ts-ag 1.1.20 → 1.1.21

package/dist/index.mjs

@@ -7,6 +7,7 @@ import { AdminGetUserCommand, AdminInitiateAuthCommand, AdminListGroupsForUserCo
 import { createHmac } from "crypto";
 import { GetObjectCommand, HeadObjectCommand, S3Client } from "@aws-sdk/client-s3";
 import { getSignedUrl as getSignedUrl$1 } from "@aws-sdk/s3-request-presigner";
+import { DynamoDBToolboxError } from "dynamodb-toolbox";
 import rehypeParse from "rehype-parse";
 import { unified } from "unified";
 import { isEqual, isObject } from "radash";
@@ -116,33 +117,33 @@ function wrapHandler(handler) {
 * Im not sure it this is optimal behaviour and if not we will migrate to only using the errorResponse function
 */
 const error_lambda_badRequest = (message, fieldName, fieldValue) => ({
-	type: "lambda_badRequest",
+	type: "badRequest",
 	message,
 	fieldName,
 	fieldValue
 });
 const error_lambda_unauthorized = (message) => ({
-	type: "lambda_unauthorized",
+	type: "unauthorized",
 	message
 });
 const error_lambda_forbidden = (message) => ({
-	type: "lambda_forbidden",
+	type: "forbidden",
 	message
 });
 const error_lambda_notFound = (message, fieldName, fieldValue) => ({
-	type: "lambda_notFound",
+	type: "notFound",
 	message,
 	fieldName,
 	fieldValue
 });
 const error_lambda_conflict = (message, fieldName, fieldValue) => ({
-	type: "lambda_conflict",
+	type: "conflict",
 	message,
 	fieldName,
 	fieldValue
 });
 const error_lambda_internal = (message) => ({
-	type: "lambda_internal",
+	type: "internal",
 	message
 });
 //#endregion
@@ -153,9 +154,17 @@ function field(obj) {
 		value: obj.fieldValue
 	} };
 }
+/**
+* Maps lambda errors to responses suitable to return from lambda functions
+* @param e
+* @param headers
+* @param type
+* @param extras
+* @returns
+*/
 function response_error(e, headers, type = "", extras = {}) {
 	switch (e.type) {
-		case "lambda_badRequest": return {
+		case "badRequest": return {
 			headers,
 			statusCode: 400,
 			body: {
@@ -165,7 +174,7 @@ function response_error(e, headers, type = "", extras = {}) {
 				...extras
 			}
 		};
-		case "lambda_unauthorized": return {
+		case "unauthorized": return {
 			headers,
 			statusCode: 401,
 			body: {
@@ -174,7 +183,7 @@ function response_error(e, headers, type = "", extras = {}) {
 				...extras
 			}
 		};
-		case "lambda_forbidden": return {
+		case "forbidden": return {
 			headers,
 			statusCode: 403,
 			body: {
@@ -183,7 +192,7 @@ function response_error(e, headers, type = "", extras = {}) {
 				...extras
 			}
 		};
-		case "lambda_notFound": return {
+		case "notFound": return {
 			headers,
 			statusCode: 404,
 			body: {
@@ -193,7 +202,7 @@ function response_error(e, headers, type = "", extras = {}) {
 				...extras
 			}
 		};
-		case "lambda_conflict": return {
+		case "conflict": return {
 			headers,
 			statusCode: 409,
 			body: {
@@ -256,126 +265,185 @@ function getCognitoClient() {
 }
 //#endregion
 //#region src/cognito/errors.ts
-const error_cognito_forbidden = {
-	group: "cognito",
-	type: "cognito_forbidden"
-};
-const error_cognito_internal = {
-	group: "cognito",
-	type: "cognito_internal"
-};
-const error_cognito_role = {
-	group: "cognito",
-	type: "cognito_role"
-};
-const error_cognito_input = {
-	group: "cognito",
-	type: "cognito_input"
-};
-const error_cognito_auth = {
-	group: "cognito",
-	type: "cognito_auth"
-};
-const error_cognito_notFound = {
-	group: "cognito",
-	type: "cognito_notFound"
-};
-const error_cognito_userNotFound = {
-	group: "cognito",
-	type: "cognito_userNotFound"
-};
-const error_cognito_tooManyRequests = {
-	group: "cognito",
-	type: "cognito_tooManyRequests"
-};
-const error_cognito_passwordPolicy = {
-	group: "cognito",
-	type: "cognito_passwordPolicy"
-};
-const error_cognito_passwordHistory = {
-	group: "cognito",
-	type: "cognito_passwordHistory"
-};
-const error_cognito_passwordResetRequired = {
-	group: "cognito",
-	type: "cognito_passwordResetRequired"
-};
-const error_cognito_codeExpired = {
-	group: "cognito",
-	type: "cognito_codeExpired"
-};
-const error_cognito_codeMismatch = {
-	group: "cognito",
-	type: "cognito_codeMismatch"
-};
-const error_cognito_delivery = {
-	group: "cognito",
-	type: "cognito_delivery"
-};
-const error_cognito_userExists = {
-	group: "cognito",
-	type: "cognito_userExists"
-};
-const awsToCognitoErrorMap = {
-	ForbiddenException: error_cognito_forbidden,
-	NotAuthorizedException: error_cognito_auth,
-	UserNotConfirmedException: error_cognito_auth,
-	UserNotFoundException: error_cognito_userNotFound,
-	ResourceNotFoundException: error_cognito_notFound,
-	InvalidParameterException: error_cognito_input,
-	InvalidPasswordException: error_cognito_passwordPolicy,
-	PasswordHistoryPolicyViolationException: error_cognito_passwordHistory,
-	PasswordResetRequiredException: error_cognito_passwordResetRequired,
-	LimitExceededException: error_cognito_tooManyRequests,
-	TooManyRequestsException: error_cognito_tooManyRequests,
-	InternalErrorException: error_cognito_internal,
-	CodeMismatchException: error_cognito_codeMismatch,
-	ExpiredCodeException: error_cognito_codeExpired,
-	TooManyFailedAttemptsException: error_cognito_tooManyRequests,
-	UnexpectedLambdaException: error_cognito_internal,
-	InvalidLambdaResponseException: error_cognito_internal,
-	UserLambdaValidationException: error_cognito_internal,
-	InvalidEmailRoleAccessPolicyException: error_cognito_role,
-	InvalidSmsRoleAccessPolicyException: error_cognito_role,
-	InvalidSmsRoleTrustRelationshipException: error_cognito_role,
-	CodeDelliveryFailureException: error_cognito_delivery,
-	AliasExistsException: error_cognito_userExists,
-	InvalidUserPoolConfigurationException: error_cognito_internal,
-	MFAMethodNotFoundException: error_cognito_notFound,
-	UnsupportedOperationException: error_cognito_internal,
-	SoftwareTokenMFANotFoundException: error_cognito_notFound,
-	UsernameExistsException: error_cognito_userExists
+const defaultErrors$3 = {
+	auth: {
+		type: "unauthorized",
+		message: "Not authorized"
+	},
+	forbidden: {
+		type: "forbidden",
+		message: "Forbidden"
+	},
+	invalidInput: {
+		type: "badRequest",
+		message: "There is an issue with your request"
+	},
+	userNotFound: {
+		type: "notFound",
+		message: "User not found"
+	},
+	resourceNotFound: {
+		type: "notFound",
+		message: "Resource not found"
+	},
+	tooManyRequests: {
+		type: "badRequest",
+		message: "Too many requests"
+	},
+	passwordPolicy: {
+		type: "badRequest",
+		message: "Password does not meet policy requirements"
+	},
+	passwordHistory: {
+		type: "conflict",
+		message: "Password was used recently"
+	},
+	passwordResetRequired: {
+		type: "badRequest",
+		message: "Password reset required"
+	},
+	codeExpired: {
+		type: "badRequest",
+		message: "Code expired"
+	},
+	codeMismatch: {
+		type: "badRequest",
+		message: "Invalid code"
+	},
+	delivery: {
+		type: "internal",
+		message: "Internal server error"
+	},
+	userExists: {
+		type: "conflict",
+		message: "User already exists"
+	},
+	conflict: {
+		type: "conflict",
+		message: "The request conflicts with the current Cognito resource state"
+	},
+	internal: {
+		type: "internal",
+		message: "Internal server error"
+	}
 };
-/**
-* Gets a generic error from the name of the aws error
-*/
+/** Wrap an unknown caught value as a Cognito-domain error for neverthrow flows. */
 function error_cognito(error) {
-	const type = error.name;
-	if (awsToCognitoErrorMap[type] === void 0) console.warn(`${type} is not present in the cognito error map`);
-	console.error(`Cognito error: ${type}`, error);
-	return awsToCognitoErrorMap[type] || error_cognito_internal;
+	return {
+		type: "cognito",
+		error
+	};
 }
-/**
-* Converts a cognito error to a lambda error.
-* Basically just for narrowing it down a bit
-*/
-function error_lambda_fromCognito(e) {
-	switch (e.type) {
-		case "cognito_auth": return error_lambda_unauthorized("Not authorized");
-		case "cognito_forbidden": return error_lambda_forbidden("Forbidden");
-		case "cognito_internal":
-		case "cognito_role": return error_lambda_internal("Internal server error");
-		case "cognito_input": return error_lambda_badRequest("There is an issue with your request");
-		case "cognito_notFound": return error_lambda_notFound("Resource not found");
-		case "cognito_userNotFound": return error_lambda_notFound("User not found");
-		case "cognito_tooManyRequests": return error_lambda_badRequest("Too many requests");
-		case "cognito_passwordPolicy": return error_lambda_badRequest("Password does not meet policy requirements");
-		case "cognito_passwordHistory": return error_lambda_conflict("Password was used recently");
-		case "cognito_passwordResetRequired": return error_lambda_badRequest("Password reset required");
-		case "cognito_delivery": return error_lambda_internal("Delivery failed for the provided email or phone number");
-		default: return error_lambda_internal("Unknown error");
+/** Convert AWS SDK Cognito errors into a safe lambda error for API responses. */
+function error_lambda_fromCognito(e, options = {}) {
+	return fromReason$2(getCognitoReason(e.error), options);
+}
+/** Apply endpoint overrides and build the concrete lambda error object. */
+function fromReason$2(reason, options) {
+	const base = defaultErrors$3[reason];
+	const override = options[reason];
+	const args = {
+		...base,
+		...override
+	};
+	switch (args.type) {
+		case "badRequest": return error_lambda_badRequest(args.message, args.fieldName, args.fieldValue);
+		case "unauthorized": return error_lambda_unauthorized(args.message);
+		case "forbidden": return error_lambda_forbidden(args.message);
+		case "notFound": return error_lambda_notFound(args.message, args.fieldName, args.fieldValue);
+		case "conflict": return error_lambda_conflict(args.message, args.fieldName, args.fieldValue);
+		default: return error_lambda_internal(args.message);
 	}
 }
+/** Classify AWS SDK / Cognito service errors. */
+function getCognitoReason(error) {
+	switch (getErrorName$2(error)) {
+		case "NotAuthorizedException":
+		case "UnauthorizedException":
+		case "UserNotConfirmedException":
+		case "RefreshTokenReuseException": return "auth";
+		case "AccessDeniedException":
+		case "ForbiddenException": return "forbidden";
+		case "InvalidParameterException":
+		case "InvalidOAuthFlowException":
+		case "ScopeDoesNotExistException":
+		case "UnsupportedIdentityProviderException":
+		case "UnsupportedTokenTypeException": return "invalidInput";
+		case "UserNotFoundException": return "userNotFound";
+		case "ResourceNotFoundException":
+		case "MFAMethodNotFoundException":
+		case "SoftwareTokenMFANotFoundException":
+		case "WebAuthnChallengeNotFoundException": return "resourceNotFound";
+		case "LimitExceededException":
+		case "TooManyFailedAttemptsException":
+		case "TooManyRequestsException": return "tooManyRequests";
+		case "InvalidPasswordException": return "passwordPolicy";
+		case "PasswordHistoryPolicyViolationException": return "passwordHistory";
+		case "PasswordResetRequiredException": return "passwordResetRequired";
+		case "ExpiredCodeException": return "codeExpired";
+		case "CodeMismatchException": return "codeMismatch";
+		case "CodeDeliveryFailureException": return "delivery";
+		case "AliasExistsException":
+		case "DeviceKeyExistsException":
+		case "DuplicateProviderException":
+		case "GroupExistsException":
+		case "ManagedLoginBrandingExistsException":
+		case "TermsExistsException":
+		case "UsernameExistsException": return "userExists";
+		case "ConcurrentModificationException":
+		case "PreconditionNotMetException":
+		case "UnsupportedUserStateException": return "conflict";
+		case "EnableSoftwareTokenMFAException":
+		case "FeatureUnavailableInTierException":
+		case "InternalErrorException":
+		case "InternalServerException":
+		case "InvalidEmailRoleAccessPolicyException":
+		case "InvalidLambdaResponseException":
+		case "InvalidSmsRoleAccessPolicyException":
+		case "InvalidSmsRoleTrustRelationshipException":
+		case "InvalidUserPoolConfigurationException":
+		case "TierChangeNotAllowedException":
+		case "UnexpectedLambdaException":
+		case "UnsupportedOperationException":
+		case "UserImportInProgressException":
+		case "UserLambdaValidationException":
+		case "UserPoolAddOnNotEnabledException":
+		case "UserPoolTaggingException":
+		case "WebAuthnClientMismatchException":
+		case "WebAuthnConfigurationMissingException":
+		case "WebAuthnCredentialNotSupportedException":
+		case "WebAuthnNotEnabledException":
+		case "WebAuthnOriginNotAllowedException":
+		case "WebAuthnRelyingPartyMismatchException": return "internal";
+		default: return getHttpStatusReason$2(error);
+	}
+}
+function getHttpStatusReason$2(error) {
+	const status = getHttpStatusCode$2(error);
+	if (status === 400) return "invalidInput";
+	if (status === 401) return "auth";
+	if (status === 403) return "forbidden";
+	if (status === 404) return "resourceNotFound";
+	if (status === 409 || status === 412) return "conflict";
+	if (status === 429) return "tooManyRequests";
+	return "internal";
+}
+function getErrorName$2(error) {
+	if (!isRecord$2(error)) return void 0;
+	const name = error.name;
+	if (typeof name === "string") return name;
+	const code = error.code ?? error.Code;
+	if (typeof code === "string") return code;
+}
+function getHttpStatusCode$2(error) {
+	if (!isRecord$2(error)) return void 0;
+	const metadata = error.$metadata;
+	if (!isRecord$2(metadata)) return void 0;
+	return typeof metadata.httpStatusCode === "number" ? metadata.httpStatusCode : void 0;
+}
+function isRecord$2(value) {
+	return typeof value === "object" && value !== null;
+}
 //#endregion
 //#region src/cognito/user.ts
 /**
@@ -646,12 +714,12 @@ const verifyOAuthToken = ResultAsync.fromThrowable(async (a) => {
 	});
 	if (!tokenRes.ok) {
 		console.error("verifyOAuthToken: token exchange failed", await tokenRes.text());
-		throw new Error("");
+		throw Object.assign(/* @__PURE__ */ new Error("OAuth token exchange failed"), { name: "NotAuthorizedException" });
 	}
 	return await tokenRes.json();
 }, (e) => {
 	console.error("verifyOAuthToken:error", e);
-	return error_cognito_auth;
+	return error_cognito(e);
 });
 /**
 * Exchanges an OAuth2 refresh token for Cognito tokens using the oauth token endpoint.
@@ -679,12 +747,12 @@ const refreshOAuthToken = ResultAsync.fromThrowable(async (a) => {
 	});
 	if (!tokenRes.ok) {
 		console.error("refreshOAuthToken: token exchange failed", await tokenRes.text());
-		throw new Error("");
+		throw Object.assign(/* @__PURE__ */ new Error("OAuth token refresh failed"), { name: "NotAuthorizedException" });
 	}
 	return await tokenRes.json();
 }, (e) => {
 	console.error("refreshOAuthToken:error", e);
-	return error_cognito_auth;
+	return error_cognito(e);
 });
 //#endregion
 //#region src/s3/client.ts
@@ -695,12 +763,190 @@ function getS3() {
 	return new S3Client({});
 }
 //#endregion
+//#region src/utils/errors.ts
+function isRecord(value) {
+	return typeof value === "object" && value !== null;
+}
+function getErrorName(error) {
+	if (!isRecord(error)) return void 0;
+	const name = error.name;
+	if (typeof name === "string") return name;
+	const code = error.code ?? error.Code;
+	if (typeof code === "string") return code;
+}
+//#endregion
 //#region src/s3/errors.ts
-const error_s3_internal = { type: "s3_internal" };
-const error_s3_get = { type: "s3_get" };
+const defaultErrors$2 = {
+	invalidInput: {
+		type: "badRequest",
+		message: "Invalid S3 request"
+	},
+	objectNotFound: {
+		type: "notFound",
+		message: "S3 object not found"
+	},
+	bucketNotFound: {
+		type: "internal",
+		message: "Internal server error"
+	},
+	conflict: {
+		type: "conflict",
+		message: "The request conflicts with the current S3 resource state"
+	},
+	throttled: {
+		type: "internal",
+		message: "Internal server error"
+	},
+	accessDenied: {
+		type: "internal",
+		message: "Internal server error"
+	},
+	internal: {
+		type: "internal",
+		message: "Internal server error"
+	}
+};
+/** Wrap an unknown caught value as an S3-domain error for neverthrow flows. */
+function error_s3(error) {
+	return {
+		type: "s3",
+		error
+	};
+}
+/** Convert AWS SDK S3 errors into a safe lambda error for API responses. */
+function error_lambda_fromS3(e, options = {}) {
+	const reason = getS3Reason(e.error);
+	const base = defaultErrors$2[reason];
+	const override = options[reason];
+	const args = {
+		...base,
+		...override
+	};
+	switch (args.type) {
+		case "badRequest": return error_lambda_badRequest(args.message, args.fieldName, args.fieldValue);
+		case "unauthorized": return error_lambda_unauthorized(args.message);
+		case "forbidden": return error_lambda_forbidden(args.message);
+		case "notFound": return error_lambda_notFound(args.message, args.fieldName, args.fieldValue);
+		case "conflict": return error_lambda_conflict(args.message, args.fieldName, args.fieldValue);
+		default: return error_lambda_internal(args.message);
+	}
+}
+/** Returns true for normal S3 object-missing responses. */
+function is_s3_notFound(error) {
+	return getS3Reason(error) === "objectNotFound";
+}
+/** Classify AWS SDK / S3 service errors. */
+function getS3Reason(error) {
+	switch (getErrorName(error)) {
+		case "NoSuchKey":
+		case "NotFound":
+		case "NoSuchVersion": return "objectNotFound";
+		case "NoSuchBucket":
+		case "NoSuchBucketPolicy":
+		case "NoSuchLifecycleConfiguration":
+		case "NoLoggingStatusForKey": return "bucketNotFound";
+		case "AmbiguousGrantByEmailAddress":
+		case "BadDigest":
+		case "EntityTooLarge":
+		case "EntityTooSmall":
+		case "IncompleteBody":
+		case "IncorrectNumberOfFilesInPostRequest":
+		case "InlineDataTooLarge":
+		case "InvalidAddressingHeader":
+		case "InvalidArgument":
+		case "InvalidBucketName":
+		case "InvalidDigest":
+		case "InvalidLocationConstraint":
+		case "InvalidPart":
+		case "InvalidPartOrder":
+		case "InvalidPayer":
+		case "InvalidPolicyDocument":
+		case "InvalidRange":
+		case "InvalidRequest":
+		case "InvalidSOAPRequest":
+		case "InvalidStorageClass":
+		case "InvalidTargetBucketForLogging":
+		case "InvalidURI":
+		case "KeyTooLongError":
+		case "MalformedACLError":
+		case "MalformedPOSTRequest":
+		case "MalformedXML":
+		case "MaxMessageLengthExceeded":
+		case "MaxPostPreDataLengthExceededError":
+		case "MetadataTooLarge":
+		case "MissingAttachment":
+		case "MissingContentLength":
+		case "MissingRequestBodyError":
+		case "RequestIsNotMultiPartContent":
+		case "RequestTorrentOfBucketError":
+		case "NoSuchUpload": return "invalidInput";
+		case "BucketAlreadyExists":
+		case "BucketAlreadyOwnedByYou":
+		case "BucketNotEmpty":
+		case "EncryptionTypeMismatch":
+		case "IdempotencyParameterMismatch":
+		case "IllegalVersioningConfigurationException":
+		case "InvalidBucketState":
+		case "InvalidEncryptionAlgorithmError":
+		case "InvalidObjectState":
+		case "InvalidWriteOffset":
+		case "ObjectAlreadyInActiveTierError":
+		case "ObjectNotInActiveTierError":
+		case "OperationAborted":
+		case "PreconditionFailed":
+		case "RestoreAlreadyInProgress":
+		case "TooManyParts": return "conflict";
+		case "RequestLimitExceeded":
+		case "RequestTimeout":
+		case "ServiceUnavailable":
+		case "SlowDown":
+		case "Throttling":
+		case "ThrottlingException": return "throttled";
+		case "AccessDenied":
+		case "AccountProblem":
+		case "AllAccessDisabled":
+		case "CredentialsNotSupported":
+		case "CrossLocationLoggingProhibited":
+		case "ExpiredToken":
+		case "InvalidAccessKeyId":
+		case "InvalidSecurity":
+		case "InvalidToken":
+		case "MethodNotAllowed":
+		case "MissingSecurityElement":
+		case "MissingSecurityHeader":
+		case "NotSignedUp":
+		case "SignatureDoesNotMatch": return "accessDenied";
+		case "AuthorizationHeaderMalformed":
+		case "InternalError":
+		case "NotImplemented":
+		case "PermanentRedirect":
+		case "Redirect":
+		case "RequestTimeTooSkewed":
+		case "TemporaryRedirect": return "internal";
+		default: return getHttpStatusReason$1(error);
+	}
+}
+function getHttpStatusReason$1(error) {
+	const status = getHttpStatusCode$1(error);
+	if (status === 400) return "invalidInput";
+	if (status === 404) return "objectNotFound";
+	if (status === 409 || status === 412) return "conflict";
+	if (status === 429 || status === 503) return "throttled";
+	if (status === 401 || status === 403) return "accessDenied";
+	return "internal";
+}
+function getHttpStatusCode$1(error) {
+	if (!isRecord(error)) return void 0;
+	const metadata = error.$metadata;
+	if (!isRecord(metadata)) return void 0;
+	return typeof metadata.httpStatusCode === "number" ? metadata.httpStatusCode : void 0;
+}
 //#endregion
 //#region src/s3/signedUrl.ts
-const getSignedUrl = ResultAsync.fromThrowable(getSignedUrl$1, (e) => e);
+const getSignedUrl = ResultAsync.fromThrowable(getSignedUrl$1, (e) => {
+	console.error("getSignedUrl: Failed to get signed url", e);
+	error_s3(e);
+});
 //#endregion
 //#region src/s3/object.ts
 /**
@@ -724,8 +970,8 @@ const getObject = ResultAsync.fromThrowable(async (bucketName, key) => {
 		stream.on("error", reject);
 	});
 }, (e) => {
-	console.error(`Error getting object from S3: ${e}`);
-	return error_s3_get;
+	console.error(`getObjectt: Error getting object from S3: ${e}`);
+	return error_s3(e);
 });
 /**
 * Convenience function to get an object from S3 and return it as a string.
@@ -749,22 +995,313 @@ const objectExists = ResultAsync.fromThrowable(async (bucketName, key) => {
 		});
 		return (await s3.send(cmd)).$metadata.httpStatusCode === 200;
 	} catch (e) {
-		if (e.$metadata.httpStatusCode === 404) return false;
-		else throw e;
+		if (is_s3_notFound(e)) return false;
+		throw e;
 	}
 }, (e) => {
-	console.error(`Error getting object head from S3: ${e}`);
-	return error_s3_get;
+	console.error(`objectExists: Error getting object head from S3: ${e}`);
+	return error_s3(e);
 });
 //#endregion
 //#region src/dynamo/errors.ts
-const error_dynamo = { type: "dynamo" };
-function error_lambda_fromDynamo(_e) {
-	return error_lambda_internal("Internal server error");
+const defaultErrors$1 = {
+	invalidInput: {
+		type: "badRequest",
+		message: "Invalid request"
+	},
+	conditionalCheckFailed: {
+		type: "conflict",
+		message: "The request conflicts with the current resource state"
+	},
+	transactionConflict: {
+		type: "conflict",
+		message: "The request conflicts with the current resource state"
+	},
+	resourceNotFound: {
+		type: "internal",
+		message: "Internal server error"
+	},
+	throttled: {
+		type: "internal",
+		message: "Internal server error"
+	},
+	accessDenied: {
+		type: "internal",
+		message: "Internal server error"
+	},
+	internal: {
+		type: "internal",
+		message: "Internal server error"
+	}
+};
+/** Wrap an unknown caught value as a Dynamo-domain error for neverthrow flows. */
+function error_dynamo(error) {
+	return {
+		type: "dynamo",
+		error
+	};
+}
+/** Convert DynamoDB Toolbox or AWS SDK errors into a safe lambda error for API responses. */
+function error_lambda_fromDynamo(e, options = {}) {
+	if (e.error instanceof DynamoDBToolboxError) return fromReason$1(getToolboxReason(e.error), options, toolboxField(e.error, options.includeToolboxPath));
+	return fromReason$1(getAwsReason(e.error), options);
+}
+/** Apply endpoint overrides and build the concrete lambda error object. */
+function fromReason$1(reason, options, defaults = {}) {
+	const base = {
+		...defaultErrors$1[reason],
+		...defaults
+	};
+	const override = options[reason];
+	const args = {
+		...base,
+		...override
+	};
+	switch (args.type) {
+		case "badRequest": return error_lambda_badRequest(args.message, args.fieldName, args.fieldValue);
+		case "unauthorized": return error_lambda_unauthorized(args.message);
+		case "forbidden": return error_lambda_forbidden(args.message);
+		case "notFound": return error_lambda_notFound(args.message, args.fieldName, args.fieldValue);
+		case "conflict": return error_lambda_conflict(args.message, args.fieldName, args.fieldValue);
+		default: return error_lambda_internal(args.message);
+	}
+}
+/** Classify errors produced by Toolbox before sending, or while formatting returned items. */
+function getToolboxReason(error) {
+	if (error.code.startsWith("parsing.") || error.code === "actions.parsePrimaryKey.invalidKeyPart") return "invalidInput";
+	if (error.code.startsWith("formatter.") || error.code.startsWith("schema.") || error.code.startsWith("entity.")) return "internal";
+	switch (error.code) {
+		case "actions.invalidCondition":
+		case "actions.invalidExpressionAttributePath":
+		case "queryCommand.invalidIndex":
+		case "queryCommand.invalidPartition":
+		case "queryCommand.invalidProjectionExpression":
+		case "queryCommand.invalidRange":
+		case "queryCommand.invalidReverseOption":
+		case "scanCommand.invalidProjectionExpression":
+		case "scanCommand.invalidSegmentOption":
+		case "batchGetCommand.invalidProjectionExpression":
+		case "options.invalidCapacityOption":
+		case "options.invalidClientRequestToken":
+		case "options.invalidConsistentOption":
+		case "options.invalidIndexOption":
+		case "options.invalidLimitOption":
+		case "options.invalidMaxPagesOption":
+		case "options.invalidMetricsOption":
+		case "options.invalidReturnValuesOption":
+		case "options.invalidReturnValuesOnConditionFalseOption":
+		case "options.invalidSelectOption": return "invalidInput";
+		case "actions.incompleteAction":
+		case "actions.invalidAction":
+		case "actions.missingDocumentClient":
+		case "queryCommand.invalidTagEntitiesOption":
+		case "queryCommand.noEntityMatched":
+		case "scanCommand.noEntityMatched":
+		case "options.invalidEntityAttrFilterOption":
+		case "options.invalidNoEntityMatchBehaviorOption":
+		case "options.invalidShowEntityAttrOption":
+		case "options.invalidTableNameOption":
+		case "options.unknownOption":
+		case "table.missingTableName": return "internal";
+		default: return "internal";
+	}
+}
+function toolboxField(error, includeToolboxPath) {
+	if (!includeToolboxPath || typeof error.path !== "string") return {};
+	return {
+		fieldName: error.path,
+		fieldValue: error.message
+	};
+}
+/** Classify AWS SDK / DynamoDB service errors that bubble out of Toolbox send calls. */
+function getAwsReason(error) {
+	switch (getErrorName(error)) {
+		case "ConditionalCheckFailedException": return "conditionalCheckFailed";
+		case "TransactionCanceledException": return getTransactionReason(error);
+		case "TransactionConflictException":
+		case "ReplicatedWriteConflictException":
+		case "IdempotentParameterMismatchException":
+		case "ItemCollectionSizeLimitExceededException": return "transactionConflict";
+		case "ValidationException": return "invalidInput";
+		case "ResourceNotFoundException": return "resourceNotFound";
+		case "ProvisionedThroughputExceededException":
+		case "RequestLimitExceeded":
+		case "ThrottlingException":
+		case "ThrottlingError": return "throttled";
+		case "AccessDeniedException":
+		case "ExpiredTokenException":
+		case "IncompleteSignatureException":
+		case "InvalidSignatureException":
+		case "UnrecognizedClientException": return "accessDenied";
+		default: return "internal";
+	}
+}
+/** Pick the most useful public reason from DynamoDB transaction cancellation details. */
+function getTransactionReason(error) {
+	const cancellationReasons = getCancellationReasons(error);
+	if (cancellationReasons.some((reason) => reason === "ConditionalCheckFailed")) return "conditionalCheckFailed";
+	if (cancellationReasons.some((reason) => reason === "TransactionConflict")) return "transactionConflict";
+	if (cancellationReasons.some((reason) => reason === "ValidationError")) return "invalidInput";
+	if (cancellationReasons.some((reason) => [
+		"ProvisionedThroughputExceeded",
+		"RequestLimitExceeded",
+		"ThrottlingError"
+	].includes(reason))) return "throttled";
+	return "internal";
+}
+function getCancellationReasons(error) {
+	if (!isRecord(error)) return [];
+	const cancellationReasons = error.CancellationReasons ?? error.cancellationReasons;
+	if (!Array.isArray(cancellationReasons)) return [];
+	return cancellationReasons.map((reason) => isRecord(reason) && typeof reason.Code === "string" ? reason.Code : void 0).filter((reason) => reason !== void 0);
 }
 //#endregion
 //#region src/ses/errors.ts
-const error_ses = { type: "ses" };
+const defaultErrors = {
+	invalidInput: {
+		type: "badRequest",
+		message: "Invalid SES request"
+	},
+	messageRejected: {
+		type: "badRequest",
+		message: "Email message was rejected"
+	},
+	identityNotVerified: {
+		type: "internal",
+		message: "Internal server error"
+	},
+	notFound: {
+		type: "internal",
+		message: "Internal server error"
+	},
+	alreadyExists: {
+		type: "conflict",
+		message: "SES resource already exists"
+	},
+	conflict: {
+		type: "conflict",
+		message: "The request conflicts with the current SES resource state"
+	},
+	throttled: {
+		type: "internal",
+		message: "Internal server error"
+	},
+	accessDenied: {
+		type: "internal",
+		message: "Internal server error"
+	},
+	internal: {
+		type: "internal",
+		message: "Internal server error"
+	}
+};
+/** Wrap an unknown caught value as an SES-domain error for neverthrow flows. */
+function error_ses(error) {
+	return {
+		type: "ses",
+		error
+	};
+}
+/** Convert AWS SDK SES errors into a safe lambda error for API responses. */
+function error_lambda_fromSes(e, options = {}) {
+	return fromReason(getSesReason(e.error), options);
+}
+/** Apply endpoint overrides and build the concrete lambda error object. */
+function fromReason(reason, options) {
+	const base = defaultErrors[reason];
+	const override = options[reason];
+	const args = {
+		...base,
+		...override
+	};
+	switch (args.type) {
+		case "badRequest": return error_lambda_badRequest(args.message, args.fieldName, args.fieldValue);
+		case "unauthorized": return error_lambda_unauthorized(args.message);
+		case "forbidden": return error_lambda_forbidden(args.message);
+		case "notFound": return error_lambda_notFound(args.message, args.fieldName, args.fieldValue);
+		case "conflict": return error_lambda_conflict(args.message, args.fieldName, args.fieldValue);
+		default: return error_lambda_internal(args.message);
+	}
+}
+/** Classify AWS SDK / SES service errors. */
+function getSesReason(error) {
+	switch (getErrorName$1(error)) {
+		case "BadRequestException":
+		case "CustomVerificationEmailInvalidContentException":
+		case "InvalidParameterValue":
+		case "InvalidPolicyException":
+		case "InvalidRenderingParameterException":
+		case "InvalidSnsTopic":
+		case "InvalidSnsTopicException":
+		case "InvalidTemplateException":
+		case "InvalidTrackingOptionsException":
+		case "MissingRenderingAttributeException": return "invalidInput";
+		case "MessageRejected":
+		case "MessageRejectedException": return "messageRejected";
+		case "ConfigurationSetDoesNotExist":
+		case "ConfigurationSetDoesNotExistException":
+		case "NotFoundException":
+		case "RuleSetDoesNotExist":
+		case "TemplateDoesNotExist":
+		case "TemplateDoesNotExistException": return "notFound";
+		case "AlreadyExistsException":
+		case "ConfigurationSetAlreadyExists":
+		case "RuleSetNameAlreadyExists":
+		case "TemplateNameAlreadyExists": return "alreadyExists";
+		case "AccountSendingPausedException":
+		case "ConfigurationSetSendingPausedException":
+		case "ConcurrentModificationException":
+		case "ConflictException":
+		case "MailFromDomainNotVerified":
+		case "MailFromDomainNotVerifiedException":
+		case "SendingPausedException": return "conflict";
+		case "FromEmailAddressNotVerified":
+		case "IdentityNotVerifiedException": return "identityNotVerified";
+		case "LimitExceededException":
+		case "Throttling":
+		case "ThrottlingException":
+		case "TooManyRequestsException": return "throttled";
+		case "AccessDeniedException":
+		case "AccountSuspendedException":
+		case "ExpiredTokenException":
+		case "InvalidClientTokenId":
+		case "InvalidSignatureException":
+		case "ProductionAccessNotGrantedException":
+		case "SignatureDoesNotMatch":
+		case "UnauthorizedException": return "accessDenied";
+		case "InternalFailure":
+		case "InternalServerError":
+		case "InternalServiceError":
+		case "ServiceUnavailable": return "internal";
+		default: return getHttpStatusReason(error);
+	}
+}
+function getHttpStatusReason(error) {
+	const status = getHttpStatusCode(error);
+	if (status === 400) return "invalidInput";
+	if (status === 401) return "accessDenied";
+	if (status === 403) return "accessDenied";
+	if (status === 404) return "notFound";
+	if (status === 409 || status === 412) return "conflict";
+	if (status === 429) return "throttled";
+	return "internal";
+}
+function getErrorName$1(error) {
+	if (!isRecord$1(error)) return void 0;
+	const name = error.name;
+	if (typeof name === "string") return name;
+	const code = error.code ?? error.Code;
+	if (typeof code === "string") return code;
+}
+function getHttpStatusCode(error) {
+	if (!isRecord$1(error)) return void 0;
+	const metadata = error.$metadata;
+	if (!isRecord$1(metadata)) return void 0;
+	return typeof metadata.httpStatusCode === "number" ? metadata.httpStatusCode : void 0;
+}
+function isRecord$1(value) {
+	return typeof value === "object" && value !== null;
+}
 //#endregion
 //#region src/rehype/flat-toc.ts
 /**
@@ -1062,6 +1599,6 @@ async function readPackageJson(filePath) {
 	return JSON.parse(await readFile(filePath, { encoding: "utf-8" }));
 }
 //#endregion
-export { HTTPMethods, changePassword, colorText, computeSecretHash, confirmForgotPassword, confirmSignup, createApiRequest, deepDiff, error_cognito, error_cognito_auth, error_cognito_codeExpired, error_cognito_codeMismatch, error_cognito_delivery, error_cognito_forbidden, error_cognito_input, error_cognito_internal, error_cognito_notFound, error_cognito_passwordHistory, error_cognito_passwordPolicy, error_cognito_passwordResetRequired, error_cognito_role, error_cognito_tooManyRequests, error_cognito_userExists, error_cognito_userNotFound, error_dynamo, error_lambda_badRequest, error_lambda_conflict, error_lambda_forbidden, error_lambda_fromCognito, error_lambda_fromDynamo, error_lambda_internal, error_lambda_notFound, error_lambda_unauthorized, error_s3_get, error_s3_internal, error_ses, exists, extractAttributes, extractToc, forgotPassword, getByPath, getCognitoClient, getCookies, getObject, getObjectString, getS3, getSchemaByPath, getSignedUrl, getUserDetails, getUserGroups, isSchema, login, logout, objectExists, parseRaw, pruneToShape, readPackageJson, refreshOAuthToken, refreshTokens, resetPassword, response_error, response_ok, response_valibotError, setByPath, signUp, unwrap, verifyOAuthToken, wrapHandler, writeIfDifferent };
+export { HTTPMethods, changePassword, colorText, computeSecretHash, confirmForgotPassword, confirmSignup, createApiRequest, deepDiff, error_cognito, error_dynamo, error_lambda_badRequest, error_lambda_conflict, error_lambda_forbidden, error_lambda_fromCognito, error_lambda_fromDynamo, error_lambda_fromS3, error_lambda_fromSes, error_lambda_internal, error_lambda_notFound, error_lambda_unauthorized, error_s3, error_ses, exists, extractAttributes, extractToc, forgotPassword, getByPath, getCognitoClient, getCookies, getErrorName, getObject, getObjectString, getS3, getSchemaByPath, getSignedUrl, getUserDetails, getUserGroups, isRecord, isSchema, is_s3_notFound, login, logout, objectExists, parseRaw, pruneToShape, readPackageJson, refreshOAuthToken, refreshTokens, resetPassword, response_error, response_ok, response_valibotError, setByPath, signUp, unwrap, verifyOAuthToken, wrapHandler, writeIfDifferent };
 
 //# sourceMappingURL=index.mjs.map