@openhi/constructs 0.0.0 → 0.0.2

package/lib/index.mjs

@@ -0,0 +1,1303 @@
+import {
+  __commonJS,
+  __toESM
+} from "./chunk-LZOMFHX3.mjs";
+
+// ../config/lib/open-hi-config.js
+var require_open_hi_config = __commonJS({
+  "../config/lib/open-hi-config.js"(exports) {
+    "use strict";
+    Object.defineProperty(exports, "__esModule", { value: true });
+    exports.OPEN_HI_DEPLOYMENT_TARGET_ROLE = exports.OPEN_HI_STAGE = void 0;
+    exports.OPEN_HI_STAGE = {
+      /**
+       * Development environment, typically used for testing and development.
+       */
+      DEV: "dev",
+      /**
+       * Staging environment, used for pre-production testing.
+       */
+      STAGE: "stage",
+      /**
+       * Production environment, used for live deployments.
+       */
+      PROD: "prod"
+    };
+    exports.OPEN_HI_DEPLOYMENT_TARGET_ROLE = {
+      /**
+       * The primary deployment target for this stage (main account/region).
+       * For example, the base DynamoDB region for global tables.
+       */
+      PRIMARY: "primary",
+      /**
+       * A secondary deployment target for this stage (additional account/region).
+       * For example, a replica region for a global DynamoDB table, or another cell in the same region.
+       */
+      SECONDARY: "secondary"
+    };
+  }
+});
+
+// ../config/lib/index.js
+var require_lib = __commonJS({
+  "../config/lib/index.js"(exports) {
+    "use strict";
+    var __createBinding = exports && exports.__createBinding || (Object.create ? (function(o, m, k, k2) {
+      if (k2 === void 0) k2 = k;
+      var desc = Object.getOwnPropertyDescriptor(m, k);
+      if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+        desc = { enumerable: true, get: function() {
+          return m[k];
+        } };
+      }
+      Object.defineProperty(o, k2, desc);
+    }) : (function(o, m, k, k2) {
+      if (k2 === void 0) k2 = k;
+      o[k2] = m[k];
+    }));
+    var __exportStar = exports && exports.__exportStar || function(m, exports2) {
+      for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports2, p)) __createBinding(exports2, m, p);
+    };
+    Object.defineProperty(exports, "__esModule", { value: true });
+    __exportStar(require_open_hi_config(), exports);
+  }
+});
+
+// src/app/open-hi-app.ts
+var import_config2 = __toESM(require_lib());
+import { App } from "aws-cdk-lib";
+
+// src/app/open-hi-environment.ts
+var import_config = __toESM(require_lib());
+import { Stage } from "aws-cdk-lib";
+var OPEN_HI_ENVIRONMENT_SYMBOL = /* @__PURE__ */ Symbol.for(
+  "@openhi/constructs/core.OpenHiEnvironment"
+);
+var OpenHiEnvironment = class _OpenHiEnvironment extends Stage {
+  /**
+   * Creates a new OpenHiEnvironment.
+   */
+  constructor(ohStage, props) {
+    if (props.config.account && props.config.region) {
+      props = {
+        ...props,
+        env: {
+          account: props.config.account,
+          region: props.config.region
+        }
+      };
+    }
+    const stageName = props.deploymentTargetRole === import_config.OPEN_HI_DEPLOYMENT_TARGET_ROLE.PRIMARY ? props.deploymentTargetRole : [props.deploymentTargetRole, ohStage.environments.length].join("-");
+    super(ohStage, stageName, {
+      env: props.env ?? ohStage.props.env,
+      ...props
+    });
+    this.ohStage = ohStage;
+    this.props = props;
+    Object.defineProperty(this, OPEN_HI_ENVIRONMENT_SYMBOL, { value: true });
+    this.deploymentTargetRole = props.deploymentTargetRole;
+    this.config = props.config;
+  }
+  /**
+   * Finds the OpenHiEnvironment that contains the given construct.
+   * ```
+   */
+  static of(construct) {
+    return construct.node.scopes.reverse().find(_OpenHiEnvironment.isOpenHiEnvironment);
+  }
+  /**
+   * Type guard to check if a value is an OpenHiEnvironment instance.
+   */
+  static isOpenHiEnvironment(x) {
+    return x !== null && typeof x === "object" && OPEN_HI_ENVIRONMENT_SYMBOL in x;
+  }
+};
+
+// src/app/open-hi-stage.ts
+import { Stage as Stage2 } from "aws-cdk-lib";
+var OPEN_HI_STAGE_SYMBOL = /* @__PURE__ */ Symbol.for("@openhi/constructs/core.OpenHiStage");
+var OpenHiStage = class _OpenHiStage extends Stage2 {
+  /**
+   * Creates a new OpenHiStage instance.
+   */
+  constructor(ohApp, props) {
+    super(ohApp, props.stageType, props);
+    this.ohApp = ohApp;
+    this.props = props;
+    Object.defineProperty(this, OPEN_HI_STAGE_SYMBOL, { value: true });
+    this.stageType = props.stageType;
+  }
+  /**
+   * Finds the OpenHiStage that contains the given construct.
+   */
+  static of(construct) {
+    return construct.node.scopes.reverse().find(_OpenHiStage.isOpenHiStage);
+  }
+  /**
+   * Type guard to check if a value is an OpenHiStage instance.
+   */
+  static isOpenHiStage(x) {
+    return x !== null && typeof x === "object" && OPEN_HI_STAGE_SYMBOL in x;
+  }
+  /**
+   * Gets all OpenHiEnvironment instances contained within this stage.
+   */
+  get environments() {
+    return this.node.children.filter(OpenHiEnvironment.isOpenHiEnvironment);
+  }
+  /**
+   * Gets the primary OpenHiEnvironment for this stage, if one exists.
+   */
+  get primaryEnvironment() {
+    return this.environments.find(
+      (env) => env.deploymentTargetRole === "primary"
+    );
+  }
+  /**
+   * Gets all secondary OpenHiEnvironment instances for this stage.
+   */
+  get secondaryEnvironments() {
+    return this.environments.filter(
+      (env) => env.deploymentTargetRole === "secondary"
+    );
+  }
+};
+
+// src/app/open-hi-app.ts
+var OPEN_HI_APP_SYMBOL = /* @__PURE__ */ Symbol.for("@openhi/constructs/core.OpenHiApp");
+var OpenHiApp = class _OpenHiApp extends App {
+  /**
+   * Finds the OpenHiApp instance that contains the given construct in its
+   * construct tree.
+   */
+  static of(construct) {
+    return construct.node.scopes.reverse().find(_OpenHiApp.isOpenHiApp);
+  }
+  /**
+   * Type guard that checks if a value is an OpenHiApp instance.
+   */
+  static isOpenHiApp(x) {
+    return x !== null && typeof x === "object" && OPEN_HI_APP_SYMBOL in x;
+  }
+  /**
+   * Creates a new OpenHiApp instance.
+   */
+  constructor(props) {
+    super(props);
+    Object.defineProperty(this, OPEN_HI_APP_SYMBOL, { value: true });
+    this.appName = props.appName ?? "openhi";
+    this.config = props.config;
+    Object.values(import_config2.OPEN_HI_STAGE).forEach((stageType) => {
+      if (this.config.deploymentTargets?.[stageType]) {
+        const stage = new OpenHiStage(this, { stageType });
+        if (this.config.deploymentTargets?.[stageType]?.[import_config2.OPEN_HI_DEPLOYMENT_TARGET_ROLE.PRIMARY]) {
+          const envConfig = this.config.deploymentTargets[stageType][import_config2.OPEN_HI_DEPLOYMENT_TARGET_ROLE.PRIMARY];
+          new OpenHiEnvironment(stage, {
+            deploymentTargetRole: import_config2.OPEN_HI_DEPLOYMENT_TARGET_ROLE.PRIMARY,
+            config: envConfig,
+            env: { account: envConfig.account, region: envConfig.region }
+          });
+        }
+        if (this.config.deploymentTargets?.[stageType]?.[import_config2.OPEN_HI_DEPLOYMENT_TARGET_ROLE.SECONDARY]) {
+          this.config.deploymentTargets[stageType][import_config2.OPEN_HI_DEPLOYMENT_TARGET_ROLE.SECONDARY].forEach((envConfig) => {
+            new OpenHiEnvironment(stage, {
+              deploymentTargetRole: import_config2.OPEN_HI_DEPLOYMENT_TARGET_ROLE.SECONDARY,
+              config: envConfig,
+              env: { account: envConfig.account, region: envConfig.region }
+            });
+          });
+        }
+      }
+    });
+  }
+  /*****************************************************************************
+   *
+   * Stages
+   *
+   ****************************************************************************/
+  /**
+     * Gets all OpenHiStage instances that are direct children of this app.
+  
+     */
+  get stages() {
+    return this.node.children.filter(OpenHiStage.isOpenHiStage);
+  }
+  /**
+   * Gets the development stage, if it exists.
+   */
+  get devStage() {
+    return this.stages.find((stage) => stage.stageType === import_config2.OPEN_HI_STAGE.DEV);
+  }
+  /**
+   * Gets the staging stage, if it exists.
+   */
+  get stageStage() {
+    return this.stages.find((stage) => stage.stageType === import_config2.OPEN_HI_STAGE.STAGE);
+  }
+  /**
+   * Gets the production stage, if it exists.
+   */
+  get prodStage() {
+    return this.stages.find((stage) => stage.stageType === import_config2.OPEN_HI_STAGE.PROD);
+  }
+  /*****************************************************************************
+   *
+   * Environments
+   *
+   ****************************************************************************/
+  /**
+   * Gets all OpenHiEnvironment instances across all stages in this app.
+   */
+  get environments() {
+    return this.stages.flatMap((stage) => stage.environments);
+  }
+  /**
+   * Gets all primary environments across all stages in this app.
+   */
+  get primaryEnvironments() {
+    return this.environments.filter(
+      (env) => env.deploymentTargetRole === "primary"
+    );
+  }
+  /**
+   * Gets all secondary environments across all stages in this app.
+   */
+  get secondaryEnvironments() {
+    return this.environments.filter(
+      (env) => env.deploymentTargetRole === "secondary"
+    );
+  }
+};
+
+// src/app/open-hi-service.ts
+var import_config3 = __toESM(require_lib());
+import {
+  findGitBranch,
+  findGitRepoName,
+  hashString
+} from "@codedrifters/utils";
+import { RemovalPolicy, Stack, Tags } from "aws-cdk-lib";
+import { paramCase } from "change-case";
+var OpenHiService = class extends Stack {
+  /**
+   * Creates a new OpenHI service stack.
+   *
+   * @param ohEnv - The OpenHI environment (stage) this service belongs to
+   * @param id - Unique identifier for this service stack (e.g., "user-service")
+   * @param props - Optional properties for configuring the service
+   *
+   * @throws {Error} If account and region are not defined in props or environment
+   *
+   */
+  constructor(ohEnv, id, props = {}) {
+    const { account, region } = props.env || ohEnv;
+    if (!account || !region) {
+      throw new Error(
+        "Account and region must be defined in OpenHiServiceProps or OpenHiEnvironment"
+      );
+    }
+    const appName = props.appName ?? ohEnv.ohStage.ohApp.appName ?? "openhi";
+    const repoName = props.repoName ?? findGitRepoName();
+    const defaultReleaseBranch = props.defaultReleaseBranch ?? "main";
+    const branchName = props.branchName ?? (process.env.JEST_WORKER_ID ? "test-branch" : ohEnv.ohStage.stageType === import_config3.OPEN_HI_STAGE.DEV ? findGitBranch() : defaultReleaseBranch);
+    const environmentHash = hashString(
+      [appName, ohEnv.deploymentTargetRole, account, region].join("-"),
+      6
+    );
+    const branchHash = hashString(
+      [appName, ohEnv.deploymentTargetRole, account, region, branchName].join(
+        "-"
+      ),
+      6
+    );
+    const stackHash = hashString(
+      [
+        appName,
+        ohEnv.deploymentTargetRole,
+        account,
+        region,
+        branchName,
+        id
+      ].join("-"),
+      6
+    );
+    const removalPolicy = props.removalPolicy ?? (ohEnv.ohStage.stageType === import_config3.OPEN_HI_STAGE.PROD ? RemovalPolicy.RETAIN : RemovalPolicy.DESTROY);
+    Object.assign(props, { removalPolicy });
+    const description = `OpenHi Service: ${id} [${branchName}] - ${branchHash}`;
+    super(ohEnv, [branchHash, id, account, region].join("-"), {
+      ...props,
+      description
+    });
+    this.ohEnv = ohEnv;
+    this.props = props;
+    this.serviceId = id;
+    this.removalPolicy = removalPolicy;
+    this.config = props.config ?? ohEnv.props.config;
+    this.deploymentTargetRole = ohEnv.deploymentTargetRole;
+    this.repoName = repoName;
+    this.appName = appName;
+    this.defaultReleaseBranch = defaultReleaseBranch;
+    this.branchName = branchName;
+    this.environmentHash = environmentHash;
+    this.branchHash = branchHash;
+    this.stackHash = stackHash;
+    Tags.of(this).add(`${appName}:repo-name`, repoName.slice(0, 255));
+    Tags.of(this).add(`${appName}:branch-name`, branchName.slice(0, 255));
+    Tags.of(this).add(`${appName}:service-type`, id.slice(0, 255));
+    Tags.of(this).add(
+      `${appName}:stage-type`,
+      ohEnv.ohStage.stageType.slice(0, 255)
+    );
+  }
+  /**
+   * DNS prefix for this branche's child zone.
+   */
+  get childZonePrefix() {
+    return paramCase(this.branchName).slice(0, 200);
+  }
+};
+
+// src/components/acm/root-wildcard-certificate.ts
+import {
+  Certificate
+} from "aws-cdk-lib/aws-certificatemanager";
+import { StringParameter } from "aws-cdk-lib/aws-ssm";
+var _RootWildcardCertificate = class _RootWildcardCertificate extends Certificate {
+  /**
+   * Using a special name here since this will be shared and used among many
+   * stacks and services. Use with OpenHiGlobalService.rootWildcardCertificateFromConstruct.
+   */
+  static ssmParameterName() {
+    return "/" + ["GLOBAL", _RootWildcardCertificate.SSM_PARAM_NAME].join("/").toUpperCase();
+  }
+  constructor(scope, props) {
+    super(scope, "root-wildcard-certificate", { ...props });
+    new StringParameter(this, "wildcard-cert-param", {
+      parameterName: _RootWildcardCertificate.ssmParameterName(),
+      stringValue: this.certificateArn
+    });
+  }
+};
+/**
+ * Used when storing the Certificate ARN in SSM.
+ */
+_RootWildcardCertificate.SSM_PARAM_NAME = "ROOT_WILDCARD_CERT_ARN";
+var RootWildcardCertificate = _RootWildcardCertificate;
+
+// src/components/api-gateway/root-http-api.ts
+import { HttpApi } from "aws-cdk-lib/aws-apigatewayv2";
+var RootHttpApi = class extends HttpApi {
+  constructor(scope, props = {}) {
+    const stack = OpenHiService.of(scope);
+    super(scope, "http-api", {
+      /**
+       * User provided props
+       */
+      ...props,
+      /**
+       * Required
+       */
+      apiName: ["root", "http", "api", stack.branchHash].join("-")
+    });
+  }
+};
+/**
+ * Used when storing the API ID in SSM.
+ */
+RootHttpApi.SSM_PARAM_NAME = "ROOT_HTTP_API";
+
+// src/components/app-sync/root-graphql-api.ts
+import {
+  Definition,
+  GraphqlApi
+} from "aws-cdk-lib/aws-appsync";
+import { CodeFirstSchema, GraphqlType, ObjectType } from "awscdk-appsync-utils";
+
+// src/components/ssm/discoverable-string-parameter.ts
+import { Tags as Tags2 } from "aws-cdk-lib";
+import {
+  StringParameter as StringParameter2
+} from "aws-cdk-lib/aws-ssm";
+var _DiscoverableStringParameter = class _DiscoverableStringParameter extends StringParameter2 {
+  /**
+   * Build a param name based on predictable attributes found in services and
+   * constructs. Used for storage and retrieval of SSM values across services.
+   */
+  static buildParameterName(scope, props) {
+    const stack = OpenHiService.of(scope);
+    return "/" + [
+      _DiscoverableStringParameter.version,
+      props.branchHash ?? stack.branchHash,
+      props.serviceType ?? stack.serviceType,
+      props.account ?? stack.account,
+      props.region ?? stack.region,
+      props.ssmParamName
+    ].join("/").toUpperCase();
+  }
+  /**
+   * Read the string value of an SSM parameter created with DiscoverableStringParameter,
+   * using props that include ssmParamName and optional overrides (e.g. serviceType).
+   */
+  static valueForLookupName(scope, props) {
+    const paramName = _DiscoverableStringParameter.buildParameterName(
+      scope,
+      props
+    );
+    return StringParameter2.valueForStringParameter(scope, paramName);
+  }
+  constructor(scope, id, props) {
+    const { ssmParamName, branchHash, serviceType, account, region, ...rest } = props;
+    const parameterName = _DiscoverableStringParameter.buildParameterName(
+      scope,
+      props
+    );
+    super(scope, id + "-" + _DiscoverableStringParameter.version, {
+      ...rest,
+      parameterName
+    });
+    const { appName } = OpenHiService.of(scope);
+    Tags2.of(this).add(`${appName}:param-name`, ssmParamName);
+  }
+};
+/**
+ * Version of the parameter name format / discoverability schema.
+ * Bump when buildParameterName or tagging semantics change.
+ * Also used to drive replacement of parameters during CloudFormation deploys.
+ */
+_DiscoverableStringParameter.version = "v1";
+var DiscoverableStringParameter = _DiscoverableStringParameter;
+
+// src/components/app-sync/root-graphql-api.ts
+var _RootGraphqlApi = class _RootGraphqlApi extends GraphqlApi {
+  static fromConstruct(scope) {
+    const graphqlApiId = DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: _RootGraphqlApi.SSM_PARAM_NAME,
+      serviceType: "graphql-api"
+    });
+    return GraphqlApi.fromGraphqlApiAttributes(scope, "root-graphql-api", {
+      graphqlApiId
+    });
+  }
+  constructor(scope, props) {
+    const stack = OpenHiService.of(scope);
+    const schema = new CodeFirstSchema();
+    schema.addType(
+      new ObjectType("Query", {
+        definition: { HelloWorld: GraphqlType.string() }
+      })
+    );
+    super(scope, "root-graphql-api", {
+      /**
+       * Defaults
+       */
+      queryDepthLimit: 2,
+      resolverCountLimit: 50,
+      definition: Definition.fromSchema(schema),
+      /**
+       * Overrideable props
+       */
+      ...props,
+      /**
+       * Required
+       */
+      name: ["root", "graphql", "api", stack.branchHash].join("-")
+    });
+    new DiscoverableStringParameter(this, "graphql-api-param", {
+      ssmParamName: _RootGraphqlApi.SSM_PARAM_NAME,
+      serviceType: "graphql-api",
+      stringValue: this.apiId
+    });
+  }
+};
+/**
+ * Used when storing the GraphQl API ID in SSM.
+ */
+_RootGraphqlApi.SSM_PARAM_NAME = "ROOT_GRAPHQL_API";
+var RootGraphqlApi = _RootGraphqlApi;
+
+// src/components/cognito/cognito-user-pool.ts
+import {
+  UserPool,
+  VerificationEmailStyle
+} from "aws-cdk-lib/aws-cognito";
+var CognitoUserPool = class extends UserPool {
+  constructor(scope, props = {}) {
+    const service = OpenHiService.of(scope);
+    super(scope, "user-pool", {
+      /**
+       * Defaults
+       */
+      selfSignUpEnabled: true,
+      signInAliases: {
+        email: true
+      },
+      userVerification: {
+        emailSubject: "Verify your email!",
+        emailBody: "Your verification code is {####}.",
+        emailStyle: VerificationEmailStyle.CODE
+      },
+      removalPolicy: props.removalPolicy ?? service.removalPolicy,
+      /**
+       * Over-rideable props
+       */
+      ...props,
+      /**
+       * Required
+       */
+      userPoolName: ["cognito", "user", "pool", service.branchHash].join("-")
+    });
+  }
+};
+/**
+ * Used when storing the User Pool ID in SSM.
+ */
+CognitoUserPool.SSM_PARAM_NAME = "COGNITO_USER_POOL";
+
+// src/components/cognito/cognito-user-pool-client.ts
+import { UserPoolClient } from "aws-cdk-lib/aws-cognito";
+var CognitoUserPoolClient = class extends UserPoolClient {
+  constructor(scope, props) {
+    super(scope, "user-pool-client", {
+      /**
+       * Defaults
+       */
+      generateSecret: false,
+      oAuth: {
+        flows: {
+          authorizationCodeGrant: true,
+          implicitCodeGrant: true
+        },
+        callbackUrls: [`https://localhost:3000/oauth/callback`]
+      },
+      /**
+       * Overrideable props
+       */
+      ...props
+    });
+  }
+};
+/**
+ * Used when storing the User Pool Client ID in SSM.
+ */
+CognitoUserPoolClient.SSM_PARAM_NAME = "COGNITO_USER_POOL_CLIENT";
+
+// src/components/cognito/cognito-user-pool-domain.ts
+import { UserPoolDomain } from "aws-cdk-lib/aws-cognito";
+var CognitoUserPoolDomain = class extends UserPoolDomain {
+  constructor(scope, props) {
+    const id = props.cognitoDomain?.domainPrefix ? "cognito-domain" : "custom-domain";
+    super(scope, id, {
+      ...props
+    });
+  }
+};
+/**
+ * Used when storing the User Pool Domain in SSM.
+ */
+CognitoUserPoolDomain.SSM_PARAM_NAME = "COGNITO_USER_POOL_DOMAIN";
+
+// src/components/cognito/cognito-user-pool-kms-key.ts
+import { Key } from "aws-cdk-lib/aws-kms";
+var CognitoUserPoolKmsKey = class extends Key {
+  constructor(scope, props = {}) {
+    const service = OpenHiService.of(scope);
+    super(scope, "kms-key", {
+      ...props,
+      // alias: ["alias", "cognito", service.branchHash].join("/"),
+      description: `KMS Key for Cognito User Pool - ${service.branchHash}`,
+      removalPolicy: props.removalPolicy ?? service.removalPolicy
+    });
+  }
+};
+/**
+ * Used when storing the KMS Key in SSM.
+ */
+CognitoUserPoolKmsKey.SSM_PARAM_NAME = "COGNITO_USER_POOL_KMS_KEY";
+
+// src/components/dynamodb/dynamo-db-data-store.ts
+import {
+  AttributeType,
+  BillingMode,
+  ProjectionType,
+  Table
+} from "aws-cdk-lib/aws-dynamodb";
+function getDynamoDbDataStoreTableName(scope) {
+  const stack = OpenHiService.of(scope);
+  return `data-store-${stack.branchHash}`;
+}
+var DynamoDbDataStore = class extends Table {
+  constructor(scope, id, props = {}) {
+    const service = OpenHiService.of(scope);
+    super(scope, id, {
+      ...props,
+      tableName: getDynamoDbDataStoreTableName(scope),
+      partitionKey: {
+        name: "PK",
+        type: AttributeType.STRING
+      },
+      sortKey: {
+        name: "SK",
+        type: AttributeType.STRING
+      },
+      billingMode: BillingMode.PAY_PER_REQUEST,
+      removalPolicy: props.removalPolicy ?? service.removalPolicy
+    });
+    this.addGlobalSecondaryIndex({
+      indexName: "GSI1",
+      partitionKey: {
+        name: "GSI1PK",
+        type: AttributeType.STRING
+      },
+      sortKey: {
+        name: "GSI1SK",
+        type: AttributeType.STRING
+      },
+      projectionType: ProjectionType.INCLUDE,
+      nonKeyAttributes: ["srcType", "srcId", "path", "srcPk", "srcSk", "ts"]
+    });
+    this.addGlobalSecondaryIndex({
+      indexName: "GSI2",
+      partitionKey: {
+        name: "GSI2PK",
+        type: AttributeType.STRING
+      },
+      sortKey: {
+        name: "GSI2SK",
+        type: AttributeType.STRING
+      },
+      projectionType: ProjectionType.INCLUDE,
+      nonKeyAttributes: ["resourcePk", "resourceSk", "display", "status"]
+    });
+    this.addGlobalSecondaryIndex({
+      indexName: "GSI3",
+      partitionKey: {
+        name: "GSI3PK",
+        type: AttributeType.STRING
+      },
+      sortKey: {
+        name: "GSI3SK",
+        type: AttributeType.STRING
+      },
+      projectionType: ProjectionType.INCLUDE,
+      nonKeyAttributes: ["resourcePk", "resourceSk"]
+    });
+    this.addGlobalSecondaryIndex({
+      indexName: "GSI4",
+      partitionKey: {
+        name: "GSI4PK",
+        type: AttributeType.STRING
+      },
+      sortKey: {
+        name: "GSI4SK",
+        type: AttributeType.STRING
+      },
+      projectionType: ProjectionType.ALL
+    });
+  }
+};
+
+// src/components/event-bridge/data-event-bus.ts
+import { EventBus } from "aws-cdk-lib/aws-events";
+var DataEventBus = class _DataEventBus extends EventBus {
+  /*****************************************************************************
+   *
+   * Return a name for this EventBus based on the stack environment hash. This
+   * name is common across all stacks since it's using the environment hash in
+   * it's name.
+   *
+   ****************************************************************************/
+  static getEventBusName(scope) {
+    const stack = OpenHiService.of(scope);
+    return `data${stack.branchHash}`;
+  }
+  constructor(scope, props) {
+    super(scope, "data-event-bus", {
+      ...props,
+      eventBusName: _DataEventBus.getEventBusName(scope)
+    });
+  }
+};
+
+// src/components/event-bridge/ops-event-bus.ts
+import { EventBus as EventBus2 } from "aws-cdk-lib/aws-events";
+var OpsEventBus = class _OpsEventBus extends EventBus2 {
+  /*****************************************************************************
+   *
+   * Return a name for this EventBus based on the stack environment hash. This
+   * name is common across all stacks since it's using the environment hash in
+   * it's name.
+   *
+   ****************************************************************************/
+  static getEventBusName(scope) {
+    const stack = OpenHiService.of(scope);
+    return `ops${stack.branchHash}`;
+  }
+  constructor(scope, props) {
+    super(scope, "ops-event-bus", {
+      ...props,
+      eventBusName: _OpsEventBus.getEventBusName(scope)
+    });
+  }
+};
+
+// src/components/route-53/child-hosted-zone.ts
+import { Duration } from "aws-cdk-lib";
+import {
+  HostedZone,
+  NsRecord
+} from "aws-cdk-lib/aws-route53";
+var ChildHostedZone = class extends HostedZone {
+  constructor(scope, id, props) {
+    super(scope, id, { ...props });
+    new NsRecord(this, "child-ns-record", {
+      zone: props.parentHostedZone,
+      recordName: this.zoneName,
+      values: this.hostedZoneNameServers || [],
+      ttl: Duration.minutes(5)
+    });
+  }
+};
+/**
+ * Used when storing the child zone ID in SSM. Use {@link OpenHiGlobalService.childHostedZoneFromConstruct} to look up.
+ */
+ChildHostedZone.SSM_PARAM_NAME = "CHILDHOSTEDZONE";
+
+// src/components/route-53/root-hosted-zone.ts
+import { Construct } from "constructs";
+var RootHostedZone = class extends Construct {
+};
+
+// src/services/open-hi-auth-service.ts
+import {
+  UserPool as UserPool2,
+  UserPoolClient as UserPoolClient2,
+  UserPoolDomain as UserPoolDomain2
+} from "aws-cdk-lib/aws-cognito";
+import { Key as Key2 } from "aws-cdk-lib/aws-kms";
+var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
+  constructor(ohEnv, props = {}) {
+    super(ohEnv, _OpenHiAuthService.SERVICE_TYPE, props);
+    this.props = props;
+    this.userPoolKmsKey = this.createUserPoolKmsKey();
+    this.userPool = this.createUserPool();
+    this.userPoolClient = this.createUserPoolClient();
+    this.userPoolDomain = this.createUserPoolDomain();
+  }
+  /**
+   * Returns an IUserPool by looking up the Auth stack's User Pool ID from SSM.
+   */
+  static userPoolFromConstruct(scope) {
+    const userPoolId = DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: CognitoUserPool.SSM_PARAM_NAME,
+      serviceType: _OpenHiAuthService.SERVICE_TYPE
+    });
+    return UserPool2.fromUserPoolId(scope, "user-pool", userPoolId);
+  }
+  /**
+   * Returns an IUserPoolClient by looking up the Auth stack's User Pool Client ID from SSM.
+   */
+  static userPoolClientFromConstruct(scope) {
+    const userPoolClientId = DiscoverableStringParameter.valueForLookupName(
+      scope,
+      {
+        ssmParamName: CognitoUserPoolClient.SSM_PARAM_NAME,
+        serviceType: _OpenHiAuthService.SERVICE_TYPE
+      }
+    );
+    return UserPoolClient2.fromUserPoolClientId(
+      scope,
+      "user-pool-client",
+      userPoolClientId
+    );
+  }
+  /**
+   * Returns an IUserPoolDomain by looking up the Auth stack's User Pool Domain from SSM.
+   */
+  static userPoolDomainFromConstruct(scope) {
+    const domainName = DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: CognitoUserPoolDomain.SSM_PARAM_NAME,
+      serviceType: _OpenHiAuthService.SERVICE_TYPE
+    });
+    return UserPoolDomain2.fromDomainName(scope, "user-pool-domain", domainName);
+  }
+  /**
+   * Returns an IKey (KMS) by looking up the Auth stack's User Pool KMS Key ARN from SSM.
+   */
+  static userPoolKmsKeyFromConstruct(scope) {
+    const keyArn = DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: CognitoUserPoolKmsKey.SSM_PARAM_NAME,
+      serviceType: _OpenHiAuthService.SERVICE_TYPE
+    });
+    return Key2.fromKeyArn(scope, "kms-key", keyArn);
+  }
+  get serviceType() {
+    return _OpenHiAuthService.SERVICE_TYPE;
+  }
+  /**
+   * Creates the KMS key for the Cognito User Pool and exports its ARN to SSM.
+   * Look up via {@link OpenHiAuthService.userPoolKmsKeyFromConstruct}.
+   * Override to customize.
+   */
+  createUserPoolKmsKey() {
+    const key = new CognitoUserPoolKmsKey(this);
+    new DiscoverableStringParameter(this, "kms-key-param", {
+      ssmParamName: CognitoUserPoolKmsKey.SSM_PARAM_NAME,
+      stringValue: key.keyArn,
+      description: "KMS key ARN for Cognito User Pool (e.g. custom sender); cross-stack reference"
+    });
+    return key;
+  }
+  /**
+   * Creates the Cognito User Pool and exports its ID to SSM.
+   * Look up via {@link OpenHiAuthService.userPoolFromConstruct}.
+   * Override to customize.
+   */
+  createUserPool() {
+    const userPool = new CognitoUserPool(this, {
+      ...this.props.userPoolProps,
+      customSenderKmsKey: this.userPoolKmsKey
+    });
+    new DiscoverableStringParameter(this, "user-pool-param", {
+      ssmParamName: CognitoUserPool.SSM_PARAM_NAME,
+      stringValue: userPool.userPoolId,
+      description: "Cognito User Pool ID for this Auth stack; cross-stack reference"
+    });
+    return userPool;
+  }
+  /**
+   * Creates the User Pool Client and exports its ID to SSM (AUTH service type).
+   * Look up via {@link OpenHiAuthService.userPoolClientFromConstruct}.
+   * Override to customize.
+   */
+  createUserPoolClient() {
+    const client = new CognitoUserPoolClient(this, {
+      userPool: this.userPool
+    });
+    new DiscoverableStringParameter(this, "user-pool-client-param", {
+      ssmParamName: CognitoUserPoolClient.SSM_PARAM_NAME,
+      stringValue: client.userPoolClientId,
+      description: "Cognito User Pool Client ID for this Auth stack; cross-stack reference"
+    });
+    return client;
+  }
+  /**
+   * Creates the User Pool Domain (Cognito hosted UI) and exports domain name to SSM.
+   * Look up via {@link OpenHiAuthService.userPoolDomainFromConstruct}.
+   * Override to customize.
+   */
+  createUserPoolDomain() {
+    const domain = new CognitoUserPoolDomain(this, {
+      userPool: this.userPool,
+      cognitoDomain: {
+        domainPrefix: `auth-${this.branchHash}`
+      }
+    });
+    new DiscoverableStringParameter(this, "user-pool-domain-param", {
+      ssmParamName: CognitoUserPoolDomain.SSM_PARAM_NAME,
+      stringValue: domain.domainName,
+      description: "Cognito User Pool Domain (hosted UI) for this Auth stack; cross-stack reference"
+    });
+    return domain;
+  }
+};
+_OpenHiAuthService.SERVICE_TYPE = "auth";
+var OpenHiAuthService = _OpenHiAuthService;
+
+// src/services/open-hi-global-service.ts
+import {
+  Certificate as Certificate2,
+  CertificateValidation
+} from "aws-cdk-lib/aws-certificatemanager";
+import {
+  HostedZone as HostedZone2
+} from "aws-cdk-lib/aws-route53";
+import { StringParameter as StringParameter3 } from "aws-cdk-lib/aws-ssm";
+var _OpenHiGlobalService = class _OpenHiGlobalService extends OpenHiService {
+  /**
+   * Returns an IHostedZone from the given attributes (no SSM). Use when the zone is imported from config.
+   */
+  static rootHostedZoneFromConstruct(scope, props) {
+    return HostedZone2.fromHostedZoneAttributes(scope, "root-zone", props);
+  }
+  /**
+   * Returns an ICertificate by looking up the Global stack's wildcard cert ARN from SSM.
+   */
+  static rootWildcardCertificateFromConstruct(scope) {
+    const certificateArn = StringParameter3.valueForStringParameter(
+      scope,
+      RootWildcardCertificate.ssmParameterName()
+    );
+    return Certificate2.fromCertificateArn(
+      scope,
+      "wildcard-certificate",
+      certificateArn
+    );
+  }
+  /**
+   * Returns an IHostedZone by looking up the child hosted zone ID from SSM. Defaults to GLOBAL service type.
+   */
+  static childHostedZoneFromConstruct(scope, props) {
+    const hostedZoneId = DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: ChildHostedZone.SSM_PARAM_NAME,
+      serviceType: props.serviceType ?? _OpenHiGlobalService.SERVICE_TYPE
+    });
+    return HostedZone2.fromHostedZoneAttributes(scope, "child-zone", {
+      hostedZoneId,
+      zoneName: props.zoneName
+    });
+  }
+  get serviceType() {
+    return _OpenHiGlobalService.SERVICE_TYPE;
+  }
+  constructor(ohEnv, props = {}) {
+    super(ohEnv, _OpenHiGlobalService.SERVICE_TYPE, props);
+    this.validateConfig(props);
+    this.rootHostedZone = this.createRootHostedZone();
+    this.childHostedZone = this.createChildHostedZone();
+    this.rootWildcardCertificate = this.createRootWildcardCertificate();
+  }
+  /**
+   * Validates that config required for the Global stack is present.
+   */
+  validateConfig(props) {
+    const { config } = props;
+    if (!config) {
+      throw new Error("Config is required");
+    }
+    if (!config.zoneName) {
+      throw new Error("Zone name is required to import the root zone");
+    }
+    if (!config.hostedZoneId) {
+      throw new Error("Hosted zone ID is required to import the root zone");
+    }
+  }
+  /**
+   * Creates the root hosted zone (imported via attributes from config).
+   * Override to customize or create the zone.
+   */
+  createRootHostedZone() {
+    return _OpenHiGlobalService.rootHostedZoneFromConstruct(this, {
+      zoneName: this.config.zoneName,
+      hostedZoneId: this.config.hostedZoneId
+    });
+  }
+  /**
+   * Creates the optional child hosted zone (e.g. branch subdomain).
+   * Override to create a child zone when config provides childHostedZoneAttributes.
+   * If you create a ChildHostedZone, also create a DiscoverableStringParameter
+   * with ChildHostedZone.SSM_PARAM_NAME and the zone's hostedZoneId.
+   */
+  createChildHostedZone() {
+    return void 0;
+  }
+  /**
+   * Creates the root wildcard certificate. On main branch, creates a new cert
+   * with DNS validation; otherwise imports from SSM.
+   * Override to customize certificate creation.
+   */
+  createRootWildcardCertificate() {
+    if (this.branchName === "main") {
+      return new RootWildcardCertificate(this, {
+        domainName: `*.${this.rootHostedZone.zoneName}`,
+        subjectAlternativeNames: [this.rootHostedZone.zoneName],
+        validation: CertificateValidation.fromDns(this.rootHostedZone)
+      });
+    }
+    return _OpenHiGlobalService.rootWildcardCertificateFromConstruct(this);
+  }
+};
+_OpenHiGlobalService.SERVICE_TYPE = "global";
+var OpenHiGlobalService = _OpenHiGlobalService;
+
+// src/services/open-hi-rest-api-service.ts
+import {
+  DomainName,
+  HttpApi as HttpApi2,
+  HttpMethod,
+  HttpRoute,
+  HttpRouteKey
+} from "aws-cdk-lib/aws-apigatewayv2";
+import { HttpLambdaIntegration } from "aws-cdk-lib/aws-apigatewayv2-integrations";
+import {
+  ARecord,
+  HostedZone as HostedZone3,
+  RecordTarget
+} from "aws-cdk-lib/aws-route53";
+import { ApiGatewayv2DomainProperties } from "aws-cdk-lib/aws-route53-targets";
+
+// src/services/open-hi-data-service.ts
+import { Table as Table2 } from "aws-cdk-lib/aws-dynamodb";
+import { EventBus as EventBus3 } from "aws-cdk-lib/aws-events";
+var _OpenHiDataService = class _OpenHiDataService extends OpenHiService {
+  /**
+   * Returns the data event bus by name (deterministic per branch). Use from other stacks to obtain an IEventBus reference.
+   */
+  static dataEventBusFromConstruct(scope) {
+    return EventBus3.fromEventBusName(
+      scope,
+      "data-event-bus",
+      DataEventBus.getEventBusName(scope)
+    );
+  }
+  /**
+   * Returns the ops event bus by name (deterministic per branch). Use from other stacks to obtain an IEventBus reference.
+   */
+  static opsEventBusFromConstruct(scope) {
+    return EventBus3.fromEventBusName(
+      scope,
+      "ops-event-bus",
+      OpsEventBus.getEventBusName(scope)
+    );
+  }
+  /**
+   * Returns the data store table by name. Use from other stacks (e.g. REST API Lambda) to obtain an ITable reference.
+   */
+  static dynamoDbDataStoreFromConstruct(scope, id = "dynamo-db-data-store") {
+    return Table2.fromTableName(scope, id, getDynamoDbDataStoreTableName(scope));
+  }
+  get serviceType() {
+    return _OpenHiDataService.SERVICE_TYPE;
+  }
+  constructor(ohEnv, props = {}) {
+    super(ohEnv, _OpenHiDataService.SERVICE_TYPE, props);
+    this.dataEventBus = this.createDataEventBus();
+    this.opsEventBus = this.createOpsEventBus();
+    this.dataStore = this.createDataStore();
+  }
+  /**
+   * Creates the data event bus.
+   * Override to customize.
+   */
+  createDataEventBus() {
+    return new DataEventBus(this);
+  }
+  /**
+   * Creates the ops event bus.
+   * Override to customize.
+   */
+  createOpsEventBus() {
+    return new OpsEventBus(this);
+  }
+  /**
+   * Creates the single-table DynamoDB data store.
+   * Override to customize.
+   */
+  createDataStore() {
+    return new DynamoDbDataStore(this, "dynamo-db-data-store");
+  }
+};
+_OpenHiDataService.SERVICE_TYPE = "data";
+var OpenHiDataService = _OpenHiDataService;
+
+// src/data/lambda/rest-api-lambda.ts
+import path from "path";
+import { Runtime } from "aws-cdk-lib/aws-lambda";
+import { NodejsFunction } from "aws-cdk-lib/aws-lambda-nodejs";
+import { Construct as Construct2 } from "constructs";
+var RestApiLambda = class extends Construct2 {
+  constructor(scope, props) {
+    super(scope, "rest-api-lambda");
+    this.lambda = new NodejsFunction(this, "handler", {
+      entry: path.join(__dirname, "rest-api-lambda.handler.js"),
+      runtime: Runtime.NODEJS_LATEST,
+      environment: {
+        DYNAMO_TABLE_NAME: props.dynamoTableName
+      }
+    });
+  }
+};
+
+// src/services/open-hi-rest-api-service.ts
+var REST_API_BASE_URL_SSM_NAME = "REST_API_BASE_URL";
+var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
+  /**
+   * Returns an IHttpApi by looking up the REST API stack's HTTP API ID from SSM.
+   */
+  static rootHttpApiFromConstruct(scope) {
+    const httpApiId = DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: RootHttpApi.SSM_PARAM_NAME,
+      serviceType: _OpenHiRestApiService.SERVICE_TYPE
+    });
+    return HttpApi2.fromHttpApiAttributes(scope, "http-api", { httpApiId });
+  }
+  /**
+   * Returns the REST API base URL (e.g. https://api.example.com) by looking it up from SSM.
+   * Use in other stacks for E2E, scripts, or config.
+   */
+  static restApiBaseUrlFromConstruct(scope) {
+    return DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: REST_API_BASE_URL_SSM_NAME,
+      serviceType: _OpenHiRestApiService.SERVICE_TYPE
+    });
+  }
+  get serviceType() {
+    return _OpenHiRestApiService.SERVICE_TYPE;
+  }
+  constructor(ohEnv, props = {}) {
+    super(ohEnv, _OpenHiRestApiService.SERVICE_TYPE, props);
+    this.validateConfig(props);
+    const hostedZone = this.createHostedZone();
+    const certificate = this.createCertificate();
+    const apiDomainName = this.createApiDomainNameString(hostedZone);
+    this.createRestApiBaseUrlParameter(apiDomainName);
+    const domainName = this.createDomainName(hostedZone, certificate);
+    this.rootHttpApi = this.createRootHttpApi(domainName);
+    this.createRestApiLambdaAndRoutes(hostedZone, domainName);
+  }
+  /**
+   * Validates that config required for the REST API stack is present.
+   */
+  validateConfig(props) {
+    const { config } = props;
+    if (!config) {
+      throw new Error("Config is required");
+    }
+    if (!config.hostedZoneId) {
+      throw new Error("Hosted zone ID is required");
+    }
+    if (!config.zoneName) {
+      throw new Error("Zone name is required");
+    }
+  }
+  /**
+   * Creates the hosted zone reference (imported from config).
+   * Override to customize.
+   */
+  createHostedZone() {
+    const { config } = this.props;
+    return HostedZone3.fromHostedZoneAttributes(this, "root-zone", {
+      hostedZoneId: config.hostedZoneId,
+      zoneName: config.zoneName
+    });
+  }
+  /**
+   * Creates the wildcard certificate (imported from Global stack via SSM).
+   * Override to customize.
+   */
+  createCertificate() {
+    return OpenHiGlobalService.rootWildcardCertificateFromConstruct(this);
+  }
+  /**
+   * Returns the API domain name string (e.g. api.example.com or api-{prefix}.example.com).
+   * Override to customize.
+   */
+  createApiDomainNameString(hostedZone) {
+    const apiPrefix = this.branchName === "main" ? `api` : `api-${this.childZonePrefix}`;
+    return [apiPrefix, hostedZone.zoneName].join(".");
+  }
+  /**
+   * Creates the SSM parameter for the REST API base URL.
+   * Look up via {@link OpenHiRestApiService.restApiBaseUrlFromConstruct}.
+   * Override to customize.
+   */
+  createRestApiBaseUrlParameter(apiDomainName) {
+    const restApiBaseUrl = `https://${apiDomainName}`;
+    new DiscoverableStringParameter(this, "rest-api-base-url-param", {
+      ssmParamName: REST_API_BASE_URL_SSM_NAME,
+      stringValue: restApiBaseUrl,
+      description: "REST API base URL for this deployment (E2E, scripts)"
+    });
+  }
+  /**
+   * Creates the API Gateway custom domain name resource.
+   * Override to customize.
+   */
+  createDomainName(_hostedZone, certificate) {
+    const apiDomainName = this.createApiDomainNameString(_hostedZone);
+    return new DomainName(this, "domain", {
+      domainName: apiDomainName,
+      certificate
+    });
+  }
+  /**
+   * Creates the Lambda integration, HTTP routes, and API DNS record.
+   * Override to customize. Uses {@link rootHttpApi} set by the constructor.
+   */
+  createRestApiLambdaAndRoutes(hostedZone, domainName) {
+    const dataStoreTable = OpenHiDataService.dynamoDbDataStoreFromConstruct(this);
+    const { lambda } = new RestApiLambda(this, {
+      dynamoTableName: dataStoreTable.tableName
+    });
+    dataStoreTable.grant(
+      lambda,
+      "dynamodb:GetItem",
+      "dynamodb:Query",
+      "dynamodb:BatchGetItem",
+      "dynamodb:ConditionCheckItem",
+      "dynamodb:DescribeTable",
+      "dynamodb:BatchWriteItem",
+      "dynamodb:PutItem",
+      "dynamodb:UpdateItem",
+      "dynamodb:DeleteItem"
+    );
+    const integration = new HttpLambdaIntegration("lambda-integration", lambda);
+    new HttpRoute(this, "proxy-route-root", {
+      httpApi: this.rootHttpApi,
+      routeKey: HttpRouteKey.with("/", HttpMethod.ANY),
+      integration
+    });
+    new HttpRoute(this, "proxy-route", {
+      httpApi: this.rootHttpApi,
+      routeKey: HttpRouteKey.with("/{proxy+}", HttpMethod.ANY),
+      integration
+    });
+    const apiPrefix = this.branchName === "main" ? `api` : `api-${this.childZonePrefix}`;
+    new ARecord(this, "api-a-record", {
+      zone: hostedZone,
+      recordName: apiPrefix,
+      target: RecordTarget.fromAlias(
+        new ApiGatewayv2DomainProperties(
+          domainName.regionalDomainName,
+          domainName.regionalHostedZoneId
+        )
+      )
+    });
+  }
+  /**
+   * Creates the Root HTTP API with default domain mapping and exports API ID to SSM.
+   * Look up via {@link OpenHiRestApiService.rootHttpApiFromConstruct}.
+   * Override to customize.
+   */
+  createRootHttpApi(domainName) {
+    const rootHttpApi = new RootHttpApi(this, {
+      defaultDomainMapping: {
+        domainName,
+        mappingKey: void 0
+      }
+    });
+    new DiscoverableStringParameter(this, "http-api-url-param", {
+      ssmParamName: RootHttpApi.SSM_PARAM_NAME,
+      stringValue: rootHttpApi.httpApiId,
+      description: "API Gateway HTTP API ID for this REST API stack (cross-stack reference)"
+    });
+    return rootHttpApi;
+  }
+};
+_OpenHiRestApiService.SERVICE_TYPE = "rest-api";
+var OpenHiRestApiService = _OpenHiRestApiService;
+export {
+  ChildHostedZone,
+  CognitoUserPool,
+  CognitoUserPoolClient,
+  CognitoUserPoolDomain,
+  CognitoUserPoolKmsKey,
+  DataEventBus,
+  DiscoverableStringParameter,
+  DynamoDbDataStore,
+  OpenHiApp,
+  OpenHiAuthService,
+  OpenHiDataService,
+  OpenHiEnvironment,
+  OpenHiGlobalService,
+  OpenHiRestApiService,
+  OpenHiService,
+  OpenHiStage,
+  OpsEventBus,
+  REST_API_BASE_URL_SSM_NAME,
+  RootGraphqlApi,
+  RootHostedZone,
+  RootHttpApi,
+  RootWildcardCertificate,
+  getDynamoDbDataStoreTableName
+};
+//# sourceMappingURL=index.mjs.map