@jaypie/constructs 1.1.52 → 1.1.54

package/dist/cjs/index.cjs

@@ -1,25 +1,27 @@
 'use strict';
 
-var cdk = require('@jaypie/cdk');
+var cdk = require('aws-cdk-lib');
+var s3 = require('aws-cdk-lib/aws-s3');
 var constructs = require('constructs');
-var cdk$1 = require('aws-cdk-lib');
 var acm = require('aws-cdk-lib/aws-certificatemanager');
 var apiGateway = require('aws-cdk-lib/aws-apigateway');
 var route53 = require('aws-cdk-lib/aws-route53');
 var route53Targets = require('aws-cdk-lib/aws-route53-targets');
 var secretsmanager = require('aws-cdk-lib/aws-secretsmanager');
 var datadogCdkConstructsV2 = require('datadog-cdk-constructs-v2');
+var errors = require('@jaypie/errors');
+var awsIam = require('aws-cdk-lib/aws-iam');
 var lambda = require('aws-cdk-lib/aws-lambda');
 var logDestinations = require('aws-cdk-lib/aws-logs-destinations');
-var s3 = require('aws-cdk-lib/aws-s3');
 var s3n = require('aws-cdk-lib/aws-s3-notifications');
 var sqs = require('aws-cdk-lib/aws-sqs');
 var lambdaEventSources = require('aws-cdk-lib/aws-lambda-event-sources');
-var awsIam = require('aws-cdk-lib/aws-iam');
+var awsEvents = require('aws-cdk-lib/aws-events');
+var awsEventsTargets = require('aws-cdk-lib/aws-events-targets');
 var awsLogs = require('aws-cdk-lib/aws-logs');
+var awsCloudtrail = require('aws-cdk-lib/aws-cloudtrail');
 var awsSso = require('aws-cdk-lib/aws-sso');
 var awsSam = require('aws-cdk-lib/aws-sam');
-var errors = require('@jaypie/errors');
 var cloudfront = require('aws-cdk-lib/aws-cloudfront');
 var origins = require('aws-cdk-lib/aws-cloudfront-origins');
 
@@ -40,7 +42,8 @@ function _interopNamespaceDefault(e) {
     return Object.freeze(n);
 }
 
-var cdk__namespace = /*#__PURE__*/_interopNamespaceDefault(cdk$1);
+var cdk__namespace = /*#__PURE__*/_interopNamespaceDefault(cdk);
+var s3__namespace = /*#__PURE__*/_interopNamespaceDefault(s3);
 var acm__namespace = /*#__PURE__*/_interopNamespaceDefault(acm);
 var apiGateway__namespace = /*#__PURE__*/_interopNamespaceDefault(apiGateway);
 var route53__namespace = /*#__PURE__*/_interopNamespaceDefault(route53);
@@ -48,13 +51,231 @@ var route53Targets__namespace = /*#__PURE__*/_interopNamespaceDefault(route53Tar
 var secretsmanager__namespace = /*#__PURE__*/_interopNamespaceDefault(secretsmanager);
 var lambda__namespace = /*#__PURE__*/_interopNamespaceDefault(lambda);
 var logDestinations__namespace = /*#__PURE__*/_interopNamespaceDefault(logDestinations);
-var s3__namespace = /*#__PURE__*/_interopNamespaceDefault(s3);
 var s3n__namespace = /*#__PURE__*/_interopNamespaceDefault(s3n);
 var sqs__namespace = /*#__PURE__*/_interopNamespaceDefault(sqs);
 var lambdaEventSources__namespace = /*#__PURE__*/_interopNamespaceDefault(lambdaEventSources);
 var cloudfront__namespace = /*#__PURE__*/_interopNamespaceDefault(cloudfront);
 var origins__namespace = /*#__PURE__*/_interopNamespaceDefault(origins);
 
+const CDK$2 = {
+    ACCOUNT: {
+        DEVELOPMENT: "development",
+        MANAGEMENT: "management",
+        OPERATIONS: "operations",
+        PRODUCTION: "production",
+        SANDBOX: "sandbox",
+        SECURITY: "security",
+        STAGE: "stage",
+    },
+    BUILD: {
+        CONFIG: {
+            ALL: "all",
+            API: "api",
+            INFRASTRUCTURE: "infrastructure",
+            NONE: "none",
+            WEB: "web",
+        },
+        PERSONAL: "personal",
+        /**
+         * @deprecated rename "ephemeral" to "personal" (since 2/24/2025)
+         */
+        EPHEMERAL: "ephemeral",
+        /**
+         * @deprecated as even "ephemeral" builds have static assets (since 7/6/2024)
+         */
+        STATIC: "static",
+    },
+    CREATION: {
+        CDK: "cdk",
+        CLOUDFORMATION_TEMPLATE: "template",
+        MANUAL: "manual",
+    },
+    DATADOG: {
+        SITE: "datadoghq.com",
+        LAYER: {
+            // https://docs.datadoghq.com/serverless/aws_lambda/installation/nodejs/?tab=awscdk
+            NODE: 127, // 127 on 9/12/2025
+            EXTENSION: 86, // 86 on 9/12/2025
+        },
+    },
+    DEFAULT: {
+        REGION: "us-east-1",
+    },
+    DNS: {
+        CONFIG: {
+            TTL: 300, // 5 minutes in seconds for Route53
+        },
+        RECORD: {
+            A: "A",
+            CNAME: "CNAME",
+            MX: "MX",
+            NS: "NS",
+            TXT: "TXT",
+        },
+    },
+    DURATION: {
+        EXPRESS_API: 30,
+        LAMBDA_MAXIMUM: 900,
+        LAMBDA_WORKER: 900,
+    },
+    ENV: {
+        DEMO: "demo", // Mirror of production
+        DEVELOPMENT: "development", // Internal most stable development space
+        /** @deprecated */ EPHEMERAL: "ephemeral", // Alias for "build"
+        LOCAL: "local",
+        /** @deprecated */ MAIN: "main", // Alias for development
+        META: "meta", // For non-environment/infrastructure stacks
+        PERSONAL: "personal", // Personal builds using resources provided by sandbox
+        PREVIEW: "preview", // External next thing to be released
+        PRODUCTION: "production",
+        RELEASE: "release", // Internal next thing to be released
+        REVIEW: "review", // Internal place to collaborate on issues
+        SANDBOX: "sandbox", // Internal build space with no guaranteed longevity
+        TRAINING: "training", // aka "test"; mirror of production for external audiences
+    },
+    HOST: {
+        APEX: "@",
+    },
+    IMPORT: {
+        DATADOG_LOG_FORWARDER: "account-datadog-forwarder",
+        DATADOG_ROLE: "account-datadog-role",
+        DATADOG_SECRET: "account-datadog-secret",
+        LOG_BUCKET: "account-log-bucket",
+        OIDC_PROVIDER: "github-oidc-provider",
+    },
+    LAMBDA: {
+        LOG_RETENTION: 90,
+        MEMORY_SIZE: 1024,
+    },
+    PRINCIPAL: {
+        ROUTE53: "route53.amazonaws.com",
+    },
+    PRINCIPAL_TYPE: {
+        GROUP: "GROUP",
+        USER: "USER",
+    },
+    PROJECT: {
+        INFRASTRUCTURE: "infrastructure",
+    },
+    ROLE: {
+        API: "api",
+        DEPLOY: "deploy",
+        HOSTING: "hosting",
+        MONITORING: "monitoring",
+        NETWORKING: "networking",
+        PROCESSING: "processing",
+        SECURITY: "security",
+        STACK: "stack",
+        STORAGE: "storage",
+        TOY: "toy",
+    },
+    SERVICE: {
+        DATADOG: "datadog",
+        INFRASTRUCTURE: "infrastructure",
+        LIBRARIES: "libraries",
+        NONE: "none",
+        SSO: "sso",
+        TRACE: "trace",
+    },
+    TAG: {
+        BUILD_DATE: "buildDate",
+        BUILD_HEX: "buildHex",
+        BUILD_NUMBER: "buildNumber",
+        BUILD_TIME: "buildTime",
+        BUILD_TYPE: "buildType",
+        COMMIT: "commit",
+        CREATION: "creation",
+        ENV: "env",
+        NONCE: "nonce",
+        PROJECT: "project",
+        ROLE: "role",
+        SERVICE: "service",
+        SPONSOR: "sponsor",
+        STACK: "stack",
+        STACK_SHA: "stackSha",
+        VENDOR: "vendor",
+        VERSION: "version",
+    },
+    TARGET_TYPE: {
+        AWS_ACCOUNT: "AWS_ACCOUNT",
+    },
+    VENDOR: {
+        ANTHROPIC: "anthropic",
+        AUTH0: "auth0",
+        DATADOG: "datadog",
+        KNOWTRACE: "knowtrace",
+        MONGODB: "mongodb",
+        OPENAI: "openai",
+        SPLINTERLANDS: "splinterlands",
+    },
+};
+
+class JaypieAccountLoggingBucket extends constructs.Construct {
+    /**
+     * Create a new account-wide logging S3 bucket with lifecycle policies and export
+     */
+    constructor(scope, idOrProps, propsOrUndefined) {
+        // Handle overloaded constructor signatures
+        let props;
+        let id;
+        if (typeof idOrProps === "string") {
+            // First param is ID, second is props
+            props = propsOrUndefined || {};
+            id = idOrProps;
+        }
+        else {
+            // First param is props
+            props = idOrProps || {};
+            id = props.id || "AccountLoggingBucket";
+        }
+        super(scope, id);
+        // Generate default bucket name with PROJECT_NONCE
+        const defaultBucketName = process.env.PROJECT_NONCE
+            ? `account-logging-stack-${process.env.PROJECT_NONCE.toLowerCase()}`
+            : "account-logging-stack";
+        // Extract Jaypie-specific options
+        // eslint-disable-next-line @typescript-eslint/no-unused-vars
+        const { bucketName = defaultBucketName, createOutput = true, expirationDays = 365, exportName = CDK$2.IMPORT.LOG_BUCKET, glacierTransitionDays = 180, id: _id, infrequentAccessTransitionDays = 30, outputDescription = "Account-wide logging bucket", project, service = CDK$2.SERVICE.INFRASTRUCTURE, ...bucketProps } = props;
+        // Create the bucket with lifecycle rules
+        this.bucket = new s3.Bucket(this, "Bucket", {
+            accessControl: s3.BucketAccessControl.LOG_DELIVERY_WRITE,
+            bucketName,
+            lifecycleRules: [
+                {
+                    expiration: cdk__namespace.Duration.days(expirationDays),
+                    transitions: [
+                        {
+                            storageClass: s3.StorageClass.INFREQUENT_ACCESS,
+                            transitionAfter: cdk__namespace.Duration.days(infrequentAccessTransitionDays),
+                        },
+                        {
+                            storageClass: s3.StorageClass.GLACIER,
+                            transitionAfter: cdk__namespace.Duration.days(glacierTransitionDays),
+                        },
+                    ],
+                },
+            ],
+            ...bucketProps,
+        });
+        // Add tags
+        cdk__namespace.Tags.of(this.bucket).add(CDK$2.TAG.ROLE, CDK$2.ROLE.MONITORING);
+        if (service) {
+            cdk__namespace.Tags.of(this.bucket).add(CDK$2.TAG.SERVICE, service);
+        }
+        if (project) {
+            cdk__namespace.Tags.of(this.bucket).add(CDK$2.TAG.PROJECT, project);
+        }
+        // Create CloudFormation output if enabled
+        if (createOutput) {
+            new cdk__namespace.CfnOutput(this, "BucketNameOutput", {
+                description: outputDescription,
+                exportName,
+                value: this.bucket.bucketName,
+            });
+        }
+    }
+}
+
 function addDatadogLayers(lambdaFunction, options = {}) {
     const datadogApiKeyArn = options?.datadogApiKeyArn;
     const resolvedDatadogApiKeyArn = datadogApiKeyArn ||
@@ -71,8 +292,8 @@ function addDatadogLayers(lambdaFunction, options = {}) {
         DD_PROFILING_ENABLED: "false",
         DD_SERVERLESS_APPSEC_ENABLED: "false",
         DD_SERVICE: process.env.PROJECT_SERVICE || "",
-        DD_SITE: cdk.CDK.DATADOG.SITE,
-        DD_TAGS: `${cdk.CDK.TAG.SPONSOR}:${process.env.PROJECT_SPONSOR || ""}`,
+        DD_SITE: CDK$2.DATADOG.SITE,
+        DD_TAGS: `${CDK$2.TAG.SPONSOR}:${process.env.PROJECT_SPONSOR || ""}`,
         DD_TRACE_OTEL_ENABLED: "false",
     };
     // Add environment variables only if they don't already exist
@@ -82,8 +303,8 @@ function addDatadogLayers(lambdaFunction, options = {}) {
     const datadogApiKeySecret = secretsmanager__namespace.Secret.fromSecretCompleteArn(lambdaFunction, "DatadogApiKey", resolvedDatadogApiKeyArn);
     const datadogLambda = new datadogCdkConstructsV2.DatadogLambda(lambdaFunction, "DatadogLambda", {
         apiKeySecret: datadogApiKeySecret, // apiKeySecret auto-grants secret access to the added lambdas
-        nodeLayerVersion: cdk.CDK.DATADOG.LAYER.NODE,
-        extensionLayerVersion: cdk.CDK.DATADOG.LAYER.EXTENSION,
+        nodeLayerVersion: CDK$2.DATADOG.LAYER.NODE,
+        extensionLayerVersion: CDK$2.DATADOG.LAYER.EXTENSION,
         env: process.env.PROJECT_ENV,
         service: process.env.PROJECT_SERVICE,
         version: process.env.PROJECT_VERSION,
@@ -135,35 +356,35 @@ function constructTagger(construct, { name } = {}) {
     const stackName = name || constructStackName();
     const version = process.env.npm_package_version || process.env.PROJECT_VERSION || null;
     if (process.env.PROJECT_COMMIT && process.env.PROJECT_COMMIT.length > 8) {
-        cdk$1.Tags.of(construct).add(CDK$1.TAG.BUILD_HEX, process.env.PROJECT_COMMIT.slice(0, 8));
+        cdk.Tags.of(construct).add(CDK$1.TAG.BUILD_HEX, process.env.PROJECT_COMMIT.slice(0, 8));
     }
-    cdk$1.Tags.of(construct).add(CDK$1.TAG.BUILD_DATE, new Date().toISOString());
-    cdk$1.Tags.of(construct).add(CDK$1.TAG.BUILD_TIME, Date.now().toString());
+    cdk.Tags.of(construct).add(CDK$1.TAG.BUILD_DATE, new Date().toISOString());
+    cdk.Tags.of(construct).add(CDK$1.TAG.BUILD_TIME, Date.now().toString());
     if (process.env.PROJECT_COMMIT)
-        cdk$1.Tags.of(construct).add(CDK$1.TAG.COMMIT, process.env.PROJECT_COMMIT);
-    cdk$1.Tags.of(construct).add(CDK$1.TAG.CREATION, CDK$1.CREATION.CDK);
+        cdk.Tags.of(construct).add(CDK$1.TAG.COMMIT, process.env.PROJECT_COMMIT);
+    cdk.Tags.of(construct).add(CDK$1.TAG.CREATION, CDK$1.CREATION.CDK);
     if (process.env.PROJECT_ENV)
-        cdk$1.Tags.of(construct).add(CDK$1.TAG.ENV, process.env.PROJECT_ENV);
+        cdk.Tags.of(construct).add(CDK$1.TAG.ENV, process.env.PROJECT_ENV);
     if (process.env.PROJECT_NONCE)
-        cdk$1.Tags.of(construct).add(CDK$1.TAG.NONCE, process.env.PROJECT_NONCE);
+        cdk.Tags.of(construct).add(CDK$1.TAG.NONCE, process.env.PROJECT_NONCE);
     if (process.env.PROJECT_KEY)
-        cdk$1.Tags.of(construct).add(CDK$1.TAG.PROJECT, process.env.PROJECT_KEY);
-    cdk$1.Tags.of(construct).add(CDK$1.TAG.ROLE, CDK$1.ROLE.STACK);
+        cdk.Tags.of(construct).add(CDK$1.TAG.PROJECT, process.env.PROJECT_KEY);
+    cdk.Tags.of(construct).add(CDK$1.TAG.ROLE, CDK$1.ROLE.STACK);
     if (process.env.PROJECT_SERVICE)
-        cdk$1.Tags.of(construct).add(CDK$1.TAG.SERVICE, process.env.PROJECT_SERVICE);
+        cdk.Tags.of(construct).add(CDK$1.TAG.SERVICE, process.env.PROJECT_SERVICE);
     if (process.env.PROJECT_SPONSOR)
-        cdk$1.Tags.of(construct).add(CDK$1.TAG.SPONSOR, process.env.PROJECT_SPONSOR);
+        cdk.Tags.of(construct).add(CDK$1.TAG.SPONSOR, process.env.PROJECT_SPONSOR);
     if (stackName)
-        cdk$1.Tags.of(construct).add(CDK$1.TAG.STACK, stackName);
+        cdk.Tags.of(construct).add(CDK$1.TAG.STACK, stackName);
     if (version)
-        cdk$1.Tags.of(construct).add(CDK$1.TAG.VERSION, version);
+        cdk.Tags.of(construct).add(CDK$1.TAG.VERSION, version);
     return true;
 }
 
 function envHostname({ component, domain, env, subdomain, } = {}) {
     const resolvedDomain = domain || process.env.CDK_ENV_DOMAIN || process.env.CDK_ENV_HOSTED_ZONE;
     if (!resolvedDomain) {
-        throw new cdk.ConfigurationError("No hostname `domain` provided. Set CDK_ENV_DOMAIN or CDK_ENV_HOSTED_ZONE to use environment domain");
+        throw new errors.ConfigurationError("No hostname `domain` provided. Set CDK_ENV_DOMAIN or CDK_ENV_HOSTED_ZONE to use environment domain");
     }
     const resolvedComponent = component === "@" || component === "" ? undefined : component;
     const resolvedSubdomain = subdomain || process.env.CDK_ENV_SUBDOMAIN;
@@ -177,6 +398,55 @@ function envHostname({ component, domain, env, subdomain, } = {}) {
     return parts.join(".");
 }
 
+/**
+ * Extends the Datadog IAM role with additional permissions
+ *
+ * Checks for CDK_ENV_DATADOG_ROLE_ARN environment variable.
+ * If found, creates a custom policy with:
+ * - budgets:ViewBudget
+ * - logs:DescribeLogGroups
+ *
+ * @param scope - The construct scope
+ * @param options - Configuration options
+ * @returns The created Policy, or undefined if CDK_ENV_DATADOG_ROLE_ARN is not set
+ */
+function extendDatadogRole(scope, options) {
+    const datadogRoleArn = process.env.CDK_ENV_DATADOG_ROLE_ARN;
+    // Early return if no Datadog role ARN is configured
+    if (!datadogRoleArn) {
+        return undefined;
+    }
+    const { id = "DatadogCustomPolicy", project, service = CDK$2.SERVICE.DATADOG, } = options || {};
+    // Lookup the Datadog role
+    const datadogRole = awsIam.Role.fromRoleArn(scope, "DatadogRole", datadogRoleArn);
+    // Build policy statements
+    const statements = [
+        // Allow view budget
+        new awsIam.PolicyStatement({
+            actions: ["budgets:ViewBudget"],
+            resources: ["*"],
+        }),
+        // Allow describe log groups
+        new awsIam.PolicyStatement({
+            actions: ["logs:DescribeLogGroups"],
+            resources: ["*"],
+        }),
+    ];
+    // Create the custom policy
+    const datadogCustomPolicy = new awsIam.Policy(scope, id, {
+        roles: [datadogRole],
+        statements,
+    });
+    // Add tags
+    cdk__namespace.Tags.of(datadogCustomPolicy).add(CDK$2.TAG.SERVICE, service);
+    cdk__namespace.Tags.of(datadogCustomPolicy).add(CDK$2.TAG.ROLE, CDK$2.ROLE.MONITORING);
+    cdk__namespace.Tags.of(datadogCustomPolicy).add(CDK$2.TAG.VENDOR, CDK$2.VENDOR.DATADOG);
+    if (project) {
+        cdk__namespace.Tags.of(datadogCustomPolicy).add(CDK$2.TAG.PROJECT, project);
+    }
+    return datadogCustomPolicy;
+}
+
 /**
  * Check if the current environment matches the given environment
  */
@@ -187,13 +457,86 @@ function isEnv(env) {
  * Check if the current environment is production
  */
 function isProductionEnv() {
-    return isEnv(cdk.CDK.ENV.PRODUCTION);
+    return isEnv(CDK$2.ENV.PRODUCTION);
 }
 /**
  * Check if the current environment is sandbox
  */
 function isSandboxEnv() {
-    return isEnv(cdk.CDK.ENV.SANDBOX);
+    return isEnv(CDK$2.ENV.SANDBOX);
+}
+
+// In short the RFC 1035 standard for valid hostnames is:
+// 1. Must be less than 253 characters
+// 2. Must start with a letter
+// 3. Must end with a letter or number
+// 4. Can only contain letters, numbers, and hyphens
+// 5. Last part of the domain must be at least 2 characters
+function validPart$1(part) {
+    if (!part.match(/^[a-z]/))
+        return false;
+    if (!part.match(/[a-z0-9]$/))
+        return false;
+    return /^[a-zA-Z0-9-]+$/.test(part);
+}
+function isValidHostname$1(hostname) {
+    // Check hostname is a string
+    if (typeof hostname !== "string")
+        return false;
+    // Convert hostname to lowercase
+    const check = hostname.toString().toLowerCase();
+    // Check hostname is less than 253 characters
+    if (check.length > 253)
+        return false;
+    // Split on dots
+    const parts = check.split(".");
+    // Check each part is validPart
+    const validParts = parts.map(validPart$1);
+    // Confirm all parts are valid
+    if (!validParts.every((part) => part))
+        return false;
+    // Confirm last part is at least 2 characters
+    const lastPart = parts[parts.length - 1];
+    if (lastPart.length < 2)
+        return false;
+    // Confirm last part is all letters
+    if (!lastPart.match(/^[a-z]+$/))
+        return false;
+    // This is a valid hostname
+    return true;
+}
+
+function validPart(part) {
+    if (!part.match(/^[a-z]/))
+        return false;
+    if (!part.match(/[a-z0-9]$/))
+        return false;
+    return /^[a-zA-Z0-9-]+$/.test(part);
+}
+function isValidSubdomain(subdomain) {
+    // Check subdomain is a string
+    if (typeof subdomain !== "string")
+        return false;
+    // Special case for apex
+    if (subdomain === CDK$2.HOST.APEX)
+        return true;
+    // Convert subdomain to lowercase
+    const check = subdomain.toString().toLowerCase();
+    // Check subdomain is less than 250 characters
+    // We use 250 instead of 253 because we need to leave room for the dot top-level domain
+    if (check.length > 250)
+        return false;
+    // Split on dots
+    const parts = check.split(".");
+    // Check each part is validPart
+    const validParts = parts.map(validPart);
+    // Confirm all parts are valid
+    if (!validParts.every((part) => part))
+        return false;
+    // Do not care if last part is at least 2 characters
+    // Do not care if last part is all letters
+    // This is a valid subdomain
+    return true;
 }
 
 function jaypieLambdaEnv(options = {}) {
@@ -250,6 +593,21 @@ function jaypieLambdaEnv(options = {}) {
     return environment;
 }
 
+function mergeDomain(subDomain, hostedZone) {
+    if (!hostedZone) {
+        throw new errors.ConfigurationError("hostedZone is required");
+    }
+    if (!subDomain) {
+        // Return hostedZone if subDomain is not passed
+        // Pass CDK.HOST.APEX to explicitly indicate apex domain
+        return hostedZone;
+    }
+    if (subDomain === CDK$2.HOST.APEX) {
+        return hostedZone;
+    }
+    return `${subDomain}.${hostedZone}`;
+}
+
 const DEFAULT_FUNCTION_NAME$1 = "DatadogForwarderFunction";
 // Cache to store resolved functions
 // Using nested structure to support multiple functions per scope with automatic GC
@@ -257,7 +615,7 @@ const functionCache = new WeakMap();
 function resolveDatadogForwarderFunction(scope, options) {
     const { import: importValue, name } = options || {};
     const functionName = name || DEFAULT_FUNCTION_NAME$1;
-    const importKey = importValue || cdk.CDK.IMPORT.DATADOG_LOG_FORWARDER;
+    const importKey = importValue || CDK$2.IMPORT.DATADOG_LOG_FORWARDER;
     // Create a cache key based on name and import
     const cacheKey = `${functionName}:${importKey}`;
     // Get or create scope cache
@@ -279,7 +637,7 @@ function resolveDatadogForwarderFunction(scope, options) {
 
 function resolveDatadogLayers(scope, options = {}) {
     const { datadogApiKeyArn, uniqueId } = options;
-    let resolvedRegion = cdk$1.Stack.of(scope).region || "us-east-1";
+    let resolvedRegion = cdk.Stack.of(scope).region || "us-east-1";
     // Resolve the Datadog API key ARN from multiple sources
     const resolvedDatadogApiKeyArn = datadogApiKeyArn ||
         process.env.DATADOG_API_KEY_ARN ||
@@ -290,9 +648,9 @@ function resolveDatadogLayers(scope, options = {}) {
     }
     const layerIdSuffix = uniqueId || process.env.PROJECT_NONCE || Date.now().toString();
     // Create Datadog Node.js layer
-    const datadogNodeLayer = lambda__namespace.LayerVersion.fromLayerVersionArn(scope, `DatadogNodeLayer-${layerIdSuffix}`, `arn:aws:lambda:${resolvedRegion}:464622532012:layer:Datadog-Node20-x:${cdk.CDK.DATADOG.LAYER.NODE}`);
+    const datadogNodeLayer = lambda__namespace.LayerVersion.fromLayerVersionArn(scope, `DatadogNodeLayer-${layerIdSuffix}`, `arn:aws:lambda:${resolvedRegion}:464622532012:layer:Datadog-Node20-x:${CDK$2.DATADOG.LAYER.NODE}`);
     // Create Datadog Extension layer
-    const datadogExtensionLayer = lambda__namespace.LayerVersion.fromLayerVersionArn(scope, `DatadogExtensionLayer-${layerIdSuffix}`, `arn:aws:lambda:${resolvedRegion}:464622532012:layer:Datadog-Extension:${cdk.CDK.DATADOG.LAYER.EXTENSION}`);
+    const datadogExtensionLayer = lambda__namespace.LayerVersion.fromLayerVersionArn(scope, `DatadogExtensionLayer-${layerIdSuffix}`, `arn:aws:lambda:${resolvedRegion}:464622532012:layer:Datadog-Extension:${CDK$2.DATADOG.LAYER.EXTENSION}`);
     return [datadogNodeLayer, datadogExtensionLayer];
 }
 
@@ -304,7 +662,7 @@ function resolveDatadogLoggingDestination(scope, options) {
     const { import: importValue, name } = options || {};
     // Create a cache key based on name and import (same as forwarder function)
     const functionName = name || DEFAULT_FUNCTION_NAME;
-    const importKey = importValue || cdk.CDK.IMPORT.DATADOG_LOG_FORWARDER;
+    const importKey = importValue || CDK$2.IMPORT.DATADOG_LOG_FORWARDER;
     const cacheKey = `${functionName}:${importKey}`;
     // Get or create scope cache
     let scopeCache = destinationCache.get(scope);
@@ -327,7 +685,7 @@ function resolveDatadogLoggingDestination(scope, options) {
 
 function resolveHostedZone(scope, { name = "HostedZone", zone = process.env.CDK_ENV_HOSTED_ZONE, } = {}) {
     if (!zone) {
-        throw new cdk.ConfigurationError("No `zone` provided. Set CDK_ENV_HOSTED_ZONE to use environment zone");
+        throw new errors.ConfigurationError("No `zone` provided. Set CDK_ENV_HOSTED_ZONE to use environment zone");
     }
     if (typeof zone === "string") {
         return route53__namespace.HostedZone.fromLookup(scope, name, {
@@ -360,7 +718,7 @@ const resolveParamsAndSecrets = ({ paramsAndSecrets, options, }) => {
 class JaypieApiGateway extends constructs.Construct {
     constructor(scope, id, props) {
         super(scope, id);
-        const { certificate = true, handler, host: propsHost, name, roleTag = cdk.CDK.ROLE.API, zone: propsZone, } = props;
+        const { certificate = true, handler, host: propsHost, name, roleTag = CDK$2.ROLE.API, zone: propsZone, } = props;
         // Determine zone from props or environment
         let zone = propsZone;
         if (!zone && process.env.CDK_ENV_API_HOSTED_ZONE) {
@@ -374,7 +732,7 @@ class JaypieApiGateway extends constructs.Construct {
             }
             else if (process.env.CDK_ENV_API_SUBDOMAIN &&
                 process.env.CDK_ENV_API_HOSTED_ZONE) {
-                host = cdk.mergeDomain(process.env.CDK_ENV_API_SUBDOMAIN, process.env.CDK_ENV_API_HOSTED_ZONE);
+                host = mergeDomain(process.env.CDK_ENV_API_SUBDOMAIN, process.env.CDK_ENV_API_HOSTED_ZONE);
             }
         }
         const apiGatewayName = name || constructEnvName("ApiGateway");
@@ -389,7 +747,7 @@ class JaypieApiGateway extends constructs.Construct {
                     domainName: host,
                     validation: acm__namespace.CertificateValidation.fromDns(hostedZone),
                 });
-                cdk$1.Tags.of(certificateToUse).add(cdk.CDK.TAG.ROLE, cdk.CDK.ROLE.HOSTING);
+                cdk.Tags.of(certificateToUse).add(CDK$2.TAG.ROLE, CDK$2.ROLE.HOSTING);
             }
             else if (typeof certificate === "object") {
                 certificateToUse = certificate;
@@ -408,19 +766,19 @@ class JaypieApiGateway extends constructs.Construct {
             handler,
             ...lambdaRestApiProps,
         });
-        cdk$1.Tags.of(this._api).add(cdk.CDK.TAG.ROLE, roleTag);
+        cdk.Tags.of(this._api).add(CDK$2.TAG.ROLE, roleTag);
         if (host && certificateToUse && hostedZone) {
             this._domainName = this._api.addDomainName(apiDomainName, {
                 domainName: host,
                 certificate: certificateToUse,
             });
-            cdk$1.Tags.of(this._domainName).add(cdk.CDK.TAG.ROLE, roleTag);
+            cdk.Tags.of(this._domainName).add(CDK$2.TAG.ROLE, roleTag);
             const record = new route53__namespace.ARecord(this, "AliasRecord", {
                 recordName: host,
                 target: route53__namespace.RecordTarget.fromAlias(new route53Targets__namespace.ApiGatewayDomain(this._domainName)),
                 zone: hostedZone,
             });
-            cdk$1.Tags.of(record).add(cdk.CDK.TAG.ROLE, cdk.CDK.ROLE.NETWORKING);
+            cdk.Tags.of(record).add(CDK$2.TAG.ROLE, CDK$2.ROLE.NETWORKING);
         }
     }
     get api() {
@@ -461,8 +819,8 @@ class JaypieApiGateway extends constructs.Construct {
     }
     get env() {
         return {
-            account: cdk$1.Stack.of(this).account,
-            region: cdk$1.Stack.of(this).region,
+            account: cdk.Stack.of(this).account,
+            region: cdk.Stack.of(this).region,
         };
     }
     get stack() {
@@ -505,7 +863,7 @@ class JaypieApiGateway extends constructs.Construct {
     }
 }
 
-class JaypieStack extends cdk$1.Stack {
+class JaypieStack extends cdk.Stack {
     constructor(scope, id, props = {}) {
         const { key, ...stackProps } = props;
         // Handle stackName
@@ -538,7 +896,7 @@ class JaypieAppStack extends JaypieStack {
 class JaypieLambda extends constructs.Construct {
     constructor(scope, id, props) {
         super(scope, id);
-        const { allowAllOutbound, allowPublicSubnet, architecture = lambda__namespace.Architecture.X86_64, code, datadogApiKeyArn, deadLetterQueue, deadLetterQueueEnabled, deadLetterTopic, description, environment: initialEnvironment = {}, envSecrets = {}, ephemeralStorageSize, filesystem, handler = "index.handler", initialPolicy, layers = [], logRetention = cdk.CDK.LAMBDA.LOG_RETENTION, logRetentionRole, logRetentionRetryOptions, maxEventAge, memorySize = cdk.CDK.LAMBDA.MEMORY_SIZE, paramsAndSecrets, paramsAndSecretsOptions, profiling, profilingGroup, provisionedConcurrentExecutions, reservedConcurrentExecutions, retryAttempts, roleTag = cdk.CDK.ROLE.PROCESSING, runtime = lambda__namespace.Runtime.NODEJS_22_X, runtimeManagementMode, secrets = [], securityGroups, timeout = cdk$1.Duration.seconds(cdk.CDK.DURATION.LAMBDA_WORKER), tracing, vendorTag, vpc, vpcSubnets, } = props;
+        const { allowAllOutbound, allowPublicSubnet, architecture = lambda__namespace.Architecture.X86_64, code, datadogApiKeyArn, deadLetterQueue, deadLetterQueueEnabled, deadLetterTopic, description, environment: initialEnvironment = {}, envSecrets = {}, ephemeralStorageSize, filesystem, handler = "index.handler", initialPolicy, layers = [], logRetention = CDK$2.LAMBDA.LOG_RETENTION, logRetentionRole, logRetentionRetryOptions, maxEventAge, memorySize = CDK$2.LAMBDA.MEMORY_SIZE, paramsAndSecrets, paramsAndSecretsOptions, profiling, profilingGroup, provisionedConcurrentExecutions, reservedConcurrentExecutions, retryAttempts, roleTag = CDK$2.ROLE.PROCESSING, runtime = lambda__namespace.Runtime.NODEJS_22_X, runtimeManagementMode, secrets = [], securityGroups, timeout = cdk.Duration.seconds(CDK$2.DURATION.LAMBDA_WORKER), tracing, vendorTag, vpc, vpcSubnets, } = props;
         // Get base environment with defaults
         const environment = jaypieLambdaEnv({ initialEnvironment });
         const codeAsset = typeof code === "string" ? lambda__namespace.Code.fromAsset(code) : code;
@@ -597,14 +955,14 @@ class JaypieLambda extends constructs.Construct {
             runtime,
             runtimeManagementMode,
             securityGroups,
-            timeout: typeof timeout === "number" ? cdk$1.Duration.seconds(timeout) : timeout,
+            timeout: typeof timeout === "number" ? cdk.Duration.seconds(timeout) : timeout,
             tracing,
             vpc,
             vpcSubnets,
             // Enable auto-publishing of versions when using provisioned concurrency
             currentVersionOptions: provisionedConcurrentExecutions !== undefined
                 ? {
-                    removalPolicy: cdk$1.RemovalPolicy.RETAIN,
+                    removalPolicy: cdk.RemovalPolicy.RETAIN,
                     description: "Auto-published version for provisioned concurrency",
                     // Don't set provisioned concurrency here - it will be set on the alias
                 }
@@ -633,10 +991,10 @@ class JaypieLambda extends constructs.Construct {
             this._provisioned.node.addDependency(version);
         }
         if (roleTag) {
-            cdk$1.Tags.of(this._lambda).add(cdk.CDK.TAG.ROLE, roleTag);
+            cdk.Tags.of(this._lambda).add(CDK$2.TAG.ROLE, roleTag);
         }
         if (vendorTag) {
-            cdk$1.Tags.of(this._lambda).add(cdk.CDK.TAG.VENDOR, vendorTag);
+            cdk.Tags.of(this._lambda).add(CDK$2.TAG.VENDOR, vendorTag);
         }
         // Assign _reference based on provisioned state
         this._reference =
@@ -739,8 +1097,8 @@ class JaypieLambda extends constructs.Construct {
     }
     get env() {
         return {
-            account: cdk$1.Stack.of(this).account,
-            region: cdk$1.Stack.of(this).region,
+            account: cdk.Stack.of(this).account,
+            region: cdk.Stack.of(this).region,
         };
     }
     get stack() {
@@ -757,19 +1115,19 @@ class JaypieLambda extends constructs.Construct {
 class JaypieQueuedLambda extends constructs.Construct {
     constructor(scope, id, props) {
         super(scope, id);
-        const { allowAllOutbound, allowPublicSubnet, architecture, batchSize = 1, code, datadogApiKeyArn, deadLetterQueue, deadLetterQueueEnabled, deadLetterTopic, description, environment = {}, envSecrets = {}, ephemeralStorageSize, fifo = true, filesystem, handler = "index.handler", initialPolicy, layers = [], logRetention = cdk.CDK.LAMBDA.LOG_RETENTION, logRetentionRole, logRetentionRetryOptions, maxEventAge, memorySize = cdk.CDK.LAMBDA.MEMORY_SIZE, paramsAndSecrets, paramsAndSecretsOptions, profiling, profilingGroup, provisionedConcurrentExecutions, reservedConcurrentExecutions, retryAttempts, roleTag, runtime = lambda__namespace.Runtime.NODEJS_22_X, runtimeManagementMode, secrets = [], securityGroups, timeout = cdk$1.Duration.seconds(cdk.CDK.DURATION.LAMBDA_WORKER), tracing, vendorTag, visibilityTimeout = cdk$1.Duration.seconds(cdk.CDK.DURATION.LAMBDA_WORKER), vpc, vpcSubnets, } = props;
+        const { allowAllOutbound, allowPublicSubnet, architecture, batchSize = 1, code, datadogApiKeyArn, deadLetterQueue, deadLetterQueueEnabled, deadLetterTopic, description, environment = {}, envSecrets = {}, ephemeralStorageSize, fifo = true, filesystem, handler = "index.handler", initialPolicy, layers = [], logRetention = CDK$2.LAMBDA.LOG_RETENTION, logRetentionRole, logRetentionRetryOptions, maxEventAge, memorySize = CDK$2.LAMBDA.MEMORY_SIZE, paramsAndSecrets, paramsAndSecretsOptions, profiling, profilingGroup, provisionedConcurrentExecutions, reservedConcurrentExecutions, retryAttempts, roleTag, runtime = lambda__namespace.Runtime.NODEJS_22_X, runtimeManagementMode, secrets = [], securityGroups, timeout = cdk.Duration.seconds(CDK$2.DURATION.LAMBDA_WORKER), tracing, vendorTag, visibilityTimeout = cdk.Duration.seconds(CDK$2.DURATION.LAMBDA_WORKER), vpc, vpcSubnets, } = props;
         // Create SQS Queue
         this._queue = new sqs__namespace.Queue(this, "Queue", {
             fifo,
             visibilityTimeout: typeof visibilityTimeout === "number"
-                ? cdk$1.Duration.seconds(visibilityTimeout)
+                ? cdk.Duration.seconds(visibilityTimeout)
                 : visibilityTimeout,
         });
         if (roleTag) {
-            cdk$1.Tags.of(this._queue).add(cdk.CDK.TAG.ROLE, roleTag);
+            cdk.Tags.of(this._queue).add(CDK$2.TAG.ROLE, roleTag);
         }
         if (vendorTag) {
-            cdk$1.Tags.of(this._queue).add(cdk.CDK.TAG.VENDOR, vendorTag);
+            cdk.Tags.of(this._queue).add(CDK$2.TAG.VENDOR, vendorTag);
         }
         // Create Lambda with JaypieLambda
         this._lambdaConstruct = new JaypieLambda(this, "Function", {
@@ -914,12 +1272,12 @@ class JaypieQueuedLambda extends constructs.Construct {
     }
     get env() {
         return {
-            account: cdk$1.Stack.of(this).account,
-            region: cdk$1.Stack.of(this).region,
+            account: cdk.Stack.of(this).account,
+            region: cdk.Stack.of(this).region,
         };
     }
     get stack() {
-        return cdk$1.Stack.of(this);
+        return cdk.Stack.of(this);
     }
     applyRemovalPolicy(policy) {
         this._lambdaConstruct.applyRemovalPolicy(policy);
@@ -997,15 +1355,15 @@ class JaypieBucketQueuedLambda extends JaypieQueuedLambda {
         // Create S3 Bucket
         this._bucket = new s3__namespace.Bucket(this, "Bucket", {
             bucketName: bucketOptions.bucketName || bucketName,
-            removalPolicy: bucketOptions.removalPolicy || cdk$1.RemovalPolicy.RETAIN,
+            removalPolicy: bucketOptions.removalPolicy || cdk.RemovalPolicy.RETAIN,
             ...bucketOptions,
         });
         // Add tags to bucket
         if (roleTag) {
-            cdk$1.Tags.of(this._bucket).add(cdk.CDK.TAG.ROLE, roleTag);
+            cdk.Tags.of(this._bucket).add(CDK$2.TAG.ROLE, roleTag);
         }
         if (vendorTag) {
-            cdk$1.Tags.of(this._bucket).add(cdk.CDK.TAG.VENDOR, vendorTag);
+            cdk.Tags.of(this._bucket).add(CDK$2.TAG.VENDOR, vendorTag);
         }
         // Add an event notification from the bucket to the queue
         this._bucket.addEventNotification(s3__namespace.EventType.OBJECT_CREATED, new s3n__namespace.SqsDestination(this.queue));
@@ -1128,15 +1486,184 @@ class JaypieBucketQueuedLambda extends JaypieQueuedLambda {
     }
 }
 
+class JaypieDatadogBucket extends constructs.Construct {
+    /**
+     * Create a new S3 bucket for Datadog log archiving with automatic IAM permissions
+     */
+    constructor(scope, idOrProps, propsOrUndefined) {
+        // Handle overloaded constructor signatures
+        let props;
+        let id;
+        if (typeof idOrProps === "string") {
+            // First param is ID, second is props
+            props = propsOrUndefined || {};
+            id = idOrProps;
+        }
+        else {
+            // First param is props
+            props = idOrProps || {};
+            id = props.id || "DatadogArchiveBucket";
+        }
+        super(scope, id);
+        // Extract Jaypie-specific options
+        // eslint-disable-next-line @typescript-eslint/no-unused-vars
+        const { grantDatadogAccess = true, id: _id, project, service = CDK$2.SERVICE.DATADOG, ...bucketProps } = props;
+        // Create the bucket
+        this.bucket = new s3.Bucket(this, "Bucket", bucketProps);
+        // Add tags to bucket
+        cdk__namespace.Tags.of(this.bucket).add(CDK$2.TAG.SERVICE, service);
+        cdk__namespace.Tags.of(this.bucket).add(CDK$2.TAG.ROLE, CDK$2.ROLE.MONITORING);
+        if (project) {
+            cdk__namespace.Tags.of(this.bucket).add(CDK$2.TAG.PROJECT, project);
+        }
+        // Grant Datadog role access to bucket if enabled
+        if (grantDatadogAccess) {
+            this.policy = this.grantDatadogRoleBucketAccess({ project, service });
+        }
+    }
+    /**
+     * Grants the Datadog IAM role access to this bucket
+     *
+     * Checks for CDK_ENV_DATADOG_ROLE_ARN environment variable.
+     * If found, creates a custom policy with:
+     * - s3:ListBucket on bucket
+     * - s3:GetObject and s3:PutObject on bucket/*
+     *
+     * @param options - Configuration options
+     * @returns The created Policy, or undefined if CDK_ENV_DATADOG_ROLE_ARN is not set
+     */
+    grantDatadogRoleBucketAccess(options) {
+        const datadogRoleArn = process.env.CDK_ENV_DATADOG_ROLE_ARN;
+        // Early return if no Datadog role ARN is configured
+        if (!datadogRoleArn) {
+            return undefined;
+        }
+        const { project, service = CDK$2.SERVICE.DATADOG } = options || {};
+        // Lookup the Datadog role
+        const datadogRole = awsIam.Role.fromRoleArn(this, "DatadogRole", datadogRoleArn);
+        // Build policy statements for bucket access
+        const statements = [
+            // Allow list bucket
+            new awsIam.PolicyStatement({
+                actions: ["s3:ListBucket"],
+                resources: [this.bucket.bucketArn],
+            }),
+            // Allow read and write to the bucket
+            new awsIam.PolicyStatement({
+                actions: ["s3:GetObject", "s3:PutObject"],
+                resources: [`${this.bucket.bucketArn}/*`],
+            }),
+        ];
+        // Create the custom policy
+        const datadogBucketPolicy = new awsIam.Policy(this, "DatadogBucketPolicy", {
+            roles: [datadogRole],
+            statements,
+        });
+        // Add tags
+        cdk__namespace.Tags.of(datadogBucketPolicy).add(CDK$2.TAG.SERVICE, service);
+        cdk__namespace.Tags.of(datadogBucketPolicy).add(CDK$2.TAG.ROLE, CDK$2.ROLE.MONITORING);
+        cdk__namespace.Tags.of(datadogBucketPolicy).add(CDK$2.TAG.VENDOR, CDK$2.VENDOR.DATADOG);
+        if (project) {
+            cdk__namespace.Tags.of(datadogBucketPolicy).add(CDK$2.TAG.PROJECT, project);
+        }
+        return datadogBucketPolicy;
+    }
+}
+
+const DATADOG_FORWARDER_TEMPLATE_URL = "https://datadog-cloudformation-template.s3.amazonaws.com/aws/forwarder/latest.yaml";
+const DEFAULT_RESERVED_CONCURRENCY = "10";
+class JaypieDatadogForwarder extends constructs.Construct {
+    /**
+     * Create a new Datadog forwarder with CloudFormation nested stack
+     */
+    constructor(scope, idOrProps, propsOrUndefined) {
+        // Handle overloaded constructor signatures
+        let props;
+        let id;
+        if (typeof idOrProps === "string") {
+            // First param is ID, second is props
+            props = propsOrUndefined || {};
+            id = idOrProps;
+        }
+        else {
+            // First param is props
+            props = idOrProps || {};
+            id = props.id || "DatadogForwarder";
+        }
+        super(scope, id);
+        // Resolve options with defaults
+        const { account = process.env.CDK_ENV_ACCOUNT, additionalTags, createOutput = true, datadogApiKey = process.env.CDK_ENV_DATADOG_API_KEY, enableCloudFormationEvents = true, enableRoleExtension = true, exportName = CDK$2.IMPORT.DATADOG_LOG_FORWARDER, project, reservedConcurrency = DEFAULT_RESERVED_CONCURRENCY, service = CDK$2.VENDOR.DATADOG, templateUrl = DATADOG_FORWARDER_TEMPLATE_URL, } = props;
+        // Validate required parameters
+        if (!datadogApiKey) {
+            throw new Error("Datadog API key is required. Provide via datadogApiKey prop or CDK_ENV_DATADOG_API_KEY environment variable.");
+        }
+        // Build Datadog tags
+        let ddTags = account ? `account:${account}` : "";
+        if (additionalTags) {
+            ddTags = ddTags ? `${ddTags},${additionalTags}` : additionalTags;
+        }
+        // Deploy Datadog CloudFormation stack
+        this.cfnStack = new cdk.CfnStack(this, "Stack", {
+            parameters: {
+                DdApiKey: datadogApiKey,
+                DdTags: ddTags,
+                ReservedConcurrency: reservedConcurrency,
+            },
+            templateUrl,
+        });
+        // Add tags to stack
+        cdk__namespace.Tags.of(this.cfnStack).add(CDK$2.TAG.ROLE, CDK$2.ROLE.MONITORING);
+        cdk__namespace.Tags.of(this.cfnStack).add(CDK$2.TAG.SERVICE, service);
+        cdk__namespace.Tags.of(this.cfnStack).add(CDK$2.TAG.VENDOR, CDK$2.VENDOR.DATADOG);
+        if (project) {
+            cdk__namespace.Tags.of(this.cfnStack).add(CDK$2.TAG.PROJECT, project);
+        }
+        // Extract forwarder function from stack outputs
+        this.forwarderFunction = lambda__namespace.Function.fromFunctionArn(this, "Function", this.cfnStack.getAtt("Outputs.DatadogForwarderArn").toString());
+        // Extend Datadog role with custom permissions if enabled
+        if (enableRoleExtension) {
+            extendDatadogRole(this, { project, service });
+        }
+        // Create CloudFormation events rule if enabled
+        if (enableCloudFormationEvents) {
+            this.eventsRule = new awsEvents.Rule(this, "CloudFormationEventsRule", {
+                eventPattern: {
+                    source: ["aws.cloudformation"],
+                },
+                targets: [
+                    new awsEventsTargets.LambdaFunction(this.forwarderFunction, {
+                        event: awsEvents.RuleTargetInput.fromEventPath("$"),
+                    }),
+                ],
+            });
+            // Add tags to events rule
+            cdk__namespace.Tags.of(this.eventsRule).add(CDK$2.TAG.ROLE, CDK$2.ROLE.MONITORING);
+            cdk__namespace.Tags.of(this.eventsRule).add(CDK$2.TAG.SERVICE, service);
+            cdk__namespace.Tags.of(this.eventsRule).add(CDK$2.TAG.VENDOR, CDK$2.VENDOR.DATADOG);
+            if (project) {
+                cdk__namespace.Tags.of(this.eventsRule).add(CDK$2.TAG.PROJECT, project);
+            }
+        }
+        // Create CloudFormation output if enabled
+        if (createOutput) {
+            new cdk__namespace.CfnOutput(this, "ForwarderArnOutput", {
+                description: "Datadog Log Forwarder Lambda ARN",
+                exportName,
+                value: this.cfnStack.getAtt("Outputs.DatadogForwarderArn").toString(),
+            });
+        }
+    }
+}
+
 // It is a consumer if the environment is ephemeral
 function checkEnvIsConsumer(env = process.env) {
-    return (env.PROJECT_ENV === cdk.CDK.ENV.PERSONAL ||
+    return (env.PROJECT_ENV === CDK$2.ENV.PERSONAL ||
         !!env.CDK_ENV_PERSONAL ||
         /** @deprecated */ env.PROJECT_ENV === "ephemeral" ||
         /** @deprecated */ !!env.CDK_ENV_EPHEMERAL);
 }
 function checkEnvIsProvider(env = process.env) {
-    return env.PROJECT_ENV === cdk.CDK.ENV.SANDBOX;
+    return env.PROJECT_ENV === CDK$2.ENV.SANDBOX;
 }
 function cleanName(name) {
     return name.replace(/[^a-zA-Z0-9:-]/g, "");
@@ -1150,7 +1677,7 @@ function exportEnvName(name, env = process.env) {
     }
     else {
         if (checkEnvIsConsumer(env)) {
-            rawName = `env-${cdk.CDK.ENV.SANDBOX}-${env.PROJECT_KEY}-${name}`;
+            rawName = `env-${CDK$2.ENV.SANDBOX}-${env.PROJECT_KEY}-${name}`;
         }
         else {
             rawName = `env-${env.PROJECT_ENV}-${env.PROJECT_KEY}-${name}`;
@@ -1171,10 +1698,10 @@ class JaypieEnvSecret extends constructs.Construct {
             exportName = cleanName(exportParam);
         }
         if (consumer) {
-            const secretName = cdk$1.Fn.importValue(exportName);
+            const secretName = cdk.Fn.importValue(exportName);
             this._secret = secretsmanager__namespace.Secret.fromSecretNameV2(this, id, secretName);
             // Add CfnOutput for consumer secrets
-            new cdk$1.CfnOutput(this, `ConsumedName`, {
+            new cdk.CfnOutput(this, `ConsumedName`, {
                 value: this._secret.secretName,
             });
         }
@@ -1183,24 +1710,24 @@ class JaypieEnvSecret extends constructs.Construct {
             const secretProps = {
                 generateSecretString,
                 secretStringValue: !generateSecretString && secretValue
-                    ? cdk$1.SecretValue.unsafePlainText(secretValue)
+                    ? cdk.SecretValue.unsafePlainText(secretValue)
                     : undefined,
             };
             this._secret = new secretsmanager__namespace.Secret(this, id, secretProps);
             if (roleTag) {
-                cdk$1.Tags.of(this._secret).add(cdk.CDK.TAG.ROLE, roleTag);
+                cdk.Tags.of(this._secret).add(CDK$2.TAG.ROLE, roleTag);
             }
             if (vendorTag) {
-                cdk$1.Tags.of(this._secret).add(cdk.CDK.TAG.VENDOR, vendorTag);
+                cdk.Tags.of(this._secret).add(CDK$2.TAG.VENDOR, vendorTag);
             }
             if (provider) {
-                new cdk$1.CfnOutput(this, `ProvidedName`, {
+                new cdk.CfnOutput(this, `ProvidedName`, {
                     value: this._secret.secretName,
                     exportName,
                 });
             }
             else {
-                new cdk$1.CfnOutput(this, `CreatedName`, {
+                new cdk.CfnOutput(this, `CreatedName`, {
                     value: this._secret.secretName,
                 });
             }
@@ -1208,12 +1735,12 @@ class JaypieEnvSecret extends constructs.Construct {
     }
     // IResource implementation
     get stack() {
-        return cdk$1.Stack.of(this);
+        return cdk.Stack.of(this);
     }
     get env() {
         return {
-            account: cdk$1.Stack.of(this).account,
-            region: cdk$1.Stack.of(this).region,
+            account: cdk.Stack.of(this).account,
+            region: cdk.Stack.of(this).region,
         };
     }
     applyRemovalPolicy(policy) {
@@ -1265,8 +1792,8 @@ class JaypieDatadogSecret extends JaypieEnvSecret {
     constructor(scope, id = "MongoConnectionString", props) {
         const defaultProps = {
             envKey: "DATADOG_API_KEY",
-            roleTag: cdk.CDK.ROLE.MONITORING,
-            vendorTag: cdk.CDK.VENDOR.DATADOG,
+            roleTag: CDK$2.ROLE.MONITORING,
+            vendorTag: CDK$2.VENDOR.DATADOG,
             ...props,
         };
         super(scope, id, defaultProps);
@@ -1277,7 +1804,7 @@ class JaypieDnsRecord extends constructs.Construct {
     constructor(scope, id, props) {
         super(scope, id);
         const { comment, recordName, type, values } = props;
-        const ttl = props.ttl || cdk__namespace.Duration.seconds(cdk.CDK.DNS.CONFIG.TTL);
+        const ttl = props.ttl || cdk__namespace.Duration.seconds(CDK$2.DNS.CONFIG.TTL);
         // Resolve the hosted zone (supports both string and IHostedZone)
         const zone = resolveHostedZone(scope, {
             name: `${id}HostedZone`,
@@ -1292,9 +1819,9 @@ class JaypieDnsRecord extends constructs.Construct {
         };
         // Create the appropriate record based on type
         switch (type) {
-            case cdk.CDK.DNS.RECORD.A: {
+            case CDK$2.DNS.RECORD.A: {
                 if (!Array.isArray(values) || values.length === 0) {
-                    throw new cdk.ConfigurationError("A record requires at least one IP address");
+                    throw new errors.ConfigurationError("A record requires at least one IP address");
                 }
                 this.record = new route53.ARecord(this, "Record", {
                     ...baseProps,
@@ -1302,9 +1829,9 @@ class JaypieDnsRecord extends constructs.Construct {
                 });
                 break;
             }
-            case cdk.CDK.DNS.RECORD.CNAME: {
+            case CDK$2.DNS.RECORD.CNAME: {
                 if (!Array.isArray(values) || values.length === 0) {
-                    throw new cdk.ConfigurationError("CNAME record requires a domain name");
+                    throw new errors.ConfigurationError("CNAME record requires a domain name");
                 }
                 this.record = new route53.CnameRecord(this, "Record", {
                     ...baseProps,
@@ -1312,9 +1839,9 @@ class JaypieDnsRecord extends constructs.Construct {
                 });
                 break;
             }
-            case cdk.CDK.DNS.RECORD.MX: {
+            case CDK$2.DNS.RECORD.MX: {
                 if (!Array.isArray(values) || values.length === 0) {
-                    throw new cdk.ConfigurationError("MX record requires at least one mail server");
+                    throw new errors.ConfigurationError("MX record requires at least one mail server");
                 }
                 this.record = new route53.MxRecord(this, "Record", {
                     ...baseProps,
@@ -1322,9 +1849,9 @@ class JaypieDnsRecord extends constructs.Construct {
                 });
                 break;
             }
-            case cdk.CDK.DNS.RECORD.NS: {
+            case CDK$2.DNS.RECORD.NS: {
                 if (!Array.isArray(values) || values.length === 0) {
-                    throw new cdk.ConfigurationError("NS record requires at least one name server");
+                    throw new errors.ConfigurationError("NS record requires at least one name server");
                 }
                 this.record = new route53.NsRecord(this, "Record", {
                     ...baseProps,
@@ -1332,9 +1859,9 @@ class JaypieDnsRecord extends constructs.Construct {
                 });
                 break;
             }
-            case cdk.CDK.DNS.RECORD.TXT: {
+            case CDK$2.DNS.RECORD.TXT: {
                 if (!Array.isArray(values) || values.length === 0) {
-                    throw new cdk.ConfigurationError("TXT record requires at least one value");
+                    throw new errors.ConfigurationError("TXT record requires at least one value");
                 }
                 this.record = new route53.TxtRecord(this, "Record", {
                     ...baseProps,
@@ -1343,26 +1870,106 @@ class JaypieDnsRecord extends constructs.Construct {
                 break;
             }
             default:
-                throw new cdk.ConfigurationError(`Unsupported DNS record type: ${type}. Supported types: A, CNAME, MX, NS, TXT`);
+                throw new errors.ConfigurationError(`Unsupported DNS record type: ${type}. Supported types: A, CNAME, MX, NS, TXT`);
         }
         // Add standard tags to the DNS record
-        cdk__namespace.Tags.of(this.record).add(cdk.CDK.TAG.SERVICE, cdk.CDK.SERVICE.INFRASTRUCTURE);
-        cdk__namespace.Tags.of(this.record).add(cdk.CDK.TAG.ROLE, cdk.CDK.ROLE.NETWORKING);
+        cdk__namespace.Tags.of(this.record).add(CDK$2.TAG.SERVICE, CDK$2.SERVICE.INFRASTRUCTURE);
+        cdk__namespace.Tags.of(this.record).add(CDK$2.TAG.ROLE, CDK$2.ROLE.NETWORKING);
+    }
+}
+
+class JaypieEventsRule extends constructs.Construct {
+    /**
+     * Create a new EventBridge rule that targets a Lambda function
+     */
+    constructor(scope, idOrSourceOrProps, propsOrUndefined) {
+        // Handle overloaded constructor signatures
+        let props;
+        let id;
+        if (typeof idOrSourceOrProps === "string") {
+            // Check if it looks like an AWS source (starts with "aws.")
+            if (idOrSourceOrProps.startsWith("aws.")) {
+                // First param is source, second is props
+                props = propsOrUndefined || {};
+                props.source = idOrSourceOrProps;
+                // Generate ID from source
+                const sourceName = idOrSourceOrProps
+                    .replace("aws.", "")
+                    .split(".")
+                    .map((part) => part.charAt(0).toUpperCase() + part.slice(1))
+                    .join("");
+                id = props.id || `${sourceName}EventsRule`;
+            }
+            else {
+                // First param is ID, second is props
+                props = propsOrUndefined || {};
+                id = idOrSourceOrProps;
+            }
+        }
+        else {
+            // First param is props
+            props = idOrSourceOrProps || {};
+            if (props.source) {
+                const sourceName = typeof props.source === "string"
+                    ? props.source
+                        .replace("aws.", "")
+                        .split(".")
+                        .map((part) => part.charAt(0).toUpperCase() + part.slice(1))
+                        .join("")
+                    : "Events";
+                id = props.id || `${sourceName}EventsRule`;
+            }
+            else {
+                id = props.id || "EventsRule";
+            }
+        }
+        super(scope, id);
+        // Extract Jaypie-specific options
+        const { id: _id, project, service = CDK$2.SERVICE.DATADOG, source, targetFunction, vendor = CDK$2.VENDOR.DATADOG, ...ruleProps } = props;
+        // Resolve target function
+        this.targetFunction =
+            targetFunction || resolveDatadogForwarderFunction(scope);
+        // Build event pattern if source is specified
+        const eventPattern = source
+            ? {
+                ...ruleProps.eventPattern,
+                source: Array.isArray(source) ? source : [source],
+            }
+            : ruleProps.eventPattern;
+        // Build rule props
+        const finalRuleProps = {
+            ...ruleProps,
+            eventPattern,
+            targets: [
+                new awsEventsTargets.LambdaFunction(this.targetFunction, {
+                    event: awsEvents.RuleTargetInput.fromEventPath("$"),
+                }),
+            ],
+        };
+        // Create the rule
+        this.rule = new awsEvents.Rule(this, "Rule", finalRuleProps);
+        // Add tags
+        cdk__namespace.Tags.of(this.rule).add(CDK$2.TAG.ROLE, CDK$2.ROLE.MONITORING);
+        cdk__namespace.Tags.of(this.rule).add(CDK$2.TAG.SERVICE, service);
+        cdk__namespace.Tags.of(this.rule).add(CDK$2.TAG.VENDOR, vendor);
+        if (project) {
+            cdk__namespace.Tags.of(this.rule).add(CDK$2.TAG.PROJECT, project);
+        }
     }
 }
 
 class JaypieGitHubDeployRole extends constructs.Construct {
     constructor(scope, id = "GitHubDeployRole", props = {}) {
         super(scope, id);
-        const { oidcProviderArn = cdk$1.Fn.importValue(cdk.CDK.IMPORT.OIDC_PROVIDER), output = true, repoRestriction: propsRepoRestriction, } = props;
+        const { oidcProviderArn = cdk.Fn.importValue(CDK$2.IMPORT.OIDC_PROVIDER), output = true, repoRestriction: propsRepoRestriction, } = props;
         // Extract account ID from the scope
-        const accountId = cdk$1.Stack.of(this).account;
+        const accountId = cdk.Stack.of(this).account;
         // Resolve repoRestriction from props or environment variables
         let repoRestriction = propsRepoRestriction;
         if (!repoRestriction) {
             const envRepo = process.env.CDK_ENV_REPO || process.env.PROJECT_REPO;
             if (!envRepo) {
-                throw new cdk.ConfigurationError("No repoRestriction provided. Set repoRestriction prop, CDK_ENV_REPO, or PROJECT_REPO environment variable");
+                throw new errors.ConfigurationError("No repoRestriction provided. Set repoRestriction prop, CDK_ENV_REPO, or PROJECT_REPO environment variable");
             }
             // Extract organization from owner/repo format and create org-wide restriction
             const organization = envRepo.split("/")[0];
@@ -1375,10 +1982,10 @@ class JaypieGitHubDeployRole extends constructs.Construct {
                     "token.actions.githubusercontent.com:sub": repoRestriction,
                 },
             }, "sts:AssumeRoleWithWebIdentity"),
-            maxSessionDuration: cdk$1.Duration.hours(1),
+            maxSessionDuration: cdk.Duration.hours(1),
             path: "/",
         });
-        cdk$1.Tags.of(this._role).add(cdk.CDK.TAG.ROLE, cdk.CDK.ROLE.DEPLOY);
+        cdk.Tags.of(this._role).add(CDK$2.TAG.ROLE, CDK$2.ROLE.DEPLOY);
         // Allow the role to access the GitHub OIDC provider
         this._role.addToPolicy(new awsIam.PolicyStatement({
             actions: ["sts:AssumeRoleWithWebIdentity"],
@@ -1417,7 +2024,7 @@ class JaypieGitHubDeployRole extends constructs.Construct {
         // Export the ARN of the role
         if (output !== false) {
             const outputId = typeof output === "string" ? output : "GitHubActionsRoleArn";
-            new cdk$1.CfnOutput(this, outputId, {
+            new cdk.CfnOutput(this, outputId, {
                 value: this._role.roleArn,
             });
         }
@@ -1436,8 +2043,8 @@ class JaypieGitHubDeployRole extends constructs.Construct {
 class JaypieExpressLambda extends JaypieLambda {
     constructor(scope, id, props) {
         super(scope, id, {
-            timeout: cdk$1.Duration.seconds(cdk.CDK.DURATION.EXPRESS_API),
-            roleTag: cdk.CDK.ROLE.API,
+            timeout: cdk.Duration.seconds(CDK$2.DURATION.EXPRESS_API),
+            roleTag: CDK$2.ROLE.API,
             ...props,
         });
     }
@@ -1497,7 +2104,7 @@ class JaypieHostedZone extends constructs.Construct {
         super(scope, id);
         const { zoneName, project } = props;
         const destination = props.destination ?? true;
-        const service = props.service || cdk.CDK.SERVICE.INFRASTRUCTURE;
+        const service = props.service || CDK$2.SERVICE.INFRASTRUCTURE;
         // Create the log group
         this.logGroup = new awsLogs.LogGroup(this, "LogGroup", {
             logGroupName: process.env.PROJECT_NONCE
@@ -1506,10 +2113,10 @@ class JaypieHostedZone extends constructs.Construct {
             retention: awsLogs.RetentionDays.ONE_WEEK,
         });
         // Add tags
-        cdk__namespace.Tags.of(this.logGroup).add(cdk.CDK.TAG.SERVICE, service);
-        cdk__namespace.Tags.of(this.logGroup).add(cdk.CDK.TAG.ROLE, cdk.CDK.ROLE.NETWORKING);
+        cdk__namespace.Tags.of(this.logGroup).add(CDK$2.TAG.SERVICE, service);
+        cdk__namespace.Tags.of(this.logGroup).add(CDK$2.TAG.ROLE, CDK$2.ROLE.NETWORKING);
         if (project) {
-            cdk__namespace.Tags.of(this.logGroup).add(cdk.CDK.TAG.PROJECT, project);
+            cdk__namespace.Tags.of(this.logGroup).add(CDK$2.TAG.PROJECT, project);
         }
         // Grant Route 53 permissions to write to the log group
         this.logGroup.grantWrite(new awsIam.ServicePrincipal(SERVICE.ROUTE53));
@@ -1529,10 +2136,10 @@ class JaypieHostedZone extends constructs.Construct {
             zoneName,
         });
         // Add tags
-        cdk__namespace.Tags.of(this.hostedZone).add(cdk.CDK.TAG.SERVICE, service);
-        cdk__namespace.Tags.of(this.hostedZone).add(cdk.CDK.TAG.ROLE, cdk.CDK.ROLE.NETWORKING);
+        cdk__namespace.Tags.of(this.hostedZone).add(CDK$2.TAG.SERVICE, service);
+        cdk__namespace.Tags.of(this.hostedZone).add(CDK$2.TAG.ROLE, CDK$2.ROLE.NETWORKING);
         if (project) {
-            cdk__namespace.Tags.of(this.hostedZone).add(cdk.CDK.TAG.PROJECT, project);
+            cdk__namespace.Tags.of(this.hostedZone).add(CDK$2.TAG.PROJECT, project);
         }
         // Create DNS records if provided
         this.dnsRecords = [];
@@ -1567,7 +2174,7 @@ class JaypieInfrastructureStack extends JaypieStack {
         super(scope, id, { key, ...stackProps });
         // Add infrastructure-specific tag
         if (process.env.CDK_ENV_INFRASTRUCTURE_STACK_SHA) {
-            cdk$1.Tags.of(this).add(CDK.TAG.STACK_SHA, process.env.CDK_ENV_INFRASTRUCTURE_STACK_SHA);
+            cdk.Tags.of(this).add(CDK.TAG.STACK_SHA, process.env.CDK_ENV_INFRASTRUCTURE_STACK_SHA);
         }
     }
 }
@@ -1576,8 +2183,8 @@ class JaypieMongoDbSecret extends JaypieEnvSecret {
     constructor(scope, id = "MongoConnectionString", props) {
         const defaultProps = {
             envKey: "MONGODB_URI",
-            roleTag: cdk.CDK.ROLE.STORAGE,
-            vendorTag: cdk.CDK.VENDOR.MONGODB,
+            roleTag: CDK$2.ROLE.STORAGE,
+            vendorTag: CDK$2.VENDOR.MONGODB,
             ...props,
         };
         super(scope, id, defaultProps);
@@ -1588,14 +2195,108 @@ class JaypieOpenAiSecret extends JaypieEnvSecret {
     constructor(scope, id = "OpenAiApiKey", props) {
         const defaultProps = {
             envKey: "OPENAI_API_KEY",
-            roleTag: cdk.CDK.ROLE.PROCESSING,
-            vendorTag: cdk.CDK.VENDOR.OPENAI,
+            roleTag: CDK$2.ROLE.PROCESSING,
+            vendorTag: CDK$2.VENDOR.OPENAI,
             ...props,
         };
         super(scope, id, defaultProps);
     }
 }
 
+class JaypieOrganizationTrail extends constructs.Construct {
+    /**
+     * Create a new organization CloudTrail with S3 bucket and lifecycle policies
+     */
+    constructor(scope, idOrProps, propsOrUndefined) {
+        // Handle overloaded constructor signatures
+        let props;
+        let id;
+        if (typeof idOrProps === "string") {
+            // First param is ID, second is props
+            props = propsOrUndefined || {};
+            id = idOrProps;
+        }
+        else {
+            // First param is props
+            props = idOrProps || {};
+            const defaultName = process.env.PROJECT_NONCE
+                ? `organization-cloudtrail-${process.env.PROJECT_NONCE}`
+                : "organization-cloudtrail";
+            id = props.id || `${props.trailName || defaultName}-Trail`;
+        }
+        super(scope, id);
+        // Resolve options with defaults
+        const { bucketName = process.env.PROJECT_NONCE
+            ? `organization-cloudtrail-${process.env.PROJECT_NONCE}`
+            : "organization-cloudtrail", enableDatadogNotifications = true, enableFileValidation = false, expirationDays = 365, glacierTransitionDays = 180, infrequentAccessTransitionDays = 30, project, service = CDK$2.SERVICE.INFRASTRUCTURE, trailName = process.env.PROJECT_NONCE
+            ? `organization-cloudtrail-${process.env.PROJECT_NONCE}`
+            : "organization-cloudtrail", } = props;
+        // Create the S3 bucket for CloudTrail logs
+        this.bucket = new s3.Bucket(this, "Bucket", {
+            accessControl: s3.BucketAccessControl.LOG_DELIVERY_WRITE,
+            bucketName,
+            lifecycleRules: [
+                {
+                    expiration: cdk__namespace.Duration.days(expirationDays),
+                    transitions: [
+                        {
+                            storageClass: s3.StorageClass.INFREQUENT_ACCESS,
+                            transitionAfter: cdk__namespace.Duration.days(infrequentAccessTransitionDays),
+                        },
+                        {
+                            storageClass: s3.StorageClass.GLACIER,
+                            transitionAfter: cdk__namespace.Duration.days(glacierTransitionDays),
+                        },
+                    ],
+                },
+            ],
+        });
+        // Add CloudTrail bucket policies
+        this.bucket.addToResourcePolicy(new awsIam.PolicyStatement({
+            actions: ["s3:GetBucketAcl"],
+            effect: awsIam.Effect.ALLOW,
+            principals: [new awsIam.ServicePrincipal("cloudtrail.amazonaws.com")],
+            resources: [this.bucket.bucketArn],
+        }));
+        this.bucket.addToResourcePolicy(new awsIam.PolicyStatement({
+            actions: ["s3:PutObject"],
+            conditions: {
+                StringEquals: {
+                    "s3:x-amz-acl": "bucket-owner-full-control",
+                },
+            },
+            effect: awsIam.Effect.ALLOW,
+            principals: [new awsIam.ServicePrincipal("cloudtrail.amazonaws.com")],
+            resources: [`${this.bucket.bucketArn}/*`],
+        }));
+        // Add tags to bucket
+        cdk__namespace.Tags.of(this.bucket).add(CDK$2.TAG.SERVICE, service);
+        cdk__namespace.Tags.of(this.bucket).add(CDK$2.TAG.ROLE, CDK$2.ROLE.MONITORING);
+        if (project) {
+            cdk__namespace.Tags.of(this.bucket).add(CDK$2.TAG.PROJECT, project);
+        }
+        // Add Datadog notifications if enabled
+        if (enableDatadogNotifications) {
+            const datadogForwarderFunction = resolveDatadogForwarderFunction(scope);
+            this.bucket.addEventNotification(s3.EventType.OBJECT_CREATED, new s3n.LambdaDestination(datadogForwarderFunction));
+        }
+        // Create the organization trail
+        this.trail = new awsCloudtrail.Trail(this, "Trail", {
+            bucket: this.bucket,
+            enableFileValidation,
+            isOrganizationTrail: true,
+            managementEvents: awsCloudtrail.ReadWriteType.ALL,
+            trailName,
+        });
+        // Add tags to trail
+        cdk__namespace.Tags.of(this.trail).add(CDK$2.TAG.SERVICE, service);
+        cdk__namespace.Tags.of(this.trail).add(CDK$2.TAG.ROLE, CDK$2.ROLE.MONITORING);
+        if (project) {
+            cdk__namespace.Tags.of(this.trail).add(CDK$2.TAG.PROJECT, project);
+        }
+    }
+}
+
 /**
  * JaypieSsoPermissions Construct
  *
@@ -1662,15 +2363,15 @@ class JaypieSsoPermissions extends constructs.Construct {
                     .managedPolicyArn,
                 awsIam.ManagedPolicy.fromAwsManagedPolicyName("AWSManagementConsoleBasicUserAccess").managedPolicyArn,
             ],
-            sessionDuration: cdk$1.Duration.hours(1).toIsoString(),
+            sessionDuration: cdk.Duration.hours(1).toIsoString(),
             tags: [
                 {
-                    key: cdk.CDK.TAG.SERVICE,
-                    value: cdk.CDK.SERVICE.SSO,
+                    key: CDK$2.TAG.SERVICE,
+                    value: CDK$2.SERVICE.SSO,
                 },
                 {
-                    key: cdk.CDK.TAG.ROLE,
-                    value: cdk.CDK.ROLE.SECURITY,
+                    key: CDK$2.TAG.ROLE,
+                    value: CDK$2.ROLE.SECURITY,
                 },
             ],
         });
@@ -1744,15 +2445,15 @@ class JaypieSsoPermissions extends constructs.Construct {
                 awsIam.ManagedPolicy.fromAwsManagedPolicyName("ReadOnlyAccess")
                     .managedPolicyArn,
             ],
-            sessionDuration: cdk$1.Duration.hours(12).toIsoString(),
+            sessionDuration: cdk.Duration.hours(12).toIsoString(),
             tags: [
                 {
-                    key: cdk.CDK.TAG.SERVICE,
-                    value: cdk.CDK.SERVICE.SSO,
+                    key: CDK$2.TAG.SERVICE,
+                    value: CDK$2.SERVICE.SSO,
                 },
                 {
-                    key: cdk.CDK.TAG.ROLE,
-                    value: cdk.CDK.ROLE.SECURITY,
+                    key: CDK$2.TAG.ROLE,
+                    value: CDK$2.ROLE.SECURITY,
                 },
             ],
         });
@@ -1802,15 +2503,15 @@ class JaypieSsoPermissions extends constructs.Construct {
                     .managedPolicyArn,
                 awsIam.ManagedPolicy.fromAwsManagedPolicyName("job-function/SystemAdministrator").managedPolicyArn,
             ],
-            sessionDuration: cdk$1.Duration.hours(4).toIsoString(),
+            sessionDuration: cdk.Duration.hours(4).toIsoString(),
             tags: [
                 {
-                    key: cdk.CDK.TAG.SERVICE,
-                    value: cdk.CDK.SERVICE.SSO,
+                    key: CDK$2.TAG.SERVICE,
+                    value: CDK$2.SERVICE.SSO,
                 },
                 {
-                    key: cdk.CDK.TAG.ROLE,
-                    value: cdk.CDK.ROLE.SECURITY,
+                    key: CDK$2.TAG.ROLE,
+                    value: CDK$2.ROLE.SECURITY,
                 },
             ],
         });
@@ -1842,19 +2543,19 @@ class JaypieSsoPermissions extends constructs.Construct {
                 permissionSetNames.forEach((permissionSetName) => {
                     const permissionSet = permissionSetMap[permissionSetName];
                     if (!permissionSet) {
-                        throw new cdk.ConfigurationError(`Unknown permission set: ${permissionSetName}. Valid options: ${Object.keys(permissionSetMap).join(", ")}`);
+                        throw new errors.ConfigurationError(`Unknown permission set: ${permissionSetName}. Valid options: ${Object.keys(permissionSetMap).join(", ")}`);
                     }
                     const accountAssignment = new awsSso.CfnAssignment(this, `AccountAssignment-${accountId}-${permissionSet.label}Role-${groupId}Group`, {
                         // Required
                         instanceArn: iamIdentityCenterArn,
                         permissionSetArn: permissionSet.arn,
                         principalId: groupId,
-                        principalType: cdk.CDK.PRINCIPAL_TYPE.GROUP,
+                        principalType: CDK$2.PRINCIPAL_TYPE.GROUP,
                         targetId: accountId,
-                        targetType: cdk.CDK.TARGET_TYPE.AWS_ACCOUNT,
+                        targetType: CDK$2.TARGET_TYPE.AWS_ACCOUNT,
                     });
-                    cdk$1.Tags.of(accountAssignment).add(cdk.CDK.TAG.SERVICE, cdk.CDK.SERVICE.SSO);
-                    cdk$1.Tags.of(accountAssignment).add(cdk.CDK.TAG.ROLE, cdk.CDK.ROLE.SECURITY);
+                    cdk.Tags.of(accountAssignment).add(CDK$2.TAG.SERVICE, CDK$2.SERVICE.SSO);
+                    cdk.Tags.of(accountAssignment).add(CDK$2.TAG.ROLE, CDK$2.ROLE.SECURITY);
                 });
             });
         };
@@ -1924,18 +2625,18 @@ class JaypieSsoSyncApplication extends constructs.Construct {
                 GoogleCredentials: resolvedGoogleCredentials,
                 GoogleGroupMatch: resolvedGoogleGroupMatch,
                 IdentityStoreID: resolvedIdentityStoreId,
-                Region: cdk$1.Stack.of(this).region,
+                Region: cdk.Stack.of(this).region,
                 SCIMEndpointAccessToken: resolvedScimEndpointAccessToken,
                 SCIMEndpointUrl: resolvedScimEndpointUrl,
             },
         });
         // Add tags
         const defaultTags = {
-            [cdk.CDK.TAG.ROLE]: cdk.CDK.ROLE.SECURITY,
+            [CDK$2.TAG.ROLE]: CDK$2.ROLE.SECURITY,
         };
         const allTags = { ...defaultTags, ...tags };
         Object.entries(allTags).forEach(([key, value]) => {
-            cdk$1.Tags.of(this._application).add(key, value);
+            cdk.Tags.of(this._application).add(key, value);
         });
     }
     get application() {
@@ -1947,8 +2648,8 @@ class JaypieTraceSigningKeySecret extends JaypieEnvSecret {
     constructor(scope, id = "TraceSigningKey", props) {
         const defaultProps = {
             envKey: "TRACE_SIGNING_KEY",
-            roleTag: cdk.CDK.ROLE.API,
-            vendorTag: cdk.CDK.VENDOR.KNOWTRACE,
+            roleTag: CDK$2.ROLE.API,
+            vendorTag: CDK$2.VENDOR.KNOWTRACE,
             ...props,
         };
         super(scope, id, defaultProps);
@@ -1958,19 +2659,19 @@ class JaypieTraceSigningKeySecret extends JaypieEnvSecret {
 class JaypieWebDeploymentBucket extends constructs.Construct {
     constructor(scope, id, props = {}) {
         super(scope, id);
-        const roleTag = props.roleTag || cdk.CDK.ROLE.HOSTING;
+        const roleTag = props.roleTag || CDK$2.ROLE.HOSTING;
         // Environment variable validation
         if (process.env.CDK_ENV_WEB_SUBDOMAIN &&
-            !cdk.isValidSubdomain(process.env.CDK_ENV_WEB_SUBDOMAIN)) {
-            throw new cdk.ConfigurationError("CDK_ENV_WEB_SUBDOMAIN is not a valid subdomain");
+            !isValidSubdomain(process.env.CDK_ENV_WEB_SUBDOMAIN)) {
+            throw new errors.ConfigurationError("CDK_ENV_WEB_SUBDOMAIN is not a valid subdomain");
         }
         if (process.env.CDK_ENV_WEB_HOSTED_ZONE &&
-            !cdk.isValidHostname(process.env.CDK_ENV_WEB_HOSTED_ZONE)) {
-            throw new cdk.ConfigurationError("CDK_ENV_WEB_HOSTED_ZONE is not a valid hostname");
+            !isValidHostname$1(process.env.CDK_ENV_WEB_HOSTED_ZONE)) {
+            throw new errors.ConfigurationError("CDK_ENV_WEB_HOSTED_ZONE is not a valid hostname");
         }
         if (process.env.CDK_ENV_HOSTED_ZONE &&
-            !cdk.isValidHostname(process.env.CDK_ENV_HOSTED_ZONE)) {
-            throw new cdk.ConfigurationError("CDK_ENV_HOSTED_ZONE is not a valid hostname");
+            !isValidHostname$1(process.env.CDK_ENV_HOSTED_ZONE)) {
+            throw new errors.ConfigurationError("CDK_ENV_HOSTED_ZONE is not a valid hostname");
         }
         // Determine host from props or environment
         let host = props.host;
@@ -1978,7 +2679,7 @@ class JaypieWebDeploymentBucket extends constructs.Construct {
             try {
                 host =
                     process.env.CDK_ENV_WEB_HOST ||
-                        cdk.mergeDomain(process.env.CDK_ENV_WEB_SUBDOMAIN || "", process.env.CDK_ENV_WEB_HOSTED_ZONE ||
+                        mergeDomain(process.env.CDK_ENV_WEB_SUBDOMAIN || "", process.env.CDK_ENV_WEB_HOSTED_ZONE ||
                             process.env.CDK_ENV_HOSTED_ZONE ||
                             "");
             }
@@ -1986,8 +2687,8 @@ class JaypieWebDeploymentBucket extends constructs.Construct {
                 host = undefined;
             }
         }
-        if (host && !cdk.isValidHostname(host)) {
-            throw new cdk.ConfigurationError("Host is not a valid hostname");
+        if (host && !isValidHostname$1(host)) {
+            throw new errors.ConfigurationError("Host is not a valid hostname");
         }
         // Determine zone from props or environment
         const zone = props.zone ||
@@ -2000,7 +2701,7 @@ class JaypieWebDeploymentBucket extends constructs.Construct {
             blockPublicAccess: s3__namespace.BlockPublicAccess.BLOCK_ACLS,
             bucketName: props.name || constructEnvName("web"),
             publicReadAccess: true,
-            removalPolicy: cdk$1.RemovalPolicy.DESTROY,
+            removalPolicy: cdk.RemovalPolicy.DESTROY,
             versioned: false,
             websiteErrorDocument: "index.html",
             websiteIndexDocument: "index.html",
@@ -2018,7 +2719,7 @@ class JaypieWebDeploymentBucket extends constructs.Construct {
         this.isWebsite = this.bucket.isWebsite;
         this.notificationsHandlerRole = undefined;
         this.policy = this.bucket.policy;
-        cdk$1.Tags.of(this.bucket).add(cdk.CDK.TAG.ROLE, roleTag);
+        cdk.Tags.of(this.bucket).add(CDK$2.TAG.ROLE, roleTag);
         // Create deployment role if repository is configured
         let repo;
         if (process.env.CDK_ENV_REPO) {
@@ -2026,14 +2727,14 @@ class JaypieWebDeploymentBucket extends constructs.Construct {
         }
         if (repo) {
             const bucketDeployRole = new awsIam.Role(this, "DestinationBucketDeployRole", {
-                assumedBy: new awsIam.FederatedPrincipal(cdk$1.Fn.importValue(cdk.CDK.IMPORT.OIDC_PROVIDER), {
+                assumedBy: new awsIam.FederatedPrincipal(cdk.Fn.importValue(CDK$2.IMPORT.OIDC_PROVIDER), {
                     StringLike: {
                         "token.actions.githubusercontent.com:sub": repo,
                     },
                 }, "sts:AssumeRoleWithWebIdentity"),
-                maxSessionDuration: cdk$1.Duration.hours(1),
+                maxSessionDuration: cdk.Duration.hours(1),
             });
-            cdk$1.Tags.of(bucketDeployRole).add(cdk.CDK.TAG.ROLE, cdk.CDK.ROLE.DEPLOY);
+            cdk.Tags.of(bucketDeployRole).add(CDK$2.TAG.ROLE, CDK$2.ROLE.DEPLOY);
             // Allow the role to write to the bucket
             bucketDeployRole.addToPolicy(new awsIam.PolicyStatement({
                 effect: awsIam.Effect.ALLOW,
@@ -2058,7 +2759,7 @@ class JaypieWebDeploymentBucket extends constructs.Construct {
             }));
             this.deployRoleArn = bucketDeployRole.roleArn;
             // Output the deploy role ARN
-            new cdk$1.CfnOutput(this, "DestinationBucketDeployRoleArn", {
+            new cdk.CfnOutput(this, "DestinationBucketDeployRoleArn", {
                 value: bucketDeployRole.roleArn,
             });
         }
@@ -2078,10 +2779,10 @@ class JaypieWebDeploymentBucket extends constructs.Construct {
                             domainName: host,
                             validation: acm__namespace.CertificateValidation.fromDns(hostedZone),
                         });
-                new cdk$1.CfnOutput(this, "CertificateArn", {
+                new cdk.CfnOutput(this, "CertificateArn", {
                     value: this.certificate.certificateArn,
                 });
-                cdk$1.Tags.of(this.certificate).add(cdk.CDK.TAG.ROLE, roleTag);
+                cdk.Tags.of(this.certificate).add(CDK$2.TAG.ROLE, roleTag);
             }
             // Create CloudFront distribution
             this.distribution = new cloudfront__namespace.Distribution(this, "Distribution", {
@@ -2093,7 +2794,7 @@ class JaypieWebDeploymentBucket extends constructs.Construct {
                 certificate: this.certificate,
                 domainNames: [host],
             });
-            cdk$1.Tags.of(this.distribution).add(cdk.CDK.TAG.ROLE, roleTag);
+            cdk.Tags.of(this.distribution).add(CDK$2.TAG.ROLE, roleTag);
             // If this is production, enable caching on everything but index.html
             if (isProductionEnv()) {
                 this.distribution.addBehavior("/*", new origins__namespace.S3Origin(this.bucket), {
@@ -2107,7 +2808,7 @@ class JaypieWebDeploymentBucket extends constructs.Construct {
                 target: route53__namespace.RecordTarget.fromAlias(new route53Targets__namespace.CloudFrontTarget(this.distribution)),
                 zone: hostedZone,
             });
-            cdk$1.Tags.of(record).add(cdk.CDK.TAG.ROLE, cdk.CDK.ROLE.NETWORKING);
+            cdk.Tags.of(record).add(CDK$2.TAG.ROLE, CDK$2.ROLE.NETWORKING);
             this.distributionDomainName = this.distribution.distributionDomainName;
         }
     }
@@ -2209,16 +2910,17 @@ class JaypieWebDeploymentBucket extends constructs.Construct {
     }
 }
 
-Object.defineProperty(exports, "CDK", {
-    enumerable: true,
-    get: function () { return cdk.CDK; }
-});
+exports.CDK = CDK$2;
+exports.JaypieAccountLoggingBucket = JaypieAccountLoggingBucket;
 exports.JaypieApiGateway = JaypieApiGateway;
 exports.JaypieAppStack = JaypieAppStack;
 exports.JaypieBucketQueuedLambda = JaypieBucketQueuedLambda;
+exports.JaypieDatadogBucket = JaypieDatadogBucket;
+exports.JaypieDatadogForwarder = JaypieDatadogForwarder;
 exports.JaypieDatadogSecret = JaypieDatadogSecret;
 exports.JaypieDnsRecord = JaypieDnsRecord;
 exports.JaypieEnvSecret = JaypieEnvSecret;
+exports.JaypieEventsRule = JaypieEventsRule;
 exports.JaypieExpressLambda = JaypieExpressLambda;
 exports.JaypieGitHubDeployRole = JaypieGitHubDeployRole;
 exports.JaypieHostedZone = JaypieHostedZone;
@@ -2226,6 +2928,7 @@ exports.JaypieInfrastructureStack = JaypieInfrastructureStack;
 exports.JaypieLambda = JaypieLambda;
 exports.JaypieMongoDbSecret = JaypieMongoDbSecret;
 exports.JaypieOpenAiSecret = JaypieOpenAiSecret;
+exports.JaypieOrganizationTrail = JaypieOrganizationTrail;
 exports.JaypieQueuedLambda = JaypieQueuedLambda;
 exports.JaypieSsoPermissions = JaypieSsoPermissions;
 exports.JaypieSsoSyncApplication = JaypieSsoSyncApplication;
@@ -2237,10 +2940,14 @@ exports.constructEnvName = constructEnvName;
 exports.constructStackName = constructStackName;
 exports.constructTagger = constructTagger;
 exports.envHostname = envHostname;
+exports.extendDatadogRole = extendDatadogRole;
 exports.isEnv = isEnv;
 exports.isProductionEnv = isProductionEnv;
 exports.isSandboxEnv = isSandboxEnv;
+exports.isValidHostname = isValidHostname$1;
+exports.isValidSubdomain = isValidSubdomain;
 exports.jaypieLambdaEnv = jaypieLambdaEnv;
+exports.mergeDomain = mergeDomain;
 exports.resolveDatadogForwarderFunction = resolveDatadogForwarderFunction;
 exports.resolveDatadogLayers = resolveDatadogLayers;
 exports.resolveDatadogLoggingDestination = resolveDatadogLoggingDestination;