@openhi/constructs 0.0.0 → 0.0.2

package/lib/index.js

@@ -1,20 +1,1319 @@
 "use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __exportStar = (this && this.__exportStar) || function(m, exports) {
-    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-__exportStar(require("./app"), exports);
-__exportStar(require("./components"), exports);
-__exportStar(require("./services"), exports);
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi9zcmMvaW5kZXgudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7Ozs7Ozs7Ozs7Ozs7OztBQUFBLHdDQUFzQjtBQUN0QiwrQ0FBNkI7QUFDN0IsNkNBQTJCIiwic291cmNlc0NvbnRlbnQiOlsiZXhwb3J0ICogZnJvbSBcIi4vYXBwXCI7XG5leHBvcnQgKiBmcm9tIFwiLi9jb21wb25lbnRzXCI7XG5leHBvcnQgKiBmcm9tIFwiLi9zZXJ2aWNlc1wiO1xuIl19
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __commonJS = (cb, mod) => function __require() {
+  return mod || (0, cb[__getOwnPropNames(cb)[0]])((mod = { exports: {} }).exports, mod), mod.exports;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// ../config/lib/open-hi-config.js
+var require_open_hi_config = __commonJS({
+  "../config/lib/open-hi-config.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.OPEN_HI_DEPLOYMENT_TARGET_ROLE = exports2.OPEN_HI_STAGE = void 0;
+    exports2.OPEN_HI_STAGE = {
+      /**
+       * Development environment, typically used for testing and development.
+       */
+      DEV: "dev",
+      /**
+       * Staging environment, used for pre-production testing.
+       */
+      STAGE: "stage",
+      /**
+       * Production environment, used for live deployments.
+       */
+      PROD: "prod"
+    };
+    exports2.OPEN_HI_DEPLOYMENT_TARGET_ROLE = {
+      /**
+       * The primary deployment target for this stage (main account/region).
+       * For example, the base DynamoDB region for global tables.
+       */
+      PRIMARY: "primary",
+      /**
+       * A secondary deployment target for this stage (additional account/region).
+       * For example, a replica region for a global DynamoDB table, or another cell in the same region.
+       */
+      SECONDARY: "secondary"
+    };
+  }
+});
+
+// ../config/lib/index.js
+var require_lib = __commonJS({
+  "../config/lib/index.js"(exports2) {
+    "use strict";
+    var __createBinding = exports2 && exports2.__createBinding || (Object.create ? (function(o, m, k, k2) {
+      if (k2 === void 0) k2 = k;
+      var desc = Object.getOwnPropertyDescriptor(m, k);
+      if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+        desc = { enumerable: true, get: function() {
+          return m[k];
+        } };
+      }
+      Object.defineProperty(o, k2, desc);
+    }) : (function(o, m, k, k2) {
+      if (k2 === void 0) k2 = k;
+      o[k2] = m[k];
+    }));
+    var __exportStar = exports2 && exports2.__exportStar || function(m, exports3) {
+      for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports3, p)) __createBinding(exports3, m, p);
+    };
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    __exportStar(require_open_hi_config(), exports2);
+  }
+});
+
+// src/index.ts
+var src_exports = {};
+__export(src_exports, {
+  ChildHostedZone: () => ChildHostedZone,
+  CognitoUserPool: () => CognitoUserPool,
+  CognitoUserPoolClient: () => CognitoUserPoolClient,
+  CognitoUserPoolDomain: () => CognitoUserPoolDomain,
+  CognitoUserPoolKmsKey: () => CognitoUserPoolKmsKey,
+  DataEventBus: () => DataEventBus,
+  DiscoverableStringParameter: () => DiscoverableStringParameter,
+  DynamoDbDataStore: () => DynamoDbDataStore,
+  OpenHiApp: () => OpenHiApp,
+  OpenHiAuthService: () => OpenHiAuthService,
+  OpenHiDataService: () => OpenHiDataService,
+  OpenHiEnvironment: () => OpenHiEnvironment,
+  OpenHiGlobalService: () => OpenHiGlobalService,
+  OpenHiRestApiService: () => OpenHiRestApiService,
+  OpenHiService: () => OpenHiService,
+  OpenHiStage: () => OpenHiStage,
+  OpsEventBus: () => OpsEventBus,
+  REST_API_BASE_URL_SSM_NAME: () => REST_API_BASE_URL_SSM_NAME,
+  RootGraphqlApi: () => RootGraphqlApi,
+  RootHostedZone: () => RootHostedZone,
+  RootHttpApi: () => RootHttpApi,
+  RootWildcardCertificate: () => RootWildcardCertificate,
+  getDynamoDbDataStoreTableName: () => getDynamoDbDataStoreTableName
+});
+module.exports = __toCommonJS(src_exports);
+
+// src/app/open-hi-app.ts
+var import_config2 = __toESM(require_lib());
+var import_aws_cdk_lib3 = require("aws-cdk-lib");
+
+// src/app/open-hi-environment.ts
+var import_config = __toESM(require_lib());
+var import_aws_cdk_lib = require("aws-cdk-lib");
+var OPEN_HI_ENVIRONMENT_SYMBOL = /* @__PURE__ */ Symbol.for(
+  "@openhi/constructs/core.OpenHiEnvironment"
+);
+var OpenHiEnvironment = class _OpenHiEnvironment extends import_aws_cdk_lib.Stage {
+  /**
+   * Creates a new OpenHiEnvironment.
+   */
+  constructor(ohStage, props) {
+    if (props.config.account && props.config.region) {
+      props = {
+        ...props,
+        env: {
+          account: props.config.account,
+          region: props.config.region
+        }
+      };
+    }
+    const stageName = props.deploymentTargetRole === import_config.OPEN_HI_DEPLOYMENT_TARGET_ROLE.PRIMARY ? props.deploymentTargetRole : [props.deploymentTargetRole, ohStage.environments.length].join("-");
+    super(ohStage, stageName, {
+      env: props.env ?? ohStage.props.env,
+      ...props
+    });
+    this.ohStage = ohStage;
+    this.props = props;
+    Object.defineProperty(this, OPEN_HI_ENVIRONMENT_SYMBOL, { value: true });
+    this.deploymentTargetRole = props.deploymentTargetRole;
+    this.config = props.config;
+  }
+  /**
+   * Finds the OpenHiEnvironment that contains the given construct.
+   * ```
+   */
+  static of(construct) {
+    return construct.node.scopes.reverse().find(_OpenHiEnvironment.isOpenHiEnvironment);
+  }
+  /**
+   * Type guard to check if a value is an OpenHiEnvironment instance.
+   */
+  static isOpenHiEnvironment(x) {
+    return x !== null && typeof x === "object" && OPEN_HI_ENVIRONMENT_SYMBOL in x;
+  }
+};
+
+// src/app/open-hi-stage.ts
+var import_aws_cdk_lib2 = require("aws-cdk-lib");
+var OPEN_HI_STAGE_SYMBOL = /* @__PURE__ */ Symbol.for("@openhi/constructs/core.OpenHiStage");
+var OpenHiStage = class _OpenHiStage extends import_aws_cdk_lib2.Stage {
+  /**
+   * Creates a new OpenHiStage instance.
+   */
+  constructor(ohApp, props) {
+    super(ohApp, props.stageType, props);
+    this.ohApp = ohApp;
+    this.props = props;
+    Object.defineProperty(this, OPEN_HI_STAGE_SYMBOL, { value: true });
+    this.stageType = props.stageType;
+  }
+  /**
+   * Finds the OpenHiStage that contains the given construct.
+   */
+  static of(construct) {
+    return construct.node.scopes.reverse().find(_OpenHiStage.isOpenHiStage);
+  }
+  /**
+   * Type guard to check if a value is an OpenHiStage instance.
+   */
+  static isOpenHiStage(x) {
+    return x !== null && typeof x === "object" && OPEN_HI_STAGE_SYMBOL in x;
+  }
+  /**
+   * Gets all OpenHiEnvironment instances contained within this stage.
+   */
+  get environments() {
+    return this.node.children.filter(OpenHiEnvironment.isOpenHiEnvironment);
+  }
+  /**
+   * Gets the primary OpenHiEnvironment for this stage, if one exists.
+   */
+  get primaryEnvironment() {
+    return this.environments.find(
+      (env) => env.deploymentTargetRole === "primary"
+    );
+  }
+  /**
+   * Gets all secondary OpenHiEnvironment instances for this stage.
+   */
+  get secondaryEnvironments() {
+    return this.environments.filter(
+      (env) => env.deploymentTargetRole === "secondary"
+    );
+  }
+};
+
+// src/app/open-hi-app.ts
+var OPEN_HI_APP_SYMBOL = /* @__PURE__ */ Symbol.for("@openhi/constructs/core.OpenHiApp");
+var OpenHiApp = class _OpenHiApp extends import_aws_cdk_lib3.App {
+  /**
+   * Finds the OpenHiApp instance that contains the given construct in its
+   * construct tree.
+   */
+  static of(construct) {
+    return construct.node.scopes.reverse().find(_OpenHiApp.isOpenHiApp);
+  }
+  /**
+   * Type guard that checks if a value is an OpenHiApp instance.
+   */
+  static isOpenHiApp(x) {
+    return x !== null && typeof x === "object" && OPEN_HI_APP_SYMBOL in x;
+  }
+  /**
+   * Creates a new OpenHiApp instance.
+   */
+  constructor(props) {
+    super(props);
+    Object.defineProperty(this, OPEN_HI_APP_SYMBOL, { value: true });
+    this.appName = props.appName ?? "openhi";
+    this.config = props.config;
+    Object.values(import_config2.OPEN_HI_STAGE).forEach((stageType) => {
+      if (this.config.deploymentTargets?.[stageType]) {
+        const stage = new OpenHiStage(this, { stageType });
+        if (this.config.deploymentTargets?.[stageType]?.[import_config2.OPEN_HI_DEPLOYMENT_TARGET_ROLE.PRIMARY]) {
+          const envConfig = this.config.deploymentTargets[stageType][import_config2.OPEN_HI_DEPLOYMENT_TARGET_ROLE.PRIMARY];
+          new OpenHiEnvironment(stage, {
+            deploymentTargetRole: import_config2.OPEN_HI_DEPLOYMENT_TARGET_ROLE.PRIMARY,
+            config: envConfig,
+            env: { account: envConfig.account, region: envConfig.region }
+          });
+        }
+        if (this.config.deploymentTargets?.[stageType]?.[import_config2.OPEN_HI_DEPLOYMENT_TARGET_ROLE.SECONDARY]) {
+          this.config.deploymentTargets[stageType][import_config2.OPEN_HI_DEPLOYMENT_TARGET_ROLE.SECONDARY].forEach((envConfig) => {
+            new OpenHiEnvironment(stage, {
+              deploymentTargetRole: import_config2.OPEN_HI_DEPLOYMENT_TARGET_ROLE.SECONDARY,
+              config: envConfig,
+              env: { account: envConfig.account, region: envConfig.region }
+            });
+          });
+        }
+      }
+    });
+  }
+  /*****************************************************************************
+   *
+   * Stages
+   *
+   ****************************************************************************/
+  /**
+     * Gets all OpenHiStage instances that are direct children of this app.
+  
+     */
+  get stages() {
+    return this.node.children.filter(OpenHiStage.isOpenHiStage);
+  }
+  /**
+   * Gets the development stage, if it exists.
+   */
+  get devStage() {
+    return this.stages.find((stage) => stage.stageType === import_config2.OPEN_HI_STAGE.DEV);
+  }
+  /**
+   * Gets the staging stage, if it exists.
+   */
+  get stageStage() {
+    return this.stages.find((stage) => stage.stageType === import_config2.OPEN_HI_STAGE.STAGE);
+  }
+  /**
+   * Gets the production stage, if it exists.
+   */
+  get prodStage() {
+    return this.stages.find((stage) => stage.stageType === import_config2.OPEN_HI_STAGE.PROD);
+  }
+  /*****************************************************************************
+   *
+   * Environments
+   *
+   ****************************************************************************/
+  /**
+   * Gets all OpenHiEnvironment instances across all stages in this app.
+   */
+  get environments() {
+    return this.stages.flatMap((stage) => stage.environments);
+  }
+  /**
+   * Gets all primary environments across all stages in this app.
+   */
+  get primaryEnvironments() {
+    return this.environments.filter(
+      (env) => env.deploymentTargetRole === "primary"
+    );
+  }
+  /**
+   * Gets all secondary environments across all stages in this app.
+   */
+  get secondaryEnvironments() {
+    return this.environments.filter(
+      (env) => env.deploymentTargetRole === "secondary"
+    );
+  }
+};
+
+// src/app/open-hi-service.ts
+var import_utils = require("@codedrifters/utils");
+var import_config3 = __toESM(require_lib());
+var import_aws_cdk_lib4 = require("aws-cdk-lib");
+var import_change_case = require("change-case");
+var OpenHiService = class extends import_aws_cdk_lib4.Stack {
+  /**
+   * Creates a new OpenHI service stack.
+   *
+   * @param ohEnv - The OpenHI environment (stage) this service belongs to
+   * @param id - Unique identifier for this service stack (e.g., "user-service")
+   * @param props - Optional properties for configuring the service
+   *
+   * @throws {Error} If account and region are not defined in props or environment
+   *
+   */
+  constructor(ohEnv, id, props = {}) {
+    const { account, region } = props.env || ohEnv;
+    if (!account || !region) {
+      throw new Error(
+        "Account and region must be defined in OpenHiServiceProps or OpenHiEnvironment"
+      );
+    }
+    const appName = props.appName ?? ohEnv.ohStage.ohApp.appName ?? "openhi";
+    const repoName = props.repoName ?? (0, import_utils.findGitRepoName)();
+    const defaultReleaseBranch = props.defaultReleaseBranch ?? "main";
+    const branchName = props.branchName ?? (process.env.JEST_WORKER_ID ? "test-branch" : ohEnv.ohStage.stageType === import_config3.OPEN_HI_STAGE.DEV ? (0, import_utils.findGitBranch)() : defaultReleaseBranch);
+    const environmentHash = (0, import_utils.hashString)(
+      [appName, ohEnv.deploymentTargetRole, account, region].join("-"),
+      6
+    );
+    const branchHash = (0, import_utils.hashString)(
+      [appName, ohEnv.deploymentTargetRole, account, region, branchName].join(
+        "-"
+      ),
+      6
+    );
+    const stackHash = (0, import_utils.hashString)(
+      [
+        appName,
+        ohEnv.deploymentTargetRole,
+        account,
+        region,
+        branchName,
+        id
+      ].join("-"),
+      6
+    );
+    const removalPolicy = props.removalPolicy ?? (ohEnv.ohStage.stageType === import_config3.OPEN_HI_STAGE.PROD ? import_aws_cdk_lib4.RemovalPolicy.RETAIN : import_aws_cdk_lib4.RemovalPolicy.DESTROY);
+    Object.assign(props, { removalPolicy });
+    const description = `OpenHi Service: ${id} [${branchName}] - ${branchHash}`;
+    super(ohEnv, [branchHash, id, account, region].join("-"), {
+      ...props,
+      description
+    });
+    this.ohEnv = ohEnv;
+    this.props = props;
+    this.serviceId = id;
+    this.removalPolicy = removalPolicy;
+    this.config = props.config ?? ohEnv.props.config;
+    this.deploymentTargetRole = ohEnv.deploymentTargetRole;
+    this.repoName = repoName;
+    this.appName = appName;
+    this.defaultReleaseBranch = defaultReleaseBranch;
+    this.branchName = branchName;
+    this.environmentHash = environmentHash;
+    this.branchHash = branchHash;
+    this.stackHash = stackHash;
+    import_aws_cdk_lib4.Tags.of(this).add(`${appName}:repo-name`, repoName.slice(0, 255));
+    import_aws_cdk_lib4.Tags.of(this).add(`${appName}:branch-name`, branchName.slice(0, 255));
+    import_aws_cdk_lib4.Tags.of(this).add(`${appName}:service-type`, id.slice(0, 255));
+    import_aws_cdk_lib4.Tags.of(this).add(
+      `${appName}:stage-type`,
+      ohEnv.ohStage.stageType.slice(0, 255)
+    );
+  }
+  /**
+   * DNS prefix for this branche's child zone.
+   */
+  get childZonePrefix() {
+    return (0, import_change_case.paramCase)(this.branchName).slice(0, 200);
+  }
+};
+
+// src/components/acm/root-wildcard-certificate.ts
+var import_aws_certificatemanager = require("aws-cdk-lib/aws-certificatemanager");
+var import_aws_ssm = require("aws-cdk-lib/aws-ssm");
+var _RootWildcardCertificate = class _RootWildcardCertificate extends import_aws_certificatemanager.Certificate {
+  /**
+   * Using a special name here since this will be shared and used among many
+   * stacks and services. Use with OpenHiGlobalService.rootWildcardCertificateFromConstruct.
+   */
+  static ssmParameterName() {
+    return "/" + ["GLOBAL", _RootWildcardCertificate.SSM_PARAM_NAME].join("/").toUpperCase();
+  }
+  constructor(scope, props) {
+    super(scope, "root-wildcard-certificate", { ...props });
+    new import_aws_ssm.StringParameter(this, "wildcard-cert-param", {
+      parameterName: _RootWildcardCertificate.ssmParameterName(),
+      stringValue: this.certificateArn
+    });
+  }
+};
+/**
+ * Used when storing the Certificate ARN in SSM.
+ */
+_RootWildcardCertificate.SSM_PARAM_NAME = "ROOT_WILDCARD_CERT_ARN";
+var RootWildcardCertificate = _RootWildcardCertificate;
+
+// src/components/api-gateway/root-http-api.ts
+var import_aws_apigatewayv2 = require("aws-cdk-lib/aws-apigatewayv2");
+var RootHttpApi = class extends import_aws_apigatewayv2.HttpApi {
+  constructor(scope, props = {}) {
+    const stack = OpenHiService.of(scope);
+    super(scope, "http-api", {
+      /**
+       * User provided props
+       */
+      ...props,
+      /**
+       * Required
+       */
+      apiName: ["root", "http", "api", stack.branchHash].join("-")
+    });
+  }
+};
+/**
+ * Used when storing the API ID in SSM.
+ */
+RootHttpApi.SSM_PARAM_NAME = "ROOT_HTTP_API";
+
+// src/components/app-sync/root-graphql-api.ts
+var import_aws_appsync = require("aws-cdk-lib/aws-appsync");
+var import_awscdk_appsync_utils = require("awscdk-appsync-utils");
+
+// src/components/ssm/discoverable-string-parameter.ts
+var import_aws_cdk_lib5 = require("aws-cdk-lib");
+var import_aws_ssm2 = require("aws-cdk-lib/aws-ssm");
+var _DiscoverableStringParameter = class _DiscoverableStringParameter extends import_aws_ssm2.StringParameter {
+  /**
+   * Build a param name based on predictable attributes found in services and
+   * constructs. Used for storage and retrieval of SSM values across services.
+   */
+  static buildParameterName(scope, props) {
+    const stack = OpenHiService.of(scope);
+    return "/" + [
+      _DiscoverableStringParameter.version,
+      props.branchHash ?? stack.branchHash,
+      props.serviceType ?? stack.serviceType,
+      props.account ?? stack.account,
+      props.region ?? stack.region,
+      props.ssmParamName
+    ].join("/").toUpperCase();
+  }
+  /**
+   * Read the string value of an SSM parameter created with DiscoverableStringParameter,
+   * using props that include ssmParamName and optional overrides (e.g. serviceType).
+   */
+  static valueForLookupName(scope, props) {
+    const paramName = _DiscoverableStringParameter.buildParameterName(
+      scope,
+      props
+    );
+    return import_aws_ssm2.StringParameter.valueForStringParameter(scope, paramName);
+  }
+  constructor(scope, id, props) {
+    const { ssmParamName, branchHash, serviceType, account, region, ...rest } = props;
+    const parameterName = _DiscoverableStringParameter.buildParameterName(
+      scope,
+      props
+    );
+    super(scope, id + "-" + _DiscoverableStringParameter.version, {
+      ...rest,
+      parameterName
+    });
+    const { appName } = OpenHiService.of(scope);
+    import_aws_cdk_lib5.Tags.of(this).add(`${appName}:param-name`, ssmParamName);
+  }
+};
+/**
+ * Version of the parameter name format / discoverability schema.
+ * Bump when buildParameterName or tagging semantics change.
+ * Also used to drive replacement of parameters during CloudFormation deploys.
+ */
+_DiscoverableStringParameter.version = "v1";
+var DiscoverableStringParameter = _DiscoverableStringParameter;
+
+// src/components/app-sync/root-graphql-api.ts
+var _RootGraphqlApi = class _RootGraphqlApi extends import_aws_appsync.GraphqlApi {
+  static fromConstruct(scope) {
+    const graphqlApiId = DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: _RootGraphqlApi.SSM_PARAM_NAME,
+      serviceType: "graphql-api"
+    });
+    return import_aws_appsync.GraphqlApi.fromGraphqlApiAttributes(scope, "root-graphql-api", {
+      graphqlApiId
+    });
+  }
+  constructor(scope, props) {
+    const stack = OpenHiService.of(scope);
+    const schema = new import_awscdk_appsync_utils.CodeFirstSchema();
+    schema.addType(
+      new import_awscdk_appsync_utils.ObjectType("Query", {
+        definition: { HelloWorld: import_awscdk_appsync_utils.GraphqlType.string() }
+      })
+    );
+    super(scope, "root-graphql-api", {
+      /**
+       * Defaults
+       */
+      queryDepthLimit: 2,
+      resolverCountLimit: 50,
+      definition: import_aws_appsync.Definition.fromSchema(schema),
+      /**
+       * Overrideable props
+       */
+      ...props,
+      /**
+       * Required
+       */
+      name: ["root", "graphql", "api", stack.branchHash].join("-")
+    });
+    new DiscoverableStringParameter(this, "graphql-api-param", {
+      ssmParamName: _RootGraphqlApi.SSM_PARAM_NAME,
+      serviceType: "graphql-api",
+      stringValue: this.apiId
+    });
+  }
+};
+/**
+ * Used when storing the GraphQl API ID in SSM.
+ */
+_RootGraphqlApi.SSM_PARAM_NAME = "ROOT_GRAPHQL_API";
+var RootGraphqlApi = _RootGraphqlApi;
+
+// src/components/cognito/cognito-user-pool.ts
+var import_aws_cognito = require("aws-cdk-lib/aws-cognito");
+var CognitoUserPool = class extends import_aws_cognito.UserPool {
+  constructor(scope, props = {}) {
+    const service = OpenHiService.of(scope);
+    super(scope, "user-pool", {
+      /**
+       * Defaults
+       */
+      selfSignUpEnabled: true,
+      signInAliases: {
+        email: true
+      },
+      userVerification: {
+        emailSubject: "Verify your email!",
+        emailBody: "Your verification code is {####}.",
+        emailStyle: import_aws_cognito.VerificationEmailStyle.CODE
+      },
+      removalPolicy: props.removalPolicy ?? service.removalPolicy,
+      /**
+       * Over-rideable props
+       */
+      ...props,
+      /**
+       * Required
+       */
+      userPoolName: ["cognito", "user", "pool", service.branchHash].join("-")
+    });
+  }
+};
+/**
+ * Used when storing the User Pool ID in SSM.
+ */
+CognitoUserPool.SSM_PARAM_NAME = "COGNITO_USER_POOL";
+
+// src/components/cognito/cognito-user-pool-client.ts
+var import_aws_cognito2 = require("aws-cdk-lib/aws-cognito");
+var CognitoUserPoolClient = class extends import_aws_cognito2.UserPoolClient {
+  constructor(scope, props) {
+    super(scope, "user-pool-client", {
+      /**
+       * Defaults
+       */
+      generateSecret: false,
+      oAuth: {
+        flows: {
+          authorizationCodeGrant: true,
+          implicitCodeGrant: true
+        },
+        callbackUrls: [`https://localhost:3000/oauth/callback`]
+      },
+      /**
+       * Overrideable props
+       */
+      ...props
+    });
+  }
+};
+/**
+ * Used when storing the User Pool Client ID in SSM.
+ */
+CognitoUserPoolClient.SSM_PARAM_NAME = "COGNITO_USER_POOL_CLIENT";
+
+// src/components/cognito/cognito-user-pool-domain.ts
+var import_aws_cognito3 = require("aws-cdk-lib/aws-cognito");
+var CognitoUserPoolDomain = class extends import_aws_cognito3.UserPoolDomain {
+  constructor(scope, props) {
+    const id = props.cognitoDomain?.domainPrefix ? "cognito-domain" : "custom-domain";
+    super(scope, id, {
+      ...props
+    });
+  }
+};
+/**
+ * Used when storing the User Pool Domain in SSM.
+ */
+CognitoUserPoolDomain.SSM_PARAM_NAME = "COGNITO_USER_POOL_DOMAIN";
+
+// src/components/cognito/cognito-user-pool-kms-key.ts
+var import_aws_kms = require("aws-cdk-lib/aws-kms");
+var CognitoUserPoolKmsKey = class extends import_aws_kms.Key {
+  constructor(scope, props = {}) {
+    const service = OpenHiService.of(scope);
+    super(scope, "kms-key", {
+      ...props,
+      // alias: ["alias", "cognito", service.branchHash].join("/"),
+      description: `KMS Key for Cognito User Pool - ${service.branchHash}`,
+      removalPolicy: props.removalPolicy ?? service.removalPolicy
+    });
+  }
+};
+/**
+ * Used when storing the KMS Key in SSM.
+ */
+CognitoUserPoolKmsKey.SSM_PARAM_NAME = "COGNITO_USER_POOL_KMS_KEY";
+
+// src/components/dynamodb/dynamo-db-data-store.ts
+var import_aws_dynamodb = require("aws-cdk-lib/aws-dynamodb");
+function getDynamoDbDataStoreTableName(scope) {
+  const stack = OpenHiService.of(scope);
+  return `data-store-${stack.branchHash}`;
+}
+var DynamoDbDataStore = class extends import_aws_dynamodb.Table {
+  constructor(scope, id, props = {}) {
+    const service = OpenHiService.of(scope);
+    super(scope, id, {
+      ...props,
+      tableName: getDynamoDbDataStoreTableName(scope),
+      partitionKey: {
+        name: "PK",
+        type: import_aws_dynamodb.AttributeType.STRING
+      },
+      sortKey: {
+        name: "SK",
+        type: import_aws_dynamodb.AttributeType.STRING
+      },
+      billingMode: import_aws_dynamodb.BillingMode.PAY_PER_REQUEST,
+      removalPolicy: props.removalPolicy ?? service.removalPolicy
+    });
+    this.addGlobalSecondaryIndex({
+      indexName: "GSI1",
+      partitionKey: {
+        name: "GSI1PK",
+        type: import_aws_dynamodb.AttributeType.STRING
+      },
+      sortKey: {
+        name: "GSI1SK",
+        type: import_aws_dynamodb.AttributeType.STRING
+      },
+      projectionType: import_aws_dynamodb.ProjectionType.INCLUDE,
+      nonKeyAttributes: ["srcType", "srcId", "path", "srcPk", "srcSk", "ts"]
+    });
+    this.addGlobalSecondaryIndex({
+      indexName: "GSI2",
+      partitionKey: {
+        name: "GSI2PK",
+        type: import_aws_dynamodb.AttributeType.STRING
+      },
+      sortKey: {
+        name: "GSI2SK",
+        type: import_aws_dynamodb.AttributeType.STRING
+      },
+      projectionType: import_aws_dynamodb.ProjectionType.INCLUDE,
+      nonKeyAttributes: ["resourcePk", "resourceSk", "display", "status"]
+    });
+    this.addGlobalSecondaryIndex({
+      indexName: "GSI3",
+      partitionKey: {
+        name: "GSI3PK",
+        type: import_aws_dynamodb.AttributeType.STRING
+      },
+      sortKey: {
+        name: "GSI3SK",
+        type: import_aws_dynamodb.AttributeType.STRING
+      },
+      projectionType: import_aws_dynamodb.ProjectionType.INCLUDE,
+      nonKeyAttributes: ["resourcePk", "resourceSk"]
+    });
+    this.addGlobalSecondaryIndex({
+      indexName: "GSI4",
+      partitionKey: {
+        name: "GSI4PK",
+        type: import_aws_dynamodb.AttributeType.STRING
+      },
+      sortKey: {
+        name: "GSI4SK",
+        type: import_aws_dynamodb.AttributeType.STRING
+      },
+      projectionType: import_aws_dynamodb.ProjectionType.ALL
+    });
+  }
+};
+
+// src/components/event-bridge/data-event-bus.ts
+var import_aws_events = require("aws-cdk-lib/aws-events");
+var DataEventBus = class _DataEventBus extends import_aws_events.EventBus {
+  /*****************************************************************************
+   *
+   * Return a name for this EventBus based on the stack environment hash. This
+   * name is common across all stacks since it's using the environment hash in
+   * it's name.
+   *
+   ****************************************************************************/
+  static getEventBusName(scope) {
+    const stack = OpenHiService.of(scope);
+    return `data${stack.branchHash}`;
+  }
+  constructor(scope, props) {
+    super(scope, "data-event-bus", {
+      ...props,
+      eventBusName: _DataEventBus.getEventBusName(scope)
+    });
+  }
+};
+
+// src/components/event-bridge/ops-event-bus.ts
+var import_aws_events2 = require("aws-cdk-lib/aws-events");
+var OpsEventBus = class _OpsEventBus extends import_aws_events2.EventBus {
+  /*****************************************************************************
+   *
+   * Return a name for this EventBus based on the stack environment hash. This
+   * name is common across all stacks since it's using the environment hash in
+   * it's name.
+   *
+   ****************************************************************************/
+  static getEventBusName(scope) {
+    const stack = OpenHiService.of(scope);
+    return `ops${stack.branchHash}`;
+  }
+  constructor(scope, props) {
+    super(scope, "ops-event-bus", {
+      ...props,
+      eventBusName: _OpsEventBus.getEventBusName(scope)
+    });
+  }
+};
+
+// src/components/route-53/child-hosted-zone.ts
+var import_aws_cdk_lib6 = require("aws-cdk-lib");
+var import_aws_route53 = require("aws-cdk-lib/aws-route53");
+var ChildHostedZone = class extends import_aws_route53.HostedZone {
+  constructor(scope, id, props) {
+    super(scope, id, { ...props });
+    new import_aws_route53.NsRecord(this, "child-ns-record", {
+      zone: props.parentHostedZone,
+      recordName: this.zoneName,
+      values: this.hostedZoneNameServers || [],
+      ttl: import_aws_cdk_lib6.Duration.minutes(5)
+    });
+  }
+};
+/**
+ * Used when storing the child zone ID in SSM. Use {@link OpenHiGlobalService.childHostedZoneFromConstruct} to look up.
+ */
+ChildHostedZone.SSM_PARAM_NAME = "CHILDHOSTEDZONE";
+
+// src/components/route-53/root-hosted-zone.ts
+var import_constructs = require("constructs");
+var RootHostedZone = class extends import_constructs.Construct {
+};
+
+// src/services/open-hi-auth-service.ts
+var import_aws_cognito4 = require("aws-cdk-lib/aws-cognito");
+var import_aws_kms2 = require("aws-cdk-lib/aws-kms");
+var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
+  constructor(ohEnv, props = {}) {
+    super(ohEnv, _OpenHiAuthService.SERVICE_TYPE, props);
+    this.props = props;
+    this.userPoolKmsKey = this.createUserPoolKmsKey();
+    this.userPool = this.createUserPool();
+    this.userPoolClient = this.createUserPoolClient();
+    this.userPoolDomain = this.createUserPoolDomain();
+  }
+  /**
+   * Returns an IUserPool by looking up the Auth stack's User Pool ID from SSM.
+   */
+  static userPoolFromConstruct(scope) {
+    const userPoolId = DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: CognitoUserPool.SSM_PARAM_NAME,
+      serviceType: _OpenHiAuthService.SERVICE_TYPE
+    });
+    return import_aws_cognito4.UserPool.fromUserPoolId(scope, "user-pool", userPoolId);
+  }
+  /**
+   * Returns an IUserPoolClient by looking up the Auth stack's User Pool Client ID from SSM.
+   */
+  static userPoolClientFromConstruct(scope) {
+    const userPoolClientId = DiscoverableStringParameter.valueForLookupName(
+      scope,
+      {
+        ssmParamName: CognitoUserPoolClient.SSM_PARAM_NAME,
+        serviceType: _OpenHiAuthService.SERVICE_TYPE
+      }
+    );
+    return import_aws_cognito4.UserPoolClient.fromUserPoolClientId(
+      scope,
+      "user-pool-client",
+      userPoolClientId
+    );
+  }
+  /**
+   * Returns an IUserPoolDomain by looking up the Auth stack's User Pool Domain from SSM.
+   */
+  static userPoolDomainFromConstruct(scope) {
+    const domainName = DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: CognitoUserPoolDomain.SSM_PARAM_NAME,
+      serviceType: _OpenHiAuthService.SERVICE_TYPE
+    });
+    return import_aws_cognito4.UserPoolDomain.fromDomainName(scope, "user-pool-domain", domainName);
+  }
+  /**
+   * Returns an IKey (KMS) by looking up the Auth stack's User Pool KMS Key ARN from SSM.
+   */
+  static userPoolKmsKeyFromConstruct(scope) {
+    const keyArn = DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: CognitoUserPoolKmsKey.SSM_PARAM_NAME,
+      serviceType: _OpenHiAuthService.SERVICE_TYPE
+    });
+    return import_aws_kms2.Key.fromKeyArn(scope, "kms-key", keyArn);
+  }
+  get serviceType() {
+    return _OpenHiAuthService.SERVICE_TYPE;
+  }
+  /**
+   * Creates the KMS key for the Cognito User Pool and exports its ARN to SSM.
+   * Look up via {@link OpenHiAuthService.userPoolKmsKeyFromConstruct}.
+   * Override to customize.
+   */
+  createUserPoolKmsKey() {
+    const key = new CognitoUserPoolKmsKey(this);
+    new DiscoverableStringParameter(this, "kms-key-param", {
+      ssmParamName: CognitoUserPoolKmsKey.SSM_PARAM_NAME,
+      stringValue: key.keyArn,
+      description: "KMS key ARN for Cognito User Pool (e.g. custom sender); cross-stack reference"
+    });
+    return key;
+  }
+  /**
+   * Creates the Cognito User Pool and exports its ID to SSM.
+   * Look up via {@link OpenHiAuthService.userPoolFromConstruct}.
+   * Override to customize.
+   */
+  createUserPool() {
+    const userPool = new CognitoUserPool(this, {
+      ...this.props.userPoolProps,
+      customSenderKmsKey: this.userPoolKmsKey
+    });
+    new DiscoverableStringParameter(this, "user-pool-param", {
+      ssmParamName: CognitoUserPool.SSM_PARAM_NAME,
+      stringValue: userPool.userPoolId,
+      description: "Cognito User Pool ID for this Auth stack; cross-stack reference"
+    });
+    return userPool;
+  }
+  /**
+   * Creates the User Pool Client and exports its ID to SSM (AUTH service type).
+   * Look up via {@link OpenHiAuthService.userPoolClientFromConstruct}.
+   * Override to customize.
+   */
+  createUserPoolClient() {
+    const client = new CognitoUserPoolClient(this, {
+      userPool: this.userPool
+    });
+    new DiscoverableStringParameter(this, "user-pool-client-param", {
+      ssmParamName: CognitoUserPoolClient.SSM_PARAM_NAME,
+      stringValue: client.userPoolClientId,
+      description: "Cognito User Pool Client ID for this Auth stack; cross-stack reference"
+    });
+    return client;
+  }
+  /**
+   * Creates the User Pool Domain (Cognito hosted UI) and exports domain name to SSM.
+   * Look up via {@link OpenHiAuthService.userPoolDomainFromConstruct}.
+   * Override to customize.
+   */
+  createUserPoolDomain() {
+    const domain = new CognitoUserPoolDomain(this, {
+      userPool: this.userPool,
+      cognitoDomain: {
+        domainPrefix: `auth-${this.branchHash}`
+      }
+    });
+    new DiscoverableStringParameter(this, "user-pool-domain-param", {
+      ssmParamName: CognitoUserPoolDomain.SSM_PARAM_NAME,
+      stringValue: domain.domainName,
+      description: "Cognito User Pool Domain (hosted UI) for this Auth stack; cross-stack reference"
+    });
+    return domain;
+  }
+};
+_OpenHiAuthService.SERVICE_TYPE = "auth";
+var OpenHiAuthService = _OpenHiAuthService;
+
+// src/services/open-hi-global-service.ts
+var import_aws_certificatemanager2 = require("aws-cdk-lib/aws-certificatemanager");
+var import_aws_route532 = require("aws-cdk-lib/aws-route53");
+var import_aws_ssm3 = require("aws-cdk-lib/aws-ssm");
+var _OpenHiGlobalService = class _OpenHiGlobalService extends OpenHiService {
+  /**
+   * Returns an IHostedZone from the given attributes (no SSM). Use when the zone is imported from config.
+   */
+  static rootHostedZoneFromConstruct(scope, props) {
+    return import_aws_route532.HostedZone.fromHostedZoneAttributes(scope, "root-zone", props);
+  }
+  /**
+   * Returns an ICertificate by looking up the Global stack's wildcard cert ARN from SSM.
+   */
+  static rootWildcardCertificateFromConstruct(scope) {
+    const certificateArn = import_aws_ssm3.StringParameter.valueForStringParameter(
+      scope,
+      RootWildcardCertificate.ssmParameterName()
+    );
+    return import_aws_certificatemanager2.Certificate.fromCertificateArn(
+      scope,
+      "wildcard-certificate",
+      certificateArn
+    );
+  }
+  /**
+   * Returns an IHostedZone by looking up the child hosted zone ID from SSM. Defaults to GLOBAL service type.
+   */
+  static childHostedZoneFromConstruct(scope, props) {
+    const hostedZoneId = DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: ChildHostedZone.SSM_PARAM_NAME,
+      serviceType: props.serviceType ?? _OpenHiGlobalService.SERVICE_TYPE
+    });
+    return import_aws_route532.HostedZone.fromHostedZoneAttributes(scope, "child-zone", {
+      hostedZoneId,
+      zoneName: props.zoneName
+    });
+  }
+  get serviceType() {
+    return _OpenHiGlobalService.SERVICE_TYPE;
+  }
+  constructor(ohEnv, props = {}) {
+    super(ohEnv, _OpenHiGlobalService.SERVICE_TYPE, props);
+    this.validateConfig(props);
+    this.rootHostedZone = this.createRootHostedZone();
+    this.childHostedZone = this.createChildHostedZone();
+    this.rootWildcardCertificate = this.createRootWildcardCertificate();
+  }
+  /**
+   * Validates that config required for the Global stack is present.
+   */
+  validateConfig(props) {
+    const { config } = props;
+    if (!config) {
+      throw new Error("Config is required");
+    }
+    if (!config.zoneName) {
+      throw new Error("Zone name is required to import the root zone");
+    }
+    if (!config.hostedZoneId) {
+      throw new Error("Hosted zone ID is required to import the root zone");
+    }
+  }
+  /**
+   * Creates the root hosted zone (imported via attributes from config).
+   * Override to customize or create the zone.
+   */
+  createRootHostedZone() {
+    return _OpenHiGlobalService.rootHostedZoneFromConstruct(this, {
+      zoneName: this.config.zoneName,
+      hostedZoneId: this.config.hostedZoneId
+    });
+  }
+  /**
+   * Creates the optional child hosted zone (e.g. branch subdomain).
+   * Override to create a child zone when config provides childHostedZoneAttributes.
+   * If you create a ChildHostedZone, also create a DiscoverableStringParameter
+   * with ChildHostedZone.SSM_PARAM_NAME and the zone's hostedZoneId.
+   */
+  createChildHostedZone() {
+    return void 0;
+  }
+  /**
+   * Creates the root wildcard certificate. On main branch, creates a new cert
+   * with DNS validation; otherwise imports from SSM.
+   * Override to customize certificate creation.
+   */
+  createRootWildcardCertificate() {
+    if (this.branchName === "main") {
+      return new RootWildcardCertificate(this, {
+        domainName: `*.${this.rootHostedZone.zoneName}`,
+        subjectAlternativeNames: [this.rootHostedZone.zoneName],
+        validation: import_aws_certificatemanager2.CertificateValidation.fromDns(this.rootHostedZone)
+      });
+    }
+    return _OpenHiGlobalService.rootWildcardCertificateFromConstruct(this);
+  }
+};
+_OpenHiGlobalService.SERVICE_TYPE = "global";
+var OpenHiGlobalService = _OpenHiGlobalService;
+
+// src/services/open-hi-rest-api-service.ts
+var import_aws_apigatewayv22 = require("aws-cdk-lib/aws-apigatewayv2");
+var import_aws_apigatewayv2_integrations = require("aws-cdk-lib/aws-apigatewayv2-integrations");
+var import_aws_route533 = require("aws-cdk-lib/aws-route53");
+var import_aws_route53_targets = require("aws-cdk-lib/aws-route53-targets");
+
+// src/services/open-hi-data-service.ts
+var import_aws_dynamodb2 = require("aws-cdk-lib/aws-dynamodb");
+var import_aws_events3 = require("aws-cdk-lib/aws-events");
+var _OpenHiDataService = class _OpenHiDataService extends OpenHiService {
+  /**
+   * Returns the data event bus by name (deterministic per branch). Use from other stacks to obtain an IEventBus reference.
+   */
+  static dataEventBusFromConstruct(scope) {
+    return import_aws_events3.EventBus.fromEventBusName(
+      scope,
+      "data-event-bus",
+      DataEventBus.getEventBusName(scope)
+    );
+  }
+  /**
+   * Returns the ops event bus by name (deterministic per branch). Use from other stacks to obtain an IEventBus reference.
+   */
+  static opsEventBusFromConstruct(scope) {
+    return import_aws_events3.EventBus.fromEventBusName(
+      scope,
+      "ops-event-bus",
+      OpsEventBus.getEventBusName(scope)
+    );
+  }
+  /**
+   * Returns the data store table by name. Use from other stacks (e.g. REST API Lambda) to obtain an ITable reference.
+   */
+  static dynamoDbDataStoreFromConstruct(scope, id = "dynamo-db-data-store") {
+    return import_aws_dynamodb2.Table.fromTableName(scope, id, getDynamoDbDataStoreTableName(scope));
+  }
+  get serviceType() {
+    return _OpenHiDataService.SERVICE_TYPE;
+  }
+  constructor(ohEnv, props = {}) {
+    super(ohEnv, _OpenHiDataService.SERVICE_TYPE, props);
+    this.dataEventBus = this.createDataEventBus();
+    this.opsEventBus = this.createOpsEventBus();
+    this.dataStore = this.createDataStore();
+  }
+  /**
+   * Creates the data event bus.
+   * Override to customize.
+   */
+  createDataEventBus() {
+    return new DataEventBus(this);
+  }
+  /**
+   * Creates the ops event bus.
+   * Override to customize.
+   */
+  createOpsEventBus() {
+    return new OpsEventBus(this);
+  }
+  /**
+   * Creates the single-table DynamoDB data store.
+   * Override to customize.
+   */
+  createDataStore() {
+    return new DynamoDbDataStore(this, "dynamo-db-data-store");
+  }
+};
+_OpenHiDataService.SERVICE_TYPE = "data";
+var OpenHiDataService = _OpenHiDataService;
+
+// src/data/lambda/rest-api-lambda.ts
+var import_path = __toESM(require("path"));
+var import_aws_lambda = require("aws-cdk-lib/aws-lambda");
+var import_aws_lambda_nodejs = require("aws-cdk-lib/aws-lambda-nodejs");
+var import_constructs2 = require("constructs");
+var RestApiLambda = class extends import_constructs2.Construct {
+  constructor(scope, props) {
+    super(scope, "rest-api-lambda");
+    this.lambda = new import_aws_lambda_nodejs.NodejsFunction(this, "handler", {
+      entry: import_path.default.join(__dirname, "rest-api-lambda.handler.js"),
+      runtime: import_aws_lambda.Runtime.NODEJS_LATEST,
+      environment: {
+        DYNAMO_TABLE_NAME: props.dynamoTableName
+      }
+    });
+  }
+};
+
+// src/services/open-hi-rest-api-service.ts
+var REST_API_BASE_URL_SSM_NAME = "REST_API_BASE_URL";
+var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
+  /**
+   * Returns an IHttpApi by looking up the REST API stack's HTTP API ID from SSM.
+   */
+  static rootHttpApiFromConstruct(scope) {
+    const httpApiId = DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: RootHttpApi.SSM_PARAM_NAME,
+      serviceType: _OpenHiRestApiService.SERVICE_TYPE
+    });
+    return import_aws_apigatewayv22.HttpApi.fromHttpApiAttributes(scope, "http-api", { httpApiId });
+  }
+  /**
+   * Returns the REST API base URL (e.g. https://api.example.com) by looking it up from SSM.
+   * Use in other stacks for E2E, scripts, or config.
+   */
+  static restApiBaseUrlFromConstruct(scope) {
+    return DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: REST_API_BASE_URL_SSM_NAME,
+      serviceType: _OpenHiRestApiService.SERVICE_TYPE
+    });
+  }
+  get serviceType() {
+    return _OpenHiRestApiService.SERVICE_TYPE;
+  }
+  constructor(ohEnv, props = {}) {
+    super(ohEnv, _OpenHiRestApiService.SERVICE_TYPE, props);
+    this.validateConfig(props);
+    const hostedZone = this.createHostedZone();
+    const certificate = this.createCertificate();
+    const apiDomainName = this.createApiDomainNameString(hostedZone);
+    this.createRestApiBaseUrlParameter(apiDomainName);
+    const domainName = this.createDomainName(hostedZone, certificate);
+    this.rootHttpApi = this.createRootHttpApi(domainName);
+    this.createRestApiLambdaAndRoutes(hostedZone, domainName);
+  }
+  /**
+   * Validates that config required for the REST API stack is present.
+   */
+  validateConfig(props) {
+    const { config } = props;
+    if (!config) {
+      throw new Error("Config is required");
+    }
+    if (!config.hostedZoneId) {
+      throw new Error("Hosted zone ID is required");
+    }
+    if (!config.zoneName) {
+      throw new Error("Zone name is required");
+    }
+  }
+  /**
+   * Creates the hosted zone reference (imported from config).
+   * Override to customize.
+   */
+  createHostedZone() {
+    const { config } = this.props;
+    return import_aws_route533.HostedZone.fromHostedZoneAttributes(this, "root-zone", {
+      hostedZoneId: config.hostedZoneId,
+      zoneName: config.zoneName
+    });
+  }
+  /**
+   * Creates the wildcard certificate (imported from Global stack via SSM).
+   * Override to customize.
+   */
+  createCertificate() {
+    return OpenHiGlobalService.rootWildcardCertificateFromConstruct(this);
+  }
+  /**
+   * Returns the API domain name string (e.g. api.example.com or api-{prefix}.example.com).
+   * Override to customize.
+   */
+  createApiDomainNameString(hostedZone) {
+    const apiPrefix = this.branchName === "main" ? `api` : `api-${this.childZonePrefix}`;
+    return [apiPrefix, hostedZone.zoneName].join(".");
+  }
+  /**
+   * Creates the SSM parameter for the REST API base URL.
+   * Look up via {@link OpenHiRestApiService.restApiBaseUrlFromConstruct}.
+   * Override to customize.
+   */
+  createRestApiBaseUrlParameter(apiDomainName) {
+    const restApiBaseUrl = `https://${apiDomainName}`;
+    new DiscoverableStringParameter(this, "rest-api-base-url-param", {
+      ssmParamName: REST_API_BASE_URL_SSM_NAME,
+      stringValue: restApiBaseUrl,
+      description: "REST API base URL for this deployment (E2E, scripts)"
+    });
+  }
+  /**
+   * Creates the API Gateway custom domain name resource.
+   * Override to customize.
+   */
+  createDomainName(_hostedZone, certificate) {
+    const apiDomainName = this.createApiDomainNameString(_hostedZone);
+    return new import_aws_apigatewayv22.DomainName(this, "domain", {
+      domainName: apiDomainName,
+      certificate
+    });
+  }
+  /**
+   * Creates the Lambda integration, HTTP routes, and API DNS record.
+   * Override to customize. Uses {@link rootHttpApi} set by the constructor.
+   */
+  createRestApiLambdaAndRoutes(hostedZone, domainName) {
+    const dataStoreTable = OpenHiDataService.dynamoDbDataStoreFromConstruct(this);
+    const { lambda } = new RestApiLambda(this, {
+      dynamoTableName: dataStoreTable.tableName
+    });
+    dataStoreTable.grant(
+      lambda,
+      "dynamodb:GetItem",
+      "dynamodb:Query",
+      "dynamodb:BatchGetItem",
+      "dynamodb:ConditionCheckItem",
+      "dynamodb:DescribeTable",
+      "dynamodb:BatchWriteItem",
+      "dynamodb:PutItem",
+      "dynamodb:UpdateItem",
+      "dynamodb:DeleteItem"
+    );
+    const integration = new import_aws_apigatewayv2_integrations.HttpLambdaIntegration("lambda-integration", lambda);
+    new import_aws_apigatewayv22.HttpRoute(this, "proxy-route-root", {
+      httpApi: this.rootHttpApi,
+      routeKey: import_aws_apigatewayv22.HttpRouteKey.with("/", import_aws_apigatewayv22.HttpMethod.ANY),
+      integration
+    });
+    new import_aws_apigatewayv22.HttpRoute(this, "proxy-route", {
+      httpApi: this.rootHttpApi,
+      routeKey: import_aws_apigatewayv22.HttpRouteKey.with("/{proxy+}", import_aws_apigatewayv22.HttpMethod.ANY),
+      integration
+    });
+    const apiPrefix = this.branchName === "main" ? `api` : `api-${this.childZonePrefix}`;
+    new import_aws_route533.ARecord(this, "api-a-record", {
+      zone: hostedZone,
+      recordName: apiPrefix,
+      target: import_aws_route533.RecordTarget.fromAlias(
+        new import_aws_route53_targets.ApiGatewayv2DomainProperties(
+          domainName.regionalDomainName,
+          domainName.regionalHostedZoneId
+        )
+      )
+    });
+  }
+  /**
+   * Creates the Root HTTP API with default domain mapping and exports API ID to SSM.
+   * Look up via {@link OpenHiRestApiService.rootHttpApiFromConstruct}.
+   * Override to customize.
+   */
+  createRootHttpApi(domainName) {
+    const rootHttpApi = new RootHttpApi(this, {
+      defaultDomainMapping: {
+        domainName,
+        mappingKey: void 0
+      }
+    });
+    new DiscoverableStringParameter(this, "http-api-url-param", {
+      ssmParamName: RootHttpApi.SSM_PARAM_NAME,
+      stringValue: rootHttpApi.httpApiId,
+      description: "API Gateway HTTP API ID for this REST API stack (cross-stack reference)"
+    });
+    return rootHttpApi;
+  }
+};
+_OpenHiRestApiService.SERVICE_TYPE = "rest-api";
+var OpenHiRestApiService = _OpenHiRestApiService;
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  ChildHostedZone,
+  CognitoUserPool,
+  CognitoUserPoolClient,
+  CognitoUserPoolDomain,
+  CognitoUserPoolKmsKey,
+  DataEventBus,
+  DiscoverableStringParameter,
+  DynamoDbDataStore,
+  OpenHiApp,
+  OpenHiAuthService,
+  OpenHiDataService,
+  OpenHiEnvironment,
+  OpenHiGlobalService,
+  OpenHiRestApiService,
+  OpenHiService,
+  OpenHiStage,
+  OpsEventBus,
+  REST_API_BASE_URL_SSM_NAME,
+  RootGraphqlApi,
+  RootHostedZone,
+  RootHttpApi,
+  RootWildcardCertificate,
+  getDynamoDbDataStoreTableName
+});
+//# sourceMappingURL=index.js.map