fix(aws-lambda): validate event S3 URIs against render bucket (F-004)

[vanceingalls]

Summary

• Adds validateEventS3Uris(), called immediately after unwrapEvent() in the Lambda handler before any S3 I/O.
• If HYPERFRAMES_RENDER_BUCKET env var is set, every S3 URI in the event (ProjectS3Uri, PlanOutputS3Prefix, PlanS3Uri, ChunkOutputS3Prefix, ChunkS3Uris, AudioS3Uri, OutputS3Uri) must resolve to that bucket. Mismatches throw S3_URI_NOT_ALLOWED.
• Env var unset → validation skips (backwards-compatible; existing deployments without the var continue to work).
• CDK stack (HyperframesRenderStack) auto-wires HYPERFRAMES_RENDER_BUCKET: this.bucket.bucketName so new deployments are protected without manual config.
• S3_URI_NOT_ALLOWED added to all three NON_RETRYABLE_* lists in the Step Functions state machine so the state machine does not retry on this error.

Security

F-004 MED — The Lambda handler accepted S3 URIs from the event payload without verifying they targeted the function's own render bucket. An attacker who could inject a crafted Step Functions execution input could route GetObject / PutObject calls to arbitrary buckets in the same AWS account, potentially exfiltrating plan data or overwriting objects in unrelated buckets.

Test plan

• handler rejects a plan event whose ProjectS3Uri targets a different bucket — S3_URI_NOT_ALLOWED thrown, zero S3 ops recorded
• handler rejects an assemble event with one cross-bucket chunk URI
• Validation is skipped when HYPERFRAMES_RENDER_BUCKET is unset (no regression for existing callers)
• All 12 handler unit tests pass

[vanceingalls]

• fix(core): prevent symlink path traversal in htmlBundler safePath (F-005) #1214
• fix(aws-lambda): validate event S3 URIs against render bucket (F-004) #1213 👈 (View in Graphite)
• fix(cli): re-validate SSRF denylist on redirects + harden isPrivateUrl #1212
• fix(cli): bind studio preview server to loopback by default #1210
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[miguel-heygen]

Review: #1213 — validate event S3 URIs against render bucket

Clean, low-surface fix. Notes:

handler.ts

• validateEventS3Uris called before primeRuntimeEnv() — correct, fail-fast before any side effects. ✓
• Graceful fallback when HYPERFRAMES_RENDER_BUCKET is unset preserves backward compatibility for existing deployments. ✓
• getEventS3Uris covers all three event types and filters null AudioS3Uri. ✓
• Error name S3_URI_NOT_ALLOWED matches the non-retryable lists in CDK. ✓

HyperframesRenderStack.ts

• HYPERFRAMES_RENDER_BUCKET injected into lambda env via CDK. ✓
• S3_URI_NOT_ALLOWED added to non-retryable lists for all three event types (plan, renderChunk, assemble). ✓

Tests

• Plan event with evil bucket rejected before any S3 ops (s3.ops length check). ✓
• Assemble event with mixed chunk URIs rejected. ✓
• prevBucket save/restore pattern is clean.

One observation: validateEventS3Uris doesn't cover PlanOutputS3Prefix and ChunkOutputS3Prefix for the case where someone injects an output prefix pointing at a different bucket. Looking at getEventS3Uris, plan returns [ProjectS3Uri, PlanOutputS3Prefix] and renderChunk returns [PlanS3Uri, ChunkOutputS3Prefix] — those are included. ✓

No blocking issues. LGTM.

[miguel-heygen]

LGTM.

[miguel-heygen]

LGTM.

[graphite-app]

Merge activity

• Jun 6, 12:01 AM UTC: This pull request can not be added to the Graphite merge queue. Please try rebasing and resubmitting to merge when ready.
• Jun 6, 12:01 AM UTC: Graphite disabled "merge when ready" on this PR due to: a merge conflict with the target branch; resolve the conflict and try again..
• Jun 6, 12:45 AM UTC: Graphite rebased this pull request, because this pull request is set to merge when ready.
• Jun 6, 12:52 AM UTC: @vanceingalls merged this pull request with Graphite.

The base branch was changed.