@openhi/constructs 0.0.1 → 0.0.2

package/lib/index.mjs

@@ -278,37 +278,7 @@ import {
 } from "@codedrifters/utils";
 import { RemovalPolicy, Stack, Tags } from "aws-cdk-lib";
 import { paramCase } from "change-case";
-var OPEN_HI_SERVICE_TYPE = {
-  /**
-   * Authentication service.
-   *   *
-   * Only one instance of the auth service should exist per environment.
-   */
-  AUTH: "auth",
-  /**
-   * Root shared core services.
-   *
-   * Only one instance of the core service should exist per environment.
-   */
-  CORE: "core",
-  /**
-   * Rest API service.
-   */
-  REST_API: "rest-api",
-  /**
-   * Global Infrastructure stack (Route53, ACM).
-   */
-  GLOBAL: "global",
-  /**
-   * Data service (DynamoDB, S3, persistence).
-   */
-  DATA: "data"
-};
 var OpenHiService = class extends Stack {
-  /**
-   * Core construct containing shared infrastructure.
-   */
-  // public core: Core;
   /**
    * Creates a new OpenHI service stack.
    *
@@ -354,16 +324,6 @@ var OpenHiService = class extends Stack {
     const removalPolicy = props.removalPolicy ?? (ohEnv.ohStage.stageType === import_config3.OPEN_HI_STAGE.PROD ? RemovalPolicy.RETAIN : RemovalPolicy.DESTROY);
     Object.assign(props, { removalPolicy });
     const description = `OpenHi Service: ${id} [${branchName}] - ${branchHash}`;
-    const hostedZoneId = ohEnv.props.config.hostedZoneId;
-    const zoneName = ohEnv.props.config.zoneName;
-    if (hostedZoneId && zoneName) {
-      props = {
-        ...props,
-        coreProps: {
-          ...props.coreProps
-        }
-      };
-    }
     super(ohEnv, [branchHash, id, account, region].join("-"), {
       ...props,
       description
@@ -373,7 +333,6 @@ var OpenHiService = class extends Stack {
     this.serviceId = id;
     this.removalPolicy = removalPolicy;
     this.config = props.config ?? ohEnv.props.config;
-    this.serviceType = props.serviceType ?? id;
     this.deploymentTargetRole = ohEnv.deploymentTargetRole;
     this.repoName = repoName;
     this.appName = appName;
@@ -384,26 +343,12 @@ var OpenHiService = class extends Stack {
     this.stackHash = stackHash;
     Tags.of(this).add(`${appName}:repo-name`, repoName.slice(0, 255));
     Tags.of(this).add(`${appName}:branch-name`, branchName.slice(0, 255));
-    Tags.of(this).add(
-      `${appName}:service-type`,
-      this.serviceType.slice(0, 255)
-    );
+    Tags.of(this).add(`${appName}:service-type`, id.slice(0, 255));
     Tags.of(this).add(
       `${appName}:stage-type`,
       ohEnv.ohStage.stageType.slice(0, 255)
     );
   }
-  /**
-   * Creates or returns the core construct for shared infrastructure.
-   */
-  /*
-  protected createCore(props: OpenHiServiceProps = {}): Core {
-    if (!this.core) {
-      return new Core(this, props.coreProps);
-    }
-    return this.core;
-  }
-  */
   /**
    * DNS prefix for this branche's child zone.
    */
@@ -412,12 +357,68 @@ var OpenHiService = class extends Stack {
   }
 };
 
+// src/components/acm/root-wildcard-certificate.ts
+import {
+  Certificate
+} from "aws-cdk-lib/aws-certificatemanager";
+import { StringParameter } from "aws-cdk-lib/aws-ssm";
+var _RootWildcardCertificate = class _RootWildcardCertificate extends Certificate {
+  /**
+   * Using a special name here since this will be shared and used among many
+   * stacks and services. Use with OpenHiGlobalService.rootWildcardCertificateFromConstruct.
+   */
+  static ssmParameterName() {
+    return "/" + ["GLOBAL", _RootWildcardCertificate.SSM_PARAM_NAME].join("/").toUpperCase();
+  }
+  constructor(scope, props) {
+    super(scope, "root-wildcard-certificate", { ...props });
+    new StringParameter(this, "wildcard-cert-param", {
+      parameterName: _RootWildcardCertificate.ssmParameterName(),
+      stringValue: this.certificateArn
+    });
+  }
+};
+/**
+ * Used when storing the Certificate ARN in SSM.
+ */
+_RootWildcardCertificate.SSM_PARAM_NAME = "ROOT_WILDCARD_CERT_ARN";
+var RootWildcardCertificate = _RootWildcardCertificate;
+
+// src/components/api-gateway/root-http-api.ts
+import { HttpApi } from "aws-cdk-lib/aws-apigatewayv2";
+var RootHttpApi = class extends HttpApi {
+  constructor(scope, props = {}) {
+    const stack = OpenHiService.of(scope);
+    super(scope, "http-api", {
+      /**
+       * User provided props
+       */
+      ...props,
+      /**
+       * Required
+       */
+      apiName: ["root", "http", "api", stack.branchHash].join("-")
+    });
+  }
+};
+/**
+ * Used when storing the API ID in SSM.
+ */
+RootHttpApi.SSM_PARAM_NAME = "ROOT_HTTP_API";
+
+// src/components/app-sync/root-graphql-api.ts
+import {
+  Definition,
+  GraphqlApi
+} from "aws-cdk-lib/aws-appsync";
+import { CodeFirstSchema, GraphqlType, ObjectType } from "awscdk-appsync-utils";
+
 // src/components/ssm/discoverable-string-parameter.ts
 import { Tags as Tags2 } from "aws-cdk-lib";
 import {
-  StringParameter
+  StringParameter as StringParameter2
 } from "aws-cdk-lib/aws-ssm";
-var DiscoverableStringParameter = class _DiscoverableStringParameter extends StringParameter {
+var _DiscoverableStringParameter = class _DiscoverableStringParameter extends StringParameter2 {
   /**
    * Build a param name based on predictable attributes found in services and
    * constructs. Used for storage and retrieval of SSM values across services.
@@ -425,6 +426,7 @@ var DiscoverableStringParameter = class _DiscoverableStringParameter extends Str
   static buildParameterName(scope, props) {
     const stack = OpenHiService.of(scope);
     return "/" + [
+      _DiscoverableStringParameter.version,
       props.branchHash ?? stack.branchHash,
       props.serviceType ?? stack.serviceType,
       props.account ?? stack.account,
@@ -441,7 +443,7 @@ var DiscoverableStringParameter = class _DiscoverableStringParameter extends Str
       scope,
       props
     );
-    return StringParameter.valueForStringParameter(scope, paramName);
+    return StringParameter2.valueForStringParameter(scope, paramName);
   }
   constructor(scope, id, props) {
     const { ssmParamName, branchHash, serviceType, account, region, ...rest } = props;
@@ -449,7 +451,7 @@ var DiscoverableStringParameter = class _DiscoverableStringParameter extends Str
       scope,
       props
     );
-    super(scope, id, {
+    super(scope, id + "-" + _DiscoverableStringParameter.version, {
       ...rest,
       parameterName
     });
@@ -457,42 +459,68 @@ var DiscoverableStringParameter = class _DiscoverableStringParameter extends Str
     Tags2.of(this).add(`${appName}:param-name`, ssmParamName);
   }
 };
+/**
+ * Version of the parameter name format / discoverability schema.
+ * Bump when buildParameterName or tagging semantics change.
+ * Also used to drive replacement of parameters during CloudFormation deploys.
+ */
+_DiscoverableStringParameter.version = "v1";
+var DiscoverableStringParameter = _DiscoverableStringParameter;
 
-// src/services/open-hi-core-service.ts
-import { Code, Function, Runtime } from "aws-cdk-lib/aws-lambda";
-var OpenHiCoreService = class extends OpenHiService {
-  constructor(ohEnv, props = {}) {
-    props = {
-      ...props
-    };
-    super(ohEnv, OPEN_HI_SERVICE_TYPE.CORE, props);
-    this.props = props;
-    new Function(this, "test-fn", {
-      runtime: Runtime.NODEJS_LATEST,
-      handler: "index.handler",
-      code: Code.fromInline(
-        'exports.handler = async () => { return {statusCode:200, body:"ok"} }'
-      )
+// src/components/app-sync/root-graphql-api.ts
+var _RootGraphqlApi = class _RootGraphqlApi extends GraphqlApi {
+  static fromConstruct(scope) {
+    const graphqlApiId = DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: _RootGraphqlApi.SSM_PARAM_NAME,
+      serviceType: "graphql-api"
+    });
+    return GraphqlApi.fromGraphqlApiAttributes(scope, "root-graphql-api", {
+      graphqlApiId
+    });
+  }
+  constructor(scope, props) {
+    const stack = OpenHiService.of(scope);
+    const schema = new CodeFirstSchema();
+    schema.addType(
+      new ObjectType("Query", {
+        definition: { HelloWorld: GraphqlType.string() }
+      })
+    );
+    super(scope, "root-graphql-api", {
+      /**
+       * Defaults
+       */
+      queryDepthLimit: 2,
+      resolverCountLimit: 50,
+      definition: Definition.fromSchema(schema),
+      /**
+       * Overrideable props
+       */
+      ...props,
+      /**
+       * Required
+       */
+      name: ["root", "graphql", "api", stack.branchHash].join("-")
+    });
+    new DiscoverableStringParameter(this, "graphql-api-param", {
+      ssmParamName: _RootGraphqlApi.SSM_PARAM_NAME,
+      serviceType: "graphql-api",
+      stringValue: this.apiId
     });
   }
 };
+/**
+ * Used when storing the GraphQl API ID in SSM.
+ */
+_RootGraphqlApi.SSM_PARAM_NAME = "ROOT_GRAPHQL_API";
+var RootGraphqlApi = _RootGraphqlApi;
 
-// src/components/auth.ts
-import { Construct } from "constructs";
-
-// src/components/cognito/core-user-pool.ts
+// src/components/cognito/cognito-user-pool.ts
 import {
   UserPool,
   VerificationEmailStyle
 } from "aws-cdk-lib/aws-cognito";
-var _CoreUserPool = class _CoreUserPool extends UserPool {
-  static fromConstruct(scope) {
-    const userPoolId = DiscoverableStringParameter.valueForLookupName(scope, {
-      ssmParamName: _CoreUserPool.SSM_PARAM_NAME,
-      serviceType: OPEN_HI_SERVICE_TYPE.AUTH
-    });
-    return UserPool.fromUserPoolId(scope, "user-pool", userPoolId);
-  }
+var CognitoUserPool = class extends UserPool {
   constructor(scope, props = {}) {
     const service = OpenHiService.of(scope);
     super(scope, "user-pool", {
@@ -516,39 +544,18 @@ var _CoreUserPool = class _CoreUserPool extends UserPool {
       /**
        * Required
        */
-      userPoolName: ["core", "user", "pool", service.branchHash].join("-")
-    });
-    new DiscoverableStringParameter(this, "user-pool-param", {
-      ssmParamName: _CoreUserPool.SSM_PARAM_NAME,
-      stringValue: this.userPoolId
+      userPoolName: ["cognito", "user", "pool", service.branchHash].join("-")
     });
   }
 };
 /**
  * Used when storing the User Pool ID in SSM.
  */
-_CoreUserPool.SSM_PARAM_NAME = "CORE_USER_POOL";
-var CoreUserPool = _CoreUserPool;
+CognitoUserPool.SSM_PARAM_NAME = "COGNITO_USER_POOL";
 
-// src/components/cognito/core-user-pool-client.ts
-import {
-  UserPoolClient
-} from "aws-cdk-lib/aws-cognito";
-var _CoreUserPoolClient = class _CoreUserPoolClient extends UserPoolClient {
-  static fromConstruct(scope) {
-    const userPoolClientId = DiscoverableStringParameter.valueForLookupName(
-      scope,
-      {
-        ssmParamName: _CoreUserPoolClient.SSM_PARAM_NAME,
-        serviceType: OPEN_HI_SERVICE_TYPE.AUTH
-      }
-    );
-    return UserPoolClient.fromUserPoolClientId(
-      scope,
-      "user-pool-client",
-      userPoolClientId
-    );
-  }
+// src/components/cognito/cognito-user-pool-client.ts
+import { UserPoolClient } from "aws-cdk-lib/aws-cognito";
+var CognitoUserPoolClient = class extends UserPoolClient {
   constructor(scope, props) {
     super(scope, "user-pool-client", {
       /**
@@ -567,64 +574,31 @@ var _CoreUserPoolClient = class _CoreUserPoolClient extends UserPoolClient {
        */
       ...props
     });
-    new DiscoverableStringParameter(this, "user-pool-client-param", {
-      ssmParamName: _CoreUserPoolClient.SSM_PARAM_NAME,
-      stringValue: this.userPoolClientId
-    });
   }
 };
 /**
  * Used when storing the User Pool Client ID in SSM.
  */
-_CoreUserPoolClient.SSM_PARAM_NAME = "CORE_USER_POOL_CLIENT";
-var CoreUserPoolClient = _CoreUserPoolClient;
+CognitoUserPoolClient.SSM_PARAM_NAME = "COGNITO_USER_POOL_CLIENT";
 
-// src/components/cognito/core-user-pool-domain.ts
-import {
-  UserPoolDomain
-} from "aws-cdk-lib/aws-cognito";
-var _CoreUserPoolDomain = class _CoreUserPoolDomain extends UserPoolDomain {
-  static fromConstruct(scope) {
-    const userPoolDomain = DiscoverableStringParameter.valueForLookupName(
-      scope,
-      {
-        ssmParamName: _CoreUserPoolDomain.SSM_PARAM_NAME,
-        serviceType: OPEN_HI_SERVICE_TYPE.AUTH
-      }
-    );
-    return UserPoolDomain.fromDomainName(
-      scope,
-      "user-pool-domain",
-      userPoolDomain
-    );
-  }
+// src/components/cognito/cognito-user-pool-domain.ts
+import { UserPoolDomain } from "aws-cdk-lib/aws-cognito";
+var CognitoUserPoolDomain = class extends UserPoolDomain {
   constructor(scope, props) {
     const id = props.cognitoDomain?.domainPrefix ? "cognito-domain" : "custom-domain";
     super(scope, id, {
       ...props
     });
-    new DiscoverableStringParameter(this, "user-pool-domain-param", {
-      ssmParamName: _CoreUserPoolDomain.SSM_PARAM_NAME,
-      stringValue: this.domainName
-    });
   }
 };
 /**
  * Used when storing the User Pool Domain in SSM.
  */
-_CoreUserPoolDomain.SSM_PARAM_NAME = "CORE_USER_POOL_DOMAIN";
-var CoreUserPoolDomain = _CoreUserPoolDomain;
+CognitoUserPoolDomain.SSM_PARAM_NAME = "COGNITO_USER_POOL_DOMAIN";
 
-// src/components/cognito/core-user-pool-kms-key.ts
+// src/components/cognito/cognito-user-pool-kms-key.ts
 import { Key } from "aws-cdk-lib/aws-kms";
-var _CoreUserPoolKmsKey = class _CoreUserPoolKmsKey extends Key {
-  static fromConstruct(scope) {
-    const keyArn = DiscoverableStringParameter.valueForLookupName(scope, {
-      ssmParamName: _CoreUserPoolKmsKey.SSM_PARAM_NAME,
-      serviceType: OPEN_HI_SERVICE_TYPE.AUTH
-    });
-    return Key.fromKeyArn(scope, "kms-key", keyArn);
-  }
+var CognitoUserPoolKmsKey = class extends Key {
   constructor(scope, props = {}) {
     const service = OpenHiService.of(scope);
     super(scope, "kms-key", {
@@ -633,142 +607,146 @@ var _CoreUserPoolKmsKey = class _CoreUserPoolKmsKey extends Key {
       description: `KMS Key for Cognito User Pool - ${service.branchHash}`,
       removalPolicy: props.removalPolicy ?? service.removalPolicy
     });
-    new DiscoverableStringParameter(this, "kms-key-param", {
-      ssmParamName: _CoreUserPoolKmsKey.SSM_PARAM_NAME,
-      stringValue: this.keyArn
-    });
   }
 };
 /**
  * Used when storing the KMS Key in SSM.
  */
-_CoreUserPoolKmsKey.SSM_PARAM_NAME = "CORE_USER_POOL_KMS_KEY";
-var CoreUserPoolKmsKey = _CoreUserPoolKmsKey;
+CognitoUserPoolKmsKey.SSM_PARAM_NAME = "COGNITO_USER_POOL_KMS_KEY";
 
-// src/components/auth.ts
-var Auth = class _Auth extends Construct {
-  /**
-   * Returns an Auth instance that uses resources imported from AUTH SSM
-   * parameters. Use this when creating Core or other stacks that consume
-   * auth resources; the Auth stack must be deployed first.
-   *
-   * @param scope - Construct scope (e.g. Core); must be in a stack that has
-   *   access to the same account/region as the deployed Auth stack.
-   */
-  static fromConstruct(scope) {
-    return new _Auth(scope, {});
-  }
-  constructor(scope, props = {}) {
-    super(scope, "auth");
-    const service = OpenHiService.of(this);
-    this.isAuthService = service.serviceType === OPEN_HI_SERVICE_TYPE.AUTH;
-    this.userPoolKmsKey = this.createUserPoolKmsKey();
-    this.userPool = this.createUserPool({
-      ...props.userPoolProps,
-      customSenderKmsKey: this.userPoolKmsKey
+// src/components/dynamodb/dynamo-db-data-store.ts
+import {
+  AttributeType,
+  BillingMode,
+  ProjectionType,
+  Table
+} from "aws-cdk-lib/aws-dynamodb";
+function getDynamoDbDataStoreTableName(scope) {
+  const stack = OpenHiService.of(scope);
+  return `data-store-${stack.branchHash}`;
+}
+var DynamoDbDataStore = class extends Table {
+  constructor(scope, id, props = {}) {
+    const service = OpenHiService.of(scope);
+    super(scope, id, {
+      ...props,
+      tableName: getDynamoDbDataStoreTableName(scope),
+      partitionKey: {
+        name: "PK",
+        type: AttributeType.STRING
+      },
+      sortKey: {
+        name: "SK",
+        type: AttributeType.STRING
+      },
+      billingMode: BillingMode.PAY_PER_REQUEST,
+      removalPolicy: props.removalPolicy ?? service.removalPolicy
     });
-    this.userPoolClient = this.createUserPoolClient({
-      userPool: this.userPool
+    this.addGlobalSecondaryIndex({
+      indexName: "GSI1",
+      partitionKey: {
+        name: "GSI1PK",
+        type: AttributeType.STRING
+      },
+      sortKey: {
+        name: "GSI1SK",
+        type: AttributeType.STRING
+      },
+      projectionType: ProjectionType.INCLUDE,
+      nonKeyAttributes: ["srcType", "srcId", "path", "srcPk", "srcSk", "ts"]
     });
-    this.userPoolDomain = this.createUserPoolDomain({
-      userPool: this.userPool
+    this.addGlobalSecondaryIndex({
+      indexName: "GSI2",
+      partitionKey: {
+        name: "GSI2PK",
+        type: AttributeType.STRING
+      },
+      sortKey: {
+        name: "GSI2SK",
+        type: AttributeType.STRING
+      },
+      projectionType: ProjectionType.INCLUDE,
+      nonKeyAttributes: ["resourcePk", "resourceSk", "display", "status"]
+    });
+    this.addGlobalSecondaryIndex({
+      indexName: "GSI3",
+      partitionKey: {
+        name: "GSI3PK",
+        type: AttributeType.STRING
+      },
+      sortKey: {
+        name: "GSI3SK",
+        type: AttributeType.STRING
+      },
+      projectionType: ProjectionType.INCLUDE,
+      nonKeyAttributes: ["resourcePk", "resourceSk"]
+    });
+    this.addGlobalSecondaryIndex({
+      indexName: "GSI4",
+      partitionKey: {
+        name: "GSI4PK",
+        type: AttributeType.STRING
+      },
+      sortKey: {
+        name: "GSI4SK",
+        type: AttributeType.STRING
+      },
+      projectionType: ProjectionType.ALL
     });
   }
+};
+
+// src/components/event-bridge/data-event-bus.ts
+import { EventBus } from "aws-cdk-lib/aws-events";
+var DataEventBus = class _DataEventBus extends EventBus {
   /*****************************************************************************
    *
-   * Auth Support
+   * Return a name for this EventBus based on the stack environment hash. This
+   * name is common across all stacks since it's using the environment hash in
+   * it's name.
    *
    ****************************************************************************/
-  createUserPoolKmsKey() {
-    return this.isAuthService ? new CoreUserPoolKmsKey(this) : CoreUserPoolKmsKey.fromConstruct(this);
-  }
-  createUserPool(props) {
-    return this.isAuthService ? new CoreUserPool(this, props) : CoreUserPool.fromConstruct(this);
-  }
-  createUserPoolClient(props) {
-    return this.isAuthService ? new CoreUserPoolClient(this, { userPool: props.userPool }) : CoreUserPoolClient.fromConstruct(this);
+  static getEventBusName(scope) {
+    const stack = OpenHiService.of(scope);
+    return `data${stack.branchHash}`;
   }
-  createUserPoolDomain(props) {
-    const service = OpenHiService.of(this);
-    return this.isAuthService ? new CoreUserPoolDomain(this, {
-      userPool: props.userPool,
-      cognitoDomain: {
-        domainPrefix: `auth-${service.branchHash}`
-      }
-    }) : CoreUserPoolDomain.fromConstruct(this);
+  constructor(scope, props) {
+    super(scope, "data-event-bus", {
+      ...props,
+      eventBusName: _DataEventBus.getEventBusName(scope)
+    });
   }
 };
 
-// src/services/open-hi-auth-service.ts
-var OpenHiAuthService = class extends OpenHiService {
-  constructor(ohEnv, props = {}) {
-    super(ohEnv, OPEN_HI_SERVICE_TYPE.AUTH, props);
-    this.props = props;
-    this.auth = new Auth(this, props.authProps);
+// src/components/event-bridge/ops-event-bus.ts
+import { EventBus as EventBus2 } from "aws-cdk-lib/aws-events";
+var OpsEventBus = class _OpsEventBus extends EventBus2 {
+  /*****************************************************************************
+   *
+   * Return a name for this EventBus based on the stack environment hash. This
+   * name is common across all stacks since it's using the environment hash in
+   * it's name.
+   *
+   ****************************************************************************/
+  static getEventBusName(scope) {
+    const stack = OpenHiService.of(scope);
+    return `ops${stack.branchHash}`;
+  }
+  constructor(scope, props) {
+    super(scope, "ops-event-bus", {
+      ...props,
+      eventBusName: _OpsEventBus.getEventBusName(scope)
+    });
   }
 };
 
-// src/components/global.ts
-import {
-  CertificateValidation
-} from "aws-cdk-lib/aws-certificatemanager";
-import { Construct as Construct3 } from "constructs";
-
-// src/components/acm/root-wildcard-certificate.ts
-import {
-  Certificate
-} from "aws-cdk-lib/aws-certificatemanager";
-import { StringParameter as StringParameter2 } from "aws-cdk-lib/aws-ssm";
-var _RootWildcardCertificate = class _RootWildcardCertificate extends Certificate {
-  /**
-   * Using a special name here since this will be shared and used among many
-   * stacks and services.
-   */
-  static ssmParameterName() {
-    return "/" + ["GLOBAL", _RootWildcardCertificate.SSM_PARAM_NAME].join("/").toUpperCase();
-  }
-  static fromConstruct(scope) {
-    const certificateArn = StringParameter2.valueForStringParameter(
-      scope,
-      _RootWildcardCertificate.ssmParameterName()
-    );
-    return Certificate.fromCertificateArn(
-      scope,
-      "wildcard-certificate",
-      certificateArn
-    );
-  }
-  constructor(scope, props) {
-    super(scope, "root-wildcard-certificate", { ...props });
-    new StringParameter2(this, "wildcard-cert-param", {
-      parameterName: _RootWildcardCertificate.ssmParameterName(),
-      stringValue: this.certificateArn
-    });
-  }
-};
-/**
- * Used when storing the Certificate ARN in SSM.
- */
-_RootWildcardCertificate.SSM_PARAM_NAME = "ROOT_WILDCARD_CERT_ARN";
-var RootWildcardCertificate = _RootWildcardCertificate;
-
-// src/components/route-53/child-hosted-zone.ts
-import { Duration } from "aws-cdk-lib";
+// src/components/route-53/child-hosted-zone.ts
+import { Duration } from "aws-cdk-lib";
 import {
   HostedZone,
   NsRecord
 } from "aws-cdk-lib/aws-route53";
-var _ChildHostedZone = class _ChildHostedZone extends HostedZone {
-  static fromConstruct(scope, props) {
-    const hostedZoneId = DiscoverableStringParameter.valueForLookupName(scope, {
-      ssmParamName: _ChildHostedZone.SSM_PARAM_NAME,
-      serviceType: props.serviceType ?? OPEN_HI_SERVICE_TYPE.GLOBAL
-    });
-    return HostedZone.fromHostedZoneAttributes(scope, "child-zone", {
-      hostedZoneId,
-      zoneName: props.zoneName
-    });
-  }
+var ChildHostedZone = class extends HostedZone {
   constructor(scope, id, props) {
     super(scope, id, { ...props });
     new NsRecord(this, "child-ns-record", {
@@ -777,66 +755,211 @@ var _ChildHostedZone = class _ChildHostedZone extends HostedZone {
       values: this.hostedZoneNameServers || [],
       ttl: Duration.minutes(5)
     });
-    new DiscoverableStringParameter(this, "child-zone-param", {
-      ssmParamName: _ChildHostedZone.SSM_PARAM_NAME,
-      stringValue: this.hostedZoneId,
-      description: "Route53 child hosted zone ID."
-    });
   }
 };
 /**
- * Used when storing the API ID in SSM.
+ * Used when storing the child zone ID in SSM. Use {@link OpenHiGlobalService.childHostedZoneFromConstruct} to look up.
  */
-_ChildHostedZone.SSM_PARAM_NAME = "CHILDHOSTEDZONE";
-var ChildHostedZone = _ChildHostedZone;
+ChildHostedZone.SSM_PARAM_NAME = "CHILDHOSTEDZONE";
 
 // src/components/route-53/root-hosted-zone.ts
-import {
-  HostedZone as HostedZone2
-} from "aws-cdk-lib/aws-route53";
-import { Construct as Construct2 } from "constructs";
-var RootHostedZone = class extends Construct2 {
-  static fromConstruct(scope, props) {
-    return HostedZone2.fromHostedZoneAttributes(scope, "root-zone", {
-      hostedZoneId: props.hostedZoneId,
-      zoneName: props.zoneName
-    });
-  }
+import { Construct } from "constructs";
+var RootHostedZone = class extends Construct {
 };
 
-// src/components/global.ts
-var Global = class extends Construct3 {
-  constructor(scope, id, props) {
-    super(scope, id);
+// src/services/open-hi-auth-service.ts
+import {
+  UserPool as UserPool2,
+  UserPoolClient as UserPoolClient2,
+  UserPoolDomain as UserPoolDomain2
+} from "aws-cdk-lib/aws-cognito";
+import { Key as Key2 } from "aws-cdk-lib/aws-kms";
+var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
+  constructor(ohEnv, props = {}) {
+    super(ohEnv, _OpenHiAuthService.SERVICE_TYPE, props);
     this.props = props;
-    const { rootHostedZoneAttributes, childHostedZoneAttributes } = props;
-    const service = OpenHiService.of(this);
-    this.rootHostedZone = RootHostedZone.fromConstruct(
-      this,
-      rootHostedZoneAttributes
+    this.userPoolKmsKey = this.createUserPoolKmsKey();
+    this.userPool = this.createUserPool();
+    this.userPoolClient = this.createUserPoolClient();
+    this.userPoolDomain = this.createUserPoolDomain();
+  }
+  /**
+   * Returns an IUserPool by looking up the Auth stack's User Pool ID from SSM.
+   */
+  static userPoolFromConstruct(scope) {
+    const userPoolId = DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: CognitoUserPool.SSM_PARAM_NAME,
+      serviceType: _OpenHiAuthService.SERVICE_TYPE
+    });
+    return UserPool2.fromUserPoolId(scope, "user-pool", userPoolId);
+  }
+  /**
+   * Returns an IUserPoolClient by looking up the Auth stack's User Pool Client ID from SSM.
+   */
+  static userPoolClientFromConstruct(scope) {
+    const userPoolClientId = DiscoverableStringParameter.valueForLookupName(
+      scope,
+      {
+        ssmParamName: CognitoUserPoolClient.SSM_PARAM_NAME,
+        serviceType: _OpenHiAuthService.SERVICE_TYPE
+      }
     );
-    if (childHostedZoneAttributes) {
-      this.childHostedZone = new ChildHostedZone(this, "child-zone", {
-        parentHostedZone: this.rootHostedZone,
-        zoneName: childHostedZoneAttributes.zoneName
-      });
-    }
-    if (service.branchName === "main") {
-      this.rootWildcardCertificate = new RootWildcardCertificate(this, {
-        domainName: `*.${this.rootHostedZone.zoneName}`,
-        subjectAlternativeNames: [this.rootHostedZone.zoneName],
-        validation: CertificateValidation.fromDns(this.rootHostedZone)
-      });
-    } else {
-      this.rootWildcardCertificate = RootWildcardCertificate.fromConstruct(this);
-    }
+    return UserPoolClient2.fromUserPoolClientId(
+      scope,
+      "user-pool-client",
+      userPoolClientId
+    );
+  }
+  /**
+   * Returns an IUserPoolDomain by looking up the Auth stack's User Pool Domain from SSM.
+   */
+  static userPoolDomainFromConstruct(scope) {
+    const domainName = DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: CognitoUserPoolDomain.SSM_PARAM_NAME,
+      serviceType: _OpenHiAuthService.SERVICE_TYPE
+    });
+    return UserPoolDomain2.fromDomainName(scope, "user-pool-domain", domainName);
+  }
+  /**
+   * Returns an IKey (KMS) by looking up the Auth stack's User Pool KMS Key ARN from SSM.
+   */
+  static userPoolKmsKeyFromConstruct(scope) {
+    const keyArn = DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: CognitoUserPoolKmsKey.SSM_PARAM_NAME,
+      serviceType: _OpenHiAuthService.SERVICE_TYPE
+    });
+    return Key2.fromKeyArn(scope, "kms-key", keyArn);
+  }
+  get serviceType() {
+    return _OpenHiAuthService.SERVICE_TYPE;
+  }
+  /**
+   * Creates the KMS key for the Cognito User Pool and exports its ARN to SSM.
+   * Look up via {@link OpenHiAuthService.userPoolKmsKeyFromConstruct}.
+   * Override to customize.
+   */
+  createUserPoolKmsKey() {
+    const key = new CognitoUserPoolKmsKey(this);
+    new DiscoverableStringParameter(this, "kms-key-param", {
+      ssmParamName: CognitoUserPoolKmsKey.SSM_PARAM_NAME,
+      stringValue: key.keyArn,
+      description: "KMS key ARN for Cognito User Pool (e.g. custom sender); cross-stack reference"
+    });
+    return key;
+  }
+  /**
+   * Creates the Cognito User Pool and exports its ID to SSM.
+   * Look up via {@link OpenHiAuthService.userPoolFromConstruct}.
+   * Override to customize.
+   */
+  createUserPool() {
+    const userPool = new CognitoUserPool(this, {
+      ...this.props.userPoolProps,
+      customSenderKmsKey: this.userPoolKmsKey
+    });
+    new DiscoverableStringParameter(this, "user-pool-param", {
+      ssmParamName: CognitoUserPool.SSM_PARAM_NAME,
+      stringValue: userPool.userPoolId,
+      description: "Cognito User Pool ID for this Auth stack; cross-stack reference"
+    });
+    return userPool;
+  }
+  /**
+   * Creates the User Pool Client and exports its ID to SSM (AUTH service type).
+   * Look up via {@link OpenHiAuthService.userPoolClientFromConstruct}.
+   * Override to customize.
+   */
+  createUserPoolClient() {
+    const client = new CognitoUserPoolClient(this, {
+      userPool: this.userPool
+    });
+    new DiscoverableStringParameter(this, "user-pool-client-param", {
+      ssmParamName: CognitoUserPoolClient.SSM_PARAM_NAME,
+      stringValue: client.userPoolClientId,
+      description: "Cognito User Pool Client ID for this Auth stack; cross-stack reference"
+    });
+    return client;
+  }
+  /**
+   * Creates the User Pool Domain (Cognito hosted UI) and exports domain name to SSM.
+   * Look up via {@link OpenHiAuthService.userPoolDomainFromConstruct}.
+   * Override to customize.
+   */
+  createUserPoolDomain() {
+    const domain = new CognitoUserPoolDomain(this, {
+      userPool: this.userPool,
+      cognitoDomain: {
+        domainPrefix: `auth-${this.branchHash}`
+      }
+    });
+    new DiscoverableStringParameter(this, "user-pool-domain-param", {
+      ssmParamName: CognitoUserPoolDomain.SSM_PARAM_NAME,
+      stringValue: domain.domainName,
+      description: "Cognito User Pool Domain (hosted UI) for this Auth stack; cross-stack reference"
+    });
+    return domain;
   }
 };
+_OpenHiAuthService.SERVICE_TYPE = "auth";
+var OpenHiAuthService = _OpenHiAuthService;
 
 // src/services/open-hi-global-service.ts
-var OpenHiGlobalService = class extends OpenHiService {
+import {
+  Certificate as Certificate2,
+  CertificateValidation
+} from "aws-cdk-lib/aws-certificatemanager";
+import {
+  HostedZone as HostedZone2
+} from "aws-cdk-lib/aws-route53";
+import { StringParameter as StringParameter3 } from "aws-cdk-lib/aws-ssm";
+var _OpenHiGlobalService = class _OpenHiGlobalService extends OpenHiService {
+  /**
+   * Returns an IHostedZone from the given attributes (no SSM). Use when the zone is imported from config.
+   */
+  static rootHostedZoneFromConstruct(scope, props) {
+    return HostedZone2.fromHostedZoneAttributes(scope, "root-zone", props);
+  }
+  /**
+   * Returns an ICertificate by looking up the Global stack's wildcard cert ARN from SSM.
+   */
+  static rootWildcardCertificateFromConstruct(scope) {
+    const certificateArn = StringParameter3.valueForStringParameter(
+      scope,
+      RootWildcardCertificate.ssmParameterName()
+    );
+    return Certificate2.fromCertificateArn(
+      scope,
+      "wildcard-certificate",
+      certificateArn
+    );
+  }
+  /**
+   * Returns an IHostedZone by looking up the child hosted zone ID from SSM. Defaults to GLOBAL service type.
+   */
+  static childHostedZoneFromConstruct(scope, props) {
+    const hostedZoneId = DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: ChildHostedZone.SSM_PARAM_NAME,
+      serviceType: props.serviceType ?? _OpenHiGlobalService.SERVICE_TYPE
+    });
+    return HostedZone2.fromHostedZoneAttributes(scope, "child-zone", {
+      hostedZoneId,
+      zoneName: props.zoneName
+    });
+  }
+  get serviceType() {
+    return _OpenHiGlobalService.SERVICE_TYPE;
+  }
   constructor(ohEnv, props = {}) {
-    super(ohEnv, OPEN_HI_SERVICE_TYPE.GLOBAL, props);
+    super(ohEnv, _OpenHiGlobalService.SERVICE_TYPE, props);
+    this.validateConfig(props);
+    this.rootHostedZone = this.createRootHostedZone();
+    this.childHostedZone = this.createChildHostedZone();
+    this.rootWildcardCertificate = this.createRootWildcardCertificate();
+  }
+  /**
+   * Validates that config required for the Global stack is present.
+   */
+  validateConfig(props) {
     const { config } = props;
     if (!config) {
       throw new Error("Config is required");
@@ -847,169 +970,136 @@ var OpenHiGlobalService = class extends OpenHiService {
     if (!config.hostedZoneId) {
       throw new Error("Hosted zone ID is required to import the root zone");
     }
-    this.global = new Global(this, "global", {
-      rootHostedZoneAttributes: {
-        zoneName: config.zoneName,
-        hostedZoneId: config.hostedZoneId
-      }
-      /*
-      childHostedZoneAttributes: {
-        zoneName: `${this.childZonePrefix}.${config.zoneName}`,
-        hostedZoneId: config.hostedZoneId,
-      },
-      */
+  }
+  /**
+   * Creates the root hosted zone (imported via attributes from config).
+   * Override to customize or create the zone.
+   */
+  createRootHostedZone() {
+    return _OpenHiGlobalService.rootHostedZoneFromConstruct(this, {
+      zoneName: this.config.zoneName,
+      hostedZoneId: this.config.hostedZoneId
     });
   }
+  /**
+   * Creates the optional child hosted zone (e.g. branch subdomain).
+   * Override to create a child zone when config provides childHostedZoneAttributes.
+   * If you create a ChildHostedZone, also create a DiscoverableStringParameter
+   * with ChildHostedZone.SSM_PARAM_NAME and the zone's hostedZoneId.
+   */
+  createChildHostedZone() {
+    return void 0;
+  }
+  /**
+   * Creates the root wildcard certificate. On main branch, creates a new cert
+   * with DNS validation; otherwise imports from SSM.
+   * Override to customize certificate creation.
+   */
+  createRootWildcardCertificate() {
+    if (this.branchName === "main") {
+      return new RootWildcardCertificate(this, {
+        domainName: `*.${this.rootHostedZone.zoneName}`,
+        subjectAlternativeNames: [this.rootHostedZone.zoneName],
+        validation: CertificateValidation.fromDns(this.rootHostedZone)
+      });
+    }
+    return _OpenHiGlobalService.rootWildcardCertificateFromConstruct(this);
+  }
 };
+_OpenHiGlobalService.SERVICE_TYPE = "global";
+var OpenHiGlobalService = _OpenHiGlobalService;
 
 // src/services/open-hi-rest-api-service.ts
 import {
   DomainName,
+  HttpApi as HttpApi2,
   HttpMethod,
   HttpRoute,
   HttpRouteKey
 } from "aws-cdk-lib/aws-apigatewayv2";
 import { HttpLambdaIntegration } from "aws-cdk-lib/aws-apigatewayv2-integrations";
-import { ARecord, HostedZone as HostedZone3, RecordTarget } from "aws-cdk-lib/aws-route53";
+import {
+  ARecord,
+  HostedZone as HostedZone3,
+  RecordTarget
+} from "aws-cdk-lib/aws-route53";
 import { ApiGatewayv2DomainProperties } from "aws-cdk-lib/aws-route53-targets";
 
-// src/components/api-gateway/core-http-api.ts
-import { HttpApi } from "aws-cdk-lib/aws-apigatewayv2";
-var _CoreHttpApi = class _CoreHttpApi extends HttpApi {
-  static fromConstruct(scope) {
-    const httpApiId = DiscoverableStringParameter.valueForLookupName(scope, {
-      ssmParamName: _CoreHttpApi.SSM_PARAM_NAME,
-      serviceType: OPEN_HI_SERVICE_TYPE.REST_API
-    });
-    return HttpApi.fromHttpApiAttributes(scope, "http-api", {
-      httpApiId
-    });
+// src/services/open-hi-data-service.ts
+import { Table as Table2 } from "aws-cdk-lib/aws-dynamodb";
+import { EventBus as EventBus3 } from "aws-cdk-lib/aws-events";
+var _OpenHiDataService = class _OpenHiDataService extends OpenHiService {
+  /**
+   * Returns the data event bus by name (deterministic per branch). Use from other stacks to obtain an IEventBus reference.
+   */
+  static dataEventBusFromConstruct(scope) {
+    return EventBus3.fromEventBusName(
+      scope,
+      "data-event-bus",
+      DataEventBus.getEventBusName(scope)
+    );
   }
-  constructor(scope, props = {}) {
-    const stack = OpenHiService.of(scope);
-    super(scope, "http-api", {
-      /**
-       * User provided props
-       */
-      ...props,
-      /**
-       * Required
-       */
-      apiName: ["core", "http", "api", stack.branchHash].join("-")
-    });
-    new DiscoverableStringParameter(this, "http-api-url-param", {
-      ssmParamName: _CoreHttpApi.SSM_PARAM_NAME,
-      serviceType: OPEN_HI_SERVICE_TYPE.REST_API,
-      stringValue: this.httpApiId
-    });
+  /**
+   * Returns the ops event bus by name (deterministic per branch). Use from other stacks to obtain an IEventBus reference.
+   */
+  static opsEventBusFromConstruct(scope) {
+    return EventBus3.fromEventBusName(
+      scope,
+      "ops-event-bus",
+      OpsEventBus.getEventBusName(scope)
+    );
   }
-};
-/**
- * Used when storing the API ID in SSM.
- */
-_CoreHttpApi.SSM_PARAM_NAME = "CORE_HTTP_API";
-var CoreHttpApi = _CoreHttpApi;
-
-// src/components/dynamodb/dynamo-db-data-store.ts
-import {
-  AttributeType,
-  BillingMode,
-  ProjectionType,
-  Table
-} from "aws-cdk-lib/aws-dynamodb";
-function getDynamoDbDataStoreTableName(scope) {
-  const stack = OpenHiService.of(scope);
-  return `data-store-${stack.branchHash}`;
-}
-var DynamoDbDataStore = class extends Table {
   /**
-   * Import the data store table by name for use in another stack (e.g. data
-   * service or Lambda). Uses the same naming as {@link getDynamoDbDataStoreTableName}.
+   * Returns the data store table by name. Use from other stacks (e.g. REST API Lambda) to obtain an ITable reference.
    */
-  static fromConstruct(scope, id = "dynamo-db-data-store") {
-    return Table.fromTableName(scope, id, getDynamoDbDataStoreTableName(scope));
+  static dynamoDbDataStoreFromConstruct(scope, id = "dynamo-db-data-store") {
+    return Table2.fromTableName(scope, id, getDynamoDbDataStoreTableName(scope));
   }
-  constructor(scope, id, props = {}) {
-    const service = OpenHiService.of(scope);
-    super(scope, id, {
-      ...props,
-      tableName: getDynamoDbDataStoreTableName(scope),
-      partitionKey: {
-        name: "PK",
-        type: AttributeType.STRING
-      },
-      sortKey: {
-        name: "SK",
-        type: AttributeType.STRING
-      },
-      billingMode: BillingMode.PAY_PER_REQUEST,
-      removalPolicy: props.removalPolicy ?? service.removalPolicy
-    });
-    this.addGlobalSecondaryIndex({
-      indexName: "GSI1",
-      partitionKey: {
-        name: "GSI1PK",
-        type: AttributeType.STRING
-      },
-      sortKey: {
-        name: "GSI1SK",
-        type: AttributeType.STRING
-      },
-      projectionType: ProjectionType.INCLUDE,
-      nonKeyAttributes: ["srcType", "srcId", "path", "srcPk", "srcSk", "ts"]
-    });
-    this.addGlobalSecondaryIndex({
-      indexName: "GSI2",
-      partitionKey: {
-        name: "GSI2PK",
-        type: AttributeType.STRING
-      },
-      sortKey: {
-        name: "GSI2SK",
-        type: AttributeType.STRING
-      },
-      projectionType: ProjectionType.INCLUDE,
-      nonKeyAttributes: ["resourcePk", "resourceSk", "display", "status"]
-    });
-    this.addGlobalSecondaryIndex({
-      indexName: "GSI3",
-      partitionKey: {
-        name: "GSI3PK",
-        type: AttributeType.STRING
-      },
-      sortKey: {
-        name: "GSI3SK",
-        type: AttributeType.STRING
-      },
-      projectionType: ProjectionType.INCLUDE,
-      nonKeyAttributes: ["resourcePk", "resourceSk"]
-    });
-    this.addGlobalSecondaryIndex({
-      indexName: "GSI4",
-      partitionKey: {
-        name: "GSI4PK",
-        type: AttributeType.STRING
-      },
-      sortKey: {
-        name: "GSI4SK",
-        type: AttributeType.STRING
-      },
-      projectionType: ProjectionType.ALL
-    });
+  get serviceType() {
+    return _OpenHiDataService.SERVICE_TYPE;
+  }
+  constructor(ohEnv, props = {}) {
+    super(ohEnv, _OpenHiDataService.SERVICE_TYPE, props);
+    this.dataEventBus = this.createDataEventBus();
+    this.opsEventBus = this.createOpsEventBus();
+    this.dataStore = this.createDataStore();
+  }
+  /**
+   * Creates the data event bus.
+   * Override to customize.
+   */
+  createDataEventBus() {
+    return new DataEventBus(this);
+  }
+  /**
+   * Creates the ops event bus.
+   * Override to customize.
+   */
+  createOpsEventBus() {
+    return new OpsEventBus(this);
+  }
+  /**
+   * Creates the single-table DynamoDB data store.
+   * Override to customize.
+   */
+  createDataStore() {
+    return new DynamoDbDataStore(this, "dynamo-db-data-store");
   }
 };
+_OpenHiDataService.SERVICE_TYPE = "data";
+var OpenHiDataService = _OpenHiDataService;
 
 // src/data/lambda/rest-api-lambda.ts
 import path from "path";
-import { Runtime as Runtime2 } from "aws-cdk-lib/aws-lambda";
+import { Runtime } from "aws-cdk-lib/aws-lambda";
 import { NodejsFunction } from "aws-cdk-lib/aws-lambda-nodejs";
-import { Construct as Construct4 } from "constructs";
-var RestApiLambda = class extends Construct4 {
+import { Construct as Construct2 } from "constructs";
+var RestApiLambda = class extends Construct2 {
   constructor(scope, props) {
     super(scope, "rest-api-lambda");
     this.lambda = new NodejsFunction(this, "handler", {
       entry: path.join(__dirname, "rest-api-lambda.handler.js"),
-      runtime: Runtime2.NODEJS_LATEST,
+      runtime: Runtime.NODEJS_LATEST,
       environment: {
         DYNAMO_TABLE_NAME: props.dynamoTableName
       }
@@ -1019,9 +1109,45 @@ var RestApiLambda = class extends Construct4 {
 
 // src/services/open-hi-rest-api-service.ts
 var REST_API_BASE_URL_SSM_NAME = "REST_API_BASE_URL";
-var OpenHiRestApiService = class extends OpenHiService {
+var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
+  /**
+   * Returns an IHttpApi by looking up the REST API stack's HTTP API ID from SSM.
+   */
+  static rootHttpApiFromConstruct(scope) {
+    const httpApiId = DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: RootHttpApi.SSM_PARAM_NAME,
+      serviceType: _OpenHiRestApiService.SERVICE_TYPE
+    });
+    return HttpApi2.fromHttpApiAttributes(scope, "http-api", { httpApiId });
+  }
+  /**
+   * Returns the REST API base URL (e.g. https://api.example.com) by looking it up from SSM.
+   * Use in other stacks for E2E, scripts, or config.
+   */
+  static restApiBaseUrlFromConstruct(scope) {
+    return DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: REST_API_BASE_URL_SSM_NAME,
+      serviceType: _OpenHiRestApiService.SERVICE_TYPE
+    });
+  }
+  get serviceType() {
+    return _OpenHiRestApiService.SERVICE_TYPE;
+  }
   constructor(ohEnv, props = {}) {
-    super(ohEnv, OPEN_HI_SERVICE_TYPE.REST_API, props);
+    super(ohEnv, _OpenHiRestApiService.SERVICE_TYPE, props);
+    this.validateConfig(props);
+    const hostedZone = this.createHostedZone();
+    const certificate = this.createCertificate();
+    const apiDomainName = this.createApiDomainNameString(hostedZone);
+    this.createRestApiBaseUrlParameter(apiDomainName);
+    const domainName = this.createDomainName(hostedZone, certificate);
+    this.rootHttpApi = this.createRootHttpApi(domainName);
+    this.createRestApiLambdaAndRoutes(hostedZone, domainName);
+  }
+  /**
+   * Validates that config required for the REST API stack is present.
+   */
+  validateConfig(props) {
     const { config } = props;
     if (!config) {
       throw new Error("Config is required");
@@ -1032,31 +1158,63 @@ var OpenHiRestApiService = class extends OpenHiService {
     if (!config.zoneName) {
       throw new Error("Zone name is required");
     }
-    const hostedZone = HostedZone3.fromHostedZoneAttributes(this, "root-zone", {
+  }
+  /**
+   * Creates the hosted zone reference (imported from config).
+   * Override to customize.
+   */
+  createHostedZone() {
+    const { config } = this.props;
+    return HostedZone3.fromHostedZoneAttributes(this, "root-zone", {
       hostedZoneId: config.hostedZoneId,
       zoneName: config.zoneName
     });
-    const certificate = RootWildcardCertificate.fromConstruct(this);
+  }
+  /**
+   * Creates the wildcard certificate (imported from Global stack via SSM).
+   * Override to customize.
+   */
+  createCertificate() {
+    return OpenHiGlobalService.rootWildcardCertificateFromConstruct(this);
+  }
+  /**
+   * Returns the API domain name string (e.g. api.example.com or api-{prefix}.example.com).
+   * Override to customize.
+   */
+  createApiDomainNameString(hostedZone) {
     const apiPrefix = this.branchName === "main" ? `api` : `api-${this.childZonePrefix}`;
-    const apiDomainName = [apiPrefix, hostedZone.zoneName].join(".");
+    return [apiPrefix, hostedZone.zoneName].join(".");
+  }
+  /**
+   * Creates the SSM parameter for the REST API base URL.
+   * Look up via {@link OpenHiRestApiService.restApiBaseUrlFromConstruct}.
+   * Override to customize.
+   */
+  createRestApiBaseUrlParameter(apiDomainName) {
     const restApiBaseUrl = `https://${apiDomainName}`;
     new DiscoverableStringParameter(this, "rest-api-base-url-param", {
       ssmParamName: REST_API_BASE_URL_SSM_NAME,
       stringValue: restApiBaseUrl,
       description: "REST API base URL for this deployment (E2E, scripts)"
     });
-    const domainName = new DomainName(this, "domain", {
+  }
+  /**
+   * Creates the API Gateway custom domain name resource.
+   * Override to customize.
+   */
+  createDomainName(_hostedZone, certificate) {
+    const apiDomainName = this.createApiDomainNameString(_hostedZone);
+    return new DomainName(this, "domain", {
       domainName: apiDomainName,
       certificate
     });
-    this.coreHttpApi = new CoreHttpApi(this, {
-      defaultDomainMapping: {
-        domainName,
-        mappingKey: void 0
-        // serve at root of domain
-      }
-    });
-    const dataStoreTable = DynamoDbDataStore.fromConstruct(this);
+  }
+  /**
+   * Creates the Lambda integration, HTTP routes, and API DNS record.
+   * Override to customize. Uses {@link rootHttpApi} set by the constructor.
+   */
+  createRestApiLambdaAndRoutes(hostedZone, domainName) {
+    const dataStoreTable = OpenHiDataService.dynamoDbDataStoreFromConstruct(this);
     const { lambda } = new RestApiLambda(this, {
       dynamoTableName: dataStoreTable.tableName
     });
@@ -1074,15 +1232,16 @@ var OpenHiRestApiService = class extends OpenHiService {
     );
     const integration = new HttpLambdaIntegration("lambda-integration", lambda);
     new HttpRoute(this, "proxy-route-root", {
-      httpApi: this.coreHttpApi,
+      httpApi: this.rootHttpApi,
       routeKey: HttpRouteKey.with("/", HttpMethod.ANY),
       integration
     });
     new HttpRoute(this, "proxy-route", {
-      httpApi: this.coreHttpApi,
+      httpApi: this.rootHttpApi,
       routeKey: HttpRouteKey.with("/{proxy+}", HttpMethod.ANY),
       integration
     });
+    const apiPrefix = this.branchName === "main" ? `api` : `api-${this.childZonePrefix}`;
     new ARecord(this, "api-a-record", {
       zone: hostedZone,
       recordName: apiPrefix,
@@ -1094,27 +1253,51 @@ var OpenHiRestApiService = class extends OpenHiService {
       )
     });
   }
-};
-
-// src/services/open-hi-data-service.ts
-var OpenHiDataService = class extends OpenHiService {
-  constructor(ohEnv, props = {}) {
-    super(ohEnv, OPEN_HI_SERVICE_TYPE.DATA, props);
-    this.dataStore = new DynamoDbDataStore(this, "dynamo-db-data-store");
+  /**
+   * Creates the Root HTTP API with default domain mapping and exports API ID to SSM.
+   * Look up via {@link OpenHiRestApiService.rootHttpApiFromConstruct}.
+   * Override to customize.
+   */
+  createRootHttpApi(domainName) {
+    const rootHttpApi = new RootHttpApi(this, {
+      defaultDomainMapping: {
+        domainName,
+        mappingKey: void 0
+      }
+    });
+    new DiscoverableStringParameter(this, "http-api-url-param", {
+      ssmParamName: RootHttpApi.SSM_PARAM_NAME,
+      stringValue: rootHttpApi.httpApiId,
+      description: "API Gateway HTTP API ID for this REST API stack (cross-stack reference)"
+    });
+    return rootHttpApi;
   }
 };
+_OpenHiRestApiService.SERVICE_TYPE = "rest-api";
+var OpenHiRestApiService = _OpenHiRestApiService;
 export {
+  ChildHostedZone,
+  CognitoUserPool,
+  CognitoUserPoolClient,
+  CognitoUserPoolDomain,
+  CognitoUserPoolKmsKey,
+  DataEventBus,
   DiscoverableStringParameter,
-  OPEN_HI_SERVICE_TYPE,
+  DynamoDbDataStore,
   OpenHiApp,
   OpenHiAuthService,
-  OpenHiCoreService,
   OpenHiDataService,
   OpenHiEnvironment,
   OpenHiGlobalService,
   OpenHiRestApiService,
   OpenHiService,
   OpenHiStage,
-  REST_API_BASE_URL_SSM_NAME
+  OpsEventBus,
+  REST_API_BASE_URL_SSM_NAME,
+  RootGraphqlApi,
+  RootHostedZone,
+  RootHttpApi,
+  RootWildcardCertificate,
+  getDynamoDbDataStoreTableName
 };
 //# sourceMappingURL=index.mjs.map