headroom-cms 0.1.9 → 0.1.11

package/dist/{cdn.js → cdn-api.js}

@@ -1,11 +1,12 @@
 /**
- * CDN Infrastructure
+ * API CDN Infrastructure
  *
- * CloudFront distribution with edge authentication, version-based caching,
- * direct S3 media serving, and Sharp Lambda image transforms.
+ * CloudFront distribution for the Headroom API only — `/v1/*` and `/health`.
+ * Edge-auth function + KVS association live here. No `/media/*` or `/img/*`
+ * behaviors; those are served by the separate media CDN (see cdn-media.ts).
  */
-export function createCdn(name, args) {
-    const { api, image, contentBucket, kvs } = args;
+export function createApiCdn(name, args) {
+    const { api, kvs } = args;
     const apiCacheTtl = args.apiCacheTtl ?? 3600;
     // Extract KVS UUID from ARN (cf.kvs() needs the UUID, not the name)
     const kvsUuid = kvs.arn.apply((arn) => arn.split("/").pop());
@@ -87,32 +88,6 @@ export function createCdn(name, args) {
       return request;
     }
   `,
-    });
-    // =========================================================================
-    // CloudFront Function: Media Rewrite
-    // =========================================================================
-    const mediaRewriteFunction = new aws.cloudfront.Function(`${name}MediaRewrite`, {
-        name: $interpolate `${$app.name}-${$app.stage}-media-rewrite`,
-        runtime: "cloudfront-js-2.0",
-        publish: true,
-        code: `
-    function handler(event) {
-      var request = event.request;
-      var uri = request.uri;
-
-      // Rewrite /media/{site}/{mediaId}/{file} → /sites/{site}/media/{mediaId}/{file}
-      var parts = uri.split('/');
-      // parts: ['', 'media', '{site}', '{mediaId}', '{file}']
-      if (parts.length >= 5 && parts[1] === 'media') {
-        var site = parts[2];
-        var mediaId = parts[3];
-        var rest = parts.slice(4).join('/');
-        request.uri = '/sites/' + site + '/media/' + mediaId + '/' + rest;
-      }
-
-      return request;
-    }
-  `,
     });
     // =========================================================================
     // Cache Policies
@@ -144,39 +119,6 @@ export function createCdn(name, args) {
             enableAcceptEncodingGzip: true,
         },
     });
-    const imageCachePolicy = new aws.cloudfront.CachePolicy(`${name}ImageCachePolicy`, {
-        name: $interpolate `${$app.name}-${$app.stage}-image-cache`,
-        comment: "Cache policy for transformed images (immutable)",
-        defaultTtl: 31536000,
-        maxTtl: 31536000,
-        minTtl: 31536000,
-        parametersInCacheKeyAndForwardedToOrigin: {
-            cookiesConfig: { cookieBehavior: "none" },
-            headersConfig: { headerBehavior: "none" },
-            queryStringsConfig: {
-                queryStringBehavior: "whitelist",
-                queryStrings: {
-                    items: ["w", "h", "fit", "format", "q", "sig"],
-                },
-            },
-            enableAcceptEncodingBrotli: true,
-            enableAcceptEncodingGzip: true,
-        },
-    });
-    const mediaCachePolicy = new aws.cloudfront.CachePolicy(`${name}MediaCachePolicy`, {
-        name: $interpolate `${$app.name}-${$app.stage}-media-cache`,
-        comment: "Cache policy for original media files (immutable)",
-        defaultTtl: 31536000,
-        maxTtl: 31536000,
-        minTtl: 31536000,
-        parametersInCacheKeyAndForwardedToOrigin: {
-            cookiesConfig: { cookieBehavior: "none" },
-            headersConfig: { headerBehavior: "none" },
-            queryStringsConfig: { queryStringBehavior: "none" },
-            enableAcceptEncodingBrotli: true,
-            enableAcceptEncodingGzip: true,
-        },
-    });
     const versionCachePolicy = new aws.cloudfront.CachePolicy(`${name}VersionCachePolicy`, {
         name: $interpolate `${$app.name}-${$app.stage}-version-cache`,
         comment: "Short-TTL cache for /version to absorb client polling",
@@ -225,34 +167,12 @@ export function createCdn(name, args) {
     // authenticated behaviors below.
     const cachingDisabledPolicyId = "4135ea2d-6df8-44a3-9df3-4b5a84be39ad";
     // =========================================================================
-    // Origin Access Controls (OAC)
-    // =========================================================================
-    const mediaOAC = new aws.cloudfront.OriginAccessControl(`${name}MediaOAC`, {
-        name: $interpolate `${$app.name}-${$app.stage}-media-oac`,
-        description: "OAC for S3 media origin",
-        originAccessControlOriginType: "s3",
-        signingBehavior: "always",
-        signingProtocol: "sigv4",
-    });
-    const imageOAC = new aws.cloudfront.OriginAccessControl(`${name}ImageOAC`, {
-        name: $interpolate `${$app.name}-${$app.stage}-image-oac`,
-        description: "OAC for image transform Lambda origin",
-        originAccessControlOriginType: "lambda",
-        signingBehavior: "always",
-        signingProtocol: "sigv4",
-    });
-    // =========================================================================
     // CloudFront Distribution
     // =========================================================================
     const originDomain = api.api.url.apply((url) => {
         const parsed = new URL(url);
         return parsed.hostname;
     });
-    const imageLambdaDomain = image.imageLambda.url.apply((url) => {
-        const parsed = new URL(url);
-        return parsed.hostname;
-    });
-    const s3RegionalDomain = $interpolate `${contentBucket.name}.s3.${aws.getRegionOutput().name}.amazonaws.com`;
     const priceClass = args.priceClass ?? "PriceClass_100";
     // Build aliases and certificate config for custom domain
     const aliases = args.domain ? [args.domain.name] : undefined;
@@ -282,25 +202,6 @@ export function createCdn(name, args) {
                     originSslProtocols: ["TLSv1.2"],
                 },
             },
-            {
-                originId: "media-s3",
-                domainName: s3RegionalDomain,
-                originAccessControlId: mediaOAC.id,
-                s3OriginConfig: {
-                    originAccessIdentity: "",
-                },
-            },
-            {
-                originId: "image-lambda",
-                domainName: imageLambdaDomain,
-                originAccessControlId: imageOAC.id,
-                customOriginConfig: {
-                    httpPort: 80,
-                    httpsPort: 443,
-                    originProtocolPolicy: "https-only",
-                    originSslProtocols: ["TLSv1.2"],
-                },
-            },
         ],
         defaultCacheBehavior: {
             targetOriginId: "api",
@@ -484,32 +385,6 @@ export function createCdn(name, args) {
                     },
                 ],
             },
-            // Media originals: served directly from S3 via OAC
-            {
-                pathPattern: "/media/*",
-                targetOriginId: "media-s3",
-                viewerProtocolPolicy: "redirect-to-https",
-                allowedMethods: ["GET", "HEAD", "OPTIONS"],
-                cachedMethods: ["GET", "HEAD", "OPTIONS"],
-                compress: true,
-                cachePolicyId: mediaCachePolicy.id,
-                functionAssociations: [
-                    {
-                        eventType: "viewer-request",
-                        functionArn: mediaRewriteFunction.arn,
-                    },
-                ],
-            },
-            // Image transforms: served via Sharp Lambda
-            {
-                pathPattern: "/img/*",
-                targetOriginId: "image-lambda",
-                viewerProtocolPolicy: "redirect-to-https",
-                allowedMethods: ["GET", "HEAD", "OPTIONS"],
-                cachedMethods: ["GET", "HEAD", "OPTIONS"],
-                compress: true,
-                cachePolicyId: imageCachePolicy.id,
-            },
             // Health endpoint: no caching, no auth
             {
                 pathPattern: "/health",
@@ -527,16 +402,9 @@ export function createCdn(name, args) {
         },
         viewerCertificate,
     });
-    // Allow CloudFront to invoke the image Lambda via OAC
-    new aws.lambda.Permission(`${name}ImageLambdaCFPermission`, {
-        action: "lambda:InvokeFunctionUrl",
-        function: image.imageLambda.name,
-        principal: "cloudfront.amazonaws.com",
-        sourceArn: distribution.arn,
-    });
     const url = args.domain
         ? $interpolate `https://${args.domain.name}`
         : $interpolate `https://${distribution.domainName}`;
     return { distribution, url };
 }
-//# sourceMappingURL=cdn.js.map
+//# sourceMappingURL=cdn-api.js.map

package/dist/cdn-api.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cdn-api.js","sourceRoot":"","sources":["../src/cdn-api.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAgBH,MAAM,UAAU,YAAY,CAAC,IAAY,EAAE,IAAgB;IACzD,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;IAC1B,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,IAAI,IAAI,CAAC;IAE7C,oEAAoE;IACpE,MAAM,OAAO,GAAG,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,GAAW,EAAE,EAAE,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAG,CAAC,CAAC;IAEtE,4EAA4E;IAC5E,iCAAiC;IACjC,4EAA4E;IAC5E,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,QAAQ,CAAC,GAAG,IAAI,UAAU,EAAE;QAClE,IAAI,EAAE,YAAY,CAAA,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,KAAK,YAAY;QACxD,OAAO,EAAE,mBAAmB;QAC5B,OAAO,EAAE,IAAI;QACb,yBAAyB,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC;QACpC,IAAI,EAAE,YAAY,CAAA;;;;qBAID,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiEzB;KACA,CAAC,CAAC;IAEH,4EAA4E;IAC5E,iBAAiB;IACjB,4EAA4E;IAE5E,MAAM,cAAc,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,WAAW,CACnD,GAAG,IAAI,gBAAgB,EACvB;QACE,IAAI,EAAE,YAAY,CAAA,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,KAAK,YAAY;QACxD,OAAO,EACL,gEAAgE;QAClE,UAAU,EAAE,WAAW;QACvB,MAAM,EAAE,KAAK;QACb,MAAM,EAAE,CAAC;QACT,wCAAwC,EAAE;YACxC,aAAa,EAAE,EAAE,cAAc,EAAE,MAAM,EAAE;YACzC,aAAa,EAAE;gBACb,cAAc,EAAE,WAAW;gBAC3B,OAAO,EAAE,EAAE,KAAK,EAAE,CAAC,oBAAoB,CAAC,EAAE;aAC3C;YACD,kBAAkB,EAAE;gBAClB,mBAAmB,EAAE,WAAW;gBAChC,YAAY,EAAE;oBACZ,6DAA6D;oBAC7D,2DAA2D;oBAC3D,uDAAuD;oBACvD,8DAA8D;oBAC9D,qDAAqD;oBACrD,KAAK,EAAE,CAAC,YAAY,EAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,EAAE,QAAQ,CAAC;iBAC9G;aACF;YACD,0BAA0B,EAAE,IAAI;YAChC,wBAAwB,EAAE,IAAI;SAC/B;KACF,CACF,CAAC;IAEF,MAAM,kBAAkB,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,WAAW,CACvD,GAAG,IAAI,oBAAoB,EAC3B;QACE,IAAI,EAAE,YAAY,CAAA,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,KAAK,gBAAgB;QAC5D,OAAO,EAAE,uDAAuD;QAChE,MAAM,EAAE,CAAC;QACT,UAAU,EAAE,CAAC;QACb,MAAM,EAAE,CAAC;QACT,wCAAwC,EAAE;YACxC,aAAa,EAAE,EAAE,cAAc,EAAE,MAAM,EAAE;YACzC,aAAa,EAAE,EAAE,cAAc,EAAE,MAAM,EAAE;YACzC,kBAAkB,EAAE,EAAE,mBAAmB,EAAE,MAAM,EAAE;YACnD,0BAA0B,EAAE,IAAI;YAChC,wBAAwB,EAAE,IAAI;SAC/B;KACF,CACF,CAAC;IAEF,4EAA4E;IAC5E,wBAAwB;IACxB,4EAA4E;IAE5E,MAAM,mBAAmB,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,mBAAmB,CAChE,GAAG,IAAI,qBAAqB,EAC5B;QACE,IAAI,EAAE,YAAY,CAAA,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,KAAK,iBAAiB;QAC7D,OAAO,EAAE,4CAA4C;QACrD,aAAa,EAAE,EAAE,cAAc,EAAE,MAAM,EAAE;QACzC,aAAa,EAAE;YACb,cAAc,EAAE,WAAW;YAC3B,OAAO,EAAE;gBACP,KAAK,EAAE;oBACL,gBAAgB;oBAChB,oBAAoB;oBACpB,cAAc;oBACd,QAAQ;oBACR,oBAAoB;iBACrB;aACF;SACF;QACD,kBAAkB,EAAE,EAAE,mBAAmB,EAAE,KAAK,EAAE;KACnD,CACF,CAAC;IAEF,0EAA0E;IAC1E,sEAAsE;IACtE,qEAAqE;IACrE,0EAA0E;IAC1E,0EAA0E;IAC1E,oEAAoE;IACpE,2EAA2E;IAC3E,4CAA4C;IAC5C,MAAM,wCAAwC,GAC5C,sCAAsC,CAAC;IAEzC,sEAAsE;IACtE,iCAAiC;IACjC,MAAM,uBAAuB,GAAG,sCAAsC,CAAC;IAEvE,4EAA4E;IAC5E,0BAA0B;IAC1B,4EAA4E;IAE5E,MAAM,YAAY,GAAG,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,GAAW,EAAE,EAAE;QACrD,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;QAC5B,OAAO,MAAM,CAAC,QAAQ,CAAC;IACzB,CAAC,CAAC,CAAC;IAEH,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,IAAI,gBAAgB,CAAC;IAEvD,yDAAyD;IACzD,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IAC7D,MAAM,iBAAiB,GAAG,IAAI,CAAC,MAAM;QACnC,CAAC,CAAC;YACE,iBAAiB,EAAE,IAAI,CAAC,MAAM,CAAC,cAAc;YAC7C,gBAAgB,EAAE,UAAmB;YACrC,sBAAsB,EAAE,cAAuB;SAChD;QACH,CAAC,CAAC;YACE,4BAA4B,EAAE,IAAI;SACnC,CAAC;IAEN,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,YAAY,CAClD,GAAG,IAAI,cAAc,EACrB;QACE,OAAO,EAAE,IAAI;QACb,OAAO,EAAE,YAAY,CAAA,sBAAsB,IAAI,CAAC,KAAK,EAAE;QACvD,WAAW,EAAE,WAAW;QACxB,UAAU;QACV,OAAO;QAEP,OAAO,EAAE;YACP;gBACE,QAAQ,EAAE,KAAK;gBACf,UAAU,EAAE,YAAY;gBACxB,kBAAkB,EAAE;oBAClB,QAAQ,EAAE,EAAE;oBACZ,SAAS,EAAE,GAAG;oBACd,oBAAoB,EAAE,YAAY;oBAClC,kBAAkB,EAAE,CAAC,SAAS,CAAC;iBAChC;aACF;SACF;QAED,oBAAoB,EAAE;YACpB,cAAc,EAAE,KAAK;YACrB,oBAAoB,EAAE,mBAAmB;YACzC,cAAc,EAAE;gBACd,KAAK;gBACL,MAAM;gBACN,SAAS;gBACT,KAAK;gBACL,MAAM;gBACN,OAAO;gBACP,QAAQ;aACT;YACD,aAAa,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,CAAC;YACzC,QAAQ,EAAE,IAAI;YACd,aAAa,EAAE,cAAc,CAAC,EAAE;YAChC,qBAAqB,EAAE,mBAAmB,CAAC,EAAE;YAC7C,oBAAoB,EAAE;gBACpB;oBACE,SAAS,EAAE,gBAAgB;oBAC3B,WAAW,EAAE,YAAY,CAAC,GAAG;iBAC9B;aACF;SACF;QAED,qBAAqB,EAAE;YACrB,yDAAyD;YACzD;gBACE,WAAW,EAAE,aAAa;gBAC1B,cAAc,EAAE,KAAK;gBACrB,oBAAoB,EAAE,mBAAmB;gBACzC,cAAc,EAAE;oBACd,KAAK;oBACL,MAAM;oBACN,SAAS;oBACT,KAAK;oBACL,MAAM;oBACN,OAAO;oBACP,QAAQ;iBACT;gBACD,aAAa,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,CAAC;gBACzC,QAAQ,EAAE,IAAI;gBACd,aAAa,EAAE,uBAAuB;gBACtC,qBAAqB,EAAE,wCAAwC;aAChE;YACD,qEAAqE;YACrE,4DAA4D;YAC5D,iEAAiE;YACjE,mEAAmE;YACnE,mEAAmE;YACnE,0BAA0B;YAC1B;gBACE,WAAW,EAAE,cAAc;gBAC3B,cAAc,EAAE,KAAK;gBACrB,oBAAoB,EAAE,mBAAmB;gBACzC,cAAc,EAAE;oBACd,KAAK;oBACL,MAAM;oBACN,SAAS;oBACT,KAAK;oBACL,MAAM;oBACN,OAAO;oBACP,QAAQ;iBACT;gBACD,aAAa,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,CAAC;gBACzC,QAAQ,EAAE,IAAI;gBACd,aAAa,EAAE,uBAAuB;gBACtC,qBAAqB,EAAE,wCAAwC;gBAC/D,oBAAoB,EAAE;oBACpB;wBACE,SAAS,EAAE,gBAAgB;wBAC3B,WAAW,EAAE,YAAY,CAAC,GAAG;qBAC9B;iBACF;aACF;YACD,qEAAqE;YACrE,6DAA6D;YAC7D,mEAAmE;YACnE,yEAAyE;YACzE,EAAE;YACF,mEAAmE;YACnE,gEAAgE;YAChE,wDAAwD;YACxD;gBACE,WAAW,EAAE,eAAe;gBAC5B,cAAc,EAAE,KAAK;gBACrB,oBAAoB,EAAE,mBAAmB;gBACzC,cAAc,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,CAAC;gBAC1C,aAAa,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,CAAC;gBACzC,QAAQ,EAAE,IAAI;gBACd,aAAa,EAAE,kBAAkB,CAAC,EAAE;gBACpC,qBAAqB,EAAE,mBAAmB,CAAC,EAAE;gBAC7C,oBAAoB,EAAE;oBACpB;wBACE,SAAS,EAAE,gBAAgB;wBAC3B,WAAW,EAAE,YAAY,CAAC,GAAG;qBAC9B;iBACF;aACF;YACD;gBACE,WAAW,EAAE,eAAe;gBAC5B,cAAc,EAAE,KAAK;gBACrB,oBAAoB,EAAE,mBAAmB;gBACzC,cAAc,EAAE;oBACd,KAAK;oBACL,MAAM;oBACN,SAAS;oBACT,KAAK;oBACL,MAAM;oBACN,OAAO;oBACP,QAAQ;iBACT;gBACD,aAAa,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,CAAC;gBACzC,QAAQ,EAAE,IAAI;gBACd,aAAa,EAAE,uBAAuB;gBACtC,qBAAqB,EAAE,wCAAwC;gBAC/D,oBAAoB,EAAE;oBACpB;wBACE,SAAS,EAAE,gBAAgB;wBAC3B,WAAW,EAAE,YAAY,CAAC,GAAG;qBAC9B;iBACF;aACF;YACD,2DAA2D;YAC3D,mEAAmE;YACnE,qEAAqE;YACrE,iEAAiE;YACjE,gEAAgE;YAChE,8DAA8D;YAC9D,uDAAuD;YACvD,EAAE;YACF,uEAAuE;YACvE,4DAA4D;YAC5D,qEAAqE;YACrE,qEAAqE;YACrE,6BAA6B;YAC7B;gBACE,WAAW,EAAE,mBAAmB;gBAChC,cAAc,EAAE,KAAK;gBACrB,oBAAoB,EAAE,mBAAmB;gBACzC,cAAc,EAAE;oBACd,KAAK;oBACL,MAAM;oBACN,SAAS;oBACT,KAAK;oBACL,MAAM;oBACN,OAAO;oBACP,QAAQ;iBACT;gBACD,aAAa,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,CAAC;gBACzC,QAAQ,EAAE,IAAI;gBACd,aAAa,EAAE,uBAAuB;gBACtC,qBAAqB,EAAE,mBAAmB,CAAC,EAAE;gBAC7C,oBAAoB,EAAE;oBACpB;wBACE,SAAS,EAAE,gBAAgB;wBAC3B,WAAW,EAAE,YAAY,CAAC,GAAG;qBAC9B;iBACF;aACF;YACD;gBACE,WAAW,EAAE,qBAAqB;gBAClC,cAAc,EAAE,KAAK;gBACrB,oBAAoB,EAAE,mBAAmB;gBACzC,cAAc,EAAE;oBACd,KAAK;oBACL,MAAM;oBACN,SAAS;oBACT,KAAK;oBACL,MAAM;oBACN,OAAO;oBACP,QAAQ;iBACT;gBACD,aAAa,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,CAAC;gBACzC,QAAQ,EAAE,IAAI;gBACd,aAAa,EAAE,uBAAuB;gBACtC,qBAAqB,EAAE,mBAAmB,CAAC,EAAE;gBAC7C,oBAAoB,EAAE;oBACpB;wBACE,SAAS,EAAE,gBAAgB;wBAC3B,WAAW,EAAE,YAAY,CAAC,GAAG;qBAC9B;iBACF;aACF;YACD,uCAAuC;YACvC;gBACE,WAAW,EAAE,SAAS;gBACtB,cAAc,EAAE,KAAK;gBACrB,oBAAoB,EAAE,mBAAmB;gBACzC,cAAc,EAAE,CAAC,KAAK,EAAE,MAAM,CAAC;gBAC/B,aAAa,EAAE,CAAC,KAAK,EAAE,MAAM,CAAC;gBAC9B,QAAQ,EAAE,IAAI;gBACd,aAAa,EAAE,uBAAuB;gBACtC,qBAAqB,EAAE,mBAAmB,CAAC,EAAE;aAC9C;SACF;QAED,YAAY,EAAE;YACZ,cAAc,EAAE,EAAE,eAAe,EAAE,MAAM,EAAE;SAC5C;QAED,iBAAiB;KAClB,CACF,CAAC;IAEF,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM;QACrB,CAAC,CAAC,YAAY,CAAA,WAAW,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE;QAC3C,CAAC,CAAC,YAAY,CAAA,WAAW,YAAY,CAAC,UAAU,EAAE,CAAC;IAErD,OAAO,EAAE,YAAY,EAAE,GAAG,EAAE,CAAC;AAC/B,CAAC"}

package/dist/cdn-media.d.ts

@@ -0,0 +1,26 @@
+/**
+ * Media CDN Infrastructure
+ *
+ * CloudFront distribution for the public media surface — `/media/*` and
+ * `/img/*` only. No edge auth (`/media/*` is OAC-public, `/img/*` is HMAC
+ * signed at the Sharp Lambda). The default behavior targets the S3 origin
+ * with no rewrite, so unmatched paths return AccessDenied from S3 — defense
+ * in depth.
+ */
+import type { StorageResources } from "./storage.js";
+import type { ImageResources } from "./image.js";
+export interface MediaCdnArgs {
+    image: ImageResources;
+    contentBucket: StorageResources["contentBucket"];
+    priceClass?: "PriceClass_100" | "PriceClass_200" | "PriceClass_All";
+    domain?: {
+        name: string;
+        certificateArn: string;
+    };
+}
+export declare function createMediaCdn(name: string, args: MediaCdnArgs): {
+    distribution: aws.cloudfront.Distribution;
+    url: PulumiOutput<string>;
+};
+export type MediaCdnResources = ReturnType<typeof createMediaCdn>;
+//# sourceMappingURL=cdn-media.d.ts.map

package/dist/cdn-media.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cdn-media.d.ts","sourceRoot":"","sources":["../src/cdn-media.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AACrD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAEjD,MAAM,WAAW,YAAY;IAC3B,KAAK,EAAE,cAAc,CAAC;IACtB,aAAa,EAAE,gBAAgB,CAAC,eAAe,CAAC,CAAC;IACjD,UAAU,CAAC,EAAE,gBAAgB,GAAG,gBAAgB,GAAG,gBAAgB,CAAC;IACpE,MAAM,CAAC,EAAE;QACP,IAAI,EAAE,MAAM,CAAC;QACb,cAAc,EAAE,MAAM,CAAC;KACxB,CAAC;CACH;AAED,wBAAgB,cAAc,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,YAAY;;;EAgO9D;AAED,MAAM,MAAM,iBAAiB,GAAG,UAAU,CAAC,OAAO,cAAc,CAAC,CAAC"}

package/dist/cdn-media.js

@@ -0,0 +1,202 @@
+/**
+ * Media CDN Infrastructure
+ *
+ * CloudFront distribution for the public media surface — `/media/*` and
+ * `/img/*` only. No edge auth (`/media/*` is OAC-public, `/img/*` is HMAC
+ * signed at the Sharp Lambda). The default behavior targets the S3 origin
+ * with no rewrite, so unmatched paths return AccessDenied from S3 — defense
+ * in depth.
+ */
+export function createMediaCdn(name, args) {
+    const { image, contentBucket } = args;
+    // =========================================================================
+    // CloudFront Function: Media Rewrite
+    // =========================================================================
+    const mediaRewriteFunction = new aws.cloudfront.Function(`${name}MediaRewrite`, {
+        name: $interpolate `${$app.name}-${$app.stage}-media-rewrite`,
+        runtime: "cloudfront-js-2.0",
+        publish: true,
+        code: `
+    function handler(event) {
+      var request = event.request;
+      var uri = request.uri;
+
+      // Rewrite /media/{site}/{mediaId}/{file} → /sites/{site}/media/{mediaId}/{file}
+      var parts = uri.split('/');
+      // parts: ['', 'media', '{site}', '{mediaId}', '{file}']
+      if (parts.length >= 5 && parts[1] === 'media') {
+        var site = parts[2];
+        var mediaId = parts[3];
+        var rest = parts.slice(4).join('/');
+        request.uri = '/sites/' + site + '/media/' + mediaId + '/' + rest;
+      }
+
+      return request;
+    }
+  `,
+    });
+    // =========================================================================
+    // Cache Policies
+    // =========================================================================
+    const imageCachePolicy = new aws.cloudfront.CachePolicy(`${name}ImageCachePolicy`, {
+        name: $interpolate `${$app.name}-${$app.stage}-image-cache`,
+        comment: "Cache policy for transformed images (immutable)",
+        defaultTtl: 31536000,
+        maxTtl: 31536000,
+        minTtl: 31536000,
+        parametersInCacheKeyAndForwardedToOrigin: {
+            cookiesConfig: { cookieBehavior: "none" },
+            headersConfig: { headerBehavior: "none" },
+            queryStringsConfig: {
+                queryStringBehavior: "whitelist",
+                queryStrings: {
+                    items: ["w", "h", "fit", "format", "q", "sig"],
+                },
+            },
+            enableAcceptEncodingBrotli: true,
+            enableAcceptEncodingGzip: true,
+        },
+    });
+    const mediaCachePolicy = new aws.cloudfront.CachePolicy(`${name}MediaCachePolicy`, {
+        name: $interpolate `${$app.name}-${$app.stage}-media-cache`,
+        comment: "Cache policy for original media files (immutable)",
+        defaultTtl: 31536000,
+        maxTtl: 31536000,
+        minTtl: 31536000,
+        parametersInCacheKeyAndForwardedToOrigin: {
+            cookiesConfig: { cookieBehavior: "none" },
+            headersConfig: { headerBehavior: "none" },
+            queryStringsConfig: { queryStringBehavior: "none" },
+            enableAcceptEncodingBrotli: true,
+            enableAcceptEncodingGzip: true,
+        },
+    });
+    // =========================================================================
+    // Origin Access Controls (OAC)
+    // =========================================================================
+    const mediaOAC = new aws.cloudfront.OriginAccessControl(`${name}MediaOAC`, {
+        name: $interpolate `${$app.name}-${$app.stage}-media-oac`,
+        description: "OAC for S3 media origin",
+        originAccessControlOriginType: "s3",
+        signingBehavior: "always",
+        signingProtocol: "sigv4",
+    });
+    const imageOAC = new aws.cloudfront.OriginAccessControl(`${name}ImageOAC`, {
+        name: $interpolate `${$app.name}-${$app.stage}-image-oac`,
+        description: "OAC for image transform Lambda origin",
+        originAccessControlOriginType: "lambda",
+        signingBehavior: "always",
+        signingProtocol: "sigv4",
+    });
+    // =========================================================================
+    // CloudFront Distribution
+    // =========================================================================
+    const imageLambdaDomain = image.imageLambda.url.apply((url) => {
+        const parsed = new URL(url);
+        return parsed.hostname;
+    });
+    const s3RegionalDomain = $interpolate `${contentBucket.name}.s3.${aws.getRegionOutput().name}.amazonaws.com`;
+    const priceClass = args.priceClass ?? "PriceClass_100";
+    // Build aliases and certificate config for custom domain
+    const aliases = args.domain ? [args.domain.name] : undefined;
+    const viewerCertificate = args.domain
+        ? {
+            acmCertificateArn: args.domain.certificateArn,
+            sslSupportMethod: "sni-only",
+            minimumProtocolVersion: "TLSv1.2_2021",
+        }
+        : {
+            cloudfrontDefaultCertificate: true,
+        };
+    // Fresh resource ID `${name}MediaDistribution` (parallel to
+    // `${name}ApiDistribution` in cdn-api.ts) — same blue/green rationale.
+    const distribution = new aws.cloudfront.Distribution(`${name}MediaDistribution`, {
+        enabled: true,
+        comment: $interpolate `Headroom CMS Media - ${$app.stage}`,
+        httpVersion: "http2and3",
+        priceClass,
+        aliases,
+        origins: [
+            {
+                originId: "media-s3",
+                domainName: s3RegionalDomain,
+                originAccessControlId: mediaOAC.id,
+                s3OriginConfig: {
+                    originAccessIdentity: "",
+                },
+            },
+            {
+                originId: "image-lambda",
+                domainName: imageLambdaDomain,
+                originAccessControlId: imageOAC.id,
+                customOriginConfig: {
+                    httpPort: 80,
+                    httpsPort: 443,
+                    originProtocolPolicy: "https-only",
+                    originSslProtocols: ["TLSv1.2"],
+                },
+            },
+        ],
+        // Default behavior: target media-s3 with mediaCachePolicy and NO
+        // viewer-request rewrite. Anything not under /media/* or /img/* hits
+        // S3 with the original URI and returns 403 AccessDenied — defense in
+        // depth so a typo can't accidentally rewrite to a real S3 key.
+        defaultCacheBehavior: {
+            targetOriginId: "media-s3",
+            viewerProtocolPolicy: "redirect-to-https",
+            allowedMethods: ["GET", "HEAD", "OPTIONS"],
+            cachedMethods: ["GET", "HEAD", "OPTIONS"],
+            compress: true,
+            cachePolicyId: mediaCachePolicy.id,
+        },
+        orderedCacheBehaviors: [
+            // Media originals: served directly from S3 via OAC. Explicit (not
+            // implicit-via-default) so the rewrite never runs on unrelated paths.
+            {
+                pathPattern: "/media/*",
+                targetOriginId: "media-s3",
+                viewerProtocolPolicy: "redirect-to-https",
+                allowedMethods: ["GET", "HEAD", "OPTIONS"],
+                cachedMethods: ["GET", "HEAD", "OPTIONS"],
+                compress: true,
+                cachePolicyId: mediaCachePolicy.id,
+                functionAssociations: [
+                    {
+                        eventType: "viewer-request",
+                        functionArn: mediaRewriteFunction.arn,
+                    },
+                ],
+            },
+            // Image transforms: served via Sharp Lambda
+            {
+                pathPattern: "/img/*",
+                targetOriginId: "image-lambda",
+                viewerProtocolPolicy: "redirect-to-https",
+                allowedMethods: ["GET", "HEAD", "OPTIONS"],
+                cachedMethods: ["GET", "HEAD", "OPTIONS"],
+                compress: true,
+                cachePolicyId: imageCachePolicy.id,
+            },
+        ],
+        restrictions: {
+            geoRestriction: { restrictionType: "none" },
+        },
+        viewerCertificate,
+    });
+    // Allow CloudFront to invoke the image Lambda via OAC.
+    // CRITICAL: sourceArn must reference the MEDIA distribution's ARN. Pointing
+    // it at the API CDN ARN would silently break image transforms in a way
+    // that's hard to spot from logs. (Single most-important consistency point
+    // per the design doc.)
+    new aws.lambda.Permission(`${name}ImageLambdaCFPermission`, {
+        action: "lambda:InvokeFunctionUrl",
+        function: image.imageLambda.name,
+        principal: "cloudfront.amazonaws.com",
+        sourceArn: distribution.arn,
+    });
+    const url = args.domain
+        ? $interpolate `https://${args.domain.name}`
+        : $interpolate `https://${distribution.domainName}`;
+    return { distribution, url };
+}
+//# sourceMappingURL=cdn-media.js.map

package/dist/cdn-media.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cdn-media.js","sourceRoot":"","sources":["../src/cdn-media.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAeH,MAAM,UAAU,cAAc,CAAC,IAAY,EAAE,IAAkB;IAC7D,MAAM,EAAE,KAAK,EAAE,aAAa,EAAE,GAAG,IAAI,CAAC;IAEtC,4EAA4E;IAC5E,qCAAqC;IACrC,4EAA4E;IAC5E,MAAM,oBAAoB,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,QAAQ,CACtD,GAAG,IAAI,cAAc,EACrB;QACE,IAAI,EAAE,YAAY,CAAA,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,KAAK,gBAAgB;QAC5D,OAAO,EAAE,mBAAmB;QAC5B,OAAO,EAAE,IAAI;QACb,IAAI,EAAE;;;;;;;;;;;;;;;;;GAiBT;KACE,CACF,CAAC;IAEF,4EAA4E;IAC5E,iBAAiB;IACjB,4EAA4E;IAE5E,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,WAAW,CACrD,GAAG,IAAI,kBAAkB,EACzB;QACE,IAAI,EAAE,YAAY,CAAA,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,KAAK,cAAc;QAC1D,OAAO,EAAE,iDAAiD;QAC1D,UAAU,EAAE,QAAQ;QACpB,MAAM,EAAE,QAAQ;QAChB,MAAM,EAAE,QAAQ;QAChB,wCAAwC,EAAE;YACxC,aAAa,EAAE,EAAE,cAAc,EAAE,MAAM,EAAE;YACzC,aAAa,EAAE,EAAE,cAAc,EAAE,MAAM,EAAE;YACzC,kBAAkB,EAAE;gBAClB,mBAAmB,EAAE,WAAW;gBAChC,YAAY,EAAE;oBACZ,KAAK,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,EAAE,KAAK,CAAC;iBAC/C;aACF;YACD,0BAA0B,EAAE,IAAI;YAChC,wBAAwB,EAAE,IAAI;SAC/B;KACF,CACF,CAAC;IAEF,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,WAAW,CACrD,GAAG,IAAI,kBAAkB,EACzB;QACE,IAAI,EAAE,YAAY,CAAA,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,KAAK,cAAc;QAC1D,OAAO,EAAE,mDAAmD;QAC5D,UAAU,EAAE,QAAQ;QACpB,MAAM,EAAE,QAAQ;QAChB,MAAM,EAAE,QAAQ;QAChB,wCAAwC,EAAE;YACxC,aAAa,EAAE,EAAE,cAAc,EAAE,MAAM,EAAE;YACzC,aAAa,EAAE,EAAE,cAAc,EAAE,MAAM,EAAE;YACzC,kBAAkB,EAAE,EAAE,mBAAmB,EAAE,MAAM,EAAE;YACnD,0BAA0B,EAAE,IAAI;YAChC,wBAAwB,EAAE,IAAI;SAC/B;KACF,CACF,CAAC;IAEF,4EAA4E;IAC5E,+BAA+B;IAC/B,4EAA4E;IAE5E,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,mBAAmB,CAAC,GAAG,IAAI,UAAU,EAAE;QACzE,IAAI,EAAE,YAAY,CAAA,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,KAAK,YAAY;QACxD,WAAW,EAAE,yBAAyB;QACtC,6BAA6B,EAAE,IAAI;QACnC,eAAe,EAAE,QAAQ;QACzB,eAAe,EAAE,OAAO;KACzB,CAAC,CAAC;IAEH,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,mBAAmB,CAAC,GAAG,IAAI,UAAU,EAAE;QACzE,IAAI,EAAE,YAAY,CAAA,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,KAAK,YAAY;QACxD,WAAW,EAAE,uCAAuC;QACpD,6BAA6B,EAAE,QAAQ;QACvC,eAAe,EAAE,QAAQ;QACzB,eAAe,EAAE,OAAO;KACzB,CAAC,CAAC;IAEH,4EAA4E;IAC5E,0BAA0B;IAC1B,4EAA4E;IAE5E,MAAM,iBAAiB,GAAG,KAAK,CAAC,WAAW,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,GAAW,EAAE,EAAE;QACpE,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;QAC5B,OAAO,MAAM,CAAC,QAAQ,CAAC;IACzB,CAAC,CAAC,CAAC;IAEH,MAAM,gBAAgB,GAAG,YAAY,CAAA,GAAG,aAAa,CAAC,IAAI,OAAO,GAAG,CAAC,eAAe,EAAE,CAAC,IAAI,gBAAgB,CAAC;IAE5G,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,IAAI,gBAAgB,CAAC;IAEvD,yDAAyD;IACzD,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IAC7D,MAAM,iBAAiB,GAAG,IAAI,CAAC,MAAM;QACnC,CAAC,CAAC;YACE,iBAAiB,EAAE,IAAI,CAAC,MAAM,CAAC,cAAc;YAC7C,gBAAgB,EAAE,UAAmB;YACrC,sBAAsB,EAAE,cAAuB;SAChD;QACH,CAAC,CAAC;YACE,4BAA4B,EAAE,IAAI;SACnC,CAAC;IAEN,4DAA4D;IAC5D,uEAAuE;IACvE,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,YAAY,CAClD,GAAG,IAAI,mBAAmB,EAC1B;QACE,OAAO,EAAE,IAAI;QACb,OAAO,EAAE,YAAY,CAAA,wBAAwB,IAAI,CAAC,KAAK,EAAE;QACzD,WAAW,EAAE,WAAW;QACxB,UAAU;QACV,OAAO;QAEP,OAAO,EAAE;YACP;gBACE,QAAQ,EAAE,UAAU;gBACpB,UAAU,EAAE,gBAAgB;gBAC5B,qBAAqB,EAAE,QAAQ,CAAC,EAAE;gBAClC,cAAc,EAAE;oBACd,oBAAoB,EAAE,EAAE;iBACzB;aACF;YACD;gBACE,QAAQ,EAAE,cAAc;gBACxB,UAAU,EAAE,iBAAiB;gBAC7B,qBAAqB,EAAE,QAAQ,CAAC,EAAE;gBAClC,kBAAkB,EAAE;oBAClB,QAAQ,EAAE,EAAE;oBACZ,SAAS,EAAE,GAAG;oBACd,oBAAoB,EAAE,YAAY;oBAClC,kBAAkB,EAAE,CAAC,SAAS,CAAC;iBAChC;aACF;SACF;QAED,iEAAiE;QACjE,qEAAqE;QACrE,qEAAqE;QACrE,+DAA+D;QAC/D,oBAAoB,EAAE;YACpB,cAAc,EAAE,UAAU;YAC1B,oBAAoB,EAAE,mBAAmB;YACzC,cAAc,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,CAAC;YAC1C,aAAa,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,CAAC;YACzC,QAAQ,EAAE,IAAI;YACd,aAAa,EAAE,gBAAgB,CAAC,EAAE;SACnC;QAED,qBAAqB,EAAE;YACrB,kEAAkE;YAClE,sEAAsE;YACtE;gBACE,WAAW,EAAE,UAAU;gBACvB,cAAc,EAAE,UAAU;gBAC1B,oBAAoB,EAAE,mBAAmB;gBACzC,cAAc,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,CAAC;gBAC1C,aAAa,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,CAAC;gBACzC,QAAQ,EAAE,IAAI;gBACd,aAAa,EAAE,gBAAgB,CAAC,EAAE;gBAClC,oBAAoB,EAAE;oBACpB;wBACE,SAAS,EAAE,gBAAgB;wBAC3B,WAAW,EAAE,oBAAoB,CAAC,GAAG;qBACtC;iBACF;aACF;YACD,4CAA4C;YAC5C;gBACE,WAAW,EAAE,QAAQ;gBACrB,cAAc,EAAE,cAAc;gBAC9B,oBAAoB,EAAE,mBAAmB;gBACzC,cAAc,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,CAAC;gBAC1C,aAAa,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,CAAC;gBACzC,QAAQ,EAAE,IAAI;gBACd,aAAa,EAAE,gBAAgB,CAAC,EAAE;aACnC;SACF;QAED,YAAY,EAAE;YACZ,cAAc,EAAE,EAAE,eAAe,EAAE,MAAM,EAAE;SAC5C;QAED,iBAAiB;KAClB,CACF,CAAC;IAEF,uDAAuD;IACvD,4EAA4E;IAC5E,uEAAuE;IACvE,0EAA0E;IAC1E,uBAAuB;IACvB,IAAI,GAAG,CAAC,MAAM,CAAC,UAAU,CAAC,GAAG,IAAI,yBAAyB,EAAE;QAC1D,MAAM,EAAE,0BAA0B;QAClC,QAAQ,EAAE,KAAK,CAAC,WAAW,CAAC,IAAI;QAChC,SAAS,EAAE,0BAA0B;QACrC,SAAS,EAAE,YAAY,CAAC,GAAG;KAC5B,CAAC,CAAC;IAEH,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM;QACrB,CAAC,CAAC,YAAY,CAAA,WAAW,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE;QAC3C,CAAC,CAAC,YAAY,CAAA,WAAW,YAAY,CAAC,UAAU,EAAE,CAAC;IAErD,OAAO,EAAE,YAAY,EAAE,GAAG,EAAE,CAAC;AAC/B,CAAC"}

package/dist/collaboration.d.ts

@@ -0,0 +1,55 @@
+/**
+ * Collaboration Infrastructure
+ *
+ * API Gateway WebSocket API + DynamoDB Collab table + Node.js Lambda handler.
+ * Deployed at all times but dormant for solo editing — no Lambda invocations
+ * and no Collab table writes happen until collaboration is opted into.
+ *
+ * Supports dev mode (Node.js source with live reload) and package mode
+ * (pre-bundled handler).
+ *
+ * Split into two helpers:
+ *   - `createCollabTable` — provisions just the DynamoDB Collab table.
+ *     Must be called BEFORE `createApi`, because the Go API links the
+ *     Collab table for ticket reads/writes.
+ *   - `createCollabHandler` — provisions the WebSocket API + Lambda and
+ *     wires `API_URL` into the Lambda environment so `snapshotToDraft`
+ *     can `fetch` back into the Go API on `$disconnect`. Must be called
+ *     AFTER `createApi`, because it needs `api.api.url`.
+ *
+ * The two halves are merged into a single `CollaborationResources` value
+ * by `index.ts` so downstream consumers (admin-site, etc.) see one shape.
+ */
+import type { StorageResources } from "./storage.js";
+import type { AuthResources } from "./auth.js";
+import type { ApiResources } from "./api.js";
+export interface CollabTableArgs {
+}
+export declare function createCollabTable(name: string, _args?: CollabTableArgs): {
+    collabTable: sst.aws.Dynamo;
+};
+export type CollabTableResources = ReturnType<typeof createCollabTable>;
+export interface CollabHandlerArgs {
+    storage: StorageResources;
+    auth: AuthResources;
+    api: ApiResources;
+    collabTable: CollabTableResources["collabTable"];
+    pkgRoot: string;
+    dev?: {
+        /** SST handler string, e.g. "packages/collab/src/index.handler" */
+        handler: string;
+    };
+}
+export declare function createCollabHandler(name: string, args: CollabHandlerArgs): {
+    wsApi: aws.apigatewayv2.Api;
+    wsHandler: sst.aws.Function;
+    wsUrl: PulumiOutput<string>;
+};
+export type CollabHandlerResources = ReturnType<typeof createCollabHandler>;
+/**
+ * Combined collaboration resource shape — the union of the table half
+ * (created early) and the handler half (created late). Downstream consumers
+ * (admin-site, public outputs) see a single object.
+ */
+export type CollaborationResources = CollabTableResources & CollabHandlerResources;
+//# sourceMappingURL=collaboration.d.ts.map

package/dist/collaboration.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"collaboration.d.ts","sourceRoot":"","sources":["../src/collaboration.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAGH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AACrD,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,WAAW,CAAC;AAC/C,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AAE7C,MAAM,WAAW,eAAe;CAE/B;AAED,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,GAAE,eAAoB;;EAgB1E;AAED,MAAM,MAAM,oBAAoB,GAAG,UAAU,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAExE,MAAM,WAAW,iBAAiB;IAChC,OAAO,EAAE,gBAAgB,CAAC;IAC1B,IAAI,EAAE,aAAa,CAAC;IACpB,GAAG,EAAE,YAAY,CAAC;IAClB,WAAW,EAAE,oBAAoB,CAAC,aAAa,CAAC,CAAC;IACjD,OAAO,EAAE,MAAM,CAAC;IAChB,GAAG,CAAC,EAAE;QACJ,mEAAmE;QACnE,OAAO,EAAE,MAAM,CAAC;KACjB,CAAC;CACH;AAED,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,iBAAiB;;;;EAiHxE;AAED,MAAM,MAAM,sBAAsB,GAAG,UAAU,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAE5E;;;;GAIG;AACH,MAAM,MAAM,sBAAsB,GAAG,oBAAoB,GAAG,sBAAsB,CAAC"}

package/dist/collaboration.js

@@ -0,0 +1,141 @@
+/**
+ * Collaboration Infrastructure
+ *
+ * API Gateway WebSocket API + DynamoDB Collab table + Node.js Lambda handler.
+ * Deployed at all times but dormant for solo editing — no Lambda invocations
+ * and no Collab table writes happen until collaboration is opted into.
+ *
+ * Supports dev mode (Node.js source with live reload) and package mode
+ * (pre-bundled handler).
+ *
+ * Split into two helpers:
+ *   - `createCollabTable` — provisions just the DynamoDB Collab table.
+ *     Must be called BEFORE `createApi`, because the Go API links the
+ *     Collab table for ticket reads/writes.
+ *   - `createCollabHandler` — provisions the WebSocket API + Lambda and
+ *     wires `API_URL` into the Lambda environment so `snapshotToDraft`
+ *     can `fetch` back into the Go API on `$disconnect`. Must be called
+ *     AFTER `createApi`, because it needs `api.api.url`.
+ *
+ * The two halves are merged into a single `CollaborationResources` value
+ * by `index.ts` so downstream consumers (admin-site, etc.) see one shape.
+ */
+import path from "path";
+export function createCollabTable(name, _args = {}) {
+    // DynamoDB table for collaboration sessions + YJS state
+    const collabTable = new sst.aws.Dynamo(`${name}Collab`, {
+        fields: {
+            pk: "string",
+            sk: "string",
+        },
+        primaryIndex: { hashKey: "pk", rangeKey: "sk" },
+        // PascalCase to match the convention used throughout the collab TS
+        // package (RoomManager, YjsPersistence) and the Go ticket writer
+        // (repository/collab.go). DynamoDB attribute names are case-sensitive;
+        // the TTL attribute name must match what writers actually emit.
+        ttl: "ExpiresAt",
+    });
+    return { collabTable };
+}
+export function createCollabHandler(name, args) {
+    const { storage, auth, api, collabTable } = args;
+    // WebSocket API via raw Pulumi (SST v4 doesn't have a WebSocket component)
+    const wsApi = new aws.apigatewayv2.Api(`${name}WsApi`, {
+        protocolType: "WEBSOCKET",
+        routeSelectionExpression: "$request.body.action",
+    });
+    const handlerConfig = args.dev
+        ? {
+            handler: args.dev.handler,
+            runtime: "nodejs22.x",
+        }
+        : {
+            bundle: path.join(args.pkgRoot, "packages/collab"),
+            handler: "index.handler",
+            runtime: "nodejs22.x",
+        };
+    const wsHandler = new sst.aws.Function(`${name}CollabHandler`, {
+        ...handlerConfig,
+        // jsdom is pulled in transitively via @blocknote/server-util (used in
+        // src/yjs/converter.ts to convert YJS state to BlockNote blocks during
+        // the disconnect snapshot). esbuild does not auto-bundle jsdom's
+        // xhr-sync-worker.js because it's spawned dynamically at runtime
+        // (`new Worker(__dirname + "/xhr-sync-worker.js")`), so the worker file
+        // is missing on disk in the deployed Lambda and cold-starts fail with
+        // "Cannot find module './xhr-sync-worker.js'". Adding jsdom to
+        // `nodejs.install` excludes it from the esbuild bundle and instead
+        // installs it (with its full directory tree, including the worker file)
+        // into the function's node_modules/ at deploy time.
+        nodejs: {
+            install: ["jsdom"],
+        },
+        timeout: "30 seconds",
+        memory: "512 MB",
+        environment: {
+            COLLAB_TABLE: collabTable.name,
+            DRAFT_CONTENT_TABLE: storage.draftContent.name,
+            BLOCKS_TABLE: storage.blocks.name,
+            SITES_TABLE: storage.sites.name,
+            USER_POOL_ID: auth.userPool.id,
+            USER_POOL_CLIENT_ID: auth.userPoolClient.id,
+            WS_API_ENDPOINT: $interpolate `https://${wsApi.id}.execute-api.${aws.getRegionOutput().name}.amazonaws.com/${$app.stage}`,
+            // Required by `snapshotToDraft` (packages/collab/src/draft/snapshot.ts)
+            // which fetches `${apiUrl}/v1/admin/sites/{host}/content/{id}/draft`
+            // on `$disconnect` to persist the YJS room state back to DraftContent.
+            // Without this, the URL becomes `undefined/v1/admin/...` and the fetch
+            // throws "Failed to parse URL", crashing the disconnect Lambda.
+            API_URL: api.api.url,
+            // Shared with the Go API. Sent as `X-Headroom-Internal` on the
+            // disconnect snapshot PUT so the Go JWT middleware accepts the
+            // internal service-to-service call. See packages/api/internal/middleware/jwt.go.
+            INTERNAL_SECRET: storage.internalSecret.value,
+            // Phase 7.1 "Large documents": S3 bucket for YJS state that exceeds
+            // DynamoDB's 400KB per-item cap. See `YjsPersistence.saveState`.
+            COLLAB_STATE_BUCKET: storage.collabStateBucket.name,
+        },
+        link: [
+            collabTable,
+            storage.draftContent,
+            storage.blocks,
+            storage.sites,
+            storage.internalSecret,
+            // S3 link grants the Lambda IAM permissions for s3:GetObject /
+            // s3:PutObject on the bucket via SST's resource binding.
+            storage.collabStateBucket,
+        ],
+        permissions: [
+            {
+                actions: ["execute-api:ManageConnections"],
+                resources: [$interpolate `arn:aws:execute-api:*:*:${wsApi.id}/*`],
+            },
+        ],
+    });
+    // Wire up $connect, $default, $disconnect routes
+    const integration = new aws.apigatewayv2.Integration(`${name}WsIntegration`, {
+        apiId: wsApi.id,
+        integrationType: "AWS_PROXY",
+        integrationUri: wsHandler.nodes.function.invokeArn,
+    });
+    for (const routeKey of ["$connect", "$default", "$disconnect"]) {
+        new aws.apigatewayv2.Route(`${name}WsRoute${routeKey}`, {
+            apiId: wsApi.id,
+            routeKey,
+            target: $interpolate `integrations/${integration.id}`,
+        });
+    }
+    new aws.apigatewayv2.Stage(`${name}WsStage`, {
+        apiId: wsApi.id,
+        name: $app.stage,
+        autoDeploy: true,
+    });
+    // Grant API Gateway permission to invoke Lambda
+    new aws.lambda.Permission(`${name}WsPermission`, {
+        action: "lambda:InvokeFunction",
+        function: wsHandler.nodes.function.name,
+        principal: "apigateway.amazonaws.com",
+        sourceArn: $interpolate `${wsApi.executionArn}/*/*`,
+    });
+    const wsUrl = $interpolate `wss://${wsApi.id}.execute-api.${aws.getRegionOutput().name}.amazonaws.com/${$app.stage}`;
+    return { wsApi, wsHandler, wsUrl };
+}
+//# sourceMappingURL=collaboration.js.map