SmooaiNextEdge: auto-validate us-east-1 viewer cert via DNS adapter (0.1.4)

[brentrager]

Problem

Dogfooding Stage C (SMOODEV-1791) on smooai's apps/web surfaced a real gap in SmooaiNextEdge: it creates the ACM viewer cert with validationMethod: 'DNS' but never publishes the validation records and never gates on aws.acm.CertificateValidation. On a Cloudflare-DNS app the cert sits in PENDING_VALIDATION, so when the CloudFront Distribution tries to attach it the deploy fails ("certificate doesn't exist, isn't valid…").

Fix

Mirror SST's own DnsValidatedCertificate:

• Extend DnsAdapter with optional provider / createRecord / createCaa (the surface sst.cloudflare.dns() / sst.aws.dns() already expose).
• When the adapter has createRecord: publish the ACM DNS-validation CNAMEs (de-duped across domain + SANs), add a CAA 0 issue "amazonaws.com" for non-Route53 zones, and gate viewerCertificate on a CertificateValidation (us-east-1 provider, dependsOn the records).
• Validation CNAMEs stay grey-cloud — SST's cloudflare adapter only proxies alias records, exactly what ACM needs.
• No createRecord (or no dns) → unchanged behavior: raw (PENDING) arn, manual/out-of-band validation.

Bumps @smooai/deploy → 0.1.4.

Test

pnpm sst install && pnpm typecheck green against the SST platform ambient types (the PR-checks constructs gate). Behavior validated end-to-end by Stage C Phase 1 (smooai web-next.smoo.ai).

🤖 Generated with Claude Code

[changeset-bot]

⚠️ No Changeset found

Latest commit: b7ba2da

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR