fix(discord): split Function URL permissions and trim credentials (#41)

## Summary

- **`terraform/interactions.tf`**: The single `aws_lambda_permission`
with `action = lambda:InvokeFunction` + `function_url_auth_type = NONE`
was rejected by AWS with `InvalidParameterValueException` — AWS only
accepts `function_url_auth_type` paired with `lambda:InvokeFunctionUrl`.
Split into two statements: one for `lambda:InvokeFunctionUrl` (with
`function_url_auth_type = NONE`) and one for `lambda:InvokeFunction`
(without it). Both permissions are required since October 2025 for
Discord's endpoint validation to pass.
- **`app/packages/shared/src/secrets/secretsStore.ts`**: Added `.trim()`
to all four credential accessors (`getBotToken`, `getPublicKey`,
`putBotToken`, `putPublicKey`) to strip surrounding whitespace from
pasted Discord credentials — a common copy-paste artifact that causes
401s from the Discord API.
- **`.gitignore`**: Added `.claude/worktrees/` and
`app/packages/server/src/generated/tfstate.ts` (auto-generated; should
never be committed with real state).

## Test plan

- [ ] `terraform plan` shows two `aws_lambda_permission` resources, no
destructive changes
- [ ] `terraform apply` completes without
`InvalidParameterValueException`
- [ ] Discord endpoint validation succeeds after apply (re-enter URL in
Developer Portal if needed)
- [ ] Pasting a bot token or public key with leading/trailing whitespace
via the UI saves and reads back trimmed

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: CoderCoco

.gitignore

@@ -27,5 +27,10 @@ Thumbs.db
 # lives at .claude/settings.json (commit that instead if you want the
 # allowlist shared across the team).
 .claude/settings.local.json
+.claude/worktrees/
+
+# Auto-generated at dev/build time — committed as null, real state must not
+# be committed (contains AWS ARNs/account IDs).
+app/packages/server/src/generated/tfstate.ts
 
 .make

app/packages/server/src/generated/tfstate.ts

@@ -53,26 +53,28 @@ async function putSecret(secretId: string, value: string): Promise<void> {
 
 /** Return the configured bot token, or `null` if not set / still on the placeholder. */
 export async function getBotToken(secretArn: string): Promise<string | null> {
-  const value = await getSecret(secretArn);
+  const raw = await getSecret(secretArn);
+  const value = raw?.trim() ?? null;
   if (!value || value === SECRET_PLACEHOLDER) return null;
   return value;
 }
 
 /** Return the configured Ed25519 public key (hex), or `null` if not set / still on the placeholder. */
 export async function getPublicKey(secretArn: string): Promise<string | null> {
-  const value = await getSecret(secretArn);
+  const raw = await getSecret(secretArn);
+  const value = raw?.trim() ?? null;
   if (!value || value === SECRET_PLACEHOLDER) return null;
   return value;
 }
 
-/** Persist a new bot token. */
+/** Persist a new bot token, trimmed of surrounding whitespace. */
 export async function putBotToken(secretArn: string, value: string): Promise<void> {
-  await putSecret(secretArn, value);
+  await putSecret(secretArn, value.trim());
 }
 
-/** Persist a new public key (hex). */
+/** Persist a new public key (hex), trimmed of surrounding whitespace. */
 export async function putPublicKey(secretArn: string, value: string): Promise<void> {
-  await putSecret(secretArn, value);
+  await putSecret(secretArn, value.trim());
 }
 
 /** Drop the in-process secrets cache. Exposed for the Nest app's "save credentials" path. */

app/packages/shared/src/secrets/secretsStore.ts

@@ -74,12 +74,12 @@ resource "aws_lambda_function" "interactions" {
 
   environment {
     variables = {
-      AWS_REGION_                    = var.aws_region
-      TABLE_NAME                     = aws_dynamodb_table.discord.name
-      DISCORD_PUBLIC_KEY_SECRET_ARN  = aws_secretsmanager_secret.discord_public_key.arn
-      FOLLOWUP_LAMBDA_NAME           = aws_lambda_function.followup.function_name
-      GAME_NAMES                     = join(",", keys(var.game_servers))
-      HOSTED_ZONE_NAME               = var.hosted_zone_name
+      AWS_REGION_                   = var.aws_region
+      TABLE_NAME                    = aws_dynamodb_table.discord.name
+      DISCORD_PUBLIC_KEY_SECRET_ARN = aws_secretsmanager_secret.discord_public_key.arn
+      FOLLOWUP_LAMBDA_NAME          = aws_lambda_function.followup.function_name
+      GAME_NAMES                    = join(",", keys(var.game_servers))
+      HOSTED_ZONE_NAME              = var.hosted_zone_name
     }
   }
 
@@ -105,16 +105,26 @@ resource "aws_lambda_function_url" "interactions" {
   }
 }
 
-# Since October 2025, Lambda Function URLs require both lambda:InvokeFunctionUrl
-# (created automatically by aws_lambda_function_url) and lambda:InvokeFunction.
-resource "aws_lambda_permission" "interactions_url_invoke" {
-  statement_id           = "FunctionURLInvokeAllowPublicAccess"
-  action                 = "lambda:InvokeFunction"
+# Since October 2025, Lambda Function URLs require BOTH lambda:InvokeFunctionUrl
+# AND lambda:InvokeFunction in the resource policy — without the second one,
+# Discord's endpoint validation gets 403 before the handler runs. AWS only
+# accepts function_url_auth_type paired with lambda:InvokeFunctionUrl, so the
+# two grants are split into two statements.
+resource "aws_lambda_permission" "interactions_url_invoke_url" {
+  statement_id           = "FunctionURLInvokeUrlAllowPublicAccess"
+  action                 = "lambda:InvokeFunctionUrl"
   function_name          = aws_lambda_function.interactions.function_name
   principal              = "*"
   function_url_auth_type = "NONE"
 }
 
+resource "aws_lambda_permission" "interactions_url_invoke" {
+  statement_id  = "FunctionURLInvokeAllowPublicAccess"
+  action        = "lambda:InvokeFunction"
+  function_name = aws_lambda_function.interactions.function_name
+  principal     = "*"
+}
+
 output "interactions_invoke_url" {
   description = "Paste this into the 'Interactions Endpoint URL' field in the Discord Developer Portal"
   value       = "https://discord.${var.hosted_zone_name}/"