headroom-cms 0.1.10 → 0.2.0

package/dist/api.js.map

@@ -1 +1 @@
-{"version":3,"file":"api.js","sourceRoot":"","sources":["../src/api.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,IAAI,MAAM,MAAM,CAAC;AA0BxB,MAAM,UAAU,SAAS,CAAC,IAAY,EAAE,IAAa;IACnD,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC;IAExD,MAAM,aAAa,GAAG,IAAI,CAAC,GAAG;QAC5B,CAAC,CAAC;YACE,OAAO,EAAE,IAAI,CAAC,GAAG,CAAC,OAAO;YACzB,OAAO,EAAE,IAAa;SACvB;QACH,CAAC,CAAC;YACE,MAAM,EAAE,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,YAAY,CAAC;YAC7C,OAAO,EAAE,WAAW;YACpB,OAAO,EAAE,iBAA0B;YACnC,YAAY,EAAE,OAAgB;SAC/B,CAAC;IAEN,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,IAAI,KAAK,EAAE;QAC7C,GAAG,aAAa;QAChB,OAAO,EAAE,YAAY;QACrB,GAAG,EAAE;YACH,IAAI,EAAE,KAAK;SACZ;QACD,WAAW,EAAE;YACX,WAAW,EAAE,OAAO,CAAC,KAAK,CAAC,IAAI;YAC/B,aAAa,EAAE,OAAO,CAAC,OAAO,CAAC,IAAI;YACnC,mBAAmB,EAAE,OAAO,CAAC,YAAY,CAAC,IAAI;YAC9C,YAAY,EAAE,OAAO,CAAC,MAAM,CAAC,IAAI;YACjC,WAAW,EAAE,OAAO,CAAC,KAAK,CAAC,IAAI;YAC/B,iBAAiB,EAAE,OAAO,CAAC,WAAW,CAAC,IAAI;YAC3C,iBAAiB,EAAE,OAAO,CAAC,UAAU,CAAC,IAAI;YAC1C,iBAAiB,EAAE,OAAO,CAAC,UAAU,CAAC,IAAI;YAC1C,cAAc,EAAE,OAAO,CAAC,aAAa,CAAC,IAAI;YAC1C,YAAY,EAAE,IAAI,CAAC,QAAQ,CAAC,EAAE;YAC9B,mBAAmB,EAAE,IAAI,CAAC,cAAc,CAAC,EAAE;YAC3C,OAAO,EAAE,OAAO,CAAC,GAAG,CAAC,GAAG;YACxB,eAAe,EAAE,GAAG,CAAC,eAAe,EAAE,CAAC,IAAI;YAC3C,cAAc,EAAE,QAAQ,CAAC,QAAQ,CAAC,IAAI;YACtC,wBAAwB,EAAE,QAAQ,CAAC,iBAAiB,CAAC,IAAI;YACzD,iBAAiB,EAAE,QAAQ,CAAC,oBAAoB,CAAC,GAAG;YACpD,oBAAoB,EAAE,KAAK,CAAC,kBAAkB,CAAC,KAAK;YACpD,iBAAiB,EAAE,KAAK,CAAC,WAAW,CAAC,IAAI;YACzC,mBAAmB,EAAE,OAAO,CAAC,aAAa,CAAC,IAAI;YAC/C,gBAAgB,EAAE,OAAO,CAAC,SAAS,CAAC,IAAI;YACxC,cAAc,EAAE,IAAI,CAAC,WAAW;YAChC,YAAY,EAAE,MAAM,CAAC,WAAW,CAAC,IAAI;YACrC,gEAAgE;YAChE,+DAA+D;YAC/D,0EAA0E;YAC1E,eAAe,EAAE,OAAO,CAAC,cAAc,CAAC,KAAK;SAC9C;QACD,IAAI,EAAE;YACJ,OAAO,CAAC,KAAK;YACb,OAAO,CAAC,OAAO;YACf,OAAO,CAAC,YAAY;YACpB,OAAO,CAAC,MAAM;YACd,OAAO,CAAC,KAAK;YACb,OAAO,CAAC,WAAW;YACnB,OAAO,CAAC,UAAU;YAClB,OAAO,CAAC,UAAU;YAClB,OAAO,CAAC,aAAa;YACrB,QAAQ,CAAC,QAAQ;YACjB,QAAQ,CAAC,iBAAiB;YAC1B,QAAQ,CAAC,oBAAoB;YAC7B,KAAK,CAAC,kBAAkB;YACxB,OAAO,CAAC,aAAa;YACrB,OAAO,CAAC,SAAS;YACjB,MAAM,CAAC,WAAW;YAClB,OAAO,CAAC,cAAc;SACvB;QACD,WAAW,EAAE;YACX;gBACE,OAAO,EAAE;oBACP,gDAAgD;oBAChD,iCAAiC;oBACjC,oCAAoC;oBACpC,iCAAiC;iBAClC;gBACD,SAAS,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC;aAC7B;YACD;gBACE,OAAO,EAAE;oBACP,uBAAuB;oBACvB,6BAA6B;oBAC7B,6BAA6B;oBAC7B,0BAA0B;oBAC1B,+BAA+B;iBAChC;gBACD,SAAS,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC;aAC/B;YACD;gBACE,OAAO,EAAE,CAAC,uBAAuB,CAAC;gBAClC,SAAS,EAAE,CAAC,KAAK,CAAC,WAAW,CAAC,GAAG,CAAC;aACnC;YACD;gBACE,OAAO,EAAE,CAAC,eAAe,EAAE,kBAAkB,CAAC;gBAC9C,SAAS,EAAE,CAAC,GAAG,CAAC;aACjB;SACF;KACF,CAAC,CAAC;IAEH,OAAO,EAAE,GAAG,EAAE,CAAC;AACjB,CAAC"}
+{"version":3,"file":"api.js","sourceRoot":"","sources":["../src/api.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AAQzC;;;;;GAKG;AACH,SAAS,aAAa;IACpB,qEAAqE;IACrE,wEAAwE;IACxE,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC;IAC7C,IAAI,OAAO;QAAE,OAAO,OAAO,CAAC,IAAI,EAAE,CAAC;IACnC,IAAI,CAAC;QACH,OAAO,QAAQ,CAAC,oBAAoB,EAAE;YACpC,QAAQ,EAAE,OAAO;YACjB,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC;SACpC,CAAC,CAAC,IAAI,EAAE,CAAC;IACZ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAsBD,MAAM,UAAU,SAAS,CAAC,IAAY,EAAE,IAAa;IACnD,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC;IAEhE,MAAM,aAAa,GAAG,IAAI,CAAC,GAAG;QAC5B,CAAC,CAAC;YACE,OAAO,EAAE,IAAI,CAAC,GAAG,CAAC,OAAO;YACzB,OAAO,EAAE,IAAa;SACvB;QACH,CAAC,CAAC;YACE,MAAM,EAAE,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,YAAY,CAAC;YAC7C,OAAO,EAAE,WAAW;YACpB,OAAO,EAAE,iBAA0B;YACnC,YAAY,EAAE,OAAgB;SAC/B,CAAC;IAEN,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,IAAI,KAAK,EAAE;QAC7C,GAAG,aAAa;QAChB,OAAO,EAAE,YAAY;QACrB,GAAG,EAAE;YACH,IAAI,EAAE,KAAK;SACZ;QACD,WAAW,EAAE;YACX,WAAW,EAAE,OAAO,CAAC,KAAK,CAAC,IAAI;YAC/B,aAAa,EAAE,OAAO,CAAC,OAAO,CAAC,IAAI;YACnC,mBAAmB,EAAE,OAAO,CAAC,YAAY,CAAC,IAAI;YAC9C,YAAY,EAAE,OAAO,CAAC,MAAM,CAAC,IAAI;YACjC,WAAW,EAAE,OAAO,CAAC,KAAK,CAAC,IAAI;YAC/B,iBAAiB,EAAE,OAAO,CAAC,WAAW,CAAC,IAAI;YAC3C,iBAAiB,EAAE,OAAO,CAAC,UAAU,CAAC,IAAI;YAC1C,iBAAiB,EAAE,OAAO,CAAC,UAAU,CAAC,IAAI;YAC1C,cAAc,EAAE,OAAO,CAAC,aAAa,CAAC,IAAI;YAC1C,YAAY,EAAE,IAAI,CAAC,QAAQ,CAAC,EAAE;YAC9B,mBAAmB,EAAE,IAAI,CAAC,cAAc,CAAC,EAAE;YAC3C,OAAO,EAAE,OAAO,CAAC,GAAG,CAAC,GAAG;YACxB,eAAe,EAAE,GAAG,CAAC,eAAe,EAAE,CAAC,IAAI;YAC3C,cAAc,EAAE,QAAQ,CAAC,QAAQ,CAAC,IAAI;YACtC,wBAAwB,EAAE,QAAQ,CAAC,iBAAiB,CAAC,IAAI;YACzD,4BAA4B,EAAE,QAAQ,CAAC,aAAa,CAAC,IAAI;YACzD,oEAAoE;YACpE,mEAAmE;YACnE,mEAAmE;YACnE,oEAAoE;YACpE,aAAa,EAAE,OAAO,CAAC,YAAY,CAAC,IAAI;YACxC,2BAA2B,EAAE,MAAM,CAAC,YAAY,CAAC,IAAI;YACrD,gEAAgE;YAChE,+DAA+D;YAC/D,6CAA6C;YAC7C,2BAA2B,EAAE,KAAK,CAAC,wBAAwB,CAAC,KAAK;YACjE,iBAAiB,EAAE,KAAK,CAAC,WAAW,CAAC,IAAI;YACzC,mBAAmB,EAAE,OAAO,CAAC,aAAa,CAAC,IAAI;YAC/C,gBAAgB,EAAE,OAAO,CAAC,SAAS,CAAC,IAAI;YACxC,cAAc,EAAE,IAAI,CAAC,WAAW;YAChC,YAAY,EAAE,MAAM,CAAC,WAAW,CAAC,IAAI;YACrC,gEAAgE;YAChE,+DAA+D;YAC/D,0EAA0E;YAC1E,eAAe,EAAE,OAAO,CAAC,cAAc,CAAC,KAAK;YAC7C,gEAAgE;YAChE,kEAAkE;YAClE,OAAO,EAAE,aAAa,EAAE;SACzB;QACD,IAAI,EAAE;YACJ,OAAO,CAAC,KAAK;YACb,OAAO,CAAC,OAAO;YACf,OAAO,CAAC,YAAY;YACpB,OAAO,CAAC,MAAM;YACd,OAAO,CAAC,KAAK;YACb,OAAO,CAAC,WAAW;YACnB,OAAO,CAAC,UAAU;YAClB,OAAO,CAAC,UAAU;YAClB,OAAO,CAAC,aAAa;YACrB,QAAQ,CAAC,QAAQ;YACjB,QAAQ,CAAC,iBAAiB;YAC1B,KAAK,CAAC,wBAAwB;YAC9B,OAAO,CAAC,aAAa;YACrB,OAAO,CAAC,SAAS;YACjB,MAAM,CAAC,WAAW;YAClB,OAAO,CAAC,cAAc;YACtB,oEAAoE;YACpE,kEAAkE;YAClE,iEAAiE;YACjE,sDAAsD;YACtD,OAAO,CAAC,YAAY;SACrB;QACD,WAAW,EAAE;YACX;gBACE,OAAO,EAAE;oBACP,gDAAgD;oBAChD,iCAAiC;oBACjC,oCAAoC;oBACpC,iCAAiC;iBAClC;gBACD,SAAS,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC;aAC7B;YACD;gBACE,OAAO,EAAE;oBACP,uBAAuB;oBACvB,6BAA6B;oBAC7B,6BAA6B;oBAC7B,0BAA0B;oBAC1B,+BAA+B;iBAChC;gBACD,SAAS,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC;aAC/B;YACD;gBACE,OAAO,EAAE,CAAC,uBAAuB,CAAC;gBAClC,SAAS,EAAE,CAAC,KAAK,CAAC,WAAW,CAAC,GAAG,CAAC;aACnC;YACD;gBACE,2DAA2D;gBAC3D,+DAA+D;gBAC/D,qBAAqB;gBACrB,OAAO,EAAE,CAAC,uBAAuB,CAAC;gBAClC,SAAS,EAAE,CAAC,QAAQ,CAAC,aAAa,CAAC,GAAG,CAAC;aACxC;YACD;gBACE,kEAAkE;gBAClE,iEAAiE;gBACjE,OAAO,EAAE,CAAC,uBAAuB,CAAC;gBAClC,SAAS,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,GAAG,CAAC;aACrC;YACD;gBACE,OAAO,EAAE,CAAC,eAAe,EAAE,kBAAkB,CAAC;gBAC9C,SAAS,EAAE,CAAC,GAAG,CAAC;aACjB;SACF;KACF,CAAC,CAAC;IAEH,OAAO,EAAE,GAAG,EAAE,CAAC;AACjB,CAAC"}

package/dist/backup.d.ts

@@ -0,0 +1,29 @@
+/**
+ * Backup Infrastructure
+ *
+ * A single Go Lambda that handles both backup export and restore import.
+ * The API service invokes it synchronously via lambda:InvokeFunction for the
+ * "scheduled" entry point this will gain a daily EventBridge cron (Phase 4).
+ *
+ * The Lambda links every site-scoped table plus the content + backup buckets.
+ * Deliberately NOT linked: Collab, collabStateBucket, SchedulerLock,
+ * WebhookDeliveries — these are transient / operational and excluded from
+ * backup payloads (see steering doc "What's in scope vs. out of scope").
+ */
+import type { StorageResources } from "./storage.js";
+import type { WebhookResources } from "./webhooks.js";
+export interface BackupArgs {
+    storage: StorageResources;
+    webhooks: WebhookResources;
+    pkgRoot: string;
+    dev?: {
+        /** Go source path, e.g. "packages/backup-worker" */
+        handler: string;
+    };
+}
+export declare function createBackup(name: string, args: BackupArgs): {
+    backupWorker: sst.aws.Function;
+    backupCron: sst.aws.Cron;
+};
+export type BackupResources = ReturnType<typeof createBackup>;
+//# sourceMappingURL=backup.d.ts.map

package/dist/backup.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"backup.d.ts","sourceRoot":"","sources":["../src/backup.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAGH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AACrD,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAC;AAEtD,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,gBAAgB,CAAC;IAC1B,QAAQ,EAAE,gBAAgB,CAAC;IAC3B,OAAO,EAAE,MAAM,CAAC;IAChB,GAAG,CAAC,EAAE;QACJ,oDAAoD;QACpD,OAAO,EAAE,MAAM,CAAC;KACjB,CAAC;CACH;AAED,wBAAgB,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,UAAU;;;EAoF1D;AAED,MAAM,MAAM,eAAe,GAAG,UAAU,CAAC,OAAO,YAAY,CAAC,CAAC"}

package/dist/backup.js

@@ -0,0 +1,95 @@
+/**
+ * Backup Infrastructure
+ *
+ * A single Go Lambda that handles both backup export and restore import.
+ * The API service invokes it synchronously via lambda:InvokeFunction for the
+ * "scheduled" entry point this will gain a daily EventBridge cron (Phase 4).
+ *
+ * The Lambda links every site-scoped table plus the content + backup buckets.
+ * Deliberately NOT linked: Collab, collabStateBucket, SchedulerLock,
+ * WebhookDeliveries — these are transient / operational and excluded from
+ * backup payloads (see steering doc "What's in scope vs. out of scope").
+ */
+import path from "path";
+export function createBackup(name, args) {
+    const { storage, webhooks } = args;
+    const workerConfig = args.dev
+        ? {
+            handler: args.dev.handler,
+            runtime: "go",
+        }
+        : {
+            bundle: path.join(args.pkgRoot, "lambda/backup-worker"),
+            handler: "bootstrap",
+            runtime: "provided.al2023",
+            architecture: "arm64",
+        };
+    const backupWorker = new sst.aws.Function(`${name}BackupWorker`, {
+        ...workerConfig,
+        // 15-minute Lambda budget. Large sites with many media files may bump up
+        // against this; see Deferred "Step Functions for very large sites" for
+        // the escape hatch.
+        timeout: "15 minutes",
+        // Higher than default — the worker holds tar/gzip pipes, an in-memory
+        // 25-row BatchWriteItem buffer, and parallel S3 GetObject buffers.
+        memory: "1024 MB",
+        environment: {
+            SITES_TABLE: storage.sites.name,
+            CONTENT_TABLE: storage.content.name,
+            DRAFT_CONTENT_TABLE: storage.draftContent.name,
+            BLOCKS_TABLE: storage.blocks.name,
+            MEDIA_TABLE: storage.media.name,
+            COLLECTIONS_TABLE: storage.collections.name,
+            BLOCK_TYPES_TABLE: storage.blockTypes.name,
+            ADMIN_AUDIT_TABLE: storage.adminAudit.name,
+            RELATIONSHIPS_TABLE: storage.relationships.name,
+            SITE_USERS_TABLE: storage.siteUsers.name,
+            WEBHOOKS_TABLE: webhooks.webhooks.name,
+            CONTENT_BUCKET: storage.contentBucket.name,
+            BACKUP_BUCKET: storage.backupBucket.name,
+            KVS_ARN: storage.kvs.arn,
+            AWS_REGION_NAME: aws.getRegionOutput().name,
+        },
+        link: [
+            storage.sites,
+            storage.content,
+            storage.draftContent,
+            storage.blocks,
+            storage.media,
+            storage.collections,
+            storage.blockTypes,
+            storage.adminAudit,
+            storage.relationships,
+            storage.siteUsers,
+            webhooks.webhooks,
+            storage.contentBucket,
+            storage.backupBucket,
+        ],
+        permissions: [
+            {
+                // CloudFront KVS resync on restore: re-publish API key hashes so the
+                // edge function recognizes them. Fail-loud per steering §2.1 step 18.
+                actions: [
+                    "cloudfront-keyvaluestore:DescribeKeyValueStore",
+                    "cloudfront-keyvaluestore:PutKey",
+                    "cloudfront-keyvaluestore:DeleteKey",
+                    "cloudfront-keyvaluestore:GetKey",
+                ],
+                resources: [storage.kvs.arn],
+            },
+        ],
+    });
+    // Phase 4 — daily EventBridge cron that invokes the worker with a
+    // "scheduled" event. The handler scans the Sites table, runs backup +
+    // retention cleanup for every site with backupSchedule.enabled. 02:00
+    // UTC is a low-traffic window for most public sites; tune in the
+    // steering doc if needed. Cost is one Lambda invocation per day per
+    // stack, regardless of site count.
+    const backupCron = new sst.aws.Cron(`${name}BackupSchedule`, {
+        schedule: "cron(0 2 * * ? *)",
+        function: backupWorker.arn,
+        event: { type: "scheduled" },
+    });
+    return { backupWorker, backupCron };
+}
+//# sourceMappingURL=backup.js.map

package/dist/backup.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"backup.js","sourceRoot":"","sources":["../src/backup.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,IAAI,MAAM,MAAM,CAAC;AAcxB,MAAM,UAAU,YAAY,CAAC,IAAY,EAAE,IAAgB;IACzD,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,IAAI,CAAC;IAEnC,MAAM,YAAY,GAAG,IAAI,CAAC,GAAG;QAC3B,CAAC,CAAC;YACE,OAAO,EAAE,IAAI,CAAC,GAAG,CAAC,OAAO;YACzB,OAAO,EAAE,IAAa;SACvB;QACH,CAAC,CAAC;YACE,MAAM,EAAE,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,sBAAsB,CAAC;YACvD,OAAO,EAAE,WAAW;YACpB,OAAO,EAAE,iBAA0B;YACnC,YAAY,EAAE,OAAgB;SAC/B,CAAC;IAEN,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,IAAI,cAAc,EAAE;QAC/D,GAAG,YAAY;QACf,yEAAyE;QACzE,uEAAuE;QACvE,oBAAoB;QACpB,OAAO,EAAE,YAAY;QACrB,sEAAsE;QACtE,mEAAmE;QACnE,MAAM,EAAE,SAAS;QACjB,WAAW,EAAE;YACX,WAAW,EAAE,OAAO,CAAC,KAAK,CAAC,IAAI;YAC/B,aAAa,EAAE,OAAO,CAAC,OAAO,CAAC,IAAI;YACnC,mBAAmB,EAAE,OAAO,CAAC,YAAY,CAAC,IAAI;YAC9C,YAAY,EAAE,OAAO,CAAC,MAAM,CAAC,IAAI;YACjC,WAAW,EAAE,OAAO,CAAC,KAAK,CAAC,IAAI;YAC/B,iBAAiB,EAAE,OAAO,CAAC,WAAW,CAAC,IAAI;YAC3C,iBAAiB,EAAE,OAAO,CAAC,UAAU,CAAC,IAAI;YAC1C,iBAAiB,EAAE,OAAO,CAAC,UAAU,CAAC,IAAI;YAC1C,mBAAmB,EAAE,OAAO,CAAC,aAAa,CAAC,IAAI;YAC/C,gBAAgB,EAAE,OAAO,CAAC,SAAS,CAAC,IAAI;YACxC,cAAc,EAAE,QAAQ,CAAC,QAAQ,CAAC,IAAI;YACtC,cAAc,EAAE,OAAO,CAAC,aAAa,CAAC,IAAI;YAC1C,aAAa,EAAE,OAAO,CAAC,YAAY,CAAC,IAAI;YACxC,OAAO,EAAE,OAAO,CAAC,GAAG,CAAC,GAAG;YACxB,eAAe,EAAE,GAAG,CAAC,eAAe,EAAE,CAAC,IAAI;SAC5C;QACD,IAAI,EAAE;YACJ,OAAO,CAAC,KAAK;YACb,OAAO,CAAC,OAAO;YACf,OAAO,CAAC,YAAY;YACpB,OAAO,CAAC,MAAM;YACd,OAAO,CAAC,KAAK;YACb,OAAO,CAAC,WAAW;YACnB,OAAO,CAAC,UAAU;YAClB,OAAO,CAAC,UAAU;YAClB,OAAO,CAAC,aAAa;YACrB,OAAO,CAAC,SAAS;YACjB,QAAQ,CAAC,QAAQ;YACjB,OAAO,CAAC,aAAa;YACrB,OAAO,CAAC,YAAY;SACrB;QACD,WAAW,EAAE;YACX;gBACE,qEAAqE;gBACrE,sEAAsE;gBACtE,OAAO,EAAE;oBACP,gDAAgD;oBAChD,iCAAiC;oBACjC,oCAAoC;oBACpC,iCAAiC;iBAClC;gBACD,SAAS,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC;aAC7B;SACF;KACF,CAAC,CAAC;IAEH,kEAAkE;IAClE,sEAAsE;IACtE,sEAAsE;IACtE,iEAAiE;IACjE,oEAAoE;IACpE,mCAAmC;IACnC,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,IAAI,gBAAgB,EAAE;QAC3D,QAAQ,EAAE,mBAAmB;QAC7B,QAAQ,EAAE,YAAY,CAAC,GAAG;QAC1B,KAAK,EAAE,EAAE,IAAI,EAAE,WAAW,EAAE;KAC7B,CAAC,CAAC;IAEH,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,CAAC;AACtC,CAAC"}

package/dist/cdn-api.d.ts

@@ -0,0 +1,25 @@
+/**
+ * API CDN Infrastructure
+ *
+ * CloudFront distribution for the Headroom API only — `/v1/*` and `/health`.
+ * Edge-auth function + KVS association live here. No `/media/*` or `/img/*`
+ * behaviors; those are served by the separate media CDN (see cdn-media.ts).
+ */
+import type { StorageResources } from "./storage.js";
+import type { ApiResources } from "./api.js";
+export interface ApiCdnArgs {
+    api: ApiResources;
+    kvs: StorageResources["kvs"];
+    priceClass?: "PriceClass_100" | "PriceClass_200" | "PriceClass_All";
+    apiCacheTtl?: number;
+    domain?: {
+        name: string;
+        certificateArn: string;
+    };
+}
+export declare function createApiCdn(name: string, args: ApiCdnArgs): {
+    distribution: aws.cloudfront.Distribution;
+    url: PulumiOutput<string>;
+};
+export type ApiCdnResources = ReturnType<typeof createApiCdn>;
+//# sourceMappingURL=cdn-api.d.ts.map

package/dist/cdn-api.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cdn-api.d.ts","sourceRoot":"","sources":["../src/cdn-api.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AACrD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AAE7C,MAAM,WAAW,UAAU;IACzB,GAAG,EAAE,YAAY,CAAC;IAClB,GAAG,EAAE,gBAAgB,CAAC,KAAK,CAAC,CAAC;IAC7B,UAAU,CAAC,EAAE,gBAAgB,GAAG,gBAAgB,GAAG,gBAAgB,CAAC;IACpE,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,MAAM,CAAC,EAAE;QACP,IAAI,EAAE,MAAM,CAAC;QACb,cAAc,EAAE,MAAM,CAAC;KACxB,CAAC;CACH;AAED,wBAAgB,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,UAAU;;;EAkb1D;AAED,MAAM,MAAM,eAAe,GAAG,UAAU,CAAC,OAAO,YAAY,CAAC,CAAC"}

package/dist/{cdn.js → cdn-api.js}

@@ -1,11 +1,12 @@
 /**
- * CDN Infrastructure
+ * API CDN Infrastructure
  *
- * CloudFront distribution with edge authentication, version-based caching,
- * direct S3 media serving, and Sharp Lambda image transforms.
+ * CloudFront distribution for the Headroom API only — `/v1/*` and `/health`.
+ * Edge-auth function + KVS association live here. No `/media/*` or `/img/*`
+ * behaviors; those are served by the separate media CDN (see cdn-media.ts).
  */
-export function createCdn(name, args) {
-    const { api, image, contentBucket, kvs } = args;
+export function createApiCdn(name, args) {
+    const { api, kvs } = args;
     const apiCacheTtl = args.apiCacheTtl ?? 3600;
     // Extract KVS UUID from ARN (cf.kvs() needs the UUID, not the name)
     const kvsUuid = kvs.arn.apply((arn) => arn.split("/").pop());
@@ -87,32 +88,6 @@ export function createCdn(name, args) {
       return request;
     }
   `,
-    });
-    // =========================================================================
-    // CloudFront Function: Media Rewrite
-    // =========================================================================
-    const mediaRewriteFunction = new aws.cloudfront.Function(`${name}MediaRewrite`, {
-        name: $interpolate `${$app.name}-${$app.stage}-media-rewrite`,
-        runtime: "cloudfront-js-2.0",
-        publish: true,
-        code: `
-    function handler(event) {
-      var request = event.request;
-      var uri = request.uri;
-
-      // Rewrite /media/{site}/{mediaId}/{file} → /sites/{site}/media/{mediaId}/{file}
-      var parts = uri.split('/');
-      // parts: ['', 'media', '{site}', '{mediaId}', '{file}']
-      if (parts.length >= 5 && parts[1] === 'media') {
-        var site = parts[2];
-        var mediaId = parts[3];
-        var rest = parts.slice(4).join('/');
-        request.uri = '/sites/' + site + '/media/' + mediaId + '/' + rest;
-      }
-
-      return request;
-    }
-  `,
     });
     // =========================================================================
     // Cache Policies
@@ -144,53 +119,14 @@ export function createCdn(name, args) {
             enableAcceptEncodingGzip: true,
         },
     });
-    const imageCachePolicy = new aws.cloudfront.CachePolicy(`${name}ImageCachePolicy`, {
-        name: $interpolate `${$app.name}-${$app.stage}-image-cache`,
-        comment: "Cache policy for transformed images (immutable)",
-        defaultTtl: 31536000,
-        maxTtl: 31536000,
-        minTtl: 31536000,
-        parametersInCacheKeyAndForwardedToOrigin: {
-            cookiesConfig: { cookieBehavior: "none" },
-            headersConfig: { headerBehavior: "none" },
-            queryStringsConfig: {
-                queryStringBehavior: "whitelist",
-                queryStrings: {
-                    items: ["w", "h", "fit", "format", "q", "sig"],
-                },
-            },
-            enableAcceptEncodingBrotli: true,
-            enableAcceptEncodingGzip: true,
-        },
-    });
-    const mediaCachePolicy = new aws.cloudfront.CachePolicy(`${name}MediaCachePolicy`, {
-        name: $interpolate `${$app.name}-${$app.stage}-media-cache`,
-        comment: "Cache policy for original media files (immutable)",
-        defaultTtl: 31536000,
-        maxTtl: 31536000,
-        minTtl: 31536000,
-        parametersInCacheKeyAndForwardedToOrigin: {
-            cookiesConfig: { cookieBehavior: "none" },
-            headersConfig: { headerBehavior: "none" },
-            queryStringsConfig: { queryStringBehavior: "none" },
-            enableAcceptEncodingBrotli: true,
-            enableAcceptEncodingGzip: true,
-        },
-    });
-    const versionCachePolicy = new aws.cloudfront.CachePolicy(`${name}VersionCachePolicy`, {
-        name: $interpolate `${$app.name}-${$app.stage}-version-cache`,
-        comment: "Short-TTL cache for /version to absorb client polling",
-        minTtl: 0,
-        defaultTtl: 2,
-        maxTtl: 2,
-        parametersInCacheKeyAndForwardedToOrigin: {
-            cookiesConfig: { cookieBehavior: "none" },
-            headersConfig: { headerBehavior: "none" },
-            queryStringsConfig: { queryStringBehavior: "none" },
-            enableAcceptEncodingBrotli: true,
-            enableAcceptEncodingGzip: true,
-        },
-    });
+    // NOTE: the old `versionCachePolicy` (custom 2-second TTL) was deleted
+    // when /version began returning the per-site image signing secret.
+    // CloudFront custom cache policies do not honor `Cache-Control: private`
+    // from the origin — the explicit TTLs would win and the response (with
+    // the secret) would be edge-cached for 2s. We now use the AWS-managed
+    // `CachingDisabled` policy below for /v1/*/version, so the origin's
+    // `Cache-Control: private, max-age=2` is what reaches the browser
+    // (short-window in-browser cache) while the edge bypasses caching.
     // =========================================================================
     // Origin Request Policy
     // =========================================================================
@@ -225,34 +161,12 @@ export function createCdn(name, args) {
     // authenticated behaviors below.
     const cachingDisabledPolicyId = "4135ea2d-6df8-44a3-9df3-4b5a84be39ad";
     // =========================================================================
-    // Origin Access Controls (OAC)
-    // =========================================================================
-    const mediaOAC = new aws.cloudfront.OriginAccessControl(`${name}MediaOAC`, {
-        name: $interpolate `${$app.name}-${$app.stage}-media-oac`,
-        description: "OAC for S3 media origin",
-        originAccessControlOriginType: "s3",
-        signingBehavior: "always",
-        signingProtocol: "sigv4",
-    });
-    const imageOAC = new aws.cloudfront.OriginAccessControl(`${name}ImageOAC`, {
-        name: $interpolate `${$app.name}-${$app.stage}-image-oac`,
-        description: "OAC for image transform Lambda origin",
-        originAccessControlOriginType: "lambda",
-        signingBehavior: "always",
-        signingProtocol: "sigv4",
-    });
-    // =========================================================================
     // CloudFront Distribution
     // =========================================================================
     const originDomain = api.api.url.apply((url) => {
         const parsed = new URL(url);
         return parsed.hostname;
     });
-    const imageLambdaDomain = image.imageLambda.url.apply((url) => {
-        const parsed = new URL(url);
-        return parsed.hostname;
-    });
-    const s3RegionalDomain = $interpolate `${contentBucket.name}.s3.${aws.getRegionOutput().name}.amazonaws.com`;
     const priceClass = args.priceClass ?? "PriceClass_100";
     // Build aliases and certificate config for custom domain
     const aliases = args.domain ? [args.domain.name] : undefined;
@@ -282,25 +196,6 @@ export function createCdn(name, args) {
                     originSslProtocols: ["TLSv1.2"],
                 },
             },
-            {
-                originId: "media-s3",
-                domainName: s3RegionalDomain,
-                originAccessControlId: mediaOAC.id,
-                s3OriginConfig: {
-                    originAccessIdentity: "",
-                },
-            },
-            {
-                originId: "image-lambda",
-                domainName: imageLambdaDomain,
-                originAccessControlId: imageOAC.id,
-                customOriginConfig: {
-                    httpPort: 80,
-                    httpsPort: 443,
-                    originProtocolPolicy: "https-only",
-                    originSslProtocols: ["TLSv1.2"],
-                },
-            },
         ],
         defaultCacheBehavior: {
             targetOriginId: "api",
@@ -375,10 +270,17 @@ export function createCdn(name, args) {
                     },
                 ],
             },
-            // Version endpoint: short-TTL cache (2s) shared across all consumers
-            // for a given site. The edge function still runs for API key
-            // validation. Placed before /v1/*/users/* and the default behavior
-            // because CloudFront evaluates path patterns in order, first match wins.
+            // Version endpoint: caching DISABLED at the edge. /version now
+            // carries a per-site image signing secret in the body, so the
+            // shared edge cache must not hold it. The origin sets
+            // `Cache-Control: private, max-age=2` so browsers may still cache
+            // for the 2-second window — that absorbs single-flight contention
+            // from the same client without exposing the secret to any other
+            // viewer.
+            //
+            // Tradeoff: origin Lambda invocations on /version are now one per
+            // client poll instead of one per 2-second edge window. The SDK
+            // polls every 10s by default, so the impact is bounded.
             //
             // NOTE: pathPattern "/v1/*/version" matches exact "/version" only.
             // CloudFront's `*` wildcard does not span path segments, so any
@@ -390,7 +292,7 @@ export function createCdn(name, args) {
                 allowedMethods: ["GET", "HEAD", "OPTIONS"],
                 cachedMethods: ["GET", "HEAD", "OPTIONS"],
                 compress: true,
-                cachePolicyId: versionCachePolicy.id,
+                cachePolicyId: cachingDisabledPolicyId,
                 originRequestPolicyId: originRequestPolicy.id,
                 functionAssociations: [
                     {
@@ -484,32 +386,6 @@ export function createCdn(name, args) {
                     },
                 ],
             },
-            // Media originals: served directly from S3 via OAC
-            {
-                pathPattern: "/media/*",
-                targetOriginId: "media-s3",
-                viewerProtocolPolicy: "redirect-to-https",
-                allowedMethods: ["GET", "HEAD", "OPTIONS"],
-                cachedMethods: ["GET", "HEAD", "OPTIONS"],
-                compress: true,
-                cachePolicyId: mediaCachePolicy.id,
-                functionAssociations: [
-                    {
-                        eventType: "viewer-request",
-                        functionArn: mediaRewriteFunction.arn,
-                    },
-                ],
-            },
-            // Image transforms: served via Sharp Lambda
-            {
-                pathPattern: "/img/*",
-                targetOriginId: "image-lambda",
-                viewerProtocolPolicy: "redirect-to-https",
-                allowedMethods: ["GET", "HEAD", "OPTIONS"],
-                cachedMethods: ["GET", "HEAD", "OPTIONS"],
-                compress: true,
-                cachePolicyId: imageCachePolicy.id,
-            },
             // Health endpoint: no caching, no auth
             {
                 pathPattern: "/health",
@@ -527,16 +403,9 @@ export function createCdn(name, args) {
         },
         viewerCertificate,
     });
-    // Allow CloudFront to invoke the image Lambda via OAC
-    new aws.lambda.Permission(`${name}ImageLambdaCFPermission`, {
-        action: "lambda:InvokeFunctionUrl",
-        function: image.imageLambda.name,
-        principal: "cloudfront.amazonaws.com",
-        sourceArn: distribution.arn,
-    });
     const url = args.domain
         ? $interpolate `https://${args.domain.name}`
         : $interpolate `https://${distribution.domainName}`;
     return { distribution, url };
 }
-//# sourceMappingURL=cdn.js.map
+//# sourceMappingURL=cdn-api.js.map

package/dist/cdn-api.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cdn-api.js","sourceRoot":"","sources":["../src/cdn-api.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAgBH,MAAM,UAAU,YAAY,CAAC,IAAY,EAAE,IAAgB;IACzD,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;IAC1B,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,IAAI,IAAI,CAAC;IAE7C,oEAAoE;IACpE,MAAM,OAAO,GAAG,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,GAAW,EAAE,EAAE,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAG,CAAC,CAAC;IAEtE,4EAA4E;IAC5E,iCAAiC;IACjC,4EAA4E;IAC5E,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,QAAQ,CAAC,GAAG,IAAI,UAAU,EAAE;QAClE,IAAI,EAAE,YAAY,CAAA,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,KAAK,YAAY;QACxD,OAAO,EAAE,mBAAmB;QAC5B,OAAO,EAAE,IAAI;QACb,yBAAyB,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC;QACpC,IAAI,EAAE,YAAY,CAAA;;;;qBAID,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiEzB;KACA,CAAC,CAAC;IAEH,4EAA4E;IAC5E,iBAAiB;IACjB,4EAA4E;IAE5E,MAAM,cAAc,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,WAAW,CACnD,GAAG,IAAI,gBAAgB,EACvB;QACE,IAAI,EAAE,YAAY,CAAA,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,KAAK,YAAY;QACxD,OAAO,EACL,gEAAgE;QAClE,UAAU,EAAE,WAAW;QACvB,MAAM,EAAE,KAAK;QACb,MAAM,EAAE,CAAC;QACT,wCAAwC,EAAE;YACxC,aAAa,EAAE,EAAE,cAAc,EAAE,MAAM,EAAE;YACzC,aAAa,EAAE;gBACb,cAAc,EAAE,WAAW;gBAC3B,OAAO,EAAE,EAAE,KAAK,EAAE,CAAC,oBAAoB,CAAC,EAAE;aAC3C;YACD,kBAAkB,EAAE;gBAClB,mBAAmB,EAAE,WAAW;gBAChC,YAAY,EAAE;oBACZ,6DAA6D;oBAC7D,2DAA2D;oBAC3D,uDAAuD;oBACvD,8DAA8D;oBAC9D,qDAAqD;oBACrD,KAAK,EAAE,CAAC,YAAY,EAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,EAAE,QAAQ,CAAC;iBAC9G;aACF;YACD,0BAA0B,EAAE,IAAI;YAChC,wBAAwB,EAAE,IAAI;SAC/B;KACF,CACF,CAAC;IAEF,uEAAuE;IACvE,mEAAmE;IACnE,yEAAyE;IACzE,uEAAuE;IACvE,sEAAsE;IACtE,oEAAoE;IACpE,kEAAkE;IAClE,mEAAmE;IAEnE,4EAA4E;IAC5E,wBAAwB;IACxB,4EAA4E;IAE5E,MAAM,mBAAmB,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,mBAAmB,CAChE,GAAG,IAAI,qBAAqB,EAC5B;QACE,IAAI,EAAE,YAAY,CAAA,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,KAAK,iBAAiB;QAC7D,OAAO,EAAE,4CAA4C;QACrD,aAAa,EAAE,EAAE,cAAc,EAAE,MAAM,EAAE;QACzC,aAAa,EAAE;YACb,cAAc,EAAE,WAAW;YAC3B,OAAO,EAAE;gBACP,KAAK,EAAE;oBACL,gBAAgB;oBAChB,oBAAoB;oBACpB,cAAc;oBACd,QAAQ;oBACR,oBAAoB;iBACrB;aACF;SACF;QACD,kBAAkB,EAAE,EAAE,mBAAmB,EAAE,KAAK,EAAE;KACnD,CACF,CAAC;IAEF,0EAA0E;IAC1E,sEAAsE;IACtE,qEAAqE;IACrE,0EAA0E;IAC1E,0EAA0E;IAC1E,oEAAoE;IACpE,2EAA2E;IAC3E,4CAA4C;IAC5C,MAAM,wCAAwC,GAC5C,sCAAsC,CAAC;IAEzC,sEAAsE;IACtE,iCAAiC;IACjC,MAAM,uBAAuB,GAAG,sCAAsC,CAAC;IAEvE,4EAA4E;IAC5E,0BAA0B;IAC1B,4EAA4E;IAE5E,MAAM,YAAY,GAAG,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,GAAW,EAAE,EAAE;QACrD,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;QAC5B,OAAO,MAAM,CAAC,QAAQ,CAAC;IACzB,CAAC,CAAC,CAAC;IAEH,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,IAAI,gBAAgB,CAAC;IAEvD,yDAAyD;IACzD,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IAC7D,MAAM,iBAAiB,GAAG,IAAI,CAAC,MAAM;QACnC,CAAC,CAAC;YACE,iBAAiB,EAAE,IAAI,CAAC,MAAM,CAAC,cAAc;YAC7C,gBAAgB,EAAE,UAAmB;YACrC,sBAAsB,EAAE,cAAuB;SAChD;QACH,CAAC,CAAC;YACE,4BAA4B,EAAE,IAAI;SACnC,CAAC;IAEN,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,YAAY,CAClD,GAAG,IAAI,cAAc,EACrB;QACE,OAAO,EAAE,IAAI;QACb,OAAO,EAAE,YAAY,CAAA,sBAAsB,IAAI,CAAC,KAAK,EAAE;QACvD,WAAW,EAAE,WAAW;QACxB,UAAU;QACV,OAAO;QAEP,OAAO,EAAE;YACP;gBACE,QAAQ,EAAE,KAAK;gBACf,UAAU,EAAE,YAAY;gBACxB,kBAAkB,EAAE;oBAClB,QAAQ,EAAE,EAAE;oBACZ,SAAS,EAAE,GAAG;oBACd,oBAAoB,EAAE,YAAY;oBAClC,kBAAkB,EAAE,CAAC,SAAS,CAAC;iBAChC;aACF;SACF;QAED,oBAAoB,EAAE;YACpB,cAAc,EAAE,KAAK;YACrB,oBAAoB,EAAE,mBAAmB;YACzC,cAAc,EAAE;gBACd,KAAK;gBACL,MAAM;gBACN,SAAS;gBACT,KAAK;gBACL,MAAM;gBACN,OAAO;gBACP,QAAQ;aACT;YACD,aAAa,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,CAAC;YACzC,QAAQ,EAAE,IAAI;YACd,aAAa,EAAE,cAAc,CAAC,EAAE;YAChC,qBAAqB,EAAE,mBAAmB,CAAC,EAAE;YAC7C,oBAAoB,EAAE;gBACpB;oBACE,SAAS,EAAE,gBAAgB;oBAC3B,WAAW,EAAE,YAAY,CAAC,GAAG;iBAC9B;aACF;SACF;QAED,qBAAqB,EAAE;YACrB,yDAAyD;YACzD;gBACE,WAAW,EAAE,aAAa;gBAC1B,cAAc,EAAE,KAAK;gBACrB,oBAAoB,EAAE,mBAAmB;gBACzC,cAAc,EAAE;oBACd,KAAK;oBACL,MAAM;oBACN,SAAS;oBACT,KAAK;oBACL,MAAM;oBACN,OAAO;oBACP,QAAQ;iBACT;gBACD,aAAa,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,CAAC;gBACzC,QAAQ,EAAE,IAAI;gBACd,aAAa,EAAE,uBAAuB;gBACtC,qBAAqB,EAAE,wCAAwC;aAChE;YACD,qEAAqE;YACrE,4DAA4D;YAC5D,iEAAiE;YACjE,mEAAmE;YACnE,mEAAmE;YACnE,0BAA0B;YAC1B;gBACE,WAAW,EAAE,cAAc;gBAC3B,cAAc,EAAE,KAAK;gBACrB,oBAAoB,EAAE,mBAAmB;gBACzC,cAAc,EAAE;oBACd,KAAK;oBACL,MAAM;oBACN,SAAS;oBACT,KAAK;oBACL,MAAM;oBACN,OAAO;oBACP,QAAQ;iBACT;gBACD,aAAa,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,CAAC;gBACzC,QAAQ,EAAE,IAAI;gBACd,aAAa,EAAE,uBAAuB;gBACtC,qBAAqB,EAAE,wCAAwC;gBAC/D,oBAAoB,EAAE;oBACpB;wBACE,SAAS,EAAE,gBAAgB;wBAC3B,WAAW,EAAE,YAAY,CAAC,GAAG;qBAC9B;iBACF;aACF;YACD,+DAA+D;YAC/D,8DAA8D;YAC9D,sDAAsD;YACtD,kEAAkE;YAClE,kEAAkE;YAClE,gEAAgE;YAChE,UAAU;YACV,EAAE;YACF,kEAAkE;YAClE,+DAA+D;YAC/D,wDAAwD;YACxD,EAAE;YACF,mEAAmE;YACnE,gEAAgE;YAChE,wDAAwD;YACxD;gBACE,WAAW,EAAE,eAAe;gBAC5B,cAAc,EAAE,KAAK;gBACrB,oBAAoB,EAAE,mBAAmB;gBACzC,cAAc,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,CAAC;gBAC1C,aAAa,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,CAAC;gBACzC,QAAQ,EAAE,IAAI;gBACd,aAAa,EAAE,uBAAuB;gBACtC,qBAAqB,EAAE,mBAAmB,CAAC,EAAE;gBAC7C,oBAAoB,EAAE;oBACpB;wBACE,SAAS,EAAE,gBAAgB;wBAC3B,WAAW,EAAE,YAAY,CAAC,GAAG;qBAC9B;iBACF;aACF;YACD;gBACE,WAAW,EAAE,eAAe;gBAC5B,cAAc,EAAE,KAAK;gBACrB,oBAAoB,EAAE,mBAAmB;gBACzC,cAAc,EAAE;oBACd,KAAK;oBACL,MAAM;oBACN,SAAS;oBACT,KAAK;oBACL,MAAM;oBACN,OAAO;oBACP,QAAQ;iBACT;gBACD,aAAa,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,CAAC;gBACzC,QAAQ,EAAE,IAAI;gBACd,aAAa,EAAE,uBAAuB;gBACtC,qBAAqB,EAAE,wCAAwC;gBAC/D,oBAAoB,EAAE;oBACpB;wBACE,SAAS,EAAE,gBAAgB;wBAC3B,WAAW,EAAE,YAAY,CAAC,GAAG;qBAC9B;iBACF;aACF;YACD,2DAA2D;YAC3D,mEAAmE;YACnE,qEAAqE;YACrE,iEAAiE;YACjE,gEAAgE;YAChE,8DAA8D;YAC9D,uDAAuD;YACvD,EAAE;YACF,uEAAuE;YACvE,4DAA4D;YAC5D,qEAAqE;YACrE,qEAAqE;YACrE,6BAA6B;YAC7B;gBACE,WAAW,EAAE,mBAAmB;gBAChC,cAAc,EAAE,KAAK;gBACrB,oBAAoB,EAAE,mBAAmB;gBACzC,cAAc,EAAE;oBACd,KAAK;oBACL,MAAM;oBACN,SAAS;oBACT,KAAK;oBACL,MAAM;oBACN,OAAO;oBACP,QAAQ;iBACT;gBACD,aAAa,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,CAAC;gBACzC,QAAQ,EAAE,IAAI;gBACd,aAAa,EAAE,uBAAuB;gBACtC,qBAAqB,EAAE,mBAAmB,CAAC,EAAE;gBAC7C,oBAAoB,EAAE;oBACpB;wBACE,SAAS,EAAE,gBAAgB;wBAC3B,WAAW,EAAE,YAAY,CAAC,GAAG;qBAC9B;iBACF;aACF;YACD;gBACE,WAAW,EAAE,qBAAqB;gBAClC,cAAc,EAAE,KAAK;gBACrB,oBAAoB,EAAE,mBAAmB;gBACzC,cAAc,EAAE;oBACd,KAAK;oBACL,MAAM;oBACN,SAAS;oBACT,KAAK;oBACL,MAAM;oBACN,OAAO;oBACP,QAAQ;iBACT;gBACD,aAAa,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,CAAC;gBACzC,QAAQ,EAAE,IAAI;gBACd,aAAa,EAAE,uBAAuB;gBACtC,qBAAqB,EAAE,mBAAmB,CAAC,EAAE;gBAC7C,oBAAoB,EAAE;oBACpB;wBACE,SAAS,EAAE,gBAAgB;wBAC3B,WAAW,EAAE,YAAY,CAAC,GAAG;qBAC9B;iBACF;aACF;YACD,uCAAuC;YACvC;gBACE,WAAW,EAAE,SAAS;gBACtB,cAAc,EAAE,KAAK;gBACrB,oBAAoB,EAAE,mBAAmB;gBACzC,cAAc,EAAE,CAAC,KAAK,EAAE,MAAM,CAAC;gBAC/B,aAAa,EAAE,CAAC,KAAK,EAAE,MAAM,CAAC;gBAC9B,QAAQ,EAAE,IAAI;gBACd,aAAa,EAAE,uBAAuB;gBACtC,qBAAqB,EAAE,mBAAmB,CAAC,EAAE;aAC9C;SACF;QAED,YAAY,EAAE;YACZ,cAAc,EAAE,EAAE,eAAe,EAAE,MAAM,EAAE;SAC5C;QAED,iBAAiB;KAClB,CACF,CAAC;IAEF,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM;QACrB,CAAC,CAAC,YAAY,CAAA,WAAW,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE;QAC3C,CAAC,CAAC,YAAY,CAAA,WAAW,YAAY,CAAC,UAAU,EAAE,CAAC;IAErD,OAAO,EAAE,YAAY,EAAE,GAAG,EAAE,CAAC;AAC/B,CAAC"}

package/dist/cdn-media.d.ts

@@ -0,0 +1,26 @@
+/**
+ * Media CDN Infrastructure
+ *
+ * CloudFront distribution for the public media surface — `/media/*` and
+ * `/img/*` only. No edge auth (`/media/*` is OAC-public, `/img/*` is HMAC
+ * signed at the Sharp Lambda). The default behavior targets the S3 origin
+ * with no rewrite, so unmatched paths return AccessDenied from S3 — defense
+ * in depth.
+ */
+import type { StorageResources } from "./storage.js";
+import type { ImageResources } from "./image.js";
+export interface MediaCdnArgs {
+    image: ImageResources;
+    contentBucket: StorageResources["contentBucket"];
+    priceClass?: "PriceClass_100" | "PriceClass_200" | "PriceClass_All";
+    domain?: {
+        name: string;
+        certificateArn: string;
+    };
+}
+export declare function createMediaCdn(name: string, args: MediaCdnArgs): {
+    distribution: aws.cloudfront.Distribution;
+    url: PulumiOutput<string>;
+};
+export type MediaCdnResources = ReturnType<typeof createMediaCdn>;
+//# sourceMappingURL=cdn-media.d.ts.map

package/dist/cdn-media.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cdn-media.d.ts","sourceRoot":"","sources":["../src/cdn-media.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AACrD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAEjD,MAAM,WAAW,YAAY;IAC3B,KAAK,EAAE,cAAc,CAAC;IACtB,aAAa,EAAE,gBAAgB,CAAC,eAAe,CAAC,CAAC;IACjD,UAAU,CAAC,EAAE,gBAAgB,GAAG,gBAAgB,GAAG,gBAAgB,CAAC;IACpE,MAAM,CAAC,EAAE;QACP,IAAI,EAAE,MAAM,CAAC;QACb,cAAc,EAAE,MAAM,CAAC;KACxB,CAAC;CACH;AAED,wBAAgB,cAAc,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,YAAY;;;EAgO9D;AAED,MAAM,MAAM,iBAAiB,GAAG,UAAU,CAAC,OAAO,cAAc,CAAC,CAAC"}