headroom-cms 0.1.11 → 0.2.1

package/src/api.ts

@@ -6,16 +6,40 @@
  */
 
 import path from "path";
+import { execSync } from "child_process";
 import type { StorageResources } from "./storage.js";
 import type { AuthResources } from "./auth.js";
 import type { WebhookResources } from "./webhooks.js";
+import type { BackupResources } from "./backup.js";
 import type { ImageResources } from "./image.js";
 import type { CollabTableResources } from "./collaboration.js";
 
+/**
+ * Capture the deploying commit SHA so the API can self-report which build is
+ * running. Read at infra-eval time (once per `sst deploy` / `sst dev`) and
+ * baked into the Lambda's env. Falls back to "unknown" outside a git repo —
+ * never throws, since failing the deploy over a missing SHA would be hostile.
+ */
+function captureGitSha(): string {
+  // Allow CI to inject a specific SHA — useful when builds happen on a
+  // detached checkout where `git rev-parse HEAD` returns the wrong value.
+  const fromEnv = process.env.HEADROOM_GIT_SHA;
+  if (fromEnv) return fromEnv.trim();
+  try {
+    return execSync("git rev-parse HEAD", {
+      encoding: "utf-8",
+      stdio: ["ignore", "pipe", "ignore"],
+    }).trim();
+  } catch {
+    return "unknown";
+  }
+}
+
 export interface ApiArgs {
   storage: StorageResources;
   auth: AuthResources;
   webhooks: WebhookResources;
+  backup: BackupResources;
   image: ImageResources;
   /**
    * Just the collab DynamoDB table — the API Lambda only links the table
@@ -32,7 +56,7 @@ export interface ApiArgs {
 }
 
 export function createApi(name: string, args: ApiArgs) {
-  const { storage, auth, webhooks, image, collab } = args;
+  const { storage, auth, webhooks, backup, image, collab } = args;
 
   const handlerConfig = args.dev
     ? {
@@ -68,8 +92,17 @@ export function createApi(name: string, args: ApiArgs) {
       AWS_REGION_NAME: aws.getRegionOutput().name,
       WEBHOOKS_TABLE: webhooks.webhooks.name,
       WEBHOOK_DELIVERIES_TABLE: webhooks.webhookDeliveries.name,
-      WEBHOOK_QUEUE_URL: webhooks.webhookDeliveryQueue.url,
-      IMAGE_SIGNING_SECRET: image.imageSigningSecret.value,
+      WEBHOOK_WORKER_FUNCTION_NAME: webhooks.webhookWorker.name,
+      // Backup admin endpoints (Phases 3+4): the API Lambda async-invokes
+      // the backup worker and serves list/presign/delete from the backup
+      // bucket directly. Both env vars must be present for /v1/admin/...
+      // backup endpoints to function; unset = 503 from the service layer.
+      BACKUP_BUCKET: storage.backupBucket.name,
+      BACKUP_WORKER_FUNCTION_NAME: backup.backupWorker.name,
+      // The Go API only signs with the primary master and derives the
+      // per-site key per request. It never receives the OLD master —
+      // only the Sharp Lambda's verifier needs it.
+      IMAGE_SIGNING_MASTER_SECRET: image.imageSigningMasterSecret.value,
       IMAGE_LAMBDA_NAME: image.imageLambda.name,
       RELATIONSHIPS_TABLE: storage.relationships.name,
       SITE_USERS_TABLE: storage.siteUsers.name,
@@ -79,6 +112,9 @@ export function createApi(name: string, args: ApiArgs) {
       // `X-Headroom-Internal` against this on internal service calls
       // (collab → draft snapshot). See packages/api/internal/middleware/jwt.go.
       INTERNAL_SECRET: storage.internalSecret.value,
+      // Commit SHA of the source tree at infra-eval time. Surfaced on
+      // /health so operators can map deploys → commits without tagging.
+      GIT_SHA: captureGitSha(),
     },
     link: [
       storage.sites,
@@ -92,12 +128,16 @@ export function createApi(name: string, args: ApiArgs) {
       storage.contentBucket,
       webhooks.webhooks,
       webhooks.webhookDeliveries,
-      webhooks.webhookDeliveryQueue,
-      image.imageSigningSecret,
+      image.imageSigningMasterSecret,
       storage.relationships,
       storage.siteUsers,
       collab.collabTable,
       storage.internalSecret,
+      // Backup bucket — admin endpoints list/presign-get/delete here. The
+      // worker writes here (already linked via backup.ts); the API only
+      // needs read + delete + presign-get + list-bucket, which are all
+      // covered by the SST `link` IAM grant for the bucket.
+      storage.backupBucket,
     ],
     permissions: [
       {
@@ -123,6 +163,19 @@ export function createApi(name: string, args: ApiArgs) {
         actions: ["lambda:InvokeFunction"],
         resources: [image.imageLambda.arn],
       },
+      {
+        // Async invoke of the webhook worker. Replaces the old SQS
+        // SendMessage permission that was previously auto-derived from
+        // linking the queue.
+        actions: ["lambda:InvokeFunction"],
+        resources: [webhooks.webhookWorker.arn],
+      },
+      {
+        // Async invoke of the backup worker — admin endpoints for trigger
+        // backup / restore call lambda:Invoke with InvocationType=Event.
+        actions: ["lambda:InvokeFunction"],
+        resources: [backup.backupWorker.arn],
+      },
       {
         actions: ["ses:SendEmail", "ses:SendRawEmail"],
         resources: ["*"],

package/src/backup.ts

@@ -0,0 +1,114 @@
+/**
+ * Backup Infrastructure
+ *
+ * A single Go Lambda that handles both backup export and restore import.
+ * The API service invokes it synchronously via lambda:InvokeFunction for the
+ * "scheduled" entry point this will gain a daily EventBridge cron (Phase 4).
+ *
+ * The Lambda links every site-scoped table plus the content + backup buckets.
+ * Deliberately NOT linked: Collab, collabStateBucket, SchedulerLock,
+ * WebhookDeliveries — these are transient / operational and excluded from
+ * backup payloads (see steering doc "What's in scope vs. out of scope").
+ */
+
+import path from "path";
+import type { StorageResources } from "./storage.js";
+import type { WebhookResources } from "./webhooks.js";
+
+export interface BackupArgs {
+  storage: StorageResources;
+  webhooks: WebhookResources;
+  pkgRoot: string;
+  dev?: {
+    /** Go source path, e.g. "packages/backup-worker" */
+    handler: string;
+  };
+}
+
+export function createBackup(name: string, args: BackupArgs) {
+  const { storage, webhooks } = args;
+
+  const workerConfig = args.dev
+    ? {
+        handler: args.dev.handler,
+        runtime: "go" as const,
+      }
+    : {
+        bundle: path.join(args.pkgRoot, "lambda/backup-worker"),
+        handler: "bootstrap",
+        runtime: "provided.al2023" as const,
+        architecture: "arm64" as const,
+      };
+
+  const backupWorker = new sst.aws.Function(`${name}BackupWorker`, {
+    ...workerConfig,
+    // 15-minute Lambda budget. Large sites with many media files may bump up
+    // against this; see Deferred "Step Functions for very large sites" for
+    // the escape hatch.
+    timeout: "15 minutes",
+    // Higher than default — the worker holds tar/gzip pipes, an in-memory
+    // 25-row BatchWriteItem buffer, and parallel S3 GetObject buffers.
+    memory: "1024 MB",
+    environment: {
+      SITES_TABLE: storage.sites.name,
+      CONTENT_TABLE: storage.content.name,
+      DRAFT_CONTENT_TABLE: storage.draftContent.name,
+      BLOCKS_TABLE: storage.blocks.name,
+      MEDIA_TABLE: storage.media.name,
+      COLLECTIONS_TABLE: storage.collections.name,
+      BLOCK_TYPES_TABLE: storage.blockTypes.name,
+      ADMIN_AUDIT_TABLE: storage.adminAudit.name,
+      RELATIONSHIPS_TABLE: storage.relationships.name,
+      SITE_USERS_TABLE: storage.siteUsers.name,
+      WEBHOOKS_TABLE: webhooks.webhooks.name,
+      CONTENT_BUCKET: storage.contentBucket.name,
+      BACKUP_BUCKET: storage.backupBucket.name,
+      KVS_ARN: storage.kvs.arn,
+      AWS_REGION_NAME: aws.getRegionOutput().name,
+    },
+    link: [
+      storage.sites,
+      storage.content,
+      storage.draftContent,
+      storage.blocks,
+      storage.media,
+      storage.collections,
+      storage.blockTypes,
+      storage.adminAudit,
+      storage.relationships,
+      storage.siteUsers,
+      webhooks.webhooks,
+      storage.contentBucket,
+      storage.backupBucket,
+    ],
+    permissions: [
+      {
+        // CloudFront KVS resync on restore: re-publish API key hashes so the
+        // edge function recognizes them. Fail-loud per steering §2.1 step 18.
+        actions: [
+          "cloudfront-keyvaluestore:DescribeKeyValueStore",
+          "cloudfront-keyvaluestore:PutKey",
+          "cloudfront-keyvaluestore:DeleteKey",
+          "cloudfront-keyvaluestore:GetKey",
+        ],
+        resources: [storage.kvs.arn],
+      },
+    ],
+  });
+
+  // Phase 4 — daily EventBridge cron that invokes the worker with a
+  // "scheduled" event. The handler scans the Sites table, runs backup +
+  // retention cleanup for every site with backupSchedule.enabled. 02:00
+  // UTC is a low-traffic window for most public sites; tune in the
+  // steering doc if needed. Cost is one Lambda invocation per day per
+  // stack, regardless of site count.
+  const backupCron = new sst.aws.Cron(`${name}BackupSchedule`, {
+    schedule: "cron(0 2 * * ? *)",
+    function: backupWorker.arn,
+    event: { type: "scheduled" },
+  });
+
+  return { backupWorker, backupCron };
+}
+
+export type BackupResources = ReturnType<typeof createBackup>;

package/src/cdn-api.ts

@@ -143,23 +143,14 @@ export function createApiCdn(name: string, args: ApiCdnArgs) {
     },
   );
 
-  const versionCachePolicy = new aws.cloudfront.CachePolicy(
-    `${name}VersionCachePolicy`,
-    {
-      name: $interpolate`${$app.name}-${$app.stage}-version-cache`,
-      comment: "Short-TTL cache for /version to absorb client polling",
-      minTtl: 0,
-      defaultTtl: 2,
-      maxTtl: 2,
-      parametersInCacheKeyAndForwardedToOrigin: {
-        cookiesConfig: { cookieBehavior: "none" },
-        headersConfig: { headerBehavior: "none" },
-        queryStringsConfig: { queryStringBehavior: "none" },
-        enableAcceptEncodingBrotli: true,
-        enableAcceptEncodingGzip: true,
-      },
-    },
-  );
+  // NOTE: the old `versionCachePolicy` (custom 2-second TTL) was deleted
+  // when /version began returning the per-site image signing secret.
+  // CloudFront custom cache policies do not honor `Cache-Control: private`
+  // from the origin — the explicit TTLs would win and the response (with
+  // the secret) would be edge-cached for 2s. We now use the AWS-managed
+  // `CachingDisabled` policy below for /v1/*/version, so the origin's
+  // `Cache-Control: private, max-age=2` is what reaches the browser
+  // (short-window in-browser cache) while the edge bypasses caching.
 
   // =========================================================================
   // Origin Request Policy
@@ -321,10 +312,17 @@ export function createApiCdn(name: string, args: ApiCdnArgs) {
             },
           ],
         },
-        // Version endpoint: short-TTL cache (2s) shared across all consumers
-        // for a given site. The edge function still runs for API key
-        // validation. Placed before /v1/*/users/* and the default behavior
-        // because CloudFront evaluates path patterns in order, first match wins.
+        // Version endpoint: caching DISABLED at the edge. /version now
+        // carries a per-site image signing secret in the body, so the
+        // shared edge cache must not hold it. The origin sets
+        // `Cache-Control: private, max-age=2` so browsers may still cache
+        // for the 2-second window — that absorbs single-flight contention
+        // from the same client without exposing the secret to any other
+        // viewer.
+        //
+        // Tradeoff: origin Lambda invocations on /version are now one per
+        // client poll instead of one per 2-second edge window. The SDK
+        // polls every 10s by default, so the impact is bounded.
         //
         // NOTE: pathPattern "/v1/*/version" matches exact "/version" only.
         // CloudFront's `*` wildcard does not span path segments, so any
@@ -336,7 +334,7 @@ export function createApiCdn(name: string, args: ApiCdnArgs) {
           allowedMethods: ["GET", "HEAD", "OPTIONS"],
           cachedMethods: ["GET", "HEAD", "OPTIONS"],
           compress: true,
-          cachePolicyId: versionCachePolicy.id,
+          cachePolicyId: cachingDisabledPolicyId,
           originRequestPolicyId: originRequestPolicy.id,
           functionAssociations: [
             {

package/src/cron.ts

@@ -0,0 +1,153 @@
+/**
+ * Cron Infrastructure
+ *
+ * EventBridge-driven scheduled Lambdas for periodic CMS maintenance. Today
+ * this is just the trash sweeper (Phase 2b of `steering/TRASH_CAN.md`); other
+ * cron-shaped workers (backup retention, etc.) live in their own modules.
+ *
+ * The trash sweeper Lambda walks every site, every collection, and purges
+ * content trashed more than `model.TrashRetentionDays` (30) days ago via the
+ * service-layer `Purge` — which fans out to drafts, slug lookups, tag counts,
+ * relationships, audit, and a `content.deleted` webhook per item. See
+ * `packages/api/cmd/trash_sweeper/main.go` for the entrypoint.
+ *
+ * Mass-delete protection is a per-run circuit breaker inside the sweeper
+ * (`TRASH_PURGE_RUN_CAP`), not a CloudWatch alarm: a run that would purge at
+ * least the cap aborts and logs at ERROR instead of completing. This keeps the
+ * feature at $0-at-rest (no custom CloudWatch metric, no alarm, no SNS topic)
+ * while actively *preventing* a runaway purge rather than alerting after the
+ * fact. The abort is visible in the sweeper's daily CloudWatch Logs line.
+ */
+
+import path from "path";
+import type { StorageResources } from "./storage.js";
+import type { WebhookResources } from "./webhooks.js";
+
+export interface CronArgs {
+  storage: StorageResources;
+  webhooks: WebhookResources;
+  pkgRoot: string;
+  /**
+   * Stage name (`$app.stage`). Used to tune per-stage alarm thresholds: prod
+   * is tight (1000 purges/day signals mass-delete), dev/PR stages are loose
+   * to absorb manual testing without paging.
+   */
+  stage: string;
+  dev?: {
+    /** Go source path for the trash sweeper, e.g. "packages/api/cmd/trash_sweeper" */
+    handler: string;
+  };
+}
+
+/**
+ * Per-stage value for the sweeper's per-run purge circuit breaker
+ * (`TRASH_PURGE_RUN_CAP`). A run that would purge at least this many items
+ * aborts instead of completing — the cheap, $0 replacement for the old
+ * CloudWatch mass-delete alarm. Production is tight (1000/run signals a likely
+ * mass-delete); dev/PR stages are loose so manual testing doesn't trip it.
+ * Read by `packages/api/cmd/trash_sweeper/main.go`.
+ */
+function trashPurgeRunCap(stage: string): number {
+  return stage === "production" ? 1000 : 10000;
+}
+
+export function createCron(name: string, args: CronArgs) {
+  const { storage, webhooks } = args;
+
+  const trashSweeperConfig = args.dev
+    ? {
+        handler: args.dev.handler,
+        runtime: "go" as const,
+      }
+    : {
+        bundle: path.join(args.pkgRoot, "lambda/trash-sweeper"),
+        handler: "bootstrap",
+        runtime: "provided.al2023" as const,
+        architecture: "arm64" as const,
+      };
+
+  // Daily at 03:00 UTC. Cron syntax: minute hour day-of-month month day-of-week year.
+  // EventBridge requires either day-of-month or day-of-week to be `?`.
+  const trashSweeperCron = new sst.aws.Cron(`${name}TrashSweeper`, {
+    schedule: "cron(0 3 * * ? *)",
+    job: {
+      ...trashSweeperConfig,
+      // The sweeper pages through every site × every collection. 5 minutes
+      // is generous; a single site rarely has > 100 trashed items per
+      // collection per day. If we ever hit the timeout, the next run will
+      // pick up where we left off (items remain in the trash partition).
+      timeout: "5 minutes",
+      memory: "512 MB",
+      environment: {
+        // DynamoDB tables. NOTE: The sweeper's only entry point is
+        // AdminContentService.Purge, which touches content + drafts + audit
+        // + relationships + (indirectly via tagsRepo) ContentTable's
+        // tag-count items. blocksRepo and mediaRepo are passed to
+        // NewAdminContentService for symmetry with the API, but Purge's
+        // call graph never reaches them — so BLOCKS_TABLE / MEDIA_TABLE
+        // are deliberately omitted. If the sweeper ever grows a second
+        // entry point (Trash / Restore / Publish), revisit.
+        SITES_TABLE: storage.sites.name,
+        CONTENT_TABLE: storage.content.name,
+        DRAFT_CONTENT_TABLE: storage.draftContent.name,
+        COLLECTIONS_TABLE: storage.collections.name,
+        BLOCK_TYPES_TABLE: storage.blockTypes.name,
+        ADMIN_AUDIT_TABLE: storage.adminAudit.name,
+        RELATIONSHIPS_TABLE: storage.relationships.name,
+        WEBHOOKS_TABLE: webhooks.webhooks.name,
+        WEBHOOK_DELIVERIES_TABLE: webhooks.webhookDeliveries.name,
+        // Purge bumps the CDN site-version on published items, so the
+        // sweeper needs to write into the KVS just like the API Lambda.
+        KVS_ARN: storage.kvs.arn,
+        // Webhook fan-out async-invokes this Lambda per subscribed webhook.
+        WEBHOOK_WORKER_FUNCTION_NAME: webhooks.webhookWorker.name,
+        AWS_REGION_NAME: aws.getRegionOutput().name,
+        // Per-run purge circuit breaker. A sweep that would purge at least
+        // this many items aborts (and logs at ERROR) instead of completing —
+        // a $0 guard against a mass-delete / runaway, replacing the old
+        // CloudWatch mass-delete alarm. See trashPurgeRunCap above.
+        TRASH_PURGE_RUN_CAP: String(trashPurgeRunCap(args.stage)),
+      },
+      link: [
+        // Read/write — Purge mutates content (incl. tag-count items and
+        // slug-lookup rows) + drafts + audit + relationships, and emits
+        // per-item webhook delivery rows. Sites/collections/blockTypes are
+        // read-only for the sweep loop (ListAll + GetCollections).
+        // storage.blocks and storage.media are deliberately NOT linked —
+        // see env comment above.
+        storage.sites,
+        storage.content,
+        storage.draftContent,
+        storage.collections,
+        storage.blockTypes,
+        storage.adminAudit,
+        storage.relationships,
+        webhooks.webhooks,
+        webhooks.webhookDeliveries,
+      ],
+      permissions: [
+        {
+          // CloudFront KVS bump on Purge of a published item — mirrors the
+          // API Lambda's KVS permission set.
+          actions: [
+            "cloudfront-keyvaluestore:DescribeKeyValueStore",
+            "cloudfront-keyvaluestore:PutKey",
+            "cloudfront-keyvaluestore:DeleteKey",
+            "cloudfront-keyvaluestore:GetKey",
+          ],
+          resources: [storage.kvs.arn],
+        },
+        {
+          // Async invoke of the webhook worker. Same grant pattern as the
+          // API Lambda (`webhooks.webhookWorker.arn` in `api.ts`).
+          actions: ["lambda:InvokeFunction"],
+          resources: [webhooks.webhookWorker.arn],
+        },
+      ],
+    },
+  });
+
+  return { trashSweeperCron };
+}
+
+export type CronResources = ReturnType<typeof createCron>;

package/src/image.ts

@@ -3,6 +3,12 @@
  *
  * Sharp-based image transformation Lambda with HMAC-signed URLs.
  * Supports dev mode (Node.js source) and package mode (pre-bundled handler).
+ *
+ * The signing key is per-site: the Lambda derives it from a master KDF
+ * input (HMAC-SHA256(master, site)) so leaking one site's key cannot be
+ * used to forge URLs for another site. The OLD master is an opt-in
+ * fallback for smooth rotation — the Sharp Lambda accepts either, the Go
+ * API only signs with the primary.
  */
 
 import path from "path";
@@ -18,7 +24,15 @@ export interface ImageArgs {
 }
 
 export function createImage(name: string, args: ImageArgs) {
-  const imageSigningSecret = new sst.Secret(`${name}ImageSigningSecret`);
+  const imageSigningMasterSecret = new sst.Secret(
+    `${name}ImageSigningMasterSecret`,
+  );
+  // Optional fallback master used during rotation. SST treats unset
+  // secrets as empty strings, which the Lambda's deriveSiteSecret turns
+  // into a null per-site key — disabling the fallback path entirely.
+  const imageSigningMasterSecretOld = new sst.Secret(
+    `${name}ImageSigningMasterSecretOld`,
+  );
 
   let imageLambda: sst.aws.Function;
   if (args.dev) {
@@ -36,9 +50,14 @@ export function createImage(name: string, args: ImageArgs) {
       },
       environment: {
         CONTENT_BUCKET: args.contentBucket.name,
-        IMAGE_SIGNING_SECRET: imageSigningSecret.value,
+        IMAGE_SIGNING_MASTER_SECRET: imageSigningMasterSecret.value,
+        IMAGE_SIGNING_MASTER_SECRET_OLD: imageSigningMasterSecretOld.value,
       },
-      link: [args.contentBucket, imageSigningSecret],
+      link: [
+        args.contentBucket,
+        imageSigningMasterSecret,
+        imageSigningMasterSecretOld,
+      ],
     });
   } else {
     imageLambda = new sst.aws.Function(`${name}ImageLambda`, {
@@ -53,13 +72,18 @@ export function createImage(name: string, args: ImageArgs) {
       },
       environment: {
         CONTENT_BUCKET: args.contentBucket.name,
-        IMAGE_SIGNING_SECRET: imageSigningSecret.value,
+        IMAGE_SIGNING_MASTER_SECRET: imageSigningMasterSecret.value,
+        IMAGE_SIGNING_MASTER_SECRET_OLD: imageSigningMasterSecretOld.value,
       },
-      link: [args.contentBucket, imageSigningSecret],
+      link: [
+        args.contentBucket,
+        imageSigningMasterSecret,
+        imageSigningMasterSecretOld,
+      ],
     });
   }
 
-  return { imageSigningSecret, imageLambda };
+  return { imageSigningMasterSecret, imageSigningMasterSecretOld, imageLambda };
 }
 
 export type ImageResources = ReturnType<typeof createImage>;

package/src/index.ts

@@ -10,6 +10,7 @@ import path from "path";
 import { createStorage } from "./storage.js";
 import { createAuth } from "./auth.js";
 import { createWebhooks } from "./webhooks.js";
+import { createBackup } from "./backup.js";
 import { createImage } from "./image.js";
 import { createApi } from "./api.js";
 import { createApiCdn } from "./cdn-api.js";
@@ -17,6 +18,7 @@ import { createMediaCdn } from "./cdn-media.js";
 import { createScheduler } from "./scheduler.js";
 import { createCollabTable, createCollabHandler } from "./collaboration.js";
 import { createAdminSite } from "./admin-site.js";
+import { createCron } from "./cron.js";
 
 /**
  * Resolve the headroom-cms package root directory.
@@ -48,6 +50,7 @@ function resolvePkgRoot(): string {
 export type { StorageResources } from "./storage.js";
 export type { AuthResources } from "./auth.js";
 export type { WebhookResources } from "./webhooks.js";
+export type { BackupResources } from "./backup.js";
 export type { ImageResources } from "./image.js";
 export type { ApiResources } from "./api.js";
 export type { ApiCdnResources } from "./cdn-api.js";
@@ -55,6 +58,7 @@ export type { MediaCdnResources } from "./cdn-media.js";
 export type { SchedulerResources } from "./scheduler.js";
 export type { CollaborationResources } from "./collaboration.js";
 export type { AdminSiteResources } from "./admin-site.js";
+export type { CronResources } from "./cron.js";
 
 export interface HeadroomCMSArgs {
   /**
@@ -127,6 +131,8 @@ export interface HeadroomCMSArgs {
     apiHandler: string;
     /** Go source path for webhook worker, e.g. "packages/webhook-worker" */
     webhookWorkerHandler: string;
+    /** Go source path for backup worker, e.g. "packages/backup-worker" */
+    backupWorkerHandler: string;
     /** SST handler for custom message function, e.g. "packages/functions/custom-message.handler" */
     customMessageHandler: string;
     /** SST handler for image Lambda, e.g. "packages/image-lambda/index.handler" */
@@ -137,6 +143,8 @@ export interface HeadroomCMSArgs {
     schedulerHandler?: string;
     /** SST handler for collab Lambda, e.g. "packages/collab/src/index.handler" */
     collabHandler?: string;
+    /** Go source path for trash sweeper Lambda, e.g. "packages/api/cmd/trash_sweeper" */
+    trashSweeperHandler?: string;
   };
 
   /**
@@ -177,7 +185,7 @@ export class HeadroomCMS {
         : undefined,
     });
 
-    // 3. Webhooks (DynamoDB tables, SQS queues, worker Lambda)
+    // 3. Webhooks (DynamoDB tables, DLQ, worker Lambda)
     const webhooks = createWebhooks(name, {
       sites: storage.sites,
       pkgRoot,
@@ -186,6 +194,18 @@ export class HeadroomCMS {
         : undefined,
     });
 
+    // 3b. Backup worker Lambda (export + restore). Needs access to every
+    // site-scoped table plus the content + backup buckets. Created after
+    // webhooks so it can link the webhooks table for backup payloads.
+    const backup = createBackup(name, {
+      storage,
+      webhooks,
+      pkgRoot,
+      dev: args.dev
+        ? { handler: args.dev.backupWorkerHandler }
+        : undefined,
+    });
+
     // 4. Image Lambda (Sharp transform with HMAC-signed URLs)
     const image = createImage(name, {
       contentBucket: storage.contentBucket,
@@ -204,6 +224,7 @@ export class HeadroomCMS {
       storage,
       auth,
       webhooks,
+      backup,
       image,
       collab: collabTable,
       senderEmail: args.senderEmail,
@@ -240,6 +261,19 @@ export class HeadroomCMS {
         : undefined,
     });
 
+    // 7b. Cron — daily trash sweeper Lambda (with an in-sweeper per-run purge
+    // circuit breaker; no CloudWatch metric/alarm). See `steering/TRASH_CAN.md`
+    // Phase 2b.
+    const cron = createCron(name, {
+      storage,
+      webhooks,
+      pkgRoot,
+      stage: $app.stage,
+      dev: args.dev?.trashSweeperHandler
+        ? { handler: args.dev.trashSweeperHandler }
+        : undefined,
+    });
+
     // 8a. API CDN (CloudFront distribution + edge auth, /v1/* and /health)
     const apiCdn = createApiCdn(name, {
       api,
@@ -289,6 +323,29 @@ export class HeadroomCMS {
       userPoolId: auth.userPool.id,
       userPoolClientId: auth.userPoolClient.id,
       collabWs: collab.wsUrl,
+      // DynamoDB table names (with Pulumi-generated random suffixes baked
+      // in). Exposed so consumers — notably the Phase 6 E2E test harness —
+      // can discover real table names rather than guess them from the
+      // `<app>-<stage>-<Name>` template (which omits the random suffix).
+      // Per CLAUDE.md, `.sst/outputs.json` IS the supported interface for
+      // post-deploy discovery.
+      sitesTable: storage.sites.name,
+      contentTable: storage.content.name,
+      draftContentTable: storage.draftContent.name,
+      blocksTable: storage.blocks.name,
+      mediaTable: storage.media.name,
+      collectionsTable: storage.collections.name,
+      blockTypesTable: storage.blockTypes.name,
+      adminAuditTable: storage.adminAudit.name,
+      relationshipsTable: storage.relationships.name,
+      siteUsersTable: storage.siteUsers.name,
+      webhooksTable: webhooks.webhooks.name,
+      contentBucket: storage.contentBucket.name,
+      backupBucket: storage.backupBucket.name,
+      // Trash-sweeper Lambda function name (Phase 2b). Surfaced so ops/test
+      // scripts can target the sweeper by deterministic output instead of
+      // `aws lambda list-functions | grep`.
+      trashSweeperFunctionName: cron.trashSweeperCron.nodes.function.name,
     };
   }
 }