
feat: add @constructive-io/bucket-provisioner package #961

Merged
pyramation merged 2 commits into main from devin/1775203879-bucket-provisioner
Apr 3, 2026

@pyramation pyramation commented Apr 3, 2026

Summary

New TypeScript library package @constructive-io/bucket-provisioner that programmatically provisions S3-compatible buckets with correct privacy configurations for the Constructive storage module.

What it does:

  • Creates S3 buckets and configures Block Public Access, bucket policies, CORS, versioning, and lifecycle rules based on access type (private, public, temp)
  • Supports AWS S3, MinIO, Cloudflare R2, GCS, and DigitalOcean Spaces via provider-aware S3Client factory
  • Provides an inspect() method to audit existing bucket configurations
  • Exposes standalone builder functions (policies, CORS, lifecycle) for custom composition

Privacy model:

| Access Type | Block Public Access | Bucket Policy | CORS Methods | Lifecycle |
|---|---|---|---|---|
| private | All blocked | None (deleted) | PUT, HEAD | None |
| public | Partially relaxed | Public-read | PUT, GET, HEAD | None |
| temp | All blocked | None (deleted) | PUT, GET, HEAD | Auto-expire (1 day) |

84 tests across 6 test suites, all passing. Build passes.

Updates since last revision

  • Added packages/bucket-provisioner and packages/upload-client to the CI test matrix in run-tests.yaml. Both packages had passing tests locally but were not being picked up by the CI workflow (the matrix uses an explicit include list, not autodiscovery).

Review & Testing Checklist for Human

  • Privacy model correctness (provisioner.ts:124-180) — This is security-critical. Verify that private/temp buckets truly get full Block Public Access lockdown, public buckets get the right partial relaxation, and leftover policies are cleaned up on private/temp provision. Cross-reference with policies.ts:38-55.
  • any casts in error handling — provisioner.ts uses err: any in every catch block and as any casts on lines 191 and 502. These are pragmatic for AWS SDK error shapes but could mask type issues. Decide if this is acceptable or if you'd prefer stricter typing (e.g., via @aws-sdk/smithy-client ServiceException).
  • No input validation on lifecycle builders — buildTempCleanupRule(0) and buildAbortIncompleteMultipartRule(-5) will silently create rules with invalid expiration. Consider whether guard clauses are needed.
  • All tests are mock-based — No integration tests against real S3/MinIO. The mocks verify command ordering and parameter correctness but can't catch actual API incompatibilities. Now that CI runs these tests, they at least gate merges, but real provider validation is still deferred.
  • Lockfile changes — The pnpm-lock.yaml diff includes dependency deduplication (removing older @smithy/* duplicates). Verify these are benign and not introducing version conflicts.

Suggested test plan: Import the library in an existing test or script, instantiate BucketProvisioner with MinIO credentials, and run provision() + inspect() against a real MinIO instance to confirm the S3 commands actually work end-to-end.

Notes

  • This is a library-only package (no CLI). A CLI wrapper may follow as a separate package per user's direction.
  • The package follows the same conventions as @constructive-io/upload-client (tsconfig structure, jest config, README header format).
  • buildCloudFrontOacPolicy and buildPresignedUrlIamPolicy are exported as standalone utilities but not used by the provisioner's provision() flow — they're reference implementations for DevOps setup.
  • packages/upload-client was also missing from the CI matrix (merged in PR #960, "feat: add @constructive-io/upload-client package (Phase 2B) + README header fixes", without it); this PR adds it alongside bucket-provisioner.

Link to Devin session: https://app.devin.ai/sessions/4c882ba2dfbf4045adf85fb83cde6f77
Requested by: @pyramation
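
The privacy-model table and the lifecycle-validation checklist item above, written as a drift check over an inspected bucket. This is an added example, not code from this PR or the package: `BucketState`, `auditBucket` and the finding names are hypothetical, and reading "partially relaxed" as policy flags off with ACL flags still on is an assumption.

```typescript
// Added example; all names are hypothetical, not the package's API.
type AccessType = 'private' | 'public' | 'temp';

interface BucketState {
  // The four S3 PublicAccessBlockConfiguration flags.
  bpa: { BlockPublicAcls: boolean; IgnorePublicAcls: boolean;
         BlockPublicPolicy: boolean; RestrictPublicBuckets: boolean };
  hasPolicy: boolean;            // any bucket policy attached
  corsMethods: string[];         // methods allowed by the CORS rules
  expirationDays: number | null; // null = no expiry lifecycle rule
}

// Allowed CORS methods per access type, copied from the privacy-model table.
const ALLOWED_CORS: Record<AccessType, string[]> = {
  private: ['PUT', 'HEAD'],
  public: ['PUT', 'GET', 'HEAD'],
  temp: ['PUT', 'GET', 'HEAD'],
};

function auditBucket(type: AccessType, s: BucketState): string[] {
  const out: string[] = [];
  const b = s.bpa;
  const aclBlocked = b.BlockPublicAcls && b.IgnorePublicAcls;
  const policyBlocked = b.BlockPublicPolicy && b.RestrictPublicBuckets;
  if (type === 'public') {
    // Assumption: "partially relaxed" = policy flags off, ACL flags still on.
    if (!aclBlocked) out.push('public-acls-not-blocked');
    if (b.BlockPublicPolicy || b.RestrictPublicBuckets) out.push('policy-flags-block-public-read');
    if (!s.hasPolicy) out.push('missing-public-read-policy');
  } else {
    if (!(aclBlocked && policyBlocked)) out.push('block-public-access-incomplete');
    if (s.hasPolicy) out.push('leftover-bucket-policy');
  }
  for (const m of s.corsMethods) {
    if (ALLOWED_CORS[type].indexOf(m) === -1) out.push('unexpected-cors-' + m);
  }
  const d = s.expirationDays;
  if (type === 'temp') {
    // Rejects the 0, negative or fractional day counts the checklist warns about.
    if (d === null || d < 1 || d % 1 !== 0) out.push('invalid-temp-expiry');
  } else if (d !== null) {
    out.push('unexpected-expiry-rule');
  }
  return out;
}

// Constructed sample: a formerly public bucket re-labelled private without cleanup.
const drifted: BucketState = {
  bpa: { BlockPublicAcls: true, IgnorePublicAcls: true, BlockPublicPolicy: false, RestrictPublicBuckets: false },
  hasPolicy: true, corsMethods: ['PUT', 'GET', 'HEAD'], expirationDays: null,
};
console.log(auditBucket('private', drifted));
```

The same state audited as `public` yields no findings, which is why leftover policy and flag cleanup on a private or temp provision is the case worth testing.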

@devin-ai-integration

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.


@socket-security

socket-security bot commented Apr 3, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Addedpgpm@​1.4.27510010098100


@pyramation pyramation merged commit a9ef022 into main Apr 3, 2026
48 checks passed
@pyramation pyramation deleted the devin/1775203879-bucket-provisioner branch April 3, 2026 22:07