@jaypie/constructs 1.1.63 → 1.1.65

package/dist/esm/index.js

@@ -1,3246 +0,0 @@
-import * as cdk from 'aws-cdk-lib';
-import { Tags, Stack, Duration, RemovalPolicy, CfnStack, Fn, CfnOutput, SecretValue } from 'aws-cdk-lib';
-import * as s3 from 'aws-cdk-lib/aws-s3';
-import { Bucket, StorageClass, BucketAccessControl, EventType } from 'aws-cdk-lib/aws-s3';
-import { Construct } from 'constructs';
-import * as acm from 'aws-cdk-lib/aws-certificatemanager';
-import * as apiGateway from 'aws-cdk-lib/aws-apigateway';
-import * as route53 from 'aws-cdk-lib/aws-route53';
-import { TxtRecord, NsRecord, MxRecord, CnameRecord, ARecord, RecordTarget, HostedZone } from 'aws-cdk-lib/aws-route53';
-import * as route53Targets from 'aws-cdk-lib/aws-route53-targets';
-import * as secretsmanager from 'aws-cdk-lib/aws-secretsmanager';
-import { DatadogLambda } from 'datadog-cdk-constructs-v2';
-import { ConfigurationError } from '@jaypie/errors';
-import { Role, PolicyStatement, Policy, FederatedPrincipal, Effect, ServicePrincipal, ManagedPolicy } from 'aws-cdk-lib/aws-iam';
-import * as lambda from 'aws-cdk-lib/aws-lambda';
-import * as logDestinations from 'aws-cdk-lib/aws-logs-destinations';
-import * as s3n from 'aws-cdk-lib/aws-s3-notifications';
-import { LambdaDestination } from 'aws-cdk-lib/aws-s3-notifications';
-import * as sqs from 'aws-cdk-lib/aws-sqs';
-import * as lambdaEventSources from 'aws-cdk-lib/aws-lambda-event-sources';
-import * as logs from 'aws-cdk-lib/aws-logs';
-import { LogGroup, RetentionDays, FilterPattern } from 'aws-cdk-lib/aws-logs';
-import { Rule, RuleTargetInput } from 'aws-cdk-lib/aws-events';
-import { LambdaFunction } from 'aws-cdk-lib/aws-events-targets';
-import * as cloudfront from 'aws-cdk-lib/aws-cloudfront';
-import * as origins from 'aws-cdk-lib/aws-cloudfront-origins';
-import { Nextjs } from 'cdk-nextjs-standalone';
-import * as path from 'path';
-import { Trail, ReadWriteType } from 'aws-cdk-lib/aws-cloudtrail';
-import { CfnPermissionSet, CfnAssignment } from 'aws-cdk-lib/aws-sso';
-import { CfnApplication } from 'aws-cdk-lib/aws-sam';
-
-const CDK$2 = {
-    ACCOUNT: {
-        DEVELOPMENT: "development",
-        MANAGEMENT: "management",
-        OPERATIONS: "operations",
-        PRODUCTION: "production",
-        SANDBOX: "sandbox",
-        SECURITY: "security",
-        STAGE: "stage",
-    },
-    BUILD: {
-        CONFIG: {
-            ALL: "all",
-            API: "api",
-            INFRASTRUCTURE: "infrastructure",
-            NONE: "none",
-            WEB: "web",
-        },
-        PERSONAL: "personal",
-        /**
-         * @deprecated rename "ephemeral" to "personal" (since 2/24/2025)
-         */
-        EPHEMERAL: "ephemeral",
-        /**
-         * @deprecated as even "ephemeral" builds have static assets (since 7/6/2024)
-         */
-        STATIC: "static",
-    },
-    CREATION: {
-        CDK: "cdk",
-        CLOUDFORMATION_TEMPLATE: "template",
-        MANUAL: "manual",
-    },
-    DATADOG: {
-        SITE: "datadoghq.com",
-        LAYER: {
-            // https://docs.datadoghq.com/serverless/aws_lambda/installation/nodejs/?tab=awscdk
-            NODE: 127, // 127 on 9/12/2025
-            EXTENSION: 86, // 86 on 9/12/2025
-        },
-    },
-    DEFAULT: {
-        REGION: "us-east-1",
-    },
-    DNS: {
-        CONFIG: {
-            TTL: 300, // 5 minutes in seconds for Route53
-        },
-        RECORD: {
-            A: "A",
-            CNAME: "CNAME",
-            MX: "MX",
-            NS: "NS",
-            TXT: "TXT",
-        },
-    },
-    DURATION: {
-        EXPRESS_API: 30,
-        LAMBDA_MAXIMUM: 900,
-        LAMBDA_WORKER: 900,
-    },
-    ENV: {
-        DEMO: "demo", // Mirror of production
-        DEVELOPMENT: "development", // Internal most stable development space
-        /** @deprecated */ EPHEMERAL: "ephemeral", // Alias for "build"
-        LOCAL: "local",
-        /** @deprecated */ MAIN: "main", // Alias for development
-        META: "meta", // For non-environment/infrastructure stacks
-        PERSONAL: "personal", // Personal builds using resources provided by sandbox
-        PREVIEW: "preview", // External next thing to be released
-        PRODUCTION: "production",
-        RELEASE: "release", // Internal next thing to be released
-        REVIEW: "review", // Internal place to collaborate on issues
-        SANDBOX: "sandbox", // Internal build space with no guaranteed longevity
-        TRAINING: "training", // aka "test"; mirror of production for external audiences
-    },
-    HOST: {
-        APEX: "@",
-    },
-    IMPORT: {
-        DATADOG_LOG_FORWARDER: "account-datadog-forwarder",
-        DATADOG_ROLE: "account-datadog-role",
-        DATADOG_SECRET: "account-datadog-secret",
-        LOG_BUCKET: "account-log-bucket",
-        OIDC_PROVIDER: "github-oidc-provider",
-    },
-    LAMBDA: {
-        LOG_RETENTION: 90,
-        MEMORY_SIZE: 1024,
-    },
-    PRINCIPAL: {
-        ROUTE53: "route53.amazonaws.com",
-    },
-    PRINCIPAL_TYPE: {
-        GROUP: "GROUP",
-        USER: "USER",
-    },
-    PROJECT: {
-        INFRASTRUCTURE: "infrastructure",
-    },
-    ROLE: {
-        API: "api",
-        DEPLOY: "deploy",
-        HOSTING: "hosting",
-        MONITORING: "monitoring",
-        NETWORKING: "networking",
-        PROCESSING: "processing",
-        SECURITY: "security",
-        STACK: "stack",
-        STORAGE: "storage",
-        TOY: "toy",
-    },
-    SERVICE: {
-        DATADOG: "datadog",
-        INFRASTRUCTURE: "infrastructure",
-        LIBRARIES: "libraries",
-        NONE: "none",
-        SSO: "sso",
-        TRACE: "trace",
-    },
-    TAG: {
-        BUILD_DATE: "buildDate",
-        BUILD_HEX: "buildHex",
-        BUILD_NUMBER: "buildNumber",
-        BUILD_TIME: "buildTime",
-        BUILD_TYPE: "buildType",
-        COMMIT: "commit",
-        CREATION: "creation",
-        ENV: "env",
-        NONCE: "nonce",
-        PROJECT: "project",
-        ROLE: "role",
-        SERVICE: "service",
-        SPONSOR: "sponsor",
-        STACK: "stack",
-        STACK_SHA: "stackSha",
-        VENDOR: "vendor",
-        VERSION: "version",
-    },
-    TARGET_TYPE: {
-        AWS_ACCOUNT: "AWS_ACCOUNT",
-    },
-    VENDOR: {
-        ANTHROPIC: "anthropic",
-        AUTH0: "auth0",
-        DATADOG: "datadog",
-        KNOWTRACE: "knowtrace",
-        MONGODB: "mongodb",
-        OPENAI: "openai",
-        SPLINTERLANDS: "splinterlands",
-    },
-};
-
-class JaypieAccountLoggingBucket extends Construct {
-    /**
-     * Create a new account-wide logging S3 bucket with lifecycle policies and export
-     */
-    constructor(scope, idOrProps, propsOrUndefined) {
-        // Handle overloaded constructor signatures
-        let props;
-        let id;
-        if (typeof idOrProps === "string") {
-            // First param is ID, second is props
-            props = propsOrUndefined || {};
-            id = idOrProps;
-        }
-        else {
-            // First param is props
-            props = idOrProps || {};
-            id = props.id || "AccountLoggingBucket";
-        }
-        super(scope, id);
-        // Generate default bucket name with PROJECT_NONCE
-        const defaultBucketName = process.env.PROJECT_NONCE
-            ? `account-logging-stack-${process.env.PROJECT_NONCE.toLowerCase()}`
-            : "account-logging-stack";
-        // Extract Jaypie-specific options
-        // eslint-disable-next-line @typescript-eslint/no-unused-vars
-        const { bucketName = defaultBucketName, createOutput = true, expirationDays = 365, exportName = CDK$2.IMPORT.LOG_BUCKET, glacierTransitionDays = 180, id: _id, infrequentAccessTransitionDays = 30, outputDescription = "Account-wide logging bucket", project, service = CDK$2.SERVICE.INFRASTRUCTURE, ...bucketProps } = props;
-        // Create the bucket with lifecycle rules
-        this.bucket = new Bucket(this, "Bucket", {
-            accessControl: BucketAccessControl.LOG_DELIVERY_WRITE,
-            bucketName,
-            lifecycleRules: [
-                {
-                    expiration: cdk.Duration.days(expirationDays),
-                    transitions: [
-                        {
-                            storageClass: StorageClass.INFREQUENT_ACCESS,
-                            transitionAfter: cdk.Duration.days(infrequentAccessTransitionDays),
-                        },
-                        {
-                            storageClass: StorageClass.GLACIER,
-                            transitionAfter: cdk.Duration.days(glacierTransitionDays),
-                        },
-                    ],
-                },
-            ],
-            ...bucketProps,
-        });
-        // Add tags
-        cdk.Tags.of(this.bucket).add(CDK$2.TAG.ROLE, CDK$2.ROLE.MONITORING);
-        if (service) {
-            cdk.Tags.of(this.bucket).add(CDK$2.TAG.SERVICE, service);
-        }
-        if (project) {
-            cdk.Tags.of(this.bucket).add(CDK$2.TAG.PROJECT, project);
-        }
-        // Create CloudFormation output if enabled
-        if (createOutput) {
-            new cdk.CfnOutput(this, "BucketNameOutput", {
-                description: outputDescription,
-                exportName,
-                value: this.bucket.bucketName,
-            });
-        }
-    }
-}
-
-function addDatadogLayers(lambdaFunction, options = {}) {
-    const datadogApiKeyArn = options?.datadogApiKeyArn;
-    const resolvedDatadogApiKeyArn = datadogApiKeyArn ||
-        process.env.DATADOG_API_KEY_ARN ||
-        process.env.CDK_ENV_DATADOG_API_KEY_ARN;
-    if (!resolvedDatadogApiKeyArn) {
-        return false;
-    }
-    // Define Datadog environment variables
-    const datadogEnvVars = {
-        DD_API_KEY_SECRET_ARN: resolvedDatadogApiKeyArn,
-        DD_ENHANCED_METRICS: "true",
-        DD_ENV: process.env.PROJECT_ENV || "",
-        DD_PROFILING_ENABLED: "false",
-        DD_SERVERLESS_APPSEC_ENABLED: "false",
-        DD_SERVICE: process.env.PROJECT_SERVICE || "",
-        DD_SITE: CDK$2.DATADOG.SITE,
-        DD_TAGS: `${CDK$2.TAG.SPONSOR}:${process.env.PROJECT_SPONSOR || ""}`,
-        DD_TRACE_OTEL_ENABLED: "false",
-    };
-    // Add environment variables only if they don't already exist
-    Object.entries(datadogEnvVars).forEach(([key, value]) => {
-        lambdaFunction.addEnvironment(key, value);
-    });
-    const datadogApiKeySecret = secretsmanager.Secret.fromSecretCompleteArn(lambdaFunction, "DatadogApiKey", resolvedDatadogApiKeyArn);
-    const datadogLambda = new DatadogLambda(lambdaFunction, "DatadogLambda", {
-        apiKeySecret: datadogApiKeySecret, // apiKeySecret auto-grants secret access to the added lambdas
-        nodeLayerVersion: CDK$2.DATADOG.LAYER.NODE,
-        extensionLayerVersion: CDK$2.DATADOG.LAYER.EXTENSION,
-        env: process.env.PROJECT_ENV,
-        service: process.env.PROJECT_SERVICE,
-        version: process.env.PROJECT_VERSION,
-    });
-    datadogLambda.addLambdaFunctions([lambdaFunction]);
-    return true;
-}
-
-function constructEnvName(name, opts) {
-    const env = opts?.env ?? process.env.PROJECT_ENV ?? "build";
-    const key = opts?.key ?? process.env.PROJECT_KEY ?? "project";
-    const nonce = opts?.nonce ?? process.env.PROJECT_NONCE ?? "cfe2"; // This default is intentionally short. It is not a special value but should not be changed.
-    return `${env}-${key}-${name}-${nonce}`;
-}
-
-function constructStackName(key) {
-    if (!key) {
-        return `cdk-${process.env.PROJECT_SPONSOR}-${process.env.PROJECT_KEY}-${process.env.PROJECT_ENV}-${process.env.PROJECT_NONCE}`;
-    }
-    else {
-        return `cdk-${process.env.PROJECT_SPONSOR}-${process.env.PROJECT_KEY}-${process.env.PROJECT_ENV}-${process.env.PROJECT_NONCE}-${key}`;
-    }
-}
-
-const CDK$1 = {
-    CREATION: {
-        CDK: "cdk",
-    },
-    ROLE: {
-        STACK: "stack",
-    },
-    TAG: {
-        BUILD_DATE: "buildDate",
-        BUILD_HEX: "buildHex",
-        BUILD_TIME: "buildTime",
-        COMMIT: "commit",
-        CREATION: "creation",
-        ENV: "env",
-        NONCE: "nonce",
-        PROJECT: "project",
-        ROLE: "role",
-        SERVICE: "service",
-        SPONSOR: "sponsor",
-        STACK: "stack",
-        VERSION: "version",
-    },
-};
-function constructTagger(construct, { name } = {}) {
-    const stackName = name || constructStackName();
-    const version = process.env.npm_package_version || process.env.PROJECT_VERSION || null;
-    if (process.env.PROJECT_COMMIT && process.env.PROJECT_COMMIT.length > 8) {
-        Tags.of(construct).add(CDK$1.TAG.BUILD_HEX, process.env.PROJECT_COMMIT.slice(0, 8));
-    }
-    Tags.of(construct).add(CDK$1.TAG.BUILD_DATE, new Date().toISOString());
-    Tags.of(construct).add(CDK$1.TAG.BUILD_TIME, Date.now().toString());
-    if (process.env.PROJECT_COMMIT)
-        Tags.of(construct).add(CDK$1.TAG.COMMIT, process.env.PROJECT_COMMIT);
-    Tags.of(construct).add(CDK$1.TAG.CREATION, CDK$1.CREATION.CDK);
-    if (process.env.PROJECT_ENV)
-        Tags.of(construct).add(CDK$1.TAG.ENV, process.env.PROJECT_ENV);
-    if (process.env.PROJECT_NONCE)
-        Tags.of(construct).add(CDK$1.TAG.NONCE, process.env.PROJECT_NONCE);
-    if (process.env.PROJECT_KEY)
-        Tags.of(construct).add(CDK$1.TAG.PROJECT, process.env.PROJECT_KEY);
-    Tags.of(construct).add(CDK$1.TAG.ROLE, CDK$1.ROLE.STACK);
-    if (process.env.PROJECT_SERVICE)
-        Tags.of(construct).add(CDK$1.TAG.SERVICE, process.env.PROJECT_SERVICE);
-    if (process.env.PROJECT_SPONSOR)
-        Tags.of(construct).add(CDK$1.TAG.SPONSOR, process.env.PROJECT_SPONSOR);
-    if (stackName)
-        Tags.of(construct).add(CDK$1.TAG.STACK, stackName);
-    if (version)
-        Tags.of(construct).add(CDK$1.TAG.VERSION, version);
-    return true;
-}
-
-function envHostname({ component, domain, env, subdomain, } = {}) {
-    const resolvedDomain = domain || process.env.CDK_ENV_DOMAIN || process.env.CDK_ENV_HOSTED_ZONE;
-    if (!resolvedDomain) {
-        throw new ConfigurationError("No hostname `domain` provided. Set CDK_ENV_DOMAIN or CDK_ENV_HOSTED_ZONE to use environment domain");
-    }
-    const resolvedComponent = component === "@" || component === "" ? undefined : component;
-    const resolvedSubdomain = subdomain || process.env.CDK_ENV_SUBDOMAIN;
-    const resolvedEnv = env || process.env.PROJECT_ENV;
-    const filteredEnv = resolvedEnv === CDK$2.ENV.PRODUCTION ? undefined : resolvedEnv;
-    const parts = [
-        resolvedComponent,
-        resolvedSubdomain,
-        filteredEnv,
-        resolvedDomain,
-    ].filter((part) => part);
-    return parts.join(".");
-}
-
-/**
- * Extends the Datadog IAM role with additional permissions
- *
- * Checks for CDK_ENV_DATADOG_ROLE_ARN environment variable.
- * If found, creates a custom policy with:
- * - budgets:ViewBudget
- * - logs:DescribeLogGroups
- *
- * @param scope - The construct scope
- * @param options - Configuration options
- * @returns The created Policy, or undefined if CDK_ENV_DATADOG_ROLE_ARN is not set
- */
-function extendDatadogRole(scope, options) {
-    const datadogRoleArn = process.env.CDK_ENV_DATADOG_ROLE_ARN;
-    // Early return if no Datadog role ARN is configured
-    if (!datadogRoleArn) {
-        return undefined;
-    }
-    const { id = "DatadogCustomPolicy", project, service = CDK$2.SERVICE.DATADOG, } = options || {};
-    // Lookup the Datadog role
-    const datadogRole = Role.fromRoleArn(scope, "DatadogRole", datadogRoleArn);
-    // Build policy statements
-    const statements = [
-        // Allow view budget
-        new PolicyStatement({
-            actions: ["budgets:ViewBudget"],
-            resources: ["*"],
-        }),
-        // Allow describe log groups
-        new PolicyStatement({
-            actions: ["logs:DescribeLogGroups"],
-            resources: ["*"],
-        }),
-    ];
-    // Create the custom policy
-    const datadogCustomPolicy = new Policy(scope, id, {
-        roles: [datadogRole],
-        statements,
-    });
-    // Add tags
-    cdk.Tags.of(datadogCustomPolicy).add(CDK$2.TAG.SERVICE, service);
-    cdk.Tags.of(datadogCustomPolicy).add(CDK$2.TAG.ROLE, CDK$2.ROLE.MONITORING);
-    cdk.Tags.of(datadogCustomPolicy).add(CDK$2.TAG.VENDOR, CDK$2.VENDOR.DATADOG);
-    if (project) {
-        cdk.Tags.of(datadogCustomPolicy).add(CDK$2.TAG.PROJECT, project);
-    }
-    return datadogCustomPolicy;
-}
-
-/**
- * Check if the current environment matches the given environment
- */
-function isEnv(env) {
-    return process.env.PROJECT_ENV === env;
-}
-/**
- * Check if the current environment is production
- */
-function isProductionEnv() {
-    return isEnv(CDK$2.ENV.PRODUCTION);
-}
-/**
- * Check if the current environment is sandbox
- */
-function isSandboxEnv() {
-    return isEnv(CDK$2.ENV.SANDBOX);
-}
-
-// In short the RFC 1035 standard for valid hostnames is:
-// 1. Must be less than 253 characters
-// 2. Must start with a letter
-// 3. Must end with a letter or number
-// 4. Can only contain letters, numbers, and hyphens
-// 5. Last part of the domain must be at least 2 characters
-function validPart$1(part) {
-    if (!part.match(/^[a-z]/))
-        return false;
-    if (!part.match(/[a-z0-9]$/))
-        return false;
-    return /^[a-zA-Z0-9-]+$/.test(part);
-}
-function isValidHostname$1(hostname) {
-    // Check hostname is a string
-    if (typeof hostname !== "string")
-        return false;
-    // Convert hostname to lowercase
-    const check = hostname.toString().toLowerCase();
-    // Check hostname is less than 253 characters
-    if (check.length > 253)
-        return false;
-    // Split on dots
-    const parts = check.split(".");
-    // Check each part is validPart
-    const validParts = parts.map(validPart$1);
-    // Confirm all parts are valid
-    if (!validParts.every((part) => part))
-        return false;
-    // Confirm last part is at least 2 characters
-    const lastPart = parts[parts.length - 1];
-    if (lastPart.length < 2)
-        return false;
-    // Confirm last part is all letters
-    if (!lastPart.match(/^[a-z]+$/))
-        return false;
-    // This is a valid hostname
-    return true;
-}
-
-function validPart(part) {
-    if (!part.match(/^[a-z]/))
-        return false;
-    if (!part.match(/[a-z0-9]$/))
-        return false;
-    return /^[a-zA-Z0-9-]+$/.test(part);
-}
-function isValidSubdomain(subdomain) {
-    // Check subdomain is a string
-    if (typeof subdomain !== "string")
-        return false;
-    // Special case for apex
-    if (subdomain === CDK$2.HOST.APEX)
-        return true;
-    // Convert subdomain to lowercase
-    const check = subdomain.toString().toLowerCase();
-    // Check subdomain is less than 250 characters
-    // We use 250 instead of 253 because we need to leave room for the dot top-level domain
-    if (check.length > 250)
-        return false;
-    // Split on dots
-    const parts = check.split(".");
-    // Check each part is validPart
-    const validParts = parts.map(validPart);
-    // Confirm all parts are valid
-    if (!validParts.every((part) => part))
-        return false;
-    // Do not care if last part is at least 2 characters
-    // Do not care if last part is all letters
-    // This is a valid subdomain
-    return true;
-}
-
-function jaypieLambdaEnv(options = {}) {
-    const { initialEnvironment = {} } = options;
-    // Start with empty environment - we'll only add valid values
-    let environment = {};
-    // First, add all valid string values from initialEnvironment
-    Object.entries(initialEnvironment).forEach(([key, value]) => {
-        if (typeof value === "string") {
-            environment[key] = value;
-        }
-    });
-    // Default environment values
-    const defaultEnvValues = {
-        AWS_LAMBDA_NODEJS_DISABLE_CALLBACK_WARNING: "true",
-    };
-    // Apply default environment values with user overrides
-    Object.entries(defaultEnvValues).forEach(([key, defaultValue]) => {
-        if (key in initialEnvironment) {
-            const userValue = initialEnvironment[key];
-            // If user passes a string, it's already added above
-            // If user passes non-string falsy value, omit the key
-            if (!userValue) {
-                delete environment[key];
-            }
-            // Ignore non-string truthy values (key not added)
-        }
-        else {
-            // No user override, use default value
-            environment[key] = defaultValue;
-        }
-    });
-    // Default environment variables from process.env if present
-    const defaultEnvVars = [
-        "DATADOG_API_KEY_ARN",
-        "LOG_LEVEL",
-        "MODULE_LOGGER",
-        "MODULE_LOG_LEVEL",
-        "PROJECT_CHAOS",
-        "PROJECT_COMMIT",
-        "PROJECT_ENV",
-        "PROJECT_KEY",
-        "PROJECT_SECRET",
-        "PROJECT_SERVICE",
-        "PROJECT_SPONSOR",
-        "PROJECT_VERSION",
-    ];
-    // Add default environment variables if they exist in process.env
-    defaultEnvVars.forEach((envVar) => {
-        if (process.env[envVar] && !environment[envVar]) {
-            environment[envVar] = process.env[envVar];
-        }
-    });
-    return environment;
-}
-
-function mergeDomain(subDomain, hostedZone) {
-    if (!hostedZone) {
-        throw new ConfigurationError("hostedZone is required");
-    }
-    if (!subDomain) {
-        // Return hostedZone if subDomain is not passed
-        // Pass CDK.HOST.APEX to explicitly indicate apex domain
-        return hostedZone;
-    }
-    if (subDomain === CDK$2.HOST.APEX) {
-        return hostedZone;
-    }
-    return `${subDomain}.${hostedZone}`;
-}
-
-const DEFAULT_FUNCTION_NAME$1 = "DatadogForwarderFunction";
-// Cache to store resolved functions
-// Using nested structure to support multiple functions per scope with automatic GC
-const functionCache = new WeakMap();
-function resolveDatadogForwarderFunction(scope, options) {
-    const { import: importValue, name } = options || {};
-    const functionName = name || DEFAULT_FUNCTION_NAME$1;
-    const importKey = importValue || CDK$2.IMPORT.DATADOG_LOG_FORWARDER;
-    // Create a cache key based on name and import
-    const cacheKey = `${functionName}:${importKey}`;
-    // Get or create scope cache
-    let scopeCache = functionCache.get(scope);
-    if (!scopeCache) {
-        scopeCache = new Map();
-        functionCache.set(scope, scopeCache);
-    }
-    // Return cached function if it exists
-    const cachedFunction = scopeCache.get(cacheKey);
-    if (cachedFunction) {
-        return cachedFunction;
-    }
-    // Create and cache the function
-    const func = lambda.Function.fromFunctionArn(scope, functionName, cdk.Fn.importValue(importKey));
-    scopeCache.set(cacheKey, func);
-    return func;
-}
-
-function resolveDatadogLayers(scope, options = {}) {
-    const { datadogApiKeyArn, uniqueId } = options;
-    let resolvedRegion = Stack.of(scope).region || "us-east-1";
-    // Resolve the Datadog API key ARN from multiple sources
-    const resolvedDatadogApiKeyArn = datadogApiKeyArn ||
-        process.env.DATADOG_API_KEY_ARN ||
-        process.env.CDK_ENV_DATADOG_API_KEY_ARN;
-    // Return null if no API key is found
-    if (!resolvedDatadogApiKeyArn) {
-        return undefined;
-    }
-    const layerIdSuffix = uniqueId || process.env.PROJECT_NONCE || Date.now().toString();
-    // Create Datadog Node.js layer
-    const datadogNodeLayer = lambda.LayerVersion.fromLayerVersionArn(scope, `DatadogNodeLayer-${layerIdSuffix}`, `arn:aws:lambda:${resolvedRegion}:464622532012:layer:Datadog-Node20-x:${CDK$2.DATADOG.LAYER.NODE}`);
-    // Create Datadog Extension layer
-    const datadogExtensionLayer = lambda.LayerVersion.fromLayerVersionArn(scope, `DatadogExtensionLayer-${layerIdSuffix}`, `arn:aws:lambda:${resolvedRegion}:464622532012:layer:Datadog-Extension:${CDK$2.DATADOG.LAYER.EXTENSION}`);
-    return [datadogNodeLayer, datadogExtensionLayer];
-}
-
-const DEFAULT_FUNCTION_NAME = "DatadogForwarderFunction";
-// Cache to store resolved logging destinations
-// Using nested structure to support multiple destinations per scope with automatic GC
-const destinationCache = new WeakMap();
-function resolveDatadogLoggingDestination(scope, options) {
-    const { import: importValue, name } = options || {};
-    // Create a cache key based on name and import (same as forwarder function)
-    const functionName = name || DEFAULT_FUNCTION_NAME;
-    const importKey = importValue || CDK$2.IMPORT.DATADOG_LOG_FORWARDER;
-    const cacheKey = `${functionName}:${importKey}`;
-    // Get or create scope cache
-    let scopeCache = destinationCache.get(scope);
-    if (!scopeCache) {
-        scopeCache = new Map();
-        destinationCache.set(scope, scopeCache);
-    }
-    // Return cached destination if it exists
-    const cachedDestination = scopeCache.get(cacheKey);
-    if (cachedDestination) {
-        return cachedDestination;
-    }
-    // Resolve the Datadog forwarder function
-    const datadogForwarderFunction = resolveDatadogForwarderFunction(scope, options);
-    // Create and cache the logging destination
-    const datadogLoggingDestination = new logDestinations.LambdaDestination(datadogForwarderFunction);
-    scopeCache.set(cacheKey, datadogLoggingDestination);
-    return datadogLoggingDestination;
-}
-
-function resolveHostedZone(scope, { name = "HostedZone", zone = process.env.CDK_ENV_HOSTED_ZONE, } = {}) {
-    if (!zone) {
-        throw new ConfigurationError("No `zone` provided. Set CDK_ENV_HOSTED_ZONE to use environment zone");
-    }
-    if (typeof zone === "string") {
-        return route53.HostedZone.fromLookup(scope, name, {
-            domainName: zone,
-        });
-    }
-    return zone;
-}
-
-const resolveParamsAndSecrets = ({ paramsAndSecrets, options, } = {}) => {
-    if (paramsAndSecrets === false) {
-        return;
-    }
-    let resolvedParamsAndSecrets;
-    if (paramsAndSecrets instanceof lambda.ParamsAndSecretsLayerVersion) {
-        resolvedParamsAndSecrets = paramsAndSecrets;
-    }
-    else {
-        const resolvedOptions = options || {};
-        resolvedParamsAndSecrets = lambda.ParamsAndSecretsLayerVersion.fromVersion(lambda.ParamsAndSecretsVersions.V1_0_103, {
-            cacheSize: resolvedOptions.cacheSize,
-            logLevel: resolvedOptions.logLevel || lambda.ParamsAndSecretsLogLevel.WARN,
-            parameterStoreTtl: resolvedOptions.parameterStoreTtl,
-            secretsManagerTtl: resolvedOptions.secretsManagerTtl,
-        });
-    }
-    return resolvedParamsAndSecrets;
-};
-
-class JaypieApiGateway extends Construct {
-    constructor(scope, id, props) {
-        super(scope, id);
-        const { certificate = true, handler, host: propsHost, name, roleTag = CDK$2.ROLE.API, zone: propsZone, } = props;
-        // Determine zone from props or environment
-        let zone = propsZone;
-        if (!zone && process.env.CDK_ENV_API_HOSTED_ZONE) {
-            zone = process.env.CDK_ENV_API_HOSTED_ZONE;
-        }
-        // Determine host from props or environment
-        let host = propsHost;
-        if (!host) {
-            if (process.env.CDK_ENV_API_HOST_NAME) {
-                host = process.env.CDK_ENV_API_HOST_NAME;
-            }
-            else if (process.env.CDK_ENV_API_SUBDOMAIN &&
-                process.env.CDK_ENV_API_HOSTED_ZONE) {
-                host = mergeDomain(process.env.CDK_ENV_API_SUBDOMAIN, process.env.CDK_ENV_API_HOSTED_ZONE);
-            }
-        }
-        const apiGatewayName = name || constructEnvName("ApiGateway");
-        const certificateName = constructEnvName("Certificate");
-        const apiDomainName = constructEnvName("ApiDomainName");
-        let hostedZone;
-        let certificateToUse;
-        if (host && zone) {
-            hostedZone = resolveHostedZone(this, { zone });
-            if (certificate === true) {
-                certificateToUse = new acm.Certificate(this, certificateName, {
-                    domainName: host,
-                    validation: acm.CertificateValidation.fromDns(hostedZone),
-                });
-                Tags.of(certificateToUse).add(CDK$2.TAG.ROLE, CDK$2.ROLE.HOSTING);
-            }
-            else if (typeof certificate === "object") {
-                certificateToUse = certificate;
-            }
-            this._certificate = certificateToUse;
-            this._host = host;
-        }
-        const { 
-        // * `...lambdaRestApiProps` cannot be moved to the first const destructuring because it needs to exclude the custom properties first.
-        // Ignore the variables we already assigned to other properties
-        /* eslint-disable @typescript-eslint/no-unused-vars */
-        certificate: _certificate, host: _host, name: _name, roleTag: _roleTag, zone: _zone, handler: _handler, 
-        /* eslint-enable @typescript-eslint/no-unused-vars */
-        ...lambdaRestApiProps } = props;
-        this._api = new apiGateway.LambdaRestApi(this, apiGatewayName, {
-            handler,
-            ...lambdaRestApiProps,
-        });
-        Tags.of(this._api).add(CDK$2.TAG.ROLE, roleTag);
-        if (host && certificateToUse && hostedZone) {
-            this._domainName = this._api.addDomainName(apiDomainName, {
-                domainName: host,
-                certificate: certificateToUse,
-            });
-            Tags.of(this._domainName).add(CDK$2.TAG.ROLE, roleTag);
-            const record = new route53.ARecord(this, "AliasRecord", {
-                recordName: host,
-                target: route53.RecordTarget.fromAlias(new route53Targets.ApiGatewayDomain(this._domainName)),
-                zone: hostedZone,
-            });
-            Tags.of(record).add(CDK$2.TAG.ROLE, CDK$2.ROLE.NETWORKING);
-        }
-    }
-    get api() {
-        return this._api;
-    }
-    get url() {
-        return this._api.url;
-    }
-    get certificateArn() {
-        return this._certificate?.certificateArn;
-    }
-    get domainName() {
-        return this._domainName?.domainName;
-    }
-    get host() {
-        return this._host;
-    }
-    get restApiId() {
-        return this._api.restApiId;
-    }
-    get restApiName() {
-        return this._api.restApiName;
-    }
-    get restApiRootResourceId() {
-        return this._api.restApiRootResourceId;
-    }
-    get deploymentStage() {
-        return this._api.deploymentStage;
-    }
-    get domainNameAliasDomainName() {
-        return this._domainName?.domainNameAliasDomainName;
-    }
-    get domainNameAliasHostedZoneId() {
-        return this._domainName?.domainNameAliasHostedZoneId;
-    }
-    get root() {
-        return this._api.root;
-    }
-    get env() {
-        return {
-            account: Stack.of(this).account,
-            region: Stack.of(this).region,
-        };
-    }
-    get stack() {
-        return this._api.stack;
-    }
-    arnForExecuteApi(method, path, stage) {
-        return this._api.arnForExecuteApi(method, path, stage);
-    }
-    metric(metricName, props) {
-        return this._api.metric(metricName, props);
-    }
-    metricCacheHitCount(props) {
-        return this._api.metricCacheHitCount(props);
-    }
-    metricCacheMissCount(props) {
-        return this._api.metricCacheMissCount(props);
-    }
-    metricClientError(props) {
-        return this._api.metricClientError(props);
-    }
-    metricCount(props) {
-        return this._api.metricCount(props);
-    }
-    metricIntegrationLatency(props) {
-        return this._api.metricIntegrationLatency(props);
-    }
-    metricLatency(props) {
-        return this._api.metricLatency(props);
-    }
-    metricServerError(props) {
-        return this._api.metricServerError(props);
-    }
-    applyRemovalPolicy(policy) {
-        this._api.applyRemovalPolicy(policy);
-    }
-    get restApiRef() {
-        return {
-            restApiId: this._api.restApiId,
-        };
-    }
-}
-
-class JaypieStack extends Stack {
-    constructor(scope, id, props = {}) {
-        const { key, ...stackProps } = props;
-        // Handle stackName
-        if (!stackProps.stackName) {
-            stackProps.stackName = constructStackName(key);
-        }
-        // Handle env
-        stackProps.env = {
-            account: process.env.CDK_DEFAULT_ACCOUNT,
-            region: process.env.CDK_DEFAULT_REGION,
-            ...stackProps.env,
-        };
-        super(scope, id, stackProps);
-        // Apply tags
-        constructTagger(this, { name: stackProps.stackName });
-    }
-}
-
-class JaypieAppStack extends JaypieStack {
-    constructor(scope, id, props = {}) {
-        const { key = "app", ...stackProps } = props;
-        // Handle stackName
-        if (!stackProps.stackName) {
-            stackProps.stackName = constructStackName(key);
-        }
-        super(scope, id, { key, ...stackProps });
-    }
-}
-
-class JaypieLambda extends Construct {
-    constructor(scope, id, props) {
-        super(scope, id);
-        const { allowAllOutbound, allowPublicSubnet, architecture = lambda.Architecture.X86_64, code, datadogApiKeyArn, deadLetterQueue, deadLetterQueueEnabled, deadLetterTopic, description, environment: initialEnvironment = {}, envSecrets = {}, ephemeralStorageSize, filesystem, handler = "index.handler", initialPolicy, layers = [], logGroup, logRetention = CDK$2.LAMBDA.LOG_RETENTION, maxEventAge, memorySize = CDK$2.LAMBDA.MEMORY_SIZE, paramsAndSecrets, paramsAndSecretsOptions, profiling, profilingGroup, provisionedConcurrentExecutions, reservedConcurrentExecutions, retryAttempts, roleTag = CDK$2.ROLE.PROCESSING, runtime = lambda.Runtime.NODEJS_22_X, runtimeManagementMode, secrets = [], securityGroups, timeout = Duration.seconds(CDK$2.DURATION.LAMBDA_WORKER), tracing, vendorTag, vpc, vpcSubnets, } = props;
-        // Get base environment with defaults
-        const environment = jaypieLambdaEnv({ initialEnvironment });
-        const codeAsset = typeof code === "string" ? lambda.Code.fromAsset(code) : code;
-        // Create a working copy of layers
-        const resolvedLayers = [...layers];
-        // Process secrets environment variables
-        const secretsEnvironment = Object.entries(envSecrets).reduce((acc, [key, secret]) => ({
-            ...acc,
-            [`SECRET_${key}`]: secret.secretName,
-        }), {});
-        // Process JaypieEnvSecret array
-        const jaypieSecretsEnvironment = secrets.reduce((acc, secret) => {
-            if (secret.envKey) {
-                return {
-                    ...acc,
-                    [`SECRET_${secret.envKey}`]: secret.secretName,
-                };
-            }
-            return acc;
-        }, {});
-        // Add ParamsAndSecrets layer if configured
-        const resolvedParamsAndSecrets = resolveParamsAndSecrets({
-            paramsAndSecrets,
-            options: paramsAndSecretsOptions,
-        });
-        // Create LogGroup if not provided
-        const resolvedLogGroup = logGroup ??
-            new logs.LogGroup(this, "LogGroup", {
-                retention: logRetention,
-                removalPolicy: RemovalPolicy.DESTROY,
-            });
-        // Create Lambda Function
-        this._lambda = new lambda.Function(this, "Function", {
-            allowAllOutbound,
-            allowPublicSubnet,
-            architecture,
-            code: codeAsset,
-            deadLetterQueue,
-            deadLetterQueueEnabled,
-            deadLetterTopic,
-            description,
-            environment: {
-                ...environment,
-                ...secretsEnvironment,
-                ...jaypieSecretsEnvironment,
-            },
-            ephemeralStorageSize,
-            filesystem,
-            handler,
-            initialPolicy,
-            layers: resolvedLayers,
-            logGroup: resolvedLogGroup,
-            maxEventAge,
-            memorySize,
-            paramsAndSecrets: resolvedParamsAndSecrets,
-            profiling,
-            profilingGroup,
-            reservedConcurrentExecutions,
-            retryAttempts,
-            runtime,
-            runtimeManagementMode,
-            securityGroups,
-            timeout: typeof timeout === "number" ? Duration.seconds(timeout) : timeout,
-            tracing,
-            vpc,
-            vpcSubnets,
-            // Enable auto-publishing of versions when using provisioned concurrency
-            currentVersionOptions: provisionedConcurrentExecutions !== undefined
-                ? {
-                    removalPolicy: RemovalPolicy.RETAIN,
-                    description: "Auto-published version for provisioned concurrency",
-                    // Don't set provisioned concurrency here - it will be set on the alias
-                }
-                : undefined,
-        });
-        addDatadogLayers(this._lambda, { datadogApiKeyArn });
-        // Grant secret read permissions
-        Object.values(envSecrets).forEach((secret) => {
-            secret.grantRead(this._lambda);
-        });
-        // Grant read permissions for JaypieEnvSecrets
-        secrets.forEach((secret) => {
-            secret.grantRead(this._lambda);
-        });
-        // Configure provisioned concurrency if specified
-        if (provisionedConcurrentExecutions !== undefined) {
-            // Use currentVersion which is auto-published with proper configuration
-            const version = this._lambda.currentVersion;
-            // Create alias for provisioned concurrency
-            this._provisioned = new lambda.Alias(this, "ProvisionedAlias", {
-                aliasName: "provisioned",
-                version,
-                provisionedConcurrentExecutions,
-            });
-            // Add explicit dependencies to ensure proper creation order
-            this._provisioned.node.addDependency(version);
-        }
-        if (roleTag) {
-            Tags.of(this._lambda).add(CDK$2.TAG.ROLE, roleTag);
-        }
-        if (vendorTag) {
-            Tags.of(this._lambda).add(CDK$2.TAG.VENDOR, vendorTag);
-        }
-        // Assign _reference based on provisioned state
-        this._reference =
-            this._provisioned !== undefined ? this._provisioned : this._lambda;
-    }
-    // Public accessors
-    get lambda() {
-        return this._lambda;
-    }
-    get provisioned() {
-        return this._provisioned;
-    }
-    get reference() {
-        return this._reference;
-    }
-    // IFunction implementation
-    get functionArn() {
-        return this._reference.functionArn;
-    }
-    get functionName() {
-        return this._reference.functionName;
-    }
-    get grantPrincipal() {
-        return this._reference.grantPrincipal;
-    }
-    get role() {
-        return this._reference.role;
-    }
-    get architecture() {
-        return this._reference.architecture;
-    }
-    get connections() {
-        return this._reference.connections;
-    }
-    get isBoundToVpc() {
-        return this._reference.isBoundToVpc;
-    }
-    get latestVersion() {
-        return this._reference.latestVersion;
-    }
-    get permissionsNode() {
-        return this._reference.permissionsNode;
-    }
-    get resourceArnsForGrantInvoke() {
-        return this._reference.resourceArnsForGrantInvoke;
-    }
-    get functionRef() {
-        return {
-            functionArn: this._reference.functionArn,
-            functionName: this._reference.functionName,
-        };
-    }
-    addEventSource(source) {
-        this._reference.addEventSource(source);
-    }
-    addEventSourceMapping(id, options) {
-        return this._reference.addEventSourceMapping(id, options);
-    }
-    addFunctionUrl(options) {
-        return this._reference.addFunctionUrl(options);
-    }
-    addPermission(id, permission) {
-        this._reference.addPermission(id, permission);
-    }
-    addToRolePolicy(statement) {
-        this._reference.addToRolePolicy(statement);
-    }
-    configureAsyncInvoke(options) {
-        this._reference.configureAsyncInvoke(options);
-    }
-    grantInvoke(grantee) {
-        return this._reference.grantInvoke(grantee);
-    }
-    grantInvokeCompositePrincipal(compositePrincipal) {
-        return this._reference.grantInvokeCompositePrincipal(compositePrincipal);
-    }
-    grantInvokeUrl(grantee) {
-        return this._reference.grantInvokeUrl(grantee);
-    }
-    grantInvokeLatestVersion(grantee) {
-        return this._reference.grantInvokeLatestVersion(grantee);
-    }
-    grantInvokeVersion(grantee, version) {
-        return this._reference.grantInvokeVersion(grantee, version);
-    }
-    metric(metricName, props) {
-        return this._reference.metric(metricName, props);
-    }
-    metricDuration(props) {
-        return this._reference.metricDuration(props);
-    }
-    metricErrors(props) {
-        return this._reference.metricErrors(props);
-    }
-    metricInvocations(props) {
-        return this._reference.metricInvocations(props);
-    }
-    metricThrottles(props) {
-        return this._reference.metricThrottles(props);
-    }
-    get env() {
-        return {
-            account: Stack.of(this).account,
-            region: Stack.of(this).region,
-        };
-    }
-    get stack() {
-        return this._reference.stack;
-    }
-    applyRemovalPolicy(policy) {
-        this._reference.applyRemovalPolicy(policy);
-    }
-    addEnvironment(key, value) {
-        this._lambda.addEnvironment(key, value);
-    }
-}
-
-class JaypieQueuedLambda extends Construct {
-    constructor(scope, id, props) {
-        super(scope, id);
-        const { allowAllOutbound, allowPublicSubnet, architecture, batchSize = 1, code, datadogApiKeyArn, deadLetterQueue, deadLetterQueueEnabled, deadLetterTopic, description, environment = {}, envSecrets = {}, ephemeralStorageSize, fifo = true, filesystem, handler = "index.handler", initialPolicy, layers = [], logGroup, logRetention = CDK$2.LAMBDA.LOG_RETENTION, maxEventAge, memorySize = CDK$2.LAMBDA.MEMORY_SIZE, paramsAndSecrets, paramsAndSecretsOptions, profiling, profilingGroup, provisionedConcurrentExecutions, reservedConcurrentExecutions, retryAttempts, roleTag, runtime = lambda.Runtime.NODEJS_22_X, runtimeManagementMode, secrets = [], securityGroups, timeout = Duration.seconds(CDK$2.DURATION.LAMBDA_WORKER), tracing, vendorTag, visibilityTimeout = Duration.seconds(CDK$2.DURATION.LAMBDA_WORKER), vpc, vpcSubnets, } = props;
-        // Create SQS Queue
-        this._queue = new sqs.Queue(this, "Queue", {
-            fifo,
-            visibilityTimeout: typeof visibilityTimeout === "number"
-                ? Duration.seconds(visibilityTimeout)
-                : visibilityTimeout,
-        });
-        if (roleTag) {
-            Tags.of(this._queue).add(CDK$2.TAG.ROLE, roleTag);
-        }
-        if (vendorTag) {
-            Tags.of(this._queue).add(CDK$2.TAG.VENDOR, vendorTag);
-        }
-        // Create Lambda with JaypieLambda
-        this._lambdaConstruct = new JaypieLambda(this, "Function", {
-            allowAllOutbound,
-            allowPublicSubnet,
-            architecture,
-            code,
-            datadogApiKeyArn,
-            deadLetterQueue,
-            deadLetterQueueEnabled,
-            deadLetterTopic,
-            description,
-            environment: {
-                ...environment,
-                CDK_ENV_QUEUE_URL: this._queue.queueUrl,
-            },
-            envSecrets,
-            ephemeralStorageSize,
-            filesystem,
-            handler,
-            initialPolicy,
-            layers,
-            logGroup,
-            logRetention,
-            maxEventAge,
-            memorySize,
-            paramsAndSecrets,
-            paramsAndSecretsOptions,
-            profiling,
-            profilingGroup,
-            provisionedConcurrentExecutions,
-            reservedConcurrentExecutions,
-            retryAttempts,
-            roleTag,
-            runtime,
-            runtimeManagementMode,
-            secrets,
-            securityGroups,
-            timeout,
-            tracing,
-            vendorTag,
-            vpc,
-            vpcSubnets,
-        });
-        // Set up queue and lambda integration
-        this._queue.grantConsumeMessages(this._lambdaConstruct);
-        this._queue.grantSendMessages(this._lambdaConstruct);
-        this._lambdaConstruct.addEventSource(new lambdaEventSources.SqsEventSource(this._queue, {
-            batchSize,
-        }));
-    }
-    // Public accessors
-    get queue() {
-        return this._queue;
-    }
-    get lambda() {
-        return this._lambdaConstruct.lambda;
-    }
-    // IFunction implementation
-    get functionArn() {
-        return this._lambdaConstruct.functionArn;
-    }
-    get functionName() {
-        return this._lambdaConstruct.functionName;
-    }
-    get grantPrincipal() {
-        return this._lambdaConstruct.grantPrincipal;
-    }
-    get role() {
-        return this._lambdaConstruct.role;
-    }
-    get architecture() {
-        return this._lambdaConstruct.architecture;
-    }
-    get connections() {
-        return this._lambdaConstruct.connections;
-    }
-    get isBoundToVpc() {
-        return this._lambdaConstruct.isBoundToVpc;
-    }
-    get latestVersion() {
-        return this._lambdaConstruct.latestVersion;
-    }
-    get permissionsNode() {
-        return this._lambdaConstruct.permissionsNode;
-    }
-    get resourceArnsForGrantInvoke() {
-        return this._lambdaConstruct.resourceArnsForGrantInvoke;
-    }
-    get functionRef() {
-        return this._lambdaConstruct.functionRef;
-    }
-    addEventSource(source) {
-        this._lambdaConstruct.addEventSource(source);
-    }
-    addEventSourceMapping(id, options) {
-        return this._lambdaConstruct.addEventSourceMapping(id, options);
-    }
-    addFunctionUrl(options) {
-        return this._lambdaConstruct.addFunctionUrl(options);
-    }
-    addPermission(id, permission) {
-        this._lambdaConstruct.addPermission(id, permission);
-    }
-    addToRolePolicy(statement) {
-        this._lambdaConstruct.addToRolePolicy(statement);
-    }
-    configureAsyncInvoke(options) {
-        this._lambdaConstruct.configureAsyncInvoke(options);
-    }
-    grantInvoke(grantee) {
-        return this._lambdaConstruct.grantInvoke(grantee);
-    }
-    grantInvokeCompositePrincipal(compositePrincipal) {
-        return this._lambdaConstruct.grantInvokeCompositePrincipal(compositePrincipal);
-    }
-    grantInvokeUrl(grantee) {
-        return this._lambdaConstruct.grantInvokeUrl(grantee);
-    }
-    metric(metricName, props) {
-        return this._lambdaConstruct.metric(metricName, props);
-    }
-    metricDuration(props) {
-        return this._lambdaConstruct.metricDuration(props);
-    }
-    metricErrors(props) {
-        return this._lambdaConstruct.metricErrors(props);
-    }
-    metricInvocations(props) {
-        return this._lambdaConstruct.metricInvocations(props);
-    }
-    metricThrottles(props) {
-        return this._lambdaConstruct.metricThrottles(props);
-    }
-    // Additional IFunction implementation
-    grantInvokeLatestVersion(grantee) {
-        return this._lambdaConstruct.grantInvokeLatestVersion(grantee);
-    }
-    grantInvokeVersion(grantee, version) {
-        return this._lambdaConstruct.grantInvokeVersion(grantee, version);
-    }
-    get env() {
-        return {
-            account: Stack.of(this).account,
-            region: Stack.of(this).region,
-        };
-    }
-    get stack() {
-        return Stack.of(this);
-    }
-    applyRemovalPolicy(policy) {
-        this._lambdaConstruct.applyRemovalPolicy(policy);
-        this._queue.applyRemovalPolicy(policy);
-    }
-    // IQueue implementation
-    get fifo() {
-        return this._queue.fifo;
-    }
-    get queueArn() {
-        return this._queue.queueArn;
-    }
-    get queueName() {
-        return this._queue.queueName;
-    }
-    get queueUrl() {
-        return this._queue.queueUrl;
-    }
-    get encryptionMasterKey() {
-        return this._queue.encryptionMasterKey;
-    }
-    addToResourcePolicy(statement) {
-        return this._queue.addToResourcePolicy(statement);
-    }
-    grant(grantee, ...actions) {
-        return this._queue.grant(grantee, ...actions);
-    }
-    grantConsumeMessages(grantee) {
-        return this._queue.grantConsumeMessages(grantee);
-    }
-    grantPurge(grantee) {
-        return this._queue.grantPurge(grantee);
-    }
-    grantSendMessages(grantee) {
-        return this._queue.grantSendMessages(grantee);
-    }
-    // Queue metrics
-    metricApproximateAgeOfOldestMessage(props) {
-        return this._queue.metricApproximateAgeOfOldestMessage(props);
-    }
-    metricApproximateNumberOfMessagesDelayed(props) {
-        return this._queue.metricApproximateNumberOfMessagesDelayed(props);
-    }
-    metricApproximateNumberOfMessagesNotVisible(props) {
-        return this._queue.metricApproximateNumberOfMessagesNotVisible(props);
-    }
-    metricApproximateNumberOfMessagesVisible(props) {
-        return this._queue.metricApproximateNumberOfMessagesVisible(props);
-    }
-    metricNumberOfEmptyReceives(props) {
-        return this._queue.metricNumberOfEmptyReceives(props);
-    }
-    metricNumberOfMessagesDeleted(props) {
-        return this._queue.metricNumberOfMessagesDeleted(props);
-    }
-    metricNumberOfMessagesReceived(props) {
-        return this._queue.metricNumberOfMessagesReceived(props);
-    }
-    metricNumberOfMessagesSent(props) {
-        return this._queue.metricNumberOfMessagesSent(props);
-    }
-    metricSentMessageSize(props) {
-        return this._queue.metricSentMessageSize(props);
-    }
-    addEnvironment(key, value) {
-        this._lambdaConstruct.addEnvironment(key, value);
-    }
-}
-
-class JaypieBucketQueuedLambda extends JaypieQueuedLambda {
-    constructor(scope, id, props) {
-        props.fifo = false; // S3 event notifications are not supported for FIFO queues
-        super(scope, id, props);
-        const { bucketName, roleTag, vendorTag, bucketOptions = {} } = props;
-        // Create S3 Bucket
-        this._bucket = new s3.Bucket(this, "Bucket", {
-            bucketName: bucketOptions.bucketName || bucketName,
-            removalPolicy: bucketOptions.removalPolicy || RemovalPolicy.RETAIN,
-            ...bucketOptions,
-        });
-        // Add tags to bucket
-        if (roleTag) {
-            Tags.of(this._bucket).add(CDK$2.TAG.ROLE, roleTag);
-        }
-        if (vendorTag) {
-            Tags.of(this._bucket).add(CDK$2.TAG.VENDOR, vendorTag);
-        }
-        // Add an event notification from the bucket to the queue
-        this._bucket.addEventNotification(s3.EventType.OBJECT_CREATED, new s3n.SqsDestination(this.queue));
-        // Grant the lambda access to the bucket
-        this._bucket.grantReadWrite(this);
-        // Add environment variable for bucket name
-        this.lambda.addEnvironment("CDK_ENV_BUCKET_NAME", this._bucket.bucketName);
-    }
-    // Public accessors
-    get bucket() {
-        return this._bucket;
-    }
-    // IBucket implementation
-    get bucketArn() {
-        return this._bucket.bucketArn;
-    }
-    get bucketDomainName() {
-        return this._bucket.bucketDomainName;
-    }
-    get bucketDualStackDomainName() {
-        return this._bucket.bucketDualStackDomainName;
-    }
-    get bucketName() {
-        return this._bucket.bucketName;
-    }
-    get bucketRegionalDomainName() {
-        return this._bucket.bucketRegionalDomainName;
-    }
-    get bucketWebsiteDomainName() {
-        return this._bucket.bucketWebsiteDomainName;
-    }
-    get bucketWebsiteUrl() {
-        return this._bucket.bucketWebsiteUrl;
-    }
-    get encryptionKey() {
-        return this._bucket.encryptionKey;
-    }
-    get isWebsite() {
-        return this._bucket.isWebsite || false;
-    }
-    get policy() {
-        return this._bucket.policy;
-    }
-    addEventNotification(event, dest, ...filters) {
-        this._bucket.addEventNotification(event, dest, ...filters);
-    }
-    addObjectCreatedNotification(dest, ...filters) {
-        this._bucket.addObjectCreatedNotification(dest, ...filters);
-    }
-    addObjectRemovedNotification(dest, ...filters) {
-        this._bucket.addObjectRemovedNotification(dest, ...filters);
-    }
-    addToResourcePolicy(permission) {
-        return this._bucket.addToResourcePolicy(permission);
-    }
-    arnForObjects(objectKeyPattern) {
-        return this._bucket.arnForObjects(objectKeyPattern);
-    }
-    enableEventBridgeNotification() {
-        this._bucket.enableEventBridgeNotification();
-    }
-    grantDelete(grantee, objectsKeyPattern) {
-        return this._bucket.grantDelete(grantee, objectsKeyPattern);
-    }
-    grantPublicAccess(keyPrefix, ...allowedActions) {
-        return this._bucket.grantPublicAccess(keyPrefix, ...allowedActions);
-    }
-    grantPut(grantee, objectsKeyPattern) {
-        return this._bucket.grantPut(grantee, objectsKeyPattern);
-    }
-    grantPutAcl(grantee, objectsKeyPattern) {
-        return this._bucket.grantPutAcl(grantee, objectsKeyPattern);
-    }
-    grantRead(grantee, objectsKeyPattern) {
-        return this._bucket.grantRead(grantee, objectsKeyPattern);
-    }
-    grantReadWrite(grantee, objectsKeyPattern) {
-        return this._bucket.grantReadWrite(grantee, objectsKeyPattern);
-    }
-    grantWrite(grantee, objectsKeyPattern) {
-        return this._bucket.grantWrite(grantee, objectsKeyPattern);
-    }
-    onCloudTrailEvent(id, options) {
-        return this._bucket.onCloudTrailEvent(id, options);
-    }
-    onCloudTrailPutObject(id, options) {
-        return this._bucket.onCloudTrailPutObject(id, options);
-    }
-    onCloudTrailWriteObject(id, options) {
-        return this._bucket.onCloudTrailWriteObject(id, options);
-    }
-    s3UrlForObject(key) {
-        return this._bucket.s3UrlForObject(key);
-    }
-    transferAccelerationUrlForObject(key, options) {
-        return this._bucket.transferAccelerationUrlForObject(key, options);
-    }
-    urlForObject(key) {
-        return this._bucket.urlForObject(key);
-    }
-    virtualHostedUrlForObject(key, options) {
-        return this._bucket.virtualHostedUrlForObject(key, options);
-    }
-    grantReplicationPermission(identity, props) {
-        return this._bucket.grantReplicationPermission(identity, props);
-    }
-    addReplicationPolicy(policy) {
-        this._bucket.addReplicationPolicy(policy);
-    }
-    get bucketRef() {
-        return {
-            bucketArn: this._bucket.bucketArn,
-            bucketName: this._bucket.bucketName,
-        };
-    }
-    // Override applyRemovalPolicy to apply to all resources
-    applyRemovalPolicy(policy) {
-        super.applyRemovalPolicy(policy);
-        this._bucket.applyRemovalPolicy(policy);
-    }
-}
-
-class JaypieDatadogBucket extends Construct {
-    /**
-     * Create a new S3 bucket for Datadog log archiving with automatic IAM permissions
-     */
-    constructor(scope, idOrProps, propsOrUndefined) {
-        // Handle overloaded constructor signatures
-        let props;
-        let id;
-        if (typeof idOrProps === "string") {
-            // First param is ID, second is props
-            props = propsOrUndefined || {};
-            id = idOrProps;
-        }
-        else {
-            // First param is props
-            props = idOrProps || {};
-            id = props.id || "JaypieDatadogBucket";
-        }
-        super(scope, id);
-        // Extract Jaypie-specific options
-        const { bucketId = "DatadogArchiveBucket", bucketScope, grantDatadogAccess = true, project, service = CDK$2.SERVICE.DATADOG, ...bucketProps } = props;
-        // Create the bucket using bucketScope (defaults to this) and bucketId
-        const effectiveBucketScope = bucketScope || this;
-        this.bucket = new Bucket(effectiveBucketScope, bucketId, bucketProps);
-        // Add tags to bucket
-        cdk.Tags.of(this.bucket).add(CDK$2.TAG.SERVICE, service);
-        cdk.Tags.of(this.bucket).add(CDK$2.TAG.ROLE, CDK$2.ROLE.MONITORING);
-        if (project) {
-            cdk.Tags.of(this.bucket).add(CDK$2.TAG.PROJECT, project);
-        }
-        // Grant Datadog role access to bucket if enabled
-        if (grantDatadogAccess) {
-            this.policy = this.grantDatadogRoleBucketAccess({ project, service });
-        }
-    }
-    /**
-     * Grants the Datadog IAM role access to this bucket
-     *
-     * Checks for CDK_ENV_DATADOG_ROLE_ARN environment variable.
-     * If found, creates a custom policy with:
-     * - s3:ListBucket on bucket
-     * - s3:GetObject and s3:PutObject on bucket/*
-     *
-     * @param options - Configuration options
-     * @returns The created Policy, or undefined if CDK_ENV_DATADOG_ROLE_ARN is not set
-     */
-    grantDatadogRoleBucketAccess(options) {
-        const datadogRoleArn = process.env.CDK_ENV_DATADOG_ROLE_ARN;
-        // Early return if no Datadog role ARN is configured
-        if (!datadogRoleArn) {
-            return undefined;
-        }
-        const { project, service = CDK$2.SERVICE.DATADOG } = options || {};
-        // Lookup the Datadog role
-        const datadogRole = Role.fromRoleArn(this, "DatadogRole", datadogRoleArn);
-        // Build policy statements for bucket access
-        const statements = [
-            // Allow list bucket
-            new PolicyStatement({
-                actions: ["s3:ListBucket"],
-                resources: [this.bucket.bucketArn],
-            }),
-            // Allow read and write to the bucket
-            new PolicyStatement({
-                actions: ["s3:GetObject", "s3:PutObject"],
-                resources: [`${this.bucket.bucketArn}/*`],
-            }),
-        ];
-        // Create the custom policy
-        const datadogBucketPolicy = new Policy(this, "DatadogBucketPolicy", {
-            roles: [datadogRole],
-            statements,
-        });
-        // Add tags
-        cdk.Tags.of(datadogBucketPolicy).add(CDK$2.TAG.SERVICE, service);
-        cdk.Tags.of(datadogBucketPolicy).add(CDK$2.TAG.ROLE, CDK$2.ROLE.MONITORING);
-        cdk.Tags.of(datadogBucketPolicy).add(CDK$2.TAG.VENDOR, CDK$2.VENDOR.DATADOG);
-        if (project) {
-            cdk.Tags.of(datadogBucketPolicy).add(CDK$2.TAG.PROJECT, project);
-        }
-        return datadogBucketPolicy;
-    }
-}
-
-const DATADOG_FORWARDER_TEMPLATE_URL = "https://datadog-cloudformation-template.s3.amazonaws.com/aws/forwarder/latest.yaml";
-const DEFAULT_RESERVED_CONCURRENCY = "10";
-class JaypieDatadogForwarder extends Construct {
-    /**
-     * Create a new Datadog forwarder with CloudFormation nested stack
-     */
-    constructor(scope, idOrProps, propsOrUndefined) {
-        // Handle overloaded constructor signatures
-        let props;
-        let id;
-        if (typeof idOrProps === "string") {
-            // First param is ID, second is props
-            props = propsOrUndefined || {};
-            id = idOrProps;
-        }
-        else {
-            // First param is props
-            props = idOrProps || {};
-            id = props.id || "DatadogForwarder";
-        }
-        super(scope, id);
-        // Resolve options with defaults
-        const { account = process.env.CDK_ENV_ACCOUNT, additionalTags, createOutput = true, datadogApiKey = process.env.CDK_ENV_DATADOG_API_KEY, enableCloudFormationEvents = true, enableRoleExtension = true, exportName = CDK$2.IMPORT.DATADOG_LOG_FORWARDER, project, reservedConcurrency = DEFAULT_RESERVED_CONCURRENCY, service = CDK$2.VENDOR.DATADOG, templateUrl = DATADOG_FORWARDER_TEMPLATE_URL, } = props;
-        // Validate required parameters
-        if (!datadogApiKey) {
-            throw new Error("Datadog API key is required. Provide via datadogApiKey prop or CDK_ENV_DATADOG_API_KEY environment variable.");
-        }
-        // Build Datadog tags
-        let ddTags = account ? `account:${account}` : "";
-        if (additionalTags) {
-            ddTags = ddTags ? `${ddTags},${additionalTags}` : additionalTags;
-        }
-        // Deploy Datadog CloudFormation stack
-        this.cfnStack = new CfnStack(this, "Stack", {
-            parameters: {
-                DdApiKey: datadogApiKey,
-                DdTags: ddTags,
-                ReservedConcurrency: reservedConcurrency,
-            },
-            templateUrl,
-        });
-        // Add tags to stack
-        cdk.Tags.of(this.cfnStack).add(CDK$2.TAG.ROLE, CDK$2.ROLE.MONITORING);
-        cdk.Tags.of(this.cfnStack).add(CDK$2.TAG.SERVICE, service);
-        cdk.Tags.of(this.cfnStack).add(CDK$2.TAG.VENDOR, CDK$2.VENDOR.DATADOG);
-        if (project) {
-            cdk.Tags.of(this.cfnStack).add(CDK$2.TAG.PROJECT, project);
-        }
-        // Extract forwarder function from stack outputs
-        this.forwarderFunction = lambda.Function.fromFunctionArn(this, "Function", this.cfnStack.getAtt("Outputs.DatadogForwarderArn").toString());
-        // Extend Datadog role with custom permissions if enabled
-        if (enableRoleExtension) {
-            extendDatadogRole(this, { project, service });
-        }
-        // Create CloudFormation events rule if enabled
-        if (enableCloudFormationEvents) {
-            this.eventsRule = new Rule(this, "CloudFormationEventsRule", {
-                eventPattern: {
-                    source: ["aws.cloudformation"],
-                },
-                targets: [
-                    new LambdaFunction(this.forwarderFunction, {
-                        event: RuleTargetInput.fromEventPath("$"),
-                    }),
-                ],
-            });
-            // Add tags to events rule
-            cdk.Tags.of(this.eventsRule).add(CDK$2.TAG.ROLE, CDK$2.ROLE.MONITORING);
-            cdk.Tags.of(this.eventsRule).add(CDK$2.TAG.SERVICE, service);
-            cdk.Tags.of(this.eventsRule).add(CDK$2.TAG.VENDOR, CDK$2.VENDOR.DATADOG);
-            if (project) {
-                cdk.Tags.of(this.eventsRule).add(CDK$2.TAG.PROJECT, project);
-            }
-        }
-        // Create CloudFormation output if enabled
-        if (createOutput) {
-            new cdk.CfnOutput(this, "ForwarderArnOutput", {
-                description: "Datadog Log Forwarder Lambda ARN",
-                exportName,
-                value: this.cfnStack.getAtt("Outputs.DatadogForwarderArn").toString(),
-            });
-        }
-    }
-}
-
-class JaypieDistribution extends Construct {
-    constructor(scope, id, props) {
-        super(scope, id);
-        const { certificate: certificateProp = true, defaultBehavior: propsDefaultBehavior, destination: destinationProp = true, handler, host: propsHost, invokeMode = lambda.InvokeMode.BUFFERED, roleTag = CDK$2.ROLE.API, zone: propsZone, ...distributionProps } = props;
-        // Validate environment variables
-        if (process.env.CDK_ENV_API_SUBDOMAIN &&
-            !isValidSubdomain(process.env.CDK_ENV_API_SUBDOMAIN)) {
-            throw new Error("CDK_ENV_API_SUBDOMAIN is not a valid subdomain");
-        }
-        if (process.env.CDK_ENV_API_HOSTED_ZONE &&
-            !isValidHostname$1(process.env.CDK_ENV_API_HOSTED_ZONE)) {
-            throw new Error("CDK_ENV_API_HOSTED_ZONE is not a valid hostname");
-        }
-        if (process.env.CDK_ENV_HOSTED_ZONE &&
-            !isValidHostname$1(process.env.CDK_ENV_HOSTED_ZONE)) {
-            throw new Error("CDK_ENV_HOSTED_ZONE is not a valid hostname");
-        }
-        // Determine host from props or environment
-        let host = propsHost;
-        if (!host) {
-            try {
-                if (process.env.CDK_ENV_API_HOST_NAME) {
-                    host = process.env.CDK_ENV_API_HOST_NAME;
-                }
-                else if (process.env.CDK_ENV_API_SUBDOMAIN) {
-                    host = mergeDomain(process.env.CDK_ENV_API_SUBDOMAIN, process.env.CDK_ENV_API_HOSTED_ZONE ||
-                        process.env.CDK_ENV_HOSTED_ZONE ||
-                        "");
-                }
-            }
-            catch {
-                host = undefined;
-            }
-        }
-        if (host && !isValidHostname$1(host)) {
-            throw new Error("Host is not a valid hostname");
-        }
-        this.host = host;
-        // Determine zone from props or environment
-        const zone = propsZone || process.env.CDK_ENV_HOSTED_ZONE;
-        // Resolve the origin from handler
-        // Check order matters: IFunctionUrl before IOrigin (FunctionUrl also has bind method)
-        // IFunction before IFunctionUrl (IFunction doesn't have functionUrlId)
-        let origin;
-        if (handler) {
-            if (this.isIFunction(handler)) {
-                // Create FunctionUrl for the Lambda function
-                const functionUrl = new lambda.FunctionUrl(this, "FunctionUrl", {
-                    function: handler,
-                    authType: lambda.FunctionUrlAuthType.NONE,
-                    invokeMode,
-                });
-                this.functionUrl = functionUrl;
-                origin = new origins.FunctionUrlOrigin(functionUrl);
-            }
-            else if (this.isIFunctionUrl(handler)) {
-                origin = new origins.FunctionUrlOrigin(handler);
-            }
-            else if (this.isIOrigin(handler)) {
-                origin = handler;
-            }
-        }
-        // Build default behavior
-        let defaultBehavior;
-        if (propsDefaultBehavior) {
-            defaultBehavior = propsDefaultBehavior;
-        }
-        else if (origin) {
-            defaultBehavior = {
-                allowedMethods: cloudfront.AllowedMethods.ALLOW_ALL,
-                cachePolicy: cloudfront.CachePolicy.CACHING_DISABLED,
-                origin,
-                originRequestPolicy: cloudfront.OriginRequestPolicy.ALL_VIEWER_EXCEPT_HOST_HEADER,
-                viewerProtocolPolicy: cloudfront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
-            };
-        }
-        else {
-            throw new Error("Either handler or defaultBehavior must be provided to JaypieDistribution");
-        }
-        // Resolve hosted zone and certificate
-        // Only resolve zone when we need it (for certificate or DNS)
-        let hostedZone;
-        let certificateToUse;
-        if (host && zone && certificateProp !== false) {
-            hostedZone = resolveHostedZone(this, { zone });
-            if (certificateProp === true) {
-                certificateToUse = new acm.Certificate(this, constructEnvName("Certificate"), {
-                    domainName: host,
-                    validation: acm.CertificateValidation.fromDns(hostedZone),
-                });
-                Tags.of(certificateToUse).add(CDK$2.TAG.ROLE, roleTag);
-            }
-            else if (typeof certificateProp === "object") {
-                certificateToUse = certificateProp;
-            }
-            this.certificate = certificateToUse;
-        }
-        // Create log bucket if logging is enabled
-        let logBucket;
-        if (destinationProp !== false) {
-            logBucket = new s3.Bucket(this, constructEnvName("LogBucket"), {
-                objectOwnership: s3.ObjectOwnership.OBJECT_WRITER,
-                removalPolicy: RemovalPolicy.DESTROY,
-                autoDeleteObjects: true,
-                lifecycleRules: [
-                    {
-                        expiration: Duration.days(90),
-                        transitions: [
-                            {
-                                storageClass: s3.StorageClass.INFREQUENT_ACCESS,
-                                transitionAfter: Duration.days(30),
-                            },
-                        ],
-                    },
-                ],
-            });
-            Tags.of(logBucket).add(CDK$2.TAG.ROLE, CDK$2.ROLE.STORAGE);
-            // Add S3 notification to Datadog forwarder
-            const lambdaDestination = destinationProp === true
-                ? new LambdaDestination(resolveDatadogForwarderFunction(this))
-                : destinationProp;
-            logBucket.addEventNotification(s3.EventType.OBJECT_CREATED, lambdaDestination);
-            this.logBucket = logBucket;
-        }
-        // Create the CloudFront distribution
-        this.distribution = new cloudfront.Distribution(this, constructEnvName("Distribution"), {
-            defaultBehavior,
-            ...(host && certificateToUse
-                ? {
-                    certificate: certificateToUse,
-                    domainNames: [host],
-                }
-                : {}),
-            ...(logBucket
-                ? {
-                    enableLogging: true,
-                    logBucket,
-                    logFilePrefix: "cloudfront-logs/",
-                }
-                : {}),
-            ...distributionProps,
-        });
-        Tags.of(this.distribution).add(CDK$2.TAG.ROLE, roleTag);
-        this.distributionArn = `arn:aws:cloudfront::${Stack.of(this).account}:distribution/${this.distribution.distributionId}`;
-        this.distributionDomainName = this.distribution.distributionDomainName;
-        this.distributionId = this.distribution.distributionId;
-        this.domainName = this.distribution.domainName;
-        // Create DNS records if we have host and zone
-        if (host && hostedZone) {
-            const aRecord = new route53.ARecord(this, "AliasRecord", {
-                recordName: host,
-                target: route53.RecordTarget.fromAlias(new route53Targets.CloudFrontTarget(this.distribution)),
-                zone: hostedZone,
-            });
-            Tags.of(aRecord).add(CDK$2.TAG.ROLE, CDK$2.ROLE.NETWORKING);
-            const aaaaRecord = new route53.AaaaRecord(this, "AaaaAliasRecord", {
-                recordName: host,
-                target: route53.RecordTarget.fromAlias(new route53Targets.CloudFrontTarget(this.distribution)),
-                zone: hostedZone,
-            });
-            Tags.of(aaaaRecord).add(CDK$2.TAG.ROLE, CDK$2.ROLE.NETWORKING);
-        }
-    }
-    // Type guards for handler types
-    isIOrigin(handler) {
-        return (typeof handler === "object" &&
-            handler !== null &&
-            "bind" in handler &&
-            typeof handler.bind === "function");
-    }
-    isIFunctionUrl(handler) {
-        // FunctionUrl has 'url' property which is the function URL string
-        // IFunction does not have 'url' property
-        return (typeof handler === "object" &&
-            handler !== null &&
-            "url" in handler &&
-            "functionArn" in handler);
-    }
-    isIFunction(handler) {
-        // IFunction has functionArn and functionName but NOT 'url'
-        // (FunctionUrl also has functionArn but also has 'url')
-        return (typeof handler === "object" &&
-            handler !== null &&
-            "functionArn" in handler &&
-            "functionName" in handler &&
-            !("url" in handler));
-    }
-    // Implement IDistribution interface
-    get env() {
-        return {
-            account: Stack.of(this).account,
-            region: Stack.of(this).region,
-        };
-    }
-    get stack() {
-        return this.distribution.stack;
-    }
-    applyRemovalPolicy(policy) {
-        this.distribution.applyRemovalPolicy(policy);
-    }
-    grant(identity, ...actions) {
-        return this.distribution.grant(identity, ...actions);
-    }
-    grantCreateInvalidation(identity) {
-        return this.distribution.grantCreateInvalidation(identity);
-    }
-    get distributionRef() {
-        return {
-            distributionId: this.distribution.distributionId,
-        };
-    }
-}
-
-// It is a consumer if the environment is ephemeral
-function checkEnvIsConsumer(env = process.env) {
-    return (env.PROJECT_ENV === CDK$2.ENV.PERSONAL ||
-        !!env.CDK_ENV_PERSONAL ||
-        /** @deprecated */ env.PROJECT_ENV === "ephemeral" ||
-        /** @deprecated */ !!env.CDK_ENV_EPHEMERAL);
-}
-function checkEnvIsProvider(env = process.env) {
-    return env.PROJECT_ENV === CDK$2.ENV.SANDBOX;
-}
-function cleanName(name) {
-    return name.replace(/[^a-zA-Z0-9:-]/g, "");
-}
-function exportEnvName(name, env = process.env) {
-    let rawName;
-    if (checkEnvIsProvider(env)) {
-        rawName = `env-${env.PROJECT_ENV}-${env.PROJECT_KEY}-${name}`;
-        // Clean the entire name to only allow alphanumeric, colons, and hyphens
-        return cleanName(rawName);
-    }
-    else {
-        if (checkEnvIsConsumer(env)) {
-            rawName = `env-${CDK$2.ENV.SANDBOX}-${env.PROJECT_KEY}-${name}`;
-        }
-        else {
-            rawName = `env-${env.PROJECT_ENV}-${env.PROJECT_KEY}-${name}`;
-        }
-    }
-    return cleanName(rawName);
-}
-class JaypieEnvSecret extends Construct {
-    constructor(scope, idOrEnvKey, props) {
-        // Check if idOrEnvKey should be treated as envKey:
-        // - No props provided OR props.envKey is not set
-        // - AND idOrEnvKey exists as a non-empty string in process.env
-        const treatAsEnvKey = (!props || props.envKey === undefined) &&
-            typeof process.env[idOrEnvKey] === "string" &&
-            process.env[idOrEnvKey] !== "";
-        const id = treatAsEnvKey ? `EnvSecret_${idOrEnvKey}` : idOrEnvKey;
-        super(scope, id);
-        const { consumer = checkEnvIsConsumer(), envKey: envKeyProp, export: exportParam, generateSecretString, provider = checkEnvIsProvider(), roleTag, vendorTag, value, } = props || {};
-        const envKey = treatAsEnvKey ? idOrEnvKey : envKeyProp;
-        this._envKey = envKey;
-        let exportName;
-        if (!exportParam) {
-            exportName = exportEnvName(id);
-        }
-        else {
-            exportName = cleanName(exportParam);
-        }
-        if (consumer) {
-            const secretName = Fn.importValue(exportName);
-            this._secret = secretsmanager.Secret.fromSecretNameV2(this, id, secretName);
-            // Add CfnOutput for consumer secrets
-            new CfnOutput(this, `ConsumedName`, {
-                value: this._secret.secretName,
-            });
-        }
-        else {
-            const secretValue = envKey && process.env[envKey] ? process.env[envKey] : value;
-            const secretProps = {
-                generateSecretString,
-                secretStringValue: !generateSecretString && secretValue
-                    ? SecretValue.unsafePlainText(secretValue)
-                    : undefined,
-            };
-            this._secret = new secretsmanager.Secret(this, id, secretProps);
-            if (roleTag) {
-                Tags.of(this._secret).add(CDK$2.TAG.ROLE, roleTag);
-            }
-            if (vendorTag) {
-                Tags.of(this._secret).add(CDK$2.TAG.VENDOR, vendorTag);
-            }
-            if (provider) {
-                new CfnOutput(this, `ProvidedName`, {
-                    value: this._secret.secretName,
-                    exportName,
-                });
-            }
-            else {
-                new CfnOutput(this, `CreatedName`, {
-                    value: this._secret.secretName,
-                });
-            }
-        }
-    }
-    // IResource implementation
-    get stack() {
-        return Stack.of(this);
-    }
-    get env() {
-        return {
-            account: Stack.of(this).account,
-            region: Stack.of(this).region,
-        };
-    }
-    applyRemovalPolicy(policy) {
-        this._secret.applyRemovalPolicy(policy);
-    }
-    // ISecret implementation
-    get secretArn() {
-        return this._secret.secretArn;
-    }
-    get secretName() {
-        return this._secret.secretName;
-    }
-    get secretFullArn() {
-        return this._secret.secretFullArn;
-    }
-    get encryptionKey() {
-        return this._secret.encryptionKey;
-    }
-    get secretValue() {
-        return this._secret.secretValue;
-    }
-    secretValueFromJson(key) {
-        return this._secret.secretValueFromJson(key);
-    }
-    grantRead(grantee, versionStages) {
-        return this._secret.grantRead(grantee, versionStages);
-    }
-    grantWrite(grantee) {
-        return this._secret.grantWrite(grantee);
-    }
-    addRotationSchedule(id, options) {
-        return this._secret.addRotationSchedule(id, options);
-    }
-    addToResourcePolicy(statement) {
-        return this._secret.addToResourcePolicy(statement);
-    }
-    denyAccountRootDelete() {
-        this._secret.denyAccountRootDelete();
-    }
-    attach(target) {
-        return this._secret.attach(target);
-    }
-    get envKey() {
-        return this._envKey;
-    }
-}
-
-class JaypieDatadogSecret extends JaypieEnvSecret {
-    constructor(scope, id = "MongoConnectionString", props) {
-        const defaultProps = {
-            envKey: "DATADOG_API_KEY",
-            roleTag: CDK$2.ROLE.MONITORING,
-            vendorTag: CDK$2.VENDOR.DATADOG,
-            ...props,
-        };
-        super(scope, id, defaultProps);
-    }
-}
-
-class JaypieDnsRecord extends Construct {
-    constructor(scope, id, props) {
-        super(scope, id);
-        const { comment, recordName, type, values } = props;
-        const ttl = props.ttl || cdk.Duration.seconds(CDK$2.DNS.CONFIG.TTL);
-        // Resolve the hosted zone (supports both string and IHostedZone)
-        const zone = resolveHostedZone(scope, {
-            name: `${id}HostedZone`,
-            zone: props.zone,
-        });
-        // Common properties for all record types
-        const baseProps = {
-            comment,
-            recordName,
-            ttl,
-            zone,
-        };
-        // Create the appropriate record based on type
-        switch (type) {
-            case CDK$2.DNS.RECORD.A: {
-                if (!Array.isArray(values) || values.length === 0) {
-                    throw new ConfigurationError("A record requires at least one IP address");
-                }
-                this.record = new ARecord(this, "Record", {
-                    ...baseProps,
-                    target: RecordTarget.fromIpAddresses(...values),
-                });
-                break;
-            }
-            case CDK$2.DNS.RECORD.CNAME: {
-                if (!Array.isArray(values) || values.length === 0) {
-                    throw new ConfigurationError("CNAME record requires a domain name");
-                }
-                this.record = new CnameRecord(this, "Record", {
-                    ...baseProps,
-                    domainName: values[0],
-                });
-                break;
-            }
-            case CDK$2.DNS.RECORD.MX: {
-                if (!Array.isArray(values) || values.length === 0) {
-                    throw new ConfigurationError("MX record requires at least one mail server");
-                }
-                this.record = new MxRecord(this, "Record", {
-                    ...baseProps,
-                    values: values,
-                });
-                break;
-            }
-            case CDK$2.DNS.RECORD.NS: {
-                if (!Array.isArray(values) || values.length === 0) {
-                    throw new ConfigurationError("NS record requires at least one name server");
-                }
-                this.record = new NsRecord(this, "Record", {
-                    ...baseProps,
-                    values: values,
-                });
-                break;
-            }
-            case CDK$2.DNS.RECORD.TXT: {
-                if (!Array.isArray(values) || values.length === 0) {
-                    throw new ConfigurationError("TXT record requires at least one value");
-                }
-                this.record = new TxtRecord(this, "Record", {
-                    ...baseProps,
-                    values: values,
-                });
-                break;
-            }
-            default:
-                throw new ConfigurationError(`Unsupported DNS record type: ${type}. Supported types: A, CNAME, MX, NS, TXT`);
-        }
-        // Add standard tags to the DNS record
-        cdk.Tags.of(this.record).add(CDK$2.TAG.SERVICE, CDK$2.SERVICE.INFRASTRUCTURE);
-        cdk.Tags.of(this.record).add(CDK$2.TAG.ROLE, CDK$2.ROLE.NETWORKING);
-    }
-}
-
-class JaypieEventsRule extends Construct {
-    /**
-     * Create a new EventBridge rule that targets a Lambda function
-     */
-    constructor(scope, idOrSourceOrProps, propsOrUndefined) {
-        // Handle overloaded constructor signatures
-        let props;
-        let id;
-        if (typeof idOrSourceOrProps === "string") {
-            // Check if it looks like an AWS source (starts with "aws.")
-            if (idOrSourceOrProps.startsWith("aws.")) {
-                // First param is source, second is props
-                props = propsOrUndefined || {};
-                props.source = idOrSourceOrProps;
-                // Generate ID from source
-                const sourceName = idOrSourceOrProps
-                    .replace("aws.", "")
-                    .split(".")
-                    .map((part) => part.charAt(0).toUpperCase() + part.slice(1))
-                    .join("");
-                id = props.id || `${sourceName}EventsRule`;
-            }
-            else {
-                // First param is ID, second is props
-                props = propsOrUndefined || {};
-                id = idOrSourceOrProps;
-            }
-        }
-        else {
-            // First param is props
-            props = idOrSourceOrProps || {};
-            if (props.source) {
-                const sourceName = typeof props.source === "string"
-                    ? props.source
-                        .replace("aws.", "")
-                        .split(".")
-                        .map((part) => part.charAt(0).toUpperCase() + part.slice(1))
-                        .join("")
-                    : "Events";
-                id = props.id || `${sourceName}EventsRule`;
-            }
-            else {
-                id = props.id || "EventsRule";
-            }
-        }
-        super(scope, id);
-        // Extract Jaypie-specific options
-        const { id: _id, project, service = CDK$2.SERVICE.DATADOG, source, targetFunction, vendor = CDK$2.VENDOR.DATADOG, ...ruleProps } = props;
-        // Resolve target function
-        this.targetFunction =
-            targetFunction || resolveDatadogForwarderFunction(scope);
-        // Build event pattern if source is specified
-        const eventPattern = source
-            ? {
-                ...ruleProps.eventPattern,
-                source: Array.isArray(source) ? source : [source],
-            }
-            : ruleProps.eventPattern;
-        // Build rule props
-        const finalRuleProps = {
-            ...ruleProps,
-            eventPattern,
-            targets: [
-                new LambdaFunction(this.targetFunction, {
-                    event: RuleTargetInput.fromEventPath("$"),
-                }),
-            ],
-        };
-        // Create the rule
-        this.rule = new Rule(this, "Rule", finalRuleProps);
-        // Add tags
-        cdk.Tags.of(this.rule).add(CDK$2.TAG.ROLE, CDK$2.ROLE.MONITORING);
-        cdk.Tags.of(this.rule).add(CDK$2.TAG.SERVICE, service);
-        cdk.Tags.of(this.rule).add(CDK$2.TAG.VENDOR, vendor);
-        if (project) {
-            cdk.Tags.of(this.rule).add(CDK$2.TAG.PROJECT, project);
-        }
-    }
-}
-
-class JaypieGitHubDeployRole extends Construct {
-    constructor(scope, id = "GitHubDeployRole", props = {}) {
-        super(scope, id);
-        const { oidcProviderArn = Fn.importValue(CDK$2.IMPORT.OIDC_PROVIDER), output = true, repoRestriction: propsRepoRestriction, } = props;
-        // Extract account ID from the scope
-        const accountId = Stack.of(this).account;
-        // Resolve repoRestriction from props or environment variables
-        let repoRestriction = propsRepoRestriction;
-        if (!repoRestriction) {
-            const envRepo = process.env.CDK_ENV_REPO || process.env.PROJECT_REPO;
-            if (!envRepo) {
-                throw new ConfigurationError("No repoRestriction provided. Set repoRestriction prop, CDK_ENV_REPO, or PROJECT_REPO environment variable");
-            }
-            // Extract organization from owner/repo format and create org-wide restriction
-            const organization = envRepo.split("/")[0];
-            repoRestriction = `repo:${organization}/*:*`;
-        }
-        // Create the IAM role
-        this._role = new Role(this, "GitHubActionsRole", {
-            assumedBy: new FederatedPrincipal(oidcProviderArn, {
-                StringLike: {
-                    "token.actions.githubusercontent.com:sub": repoRestriction,
-                },
-            }, "sts:AssumeRoleWithWebIdentity"),
-            maxSessionDuration: Duration.hours(1),
-            path: "/",
-        });
-        Tags.of(this._role).add(CDK$2.TAG.ROLE, CDK$2.ROLE.DEPLOY);
-        // Allow the role to access the GitHub OIDC provider
-        this._role.addToPolicy(new PolicyStatement({
-            actions: ["sts:AssumeRoleWithWebIdentity"],
-            resources: [`arn:aws:iam::${accountId}:oidc-provider/*`],
-        }));
-        // Allow the role to deploy CDK apps
-        this._role.addToPolicy(new PolicyStatement({
-            actions: [
-                "cloudformation:CreateStack",
-                "cloudformation:DeleteStack",
-                "cloudformation:DescribeStackEvents",
-                "cloudformation:DescribeStackResource",
-                "cloudformation:DescribeStackResources",
-                "cloudformation:DescribeStacks",
-                "cloudformation:GetTemplate",
-                "cloudformation:SetStackPolicy",
-                "cloudformation:UpdateStack",
-                "cloudformation:ValidateTemplate",
-                "iam:PassRole",
-                "route53:ListHostedZones*",
-                "s3:GetObject",
-                "s3:ListBucket",
-            ],
-            effect: Effect.ALLOW,
-            resources: ["*"],
-        }));
-        this._role.addToPolicy(new PolicyStatement({
-            actions: ["iam:PassRole", "sts:AssumeRole"],
-            effect: Effect.ALLOW,
-            resources: [
-                "arn:aws:iam::*:role/cdk-hnb659fds-deploy-role-*",
-                "arn:aws:iam::*:role/cdk-hnb659fds-file-publishing-*",
-                "arn:aws:iam::*:role/cdk-readOnlyRole",
-            ],
-        }));
-        // Export the ARN of the role
-        if (output !== false) {
-            const outputId = typeof output === "string" ? output : "GitHubActionsRoleArn";
-            new CfnOutput(this, outputId, {
-                value: this._role.roleArn,
-            });
-        }
-    }
-    get role() {
-        return this._role;
-    }
-    get roleArn() {
-        return this._role.roleArn;
-    }
-    get roleName() {
-        return this._role.roleName;
-    }
-}
-
-class JaypieExpressLambda extends JaypieLambda {
-    constructor(scope, id, props) {
-        super(scope, id, {
-            timeout: Duration.seconds(CDK$2.DURATION.EXPRESS_API),
-            roleTag: CDK$2.ROLE.API,
-            ...props,
-        });
-    }
-}
-
-const SERVICE = {
-    ROUTE53: "route53.amazonaws.com",
-};
-/**
- * Check if a string is a valid hostname
- */
-function isValidHostname(str) {
-    // Check if it contains a dot and matches hostname pattern
-    if (!str.includes("."))
-        return false;
-    // Basic hostname validation: alphanumeric, hyphens, dots
-    // Each label must start and end with alphanumeric
-    const hostnameRegex = /^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$/i;
-    return hostnameRegex.test(str);
-}
-class JaypieHostedZone extends Construct {
-    /**
-     * Create a new hosted zone with query logging and optional DNS records
-     */
-    constructor(scope, idOrProps, propsOrRecords) {
-        // Handle overloaded constructor signatures
-        let props;
-        let id;
-        if (typeof idOrProps === "string") {
-            // If it's a valid hostname, treat it as zoneName
-            if (isValidHostname(idOrProps)) {
-                // Third param can be props object or records array
-                if (Array.isArray(propsOrRecords)) {
-                    props = { zoneName: idOrProps, records: propsOrRecords };
-                }
-                else {
-                    props = propsOrRecords || { zoneName: idOrProps };
-                    // Set zoneName if not already set
-                    if (!props.zoneName) {
-                        props = { ...props, zoneName: idOrProps };
-                    }
-                }
-                // Use id from props if provided, otherwise derive from zoneName
-                id = props.id || `${idOrProps}-HostedZone`;
-            }
-            else {
-                // Otherwise treat it as an explicit id
-                props = propsOrRecords;
-                id = idOrProps;
-            }
-        }
-        else {
-            // idOrProps is props
-            props = idOrProps;
-            id = props.id || `${props.zoneName}-HostedZone`;
-        }
-        super(scope, id);
-        const { zoneName, project } = props;
-        const destination = props.destination ?? true;
-        const service = props.service || CDK$2.SERVICE.INFRASTRUCTURE;
-        // Create the log group
-        this.logGroup = new LogGroup(this, "LogGroup", {
-            logGroupName: process.env.PROJECT_NONCE
-                ? `/aws/route53/${zoneName}-${process.env.PROJECT_NONCE}`
-                : `/aws/route53/${zoneName}`,
-            retention: RetentionDays.ONE_WEEK,
-        });
-        // Add tags
-        cdk.Tags.of(this.logGroup).add(CDK$2.TAG.SERVICE, service);
-        cdk.Tags.of(this.logGroup).add(CDK$2.TAG.ROLE, CDK$2.ROLE.NETWORKING);
-        if (project) {
-            cdk.Tags.of(this.logGroup).add(CDK$2.TAG.PROJECT, project);
-        }
-        // Grant Route 53 permissions to write to the log group
-        this.logGroup.grantWrite(new ServicePrincipal(SERVICE.ROUTE53));
-        // Add destination based on configuration
-        if (destination !== false) {
-            const lambdaDestination = destination === true
-                ? resolveDatadogLoggingDestination(scope)
-                : destination;
-            this.logGroup.addSubscriptionFilter("DatadogLambdaDestination", {
-                destination: lambdaDestination,
-                filterPattern: FilterPattern.allEvents(),
-            });
-        }
-        // Create the hosted zone
-        this.hostedZone = new HostedZone(this, "HostedZone", {
-            queryLogsLogGroupArn: this.logGroup.logGroupArn,
-            zoneName,
-        });
-        // Add tags
-        cdk.Tags.of(this.hostedZone).add(CDK$2.TAG.SERVICE, service);
-        cdk.Tags.of(this.hostedZone).add(CDK$2.TAG.ROLE, CDK$2.ROLE.NETWORKING);
-        if (project) {
-            cdk.Tags.of(this.hostedZone).add(CDK$2.TAG.PROJECT, project);
-        }
-        // Create DNS records if provided
-        this.dnsRecords = [];
-        if (props.records) {
-            props.records.forEach((recordConfig, index) => {
-                const { id, ...recordProps } = recordConfig;
-                // Generate a default ID if not provided
-                const recordId = id ||
-                    `${recordProps.type}${recordProps.recordName ? `-${recordProps.recordName}` : ""}-${index}`;
-                const dnsRecord = new JaypieDnsRecord(this, recordId, {
-                    ...recordProps,
-                    zone: this.hostedZone,
-                });
-                this.dnsRecords.push(dnsRecord);
-            });
-        }
-    }
-}
-
-const CDK = {
-    TAG: {
-        STACK_SHA: "stackSha",
-    },
-};
-class JaypieInfrastructureStack extends JaypieStack {
-    constructor(scope, id, props = {}) {
-        const { key = "infra", ...stackProps } = props;
-        // Handle stackName
-        if (!stackProps.stackName) {
-            stackProps.stackName = constructStackName(key);
-        }
-        super(scope, id, { key, ...stackProps });
-        // Add infrastructure-specific tag
-        if (process.env.CDK_ENV_INFRASTRUCTURE_STACK_SHA) {
-            Tags.of(this).add(CDK.TAG.STACK_SHA, process.env.CDK_ENV_INFRASTRUCTURE_STACK_SHA);
-        }
-    }
-}
-
-class JaypieMongoDbSecret extends JaypieEnvSecret {
-    constructor(scope, id = "MongoConnectionString", props) {
-        const defaultProps = {
-            envKey: "MONGODB_URI",
-            roleTag: CDK$2.ROLE.STORAGE,
-            vendorTag: CDK$2.VENDOR.MONGODB,
-            ...props,
-        };
-        super(scope, id, defaultProps);
-    }
-}
-
-class JaypieNextJs extends Construct {
-    constructor(scope, id, props) {
-        super(scope, id);
-        const domainName = props?.domainName || envHostname();
-        this.domainName = domainName;
-        const domainNameSanitized = domainName
-            .replace(/\./g, "-")
-            .replace(/[^a-zA-Z0-9]/g, "_");
-        const envSecrets = props?.envSecrets || {};
-        const nextjsPath = props?.nextjsPath?.startsWith("..")
-            ? path.join(process.cwd(), props.nextjsPath)
-            : props?.nextjsPath || path.join(process.cwd(), "..", "nextjs");
-        const paramsAndSecrets = resolveParamsAndSecrets();
-        const secrets = props?.secrets || [];
-        // Process secrets environment variables
-        const secretsEnvironment = Object.entries(envSecrets).reduce((acc, [key, secret]) => ({
-            ...acc,
-            [`SECRET_${key}`]: secret.secretName,
-        }), {});
-        // Process JaypieEnvSecret array
-        const jaypieSecretsEnvironment = secrets.reduce((acc, secret) => {
-            if (secret.envKey) {
-                return {
-                    ...acc,
-                    [`SECRET_${secret.envKey}`]: secret.secretName,
-                };
-            }
-            return acc;
-        }, {});
-        // Process NEXT_PUBLIC_ environment variables
-        const nextPublicEnv = Object.entries(process.env).reduce((acc, [key, value]) => {
-            if (key.startsWith("NEXT_PUBLIC_") && value) {
-                return {
-                    ...acc,
-                    [key]: value,
-                };
-            }
-            return acc;
-        }, {});
-        const nextjs = new Nextjs(this, "NextJsApp", {
-            nextjsPath,
-            domainProps: {
-                domainName,
-                hostedZone: resolveHostedZone(this, {
-                    zone: props?.hostedZone,
-                }),
-            },
-            environment: {
-                ...jaypieLambdaEnv(),
-                ...secretsEnvironment,
-                ...jaypieSecretsEnvironment,
-                ...nextPublicEnv,
-                NEXT_PUBLIC_SITE_URL: `https://${domainName}`,
-            },
-            overrides: {
-                nextjsDistribution: {
-                    imageCachePolicyProps: {
-                        cachePolicyName: `NextJsImageCachePolicy-${domainNameSanitized}`,
-                    },
-                    serverCachePolicyProps: {
-                        cachePolicyName: `NextJsServerCachePolicy-${domainNameSanitized}`,
-                    },
-                },
-                nextjsImage: {
-                    functionProps: {
-                        paramsAndSecrets,
-                    },
-                },
-                nextjsServer: {
-                    functionProps: {
-                        paramsAndSecrets,
-                    },
-                },
-            },
-        });
-        addDatadogLayers(nextjs.imageOptimizationFunction);
-        addDatadogLayers(nextjs.serverFunction.lambdaFunction);
-        // Grant secret read permissions
-        Object.values(envSecrets).forEach((secret) => {
-            secret.grantRead(nextjs.serverFunction.lambdaFunction);
-        });
-        // Grant read permissions for JaypieEnvSecrets
-        secrets.forEach((secret) => {
-            secret.grantRead(nextjs.serverFunction.lambdaFunction);
-        });
-    }
-}
-
-class JaypieOpenAiSecret extends JaypieEnvSecret {
-    constructor(scope, id = "OpenAiApiKey", props) {
-        const defaultProps = {
-            envKey: "OPENAI_API_KEY",
-            roleTag: CDK$2.ROLE.PROCESSING,
-            vendorTag: CDK$2.VENDOR.OPENAI,
-            ...props,
-        };
-        super(scope, id, defaultProps);
-    }
-}
-
-class JaypieOrganizationTrail extends Construct {
-    /**
-     * Create a new organization CloudTrail with S3 bucket and lifecycle policies
-     */
-    constructor(scope, idOrProps, propsOrUndefined) {
-        // Handle overloaded constructor signatures
-        let props;
-        let id;
-        if (typeof idOrProps === "string") {
-            // First param is ID, second is props
-            props = propsOrUndefined || {};
-            id = idOrProps;
-        }
-        else {
-            // First param is props
-            props = idOrProps || {};
-            const defaultName = process.env.PROJECT_NONCE
-                ? `organization-cloudtrail-${process.env.PROJECT_NONCE}`
-                : "organization-cloudtrail";
-            id = props.id || `${props.trailName || defaultName}-Trail`;
-        }
-        super(scope, id);
-        // Resolve options with defaults
-        const { bucketName = process.env.PROJECT_NONCE
-            ? `organization-cloudtrail-${process.env.PROJECT_NONCE}`
-            : "organization-cloudtrail", enableDatadogNotifications = true, enableFileValidation = false, expirationDays = 365, glacierTransitionDays = 180, infrequentAccessTransitionDays = 30, project, service = CDK$2.SERVICE.INFRASTRUCTURE, trailName = process.env.PROJECT_NONCE
-            ? `organization-cloudtrail-${process.env.PROJECT_NONCE}`
-            : "organization-cloudtrail", } = props;
-        // Create the S3 bucket for CloudTrail logs
-        this.bucket = new Bucket(this, "Bucket", {
-            accessControl: BucketAccessControl.LOG_DELIVERY_WRITE,
-            bucketName,
-            lifecycleRules: [
-                {
-                    expiration: cdk.Duration.days(expirationDays),
-                    transitions: [
-                        {
-                            storageClass: StorageClass.INFREQUENT_ACCESS,
-                            transitionAfter: cdk.Duration.days(infrequentAccessTransitionDays),
-                        },
-                        {
-                            storageClass: StorageClass.GLACIER,
-                            transitionAfter: cdk.Duration.days(glacierTransitionDays),
-                        },
-                    ],
-                },
-            ],
-        });
-        // Add CloudTrail bucket policies
-        this.bucket.addToResourcePolicy(new PolicyStatement({
-            actions: ["s3:GetBucketAcl"],
-            effect: Effect.ALLOW,
-            principals: [new ServicePrincipal("cloudtrail.amazonaws.com")],
-            resources: [this.bucket.bucketArn],
-        }));
-        this.bucket.addToResourcePolicy(new PolicyStatement({
-            actions: ["s3:PutObject"],
-            conditions: {
-                StringEquals: {
-                    "s3:x-amz-acl": "bucket-owner-full-control",
-                },
-            },
-            effect: Effect.ALLOW,
-            principals: [new ServicePrincipal("cloudtrail.amazonaws.com")],
-            resources: [`${this.bucket.bucketArn}/*`],
-        }));
-        // Add tags to bucket
-        cdk.Tags.of(this.bucket).add(CDK$2.TAG.SERVICE, service);
-        cdk.Tags.of(this.bucket).add(CDK$2.TAG.ROLE, CDK$2.ROLE.MONITORING);
-        if (project) {
-            cdk.Tags.of(this.bucket).add(CDK$2.TAG.PROJECT, project);
-        }
-        // Add Datadog notifications if enabled
-        if (enableDatadogNotifications) {
-            const datadogForwarderFunction = resolveDatadogForwarderFunction(scope);
-            this.bucket.addEventNotification(EventType.OBJECT_CREATED, new LambdaDestination(datadogForwarderFunction));
-        }
-        // Create the organization trail
-        this.trail = new Trail(this, "Trail", {
-            bucket: this.bucket,
-            enableFileValidation,
-            isOrganizationTrail: true,
-            managementEvents: ReadWriteType.ALL,
-            trailName,
-        });
-        // Add tags to trail
-        cdk.Tags.of(this.trail).add(CDK$2.TAG.SERVICE, service);
-        cdk.Tags.of(this.trail).add(CDK$2.TAG.ROLE, CDK$2.ROLE.MONITORING);
-        if (project) {
-            cdk.Tags.of(this.trail).add(CDK$2.TAG.PROJECT, project);
-        }
-    }
-}
-
-/**
- * JaypieSsoPermissions Construct
- *
- * Creates and manages AWS IAM Identity Center (SSO) permission sets and assignments
- *
- * @example
- * const permissionSets = new JaypieSsoPermissions(this, "PermissionSets", {
- *   iamIdentityCenterArn: "arn:aws:sso:::instance/...",
- *   administratorGroupId: "b4c8b438-4031-7000-782d-5046945fb956",
- *   analystGroupId: "2488f4e8-d061-708e-abe1-c315f0e30005",
- *   developerGroupId: "b438a4f8-e0e1-707c-c6e8-21841daf9ad1",
- *   administratorAccountAssignments: {
- *     "211125635435": ["Administrator", "Analyst", "Developer"],
- *     "381492033431": ["Administrator", "Analyst"],
- *   },
- *   analystAccountAssignments: {
- *     "211125635435": ["Analyst", "Developer"],
- *     "381492033431": [],
- *   },
- *   developerAccountAssignments: {
- *     "211125635435": ["Analyst", "Developer"],
- *     "381492033431": [],
- *   },
- * });
- */
-class JaypieSsoPermissions extends Construct {
-    constructor(scope, id, props) {
-        super(scope, id);
-        const { iamIdentityCenterArn: iamIdentityCenterArnProp, administratorGroupId, analystGroupId, developerGroupId, administratorAccountAssignments, analystAccountAssignments, developerAccountAssignments, } = props;
-        const iamIdentityCenterArn = iamIdentityCenterArnProp || process.env.CDK_ENV_IAM_IDENTITY_CENTER_ARN;
-        if (!iamIdentityCenterArn) {
-            // If no IAM Identity Center ARN provided, skip SSO setup
-            return;
-        }
-        //
-        // Permission Sets
-        //
-        this.administratorPermissionSet = new CfnPermissionSet(this, "AdministratorPermissionSet", {
-            // Required
-            instanceArn: iamIdentityCenterArn,
-            name: "Administrator",
-            // Optional
-            description: "Unrestricted access",
-            inlinePolicy: {
-                Version: "2012-10-17",
-                Statement: [
-                    {
-                        Effect: "Allow",
-                        Action: [
-                            "aws-portal:ViewUsage",
-                            "aws-portal:ViewBilling",
-                            "budgets:*",
-                            "cur:DescribeReportDefinitions",
-                            "cur:PutReportDefinition",
-                            "cur:DeleteReportDefinition",
-                            "cur:ModifyReportDefinition",
-                        ],
-                        Resource: "*",
-                    },
-                ],
-            },
-            managedPolicies: [
-                ManagedPolicy.fromAwsManagedPolicyName("AdministratorAccess")
-                    .managedPolicyArn,
-                ManagedPolicy.fromAwsManagedPolicyName("AWSManagementConsoleBasicUserAccess").managedPolicyArn,
-            ],
-            sessionDuration: Duration.hours(1).toIsoString(),
-            tags: [
-                {
-                    key: CDK$2.TAG.SERVICE,
-                    value: CDK$2.SERVICE.SSO,
-                },
-                {
-                    key: CDK$2.TAG.ROLE,
-                    value: CDK$2.ROLE.SECURITY,
-                },
-            ],
-        });
-        this.analystPermissionSet = new CfnPermissionSet(this, "AnalystPermissionSet", {
-            // Required
-            instanceArn: iamIdentityCenterArn,
-            name: "Analyst",
-            // Optional
-            description: "Read-only access; may expand to limited write access",
-            inlinePolicy: {
-                Version: "2012-10-17",
-                Statement: [
-                    {
-                        Effect: "Allow",
-                        Action: [
-                            "aws-portal:ViewUsage",
-                            "aws-portal:ViewBilling",
-                            "budgets:Describe*",
-                            "budgets:View*",
-                            "ce:Get*",
-                            "ce:List*",
-                            "cloudformation:Describe*",
-                            "cloudformation:Get*",
-                            "cloudformation:List*",
-                            "cloudwatch:BatchGet*",
-                            "cloudwatch:Get*",
-                            "cloudwatch:List*",
-                            "cost-optimization-hub:Get*",
-                            "cost-optimization-hub:List*",
-                            "ec2:Describe*",
-                            "ec2:Get*",
-                            "ec2:List*",
-                            "ec2:Search*",
-                            "iam:Get*",
-                            "iam:List*",
-                            "iam:PassRole",
-                            "lambda:Get*",
-                            "lambda:List*",
-                            "logs:Describe*",
-                            "logs:Get*",
-                            "logs:List*",
-                            "pipes:Describe*",
-                            "pipes:List*",
-                            "s3:Get*",
-                            "s3:List*",
-                            "secretsmanager:GetRandomPassword",
-                            "secretsmanager:GetResourcePolicy",
-                            "secretsmanager:List*",
-                            "securityhub:Describe*",
-                            "securityhub:Get*",
-                            "securityhub:List*",
-                            "servicecatalog:Describe*",
-                            "sns:Get*",
-                            "sns:List*",
-                            "sqs:Get*",
-                            "sqs:List*",
-                            "states:Describe*",
-                            "states:Get*",
-                            "states:List*",
-                            "tag:*",
-                            "uxc:*",
-                            "xray:*",
-                        ],
-                        Resource: "*",
-                    },
-                ],
-            },
-            managedPolicies: [
-                ManagedPolicy.fromAwsManagedPolicyName("AmazonQDeveloperAccess")
-                    .managedPolicyArn,
-                ManagedPolicy.fromAwsManagedPolicyName("AWSManagementConsoleBasicUserAccess").managedPolicyArn,
-                ManagedPolicy.fromAwsManagedPolicyName("ReadOnlyAccess")
-                    .managedPolicyArn,
-            ],
-            sessionDuration: Duration.hours(12).toIsoString(),
-            tags: [
-                {
-                    key: CDK$2.TAG.SERVICE,
-                    value: CDK$2.SERVICE.SSO,
-                },
-                {
-                    key: CDK$2.TAG.ROLE,
-                    value: CDK$2.ROLE.SECURITY,
-                },
-            ],
-        });
-        this.developerPermissionSet = new CfnPermissionSet(this, "DeveloperPermissionSet", {
-            // Required
-            instanceArn: iamIdentityCenterArn,
-            name: "Developer",
-            // Optional
-            description: "Administrative access with limited restrictions",
-            inlinePolicy: {
-                Version: "2012-10-17",
-                Statement: [
-                    {
-                        Effect: "Allow",
-                        Action: [
-                            "budgets:*",
-                            "ce:*",
-                            "cloudformation:*",
-                            "cloudwatch:*",
-                            "cost-optimization-hub:*",
-                            "ec2:*",
-                            "iam:Get*",
-                            "iam:List*",
-                            "iam:PassRole",
-                            "lambda:*",
-                            "logs:*",
-                            "pipes:*",
-                            "s3:*",
-                            "secretsmanager:*",
-                            "securityhub:*",
-                            "servicecatalog:*",
-                            "sns:*",
-                            "sqs:*",
-                            "states:*",
-                            "tag:*",
-                            "uxc:*",
-                            "xray:*",
-                        ],
-                        Resource: "*",
-                    },
-                ],
-            },
-            managedPolicies: [
-                ManagedPolicy.fromAwsManagedPolicyName("AmazonQDeveloperAccess")
-                    .managedPolicyArn,
-                ManagedPolicy.fromAwsManagedPolicyName("AWSManagementConsoleBasicUserAccess").managedPolicyArn,
-                ManagedPolicy.fromAwsManagedPolicyName("ReadOnlyAccess")
-                    .managedPolicyArn,
-                ManagedPolicy.fromAwsManagedPolicyName("job-function/SystemAdministrator").managedPolicyArn,
-            ],
-            sessionDuration: Duration.hours(4).toIsoString(),
-            tags: [
-                {
-                    key: CDK$2.TAG.SERVICE,
-                    value: CDK$2.SERVICE.SSO,
-                },
-                {
-                    key: CDK$2.TAG.ROLE,
-                    value: CDK$2.ROLE.SECURITY,
-                },
-            ],
-        });
-        // Map permission set names to their ARNs and labels
-        const permissionSetMap = {
-            Administrator: {
-                arn: this.administratorPermissionSet.attrPermissionSetArn,
-                label: "Administrator",
-            },
-            Analyst: {
-                arn: this.analystPermissionSet.attrPermissionSetArn,
-                label: "Analyst",
-            },
-            Developer: {
-                arn: this.developerPermissionSet.attrPermissionSetArn,
-                label: "Developer",
-            },
-        };
-        //
-        // Assignments
-        //
-        // Helper function to create assignments for a group
-        const createAssignments = (groupId, accountAssignments) => {
-            if (!groupId || !accountAssignments) {
-                return; // Skip if group ID or assignments not provided
-            }
-            Object.keys(accountAssignments).forEach((accountId) => {
-                const permissionSetNames = accountAssignments[accountId];
-                permissionSetNames.forEach((permissionSetName) => {
-                    const permissionSet = permissionSetMap[permissionSetName];
-                    if (!permissionSet) {
-                        throw new ConfigurationError(`Unknown permission set: ${permissionSetName}. Valid options: ${Object.keys(permissionSetMap).join(", ")}`);
-                    }
-                    const accountAssignment = new CfnAssignment(this, `AccountAssignment-${accountId}-${permissionSet.label}Role-${groupId}Group`, {
-                        // Required
-                        instanceArn: iamIdentityCenterArn,
-                        permissionSetArn: permissionSet.arn,
-                        principalId: groupId,
-                        principalType: CDK$2.PRINCIPAL_TYPE.GROUP,
-                        targetId: accountId,
-                        targetType: CDK$2.TARGET_TYPE.AWS_ACCOUNT,
-                    });
-                    Tags.of(accountAssignment).add(CDK$2.TAG.SERVICE, CDK$2.SERVICE.SSO);
-                    Tags.of(accountAssignment).add(CDK$2.TAG.ROLE, CDK$2.ROLE.SECURITY);
-                });
-            });
-        };
-        // Create assignments for each group
-        createAssignments(administratorGroupId, administratorAccountAssignments);
-        createAssignments(analystGroupId, analystAccountAssignments);
-        createAssignments(developerGroupId, developerAccountAssignments);
-    }
-}
-
-//
-//
-// Constants
-//
-const DEFAULT_APPLICATION_ID = "arn:aws:serverlessrepo:us-east-2:004480582608:applications/SSOSync";
-const DEFAULT_APPLICATION_VERSION = "2.3.3";
-const DEFAULT_GOOGLE_GROUP_MATCH = "name:AWS*";
-//
-//
-// Class
-//
-class JaypieSsoSyncApplication extends Construct {
-    constructor(scope, id = "SsoSyncApplication", props = {}) {
-        super(scope, id);
-        const { googleAdminEmail, googleAdminEmailEnvKey = "CDK_ENV_SSOSYNC_GOOGLE_ADMIN_EMAIL", googleCredentials, googleCredentialsEnvKey = "CDK_ENV_SSOSYNC_GOOGLE_CREDENTIALS", googleGroupMatch, googleGroupMatchEnvKey = "CDK_ENV_SSOSYNC_GOOGLE_GROUP_MATCH", identityStoreId, identityStoreIdEnvKey = "CDK_ENV_SSOSYNC_IDENTITY_STORE_ID", scimEndpointAccessToken, scimEndpointAccessTokenEnvKey = "CDK_ENV_SCIM_ENDPOINT_ACCESS_TOKEN", scimEndpointUrl, scimEndpointUrlEnvKey = "CDK_ENV_SSOSYNC_SCIM_ENDPOINT_URL", semanticVersion, semanticVersionEnvKey = "CDK_ENV_SSOSYNC_SEMANTIC_VERSION", ssoSyncApplicationId = DEFAULT_APPLICATION_ID, tags, } = props;
-        // Resolve all values from props or environment variables
-        const resolvedGoogleAdminEmail = googleAdminEmail || process.env[googleAdminEmailEnvKey];
-        const resolvedGoogleCredentials = googleCredentials || process.env[googleCredentialsEnvKey];
-        const resolvedGoogleGroupMatch = googleGroupMatch ||
-            process.env[googleGroupMatchEnvKey] ||
-            DEFAULT_GOOGLE_GROUP_MATCH;
-        const resolvedIdentityStoreId = identityStoreId || process.env[identityStoreIdEnvKey];
-        const resolvedScimEndpointAccessToken = scimEndpointAccessToken || process.env[scimEndpointAccessTokenEnvKey];
-        const resolvedScimEndpointUrl = scimEndpointUrl || process.env[scimEndpointUrlEnvKey];
-        const resolvedSemanticVersion = semanticVersion ||
-            process.env[semanticVersionEnvKey] ||
-            DEFAULT_APPLICATION_VERSION;
-        // Validate required parameters
-        const missingParams = [];
-        if (!resolvedGoogleAdminEmail) {
-            missingParams.push(`googleAdminEmail or ${googleAdminEmailEnvKey} environment variable`);
-        }
-        if (!resolvedGoogleCredentials) {
-            missingParams.push(`googleCredentials or ${googleCredentialsEnvKey} environment variable`);
-        }
-        if (!resolvedIdentityStoreId) {
-            missingParams.push(`identityStoreId or ${identityStoreIdEnvKey} environment variable`);
-        }
-        if (!resolvedScimEndpointAccessToken) {
-            missingParams.push(`scimEndpointAccessToken or ${scimEndpointAccessTokenEnvKey} environment variable`);
-        }
-        if (!resolvedScimEndpointUrl) {
-            missingParams.push(`scimEndpointUrl or ${scimEndpointUrlEnvKey} environment variable`);
-        }
-        if (missingParams.length > 0) {
-            throw new ConfigurationError(`JaypieSsoSyncApplication missing required configuration: ${missingParams.join(", ")}`);
-        }
-        // Create the SSO Sync Application
-        // Type assertion is safe because we validated all required values above
-        this._application = new CfnApplication(this, "Application", {
-            location: {
-                applicationId: ssoSyncApplicationId,
-                semanticVersion: resolvedSemanticVersion,
-            },
-            parameters: {
-                GoogleAdminEmail: resolvedGoogleAdminEmail,
-                GoogleCredentials: resolvedGoogleCredentials,
-                GoogleGroupMatch: resolvedGoogleGroupMatch,
-                IdentityStoreID: resolvedIdentityStoreId,
-                Region: Stack.of(this).region,
-                SCIMEndpointAccessToken: resolvedScimEndpointAccessToken,
-                SCIMEndpointUrl: resolvedScimEndpointUrl,
-            },
-        });
-        // Add tags
-        const defaultTags = {
-            [CDK$2.TAG.ROLE]: CDK$2.ROLE.SECURITY,
-        };
-        const allTags = { ...defaultTags, ...tags };
-        Object.entries(allTags).forEach(([key, value]) => {
-            Tags.of(this._application).add(key, value);
-        });
-    }
-    get application() {
-        return this._application;
-    }
-}
-
-class JaypieWebDeploymentBucket extends Construct {
-    constructor(scope, id, props = {}) {
-        super(scope, id);
-        const roleTag = props.roleTag || CDK$2.ROLE.HOSTING;
-        // Environment variable validation
-        if (process.env.CDK_ENV_WEB_SUBDOMAIN &&
-            !isValidSubdomain(process.env.CDK_ENV_WEB_SUBDOMAIN)) {
-            throw new ConfigurationError("CDK_ENV_WEB_SUBDOMAIN is not a valid subdomain");
-        }
-        if (process.env.CDK_ENV_WEB_HOSTED_ZONE &&
-            !isValidHostname$1(process.env.CDK_ENV_WEB_HOSTED_ZONE)) {
-            throw new ConfigurationError("CDK_ENV_WEB_HOSTED_ZONE is not a valid hostname");
-        }
-        if (process.env.CDK_ENV_HOSTED_ZONE &&
-            !isValidHostname$1(process.env.CDK_ENV_HOSTED_ZONE)) {
-            throw new ConfigurationError("CDK_ENV_HOSTED_ZONE is not a valid hostname");
-        }
-        // Determine host from props or environment
-        let host = props.host;
-        if (!host) {
-            try {
-                host =
-                    process.env.CDK_ENV_WEB_HOST ||
-                        mergeDomain(process.env.CDK_ENV_WEB_SUBDOMAIN || "", process.env.CDK_ENV_WEB_HOSTED_ZONE ||
-                            process.env.CDK_ENV_HOSTED_ZONE ||
-                            "");
-            }
-            catch {
-                host = undefined;
-            }
-        }
-        if (host && !isValidHostname$1(host)) {
-            throw new ConfigurationError("Host is not a valid hostname");
-        }
-        // Determine zone from props or environment
-        const zone = props.zone ||
-            process.env.CDK_ENV_WEB_HOSTED_ZONE ||
-            process.env.CDK_ENV_HOSTED_ZONE;
-        // Create the S3 bucket
-        this.bucket = new s3.Bucket(this, "DestinationBucket", {
-            accessControl: s3.BucketAccessControl.BUCKET_OWNER_FULL_CONTROL,
-            autoDeleteObjects: true,
-            blockPublicAccess: s3.BlockPublicAccess.BLOCK_ACLS_ONLY,
-            bucketName: props.name || constructEnvName("web"),
-            publicReadAccess: true,
-            removalPolicy: RemovalPolicy.DESTROY,
-            versioned: false,
-            websiteErrorDocument: "index.html",
-            websiteIndexDocument: "index.html",
-            ...props,
-        });
-        // Delegate IBucket properties to the bucket
-        this.bucketArn = this.bucket.bucketArn;
-        this.bucketDomainName = this.bucket.bucketDomainName;
-        this.bucketDualStackDomainName = this.bucket.bucketDualStackDomainName;
-        this.bucketName = this.bucket.bucketName;
-        this.bucketRegionalDomainName = this.bucket.bucketRegionalDomainName;
-        this.bucketWebsiteDomainName = this.bucket.bucketWebsiteDomainName;
-        this.bucketWebsiteUrl = this.bucket.bucketWebsiteUrl;
-        this.encryptionKey = this.bucket.encryptionKey;
-        this.isWebsite = this.bucket.isWebsite;
-        this.notificationsHandlerRole = undefined;
-        this.policy = this.bucket.policy;
-        Tags.of(this.bucket).add(CDK$2.TAG.ROLE, roleTag);
-        // Create deployment role if repository is configured
-        let repo;
-        if (process.env.CDK_ENV_REPO) {
-            repo = `repo:${process.env.CDK_ENV_REPO}:*`;
-        }
-        if (repo) {
-            const bucketDeployRole = new Role(this, "DestinationBucketDeployRole", {
-                assumedBy: new FederatedPrincipal(Fn.importValue(CDK$2.IMPORT.OIDC_PROVIDER), {
-                    StringLike: {
-                        "token.actions.githubusercontent.com:sub": repo,
-                    },
-                }, "sts:AssumeRoleWithWebIdentity"),
-                maxSessionDuration: Duration.hours(1),
-            });
-            Tags.of(bucketDeployRole).add(CDK$2.TAG.ROLE, CDK$2.ROLE.DEPLOY);
-            // Allow the role to write to the bucket
-            bucketDeployRole.addToPolicy(new PolicyStatement({
-                effect: Effect.ALLOW,
-                actions: [
-                    "s3:DeleteObject",
-                    "s3:GetObject",
-                    "s3:ListObjectsV2",
-                    "s3:PutObject",
-                ],
-                resources: [`${this.bucket.bucketArn}/*`],
-            }));
-            bucketDeployRole.addToPolicy(new PolicyStatement({
-                effect: Effect.ALLOW,
-                actions: ["s3:ListBucket"],
-                resources: [this.bucket.bucketArn],
-            }));
-            // Allow the role to describe the current stack
-            const stack = Stack.of(this);
-            bucketDeployRole.addToPolicy(new PolicyStatement({
-                actions: ["cloudformation:DescribeStacks"],
-                effect: Effect.ALLOW,
-                resources: [
-                    `arn:aws:cloudformation:${stack.region}:${stack.account}:stack/${stack.stackName}/*`,
-                ],
-            }));
-            this.deployRoleArn = bucketDeployRole.roleArn;
-            // Output the deploy role ARN
-            new CfnOutput(this, "DestinationBucketDeployRoleArn", {
-                value: bucketDeployRole.roleArn,
-            });
-        }
-        // Create CloudFront distribution and certificate if host and zone are provided
-        if (host && zone) {
-            let hostedZone;
-            if (typeof zone === "string") {
-                hostedZone = route53.HostedZone.fromLookup(this, "HostedZone", {
-                    domainName: zone,
-                });
-            }
-            else if (zone instanceof JaypieHostedZone) {
-                hostedZone = zone.hostedZone;
-            }
-            else {
-                hostedZone = zone;
-            }
-            // Create certificate if not provided
-            if (props.certificate !== false) {
-                this.certificate =
-                    typeof props.certificate === "object"
-                        ? props.certificate
-                        : new acm.Certificate(this, "Certificate", {
-                            domainName: host,
-                            validation: acm.CertificateValidation.fromDns(hostedZone),
-                        });
-                new CfnOutput(this, "CertificateArn", {
-                    value: this.certificate.certificateArn,
-                });
-                Tags.of(this.certificate).add(CDK$2.TAG.ROLE, roleTag);
-            }
-            // Create CloudFront distribution
-            this.distribution = new cloudfront.Distribution(this, "Distribution", {
-                defaultBehavior: {
-                    cachePolicy: cloudfront.CachePolicy.CACHING_DISABLED,
-                    origin: new origins.S3StaticWebsiteOrigin(this.bucket),
-                    viewerProtocolPolicy: cloudfront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
-                },
-                certificate: this.certificate,
-                domainNames: [host],
-            });
-            Tags.of(this.distribution).add(CDK$2.TAG.ROLE, roleTag);
-            // If this is production, enable caching on everything but index.html
-            if (isProductionEnv()) {
-                this.distribution.addBehavior("/*", new origins.S3StaticWebsiteOrigin(this.bucket), {
-                    viewerProtocolPolicy: cloudfront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
-                    cachePolicy: cloudfront.CachePolicy.CACHING_OPTIMIZED,
-                });
-            }
-            // Create DNS record
-            const record = new route53.ARecord(this, "AliasRecord", {
-                recordName: host,
-                target: route53.RecordTarget.fromAlias(new route53Targets.CloudFrontTarget(this.distribution)),
-                zone: hostedZone,
-            });
-            Tags.of(record).add(CDK$2.TAG.ROLE, CDK$2.ROLE.NETWORKING);
-            this.distributionDomainName = this.distribution.distributionDomainName;
-        }
-    }
-    // Implement remaining IBucket methods by delegating to the bucket
-    addEventNotification(event, dest, ...filters) {
-        this.bucket.addEventNotification(event, dest, ...filters);
-    }
-    addObjectCreatedNotification(dest, ...filters) {
-        this.bucket.addObjectCreatedNotification(dest, ...filters);
-    }
-    addObjectRemovedNotification(dest, ...filters) {
-        this.bucket.addObjectRemovedNotification(dest, ...filters);
-    }
-    addToResourcePolicy(permission) {
-        return this.bucket.addToResourcePolicy(permission);
-    }
-    arnForObjects(keyPattern) {
-        return this.bucket.arnForObjects(keyPattern);
-    }
-    grantDelete(identity, objectsKeyPattern) {
-        return this.bucket.grantDelete(identity, objectsKeyPattern);
-    }
-    grantPublicAccess(allowedActions, keyPrefix) {
-        return keyPrefix
-            ? this.bucket.grantPublicAccess(allowedActions, keyPrefix)
-            : this.bucket.grantPublicAccess(allowedActions);
-    }
-    grantPut(identity, objectsKeyPattern) {
-        return this.bucket.grantPut(identity, objectsKeyPattern);
-    }
-    grantPutAcl(identity, objectsKeyPattern) {
-        return this.bucket.grantPutAcl(identity, objectsKeyPattern);
-    }
-    grantRead(identity, objectsKeyPattern) {
-        return this.bucket.grantRead(identity, objectsKeyPattern);
-    }
-    grantReadWrite(identity, objectsKeyPattern) {
-        return this.bucket.grantReadWrite(identity, objectsKeyPattern);
-    }
-    grantWrite(identity, objectsKeyPattern) {
-        return this.bucket.grantWrite(identity, objectsKeyPattern);
-    }
-    grantReplicationPermission(identity, props) {
-        return this.bucket.grantReplicationPermission(identity, props);
-    }
-    s3UrlForObject(key) {
-        return this.bucket.s3UrlForObject(key);
-    }
-    urlForObject(key) {
-        return this.bucket.urlForObject(key);
-    }
-    virtualHostedUrlForObject(key, options) {
-        return this.bucket.virtualHostedUrlForObject(key, options);
-    }
-    transferAccelerationUrlForObject(key) {
-        return this.bucket.transferAccelerationUrlForObject(key);
-    }
-    onCloudTrailEvent(id, options) {
-        return this.bucket.onCloudTrailEvent(id, options);
-    }
-    onCloudTrailPutObject(id, options) {
-        return this.bucket.onCloudTrailPutObject(id, options);
-    }
-    onCloudTrailWriteObject(id, options) {
-        return this.bucket.onCloudTrailWriteObject(id, options);
-    }
-    addCorsRule(rule) {
-        this.bucket.addCorsRule(rule);
-    }
-    addInventory(inventory) {
-        this.bucket.addInventory(inventory);
-    }
-    addLifecycleRule(rule) {
-        this.bucket.addLifecycleRule(rule);
-    }
-    addMetric(metric) {
-        this.bucket.addMetric(metric);
-    }
-    enableEventBridgeNotification() {
-        this.bucket.enableEventBridgeNotification();
-    }
-    addReplicationPolicy(policy) {
-        this.bucket.addReplicationPolicy(policy);
-    }
-    get stack() {
-        return this.bucket.stack;
-    }
-    get env() {
-        return this.bucket.env;
-    }
-    applyRemovalPolicy(policy) {
-        this.bucket.applyRemovalPolicy(policy);
-    }
-    get bucketRef() {
-        return {
-            bucketArn: this.bucket.bucketArn,
-            bucketName: this.bucket.bucketName,
-        };
-    }
-}
-
-class JaypieStaticWebBucket extends JaypieWebDeploymentBucket {
-    constructor(scope, id, props = {}) {
-        // Handle overloaded signatures: (scope), (scope, props), (scope, id, props)
-        let resolvedId;
-        let resolvedProps;
-        if (typeof id === "string") {
-            resolvedId = id;
-            resolvedProps = props;
-        }
-        else if (typeof id === "object") {
-            resolvedId = "JaypieStaticWebBucket";
-            resolvedProps = id;
-        }
-        else {
-            resolvedId = "JaypieStaticWebBucket";
-            resolvedProps = props;
-        }
-        const host = resolvedProps.host ?? envHostname({ subdomain: "static" });
-        const name = resolvedProps.name ?? constructEnvName("static");
-        const roleTag = resolvedProps.roleTag ?? CDK$2.ROLE.HOSTING;
-        // Only use default zone if zone is not explicitly provided (including undefined)
-        const zone = "zone" in resolvedProps
-            ? resolvedProps.zone
-            : process.env.CDK_ENV_DOMAIN || process.env.CDK_ENV_HOSTED_ZONE;
-        super(scope, resolvedId, {
-            ...resolvedProps,
-            host,
-            name,
-            roleTag,
-            zone,
-        });
-    }
-}
-
-class JaypieTraceSigningKeySecret extends JaypieEnvSecret {
-    constructor(scope, id = "TraceSigningKey", props) {
-        const defaultProps = {
-            envKey: "TRACE_SIGNING_KEY",
-            roleTag: CDK$2.ROLE.API,
-            vendorTag: CDK$2.VENDOR.KNOWTRACE,
-            ...props,
-        };
-        super(scope, id, defaultProps);
-    }
-}
-
-export { CDK$2 as CDK, JaypieAccountLoggingBucket, JaypieApiGateway, JaypieAppStack, JaypieBucketQueuedLambda, JaypieDatadogBucket, JaypieDatadogForwarder, JaypieDatadogSecret, JaypieDistribution, JaypieDnsRecord, JaypieEnvSecret, JaypieEventsRule, JaypieExpressLambda, JaypieGitHubDeployRole, JaypieHostedZone, JaypieInfrastructureStack, JaypieLambda, JaypieMongoDbSecret, JaypieNextJs, JaypieOpenAiSecret, JaypieOrganizationTrail, JaypieQueuedLambda, JaypieSsoPermissions, JaypieSsoSyncApplication, JaypieStack, JaypieStaticWebBucket, JaypieTraceSigningKeySecret, JaypieWebDeploymentBucket, addDatadogLayers, constructEnvName, constructStackName, constructTagger, envHostname, extendDatadogRole, isEnv, isProductionEnv, isSandboxEnv, isValidHostname$1 as isValidHostname, isValidSubdomain, jaypieLambdaEnv, mergeDomain, resolveDatadogForwarderFunction, resolveDatadogLayers, resolveDatadogLoggingDestination, resolveHostedZone, resolveParamsAndSecrets };
-//# sourceMappingURL=index.js.map