npm - headroom-cms - Versions diffs - 0.1.9 → 0.1.11 - Mend

headroom-cms 0.1.9 → 0.1.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (154) hide show

package/README.md +11 -6
package/admin/assets/{AdminsPage-Bt_ekZen.js → AdminsPage-BnzH9TL3.js} +1 -1
package/admin/assets/AllContentPage-BtObN6oy.js +1 -0
package/admin/assets/{ApiKeysPage-BfWCxGhC.js → ApiKeysPage-DEAa8eyC.js} +1 -1
package/admin/assets/AuditPage-BN9yNsxh.js +1 -0
package/admin/assets/BlockEditor-3wnisTOZ.js +176 -0
package/admin/assets/BlockEditor-CQpF8tYb.css +1 -0
package/admin/assets/BlockTypeEditPage-C2evAESK.js +1 -0
package/admin/assets/BlockTypesPage-Dhkho6T_.js +1 -0
package/admin/assets/{BulkActionBar-TRiXXLQd.js → BulkActionBar-BxdfUSrN.js} +1 -1
package/admin/assets/CollectionEditPage-lOb4hEZy.js +1 -0
package/admin/assets/{CollectionsPage-ClplrxNn.js → CollectionsPage-CgtOloa1.js} +1 -1
package/admin/assets/{ContentCreatePage-DfYcEH1u.js → ContentCreatePage-LeQjahp_.js} +1 -1
package/admin/assets/ContentEditPage-xczr4d_h.js +1 -0
package/admin/assets/ContentField-pilCbdnA.js +1 -0
package/admin/assets/ContentListPage-BAKDn1Xy.js +1 -0
package/admin/assets/CustomBlockPreview-DNnTFM0z.js +479 -0
package/admin/assets/FieldRenderer-DiOKvkWV.js +2 -0
package/admin/assets/FilterBar-BZoa63zh.js +1 -0
package/admin/assets/FloatingComposerController-D4uLQfUX-BMIvFCoE.js +1 -0
package/admin/assets/IconPicker-CpIgiQTC.js +3 -0
package/admin/assets/{LoginPage-DutieANA.js → LoginPage-D9ZsGLIi.js} +1 -1
package/admin/assets/MediaField-CxccCFGQ.js +1 -0
package/admin/assets/MediaPage-QvMaH2YJ.js +1 -0
package/admin/assets/Pagination-Df9nQ7Z0.js +1 -0
package/admin/assets/RelationshipPicker-B3Ftmqxp.js +1 -0
package/admin/assets/{SiteSettingsPage-BtCC3RKc.js → SiteSettingsPage-6NvH7CiQ.js} +1 -1
package/admin/assets/{SiteUserEditPage-ClHmp0T-.js → SiteUserEditPage-D5VaQ1Xq.js} +1 -1
package/admin/assets/SiteUsersPage-BYVduiqs.js +1 -0
package/admin/assets/{SitesPage-Bw_WBN6v.js → SitesPage-rfWWE0yK.js} +1 -1
package/admin/assets/{SubmissionDetailPage-DS08LGxd.js → SubmissionDetailPage-BSUR685F.js} +1 -1
package/admin/assets/SubmissionEditPage-DjLXHjWU.js +1 -0
package/admin/assets/SubmissionListPage-DBxNEvde.js +1 -0
package/admin/assets/{TagInput-BILCaC9b.js → TagInput-57c4DG1w.js} +1 -1
package/admin/assets/{TagsPage-DdeZokow.js → TagsPage-BEO5AwCv.js} +1 -1
package/admin/assets/{UsersPage-B0vLxjrg.js → UsersPage-BpIRorJ1.js} +1 -1
package/admin/assets/{WebhookEditPage-SlJE4d3z.js → WebhookEditPage-D5xgi56h.js} +1 -1
package/admin/assets/{WebhooksPage-C6lGZLpr.js → WebhooksPage-BY7AaiGr.js} +1 -1
package/admin/assets/{card-hXVtlM0q.js → card-C9hfyHXf.js} +1 -1
package/admin/assets/checkbox-DVJcwUt1.js +1 -0
package/admin/assets/{collapsible-B414SspL.js → collapsible-D3d29uJp.js} +1 -1
package/admin/assets/{command-fvBFHye4.js → command-Bfmj0MEL.js} +1 -1
package/admin/assets/contentStatus-CkPi9Dh6.js +1 -0
package/admin/assets/{core.esm-B_kcYf6n.js → core.esm-DdQHdRkd.js} +2 -2
package/admin/assets/index-BB9Syqw2.css +1 -0
package/admin/assets/index-Ce5pmRMj.js +18 -0
package/admin/assets/media-url-DdCoIedP.js +1 -0
package/admin/assets/popover-CzaQYEEP.js +1 -0
package/admin/assets/radix-C5ZmWuuL.js +51 -0
package/admin/assets/select-CrRhFGIi.js +1 -0
package/admin/assets/serializeToText-2VrsuRUh.js +2 -0
package/admin/assets/{sortable.esm-QyXA6fio.js → sortable.esm-qVEMoaTg.js} +1 -1
package/admin/assets/{table-DLoIbCQ5.js → table-_3bMY0_z.js} +1 -1
package/admin/assets/{textarea-vSXNxwTe.js → textarea-6fq0R6VV.js} +1 -1
package/admin/assets/useAdminResolver-BJNPz3OG.js +1 -0
package/admin/assets/useContent-Bs7nel7C.js +1 -0
package/admin/assets/useContentSearch-B3aTjuCu.js +1 -0
package/admin/assets/{useMedia-e3sqWm_t.js → useMedia-ae3s_ajC.js} +1 -1
package/admin/assets/usePageTitle-C1r1-C00.js +1 -0
package/admin/assets/useSiteUsers-DIaqgNSp.js +1 -0
package/admin/assets/{useTags-f7AVSLuj.js → useTags-B-HgMVwo.js} +1 -1
package/admin/assets/{useWebhooks-BH_r8-Mo.js → useWebhooks-BvZjUJkJ.js} +1 -1
package/admin/assets/yjs-tXBm_srz.js +5 -0
package/admin/favicon-16x16.png +0 -0
package/admin/favicon-32x32.png +0 -0
package/admin/icons/icon-180x180.png +0 -0
package/admin/icons/icon-192x192.png +0 -0
package/admin/icons/icon-512x512.png +0 -0
package/admin/icons/maskable-icon-512x512.png +0 -0
package/admin/index.html +3 -3
package/admin/sw.js +1 -1
package/dist/admin-site.d.ts +16 -2
package/dist/admin-site.d.ts.map +1 -1
package/dist/admin-site.js +10 -3
package/dist/admin-site.js.map +1 -1
package/dist/api.d.ts +7 -0
package/dist/api.d.ts.map +1 -1
package/dist/api.js +8 -1
package/dist/api.js.map +1 -1
package/dist/cdn-api.d.ts +25 -0
package/dist/cdn-api.d.ts.map +1 -0
package/dist/{cdn.js → cdn-api.js} +7 -139
package/dist/cdn-api.js.map +1 -0
package/dist/cdn-media.d.ts +26 -0
package/dist/cdn-media.d.ts.map +1 -0
package/dist/cdn-media.js +202 -0
package/dist/cdn-media.js.map +1 -0
package/dist/collaboration.d.ts +55 -0
package/dist/collaboration.d.ts.map +1 -0
package/dist/collaboration.js +141 -0
package/dist/collaboration.js.map +1 -0
package/dist/index.d.ts +27 -3
package/dist/index.d.ts.map +1 -1
package/dist/index.js +47 -12
package/dist/index.js.map +1 -1
package/dist/storage.d.ts +2 -0
package/dist/storage.d.ts.map +1 -1
package/dist/storage.js +33 -0
package/dist/storage.js.map +1 -1
package/lambda/api/bootstrap +0 -0
package/lambda/image-lambda/node_modules/.package-lock.json +3 -3
package/lambda/image-lambda/node_modules/semver/README.md +19 -4
package/lambda/image-lambda/node_modules/semver/bin/semver.js +14 -10
package/lambda/image-lambda/node_modules/semver/functions/truncate.js +48 -0
package/lambda/image-lambda/node_modules/semver/index.js +2 -0
package/lambda/image-lambda/node_modules/semver/internal/re.js +1 -1
package/lambda/image-lambda/node_modules/semver/package.json +3 -3
package/lambda/image-lambda/node_modules/semver/range.bnf +5 -4
package/lambda/webhook-worker/bootstrap +0 -0
package/package.json +1 -1
package/src/admin-site.ts +26 -5
package/src/api.ts +15 -1
package/src/{cdn.ts → cdn-api.ts} +8 -161
package/src/cdn-media.ts +250 -0
package/src/collaboration.ts +187 -0
package/src/index.ts +77 -14
package/src/sst-env.d.ts +28 -0
package/src/storage.ts +35 -0
package/admin/assets/AllContentPage-CFqEMAl9.js +0 -1
package/admin/assets/AuditPage-BE0XIUl2.js +0 -1
package/admin/assets/BlockEditor-6wqsThJ7.js +0 -179
package/admin/assets/BlockEditor-Cp_wZ2xN.css +0 -1
package/admin/assets/BlockTypeEditPage-CuNJfZw0.js +0 -1
package/admin/assets/BlockTypesPage-BIMBVxBs.js +0 -1
package/admin/assets/CollectionEditPage-BqX_0cC2.js +0 -1
package/admin/assets/ContentEditPage-D3Rvlktk.js +0 -2
package/admin/assets/ContentListPage-zmO8Is4d.js +0 -1
package/admin/assets/CustomBlockPreview-C6HqS4xv.js +0 -479
package/admin/assets/FieldBuilder-36tfpSyM.js +0 -3
package/admin/assets/FilterBar-DhRwTqFv.js +0 -1
package/admin/assets/MediaField-J2TLG_fu.js +0 -1
package/admin/assets/MediaPage-DZZKMGF4.js +0 -1
package/admin/assets/RelationshipPicker-CDFs4TMW.js +0 -1
package/admin/assets/SiteUsersPage-AyJvcVM7.js +0 -1
package/admin/assets/SubmissionEditPage-Brf-DK2X.js +0 -1
package/admin/assets/SubmissionListPage-DNMzQZHS.js +0 -1
package/admin/assets/checkbox-WGrS3sUr.js +0 -1
package/admin/assets/contentStatus-BmaiYVOm.js +0 -1
package/admin/assets/index-Cir9tY_P.js +0 -18
package/admin/assets/index-DACBYsKM.css +0 -1
package/admin/assets/media-url-DIg_vSyf.js +0 -1
package/admin/assets/popover-D5_HjjUC.js +0 -1
package/admin/assets/radix-C1kb_NqW.js +0 -51
package/admin/assets/select-_uJYxzeZ.js +0 -1
package/admin/assets/serializeToText-DR_WnxiI.js +0 -2
package/admin/assets/useAdminResolver-D-LlmquD.js +0 -1
package/admin/assets/useContent-e8beBIuq.js +0 -1
package/admin/assets/useContentSearch-DOjveB9t.js +0 -1
package/admin/assets/useDebouncedValue-C-cQUcLG.js +0 -1
package/admin/assets/usePageTitle-BNSba9_L.js +0 -1
package/admin/assets/useSiteUsers-BdnvuM2E.js +0 -1
package/dist/cdn.d.ts +0 -27
package/dist/cdn.d.ts.map +0 -1
package/dist/cdn.js.map +0 -1

package/src/api.ts CHANGED Viewed

@@ -10,12 +10,19 @@ import type { StorageResources } from "./storage.js";
 import type { AuthResources } from "./auth.js";
 import type { WebhookResources } from "./webhooks.js";
 import type { ImageResources } from "./image.js";
+import type { CollabTableResources } from "./collaboration.js";
 export interface ApiArgs {
   storage: StorageResources;
   auth: AuthResources;
   webhooks: WebhookResources;
   image: ImageResources;
+  /**
+   * Just the collab DynamoDB table — the API Lambda only links the table
+   * for ticket reads/writes, it does NOT depend on the WebSocket handler.
+   * (The WS handler is created AFTER the API because its env needs api.url.)
+   */
+  collab: CollabTableResources;
   senderEmail: string;
   pkgRoot: string;
   dev?: {
@@ -25,7 +32,7 @@ export interface ApiArgs {
 }
 export function createApi(name: string, args: ApiArgs) {
-  const { storage, auth, webhooks, image } = args;
+  const { storage, auth, webhooks, image, collab } = args;
   const handlerConfig = args.dev
     ? {
@@ -67,6 +74,11 @@ export function createApi(name: string, args: ApiArgs) {
       RELATIONSHIPS_TABLE: storage.relationships.name,
       SITE_USERS_TABLE: storage.siteUsers.name,
       SES_FROM_EMAIL: args.senderEmail,
+      COLLAB_TABLE: collab.collabTable.name,
+      // Shared with the collab Lambda. The Go JWT middleware verifies
+      // `X-Headroom-Internal` against this on internal service calls
+      // (collab → draft snapshot). See packages/api/internal/middleware/jwt.go.
+      INTERNAL_SECRET: storage.internalSecret.value,
     },
     link: [
       storage.sites,
@@ -84,6 +96,8 @@ export function createApi(name: string, args: ApiArgs) {
       image.imageSigningSecret,
       storage.relationships,
       storage.siteUsers,
+      collab.collabTable,
+      storage.internalSecret,
     ],
     permissions: [
       {

package/src/{cdn.ts → cdn-api.ts} RENAMED Viewed

@@ -1,18 +1,16 @@
 /**
- * CDN Infrastructure
+ * API CDN Infrastructure
  *
- * CloudFront distribution with edge authentication, version-based caching,
- * direct S3 media serving, and Sharp Lambda image transforms.
+ * CloudFront distribution for the Headroom API only — `/v1/*` and `/health`.
+ * Edge-auth function + KVS association live here. No `/media/*` or `/img/*`
+ * behaviors; those are served by the separate media CDN (see cdn-media.ts).
  */
 import type { StorageResources } from "./storage.js";
 import type { ApiResources } from "./api.js";
-import type { ImageResources } from "./image.js";
-export interface CdnArgs {
+export interface ApiCdnArgs {
   api: ApiResources;
-  image: ImageResources;
-  contentBucket: StorageResources["contentBucket"];
   kvs: StorageResources["kvs"];
   priceClass?: "PriceClass_100" | "PriceClass_200" | "PriceClass_All";
   apiCacheTtl?: number;
@@ -22,8 +20,8 @@ export interface CdnArgs {
   };
 }
-export function createCdn(name: string, args: CdnArgs) {
-  const { api, image, contentBucket, kvs } = args;
+export function createApiCdn(name: string, args: ApiCdnArgs) {
+  const { api, kvs } = args;
   const apiCacheTtl = args.apiCacheTtl ?? 3600;
   // Extract KVS UUID from ARN (cf.kvs() needs the UUID, not the name)
@@ -109,36 +107,6 @@ export function createCdn(name: string, args: CdnArgs) {
   `,
   });
-  // =========================================================================
-  // CloudFront Function: Media Rewrite
-  // =========================================================================
-  const mediaRewriteFunction = new aws.cloudfront.Function(
-    `${name}MediaRewrite`,
-    {
-      name: $interpolate`${$app.name}-${$app.stage}-media-rewrite`,
-      runtime: "cloudfront-js-2.0",
-      publish: true,
-      code: `
-    function handler(event) {
-      var request = event.request;
-      var uri = request.uri;
-      // Rewrite /media/{site}/{mediaId}/{file} → /sites/{site}/media/{mediaId}/{file}
-      var parts = uri.split('/');
-      // parts: ['', 'media', '{site}', '{mediaId}', '{file}']
-      if (parts.length >= 5 && parts[1] === 'media') {
-        var site = parts[2];
-        var mediaId = parts[3];
-        var rest = parts.slice(4).join('/');
-        request.uri = '/sites/' + site + '/media/' + mediaId + '/' + rest;
-      }
-      return request;
-    }
-  `,
-    },
-  );
   // =========================================================================
   // Cache Policies
   // =========================================================================
@@ -175,47 +143,6 @@ export function createCdn(name: string, args: CdnArgs) {
     },
   );
-  const imageCachePolicy = new aws.cloudfront.CachePolicy(
-    `${name}ImageCachePolicy`,
-    {
-      name: $interpolate`${$app.name}-${$app.stage}-image-cache`,
-      comment: "Cache policy for transformed images (immutable)",
-      defaultTtl: 31536000,
-      maxTtl: 31536000,
-      minTtl: 31536000,
-      parametersInCacheKeyAndForwardedToOrigin: {
-        cookiesConfig: { cookieBehavior: "none" },
-        headersConfig: { headerBehavior: "none" },
-        queryStringsConfig: {
-          queryStringBehavior: "whitelist",
-          queryStrings: {
-            items: ["w", "h", "fit", "format", "q", "sig"],
-          },
-        },
-        enableAcceptEncodingBrotli: true,
-        enableAcceptEncodingGzip: true,
-      },
-    },
-  );
-  const mediaCachePolicy = new aws.cloudfront.CachePolicy(
-    `${name}MediaCachePolicy`,
-    {
-      name: $interpolate`${$app.name}-${$app.stage}-media-cache`,
-      comment: "Cache policy for original media files (immutable)",
-      defaultTtl: 31536000,
-      maxTtl: 31536000,
-      minTtl: 31536000,
-      parametersInCacheKeyAndForwardedToOrigin: {
-        cookiesConfig: { cookieBehavior: "none" },
-        headersConfig: { headerBehavior: "none" },
-        queryStringsConfig: { queryStringBehavior: "none" },
-        enableAcceptEncodingBrotli: true,
-        enableAcceptEncodingGzip: true,
-      },
-    },
-  );
   const versionCachePolicy = new aws.cloudfront.CachePolicy(
     `${name}VersionCachePolicy`,
     {
@@ -275,26 +202,6 @@ export function createCdn(name: string, args: CdnArgs) {
   // authenticated behaviors below.
   const cachingDisabledPolicyId = "4135ea2d-6df8-44a3-9df3-4b5a84be39ad";
-  // =========================================================================
-  // Origin Access Controls (OAC)
-  // =========================================================================
-  const mediaOAC = new aws.cloudfront.OriginAccessControl(`${name}MediaOAC`, {
-    name: $interpolate`${$app.name}-${$app.stage}-media-oac`,
-    description: "OAC for S3 media origin",
-    originAccessControlOriginType: "s3",
-    signingBehavior: "always",
-    signingProtocol: "sigv4",
-  });
-  const imageOAC = new aws.cloudfront.OriginAccessControl(`${name}ImageOAC`, {
-    name: $interpolate`${$app.name}-${$app.stage}-image-oac`,
-    description: "OAC for image transform Lambda origin",
-    originAccessControlOriginType: "lambda",
-    signingBehavior: "always",
-    signingProtocol: "sigv4",
-  });
   // =========================================================================
   // CloudFront Distribution
   // =========================================================================
@@ -304,13 +211,6 @@ export function createCdn(name: string, args: CdnArgs) {
     return parsed.hostname;
   });
-  const imageLambdaDomain = image.imageLambda.url.apply((url: string) => {
-    const parsed = new URL(url);
-    return parsed.hostname;
-  });
-  const s3RegionalDomain = $interpolate`${contentBucket.name}.s3.${aws.getRegionOutput().name}.amazonaws.com`;
   const priceClass = args.priceClass ?? "PriceClass_100";
   // Build aliases and certificate config for custom domain
@@ -345,25 +245,6 @@ export function createCdn(name: string, args: CdnArgs) {
             originSslProtocols: ["TLSv1.2"],
           },
         },
-        {
-          originId: "media-s3",
-          domainName: s3RegionalDomain,
-          originAccessControlId: mediaOAC.id,
-          s3OriginConfig: {
-            originAccessIdentity: "",
-          },
-        },
-        {
-          originId: "image-lambda",
-          domainName: imageLambdaDomain,
-          originAccessControlId: imageOAC.id,
-          customOriginConfig: {
-            httpPort: 80,
-            httpsPort: 443,
-            originProtocolPolicy: "https-only",
-            originSslProtocols: ["TLSv1.2"],
-          },
-        },
       ],
       defaultCacheBehavior: {
@@ -549,32 +430,6 @@ export function createCdn(name: string, args: CdnArgs) {
             },
           ],
         },
-        // Media originals: served directly from S3 via OAC
-        {
-          pathPattern: "/media/*",
-          targetOriginId: "media-s3",
-          viewerProtocolPolicy: "redirect-to-https",
-          allowedMethods: ["GET", "HEAD", "OPTIONS"],
-          cachedMethods: ["GET", "HEAD", "OPTIONS"],
-          compress: true,
-          cachePolicyId: mediaCachePolicy.id,
-          functionAssociations: [
-            {
-              eventType: "viewer-request",
-              functionArn: mediaRewriteFunction.arn,
-            },
-          ],
-        },
-        // Image transforms: served via Sharp Lambda
-        {
-          pathPattern: "/img/*",
-          targetOriginId: "image-lambda",
-          viewerProtocolPolicy: "redirect-to-https",
-          allowedMethods: ["GET", "HEAD", "OPTIONS"],
-          cachedMethods: ["GET", "HEAD", "OPTIONS"],
-          compress: true,
-          cachePolicyId: imageCachePolicy.id,
-        },
         // Health endpoint: no caching, no auth
         {
           pathPattern: "/health",
@@ -596,14 +451,6 @@ export function createCdn(name: string, args: CdnArgs) {
     },
   );
-  // Allow CloudFront to invoke the image Lambda via OAC
-  new aws.lambda.Permission(`${name}ImageLambdaCFPermission`, {
-    action: "lambda:InvokeFunctionUrl",
-    function: image.imageLambda.name,
-    principal: "cloudfront.amazonaws.com",
-    sourceArn: distribution.arn,
-  });
   const url = args.domain
     ? $interpolate`https://${args.domain.name}`
     : $interpolate`https://${distribution.domainName}`;
@@ -611,4 +458,4 @@ export function createCdn(name: string, args: CdnArgs) {
   return { distribution, url };
 }
-export type CdnResources = ReturnType<typeof createCdn>;
+export type ApiCdnResources = ReturnType<typeof createApiCdn>;

package/src/cdn-media.ts ADDED Viewed

@@ -0,0 +1,250 @@
+/**
+ * Media CDN Infrastructure
+ *
+ * CloudFront distribution for the public media surface — `/media/*` and
+ * `/img/*` only. No edge auth (`/media/*` is OAC-public, `/img/*` is HMAC
+ * signed at the Sharp Lambda). The default behavior targets the S3 origin
+ * with no rewrite, so unmatched paths return AccessDenied from S3 — defense
+ * in depth.
+ */
+import type { StorageResources } from "./storage.js";
+import type { ImageResources } from "./image.js";
+export interface MediaCdnArgs {
+  image: ImageResources;
+  contentBucket: StorageResources["contentBucket"];
+  priceClass?: "PriceClass_100" | "PriceClass_200" | "PriceClass_All";
+  domain?: {
+    name: string;
+    certificateArn: string;
+  };
+}
+export function createMediaCdn(name: string, args: MediaCdnArgs) {
+  const { image, contentBucket } = args;
+  // =========================================================================
+  // CloudFront Function: Media Rewrite
+  // =========================================================================
+  const mediaRewriteFunction = new aws.cloudfront.Function(
+    `${name}MediaRewrite`,
+    {
+      name: $interpolate`${$app.name}-${$app.stage}-media-rewrite`,
+      runtime: "cloudfront-js-2.0",
+      publish: true,
+      code: `
+    function handler(event) {
+      var request = event.request;
+      var uri = request.uri;
+      // Rewrite /media/{site}/{mediaId}/{file} → /sites/{site}/media/{mediaId}/{file}
+      var parts = uri.split('/');
+      // parts: ['', 'media', '{site}', '{mediaId}', '{file}']
+      if (parts.length >= 5 && parts[1] === 'media') {
+        var site = parts[2];
+        var mediaId = parts[3];
+        var rest = parts.slice(4).join('/');
+        request.uri = '/sites/' + site + '/media/' + mediaId + '/' + rest;
+      }
+      return request;
+    }
+  `,
+    },
+  );
+  // =========================================================================
+  // Cache Policies
+  // =========================================================================
+  const imageCachePolicy = new aws.cloudfront.CachePolicy(
+    `${name}ImageCachePolicy`,
+    {
+      name: $interpolate`${$app.name}-${$app.stage}-image-cache`,
+      comment: "Cache policy for transformed images (immutable)",
+      defaultTtl: 31536000,
+      maxTtl: 31536000,
+      minTtl: 31536000,
+      parametersInCacheKeyAndForwardedToOrigin: {
+        cookiesConfig: { cookieBehavior: "none" },
+        headersConfig: { headerBehavior: "none" },
+        queryStringsConfig: {
+          queryStringBehavior: "whitelist",
+          queryStrings: {
+            items: ["w", "h", "fit", "format", "q", "sig"],
+          },
+        },
+        enableAcceptEncodingBrotli: true,
+        enableAcceptEncodingGzip: true,
+      },
+    },
+  );
+  const mediaCachePolicy = new aws.cloudfront.CachePolicy(
+    `${name}MediaCachePolicy`,
+    {
+      name: $interpolate`${$app.name}-${$app.stage}-media-cache`,
+      comment: "Cache policy for original media files (immutable)",
+      defaultTtl: 31536000,
+      maxTtl: 31536000,
+      minTtl: 31536000,
+      parametersInCacheKeyAndForwardedToOrigin: {
+        cookiesConfig: { cookieBehavior: "none" },
+        headersConfig: { headerBehavior: "none" },
+        queryStringsConfig: { queryStringBehavior: "none" },
+        enableAcceptEncodingBrotli: true,
+        enableAcceptEncodingGzip: true,
+      },
+    },
+  );
+  // =========================================================================
+  // Origin Access Controls (OAC)
+  // =========================================================================
+  const mediaOAC = new aws.cloudfront.OriginAccessControl(`${name}MediaOAC`, {
+    name: $interpolate`${$app.name}-${$app.stage}-media-oac`,
+    description: "OAC for S3 media origin",
+    originAccessControlOriginType: "s3",
+    signingBehavior: "always",
+    signingProtocol: "sigv4",
+  });
+  const imageOAC = new aws.cloudfront.OriginAccessControl(`${name}ImageOAC`, {
+    name: $interpolate`${$app.name}-${$app.stage}-image-oac`,
+    description: "OAC for image transform Lambda origin",
+    originAccessControlOriginType: "lambda",
+    signingBehavior: "always",
+    signingProtocol: "sigv4",
+  });
+  // =========================================================================
+  // CloudFront Distribution
+  // =========================================================================
+  const imageLambdaDomain = image.imageLambda.url.apply((url: string) => {
+    const parsed = new URL(url);
+    return parsed.hostname;
+  });
+  const s3RegionalDomain = $interpolate`${contentBucket.name}.s3.${aws.getRegionOutput().name}.amazonaws.com`;
+  const priceClass = args.priceClass ?? "PriceClass_100";
+  // Build aliases and certificate config for custom domain
+  const aliases = args.domain ? [args.domain.name] : undefined;
+  const viewerCertificate = args.domain
+    ? {
+        acmCertificateArn: args.domain.certificateArn,
+        sslSupportMethod: "sni-only" as const,
+        minimumProtocolVersion: "TLSv1.2_2021" as const,
+      }
+    : {
+        cloudfrontDefaultCertificate: true,
+      };
+  // Fresh resource ID `${name}MediaDistribution` (parallel to
+  // `${name}ApiDistribution` in cdn-api.ts) — same blue/green rationale.
+  const distribution = new aws.cloudfront.Distribution(
+    `${name}MediaDistribution`,
+    {
+      enabled: true,
+      comment: $interpolate`Headroom CMS Media - ${$app.stage}`,
+      httpVersion: "http2and3",
+      priceClass,
+      aliases,
+      origins: [
+        {
+          originId: "media-s3",
+          domainName: s3RegionalDomain,
+          originAccessControlId: mediaOAC.id,
+          s3OriginConfig: {
+            originAccessIdentity: "",
+          },
+        },
+        {
+          originId: "image-lambda",
+          domainName: imageLambdaDomain,
+          originAccessControlId: imageOAC.id,
+          customOriginConfig: {
+            httpPort: 80,
+            httpsPort: 443,
+            originProtocolPolicy: "https-only",
+            originSslProtocols: ["TLSv1.2"],
+          },
+        },
+      ],
+      // Default behavior: target media-s3 with mediaCachePolicy and NO
+      // viewer-request rewrite. Anything not under /media/* or /img/* hits
+      // S3 with the original URI and returns 403 AccessDenied — defense in
+      // depth so a typo can't accidentally rewrite to a real S3 key.
+      defaultCacheBehavior: {
+        targetOriginId: "media-s3",
+        viewerProtocolPolicy: "redirect-to-https",
+        allowedMethods: ["GET", "HEAD", "OPTIONS"],
+        cachedMethods: ["GET", "HEAD", "OPTIONS"],
+        compress: true,
+        cachePolicyId: mediaCachePolicy.id,
+      },
+      orderedCacheBehaviors: [
+        // Media originals: served directly from S3 via OAC. Explicit (not
+        // implicit-via-default) so the rewrite never runs on unrelated paths.
+        {
+          pathPattern: "/media/*",
+          targetOriginId: "media-s3",
+          viewerProtocolPolicy: "redirect-to-https",
+          allowedMethods: ["GET", "HEAD", "OPTIONS"],
+          cachedMethods: ["GET", "HEAD", "OPTIONS"],
+          compress: true,
+          cachePolicyId: mediaCachePolicy.id,
+          functionAssociations: [
+            {
+              eventType: "viewer-request",
+              functionArn: mediaRewriteFunction.arn,
+            },
+          ],
+        },
+        // Image transforms: served via Sharp Lambda
+        {
+          pathPattern: "/img/*",
+          targetOriginId: "image-lambda",
+          viewerProtocolPolicy: "redirect-to-https",
+          allowedMethods: ["GET", "HEAD", "OPTIONS"],
+          cachedMethods: ["GET", "HEAD", "OPTIONS"],
+          compress: true,
+          cachePolicyId: imageCachePolicy.id,
+        },
+      ],
+      restrictions: {
+        geoRestriction: { restrictionType: "none" },
+      },
+      viewerCertificate,
+    },
+  );
+  // Allow CloudFront to invoke the image Lambda via OAC.
+  // CRITICAL: sourceArn must reference the MEDIA distribution's ARN. Pointing
+  // it at the API CDN ARN would silently break image transforms in a way
+  // that's hard to spot from logs. (Single most-important consistency point
+  // per the design doc.)
+  new aws.lambda.Permission(`${name}ImageLambdaCFPermission`, {
+    action: "lambda:InvokeFunctionUrl",
+    function: image.imageLambda.name,
+    principal: "cloudfront.amazonaws.com",
+    sourceArn: distribution.arn,
+  });
+  const url = args.domain
+    ? $interpolate`https://${args.domain.name}`
+    : $interpolate`https://${distribution.domainName}`;
+  return { distribution, url };
+}
+export type MediaCdnResources = ReturnType<typeof createMediaCdn>;