@jaypie/constructs 1.2.57 → 1.2.59

package/dist/cjs/index.d.ts

@@ -24,6 +24,7 @@ export { DomainNameConfig, JaypieNextJs, JaypieNextjsProps, } from "./JaypieNext
 export { JaypieOpenAiSecret } from "./JaypieOpenAiSecret";
 export { JaypieOrganizationTrail, JaypieOrganizationTrailProps, } from "./JaypieOrganizationTrail";
 export { JaypieQueuedLambda } from "./JaypieQueuedLambda";
+export { JaypieSecret, JaypieSecretProps } from "./JaypieSecret";
 export { AccountAssignments, JaypieSsoPermissions, JaypieSsoPermissionsProps, } from "./JaypieSsoPermissions";
 export { JaypieSsoSyncApplication, JaypieSsoSyncApplicationProps, } from "./JaypieSsoSyncApplication";
 export { JaypieStack, JaypieStackProps } from "./JaypieStack";

package/dist/esm/JaypieEnvSecret.d.ts

@@ -1,43 +1,18 @@
 import { Construct } from "constructs";
-import { SecretValue, RemovalPolicy, Stack } from "aws-cdk-lib";
 import * as secretsmanager from "aws-cdk-lib/aws-secretsmanager";
-import { ISecret, ISecretAttachmentTarget, RotationSchedule, RotationScheduleOptions } from "aws-cdk-lib/aws-secretsmanager";
-import { IKey } from "aws-cdk-lib/aws-kms";
-import { Grant, IGrantable, PolicyStatement, AddToResourcePolicyResult } from "aws-cdk-lib/aws-iam";
-export interface JaypieEnvSecretProps {
+import { BuildSecretContext, JaypieSecret, JaypieSecretProps } from "./JaypieSecret";
+export interface JaypieEnvSecretProps extends JaypieSecretProps {
     consumer?: boolean;
-    envKey?: string;
     export?: string;
-    generateSecretString?: secretsmanager.SecretStringGenerator;
     provider?: boolean;
-    removalPolicy?: boolean | RemovalPolicy;
-    roleTag?: string;
-    vendorTag?: string;
-    value?: string;
 }
-export declare class JaypieEnvSecret extends Construct implements ISecret {
-    private readonly _envKey?;
-    private readonly _secret;
+/**
+ * @deprecated Use {@link JaypieSecret}. JaypieEnvSecret layers an
+ * environment-driven provider/consumer cross-stack pattern on top of
+ * JaypieSecret and will be removed in 2.0.
+ */
+export declare class JaypieEnvSecret extends JaypieSecret {
+    protected static readonly shorthandPrefix: string;
     constructor(scope: Construct, idOrEnvKey: string, props?: JaypieEnvSecretProps);
-    get stack(): Stack;
-    get env(): {
-        account: string;
-        region: string;
-    };
-    applyRemovalPolicy(policy: RemovalPolicy): void;
-    get secretArn(): string;
-    get secretFullArn(): string | undefined;
-    get secretName(): string;
-    get secretRef(): secretsmanager.SecretReference;
-    get encryptionKey(): IKey | undefined;
-    get secretValue(): SecretValue;
-    secretValueFromJson(key: string): SecretValue;
-    grantRead(grantee: IGrantable, versionStages?: string[]): Grant;
-    grantWrite(grantee: IGrantable): Grant;
-    addRotationSchedule(id: string, options: RotationScheduleOptions): RotationSchedule;
-    addToResourcePolicy(statement: PolicyStatement): AddToResourcePolicyResult;
-    denyAccountRootDelete(): void;
-    attach(target: ISecretAttachmentTarget): ISecret;
-    cfnDynamicReferenceKey(options?: Parameters<ISecret["cfnDynamicReferenceKey"]>[0]): string;
-    get envKey(): string | undefined;
+    protected buildSecret(context: BuildSecretContext): secretsmanager.ISecret;
 }

package/dist/esm/JaypieLambda.d.ts

@@ -64,13 +64,14 @@ export interface JaypieLambdaProps {
     /**
      * Secrets to make available to the Lambda function.
      *
-     * Supports both JaypieEnvSecret instances and strings:
-     * - JaypieEnvSecret: used directly
+     * Supports both JaypieSecret instances and strings:
+     * - JaypieSecret (including JaypieEnvSecret): used directly
      * - String: creates a JaypieEnvSecret with the string as envKey
      *   (reuses existing secrets within the same scope)
      */
     secrets?: SecretsArrayItem[];
     securityGroups?: ec2.ISecurityGroup[];
+    serviceTag?: string;
     timeout?: Duration | number;
     tracing?: lambda.Tracing;
     vendorTag?: string;

package/dist/esm/JaypieNextJs.d.ts

@@ -44,8 +44,8 @@ export interface JaypieNextjsProps {
     /**
      * Secrets to make available to the Next.js application.
      *
-     * Supports both JaypieEnvSecret instances and strings:
-     * - JaypieEnvSecret: used directly
+     * Supports both JaypieSecret instances and strings:
+     * - JaypieSecret (including JaypieEnvSecret): used directly
      * - String: creates a JaypieEnvSecret with the string as envKey
      *   (reuses existing secrets within the same scope)
      */

package/dist/esm/JaypieSecret.d.ts

@@ -0,0 +1,59 @@
+import { Construct } from "constructs";
+import { RemovalPolicy, SecretValue, Stack } from "aws-cdk-lib";
+import * as secretsmanager from "aws-cdk-lib/aws-secretsmanager";
+import { ISecret, ISecretAttachmentTarget, RotationSchedule, RotationScheduleOptions } from "aws-cdk-lib/aws-secretsmanager";
+import { IKey } from "aws-cdk-lib/aws-kms";
+import { AddToResourcePolicyResult, Grant, IGrantable, PolicyStatement } from "aws-cdk-lib/aws-iam";
+export interface JaypieSecretProps {
+    envKey?: string;
+    generateSecretString?: secretsmanager.SecretStringGenerator;
+    removalPolicy?: boolean | RemovalPolicy;
+    roleTag?: string;
+    vendorTag?: string;
+    value?: string;
+}
+/**
+ * Context handed to {@link JaypieSecret.buildSecret} so subclasses can build the
+ * underlying secret differently (e.g. import vs. create) while reusing the
+ * shared id/envKey resolution and the full ISecret passthrough.
+ */
+export interface BuildSecretContext {
+    envKey?: string;
+    id: string;
+    props: JaypieSecretProps;
+    treatAsEnvKey: boolean;
+}
+export declare class JaypieSecret extends Construct implements ISecret {
+    protected static readonly shorthandPrefix: string;
+    protected readonly _envKey?: string;
+    protected readonly _secret: secretsmanager.ISecret;
+    constructor(scope: Construct, idOrEnvKey: string, props?: JaypieSecretProps);
+    /**
+     * Builds the underlying secret. The base implementation always creates a new
+     * Secrets Manager secret from an envKey value, an explicit value, or a
+     * generated string. Subclasses may override to import an existing secret or
+     * emit cross-stack outputs.
+     */
+    protected buildSecret(context: BuildSecretContext): secretsmanager.ISecret;
+    get stack(): Stack;
+    get env(): {
+        account: string;
+        region: string;
+    };
+    applyRemovalPolicy(policy: RemovalPolicy): void;
+    get secretArn(): string;
+    get secretFullArn(): string | undefined;
+    get secretName(): string;
+    get secretRef(): secretsmanager.SecretReference;
+    get encryptionKey(): IKey | undefined;
+    get secretValue(): SecretValue;
+    secretValueFromJson(key: string): SecretValue;
+    grantRead(grantee: IGrantable, versionStages?: string[]): Grant;
+    grantWrite(grantee: IGrantable): Grant;
+    addRotationSchedule(id: string, options: RotationScheduleOptions): RotationSchedule;
+    addToResourcePolicy(statement: PolicyStatement): AddToResourcePolicyResult;
+    denyAccountRootDelete(): void;
+    attach(target: ISecretAttachmentTarget): ISecret;
+    cfnDynamicReferenceKey(options?: Parameters<ISecret["cfnDynamicReferenceKey"]>[0]): string;
+    get envKey(): string | undefined;
+}

package/dist/esm/__tests__/JaypieSecret.spec.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/esm/helpers/resolveSecrets.d.ts

@@ -1,17 +1,17 @@
 import { Construct } from "constructs";
-import { JaypieEnvSecret } from "../JaypieEnvSecret.js";
+import { JaypieSecret } from "../JaypieSecret.js";
 /**
- * Secrets input type that supports both JaypieEnvSecret instances and strings
- * - JaypieEnvSecret: passed through as-is
- * - string: converted to JaypieEnvSecret with the string as envKey
+ * Secrets input type that supports both JaypieSecret instances and strings
+ * - JaypieSecret (including JaypieEnvSecret subclasses): passed through as-is
+ * - string: converted to a JaypieEnvSecret with the string as envKey
  */
-export type SecretsArrayItem = JaypieEnvSecret | string;
+export type SecretsArrayItem = JaypieSecret | string;
 /**
- * Resolves secrets input to an array of JaypieEnvSecret instances.
+ * Resolves secrets input to an array of JaypieSecret instances.
  *
- * When an item is already a JaypieEnvSecret, it's passed through as-is.
- * When an item is a string, a JaypieEnvSecret is created (or reused from cache)
- * with the string as the envKey.
+ * When an item is already a JaypieSecret (including a JaypieEnvSecret), it's
+ * passed through as-is. When an item is a string, a JaypieEnvSecret is created
+ * (or reused from cache) with the string as the envKey.
  *
  * Secrets are cached per scope to avoid creating duplicate secrets when
  * multiple constructs in the same scope reference the same secret.
@@ -39,7 +39,7 @@ export type SecretsArrayItem = JaypieEnvSecret | string;
  * const secrets2 = resolveSecrets(scope, ["SHARED_SECRET"]);
  * // secrets1[0] === secrets2[0] (same instance)
  */
-export declare function resolveSecrets(scope: Construct, secrets?: SecretsArrayItem[]): JaypieEnvSecret[];
+export declare function resolveSecrets(scope: Construct, secrets?: SecretsArrayItem[]): JaypieSecret[];
 /**
  * Clears the secrets cache for a given scope.
  * Primarily useful for testing.

package/dist/esm/index.d.ts

@@ -24,6 +24,7 @@ export { DomainNameConfig, JaypieNextJs, JaypieNextjsProps, } from "./JaypieNext
 export { JaypieOpenAiSecret } from "./JaypieOpenAiSecret";
 export { JaypieOrganizationTrail, JaypieOrganizationTrailProps, } from "./JaypieOrganizationTrail";
 export { JaypieQueuedLambda } from "./JaypieQueuedLambda";
+export { JaypieSecret, JaypieSecretProps } from "./JaypieSecret";
 export { AccountAssignments, JaypieSsoPermissions, JaypieSsoPermissionsProps, } from "./JaypieSsoPermissions";
 export { JaypieSsoSyncApplication, JaypieSsoSyncApplicationProps, } from "./JaypieSsoSyncApplication";
 export { JaypieStack, JaypieStackProps } from "./JaypieStack";

package/dist/esm/index.js

@@ -1,5 +1,5 @@
 import * as cdk from 'aws-cdk-lib';
-import { Tags, Stack, Fn, CfnOutput, SecretValue, RemovalPolicy, Duration, CfnStack } from 'aws-cdk-lib';
+import { Tags, Stack, SecretValue, RemovalPolicy, Fn, CfnOutput, Duration, CfnStack } from 'aws-cdk-lib';
 import * as s3 from 'aws-cdk-lib/aws-s3';
 import { Bucket, StorageClass, BucketAccessControl, EventType } from 'aws-cdk-lib/aws-s3';
 import { Construct } from 'constructs';
@@ -937,115 +937,67 @@ const resolveParamsAndSecrets = ({ paramsAndSecrets, options, } = {}) => {
     return resolvedParamsAndSecrets;
 };
 
-// It is a consumer if the environment is ephemeral
-function checkEnvIsConsumer$1(env = process.env) {
-    return (env.PROJECT_ENV === CDK$2.ENV.PERSONAL ||
-        !!env.CDK_ENV_PERSONAL ||
-        /** @deprecated */ env.PROJECT_ENV === "ephemeral" ||
-        /** @deprecated */ !!env.CDK_ENV_EPHEMERAL);
-}
-function checkEnvIsProvider$1(env = process.env) {
-    return env.PROJECT_ENV === CDK$2.ENV.SANDBOX;
-}
-function cleanName$1(name) {
-    return name.replace(/[^a-zA-Z0-9:-]/g, "");
-}
-function exportEnvName$1(name, env = process.env, consumer = false) {
-    let rawName;
-    if (checkEnvIsProvider$1(env)) {
-        rawName = `env-${env.PROJECT_ENV}-${env.PROJECT_KEY}-${name}`;
-        // Clean the entire name to only allow alphanumeric, colons, and hyphens
-        return cleanName$1(rawName);
-    }
-    else {
-        if (consumer || checkEnvIsConsumer$1(env)) {
-            rawName = `env-${CDK$2.ENV.SANDBOX}-${env.PROJECT_KEY}-${name}`;
-        }
-        else {
-            rawName = `env-${env.PROJECT_ENV}-${env.PROJECT_KEY}-${name}`;
-        }
-    }
-    return cleanName$1(rawName);
-}
-class JaypieEnvSecret extends Construct {
+class JaypieSecret extends Construct {
     constructor(scope, idOrEnvKey, props) {
         // Shorthand detection: treat idOrEnvKey as envKey when envKey prop is
         // not set and idOrEnvKey either looks like a SCREAMING_SNAKE_CASE env
         // var name or is already present in process.env. Convention-based
         // detection ensures missing env vars still go through envKey validation
         // instead of silently creating an empty secret.
+        const prefix = new.target.shorthandPrefix;
         const looksLikeEnvKey = /^[A-Z][A-Z0-9_]*$/.test(idOrEnvKey);
         const treatAsEnvKey = (!props || props.envKey === undefined) &&
             (looksLikeEnvKey ||
                 (typeof process.env[idOrEnvKey] === "string" &&
                     process.env[idOrEnvKey] !== ""));
-        const id = treatAsEnvKey ? `EnvSecret_${idOrEnvKey}` : idOrEnvKey;
+        const id = treatAsEnvKey ? `${prefix}${idOrEnvKey}` : idOrEnvKey;
         super(scope, id);
-        const { consumer = checkEnvIsConsumer$1(), envKey: envKeyProp, export: exportParam, generateSecretString, provider = checkEnvIsProvider$1(), removalPolicy, roleTag, vendorTag, value, } = props || {};
-        const envKey = treatAsEnvKey ? idOrEnvKey : envKeyProp;
+        const envKey = treatAsEnvKey ? idOrEnvKey : props?.envKey;
         this._envKey = envKey;
-        let exportName;
-        if (!exportParam) {
-            // When shorthand detection is active, use the full construct id (which
-            // includes the "EnvSecret_" prefix) so the export name matches what was
-            // produced by earlier versions of this construct. Using the raw envKey
-            // here produces a shorter name that breaks existing cross-stack imports.
-            const exportSource = treatAsEnvKey ? id : envKey || id;
-            exportName = exportEnvName$1(exportSource, process.env, consumer);
-        }
-        else {
-            exportName = cleanName$1(exportParam);
-        }
-        if (!consumer &&
-            envKey &&
+        this._secret = this.buildSecret({
+            envKey,
+            id,
+            props: props || {},
+            treatAsEnvKey,
+        });
+    }
+    /**
+     * Builds the underlying secret. The base implementation always creates a new
+     * Secrets Manager secret from an envKey value, an explicit value, or a
+     * generated string. Subclasses may override to import an existing secret or
+     * emit cross-stack outputs.
+     */
+    buildSecret(context) {
+        const { envKey, id, props } = context;
+        const { generateSecretString, removalPolicy, roleTag, vendorTag, value } = props;
+        if (envKey &&
             !process.env[envKey] &&
             value === undefined &&
             !generateSecretString) {
-            throw new ConfigurationError(`JaypieEnvSecret(${id}): envKey "${envKey}" is empty in process.env and no value or generateSecretString was provided`);
+            throw new ConfigurationError(`JaypieSecret(${id}): envKey "${envKey}" is empty in process.env and no value or generateSecretString was provided`);
         }
-        if (consumer) {
-            const secretName = Fn.importValue(exportName);
-            this._secret = secretsmanager.Secret.fromSecretNameV2(this, id, secretName);
-            // Add CfnOutput for consumer secrets
-            new CfnOutput(this, `ConsumedName`, {
-                value: this._secret.secretName,
-            });
+        const secretValue = envKey && process.env[envKey] ? process.env[envKey] : value;
+        const secret = new secretsmanager.Secret(this, id, {
+            generateSecretString,
+            secretStringValue: !generateSecretString && secretValue
+                ? SecretValue.unsafePlainText(secretValue)
+                : undefined,
+        });
+        if (removalPolicy !== undefined) {
+            const policy = typeof removalPolicy === "boolean"
+                ? removalPolicy
+                    ? RemovalPolicy.RETAIN
+                    : RemovalPolicy.DESTROY
+                : removalPolicy;
+            secret.applyRemovalPolicy(policy);
         }
-        else {
-            const secretValue = envKey && process.env[envKey] ? process.env[envKey] : value;
-            const secretProps = {
-                generateSecretString,
-                secretStringValue: !generateSecretString && secretValue
-                    ? SecretValue.unsafePlainText(secretValue)
-                    : undefined,
-            };
-            this._secret = new secretsmanager.Secret(this, id, secretProps);
-            if (removalPolicy !== undefined) {
-                const policy = typeof removalPolicy === "boolean"
-                    ? removalPolicy
-                        ? RemovalPolicy.RETAIN
-                        : RemovalPolicy.DESTROY
-                    : removalPolicy;
-                this._secret.applyRemovalPolicy(policy);
-            }
-            if (roleTag) {
-                Tags.of(this._secret).add(CDK$2.TAG.ROLE, roleTag);
-            }
-            if (vendorTag) {
-                Tags.of(this._secret).add(CDK$2.TAG.VENDOR, vendorTag);
-            }
-            if (provider) {
-                new CfnOutput(this, `ProvidedName`, {
-                    value: this._secret.secretName,
-                    exportName,
-                });
-            }
-            else {
-                new CfnOutput(this, `CreatedName`, {
-                    value: this._secret.secretName,
-                });
-            }
+        if (roleTag) {
+            Tags.of(secret).add(CDK$2.TAG.ROLE, roleTag);
+        }
+        if (vendorTag) {
+            Tags.of(secret).add(CDK$2.TAG.VENDOR, vendorTag);
         }
+        return secret;
     }
     // IResource implementation
     get stack() {
@@ -1107,6 +1059,117 @@ class JaypieEnvSecret extends Construct {
         return this._envKey;
     }
 }
+// Construct id prefix used when an envKey is detected via shorthand.
+// Subclasses override this to preserve their own naming conventions.
+JaypieSecret.shorthandPrefix = "Secret_";
+
+// It is a consumer if the environment is ephemeral
+function checkEnvIsConsumer$1(env = process.env) {
+    return (env.PROJECT_ENV === CDK$2.ENV.PERSONAL ||
+        !!env.CDK_ENV_PERSONAL ||
+        /** @deprecated */ env.PROJECT_ENV === "ephemeral" ||
+        /** @deprecated */ !!env.CDK_ENV_EPHEMERAL);
+}
+function checkEnvIsProvider$1(env = process.env) {
+    return env.PROJECT_ENV === CDK$2.ENV.SANDBOX;
+}
+function cleanName$1(name) {
+    return name.replace(/[^a-zA-Z0-9:-]/g, "");
+}
+function exportEnvName$1(name, env = process.env, consumer = false) {
+    let rawName;
+    if (checkEnvIsProvider$1(env)) {
+        rawName = `env-${env.PROJECT_ENV}-${env.PROJECT_KEY}-${name}`;
+        // Clean the entire name to only allow alphanumeric, colons, and hyphens
+        return cleanName$1(rawName);
+    }
+    else {
+        if (consumer || checkEnvIsConsumer$1(env)) {
+            rawName = `env-${CDK$2.ENV.SANDBOX}-${env.PROJECT_KEY}-${name}`;
+        }
+        else {
+            rawName = `env-${env.PROJECT_ENV}-${env.PROJECT_KEY}-${name}`;
+        }
+    }
+    return cleanName$1(rawName);
+}
+/**
+ * @deprecated Use {@link JaypieSecret}. JaypieEnvSecret layers an
+ * environment-driven provider/consumer cross-stack pattern on top of
+ * JaypieSecret and will be removed in 2.0.
+ */
+class JaypieEnvSecret extends JaypieSecret {
+    constructor(scope, idOrEnvKey, props) {
+        super(scope, idOrEnvKey, props);
+    }
+    buildSecret(context) {
+        const { envKey, id, treatAsEnvKey } = context;
+        const props = context.props;
+        const { consumer = checkEnvIsConsumer$1(), export: exportParam, generateSecretString, provider = checkEnvIsProvider$1(), removalPolicy, roleTag, vendorTag, value, } = props;
+        let exportName;
+        if (!exportParam) {
+            // When shorthand detection is active, use the full construct id (which
+            // includes the "EnvSecret_" prefix) so the export name matches what was
+            // produced by earlier versions of this construct. Using the raw envKey
+            // here produces a shorter name that breaks existing cross-stack imports.
+            const exportSource = treatAsEnvKey ? id : envKey || id;
+            exportName = exportEnvName$1(exportSource, process.env, consumer);
+        }
+        else {
+            exportName = cleanName$1(exportParam);
+        }
+        if (!consumer &&
+            envKey &&
+            !process.env[envKey] &&
+            value === undefined &&
+            !generateSecretString) {
+            throw new ConfigurationError(`JaypieEnvSecret(${id}): envKey "${envKey}" is empty in process.env and no value or generateSecretString was provided`);
+        }
+        if (consumer) {
+            const secretName = Fn.importValue(exportName);
+            const secret = secretsmanager.Secret.fromSecretNameV2(this, id, secretName);
+            // Add CfnOutput for consumer secrets
+            new CfnOutput(this, `ConsumedName`, {
+                value: secret.secretName,
+            });
+            return secret;
+        }
+        const secretValue = envKey && process.env[envKey] ? process.env[envKey] : value;
+        const secret = new secretsmanager.Secret(this, id, {
+            generateSecretString,
+            secretStringValue: !generateSecretString && secretValue
+                ? SecretValue.unsafePlainText(secretValue)
+                : undefined,
+        });
+        if (removalPolicy !== undefined) {
+            const policy = typeof removalPolicy === "boolean"
+                ? removalPolicy
+                    ? RemovalPolicy.RETAIN
+                    : RemovalPolicy.DESTROY
+                : removalPolicy;
+            secret.applyRemovalPolicy(policy);
+        }
+        if (roleTag) {
+            Tags.of(secret).add(CDK$2.TAG.ROLE, roleTag);
+        }
+        if (vendorTag) {
+            Tags.of(secret).add(CDK$2.TAG.VENDOR, vendorTag);
+        }
+        if (provider) {
+            new CfnOutput(this, `ProvidedName`, {
+                value: secret.secretName,
+                exportName,
+            });
+        }
+        else {
+            new CfnOutput(this, `CreatedName`, {
+                value: secret.secretName,
+            });
+        }
+        return secret;
+    }
+}
+JaypieEnvSecret.shorthandPrefix = "EnvSecret_";
 
 /**
  * Cache for secrets by scope to avoid creating duplicates.
@@ -1143,11 +1206,11 @@ function getOrCreateSecret(scope, envKey, props) {
     return secret;
 }
 /**
- * Resolves secrets input to an array of JaypieEnvSecret instances.
+ * Resolves secrets input to an array of JaypieSecret instances.
  *
- * When an item is already a JaypieEnvSecret, it's passed through as-is.
- * When an item is a string, a JaypieEnvSecret is created (or reused from cache)
- * with the string as the envKey.
+ * When an item is already a JaypieSecret (including a JaypieEnvSecret), it's
+ * passed through as-is. When an item is a string, a JaypieEnvSecret is created
+ * (or reused from cache) with the string as the envKey.
  *
  * Secrets are cached per scope to avoid creating duplicate secrets when
  * multiple constructs in the same scope reference the same secret.
@@ -1183,7 +1246,7 @@ function resolveSecrets(scope, secrets) {
         if (typeof item === "string") {
             return getOrCreateSecret(scope, item);
         }
-        // Already a JaypieEnvSecret instance
+        // Already a JaypieSecret (or JaypieEnvSecret) instance
         return item;
     });
 }
@@ -1393,12 +1456,12 @@ class JaypieLambda extends Construct {
         super(scope, id);
         const { allowAllOutbound, allowPublicSubnet, architecture = lambda.Architecture.X86_64, code, datadogApiKeyArn, deadLetterQueue, deadLetterQueueEnabled, deadLetterTopic, description, tables = [], environment: environmentInput, envSecrets = {}, ephemeralStorageSize, filesystem, handler = "index.handler", initialPolicy, layers = [], logGroup, logRetention = CDK$2.LAMBDA.LOG_RETENTION, maxEventAge, memorySize = CDK$2.LAMBDA.MEMORY_SIZE, paramsAndSecrets, paramsAndSecretsOptions, profiling, profilingGroup, provisionedConcurrentExecutions, reservedConcurrentExecutions, retryAttempts, roleTag = CDK$2.ROLE.PROCESSING, runtime = new lambda.Runtime("nodejs24.x", lambda.RuntimeFamily.NODEJS, {
             supportsInlineCode: true,
-        }), runtimeManagementMode, secrets: secretsInput = [], securityGroups, timeout = Duration.seconds(CDK$2.DURATION.LAMBDA_WORKER), tracing, vendorTag, vpc, vpcSubnets, } = props;
+        }), runtimeManagementMode, secrets: secretsInput = [], securityGroups, serviceTag, timeout = Duration.seconds(CDK$2.DURATION.LAMBDA_WORKER), tracing, vendorTag, vpc, vpcSubnets, } = props;
         // Resolve environment from array or object syntax
         const initialEnvironment = resolveEnvironment(environmentInput);
         // Get base environment with defaults
         const environment = jaypieLambdaEnv({ initialEnvironment });
-        // Resolve secrets from mixed array (strings and JaypieEnvSecret instances)
+        // Resolve secrets from mixed array (strings and JaypieSecret instances)
         // Use Stack.of(this) to ensure secrets are shared at stack level across all constructs
         const secrets = resolveSecrets(Stack.of(this), secretsInput);
         const codeAsset = typeof code === "string" ? lambda.Code.fromAsset(code) : code;
@@ -1409,7 +1472,7 @@ class JaypieLambda extends Construct {
             ...acc,
             [`SECRET_${key}`]: secret.secretName,
         }), {});
-        // Process JaypieEnvSecret array
+        // Process JaypieSecret array
         const jaypieSecretsEnvironment = secrets.reduce((acc, secret) => {
             if (secret.envKey) {
                 return {
@@ -1479,7 +1542,7 @@ class JaypieLambda extends Construct {
         Object.values(envSecrets).forEach((secret) => {
             secret.grantRead(this._lambda);
         });
-        // Grant read permissions for JaypieEnvSecrets
+        // Grant read permissions for JaypieSecrets
         secrets.forEach((secret) => {
             secret.grantRead(this._lambda);
         });
@@ -1507,6 +1570,9 @@ class JaypieLambda extends Construct {
         if (roleTag) {
             Tags.of(this._lambda).add(CDK$2.TAG.ROLE, roleTag);
         }
+        if (serviceTag) {
+            Tags.of(this._lambda).add(CDK$2.TAG.SERVICE, serviceTag);
+        }
         if (vendorTag) {
             Tags.of(this._lambda).add(CDK$2.TAG.VENDOR, vendorTag);
         }
@@ -1631,7 +1697,7 @@ class JaypieQueuedLambda extends Construct {
         super(scope, id);
         const { allowAllOutbound, allowPublicSubnet, architecture, batchSize = 1, code, datadogApiKeyArn, deadLetterQueue, deadLetterQueueEnabled, deadLetterTopic, description, environment = {}, envSecrets = {}, ephemeralStorageSize, fifo = true, filesystem, handler = "index.handler", initialPolicy, layers = [], logGroup, logRetention = CDK$2.LAMBDA.LOG_RETENTION, maxEventAge, memorySize = CDK$2.LAMBDA.MEMORY_SIZE, paramsAndSecrets, paramsAndSecretsOptions, profiling, profilingGroup, provisionedConcurrentExecutions, reservedConcurrentExecutions, retryAttempts, roleTag, runtime = new lambda.Runtime("nodejs24.x", lambda.RuntimeFamily.NODEJS, {
             supportsInlineCode: true,
-        }), runtimeManagementMode, secrets = [], securityGroups, tables = [], timeout = Duration.seconds(CDK$2.DURATION.LAMBDA_WORKER), tracing, vendorTag, visibilityTimeout = Duration.seconds(CDK$2.DURATION.LAMBDA_WORKER), vpc, vpcSubnets, } = props;
+        }), runtimeManagementMode, secrets = [], securityGroups, serviceTag, tables = [], timeout = Duration.seconds(CDK$2.DURATION.LAMBDA_WORKER), tracing, vendorTag, visibilityTimeout = Duration.seconds(CDK$2.DURATION.LAMBDA_WORKER), vpc, vpcSubnets, } = props;
         // Create SQS Queue
         this._queue = new sqs.Queue(this, "Queue", {
             fifo,
@@ -1642,6 +1708,9 @@ class JaypieQueuedLambda extends Construct {
         if (roleTag) {
             Tags.of(this._queue).add(CDK$2.TAG.ROLE, roleTag);
         }
+        if (serviceTag) {
+            Tags.of(this._queue).add(CDK$2.TAG.SERVICE, serviceTag);
+        }
         if (vendorTag) {
             Tags.of(this._queue).add(CDK$2.TAG.VENDOR, vendorTag);
         }
@@ -1679,6 +1748,7 @@ class JaypieQueuedLambda extends Construct {
             runtimeManagementMode,
             secrets,
             securityGroups,
+            serviceTag,
             tables,
             timeout,
             tracing,
@@ -1873,7 +1943,7 @@ class JaypieBucketQueuedLambda extends JaypieQueuedLambda {
     constructor(scope, id, props) {
         props.fifo = false; // S3 event notifications are not supported for FIFO queues
         super(scope, id, props);
-        const { bucketName, roleTag, vendorTag, bucketOptions = {} } = props;
+        const { bucketName, roleTag, serviceTag, vendorTag, bucketOptions = {}, } = props;
         // Create S3 Bucket
         this._bucket = new s3.Bucket(this, "Bucket", {
             bucketName: bucketOptions.bucketName || bucketName,
@@ -1884,6 +1954,9 @@ class JaypieBucketQueuedLambda extends JaypieQueuedLambda {
         if (roleTag) {
             Tags.of(this._bucket).add(CDK$2.TAG.ROLE, roleTag);
         }
+        if (serviceTag) {
+            Tags.of(this._bucket).add(CDK$2.TAG.SERVICE, serviceTag);
+        }
         if (vendorTag) {
             Tags.of(this._bucket).add(CDK$2.TAG.VENDOR, vendorTag);
         }
@@ -3721,7 +3794,7 @@ class JaypieNextJs extends Construct {
             ? path.join(process.cwd(), props.nextjsPath)
             : props?.nextjsPath || path.join(process.cwd(), "..", "nextjs");
         const paramsAndSecrets = resolveParamsAndSecrets();
-        // Resolve secrets from mixed array (strings and JaypieEnvSecret instances)
+        // Resolve secrets from mixed array (strings and JaypieSecret instances)
         // Use Stack.of(this) to ensure secrets are shared at stack level across all constructs
         const secrets = resolveSecrets(Stack.of(this), props?.secrets);
         // Process secrets environment variables
@@ -3729,7 +3802,7 @@ class JaypieNextJs extends Construct {
             ...acc,
             [`SECRET_${key}`]: secret.secretName,
         }), {});
-        // Process JaypieEnvSecret array
+        // Process JaypieSecret array
         const jaypieSecretsEnvironment = secrets.reduce((acc, secret) => {
             if (secret.envKey) {
                 return {
@@ -3804,7 +3877,7 @@ class JaypieNextJs extends Construct {
         Object.values(envSecrets).forEach((secret) => {
             secret.grantRead(nextjs.serverFunction.lambdaFunction);
         });
-        // Grant read permissions for JaypieEnvSecrets
+        // Grant read permissions for JaypieSecrets
         secrets.forEach((secret) => {
             secret.grantRead(nextjs.serverFunction.lambdaFunction);
         });
@@ -4168,6 +4241,9 @@ class JaypieSsoPermissions extends Construct {
                     {
                         Effect: "Allow",
                         Action: [
+                            "bedrock-agent:*",
+                            "bedrock-agentcore:*",
+                            "bedrock:*",
                             "budgets:*",
                             "ce:*",
                             "cloudformation:*",
@@ -5343,5 +5419,5 @@ class JaypieWebSocketTable extends Construct {
     }
 }
 
-export { CDK$2 as CDK, JaypieAccountLoggingBucket, JaypieApiGateway, JaypieAppStack, JaypieBucketQueuedLambda, JaypieCertificate, JaypieDatadogBucket, JaypieDatadogForwarder, JaypieDatadogSecret, JaypieDistribution, JaypieDnsRecord, JaypieDynamoDb, JaypieEnvSecret, JaypieEventsRule, JaypieExpressLambda, JaypieGitHubDeployRole, JaypieHostedZone, JaypieInfrastructureStack, JaypieLambda, JaypieMigration, JaypieMongoDbSecret, JaypieNextJs, JaypieOpenAiSecret, JaypieOrganizationTrail, JaypieQueuedLambda, JaypieSsoPermissions, JaypieSsoSyncApplication, JaypieStack, JaypieStaticWebBucket, JaypieTraceSigningKeySecret, JaypieWebDeploymentBucket, JaypieWebSocket, JaypieWebSocketLambda, JaypieWebSocketTable, addDatadogLayers, clearAllCertificateCaches, clearAllSecretsCaches, clearCertificateCache, clearSecretsCache, constructEnvName, constructStackName, constructTagger, constructWafLogBucketName, ensureRoute53QueryLoggingPolicy, envHostname, extendDatadogRole, isEnv, isProductionEnv, isSandboxEnv, isValidHostname$1 as isValidHostname, isValidSubdomain, jaypieLambdaEnv, mergeDomain, resolveCertificate, resolveDatadogForwarderFunction, resolveDatadogLayers, resolveDatadogLoggingDestination, resolveEnvironment, resolveHostedZone, resolveParamsAndSecrets, resolveSecrets };
+export { CDK$2 as CDK, JaypieAccountLoggingBucket, JaypieApiGateway, JaypieAppStack, JaypieBucketQueuedLambda, JaypieCertificate, JaypieDatadogBucket, JaypieDatadogForwarder, JaypieDatadogSecret, JaypieDistribution, JaypieDnsRecord, JaypieDynamoDb, JaypieEnvSecret, JaypieEventsRule, JaypieExpressLambda, JaypieGitHubDeployRole, JaypieHostedZone, JaypieInfrastructureStack, JaypieLambda, JaypieMigration, JaypieMongoDbSecret, JaypieNextJs, JaypieOpenAiSecret, JaypieOrganizationTrail, JaypieQueuedLambda, JaypieSecret, JaypieSsoPermissions, JaypieSsoSyncApplication, JaypieStack, JaypieStaticWebBucket, JaypieTraceSigningKeySecret, JaypieWebDeploymentBucket, JaypieWebSocket, JaypieWebSocketLambda, JaypieWebSocketTable, addDatadogLayers, clearAllCertificateCaches, clearAllSecretsCaches, clearCertificateCache, clearSecretsCache, constructEnvName, constructStackName, constructTagger, constructWafLogBucketName, ensureRoute53QueryLoggingPolicy, envHostname, extendDatadogRole, isEnv, isProductionEnv, isSandboxEnv, isValidHostname$1 as isValidHostname, isValidSubdomain, jaypieLambdaEnv, mergeDomain, resolveCertificate, resolveDatadogForwarderFunction, resolveDatadogLayers, resolveDatadogLoggingDestination, resolveEnvironment, resolveHostedZone, resolveParamsAndSecrets, resolveSecrets };
 //# sourceMappingURL=index.js.map