fix(cf-function): guard against null metadata to prevent 502s

[nicholasgubbins]

Summary

• When the KV store returns null/undefined for the metadata key — which can happen transiently as the KV entry propagates to edge nodes after a deployment — routeSite throws an uncaught TypeError accessing metadata.base, causing CloudFront to return a 502.
• The same guard is applied to both static-site.ts and ssr-site.ts.
• The fix fails open: if metadata is unavailable, the request is passed through to the default origin unchanged rather than crashing.

Root cause

The issue is most visible when errorPage is configured on a StaticSite. When errorPage is set, SST stores errorResponseCode: 404 in the KV metadata and omits custom404, disabling the function-level SPA fallback in favour of distribution-level customErrorResponses. This means unmatched requests go through an extra round-trip (original request → S3 403 → CloudFront fetches error page → function invoked again), doubling the exposure to the KV propagation window and making the 502 appear inconsistently depending on which edge node handles the request.

Test plan

• Deploy a StaticSite with errorPage set, request a non-existent path — should return 404 with the error page, not 502
• Simulate a missing metadata key (e.g. delete the KV entry temporarily) — should pass through to origin rather than 502

🤖 Generated with Claude Code

[nicholasgubbins]

1. You request a non-existent path
2. Function runs → KV lookup succeeds → sets S3 origin → S3 returns 403/404
3. CloudFront's customErrorResponses fires → second function invocation for /404.html
4. That second invocation hits a cold edge that hasn't cached the routing metadata yet → KV read fails → returns event.request →
   placeholder.sst.dev → 502

The second invocation is essentially always a "fresh" request from CloudFront's perspective — it's not the same cache key as the original
request, so it bypasses whatever warming the edge node had. Valid pages don't go through this second invocation at all, so you only see
the cold-edge failure on 404s.

[nicholasgubbins]

this is the issue i faced yesterday with #6848

[vimtor]

i don’t think this fully fixes the 502. when metadata is missing, returning event.request still sends the request to the default origin, which is placeholder.sst.dev

for standalone sites, that origin does not resolve, so CloudFront still returns 502 Failed to contact the origin instead of the intended site/error response

[ekaya97]

i monkey patched this successfully in static-site.ts - same logic applies to ssr-site.ts as well.

Replaced the placeholder origin with S3 + OAC in createDistribution() (starting at line 1168):

Before:

    function createDistribution() {
      return new Cdn(
        ...transform(
          args.transform?.cdn,
          `${name}Cdn`,
          {
            comment: `${name} site`,
            domain: args.domain,
            origins: [
              {
                originId: "default",
                domainName: "placeholder.sst.dev",
                customOriginConfig: {
                  httpPort: 80,
                  httpsPort: 443,
                  originProtocolPolicy: "https-only",
                  originReadTimeout: 20,
                  originSslProtocols: ["TLSv1.2"],
                },
              },
            ],

After:

    function createDistribution() {
      const oac = new OriginAccessControl(
        `${name}OAC`,
        { name: physicalName(64, name) },
        { parent: self, ignoreChanges: ["name"] },
      );

      return new Cdn(
        ...transform(
          args.transform?.cdn,
          `${name}Cdn`,
          {
            comment: `${name} site`,
            domain: args.domain,
            origins: [
              {
                originId: "default",
                domainName: bucketDomain,
                originAccessControlId: oac.id,
                s3OriginConfig: {
                  originAccessIdentity: "",
                },
              },
            ],