headroom-cms 0.1.10 → 0.2.0

package/src/api.ts

@@ -6,16 +6,40 @@
  */
 
 import path from "path";
+import { execSync } from "child_process";
 import type { StorageResources } from "./storage.js";
 import type { AuthResources } from "./auth.js";
 import type { WebhookResources } from "./webhooks.js";
+import type { BackupResources } from "./backup.js";
 import type { ImageResources } from "./image.js";
 import type { CollabTableResources } from "./collaboration.js";
 
+/**
+ * Capture the deploying commit SHA so the API can self-report which build is
+ * running. Read at infra-eval time (once per `sst deploy` / `sst dev`) and
+ * baked into the Lambda's env. Falls back to "unknown" outside a git repo —
+ * never throws, since failing the deploy over a missing SHA would be hostile.
+ */
+function captureGitSha(): string {
+  // Allow CI to inject a specific SHA — useful when builds happen on a
+  // detached checkout where `git rev-parse HEAD` returns the wrong value.
+  const fromEnv = process.env.HEADROOM_GIT_SHA;
+  if (fromEnv) return fromEnv.trim();
+  try {
+    return execSync("git rev-parse HEAD", {
+      encoding: "utf-8",
+      stdio: ["ignore", "pipe", "ignore"],
+    }).trim();
+  } catch {
+    return "unknown";
+  }
+}
+
 export interface ApiArgs {
   storage: StorageResources;
   auth: AuthResources;
   webhooks: WebhookResources;
+  backup: BackupResources;
   image: ImageResources;
   /**
    * Just the collab DynamoDB table — the API Lambda only links the table
@@ -32,7 +56,7 @@ export interface ApiArgs {
 }
 
 export function createApi(name: string, args: ApiArgs) {
-  const { storage, auth, webhooks, image, collab } = args;
+  const { storage, auth, webhooks, backup, image, collab } = args;
 
   const handlerConfig = args.dev
     ? {
@@ -68,8 +92,17 @@ export function createApi(name: string, args: ApiArgs) {
       AWS_REGION_NAME: aws.getRegionOutput().name,
       WEBHOOKS_TABLE: webhooks.webhooks.name,
       WEBHOOK_DELIVERIES_TABLE: webhooks.webhookDeliveries.name,
-      WEBHOOK_QUEUE_URL: webhooks.webhookDeliveryQueue.url,
-      IMAGE_SIGNING_SECRET: image.imageSigningSecret.value,
+      WEBHOOK_WORKER_FUNCTION_NAME: webhooks.webhookWorker.name,
+      // Backup admin endpoints (Phases 3+4): the API Lambda async-invokes
+      // the backup worker and serves list/presign/delete from the backup
+      // bucket directly. Both env vars must be present for /v1/admin/...
+      // backup endpoints to function; unset = 503 from the service layer.
+      BACKUP_BUCKET: storage.backupBucket.name,
+      BACKUP_WORKER_FUNCTION_NAME: backup.backupWorker.name,
+      // The Go API only signs with the primary master and derives the
+      // per-site key per request. It never receives the OLD master —
+      // only the Sharp Lambda's verifier needs it.
+      IMAGE_SIGNING_MASTER_SECRET: image.imageSigningMasterSecret.value,
       IMAGE_LAMBDA_NAME: image.imageLambda.name,
       RELATIONSHIPS_TABLE: storage.relationships.name,
       SITE_USERS_TABLE: storage.siteUsers.name,
@@ -79,6 +112,9 @@ export function createApi(name: string, args: ApiArgs) {
       // `X-Headroom-Internal` against this on internal service calls
       // (collab → draft snapshot). See packages/api/internal/middleware/jwt.go.
       INTERNAL_SECRET: storage.internalSecret.value,
+      // Commit SHA of the source tree at infra-eval time. Surfaced on
+      // /health so operators can map deploys → commits without tagging.
+      GIT_SHA: captureGitSha(),
     },
     link: [
       storage.sites,
@@ -92,12 +128,16 @@ export function createApi(name: string, args: ApiArgs) {
       storage.contentBucket,
       webhooks.webhooks,
       webhooks.webhookDeliveries,
-      webhooks.webhookDeliveryQueue,
-      image.imageSigningSecret,
+      image.imageSigningMasterSecret,
       storage.relationships,
       storage.siteUsers,
       collab.collabTable,
       storage.internalSecret,
+      // Backup bucket — admin endpoints list/presign-get/delete here. The
+      // worker writes here (already linked via backup.ts); the API only
+      // needs read + delete + presign-get + list-bucket, which are all
+      // covered by the SST `link` IAM grant for the bucket.
+      storage.backupBucket,
     ],
     permissions: [
       {
@@ -123,6 +163,19 @@ export function createApi(name: string, args: ApiArgs) {
         actions: ["lambda:InvokeFunction"],
         resources: [image.imageLambda.arn],
       },
+      {
+        // Async invoke of the webhook worker. Replaces the old SQS
+        // SendMessage permission that was previously auto-derived from
+        // linking the queue.
+        actions: ["lambda:InvokeFunction"],
+        resources: [webhooks.webhookWorker.arn],
+      },
+      {
+        // Async invoke of the backup worker — admin endpoints for trigger
+        // backup / restore call lambda:Invoke with InvocationType=Event.
+        actions: ["lambda:InvokeFunction"],
+        resources: [backup.backupWorker.arn],
+      },
       {
         actions: ["ses:SendEmail", "ses:SendRawEmail"],
         resources: ["*"],

package/src/backup.ts

@@ -0,0 +1,114 @@
+/**
+ * Backup Infrastructure
+ *
+ * A single Go Lambda that handles both backup export and restore import.
+ * The API service invokes it synchronously via lambda:InvokeFunction for the
+ * "scheduled" entry point this will gain a daily EventBridge cron (Phase 4).
+ *
+ * The Lambda links every site-scoped table plus the content + backup buckets.
+ * Deliberately NOT linked: Collab, collabStateBucket, SchedulerLock,
+ * WebhookDeliveries — these are transient / operational and excluded from
+ * backup payloads (see steering doc "What's in scope vs. out of scope").
+ */
+
+import path from "path";
+import type { StorageResources } from "./storage.js";
+import type { WebhookResources } from "./webhooks.js";
+
+export interface BackupArgs {
+  storage: StorageResources;
+  webhooks: WebhookResources;
+  pkgRoot: string;
+  dev?: {
+    /** Go source path, e.g. "packages/backup-worker" */
+    handler: string;
+  };
+}
+
+export function createBackup(name: string, args: BackupArgs) {
+  const { storage, webhooks } = args;
+
+  const workerConfig = args.dev
+    ? {
+        handler: args.dev.handler,
+        runtime: "go" as const,
+      }
+    : {
+        bundle: path.join(args.pkgRoot, "lambda/backup-worker"),
+        handler: "bootstrap",
+        runtime: "provided.al2023" as const,
+        architecture: "arm64" as const,
+      };
+
+  const backupWorker = new sst.aws.Function(`${name}BackupWorker`, {
+    ...workerConfig,
+    // 15-minute Lambda budget. Large sites with many media files may bump up
+    // against this; see Deferred "Step Functions for very large sites" for
+    // the escape hatch.
+    timeout: "15 minutes",
+    // Higher than default — the worker holds tar/gzip pipes, an in-memory
+    // 25-row BatchWriteItem buffer, and parallel S3 GetObject buffers.
+    memory: "1024 MB",
+    environment: {
+      SITES_TABLE: storage.sites.name,
+      CONTENT_TABLE: storage.content.name,
+      DRAFT_CONTENT_TABLE: storage.draftContent.name,
+      BLOCKS_TABLE: storage.blocks.name,
+      MEDIA_TABLE: storage.media.name,
+      COLLECTIONS_TABLE: storage.collections.name,
+      BLOCK_TYPES_TABLE: storage.blockTypes.name,
+      ADMIN_AUDIT_TABLE: storage.adminAudit.name,
+      RELATIONSHIPS_TABLE: storage.relationships.name,
+      SITE_USERS_TABLE: storage.siteUsers.name,
+      WEBHOOKS_TABLE: webhooks.webhooks.name,
+      CONTENT_BUCKET: storage.contentBucket.name,
+      BACKUP_BUCKET: storage.backupBucket.name,
+      KVS_ARN: storage.kvs.arn,
+      AWS_REGION_NAME: aws.getRegionOutput().name,
+    },
+    link: [
+      storage.sites,
+      storage.content,
+      storage.draftContent,
+      storage.blocks,
+      storage.media,
+      storage.collections,
+      storage.blockTypes,
+      storage.adminAudit,
+      storage.relationships,
+      storage.siteUsers,
+      webhooks.webhooks,
+      storage.contentBucket,
+      storage.backupBucket,
+    ],
+    permissions: [
+      {
+        // CloudFront KVS resync on restore: re-publish API key hashes so the
+        // edge function recognizes them. Fail-loud per steering §2.1 step 18.
+        actions: [
+          "cloudfront-keyvaluestore:DescribeKeyValueStore",
+          "cloudfront-keyvaluestore:PutKey",
+          "cloudfront-keyvaluestore:DeleteKey",
+          "cloudfront-keyvaluestore:GetKey",
+        ],
+        resources: [storage.kvs.arn],
+      },
+    ],
+  });
+
+  // Phase 4 — daily EventBridge cron that invokes the worker with a
+  // "scheduled" event. The handler scans the Sites table, runs backup +
+  // retention cleanup for every site with backupSchedule.enabled. 02:00
+  // UTC is a low-traffic window for most public sites; tune in the
+  // steering doc if needed. Cost is one Lambda invocation per day per
+  // stack, regardless of site count.
+  const backupCron = new sst.aws.Cron(`${name}BackupSchedule`, {
+    schedule: "cron(0 2 * * ? *)",
+    function: backupWorker.arn,
+    event: { type: "scheduled" },
+  });
+
+  return { backupWorker, backupCron };
+}
+
+export type BackupResources = ReturnType<typeof createBackup>;

package/src/{cdn.ts → cdn-api.ts}

@@ -1,18 +1,16 @@
 /**
- * CDN Infrastructure
+ * API CDN Infrastructure
  *
- * CloudFront distribution with edge authentication, version-based caching,
- * direct S3 media serving, and Sharp Lambda image transforms.
+ * CloudFront distribution for the Headroom API only — `/v1/*` and `/health`.
+ * Edge-auth function + KVS association live here. No `/media/*` or `/img/*`
+ * behaviors; those are served by the separate media CDN (see cdn-media.ts).
  */
 
 import type { StorageResources } from "./storage.js";
 import type { ApiResources } from "./api.js";
-import type { ImageResources } from "./image.js";
 
-export interface CdnArgs {
+export interface ApiCdnArgs {
   api: ApiResources;
-  image: ImageResources;
-  contentBucket: StorageResources["contentBucket"];
   kvs: StorageResources["kvs"];
   priceClass?: "PriceClass_100" | "PriceClass_200" | "PriceClass_All";
   apiCacheTtl?: number;
@@ -22,8 +20,8 @@ export interface CdnArgs {
   };
 }
 
-export function createCdn(name: string, args: CdnArgs) {
-  const { api, image, contentBucket, kvs } = args;
+export function createApiCdn(name: string, args: ApiCdnArgs) {
+  const { api, kvs } = args;
   const apiCacheTtl = args.apiCacheTtl ?? 3600;
 
   // Extract KVS UUID from ARN (cf.kvs() needs the UUID, not the name)
@@ -109,36 +107,6 @@ export function createCdn(name: string, args: CdnArgs) {
   `,
   });
 
-  // =========================================================================
-  // CloudFront Function: Media Rewrite
-  // =========================================================================
-  const mediaRewriteFunction = new aws.cloudfront.Function(
-    `${name}MediaRewrite`,
-    {
-      name: $interpolate`${$app.name}-${$app.stage}-media-rewrite`,
-      runtime: "cloudfront-js-2.0",
-      publish: true,
-      code: `
-    function handler(event) {
-      var request = event.request;
-      var uri = request.uri;
-
-      // Rewrite /media/{site}/{mediaId}/{file} → /sites/{site}/media/{mediaId}/{file}
-      var parts = uri.split('/');
-      // parts: ['', 'media', '{site}', '{mediaId}', '{file}']
-      if (parts.length >= 5 && parts[1] === 'media') {
-        var site = parts[2];
-        var mediaId = parts[3];
-        var rest = parts.slice(4).join('/');
-        request.uri = '/sites/' + site + '/media/' + mediaId + '/' + rest;
-      }
-
-      return request;
-    }
-  `,
-    },
-  );
-
   // =========================================================================
   // Cache Policies
   // =========================================================================
@@ -175,64 +143,14 @@ export function createCdn(name: string, args: CdnArgs) {
     },
   );
 
-  const imageCachePolicy = new aws.cloudfront.CachePolicy(
-    `${name}ImageCachePolicy`,
-    {
-      name: $interpolate`${$app.name}-${$app.stage}-image-cache`,
-      comment: "Cache policy for transformed images (immutable)",
-      defaultTtl: 31536000,
-      maxTtl: 31536000,
-      minTtl: 31536000,
-      parametersInCacheKeyAndForwardedToOrigin: {
-        cookiesConfig: { cookieBehavior: "none" },
-        headersConfig: { headerBehavior: "none" },
-        queryStringsConfig: {
-          queryStringBehavior: "whitelist",
-          queryStrings: {
-            items: ["w", "h", "fit", "format", "q", "sig"],
-          },
-        },
-        enableAcceptEncodingBrotli: true,
-        enableAcceptEncodingGzip: true,
-      },
-    },
-  );
-
-  const mediaCachePolicy = new aws.cloudfront.CachePolicy(
-    `${name}MediaCachePolicy`,
-    {
-      name: $interpolate`${$app.name}-${$app.stage}-media-cache`,
-      comment: "Cache policy for original media files (immutable)",
-      defaultTtl: 31536000,
-      maxTtl: 31536000,
-      minTtl: 31536000,
-      parametersInCacheKeyAndForwardedToOrigin: {
-        cookiesConfig: { cookieBehavior: "none" },
-        headersConfig: { headerBehavior: "none" },
-        queryStringsConfig: { queryStringBehavior: "none" },
-        enableAcceptEncodingBrotli: true,
-        enableAcceptEncodingGzip: true,
-      },
-    },
-  );
-
-  const versionCachePolicy = new aws.cloudfront.CachePolicy(
-    `${name}VersionCachePolicy`,
-    {
-      name: $interpolate`${$app.name}-${$app.stage}-version-cache`,
-      comment: "Short-TTL cache for /version to absorb client polling",
-      minTtl: 0,
-      defaultTtl: 2,
-      maxTtl: 2,
-      parametersInCacheKeyAndForwardedToOrigin: {
-        cookiesConfig: { cookieBehavior: "none" },
-        headersConfig: { headerBehavior: "none" },
-        queryStringsConfig: { queryStringBehavior: "none" },
-        enableAcceptEncodingBrotli: true,
-        enableAcceptEncodingGzip: true,
-      },
-    },
-  );
+  // NOTE: the old `versionCachePolicy` (custom 2-second TTL) was deleted
+  // when /version began returning the per-site image signing secret.
+  // CloudFront custom cache policies do not honor `Cache-Control: private`
+  // from the origin — the explicit TTLs would win and the response (with
+  // the secret) would be edge-cached for 2s. We now use the AWS-managed
+  // `CachingDisabled` policy below for /v1/*/version, so the origin's
+  // `Cache-Control: private, max-age=2` is what reaches the browser
+  // (short-window in-browser cache) while the edge bypasses caching.
 
   // =========================================================================
   // Origin Request Policy
@@ -275,26 +193,6 @@ export function createCdn(name: string, args: CdnArgs) {
   // authenticated behaviors below.
   const cachingDisabledPolicyId = "4135ea2d-6df8-44a3-9df3-4b5a84be39ad";
 
-  // =========================================================================
-  // Origin Access Controls (OAC)
-  // =========================================================================
-
-  const mediaOAC = new aws.cloudfront.OriginAccessControl(`${name}MediaOAC`, {
-    name: $interpolate`${$app.name}-${$app.stage}-media-oac`,
-    description: "OAC for S3 media origin",
-    originAccessControlOriginType: "s3",
-    signingBehavior: "always",
-    signingProtocol: "sigv4",
-  });
-
-  const imageOAC = new aws.cloudfront.OriginAccessControl(`${name}ImageOAC`, {
-    name: $interpolate`${$app.name}-${$app.stage}-image-oac`,
-    description: "OAC for image transform Lambda origin",
-    originAccessControlOriginType: "lambda",
-    signingBehavior: "always",
-    signingProtocol: "sigv4",
-  });
-
   // =========================================================================
   // CloudFront Distribution
   // =========================================================================
@@ -304,13 +202,6 @@ export function createCdn(name: string, args: CdnArgs) {
     return parsed.hostname;
   });
 
-  const imageLambdaDomain = image.imageLambda.url.apply((url: string) => {
-    const parsed = new URL(url);
-    return parsed.hostname;
-  });
-
-  const s3RegionalDomain = $interpolate`${contentBucket.name}.s3.${aws.getRegionOutput().name}.amazonaws.com`;
-
   const priceClass = args.priceClass ?? "PriceClass_100";
 
   // Build aliases and certificate config for custom domain
@@ -345,25 +236,6 @@ export function createCdn(name: string, args: CdnArgs) {
             originSslProtocols: ["TLSv1.2"],
           },
         },
-        {
-          originId: "media-s3",
-          domainName: s3RegionalDomain,
-          originAccessControlId: mediaOAC.id,
-          s3OriginConfig: {
-            originAccessIdentity: "",
-          },
-        },
-        {
-          originId: "image-lambda",
-          domainName: imageLambdaDomain,
-          originAccessControlId: imageOAC.id,
-          customOriginConfig: {
-            httpPort: 80,
-            httpsPort: 443,
-            originProtocolPolicy: "https-only",
-            originSslProtocols: ["TLSv1.2"],
-          },
-        },
       ],
 
       defaultCacheBehavior: {
@@ -440,10 +312,17 @@ export function createCdn(name: string, args: CdnArgs) {
             },
           ],
         },
-        // Version endpoint: short-TTL cache (2s) shared across all consumers
-        // for a given site. The edge function still runs for API key
-        // validation. Placed before /v1/*/users/* and the default behavior
-        // because CloudFront evaluates path patterns in order, first match wins.
+        // Version endpoint: caching DISABLED at the edge. /version now
+        // carries a per-site image signing secret in the body, so the
+        // shared edge cache must not hold it. The origin sets
+        // `Cache-Control: private, max-age=2` so browsers may still cache
+        // for the 2-second window — that absorbs single-flight contention
+        // from the same client without exposing the secret to any other
+        // viewer.
+        //
+        // Tradeoff: origin Lambda invocations on /version are now one per
+        // client poll instead of one per 2-second edge window. The SDK
+        // polls every 10s by default, so the impact is bounded.
         //
         // NOTE: pathPattern "/v1/*/version" matches exact "/version" only.
         // CloudFront's `*` wildcard does not span path segments, so any
@@ -455,7 +334,7 @@ export function createCdn(name: string, args: CdnArgs) {
           allowedMethods: ["GET", "HEAD", "OPTIONS"],
           cachedMethods: ["GET", "HEAD", "OPTIONS"],
           compress: true,
-          cachePolicyId: versionCachePolicy.id,
+          cachePolicyId: cachingDisabledPolicyId,
           originRequestPolicyId: originRequestPolicy.id,
           functionAssociations: [
             {
@@ -549,32 +428,6 @@ export function createCdn(name: string, args: CdnArgs) {
             },
           ],
         },
-        // Media originals: served directly from S3 via OAC
-        {
-          pathPattern: "/media/*",
-          targetOriginId: "media-s3",
-          viewerProtocolPolicy: "redirect-to-https",
-          allowedMethods: ["GET", "HEAD", "OPTIONS"],
-          cachedMethods: ["GET", "HEAD", "OPTIONS"],
-          compress: true,
-          cachePolicyId: mediaCachePolicy.id,
-          functionAssociations: [
-            {
-              eventType: "viewer-request",
-              functionArn: mediaRewriteFunction.arn,
-            },
-          ],
-        },
-        // Image transforms: served via Sharp Lambda
-        {
-          pathPattern: "/img/*",
-          targetOriginId: "image-lambda",
-          viewerProtocolPolicy: "redirect-to-https",
-          allowedMethods: ["GET", "HEAD", "OPTIONS"],
-          cachedMethods: ["GET", "HEAD", "OPTIONS"],
-          compress: true,
-          cachePolicyId: imageCachePolicy.id,
-        },
         // Health endpoint: no caching, no auth
         {
           pathPattern: "/health",
@@ -596,14 +449,6 @@ export function createCdn(name: string, args: CdnArgs) {
     },
   );
 
-  // Allow CloudFront to invoke the image Lambda via OAC
-  new aws.lambda.Permission(`${name}ImageLambdaCFPermission`, {
-    action: "lambda:InvokeFunctionUrl",
-    function: image.imageLambda.name,
-    principal: "cloudfront.amazonaws.com",
-    sourceArn: distribution.arn,
-  });
-
   const url = args.domain
     ? $interpolate`https://${args.domain.name}`
     : $interpolate`https://${distribution.domainName}`;
@@ -611,4 +456,4 @@ export function createCdn(name: string, args: CdnArgs) {
   return { distribution, url };
 }
 
-export type CdnResources = ReturnType<typeof createCdn>;
+export type ApiCdnResources = ReturnType<typeof createApiCdn>;