ts-ag 1.1.26 → 1.2.0

package/dist/worker.mjs

@@ -0,0 +1,1603 @@
+import { parse, stringify } from "devalue";
+import * as v from "valibot";
+import { parse as parse$1 } from "cookie";
+import { Result, ResultAsync } from "neverthrow";
+import { AdminGetUserCommand, AdminInitiateAuthCommand, AdminListGroupsForUserCommand, ChangePasswordCommand, CognitoIdentityProviderClient, ConfirmForgotPasswordCommand, ConfirmSignUpCommand, ForgotPasswordCommand, GlobalSignOutCommand, RespondToAuthChallengeCommand, SignUpCommand } from "@aws-sdk/client-cognito-identity-provider";
+import { createHmac } from "node:crypto";
+import { GetObjectCommand, HeadObjectCommand, S3Client } from "@aws-sdk/client-s3";
+import { getSignedUrl as getSignedUrl$1 } from "@aws-sdk/s3-request-presigner";
+import { DynamoDBToolboxError } from "dynamodb-toolbox";
+import rehypeParse from "rehype-parse";
+import { unified } from "unified";
+import { isEqual, isObject } from "radash";
+import { lstat, mkdir, readFile, writeFile } from "node:fs/promises";
+import { dirname } from "node:path";
+import chalk from "chalk";
+//#region src/lambda/client-types.ts
+const HTTPMethods = [
+	"GET",
+	"POST",
+	"PUT",
+	"DELETE",
+	"PATCH",
+	"OPTIONS",
+	"HEAD"
+];
+//#endregion
+//#region src/lambda/client.ts
+const bodyMethods = [
+	"POST",
+	"PUT",
+	"PATCH"
+];
+const queryMethods = ["GET", "DELETE"];
+async function _apiRequest(path, method, input, schema, environment, apiUrl, headers) {
+	if (schema) if (schema.async === true) await v.parseAsync(schema, input);
+	else v.parse(schema, input);
+	let url = `${apiUrl}${apiUrl.endsWith("/") ? "" : "/"}${path}`;
+	if (queryMethods.includes(method)) {
+		const params = new URLSearchParams();
+		for (const [key, value] of Object.entries(input ?? {})) if (Array.isArray(value)) value.forEach((item) => params.append(key, String(item)));
+		else params.append(key, String(value));
+		const queryString = params.toString();
+		if (queryString) url += `?${queryString}`;
+	}
+	headers = {
+		"Content-Type": "application/json",
+		...headers
+	};
+	const response = await fetch(url, {
+		method,
+		headers,
+		body: bodyMethods.includes(method) ? JSON.stringify(input) : void 0,
+		credentials: "include"
+	});
+	const contentType = response.headers.get("content-type") ?? "";
+	let retrieved = false;
+	response.json = async () => {
+		if (retrieved === false) retrieved = response.text();
+		if (contentType === "application/devalue") return await parse(await retrieved);
+		else return JSON.parse(await retrieved);
+	};
+	return response;
+}
+/**
+* @returns A function that can be used to make API requests with type safety
+* @example const clientApiRequest = createApiRequest<ApiEndpoints>();
+*/
+function createApiRequest(schemas, apiUrl, env) {
+	return async function apiRequest(path, method, input, headers) {
+		const schema = schemas[path]?.[method];
+		if (schema === void 0) throw new Error("Schema is undefined in api request");
+		return _apiRequest(path, method, input, schema, env, apiUrl, headers);
+	};
+}
+//#endregion
+//#region src/lambda/handlerUtils.ts
+/**
+* Wraps a handler that returns the body as an object rather than a string.
+*
+* This means you can achieve proper type inference on your handler and have standardised serialisation
+*
+* @example
+```ts
+export type AuthorizerContext = {
+details: JWTPayload;
+} | null;
+
+export const wrapHandler = baseWrapHandler<APIGatewayProxyEventV2WithLambdaAuthorizer<AuthorizerContext>>
+
+*/
+function wrapHandler(handler) {
+	return async (event, context) => {
+		const result = await handler(event, context);
+		if (result.body) {
+			const headers = new Headers(result.headers);
+			headers.set("Content-Type", "application/devalue");
+			return {
+				...result,
+				headers: Object.fromEntries(headers),
+				body: stringify(result.body)
+			};
+		} else return {
+			...result,
+			body: void 0
+		};
+	};
+}
+//#endregion
+//#region src/lambda/errors.ts
+/**
+* These are the various errors that should be returned from anything called by a lambda function.
+*
+* Pass a lambda error to the errorResponse function to get a suitable response to return from the lambda handler.
+*
+* The separation means that they can be returned from functions that are certainly run inside a lambda fucntion but theyre not the actual return of the lambda.
+* Im not sure it this is optimal behaviour and if not we will migrate to only using the errorResponse function
+*/
+const error_lambda_badRequest = (message, fieldName, fieldValue) => ({
+	type: "badRequest",
+	message,
+	fieldName,
+	fieldValue
+});
+const error_lambda_unauthorized = (message) => ({
+	type: "unauthorized",
+	message
+});
+const error_lambda_forbidden = (message) => ({
+	type: "forbidden",
+	message
+});
+const error_lambda_notFound = (message, fieldName, fieldValue) => ({
+	type: "notFound",
+	message,
+	fieldName,
+	fieldValue
+});
+const error_lambda_conflict = (message, fieldName, fieldValue) => ({
+	type: "conflict",
+	message,
+	fieldName,
+	fieldValue
+});
+const error_lambda_internal = (message) => ({
+	type: "internal",
+	message
+});
+//#endregion
+//#region src/lambda/response.ts
+function field(obj) {
+	return obj.fieldName === void 0 || obj.fieldValue === void 0 ? {} : { field: {
+		name: obj.fieldName,
+		value: obj.fieldValue
+	} };
+}
+/**
+* Maps lambda errors to responses suitable to return from lambda functions
+* @param e
+* @param headers
+* @param type
+* @param extras
+* @returns
+*/
+function response_error(e, headers, type = "", extras = {}) {
+	switch (e.type) {
+		case "badRequest": return {
+			headers,
+			statusCode: 400,
+			body: {
+				message: e.message,
+				type,
+				...field(e),
+				...extras
+			}
+		};
+		case "unauthorized": return {
+			headers,
+			statusCode: 401,
+			body: {
+				message: e.message,
+				type,
+				...extras
+			}
+		};
+		case "forbidden": return {
+			headers,
+			statusCode: 403,
+			body: {
+				message: e.message,
+				type,
+				...extras
+			}
+		};
+		case "notFound": return {
+			headers,
+			statusCode: 404,
+			body: {
+				message: e.message,
+				type,
+				...field(e),
+				...extras
+			}
+		};
+		case "conflict": return {
+			headers,
+			statusCode: 409,
+			body: {
+				message: e.message,
+				type,
+				...field(e),
+				...extras
+			}
+		};
+		default: return {
+			headers,
+			statusCode: 500,
+			body: {
+				message: "Unknown error",
+				type,
+				...extras
+			}
+		};
+	}
+}
+/**
+* Helper function to get a reasonable default error response from a valibot parse result
+* @param res - The output from calling safeParse on the input
+* @param headers - The headers to return in the response
+*/
+function response_valibotError(res, headers) {
+	const issue = res.issues[0];
+	if (issue.path && issue.path[0] && typeof issue.path[0].key === "string") return response_error(error_lambda_badRequest("Invalid input", issue.path[0].key, issue.message), headers);
+	else return response_error(error_lambda_badRequest(`Invalid input: ${issue.message}`), headers);
+}
+function response_ok(body, headers, cookies) {
+	return {
+		headers,
+		cookies,
+		statusCode: 200,
+		body
+	};
+}
+//#endregion
+//#region src/lambda/server/authentication.ts
+/**
+* Wraps cookies parse along with the api gateway event with neverthrow
+*/
+const getCookies = Result.fromThrowable((event) => {
+	if (!("headers" in event) || !event.headers) throw new Error("No headers in event");
+	const cookieString = Array.isArray(event.cookies) && event.cookies.length > 0 ? event.cookies.join("; ") : event.headers.Cookie || event.headers.cookie;
+	if (!cookieString) throw new Error("No cookies found in event");
+	return parse$1(cookieString);
+}, (e) => {
+	if (e instanceof Error) return error_lambda_unauthorized(e.message);
+	return error_lambda_unauthorized("Invalid Cookies");
+});
+//#endregion
+//#region src/cognito/client.ts
+/**
+* Convenience function if process.env.AWS_REGION is set
+*/
+function getCognitoClient() {
+	return new CognitoIdentityProviderClient({});
+}
+//#endregion
+//#region src/cognito/errors.ts
+const defaultErrors$3 = {
+	auth: {
+		type: "unauthorized",
+		message: "Not authorized"
+	},
+	forbidden: {
+		type: "forbidden",
+		message: "Forbidden"
+	},
+	invalidInput: {
+		type: "badRequest",
+		message: "There is an issue with your request"
+	},
+	userNotFound: {
+		type: "notFound",
+		message: "User not found"
+	},
+	resourceNotFound: {
+		type: "notFound",
+		message: "Resource not found"
+	},
+	tooManyRequests: {
+		type: "badRequest",
+		message: "Too many requests"
+	},
+	passwordPolicy: {
+		type: "badRequest",
+		message: "Password does not meet policy requirements"
+	},
+	passwordHistory: {
+		type: "conflict",
+		message: "Password was used recently"
+	},
+	passwordResetRequired: {
+		type: "badRequest",
+		message: "Password reset required"
+	},
+	codeExpired: {
+		type: "badRequest",
+		message: "Code expired"
+	},
+	codeMismatch: {
+		type: "badRequest",
+		message: "Invalid code"
+	},
+	delivery: {
+		type: "internal",
+		message: "Internal server error"
+	},
+	userExists: {
+		type: "conflict",
+		message: "User already exists"
+	},
+	conflict: {
+		type: "conflict",
+		message: "The request conflicts with the current Cognito resource state"
+	},
+	internal: {
+		type: "internal",
+		message: "Internal server error"
+	}
+};
+/** Wrap an unknown caught value as a Cognito-domain error for neverthrow flows. */
+function error_cognito(error) {
+	return {
+		type: "cognito",
+		error
+	};
+}
+/** Convert AWS SDK Cognito errors into a safe lambda error for API responses. */
+function error_lambda_fromCognito(e, options = {}) {
+	return fromReason$2(getCognitoReason(e.error), options);
+}
+/** Apply endpoint overrides and build the concrete lambda error object. */
+function fromReason$2(reason, options) {
+	const base = defaultErrors$3[reason];
+	const override = options[reason];
+	const args = {
+		...base,
+		...override
+	};
+	switch (args.type) {
+		case "badRequest": return error_lambda_badRequest(args.message, args.fieldName, args.fieldValue);
+		case "unauthorized": return error_lambda_unauthorized(args.message);
+		case "forbidden": return error_lambda_forbidden(args.message);
+		case "notFound": return error_lambda_notFound(args.message, args.fieldName, args.fieldValue);
+		case "conflict": return error_lambda_conflict(args.message, args.fieldName, args.fieldValue);
+		default: return error_lambda_internal(args.message);
+	}
+}
+/** Classify AWS SDK / Cognito service errors. */
+function getCognitoReason(error) {
+	switch (getErrorName$2(error)) {
+		case "NotAuthorizedException":
+		case "UnauthorizedException":
+		case "UserNotConfirmedException":
+		case "RefreshTokenReuseException": return "auth";
+		case "AccessDeniedException":
+		case "ForbiddenException": return "forbidden";
+		case "InvalidParameterException":
+		case "InvalidOAuthFlowException":
+		case "ScopeDoesNotExistException":
+		case "UnsupportedIdentityProviderException":
+		case "UnsupportedTokenTypeException": return "invalidInput";
+		case "UserNotFoundException": return "userNotFound";
+		case "ResourceNotFoundException":
+		case "MFAMethodNotFoundException":
+		case "SoftwareTokenMFANotFoundException":
+		case "WebAuthnChallengeNotFoundException": return "resourceNotFound";
+		case "LimitExceededException":
+		case "TooManyFailedAttemptsException":
+		case "TooManyRequestsException": return "tooManyRequests";
+		case "InvalidPasswordException": return "passwordPolicy";
+		case "PasswordHistoryPolicyViolationException": return "passwordHistory";
+		case "PasswordResetRequiredException": return "passwordResetRequired";
+		case "ExpiredCodeException": return "codeExpired";
+		case "CodeMismatchException": return "codeMismatch";
+		case "CodeDeliveryFailureException": return "delivery";
+		case "AliasExistsException":
+		case "DeviceKeyExistsException":
+		case "DuplicateProviderException":
+		case "GroupExistsException":
+		case "ManagedLoginBrandingExistsException":
+		case "TermsExistsException":
+		case "UsernameExistsException": return "userExists";
+		case "ConcurrentModificationException":
+		case "PreconditionNotMetException":
+		case "UnsupportedUserStateException": return "conflict";
+		case "EnableSoftwareTokenMFAException":
+		case "FeatureUnavailableInTierException":
+		case "InternalErrorException":
+		case "InternalServerException":
+		case "InvalidEmailRoleAccessPolicyException":
+		case "InvalidLambdaResponseException":
+		case "InvalidSmsRoleAccessPolicyException":
+		case "InvalidSmsRoleTrustRelationshipException":
+		case "InvalidUserPoolConfigurationException":
+		case "TierChangeNotAllowedException":
+		case "UnexpectedLambdaException":
+		case "UnsupportedOperationException":
+		case "UserImportInProgressException":
+		case "UserLambdaValidationException":
+		case "UserPoolAddOnNotEnabledException":
+		case "UserPoolTaggingException":
+		case "WebAuthnClientMismatchException":
+		case "WebAuthnConfigurationMissingException":
+		case "WebAuthnCredentialNotSupportedException":
+		case "WebAuthnNotEnabledException":
+		case "WebAuthnOriginNotAllowedException":
+		case "WebAuthnRelyingPartyMismatchException": return "internal";
+		default: return getHttpStatusReason$2(error);
+	}
+}
+function getHttpStatusReason$2(error) {
+	const status = getHttpStatusCode$2(error);
+	if (status === 400) return "invalidInput";
+	if (status === 401) return "auth";
+	if (status === 403) return "forbidden";
+	if (status === 404) return "resourceNotFound";
+	if (status === 409 || status === 412) return "conflict";
+	if (status === 429) return "tooManyRequests";
+	return "internal";
+}
+function getErrorName$2(error) {
+	if (!isRecord$2(error)) return void 0;
+	const name = error.name;
+	if (typeof name === "string") return name;
+	const code = error.code ?? error.Code;
+	if (typeof code === "string") return code;
+}
+function getHttpStatusCode$2(error) {
+	if (!isRecord$2(error)) return void 0;
+	const metadata = error.$metadata;
+	if (!isRecord$2(metadata)) return void 0;
+	return typeof metadata.httpStatusCode === "number" ? metadata.httpStatusCode : void 0;
+}
+function isRecord$2(value) {
+	return typeof value === "object" && value !== null;
+}
+//#endregion
+//#region src/cognito/user.ts
+/**
+* Performs an AdminGetUserCommand and extracts the user attributes into an object
+*/
+const getUserDetails = ResultAsync.fromThrowable(async (a) => {
+	console.log("getUserDetails: Getting details for user: ", a.username);
+	const res = await getCognitoClient().send(new AdminGetUserCommand({
+		UserPoolId: a.userPoolId,
+		Username: a.username
+	}));
+	return {
+		...res,
+		UserAttributes: extractAttributes(res.UserAttributes)
+	};
+}, (e) => {
+	console.error("getUserDetails:error:", e);
+	return error_cognito(e);
+});
+/**
+* @returns An object of attributes with their names as keys and values as values.
+*/
+function extractAttributes(attrs) {
+	const attributes = {};
+	if (attrs) {
+		for (const attr of attrs) if (attr.Name && attr.Value) attributes[attr.Name] = attr.Value;
+	}
+	return attributes;
+}
+/**
+* Performs an AdminGetUserCommand and extracts the user attributes into an object
+*/
+const getUserGroups = ResultAsync.fromThrowable(async (a) => {
+	console.log("getUserGroups: Getting groups for user: ", a.username);
+	return await getCognitoClient().send(new AdminListGroupsForUserCommand({
+		UserPoolId: a.userPoolId,
+		Username: a.username
+	}));
+}, (e) => {
+	console.error("getUserGroups:error:", e);
+	return error_cognito(e);
+});
+//#endregion
+//#region src/cognito/password.ts
+/**
+* Computes Cognito secret hash used for client-side authentication flows.
+*
+* @param username - Cognito username or alias.
+* @param clientId - Cognito app client ID.
+* @param clientSecret - Cognito app client secret.
+*/
+function computeSecretHash(username, clientId, clientSecret) {
+	console.log("computeSecretHash: ", username, clientId, clientSecret);
+	return createHmac("SHA256", clientSecret).update(username + clientId).digest("base64");
+}
+/**
+* Changes a user's password given a valid access token.
+*
+* @param accessToken - Access token for the authenticated user.
+* @param oldPassword - Current password.
+* @param newPassword - New password to set.
+*/
+const changePassword = ResultAsync.fromThrowable(async (accessToken, oldPassword, newPassword) => {
+	return getCognitoClient().send(new ChangePasswordCommand({
+		AccessToken: accessToken,
+		PreviousPassword: oldPassword,
+		ProposedPassword: newPassword
+	}));
+}, (e) => {
+	console.error("ChangePasswordCommand error", e);
+	return error_cognito(e);
+});
+/**
+* Completes a forgot-password flow by submitting the confirmation code and new password.
+*
+* @param a.username - Cognito username or alias.
+* @param a.confirmationCode - Code sent by Cognito to the user.
+* @param a.newPassword - New password to set.
+* @param a.clientId - Cognito app client ID.
+* @param a.clientSecret - Cognito app client secret.
+*/
+const confirmForgotPassword = ResultAsync.fromThrowable((a) => {
+	return getCognitoClient().send(new ConfirmForgotPasswordCommand({
+		ClientId: a.clientId,
+		Username: a.username,
+		ConfirmationCode: a.confirmationCode,
+		Password: a.newPassword,
+		SecretHash: computeSecretHash(a.username, a.clientId, a.clientSecret)
+	}));
+}, (e) => {
+	console.error("ConfirmForgotPasswordCommand error", e);
+	return error_cognito(e);
+});
+/**
+* Confirms a user's signup using the confirmation code sent by Cognito.
+*
+* @param a.username - Cognito username or alias.
+* @param a.confirmationCode - Code sent to the user after signup.
+* @param a.clientId - Cognito app client ID.
+* @param a.clientSecret - Cognito app client secret.
+*/
+const confirmSignup = ResultAsync.fromThrowable((a) => {
+	return getCognitoClient().send(new ConfirmSignUpCommand({
+		ClientId: a.clientId,
+		Username: a.username,
+		ConfirmationCode: a.confirmationCode,
+		SecretHash: computeSecretHash(a.username, a.clientId, a.clientSecret)
+	}));
+}, (e) => {
+	console.error("ConfirmSignUpCommand error", e);
+	return error_cognito(e);
+});
+/**
+* Starts a forgot-password flow by sending a reset code to the user.
+*
+* @param a.username - Cognito username or alias.
+* @param a.clientId - Cognito app client ID.
+* @param a.clientSecret - Cognito app client secret.
+*/
+const forgotPassword = ResultAsync.fromThrowable((a) => {
+	return getCognitoClient().send(new ForgotPasswordCommand({
+		ClientId: a.clientId,
+		Username: a.username,
+		SecretHash: computeSecretHash(a.username, a.clientId, a.clientSecret)
+	}));
+}, (e) => {
+	console.error("ForgotPasswordCommand error", e);
+	return error_cognito(e);
+});
+/**
+* Signs a user in with ADMIN_USER_PASSWORD_AUTH.
+*
+* @param a.username - Cognito username or alias.
+* @param a.password - User password.
+* @param a.clientId - Cognito app client ID.
+* @param a.clientSecret - Cognito app client secret.
+* @param a.userPoolId - Cognito user pool ID.
+*/
+const login = ResultAsync.fromThrowable((a) => {
+	return getCognitoClient().send(new AdminInitiateAuthCommand({
+		AuthFlow: "ADMIN_USER_PASSWORD_AUTH",
+		ClientId: a.clientId,
+		UserPoolId: a.userPoolId,
+		AuthParameters: {
+			USERNAME: a.username,
+			PASSWORD: a.password,
+			SECRET_HASH: computeSecretHash(a.username, a.clientId, a.clientSecret)
+		}
+	}));
+}, (e) => {
+	console.error("AdminInitiateAuthCommand error", e);
+	return error_cognito(e);
+});
+/**
+* Exchanges a refresh token for new tokens.
+*
+* @param a.username - Cognito username or alias used to compute secret hash.
+* @param a.refreshToken - Refresh token to exchange.
+* @param a.clientId - Cognito app client ID.
+* @param a.clientSecret - Cognito app client secret.
+* @param a.userPoolId - Cognito user pool ID.
+*/
+const refreshTokens = ResultAsync.fromThrowable((a) => {
+	return getCognitoClient().send(new AdminInitiateAuthCommand({
+		AuthFlow: "REFRESH_TOKEN_AUTH",
+		ClientId: a.clientId,
+		UserPoolId: a.userPoolId,
+		AuthParameters: {
+			REFRESH_TOKEN: a.refreshToken,
+			SECRET_HASH: computeSecretHash(a.username, a.clientId, a.clientSecret)
+		}
+	}));
+}, (e) => {
+	console.error("refreshTokens: AdminInitiateAuthCommand error", e);
+	return error_cognito(e);
+});
+/**
+* Globally signs out a user by invalidating all refresh tokens.
+*
+* @param accessToken - Access token for the authenticated user.
+*/
+const logout = ResultAsync.fromThrowable((accessToken) => {
+	return getCognitoClient().send(new GlobalSignOutCommand({ AccessToken: accessToken }));
+}, (e) => {
+	console.error("GlobalSignOutCommand error", e);
+	return error_cognito(e);
+});
+/**
+* Completes a NEW_PASSWORD_REQUIRED challenge for users who must set a new password.
+*
+* @param a.session - Session returned from the auth challenge.
+* @param a.newPassword - New password to set.
+* @param a.username - Cognito username or alias.
+* @param a.clientId - Cognito app client ID.
+* @param a.clientSecret - Cognito app client secret.
+*/
+const resetPassword = ResultAsync.fromThrowable((a) => {
+	return getCognitoClient().send(new RespondToAuthChallengeCommand({
+		ChallengeName: "NEW_PASSWORD_REQUIRED",
+		ClientId: a.clientId,
+		Session: a.session,
+		ChallengeResponses: {
+			SECRET_HASH: computeSecretHash(a.username, a.clientId, a.clientSecret),
+			NEW_PASSWORD: a.newPassword,
+			USERNAME: a.username
+		}
+	}));
+}, (e) => {
+	console.error("RespondToAuthChallengeCommand error", e);
+	return error_cognito(e);
+});
+/**
+* Registers a new user with Cognito and optional custom attributes.
+*
+* @param a.username - Cognito username.
+* @param a.password - User password.
+* @param a.clientId - Cognito app client ID.
+* @param a.clientSecret - Cognito app client secret.
+* @param a.<attribute> - Any additional user attributes to set.
+*/
+const signUp = ResultAsync.fromThrowable((a) => {
+	const cognitoClient = getCognitoClient();
+	const secretHash = computeSecretHash(a.username, a.clientId, a.clientSecret);
+	return cognitoClient.send(new SignUpCommand({
+		ClientId: a.clientId,
+		Username: a.username,
+		Password: a.password,
+		SecretHash: secretHash,
+		UserAttributes: Object.entries(a).filter(([key]) => ![
+			"username",
+			"password",
+			"clientId",
+			"clientSecret"
+		].includes(key)).map(([key, value]) => ({
+			Name: key,
+			Value: value
+		}))
+	}));
+}, (e) => {
+	console.error("SignUpCommand error", e);
+	return error_cognito(e);
+});
+/**
+* Exchanges an OAuth2 authorization code for Cognito tokens using the token endpoint.
+* See https://docs.aws.amazon.com/cognito/latest/developerguide/token-endpoint.html for request/response fields and grant details.
+*
+* @param a.code - Authorization code returned by the hosted UI.
+* @param a.redirectUri - Redirect URI registered with the app client.
+* @param a.clientId - Cognito app client ID.
+* @param a.clientSecret - Cognito app client secret used for Basic Auth.
+* @param a.cognitoDomain - Cognito domain URL (e.g., your-domain.auth.region.amazoncognito.com).
+* @returns Parsed token payload containing `access_token`, `id_token`, `refresh_token`, token type, and expiry.
+*/
+const verifyOAuthToken = ResultAsync.fromThrowable(async (a) => {
+	const basicAuth = Buffer.from(`${a.clientId}:${a.clientSecret}`).toString("base64");
+	const params = new URLSearchParams();
+	params.append("grant_type", "authorization_code");
+	params.append("code", a.code);
+	params.append("redirect_uri", a.redirectUri);
+	console.log("verifyOAuthToken: params", params.toString());
+	const tokenRes = await fetch(`https://${a.cognitoDomain}/oauth2/token`, {
+		method: "POST",
+		headers: {
+			"Content-Type": "application/x-www-form-urlencoded",
+			Authorization: `Basic ${basicAuth}`
+		},
+		body: params.toString()
+	});
+	if (!tokenRes.ok) {
+		console.error("verifyOAuthToken: token exchange failed", await tokenRes.text());
+		throw Object.assign(/* @__PURE__ */ new Error("OAuth token exchange failed"), { name: "NotAuthorizedException" });
+	}
+	return await tokenRes.json();
+}, (e) => {
+	console.error("verifyOAuthToken:error", e);
+	return error_cognito(e);
+});
+/**
+* Exchanges an OAuth2 refresh token for Cognito tokens using the oauth token endpoint.
+* See https://docs.aws.amazon.com/cognito/latest/developerguide/token-endpoint.html for request/response fields and grant details.
+*
+* @param a.redirectUri - Redirect URI registered with the app client.
+* @param a.clientId - Cognito app client ID.
+* @param a.clientSecret - Cognito app client secret used for Basic Auth.
+* @param a.cognitoDomain - Cognito domain URL (e.g., your-domain.auth.region.amazoncognito.com).
+* @returns Parsed token payload containing `access_token`, `id_token`, `refresh_token`, token type, and expiry.
+*/
+const refreshOAuthToken = ResultAsync.fromThrowable(async (a) => {
+	const basicAuth = Buffer.from(`${a.clientId}:${a.clientSecret}`).toString("base64");
+	const params = new URLSearchParams();
+	params.append("grant_type", "refresh_token");
+	params.append("refresh_token", a.refreshToken);
+	console.log("refreshOAuthToken: params", params.toString());
+	const tokenRes = await fetch(`https://${a.cognitoDomain}/oauth2/token`, {
+		method: "POST",
+		headers: {
+			"Content-Type": "application/x-www-form-urlencoded",
+			Authorization: `Basic ${basicAuth}`
+		},
+		body: params.toString()
+	});
+	if (!tokenRes.ok) {
+		console.error("refreshOAuthToken: token exchange failed", await tokenRes.text());
+		throw Object.assign(/* @__PURE__ */ new Error("OAuth token refresh failed"), { name: "NotAuthorizedException" });
+	}
+	return await tokenRes.json();
+}, (e) => {
+	console.error("refreshOAuthToken:error", e);
+	return error_cognito(e);
+});
+//#endregion
+//#region src/s3/client.ts
+/**
+* Convenience function for S3Client when process.env.REGION is set
+*/
+function getS3() {
+	return new S3Client({});
+}
+//#endregion
+//#region src/utils/errors.ts
+function isRecord(value) {
+	return typeof value === "object" && value !== null;
+}
+function getErrorName(error) {
+	if (!isRecord(error)) return void 0;
+	const name = error.name;
+	if (typeof name === "string") return name;
+	const code = error.code ?? error.Code;
+	if (typeof code === "string") return code;
+}
+//#endregion
+//#region src/s3/errors.ts
+const defaultErrors$2 = {
+	invalidInput: {
+		type: "badRequest",
+		message: "Invalid S3 request"
+	},
+	objectNotFound: {
+		type: "notFound",
+		message: "S3 object not found"
+	},
+	bucketNotFound: {
+		type: "internal",
+		message: "Internal server error"
+	},
+	conflict: {
+		type: "conflict",
+		message: "The request conflicts with the current S3 resource state"
+	},
+	throttled: {
+		type: "internal",
+		message: "Internal server error"
+	},
+	accessDenied: {
+		type: "internal",
+		message: "Internal server error"
+	},
+	internal: {
+		type: "internal",
+		message: "Internal server error"
+	}
+};
+/** Wrap an unknown caught value as an S3-domain error for neverthrow flows. */
+function error_s3(error) {
+	return {
+		type: "s3",
+		error
+	};
+}
+/** Convert AWS SDK S3 errors into a safe lambda error for API responses. */
+function error_lambda_fromS3(e, options = {}) {
+	const reason = getS3Reason(e.error);
+	const base = defaultErrors$2[reason];
+	const override = options[reason];
+	const args = {
+		...base,
+		...override
+	};
+	switch (args.type) {
+		case "badRequest": return error_lambda_badRequest(args.message, args.fieldName, args.fieldValue);
+		case "unauthorized": return error_lambda_unauthorized(args.message);
+		case "forbidden": return error_lambda_forbidden(args.message);
+		case "notFound": return error_lambda_notFound(args.message, args.fieldName, args.fieldValue);
+		case "conflict": return error_lambda_conflict(args.message, args.fieldName, args.fieldValue);
+		default: return error_lambda_internal(args.message);
+	}
+}
+/** Returns true for normal S3 object-missing responses. */
+function is_s3_notFound(error) {
+	return getS3Reason(error) === "objectNotFound";
+}
+/** Classify AWS SDK / S3 service errors. */
+function getS3Reason(error) {
+	switch (getErrorName(error)) {
+		case "NoSuchKey":
+		case "NotFound":
+		case "NoSuchVersion": return "objectNotFound";
+		case "NoSuchBucket":
+		case "NoSuchBucketPolicy":
+		case "NoSuchLifecycleConfiguration":
+		case "NoLoggingStatusForKey": return "bucketNotFound";
+		case "AmbiguousGrantByEmailAddress":
+		case "BadDigest":
+		case "EntityTooLarge":
+		case "EntityTooSmall":
+		case "IncompleteBody":
+		case "IncorrectNumberOfFilesInPostRequest":
+		case "InlineDataTooLarge":
+		case "InvalidAddressingHeader":
+		case "InvalidArgument":
+		case "InvalidBucketName":
+		case "InvalidDigest":
+		case "InvalidLocationConstraint":
+		case "InvalidPart":
+		case "InvalidPartOrder":
+		case "InvalidPayer":
+		case "InvalidPolicyDocument":
+		case "InvalidRange":
+		case "InvalidRequest":
+		case "InvalidSOAPRequest":
+		case "InvalidStorageClass":
+		case "InvalidTargetBucketForLogging":
+		case "InvalidURI":
+		case "KeyTooLongError":
+		case "MalformedACLError":
+		case "MalformedPOSTRequest":
+		case "MalformedXML":
+		case "MaxMessageLengthExceeded":
+		case "MaxPostPreDataLengthExceededError":
+		case "MetadataTooLarge":
+		case "MissingAttachment":
+		case "MissingContentLength":
+		case "MissingRequestBodyError":
+		case "RequestIsNotMultiPartContent":
+		case "RequestTorrentOfBucketError":
+		case "NoSuchUpload": return "invalidInput";
+		case "BucketAlreadyExists":
+		case "BucketAlreadyOwnedByYou":
+		case "BucketNotEmpty":
+		case "EncryptionTypeMismatch":
+		case "IdempotencyParameterMismatch":
+		case "IllegalVersioningConfigurationException":
+		case "InvalidBucketState":
+		case "InvalidEncryptionAlgorithmError":
+		case "InvalidObjectState":
+		case "InvalidWriteOffset":
+		case "ObjectAlreadyInActiveTierError":
+		case "ObjectNotInActiveTierError":
+		case "OperationAborted":
+		case "PreconditionFailed":
+		case "RestoreAlreadyInProgress":
+		case "TooManyParts": return "conflict";
+		case "RequestLimitExceeded":
+		case "RequestTimeout":
+		case "ServiceUnavailable":
+		case "SlowDown":
+		case "Throttling":
+		case "ThrottlingException": return "throttled";
+		case "AccessDenied":
+		case "AccountProblem":
+		case "AllAccessDisabled":
+		case "CredentialsNotSupported":
+		case "CrossLocationLoggingProhibited":
+		case "ExpiredToken":
+		case "InvalidAccessKeyId":
+		case "InvalidSecurity":
+		case "InvalidToken":
+		case "MethodNotAllowed":
+		case "MissingSecurityElement":
+		case "MissingSecurityHeader":
+		case "NotSignedUp":
+		case "SignatureDoesNotMatch": return "accessDenied";
+		case "AuthorizationHeaderMalformed":
+		case "InternalError":
+		case "NotImplemented":
+		case "PermanentRedirect":
+		case "Redirect":
+		case "RequestTimeTooSkewed":
+		case "TemporaryRedirect": return "internal";
+		default: return getHttpStatusReason$1(error);
+	}
+}
+function getHttpStatusReason$1(error) {
+	const status = getHttpStatusCode$1(error);
+	if (status === 400) return "invalidInput";
+	if (status === 404) return "objectNotFound";
+	if (status === 409 || status === 412) return "conflict";
+	if (status === 429 || status === 503) return "throttled";
+	if (status === 401 || status === 403) return "accessDenied";
+	return "internal";
+}
+function getHttpStatusCode$1(error) {
+	if (!isRecord(error)) return void 0;
+	const metadata = error.$metadata;
+	if (!isRecord(metadata)) return void 0;
+	return typeof metadata.httpStatusCode === "number" ? metadata.httpStatusCode : void 0;
+}
+//#endregion
+//#region src/s3/signedUrl.ts
+const getSignedUrl = ResultAsync.fromThrowable(getSignedUrl$1, (e) => {
+	console.error("getSignedUrl: Failed to get signed url", e);
+	error_s3(e);
+});
+//#endregion
+//#region src/s3/object.ts
+/**
+* Retrieves an object from an S3 bucket.
+*
+* @param {string} bucketName - The name of the S3 bucket.
+* @param {string} key - The key of the object to retrieve.
+* @returns {Promise<Buffer>} A promise that resolves to the object data as a Buffer.
+*/
+const getObject = ResultAsync.fromThrowable(async (bucketName, key) => {
+	const s3 = getS3();
+	const cmd = new GetObjectCommand({
+		Bucket: bucketName,
+		Key: key
+	});
+	const stream = (await s3.send(cmd)).Body;
+	return new Promise((resolve, reject) => {
+		const chunks = [];
+		stream.on("data", (chunk) => chunks.push(chunk));
+		stream.on("end", () => resolve(Buffer.concat(chunks)));
+		stream.on("error", reject);
+	});
+}, (e) => {
+	console.error(`getObjectt: Error getting object from S3: ${e}`);
+	return error_s3(e);
+});
+/**
+* Convenience function to get an object from S3 and return it as a string.
+*/
+function getObjectString(bucketName, key) {
+	return getObject(bucketName, key).map((buffer) => buffer.toString("utf-8"));
+}
+/**
+* Checks if an object exists in an s3 bucket by retrieving the HEAD data
+*
+* @param {string} bucketName - The name of the S3 bucket.
+* @param {string} key - The key of the object to retrieve.
+* @returns {Promise<Buffer>} A promise that resolves to a boolean.
+*/
+const objectExists = ResultAsync.fromThrowable(async (bucketName, key) => {
+	const s3 = getS3();
+	try {
+		const cmd = new HeadObjectCommand({
+			Bucket: bucketName,
+			Key: key
+		});
+		return (await s3.send(cmd)).$metadata.httpStatusCode === 200;
+	} catch (e) {
+		if (is_s3_notFound(e)) return false;
+		throw e;
+	}
+}, (e) => {
+	console.error(`objectExists: Error getting object head from S3: ${e}`);
+	return error_s3(e);
+});
+//#endregion
+//#region src/dynamo/errors.ts
+const defaultErrors$1 = {
+	invalidInput: {
+		type: "badRequest",
+		message: "Invalid request"
+	},
+	conditionalCheckFailed: {
+		type: "conflict",
+		message: "The request conflicts with the current resource state"
+	},
+	transactionConflict: {
+		type: "conflict",
+		message: "The request conflicts with the current resource state"
+	},
+	resourceNotFound: {
+		type: "internal",
+		message: "Internal server error"
+	},
+	throttled: {
+		type: "internal",
+		message: "Internal server error"
+	},
+	accessDenied: {
+		type: "internal",
+		message: "Internal server error"
+	},
+	internal: {
+		type: "internal",
+		message: "Internal server error"
+	}
+};
+/** Wrap an unknown caught value as a Dynamo-domain error for neverthrow flows. */
+function error_dynamo(error) {
+	return {
+		type: "dynamo",
+		error
+	};
+}
+/** Convert DynamoDB Toolbox or AWS SDK errors into a safe lambda error for API responses. */
+function error_lambda_fromDynamo(e, options = {}) {
+	if (e.error instanceof DynamoDBToolboxError) return fromReason$1(getToolboxReason(e.error), options, toolboxField(e.error, options.includeToolboxPath));
+	return fromReason$1(getAwsReason(e.error), options);
+}
+/** Apply endpoint overrides and build the concrete lambda error object. */
+function fromReason$1(reason, options, defaults = {}) {
+	const base = {
+		...defaultErrors$1[reason],
+		...defaults
+	};
+	const override = options[reason];
+	const args = {
+		...base,
+		...override
+	};
+	switch (args.type) {
+		case "badRequest": return error_lambda_badRequest(args.message, args.fieldName, args.fieldValue);
+		case "unauthorized": return error_lambda_unauthorized(args.message);
+		case "forbidden": return error_lambda_forbidden(args.message);
+		case "notFound": return error_lambda_notFound(args.message, args.fieldName, args.fieldValue);
+		case "conflict": return error_lambda_conflict(args.message, args.fieldName, args.fieldValue);
+		default: return error_lambda_internal(args.message);
+	}
+}
+/** Classify errors produced by Toolbox before sending, or while formatting returned items. */
+function getToolboxReason(error) {
+	if (error.code.startsWith("parsing.") || error.code === "actions.parsePrimaryKey.invalidKeyPart") return "invalidInput";
+	if (error.code.startsWith("formatter.") || error.code.startsWith("schema.") || error.code.startsWith("entity.")) return "internal";
+	switch (error.code) {
+		case "actions.invalidCondition":
+		case "actions.invalidExpressionAttributePath":
+		case "queryCommand.invalidIndex":
+		case "queryCommand.invalidPartition":
+		case "queryCommand.invalidProjectionExpression":
+		case "queryCommand.invalidRange":
+		case "queryCommand.invalidReverseOption":
+		case "scanCommand.invalidProjectionExpression":
+		case "scanCommand.invalidSegmentOption":
+		case "batchGetCommand.invalidProjectionExpression":
+		case "options.invalidCapacityOption":
+		case "options.invalidClientRequestToken":
+		case "options.invalidConsistentOption":
+		case "options.invalidIndexOption":
+		case "options.invalidLimitOption":
+		case "options.invalidMaxPagesOption":
+		case "options.invalidMetricsOption":
+		case "options.invalidReturnValuesOption":
+		case "options.invalidReturnValuesOnConditionFalseOption":
+		case "options.invalidSelectOption": return "invalidInput";
+		case "actions.incompleteAction":
+		case "actions.invalidAction":
+		case "actions.missingDocumentClient":
+		case "queryCommand.invalidTagEntitiesOption":
+		case "queryCommand.noEntityMatched":
+		case "scanCommand.noEntityMatched":
+		case "options.invalidEntityAttrFilterOption":
+		case "options.invalidNoEntityMatchBehaviorOption":
+		case "options.invalidShowEntityAttrOption":
+		case "options.invalidTableNameOption":
+		case "options.unknownOption":
+		case "table.missingTableName": return "internal";
+		default: return "internal";
+	}
+}
+function toolboxField(error, includeToolboxPath) {
+	if (!includeToolboxPath || typeof error.path !== "string") return {};
+	return {
+		fieldName: error.path,
+		fieldValue: error.message
+	};
+}
+/** Classify AWS SDK / DynamoDB service errors that bubble out of Toolbox send calls. */
+function getAwsReason(error) {
+	switch (getErrorName(error)) {
+		case "ConditionalCheckFailedException": return "conditionalCheckFailed";
+		case "TransactionCanceledException": return getTransactionReason(error);
+		case "TransactionConflictException":
+		case "ReplicatedWriteConflictException":
+		case "IdempotentParameterMismatchException":
+		case "ItemCollectionSizeLimitExceededException": return "transactionConflict";
+		case "ValidationException": return "invalidInput";
+		case "ResourceNotFoundException": return "resourceNotFound";
+		case "ProvisionedThroughputExceededException":
+		case "RequestLimitExceeded":
+		case "ThrottlingException":
+		case "ThrottlingError": return "throttled";
+		case "AccessDeniedException":
+		case "ExpiredTokenException":
+		case "IncompleteSignatureException":
+		case "InvalidSignatureException":
+		case "UnrecognizedClientException": return "accessDenied";
+		default: return "internal";
+	}
+}
+/** Pick the most useful public reason from DynamoDB transaction cancellation details. */
+function getTransactionReason(error) {
+	const cancellationReasons = getCancellationReasons(error);
+	if (cancellationReasons.some((reason) => reason === "ConditionalCheckFailed")) return "conditionalCheckFailed";
+	if (cancellationReasons.some((reason) => reason === "TransactionConflict")) return "transactionConflict";
+	if (cancellationReasons.some((reason) => reason === "ValidationError")) return "invalidInput";
+	if (cancellationReasons.some((reason) => [
+		"ProvisionedThroughputExceeded",
+		"RequestLimitExceeded",
+		"ThrottlingError"
+	].includes(reason))) return "throttled";
+	return "internal";
+}
+function getCancellationReasons(error) {
+	if (!isRecord(error)) return [];
+	const cancellationReasons = error.CancellationReasons ?? error.cancellationReasons;
+	if (!Array.isArray(cancellationReasons)) return [];
+	return cancellationReasons.map((reason) => isRecord(reason) && typeof reason.Code === "string" ? reason.Code : void 0).filter((reason) => reason !== void 0);
+}
+//#endregion
+//#region src/ses/errors.ts
+const defaultErrors = {
+	invalidInput: {
+		type: "badRequest",
+		message: "Invalid SES request"
+	},
+	messageRejected: {
+		type: "badRequest",
+		message: "Email message was rejected"
+	},
+	identityNotVerified: {
+		type: "internal",
+		message: "Internal server error"
+	},
+	notFound: {
+		type: "internal",
+		message: "Internal server error"
+	},
+	alreadyExists: {
+		type: "conflict",
+		message: "SES resource already exists"
+	},
+	conflict: {
+		type: "conflict",
+		message: "The request conflicts with the current SES resource state"
+	},
+	throttled: {
+		type: "internal",
+		message: "Internal server error"
+	},
+	accessDenied: {
+		type: "internal",
+		message: "Internal server error"
+	},
+	internal: {
+		type: "internal",
+		message: "Internal server error"
+	}
+};
+/** Wrap an unknown caught value as an SES-domain error for neverthrow flows. */
+function error_ses(error) {
+	return {
+		type: "ses",
+		error
+	};
+}
+/** Convert AWS SDK SES errors into a safe lambda error for API responses. */
+function error_lambda_fromSes(e, options = {}) {
+	return fromReason(getSesReason(e.error), options);
+}
+/** Apply endpoint overrides and build the concrete lambda error object. */
+function fromReason(reason, options) {
+	const base = defaultErrors[reason];
+	const override = options[reason];
+	const args = {
+		...base,
+		...override
+	};
+	switch (args.type) {
+		case "badRequest": return error_lambda_badRequest(args.message, args.fieldName, args.fieldValue);
+		case "unauthorized": return error_lambda_unauthorized(args.message);
+		case "forbidden": return error_lambda_forbidden(args.message);
+		case "notFound": return error_lambda_notFound(args.message, args.fieldName, args.fieldValue);
+		case "conflict": return error_lambda_conflict(args.message, args.fieldName, args.fieldValue);
+		default: return error_lambda_internal(args.message);
+	}
+}
+/** Classify AWS SDK / SES service errors. */
+function getSesReason(error) {
+	switch (getErrorName$1(error)) {
+		case "BadRequestException":
+		case "CustomVerificationEmailInvalidContentException":
+		case "InvalidParameterValue":
+		case "InvalidPolicyException":
+		case "InvalidRenderingParameterException":
+		case "InvalidSnsTopic":
+		case "InvalidSnsTopicException":
+		case "InvalidTemplateException":
+		case "InvalidTrackingOptionsException":
+		case "MissingRenderingAttributeException": return "invalidInput";
+		case "MessageRejected":
+		case "MessageRejectedException": return "messageRejected";
+		case "ConfigurationSetDoesNotExist":
+		case "ConfigurationSetDoesNotExistException":
+		case "NotFoundException":
+		case "RuleSetDoesNotExist":
+		case "TemplateDoesNotExist":
+		case "TemplateDoesNotExistException": return "notFound";
+		case "AlreadyExistsException":
+		case "ConfigurationSetAlreadyExists":
+		case "RuleSetNameAlreadyExists":
+		case "TemplateNameAlreadyExists": return "alreadyExists";
+		case "AccountSendingPausedException":
+		case "ConfigurationSetSendingPausedException":
+		case "ConcurrentModificationException":
+		case "ConflictException":
+		case "MailFromDomainNotVerified":
+		case "MailFromDomainNotVerifiedException":
+		case "SendingPausedException": return "conflict";
+		case "FromEmailAddressNotVerified":
+		case "IdentityNotVerifiedException": return "identityNotVerified";
+		case "LimitExceededException":
+		case "Throttling":
+		case "ThrottlingException":
+		case "TooManyRequestsException": return "throttled";
+		case "AccessDeniedException":
+		case "AccountSuspendedException":
+		case "ExpiredTokenException":
+		case "InvalidClientTokenId":
+		case "InvalidSignatureException":
+		case "ProductionAccessNotGrantedException":
+		case "SignatureDoesNotMatch":
+		case "UnauthorizedException": return "accessDenied";
+		case "InternalFailure":
+		case "InternalServerError":
+		case "InternalServiceError":
+		case "ServiceUnavailable": return "internal";
+		default: return getHttpStatusReason(error);
+	}
+}
+function getHttpStatusReason(error) {
+	const status = getHttpStatusCode(error);
+	if (status === 400) return "invalidInput";
+	if (status === 401) return "accessDenied";
+	if (status === 403) return "accessDenied";
+	if (status === 404) return "notFound";
+	if (status === 409 || status === 412) return "conflict";
+	if (status === 429) return "throttled";
+	return "internal";
+}
+function getErrorName$1(error) {
+	if (!isRecord$1(error)) return void 0;
+	const name = error.name;
+	if (typeof name === "string") return name;
+	const code = error.code ?? error.Code;
+	if (typeof code === "string") return code;
+}
+function getHttpStatusCode(error) {
+	if (!isRecord$1(error)) return void 0;
+	const metadata = error.$metadata;
+	if (!isRecord$1(metadata)) return void 0;
+	return typeof metadata.httpStatusCode === "number" ? metadata.httpStatusCode : void 0;
+}
+function isRecord$1(value) {
+	return typeof value === "object" && value !== null;
+}
+//#endregion
+//#region src/rehype/flat-toc.ts
+/**
+* This rehype plugin extracts the headings from the markdown elements but also the raw elements.
+* So we get html headings in the TOC as well
+*
+* It sets the file.data.fm.toc to a flat map of the toc
+*/
+const extractToc = () => {
+	return (tree, file) => {
+		const details = tree.children.flatMap(extractDetails);
+		if (file.data.fm === void 0) file.data.fm = {};
+		file.data.fm.toc = details;
+	};
+};
+function extractDetails(content) {
+	if (content.type === "element" && content.tagName.startsWith("h") && "id" in content.properties) {
+		const value = content.children.length === 1 && content.children[0].type === "text" ? content.children[0].value : content.properties.id;
+		return [{
+			level: parseInt(content.tagName.slice(1)),
+			id: content.properties.id,
+			value
+		}];
+	} else if (content.type === "raw") return parseRaw(content.value).flatMap(extractDetails);
+	return [];
+}
+/**
+* Parses raw HTML and returns a flat array of all heading (h1-h6) elements as HAST nodes.
+*/
+function parseRaw(raw) {
+	const tree = unified().use(rehypeParse, { fragment: true }).parse(raw);
+	function collectHeadings(node) {
+		if (node.type === "element" && /^h[1-6]$/.test(node.tagName)) return [node];
+		if ("children" in node && Array.isArray(node.children)) return node.children.flatMap(collectHeadings);
+		return [];
+	}
+	return tree.children.flatMap(collectHeadings);
+}
+//#endregion
+//#region src/utils/valibot.ts
+function isSchema(x) {
+	return !!x && typeof x === "object" && "kind" in x && x["kind"] === "schema";
+}
+function unwrap(schema) {
+	let curr = schema;
+	const seen = /* @__PURE__ */ new Set();
+	while (curr && typeof curr === "object" && !seen.has(curr) && "wrapped" in curr && isSchema(curr.wrapped)) {
+		seen.add(curr);
+		curr = curr.wrapped;
+	}
+	return curr;
+}
+function isIntegerKey(s) {
+	return /^-?\d+$/.test(s);
+}
+function getSchemaByPath(root, path, opts = {}) {
+	if (!isSchema(root)) return void 0;
+	if (!path) return root;
+	const keys = path.split(".");
+	let curr = root;
+	for (let i = 0; i < keys.length; i++) {
+		if (!curr) return void 0;
+		curr = unwrap(curr);
+		const seg = keys[i];
+		switch (curr.type) {
+			case "object": {
+				const entries = curr.entries;
+				if (!entries) return void 0;
+				curr = entries[seg];
+				break;
+			}
+			case "record":
+				curr = curr.value;
+				break;
+			case "array":
+				if (!isIntegerKey(seg)) return void 0;
+				curr = curr.item;
+				break;
+			case "tuple": {
+				if (!isIntegerKey(seg)) return void 0;
+				const idx = Number(seg);
+				const items = curr.items;
+				const rest = curr.rest;
+				if (!items) return void 0;
+				curr = idx < items.length ? items[idx] : rest;
+				break;
+			}
+			case "union": {
+				const options = curr.options;
+				if (!options?.length) return void 0;
+				const numeric = isIntegerKey(seg);
+				let next;
+				if (numeric) next = options.find((o) => {
+					const u = unwrap(o);
+					return u?.type === "array" || u?.type === "tuple";
+				}) ?? options[opts.preferOption ?? 0];
+				else next = options.find((o) => {
+					const u = unwrap(o);
+					if (u?.type === "object") {
+						const ent = u.entries;
+						return !!ent && seg in ent;
+					}
+					return u?.type === "record";
+				}) ?? options[opts.preferOption ?? 0];
+				curr = next;
+				i--;
+				break;
+			}
+			case "variant": {
+				const options = curr.options;
+				if (!options?.length) return void 0;
+				const numeric = isIntegerKey(seg);
+				let next;
+				if (numeric) next = options.find((o) => {
+					const u = unwrap(o);
+					return u?.type === "array" || u?.type === "tuple";
+				}) ?? options[opts.preferOption ?? 0];
+				else next = options.find((o) => {
+					const u = unwrap(o);
+					if (u?.type === "object") {
+						const ent = u.entries;
+						return !!ent && seg in ent;
+					}
+					return u?.type === "record";
+				}) ?? options[opts.preferOption ?? 0];
+				curr = next;
+				i--;
+				break;
+			}
+			default: return;
+		}
+	}
+	return curr ? unwrap(curr) : void 0;
+}
+//#endregion
+//#region src/utils/object.ts
+/**
+* Sets the value for an object by its dot path
+* @param obj - any object
+* @param path - the dot path eg. key1.0.1.key2
+* @param value - any value
+* @returns - the modified object
+*/
+function setByPath(obj, path, value) {
+	const keys = path.split(".");
+	let curr = obj;
+	for (let i = 0; i < keys.length - 1; i++) {
+		const k = keys[i];
+		const next = keys[i + 1];
+		if (Number.isInteger(Number(next))) curr[k] ??= [];
+		else curr[k] ??= {};
+		curr = curr[k];
+	}
+	curr[keys[keys.length - 1]] = value;
+	return obj;
+}
+/**
+* Gets the value from an object by its dot path
+* @param obj - any object
+* @param path - the dot path eg. key1.0.1.key2
+* @returns - the value at the given path or undefined
+*/
+function getByPath(obj, path) {
+	if (!obj || typeof obj !== "object") return void 0;
+	const keys = path.split(".");
+	let curr = obj;
+	for (const k of keys) {
+		if (curr == null) return void 0;
+		curr = curr[k];
+	}
+	return curr;
+}
+const isPlainRecord = (v) => isObject(v) && !Array.isArray(v);
+/**
+* Returns a deep "patch" object containing only the fields from `b`
+* that are different from `a`.
+*
+* Behavior:
+* - Only keys from `b` can appear in the result.
+* - New keys in `b` are included.
+* - Changed primitive/array values are included as the value from `b`.
+* - For nested plain objects, it recurses and returns only the differing nested fields.
+* - Arrays are treated as atomic (if different, the whole array from `b` is returned).
+*
+* Typing:
+* - Output is `DeepPartial<B>` because only a subset of `b`'s shape is returned.
+*
+* @template A
+* @template B
+* @param {A} a - Base/original object (can be a different shape than `b`).
+* @param {B} b - Updated object; output keys come from this object.
+* @returns {DeepPartial<B>} Deep partial of `b` containing only differences vs `a`.
+*/
+const deepDiff = (a, b) => {
+	const out = {};
+	for (const key of Object.keys(b)) {
+		const aVal = a?.[key];
+		const bVal = b[key];
+		if (!(key in a)) {
+			out[key] = bVal;
+			continue;
+		}
+		if (isPlainRecord(aVal) && isPlainRecord(bVal)) {
+			const nested = deepDiff(aVal, bVal);
+			if (Object.keys(nested).length) out[key] = nested;
+			continue;
+		}
+		if (!isEqual(aVal, bVal)) out[key] = bVal;
+	}
+	return out;
+};
+/**
+* Deeply prunes `source` to match the *shape* of `shape`.
+*
+* Rules:
+* - Only keys that exist on `shape` are kept.
+* - Pruning is deep for nested plain objects.
+* - Arrays are supported by using the first element of `shape` as the element-shape.
+*   - If `shape` is `[]`, returns `[]` (drops all elements).
+* - Primitive values are kept as-is (no type coercion) if the key exists in `shape`.
+* - If `shape` expects an object/array but `source` is not compatible, returns an empty object/array of that shape.
+*
+* @typeParam S - Source object type.
+* @typeParam Sh - Shape object type.
+* @param source - The object to prune.
+* @param shape - The object whose keys/structure are the allowlist.
+* @returns A new value derived from `source`, containing only fields present in `shape`, pruned deeply.
+*
+* @example
+* const source = { a: 1, b: { c: 2, d: 3 }, e: [ { x: 1, y: 2 }, { x: 3, y: 4 } ], z: 9 };
+* const shape  = { a: 0, b: { c: 0 }, e: [ { x: 0 } ] };
+* // => { a: 1, b: { c: 2 }, e: [ { x: 1 }, { x: 3 } ] }
+* const out = pruneToShape(source, shape);
+*/
+function pruneToShape(source, shape) {
+	return pruneAny(source, shape);
+	function pruneAny(src, sh) {
+		if (Array.isArray(sh)) {
+			if (!Array.isArray(src)) return [];
+			if (sh.length === 0) return [];
+			const elemShape = sh[0];
+			return src.map((v) => pruneAny(v, elemShape));
+		}
+		if (isPlainObject(sh)) {
+			const out = {};
+			const srcObj = isPlainObject(src) ? src : void 0;
+			for (const key of Object.keys(sh)) {
+				const shVal = sh[key];
+				const srcVal = srcObj ? srcObj[key] : void 0;
+				if (Array.isArray(shVal) || isPlainObject(shVal)) out[key] = pruneAny(srcVal, shVal);
+				else out[key] = srcVal;
+			}
+			return out;
+		}
+		return src;
+	}
+	function isPlainObject(v) {
+		if (v === null || typeof v !== "object") return false;
+		const proto = Object.getPrototypeOf(v);
+		return proto === Object.prototype || proto === null;
+	}
+}
+//#endregion
+//#region src/utils/fs.ts
+/**
+* @returns true if a filepath exists
+*/
+async function exists(filePath) {
+	try {
+		await lstat(filePath);
+		return true;
+	} catch {
+		return false;
+	}
+}
+/**
+* Writes data to a filepath if it is different
+* @returns true if the file is written to
+*/
+async function writeIfDifferent(filePath, newData) {
+	const directory = dirname(filePath);
+	if (!await exists(directory)) await mkdir(directory, { recursive: true });
+	if (await exists(filePath)) {
+		if (await readFile(filePath, "utf8") === newData) return false;
+	}
+	await writeFile(filePath, newData, "utf8");
+	console.log(chalk.green("Writing to"), filePath);
+	return true;
+}
+/**
+* @returns the json object packageJson or undefined if it doesnt exist
+*/
+async function readPackageJson(filePath) {
+	if (!await exists(filePath)) return void 0;
+	return JSON.parse(await readFile(filePath, { encoding: "utf-8" }));
+}
+//#endregion
+export { HTTPMethods, changePassword, computeSecretHash, confirmForgotPassword, confirmSignup, createApiRequest, deepDiff, error_cognito, error_dynamo, error_lambda_badRequest, error_lambda_conflict, error_lambda_forbidden, error_lambda_fromCognito, error_lambda_fromDynamo, error_lambda_fromS3, error_lambda_fromSes, error_lambda_internal, error_lambda_notFound, error_lambda_unauthorized, error_s3, error_ses, exists, extractAttributes, extractToc, forgotPassword, getByPath, getCognitoClient, getCookies, getErrorName, getObject, getObjectString, getS3, getSchemaByPath, getSignedUrl, getUserDetails, getUserGroups, isRecord, isSchema, is_s3_notFound, login, logout, objectExists, parseRaw, pruneToShape, readPackageJson, refreshOAuthToken, refreshTokens, resetPassword, response_error, response_ok, response_valibotError, setByPath, signUp, unwrap, verifyOAuthToken, wrapHandler, writeIfDifferent };
+
+//# sourceMappingURL=worker.mjs.map