@jaypie/mcp 0.7.39 → 0.7.40

package/dist/suites/docs/index.js

@@ -9,7 +9,7 @@ import { gt } from 'semver';
 /**
  * Docs Suite - Documentation services (skill, version, release_notes)
  */
-const BUILD_VERSION_STRING = "@jaypie/mcp@0.7.39#e7380f8a"
+const BUILD_VERSION_STRING = "@jaypie/mcp@0.7.40#a0a6ea1d"
     ;
 const __filename$1 = fileURLToPath(import.meta.url);
 const __dirname$1 = path.dirname(__filename$1);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@jaypie/mcp",
-  "version": "0.7.39",
+  "version": "0.7.40",
   "description": "Jaypie MCP",
   "repository": {
     "type": "git",

package/release-notes/constructs/1.2.33.md

@@ -0,0 +1,20 @@
+---
+version: 1.2.33
+date: 2026-03-17
+summary: Add WAF WebACL, WAF logging, file validation, Lambda data events, and IAM Access Analyzer to JaypieDistribution and JaypieOrganizationTrail
+---
+
+## Changes
+
+### JaypieDistribution — WAF WebACL (#230)
+- Creates and attaches a WAFv2 WebACL by default with AWSManagedRulesCommonRuleSet, AWSManagedRulesKnownBadInputsRuleSet, and IP rate limiting (2000 req/5min)
+- `waf: false` to opt out, `waf: { rateLimitPerIp: 500 }` to customize, `waf: { webAclArn: "..." }` for existing WebACL
+- Creates an inline `aws-waf-logs-*` S3 bucket with Datadog forwarder notifications and CfnLoggingConfiguration
+- `waf: { logBucket: false }` to disable WAF logging, `waf: { logBucket: myBucket }` to bring your own
+- Exports `JaypieWafConfig` interface
+
+### JaypieOrganizationTrail — Security defaults (#229, #231)
+- `enableFileValidation` now defaults to `true` (was `false`)
+- Added `enableLambdaDataEvents` prop (default `true`) — records Lambda invocations in CloudTrail
+- Added `enableS3DataEvents` prop (default `false`) — opt-in due to cost
+- Added `enableAccessAnalyzer` prop (default `true`) — creates organization-level IAM Access Analyzer

package/skills/cdk.md

@@ -278,6 +278,74 @@ new JaypieDistribution(this, "Dist", {
 });
 ```
 
+## WAF (Web Application Firewall)
+
+`JaypieDistribution` attaches a WAFv2 WebACL by default with:
+
+- **AWSManagedRulesCommonRuleSet** — OWASP top 10 (SQLi, XSS, etc.)
+- **AWSManagedRulesKnownBadInputsRuleSet** — known bad patterns (Log4j, etc.)
+- **Rate limiting** — 2000 requests per 5 minutes per IP
+- **WAF logging** — S3 bucket with Datadog forwarder notifications
+
+```typescript
+// Default: WAF enabled with logging
+new JaypieDistribution(this, "Dist", { handler });
+
+// Disable WAF entirely
+new JaypieDistribution(this, "Dist", { handler, waf: false });
+
+// Customize rate limit
+new JaypieDistribution(this, "Dist", {
+  handler,
+  waf: { rateLimitPerIp: 500 },
+});
+
+// Use existing WebACL
+new JaypieDistribution(this, "Dist", {
+  handler,
+  waf: { webAclArn: "arn:aws:wafv2:..." },
+});
+
+// Disable WAF logging only
+new JaypieDistribution(this, "Dist", {
+  handler,
+  waf: { logBucket: false },
+});
+
+// Bring your own WAF logging bucket
+new JaypieDistribution(this, "Dist", {
+  handler,
+  waf: { logBucket: myWafBucket },
+});
+```
+
+Cost: $5/month per WebACL + $1/month per rule + $0.60 per million requests. Use `waf: false` to opt out.
+
+## Organization Trail Security Baseline
+
+`JaypieOrganizationTrail` provides organization-wide security monitoring:
+
+- **CloudTrail** with file validation enabled by default
+- **Lambda data events** recorded by default
+- **IAM Access Analyzer** (ORGANIZATION type) enabled by default
+- **S3 data events** opt-in (cost consideration)
+
+```typescript
+const orgTrail = new JaypieOrganizationTrail(this, "OrgTrail");
+// File validation, Lambda data events, and Access Analyzer all on by default
+
+// Opt out of specific features
+new JaypieOrganizationTrail(this, "OrgTrail", {
+  enableAccessAnalyzer: false,
+  enableLambdaDataEvents: false,
+});
+
+// Opt in to S3 data events
+new JaypieOrganizationTrail(this, "OrgTrail", {
+  enableS3DataEvents: true,
+});
+```
+
 ## See Also
 
 - **`skill("apikey")`** - API key generation, validation, and hashing