Rewrite aws-sst on SST v4 with pnpm 11 supply-chain hardening

.github/workflows/aws-sst-ci.yml

@@ -0,0 +1,64 @@
+name: aws-sst CI
+
+on:
+  push:
+    branches: [master]
+    paths:
+      - examples/aws-sst/**
+      - .github/workflows/aws-sst-ci.yml
+  pull_request:
+    paths:
+      - examples/aws-sst/**
+      - .github/workflows/aws-sst-ci.yml
+
+# Cancel older runs on the same branch when a new commit is pushed.
+concurrency:
+  group: aws-sst-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  ci:
+    name: install / lint / test / build
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: examples/aws-sst
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 11.1.1
+          run_install: false
+
+      - name: Set up Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: 24
+          cache: pnpm
+          cache-dependency-path: examples/aws-sst/pnpm-lock.yaml
+
+      - name: Install dependencies
+        # `preinstall` runs `pnpm audit && pnpm audit signatures`, so a
+        # vulnerable or unsigned package will fail the install before
+        # any of the later steps run.
+        run: pnpm install --frozen-lockfile
+
+      - name: Bootstrap SST platform types
+        # SST v4 generates `.sst/platform/config.d.ts` (used by
+        # sst.config.ts) the first time it runs. `sst install` only
+        # downloads the platform/provider code — it does not touch AWS
+        # — so it works without credentials and unblocks the typecheck.
+        run: pnpm exec sst install
+
+      - name: Lint
+        run: pnpm run lint
+
+      - name: Test
+        run: pnpm run test
+
+      - name: Build
+        run: pnpm run build

examples/aws-sst/.gitignore

@@ -3,6 +3,10 @@
 # dependencies
 /node_modules
 
+# Block npm/yarn lockfiles — this project is pnpm-only
+package-lock.json
+yarn.lock
+
 # testing
 /coverage
 

examples/aws-sst/README.md

@@ -1,52 +1,66 @@
 # Pluggy - AWS Serverless (SST) Example
 
-AWS serverless infrastructure for Pluggy integration using Lambda, DynamoDB, and the [Serverless Stack (SST)](https://sst.dev/) framework.
+AWS serverless infrastructure for Pluggy integration using Lambda, DynamoDB, and [SST v4](https://sst.dev/).
 
-> **Note**: This example uses SST v1 (`@serverless-stack/*`), which is deprecated. For new projects, consider using [SST v3](https://sst.dev/) or the [Vercel quickdeploy](../vercel-quickdeploy-nextjs) example.
+This example rewrites the previous SST v1 quickstart on the modern Ion engine. Two Lambda functions are exposed via API Gateway:
+
+- `POST /connect-token` — generates a connect token for the Connect Widget
+- `POST /notification` — handles Pluggy webhook events and stores items in DynamoDB
 
 ## Prerequisites
 
-- Node.js 18+
-- AWS account with configured credentials ([IAM setup guide](https://docs.sst.dev/advanced/iam-credentials))
+- Node.js 24+
+- pnpm 11+ (the repo pins it via `packageManager`; corepack will activate the right version automatically)
+- AWS account with configured credentials ([SST IAM guide](https://sst.dev/docs/iam-credentials))
 - Pluggy API credentials from [dashboard.pluggy.ai](https://dashboard.pluggy.ai)
 
 ## Setup
 
-1. Create a `.env` file with:
+1. Install dependencies:
+
+   ```bash
+   pnpm install
+   ```
+
+   The first install runs `pnpm audit && pnpm audit signatures` via the `preinstall` hook, so any vulnerable or unsigned package will surface immediately.
+
+2. Create a `.env` file with:
 
-- AWS credentials
-- `PLUGGY_CLIENT_ID`
-- `PLUGGY_CLIENT_SECRET`
+   ```
+   PLUGGY_CLIENT_ID=...
+   PLUGGY_CLIENT_SECRET=...
+   AWS_ACCESS_KEY_ID=...
+   AWS_SECRET_ACCESS_KEY=...
+   AWS_REGION=sa-east-1
+   ```
 
-2. Install and run:
+3. Start the local dev environment:
 
-```bash
-npm install
-npm start
-```
+   ```bash
+   pnpm dev
+   ```
 
 ## Architecture
 
 ![Architecture](docs/diagram.png)
 
 | Resource | Purpose |
 |----------|---------|
-| **DynamoDB** | Stores items created via Pluggy |
-| **Lambda (Notification)** | Processes Pluggy webhook events |
-| **Lambda (Connect Token)** | Generates connect tokens for the widget |
+| **DynamoDB** | Stores items created via Pluggy (`ItemsTable`) |
+| **Lambda (`/connect-token`)** | Issues connect tokens for the widget |
+| **Lambda (`/notification`)** | Processes Pluggy webhook events |
 
 ## Commands
 
 | Command | Description |
 |---------|-------------|
-| `npm start` | Start local Lambda dev environment |
-| `npm run build` | Build and synthesize CloudFormation stacks |
-| `npm run deploy` | Deploy to AWS |
-| `npm run remove` | Remove all stacks from AWS |
-| `npm test` | Run tests |
+| `pnpm dev` | Start local Lambda dev environment |
+| `pnpm build` | Build the SST app |
+| `pnpm deploy` | Deploy the stack to AWS |
+| `pnpm remove` | Tear down the deployed stack |
 
 ## Resources
 
 - [Pluggy Documentation](https://docs.pluggy.ai)
 - [Pluggy Webhooks](https://docs.pluggy.ai/#webhooks)
-- [SST Documentation](https://docs.sst.dev)
+- [SST Documentation](https://sst.dev/docs)