Changelog

infrastructure repository (v2.26.0)

Added ASSETS_DOMAIN_PREFIX, ASSETS_DOMAIN, assetsDomain(), assetsUrl() to ari-configuration.ts
Added assets.arda.cards hosted zone to RootConfigurationStack with assetsZone export
Added <infra>.assets.arda.cards subdomain zone, NS delegation, and ACM wildcard cert to InfrastructureIngress
Added assetsHostedZone import to ImportingStack
Created deploy-root.sh (profile: Admin-PlatformRoot)
Created tools/ci-root-check.js for root configuration synth validation
Fixed camelCase filenames in npm scripts (r53Zones.ts → r53-zones.ts, liveUrl.ts → live-url.ts)

Created ImageAssetBucket construct (versioned, RETAIN, SSE-S3, CORS POST, embedded presigning role)
Created CloudFrontSigningKeyGroup construct (Lambda custom resource for RSA key generation, keyVersion param)
Created ImageAssetCdn construct (S3 OAC origin, signed cookies, HTTPS-only, CachingOptimized, Route53 alias)
Created ImageStorageStack (co-locates bucket + CDN + signing keys; 6 cross-stack exports)
Wired ImageStorageStack into partition.ts (buildPartition())
Created jest.config.js, 42 unit tests across 4 suites
Added npm test to CI build job (ci.yaml)
Created tools/verify-image-cdn.ts (11-step end-to-end verification)
Added cdk-nag, @aws-sdk/s3-presigned-post devDependencies
Created knowledge-base/ with 5 reference documents

Fixed Lambda handler to use CDK Provider framework return pattern (not raw CloudFormation response)
Fixed Route53 recordName to use zone-relative locator.id (not full FQDN)
Fixed ingress stack to export actual zone domain name (not parent domain)
Fixed CORS logic: add CORS when appUrls has entries, omit when empty
Added clientRoleArn validation to ImageStorageStack
Made --presign-role-arn optional in verify script