAAS,CAAC,IAAY,EAAE,IAAa;IACnD,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,GAAG,IAAI,CAAC;IAEhD,MAAM,aAAa,GAAG,IAAI,CAAC,GAAG;QAC5B,CAAC,CAAC;YACE,OAAO,EAAE,IAAI,CAAC,GAAG,CAAC,OAAO;YACzB,OAAO,EAAE,IAAa;SACvB;QACH,CAAC,CAAC;YACE,MAAM,EAAE,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,YAAY,CAAC;YAC7C,OAAO,EAAE,WAAW;YACpB,OAAO,EAAE,iBAA0B;YACnC,YAAY,EAAE,OAAgB;SAC/B,CAAC;IAEN,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,IAAI,KAAK,EAAE;QAC7C,GAAG,aAAa;QAChB,OAAO,EAAE,YAAY;QACrB,GAAG,EAAE;YACH,IAAI,EAAE,KAAK;SACZ;QACD,WAAW,EAAE;YACX,WAAW,EAAE,OAAO,CAAC,KAAK,CAAC,IAAI;YAC/B,aAAa,EAAE,OAAO,CAAC,OAAO,CAAC,IAAI;YACnC,mBAAmB,EAAE,OAAO,CAAC,YAAY,CAAC,IAAI;YAC9C,YAAY,EAAE,OAAO,CAAC,MAAM,CAAC,IAAI;YACjC,WAAW,EAAE,OAAO,CAAC,KAAK,CAAC,IAAI;YAC/B,iBAAiB,EAAE,OAAO,CAAC,WAAW,CAAC,IAAI;YAC3C,iBAAiB,EAAE,OAAO,CAAC,UAAU,CAAC,IAAI;YAC1C,iBAAiB,EAAE,OAAO,CAAC,UAAU,CAAC,IAAI;YAC1C,cAAc,EAAE,OAAO,CAAC,aAAa,CAAC,IAAI;YAC1C,YAAY,EAAE,IAAI,CAAC,QAAQ,CAAC,EAAE;YAC9B,mBAAmB,EAAE,IAAI,CAAC,cAAc,CAAC,EAAE;YAC3C,OAAO,EAAE,OAAO,CAAC,GAAG,CAAC,GAAG;YACxB,eAAe,EAAE,GAAG,CAAC,eAAe,EAAE,CAAC,IAAI;YAC3C,cAAc,EAAE,QAAQ,CAAC,QAAQ,CAAC,IAAI;YACtC,wBAAwB,EAAE,QAAQ,CAAC,iBAAiB,CAAC,IAAI;YACzD,iBAAiB,EAAE,QAAQ,CAAC,oBAAoB,CAAC,GAAG;YACpD,oBAAoB,EAAE,KAAK,CAAC,kBAAkB,CAAC,KAAK;YACpD,iBAAiB,EAAE,KAAK,CAAC,WAAW,CAAC,IAAI;YACzC,mBAAmB,EAAE,OAAO,CAAC,aAAa,CAAC,IAAI;SAChD;QACD,IAAI,EAAE;YACJ,OAAO,CAAC,KAAK;YACb,OAAO,CAAC,OAAO;YACf,OAAO,CAAC,YAAY;YACpB,OAAO,CAAC,MAAM;YACd,OAAO,CAAC,KAAK;YACb,OAAO,CAAC,WAAW;YACnB,OAAO,CAAC,UAAU;YAClB,OAAO,CAAC,UAAU;YAClB,OAAO,CAAC,aAAa;YACrB,QAAQ,CAAC,QAAQ;YACjB,QAAQ,CAAC,iBAAiB;YAC1B,QAAQ,CAAC,oBAAoB;YAC7B,KAAK,CAAC,kBAAkB;YACxB,OAAO,CAAC,aAAa;SACtB;QACD,WAAW,EAAE;YACX;gBACE,OAAO,EAAE;oBACP,gDAAgD;oBAChD,iCAAiC;oBACjC,oCAAoC;oBACpC,iCAAiC;iBAClC;gBACD,SAAS,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC;aAC7B;YACD;gBACE,OAAO,EAAE;oBACP,uBAAuB;oBACvB,6BAA6B;oBAC7B,6BAA6B;oBAC7B,0BAA0B;iBAC3B;gBACD,SAAS,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC;aAC/B;YACD;gBACE,OAAO,EAAE,CAAC,uBAAuB,CAAC;gBAClC,SAAS,EAAE,CAAC,KAAK,CAAC,WAAW,CAAC,GAAG,CAAC;aACnC;SACF;KACF,CAAC,CAAC;IAEH,OAAO,EAAE,GAAG,EAAE,CAAC;AACjB,CAAC"}

package/dist/auth.d.ts ADDED Viewed

@@ -0,0 +1,27 @@
+/**
+ * Authentication Infrastructure
+ *
+ * Cognito User Pool, SES email identity, and custom message Lambda.
+ * Supports dev mode (source handler) and package mode (pre-bundled handler).
+ */
+export interface AuthArgs {
+    senderEmail: string;
+    passwordPolicy?: {
+        minimumLength?: number;
+        requireLowercase?: boolean;
+        requireUppercase?: boolean;
+        requireNumbers?: boolean;
+        requireSymbols?: boolean;
+    };
+    pkgRoot: string;
+    dev?: {
+        /** SST handler string, e.g. "packages/functions/custom-message.handler" */
+        handler: string;
+    };
+}
+export declare function createAuth(name: string, args: AuthArgs): {
+    userPool: sst.aws.CognitoUserPool;
+    userPoolClient: sst.aws.CognitoUserPoolClient;
+};
+export type AuthResources = ReturnType<typeof createAuth>;
+//# sourceMappingURL=auth.d.ts.map

package/dist/auth.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,MAAM,WAAW,QAAQ;IACvB,WAAW,EAAE,MAAM,CAAC;IACpB,cAAc,CAAC,EAAE;QACf,aAAa,CAAC,EAAE,MAAM,CAAC;QACvB,gBAAgB,CAAC,EAAE,OAAO,CAAC;QAC3B,gBAAgB,CAAC,EAAE,OAAO,CAAC;QAC3B,cAAc,CAAC,EAAE,OAAO,CAAC;QACzB,cAAc,CAAC,EAAE,OAAO,CAAC;KAC1B,CAAC;IACF,OAAO,EAAE,MAAM,CAAC;IAChB,GAAG,CAAC,EAAE;QACJ,2EAA2E;QAC3E,OAAO,EAAE,MAAM,CAAC;KACjB,CAAC;CACH;AAED,wBAAgB,UAAU,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,QAAQ;;;EAkFtD;AAED,MAAM,MAAM,aAAa,GAAG,UAAU,CAAC,OAAO,UAAU,CAAC,CAAC"}

package/dist/auth.js ADDED Viewed

@@ -0,0 +1,86 @@
+/**
+ * Authentication Infrastructure
+ *
+ * Cognito User Pool, SES email identity, and custom message Lambda.
+ * Supports dev mode (source handler) and package mode (pre-bundled handler).
+ */
+import path from "path";
+export function createAuth(name, args) {
+    const emailIdentity = new aws.ses.EmailIdentity(`${name}EmailIdentity`, {
+        email: args.senderEmail,
+    });
+    // Custom message Lambda: customizes Cognito invite emails
+    let customMessageFn;
+    if (args.dev) {
+        customMessageFn = new sst.aws.Function(`${name}CustomMessage`, {
+            handler: args.dev.handler,
+            runtime: "nodejs20.x",
+        });
+    }
+    else {
+        customMessageFn = new sst.aws.Function(`${name}CustomMessage`, {
+            bundle: path.join(args.pkgRoot, "lambda/functions/custom-message"),
+            handler: "index.handler",
+            runtime: "nodejs20.x",
+        });
+    }
+    const pp = args.passwordPolicy ?? {};
+    const userPool = new sst.aws.CognitoUserPool(`${name}UserPool`, {
+        usernames: ["email"],
+        transform: {
+            userPool: {
+                passwordPolicy: {
+                    minimumLength: pp.minimumLength ?? 12,
+                    requireLowercase: pp.requireLowercase ?? true,
+                    requireUppercase: pp.requireUppercase ?? true,
+                    requireNumbers: pp.requireNumbers ?? true,
+                    requireSymbols: pp.requireSymbols ?? true,
+                },
+                accountRecoverySetting: {
+                    recoveryMechanisms: [{ name: "verified_email", priority: 1 }],
+                },
+                lambdaConfig: {
+                    customMessage: customMessageFn.arn,
+                },
+                emailConfiguration: {
+                    emailSendingAccount: "DEVELOPER",
+                    sourceArn: emailIdentity.arn,
+                    fromEmailAddress: `Headroom CMS <${args.senderEmail}>`,
+                },
+                mfaConfiguration: "OPTIONAL",
+                softwareTokenMfaConfiguration: {
+                    enabled: true,
+                },
+            },
+        },
+    });
+    // Grant Cognito permission to invoke the custom message Lambda
+    new aws.lambda.Permission(`${name}CustomMessagePermission`, {
+        action: "lambda:InvokeFunction",
+        function: customMessageFn.arn,
+        principal: "cognito-idp.amazonaws.com",
+        sourceArn: userPool.arn,
+    });
+    const userPoolClient = userPool.addClient(`${name}Client`, {
+        transform: {
+            client: {
+                explicitAuthFlows: [
+                    "ALLOW_USER_SRP_AUTH",
+                    "ALLOW_REFRESH_TOKEN_AUTH",
+                    "ALLOW_ADMIN_USER_PASSWORD_AUTH",
+                ],
+                accessTokenValidity: 1,
+                idTokenValidity: 1,
+                refreshTokenValidity: 365,
+                tokenValidityUnits: {
+                    accessToken: "hours",
+                    idToken: "hours",
+                    refreshToken: "days",
+                },
+                preventUserExistenceErrors: "ENABLED",
+            },
+        },
+    });
+    return { userPool, userPoolClient };
+}
+//# sourceMappingURL=auth.js.map

package/dist/auth.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"auth.js","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,IAAI,MAAM,MAAM,CAAC;AAkBxB,MAAM,UAAU,UAAU,CAAC,IAAY,EAAE,IAAc;IACrD,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,aAAa,CAAC,GAAG,IAAI,eAAe,EAAE;QACtE,KAAK,EAAE,IAAI,CAAC,WAAW;KACxB,CAAC,CAAC;IAEH,0DAA0D;IAC1D,IAAI,eAAiC,CAAC;IACtC,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC;QACb,eAAe,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,IAAI,eAAe,EAAE;YAC7D,OAAO,EAAE,IAAI,CAAC,GAAG,CAAC,OAAO;YACzB,OAAO,EAAE,YAAY;SACtB,CAAC,CAAC;IACL,CAAC;SAAM,CAAC;QACN,eAAe,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,IAAI,eAAe,EAAE;YAC7D,MAAM,EAAE,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,iCAAiC,CAAC;YAClE,OAAO,EAAE,eAAe;YACxB,OAAO,EAAE,YAAY;SACtB,CAAC,CAAC;IACL,CAAC;IAED,MAAM,EAAE,GAAG,IAAI,CAAC,cAAc,IAAI,EAAE,CAAC;IAErC,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,eAAe,CAAC,GAAG,IAAI,UAAU,EAAE;QAC9D,SAAS,EAAE,CAAC,OAAO,CAAC;QACpB,SAAS,EAAE;YACT,QAAQ,EAAE;gBACR,cAAc,EAAE;oBACd,aAAa,EAAE,EAAE,CAAC,aAAa,IAAI,EAAE;oBACrC,gBAAgB,EAAE,EAAE,CAAC,gBAAgB,IAAI,IAAI;oBAC7C,gBAAgB,EAAE,EAAE,CAAC,gBAAgB,IAAI,IAAI;oBAC7C,cAAc,EAAE,EAAE,CAAC,cAAc,IAAI,IAAI;oBACzC,cAAc,EAAE,EAAE,CAAC,cAAc,IAAI,IAAI;iBAC1C;gBACD,sBAAsB,EAAE;oBACtB,kBAAkB,EAAE,CAAC,EAAE,IAAI,EAAE,gBAAgB,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;iBAC9D;gBACD,YAAY,EAAE;oBACZ,aAAa,EAAE,eAAe,CAAC,GAAG;iBACnC;gBACD,kBAAkB,EAAE;oBAClB,mBAAmB,EAAE,WAAW;oBAChC,SAAS,EAAE,aAAa,CAAC,GAAG;oBAC5B,gBAAgB,EAAE,iBAAiB,IAAI,CAAC,WAAW,GAAG;iBACvD;gBACD,gBAAgB,EAAE,UAAU;gBAC5B,6BAA6B,EAAE;oBAC7B,OAAO,EAAE,IAAI;iBACd;aACF;SACF;KACF,CAAC,CAAC;IAEH,+DAA+D;IAC/D,IAAI,GAAG,CAAC,MAAM,CAAC,UAAU,CAAC,GAAG,IAAI,yBAAyB,EAAE;QAC1D,MAAM,EAAE,uBAAuB;QAC/B,QAAQ,EAAE,eAAe,CAAC,GAAG;QAC7B,SAAS,EAAE,2BAA2B;QACtC,SAAS,EAAE,QAAQ,CAAC,GAAG;KACxB,CAAC,CAAC;IAEH,MAAM,cAAc,GAAG,QAAQ,CAAC,SAAS,CAAC,GAAG,IAAI,QAAQ,EAAE;QACzD,SAAS,EAAE;YACT,MAAM,EAAE;gBACN,iBAAiB,EAAE;oBACjB,qBAAqB;oBACrB,0BAA0B;oBAC1B,gCAAgC;iBACjC;gBACD,mBAAmB,EAAE,CAAC;gBACtB,eAAe,EAAE,CAAC;gBAClB,oBAAoB,EAAE,GAAG;gBACzB,kBAAkB,EAAE;oBAClB,WAAW,EAAE,OAAO;oBACpB,OAAO,EAAE,OAAO;oBAChB,YAAY,EAAE,MAAM;iBACrB;gBACD,0BAA0B,EAAE,SAAS;aACtC;SACF;KACF,CAAC,CAAC;IAEH,OAAO,EAAE,QAAQ,EAAE,cAAc,EAAE,CAAC;AACtC,CAAC"}

package/dist/cdn.d.ts ADDED Viewed

@@ -0,0 +1,27 @@
+/**
+ * CDN Infrastructure
+ *
+ * CloudFront distribution with edge authentication, version-based caching,
+ * direct S3 media serving, and Sharp Lambda image transforms.
+ */
+import type { StorageResources } from "./storage.js";
+import type { ApiResources } from "./api.js";
+import type { ImageResources } from "./image.js";
+export interface CdnArgs {
+    api: ApiResources;
+    image: ImageResources;
+    contentBucket: StorageResources["contentBucket"];
+    kvs: StorageResources["kvs"];
+    priceClass?: "PriceClass_100" | "PriceClass_200" | "PriceClass_All";
+    apiCacheTtl?: number;
+    domain?: {
+        name: string;
+        certificateArn: string;
+    };
+}
+export declare function createCdn(name: string, args: CdnArgs): {
+    distribution: aws.cloudfront.Distribution;
+    url: PulumiOutput<string>;
+};
+export type CdnResources = ReturnType<typeof createCdn>;
+//# sourceMappingURL=cdn.d.ts.map

package/dist/cdn.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"cdn.d.ts","sourceRoot":"","sources":["../src/cdn.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AACrD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AAC7C,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAEjD,MAAM,WAAW,OAAO;IACtB,GAAG,EAAE,YAAY,CAAC;IAClB,KAAK,EAAE,cAAc,CAAC;IACtB,aAAa,EAAE,gBAAgB,CAAC,eAAe,CAAC,CAAC;IACjD,GAAG,EAAE,gBAAgB,CAAC,KAAK,CAAC,CAAC;IAC7B,UAAU,CAAC,EAAE,gBAAgB,GAAG,gBAAgB,GAAG,gBAAgB,CAAC;IACpE,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,MAAM,CAAC,EAAE;QACP,IAAI,EAAE,MAAM,CAAC;QACb,cAAc,EAAE,MAAM,CAAC;KACxB,CAAC;CACH;AAED,wBAAgB,SAAS,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO;;;EAsapD;AAED,MAAM,MAAM,YAAY,GAAG,UAAU,CAAC,OAAO,SAAS,CAAC,CAAC"}

package/dist/cdn.js ADDED Viewed

@@ -0,0 +1,382 @@
+/**
+ * CDN Infrastructure
+ *
+ * CloudFront distribution with edge authentication, version-based caching,
+ * direct S3 media serving, and Sharp Lambda image transforms.
+ */
+export function createCdn(name, args) {
+    const { api, image, contentBucket, kvs } = args;
+    const apiCacheTtl = args.apiCacheTtl ?? 3600;
+    // Extract KVS UUID from ARN (cf.kvs() needs the UUID, not the name)
+    const kvsUuid = kvs.arn.apply((arn) => arn.split("/").pop());
+    // =========================================================================
+    // CloudFront Function: Edge Auth
+    // =========================================================================
+    const edgeFunction = new aws.cloudfront.Function(`${name}EdgeAuth`, {
+        name: $interpolate `${$app.name}-${$app.stage}-edge-auth`,
+        runtime: "cloudfront-js-2.0",
+        publish: true,
+        keyValueStoreAssociations: [kvs.arn],
+        code: $interpolate `
+    import cf from 'cloudfront';
+    import crypto from 'crypto';
+    const kvsId = '${kvsUuid}';
+    const kvsHandle = cf.kvs(kvsId);
+    async function handler(event) {
+      const request = event.request;
+      const uri = request.uri;
+      const headers = request.headers;
+      // Skip auth for admin paths (use JWT auth at origin)
+      if (uri.startsWith('/v1/admin/')) {
+        return request;
+      }
+      // Skip auth for health endpoint
+      if (uri === '/health') {
+        return request;
+      }
+      // Skip auth for non-API paths
+      if (!uri.startsWith('/v1/')) {
+        return request;
+      }
+      // Extract site from path: /v1/{site}/...
+      var pathParts = uri.split('/');
+      if (pathParts.length < 3) {
+        return {
+          statusCode: 400,
+          statusDescription: 'Bad Request',
+          body: { encoding: 'text', data: 'Invalid path' }
+        };
+      }
+      var site = pathParts[2];
+      // Get API key from header
+      var apiKeyHeader = headers['x-headroom-key'];
+      if (!apiKeyHeader) {
+        return {
+          statusCode: 401,
+          statusDescription: 'Unauthorized',
+          headers: { 'content-type': { value: 'application/json' } },
+          body: { encoding: 'text', data: JSON.stringify({ error: 'API key required' }) }
+        };
+      }
+      // Hash the API key (needed for KVS lookup key)
+      var keyHash = crypto.createHash('sha256').update(apiKeyHeader.value).digest('hex');
+      var hashPrefix = keyHash.substring(0, 8);
+      // Fetch API key hash and version in parallel
+      var results = await Promise.all([
+        kvsHandle.get('site:' + site + ':key:' + hashPrefix).catch(function() { return null; }),
+        kvsHandle.get('site:' + site + ':version').catch(function() { return '0'; }),
+      ]);
+      var storedHash = results[0];
+      var versionResult = results[1];
+      // Validate API key - compare full hash
+      if (!storedHash || storedHash !== keyHash) {
+        return {
+          statusCode: 403,
+          statusDescription: 'Forbidden',
+          headers: { 'content-type': { value: 'application/json' } },
+          body: { encoding: 'text', data: JSON.stringify({ error: 'Invalid API key' }) }
+        };
+      }
+      // Add version header for cache key discrimination
+      request.headers['x-site-version'] = { value: versionResult || '0' };
+      return request;
+    }
+  `,
+    });
+    // =========================================================================
+    // CloudFront Function: Media Rewrite
+    // =========================================================================
+    const mediaRewriteFunction = new aws.cloudfront.Function(`${name}MediaRewrite`, {
+        name: $interpolate `${$app.name}-${$app.stage}-media-rewrite`,
+        runtime: "cloudfront-js-2.0",
+        publish: true,
+        code: `
+    function handler(event) {
+      var request = event.request;
+      var uri = request.uri;
+      // Rewrite /media/{site}/{mediaId}/{file} → /sites/{site}/media/{mediaId}/{file}
+      var parts = uri.split('/');
+      // parts: ['', 'media', '{site}', '{mediaId}', '{file}']
+      if (parts.length >= 5 && parts[1] === 'media') {
+        var site = parts[2];
+        var mediaId = parts[3];
+        var rest = parts.slice(4).join('/');
+        request.uri = '/sites/' + site + '/media/' + mediaId + '/' + rest;
+      }
+      return request;
+    }
+  `,
+    });
+    // =========================================================================
+    // Cache Policies
+    // =========================================================================
+    const apiCachePolicy = new aws.cloudfront.CachePolicy(`${name}APICachePolicy`, {
+        name: $interpolate `${$app.name}-${$app.stage}-api-cache`,
+        comment: "Cache policy for Headroom API with version-based cache busting",
+        defaultTtl: apiCacheTtl,
+        maxTtl: 86400,
+        minTtl: 0,
+        parametersInCacheKeyAndForwardedToOrigin: {
+            cookiesConfig: { cookieBehavior: "none" },
+            headersConfig: {
+                headerBehavior: "whitelist",
+                headers: { items: ["x-site-version"] },
+            },
+            queryStringsConfig: {
+                queryStringBehavior: "whitelist",
+                queryStrings: {
+                    items: ["collection", "limit", "cursor", "before", "after", "tag"],
+                },
+            },
+            enableAcceptEncodingBrotli: true,
+            enableAcceptEncodingGzip: true,
+        },
+    });
+    const imageCachePolicy = new aws.cloudfront.CachePolicy(`${name}ImageCachePolicy`, {
+        name: $interpolate `${$app.name}-${$app.stage}-image-cache`,
+        comment: "Cache policy for transformed images (immutable)",
+        defaultTtl: 31536000,
+        maxTtl: 31536000,
+        minTtl: 31536000,
+        parametersInCacheKeyAndForwardedToOrigin: {
+            cookiesConfig: { cookieBehavior: "none" },
+            headersConfig: { headerBehavior: "none" },
+            queryStringsConfig: {
+                queryStringBehavior: "whitelist",
+                queryStrings: {
+                    items: ["w", "h", "fit", "format", "q", "sig"],
+                },
+            },
+            enableAcceptEncodingBrotli: true,
+            enableAcceptEncodingGzip: true,
+        },
+    });
+    const mediaCachePolicy = new aws.cloudfront.CachePolicy(`${name}MediaCachePolicy`, {
+        name: $interpolate `${$app.name}-${$app.stage}-media-cache`,
+        comment: "Cache policy for original media files (immutable)",
+        defaultTtl: 31536000,
+        maxTtl: 31536000,
+        minTtl: 31536000,
+        parametersInCacheKeyAndForwardedToOrigin: {
+            cookiesConfig: { cookieBehavior: "none" },
+            headersConfig: { headerBehavior: "none" },
+            queryStringsConfig: { queryStringBehavior: "none" },
+            enableAcceptEncodingBrotli: true,
+            enableAcceptEncodingGzip: true,
+        },
+    });
+    // =========================================================================
+    // Origin Request Policy
+    // =========================================================================
+    const originRequestPolicy = new aws.cloudfront.OriginRequestPolicy(`${name}OriginRequestPolicy`, {
+        name: $interpolate `${$app.name}-${$app.stage}-origin-request`,
+        comment: "Forward necessary headers to Lambda origin",
+        cookiesConfig: { cookieBehavior: "none" },
+        headersConfig: {
+            headerBehavior: "whitelist",
+            headers: {
+                items: [
+                    "x-headroom-key",
+                    "content-type",
+                    "accept",
+                    "x-site-version",
+                ],
+            },
+        },
+        queryStringsConfig: { queryStringBehavior: "all" },
+    });
+    // Managed AllViewerExceptHostHeader policy for admin paths
+    const adminOriginRequestPolicyId = "b689b0a8-53d0-40ab-baf2-68738e2966ac";
+    // =========================================================================
+    // Origin Access Controls (OAC)
+    // =========================================================================
+    const mediaOAC = new aws.cloudfront.OriginAccessControl(`${name}MediaOAC`, {
+        name: $interpolate `${$app.name}-${$app.stage}-media-oac`,
+        description: "OAC for S3 media origin",
+        originAccessControlOriginType: "s3",
+        signingBehavior: "always",
+        signingProtocol: "sigv4",
+    });
+    const imageOAC = new aws.cloudfront.OriginAccessControl(`${name}ImageOAC`, {
+        name: $interpolate `${$app.name}-${$app.stage}-image-oac`,
+        description: "OAC for image transform Lambda origin",
+        originAccessControlOriginType: "lambda",
+        signingBehavior: "always",
+        signingProtocol: "sigv4",
+    });
+    // =========================================================================
+    // CloudFront Distribution
+    // =========================================================================
+    const originDomain = api.api.url.apply((url) => {
+        const parsed = new URL(url);
+        return parsed.hostname;
+    });
+    const imageLambdaDomain = image.imageLambda.url.apply((url) => {
+        const parsed = new URL(url);
+        return parsed.hostname;
+    });
+    const s3RegionalDomain = $interpolate `${contentBucket.name}.s3.${aws.getRegionOutput().name}.amazonaws.com`;
+    const priceClass = args.priceClass ?? "PriceClass_100";
+    // Build aliases and certificate config for custom domain
+    const aliases = args.domain ? [args.domain.name] : undefined;
+    const viewerCertificate = args.domain
+        ? {
+            acmCertificateArn: args.domain.certificateArn,
+            sslSupportMethod: "sni-only",
+            minimumProtocolVersion: "TLSv1.2_2021",
+        }
+        : {
+            cloudfrontDefaultCertificate: true,
+        };
+    const distribution = new aws.cloudfront.Distribution(`${name}Distribution`, {
+        enabled: true,
+        comment: $interpolate `Headroom CMS API - ${$app.stage}`,
+        httpVersion: "http2and3",
+        priceClass,
+        aliases,
+        origins: [
+            {
+                originId: "api",
+                domainName: originDomain,
+                customOriginConfig: {
+                    httpPort: 80,
+                    httpsPort: 443,
+                    originProtocolPolicy: "https-only",
+                    originSslProtocols: ["TLSv1.2"],
+                },
+            },
+            {
+                originId: "media-s3",
+                domainName: s3RegionalDomain,
+                originAccessControlId: mediaOAC.id,
+                s3OriginConfig: {
+                    originAccessIdentity: "",
+                },
+            },
+            {
+                originId: "image-lambda",
+                domainName: imageLambdaDomain,
+                originAccessControlId: imageOAC.id,
+                customOriginConfig: {
+                    httpPort: 80,
+                    httpsPort: 443,
+                    originProtocolPolicy: "https-only",
+                    originSslProtocols: ["TLSv1.2"],
+                },
+            },
+        ],
+        defaultCacheBehavior: {
+            targetOriginId: "api",
+            viewerProtocolPolicy: "redirect-to-https",
+            allowedMethods: [
+                "GET",
+                "HEAD",
+                "OPTIONS",
+                "PUT",
+                "POST",
+                "PATCH",
+                "DELETE",
+            ],
+            cachedMethods: ["GET", "HEAD", "OPTIONS"],
+            compress: true,
+            cachePolicyId: apiCachePolicy.id,
+            originRequestPolicyId: originRequestPolicy.id,
+            functionAssociations: [
+                {
+                    eventType: "viewer-request",
+                    functionArn: edgeFunction.arn,
+                },
+            ],
+        },
+        orderedCacheBehaviors: [
+            // Admin paths: no caching, forwards Authorization header
+            {
+                pathPattern: "/v1/admin/*",
+                targetOriginId: "api",
+                viewerProtocolPolicy: "redirect-to-https",
+                allowedMethods: [
+                    "GET",
+                    "HEAD",
+                    "OPTIONS",
+                    "PUT",
+                    "POST",
+                    "PATCH",
+                    "DELETE",
+                ],
+                cachedMethods: ["GET", "HEAD", "OPTIONS"],
+                compress: true,
+                cachePolicyId: "4135ea2d-6df8-44a3-9df3-4b5a84be39ad",
+                originRequestPolicyId: adminOriginRequestPolicyId,
+            },
+            // Media originals: served directly from S3 via OAC
+            {
+                pathPattern: "/media/*",
+                targetOriginId: "media-s3",
+                viewerProtocolPolicy: "redirect-to-https",
+                allowedMethods: ["GET", "HEAD", "OPTIONS"],
+                cachedMethods: ["GET", "HEAD", "OPTIONS"],
+                compress: true,
+                cachePolicyId: mediaCachePolicy.id,
+                functionAssociations: [
+                    {
+                        eventType: "viewer-request",
+                        functionArn: mediaRewriteFunction.arn,
+                    },
+                ],
+            },
+            // Image transforms: served via Sharp Lambda
+            {
+                pathPattern: "/img/*",
+                targetOriginId: "image-lambda",
+                viewerProtocolPolicy: "redirect-to-https",
+                allowedMethods: ["GET", "HEAD", "OPTIONS"],
+                cachedMethods: ["GET", "HEAD", "OPTIONS"],
+                compress: true,
+                cachePolicyId: imageCachePolicy.id,
+            },
+            // Health endpoint: no caching, no auth
+            {
+                pathPattern: "/health",
+                targetOriginId: "api",
+                viewerProtocolPolicy: "redirect-to-https",
+                allowedMethods: ["GET", "HEAD"],
+                cachedMethods: ["GET", "HEAD"],
+                compress: true,
+                cachePolicyId: "4135ea2d-6df8-44a3-9df3-4b5a84be39ad",
+                originRequestPolicyId: originRequestPolicy.id,
+            },
+        ],
+        restrictions: {
+            geoRestriction: { restrictionType: "none" },
+        },
+        viewerCertificate,
+    });
+    // Allow CloudFront to invoke the image Lambda via OAC
+    new aws.lambda.Permission(`${name}ImageLambdaCFPermission`, {
+        action: "lambda:InvokeFunctionUrl",
+        function: image.imageLambda.name,
+        principal: "cloudfront.amazonaws.com",
+        sourceArn: distribution.arn,
+    });
+    const url = args.domain
+        ? $interpolate `https://${args.domain.name}`
+        : $interpolate `https://${distribution.domainName}`;
+    return { distribution, url };
+}
+//# sourceMappingURL=cdn.js.map

package/dist/cdn.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"cdn.js","sourceRoot":"","sources":["../src/cdn.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAmBH,MAAM,UAAU,SAAS,CAAC,IAAY,EAAE,IAAa;IACnD,MAAM,EAAE,GAAG,EAAE,KAAK,EAAE,aAAa,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;IAChD,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,IAAI,IAAI,CAAC;IAE7C,oEAAoE;IACpE,MAAM,OAAO,GAAG,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,GAAW,EAAE,EAAE,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAG,CAAC,CAAC;IAEtE,4EAA4E;IAC5E,iCAAiC;IACjC,4EAA4E;IAC5E,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,QAAQ,CAAC,GAAG,IAAI,UAAU,EAAE;QAClE,IAAI,EAAE,YAAY,CAAA,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,KAAK,YAAY;QACxD,OAAO,EAAE,mBAAmB;QAC5B,OAAO,EAAE,IAAI;QACb,yBAAyB,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC;QACpC,IAAI,EAAE,YAAY,CAAA;;;;qBAID,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA0EzB;KACA,CAAC,CAAC;IAEH,4EAA4E;IAC5E,qCAAqC;IACrC,4EAA4E;IAC5E,MAAM,oBAAoB,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,QAAQ,CACtD,GAAG,IAAI,cAAc,EACrB;QACE,IAAI,EAAE,YAAY,CAAA,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,KAAK,gBAAgB;QAC5D,OAAO,EAAE,mBAAmB;QAC5B,OAAO,EAAE,IAAI;QACb,IAAI,EAAE;;;;;;;;;;;;;;;;;GAiBT;KACE,CACF,CAAC;IAEF,4EAA4E;IAC5E,iBAAiB;IACjB,4EAA4E;IAE5E,MAAM,cAAc,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,WAAW,CACnD,GAAG,IAAI,gBAAgB,EACvB;QACE,IAAI,EAAE,YAAY,CAAA,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,KAAK,YAAY;QACxD,OAAO,EACL,gEAAgE;QAClE,UAAU,EAAE,WAAW;QACvB,MAAM,EAAE,KAAK;QACb,MAAM,EAAE,CAAC;QACT,wCAAwC,EAAE;YACxC,aAAa,EAAE,EAAE,cAAc,EAAE,MAAM,EAAE;YACzC,aAAa,EAAE;gBACb,cAAc,EAAE,WAAW;gBAC3B,OAAO,EAAE,EAAE,KAAK,EAAE,CAAC,gBAAgB,CAAC,EAAE;aACvC;YACD,kBAAkB,EAAE;gBAClB,mBAAmB,EAAE,WAAW;gBAChC,YAAY,EAAE;oBACZ,KAAK,EAAE,CAAC,YAAY,EAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,KAAK,CAAC;iBACnE;aACF;YACD,0BAA0B,EAAE,IAAI;YAChC,wBAAwB,EAAE,IAAI;SAC/B;KACF,CACF,CAAC;IAEF,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,WAAW,CACrD,GAAG,IAAI,kBAAkB,EACzB;QACE,IAAI,EAAE,YAAY,CAAA,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,KAAK,cAAc;QAC1D,OAAO,EAAE,iDAAiD;QAC1D,UAAU,EAAE,QAAQ;QACpB,MAAM,EAAE,QAAQ;QAChB,MAAM,EAAE,QAAQ;QAChB,wCAAwC,EAAE;YACxC,aAAa,EAAE,EAAE,cAAc,EAAE,MAAM,EAAE;YACzC,aAAa,EAAE,EAAE,cAAc,EAAE,MAAM,EAAE;YACzC,kBAAkB,EAAE;gBAClB,mBAAmB,EAAE,WAAW;gBAChC,YAAY,EAAE;oBACZ,KAAK,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,EAAE,KAAK,CAAC;iBAC/C;aACF;YACD,0BAA0B,EAAE,IAAI;YAChC,wBAAwB,EAAE,IAAI;SAC/B;KACF,CACF,CAAC;IAEF,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,WAAW,CACrD,GAAG,IAAI,kBAAkB,EACzB;QACE,IAAI,EAAE,YAAY,CAAA,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,KAAK,cAAc;QAC1D,OAAO,EAAE,mDAAmD;QAC5D,UAAU,EAAE,QAAQ;QACpB,MAAM,EAAE,QAAQ;QAChB,MAAM,EAAE,QAAQ;QAChB,wCAAwC,EAAE;YACxC,aAAa,EAAE,EAAE,cAAc,EAAE,MAAM,EAAE;YACzC,aAAa,EAAE,EAAE,cAAc,EAAE,MAAM,EAAE;YACzC,kBAAkB,EAAE,EAAE,mBAAmB,EAAE,MAAM,EAAE;YACnD,0BAA0B,EAAE,IAAI;YAChC,wBAAwB,EAAE,IAAI;SAC/B;KACF,CACF,CAAC;IAEF,4EAA4E;IAC5E,wBAAwB;IACxB,4EAA4E;IAE5E,MAAM,mBAAmB,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,mBAAmB,CAChE,GAAG,IAAI,qBAAqB,EAC5B;QACE,IAAI,EAAE,YAAY,CAAA,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,KAAK,iBAAiB;QAC7D,OAAO,EAAE,4CAA4C;QACrD,aAAa,EAAE,EAAE,cAAc,EAAE,MAAM,EAAE;QACzC,aAAa,EAAE;YACb,cAAc,EAAE,WAAW;YAC3B,OAAO,EAAE;gBACP,KAAK,EAAE;oBACL,gBAAgB;oBAChB,cAAc;oBACd,QAAQ;oBACR,gBAAgB;iBACjB;aACF;SACF;QACD,kBAAkB,EAAE,EAAE,mBAAmB,EAAE,KAAK,EAAE;KACnD,CACF,CAAC;IAEF,2DAA2D;IAC3D,MAAM,0BAA0B,GAC9B,sCAAsC,CAAC;IAEzC,4EAA4E;IAC5E,+BAA+B;IAC/B,4EAA4E;IAE5E,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,mBAAmB,CAAC,GAAG,IAAI,UAAU,EAAE;QACzE,IAAI,EAAE,YAAY,CAAA,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,KAAK,YAAY;QACxD,WAAW,EAAE,yBAAyB;QACtC,6BAA6B,EAAE,IAAI;QACnC,eAAe,EAAE,QAAQ;QACzB,eAAe,EAAE,OAAO;KACzB,CAAC,CAAC;IAEH,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,mBAAmB,CAAC,GAAG,IAAI,UAAU,EAAE;QACzE,IAAI,EAAE,YAAY,CAAA,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,KAAK,YAAY;QACxD,WAAW,EAAE,uCAAuC;QACpD,6BAA6B,EAAE,QAAQ;QACvC,eAAe,EAAE,QAAQ;QACzB,eAAe,EAAE,OAAO;KACzB,CAAC,CAAC;IAEH,4EAA4E;IAC5E,0BAA0B;IAC1B,4EAA4E;IAE5E,MAAM,YAAY,GAAG,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,GAAW,EAAE,EAAE;QACrD,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;QAC5B,OAAO,MAAM,CAAC,QAAQ,CAAC;IACzB,CAAC,CAAC,CAAC;IAEH,MAAM,iBAAiB,GAAG,KAAK,CAAC,WAAW,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,GAAW,EAAE,EAAE;QACpE,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;QAC5B,OAAO,MAAM,CAAC,QAAQ,CAAC;IACzB,CAAC,CAAC,CAAC;IAEH,MAAM,gBAAgB,GAAG,YAAY,CAAA,GAAG,aAAa,CAAC,IAAI,OAAO,GAAG,CAAC,eAAe,EAAE,CAAC,IAAI,gBAAgB,CAAC;IAE5G,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,IAAI,gBAAgB,CAAC;IAEvD,yDAAyD;IACzD,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IAC7D,MAAM,iBAAiB,GAAG,IAAI,CAAC,MAAM;QACnC,CAAC,CAAC;YACE,iBAAiB,EAAE,IAAI,CAAC,MAAM,CAAC,cAAc;YAC7C,gBAAgB,EAAE,UAAmB;YACrC,sBAAsB,EAAE,cAAuB;SAChD;QACH,CAAC,CAAC;YACE,4BAA4B,EAAE,IAAI;SACnC,CAAC;IAEN,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,YAAY,CAClD,GAAG,IAAI,cAAc,EACrB;QACE,OAAO,EAAE,IAAI;QACb,OAAO,EAAE,YAAY,CAAA,sBAAsB,IAAI,CAAC,KAAK,EAAE;QACvD,WAAW,EAAE,WAAW;QACxB,UAAU;QACV,OAAO;QAEP,OAAO,EAAE;YACP;gBACE,QAAQ,EAAE,KAAK;gBACf,UAAU,EAAE,YAAY;gBACxB,kBAAkB,EAAE;oBAClB,QAAQ,EAAE,EAAE;oBACZ,SAAS,EAAE,GAAG;oBACd,oBAAoB,EAAE,YAAY;oBAClC,kBAAkB,EAAE,CAAC,SAAS,CAAC;iBAChC;aACF;YACD;gBACE,QAAQ,EAAE,UAAU;gBACpB,UAAU,EAAE,gBAAgB;gBAC5B,qBAAqB,EAAE,QAAQ,CAAC,EAAE;gBAClC,cAAc,EAAE;oBACd,oBAAoB,EAAE,EAAE;iBACzB;aACF;YACD;gBACE,QAAQ,EAAE,cAAc;gBACxB,UAAU,EAAE,iBAAiB;gBAC7B,qBAAqB,EAAE,QAAQ,CAAC,EAAE;gBAClC,kBAAkB,EAAE;oBAClB,QAAQ,EAAE,EAAE;oBACZ,SAAS,EAAE,GAAG;oBACd,oBAAoB,EAAE,YAAY;oBAClC,kBAAkB,EAAE,CAAC,SAAS,CAAC;iBAChC;aACF;SACF;QAED,oBAAoB,EAAE;YACpB,cAAc,EAAE,KAAK;YACrB,oBAAoB,EAAE,mBAAmB;YACzC,cAAc,EAAE;gBACd,KAAK;gBACL,MAAM;gBACN,SAAS;gBACT,KAAK;gBACL,MAAM;gBACN,OAAO;gBACP,QAAQ;aACT;YACD,aAAa,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,CAAC;YACzC,QAAQ,EAAE,IAAI;YACd,aAAa,EAAE,cAAc,CAAC,EAAE;YAChC,qBAAqB,EAAE,mBAAmB,CAAC,EAAE;YAC7C,oBAAoB,EAAE;gBACpB;oBACE,SAAS,EAAE,gBAAgB;oBAC3B,WAAW,EAAE,YAAY,CAAC,GAAG;iBAC9B;aACF;SACF;QAED,qBAAqB,EAAE;YACrB,yDAAyD;YACzD;gBACE,WAAW,EAAE,aAAa;gBAC1B,cAAc,EAAE,KAAK;gBACrB,oBAAoB,EAAE,mBAAmB;gBACzC,cAAc,EAAE;oBACd,KAAK;oBACL,MAAM;oBACN,SAAS;oBACT,KAAK;oBACL,MAAM;oBACN,OAAO;oBACP,QAAQ;iBACT;gBACD,aAAa,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,CAAC;gBACzC,QAAQ,EAAE,IAAI;gBACd,aAAa,EAAE,sCAAsC;gBACrD,qBAAqB,EAAE,0BAA0B;aAClD;YACD,mDAAmD;YACnD;gBACE,WAAW,EAAE,UAAU;gBACvB,cAAc,EAAE,UAAU;gBAC1B,oBAAoB,EAAE,mBAAmB;gBACzC,cAAc,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,CAAC;gBAC1C,aAAa,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,CAAC;gBACzC,QAAQ,EAAE,IAAI;gBACd,aAAa,EAAE,gBAAgB,CAAC,EAAE;gBAClC,oBAAoB,EAAE;oBACpB;wBACE,SAAS,EAAE,gBAAgB;wBAC3B,WAAW,EAAE,oBAAoB,CAAC,GAAG;qBACtC;iBACF;aACF;YACD,4CAA4C;YAC5C;gBACE,WAAW,EAAE,QAAQ;gBACrB,cAAc,EAAE,cAAc;gBAC9B,oBAAoB,EAAE,mBAAmB;gBACzC,cAAc,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,CAAC;gBAC1C,aAAa,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,CAAC;gBACzC,QAAQ,EAAE,IAAI;gBACd,aAAa,EAAE,gBAAgB,CAAC,EAAE;aACnC;YACD,uCAAuC;YACvC;gBACE,WAAW,EAAE,SAAS;gBACtB,cAAc,EAAE,KAAK;gBACrB,oBAAoB,EAAE,mBAAmB;gBACzC,cAAc,EAAE,CAAC,KAAK,EAAE,MAAM,CAAC;gBAC/B,aAAa,EAAE,CAAC,KAAK,EAAE,MAAM,CAAC;gBAC9B,QAAQ,EAAE,IAAI;gBACd,aAAa,EAAE,sCAAsC;gBACrD,qBAAqB,EAAE,mBAAmB,CAAC,EAAE;aAC9C;SACF;QAED,YAAY,EAAE;YACZ,cAAc,EAAE,EAAE,eAAe,EAAE,MAAM,EAAE;SAC5C;QAED,iBAAiB;KAClB,CACF,CAAC;IAEF,sDAAsD;IACtD,IAAI,GAAG,CAAC,MAAM,CAAC,UAAU,CAAC,GAAG,IAAI,yBAAyB,EAAE;QAC1D,MAAM,EAAE,0BAA0B;QAClC,QAAQ,EAAE,KAAK,CAAC,WAAW,CAAC,IAAI;QAChC,SAAS,EAAE,0BAA0B;QACrC,SAAS,EAAE,YAAY,CAAC,GAAG;KAC5B,CAAC,CAAC;IAEH,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM;QACrB,CAAC,CAAC,YAAY,CAAA,WAAW,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE;QAC3C,CAAC,CAAC,YAAY,CAAA,WAAW,YAAY,CAAC,UAAU,EAAE,CAAC;IAErD,OAAO,EAAE,YAAY,EAAE,GAAG,EAAE,CAAC;AAC/B,CAAC"}

package/dist/image.d.ts ADDED Viewed

@@ -0,0 +1,21 @@
+/**
+ * Image Infrastructure
+ *
+ * Sharp-based image transformation Lambda with HMAC-signed URLs.
+ * Supports dev mode (Node.js source) and package mode (pre-bundled handler).
+ */
+import type { StorageResources } from "./storage.js";
+export interface ImageArgs {
+    contentBucket: StorageResources["contentBucket"];
+    pkgRoot: string;
+    dev?: {
+        /** SST handler string, e.g. "packages/image-lambda/index.handler" */
+        handler: string;
+    };
+}
+export declare function createImage(name: string, args: ImageArgs): {
+    imageSigningSecret: sst.Secret;
+    imageLambda: sst.aws.Function;
+};
+export type ImageResources = ReturnType<typeof createImage>;
+//# sourceMappingURL=image.d.ts.map