docs(architecture): add filtering diagrams

alukach · alukach · commit 109eec085e39 · 2025-08-05T11:46:40.000-07:00
diff --git a/docs/architecture/filtering-data.md b/docs/architecture/filtering-data.md
@@ -0,0 +1,31 @@
+# Filtering Data
+
+> [!NOTE]
+>
+> For more information on using filters to solve authorization needs, more information can be found in the [user guide](../user-guide/record-level-auth.md).
+
+## Example Request Flow for multi-record endpoints
+
+```mermaid
+sequenceDiagram
+    Client->>Proxy: GET /collections
+    Note over Proxy: EnforceAuth checks credentials
+    Note over Proxy: BuildCql2Filter creates filter
+    Note over Proxy: ApplyCql2Filter applies filter to request
+    Proxy->>STAC API: GET /collection?filter=(collection=landsat)
+    STAC API->>Client: Response
+```
+
+## Example Request Flow for single-record endpoints
+
+The Filter Extension does not apply to fetching individual records. As such, we must validate the record _after_ it is returned from the upstream API but _before_ it is returned to the user:
+
+```mermaid
+sequenceDiagram
+    Client->>Proxy: GET /collections/abc123
+    Note over Proxy: EnforceAuth checks credentials
+    Note over Proxy: BuildCql2Filter creates filter
+    Proxy->>STAC API: GET /collection/abc123
+    Note over Proxy: ApplyCql2Filter validates the response
+    STAC API->>Client: Response
+```
diff --git a/docs/user-guide/deployment.md b/docs/user-guide/deployment.md
@@ -0,0 +1 @@
+# Deployment
diff --git a/docs/user-guide/record-level-auth.md b/docs/user-guide/record-level-auth.md
@@ -17,6 +17,10 @@ Record-level authorization is implemented through **data filtering**—a strateg
 
 For endpoints where the filter extension doesn't apply (such as single-item endpoints), the filters are used to validate response data from the upstream STAC API before the user receives the data, ensuring complete authorization coverage.
 
+> [!NOTE]
+>
+> For more information on _how_ data filtering works, some more information can be found in the [architecture section](../architecture/filtering-data.md) of the docs.
+
 ## Supported Operations
 
 ### Collection-Level Filtering
diff --git a/mkdocs.yml b/mkdocs.yml
@@ -37,6 +37,7 @@ nav:
       - Tips: user-guide/tips.md
   - Architecture:
       - Middleware Stack: architecture/middleware-stack.md
+      - Filtering Data: architecture/filtering-data.md
   - Changelog: changelog.md
 
 plugins:
diff --git a/src/stac_auth_proxy/lambda.py b/src/stac_auth_proxy/lambda.py
@@ -0,0 +1,17 @@
+"""Handler for AWS Lambda."""
+
+from stac_auth_proxy import create_app
+
+try:
+    from mangum import Mangum
+except ImportError:
+    raise ImportError(
+        "mangum is required to use the Lambda handler. Install stac-auth-proxy[lambda]."
+    )
+
+
+handler = Mangum(
+    create_app(),
+    # NOTE: lifespan="off" skips conformance check and upstream health checks on startup
+    lifespan="off",
+)
