npm - headroom-cms - Versions diffs - 0.1.10 → 0.2.0 - Mend

headroom-cms 0.1.10 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (154) hide show

package/README.md +11 -6
package/admin/.well-known/headroom.json +9 -0
package/admin/assets/{AdminsPage-BIWASote.js → AdminsPage-DUMTsCEp.js} +1 -1
package/admin/assets/{AllContentPage-1gXe2OC7.js → AllContentPage-D5ey5AOV.js} +1 -1
package/admin/assets/{ApiKeysPage-BBW4ATBx.js → ApiKeysPage-CzUOSoz_.js} +1 -1
package/admin/assets/{AuditPage-B5GGFWGG.js → AuditPage-CYAg4dbI.js} +1 -1
package/admin/assets/BackupsPage-04_oMy3v.js +1 -0
package/admin/assets/{BlockEditor-ClskiZoX.js → BlockEditor-s0CRZsjy.js} +3 -3
package/admin/assets/BlockTypeEditPage-D1OFIlJZ.js +1 -0
package/admin/assets/{BlockTypesPage-D8Me6OeX.js → BlockTypesPage-cJNR25fN.js} +1 -1
package/admin/assets/{BulkActionBar--35xjnOP.js → BulkActionBar-BWysX7Wo.js} +1 -1
package/admin/assets/CollectionEditPage-DRmCA_73.js +1 -0
package/admin/assets/{CollectionsPage-BQmGXpvW.js → CollectionsPage-CeQB5e9u.js} +1 -1
package/admin/assets/{ContentCreatePage-DlgxamOe.js → ContentCreatePage-Cq8Pi8EF.js} +1 -1
package/admin/assets/ContentEditPage-CEJ7I3WH.js +1 -0
package/admin/assets/{ContentField-D04Uo1Ov.js → ContentField-BZT4OUfI.js} +1 -1
package/admin/assets/ContentListPage-BCEQrYVs.js +1 -0
package/admin/assets/{CustomBlockPreview-Cs9bFDh4.js → CustomBlockPreview-Kc6bb3oq.js} +1 -1
package/admin/assets/FieldRenderer-CT-DgCbC.js +2 -0
package/admin/assets/FileTypeIcon-CNHtffHC.js +1 -0
package/admin/assets/FloatingComposerController-D4uLQfUX-0_Y8mkGU.js +1 -0
package/admin/assets/IconPicker-BpPlHJO0.js +3 -0
package/admin/assets/{LoginPage-Bi7TBzK4.js → LoginPage-Dya8sF_P.js} +1 -1
package/admin/assets/MediaField-C3qFf3g5.js +1 -0
package/admin/assets/MediaPage-BNxc0wLq.js +1 -0
package/admin/assets/{Pagination-CuHwUPHi.js → Pagination-Dx8h11Rn.js} +1 -1
package/admin/assets/{RelationshipPicker-Dv7GaLcU.js → RelationshipPicker-C2MTxrhl.js} +1 -1
package/admin/assets/{SiteSettingsPage-nBT7NzkA.js → SiteSettingsPage-BDZaUBmf.js} +1 -1
package/admin/assets/{SiteUserEditPage-DroUTii9.js → SiteUserEditPage-MfzhPW7v.js} +1 -1
package/admin/assets/{SiteUsersPage-iVXPCBPe.js → SiteUsersPage-CrYugXpx.js} +1 -1
package/admin/assets/{SitesPage-BefZeWuJ.js → SitesPage-Cl8V3Hb7.js} +1 -1
package/admin/assets/SubmissionDetailPage-BnVlsGb-.js +1 -0
package/admin/assets/SubmissionEditPage-B0Kq52fb.js +1 -0
package/admin/assets/SubmissionListPage-K665VwMp.js +1 -0
package/admin/assets/{TagInput-d-Hw1fkL.js → TagInput-C6tcB5Xw.js} +1 -1
package/admin/assets/{TagsPage-BZzDvcKa.js → TagsPage-BONR6bSu.js} +1 -1
package/admin/assets/{UsersPage-CnQAOOGF.js → UsersPage-C2iCy0UR.js} +1 -1
package/admin/assets/{WebhookEditPage-KeS8hmdW.js → WebhookEditPage-DjZFxT72.js} +1 -1
package/admin/assets/{WebhooksPage-CASjmlPN.js → WebhooksPage-g_a224a4.js} +1 -1
package/admin/assets/{card-CZTHR2Qa.js → card-DlfsF8lU.js} +1 -1
package/admin/assets/{checkbox-DEgzM8H9.js → checkbox-BX8EcGFf.js} +1 -1
package/admin/assets/{command-CdzYw11U.js → command-DaTsImUa.js} +1 -1
package/admin/assets/{contentStatus-CkPi9Dh6.js → contentStatus-WXGfd7vX.js} +1 -1
package/admin/assets/format-BRcflvs9.js +1 -0
package/admin/assets/index-9sbb3-yI.css +1 -0
package/admin/assets/{index-BA3y7HJs.js → index-DC1UyCW2.js} +10 -10
package/admin/assets/listCellValue-CBqXAwce.js +1 -0
package/admin/assets/media-url-DdCoIedP.js +1 -0
package/admin/assets/{popover-BFw_h3j6.js → popover-BA-47SRI.js} +1 -1
package/admin/assets/{select-dX9e6VDt.js → select-waaVyoQ5.js} +1 -1
package/admin/assets/serializeToText-CjHhyvXp.js +2 -0
package/admin/assets/{table-Dk7eeOt2.js → table-Br-QgtTL.js} +1 -1
package/admin/assets/{textarea-CpDSUg2s.js → textarea-BILv1DQB.js} +1 -1
package/admin/assets/useAdminResolver-CbDzGoDp.js +1 -0
package/admin/assets/useContent-Bp4f9qe0.js +1 -0
package/admin/assets/{useContentSearch-_bwacEth.js → useContentSearch-DbiA8aG-.js} +1 -1
package/admin/assets/{usePageTitle-DYvuJQp6.js → usePageTitle-DOEFrHbj.js} +1 -1
package/admin/assets/{useSiteUsers-CKtC_8Jc.js → useSiteUsers-BFYAbJNT.js} +1 -1
package/admin/assets/{useTags-ybsMbCst.js → useTags-DJlXwDyc.js} +1 -1
package/admin/assets/{useWebhooks-BAB-3sLa.js → useWebhooks-BkpJKNLN.js} +1 -1
package/admin/favicon-16x16.png +0 -0
package/admin/favicon-32x32.png +0 -0
package/admin/icons/icon-180x180.png +0 -0
package/admin/icons/icon-192x192.png +0 -0
package/admin/icons/icon-512x512.png +0 -0
package/admin/icons/maskable-icon-512x512.png +0 -0
package/admin/index.html +2 -2
package/admin/sw.js +1 -1
package/admin/workbox-362996ec.js +1 -0
package/dist/admin-site.d.ts +4 -2
package/dist/admin-site.d.ts.map +1 -1
package/dist/admin-site.js +49 -6
package/dist/admin-site.js.map +1 -1
package/dist/api.d.ts +2 -0
package/dist/api.d.ts.map +1 -1
package/dist/api.js +57 -5
package/dist/api.js.map +1 -1
package/dist/backup.d.ts +29 -0
package/dist/backup.d.ts.map +1 -0
package/dist/backup.js +95 -0
package/dist/backup.js.map +1 -0
package/dist/cdn-api.d.ts +25 -0
package/dist/cdn-api.d.ts.map +1 -0
package/dist/{cdn.js → cdn-api.js} +27 -158
package/dist/cdn-api.js.map +1 -0
package/dist/cdn-media.d.ts +26 -0
package/dist/cdn-media.d.ts.map +1 -0
package/dist/cdn-media.js +202 -0
package/dist/cdn-media.js.map +1 -0
package/dist/image.d.ts +8 -1
package/dist/image.d.ts.map +1 -1
package/dist/image.js +26 -6
package/dist/image.js.map +1 -1
package/dist/index.d.ts +18 -3
package/dist/index.d.ts.map +1 -1
package/dist/index.js +52 -10
package/dist/index.js.map +1 -1
package/dist/storage.d.ts +1 -0
package/dist/storage.d.ts.map +1 -1
package/dist/storage.js +21 -0
package/dist/storage.js.map +1 -1
package/dist/webhooks.d.ts +4 -3
package/dist/webhooks.d.ts.map +1 -1
package/dist/webhooks.js +22 -35
package/dist/webhooks.js.map +1 -1
package/lambda/api/bootstrap +0 -0
package/lambda/backup-worker/bootstrap +0 -0
package/lambda/image-lambda/index.mjs +30 -6
package/lambda/image-lambda/node_modules/.package-lock.json +3 -3
package/lambda/image-lambda/node_modules/semver/README.md +19 -4
package/lambda/image-lambda/node_modules/semver/bin/semver.js +14 -10
package/lambda/image-lambda/node_modules/semver/classes/range.js +7 -0
package/lambda/image-lambda/node_modules/semver/functions/truncate.js +48 -0
package/lambda/image-lambda/node_modules/semver/index.js +2 -0
package/lambda/image-lambda/node_modules/semver/internal/re.js +1 -1
package/lambda/image-lambda/node_modules/semver/package.json +3 -3
package/lambda/image-lambda/node_modules/semver/range.bnf +5 -4
package/lambda/image-lambda/node_modules/semver/ranges/subset.js +2 -2
package/lambda/webhook-worker/bootstrap +0 -0
package/package.json +1 -1
package/src/admin-site.ts +53 -8
package/src/api.ts +58 -5
package/src/backup.ts +114 -0
package/src/{cdn.ts → cdn-api.ts} +28 -183
package/src/cdn-media.ts +250 -0
package/src/image.ts +30 -6
package/src/index.ts +71 -12
package/src/sst-env.d.ts +4 -0
package/src/storage.ts +22 -0
package/src/webhooks.ts +22 -39
package/admin/assets/BlockTypeEditPage-CY0gCPei.js +0 -1
package/admin/assets/CollectionEditPage-y8t0ZO89.js +0 -1
package/admin/assets/ContentEditPage-WkSbCnnG.js +0 -1
package/admin/assets/ContentListPage-BDMx7pWb.js +0 -1
package/admin/assets/FieldRenderer-wE-mtqZB.js +0 -2
package/admin/assets/FilterBar-kFcOLffg.js +0 -1
package/admin/assets/FloatingComposerController-D4uLQfUX-C0Lhbmda.js +0 -1
package/admin/assets/IconPicker-BrgSAsa_.js +0 -3
package/admin/assets/MediaField-B-Cz8TlK.js +0 -1
package/admin/assets/MediaPage-C84p9d1U.js +0 -1
package/admin/assets/SubmissionDetailPage-ktmzzOE1.js +0 -1
package/admin/assets/SubmissionEditPage-C-ykTI2t.js +0 -1
package/admin/assets/SubmissionListPage-DA-8deUy.js +0 -1
package/admin/assets/format-C88SDH8g.js +0 -1
package/admin/assets/index-c7UygSvP.css +0 -1
package/admin/assets/media-url-DIg_vSyf.js +0 -1
package/admin/assets/serializeToText-Zin3gYPm.js +0 -2
package/admin/assets/useAdminResolver-Bljb4XGQ.js +0 -1
package/admin/assets/useContent-CW0tm0FY.js +0 -1
package/admin/assets/useMedia-Cu5N4rY8.js +0 -1
package/admin/workbox-7d58179f.js +0 -1
package/dist/cdn.d.ts +0 -27
package/dist/cdn.d.ts.map +0 -1
package/dist/cdn.js.map +0 -1

package/src/cdn-media.ts ADDED Viewed

@@ -0,0 +1,250 @@
+/**
+ * Media CDN Infrastructure
+ *
+ * CloudFront distribution for the public media surface — `/media/*` and
+ * `/img/*` only. No edge auth (`/media/*` is OAC-public, `/img/*` is HMAC
+ * signed at the Sharp Lambda). The default behavior targets the S3 origin
+ * with no rewrite, so unmatched paths return AccessDenied from S3 — defense
+ * in depth.
+ */
+import type { StorageResources } from "./storage.js";
+import type { ImageResources } from "./image.js";
+export interface MediaCdnArgs {
+  image: ImageResources;
+  contentBucket: StorageResources["contentBucket"];
+  priceClass?: "PriceClass_100" | "PriceClass_200" | "PriceClass_All";
+  domain?: {
+    name: string;
+    certificateArn: string;
+  };
+}
+export function createMediaCdn(name: string, args: MediaCdnArgs) {
+  const { image, contentBucket } = args;
+  // =========================================================================
+  // CloudFront Function: Media Rewrite
+  // =========================================================================
+  const mediaRewriteFunction = new aws.cloudfront.Function(
+    `${name}MediaRewrite`,
+    {
+      name: $interpolate`${$app.name}-${$app.stage}-media-rewrite`,
+      runtime: "cloudfront-js-2.0",
+      publish: true,
+      code: `
+    function handler(event) {
+      var request = event.request;
+      var uri = request.uri;
+      // Rewrite /media/{site}/{mediaId}/{file} → /sites/{site}/media/{mediaId}/{file}
+      var parts = uri.split('/');
+      // parts: ['', 'media', '{site}', '{mediaId}', '{file}']
+      if (parts.length >= 5 && parts[1] === 'media') {
+        var site = parts[2];
+        var mediaId = parts[3];
+        var rest = parts.slice(4).join('/');
+        request.uri = '/sites/' + site + '/media/' + mediaId + '/' + rest;
+      }
+      return request;
+    }
+  `,
+    },
+  );
+  // =========================================================================
+  // Cache Policies
+  // =========================================================================
+  const imageCachePolicy = new aws.cloudfront.CachePolicy(
+    `${name}ImageCachePolicy`,
+    {
+      name: $interpolate`${$app.name}-${$app.stage}-image-cache`,
+      comment: "Cache policy for transformed images (immutable)",
+      defaultTtl: 31536000,
+      maxTtl: 31536000,
+      minTtl: 31536000,
+      parametersInCacheKeyAndForwardedToOrigin: {
+        cookiesConfig: { cookieBehavior: "none" },
+        headersConfig: { headerBehavior: "none" },
+        queryStringsConfig: {
+          queryStringBehavior: "whitelist",
+          queryStrings: {
+            items: ["w", "h", "fit", "format", "q", "sig"],
+          },
+        },
+        enableAcceptEncodingBrotli: true,
+        enableAcceptEncodingGzip: true,
+      },
+    },
+  );
+  const mediaCachePolicy = new aws.cloudfront.CachePolicy(
+    `${name}MediaCachePolicy`,
+    {
+      name: $interpolate`${$app.name}-${$app.stage}-media-cache`,
+      comment: "Cache policy for original media files (immutable)",
+      defaultTtl: 31536000,
+      maxTtl: 31536000,
+      minTtl: 31536000,
+      parametersInCacheKeyAndForwardedToOrigin: {
+        cookiesConfig: { cookieBehavior: "none" },
+        headersConfig: { headerBehavior: "none" },
+        queryStringsConfig: { queryStringBehavior: "none" },
+        enableAcceptEncodingBrotli: true,
+        enableAcceptEncodingGzip: true,
+      },
+    },
+  );
+  // =========================================================================
+  // Origin Access Controls (OAC)
+  // =========================================================================
+  const mediaOAC = new aws.cloudfront.OriginAccessControl(`${name}MediaOAC`, {
+    name: $interpolate`${$app.name}-${$app.stage}-media-oac`,
+    description: "OAC for S3 media origin",
+    originAccessControlOriginType: "s3",
+    signingBehavior: "always",
+    signingProtocol: "sigv4",
+  });
+  const imageOAC = new aws.cloudfront.OriginAccessControl(`${name}ImageOAC`, {
+    name: $interpolate`${$app.name}-${$app.stage}-image-oac`,
+    description: "OAC for image transform Lambda origin",
+    originAccessControlOriginType: "lambda",
+    signingBehavior: "always",
+    signingProtocol: "sigv4",
+  });
+  // =========================================================================
+  // CloudFront Distribution
+  // =========================================================================
+  const imageLambdaDomain = image.imageLambda.url.apply((url: string) => {
+    const parsed = new URL(url);
+    return parsed.hostname;
+  });
+  const s3RegionalDomain = $interpolate`${contentBucket.name}.s3.${aws.getRegionOutput().name}.amazonaws.com`;
+  const priceClass = args.priceClass ?? "PriceClass_100";
+  // Build aliases and certificate config for custom domain
+  const aliases = args.domain ? [args.domain.name] : undefined;
+  const viewerCertificate = args.domain
+    ? {
+        acmCertificateArn: args.domain.certificateArn,
+        sslSupportMethod: "sni-only" as const,
+        minimumProtocolVersion: "TLSv1.2_2021" as const,
+      }
+    : {
+        cloudfrontDefaultCertificate: true,
+      };
+  // Fresh resource ID `${name}MediaDistribution` (parallel to
+  // `${name}ApiDistribution` in cdn-api.ts) — same blue/green rationale.
+  const distribution = new aws.cloudfront.Distribution(
+    `${name}MediaDistribution`,
+    {
+      enabled: true,
+      comment: $interpolate`Headroom CMS Media - ${$app.stage}`,
+      httpVersion: "http2and3",
+      priceClass,
+      aliases,
+      origins: [
+        {
+          originId: "media-s3",
+          domainName: s3RegionalDomain,
+          originAccessControlId: mediaOAC.id,
+          s3OriginConfig: {
+            originAccessIdentity: "",
+          },
+        },
+        {
+          originId: "image-lambda",
+          domainName: imageLambdaDomain,
+          originAccessControlId: imageOAC.id,
+          customOriginConfig: {
+            httpPort: 80,
+            httpsPort: 443,
+            originProtocolPolicy: "https-only",
+            originSslProtocols: ["TLSv1.2"],
+          },
+        },
+      ],
+      // Default behavior: target media-s3 with mediaCachePolicy and NO
+      // viewer-request rewrite. Anything not under /media/* or /img/* hits
+      // S3 with the original URI and returns 403 AccessDenied — defense in
+      // depth so a typo can't accidentally rewrite to a real S3 key.
+      defaultCacheBehavior: {
+        targetOriginId: "media-s3",
+        viewerProtocolPolicy: "redirect-to-https",
+        allowedMethods: ["GET", "HEAD", "OPTIONS"],
+        cachedMethods: ["GET", "HEAD", "OPTIONS"],
+        compress: true,
+        cachePolicyId: mediaCachePolicy.id,
+      },
+      orderedCacheBehaviors: [
+        // Media originals: served directly from S3 via OAC. Explicit (not
+        // implicit-via-default) so the rewrite never runs on unrelated paths.
+        {
+          pathPattern: "/media/*",
+          targetOriginId: "media-s3",
+          viewerProtocolPolicy: "redirect-to-https",
+          allowedMethods: ["GET", "HEAD", "OPTIONS"],
+          cachedMethods: ["GET", "HEAD", "OPTIONS"],
+          compress: true,
+          cachePolicyId: mediaCachePolicy.id,
+          functionAssociations: [
+            {
+              eventType: "viewer-request",
+              functionArn: mediaRewriteFunction.arn,
+            },
+          ],
+        },
+        // Image transforms: served via Sharp Lambda
+        {
+          pathPattern: "/img/*",
+          targetOriginId: "image-lambda",
+          viewerProtocolPolicy: "redirect-to-https",
+          allowedMethods: ["GET", "HEAD", "OPTIONS"],
+          cachedMethods: ["GET", "HEAD", "OPTIONS"],
+          compress: true,
+          cachePolicyId: imageCachePolicy.id,
+        },
+      ],
+      restrictions: {
+        geoRestriction: { restrictionType: "none" },
+      },
+      viewerCertificate,
+    },
+  );
+  // Allow CloudFront to invoke the image Lambda via OAC.
+  // CRITICAL: sourceArn must reference the MEDIA distribution's ARN. Pointing
+  // it at the API CDN ARN would silently break image transforms in a way
+  // that's hard to spot from logs. (Single most-important consistency point
+  // per the design doc.)
+  new aws.lambda.Permission(`${name}ImageLambdaCFPermission`, {
+    action: "lambda:InvokeFunctionUrl",
+    function: image.imageLambda.name,
+    principal: "cloudfront.amazonaws.com",
+    sourceArn: distribution.arn,
+  });
+  const url = args.domain
+    ? $interpolate`https://${args.domain.name}`
+    : $interpolate`https://${distribution.domainName}`;
+  return { distribution, url };
+}
+export type MediaCdnResources = ReturnType<typeof createMediaCdn>;

package/src/image.ts CHANGED Viewed

@@ -3,6 +3,12 @@
  *
  * Sharp-based image transformation Lambda with HMAC-signed URLs.
  * Supports dev mode (Node.js source) and package mode (pre-bundled handler).
+ *
+ * The signing key is per-site: the Lambda derives it from a master KDF
+ * input (HMAC-SHA256(master, site)) so leaking one site's key cannot be
+ * used to forge URLs for another site. The OLD master is an opt-in
+ * fallback for smooth rotation — the Sharp Lambda accepts either, the Go
+ * API only signs with the primary.
  */
 import path from "path";
@@ -18,7 +24,15 @@ export interface ImageArgs {
 }
 export function createImage(name: string, args: ImageArgs) {
-  const imageSigningSecret = new sst.Secret(`${name}ImageSigningSecret`);
+  const imageSigningMasterSecret = new sst.Secret(
+    `${name}ImageSigningMasterSecret`,
+  );
+  // Optional fallback master used during rotation. SST treats unset
+  // secrets as empty strings, which the Lambda's deriveSiteSecret turns
+  // into a null per-site key — disabling the fallback path entirely.
+  const imageSigningMasterSecretOld = new sst.Secret(
+    `${name}ImageSigningMasterSecretOld`,
+  );
   let imageLambda: sst.aws.Function;
   if (args.dev) {
@@ -36,9 +50,14 @@ export function createImage(name: string, args: ImageArgs) {
       },
       environment: {
         CONTENT_BUCKET: args.contentBucket.name,
-        IMAGE_SIGNING_SECRET: imageSigningSecret.value,
+        IMAGE_SIGNING_MASTER_SECRET: imageSigningMasterSecret.value,
+        IMAGE_SIGNING_MASTER_SECRET_OLD: imageSigningMasterSecretOld.value,
       },
-      link: [args.contentBucket, imageSigningSecret],
+      link: [
+        args.contentBucket,
+        imageSigningMasterSecret,
+        imageSigningMasterSecretOld,
+      ],
     });
   } else {
     imageLambda = new sst.aws.Function(`${name}ImageLambda`, {
@@ -53,13 +72,18 @@ export function createImage(name: string, args: ImageArgs) {
       },
       environment: {
         CONTENT_BUCKET: args.contentBucket.name,
-        IMAGE_SIGNING_SECRET: imageSigningSecret.value,
+        IMAGE_SIGNING_MASTER_SECRET: imageSigningMasterSecret.value,
+        IMAGE_SIGNING_MASTER_SECRET_OLD: imageSigningMasterSecretOld.value,
       },
-      link: [args.contentBucket, imageSigningSecret],
+      link: [
+        args.contentBucket,
+        imageSigningMasterSecret,
+        imageSigningMasterSecretOld,
+      ],
     });
   }
-  return { imageSigningSecret, imageLambda };
+  return { imageSigningMasterSecret, imageSigningMasterSecretOld, imageLambda };
 }
 export type ImageResources = ReturnType<typeof createImage>;

package/src/index.ts CHANGED Viewed

@@ -10,9 +10,11 @@ import path from "path";
 import { createStorage } from "./storage.js";
 import { createAuth } from "./auth.js";
 import { createWebhooks } from "./webhooks.js";
+import { createBackup } from "./backup.js";
 import { createImage } from "./image.js";
 import { createApi } from "./api.js";
-import { createCdn } from "./cdn.js";
+import { createApiCdn } from "./cdn-api.js";
+import { createMediaCdn } from "./cdn-media.js";
 import { createScheduler } from "./scheduler.js";
 import { createCollabTable, createCollabHandler } from "./collaboration.js";
 import { createAdminSite } from "./admin-site.js";
@@ -47,9 +49,11 @@ function resolvePkgRoot(): string {
 export type { StorageResources } from "./storage.js";
 export type { AuthResources } from "./auth.js";
 export type { WebhookResources } from "./webhooks.js";
+export type { BackupResources } from "./backup.js";
 export type { ImageResources } from "./image.js";
 export type { ApiResources } from "./api.js";
-export type { CdnResources } from "./cdn.js";
+export type { ApiCdnResources } from "./cdn-api.js";
+export type { MediaCdnResources } from "./cdn-media.js";
 export type { SchedulerResources } from "./scheduler.js";
 export type { CollaborationResources } from "./collaboration.js";
 export type { AdminSiteResources } from "./admin-site.js";
@@ -63,7 +67,7 @@ export interface HeadroomCMSArgs {
   senderEmail: string;
   /**
-   * Custom domain for the CDN (API endpoint).
+   * Custom domain for the API CDN (`/v1/*` and `/health`).
    * If not provided, uses the default CloudFront domain.
    */
   domain?: {
@@ -72,6 +76,17 @@ export interface HeadroomCMSArgs {
     certificateArn: string;
   };
+  /**
+   * Custom domain for the media CDN (S3 + image-Lambda origin, serves
+   * `/media/*` and `/img/*`). If not provided, uses the default CloudFront
+   * domain. The certificate must be in us-east-1, same as `domain`.
+   */
+  mediaDomain?: {
+    name: string;
+    /** ACM certificate ARN (must be in us-east-1 for CloudFront) */
+    certificateArn: string;
+  };
   /**
    * Custom domain for the admin UI.
    * If not provided, uses the default CloudFront domain.
@@ -114,6 +129,8 @@ export interface HeadroomCMSArgs {
     apiHandler: string;
     /** Go source path for webhook worker, e.g. "packages/webhook-worker" */
     webhookWorkerHandler: string;
+    /** Go source path for backup worker, e.g. "packages/backup-worker" */
+    backupWorkerHandler: string;
     /** SST handler for custom message function, e.g. "packages/functions/custom-message.handler" */
     customMessageHandler: string;
     /** SST handler for image Lambda, e.g. "packages/image-lambda/index.handler" */
@@ -138,7 +155,8 @@ export interface HeadroomCMSArgs {
 export class HeadroomCMS {
   public readonly apiUrl: $util.Output<string>;
-  public readonly cdnUrl: $util.Output<string>;
+  public readonly apiCdnUrl: $util.Output<string>;
+  public readonly mediaCdnUrl: $util.Output<string>;
   public readonly adminUrl: $util.Output<string>;
   public readonly userPoolId: $util.Output<string>;
   public readonly userPoolClientId: $util.Output<string>;
@@ -163,7 +181,7 @@ export class HeadroomCMS {
         : undefined,
     });
-    // 3. Webhooks (DynamoDB tables, SQS queues, worker Lambda)
+    // 3. Webhooks (DynamoDB tables, DLQ, worker Lambda)
     const webhooks = createWebhooks(name, {
       sites: storage.sites,
       pkgRoot,
@@ -172,6 +190,18 @@ export class HeadroomCMS {
         : undefined,
     });
+    // 3b. Backup worker Lambda (export + restore). Needs access to every
+    // site-scoped table plus the content + backup buckets. Created after
+    // webhooks so it can link the webhooks table for backup payloads.
+    const backup = createBackup(name, {
+      storage,
+      webhooks,
+      pkgRoot,
+      dev: args.dev
+        ? { handler: args.dev.backupWorkerHandler }
+        : undefined,
+    });
     // 4. Image Lambda (Sharp transform with HMAC-signed URLs)
     const image = createImage(name, {
       contentBucket: storage.contentBucket,
@@ -190,6 +220,7 @@ export class HeadroomCMS {
       storage,
       auth,
       webhooks,
+      backup,
       image,
       collab: collabTable,
       senderEmail: args.senderEmail,
@@ -226,21 +257,28 @@ export class HeadroomCMS {
         : undefined,
     });
-    // 8. CDN (CloudFront distribution + edge functions)
-    const cdn = createCdn(name, {
+    // 8a. API CDN (CloudFront distribution + edge auth, /v1/* and /health)
+    const apiCdn = createApiCdn(name, {
       api,
-      image,
-      contentBucket: storage.contentBucket,
       kvs: storage.kvs,
       priceClass: args.priceClass,
       apiCacheTtl: args.apiCacheTtl,
       domain: args.domain,
     });
+    // 8b. Media CDN (CloudFront distribution, /media/* and /img/* only)
+    const mediaCdn = createMediaCdn(name, {
+      image,
+      contentBucket: storage.contentBucket,
+      priceClass: args.priceClass,
+      domain: args.mediaDomain,
+    });
     // 9. Admin UI (static site)
     const admin = createAdminSite(name, {
       api,
-      cdn,
+      apiCdn,
+      mediaCdn,
       auth,
       collab,
       pkgRoot,
@@ -253,7 +291,8 @@ export class HeadroomCMS {
     // Expose outputs
     this.apiUrl = api.api.url;
-    this.cdnUrl = cdn.url;
+    this.apiCdnUrl = apiCdn.url;
+    this.mediaCdnUrl = mediaCdn.url;
     this.adminUrl = admin.url;
     this.userPoolId = auth.userPool.id;
     this.userPoolClientId = auth.userPoolClient.id;
@@ -261,11 +300,31 @@ export class HeadroomCMS {
     this.outputs = {
       api: api.api.url,
-      cdn: cdn.url,
+      apiCdn: apiCdn.url,
+      mediaCdn: mediaCdn.url,
       admin: admin.url,
       userPoolId: auth.userPool.id,
       userPoolClientId: auth.userPoolClient.id,
       collabWs: collab.wsUrl,
+      // DynamoDB table names (with Pulumi-generated random suffixes baked
+      // in). Exposed so consumers — notably the Phase 6 E2E test harness —
+      // can discover real table names rather than guess them from the
+      // `<app>-<stage>-<Name>` template (which omits the random suffix).
+      // Per CLAUDE.md, `.sst/outputs.json` IS the supported interface for
+      // post-deploy discovery.
+      sitesTable: storage.sites.name,
+      contentTable: storage.content.name,
+      draftContentTable: storage.draftContent.name,
+      blocksTable: storage.blocks.name,
+      mediaTable: storage.media.name,
+      collectionsTable: storage.collections.name,
+      blockTypesTable: storage.blockTypes.name,
+      adminAuditTable: storage.adminAudit.name,
+      relationshipsTable: storage.relationships.name,
+      siteUsersTable: storage.siteUsers.name,
+      webhooksTable: webhooks.webhooks.name,
+      contentBucket: storage.contentBucket.name,
+      backupBucket: storage.backupBucket.name,
     };
   }
 }

package/src/sst-env.d.ts CHANGED Viewed

@@ -154,6 +154,10 @@ declare namespace aws {
     class EventSourceMapping {
       constructor(name: string, args?: any, opts?: any);
     }
+    class FunctionEventInvokeConfig {
+      constructor(name: string, args?: any, opts?: any);
+    }
   }
 }

package/src/storage.ts CHANGED Viewed

@@ -39,15 +39,23 @@ export function createStorage(name: string) {
     fields: {
       pk: "string",
       sk: "string",
+      siteHost: "string",
     },
     primaryIndex: { hashKey: "pk", rangeKey: "sk" },
+    globalIndexes: {
+      bySite: { hashKey: "siteHost", rangeKey: "sk" },
+    },
   });
   const blocks = new sst.aws.Dynamo(`${name}Blocks`, {
     fields: {
       pk: "string",
+      siteHost: "string",
     },
     primaryIndex: { hashKey: "pk" },
+    globalIndexes: {
+      bySite: { hashKey: "siteHost", rangeKey: "pk" },
+    },
   });
   const media = new sst.aws.Dynamo(`${name}Media`, {
@@ -94,10 +102,12 @@ export function createStorage(name: string) {
       sk: "string",
       targetPk: "string",
       targetSk: "string",
+      siteHost: "string",
     },
     primaryIndex: { hashKey: "pk", rangeKey: "sk" },
     globalIndexes: {
       byTarget: { hashKey: "targetPk", rangeKey: "targetSk" },
+      bySite: { hashKey: "siteHost", rangeKey: "sk" },
     },
   });
@@ -106,14 +116,25 @@ export function createStorage(name: string) {
       pk: "string",
       sk: "string",
       userId: "string",
+      siteHost: "string",
     },
     primaryIndex: { hashKey: "pk", rangeKey: "sk" },
     globalIndexes: {
       byUserId: { hashKey: "userId", rangeKey: "sk" },
+      bySite: { hashKey: "siteHost", rangeKey: "sk" },
     },
     ttl: "expiresAt",
   });
+  // Backup bucket: archives of full site exports written by the backup worker.
+  // Layout: backups/{host}/{timestamp}.tar.gz + backups/{host}/latest.json.
+  // Versioning disabled — archives are immutable by convention (a new timestamp
+  // is a new object). No CloudFront origin — admin endpoints serve presigned
+  // URLs directly off S3.
+  const backupBucket = new sst.aws.Bucket(`${name}BackupBucket`, {
+    versioning: false,
+  });
   const contentBucket = new sst.aws.Bucket(`${name}ContentBucket`, {
     versioning: true,
     access: "cloudfront",
@@ -181,6 +202,7 @@ export function createStorage(name: string) {
     relationships,
     siteUsers,
     contentBucket,
+    backupBucket,
     collabStateBucket,
     kvs,
     internalSecret,

package/src/webhooks.ts CHANGED Viewed

@@ -1,8 +1,9 @@
 /**
  * Webhook Infrastructure
  *
- * 2 DynamoDB tables + 2 SQS queues + webhook worker Lambda.
- * Supports dev mode (Go source) and package mode (pre-compiled binary).
+ * 2 DynamoDB tables + webhook worker Lambda (async-invoked by the API) + DLQ
+ * (Lambda async on-failure destination). The API directly invokes the worker
+ * via lambda:InvokeFunction; there is no SQS queue between them.
  */
 import path from "path";
@@ -35,6 +36,9 @@ export function createWebhooks(name: string, args: WebhookArgs) {
     ttl: "ttl",
   });
+  // DLQ retained as Lambda async OnFailure destination. Lambda writes a
+  // failure envelope (not the original payload verbatim) when retries are
+  // exhausted. No consumer polls this queue — it's a sink only.
   const webhookDeliveryDLQ = new sst.aws.Queue(`${name}WebhookDeliveryDLQ`, {
     transform: {
       queue: (queueArgs: any) => {
@@ -43,26 +47,6 @@ export function createWebhooks(name: string, args: WebhookArgs) {
     },
   });
-  const webhookDeliveryQueue = new sst.aws.Queue(
-    `${name}WebhookDeliveryQueue`,
-    {
-      dlq: {
-        queue: webhookDeliveryDLQ.arn,
-        retry: 5,
-      },
-      transform: {
-        queue: (queueArgs: any) => {
-          queueArgs.visibilityTimeoutSeconds = 60;
-          queueArgs.messageRetentionSeconds = 4 * 24 * 60 * 60; // 4 days
-        },
-      },
-    },
-  );
-  // Webhook worker Lambda: processes SQS messages and delivers webhooks.
-  // Note: We use a manual Function + EventSourceMapping instead of
-  // queue.subscribe() to avoid a duplicate LambdaEncryptionKey issue
-  // caused by SST's dynamic import creating a separate Function class instance.
   const workerConfig = args.dev
     ? {
         handler: args.dev.handler,
@@ -81,32 +65,31 @@ export function createWebhooks(name: string, args: WebhookArgs) {
     timeout: "30 seconds",
     environment: {
       WEBHOOK_DELIVERIES_TABLE: webhookDeliveries.name,
-      WEBHOOKS_TABLE: webhooks.name,
-      SITES_TABLE: args.sites.name,
     },
-    link: [webhookDeliveries, webhooks, args.sites],
-    permissions: [
-      {
-        actions: [
-          "sqs:ReceiveMessage",
-          "sqs:DeleteMessage",
-          "sqs:GetQueueAttributes",
-        ],
-        resources: [webhookDeliveryQueue.arn],
-      },
-    ],
+    // webhookDeliveryDLQ is linked so SST auto-grants sqs:SendMessage on the
+    // worker's execution role. Lambda async OnFailure delivery uses the
+    // function's own role to write the failure envelope to the DLQ — without
+    // this grant, AWS accepts the FunctionEventInvokeConfig at deploy time but
+    // silently drops failure envelopes at runtime.
+    link: [webhookDeliveries, webhookDeliveryDLQ],
   });
-  new aws.lambda.EventSourceMapping(`${name}WebhookWorkerEventSource`, {
-    eventSourceArn: webhookDeliveryQueue.arn,
+  // Lambda async retry + DLQ on terminal failure. MaximumRetryAttempts is
+  // 0–2 (industry standard for webhook delivery — Stripe/GitHub publish
+  // similar caps). Total attempts = initial + 2 retries = 3.
+  new aws.lambda.FunctionEventInvokeConfig(`${name}WebhookWorkerAsyncConfig`, {
     functionName: webhookWorker.name,
-    batchSize: 1,
+    maximumRetryAttempts: 2,
+    maximumEventAgeInSeconds: 6 * 60 * 60, // 6 hours
+    destinationConfig: {
+      onFailure: { destination: webhookDeliveryDLQ.arn },
+    },
   });
   return {
     webhooks,
     webhookDeliveries,
-    webhookDeliveryQueue,
+    webhookWorker,
     webhookDeliveryDLQ,
   };
 }