feat(admin): Phase 2 — nightly AI content review cron + metadata

Adds the AI content pipeline backing the admin cockpit:

Schema (migration 0038, additive + idempotent topic seed):
- post_metadata (1:1): sentiment, sentimentScore, qualityScore, modelId,
  analyzedAt watermark, schemaVersion.
- topic / post_topic: controlled vocab + provenance-aware edges (ai|manual);
  the cron only ever rewrites its own 'ai' edges.
- comments.moderatedAt watermark; reports.source (user|system) + nullable
  reporter so AI flags share the existing moderation queue.

server/lib/contentAnalysis.ts: one Bedrock call per post returns topics +
sentiment + quality + a moderation verdict. Gated + fail-open like autoReview;
heuristic fallback when Bedrock is off. Unit-tested (7 cases).

app/api/cron/daily-review: incremental, capped, per-item-isolated cron doing
four passes (tag/sentiment, quality, re-screen posts+comments, digest email).
Auth via CRON_SECRET. Wired into CDK via a new dailyReview invoker Lambda +
daily EventBridge rule (cron-stack.ts), mirroring promoteScheduled.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: NiallJoeMaher

app/api/cron/daily-review/route.ts

@@ -0,0 +1,69 @@
+import { SSMClient, GetParameterCommand } from "@aws-sdk/client-ssm";
+
+// Thin invoker: on a daily schedule, POST the app's /api/cron/daily-review route
+// (which does the actual topic tagging / sentiment / quality scoring / moderation
+// re-screen / digest). This Lambda only authenticates with CRON_SECRET and
+// reports back. Mirrors promoteScheduled/index.ts.
+
+const ssmClient = new SSMClient({ region: "eu-west-1" });
+
+// Read a decrypted SecureString from SSM (matches rssFetcher's `/env/...` convention).
+async function getSsmValue(secretName: string): Promise<string> {
+  const params = {
+    Name: secretName,
+    WithDecryption: true,
+  };
+
+  try {
+    const command = new GetParameterCommand(params);
+    const response = await ssmClient.send(command);
+    if (!response.Parameter || !response.Parameter.Value) {
+      throw new Error(`Parameter not found: ${secretName}`);
+    }
+    return response.Parameter.Value;
+  } catch (error) {
+    console.error(`Error retrieving secret: ${error}`);
+    throw error;
+  }
+}
+
+// Site base URL from the required `/env/siteUrl` param. FAIL CLOSED: a missing
+// or unreadable param throws (visible Lambda failure) rather than falling back
+// to production — otherwise a non-prod deploy would silently POST prod.
+async function getBaseUrl(): Promise<string> {
+  const value = await getSsmValue("/env/siteUrl");
+  return value.replace(/\/+$/, "");
+}
+
+// Main Lambda handler
+exports.handler = async function () {
+  console.log("Daily Review invoker Lambda running");
+
+  const secret = await getSsmValue("/env/cronSecret");
+  const base = await getBaseUrl();
+  const url = `${base}/api/cron/daily-review`;
+
+  console.log(`Invoking ${url}`);
+
+  // Node 20 runtime ships a global fetch — no node-fetch dependency needed.
+  const response = await fetch(url, {
+    method: "POST",
+    headers: {
+      Authorization: `Bearer ${secret}`,
+    },
+  });
+
+  const body = await response.text();
+  console.log(`Response ${response.status}: ${body}`);
+
+  // Surface failures in CloudWatch so a broken route / bad secret is visible.
+  if (!response.ok) {
+    throw new Error(`daily-review returned ${response.status}: ${body}`);
+  }
+
+  return {
+    statusCode: 200,
+    headers: { "Content-Type": "application/json" },
+    body,
+  };
+};