@jaypie/constructs 1.2.68 → 1.2.69

package/dist/esm/index.d.ts

@@ -1,37 +1,2513 @@
-export { CDK } from "./constants";
-export { JaypieAccountLoggingBucket, JaypieAccountLoggingBucketProps, } from "./JaypieAccountLoggingBucket";
-export { JaypieApiGateway, JaypieApiGatewayProps } from "./JaypieApiGateway";
-export { JaypieAppStack } from "./JaypieAppStack";
-export { JaypieBucketQueuedLambda } from "./JaypieBucketQueuedLambda";
-export { JaypieCertificate, JaypieCertificateProps } from "./JaypieCertificate";
-export { JaypieDatadogBucket, JaypieDatadogBucketProps, } from "./JaypieDatadogBucket";
-export { JaypieDatadogForwarder, JaypieDatadogForwarderProps, } from "./JaypieDatadogForwarder";
-export { JaypieDatadogSecret } from "./JaypieDatadogSecret";
-export { JaypieDistribution, JaypieDistributionProps, JaypieWafConfig, SecurityHeadersOverrides, } from "./JaypieDistribution";
-export { JaypieDnsRecord, JaypieDnsRecordProps } from "./JaypieDnsRecord";
-export { JaypieDynamoDb, JaypieDynamoDbProps } from "./JaypieDynamoDb";
-export type { IndexDefinition } from "./types/IndexDefinition";
-export { JaypieEnvSecret } from "./JaypieEnvSecret";
-export { JaypieEventsRule, JaypieEventsRuleProps } from "./JaypieEventsRule";
-export { JaypieExpressLambda } from "./JaypieExpressLambda";
-export { JaypieGitHubDeployRole, JaypieGitHubDeployRoleProps, } from "./JaypieGitHubDeployRole";
-export { JaypieHostedZone, JaypieHostedZoneRecordProps, } from "./JaypieHostedZone";
-export { JaypieInfrastructureStack } from "./JaypieInfrastructureStack";
-export { JaypieLambda, JaypieLambdaProps } from "./JaypieLambda";
-export { JaypieMigration, JaypieMigrationProps } from "./JaypieMigration";
-export { JaypieMongoDbSecret } from "./JaypieMongoDbSecret";
-export { DomainNameConfig, JaypieNextJs, JaypieNextjsProps, } from "./JaypieNextJs";
-export { JaypieOpenAiSecret } from "./JaypieOpenAiSecret";
-export { JaypieOrganizationTrail, JaypieOrganizationTrailProps, } from "./JaypieOrganizationTrail";
-export { JaypieQueuedLambda } from "./JaypieQueuedLambda";
-export { JaypieSecret, JaypieSecretProps } from "./JaypieSecret";
-export { AccountAssignments, JaypieSsoPermissions, JaypieSsoPermissionsProps, } from "./JaypieSsoPermissions";
-export { JaypieSsoSyncApplication, JaypieSsoSyncApplicationProps, } from "./JaypieSsoSyncApplication";
-export { JaypieStack, JaypieStackProps } from "./JaypieStack";
-export { JaypieStaticWebBucket, JaypieStaticWebBucketProps, } from "./JaypieStaticWebBucket";
-export { JaypieTraceSigningKeySecret } from "./JaypieTraceSigningKeySecret";
-export { JaypieWebDeploymentBucket } from "./JaypieWebDeploymentBucket";
-export { JaypieWebSocket, JaypieWebSocketProps } from "./JaypieWebSocket";
-export { JaypieWebSocketLambda } from "./JaypieWebSocketLambda";
-export { JaypieWebSocketTable, JaypieWebSocketTableProps, } from "./JaypieWebSocketTable";
-export * from "./helpers";
+import * as s3 from 'aws-cdk-lib/aws-s3';
+import { IBucket, BucketProps } from 'aws-cdk-lib/aws-s3';
+import * as constructs from 'constructs';
+import { Construct } from 'constructs';
+import * as aws_cdk_lib_aws_cloudwatch from 'aws-cdk-lib/aws-cloudwatch';
+import * as cdk from 'aws-cdk-lib';
+import { Stack, Duration, RemovalPolicy, SecretValue, StackProps, CfnStack, CfnOutput } from 'aws-cdk-lib';
+import * as acm from 'aws-cdk-lib/aws-certificatemanager';
+import * as apiGateway from 'aws-cdk-lib/aws-apigateway';
+import * as route53 from 'aws-cdk-lib/aws-route53';
+import { ARecord, CnameRecord, MxRecord, NsRecord, TxtRecord, IHostedZone } from 'aws-cdk-lib/aws-route53';
+import * as aws_cdk_lib_aws_events from 'aws-cdk-lib/aws-events';
+import { Rule, RuleProps } from 'aws-cdk-lib/aws-events';
+import * as aws_cdk_lib_aws_kms from 'aws-cdk-lib/aws-kms';
+import { IKey } from 'aws-cdk-lib/aws-kms';
+import * as iam from 'aws-cdk-lib/aws-iam';
+import { Policy, IGrantable, Grant, PolicyStatement, AddToResourcePolicyResult, Role } from 'aws-cdk-lib/aws-iam';
+import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import * as lambda from 'aws-cdk-lib/aws-lambda';
+import { IFunction } from 'aws-cdk-lib/aws-lambda';
+import * as sqs from 'aws-cdk-lib/aws-sqs';
+import * as aws_cdk_lib_aws_codeguruprofiler from 'aws-cdk-lib/aws-codeguruprofiler';
+import * as aws_cdk_lib_aws_sns from 'aws-cdk-lib/aws-sns';
+import * as dynamodb from 'aws-cdk-lib/aws-dynamodb';
+import * as logs from 'aws-cdk-lib/aws-logs';
+import { CfnResourcePolicy, ILogGroup } from 'aws-cdk-lib/aws-logs';
+import * as secretsmanager from 'aws-cdk-lib/aws-secretsmanager';
+import { ISecret, RotationScheduleOptions, RotationSchedule, ISecretAttachmentTarget } from 'aws-cdk-lib/aws-secretsmanager';
+import * as cloudfront from 'aws-cdk-lib/aws-cloudfront';
+import { LambdaDestination } from 'aws-cdk-lib/aws-s3-notifications';
+import * as wafv2 from 'aws-cdk-lib/aws-wafv2';
+import * as logDestinations from 'aws-cdk-lib/aws-logs-destinations';
+import { LambdaDestination as LambdaDestination$1 } from 'aws-cdk-lib/aws-logs-destinations';
+import * as cdk_nextjs_standalone from 'cdk-nextjs-standalone';
+import { CfnAnalyzer } from 'aws-cdk-lib/aws-accessanalyzer';
+import { Trail } from 'aws-cdk-lib/aws-cloudtrail';
+import { CfnPermissionSet } from 'aws-cdk-lib/aws-sso';
+import { CfnApplication } from 'aws-cdk-lib/aws-sam';
+import * as apigatewayv2 from 'aws-cdk-lib/aws-apigatewayv2';
+
+declare const CDK: {
+    ACCOUNT: {
+        DEVELOPMENT: string;
+        MANAGEMENT: string;
+        OPERATIONS: string;
+        PRODUCTION: string;
+        SANDBOX: string;
+        SECURITY: string;
+        STAGE: string;
+    };
+    BUILD: {
+        CONFIG: {
+            ALL: string;
+            API: string;
+            INFRASTRUCTURE: string;
+            NONE: string;
+            WEB: string;
+        };
+        PERSONAL: string;
+        /**
+         * @deprecated rename "ephemeral" to "personal" (since 2/24/2025)
+         */
+        EPHEMERAL: string;
+        /**
+         * @deprecated as even "ephemeral" builds have static assets (since 7/6/2024)
+         */
+        STATIC: string;
+    };
+    CREATION: {
+        CDK: string;
+        CLOUDFORMATION_TEMPLATE: string;
+        MANUAL: string;
+    };
+    DATADOG: {
+        SITE: string;
+        LAYER: {
+            NODE: number;
+            EXTENSION: number;
+        };
+    };
+    DEFAULT: {
+        REGION: string;
+    };
+    DNS: {
+        CONFIG: {
+            TTL: number;
+        };
+        RECORD: {
+            A: string;
+            CNAME: string;
+            MX: string;
+            NS: string;
+            TXT: string;
+        };
+    };
+    DURATION: {
+        EXPRESS_API: number;
+        CLOUDFRONT_API: number;
+        LAMBDA_MAXIMUM: number;
+        LAMBDA_WORKER: number;
+    };
+    ENV: {
+        DEMO: string;
+        DEVELOPMENT: string;
+        /** @deprecated */ EPHEMERAL: string;
+        LOCAL: string;
+        /** @deprecated */ MAIN: string;
+        META: string;
+        PERSONAL: string;
+        PREVIEW: string;
+        PRODUCTION: string;
+        RELEASE: string;
+        REVIEW: string;
+        SANDBOX: string;
+        TRAINING: string;
+    };
+    HOST: {
+        APEX: string;
+    };
+    IMPORT: {
+        DATADOG_LOG_FORWARDER: string;
+        DATADOG_ROLE: string;
+        DATADOG_SECRET: string;
+        LOG_BUCKET: string;
+        OIDC_PROVIDER: string;
+    };
+    LAMBDA: {
+        LOG_RETENTION: number;
+        MEMORY_SIZE: number;
+    };
+    PRINCIPAL: {
+        ROUTE53: string;
+    };
+    PRINCIPAL_TYPE: {
+        GROUP: string;
+        USER: string;
+    };
+    PROJECT: {
+        INFRASTRUCTURE: string;
+    };
+    SECURITY_HEADERS: {
+        CONTENT_SECURITY_POLICY: string;
+        HSTS_MAX_AGE: number;
+        PERMISSIONS_POLICY: string;
+    };
+    ROLE: {
+        API: string;
+        DEPLOY: string;
+        HOSTING: string;
+        MONITORING: string;
+        NETWORKING: string;
+        PROCESSING: string;
+        SECURITY: string;
+        STACK: string;
+        STORAGE: string;
+        TOY: string;
+    };
+    SERVICE: {
+        DATADOG: string;
+        INFRASTRUCTURE: string;
+        LIBRARIES: string;
+        NONE: string;
+        SSO: string;
+        TRACE: string;
+    };
+    TAG: {
+        BUILD_DATE: string;
+        BUILD_HEX: string;
+        BUILD_NUMBER: string;
+        BUILD_TIME: string;
+        BUILD_TYPE: string;
+        COMMIT: string;
+        CREATION: string;
+        ENV: string;
+        NONCE: string;
+        PROJECT: string;
+        ROLE: string;
+        SERVICE: string;
+        SPONSOR: string;
+        STACK: string;
+        STACK_SHA: string;
+        VENDOR: string;
+        VERSION: string;
+    };
+    TARGET_TYPE: {
+        AWS_ACCOUNT: string;
+    };
+    VENDOR: {
+        ANTHROPIC: string;
+        AUTH0: string;
+        DATADOG: string;
+        KNOWTRACE: string;
+        MONGODB: string;
+        OPENAI: string;
+        SPLINTERLANDS: string;
+    };
+};
+
+interface JaypieAccountLoggingBucketProps extends BucketProps {
+    /**
+     * Optional construct ID
+     * @default "AccountLoggingBucket"
+     */
+    id?: string;
+    /**
+     * Bucket name
+     * @default `account-logging-stack-${PROJECT_NONCE}`
+     */
+    bucketName?: string;
+    /**
+     * The service tag value
+     * @default CDK.SERVICE.INFRASTRUCTURE
+     */
+    service?: string;
+    /**
+     * Optional project tag value
+     */
+    project?: string;
+    /**
+     * Number of days before logs expire
+     * @default 365
+     */
+    expirationDays?: number;
+    /**
+     * Number of days before transitioning to INFREQUENT_ACCESS storage
+     * @default 30
+     */
+    infrequentAccessTransitionDays?: number;
+    /**
+     * Number of days before transitioning to GLACIER storage
+     * @default 180
+     */
+    glacierTransitionDays?: number;
+    /**
+     * Whether to create CloudFormation output for bucket name
+     * @default true
+     */
+    createOutput?: boolean;
+    /**
+     * Custom export name for the bucket name output
+     * @default CDK.IMPORT.LOG_BUCKET
+     */
+    exportName?: string;
+    /**
+     * Description for the CloudFormation output
+     * @default "Account-wide logging bucket"
+     */
+    outputDescription?: string;
+}
+declare class JaypieAccountLoggingBucket extends Construct {
+    readonly bucket: IBucket;
+    /**
+     * Create a new account-wide logging S3 bucket with lifecycle policies and export
+     */
+    constructor(scope: Construct, idOrProps?: string | JaypieAccountLoggingBucketProps, propsOrUndefined?: JaypieAccountLoggingBucketProps);
+}
+
+interface AddDatadogLayerOptions {
+    datadogApiKeyArn?: string;
+    serviceTag?: string;
+}
+declare function addDatadogLayers(lambdaFunction: lambda.Function, options?: AddDatadogLayerOptions): boolean;
+
+declare function constructEnvName(name: string, opts?: {
+    env?: string;
+    key?: string;
+    nonce?: string;
+}): string;
+
+declare function constructStackName(key?: string): string;
+
+declare function constructTagger(construct: Construct, { name }?: {
+    name?: string;
+}): boolean;
+
+/**
+ * Build a WAF log bucket name shaped like
+ * `aws-waf-logs-${env}-${key}-${name}-waf-${nonce}` (or `-waf-` only when
+ * `name` is empty). The `aws-waf-logs-` prefix is required by AWS WAF, and
+ * `-${PROJECT_NONCE}` is preserved verbatim for uniqueness; the middle is
+ * truncated when needed to fit S3's 63-char limit.
+ */
+declare function constructWafLogBucketName(name?: string): string;
+
+/**
+ * Configuration for resolving a hostname from parts.
+ * Used by envHostname() to construct domain names from environment and config.
+ */
+interface HostConfig {
+    component?: string;
+    domain?: string;
+    env?: string;
+    subdomain?: string;
+}
+declare function envHostname({ component, domain, env, subdomain, }?: HostConfig): string;
+
+interface ExtendDatadogRoleOptions {
+    /**
+     * Optional construct ID for the policy
+     * @default "DatadogCustomPolicy"
+     */
+    id?: string;
+    /**
+     * The service tag value
+     * @default CDK.SERVICE.DATADOG
+     */
+    service?: string;
+    /**
+     * Optional project tag value
+     */
+    project?: string;
+}
+/**
+ * Extends the Datadog IAM role with additional permissions
+ *
+ * Checks for CDK_ENV_DATADOG_ROLE_ARN environment variable.
+ * If found, creates a custom policy with:
+ * - budgets:ViewBudget
+ * - logs:DescribeLogGroups
+ * - trustedadvisor:ListRecommendations
+ *
+ * @param scope - The construct scope
+ * @param options - Configuration options
+ * @returns The created Policy, or undefined if CDK_ENV_DATADOG_ROLE_ARN is not set
+ */
+declare function extendDatadogRole(scope: Construct, options?: ExtendDatadogRoleOptions): Policy | undefined;
+
+interface ResolveCertificateOptions {
+    /** Certificate input - true creates at stack level, false skips, ICertificate uses as-is, string imports from ARN */
+    certificate?: boolean | acm.ICertificate | string;
+    /** Domain name for the certificate (required if certificate is true) */
+    domainName: string;
+    /** Construct ID name prefix (defaults to "Certificate") */
+    name?: string;
+    /** Role tag for tagging (defaults to CDK.ROLE.API) */
+    roleTag?: string;
+    /** Hosted zone for DNS validation (required if certificate is true) */
+    zone: route53.IHostedZone;
+}
+/**
+ * Resolves a certificate based on input type.
+ *
+ * Key behavior: When certificate is `true`, the certificate is created at the
+ * STACK level (not construct level) and cached by domain name. This allows
+ * swapping between constructs (e.g., JaypieDistribution to JaypieApiGateway)
+ * without recreating the certificate.
+ *
+ * @param scope - The construct scope (used to find the stack)
+ * @param options - Certificate resolution options
+ * @returns The resolved certificate, or undefined if certificate is false
+ *
+ * @example
+ * // Create or get cached certificate at stack level
+ * const cert = resolveCertificate(this, {
+ *   certificate: true,
+ *   domainName: "api.example.com",
+ *   zone: hostedZone,
+ * });
+ *
+ * @example
+ * // Use existing certificate
+ * const cert = resolveCertificate(this, {
+ *   certificate: existingCert,
+ *   domainName: "api.example.com",
+ *   zone: hostedZone,
+ * });
+ *
+ * @example
+ * // Import certificate from ARN
+ * const cert = resolveCertificate(this, {
+ *   certificate: "arn:aws:acm:us-east-1:123456789:certificate/abc-123",
+ *   domainName: "api.example.com",
+ *   zone: hostedZone,
+ * });
+ */
+declare function resolveCertificate(scope: Construct, options: ResolveCertificateOptions): acm.ICertificate | undefined;
+/**
+ * Clears the certificate cache for a specific stack.
+ * Primarily useful for testing.
+ */
+declare function clearCertificateCache(stack: Stack): void;
+/**
+ * Clears all certificate caches.
+ * Primarily useful for testing.
+ */
+declare function clearAllCertificateCaches(): void;
+
+/**
+ * Create (or return the existing) stack-level CloudWatch Logs resource policy
+ * that grants Route53 permission to write query logs to any `/aws/route53/*`
+ * log group in the stack's account and region.
+ *
+ * Consolidates what would otherwise be one `AWS::Logs::ResourcePolicy` per
+ * hosted zone into a single wildcard policy, keeping the stack well clear of
+ * the 10-resource-policy-per-region account quota.
+ */
+declare function ensureRoute53QueryLoggingPolicy(scope: Construct): CfnResourcePolicy;
+
+/**
+ * Check if the current environment matches the given environment
+ */
+declare function isEnv(env: string): boolean;
+/**
+ * Check if the current environment is production
+ */
+declare function isProductionEnv(): boolean;
+/**
+ * Check if the current environment is sandbox
+ */
+declare function isSandboxEnv(): boolean;
+
+declare function isValidHostname(hostname: string): boolean;
+
+declare function isValidSubdomain(subdomain: string): boolean;
+
+interface JaypieLambdaEnvOptions {
+    initialEnvironment?: {
+        [key: string]: string;
+    };
+    serviceTag?: string;
+}
+declare function jaypieLambdaEnv(options?: JaypieLambdaEnvOptions): {
+    [key: string]: string;
+};
+
+declare function mergeDomain(subDomain: string, hostedZone: string): string;
+
+interface ResolveDatadogForwarderFunctionOptions {
+    import?: string;
+    name?: string;
+}
+declare function resolveDatadogForwarderFunction(scope: Construct, options?: ResolveDatadogForwarderFunctionOptions): lambda.IFunction;
+
+interface ResolveDatadogLayerOptions {
+    datadogApiKeyArn?: string;
+    uniqueId?: string;
+}
+declare function resolveDatadogLayers(scope: Construct, options?: ResolveDatadogLayerOptions): lambda.ILayerVersion[] | undefined;
+
+declare function resolveDatadogLoggingDestination(scope: Construct, options?: ResolveDatadogForwarderFunctionOptions): logDestinations.LambdaDestination;
+
+/**
+ * Environment value type for the new array syntax
+ * - string: key to lookup in process.env
+ * - object: key-value pairs to include directly
+ */
+type EnvironmentArrayItem = string | {
+    [key: string]: string;
+};
+/**
+ * Environment type that supports both legacy object syntax and new array syntax
+ */
+type EnvironmentInput = {
+    [key: string]: string;
+} | EnvironmentArrayItem[];
+/**
+ * Resolves environment input to a plain object.
+ *
+ * When environment is an object (legacy syntax), returns it as-is.
+ * When environment is an array:
+ *   - Strings are treated as keys to lookup in process.env
+ *   - Objects have their key-value pairs merged in
+ *
+ * @example
+ * // Legacy object syntax
+ * resolveEnvironment({ FOO: "bar" })
+ * // => { FOO: "bar" }
+ *
+ * @example
+ * // Array syntax with process.env lookup
+ * // Given process.env.MY_VAR = "hello"
+ * resolveEnvironment(["MY_VAR"])
+ * // => { MY_VAR: "hello" }
+ *
+ * @example
+ * // Array syntax with objects
+ * resolveEnvironment([{ FOO: "bar", BAZ: "qux" }])
+ * // => { FOO: "bar", BAZ: "qux" }
+ *
+ * @example
+ * // Mixed array syntax
+ * // Given process.env.MY_VAR = "hello"
+ * resolveEnvironment(["MY_VAR", { FOO: "bar" }])
+ * // => { MY_VAR: "hello", FOO: "bar" }
+ */
+declare function resolveEnvironment(environment?: EnvironmentInput, env?: Record<string, string | undefined>): {
+    [key: string]: string;
+};
+
+declare function resolveHostedZone(scope: Construct, { name, zone, }?: {
+    name?: string;
+    zone?: string | route53.IHostedZone;
+}): route53.IHostedZone;
+
+interface ResolveParamsAndSecretsOptions {
+    cacheSize?: number;
+    logLevel?: lambda.ParamsAndSecretsLogLevel;
+    parameterStoreTtl?: Duration;
+    secretsManagerTtl?: Duration;
+}
+declare const resolveParamsAndSecrets: ({ paramsAndSecrets, options, }?: {
+    paramsAndSecrets?: lambda.ParamsAndSecretsLayerVersion | boolean;
+    options?: ResolveParamsAndSecretsOptions;
+}) => lambda.ParamsAndSecretsLayerVersion | undefined;
+
+interface JaypieSecretProps {
+    envKey?: string;
+    generateSecretString?: secretsmanager.SecretStringGenerator;
+    removalPolicy?: boolean | RemovalPolicy;
+    roleTag?: string;
+    vendorTag?: string;
+    value?: string;
+}
+/**
+ * Context handed to {@link JaypieSecret.buildSecret} so subclasses can build the
+ * underlying secret differently (e.g. import vs. create) while reusing the
+ * shared id/envKey resolution and the full ISecret passthrough.
+ */
+interface BuildSecretContext {
+    envKey?: string;
+    id: string;
+    props: JaypieSecretProps;
+    treatAsEnvKey: boolean;
+}
+declare class JaypieSecret extends Construct implements ISecret {
+    protected static readonly shorthandPrefix: string;
+    protected readonly _envKey?: string;
+    protected readonly _secret: secretsmanager.ISecret;
+    constructor(scope: Construct, idOrEnvKey: string, props?: JaypieSecretProps);
+    /**
+     * Builds the underlying secret. The base implementation always creates a new
+     * Secrets Manager secret from an envKey value, an explicit value, or a
+     * generated string. Subclasses may override to import an existing secret or
+     * emit cross-stack outputs.
+     */
+    protected buildSecret(context: BuildSecretContext): secretsmanager.ISecret;
+    get stack(): Stack;
+    get env(): {
+        account: string;
+        region: string;
+    };
+    applyRemovalPolicy(policy: RemovalPolicy): void;
+    get secretArn(): string;
+    get secretFullArn(): string | undefined;
+    get secretName(): string;
+    get secretRef(): secretsmanager.SecretReference;
+    get encryptionKey(): IKey | undefined;
+    get secretValue(): SecretValue;
+    secretValueFromJson(key: string): SecretValue;
+    grantRead(grantee: IGrantable, versionStages?: string[]): Grant;
+    grantWrite(grantee: IGrantable): Grant;
+    addRotationSchedule(id: string, options: RotationScheduleOptions): RotationSchedule;
+    addToResourcePolicy(statement: PolicyStatement): AddToResourcePolicyResult;
+    denyAccountRootDelete(): void;
+    attach(target: ISecretAttachmentTarget): ISecret;
+    cfnDynamicReferenceKey(options?: Parameters<ISecret["cfnDynamicReferenceKey"]>[0]): string;
+    get envKey(): string | undefined;
+}
+
+/**
+ * Secrets input type that supports both JaypieSecret instances and strings
+ * - JaypieSecret (including JaypieEnvSecret subclasses): passed through as-is
+ * - string: converted to a JaypieEnvSecret with the string as envKey
+ */
+type SecretsArrayItem = JaypieSecret | string;
+/**
+ * Resolves secrets input to an array of JaypieSecret instances.
+ *
+ * When an item is already a JaypieSecret (including a JaypieEnvSecret), it's
+ * passed through as-is. When an item is a string, a JaypieEnvSecret is created
+ * (or reused from cache) with the string as the envKey.
+ *
+ * Secrets are cached per scope to avoid creating duplicate secrets when
+ * multiple constructs in the same scope reference the same secret.
+ *
+ * @example
+ * // JaypieEnvSecret instances pass through
+ * const secret = new JaypieEnvSecret(scope, "MySecret", { envKey: "MY_KEY" });
+ * resolveSecrets(scope, [secret])
+ * // => [secret]
+ *
+ * @example
+ * // Strings create JaypieEnvSecret instances
+ * resolveSecrets(scope, ["AUTH0_SECRET", "MONGODB_URI"])
+ * // => [JaypieEnvSecret(envKey: "AUTH0_SECRET"), JaypieEnvSecret(envKey: "MONGODB_URI")]
+ *
+ * @example
+ * // Mixed input
+ * const existingSecret = new JaypieEnvSecret(scope, "Existing", { envKey: "EXISTING" });
+ * resolveSecrets(scope, [existingSecret, "NEW_SECRET"])
+ * // => [existingSecret, JaypieEnvSecret(envKey: "NEW_SECRET")]
+ *
+ * @example
+ * // Secrets are shared across calls with the same scope
+ * const secrets1 = resolveSecrets(scope, ["SHARED_SECRET"]);
+ * const secrets2 = resolveSecrets(scope, ["SHARED_SECRET"]);
+ * // secrets1[0] === secrets2[0] (same instance)
+ */
+declare function resolveSecrets(scope: Construct, secrets?: SecretsArrayItem[]): JaypieSecret[];
+/**
+ * Clears the secrets cache for a given scope.
+ * Primarily useful for testing.
+ */
+declare function clearSecretsCache(scope: Construct): void;
+/**
+ * Clears all secrets caches.
+ * Primarily useful for testing.
+ */
+declare function clearAllSecretsCaches(): void;
+
+/**
+ * Canonical sub-rule names for each AWS managed rule group, as published in the
+ * AWS WAF developer guide. Used to validate `waf.allow` and
+ * `waf.managedRuleOverrides` rule names at synth time — AWS WAF matches
+ * `RuleActionOverride` on the exact rule *name* and silently ignores names that
+ * match no rule, so a typo or a label/name casing mismatch (e.g. the label
+ * `…:NoUserAgent_Header` vs the rule name `NoUserAgent_HEADER`) becomes an
+ * undiagnosable no-op.
+ *
+ * Groups absent from this map (custom rule groups, or AWS groups not yet
+ * mirrored here) are not validated.
+ *
+ * @see https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html
+ */
+declare const AWS_MANAGED_RULE_GROUPS: Record<string, readonly string[]>;
+/** One entry in a `waf.allow` list. Mirrors JaypieWafAllowEntry structurally. */
+interface WafAllowEntryLike {
+    path: string | string[];
+    [ruleGroupKey: string]: string | string[] | undefined;
+}
+interface AssertValidWafRuleNamesOptions {
+    allow?: WafAllowEntryLike | WafAllowEntryLike[];
+    managedRuleOverrides?: Record<string, wafv2.CfnWebACL.RuleActionOverrideProperty[]>;
+}
+/**
+ * Throw a ConfigurationError if any `waf.allow` or `waf.managedRuleOverrides`
+ * rule name does not exist in its AWS managed rule group. Groups not present in
+ * AWS_MANAGED_RULE_GROUPS (custom groups) are skipped. A name that matches no
+ * rule would otherwise be silently ignored by AWS WAF.
+ */
+declare function assertValidWafRuleNames({ allow, managedRuleOverrides, }?: AssertValidWafRuleNamesOptions): void;
+
+interface JaypieApiGatewayProps extends apiGateway.LambdaRestApiProps {
+    certificate?: boolean | acm.ICertificate;
+    /**
+     * Force-delete any existing Route53 A record with the same name before
+     * creating the alias record. Useful when migrating from another construct
+     * (e.g., JaypieDistribution) that already owns the same hostname, where the
+     * default CloudFormation create-before-delete ordering would otherwise
+     * collide on the record name.
+     * @default false
+     */
+    deleteExistingRecord?: boolean;
+    /**
+     * The domain name for the API Gateway.
+     *
+     * Supports both string and config object:
+     * - String: used directly as the domain name (e.g., "api.example.com")
+     * - Object: passed to envHostname() to construct the domain name
+     *   - { subdomain, domain, env, component }
+     *
+     * @example
+     * // Direct string
+     * host: "api.example.com"
+     *
+     * @example
+     * // Config object - resolves using envHostname()
+     * host: { subdomain: "api" }
+     */
+    host?: string | HostConfig;
+    name?: string;
+    roleTag?: string;
+    zone?: string | route53.IHostedZone;
+}
+declare class JaypieApiGateway extends Construct implements apiGateway.IRestApi {
+    private readonly _api;
+    private readonly _certificate?;
+    private readonly _domainName?;
+    private readonly _host?;
+    constructor(scope: Construct, id: string, props: JaypieApiGatewayProps);
+    get api(): apiGateway.LambdaRestApi;
+    get url(): string;
+    get certificateArn(): string | undefined;
+    get domainName(): string | undefined;
+    get host(): string | undefined;
+    get restApiId(): string;
+    get restApiName(): string;
+    get restApiRootResourceId(): string;
+    get deploymentStage(): apiGateway.Stage;
+    get domainNameAliasDomainName(): string | undefined;
+    get domainNameAliasHostedZoneId(): string | undefined;
+    get root(): apiGateway.IResource;
+    get env(): {
+        account: string;
+        region: string;
+    };
+    get stack(): Stack;
+    arnForExecuteApi(method?: string, path?: string, stage?: string): string;
+    metric(metricName: string, props?: aws_cdk_lib_aws_cloudwatch.MetricOptions): aws_cdk_lib_aws_cloudwatch.Metric;
+    metricCacheHitCount(props?: aws_cdk_lib_aws_cloudwatch.MetricOptions): aws_cdk_lib_aws_cloudwatch.Metric;
+    metricCacheMissCount(props?: aws_cdk_lib_aws_cloudwatch.MetricOptions): aws_cdk_lib_aws_cloudwatch.Metric;
+    metricClientError(props?: aws_cdk_lib_aws_cloudwatch.MetricOptions): aws_cdk_lib_aws_cloudwatch.Metric;
+    metricCount(props?: aws_cdk_lib_aws_cloudwatch.MetricOptions): aws_cdk_lib_aws_cloudwatch.Metric;
+    metricIntegrationLatency(props?: aws_cdk_lib_aws_cloudwatch.MetricOptions): aws_cdk_lib_aws_cloudwatch.Metric;
+    metricLatency(props?: aws_cdk_lib_aws_cloudwatch.MetricOptions): aws_cdk_lib_aws_cloudwatch.Metric;
+    metricServerError(props?: aws_cdk_lib_aws_cloudwatch.MetricOptions): aws_cdk_lib_aws_cloudwatch.Metric;
+    applyRemovalPolicy(policy: RemovalPolicy): void;
+    get restApiRef(): apiGateway.RestApiReference;
+}
+
+interface JaypieStackProps extends StackProps {
+    key?: string;
+}
+declare class JaypieStack extends Stack {
+    constructor(scope: Construct, id: string, props?: JaypieStackProps);
+}
+
+declare class JaypieAppStack extends JaypieStack {
+    constructor(scope: Construct, id: string, props?: JaypieStackProps);
+}
+
+interface JaypieLambdaProps {
+    allowAllOutbound?: boolean;
+    allowPublicSubnet?: boolean;
+    architecture?: lambda.Architecture;
+    code: lambda.Code | string;
+    datadogApiKeyArn?: string;
+    deadLetterQueue?: sqs.IQueue;
+    deadLetterQueueEnabled?: boolean;
+    deadLetterTopic?: aws_cdk_lib_aws_sns.ITopic;
+    description?: string;
+    /**
+     * DynamoDB tables to grant read/write access to the Lambda function.
+     * Each table is granted read/write access and if exactly one table is provided,
+     * the DYNAMODB_TABLE_NAME environment variable is set to the table name.
+     */
+    tables?: dynamodb.ITable[];
+    /**
+     * Environment variables for the Lambda function.
+     *
+     * Supports both legacy object syntax and new array syntax:
+     * - Object: { KEY: "value" } - directly sets environment variables
+     * - Array: ["KEY1", "KEY2", { KEY3: "value" }]
+     *   - Strings: lookup value from process.env
+     *   - Objects: merge key-value pairs directly
+     */
+    environment?: EnvironmentInput;
+    envSecrets?: {
+        [key: string]: secretsmanager.ISecret;
+    };
+    ephemeralStorageSize?: cdk.Size;
+    filesystem?: lambda.FileSystem;
+    handler: string;
+    initialPolicy?: iam.PolicyStatement[];
+    layers?: lambda.ILayerVersion[];
+    logGroup?: logs.ILogGroup;
+    logRetention?: logs.RetentionDays | number;
+    maxEventAge?: Duration;
+    memorySize?: number;
+    paramsAndSecrets?: lambda.ParamsAndSecretsLayerVersion | boolean;
+    paramsAndSecretsOptions?: {
+        cacheSize?: number;
+        logLevel?: lambda.ParamsAndSecretsLogLevel;
+        parameterStoreTtl?: Duration;
+        secretsManagerTtl?: Duration;
+    };
+    profiling?: boolean;
+    profilingGroup?: aws_cdk_lib_aws_codeguruprofiler.IProfilingGroup;
+    provisionedConcurrentExecutions?: number;
+    reservedConcurrentExecutions?: number;
+    retryAttempts?: number;
+    roleTag?: string;
+    runtime?: lambda.Runtime;
+    runtimeManagementMode?: lambda.RuntimeManagementMode;
+    /**
+     * Secrets to make available to the Lambda function.
+     *
+     * Supports both JaypieSecret instances and strings:
+     * - JaypieSecret (including JaypieEnvSecret): used directly
+     * - String: creates a JaypieEnvSecret with the string as envKey
+     *   (reuses existing secrets within the same scope)
+     */
+    secrets?: SecretsArrayItem[];
+    securityGroups?: ec2.ISecurityGroup[];
+    serviceTag?: string;
+    timeout?: Duration | number;
+    tracing?: lambda.Tracing;
+    vendorTag?: string;
+    vpc?: ec2.IVpc;
+    vpcSubnets?: ec2.SubnetSelection;
+}
+declare class JaypieLambda extends Construct implements lambda.IFunction {
+    private readonly _lambda;
+    private readonly _provisioned?;
+    private readonly _reference;
+    constructor(scope: Construct, id: string, props: JaypieLambdaProps);
+    get lambda(): lambda.Function;
+    get provisioned(): lambda.Alias | undefined;
+    get reference(): lambda.IFunction;
+    get functionArn(): string;
+    get functionName(): string;
+    get grantPrincipal(): iam.IPrincipal;
+    get role(): iam.IRole | undefined;
+    get architecture(): lambda.Architecture;
+    get connections(): ec2.Connections;
+    get isBoundToVpc(): boolean;
+    get latestVersion(): lambda.IVersion;
+    get permissionsNode(): constructs.Node;
+    get resourceArnsForGrantInvoke(): string[];
+    get functionRef(): lambda.FunctionReference;
+    addEventSource(source: lambda.IEventSource): void;
+    addEventSourceMapping(id: string, options: lambda.EventSourceMappingOptions): lambda.EventSourceMapping;
+    addFunctionUrl(options?: lambda.FunctionUrlOptions): lambda.FunctionUrl;
+    addPermission(id: string, permission: lambda.Permission): void;
+    addToRolePolicy(statement: iam.PolicyStatement): void;
+    configureAsyncInvoke(options: lambda.EventInvokeConfigOptions): void;
+    grantInvoke(grantee: iam.IGrantable): iam.Grant;
+    grantInvokeCompositePrincipal(compositePrincipal: iam.CompositePrincipal): iam.Grant[];
+    grantInvokeUrl(grantee: iam.IGrantable): iam.Grant;
+    grantInvokeLatestVersion(grantee: iam.IGrantable): iam.Grant;
+    grantInvokeVersion(grantee: iam.IGrantable, version: lambda.IVersion): iam.Grant;
+    metric(metricName: string, props?: aws_cdk_lib_aws_cloudwatch.MetricOptions): aws_cdk_lib_aws_cloudwatch.Metric;
+    metricDuration(props?: aws_cdk_lib_aws_cloudwatch.MetricOptions): aws_cdk_lib_aws_cloudwatch.Metric;
+    metricErrors(props?: aws_cdk_lib_aws_cloudwatch.MetricOptions): aws_cdk_lib_aws_cloudwatch.Metric;
+    metricInvocations(props?: aws_cdk_lib_aws_cloudwatch.MetricOptions): aws_cdk_lib_aws_cloudwatch.Metric;
+    metricThrottles(props?: aws_cdk_lib_aws_cloudwatch.MetricOptions): aws_cdk_lib_aws_cloudwatch.Metric;
+    get env(): {
+        account: string;
+        region: string;
+    };
+    get stack(): Stack;
+    applyRemovalPolicy(policy: RemovalPolicy): void;
+    addEnvironment(key: string, value: string): void;
+}
+
+interface JaypieQueuedLambdaProps extends JaypieLambdaProps {
+    batchSize?: number;
+    fifo?: boolean;
+    visibilityTimeout?: Duration | number;
+}
+declare class JaypieQueuedLambda extends Construct implements lambda.IFunction, sqs.IQueue {
+    private readonly _queue;
+    private readonly _lambdaConstruct;
+    constructor(scope: Construct, id: string, props: JaypieQueuedLambdaProps);
+    get queue(): sqs.Queue;
+    get lambda(): lambda.Function;
+    get functionArn(): string;
+    get functionName(): string;
+    get grantPrincipal(): iam.IPrincipal;
+    get role(): iam.IRole | undefined;
+    get architecture(): lambda.Architecture;
+    get connections(): ec2.Connections;
+    get isBoundToVpc(): boolean;
+    get latestVersion(): lambda.IVersion;
+    get permissionsNode(): constructs.Node;
+    get resourceArnsForGrantInvoke(): string[];
+    get functionRef(): lambda.FunctionReference;
+    addEventSource(source: lambda.IEventSource): void;
+    addEventSourceMapping(id: string, options: lambda.EventSourceMappingOptions): lambda.EventSourceMapping;
+    addFunctionUrl(options?: lambda.FunctionUrlOptions): lambda.FunctionUrl;
+    addPermission(id: string, permission: lambda.Permission): void;
+    addToRolePolicy(statement: iam.PolicyStatement): void;
+    configureAsyncInvoke(options: lambda.EventInvokeConfigOptions): void;
+    grantInvoke(grantee: iam.IGrantable): iam.Grant;
+    grantInvokeCompositePrincipal(compositePrincipal: iam.CompositePrincipal): iam.Grant[];
+    grantInvokeUrl(grantee: iam.IGrantable): iam.Grant;
+    metric(metricName: string, props?: aws_cdk_lib_aws_cloudwatch.MetricOptions): aws_cdk_lib_aws_cloudwatch.Metric;
+    metricDuration(props?: aws_cdk_lib_aws_cloudwatch.MetricOptions): aws_cdk_lib_aws_cloudwatch.Metric;
+    metricErrors(props?: aws_cdk_lib_aws_cloudwatch.MetricOptions): aws_cdk_lib_aws_cloudwatch.Metric;
+    metricInvocations(props?: aws_cdk_lib_aws_cloudwatch.MetricOptions): aws_cdk_lib_aws_cloudwatch.Metric;
+    metricThrottles(props?: aws_cdk_lib_aws_cloudwatch.MetricOptions): aws_cdk_lib_aws_cloudwatch.Metric;
+    grantInvokeLatestVersion(grantee: iam.IGrantable): iam.Grant;
+    grantInvokeVersion(grantee: iam.IGrantable, version: lambda.Version): iam.Grant;
+    get env(): {
+        account: string;
+        region: string;
+    };
+    get stack(): Stack;
+    applyRemovalPolicy(policy: RemovalPolicy): void;
+    get queueRef(): {
+        queueUrl: string;
+        queueArn: string;
+    };
+    get fifo(): boolean;
+    get queueArn(): string;
+    get queueName(): string;
+    get queueUrl(): string;
+    get encryptionMasterKey(): aws_cdk_lib_aws_kms.IKey | undefined;
+    addToResourcePolicy(statement: iam.PolicyStatement): iam.AddToResourcePolicyResult;
+    grant(grantee: iam.IGrantable, ...actions: string[]): iam.Grant;
+    grantConsumeMessages(grantee: iam.IGrantable): iam.Grant;
+    grantPurge(grantee: iam.IGrantable): iam.Grant;
+    grantSendMessages(grantee: iam.IGrantable): iam.Grant;
+    metricApproximateAgeOfOldestMessage(props?: aws_cdk_lib_aws_cloudwatch.MetricOptions): aws_cdk_lib_aws_cloudwatch.Metric;
+    metricApproximateNumberOfMessagesDelayed(props?: aws_cdk_lib_aws_cloudwatch.MetricOptions): aws_cdk_lib_aws_cloudwatch.Metric;
+    metricApproximateNumberOfMessagesNotVisible(props?: aws_cdk_lib_aws_cloudwatch.MetricOptions): aws_cdk_lib_aws_cloudwatch.Metric;
+    metricApproximateNumberOfMessagesVisible(props?: aws_cdk_lib_aws_cloudwatch.MetricOptions): aws_cdk_lib_aws_cloudwatch.Metric;
+    metricNumberOfEmptyReceives(props?: aws_cdk_lib_aws_cloudwatch.MetricOptions): aws_cdk_lib_aws_cloudwatch.Metric;
+    metricNumberOfMessagesDeleted(props?: aws_cdk_lib_aws_cloudwatch.MetricOptions): aws_cdk_lib_aws_cloudwatch.Metric;
+    metricNumberOfMessagesReceived(props?: aws_cdk_lib_aws_cloudwatch.MetricOptions): aws_cdk_lib_aws_cloudwatch.Metric;
+    metricNumberOfMessagesSent(props?: aws_cdk_lib_aws_cloudwatch.MetricOptions): aws_cdk_lib_aws_cloudwatch.Metric;
+    metricSentMessageSize(props?: aws_cdk_lib_aws_cloudwatch.MetricOptions): aws_cdk_lib_aws_cloudwatch.Metric;
+    addEnvironment(key: string, value: string): void;
+}
+
+interface JaypieBucketQueuedLambdaProps extends JaypieQueuedLambdaProps {
+    bucketName?: string;
+    bucketOptions?: s3.BucketProps;
+}
+declare class JaypieBucketQueuedLambda extends JaypieQueuedLambda implements s3.IBucket {
+    private readonly _bucket;
+    constructor(scope: Construct, id: string, props: JaypieBucketQueuedLambdaProps);
+    get bucket(): s3.Bucket;
+    get bucketArn(): string;
+    get bucketDomainName(): string;
+    get bucketDualStackDomainName(): string;
+    get bucketName(): string;
+    get bucketRegionalDomainName(): string;
+    get bucketWebsiteDomainName(): string;
+    get bucketWebsiteUrl(): string;
+    get encryptionKey(): undefined | aws_cdk_lib_aws_kms.IKey;
+    get isWebsite(): boolean;
+    get policy(): s3.BucketPolicy | undefined;
+    addEventNotification(event: s3.EventType, dest: s3.IBucketNotificationDestination, ...filters: s3.NotificationKeyFilter[]): void;
+    addObjectCreatedNotification(dest: s3.IBucketNotificationDestination, ...filters: s3.NotificationKeyFilter[]): void;
+    addObjectRemovedNotification(dest: s3.IBucketNotificationDestination, ...filters: s3.NotificationKeyFilter[]): void;
+    addToResourcePolicy(permission: iam.PolicyStatement): iam.AddToResourcePolicyResult;
+    arnForObjects(objectKeyPattern: string): string;
+    enableEventBridgeNotification(): void;
+    grantDelete(grantee: iam.IGrantable, objectsKeyPattern?: any): iam.Grant;
+    grantPublicAccess(keyPrefix?: string, ...allowedActions: string[]): iam.Grant;
+    grantPut(grantee: iam.IGrantable, objectsKeyPattern?: any): iam.Grant;
+    grantPutAcl(grantee: iam.IGrantable, objectsKeyPattern?: string): iam.Grant;
+    grantRead(grantee: iam.IGrantable, objectsKeyPattern?: any): iam.Grant;
+    grantReadWrite(grantee: iam.IGrantable, objectsKeyPattern?: any): iam.Grant;
+    grantWrite(grantee: iam.IGrantable, objectsKeyPattern?: any): iam.Grant;
+    onCloudTrailEvent(id: string, options?: s3.OnCloudTrailBucketEventOptions): aws_cdk_lib_aws_events.Rule;
+    onCloudTrailPutObject(id: string, options?: s3.OnCloudTrailBucketEventOptions): aws_cdk_lib_aws_events.Rule;
+    onCloudTrailWriteObject(id: string, options?: s3.OnCloudTrailBucketEventOptions): aws_cdk_lib_aws_events.Rule;
+    s3UrlForObject(key?: string): string;
+    transferAccelerationUrlForObject(key?: string, options?: s3.TransferAccelerationUrlOptions): string;
+    urlForObject(key?: string): string;
+    virtualHostedUrlForObject(key?: string, options?: s3.VirtualHostedStyleUrlOptions): string;
+    grantReplicationPermission(identity: iam.IGrantable, props: any): iam.Grant;
+    addReplicationPolicy(policy: any): void;
+    get bucketRef(): s3.BucketReference;
+    applyRemovalPolicy(policy: RemovalPolicy): void;
+}
+
+interface JaypieCertificateProps {
+    /**
+     * Import certificate from a provider stack instead of creating one.
+     * When true, imports the certificate ARN via CloudFormation export.
+     * @default false
+     */
+    consumer?: boolean;
+    /**
+     * The domain name for the certificate.
+     * @default Derived from CDK_ENV_API_HOST_NAME or CDK_ENV_API_SUBDOMAIN + CDK_ENV_API_HOSTED_ZONE
+     */
+    domainName?: string;
+    /**
+     * Export name override for cross-stack sharing.
+     * Only used when provider is true.
+     * @default Generated from environment and domain
+     */
+    export?: string;
+    /**
+     * Construct ID override. When not provided, ID is auto-generated from domain.
+     * Use this to align with certificates created by other constructs.
+     * @default Auto-generated as "JaypieCert-{sanitized-domain}"
+     */
+    id?: string;
+    /**
+     * Export certificate ARN for other stacks to import.
+     * When true, creates a CloudFormation export that consumer stacks can import.
+     * @default false
+     */
+    provider?: boolean;
+    /**
+     * Role tag for tagging the certificate.
+     * @default CDK.ROLE.API
+     */
+    roleTag?: string;
+    /**
+     * The hosted zone for DNS validation.
+     * @default CDK_ENV_API_HOSTED_ZONE || CDK_ENV_HOSTED_ZONE
+     */
+    zone?: string | route53.IHostedZone;
+}
+/**
+ * A standalone certificate construct that can be shared across constructs.
+ *
+ * Key feature: Uses the same `resolveCertificate()` helper as JaypieDistribution,
+ * JaypieApiGateway, etc. This means:
+ * - Certificates are created at the stack level and cached by domain
+ * - You can "take over" a certificate from another construct by using the same domain
+ * - Swapping between JaypieDistribution and JaypieApiGateway won't recreate certs
+ *
+ * Supports flexible constructor signatures:
+ * - `new JaypieCertificate(scope)` - uses environment defaults
+ * - `new JaypieCertificate(scope, props)` - ID auto-generated from domain
+ * - `new JaypieCertificate(scope, id, props)` - explicit ID
+ *
+ * @example
+ * // Minimal - uses environment variables for domain/zone
+ * const cert = new JaypieCertificate(this);
+ *
+ * @example
+ * // With options - ID auto-generated as "JaypieCert-api-example-com"
+ * const cert = new JaypieCertificate(this, {
+ *   domainName: "api.example.com",
+ *   zone: "example.com",
+ * });
+ *
+ * @example
+ * // Explicit ID - useful when you need a specific construct ID
+ * const cert = new JaypieCertificate(this, "MyApiCert", {
+ *   domainName: "api.example.com",
+ *   zone: "example.com",
+ * });
+ *
+ * @example
+ * // Take over from JaypieDistribution (uses same ID format)
+ * // After removing JaypieDistribution with certificate: true
+ * const cert = new JaypieCertificate(this, {
+ *   domainName: "api.example.com",
+ *   zone: "example.com",
+ * });
+ *
+ * @example
+ * // Optional: Provider/consumer pattern for cross-stack sharing
+ * // In sandbox stack (explicitly export):
+ * new JaypieCertificate(this, { provider: true });
+ *
+ * // In personal build (explicitly import):
+ * new JaypieCertificate(this, { consumer: true });
+ */
+declare class JaypieCertificate extends Construct implements acm.ICertificate {
+    readonly certificate: acm.ICertificate;
+    readonly certificateArn: string;
+    readonly domainName: string;
+    /**
+     * Create a certificate with environment defaults.
+     */
+    constructor(scope: Construct);
+    /**
+     * Create a certificate with options (ID auto-generated from domain).
+     */
+    constructor(scope: Construct, props: JaypieCertificateProps);
+    /**
+     * Create a certificate with explicit ID.
+     */
+    constructor(scope: Construct, id: string, props?: JaypieCertificateProps);
+    get stack(): Stack;
+    get env(): {
+        account: string;
+        region: string;
+    };
+    applyRemovalPolicy(policy: RemovalPolicy): void;
+    get certificateRef(): acm.CertificateReference;
+    metricDaysToExpiry(props?: aws_cdk_lib_aws_cloudwatch.MetricOptions): aws_cdk_lib_aws_cloudwatch.Metric;
+}
+
+interface JaypieDatadogBucketProps extends BucketProps {
+    /**
+     * Optional construct ID
+     * @default "JaypieDatadogBucket"
+     */
+    id?: string;
+    /**
+     * The scope to use when creating the S3 bucket
+     * @default this (the construct itself)
+     */
+    bucketScope?: Construct;
+    /**
+     * The ID to use for the S3 bucket construct
+     * @default "DatadogArchiveBucket"
+     */
+    bucketId?: string;
+    /**
+     * The service tag value
+     * @default CDK.SERVICE.DATADOG
+     */
+    service?: string;
+    /**
+     * Optional project tag value
+     */
+    project?: string;
+    /**
+     * Whether to grant Datadog role access to this bucket
+     * Uses CDK_ENV_DATADOG_ROLE_ARN if set
+     * @default true
+     */
+    grantDatadogAccess?: boolean;
+}
+declare class JaypieDatadogBucket extends Construct {
+    readonly bucket: IBucket;
+    readonly policy?: Policy;
+    /**
+     * Create a new S3 bucket for Datadog log archiving with automatic IAM permissions
+     */
+    constructor(scope: Construct, idOrProps?: string | JaypieDatadogBucketProps, propsOrUndefined?: JaypieDatadogBucketProps);
+    /**
+     * Grants the Datadog IAM role access to this bucket
+     *
+     * Checks for CDK_ENV_DATADOG_ROLE_ARN environment variable.
+     * If found, creates a custom policy with:
+     * - s3:ListBucket on bucket
+     * - s3:GetObject and s3:PutObject on bucket/*
+     *
+     * @param options - Configuration options
+     * @returns The created Policy, or undefined if CDK_ENV_DATADOG_ROLE_ARN is not set
+     */
+    private grantDatadogRoleBucketAccess;
+}
+
+interface JaypieDatadogForwarderProps {
+    /**
+     * Optional construct ID
+     * @default "DatadogForwarder"
+     */
+    id?: string;
+    /**
+     * Datadog API key
+     * @default process.env.CDK_ENV_DATADOG_API_KEY
+     */
+    datadogApiKey?: string;
+    /**
+     * Account identifier for Datadog tags
+     * @default process.env.CDK_ENV_ACCOUNT
+     */
+    account?: string;
+    /**
+     * Reserved concurrency for the forwarder Lambda
+     * Must be a string as required by the CloudFormation template
+     * @default "10"
+     */
+    reservedConcurrency?: string;
+    /**
+     * Additional Datadog tags (comma-separated)
+     * Will be appended to account tag
+     */
+    additionalTags?: string;
+    /**
+     * The service tag value
+     * @default CDK.VENDOR.DATADOG
+     */
+    service?: string;
+    /**
+     * Optional project tag value
+     */
+    project?: string;
+    /**
+     * Whether to create CloudFormation events rule
+     * @default true
+     */
+    enableCloudFormationEvents?: boolean;
+    /**
+     * Whether to extend Datadog role with custom permissions
+     * Uses CDK_ENV_DATADOG_ROLE_ARN if set
+     * @default true
+     */
+    enableRoleExtension?: boolean;
+    /**
+     * Whether to create CloudFormation output for forwarder ARN
+     * @default true
+     */
+    createOutput?: boolean;
+    /**
+     * Custom export name for the forwarder ARN output
+     * @default CDK.IMPORT.DATADOG_LOG_FORWARDER
+     */
+    exportName?: string;
+    /**
+     * URL to Datadog forwarder CloudFormation template
+     * @default "https://datadog-cloudformation-template.s3.amazonaws.com/aws/forwarder/latest.yaml"
+     */
+    templateUrl?: string;
+}
+declare class JaypieDatadogForwarder extends Construct {
+    readonly cfnStack: CfnStack;
+    readonly forwarderFunction: IFunction;
+    readonly eventsRule?: Rule;
+    /**
+     * Create a new Datadog forwarder with CloudFormation nested stack
+     */
+    constructor(scope: Construct, idOrProps?: string | JaypieDatadogForwarderProps, propsOrUndefined?: JaypieDatadogForwarderProps);
+}
+
+interface JaypieEnvSecretProps extends JaypieSecretProps {
+    consumer?: boolean;
+    export?: string;
+    provider?: boolean;
+}
+/**
+ * @deprecated Use {@link JaypieSecret}. JaypieEnvSecret layers an
+ * environment-driven provider/consumer cross-stack pattern on top of
+ * JaypieSecret and will be removed in 2.0.
+ */
+declare class JaypieEnvSecret extends JaypieSecret {
+    protected static readonly shorthandPrefix: string;
+    constructor(scope: Construct, idOrEnvKey: string, props?: JaypieEnvSecretProps);
+    protected buildSecret(context: BuildSecretContext): secretsmanager.ISecret;
+}
+
+declare class JaypieDatadogSecret extends JaypieEnvSecret {
+    constructor(scope: Construct, id?: string, props?: JaypieEnvSecretProps);
+}
+
+/**
+ * One entry in a `waf.allow` list. Names one or more URL paths and, for each
+ * managed rule group key, the sub-rule names to flip from `block` to `count`
+ * on that path set. See JaypieWafConfig.allow.
+ */
+interface JaypieWafAllowEntry {
+    /** URL path or paths. Trailing `*` → STARTS_WITH; otherwise EXACTLY. */
+    path: string | string[];
+    /** Managed-rule-group keys (e.g. AWSManagedRulesCommonRuleSet) → sub-rule names. */
+    [ruleGroupKey: string]: string | string[] | undefined;
+}
+interface JaypieWafConfig {
+    /**
+     * Unique name for this distribution's WAF resources. Required when passing a
+     * WAF config object. Injected into the WebACL name and WAF log bucket name
+     * so multiple JaypieDistribution instances can coexist in the same
+     * account/env without S3/WAFv2 name collisions.
+     *
+     * Pass `waf: true` (or omit) to retain the legacy, non-namespaced names.
+     */
+    name: string;
+    /**
+     * Whether WAF is enabled
+     * @default true
+     */
+    enabled?: boolean;
+    /**
+     * WAF logging bucket.
+     * - true/undefined: create a logging bucket with Datadog forwarding (default)
+     * - false: disable WAF logging
+     * - IBucket: use an existing bucket (must have "aws-waf-logs-" prefix)
+     * @default true
+     */
+    logBucket?: boolean | s3.IBucket;
+    /**
+     * Override actions for specific rules within managed rule groups.
+     * Key is the managed rule group name; value is an array of rule action overrides.
+     * @example
+     * managedRuleOverrides: {
+     *   AWSManagedRulesCommonRuleSet: [
+     *     { name: "SizeRestrictions_BODY", actionToUse: { count: {} } },
+     *   ],
+     * }
+     */
+    managedRuleOverrides?: Record<string, wafv2.CfnWebACL.RuleActionOverrideProperty[]>;
+    /**
+     * Optional scope-down statements per managed rule group. When supplied,
+     * the managed rule group only evaluates requests that match the
+     * scope-down statement. Key is the managed rule group name; value is a
+     * `CfnWebACL.StatementProperty`.
+     *
+     * @example
+     * // Only run AWSManagedRulesCommonRuleSet for non-/chat paths
+     * managedRuleScopeDowns: {
+     *   AWSManagedRulesCommonRuleSet: {
+     *     notStatement: {
+     *       statement: {
+     *         byteMatchStatement: {
+     *           fieldToMatch: { uriPath: {} },
+     *           positionalConstraint: "STARTS_WITH",
+     *           searchString: "/chat",
+     *           textTransformations: [{ priority: 0, type: "NONE" }],
+     *         },
+     *       },
+     *     },
+     *   },
+     * }
+     */
+    managedRuleScopeDowns?: Record<string, wafv2.CfnWebACL.StatementProperty>;
+    /**
+     * Managed rule group names to apply
+     * @default ["AWSManagedRulesCommonRuleSet", "AWSManagedRulesKnownBadInputsRuleSet"]
+     */
+    managedRules?: string[];
+    /**
+     * Rate limit per IP per 5-minute window
+     * @default 2000
+     */
+    rateLimitPerIp?: number;
+    /**
+     * Path-scoped relaxations layered on top of the default managed-rule groups.
+     * Each entry names one or more URL paths and, for each managed rule group
+     * key, the sub-rule names to flip from `block` to `count` on that path set.
+     * Strict default action is preserved on every other path.
+     *
+     * Composes with `managedRuleOverrides`: the baseline override list applies
+     * to both the relaxed and strict emissions of a group; entries in `allow`
+     * additionally relax specific (path × sub-rule) intersections.
+     *
+     * @example
+     * allow: [
+     *   {
+     *     path: "/hooks/*",
+     *     AWSManagedRulesCommonRuleSet: ["ExploitablePaths_URIPATH"],
+     *     AWSManagedRulesKnownBadInputsRuleSet: ["CrossSiteScripting_BODY"],
+     *   },
+     * ]
+     */
+    allow?: JaypieWafAllowEntry | JaypieWafAllowEntry[];
+    /**
+     * Use an existing WebACL ARN instead of creating one
+     */
+    webAclArn?: string;
+}
+interface SecurityHeadersOverrides {
+    contentSecurityPolicy?: string;
+    frameOption?: cloudfront.HeadersFrameOption;
+    hstsIncludeSubdomains?: boolean;
+    hstsMaxAge?: number;
+    permissionsPolicy?: string;
+    referrerPolicy?: cloudfront.HeadersReferrerPolicy;
+}
+interface JaypieDistributionProps extends Omit<cloudfront.DistributionProps, "certificate" | "defaultBehavior" | "logBucket"> {
+    /**
+     * SSL certificate for the CloudFront distribution
+     * @default true (creates a new certificate)
+     */
+    certificate?: boolean | acm.ICertificate;
+    /**
+     * Override default behavior (optional if handler is provided)
+     */
+    defaultBehavior?: cloudfront.BehaviorOptions;
+    /**
+     * Force-delete any existing Route53 A and AAAA records with the same name
+     * before creating the alias records. Useful when migrating from another
+     * construct (e.g., JaypieApiGateway) that already owns the same hostname,
+     * where the default CloudFormation create-before-delete ordering would
+     * otherwise collide on the record name.
+     * @default false
+     */
+    deleteExistingRecord?: boolean;
+    /**
+     * Log destination configuration for CloudFront access logs
+     * - LambdaDestination: Use a specific Lambda destination for S3 notifications
+     * - true: Use Datadog forwarder for S3 notifications (default)
+     * - false: Disable S3 notifications (logging still occurs if logBucket is set)
+     * @default true
+     */
+    destination?: LambdaDestination | boolean;
+    /**
+     * External log bucket for CloudFront access logs.
+     * - IBucket: Use existing bucket directly
+     * - string: Bucket name to import
+     * - { exportName: string }: CloudFormation export name to import
+     * - true: Use account logging bucket (CDK.IMPORT.LOG_BUCKET)
+     * @default undefined (creates new bucket if destination !== false)
+     */
+    logBucket?: s3.IBucket | string | {
+        exportName: string;
+    } | true;
+    /**
+     * The origin handler - can be an IOrigin, IFunctionUrl, or IFunction
+     * If IFunction, a FunctionUrl will be created with auth NONE
+     */
+    handler?: cloudfront.IOrigin | lambda.IFunctionUrl | lambda.IFunction;
+    /**
+     * The domain name for the distribution.
+     *
+     * Supports both string and config object:
+     * - String: used directly as the domain name (e.g., "api.example.com")
+     * - Object: passed to envHostname() to construct the domain name
+     *   - { subdomain, domain, env, component }
+     *
+     * @default mergeDomain(CDK_ENV_API_SUBDOMAIN, CDK_ENV_API_HOSTED_ZONE || CDK_ENV_HOSTED_ZONE)
+     *
+     * @example
+     * // Direct string
+     * host: "api.example.com"
+     *
+     * @example
+     * // Config object - resolves using envHostname()
+     * host: { subdomain: "api" }
+     */
+    host?: string | HostConfig;
+    /**
+     * Enable response streaming for Lambda Function URLs.
+     * Use with createLambdaStreamHandler for SSE/streaming responses.
+     * @default false
+     */
+    streaming?: boolean;
+    /**
+     * Origin read timeout - how long CloudFront waits for a response from the origin.
+     * This is the maximum time allowed for the origin to respond.
+     * @default CDK.DURATION.CLOUDFRONT_API (120 seconds)
+     * @max Duration.seconds(120)
+     */
+    originReadTimeout?: Duration;
+    /**
+     * Full override for the response headers policy.
+     * When provided, bypasses all default security header logic.
+     */
+    responseHeadersPolicy?: cloudfront.IResponseHeadersPolicy;
+    /**
+     * Security headers configuration.
+     * - true/undefined: apply sensible defaults (HSTS, X-Frame-Options, CSP, etc.)
+     * - false: disable security headers entirely
+     * - SecurityHeadersOverrides object: merge overrides with defaults
+     * @default true
+     */
+    securityHeaders?: boolean | SecurityHeadersOverrides;
+    /**
+     * Role tag for tagging resources
+     * @default CDK.ROLE.HOSTING
+     */
+    roleTag?: string;
+    /**
+     * Service tag for attributing this distribution to a service (parallel to
+     * `roleTag`, matching `JaypieLambda`). When set, the distribution is tagged
+     * with `CDK.TAG.SERVICE` (so metrics carry `service:<value>` instead of
+     * `service:N/A`) and the created access-log and WAF-log buckets are tagged
+     * with the same value, so the Datadog forwarder attributes their forwarded
+     * logs to the service instead of the generic `cloudfront`/source default.
+     *
+     * Omit to preserve current behavior (no service tag). Has no effect on
+     * external/imported log buckets, which this construct does not own.
+     * @default undefined (no service tag)
+     */
+    serviceTag?: string;
+    /**
+     * WAF WebACL configuration for the CloudFront distribution.
+     * - true/undefined: create and attach a WebACL with sensible defaults
+     * - false: disable WAF
+     * - JaypieWafConfig: customize WAF behavior
+     * @default true
+     */
+    waf?: boolean | JaypieWafConfig;
+    /**
+     * The hosted zone for DNS records
+     * @default CDK_ENV_API_HOSTED_ZONE || CDK_ENV_HOSTED_ZONE
+     */
+    zone?: string | route53.IHostedZone;
+}
+declare class JaypieDistribution extends Construct implements cloudfront.IDistribution {
+    readonly certificate?: acm.ICertificate;
+    readonly distribution: cloudfront.Distribution;
+    readonly distributionArn: string;
+    readonly distributionDomainName: string;
+    readonly distributionId: string;
+    readonly domainName: string;
+    readonly functionUrl?: lambda.FunctionUrl;
+    readonly host?: string;
+    readonly logBucket?: s3.IBucket;
+    readonly responseHeadersPolicy?: cloudfront.IResponseHeadersPolicy;
+    readonly wafLogBucket?: s3.IBucket;
+    readonly webAcl?: wafv2.CfnWebACL;
+    constructor(scope: Construct, id: string, props: JaypieDistributionProps);
+    private isIOrigin;
+    private isIFunctionUrl;
+    private isIFunction;
+    private isExportNameObject;
+    private resolveWafConfig;
+    private resolveLogBucket;
+    get env(): {
+        account: string;
+        region: string;
+    };
+    get stack(): Stack;
+    applyRemovalPolicy(policy: RemovalPolicy): void;
+    grant(identity: iam.IGrantable, ...actions: string[]): iam.Grant;
+    grantCreateInvalidation(identity: iam.IGrantable): iam.Grant;
+    get distributionRef(): cloudfront.DistributionReference;
+}
+
+interface JaypieDnsRecordProps {
+    /**
+     * Optional comment to add to the DNS record
+     */
+    comment?: string;
+    /**
+     * Optional record name (subdomain). If not provided, creates record at zone apex
+     */
+    recordName?: string;
+    /**
+     * Time to live for the DNS record
+     * @default CDK.DNS.CONFIG.TTL (5 minutes)
+     */
+    ttl?: cdk.Duration;
+    /**
+     * The DNS record type (A, CNAME, MX, NS, TXT)
+     */
+    type: string;
+    /**
+     * Values for the DNS record. Format depends on record type:
+     * - A: Array of IPv4 addresses (e.g., ["1.2.3.4", "5.6.7.8"])
+     * - CNAME: Single domain name as first element (e.g., ["example.com"])
+     * - MX: Array of objects with priority and hostName (e.g., [{priority: 10, hostName: "mail.example.com"}])
+     * - NS: Array of name server addresses (e.g., ["ns1.example.com", "ns2.example.com"])
+     * - TXT: Array of text values (e.g., ["v=spf1 include:example.com ~all"])
+     */
+    values: string[] | Array<{
+        hostName: string;
+        priority: number;
+    }>;
+    /**
+     * The hosted zone where the record will be created.
+     * Can be either:
+     * - A string (zone name) - will lookup the hosted zone by domain name
+     * - An IHostedZone object - will use the provided zone directly
+     */
+    zone: string | IHostedZone;
+}
+declare class JaypieDnsRecord extends Construct {
+    readonly record: ARecord | CnameRecord | MxRecord | NsRecord | TxtRecord;
+    constructor(scope: Construct, id: string, props: JaypieDnsRecordProps);
+}
+
+/**
+ * GSI index definition for JaypieDynamoDb.
+ *
+ * Shape mirrors `@jaypie/fabric`'s IndexDefinition so a single object can be
+ * shared between CDK provisioning (here) and runtime model code (fabric).
+ * The type is owned locally so `@jaypie/constructs` does not take a runtime
+ * dependency on the pre-1.0 `@jaypie/fabric` package.
+ *
+ * - `pk` fields are combined with a separator to form the partition key attribute
+ * - `sk` with one field uses that field directly as the GSI sort key
+ * - `sk` with multiple fields produces a composite `{indexName}Sk` attribute
+ */
+interface IndexDefinition {
+    /** Name of the index (auto-generated from pk fields if not provided) */
+    name?: string;
+    /** Partition key fields - combined with separator */
+    pk: string[];
+    /** Sort key fields - combined with separator when composite */
+    sk?: string[];
+    /** Advisory: index key is only written when all pk/sk fields are present */
+    sparse?: boolean;
+}
+
+interface JaypieDynamoDbProps extends Omit<dynamodb.TablePropsV2, "globalSecondaryIndexes" | "partitionKey" | "sortKey"> {
+    /**
+     * Configure GSIs for the table using the IndexDefinition format.
+     * - `undefined`: No GSIs (default)
+     * - Array of IndexDefinition: Use the specified indexes
+     *
+     * @example
+     * // No GSIs (default)
+     * new JaypieDynamoDb(this, "myTable");
+     *
+     * @example
+     * // Inline indexes
+     * new JaypieDynamoDb(this, "myTable", {
+     *   indexes: [
+     *     { name: "indexModel", pk: ["model"], sk: ["scope", "updatedAt"] },
+     *     { name: "indexModelAlias", pk: ["model", "alias"], sk: ["scope", "updatedAt"], sparse: true },
+     *   ],
+     * });
+     */
+    indexes?: IndexDefinition[];
+    /**
+     * Partition key attribute definition.
+     * @default { name: "id", type: AttributeType.STRING }
+     */
+    partitionKey?: dynamodb.Attribute;
+    /**
+     * Optional project identifier for tagging
+     */
+    project?: string;
+    /**
+     * Optional role tag for the table
+     */
+    roleTag?: string;
+    /**
+     * Optional service identifier for tagging
+     */
+    service?: string;
+    /**
+     * Sort key attribute definition. Defaults to `undefined` (no sort key) —
+     * the Jaypie single-table pattern uses `id` as a unique partition key.
+     */
+    sortKey?: dynamodb.Attribute;
+    /**
+     * Optional vendor tag for the table
+     */
+    vendorTag?: string;
+}
+/**
+ * DynamoDB table with Jaypie single-table design patterns.
+ *
+ * Creates a table with:
+ * - Partition key: `id` (String), no sort key
+ * - Billing: PAY_PER_REQUEST (on-demand)
+ * - Removal policy: RETAIN in production, DESTROY otherwise
+ * - No GSIs by default (use `indexes` prop to add them)
+ * - Table name: CDK-generated (includes stack name and unique suffix)
+ *
+ * @example
+ * // Shorthand: construct id is "JaypieDynamoDb-myApp", table name is CDK-generated
+ * const table = new JaypieDynamoDb(this, "myApp");
+ *
+ * @example
+ * // With inline IndexDefinition for GSIs
+ * const table = new JaypieDynamoDb(this, "MyTable", {
+ *   tableName: "custom-table-name",
+ *   indexes: [
+ *     { name: "indexModel", pk: ["model"], sk: ["scope", "updatedAt"] },
+ *     { name: "indexModelAlias", pk: ["model", "alias"], sk: ["scope", "updatedAt"], sparse: true },
+ *   ],
+ * });
+ */
+declare class JaypieDynamoDb extends Construct implements dynamodb.ITableV2 {
+    private readonly _table;
+    constructor(scope: Construct, id: string, props?: JaypieDynamoDbProps);
+    /**
+     * The underlying DynamoDB TableV2 construct
+     */
+    get table(): dynamodb.TableV2;
+    get env(): cdk.ResourceEnvironment;
+    get stack(): cdk.Stack;
+    get tableArn(): string;
+    get tableId(): string | undefined;
+    get tableName(): string;
+    get tableRef(): dynamodb.TableReference;
+    get tableStreamArn(): string | undefined;
+    get encryptionKey(): aws_cdk_lib_aws_kms.IKey | undefined;
+    get grants(): dynamodb.TableGrants;
+    applyRemovalPolicy(policy: RemovalPolicy): void;
+    grant(grantee: iam.IGrantable, ...actions: string[]): iam.Grant;
+    grantFullAccess(grantee: iam.IGrantable): iam.Grant;
+    grantReadData(grantee: iam.IGrantable): iam.Grant;
+    grantReadWriteData(grantee: iam.IGrantable): iam.Grant;
+    grantStream(grantee: iam.IGrantable, ...actions: string[]): iam.Grant;
+    grantStreamRead(grantee: iam.IGrantable): iam.Grant;
+    grantTableListStreams(grantee: iam.IGrantable): iam.Grant;
+    grantWriteData(grantee: iam.IGrantable): iam.Grant;
+    metric(metricName: string, props?: aws_cdk_lib_aws_cloudwatch.MetricOptions): aws_cdk_lib_aws_cloudwatch.Metric;
+    metricConditionalCheckFailedRequests(props?: aws_cdk_lib_aws_cloudwatch.MetricOptions): aws_cdk_lib_aws_cloudwatch.Metric;
+    metricConsumedReadCapacityUnits(props?: aws_cdk_lib_aws_cloudwatch.MetricOptions): aws_cdk_lib_aws_cloudwatch.Metric;
+    metricConsumedWriteCapacityUnits(props?: aws_cdk_lib_aws_cloudwatch.MetricOptions): aws_cdk_lib_aws_cloudwatch.Metric;
+    metricSuccessfulRequestLatency(props?: aws_cdk_lib_aws_cloudwatch.MetricOptions): aws_cdk_lib_aws_cloudwatch.Metric;
+    metricSystemErrorsForOperations(props?: dynamodb.SystemErrorsForOperationsMetricOptions): aws_cdk_lib_aws_cloudwatch.IMetric;
+    metricThrottledRequests(props?: aws_cdk_lib_aws_cloudwatch.MetricOptions): aws_cdk_lib_aws_cloudwatch.Metric;
+    metricThrottledRequestsForOperations(props?: dynamodb.OperationsMetricOptions): aws_cdk_lib_aws_cloudwatch.IMetric;
+    metricUserErrors(props?: aws_cdk_lib_aws_cloudwatch.MetricOptions): aws_cdk_lib_aws_cloudwatch.Metric;
+}
+
+interface JaypieEventsRuleProps extends Omit<RuleProps, "targets"> {
+    /**
+     * Optional construct ID
+     * @default Generated from source or "EventsRule"
+     */
+    id?: string;
+    /**
+     * Event source(s) to match
+     * @default undefined
+     */
+    source?: string | string[];
+    /**
+     * Lambda function to target
+     * Can be:
+     * - An IFunction instance
+     * - undefined (will resolve Datadog forwarder)
+     * @default Resolves Datadog forwarder via resolveDatadogForwarderFunction
+     */
+    targetFunction?: IFunction;
+    /**
+     * The service tag value
+     * @default CDK.SERVICE.DATADOG
+     */
+    service?: string;
+    /**
+     * The vendor tag value
+     * @default CDK.VENDOR.DATADOG
+     */
+    vendor?: string;
+    /**
+     * Optional project tag value
+     */
+    project?: string;
+}
+declare class JaypieEventsRule extends Construct {
+    readonly rule: Rule;
+    readonly targetFunction: IFunction;
+    /**
+     * Create a new EventBridge rule that targets a Lambda function
+     */
+    constructor(scope: Construct, idOrSourceOrProps?: string | JaypieEventsRuleProps, propsOrUndefined?: JaypieEventsRuleProps);
+}
+
+declare class JaypieExpressLambda extends JaypieLambda {
+    constructor(scope: Construct, id: string, props: JaypieLambdaProps);
+}
+
+interface JaypieGitHubDeployRoleProps {
+    ecr?: boolean;
+    oidcProviderArn?: string;
+    output?: boolean | string;
+    repoRestriction?: string;
+    sponsor?: string;
+}
+declare class JaypieGitHubDeployRole extends Construct {
+    private readonly _role;
+    constructor(scope: Construct, id?: string, props?: JaypieGitHubDeployRoleProps);
+    get role(): Role;
+    get roleArn(): string;
+    get roleName(): string;
+}
+
+/**
+ * DNS record configuration for JaypieHostedZone
+ * Omits 'zone' since it will be automatically set to the created hosted zone
+ */
+interface JaypieHostedZoneRecordProps extends Omit<JaypieDnsRecordProps, "zone"> {
+    /**
+     * Optional ID for the DNS record construct
+     * @default Generated from record type and name
+     */
+    id?: string;
+}
+interface JaypieHostedZoneProps {
+    /**
+     * Optional construct ID
+     * @default `${zoneName}-HostedZone`
+     */
+    id?: string;
+    /**
+     * The domain name for the hosted zone
+     */
+    zoneName: string;
+    /**
+     * The service tag value
+     * @default CDK.SERVICE.INFRASTRUCTURE
+     */
+    service?: string;
+    /**
+     * Optional project tag value
+     */
+    project?: string;
+    /**
+     * Log destination configuration
+     * - LambdaDestination: Use a specific Lambda destination
+     * - true: Use Datadog logging destination (default)
+     * - false: Do not use a destination
+     * @default true
+     */
+    destination?: LambdaDestination$1 | boolean;
+    /**
+     * Optional DNS records to create for this hosted zone
+     * Each record will be created as a JaypieDnsRecord construct
+     */
+    records?: JaypieHostedZoneRecordProps[];
+    /**
+     * Control the CloudWatch Logs resource policy that grants Route53 permission
+     * to write query logs. Defaults to `true`, which ensures a single
+     * stack-level wildcard policy covering every `/aws/route53/*` log group.
+     * Set to `false` to skip creating a managed policy (useful when an
+     * account-wide policy is provisioned externally).
+     * @default true
+     */
+    queryLoggingPolicy?: boolean;
+}
+declare class JaypieHostedZone extends Construct {
+    readonly hostedZone: IHostedZone;
+    readonly logGroup: ILogGroup;
+    readonly dnsRecords: JaypieDnsRecord[];
+    /**
+     * Create a new hosted zone with query logging and optional DNS records
+     */
+    constructor(scope: Construct, idOrProps: string | JaypieHostedZoneProps, propsOrRecords?: JaypieHostedZoneProps | JaypieHostedZoneRecordProps[]);
+}
+
+declare class JaypieInfrastructureStack extends JaypieStack {
+    constructor(scope: Construct, id: string, props?: JaypieStackProps);
+}
+
+interface JaypieMigrationProps {
+    /** Path to the bundled migration code (esbuild output directory) */
+    code: lambda.Code | string;
+    /** Constructs that must be created before the migration runs */
+    dependencies?: Construct[];
+    /** Environment variables for the migration Lambda */
+    environment?: Record<string, string> | (Record<string, string> | string)[];
+    /** Lambda handler entry point */
+    handler?: string;
+    /** Polling interval between isCompleteHandler invocations. Default: 60 seconds. */
+    queryInterval?: cdk.Duration;
+    /** Secrets to make available to the migration Lambda */
+    secrets?: SecretsArrayItem[];
+    /** DynamoDB tables to grant read/write access */
+    tables?: dynamodb.ITable[];
+    /** Lambda timeout per invocation. Defaults to 15 minutes (Lambda max). */
+    timeout?: cdk.Duration;
+    /** Maximum total wall time across all isCompleteHandler invocations. Default: 2 hours. */
+    totalTimeout?: cdk.Duration;
+}
+declare class JaypieMigration extends Construct {
+    readonly lambda: JaypieLambda;
+    constructor(scope: Construct, id: string, props: JaypieMigrationProps);
+}
+
+declare class JaypieMongoDbSecret extends JaypieEnvSecret {
+    constructor(scope: Construct, id?: string, props?: JaypieEnvSecretProps);
+}
+
+/**
+ * @deprecated Use HostConfig instead. This alias is kept for backwards compatibility.
+ */
+type DomainNameConfig = HostConfig;
+interface JaypieNextjsProps {
+    datadogApiKeyArn?: string;
+    /**
+     * Domain name for the Next.js application.
+     *
+     * Supports both string and config object:
+     * - String: used directly as the domain name
+     * - Object: passed to envHostname() to construct the domain name
+     *   - { component, domain, env, subdomain }
+     *
+     * To deploy without a domain (CloudFront URL only), set domainProps: false
+     */
+    domainName?: string | DomainNameConfig;
+    /**
+     * Set to false to deploy without a custom domain.
+     * When false, the application will only be accessible via CloudFront URL.
+     * This overrides any domainName configuration.
+     */
+    domainProps?: false;
+    /**
+     * Environment variables for the Next.js application.
+     *
+     * Supports both legacy object syntax and new array syntax:
+     * - Object: { KEY: "value" } - directly sets environment variables
+     * - Array: ["KEY1", "KEY2", { KEY3: "value" }]
+     *   - Strings: lookup value from process.env
+     *   - Objects: merge key-value pairs directly
+     */
+    environment?: EnvironmentInput;
+    envSecrets?: {
+        [key: string]: secretsmanager.ISecret;
+    };
+    hostedZone?: IHostedZone | string;
+    nextjsPath?: string;
+    /**
+     * Secrets to make available to the Next.js application.
+     *
+     * Supports both JaypieSecret instances and strings:
+     * - JaypieSecret (including JaypieEnvSecret): used directly
+     * - String: creates a JaypieEnvSecret with the string as envKey
+     *   (reuses existing secrets within the same scope)
+     */
+    secrets?: SecretsArrayItem[];
+    /**
+     * Enable response streaming for the Next.js server function.
+     * When true, enables Lambda response streaming for faster TTFB.
+     */
+    streaming?: boolean;
+    /**
+     * DynamoDB tables to grant read/write access to the Next.js server function.
+     * Each table is granted read/write access and if exactly one table is provided,
+     * the DYNAMODB_TABLE_NAME environment variable is set to the table name.
+     */
+    tables?: dynamodb.ITable[];
+}
+declare class JaypieNextJs extends Construct {
+    private readonly _nextjs;
+    readonly domainName?: string;
+    constructor(scope: Construct, id: string, props?: JaypieNextjsProps);
+    /** S3 bucket for static assets */
+    get bucket(): s3.IBucket;
+    /** CloudFront distribution */
+    get distribution(): cdk_nextjs_standalone.NextjsDistribution;
+    /** Route53 domain configuration */
+    get domain(): cdk_nextjs_standalone.NextjsDomain | undefined;
+    /** Image optimization Lambda function */
+    get imageOptimizationFunction(): cdk_nextjs_standalone.NextjsImage;
+    /** Image optimization Lambda function URL */
+    get imageOptimizationLambdaFunctionUrl(): lambda.FunctionUrl;
+    /** Server Lambda function URL */
+    get lambdaFunctionUrl(): lambda.FunctionUrl;
+    /** Next.js build output */
+    get nextBuild(): cdk_nextjs_standalone.NextjsBuild;
+    /** ISR revalidation configuration */
+    get revalidation(): cdk_nextjs_standalone.NextjsRevalidation;
+    /** Next.js server function */
+    get serverFunction(): cdk_nextjs_standalone.NextjsServer;
+    /** Static assets configuration */
+    get staticAssets(): cdk_nextjs_standalone.NextjsStaticAssets;
+    /** CloudFront distribution URL */
+    get url(): string;
+}
+
+declare class JaypieOpenAiSecret extends JaypieEnvSecret {
+    constructor(scope: Construct, id?: string, props?: JaypieEnvSecretProps);
+}
+
+interface JaypieOrganizationTrailProps {
+    /**
+     * Optional construct ID
+     * @default Generated from trail name
+     */
+    id?: string;
+    /**
+     * The name of the CloudTrail trail
+     * @default Uses PROJECT_NONCE: `organization-cloudtrail-${PROJECT_NONCE}`
+     */
+    trailName?: string;
+    /**
+     * The name of the S3 bucket for CloudTrail logs
+     * @default Uses PROJECT_NONCE: `organization-cloudtrail-${PROJECT_NONCE}`
+     */
+    bucketName?: string;
+    /**
+     * The service tag value
+     * @default CDK.SERVICE.INFRASTRUCTURE
+     */
+    service?: string;
+    /**
+     * Optional project tag value
+     */
+    project?: string;
+    /**
+     * Whether to enable IAM Access Analyzer (organization-level)
+     * @default true
+     */
+    enableAccessAnalyzer?: boolean;
+    /**
+     * Whether to enable file validation for the trail
+     * @default true
+     */
+    enableFileValidation?: boolean;
+    /**
+     * Whether to enable Lambda data events in CloudTrail
+     * @default true
+     */
+    enableLambdaDataEvents?: boolean;
+    /**
+     * Whether to enable S3 data events in CloudTrail
+     * @default false (opt-in due to potential high volume/cost)
+     */
+    enableS3DataEvents?: boolean;
+    /**
+     * Number of days before logs expire
+     * @default 365
+     */
+    expirationDays?: number;
+    /**
+     * Number of days before transitioning to INFREQUENT_ACCESS storage
+     * @default 30
+     */
+    infrequentAccessTransitionDays?: number;
+    /**
+     * Number of days before transitioning to GLACIER storage
+     * @default 180
+     */
+    glacierTransitionDays?: number;
+    /**
+     * Whether to send S3 notifications to Datadog forwarder
+     * @default true
+     */
+    enableDatadogNotifications?: boolean;
+}
+declare class JaypieOrganizationTrail extends Construct {
+    readonly analyzer?: CfnAnalyzer;
+    readonly bucket: IBucket;
+    readonly trail: Trail;
+    /**
+     * Create a new organization CloudTrail with S3 bucket and lifecycle policies
+     */
+    constructor(scope: Construct, idOrProps?: string | JaypieOrganizationTrailProps, propsOrUndefined?: JaypieOrganizationTrailProps);
+}
+
+/**
+ * Mapping of account IDs to permission set names
+ * Key: AWS account ID
+ * Value: Array of permission set names to assign to this account
+ */
+interface AccountAssignments {
+    [accountId: string]: string[];
+}
+/**
+ * Properties for the JaypieSsoPermissions construct
+ */
+interface JaypieSsoPermissionsProps {
+    /**
+     * ARN of the IAM Identity Center instance
+     * If not provided, falls back to CDK_ENV_IAM_IDENTITY_CENTER_ARN
+     * If neither is set, SSO setup will be skipped
+     */
+    iamIdentityCenterArn?: string;
+    /**
+     * Google Workspace group GUID for administrators
+     * Example: "b4c8b438-4031-7000-782d-5046945fb956"
+     */
+    administratorGroupId?: string;
+    /**
+     * Google Workspace group GUID for analysts
+     * Example: "2488f4e8-d061-708e-abe1-c315f0e30005"
+     */
+    analystGroupId?: string;
+    /**
+     * Google Workspace group GUID for developers
+     * Example: "b438a4f8-e0e1-707c-c6e8-21841daf9ad1"
+     */
+    developerGroupId?: string;
+    /**
+     * Account assignments for administrator group
+     * Maps account IDs to arrays of permission set names
+     * Example:
+     * {
+     *   "211125635435": ["Administrator", "Analyst"],
+     *   "381492033431": ["Administrator"],
+     * }
+     */
+    administratorAccountAssignments?: AccountAssignments;
+    /**
+     * Account assignments for analyst group
+     * Maps account IDs to arrays of permission set names
+     * Example:
+     * {
+     *   "211125635435": ["Analyst"],
+     *   "381492033431": ["Analyst"],
+     * }
+     */
+    analystAccountAssignments?: AccountAssignments;
+    /**
+     * Account assignments for developer group
+     * Maps account IDs to arrays of permission set names
+     * Example:
+     * {
+     *   "211125635435": ["Developer"],
+     * }
+     */
+    developerAccountAssignments?: AccountAssignments;
+}
+/**
+ * JaypieSsoPermissions Construct
+ *
+ * Creates and manages AWS IAM Identity Center (SSO) permission sets and assignments
+ *
+ * @example
+ * const permissionSets = new JaypieSsoPermissions(this, "PermissionSets", {
+ *   iamIdentityCenterArn: "arn:aws:sso:::instance/...",
+ *   administratorGroupId: "b4c8b438-4031-7000-782d-5046945fb956",
+ *   analystGroupId: "2488f4e8-d061-708e-abe1-c315f0e30005",
+ *   developerGroupId: "b438a4f8-e0e1-707c-c6e8-21841daf9ad1",
+ *   administratorAccountAssignments: {
+ *     "211125635435": ["Administrator", "Analyst", "Developer"],
+ *     "381492033431": ["Administrator", "Analyst"],
+ *   },
+ *   analystAccountAssignments: {
+ *     "211125635435": ["Analyst", "Developer"],
+ *     "381492033431": [],
+ *   },
+ *   developerAccountAssignments: {
+ *     "211125635435": ["Analyst", "Developer"],
+ *     "381492033431": [],
+ *   },
+ * });
+ */
+declare class JaypieSsoPermissions extends Construct {
+    readonly administratorPermissionSet?: CfnPermissionSet;
+    readonly analystPermissionSet?: CfnPermissionSet;
+    readonly developerPermissionSet?: CfnPermissionSet;
+    constructor(scope: Construct, id: string, props: JaypieSsoPermissionsProps);
+}
+
+interface JaypieSsoSyncApplicationProps {
+    googleAdminEmail?: string;
+    googleAdminEmailEnvKey?: string;
+    googleCredentials?: string;
+    googleCredentialsEnvKey?: string;
+    googleGroupMatch?: string;
+    googleGroupMatchEnvKey?: string;
+    identityStoreId?: string;
+    identityStoreIdEnvKey?: string;
+    scimEndpointAccessToken?: string;
+    scimEndpointAccessTokenEnvKey?: string;
+    scimEndpointUrl?: string;
+    scimEndpointUrlEnvKey?: string;
+    semanticVersion?: string;
+    semanticVersionEnvKey?: string;
+    ssoSyncApplicationId?: string;
+    tags?: {
+        [key: string]: string;
+    };
+}
+declare class JaypieSsoSyncApplication extends Construct {
+    private readonly _application;
+    constructor(scope: Construct, id?: string, props?: JaypieSsoSyncApplicationProps);
+    get application(): CfnApplication;
+}
+
+/**
+ * WAF configuration for JaypieWebDeploymentBucket. Same shape as
+ * JaypieDistribution's JaypieWafConfig, but `name` is optional — when omitted,
+ * the construct id is used to namespace the WebACL and WAF log bucket.
+ */
+type JaypieWebDeploymentBucketWafConfig = Omit<JaypieWafConfig, "name"> & {
+    name?: string;
+};
+interface JaypieWebDeploymentBucketProps extends s3.BucketProps {
+    /**
+     * SSL certificate for the CloudFront distribution
+     * @default true (creates a new certificate)
+     */
+    certificate?: boolean | acm.ICertificate;
+    /**
+     * Log destination configuration for CloudFront access logs.
+     * - LambdaDestination: Use a specific Lambda destination for S3 notifications
+     * - true: Use Datadog forwarder for S3 notifications (default)
+     * - false: Disable S3 notifications (logging still occurs if logBucket is set)
+     * @default true
+     */
+    destination?: LambdaDestination | boolean;
+    /**
+     * The domain name for the website.
+     *
+     * Supports both string and config object:
+     * - String: used directly as the domain name (e.g., "app.example.com")
+     * - Object: passed to envHostname() to construct the domain name
+     *   - { subdomain, domain, env, component }
+     *
+     * @default mergeDomain(CDK_ENV_WEB_SUBDOMAIN, CDK_ENV_WEB_HOSTED_ZONE || CDK_ENV_HOSTED_ZONE)
+     *
+     * @example
+     * // Direct string
+     * host: "app.example.com"
+     *
+     * @example
+     * // Config object - resolves using envHostname()
+     * host: { subdomain: "app" }
+     */
+    host?: string | HostConfig;
+    /**
+     * External log bucket for CloudFront access logs.
+     * - IBucket: Use existing bucket directly
+     * - string: Bucket name to import
+     * - { exportName: string }: CloudFormation export name to import
+     * - true: Use account logging bucket (CDK.IMPORT.LOG_BUCKET)
+     * @default undefined (creates new bucket if destination !== false)
+     */
+    logBucket?: s3.IBucket | string | {
+        exportName: string;
+    } | true;
+    /**
+     * Optional bucket name
+     */
+    name?: string;
+    /**
+     * Full override for the response headers policy.
+     * When provided, bypasses all default security header logic.
+     */
+    responseHeadersPolicy?: cloudfront.IResponseHeadersPolicy;
+    /**
+     * Role tag for tagging resources
+     * @default CDK.ROLE.HOSTING
+     */
+    roleTag?: string;
+    /**
+     * Security headers configuration.
+     * - true/undefined: apply sensible defaults (HSTS, X-Frame-Options, CSP, etc.)
+     * - false: disable security headers entirely
+     * - SecurityHeadersOverrides object: merge overrides with defaults
+     * @default true
+     */
+    securityHeaders?: boolean | SecurityHeadersOverrides;
+    /**
+     * WAF WebACL configuration for the CloudFront distribution.
+     * - true/undefined: create and attach a WebACL with sensible defaults; the
+     *   construct id is used to namespace the WebACL and WAF log bucket
+     * - false: disable WAF
+     * - JaypieWebDeploymentBucketWafConfig: customize WAF behavior; if `name`
+     *   is omitted the construct id is used
+     * @default true
+     */
+    waf?: boolean | JaypieWebDeploymentBucketWafConfig;
+    /**
+     * The hosted zone for DNS records
+     * @default CDK_ENV_WEB_HOSTED_ZONE || CDK_ENV_HOSTED_ZONE
+     */
+    zone?: string | route53.IHostedZone | JaypieHostedZone;
+}
+declare class JaypieWebDeploymentBucket extends Construct implements s3.IBucket {
+    readonly bucket: s3.Bucket;
+    readonly bucketArn: string;
+    readonly bucketDomainName: string;
+    readonly bucketDualStackDomainName: string;
+    readonly bucketName: string;
+    readonly bucketRegionalDomainName: string;
+    readonly bucketWebsiteDomainName: string;
+    readonly bucketWebsiteUrl: string;
+    readonly encryptionKey?: aws_cdk_lib_aws_kms.IKey;
+    readonly isWebsite?: boolean;
+    readonly notificationsHandlerRole?: string;
+    readonly policy?: s3.BucketPolicy;
+    readonly deployRoleArn?: string;
+    readonly distributionDomainName?: string;
+    readonly certificate?: acm.ICertificate;
+    readonly distribution?: cloudfront.Distribution;
+    readonly logBucket?: s3.IBucket;
+    readonly responseHeadersPolicy?: cloudfront.IResponseHeadersPolicy;
+    readonly wafLogBucket?: s3.IBucket;
+    readonly webAcl?: wafv2.CfnWebACL;
+    constructor(scope: Construct, id: string, props?: JaypieWebDeploymentBucketProps);
+    /**
+     * Emit stack-level CfnOutputs with stable, hash-free logical IDs so they can
+     * be read directly from `cdk-outputs.json` without prefix-matching. Skips
+     * outputs whose underlying resource is absent.
+     *
+     * Logical IDs (with optional `prefix`):
+     * - `${prefix}DestinationBucketName`
+     * - `${prefix}DestinationBucketDeployRoleArn` (when a deploy role exists)
+     * - `${prefix}DistributionId` (when a distribution exists)
+     * - `${prefix}CertificateArn` (when a certificate exists)
+     *
+     * @returns map of created outputs keyed by their logical ID
+     */
+    exportOutputs(options?: {
+        prefix?: string;
+        scope?: Construct;
+    }): Record<string, CfnOutput>;
+    private resolveWafConfig;
+    private isExportNameObject;
+    private resolveLogBucket;
+    addEventNotification(event: s3.EventType, dest: s3.IBucketNotificationDestination, ...filters: s3.NotificationKeyFilter[]): void;
+    addObjectCreatedNotification(dest: s3.IBucketNotificationDestination, ...filters: s3.NotificationKeyFilter[]): void;
+    addObjectRemovedNotification(dest: s3.IBucketNotificationDestination, ...filters: s3.NotificationKeyFilter[]): void;
+    addToResourcePolicy(permission: PolicyStatement): AddToResourcePolicyResult;
+    arnForObjects(keyPattern: string): string;
+    grantDelete(identity: any, objectsKeyPattern?: any): any;
+    grantPublicAccess(allowedActions: string, keyPrefix?: string): any;
+    grantPut(identity: any, objectsKeyPattern?: any): any;
+    grantPutAcl(identity: any, objectsKeyPattern?: string): any;
+    grantRead(identity: any, objectsKeyPattern?: any): any;
+    grantReadWrite(identity: any, objectsKeyPattern?: any): any;
+    grantWrite(identity: any, objectsKeyPattern?: any): any;
+    grantReplicationPermission(identity: any, props: any): any;
+    s3UrlForObject(key?: string): string;
+    urlForObject(key?: string): string;
+    virtualHostedUrlForObject(key?: string, options?: s3.VirtualHostedStyleUrlOptions): string;
+    transferAccelerationUrlForObject(key?: string): string;
+    onCloudTrailEvent(id: string, options?: s3.OnCloudTrailBucketEventOptions): any;
+    onCloudTrailPutObject(id: string, options?: s3.OnCloudTrailBucketEventOptions): any;
+    onCloudTrailWriteObject(id: string, options?: s3.OnCloudTrailBucketEventOptions): any;
+    addCorsRule(rule: s3.CorsRule): void;
+    addInventory(inventory: s3.Inventory): void;
+    addLifecycleRule(rule: s3.LifecycleRule): void;
+    addMetric(metric: s3.BucketMetrics): void;
+    enableEventBridgeNotification(): void;
+    addReplicationPolicy(policy: any): void;
+    get stack(): any;
+    get env(): any;
+    applyRemovalPolicy(policy: RemovalPolicy): void;
+    get bucketRef(): s3.BucketReference;
+}
+
+interface JaypieStaticWebBucketProps extends Omit<JaypieWebDeploymentBucketProps, "host" | "name" | "roleTag"> {
+    /**
+     * The domain name for the website. Accepts a string or a HostConfig
+     * object resolved via envHostname().
+     * @default envHostname({ subdomain: "static" })
+     */
+    host?: string | HostConfig;
+    /**
+     * Optional bucket name
+     * @default constructEnvName("static")
+     */
+    name?: string;
+    /**
+     * Role tag for tagging resources
+     * @default CDK.ROLE.HOSTING
+     */
+    roleTag?: string;
+}
+declare class JaypieStaticWebBucket extends JaypieWebDeploymentBucket {
+    constructor(scope: Construct, id?: string | JaypieStaticWebBucketProps, props?: JaypieStaticWebBucketProps);
+}
+
+declare class JaypieTraceSigningKeySecret extends JaypieEnvSecret {
+    constructor(scope: Construct, id?: string, props?: JaypieEnvSecretProps);
+}
+
+interface JaypieWebSocketProps {
+    /**
+     * Certificate configuration.
+     * - true: Create certificate at stack level (default, reusable)
+     * - false: No certificate (use regional endpoint)
+     * - ICertificate: Use provided certificate
+     * - string: Import certificate from ARN
+     */
+    certificate?: boolean | acm.ICertificate | string;
+    /**
+     * Lambda handler for $connect route (connection established).
+     * Use this to validate connections (e.g., auth tokens) and store connection IDs.
+     */
+    connect?: lambda.IFunction;
+    /**
+     * Lambda handler for $default route (catches unmatched messages).
+     * Use this as the main message handler.
+     */
+    default?: lambda.IFunction;
+    /**
+     * Lambda handler for $disconnect route (connection closed).
+     * Use this to clean up connection IDs from storage.
+     */
+    disconnect?: lambda.IFunction;
+    /**
+     * Single Lambda handler for all routes.
+     * Alternative to providing separate connect/disconnect/default handlers.
+     * The handler receives routeKey in the context to determine which route was invoked.
+     */
+    handler?: lambda.IFunction;
+    /**
+     * The domain name for the WebSocket API.
+     *
+     * Supports both string and config object:
+     * - String: used directly as the domain name (e.g., "ws.example.com")
+     * - Object: passed to envHostname() to construct the domain name
+     *   - { subdomain, domain, env, component }
+     *
+     * @example
+     * // Direct string
+     * host: "ws.example.com"
+     *
+     * @example
+     * // Config object - resolves using envHostname()
+     * host: { component: "ws" }
+     */
+    host?: string | HostConfig;
+    /**
+     * Log retention for WebSocket API access logs.
+     * @default logs.RetentionDays.THREE_MONTHS
+     */
+    logRetention?: logs.RetentionDays;
+    /**
+     * Construct name (used for resource naming).
+     */
+    name?: string;
+    /**
+     * Role tag for tagging resources.
+     * @default CDK.ROLE.API
+     */
+    roleTag?: string;
+    /**
+     * Additional named routes beyond $connect, $disconnect, and $default.
+     * Keys are route keys (e.g., "sendMessage", "subscribe").
+     */
+    routes?: Record<string, lambda.IFunction>;
+    /**
+     * Stage name for the WebSocket API.
+     * @default "production"
+     */
+    stageName?: string;
+    /**
+     * Route53 hosted zone for DNS records.
+     * - string: Zone domain name (looked up or imported)
+     * - IHostedZone: Use provided hosted zone
+     */
+    zone?: string | route53.IHostedZone;
+}
+declare class JaypieWebSocket extends Construct {
+    private readonly _api;
+    private readonly _certificate?;
+    private readonly _domainName?;
+    private readonly _host?;
+    private readonly _stage;
+    constructor(scope: Construct, id: string, props?: JaypieWebSocketProps);
+    get api(): apigatewayv2.WebSocketApi;
+    get apiId(): string;
+    get certificate(): acm.ICertificate | undefined;
+    get domainName(): string | undefined;
+    /**
+     * The WebSocket endpoint URL.
+     * Uses custom domain if configured, otherwise returns the default stage URL.
+     */
+    get endpoint(): string;
+    get host(): string | undefined;
+    get stage(): apigatewayv2.WebSocketStage;
+    /**
+     * The callback URL for API Gateway Management API.
+     * Use this URL to send messages to connected clients.
+     */
+    get callbackUrl(): string;
+    /**
+     * Grant a Lambda function permission to manage WebSocket connections
+     * (post messages to connections, get connection info, delete connections).
+     */
+    grantManageConnections(grantee: lambda.IFunction): iam.Grant;
+}
+
+/**
+ * JaypieWebSocketLambda - A Lambda function optimized for WebSocket handlers.
+ *
+ * Provides sensible defaults for WebSocket event handling:
+ * - 30 second timeout (same as API handlers)
+ * - API role tag
+ *
+ * @example
+ * ```typescript
+ * const handler = new JaypieWebSocketLambda(this, "ChatHandler", {
+ *   code: "dist/handlers",
+ *   handler: "chat.handler",
+ *   secrets: ["MONGODB_URI"],
+ * });
+ *
+ * new JaypieWebSocket(this, "Chat", {
+ *   host: "ws.example.com",
+ *   handler,
+ * });
+ * ```
+ */
+declare class JaypieWebSocketLambda extends JaypieLambda {
+    constructor(scope: Construct, id: string, props: JaypieLambdaProps);
+}
+
+interface JaypieWebSocketTableProps {
+    /**
+     * Explicit table name. If not provided, uses CDK-generated name.
+     */
+    tableName?: string;
+    /**
+     * Time-to-live duration for connections.
+     * Connections will be automatically deleted after this duration.
+     * @default Duration.hours(24)
+     */
+    ttl?: Duration;
+    /**
+     * Whether to create a GSI for looking up connections by user ID.
+     * @default false
+     */
+    userIndex?: boolean;
+    /**
+     * Role tag for tagging resources.
+     * @default CDK.ROLE.STORAGE
+     */
+    roleTag?: string;
+}
+/**
+ * JaypieWebSocketTable - DynamoDB table for storing WebSocket connection IDs.
+ *
+ * Provides a simple table structure for tracking active WebSocket connections:
+ * - Partition key: connectionId (String)
+ * - TTL attribute: expiresAt (for automatic cleanup)
+ * - Optional GSI: userId-index (for looking up connections by user)
+ *
+ * @example
+ * ```typescript
+ * const connectionTable = new JaypieWebSocketTable(this, "Connections");
+ *
+ * const ws = new JaypieWebSocket(this, "Chat", {
+ *   host: "ws.example.com",
+ *   handler: chatHandler,
+ * });
+ *
+ * // Grant Lambda access to the table
+ * connectionTable.grantReadWriteData(chatHandler);
+ *
+ * // Pass table name to Lambda
+ * chatHandler.addEnvironment("CONNECTION_TABLE", connectionTable.tableName);
+ * ```
+ *
+ * @example
+ * // With user index for looking up all connections for a user
+ * const connectionTable = new JaypieWebSocketTable(this, "Connections", {
+ *   userIndex: true,
+ *   ttl: Duration.hours(12),
+ * });
+ */
+declare class JaypieWebSocketTable extends Construct {
+    private readonly _table;
+    private readonly _ttlDuration;
+    constructor(scope: Construct, id: string, props?: JaypieWebSocketTableProps);
+    /**
+     * The underlying DynamoDB TableV2 construct.
+     */
+    get table(): dynamodb.TableV2;
+    /**
+     * The name of the DynamoDB table.
+     */
+    get tableName(): string;
+    /**
+     * The ARN of the DynamoDB table.
+     */
+    get tableArn(): string;
+    /**
+     * TTL duration for connections in seconds.
+     * Use this to calculate expiresAt when storing connections.
+     */
+    get ttlSeconds(): number;
+    /**
+     * Grant read permissions to the table.
+     */
+    grantReadData(grantee: iam.IGrantable): iam.Grant;
+    /**
+     * Grant write permissions to the table.
+     */
+    grantWriteData(grantee: iam.IGrantable): iam.Grant;
+    /**
+     * Grant read and write permissions to the table.
+     */
+    grantReadWriteData(grantee: iam.IGrantable): iam.Grant;
+    /**
+     * Add the table name to a Lambda function's environment variables.
+     * Also grants read/write access to the table.
+     */
+    connectLambda(lambdaFunction: lambda.IFunction, options?: {
+        envKey?: string;
+        readOnly?: boolean;
+    }): void;
+}
+
+export { AWS_MANAGED_RULE_GROUPS, CDK, JaypieAccountLoggingBucket, JaypieApiGateway, JaypieAppStack, JaypieBucketQueuedLambda, JaypieCertificate, JaypieDatadogBucket, JaypieDatadogForwarder, JaypieDatadogSecret, JaypieDistribution, JaypieDnsRecord, JaypieDynamoDb, JaypieEnvSecret, JaypieEventsRule, JaypieExpressLambda, JaypieGitHubDeployRole, JaypieHostedZone, JaypieInfrastructureStack, JaypieLambda, JaypieMigration, JaypieMongoDbSecret, JaypieNextJs, JaypieOpenAiSecret, JaypieOrganizationTrail, JaypieQueuedLambda, JaypieSecret, JaypieSsoPermissions, JaypieSsoSyncApplication, JaypieStack, JaypieStaticWebBucket, JaypieTraceSigningKeySecret, JaypieWebDeploymentBucket, JaypieWebSocket, JaypieWebSocketLambda, JaypieWebSocketTable, addDatadogLayers, assertValidWafRuleNames, clearAllCertificateCaches, clearAllSecretsCaches, clearCertificateCache, clearSecretsCache, constructEnvName, constructStackName, constructTagger, constructWafLogBucketName, ensureRoute53QueryLoggingPolicy, envHostname, extendDatadogRole, isEnv, isProductionEnv, isSandboxEnv, isValidHostname, isValidSubdomain, jaypieLambdaEnv, mergeDomain, resolveCertificate, resolveDatadogForwarderFunction, resolveDatadogLayers, resolveDatadogLoggingDestination, resolveEnvironment, resolveHostedZone, resolveParamsAndSecrets, resolveSecrets };
+export type { AccountAssignments, DomainNameConfig, EnvironmentArrayItem, EnvironmentInput, ExtendDatadogRoleOptions, HostConfig, IndexDefinition, JaypieAccountLoggingBucketProps, JaypieApiGatewayProps, JaypieCertificateProps, JaypieDatadogBucketProps, JaypieDatadogForwarderProps, JaypieDistributionProps, JaypieDnsRecordProps, JaypieDynamoDbProps, JaypieEventsRuleProps, JaypieGitHubDeployRoleProps, JaypieHostedZoneRecordProps, JaypieLambdaProps, JaypieMigrationProps, JaypieNextjsProps, JaypieOrganizationTrailProps, JaypieSecretProps, JaypieSsoPermissionsProps, JaypieSsoSyncApplicationProps, JaypieStackProps, JaypieStaticWebBucketProps, JaypieWafConfig, JaypieWebSocketProps, JaypieWebSocketTableProps, ResolveCertificateOptions, SecretsArrayItem, SecurityHeadersOverrides };