feat(upload-client): add hashContent, putToPresignedUrl, fetchFromUrl exports

[pyramation]

Summary

Adds three new atomic exports to @constructive-io/upload-client for custom presigned URL flows:

• hashContent(content: string) — SHA-256 hex digest of a plain string via Web Crypto API (crypto.subtle.digest). Complements hashFile (which accepts File/Blob). New file: hash-content.ts.
• putToPresignedUrl(url, body, contentType, signal?) — Extracted from the private putWithFetch in upload.ts into a standalone export in put.ts. The internal putToS3 now delegates to this for its fetch path.
• fetchFromUrl(url, signal?) — Fetch GET wrapper with structured UploadError on failure. Useful for verifying downloads from presigned or CDN URLs.

Isomorphic HTTP via @constructive-io/fetch

put.ts uses createFetch() from @constructive-io/fetch (added as a new dependency) instead of raw globalThis.fetch. This resolves *.localhost subdomain DNS and Host header issues in Node.js — the same pattern used in @constructive-io/graphql-query/runtime. In browsers, createFetch() returns globalThis.fetch as-is.

The internal putWithFetch function is removed; putToS3 now calls putToPresignedUrl directly. Existing tests (24/24) pass unchanged.

Motivation: The constructive-db storage security tests currently hand-roll putToPresignedUrl() and hashContent() helpers inline. After this ships, those tests can import from this package instead — dogfooding our own tools. Related: constructive-db#1093.

Review & Testing Checklist for Human

• fetchFromUrl reuses PUT_UPLOAD_FAILED error code — both error paths in fetchFromUrl throw with code 'PUT_UPLOAD_FAILED', which is semantically wrong for a GET operation. Decide whether to add a new error code (e.g. 'FETCH_FAILED') to the UploadErrorCode union, or accept the reuse for now.
• No new unit tests for put.ts or hash-content.ts — the existing upload.test.ts indirectly covers putToPresignedUrl via the uploadFile orchestrator, but hashContent and fetchFromUrl have zero test coverage. Consider whether to add them before merging.
• Module-level createFetch() call — const fetch = createFetch() in put.ts runs at import time. createFetch() is synchronous and cached, so this should be safe, but verify no side effects at import in edge/serverless environments.
• Run pnpm test in packages/upload-client and verify 24/24 pass after merge.

Notes

• body: BodyInit | string — string is technically already in BodyInit in modern TS DOM libs, but kept explicit for compatibility with environments that may not include it. The body is cast to BodyInit when passed to the createFetch() result since the wrapper's type signature expects standard fetch args.
• The putToPresignedUrl return type is Promise<Response> (the old putWithFetch returned void). The internal putToS3 caller discards the return value, so no behavioral change for uploadFile.
• The lockfile diff is large due to formatting normalization by pnpm; the only substantive addition is @constructive-io/fetch@1.0.0.

Link to Devin session: https://app.devin.ai/sessions/7903d2a3e7a34c6daa605e12d6b80d9e
Requested by: @pyramation

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​constructive-io/​fetch@​1.0.0

View full report