@jaypie/constructs 1.1.65 → 1.1.66

package/dist/esm/index.js

@@ -0,0 +1,3423 @@
+import * as cdk from 'aws-cdk-lib';
+import { Tags, Stack, Fn, CfnOutput, SecretValue, Duration, RemovalPolicy, CfnStack } from 'aws-cdk-lib';
+import * as s3 from 'aws-cdk-lib/aws-s3';
+import { Bucket, StorageClass, BucketAccessControl, EventType } from 'aws-cdk-lib/aws-s3';
+import { Construct } from 'constructs';
+import * as acm from 'aws-cdk-lib/aws-certificatemanager';
+import * as apiGateway from 'aws-cdk-lib/aws-apigateway';
+import * as route53 from 'aws-cdk-lib/aws-route53';
+import { TxtRecord, NsRecord, MxRecord, CnameRecord, ARecord, RecordTarget, HostedZone } from 'aws-cdk-lib/aws-route53';
+import * as route53Targets from 'aws-cdk-lib/aws-route53-targets';
+import * as secretsmanager from 'aws-cdk-lib/aws-secretsmanager';
+import { DatadogLambda } from 'datadog-cdk-constructs-v2';
+import { ConfigurationError } from '@jaypie/errors';
+import { Role, PolicyStatement, Policy, FederatedPrincipal, Effect, ServicePrincipal, ManagedPolicy } from 'aws-cdk-lib/aws-iam';
+import * as lambda from 'aws-cdk-lib/aws-lambda';
+import * as logDestinations from 'aws-cdk-lib/aws-logs-destinations';
+import * as s3n from 'aws-cdk-lib/aws-s3-notifications';
+import { LambdaDestination } from 'aws-cdk-lib/aws-s3-notifications';
+import * as sqs from 'aws-cdk-lib/aws-sqs';
+import * as lambdaEventSources from 'aws-cdk-lib/aws-lambda-event-sources';
+import * as logs from 'aws-cdk-lib/aws-logs';
+import { LogGroup, RetentionDays, FilterPattern } from 'aws-cdk-lib/aws-logs';
+import { Rule, RuleTargetInput } from 'aws-cdk-lib/aws-events';
+import { LambdaFunction } from 'aws-cdk-lib/aws-events-targets';
+import * as cloudfront from 'aws-cdk-lib/aws-cloudfront';
+import * as origins from 'aws-cdk-lib/aws-cloudfront-origins';
+import { Nextjs } from 'cdk-nextjs-standalone';
+import * as path from 'path';
+import { Trail, ReadWriteType } from 'aws-cdk-lib/aws-cloudtrail';
+import { CfnPermissionSet, CfnAssignment } from 'aws-cdk-lib/aws-sso';
+import { CfnApplication } from 'aws-cdk-lib/aws-sam';
+
+const CDK$2 = {
+    ACCOUNT: {
+        DEVELOPMENT: "development",
+        MANAGEMENT: "management",
+        OPERATIONS: "operations",
+        PRODUCTION: "production",
+        SANDBOX: "sandbox",
+        SECURITY: "security",
+        STAGE: "stage",
+    },
+    BUILD: {
+        CONFIG: {
+            ALL: "all",
+            API: "api",
+            INFRASTRUCTURE: "infrastructure",
+            NONE: "none",
+            WEB: "web",
+        },
+        PERSONAL: "personal",
+        /**
+         * @deprecated rename "ephemeral" to "personal" (since 2/24/2025)
+         */
+        EPHEMERAL: "ephemeral",
+        /**
+         * @deprecated as even "ephemeral" builds have static assets (since 7/6/2024)
+         */
+        STATIC: "static",
+    },
+    CREATION: {
+        CDK: "cdk",
+        CLOUDFORMATION_TEMPLATE: "template",
+        MANUAL: "manual",
+    },
+    DATADOG: {
+        SITE: "datadoghq.com",
+        LAYER: {
+            // https://docs.datadoghq.com/serverless/aws_lambda/installation/nodejs/?tab=awscdk
+            NODE: 127, // 127 on 9/12/2025
+            EXTENSION: 86, // 86 on 9/12/2025
+        },
+    },
+    DEFAULT: {
+        REGION: "us-east-1",
+    },
+    DNS: {
+        CONFIG: {
+            TTL: 300, // 5 minutes in seconds for Route53
+        },
+        RECORD: {
+            A: "A",
+            CNAME: "CNAME",
+            MX: "MX",
+            NS: "NS",
+            TXT: "TXT",
+        },
+    },
+    DURATION: {
+        EXPRESS_API: 30,
+        LAMBDA_MAXIMUM: 900,
+        LAMBDA_WORKER: 900,
+    },
+    ENV: {
+        DEMO: "demo", // Mirror of production
+        DEVELOPMENT: "development", // Internal most stable development space
+        /** @deprecated */ EPHEMERAL: "ephemeral", // Alias for "build"
+        LOCAL: "local",
+        /** @deprecated */ MAIN: "main", // Alias for development
+        META: "meta", // For non-environment/infrastructure stacks
+        PERSONAL: "personal", // Personal builds using resources provided by sandbox
+        PREVIEW: "preview", // External next thing to be released
+        PRODUCTION: "production",
+        RELEASE: "release", // Internal next thing to be released
+        REVIEW: "review", // Internal place to collaborate on issues
+        SANDBOX: "sandbox", // Internal build space with no guaranteed longevity
+        TRAINING: "training", // aka "test"; mirror of production for external audiences
+    },
+    HOST: {
+        APEX: "@",
+    },
+    IMPORT: {
+        DATADOG_LOG_FORWARDER: "account-datadog-forwarder",
+        DATADOG_ROLE: "account-datadog-role",
+        DATADOG_SECRET: "account-datadog-secret",
+        LOG_BUCKET: "account-log-bucket",
+        OIDC_PROVIDER: "github-oidc-provider",
+    },
+    LAMBDA: {
+        LOG_RETENTION: 90,
+        MEMORY_SIZE: 1024,
+    },
+    PRINCIPAL: {
+        ROUTE53: "route53.amazonaws.com",
+    },
+    PRINCIPAL_TYPE: {
+        GROUP: "GROUP",
+        USER: "USER",
+    },
+    PROJECT: {
+        INFRASTRUCTURE: "infrastructure",
+    },
+    ROLE: {
+        API: "api",
+        DEPLOY: "deploy",
+        HOSTING: "hosting",
+        MONITORING: "monitoring",
+        NETWORKING: "networking",
+        PROCESSING: "processing",
+        SECURITY: "security",
+        STACK: "stack",
+        STORAGE: "storage",
+        TOY: "toy",
+    },
+    SERVICE: {
+        DATADOG: "datadog",
+        INFRASTRUCTURE: "infrastructure",
+        LIBRARIES: "libraries",
+        NONE: "none",
+        SSO: "sso",
+        TRACE: "trace",
+    },
+    TAG: {
+        BUILD_DATE: "buildDate",
+        BUILD_HEX: "buildHex",
+        BUILD_NUMBER: "buildNumber",
+        BUILD_TIME: "buildTime",
+        BUILD_TYPE: "buildType",
+        COMMIT: "commit",
+        CREATION: "creation",
+        ENV: "env",
+        NONCE: "nonce",
+        PROJECT: "project",
+        ROLE: "role",
+        SERVICE: "service",
+        SPONSOR: "sponsor",
+        STACK: "stack",
+        STACK_SHA: "stackSha",
+        VENDOR: "vendor",
+        VERSION: "version",
+    },
+    TARGET_TYPE: {
+        AWS_ACCOUNT: "AWS_ACCOUNT",
+    },
+    VENDOR: {
+        ANTHROPIC: "anthropic",
+        AUTH0: "auth0",
+        DATADOG: "datadog",
+        KNOWTRACE: "knowtrace",
+        MONGODB: "mongodb",
+        OPENAI: "openai",
+        SPLINTERLANDS: "splinterlands",
+    },
+};
+
+class JaypieAccountLoggingBucket extends Construct {
+    /**
+     * Create a new account-wide logging S3 bucket with lifecycle policies and export
+     */
+    constructor(scope, idOrProps, propsOrUndefined) {
+        // Handle overloaded constructor signatures
+        let props;
+        let id;
+        if (typeof idOrProps === "string") {
+            // First param is ID, second is props
+            props = propsOrUndefined || {};
+            id = idOrProps;
+        }
+        else {
+            // First param is props
+            props = idOrProps || {};
+            id = props.id || "AccountLoggingBucket";
+        }
+        super(scope, id);
+        // Generate default bucket name with PROJECT_NONCE
+        const defaultBucketName = process.env.PROJECT_NONCE
+            ? `account-logging-stack-${process.env.PROJECT_NONCE.toLowerCase()}`
+            : "account-logging-stack";
+        // Extract Jaypie-specific options
+        // eslint-disable-next-line @typescript-eslint/no-unused-vars
+        const { bucketName = defaultBucketName, createOutput = true, expirationDays = 365, exportName = CDK$2.IMPORT.LOG_BUCKET, glacierTransitionDays = 180, id: _id, infrequentAccessTransitionDays = 30, outputDescription = "Account-wide logging bucket", project, service = CDK$2.SERVICE.INFRASTRUCTURE, ...bucketProps } = props;
+        // Create the bucket with lifecycle rules
+        this.bucket = new Bucket(this, "Bucket", {
+            accessControl: BucketAccessControl.LOG_DELIVERY_WRITE,
+            bucketName,
+            lifecycleRules: [
+                {
+                    expiration: cdk.Duration.days(expirationDays),
+                    transitions: [
+                        {
+                            storageClass: StorageClass.INFREQUENT_ACCESS,
+                            transitionAfter: cdk.Duration.days(infrequentAccessTransitionDays),
+                        },
+                        {
+                            storageClass: StorageClass.GLACIER,
+                            transitionAfter: cdk.Duration.days(glacierTransitionDays),
+                        },
+                    ],
+                },
+            ],
+            ...bucketProps,
+        });
+        // Add tags
+        cdk.Tags.of(this.bucket).add(CDK$2.TAG.ROLE, CDK$2.ROLE.MONITORING);
+        if (service) {
+            cdk.Tags.of(this.bucket).add(CDK$2.TAG.SERVICE, service);
+        }
+        if (project) {
+            cdk.Tags.of(this.bucket).add(CDK$2.TAG.PROJECT, project);
+        }
+        // Create CloudFormation output if enabled
+        if (createOutput) {
+            new cdk.CfnOutput(this, "BucketNameOutput", {
+                description: outputDescription,
+                exportName,
+                value: this.bucket.bucketName,
+            });
+        }
+    }
+}
+
+function addDatadogLayers(lambdaFunction, options = {}) {
+    const datadogApiKeyArn = options?.datadogApiKeyArn;
+    const resolvedDatadogApiKeyArn = datadogApiKeyArn ||
+        process.env.DATADOG_API_KEY_ARN ||
+        process.env.CDK_ENV_DATADOG_API_KEY_ARN;
+    if (!resolvedDatadogApiKeyArn) {
+        return false;
+    }
+    // Define Datadog environment variables
+    const datadogEnvVars = {
+        DD_API_KEY_SECRET_ARN: resolvedDatadogApiKeyArn,
+        DD_ENHANCED_METRICS: "true",
+        DD_ENV: process.env.PROJECT_ENV || "",
+        DD_PROFILING_ENABLED: "false",
+        DD_SERVERLESS_APPSEC_ENABLED: "false",
+        DD_SERVICE: process.env.PROJECT_SERVICE || "",
+        DD_SITE: CDK$2.DATADOG.SITE,
+        DD_TAGS: `${CDK$2.TAG.SPONSOR}:${process.env.PROJECT_SPONSOR || ""}`,
+        DD_TRACE_OTEL_ENABLED: "false",
+    };
+    // Add environment variables only if they don't already exist
+    Object.entries(datadogEnvVars).forEach(([key, value]) => {
+        lambdaFunction.addEnvironment(key, value);
+    });
+    const datadogApiKeySecret = secretsmanager.Secret.fromSecretCompleteArn(lambdaFunction, "DatadogApiKey", resolvedDatadogApiKeyArn);
+    const datadogLambda = new DatadogLambda(lambdaFunction, "DatadogLambda", {
+        apiKeySecret: datadogApiKeySecret, // apiKeySecret auto-grants secret access to the added lambdas
+        nodeLayerVersion: CDK$2.DATADOG.LAYER.NODE,
+        extensionLayerVersion: CDK$2.DATADOG.LAYER.EXTENSION,
+        env: process.env.PROJECT_ENV,
+        service: process.env.PROJECT_SERVICE,
+        version: process.env.PROJECT_VERSION,
+    });
+    datadogLambda.addLambdaFunctions([lambdaFunction]);
+    return true;
+}
+
+function constructEnvName(name, opts) {
+    const env = opts?.env ?? process.env.PROJECT_ENV ?? "build";
+    const key = opts?.key ?? process.env.PROJECT_KEY ?? "project";
+    const nonce = opts?.nonce ?? process.env.PROJECT_NONCE ?? "cfe2"; // This default is intentionally short. It is not a special value but should not be changed.
+    return `${env}-${key}-${name}-${nonce}`;
+}
+
+function constructStackName(key) {
+    if (!key) {
+        return `cdk-${process.env.PROJECT_SPONSOR}-${process.env.PROJECT_KEY}-${process.env.PROJECT_ENV}-${process.env.PROJECT_NONCE}`;
+    }
+    else {
+        return `cdk-${process.env.PROJECT_SPONSOR}-${process.env.PROJECT_KEY}-${process.env.PROJECT_ENV}-${process.env.PROJECT_NONCE}-${key}`;
+    }
+}
+
+const CDK$1 = {
+    CREATION: {
+        CDK: "cdk",
+    },
+    ROLE: {
+        STACK: "stack",
+    },
+    TAG: {
+        BUILD_DATE: "buildDate",
+        BUILD_HEX: "buildHex",
+        BUILD_TIME: "buildTime",
+        COMMIT: "commit",
+        CREATION: "creation",
+        ENV: "env",
+        NONCE: "nonce",
+        PROJECT: "project",
+        ROLE: "role",
+        SERVICE: "service",
+        SPONSOR: "sponsor",
+        STACK: "stack",
+        VERSION: "version",
+    },
+};
+function constructTagger(construct, { name } = {}) {
+    const stackName = name || constructStackName();
+    const version = process.env.npm_package_version || process.env.PROJECT_VERSION || null;
+    if (process.env.PROJECT_COMMIT && process.env.PROJECT_COMMIT.length > 8) {
+        Tags.of(construct).add(CDK$1.TAG.BUILD_HEX, process.env.PROJECT_COMMIT.slice(0, 8));
+    }
+    Tags.of(construct).add(CDK$1.TAG.BUILD_DATE, new Date().toISOString());
+    Tags.of(construct).add(CDK$1.TAG.BUILD_TIME, Date.now().toString());
+    if (process.env.PROJECT_COMMIT)
+        Tags.of(construct).add(CDK$1.TAG.COMMIT, process.env.PROJECT_COMMIT);
+    Tags.of(construct).add(CDK$1.TAG.CREATION, CDK$1.CREATION.CDK);
+    if (process.env.PROJECT_ENV)
+        Tags.of(construct).add(CDK$1.TAG.ENV, process.env.PROJECT_ENV);
+    if (process.env.PROJECT_NONCE)
+        Tags.of(construct).add(CDK$1.TAG.NONCE, process.env.PROJECT_NONCE);
+    if (process.env.PROJECT_KEY)
+        Tags.of(construct).add(CDK$1.TAG.PROJECT, process.env.PROJECT_KEY);
+    Tags.of(construct).add(CDK$1.TAG.ROLE, CDK$1.ROLE.STACK);
+    if (process.env.PROJECT_SERVICE)
+        Tags.of(construct).add(CDK$1.TAG.SERVICE, process.env.PROJECT_SERVICE);
+    if (process.env.PROJECT_SPONSOR)
+        Tags.of(construct).add(CDK$1.TAG.SPONSOR, process.env.PROJECT_SPONSOR);
+    if (stackName)
+        Tags.of(construct).add(CDK$1.TAG.STACK, stackName);
+    if (version)
+        Tags.of(construct).add(CDK$1.TAG.VERSION, version);
+    return true;
+}
+
+function envHostname({ component, domain, env, subdomain, } = {}) {
+    const resolvedDomain = domain || process.env.CDK_ENV_DOMAIN || process.env.CDK_ENV_HOSTED_ZONE;
+    if (!resolvedDomain) {
+        throw new ConfigurationError("No hostname `domain` provided. Set CDK_ENV_DOMAIN or CDK_ENV_HOSTED_ZONE to use environment domain");
+    }
+    const resolvedComponent = component === "@" || component === "" ? undefined : component;
+    const resolvedSubdomain = subdomain || process.env.CDK_ENV_SUBDOMAIN;
+    const resolvedEnv = env || process.env.PROJECT_ENV;
+    const filteredEnv = resolvedEnv === CDK$2.ENV.PRODUCTION ? undefined : resolvedEnv;
+    const parts = [
+        resolvedComponent,
+        resolvedSubdomain,
+        filteredEnv,
+        resolvedDomain,
+    ].filter((part) => part);
+    return parts.join(".");
+}
+
+/**
+ * Extends the Datadog IAM role with additional permissions
+ *
+ * Checks for CDK_ENV_DATADOG_ROLE_ARN environment variable.
+ * If found, creates a custom policy with:
+ * - budgets:ViewBudget
+ * - logs:DescribeLogGroups
+ *
+ * @param scope - The construct scope
+ * @param options - Configuration options
+ * @returns The created Policy, or undefined if CDK_ENV_DATADOG_ROLE_ARN is not set
+ */
+function extendDatadogRole(scope, options) {
+    const datadogRoleArn = process.env.CDK_ENV_DATADOG_ROLE_ARN;
+    // Early return if no Datadog role ARN is configured
+    if (!datadogRoleArn) {
+        return undefined;
+    }
+    const { id = "DatadogCustomPolicy", project, service = CDK$2.SERVICE.DATADOG, } = options || {};
+    // Lookup the Datadog role
+    const datadogRole = Role.fromRoleArn(scope, "DatadogRole", datadogRoleArn);
+    // Build policy statements
+    const statements = [
+        // Allow view budget
+        new PolicyStatement({
+            actions: ["budgets:ViewBudget"],
+            resources: ["*"],
+        }),
+        // Allow describe log groups
+        new PolicyStatement({
+            actions: ["logs:DescribeLogGroups"],
+            resources: ["*"],
+        }),
+    ];
+    // Create the custom policy
+    const datadogCustomPolicy = new Policy(scope, id, {
+        roles: [datadogRole],
+        statements,
+    });
+    // Add tags
+    cdk.Tags.of(datadogCustomPolicy).add(CDK$2.TAG.SERVICE, service);
+    cdk.Tags.of(datadogCustomPolicy).add(CDK$2.TAG.ROLE, CDK$2.ROLE.MONITORING);
+    cdk.Tags.of(datadogCustomPolicy).add(CDK$2.TAG.VENDOR, CDK$2.VENDOR.DATADOG);
+    if (project) {
+        cdk.Tags.of(datadogCustomPolicy).add(CDK$2.TAG.PROJECT, project);
+    }
+    return datadogCustomPolicy;
+}
+
+/**
+ * Check if the current environment matches the given environment
+ */
+function isEnv(env) {
+    return process.env.PROJECT_ENV === env;
+}
+/**
+ * Check if the current environment is production
+ */
+function isProductionEnv() {
+    return isEnv(CDK$2.ENV.PRODUCTION);
+}
+/**
+ * Check if the current environment is sandbox
+ */
+function isSandboxEnv() {
+    return isEnv(CDK$2.ENV.SANDBOX);
+}
+
+// In short the RFC 1035 standard for valid hostnames is:
+// 1. Must be less than 253 characters
+// 2. Must start with a letter
+// 3. Must end with a letter or number
+// 4. Can only contain letters, numbers, and hyphens
+// 5. Last part of the domain must be at least 2 characters
+function validPart$1(part) {
+    if (!part.match(/^[a-z]/))
+        return false;
+    if (!part.match(/[a-z0-9]$/))
+        return false;
+    return /^[a-zA-Z0-9-]+$/.test(part);
+}
+function isValidHostname$1(hostname) {
+    // Check hostname is a string
+    if (typeof hostname !== "string")
+        return false;
+    // Convert hostname to lowercase
+    const check = hostname.toString().toLowerCase();
+    // Check hostname is less than 253 characters
+    if (check.length > 253)
+        return false;
+    // Split on dots
+    const parts = check.split(".");
+    // Check each part is validPart
+    const validParts = parts.map(validPart$1);
+    // Confirm all parts are valid
+    if (!validParts.every((part) => part))
+        return false;
+    // Confirm last part is at least 2 characters
+    const lastPart = parts[parts.length - 1];
+    if (lastPart.length < 2)
+        return false;
+    // Confirm last part is all letters
+    if (!lastPart.match(/^[a-z]+$/))
+        return false;
+    // This is a valid hostname
+    return true;
+}
+
+function validPart(part) {
+    if (!part.match(/^[a-z]/))
+        return false;
+    if (!part.match(/[a-z0-9]$/))
+        return false;
+    return /^[a-zA-Z0-9-]+$/.test(part);
+}
+function isValidSubdomain(subdomain) {
+    // Check subdomain is a string
+    if (typeof subdomain !== "string")
+        return false;
+    // Special case for apex
+    if (subdomain === CDK$2.HOST.APEX)
+        return true;
+    // Convert subdomain to lowercase
+    const check = subdomain.toString().toLowerCase();
+    // Check subdomain is less than 250 characters
+    // We use 250 instead of 253 because we need to leave room for the dot top-level domain
+    if (check.length > 250)
+        return false;
+    // Split on dots
+    const parts = check.split(".");
+    // Check each part is validPart
+    const validParts = parts.map(validPart);
+    // Confirm all parts are valid
+    if (!validParts.every((part) => part))
+        return false;
+    // Do not care if last part is at least 2 characters
+    // Do not care if last part is all letters
+    // This is a valid subdomain
+    return true;
+}
+
+function jaypieLambdaEnv(options = {}) {
+    const { initialEnvironment = {} } = options;
+    // Start with empty environment - we'll only add valid values
+    let environment = {};
+    // First, add all valid string values from initialEnvironment
+    Object.entries(initialEnvironment).forEach(([key, value]) => {
+        if (typeof value === "string") {
+            environment[key] = value;
+        }
+    });
+    // Default environment values
+    const defaultEnvValues = {
+        AWS_LAMBDA_NODEJS_DISABLE_CALLBACK_WARNING: "true",
+    };
+    // Apply default environment values with user overrides
+    Object.entries(defaultEnvValues).forEach(([key, defaultValue]) => {
+        if (key in initialEnvironment) {
+            const userValue = initialEnvironment[key];
+            // If user passes a string, it's already added above
+            // If user passes non-string falsy value, omit the key
+            if (!userValue) {
+                delete environment[key];
+            }
+            // Ignore non-string truthy values (key not added)
+        }
+        else {
+            // No user override, use default value
+            environment[key] = defaultValue;
+        }
+    });
+    // Default environment variables from process.env if present
+    const defaultEnvVars = [
+        "DATADOG_API_KEY_ARN",
+        "LOG_LEVEL",
+        "MODULE_LOGGER",
+        "MODULE_LOG_LEVEL",
+        "PROJECT_CHAOS",
+        "PROJECT_COMMIT",
+        "PROJECT_ENV",
+        "PROJECT_KEY",
+        "PROJECT_SECRET",
+        "PROJECT_SERVICE",
+        "PROJECT_SPONSOR",
+        "PROJECT_VERSION",
+    ];
+    // Add default environment variables if they exist in process.env
+    defaultEnvVars.forEach((envVar) => {
+        if (process.env[envVar] && !environment[envVar]) {
+            environment[envVar] = process.env[envVar];
+        }
+    });
+    return environment;
+}
+
+function mergeDomain(subDomain, hostedZone) {
+    if (!hostedZone) {
+        throw new ConfigurationError("hostedZone is required");
+    }
+    if (!subDomain) {
+        // Return hostedZone if subDomain is not passed
+        // Pass CDK.HOST.APEX to explicitly indicate apex domain
+        return hostedZone;
+    }
+    if (subDomain === CDK$2.HOST.APEX) {
+        return hostedZone;
+    }
+    return `${subDomain}.${hostedZone}`;
+}
+
+const DEFAULT_FUNCTION_NAME$1 = "DatadogForwarderFunction";
+// Cache to store resolved functions
+// Using nested structure to support multiple functions per scope with automatic GC
+const functionCache = new WeakMap();
+function resolveDatadogForwarderFunction(scope, options) {
+    const { import: importValue, name } = options || {};
+    const functionName = name || DEFAULT_FUNCTION_NAME$1;
+    const importKey = importValue || CDK$2.IMPORT.DATADOG_LOG_FORWARDER;
+    // Create a cache key based on name and import
+    const cacheKey = `${functionName}:${importKey}`;
+    // Get or create scope cache
+    let scopeCache = functionCache.get(scope);
+    if (!scopeCache) {
+        scopeCache = new Map();
+        functionCache.set(scope, scopeCache);
+    }
+    // Return cached function if it exists
+    const cachedFunction = scopeCache.get(cacheKey);
+    if (cachedFunction) {
+        return cachedFunction;
+    }
+    // Create and cache the function
+    const func = lambda.Function.fromFunctionArn(scope, functionName, cdk.Fn.importValue(importKey));
+    scopeCache.set(cacheKey, func);
+    return func;
+}
+
+function resolveDatadogLayers(scope, options = {}) {
+    const { datadogApiKeyArn, uniqueId } = options;
+    let resolvedRegion = Stack.of(scope).region || "us-east-1";
+    // Resolve the Datadog API key ARN from multiple sources
+    const resolvedDatadogApiKeyArn = datadogApiKeyArn ||
+        process.env.DATADOG_API_KEY_ARN ||
+        process.env.CDK_ENV_DATADOG_API_KEY_ARN;
+    // Return null if no API key is found
+    if (!resolvedDatadogApiKeyArn) {
+        return undefined;
+    }
+    const layerIdSuffix = uniqueId || process.env.PROJECT_NONCE || Date.now().toString();
+    // Create Datadog Node.js layer
+    const datadogNodeLayer = lambda.LayerVersion.fromLayerVersionArn(scope, `DatadogNodeLayer-${layerIdSuffix}`, `arn:aws:lambda:${resolvedRegion}:464622532012:layer:Datadog-Node20-x:${CDK$2.DATADOG.LAYER.NODE}`);
+    // Create Datadog Extension layer
+    const datadogExtensionLayer = lambda.LayerVersion.fromLayerVersionArn(scope, `DatadogExtensionLayer-${layerIdSuffix}`, `arn:aws:lambda:${resolvedRegion}:464622532012:layer:Datadog-Extension:${CDK$2.DATADOG.LAYER.EXTENSION}`);
+    return [datadogNodeLayer, datadogExtensionLayer];
+}
+
+const DEFAULT_FUNCTION_NAME = "DatadogForwarderFunction";
+// Cache to store resolved logging destinations
+// Using nested structure to support multiple destinations per scope with automatic GC
+const destinationCache = new WeakMap();
+function resolveDatadogLoggingDestination(scope, options) {
+    const { import: importValue, name } = options || {};
+    // Create a cache key based on name and import (same as forwarder function)
+    const functionName = name || DEFAULT_FUNCTION_NAME;
+    const importKey = importValue || CDK$2.IMPORT.DATADOG_LOG_FORWARDER;
+    const cacheKey = `${functionName}:${importKey}`;
+    // Get or create scope cache
+    let scopeCache = destinationCache.get(scope);
+    if (!scopeCache) {
+        scopeCache = new Map();
+        destinationCache.set(scope, scopeCache);
+    }
+    // Return cached destination if it exists
+    const cachedDestination = scopeCache.get(cacheKey);
+    if (cachedDestination) {
+        return cachedDestination;
+    }
+    // Resolve the Datadog forwarder function
+    const datadogForwarderFunction = resolveDatadogForwarderFunction(scope, options);
+    // Create and cache the logging destination
+    const datadogLoggingDestination = new logDestinations.LambdaDestination(datadogForwarderFunction);
+    scopeCache.set(cacheKey, datadogLoggingDestination);
+    return datadogLoggingDestination;
+}
+
+/**
+ * Resolves environment input to a plain object.
+ *
+ * When environment is an object (legacy syntax), returns it as-is.
+ * When environment is an array:
+ *   - Strings are treated as keys to lookup in process.env
+ *   - Objects have their key-value pairs merged in
+ *
+ * @example
+ * // Legacy object syntax
+ * resolveEnvironment({ FOO: "bar" })
+ * // => { FOO: "bar" }
+ *
+ * @example
+ * // Array syntax with process.env lookup
+ * // Given process.env.MY_VAR = "hello"
+ * resolveEnvironment(["MY_VAR"])
+ * // => { MY_VAR: "hello" }
+ *
+ * @example
+ * // Array syntax with objects
+ * resolveEnvironment([{ FOO: "bar", BAZ: "qux" }])
+ * // => { FOO: "bar", BAZ: "qux" }
+ *
+ * @example
+ * // Mixed array syntax
+ * // Given process.env.MY_VAR = "hello"
+ * resolveEnvironment(["MY_VAR", { FOO: "bar" }])
+ * // => { MY_VAR: "hello", FOO: "bar" }
+ */
+function resolveEnvironment(environment, env = process.env) {
+    if (!environment) {
+        return {};
+    }
+    // Legacy object syntax - return as-is
+    if (!Array.isArray(environment)) {
+        return environment;
+    }
+    // Array syntax - process each item
+    return environment.reduce((acc, item) => {
+        if (typeof item === "string") {
+            // String: lookup in process.env
+            const value = env[item];
+            if (value !== undefined) {
+                return {
+                    ...acc,
+                    [item]: value,
+                };
+            }
+            // Skip if not found in process.env
+            return acc;
+        }
+        // Object: merge key-value pairs
+        return {
+            ...acc,
+            ...item,
+        };
+    }, {});
+}
+
+function resolveHostedZone(scope, { name = "HostedZone", zone = process.env.CDK_ENV_HOSTED_ZONE, } = {}) {
+    if (!zone) {
+        throw new ConfigurationError("No `zone` provided. Set CDK_ENV_HOSTED_ZONE to use environment zone");
+    }
+    if (typeof zone === "string") {
+        return route53.HostedZone.fromLookup(scope, name, {
+            domainName: zone,
+        });
+    }
+    return zone;
+}
+
+const resolveParamsAndSecrets = ({ paramsAndSecrets, options, } = {}) => {
+    if (paramsAndSecrets === false) {
+        return;
+    }
+    let resolvedParamsAndSecrets;
+    if (paramsAndSecrets instanceof lambda.ParamsAndSecretsLayerVersion) {
+        resolvedParamsAndSecrets = paramsAndSecrets;
+    }
+    else {
+        const resolvedOptions = options || {};
+        resolvedParamsAndSecrets = lambda.ParamsAndSecretsLayerVersion.fromVersion(lambda.ParamsAndSecretsVersions.V1_0_103, {
+            cacheSize: resolvedOptions.cacheSize,
+            logLevel: resolvedOptions.logLevel || lambda.ParamsAndSecretsLogLevel.WARN,
+            parameterStoreTtl: resolvedOptions.parameterStoreTtl,
+            secretsManagerTtl: resolvedOptions.secretsManagerTtl,
+        });
+    }
+    return resolvedParamsAndSecrets;
+};
+
+// It is a consumer if the environment is ephemeral
+function checkEnvIsConsumer(env = process.env) {
+    return (env.PROJECT_ENV === CDK$2.ENV.PERSONAL ||
+        !!env.CDK_ENV_PERSONAL ||
+        /** @deprecated */ env.PROJECT_ENV === "ephemeral" ||
+        /** @deprecated */ !!env.CDK_ENV_EPHEMERAL);
+}
+function checkEnvIsProvider(env = process.env) {
+    return env.PROJECT_ENV === CDK$2.ENV.SANDBOX;
+}
+function cleanName(name) {
+    return name.replace(/[^a-zA-Z0-9:-]/g, "");
+}
+function exportEnvName(name, env = process.env) {
+    let rawName;
+    if (checkEnvIsProvider(env)) {
+        rawName = `env-${env.PROJECT_ENV}-${env.PROJECT_KEY}-${name}`;
+        // Clean the entire name to only allow alphanumeric, colons, and hyphens
+        return cleanName(rawName);
+    }
+    else {
+        if (checkEnvIsConsumer(env)) {
+            rawName = `env-${CDK$2.ENV.SANDBOX}-${env.PROJECT_KEY}-${name}`;
+        }
+        else {
+            rawName = `env-${env.PROJECT_ENV}-${env.PROJECT_KEY}-${name}`;
+        }
+    }
+    return cleanName(rawName);
+}
+class JaypieEnvSecret extends Construct {
+    constructor(scope, idOrEnvKey, props) {
+        // Check if idOrEnvKey should be treated as envKey:
+        // - No props provided OR props.envKey is not set
+        // - AND idOrEnvKey exists as a non-empty string in process.env
+        const treatAsEnvKey = (!props || props.envKey === undefined) &&
+            typeof process.env[idOrEnvKey] === "string" &&
+            process.env[idOrEnvKey] !== "";
+        const id = treatAsEnvKey ? `EnvSecret_${idOrEnvKey}` : idOrEnvKey;
+        super(scope, id);
+        const { consumer = checkEnvIsConsumer(), envKey: envKeyProp, export: exportParam, generateSecretString, provider = checkEnvIsProvider(), roleTag, vendorTag, value, } = props || {};
+        const envKey = treatAsEnvKey ? idOrEnvKey : envKeyProp;
+        this._envKey = envKey;
+        let exportName;
+        if (!exportParam) {
+            exportName = exportEnvName(id);
+        }
+        else {
+            exportName = cleanName(exportParam);
+        }
+        if (consumer) {
+            const secretName = Fn.importValue(exportName);
+            this._secret = secretsmanager.Secret.fromSecretNameV2(this, id, secretName);
+            // Add CfnOutput for consumer secrets
+            new CfnOutput(this, `ConsumedName`, {
+                value: this._secret.secretName,
+            });
+        }
+        else {
+            const secretValue = envKey && process.env[envKey] ? process.env[envKey] : value;
+            const secretProps = {
+                generateSecretString,
+                secretStringValue: !generateSecretString && secretValue
+                    ? SecretValue.unsafePlainText(secretValue)
+                    : undefined,
+            };
+            this._secret = new secretsmanager.Secret(this, id, secretProps);
+            if (roleTag) {
+                Tags.of(this._secret).add(CDK$2.TAG.ROLE, roleTag);
+            }
+            if (vendorTag) {
+                Tags.of(this._secret).add(CDK$2.TAG.VENDOR, vendorTag);
+            }
+            if (provider) {
+                new CfnOutput(this, `ProvidedName`, {
+                    value: this._secret.secretName,
+                    exportName,
+                });
+            }
+            else {
+                new CfnOutput(this, `CreatedName`, {
+                    value: this._secret.secretName,
+                });
+            }
+        }
+    }
+    // IResource implementation
+    get stack() {
+        return Stack.of(this);
+    }
+    get env() {
+        return {
+            account: Stack.of(this).account,
+            region: Stack.of(this).region,
+        };
+    }
+    applyRemovalPolicy(policy) {
+        this._secret.applyRemovalPolicy(policy);
+    }
+    // ISecret implementation
+    get secretArn() {
+        return this._secret.secretArn;
+    }
+    get secretName() {
+        return this._secret.secretName;
+    }
+    get secretFullArn() {
+        return this._secret.secretFullArn;
+    }
+    get encryptionKey() {
+        return this._secret.encryptionKey;
+    }
+    get secretValue() {
+        return this._secret.secretValue;
+    }
+    secretValueFromJson(key) {
+        return this._secret.secretValueFromJson(key);
+    }
+    grantRead(grantee, versionStages) {
+        return this._secret.grantRead(grantee, versionStages);
+    }
+    grantWrite(grantee) {
+        return this._secret.grantWrite(grantee);
+    }
+    addRotationSchedule(id, options) {
+        return this._secret.addRotationSchedule(id, options);
+    }
+    addToResourcePolicy(statement) {
+        return this._secret.addToResourcePolicy(statement);
+    }
+    denyAccountRootDelete() {
+        this._secret.denyAccountRootDelete();
+    }
+    attach(target) {
+        return this._secret.attach(target);
+    }
+    cfnDynamicReferenceKey(options) {
+        return this._secret.cfnDynamicReferenceKey(options);
+    }
+    get envKey() {
+        return this._envKey;
+    }
+}
+
+/**
+ * Cache for secrets by scope to avoid creating duplicates.
+ * Uses WeakMap to allow garbage collection when scopes are no longer referenced.
+ */
+const secretsByScope = new WeakMap();
+/**
+ * Gets or creates the secrets cache for a given scope.
+ */
+function getSecretsCache(scope) {
+    let cache = secretsByScope.get(scope);
+    if (!cache) {
+        cache = new Map();
+        secretsByScope.set(scope, cache);
+    }
+    return cache;
+}
+/**
+ * Gets an existing secret from the cache or creates a new one.
+ * This ensures that multiple constructs within the same scope share secrets.
+ */
+function getOrCreateSecret(scope, envKey, props) {
+    const cache = getSecretsCache(scope);
+    const existingSecret = cache.get(envKey);
+    if (existingSecret) {
+        return existingSecret;
+    }
+    // Create new secret - JaypieEnvSecret's smart constructor handles envKey detection
+    const secret = new JaypieEnvSecret(scope, envKey, {
+        ...props,
+        envKey,
+    });
+    cache.set(envKey, secret);
+    return secret;
+}
+/**
+ * Resolves secrets input to an array of JaypieEnvSecret instances.
+ *
+ * When an item is already a JaypieEnvSecret, it's passed through as-is.
+ * When an item is a string, a JaypieEnvSecret is created (or reused from cache)
+ * with the string as the envKey.
+ *
+ * Secrets are cached per scope to avoid creating duplicate secrets when
+ * multiple constructs in the same scope reference the same secret.
+ *
+ * @example
+ * // JaypieEnvSecret instances pass through
+ * const secret = new JaypieEnvSecret(scope, "MySecret", { envKey: "MY_KEY" });
+ * resolveSecrets(scope, [secret])
+ * // => [secret]
+ *
+ * @example
+ * // Strings create JaypieEnvSecret instances
+ * resolveSecrets(scope, ["AUTH0_SECRET", "MONGODB_URI"])
+ * // => [JaypieEnvSecret(envKey: "AUTH0_SECRET"), JaypieEnvSecret(envKey: "MONGODB_URI")]
+ *
+ * @example
+ * // Mixed input
+ * const existingSecret = new JaypieEnvSecret(scope, "Existing", { envKey: "EXISTING" });
+ * resolveSecrets(scope, [existingSecret, "NEW_SECRET"])
+ * // => [existingSecret, JaypieEnvSecret(envKey: "NEW_SECRET")]
+ *
+ * @example
+ * // Secrets are shared across calls with the same scope
+ * const secrets1 = resolveSecrets(scope, ["SHARED_SECRET"]);
+ * const secrets2 = resolveSecrets(scope, ["SHARED_SECRET"]);
+ * // secrets1[0] === secrets2[0] (same instance)
+ */
+function resolveSecrets(scope, secrets) {
+    if (!secrets || secrets.length === 0) {
+        return [];
+    }
+    return secrets.map((item) => {
+        if (typeof item === "string") {
+            return getOrCreateSecret(scope, item);
+        }
+        // Already a JaypieEnvSecret instance
+        return item;
+    });
+}
+/**
+ * Clears the secrets cache for a given scope.
+ * Primarily useful for testing.
+ */
+function clearSecretsCache(scope) {
+    secretsByScope.delete(scope);
+}
+/**
+ * Clears all secrets caches.
+ * Primarily useful for testing.
+ */
+function clearAllSecretsCaches() {
+    // WeakMap doesn't have a clear() method, so we create a new one
+    // This relies on the module being reloaded or the function being called
+    // between test runs. For testing, use clearSecretsCache(scope) instead.
+}
+
+class JaypieApiGateway extends Construct {
+    constructor(scope, id, props) {
+        super(scope, id);
+        const { certificate = true, handler, host: propsHost, name, roleTag = CDK$2.ROLE.API, zone: propsZone, } = props;
+        // Determine zone from props or environment
+        let zone = propsZone;
+        if (!zone && process.env.CDK_ENV_API_HOSTED_ZONE) {
+            zone = process.env.CDK_ENV_API_HOSTED_ZONE;
+        }
+        // Determine host from props or environment
+        let host = propsHost;
+        if (!host) {
+            if (process.env.CDK_ENV_API_HOST_NAME) {
+                host = process.env.CDK_ENV_API_HOST_NAME;
+            }
+            else if (process.env.CDK_ENV_API_SUBDOMAIN &&
+                process.env.CDK_ENV_API_HOSTED_ZONE) {
+                host = mergeDomain(process.env.CDK_ENV_API_SUBDOMAIN, process.env.CDK_ENV_API_HOSTED_ZONE);
+            }
+        }
+        const apiGatewayName = name || constructEnvName("ApiGateway");
+        const certificateName = constructEnvName("Certificate");
+        const apiDomainName = constructEnvName("ApiDomainName");
+        let hostedZone;
+        let certificateToUse;
+        if (host && zone) {
+            hostedZone = resolveHostedZone(this, { zone });
+            if (certificate === true) {
+                certificateToUse = new acm.Certificate(this, certificateName, {
+                    domainName: host,
+                    validation: acm.CertificateValidation.fromDns(hostedZone),
+                });
+                Tags.of(certificateToUse).add(CDK$2.TAG.ROLE, CDK$2.ROLE.HOSTING);
+            }
+            else if (typeof certificate === "object") {
+                certificateToUse = certificate;
+            }
+            this._certificate = certificateToUse;
+            this._host = host;
+        }
+        const { 
+        // * `...lambdaRestApiProps` cannot be moved to the first const destructuring because it needs to exclude the custom properties first.
+        // Ignore the variables we already assigned to other properties
+        /* eslint-disable @typescript-eslint/no-unused-vars */
+        certificate: _certificate, host: _host, name: _name, roleTag: _roleTag, zone: _zone, handler: _handler, 
+        /* eslint-enable @typescript-eslint/no-unused-vars */
+        ...lambdaRestApiProps } = props;
+        this._api = new apiGateway.LambdaRestApi(this, apiGatewayName, {
+            handler,
+            ...lambdaRestApiProps,
+        });
+        Tags.of(this._api).add(CDK$2.TAG.ROLE, roleTag);
+        if (host && certificateToUse && hostedZone) {
+            this._domainName = this._api.addDomainName(apiDomainName, {
+                domainName: host,
+                certificate: certificateToUse,
+            });
+            Tags.of(this._domainName).add(CDK$2.TAG.ROLE, roleTag);
+            const record = new route53.ARecord(this, "AliasRecord", {
+                recordName: host,
+                target: route53.RecordTarget.fromAlias(new route53Targets.ApiGatewayDomain(this._domainName)),
+                zone: hostedZone,
+            });
+            Tags.of(record).add(CDK$2.TAG.ROLE, CDK$2.ROLE.NETWORKING);
+        }
+    }
+    get api() {
+        return this._api;
+    }
+    get url() {
+        return this._api.url;
+    }
+    get certificateArn() {
+        return this._certificate?.certificateArn;
+    }
+    get domainName() {
+        return this._domainName?.domainName;
+    }
+    get host() {
+        return this._host;
+    }
+    get restApiId() {
+        return this._api.restApiId;
+    }
+    get restApiName() {
+        return this._api.restApiName;
+    }
+    get restApiRootResourceId() {
+        return this._api.restApiRootResourceId;
+    }
+    get deploymentStage() {
+        return this._api.deploymentStage;
+    }
+    get domainNameAliasDomainName() {
+        return this._domainName?.domainNameAliasDomainName;
+    }
+    get domainNameAliasHostedZoneId() {
+        return this._domainName?.domainNameAliasHostedZoneId;
+    }
+    get root() {
+        return this._api.root;
+    }
+    get env() {
+        return {
+            account: Stack.of(this).account,
+            region: Stack.of(this).region,
+        };
+    }
+    get stack() {
+        return this._api.stack;
+    }
+    arnForExecuteApi(method, path, stage) {
+        return this._api.arnForExecuteApi(method, path, stage);
+    }
+    metric(metricName, props) {
+        return this._api.metric(metricName, props);
+    }
+    metricCacheHitCount(props) {
+        return this._api.metricCacheHitCount(props);
+    }
+    metricCacheMissCount(props) {
+        return this._api.metricCacheMissCount(props);
+    }
+    metricClientError(props) {
+        return this._api.metricClientError(props);
+    }
+    metricCount(props) {
+        return this._api.metricCount(props);
+    }
+    metricIntegrationLatency(props) {
+        return this._api.metricIntegrationLatency(props);
+    }
+    metricLatency(props) {
+        return this._api.metricLatency(props);
+    }
+    metricServerError(props) {
+        return this._api.metricServerError(props);
+    }
+    applyRemovalPolicy(policy) {
+        this._api.applyRemovalPolicy(policy);
+    }
+    get restApiRef() {
+        return {
+            restApiId: this._api.restApiId,
+        };
+    }
+}
+
+class JaypieStack extends Stack {
+    constructor(scope, id, props = {}) {
+        const { key, ...stackProps } = props;
+        // Handle stackName
+        if (!stackProps.stackName) {
+            stackProps.stackName = constructStackName(key);
+        }
+        // Handle env
+        stackProps.env = {
+            account: process.env.CDK_DEFAULT_ACCOUNT,
+            region: process.env.CDK_DEFAULT_REGION,
+            ...stackProps.env,
+        };
+        super(scope, id, stackProps);
+        // Apply tags
+        constructTagger(this, { name: stackProps.stackName });
+    }
+}
+
+class JaypieAppStack extends JaypieStack {
+    constructor(scope, id, props = {}) {
+        const { key = "app", ...stackProps } = props;
+        // Handle stackName
+        if (!stackProps.stackName) {
+            stackProps.stackName = constructStackName(key);
+        }
+        super(scope, id, { key, ...stackProps });
+    }
+}
+
+class JaypieLambda extends Construct {
+    constructor(scope, id, props) {
+        super(scope, id);
+        const { allowAllOutbound, allowPublicSubnet, architecture = lambda.Architecture.X86_64, code, datadogApiKeyArn, deadLetterQueue, deadLetterQueueEnabled, deadLetterTopic, description, environment: environmentInput, envSecrets = {}, ephemeralStorageSize, filesystem, handler = "index.handler", initialPolicy, layers = [], logGroup, logRetention = CDK$2.LAMBDA.LOG_RETENTION, maxEventAge, memorySize = CDK$2.LAMBDA.MEMORY_SIZE, paramsAndSecrets, paramsAndSecretsOptions, profiling, profilingGroup, provisionedConcurrentExecutions, reservedConcurrentExecutions, retryAttempts, roleTag = CDK$2.ROLE.PROCESSING, runtime = new lambda.Runtime("nodejs24.x", lambda.RuntimeFamily.NODEJS, {
+            supportsInlineCode: true,
+        }), runtimeManagementMode, secrets: secretsInput = [], securityGroups, timeout = Duration.seconds(CDK$2.DURATION.LAMBDA_WORKER), tracing, vendorTag, vpc, vpcSubnets, } = props;
+        // Resolve environment from array or object syntax
+        const initialEnvironment = resolveEnvironment(environmentInput);
+        // Get base environment with defaults
+        const environment = jaypieLambdaEnv({ initialEnvironment });
+        // Resolve secrets from mixed array (strings and JaypieEnvSecret instances)
+        const secrets = resolveSecrets(scope, secretsInput);
+        const codeAsset = typeof code === "string" ? lambda.Code.fromAsset(code) : code;
+        // Create a working copy of layers
+        const resolvedLayers = [...layers];
+        // Process secrets environment variables
+        const secretsEnvironment = Object.entries(envSecrets).reduce((acc, [key, secret]) => ({
+            ...acc,
+            [`SECRET_${key}`]: secret.secretName,
+        }), {});
+        // Process JaypieEnvSecret array
+        const jaypieSecretsEnvironment = secrets.reduce((acc, secret) => {
+            if (secret.envKey) {
+                return {
+                    ...acc,
+                    [`SECRET_${secret.envKey}`]: secret.secretName,
+                };
+            }
+            return acc;
+        }, {});
+        // Add ParamsAndSecrets layer if configured
+        const resolvedParamsAndSecrets = resolveParamsAndSecrets({
+            paramsAndSecrets,
+            options: paramsAndSecretsOptions,
+        });
+        // Create LogGroup if not provided
+        const resolvedLogGroup = logGroup ??
+            new logs.LogGroup(this, "LogGroup", {
+                retention: logRetention,
+                removalPolicy: RemovalPolicy.DESTROY,
+            });
+        // Create Lambda Function
+        this._lambda = new lambda.Function(this, "Function", {
+            allowAllOutbound,
+            allowPublicSubnet,
+            architecture,
+            code: codeAsset,
+            deadLetterQueue,
+            deadLetterQueueEnabled,
+            deadLetterTopic,
+            description,
+            environment: {
+                ...environment,
+                ...secretsEnvironment,
+                ...jaypieSecretsEnvironment,
+            },
+            ephemeralStorageSize,
+            filesystem,
+            handler,
+            initialPolicy,
+            layers: resolvedLayers,
+            logGroup: resolvedLogGroup,
+            maxEventAge,
+            memorySize,
+            paramsAndSecrets: resolvedParamsAndSecrets,
+            profiling,
+            profilingGroup,
+            reservedConcurrentExecutions,
+            retryAttempts,
+            runtime,
+            runtimeManagementMode,
+            securityGroups,
+            timeout: typeof timeout === "number" ? Duration.seconds(timeout) : timeout,
+            tracing,
+            vpc,
+            vpcSubnets,
+            // Enable auto-publishing of versions when using provisioned concurrency
+            currentVersionOptions: provisionedConcurrentExecutions !== undefined
+                ? {
+                    removalPolicy: RemovalPolicy.RETAIN,
+                    description: "Auto-published version for provisioned concurrency",
+                    // Don't set provisioned concurrency here - it will be set on the alias
+                }
+                : undefined,
+        });
+        addDatadogLayers(this._lambda, { datadogApiKeyArn });
+        // Grant secret read permissions
+        Object.values(envSecrets).forEach((secret) => {
+            secret.grantRead(this._lambda);
+        });
+        // Grant read permissions for JaypieEnvSecrets
+        secrets.forEach((secret) => {
+            secret.grantRead(this._lambda);
+        });
+        // Configure provisioned concurrency if specified
+        if (provisionedConcurrentExecutions !== undefined) {
+            // Use currentVersion which is auto-published with proper configuration
+            const version = this._lambda.currentVersion;
+            // Create alias for provisioned concurrency
+            this._provisioned = new lambda.Alias(this, "ProvisionedAlias", {
+                aliasName: "provisioned",
+                version,
+                provisionedConcurrentExecutions,
+            });
+            // Add explicit dependencies to ensure proper creation order
+            this._provisioned.node.addDependency(version);
+        }
+        if (roleTag) {
+            Tags.of(this._lambda).add(CDK$2.TAG.ROLE, roleTag);
+        }
+        if (vendorTag) {
+            Tags.of(this._lambda).add(CDK$2.TAG.VENDOR, vendorTag);
+        }
+        // Assign _reference based on provisioned state
+        this._reference =
+            this._provisioned !== undefined ? this._provisioned : this._lambda;
+    }
+    // Public accessors
+    get lambda() {
+        return this._lambda;
+    }
+    get provisioned() {
+        return this._provisioned;
+    }
+    get reference() {
+        return this._reference;
+    }
+    // IFunction implementation
+    get functionArn() {
+        return this._reference.functionArn;
+    }
+    get functionName() {
+        return this._reference.functionName;
+    }
+    get grantPrincipal() {
+        return this._reference.grantPrincipal;
+    }
+    get role() {
+        return this._reference.role;
+    }
+    get architecture() {
+        return this._reference.architecture;
+    }
+    get connections() {
+        return this._reference.connections;
+    }
+    get isBoundToVpc() {
+        return this._reference.isBoundToVpc;
+    }
+    get latestVersion() {
+        return this._reference.latestVersion;
+    }
+    get permissionsNode() {
+        return this._reference.permissionsNode;
+    }
+    get resourceArnsForGrantInvoke() {
+        return this._reference.resourceArnsForGrantInvoke;
+    }
+    get functionRef() {
+        return {
+            functionArn: this._reference.functionArn,
+            functionName: this._reference.functionName,
+        };
+    }
+    addEventSource(source) {
+        this._reference.addEventSource(source);
+    }
+    addEventSourceMapping(id, options) {
+        return this._reference.addEventSourceMapping(id, options);
+    }
+    addFunctionUrl(options) {
+        return this._reference.addFunctionUrl(options);
+    }
+    addPermission(id, permission) {
+        this._reference.addPermission(id, permission);
+    }
+    addToRolePolicy(statement) {
+        this._reference.addToRolePolicy(statement);
+    }
+    configureAsyncInvoke(options) {
+        this._reference.configureAsyncInvoke(options);
+    }
+    grantInvoke(grantee) {
+        return this._reference.grantInvoke(grantee);
+    }
+    grantInvokeCompositePrincipal(compositePrincipal) {
+        return this._reference.grantInvokeCompositePrincipal(compositePrincipal);
+    }
+    grantInvokeUrl(grantee) {
+        return this._reference.grantInvokeUrl(grantee);
+    }
+    grantInvokeLatestVersion(grantee) {
+        return this._reference.grantInvokeLatestVersion(grantee);
+    }
+    grantInvokeVersion(grantee, version) {
+        return this._reference.grantInvokeVersion(grantee, version);
+    }
+    metric(metricName, props) {
+        return this._reference.metric(metricName, props);
+    }
+    metricDuration(props) {
+        return this._reference.metricDuration(props);
+    }
+    metricErrors(props) {
+        return this._reference.metricErrors(props);
+    }
+    metricInvocations(props) {
+        return this._reference.metricInvocations(props);
+    }
+    metricThrottles(props) {
+        return this._reference.metricThrottles(props);
+    }
+    get env() {
+        return {
+            account: Stack.of(this).account,
+            region: Stack.of(this).region,
+        };
+    }
+    get stack() {
+        return this._reference.stack;
+    }
+    applyRemovalPolicy(policy) {
+        this._reference.applyRemovalPolicy(policy);
+    }
+    addEnvironment(key, value) {
+        this._lambda.addEnvironment(key, value);
+    }
+}
+
+class JaypieQueuedLambda extends Construct {
+    constructor(scope, id, props) {
+        super(scope, id);
+        const { allowAllOutbound, allowPublicSubnet, architecture, batchSize = 1, code, datadogApiKeyArn, deadLetterQueue, deadLetterQueueEnabled, deadLetterTopic, description, environment = {}, envSecrets = {}, ephemeralStorageSize, fifo = true, filesystem, handler = "index.handler", initialPolicy, layers = [], logGroup, logRetention = CDK$2.LAMBDA.LOG_RETENTION, maxEventAge, memorySize = CDK$2.LAMBDA.MEMORY_SIZE, paramsAndSecrets, paramsAndSecretsOptions, profiling, profilingGroup, provisionedConcurrentExecutions, reservedConcurrentExecutions, retryAttempts, roleTag, runtime = new lambda.Runtime("nodejs24.x", lambda.RuntimeFamily.NODEJS, {
+            supportsInlineCode: true,
+        }), runtimeManagementMode, secrets = [], securityGroups, timeout = Duration.seconds(CDK$2.DURATION.LAMBDA_WORKER), tracing, vendorTag, visibilityTimeout = Duration.seconds(CDK$2.DURATION.LAMBDA_WORKER), vpc, vpcSubnets, } = props;
+        // Create SQS Queue
+        this._queue = new sqs.Queue(this, "Queue", {
+            fifo,
+            visibilityTimeout: typeof visibilityTimeout === "number"
+                ? Duration.seconds(visibilityTimeout)
+                : visibilityTimeout,
+        });
+        if (roleTag) {
+            Tags.of(this._queue).add(CDK$2.TAG.ROLE, roleTag);
+        }
+        if (vendorTag) {
+            Tags.of(this._queue).add(CDK$2.TAG.VENDOR, vendorTag);
+        }
+        // Create Lambda with JaypieLambda
+        this._lambdaConstruct = new JaypieLambda(this, "Function", {
+            allowAllOutbound,
+            allowPublicSubnet,
+            architecture,
+            code,
+            datadogApiKeyArn,
+            deadLetterQueue,
+            deadLetterQueueEnabled,
+            deadLetterTopic,
+            description,
+            environment: {
+                ...environment,
+                CDK_ENV_QUEUE_URL: this._queue.queueUrl,
+            },
+            envSecrets,
+            ephemeralStorageSize,
+            filesystem,
+            handler,
+            initialPolicy,
+            layers,
+            logGroup,
+            logRetention,
+            maxEventAge,
+            memorySize,
+            paramsAndSecrets,
+            paramsAndSecretsOptions,
+            profiling,
+            profilingGroup,
+            provisionedConcurrentExecutions,
+            reservedConcurrentExecutions,
+            retryAttempts,
+            roleTag,
+            runtime,
+            runtimeManagementMode,
+            secrets,
+            securityGroups,
+            timeout,
+            tracing,
+            vendorTag,
+            vpc,
+            vpcSubnets,
+        });
+        // Set up queue and lambda integration
+        this._queue.grantConsumeMessages(this._lambdaConstruct);
+        this._queue.grantSendMessages(this._lambdaConstruct);
+        this._lambdaConstruct.addEventSource(new lambdaEventSources.SqsEventSource(this._queue, {
+            batchSize,
+        }));
+    }
+    // Public accessors
+    get queue() {
+        return this._queue;
+    }
+    get lambda() {
+        return this._lambdaConstruct.lambda;
+    }
+    // IFunction implementation
+    get functionArn() {
+        return this._lambdaConstruct.functionArn;
+    }
+    get functionName() {
+        return this._lambdaConstruct.functionName;
+    }
+    get grantPrincipal() {
+        return this._lambdaConstruct.grantPrincipal;
+    }
+    get role() {
+        return this._lambdaConstruct.role;
+    }
+    get architecture() {
+        return this._lambdaConstruct.architecture;
+    }
+    get connections() {
+        return this._lambdaConstruct.connections;
+    }
+    get isBoundToVpc() {
+        return this._lambdaConstruct.isBoundToVpc;
+    }
+    get latestVersion() {
+        return this._lambdaConstruct.latestVersion;
+    }
+    get permissionsNode() {
+        return this._lambdaConstruct.permissionsNode;
+    }
+    get resourceArnsForGrantInvoke() {
+        return this._lambdaConstruct.resourceArnsForGrantInvoke;
+    }
+    get functionRef() {
+        return this._lambdaConstruct.functionRef;
+    }
+    addEventSource(source) {
+        this._lambdaConstruct.addEventSource(source);
+    }
+    addEventSourceMapping(id, options) {
+        return this._lambdaConstruct.addEventSourceMapping(id, options);
+    }
+    addFunctionUrl(options) {
+        return this._lambdaConstruct.addFunctionUrl(options);
+    }
+    addPermission(id, permission) {
+        this._lambdaConstruct.addPermission(id, permission);
+    }
+    addToRolePolicy(statement) {
+        this._lambdaConstruct.addToRolePolicy(statement);
+    }
+    configureAsyncInvoke(options) {
+        this._lambdaConstruct.configureAsyncInvoke(options);
+    }
+    grantInvoke(grantee) {
+        return this._lambdaConstruct.grantInvoke(grantee);
+    }
+    grantInvokeCompositePrincipal(compositePrincipal) {
+        return this._lambdaConstruct.grantInvokeCompositePrincipal(compositePrincipal);
+    }
+    grantInvokeUrl(grantee) {
+        return this._lambdaConstruct.grantInvokeUrl(grantee);
+    }
+    metric(metricName, props) {
+        return this._lambdaConstruct.metric(metricName, props);
+    }
+    metricDuration(props) {
+        return this._lambdaConstruct.metricDuration(props);
+    }
+    metricErrors(props) {
+        return this._lambdaConstruct.metricErrors(props);
+    }
+    metricInvocations(props) {
+        return this._lambdaConstruct.metricInvocations(props);
+    }
+    metricThrottles(props) {
+        return this._lambdaConstruct.metricThrottles(props);
+    }
+    // Additional IFunction implementation
+    grantInvokeLatestVersion(grantee) {
+        return this._lambdaConstruct.grantInvokeLatestVersion(grantee);
+    }
+    grantInvokeVersion(grantee, version) {
+        return this._lambdaConstruct.grantInvokeVersion(grantee, version);
+    }
+    get env() {
+        return {
+            account: Stack.of(this).account,
+            region: Stack.of(this).region,
+        };
+    }
+    get stack() {
+        return Stack.of(this);
+    }
+    applyRemovalPolicy(policy) {
+        this._lambdaConstruct.applyRemovalPolicy(policy);
+        this._queue.applyRemovalPolicy(policy);
+    }
+    // IQueue implementation
+    get queueRef() {
+        return {
+            queueUrl: this._queue.queueUrl,
+            queueArn: this._queue.queueArn,
+        };
+    }
+    get fifo() {
+        return this._queue.fifo;
+    }
+    get queueArn() {
+        return this._queue.queueArn;
+    }
+    get queueName() {
+        return this._queue.queueName;
+    }
+    get queueUrl() {
+        return this._queue.queueUrl;
+    }
+    get encryptionMasterKey() {
+        return this._queue.encryptionMasterKey;
+    }
+    addToResourcePolicy(statement) {
+        return this._queue.addToResourcePolicy(statement);
+    }
+    grant(grantee, ...actions) {
+        return this._queue.grant(grantee, ...actions);
+    }
+    grantConsumeMessages(grantee) {
+        return this._queue.grantConsumeMessages(grantee);
+    }
+    grantPurge(grantee) {
+        return this._queue.grantPurge(grantee);
+    }
+    grantSendMessages(grantee) {
+        return this._queue.grantSendMessages(grantee);
+    }
+    // Queue metrics
+    metricApproximateAgeOfOldestMessage(props) {
+        return this._queue.metricApproximateAgeOfOldestMessage(props);
+    }
+    metricApproximateNumberOfMessagesDelayed(props) {
+        return this._queue.metricApproximateNumberOfMessagesDelayed(props);
+    }
+    metricApproximateNumberOfMessagesNotVisible(props) {
+        return this._queue.metricApproximateNumberOfMessagesNotVisible(props);
+    }
+    metricApproximateNumberOfMessagesVisible(props) {
+        return this._queue.metricApproximateNumberOfMessagesVisible(props);
+    }
+    metricNumberOfEmptyReceives(props) {
+        return this._queue.metricNumberOfEmptyReceives(props);
+    }
+    metricNumberOfMessagesDeleted(props) {
+        return this._queue.metricNumberOfMessagesDeleted(props);
+    }
+    metricNumberOfMessagesReceived(props) {
+        return this._queue.metricNumberOfMessagesReceived(props);
+    }
+    metricNumberOfMessagesSent(props) {
+        return this._queue.metricNumberOfMessagesSent(props);
+    }
+    metricSentMessageSize(props) {
+        return this._queue.metricSentMessageSize(props);
+    }
+    addEnvironment(key, value) {
+        this._lambdaConstruct.addEnvironment(key, value);
+    }
+}
+
+class JaypieBucketQueuedLambda extends JaypieQueuedLambda {
+    constructor(scope, id, props) {
+        props.fifo = false; // S3 event notifications are not supported for FIFO queues
+        super(scope, id, props);
+        const { bucketName, roleTag, vendorTag, bucketOptions = {} } = props;
+        // Create S3 Bucket
+        this._bucket = new s3.Bucket(this, "Bucket", {
+            bucketName: bucketOptions.bucketName || bucketName,
+            removalPolicy: bucketOptions.removalPolicy || RemovalPolicy.RETAIN,
+            ...bucketOptions,
+        });
+        // Add tags to bucket
+        if (roleTag) {
+            Tags.of(this._bucket).add(CDK$2.TAG.ROLE, roleTag);
+        }
+        if (vendorTag) {
+            Tags.of(this._bucket).add(CDK$2.TAG.VENDOR, vendorTag);
+        }
+        // Add an event notification from the bucket to the queue
+        this._bucket.addEventNotification(s3.EventType.OBJECT_CREATED, new s3n.SqsDestination(this.queue));
+        // Grant the lambda access to the bucket
+        this._bucket.grantReadWrite(this);
+        // Add environment variable for bucket name
+        this.lambda.addEnvironment("CDK_ENV_BUCKET_NAME", this._bucket.bucketName);
+    }
+    // Public accessors
+    get bucket() {
+        return this._bucket;
+    }
+    // IBucket implementation
+    get bucketArn() {
+        return this._bucket.bucketArn;
+    }
+    get bucketDomainName() {
+        return this._bucket.bucketDomainName;
+    }
+    get bucketDualStackDomainName() {
+        return this._bucket.bucketDualStackDomainName;
+    }
+    get bucketName() {
+        return this._bucket.bucketName;
+    }
+    get bucketRegionalDomainName() {
+        return this._bucket.bucketRegionalDomainName;
+    }
+    get bucketWebsiteDomainName() {
+        return this._bucket.bucketWebsiteDomainName;
+    }
+    get bucketWebsiteUrl() {
+        return this._bucket.bucketWebsiteUrl;
+    }
+    get encryptionKey() {
+        return this._bucket.encryptionKey;
+    }
+    get isWebsite() {
+        return this._bucket.isWebsite || false;
+    }
+    get policy() {
+        return this._bucket.policy;
+    }
+    addEventNotification(event, dest, ...filters) {
+        this._bucket.addEventNotification(event, dest, ...filters);
+    }
+    addObjectCreatedNotification(dest, ...filters) {
+        this._bucket.addObjectCreatedNotification(dest, ...filters);
+    }
+    addObjectRemovedNotification(dest, ...filters) {
+        this._bucket.addObjectRemovedNotification(dest, ...filters);
+    }
+    addToResourcePolicy(permission) {
+        return this._bucket.addToResourcePolicy(permission);
+    }
+    arnForObjects(objectKeyPattern) {
+        return this._bucket.arnForObjects(objectKeyPattern);
+    }
+    enableEventBridgeNotification() {
+        this._bucket.enableEventBridgeNotification();
+    }
+    grantDelete(grantee, objectsKeyPattern) {
+        return this._bucket.grantDelete(grantee, objectsKeyPattern);
+    }
+    grantPublicAccess(keyPrefix, ...allowedActions) {
+        return this._bucket.grantPublicAccess(keyPrefix, ...allowedActions);
+    }
+    grantPut(grantee, objectsKeyPattern) {
+        return this._bucket.grantPut(grantee, objectsKeyPattern);
+    }
+    grantPutAcl(grantee, objectsKeyPattern) {
+        return this._bucket.grantPutAcl(grantee, objectsKeyPattern);
+    }
+    grantRead(grantee, objectsKeyPattern) {
+        return this._bucket.grantRead(grantee, objectsKeyPattern);
+    }
+    grantReadWrite(grantee, objectsKeyPattern) {
+        return this._bucket.grantReadWrite(grantee, objectsKeyPattern);
+    }
+    grantWrite(grantee, objectsKeyPattern) {
+        return this._bucket.grantWrite(grantee, objectsKeyPattern);
+    }
+    onCloudTrailEvent(id, options) {
+        return this._bucket.onCloudTrailEvent(id, options);
+    }
+    onCloudTrailPutObject(id, options) {
+        return this._bucket.onCloudTrailPutObject(id, options);
+    }
+    onCloudTrailWriteObject(id, options) {
+        return this._bucket.onCloudTrailWriteObject(id, options);
+    }
+    s3UrlForObject(key) {
+        return this._bucket.s3UrlForObject(key);
+    }
+    transferAccelerationUrlForObject(key, options) {
+        return this._bucket.transferAccelerationUrlForObject(key, options);
+    }
+    urlForObject(key) {
+        return this._bucket.urlForObject(key);
+    }
+    virtualHostedUrlForObject(key, options) {
+        return this._bucket.virtualHostedUrlForObject(key, options);
+    }
+    grantReplicationPermission(identity, props) {
+        return this._bucket.grantReplicationPermission(identity, props);
+    }
+    addReplicationPolicy(policy) {
+        this._bucket.addReplicationPolicy(policy);
+    }
+    get bucketRef() {
+        return {
+            bucketArn: this._bucket.bucketArn,
+            bucketName: this._bucket.bucketName,
+        };
+    }
+    // Override applyRemovalPolicy to apply to all resources
+    applyRemovalPolicy(policy) {
+        super.applyRemovalPolicy(policy);
+        this._bucket.applyRemovalPolicy(policy);
+    }
+}
+
+class JaypieDatadogBucket extends Construct {
+    /**
+     * Create a new S3 bucket for Datadog log archiving with automatic IAM permissions
+     */
+    constructor(scope, idOrProps, propsOrUndefined) {
+        // Handle overloaded constructor signatures
+        let props;
+        let id;
+        if (typeof idOrProps === "string") {
+            // First param is ID, second is props
+            props = propsOrUndefined || {};
+            id = idOrProps;
+        }
+        else {
+            // First param is props
+            props = idOrProps || {};
+            id = props.id || "JaypieDatadogBucket";
+        }
+        super(scope, id);
+        // Extract Jaypie-specific options
+        const { bucketId = "DatadogArchiveBucket", bucketScope, grantDatadogAccess = true, project, service = CDK$2.SERVICE.DATADOG, ...bucketProps } = props;
+        // Create the bucket using bucketScope (defaults to this) and bucketId
+        const effectiveBucketScope = bucketScope || this;
+        this.bucket = new Bucket(effectiveBucketScope, bucketId, bucketProps);
+        // Add tags to bucket
+        cdk.Tags.of(this.bucket).add(CDK$2.TAG.SERVICE, service);
+        cdk.Tags.of(this.bucket).add(CDK$2.TAG.ROLE, CDK$2.ROLE.MONITORING);
+        if (project) {
+            cdk.Tags.of(this.bucket).add(CDK$2.TAG.PROJECT, project);
+        }
+        // Grant Datadog role access to bucket if enabled
+        if (grantDatadogAccess) {
+            this.policy = this.grantDatadogRoleBucketAccess({ project, service });
+        }
+    }
+    /**
+     * Grants the Datadog IAM role access to this bucket
+     *
+     * Checks for CDK_ENV_DATADOG_ROLE_ARN environment variable.
+     * If found, creates a custom policy with:
+     * - s3:ListBucket on bucket
+     * - s3:GetObject and s3:PutObject on bucket/*
+     *
+     * @param options - Configuration options
+     * @returns The created Policy, or undefined if CDK_ENV_DATADOG_ROLE_ARN is not set
+     */
+    grantDatadogRoleBucketAccess(options) {
+        const datadogRoleArn = process.env.CDK_ENV_DATADOG_ROLE_ARN;
+        // Early return if no Datadog role ARN is configured
+        if (!datadogRoleArn) {
+            return undefined;
+        }
+        const { project, service = CDK$2.SERVICE.DATADOG } = options || {};
+        // Lookup the Datadog role
+        const datadogRole = Role.fromRoleArn(this, "DatadogRole", datadogRoleArn);
+        // Build policy statements for bucket access
+        const statements = [
+            // Allow list bucket
+            new PolicyStatement({
+                actions: ["s3:ListBucket"],
+                resources: [this.bucket.bucketArn],
+            }),
+            // Allow read and write to the bucket
+            new PolicyStatement({
+                actions: ["s3:GetObject", "s3:PutObject"],
+                resources: [`${this.bucket.bucketArn}/*`],
+            }),
+        ];
+        // Create the custom policy
+        const datadogBucketPolicy = new Policy(this, "DatadogBucketPolicy", {
+            roles: [datadogRole],
+            statements,
+        });
+        // Add tags
+        cdk.Tags.of(datadogBucketPolicy).add(CDK$2.TAG.SERVICE, service);
+        cdk.Tags.of(datadogBucketPolicy).add(CDK$2.TAG.ROLE, CDK$2.ROLE.MONITORING);
+        cdk.Tags.of(datadogBucketPolicy).add(CDK$2.TAG.VENDOR, CDK$2.VENDOR.DATADOG);
+        if (project) {
+            cdk.Tags.of(datadogBucketPolicy).add(CDK$2.TAG.PROJECT, project);
+        }
+        return datadogBucketPolicy;
+    }
+}
+
+const DATADOG_FORWARDER_TEMPLATE_URL = "https://datadog-cloudformation-template.s3.amazonaws.com/aws/forwarder/latest.yaml";
+const DEFAULT_RESERVED_CONCURRENCY = "10";
+class JaypieDatadogForwarder extends Construct {
+    /**
+     * Create a new Datadog forwarder with CloudFormation nested stack
+     */
+    constructor(scope, idOrProps, propsOrUndefined) {
+        // Handle overloaded constructor signatures
+        let props;
+        let id;
+        if (typeof idOrProps === "string") {
+            // First param is ID, second is props
+            props = propsOrUndefined || {};
+            id = idOrProps;
+        }
+        else {
+            // First param is props
+            props = idOrProps || {};
+            id = props.id || "DatadogForwarder";
+        }
+        super(scope, id);
+        // Resolve options with defaults
+        const { account = process.env.CDK_ENV_ACCOUNT, additionalTags, createOutput = true, datadogApiKey = process.env.CDK_ENV_DATADOG_API_KEY, enableCloudFormationEvents = true, enableRoleExtension = true, exportName = CDK$2.IMPORT.DATADOG_LOG_FORWARDER, project, reservedConcurrency = DEFAULT_RESERVED_CONCURRENCY, service = CDK$2.VENDOR.DATADOG, templateUrl = DATADOG_FORWARDER_TEMPLATE_URL, } = props;
+        // Validate required parameters
+        if (!datadogApiKey) {
+            throw new Error("Datadog API key is required. Provide via datadogApiKey prop or CDK_ENV_DATADOG_API_KEY environment variable.");
+        }
+        // Build Datadog tags
+        let ddTags = account ? `account:${account}` : "";
+        if (additionalTags) {
+            ddTags = ddTags ? `${ddTags},${additionalTags}` : additionalTags;
+        }
+        // Deploy Datadog CloudFormation stack
+        this.cfnStack = new CfnStack(this, "Stack", {
+            parameters: {
+                DdApiKey: datadogApiKey,
+                DdTags: ddTags,
+                ReservedConcurrency: reservedConcurrency,
+            },
+            templateUrl,
+        });
+        // Add tags to stack
+        cdk.Tags.of(this.cfnStack).add(CDK$2.TAG.ROLE, CDK$2.ROLE.MONITORING);
+        cdk.Tags.of(this.cfnStack).add(CDK$2.TAG.SERVICE, service);
+        cdk.Tags.of(this.cfnStack).add(CDK$2.TAG.VENDOR, CDK$2.VENDOR.DATADOG);
+        if (project) {
+            cdk.Tags.of(this.cfnStack).add(CDK$2.TAG.PROJECT, project);
+        }
+        // Extract forwarder function from stack outputs
+        this.forwarderFunction = lambda.Function.fromFunctionArn(this, "Function", this.cfnStack.getAtt("Outputs.DatadogForwarderArn").toString());
+        // Extend Datadog role with custom permissions if enabled
+        if (enableRoleExtension) {
+            extendDatadogRole(this, { project, service });
+        }
+        // Create CloudFormation events rule if enabled
+        if (enableCloudFormationEvents) {
+            this.eventsRule = new Rule(this, "CloudFormationEventsRule", {
+                eventPattern: {
+                    source: ["aws.cloudformation"],
+                },
+                targets: [
+                    new LambdaFunction(this.forwarderFunction, {
+                        event: RuleTargetInput.fromEventPath("$"),
+                    }),
+                ],
+            });
+            // Add tags to events rule
+            cdk.Tags.of(this.eventsRule).add(CDK$2.TAG.ROLE, CDK$2.ROLE.MONITORING);
+            cdk.Tags.of(this.eventsRule).add(CDK$2.TAG.SERVICE, service);
+            cdk.Tags.of(this.eventsRule).add(CDK$2.TAG.VENDOR, CDK$2.VENDOR.DATADOG);
+            if (project) {
+                cdk.Tags.of(this.eventsRule).add(CDK$2.TAG.PROJECT, project);
+            }
+        }
+        // Create CloudFormation output if enabled
+        if (createOutput) {
+            new cdk.CfnOutput(this, "ForwarderArnOutput", {
+                description: "Datadog Log Forwarder Lambda ARN",
+                exportName,
+                value: this.cfnStack.getAtt("Outputs.DatadogForwarderArn").toString(),
+            });
+        }
+    }
+}
+
+class JaypieDistribution extends Construct {
+    constructor(scope, id, props) {
+        super(scope, id);
+        const { certificate: certificateProp = true, defaultBehavior: propsDefaultBehavior, destination: destinationProp = true, handler, host: propsHost, invokeMode = lambda.InvokeMode.BUFFERED, roleTag = CDK$2.ROLE.API, zone: propsZone, ...distributionProps } = props;
+        // Validate environment variables
+        if (process.env.CDK_ENV_API_SUBDOMAIN &&
+            !isValidSubdomain(process.env.CDK_ENV_API_SUBDOMAIN)) {
+            throw new Error("CDK_ENV_API_SUBDOMAIN is not a valid subdomain");
+        }
+        if (process.env.CDK_ENV_API_HOSTED_ZONE &&
+            !isValidHostname$1(process.env.CDK_ENV_API_HOSTED_ZONE)) {
+            throw new Error("CDK_ENV_API_HOSTED_ZONE is not a valid hostname");
+        }
+        if (process.env.CDK_ENV_HOSTED_ZONE &&
+            !isValidHostname$1(process.env.CDK_ENV_HOSTED_ZONE)) {
+            throw new Error("CDK_ENV_HOSTED_ZONE is not a valid hostname");
+        }
+        // Determine host from props or environment
+        let host = propsHost;
+        if (!host) {
+            try {
+                if (process.env.CDK_ENV_API_HOST_NAME) {
+                    host = process.env.CDK_ENV_API_HOST_NAME;
+                }
+                else if (process.env.CDK_ENV_API_SUBDOMAIN) {
+                    host = mergeDomain(process.env.CDK_ENV_API_SUBDOMAIN, process.env.CDK_ENV_API_HOSTED_ZONE ||
+                        process.env.CDK_ENV_HOSTED_ZONE ||
+                        "");
+                }
+            }
+            catch {
+                host = undefined;
+            }
+        }
+        if (host && !isValidHostname$1(host)) {
+            throw new Error("Host is not a valid hostname");
+        }
+        this.host = host;
+        // Determine zone from props or environment
+        const zone = propsZone || process.env.CDK_ENV_HOSTED_ZONE;
+        // Resolve the origin from handler
+        // Check order matters: IFunctionUrl before IOrigin (FunctionUrl also has bind method)
+        // IFunction before IFunctionUrl (IFunction doesn't have functionUrlId)
+        let origin;
+        if (handler) {
+            if (this.isIFunction(handler)) {
+                // Create FunctionUrl for the Lambda function
+                const functionUrl = new lambda.FunctionUrl(this, "FunctionUrl", {
+                    function: handler,
+                    authType: lambda.FunctionUrlAuthType.NONE,
+                    invokeMode,
+                });
+                this.functionUrl = functionUrl;
+                origin = new origins.FunctionUrlOrigin(functionUrl);
+            }
+            else if (this.isIFunctionUrl(handler)) {
+                origin = new origins.FunctionUrlOrigin(handler);
+            }
+            else if (this.isIOrigin(handler)) {
+                origin = handler;
+            }
+        }
+        // Build default behavior
+        let defaultBehavior;
+        if (propsDefaultBehavior) {
+            defaultBehavior = propsDefaultBehavior;
+        }
+        else if (origin) {
+            defaultBehavior = {
+                allowedMethods: cloudfront.AllowedMethods.ALLOW_ALL,
+                cachePolicy: cloudfront.CachePolicy.CACHING_DISABLED,
+                origin,
+                originRequestPolicy: cloudfront.OriginRequestPolicy.ALL_VIEWER_EXCEPT_HOST_HEADER,
+                viewerProtocolPolicy: cloudfront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
+            };
+        }
+        else {
+            throw new Error("Either handler or defaultBehavior must be provided to JaypieDistribution");
+        }
+        // Resolve hosted zone and certificate
+        // Only resolve zone when we need it (for certificate or DNS)
+        let hostedZone;
+        let certificateToUse;
+        if (host && zone && certificateProp !== false) {
+            hostedZone = resolveHostedZone(this, { zone });
+            if (certificateProp === true) {
+                certificateToUse = new acm.Certificate(this, constructEnvName("Certificate"), {
+                    domainName: host,
+                    validation: acm.CertificateValidation.fromDns(hostedZone),
+                });
+                Tags.of(certificateToUse).add(CDK$2.TAG.ROLE, roleTag);
+            }
+            else if (typeof certificateProp === "object") {
+                certificateToUse = certificateProp;
+            }
+            this.certificate = certificateToUse;
+        }
+        // Create log bucket if logging is enabled
+        let logBucket;
+        if (destinationProp !== false) {
+            logBucket = new s3.Bucket(this, constructEnvName("LogBucket"), {
+                objectOwnership: s3.ObjectOwnership.OBJECT_WRITER,
+                removalPolicy: RemovalPolicy.DESTROY,
+                autoDeleteObjects: true,
+                lifecycleRules: [
+                    {
+                        expiration: Duration.days(90),
+                        transitions: [
+                            {
+                                storageClass: s3.StorageClass.INFREQUENT_ACCESS,
+                                transitionAfter: Duration.days(30),
+                            },
+                        ],
+                    },
+                ],
+            });
+            Tags.of(logBucket).add(CDK$2.TAG.ROLE, CDK$2.ROLE.STORAGE);
+            // Add S3 notification to Datadog forwarder
+            const lambdaDestination = destinationProp === true
+                ? new LambdaDestination(resolveDatadogForwarderFunction(this))
+                : destinationProp;
+            logBucket.addEventNotification(s3.EventType.OBJECT_CREATED, lambdaDestination);
+            this.logBucket = logBucket;
+        }
+        // Create the CloudFront distribution
+        this.distribution = new cloudfront.Distribution(this, constructEnvName("Distribution"), {
+            defaultBehavior,
+            ...(host && certificateToUse
+                ? {
+                    certificate: certificateToUse,
+                    domainNames: [host],
+                }
+                : {}),
+            ...(logBucket
+                ? {
+                    enableLogging: true,
+                    logBucket,
+                    logFilePrefix: "cloudfront-logs/",
+                }
+                : {}),
+            ...distributionProps,
+        });
+        Tags.of(this.distribution).add(CDK$2.TAG.ROLE, roleTag);
+        this.distributionArn = `arn:aws:cloudfront::${Stack.of(this).account}:distribution/${this.distribution.distributionId}`;
+        this.distributionDomainName = this.distribution.distributionDomainName;
+        this.distributionId = this.distribution.distributionId;
+        this.domainName = this.distribution.domainName;
+        // Create DNS records if we have host and zone
+        if (host && hostedZone) {
+            const aRecord = new route53.ARecord(this, "AliasRecord", {
+                recordName: host,
+                target: route53.RecordTarget.fromAlias(new route53Targets.CloudFrontTarget(this.distribution)),
+                zone: hostedZone,
+            });
+            Tags.of(aRecord).add(CDK$2.TAG.ROLE, CDK$2.ROLE.NETWORKING);
+            const aaaaRecord = new route53.AaaaRecord(this, "AaaaAliasRecord", {
+                recordName: host,
+                target: route53.RecordTarget.fromAlias(new route53Targets.CloudFrontTarget(this.distribution)),
+                zone: hostedZone,
+            });
+            Tags.of(aaaaRecord).add(CDK$2.TAG.ROLE, CDK$2.ROLE.NETWORKING);
+        }
+    }
+    // Type guards for handler types
+    isIOrigin(handler) {
+        return (typeof handler === "object" &&
+            handler !== null &&
+            "bind" in handler &&
+            typeof handler.bind === "function");
+    }
+    isIFunctionUrl(handler) {
+        // FunctionUrl has 'url' property which is the function URL string
+        // IFunction does not have 'url' property
+        return (typeof handler === "object" &&
+            handler !== null &&
+            "url" in handler &&
+            "functionArn" in handler);
+    }
+    isIFunction(handler) {
+        // IFunction has functionArn and functionName but NOT 'url'
+        // (FunctionUrl also has functionArn but also has 'url')
+        return (typeof handler === "object" &&
+            handler !== null &&
+            "functionArn" in handler &&
+            "functionName" in handler &&
+            !("url" in handler));
+    }
+    // Implement IDistribution interface
+    get env() {
+        return {
+            account: Stack.of(this).account,
+            region: Stack.of(this).region,
+        };
+    }
+    get stack() {
+        return this.distribution.stack;
+    }
+    applyRemovalPolicy(policy) {
+        this.distribution.applyRemovalPolicy(policy);
+    }
+    grant(identity, ...actions) {
+        return this.distribution.grant(identity, ...actions);
+    }
+    grantCreateInvalidation(identity) {
+        return this.distribution.grantCreateInvalidation(identity);
+    }
+    get distributionRef() {
+        return {
+            distributionId: this.distribution.distributionId,
+        };
+    }
+}
+
+class JaypieDatadogSecret extends JaypieEnvSecret {
+    constructor(scope, id = "MongoConnectionString", props) {
+        const defaultProps = {
+            envKey: "DATADOG_API_KEY",
+            roleTag: CDK$2.ROLE.MONITORING,
+            vendorTag: CDK$2.VENDOR.DATADOG,
+            ...props,
+        };
+        super(scope, id, defaultProps);
+    }
+}
+
+class JaypieDnsRecord extends Construct {
+    constructor(scope, id, props) {
+        super(scope, id);
+        const { comment, recordName, type, values } = props;
+        const ttl = props.ttl || cdk.Duration.seconds(CDK$2.DNS.CONFIG.TTL);
+        // Resolve the hosted zone (supports both string and IHostedZone)
+        const zone = resolveHostedZone(scope, {
+            name: `${id}HostedZone`,
+            zone: props.zone,
+        });
+        // Common properties for all record types
+        const baseProps = {
+            comment,
+            recordName,
+            ttl,
+            zone,
+        };
+        // Create the appropriate record based on type
+        switch (type) {
+            case CDK$2.DNS.RECORD.A: {
+                if (!Array.isArray(values) || values.length === 0) {
+                    throw new ConfigurationError("A record requires at least one IP address");
+                }
+                this.record = new ARecord(this, "Record", {
+                    ...baseProps,
+                    target: RecordTarget.fromIpAddresses(...values),
+                });
+                break;
+            }
+            case CDK$2.DNS.RECORD.CNAME: {
+                if (!Array.isArray(values) || values.length === 0) {
+                    throw new ConfigurationError("CNAME record requires a domain name");
+                }
+                this.record = new CnameRecord(this, "Record", {
+                    ...baseProps,
+                    domainName: values[0],
+                });
+                break;
+            }
+            case CDK$2.DNS.RECORD.MX: {
+                if (!Array.isArray(values) || values.length === 0) {
+                    throw new ConfigurationError("MX record requires at least one mail server");
+                }
+                this.record = new MxRecord(this, "Record", {
+                    ...baseProps,
+                    values: values,
+                });
+                break;
+            }
+            case CDK$2.DNS.RECORD.NS: {
+                if (!Array.isArray(values) || values.length === 0) {
+                    throw new ConfigurationError("NS record requires at least one name server");
+                }
+                this.record = new NsRecord(this, "Record", {
+                    ...baseProps,
+                    values: values,
+                });
+                break;
+            }
+            case CDK$2.DNS.RECORD.TXT: {
+                if (!Array.isArray(values) || values.length === 0) {
+                    throw new ConfigurationError("TXT record requires at least one value");
+                }
+                this.record = new TxtRecord(this, "Record", {
+                    ...baseProps,
+                    values: values,
+                });
+                break;
+            }
+            default:
+                throw new ConfigurationError(`Unsupported DNS record type: ${type}. Supported types: A, CNAME, MX, NS, TXT`);
+        }
+        // Add standard tags to the DNS record
+        cdk.Tags.of(this.record).add(CDK$2.TAG.SERVICE, CDK$2.SERVICE.INFRASTRUCTURE);
+        cdk.Tags.of(this.record).add(CDK$2.TAG.ROLE, CDK$2.ROLE.NETWORKING);
+    }
+}
+
+class JaypieEventsRule extends Construct {
+    /**
+     * Create a new EventBridge rule that targets a Lambda function
+     */
+    constructor(scope, idOrSourceOrProps, propsOrUndefined) {
+        // Handle overloaded constructor signatures
+        let props;
+        let id;
+        if (typeof idOrSourceOrProps === "string") {
+            // Check if it looks like an AWS source (starts with "aws.")
+            if (idOrSourceOrProps.startsWith("aws.")) {
+                // First param is source, second is props
+                props = propsOrUndefined || {};
+                props.source = idOrSourceOrProps;
+                // Generate ID from source
+                const sourceName = idOrSourceOrProps
+                    .replace("aws.", "")
+                    .split(".")
+                    .map((part) => part.charAt(0).toUpperCase() + part.slice(1))
+                    .join("");
+                id = props.id || `${sourceName}EventsRule`;
+            }
+            else {
+                // First param is ID, second is props
+                props = propsOrUndefined || {};
+                id = idOrSourceOrProps;
+            }
+        }
+        else {
+            // First param is props
+            props = idOrSourceOrProps || {};
+            if (props.source) {
+                const sourceName = typeof props.source === "string"
+                    ? props.source
+                        .replace("aws.", "")
+                        .split(".")
+                        .map((part) => part.charAt(0).toUpperCase() + part.slice(1))
+                        .join("")
+                    : "Events";
+                id = props.id || `${sourceName}EventsRule`;
+            }
+            else {
+                id = props.id || "EventsRule";
+            }
+        }
+        super(scope, id);
+        // Extract Jaypie-specific options
+        const { id: _id, project, service = CDK$2.SERVICE.DATADOG, source, targetFunction, vendor = CDK$2.VENDOR.DATADOG, ...ruleProps } = props;
+        // Resolve target function
+        this.targetFunction =
+            targetFunction || resolveDatadogForwarderFunction(scope);
+        // Build event pattern if source is specified
+        const eventPattern = source
+            ? {
+                ...ruleProps.eventPattern,
+                source: Array.isArray(source) ? source : [source],
+            }
+            : ruleProps.eventPattern;
+        // Build rule props
+        const finalRuleProps = {
+            ...ruleProps,
+            eventPattern,
+            targets: [
+                new LambdaFunction(this.targetFunction, {
+                    event: RuleTargetInput.fromEventPath("$"),
+                }),
+            ],
+        };
+        // Create the rule
+        this.rule = new Rule(this, "Rule", finalRuleProps);
+        // Add tags
+        cdk.Tags.of(this.rule).add(CDK$2.TAG.ROLE, CDK$2.ROLE.MONITORING);
+        cdk.Tags.of(this.rule).add(CDK$2.TAG.SERVICE, service);
+        cdk.Tags.of(this.rule).add(CDK$2.TAG.VENDOR, vendor);
+        if (project) {
+            cdk.Tags.of(this.rule).add(CDK$2.TAG.PROJECT, project);
+        }
+    }
+}
+
+class JaypieGitHubDeployRole extends Construct {
+    constructor(scope, id = "GitHubDeployRole", props = {}) {
+        super(scope, id);
+        const { oidcProviderArn = Fn.importValue(CDK$2.IMPORT.OIDC_PROVIDER), output = true, repoRestriction: propsRepoRestriction, } = props;
+        // Extract account ID from the scope
+        const accountId = Stack.of(this).account;
+        // Resolve repoRestriction from props or environment variables
+        let repoRestriction = propsRepoRestriction;
+        if (!repoRestriction) {
+            const envRepo = process.env.CDK_ENV_REPO || process.env.PROJECT_REPO;
+            if (!envRepo) {
+                throw new ConfigurationError("No repoRestriction provided. Set repoRestriction prop, CDK_ENV_REPO, or PROJECT_REPO environment variable");
+            }
+            // Extract organization from owner/repo format and create org-wide restriction
+            const organization = envRepo.split("/")[0];
+            repoRestriction = `repo:${organization}/*:*`;
+        }
+        // Create the IAM role
+        this._role = new Role(this, "GitHubActionsRole", {
+            assumedBy: new FederatedPrincipal(oidcProviderArn, {
+                StringLike: {
+                    "token.actions.githubusercontent.com:sub": repoRestriction,
+                },
+            }, "sts:AssumeRoleWithWebIdentity"),
+            maxSessionDuration: Duration.hours(1),
+            path: "/",
+        });
+        Tags.of(this._role).add(CDK$2.TAG.ROLE, CDK$2.ROLE.DEPLOY);
+        // Allow the role to access the GitHub OIDC provider
+        this._role.addToPolicy(new PolicyStatement({
+            actions: ["sts:AssumeRoleWithWebIdentity"],
+            resources: [`arn:aws:iam::${accountId}:oidc-provider/*`],
+        }));
+        // Allow the role to deploy CDK apps
+        this._role.addToPolicy(new PolicyStatement({
+            actions: [
+                "cloudformation:CreateStack",
+                "cloudformation:DeleteStack",
+                "cloudformation:DescribeStackEvents",
+                "cloudformation:DescribeStackResource",
+                "cloudformation:DescribeStackResources",
+                "cloudformation:DescribeStacks",
+                "cloudformation:GetTemplate",
+                "cloudformation:SetStackPolicy",
+                "cloudformation:UpdateStack",
+                "cloudformation:ValidateTemplate",
+                "iam:PassRole",
+                "route53:ListHostedZones*",
+                "s3:GetObject",
+                "s3:ListBucket",
+            ],
+            effect: Effect.ALLOW,
+            resources: ["*"],
+        }));
+        this._role.addToPolicy(new PolicyStatement({
+            actions: ["iam:PassRole", "sts:AssumeRole"],
+            effect: Effect.ALLOW,
+            resources: [
+                "arn:aws:iam::*:role/cdk-hnb659fds-deploy-role-*",
+                "arn:aws:iam::*:role/cdk-hnb659fds-file-publishing-*",
+                "arn:aws:iam::*:role/cdk-readOnlyRole",
+            ],
+        }));
+        // Export the ARN of the role
+        if (output !== false) {
+            const outputId = typeof output === "string" ? output : "GitHubActionsRoleArn";
+            new CfnOutput(this, outputId, {
+                value: this._role.roleArn,
+            });
+        }
+    }
+    get role() {
+        return this._role;
+    }
+    get roleArn() {
+        return this._role.roleArn;
+    }
+    get roleName() {
+        return this._role.roleName;
+    }
+}
+
+class JaypieExpressLambda extends JaypieLambda {
+    constructor(scope, id, props) {
+        super(scope, id, {
+            timeout: Duration.seconds(CDK$2.DURATION.EXPRESS_API),
+            roleTag: CDK$2.ROLE.API,
+            ...props,
+        });
+    }
+}
+
+const SERVICE = {
+    ROUTE53: "route53.amazonaws.com",
+};
+/**
+ * Check if a string is a valid hostname
+ */
+function isValidHostname(str) {
+    // Check if it contains a dot and matches hostname pattern
+    if (!str.includes("."))
+        return false;
+    // Basic hostname validation: alphanumeric, hyphens, dots
+    // Each label must start and end with alphanumeric
+    const hostnameRegex = /^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$/i;
+    return hostnameRegex.test(str);
+}
+class JaypieHostedZone extends Construct {
+    /**
+     * Create a new hosted zone with query logging and optional DNS records
+     */
+    constructor(scope, idOrProps, propsOrRecords) {
+        // Handle overloaded constructor signatures
+        let props;
+        let id;
+        if (typeof idOrProps === "string") {
+            // If it's a valid hostname, treat it as zoneName
+            if (isValidHostname(idOrProps)) {
+                // Third param can be props object or records array
+                if (Array.isArray(propsOrRecords)) {
+                    props = { zoneName: idOrProps, records: propsOrRecords };
+                }
+                else {
+                    props = propsOrRecords || { zoneName: idOrProps };
+                    // Set zoneName if not already set
+                    if (!props.zoneName) {
+                        props = { ...props, zoneName: idOrProps };
+                    }
+                }
+                // Use id from props if provided, otherwise derive from zoneName
+                id = props.id || `${idOrProps}-HostedZone`;
+            }
+            else {
+                // Otherwise treat it as an explicit id
+                props = propsOrRecords;
+                id = idOrProps;
+            }
+        }
+        else {
+            // idOrProps is props
+            props = idOrProps;
+            id = props.id || `${props.zoneName}-HostedZone`;
+        }
+        super(scope, id);
+        const { zoneName, project } = props;
+        const destination = props.destination ?? true;
+        const service = props.service || CDK$2.SERVICE.INFRASTRUCTURE;
+        // Create the log group
+        this.logGroup = new LogGroup(this, "LogGroup", {
+            logGroupName: process.env.PROJECT_NONCE
+                ? `/aws/route53/${zoneName}-${process.env.PROJECT_NONCE}`
+                : `/aws/route53/${zoneName}`,
+            retention: RetentionDays.ONE_WEEK,
+        });
+        // Add tags
+        cdk.Tags.of(this.logGroup).add(CDK$2.TAG.SERVICE, service);
+        cdk.Tags.of(this.logGroup).add(CDK$2.TAG.ROLE, CDK$2.ROLE.NETWORKING);
+        if (project) {
+            cdk.Tags.of(this.logGroup).add(CDK$2.TAG.PROJECT, project);
+        }
+        // Grant Route 53 permissions to write to the log group
+        this.logGroup.grantWrite(new ServicePrincipal(SERVICE.ROUTE53));
+        // Add destination based on configuration
+        if (destination !== false) {
+            const lambdaDestination = destination === true
+                ? resolveDatadogLoggingDestination(scope)
+                : destination;
+            this.logGroup.addSubscriptionFilter("DatadogLambdaDestination", {
+                destination: lambdaDestination,
+                filterPattern: FilterPattern.allEvents(),
+            });
+        }
+        // Create the hosted zone
+        this.hostedZone = new HostedZone(this, "HostedZone", {
+            queryLogsLogGroupArn: this.logGroup.logGroupArn,
+            zoneName,
+        });
+        // Add tags
+        cdk.Tags.of(this.hostedZone).add(CDK$2.TAG.SERVICE, service);
+        cdk.Tags.of(this.hostedZone).add(CDK$2.TAG.ROLE, CDK$2.ROLE.NETWORKING);
+        if (project) {
+            cdk.Tags.of(this.hostedZone).add(CDK$2.TAG.PROJECT, project);
+        }
+        // Create DNS records if provided
+        this.dnsRecords = [];
+        if (props.records) {
+            props.records.forEach((recordConfig, index) => {
+                const { id, ...recordProps } = recordConfig;
+                // Generate a default ID if not provided
+                const recordId = id ||
+                    `${recordProps.type}${recordProps.recordName ? `-${recordProps.recordName}` : ""}-${index}`;
+                const dnsRecord = new JaypieDnsRecord(this, recordId, {
+                    ...recordProps,
+                    zone: this.hostedZone,
+                });
+                this.dnsRecords.push(dnsRecord);
+            });
+        }
+    }
+}
+
+const CDK = {
+    TAG: {
+        STACK_SHA: "stackSha",
+    },
+};
+class JaypieInfrastructureStack extends JaypieStack {
+    constructor(scope, id, props = {}) {
+        const { key = "infra", ...stackProps } = props;
+        // Handle stackName
+        if (!stackProps.stackName) {
+            stackProps.stackName = constructStackName(key);
+        }
+        super(scope, id, { key, ...stackProps });
+        // Add infrastructure-specific tag
+        if (process.env.CDK_ENV_INFRASTRUCTURE_STACK_SHA) {
+            Tags.of(this).add(CDK.TAG.STACK_SHA, process.env.CDK_ENV_INFRASTRUCTURE_STACK_SHA);
+        }
+    }
+}
+
+class JaypieMongoDbSecret extends JaypieEnvSecret {
+    constructor(scope, id = "MongoConnectionString", props) {
+        const defaultProps = {
+            envKey: "MONGODB_URI",
+            roleTag: CDK$2.ROLE.STORAGE,
+            vendorTag: CDK$2.VENDOR.MONGODB,
+            ...props,
+        };
+        super(scope, id, defaultProps);
+    }
+}
+
+class JaypieNextJs extends Construct {
+    constructor(scope, id, props) {
+        super(scope, id);
+        const domainName = props?.domainName || envHostname();
+        this.domainName = domainName;
+        const domainNameSanitized = domainName
+            .replace(/\./g, "-")
+            .replace(/[^a-zA-Z0-9]/g, "_");
+        // Resolve environment from array or object syntax
+        const environment = resolveEnvironment(props?.environment);
+        const envSecrets = props?.envSecrets || {};
+        const nextjsPath = props?.nextjsPath?.startsWith("..")
+            ? path.join(process.cwd(), props.nextjsPath)
+            : props?.nextjsPath || path.join(process.cwd(), "..", "nextjs");
+        const paramsAndSecrets = resolveParamsAndSecrets();
+        // Resolve secrets from mixed array (strings and JaypieEnvSecret instances)
+        const secrets = resolveSecrets(scope, props?.secrets);
+        // Process secrets environment variables
+        const secretsEnvironment = Object.entries(envSecrets).reduce((acc, [key, secret]) => ({
+            ...acc,
+            [`SECRET_${key}`]: secret.secretName,
+        }), {});
+        // Process JaypieEnvSecret array
+        const jaypieSecretsEnvironment = secrets.reduce((acc, secret) => {
+            if (secret.envKey) {
+                return {
+                    ...acc,
+                    [`SECRET_${secret.envKey}`]: secret.secretName,
+                };
+            }
+            return acc;
+        }, {});
+        // Process NEXT_PUBLIC_ environment variables
+        const nextPublicEnv = Object.entries(process.env).reduce((acc, [key, value]) => {
+            if (key.startsWith("NEXT_PUBLIC_") && value) {
+                return {
+                    ...acc,
+                    [key]: value,
+                };
+            }
+            return acc;
+        }, {});
+        const nextjs = new Nextjs(this, "NextJsApp", {
+            nextjsPath,
+            domainProps: {
+                domainName,
+                hostedZone: resolveHostedZone(this, {
+                    zone: props?.hostedZone,
+                }),
+            },
+            environment: {
+                ...jaypieLambdaEnv(),
+                ...environment,
+                ...secretsEnvironment,
+                ...jaypieSecretsEnvironment,
+                ...nextPublicEnv,
+                NEXT_PUBLIC_SITE_URL: `https://${domainName}`,
+            },
+            overrides: {
+                nextjsDistribution: {
+                    imageCachePolicyProps: {
+                        cachePolicyName: `NextJsImageCachePolicy-${domainNameSanitized}`,
+                    },
+                    serverCachePolicyProps: {
+                        cachePolicyName: `NextJsServerCachePolicy-${domainNameSanitized}`,
+                    },
+                },
+                nextjsImage: {
+                    functionProps: {
+                        paramsAndSecrets,
+                    },
+                },
+                nextjsServer: {
+                    functionProps: {
+                        paramsAndSecrets,
+                    },
+                },
+            },
+        });
+        addDatadogLayers(nextjs.imageOptimizationFunction);
+        addDatadogLayers(nextjs.serverFunction.lambdaFunction);
+        // Grant secret read permissions
+        Object.values(envSecrets).forEach((secret) => {
+            secret.grantRead(nextjs.serverFunction.lambdaFunction);
+        });
+        // Grant read permissions for JaypieEnvSecrets
+        secrets.forEach((secret) => {
+            secret.grantRead(nextjs.serverFunction.lambdaFunction);
+        });
+    }
+}
+
+class JaypieOpenAiSecret extends JaypieEnvSecret {
+    constructor(scope, id = "OpenAiApiKey", props) {
+        const defaultProps = {
+            envKey: "OPENAI_API_KEY",
+            roleTag: CDK$2.ROLE.PROCESSING,
+            vendorTag: CDK$2.VENDOR.OPENAI,
+            ...props,
+        };
+        super(scope, id, defaultProps);
+    }
+}
+
+class JaypieOrganizationTrail extends Construct {
+    /**
+     * Create a new organization CloudTrail with S3 bucket and lifecycle policies
+     */
+    constructor(scope, idOrProps, propsOrUndefined) {
+        // Handle overloaded constructor signatures
+        let props;
+        let id;
+        if (typeof idOrProps === "string") {
+            // First param is ID, second is props
+            props = propsOrUndefined || {};
+            id = idOrProps;
+        }
+        else {
+            // First param is props
+            props = idOrProps || {};
+            const defaultName = process.env.PROJECT_NONCE
+                ? `organization-cloudtrail-${process.env.PROJECT_NONCE}`
+                : "organization-cloudtrail";
+            id = props.id || `${props.trailName || defaultName}-Trail`;
+        }
+        super(scope, id);
+        // Resolve options with defaults
+        const { bucketName = process.env.PROJECT_NONCE
+            ? `organization-cloudtrail-${process.env.PROJECT_NONCE}`
+            : "organization-cloudtrail", enableDatadogNotifications = true, enableFileValidation = false, expirationDays = 365, glacierTransitionDays = 180, infrequentAccessTransitionDays = 30, project, service = CDK$2.SERVICE.INFRASTRUCTURE, trailName = process.env.PROJECT_NONCE
+            ? `organization-cloudtrail-${process.env.PROJECT_NONCE}`
+            : "organization-cloudtrail", } = props;
+        // Create the S3 bucket for CloudTrail logs
+        this.bucket = new Bucket(this, "Bucket", {
+            accessControl: BucketAccessControl.LOG_DELIVERY_WRITE,
+            bucketName,
+            lifecycleRules: [
+                {
+                    expiration: cdk.Duration.days(expirationDays),
+                    transitions: [
+                        {
+                            storageClass: StorageClass.INFREQUENT_ACCESS,
+                            transitionAfter: cdk.Duration.days(infrequentAccessTransitionDays),
+                        },
+                        {
+                            storageClass: StorageClass.GLACIER,
+                            transitionAfter: cdk.Duration.days(glacierTransitionDays),
+                        },
+                    ],
+                },
+            ],
+        });
+        // Add CloudTrail bucket policies
+        this.bucket.addToResourcePolicy(new PolicyStatement({
+            actions: ["s3:GetBucketAcl"],
+            effect: Effect.ALLOW,
+            principals: [new ServicePrincipal("cloudtrail.amazonaws.com")],
+            resources: [this.bucket.bucketArn],
+        }));
+        this.bucket.addToResourcePolicy(new PolicyStatement({
+            actions: ["s3:PutObject"],
+            conditions: {
+                StringEquals: {
+                    "s3:x-amz-acl": "bucket-owner-full-control",
+                },
+            },
+            effect: Effect.ALLOW,
+            principals: [new ServicePrincipal("cloudtrail.amazonaws.com")],
+            resources: [`${this.bucket.bucketArn}/*`],
+        }));
+        // Add tags to bucket
+        cdk.Tags.of(this.bucket).add(CDK$2.TAG.SERVICE, service);
+        cdk.Tags.of(this.bucket).add(CDK$2.TAG.ROLE, CDK$2.ROLE.MONITORING);
+        if (project) {
+            cdk.Tags.of(this.bucket).add(CDK$2.TAG.PROJECT, project);
+        }
+        // Add Datadog notifications if enabled
+        if (enableDatadogNotifications) {
+            const datadogForwarderFunction = resolveDatadogForwarderFunction(scope);
+            this.bucket.addEventNotification(EventType.OBJECT_CREATED, new LambdaDestination(datadogForwarderFunction));
+        }
+        // Create the organization trail
+        this.trail = new Trail(this, "Trail", {
+            bucket: this.bucket,
+            enableFileValidation,
+            isOrganizationTrail: true,
+            managementEvents: ReadWriteType.ALL,
+            trailName,
+        });
+        // Add tags to trail
+        cdk.Tags.of(this.trail).add(CDK$2.TAG.SERVICE, service);
+        cdk.Tags.of(this.trail).add(CDK$2.TAG.ROLE, CDK$2.ROLE.MONITORING);
+        if (project) {
+            cdk.Tags.of(this.trail).add(CDK$2.TAG.PROJECT, project);
+        }
+    }
+}
+
+/**
+ * JaypieSsoPermissions Construct
+ *
+ * Creates and manages AWS IAM Identity Center (SSO) permission sets and assignments
+ *
+ * @example
+ * const permissionSets = new JaypieSsoPermissions(this, "PermissionSets", {
+ *   iamIdentityCenterArn: "arn:aws:sso:::instance/...",
+ *   administratorGroupId: "b4c8b438-4031-7000-782d-5046945fb956",
+ *   analystGroupId: "2488f4e8-d061-708e-abe1-c315f0e30005",
+ *   developerGroupId: "b438a4f8-e0e1-707c-c6e8-21841daf9ad1",
+ *   administratorAccountAssignments: {
+ *     "211125635435": ["Administrator", "Analyst", "Developer"],
+ *     "381492033431": ["Administrator", "Analyst"],
+ *   },
+ *   analystAccountAssignments: {
+ *     "211125635435": ["Analyst", "Developer"],
+ *     "381492033431": [],
+ *   },
+ *   developerAccountAssignments: {
+ *     "211125635435": ["Analyst", "Developer"],
+ *     "381492033431": [],
+ *   },
+ * });
+ */
+class JaypieSsoPermissions extends Construct {
+    constructor(scope, id, props) {
+        super(scope, id);
+        const { iamIdentityCenterArn: iamIdentityCenterArnProp, administratorGroupId, analystGroupId, developerGroupId, administratorAccountAssignments, analystAccountAssignments, developerAccountAssignments, } = props;
+        const iamIdentityCenterArn = iamIdentityCenterArnProp || process.env.CDK_ENV_IAM_IDENTITY_CENTER_ARN;
+        if (!iamIdentityCenterArn) {
+            // If no IAM Identity Center ARN provided, skip SSO setup
+            return;
+        }
+        //
+        // Permission Sets
+        //
+        this.administratorPermissionSet = new CfnPermissionSet(this, "AdministratorPermissionSet", {
+            // Required
+            instanceArn: iamIdentityCenterArn,
+            name: "Administrator",
+            // Optional
+            description: "Unrestricted access",
+            inlinePolicy: {
+                Version: "2012-10-17",
+                Statement: [
+                    {
+                        Effect: "Allow",
+                        Action: [
+                            "aws-portal:ViewUsage",
+                            "aws-portal:ViewBilling",
+                            "budgets:*",
+                            "cur:DescribeReportDefinitions",
+                            "cur:PutReportDefinition",
+                            "cur:DeleteReportDefinition",
+                            "cur:ModifyReportDefinition",
+                        ],
+                        Resource: "*",
+                    },
+                ],
+            },
+            managedPolicies: [
+                ManagedPolicy.fromAwsManagedPolicyName("AdministratorAccess")
+                    .managedPolicyArn,
+                ManagedPolicy.fromAwsManagedPolicyName("AWSManagementConsoleBasicUserAccess").managedPolicyArn,
+            ],
+            sessionDuration: Duration.hours(1).toIsoString(),
+            tags: [
+                {
+                    key: CDK$2.TAG.SERVICE,
+                    value: CDK$2.SERVICE.SSO,
+                },
+                {
+                    key: CDK$2.TAG.ROLE,
+                    value: CDK$2.ROLE.SECURITY,
+                },
+            ],
+        });
+        this.analystPermissionSet = new CfnPermissionSet(this, "AnalystPermissionSet", {
+            // Required
+            instanceArn: iamIdentityCenterArn,
+            name: "Analyst",
+            // Optional
+            description: "Read-only access; may expand to limited write access",
+            inlinePolicy: {
+                Version: "2012-10-17",
+                Statement: [
+                    {
+                        Effect: "Allow",
+                        Action: [
+                            "aws-portal:ViewUsage",
+                            "aws-portal:ViewBilling",
+                            "budgets:Describe*",
+                            "budgets:View*",
+                            "ce:Get*",
+                            "ce:List*",
+                            "cloudformation:Describe*",
+                            "cloudformation:Get*",
+                            "cloudformation:List*",
+                            "cloudwatch:BatchGet*",
+                            "cloudwatch:Get*",
+                            "cloudwatch:List*",
+                            "cost-optimization-hub:Get*",
+                            "cost-optimization-hub:List*",
+                            "ec2:Describe*",
+                            "ec2:Get*",
+                            "ec2:List*",
+                            "ec2:Search*",
+                            "iam:Get*",
+                            "iam:List*",
+                            "iam:PassRole",
+                            "lambda:Get*",
+                            "lambda:List*",
+                            "logs:Describe*",
+                            "logs:Get*",
+                            "logs:List*",
+                            "pipes:Describe*",
+                            "pipes:List*",
+                            "s3:Get*",
+                            "s3:List*",
+                            "secretsmanager:GetRandomPassword",
+                            "secretsmanager:GetResourcePolicy",
+                            "secretsmanager:List*",
+                            "securityhub:Describe*",
+                            "securityhub:Get*",
+                            "securityhub:List*",
+                            "servicecatalog:Describe*",
+                            "sns:Get*",
+                            "sns:List*",
+                            "sqs:Get*",
+                            "sqs:List*",
+                            "states:Describe*",
+                            "states:Get*",
+                            "states:List*",
+                            "tag:*",
+                            "uxc:*",
+                            "xray:*",
+                        ],
+                        Resource: "*",
+                    },
+                ],
+            },
+            managedPolicies: [
+                ManagedPolicy.fromAwsManagedPolicyName("AmazonQDeveloperAccess")
+                    .managedPolicyArn,
+                ManagedPolicy.fromAwsManagedPolicyName("AWSManagementConsoleBasicUserAccess").managedPolicyArn,
+                ManagedPolicy.fromAwsManagedPolicyName("ReadOnlyAccess")
+                    .managedPolicyArn,
+            ],
+            sessionDuration: Duration.hours(12).toIsoString(),
+            tags: [
+                {
+                    key: CDK$2.TAG.SERVICE,
+                    value: CDK$2.SERVICE.SSO,
+                },
+                {
+                    key: CDK$2.TAG.ROLE,
+                    value: CDK$2.ROLE.SECURITY,
+                },
+            ],
+        });
+        this.developerPermissionSet = new CfnPermissionSet(this, "DeveloperPermissionSet", {
+            // Required
+            instanceArn: iamIdentityCenterArn,
+            name: "Developer",
+            // Optional
+            description: "Administrative access with limited restrictions",
+            inlinePolicy: {
+                Version: "2012-10-17",
+                Statement: [
+                    {
+                        Effect: "Allow",
+                        Action: [
+                            "budgets:*",
+                            "ce:*",
+                            "cloudformation:*",
+                            "cloudwatch:*",
+                            "cost-optimization-hub:*",
+                            "ec2:*",
+                            "iam:Get*",
+                            "iam:List*",
+                            "iam:PassRole",
+                            "lambda:*",
+                            "logs:*",
+                            "pipes:*",
+                            "s3:*",
+                            "secretsmanager:*",
+                            "securityhub:*",
+                            "servicecatalog:*",
+                            "sns:*",
+                            "sqs:*",
+                            "states:*",
+                            "tag:*",
+                            "uxc:*",
+                            "xray:*",
+                        ],
+                        Resource: "*",
+                    },
+                ],
+            },
+            managedPolicies: [
+                ManagedPolicy.fromAwsManagedPolicyName("AmazonQDeveloperAccess")
+                    .managedPolicyArn,
+                ManagedPolicy.fromAwsManagedPolicyName("AWSManagementConsoleBasicUserAccess").managedPolicyArn,
+                ManagedPolicy.fromAwsManagedPolicyName("ReadOnlyAccess")
+                    .managedPolicyArn,
+                ManagedPolicy.fromAwsManagedPolicyName("job-function/SystemAdministrator").managedPolicyArn,
+            ],
+            sessionDuration: Duration.hours(4).toIsoString(),
+            tags: [
+                {
+                    key: CDK$2.TAG.SERVICE,
+                    value: CDK$2.SERVICE.SSO,
+                },
+                {
+                    key: CDK$2.TAG.ROLE,
+                    value: CDK$2.ROLE.SECURITY,
+                },
+            ],
+        });
+        // Map permission set names to their ARNs and labels
+        const permissionSetMap = {
+            Administrator: {
+                arn: this.administratorPermissionSet.attrPermissionSetArn,
+                label: "Administrator",
+            },
+            Analyst: {
+                arn: this.analystPermissionSet.attrPermissionSetArn,
+                label: "Analyst",
+            },
+            Developer: {
+                arn: this.developerPermissionSet.attrPermissionSetArn,
+                label: "Developer",
+            },
+        };
+        //
+        // Assignments
+        //
+        // Helper function to create assignments for a group
+        const createAssignments = (groupId, accountAssignments) => {
+            if (!groupId || !accountAssignments) {
+                return; // Skip if group ID or assignments not provided
+            }
+            Object.keys(accountAssignments).forEach((accountId) => {
+                const permissionSetNames = accountAssignments[accountId];
+                permissionSetNames.forEach((permissionSetName) => {
+                    const permissionSet = permissionSetMap[permissionSetName];
+                    if (!permissionSet) {
+                        throw new ConfigurationError(`Unknown permission set: ${permissionSetName}. Valid options: ${Object.keys(permissionSetMap).join(", ")}`);
+                    }
+                    const accountAssignment = new CfnAssignment(this, `AccountAssignment-${accountId}-${permissionSet.label}Role-${groupId}Group`, {
+                        // Required
+                        instanceArn: iamIdentityCenterArn,
+                        permissionSetArn: permissionSet.arn,
+                        principalId: groupId,
+                        principalType: CDK$2.PRINCIPAL_TYPE.GROUP,
+                        targetId: accountId,
+                        targetType: CDK$2.TARGET_TYPE.AWS_ACCOUNT,
+                    });
+                    Tags.of(accountAssignment).add(CDK$2.TAG.SERVICE, CDK$2.SERVICE.SSO);
+                    Tags.of(accountAssignment).add(CDK$2.TAG.ROLE, CDK$2.ROLE.SECURITY);
+                });
+            });
+        };
+        // Create assignments for each group
+        createAssignments(administratorGroupId, administratorAccountAssignments);
+        createAssignments(analystGroupId, analystAccountAssignments);
+        createAssignments(developerGroupId, developerAccountAssignments);
+    }
+}
+
+//
+//
+// Constants
+//
+const DEFAULT_APPLICATION_ID = "arn:aws:serverlessrepo:us-east-2:004480582608:applications/SSOSync";
+const DEFAULT_APPLICATION_VERSION = "2.3.3";
+const DEFAULT_GOOGLE_GROUP_MATCH = "name:AWS*";
+//
+//
+// Class
+//
+class JaypieSsoSyncApplication extends Construct {
+    constructor(scope, id = "SsoSyncApplication", props = {}) {
+        super(scope, id);
+        const { googleAdminEmail, googleAdminEmailEnvKey = "CDK_ENV_SSOSYNC_GOOGLE_ADMIN_EMAIL", googleCredentials, googleCredentialsEnvKey = "CDK_ENV_SSOSYNC_GOOGLE_CREDENTIALS", googleGroupMatch, googleGroupMatchEnvKey = "CDK_ENV_SSOSYNC_GOOGLE_GROUP_MATCH", identityStoreId, identityStoreIdEnvKey = "CDK_ENV_SSOSYNC_IDENTITY_STORE_ID", scimEndpointAccessToken, scimEndpointAccessTokenEnvKey = "CDK_ENV_SCIM_ENDPOINT_ACCESS_TOKEN", scimEndpointUrl, scimEndpointUrlEnvKey = "CDK_ENV_SSOSYNC_SCIM_ENDPOINT_URL", semanticVersion, semanticVersionEnvKey = "CDK_ENV_SSOSYNC_SEMANTIC_VERSION", ssoSyncApplicationId = DEFAULT_APPLICATION_ID, tags, } = props;
+        // Resolve all values from props or environment variables
+        const resolvedGoogleAdminEmail = googleAdminEmail || process.env[googleAdminEmailEnvKey];
+        const resolvedGoogleCredentials = googleCredentials || process.env[googleCredentialsEnvKey];
+        const resolvedGoogleGroupMatch = googleGroupMatch ||
+            process.env[googleGroupMatchEnvKey] ||
+            DEFAULT_GOOGLE_GROUP_MATCH;
+        const resolvedIdentityStoreId = identityStoreId || process.env[identityStoreIdEnvKey];
+        const resolvedScimEndpointAccessToken = scimEndpointAccessToken || process.env[scimEndpointAccessTokenEnvKey];
+        const resolvedScimEndpointUrl = scimEndpointUrl || process.env[scimEndpointUrlEnvKey];
+        const resolvedSemanticVersion = semanticVersion ||
+            process.env[semanticVersionEnvKey] ||
+            DEFAULT_APPLICATION_VERSION;
+        // Validate required parameters
+        const missingParams = [];
+        if (!resolvedGoogleAdminEmail) {
+            missingParams.push(`googleAdminEmail or ${googleAdminEmailEnvKey} environment variable`);
+        }
+        if (!resolvedGoogleCredentials) {
+            missingParams.push(`googleCredentials or ${googleCredentialsEnvKey} environment variable`);
+        }
+        if (!resolvedIdentityStoreId) {
+            missingParams.push(`identityStoreId or ${identityStoreIdEnvKey} environment variable`);
+        }
+        if (!resolvedScimEndpointAccessToken) {
+            missingParams.push(`scimEndpointAccessToken or ${scimEndpointAccessTokenEnvKey} environment variable`);
+        }
+        if (!resolvedScimEndpointUrl) {
+            missingParams.push(`scimEndpointUrl or ${scimEndpointUrlEnvKey} environment variable`);
+        }
+        if (missingParams.length > 0) {
+            throw new ConfigurationError(`JaypieSsoSyncApplication missing required configuration: ${missingParams.join(", ")}`);
+        }
+        // Create the SSO Sync Application
+        // Type assertion is safe because we validated all required values above
+        this._application = new CfnApplication(this, "Application", {
+            location: {
+                applicationId: ssoSyncApplicationId,
+                semanticVersion: resolvedSemanticVersion,
+            },
+            parameters: {
+                GoogleAdminEmail: resolvedGoogleAdminEmail,
+                GoogleCredentials: resolvedGoogleCredentials,
+                GoogleGroupMatch: resolvedGoogleGroupMatch,
+                IdentityStoreID: resolvedIdentityStoreId,
+                Region: Stack.of(this).region,
+                SCIMEndpointAccessToken: resolvedScimEndpointAccessToken,
+                SCIMEndpointUrl: resolvedScimEndpointUrl,
+            },
+        });
+        // Add tags
+        const defaultTags = {
+            [CDK$2.TAG.ROLE]: CDK$2.ROLE.SECURITY,
+        };
+        const allTags = { ...defaultTags, ...tags };
+        Object.entries(allTags).forEach(([key, value]) => {
+            Tags.of(this._application).add(key, value);
+        });
+    }
+    get application() {
+        return this._application;
+    }
+}
+
+class JaypieWebDeploymentBucket extends Construct {
+    constructor(scope, id, props = {}) {
+        super(scope, id);
+        const roleTag = props.roleTag || CDK$2.ROLE.HOSTING;
+        // Environment variable validation
+        if (process.env.CDK_ENV_WEB_SUBDOMAIN &&
+            !isValidSubdomain(process.env.CDK_ENV_WEB_SUBDOMAIN)) {
+            throw new ConfigurationError("CDK_ENV_WEB_SUBDOMAIN is not a valid subdomain");
+        }
+        if (process.env.CDK_ENV_WEB_HOSTED_ZONE &&
+            !isValidHostname$1(process.env.CDK_ENV_WEB_HOSTED_ZONE)) {
+            throw new ConfigurationError("CDK_ENV_WEB_HOSTED_ZONE is not a valid hostname");
+        }
+        if (process.env.CDK_ENV_HOSTED_ZONE &&
+            !isValidHostname$1(process.env.CDK_ENV_HOSTED_ZONE)) {
+            throw new ConfigurationError("CDK_ENV_HOSTED_ZONE is not a valid hostname");
+        }
+        // Determine host from props or environment
+        let host = props.host;
+        if (!host) {
+            try {
+                host =
+                    process.env.CDK_ENV_WEB_HOST ||
+                        mergeDomain(process.env.CDK_ENV_WEB_SUBDOMAIN || "", process.env.CDK_ENV_WEB_HOSTED_ZONE ||
+                            process.env.CDK_ENV_HOSTED_ZONE ||
+                            "");
+            }
+            catch {
+                host = undefined;
+            }
+        }
+        if (host && !isValidHostname$1(host)) {
+            throw new ConfigurationError("Host is not a valid hostname");
+        }
+        // Determine zone from props or environment
+        const zone = props.zone ||
+            process.env.CDK_ENV_WEB_HOSTED_ZONE ||
+            process.env.CDK_ENV_HOSTED_ZONE;
+        // Create the S3 bucket
+        this.bucket = new s3.Bucket(this, "DestinationBucket", {
+            accessControl: s3.BucketAccessControl.BUCKET_OWNER_FULL_CONTROL,
+            autoDeleteObjects: true,
+            blockPublicAccess: s3.BlockPublicAccess.BLOCK_ACLS_ONLY,
+            bucketName: props.name || constructEnvName("web"),
+            publicReadAccess: true,
+            removalPolicy: RemovalPolicy.DESTROY,
+            versioned: false,
+            websiteErrorDocument: "index.html",
+            websiteIndexDocument: "index.html",
+            ...props,
+        });
+        // Delegate IBucket properties to the bucket
+        this.bucketArn = this.bucket.bucketArn;
+        this.bucketDomainName = this.bucket.bucketDomainName;
+        this.bucketDualStackDomainName = this.bucket.bucketDualStackDomainName;
+        this.bucketName = this.bucket.bucketName;
+        this.bucketRegionalDomainName = this.bucket.bucketRegionalDomainName;
+        this.bucketWebsiteDomainName = this.bucket.bucketWebsiteDomainName;
+        this.bucketWebsiteUrl = this.bucket.bucketWebsiteUrl;
+        this.encryptionKey = this.bucket.encryptionKey;
+        this.isWebsite = this.bucket.isWebsite;
+        this.notificationsHandlerRole = undefined;
+        this.policy = this.bucket.policy;
+        Tags.of(this.bucket).add(CDK$2.TAG.ROLE, roleTag);
+        // Create deployment role if repository is configured
+        let repo;
+        if (process.env.CDK_ENV_REPO) {
+            repo = `repo:${process.env.CDK_ENV_REPO}:*`;
+        }
+        if (repo) {
+            const bucketDeployRole = new Role(this, "DestinationBucketDeployRole", {
+                assumedBy: new FederatedPrincipal(Fn.importValue(CDK$2.IMPORT.OIDC_PROVIDER), {
+                    StringLike: {
+                        "token.actions.githubusercontent.com:sub": repo,
+                    },
+                }, "sts:AssumeRoleWithWebIdentity"),
+                maxSessionDuration: Duration.hours(1),
+            });
+            Tags.of(bucketDeployRole).add(CDK$2.TAG.ROLE, CDK$2.ROLE.DEPLOY);
+            // Allow the role to write to the bucket
+            bucketDeployRole.addToPolicy(new PolicyStatement({
+                effect: Effect.ALLOW,
+                actions: [
+                    "s3:DeleteObject",
+                    "s3:GetObject",
+                    "s3:ListObjectsV2",
+                    "s3:PutObject",
+                ],
+                resources: [`${this.bucket.bucketArn}/*`],
+            }));
+            bucketDeployRole.addToPolicy(new PolicyStatement({
+                effect: Effect.ALLOW,
+                actions: ["s3:ListBucket"],
+                resources: [this.bucket.bucketArn],
+            }));
+            // Allow the role to describe the current stack
+            const stack = Stack.of(this);
+            bucketDeployRole.addToPolicy(new PolicyStatement({
+                actions: ["cloudformation:DescribeStacks"],
+                effect: Effect.ALLOW,
+                resources: [
+                    `arn:aws:cloudformation:${stack.region}:${stack.account}:stack/${stack.stackName}/*`,
+                ],
+            }));
+            this.deployRoleArn = bucketDeployRole.roleArn;
+            // Output the deploy role ARN
+            new CfnOutput(this, "DestinationBucketDeployRoleArn", {
+                value: bucketDeployRole.roleArn,
+            });
+        }
+        // Create CloudFront distribution and certificate if host and zone are provided
+        if (host && zone) {
+            let hostedZone;
+            if (typeof zone === "string") {
+                hostedZone = route53.HostedZone.fromLookup(this, "HostedZone", {
+                    domainName: zone,
+                });
+            }
+            else if (zone instanceof JaypieHostedZone) {
+                hostedZone = zone.hostedZone;
+            }
+            else {
+                hostedZone = zone;
+            }
+            // Create certificate if not provided
+            if (props.certificate !== false) {
+                this.certificate =
+                    typeof props.certificate === "object"
+                        ? props.certificate
+                        : new acm.Certificate(this, "Certificate", {
+                            domainName: host,
+                            validation: acm.CertificateValidation.fromDns(hostedZone),
+                        });
+                new CfnOutput(this, "CertificateArn", {
+                    value: this.certificate.certificateArn,
+                });
+                Tags.of(this.certificate).add(CDK$2.TAG.ROLE, roleTag);
+            }
+            // Create CloudFront distribution
+            this.distribution = new cloudfront.Distribution(this, "Distribution", {
+                defaultBehavior: {
+                    cachePolicy: cloudfront.CachePolicy.CACHING_DISABLED,
+                    origin: new origins.S3StaticWebsiteOrigin(this.bucket),
+                    viewerProtocolPolicy: cloudfront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
+                },
+                certificate: this.certificate,
+                domainNames: [host],
+            });
+            Tags.of(this.distribution).add(CDK$2.TAG.ROLE, roleTag);
+            // If this is production, enable caching on everything but index.html
+            if (isProductionEnv()) {
+                this.distribution.addBehavior("/*", new origins.S3StaticWebsiteOrigin(this.bucket), {
+                    viewerProtocolPolicy: cloudfront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
+                    cachePolicy: cloudfront.CachePolicy.CACHING_OPTIMIZED,
+                });
+            }
+            // Create DNS record
+            const record = new route53.ARecord(this, "AliasRecord", {
+                recordName: host,
+                target: route53.RecordTarget.fromAlias(new route53Targets.CloudFrontTarget(this.distribution)),
+                zone: hostedZone,
+            });
+            Tags.of(record).add(CDK$2.TAG.ROLE, CDK$2.ROLE.NETWORKING);
+            this.distributionDomainName = this.distribution.distributionDomainName;
+        }
+    }
+    // Implement remaining IBucket methods by delegating to the bucket
+    addEventNotification(event, dest, ...filters) {
+        this.bucket.addEventNotification(event, dest, ...filters);
+    }
+    addObjectCreatedNotification(dest, ...filters) {
+        this.bucket.addObjectCreatedNotification(dest, ...filters);
+    }
+    addObjectRemovedNotification(dest, ...filters) {
+        this.bucket.addObjectRemovedNotification(dest, ...filters);
+    }
+    addToResourcePolicy(permission) {
+        return this.bucket.addToResourcePolicy(permission);
+    }
+    arnForObjects(keyPattern) {
+        return this.bucket.arnForObjects(keyPattern);
+    }
+    grantDelete(identity, objectsKeyPattern) {
+        return this.bucket.grantDelete(identity, objectsKeyPattern);
+    }
+    grantPublicAccess(allowedActions, keyPrefix) {
+        return keyPrefix
+            ? this.bucket.grantPublicAccess(allowedActions, keyPrefix)
+            : this.bucket.grantPublicAccess(allowedActions);
+    }
+    grantPut(identity, objectsKeyPattern) {
+        return this.bucket.grantPut(identity, objectsKeyPattern);
+    }
+    grantPutAcl(identity, objectsKeyPattern) {
+        return this.bucket.grantPutAcl(identity, objectsKeyPattern);
+    }
+    grantRead(identity, objectsKeyPattern) {
+        return this.bucket.grantRead(identity, objectsKeyPattern);
+    }
+    grantReadWrite(identity, objectsKeyPattern) {
+        return this.bucket.grantReadWrite(identity, objectsKeyPattern);
+    }
+    grantWrite(identity, objectsKeyPattern) {
+        return this.bucket.grantWrite(identity, objectsKeyPattern);
+    }
+    grantReplicationPermission(identity, props) {
+        return this.bucket.grantReplicationPermission(identity, props);
+    }
+    s3UrlForObject(key) {
+        return this.bucket.s3UrlForObject(key);
+    }
+    urlForObject(key) {
+        return this.bucket.urlForObject(key);
+    }
+    virtualHostedUrlForObject(key, options) {
+        return this.bucket.virtualHostedUrlForObject(key, options);
+    }
+    transferAccelerationUrlForObject(key) {
+        return this.bucket.transferAccelerationUrlForObject(key);
+    }
+    onCloudTrailEvent(id, options) {
+        return this.bucket.onCloudTrailEvent(id, options);
+    }
+    onCloudTrailPutObject(id, options) {
+        return this.bucket.onCloudTrailPutObject(id, options);
+    }
+    onCloudTrailWriteObject(id, options) {
+        return this.bucket.onCloudTrailWriteObject(id, options);
+    }
+    addCorsRule(rule) {
+        this.bucket.addCorsRule(rule);
+    }
+    addInventory(inventory) {
+        this.bucket.addInventory(inventory);
+    }
+    addLifecycleRule(rule) {
+        this.bucket.addLifecycleRule(rule);
+    }
+    addMetric(metric) {
+        this.bucket.addMetric(metric);
+    }
+    enableEventBridgeNotification() {
+        this.bucket.enableEventBridgeNotification();
+    }
+    addReplicationPolicy(policy) {
+        this.bucket.addReplicationPolicy(policy);
+    }
+    get stack() {
+        return this.bucket.stack;
+    }
+    get env() {
+        return this.bucket.env;
+    }
+    applyRemovalPolicy(policy) {
+        this.bucket.applyRemovalPolicy(policy);
+    }
+    get bucketRef() {
+        return {
+            bucketArn: this.bucket.bucketArn,
+            bucketName: this.bucket.bucketName,
+        };
+    }
+}
+
+class JaypieStaticWebBucket extends JaypieWebDeploymentBucket {
+    constructor(scope, id, props = {}) {
+        // Handle overloaded signatures: (scope), (scope, props), (scope, id, props)
+        let resolvedId;
+        let resolvedProps;
+        if (typeof id === "string") {
+            resolvedId = id;
+            resolvedProps = props;
+        }
+        else if (typeof id === "object") {
+            resolvedId = "JaypieStaticWebBucket";
+            resolvedProps = id;
+        }
+        else {
+            resolvedId = "JaypieStaticWebBucket";
+            resolvedProps = props;
+        }
+        const host = resolvedProps.host ?? envHostname({ subdomain: "static" });
+        const name = resolvedProps.name ?? constructEnvName("static");
+        const roleTag = resolvedProps.roleTag ?? CDK$2.ROLE.HOSTING;
+        // Only use default zone if zone is not explicitly provided (including undefined)
+        const zone = "zone" in resolvedProps
+            ? resolvedProps.zone
+            : process.env.CDK_ENV_DOMAIN || process.env.CDK_ENV_HOSTED_ZONE;
+        super(scope, resolvedId, {
+            ...resolvedProps,
+            host,
+            name,
+            roleTag,
+            zone,
+        });
+    }
+}
+
+class JaypieTraceSigningKeySecret extends JaypieEnvSecret {
+    constructor(scope, id = "TraceSigningKey", props) {
+        const defaultProps = {
+            envKey: "TRACE_SIGNING_KEY",
+            roleTag: CDK$2.ROLE.API,
+            vendorTag: CDK$2.VENDOR.KNOWTRACE,
+            ...props,
+        };
+        super(scope, id, defaultProps);
+    }
+}
+
+export { CDK$2 as CDK, JaypieAccountLoggingBucket, JaypieApiGateway, JaypieAppStack, JaypieBucketQueuedLambda, JaypieDatadogBucket, JaypieDatadogForwarder, JaypieDatadogSecret, JaypieDistribution, JaypieDnsRecord, JaypieEnvSecret, JaypieEventsRule, JaypieExpressLambda, JaypieGitHubDeployRole, JaypieHostedZone, JaypieInfrastructureStack, JaypieLambda, JaypieMongoDbSecret, JaypieNextJs, JaypieOpenAiSecret, JaypieOrganizationTrail, JaypieQueuedLambda, JaypieSsoPermissions, JaypieSsoSyncApplication, JaypieStack, JaypieStaticWebBucket, JaypieTraceSigningKeySecret, JaypieWebDeploymentBucket, addDatadogLayers, clearAllSecretsCaches, clearSecretsCache, constructEnvName, constructStackName, constructTagger, envHostname, extendDatadogRole, isEnv, isProductionEnv, isSandboxEnv, isValidHostname$1 as isValidHostname, isValidSubdomain, jaypieLambdaEnv, mergeDomain, resolveDatadogForwarderFunction, resolveDatadogLayers, resolveDatadogLoggingDestination, resolveEnvironment, resolveHostedZone, resolveParamsAndSecrets, resolveSecrets };
+//# sourceMappingURL=index.js.map