npm - @openhi/constructs - Versions diffs - 0.0.1 → 0.0.3 - Mend

@openhi/constructs 0.0.1 → 0.0.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/lib/index.js CHANGED Viewed

@@ -93,18 +93,29 @@ var require_lib = __commonJS({
 // src/index.ts
 var src_exports = {};
 __export(src_exports, {
+  ChildHostedZone: () => ChildHostedZone,
+  CognitoUserPool: () => CognitoUserPool,
+  CognitoUserPoolClient: () => CognitoUserPoolClient,
+  CognitoUserPoolDomain: () => CognitoUserPoolDomain,
+  CognitoUserPoolKmsKey: () => CognitoUserPoolKmsKey,
+  DataEventBus: () => DataEventBus,
   DiscoverableStringParameter: () => DiscoverableStringParameter,
-  OPEN_HI_SERVICE_TYPE: () => OPEN_HI_SERVICE_TYPE,
+  DynamoDbDataStore: () => DynamoDbDataStore,
   OpenHiApp: () => OpenHiApp,
   OpenHiAuthService: () => OpenHiAuthService,
-  OpenHiCoreService: () => OpenHiCoreService,
   OpenHiDataService: () => OpenHiDataService,
   OpenHiEnvironment: () => OpenHiEnvironment,
   OpenHiGlobalService: () => OpenHiGlobalService,
   OpenHiRestApiService: () => OpenHiRestApiService,
   OpenHiService: () => OpenHiService,
   OpenHiStage: () => OpenHiStage,
-  REST_API_BASE_URL_SSM_NAME: () => REST_API_BASE_URL_SSM_NAME
+  OpsEventBus: () => OpsEventBus,
+  REST_API_BASE_URL_SSM_NAME: () => REST_API_BASE_URL_SSM_NAME,
+  RootGraphqlApi: () => RootGraphqlApi,
+  RootHostedZone: () => RootHostedZone,
+  RootHttpApi: () => RootHttpApi,
+  RootWildcardCertificate: () => RootWildcardCertificate,
+  getDynamoDbDataStoreTableName: () => getDynamoDbDataStoreTableName
 });
 module.exports = __toCommonJS(src_exports);
@@ -319,37 +330,7 @@ var import_utils = require("@codedrifters/utils");
 var import_config3 = __toESM(require_lib());
 var import_aws_cdk_lib4 = require("aws-cdk-lib");
 var import_change_case = require("change-case");
-var OPEN_HI_SERVICE_TYPE = {
-  /**
-   * Authentication service.
-   *   *
-   * Only one instance of the auth service should exist per environment.
-   */
-  AUTH: "auth",
-  /**
-   * Root shared core services.
-   *
-   * Only one instance of the core service should exist per environment.
-   */
-  CORE: "core",
-  /**
-   * Rest API service.
-   */
-  REST_API: "rest-api",
-  /**
-   * Global Infrastructure stack (Route53, ACM).
-   */
-  GLOBAL: "global",
-  /**
-   * Data service (DynamoDB, S3, persistence).
-   */
-  DATA: "data"
-};
 var OpenHiService = class extends import_aws_cdk_lib4.Stack {
-  /**
-   * Core construct containing shared infrastructure.
-   */
-  // public core: Core;
   /**
    * Creates a new OpenHI service stack.
    *
@@ -395,16 +376,6 @@ var OpenHiService = class extends import_aws_cdk_lib4.Stack {
     const removalPolicy = props.removalPolicy ?? (ohEnv.ohStage.stageType === import_config3.OPEN_HI_STAGE.PROD ? import_aws_cdk_lib4.RemovalPolicy.RETAIN : import_aws_cdk_lib4.RemovalPolicy.DESTROY);
     Object.assign(props, { removalPolicy });
     const description = `OpenHi Service: ${id} [${branchName}] - ${branchHash}`;
-    const hostedZoneId = ohEnv.props.config.hostedZoneId;
-    const zoneName = ohEnv.props.config.zoneName;
-    if (hostedZoneId && zoneName) {
-      props = {
-        ...props,
-        coreProps: {
-          ...props.coreProps
-        }
-      };
-    }
     super(ohEnv, [branchHash, id, account, region].join("-"), {
       ...props,
       description
@@ -414,7 +385,6 @@ var OpenHiService = class extends import_aws_cdk_lib4.Stack {
     this.serviceId = id;
     this.removalPolicy = removalPolicy;
     this.config = props.config ?? ohEnv.props.config;
-    this.serviceType = props.serviceType ?? id;
     this.deploymentTargetRole = ohEnv.deploymentTargetRole;
     this.repoName = repoName;
     this.appName = appName;
@@ -425,26 +395,12 @@ var OpenHiService = class extends import_aws_cdk_lib4.Stack {
     this.stackHash = stackHash;
     import_aws_cdk_lib4.Tags.of(this).add(`${appName}:repo-name`, repoName.slice(0, 255));
     import_aws_cdk_lib4.Tags.of(this).add(`${appName}:branch-name`, branchName.slice(0, 255));
-    import_aws_cdk_lib4.Tags.of(this).add(
-      `${appName}:service-type`,
-      this.serviceType.slice(0, 255)
-    );
+    import_aws_cdk_lib4.Tags.of(this).add(`${appName}:service-type`, id.slice(0, 255));
     import_aws_cdk_lib4.Tags.of(this).add(
       `${appName}:stage-type`,
       ohEnv.ohStage.stageType.slice(0, 255)
     );
   }
-  /**
-   * Creates or returns the core construct for shared infrastructure.
-   */
-  /*
-  protected createCore(props: OpenHiServiceProps = {}): Core {
-    if (!this.core) {
-      return new Core(this, props.coreProps);
-    }
-    return this.core;
-  }
-  */
   /**
    * DNS prefix for this branche's child zone.
    */
@@ -453,10 +409,61 @@ var OpenHiService = class extends import_aws_cdk_lib4.Stack {
   }
 };
+// src/components/acm/root-wildcard-certificate.ts
+var import_aws_certificatemanager = require("aws-cdk-lib/aws-certificatemanager");
+var import_aws_ssm = require("aws-cdk-lib/aws-ssm");
+var _RootWildcardCertificate = class _RootWildcardCertificate extends import_aws_certificatemanager.Certificate {
+  /**
+   * Using a special name here since this will be shared and used among many
+   * stacks and services. Use with OpenHiGlobalService.rootWildcardCertificateFromConstruct.
+   */
+  static ssmParameterName() {
+    return "/" + ["GLOBAL", _RootWildcardCertificate.SSM_PARAM_NAME].join("/").toUpperCase();
+  }
+  constructor(scope, props) {
+    super(scope, "root-wildcard-certificate", { ...props });
+    new import_aws_ssm.StringParameter(this, "wildcard-cert-param", {
+      parameterName: _RootWildcardCertificate.ssmParameterName(),
+      stringValue: this.certificateArn
+    });
+  }
+};
+/**
+ * Used when storing the Certificate ARN in SSM.
+ */
+_RootWildcardCertificate.SSM_PARAM_NAME = "ROOT_WILDCARD_CERT_ARN";
+var RootWildcardCertificate = _RootWildcardCertificate;
+// src/components/api-gateway/root-http-api.ts
+var import_aws_apigatewayv2 = require("aws-cdk-lib/aws-apigatewayv2");
+var RootHttpApi = class extends import_aws_apigatewayv2.HttpApi {
+  constructor(scope, props = {}) {
+    const stack = OpenHiService.of(scope);
+    super(scope, "http-api", {
+      /**
+       * User provided props
+       */
+      ...props,
+      /**
+       * Required
+       */
+      apiName: ["root", "http", "api", stack.branchHash].join("-")
+    });
+  }
+};
+/**
+ * Used when storing the API ID in SSM.
+ */
+RootHttpApi.SSM_PARAM_NAME = "ROOT_HTTP_API";
+// src/components/app-sync/root-graphql-api.ts
+var import_aws_appsync = require("aws-cdk-lib/aws-appsync");
+var import_awscdk_appsync_utils = require("awscdk-appsync-utils");
 // src/components/ssm/discoverable-string-parameter.ts
 var import_aws_cdk_lib5 = require("aws-cdk-lib");
-var import_aws_ssm = require("aws-cdk-lib/aws-ssm");
-var DiscoverableStringParameter = class _DiscoverableStringParameter extends import_aws_ssm.StringParameter {
+var import_aws_ssm2 = require("aws-cdk-lib/aws-ssm");
+var _DiscoverableStringParameter = class _DiscoverableStringParameter extends import_aws_ssm2.StringParameter {
   /**
    * Build a param name based on predictable attributes found in services and
    * constructs. Used for storage and retrieval of SSM values across services.
@@ -464,6 +471,7 @@ var DiscoverableStringParameter = class _DiscoverableStringParameter extends imp
   static buildParameterName(scope, props) {
     const stack = OpenHiService.of(scope);
     return "/" + [
+      _DiscoverableStringParameter.version,
       props.branchHash ?? stack.branchHash,
       props.serviceType ?? stack.serviceType,
       props.account ?? stack.account,
@@ -480,7 +488,7 @@ var DiscoverableStringParameter = class _DiscoverableStringParameter extends imp
       scope,
       props
     );
-    return import_aws_ssm.StringParameter.valueForStringParameter(scope, paramName);
+    return import_aws_ssm2.StringParameter.valueForStringParameter(scope, paramName);
   }
   constructor(scope, id, props) {
     const { ssmParamName, branchHash, serviceType, account, region, ...rest } = props;
@@ -488,7 +496,7 @@ var DiscoverableStringParameter = class _DiscoverableStringParameter extends imp
       scope,
       props
     );
-    super(scope, id, {
+    super(scope, id + "-" + _DiscoverableStringParameter.version, {
       ...rest,
       parameterName
     });
@@ -496,39 +504,65 @@ var DiscoverableStringParameter = class _DiscoverableStringParameter extends imp
     import_aws_cdk_lib5.Tags.of(this).add(`${appName}:param-name`, ssmParamName);
   }
 };
+/**
+ * Version of the parameter name format / discoverability schema.
+ * Bump when buildParameterName or tagging semantics change.
+ * Also used to drive replacement of parameters during CloudFormation deploys.
+ */
+_DiscoverableStringParameter.version = "v1";
+var DiscoverableStringParameter = _DiscoverableStringParameter;
-// src/services/open-hi-core-service.ts
-var import_aws_lambda = require("aws-cdk-lib/aws-lambda");
-var OpenHiCoreService = class extends OpenHiService {
-  constructor(ohEnv, props = {}) {
-    props = {
-      ...props
-    };
-    super(ohEnv, OPEN_HI_SERVICE_TYPE.CORE, props);
-    this.props = props;
-    new import_aws_lambda.Function(this, "test-fn", {
-      runtime: import_aws_lambda.Runtime.NODEJS_LATEST,
-      handler: "index.handler",
-      code: import_aws_lambda.Code.fromInline(
-        'exports.handler = async () => { return {statusCode:200, body:"ok"} }'
-      )
+// src/components/app-sync/root-graphql-api.ts
+var _RootGraphqlApi = class _RootGraphqlApi extends import_aws_appsync.GraphqlApi {
+  static fromConstruct(scope) {
+    const graphqlApiId = DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: _RootGraphqlApi.SSM_PARAM_NAME,
+      serviceType: "graphql-api"
+    });
+    return import_aws_appsync.GraphqlApi.fromGraphqlApiAttributes(scope, "root-graphql-api", {
+      graphqlApiId
+    });
+  }
+  constructor(scope, props) {
+    const stack = OpenHiService.of(scope);
+    const schema = new import_awscdk_appsync_utils.CodeFirstSchema();
+    schema.addType(
+      new import_awscdk_appsync_utils.ObjectType("Query", {
+        definition: { HelloWorld: import_awscdk_appsync_utils.GraphqlType.string() }
+      })
+    );
+    super(scope, "root-graphql-api", {
+      /**
+       * Defaults
+       */
+      queryDepthLimit: 2,
+      resolverCountLimit: 50,
+      definition: import_aws_appsync.Definition.fromSchema(schema),
+      /**
+       * Overrideable props
+       */
+      ...props,
+      /**
+       * Required
+       */
+      name: ["root", "graphql", "api", stack.branchHash].join("-")
+    });
+    new DiscoverableStringParameter(this, "graphql-api-param", {
+      ssmParamName: _RootGraphqlApi.SSM_PARAM_NAME,
+      serviceType: "graphql-api",
+      stringValue: this.apiId
     });
   }
 };
+/**
+ * Used when storing the GraphQl API ID in SSM.
+ */
+_RootGraphqlApi.SSM_PARAM_NAME = "ROOT_GRAPHQL_API";
+var RootGraphqlApi = _RootGraphqlApi;
-// src/components/auth.ts
-var import_constructs = require("constructs");
-// src/components/cognito/core-user-pool.ts
+// src/components/cognito/cognito-user-pool.ts
 var import_aws_cognito = require("aws-cdk-lib/aws-cognito");
-var _CoreUserPool = class _CoreUserPool extends import_aws_cognito.UserPool {
-  static fromConstruct(scope) {
-    const userPoolId = DiscoverableStringParameter.valueForLookupName(scope, {
-      ssmParamName: _CoreUserPool.SSM_PARAM_NAME,
-      serviceType: OPEN_HI_SERVICE_TYPE.AUTH
-    });
-    return import_aws_cognito.UserPool.fromUserPoolId(scope, "user-pool", userPoolId);
-  }
+var CognitoUserPool = class extends import_aws_cognito.UserPool {
   constructor(scope, props = {}) {
     const service = OpenHiService.of(scope);
     super(scope, "user-pool", {
@@ -552,37 +586,18 @@ var _CoreUserPool = class _CoreUserPool extends import_aws_cognito.UserPool {
       /**
        * Required
        */
-      userPoolName: ["core", "user", "pool", service.branchHash].join("-")
-    });
-    new DiscoverableStringParameter(this, "user-pool-param", {
-      ssmParamName: _CoreUserPool.SSM_PARAM_NAME,
-      stringValue: this.userPoolId
+      userPoolName: ["cognito", "user", "pool", service.branchHash].join("-")
     });
   }
 };
 /**
  * Used when storing the User Pool ID in SSM.
  */
-_CoreUserPool.SSM_PARAM_NAME = "CORE_USER_POOL";
-var CoreUserPool = _CoreUserPool;
+CognitoUserPool.SSM_PARAM_NAME = "COGNITO_USER_POOL";
-// src/components/cognito/core-user-pool-client.ts
+// src/components/cognito/cognito-user-pool-client.ts
 var import_aws_cognito2 = require("aws-cdk-lib/aws-cognito");
-var _CoreUserPoolClient = class _CoreUserPoolClient extends import_aws_cognito2.UserPoolClient {
-  static fromConstruct(scope) {
-    const userPoolClientId = DiscoverableStringParameter.valueForLookupName(
-      scope,
-      {
-        ssmParamName: _CoreUserPoolClient.SSM_PARAM_NAME,
-        serviceType: OPEN_HI_SERVICE_TYPE.AUTH
-      }
-    );
-    return import_aws_cognito2.UserPoolClient.fromUserPoolClientId(
-      scope,
-      "user-pool-client",
-      userPoolClientId
-    );
-  }
+var CognitoUserPoolClient = class extends import_aws_cognito2.UserPoolClient {
   constructor(scope, props) {
     super(scope, "user-pool-client", {
       /**
@@ -601,62 +616,31 @@ var _CoreUserPoolClient = class _CoreUserPoolClient extends import_aws_cognito2.
        */
       ...props
     });
-    new DiscoverableStringParameter(this, "user-pool-client-param", {
-      ssmParamName: _CoreUserPoolClient.SSM_PARAM_NAME,
-      stringValue: this.userPoolClientId
-    });
   }
 };
 /**
  * Used when storing the User Pool Client ID in SSM.
  */
-_CoreUserPoolClient.SSM_PARAM_NAME = "CORE_USER_POOL_CLIENT";
-var CoreUserPoolClient = _CoreUserPoolClient;
+CognitoUserPoolClient.SSM_PARAM_NAME = "COGNITO_USER_POOL_CLIENT";
-// src/components/cognito/core-user-pool-domain.ts
+// src/components/cognito/cognito-user-pool-domain.ts
 var import_aws_cognito3 = require("aws-cdk-lib/aws-cognito");
-var _CoreUserPoolDomain = class _CoreUserPoolDomain extends import_aws_cognito3.UserPoolDomain {
-  static fromConstruct(scope) {
-    const userPoolDomain = DiscoverableStringParameter.valueForLookupName(
-      scope,
-      {
-        ssmParamName: _CoreUserPoolDomain.SSM_PARAM_NAME,
-        serviceType: OPEN_HI_SERVICE_TYPE.AUTH
-      }
-    );
-    return import_aws_cognito3.UserPoolDomain.fromDomainName(
-      scope,
-      "user-pool-domain",
-      userPoolDomain
-    );
-  }
+var CognitoUserPoolDomain = class extends import_aws_cognito3.UserPoolDomain {
   constructor(scope, props) {
     const id = props.cognitoDomain?.domainPrefix ? "cognito-domain" : "custom-domain";
     super(scope, id, {
       ...props
     });
-    new DiscoverableStringParameter(this, "user-pool-domain-param", {
-      ssmParamName: _CoreUserPoolDomain.SSM_PARAM_NAME,
-      stringValue: this.domainName
-    });
   }
 };
 /**
  * Used when storing the User Pool Domain in SSM.
  */
-_CoreUserPoolDomain.SSM_PARAM_NAME = "CORE_USER_POOL_DOMAIN";
-var CoreUserPoolDomain = _CoreUserPoolDomain;
+CognitoUserPoolDomain.SSM_PARAM_NAME = "COGNITO_USER_POOL_DOMAIN";
-// src/components/cognito/core-user-pool-kms-key.ts
+// src/components/cognito/cognito-user-pool-kms-key.ts
 var import_aws_kms = require("aws-cdk-lib/aws-kms");
-var _CoreUserPoolKmsKey = class _CoreUserPoolKmsKey extends import_aws_kms.Key {
-  static fromConstruct(scope) {
-    const keyArn = DiscoverableStringParameter.valueForLookupName(scope, {
-      ssmParamName: _CoreUserPoolKmsKey.SSM_PARAM_NAME,
-      serviceType: OPEN_HI_SERVICE_TYPE.AUTH
-    });
-    return import_aws_kms.Key.fromKeyArn(scope, "kms-key", keyArn);
-  }
+var CognitoUserPoolKmsKey = class extends import_aws_kms.Key {
   constructor(scope, props = {}) {
     const service = OpenHiService.of(scope);
     super(scope, "kms-key", {
@@ -665,201 +649,342 @@ var _CoreUserPoolKmsKey = class _CoreUserPoolKmsKey extends import_aws_kms.Key {
       description: `KMS Key for Cognito User Pool - ${service.branchHash}`,
       removalPolicy: props.removalPolicy ?? service.removalPolicy
     });
-    new DiscoverableStringParameter(this, "kms-key-param", {
-      ssmParamName: _CoreUserPoolKmsKey.SSM_PARAM_NAME,
-      stringValue: this.keyArn
-    });
   }
 };
 /**
  * Used when storing the KMS Key in SSM.
  */
-_CoreUserPoolKmsKey.SSM_PARAM_NAME = "CORE_USER_POOL_KMS_KEY";
-var CoreUserPoolKmsKey = _CoreUserPoolKmsKey;
+CognitoUserPoolKmsKey.SSM_PARAM_NAME = "COGNITO_USER_POOL_KMS_KEY";
-// src/components/auth.ts
-var Auth = class _Auth extends import_constructs.Construct {
-  /**
-   * Returns an Auth instance that uses resources imported from AUTH SSM
-   * parameters. Use this when creating Core or other stacks that consume
-   * auth resources; the Auth stack must be deployed first.
-   *
-   * @param scope - Construct scope (e.g. Core); must be in a stack that has
-   *   access to the same account/region as the deployed Auth stack.
-   */
-  static fromConstruct(scope) {
-    return new _Auth(scope, {});
-  }
-  constructor(scope, props = {}) {
-    super(scope, "auth");
-    const service = OpenHiService.of(this);
-    this.isAuthService = service.serviceType === OPEN_HI_SERVICE_TYPE.AUTH;
-    this.userPoolKmsKey = this.createUserPoolKmsKey();
-    this.userPool = this.createUserPool({
-      ...props.userPoolProps,
-      customSenderKmsKey: this.userPoolKmsKey
+// src/components/dynamodb/dynamo-db-data-store.ts
+var import_aws_dynamodb = require("aws-cdk-lib/aws-dynamodb");
+function getDynamoDbDataStoreTableName(scope) {
+  const stack = OpenHiService.of(scope);
+  return `data-store-${stack.branchHash}`;
+}
+var DynamoDbDataStore = class extends import_aws_dynamodb.Table {
+  constructor(scope, id, props = {}) {
+    const service = OpenHiService.of(scope);
+    super(scope, id, {
+      ...props,
+      tableName: getDynamoDbDataStoreTableName(scope),
+      partitionKey: {
+        name: "PK",
+        type: import_aws_dynamodb.AttributeType.STRING
+      },
+      sortKey: {
+        name: "SK",
+        type: import_aws_dynamodb.AttributeType.STRING
+      },
+      billingMode: import_aws_dynamodb.BillingMode.PAY_PER_REQUEST,
+      removalPolicy: props.removalPolicy ?? service.removalPolicy
     });
-    this.userPoolClient = this.createUserPoolClient({
-      userPool: this.userPool
+    this.addGlobalSecondaryIndex({
+      indexName: "GSI1",
+      partitionKey: {
+        name: "GSI1PK",
+        type: import_aws_dynamodb.AttributeType.STRING
+      },
+      sortKey: {
+        name: "GSI1SK",
+        type: import_aws_dynamodb.AttributeType.STRING
+      },
+      projectionType: import_aws_dynamodb.ProjectionType.INCLUDE,
+      nonKeyAttributes: ["srcType", "srcId", "path", "srcPk", "srcSk", "ts"]
     });
-    this.userPoolDomain = this.createUserPoolDomain({
-      userPool: this.userPool
+    this.addGlobalSecondaryIndex({
+      indexName: "GSI2",
+      partitionKey: {
+        name: "GSI2PK",
+        type: import_aws_dynamodb.AttributeType.STRING
+      },
+      sortKey: {
+        name: "GSI2SK",
+        type: import_aws_dynamodb.AttributeType.STRING
+      },
+      projectionType: import_aws_dynamodb.ProjectionType.INCLUDE,
+      nonKeyAttributes: ["resourcePk", "resourceSk", "display", "status"]
+    });
+    this.addGlobalSecondaryIndex({
+      indexName: "GSI3",
+      partitionKey: {
+        name: "GSI3PK",
+        type: import_aws_dynamodb.AttributeType.STRING
+      },
+      sortKey: {
+        name: "GSI3SK",
+        type: import_aws_dynamodb.AttributeType.STRING
+      },
+      projectionType: import_aws_dynamodb.ProjectionType.INCLUDE,
+      nonKeyAttributes: ["resourcePk", "resourceSk"]
+    });
+    this.addGlobalSecondaryIndex({
+      indexName: "GSI4",
+      partitionKey: {
+        name: "GSI4PK",
+        type: import_aws_dynamodb.AttributeType.STRING
+      },
+      sortKey: {
+        name: "GSI4SK",
+        type: import_aws_dynamodb.AttributeType.STRING
+      },
+      projectionType: import_aws_dynamodb.ProjectionType.ALL
     });
   }
+};
+// src/components/event-bridge/data-event-bus.ts
+var import_aws_events = require("aws-cdk-lib/aws-events");
+var DataEventBus = class _DataEventBus extends import_aws_events.EventBus {
   /*****************************************************************************
    *
-   * Auth Support
+   * Return a name for this EventBus based on the stack environment hash. This
+   * name is common across all stacks since it's using the environment hash in
+   * it's name.
    *
    ****************************************************************************/
-  createUserPoolKmsKey() {
-    return this.isAuthService ? new CoreUserPoolKmsKey(this) : CoreUserPoolKmsKey.fromConstruct(this);
+  static getEventBusName(scope) {
+    const stack = OpenHiService.of(scope);
+    return `data${stack.branchHash}`;
   }
-  createUserPool(props) {
-    return this.isAuthService ? new CoreUserPool(this, props) : CoreUserPool.fromConstruct(this);
+  constructor(scope, props) {
+    super(scope, "data-event-bus", {
+      ...props,
+      eventBusName: _DataEventBus.getEventBusName(scope)
+    });
   }
-  createUserPoolClient(props) {
-    return this.isAuthService ? new CoreUserPoolClient(this, { userPool: props.userPool }) : CoreUserPoolClient.fromConstruct(this);
+};
+// src/components/event-bridge/ops-event-bus.ts
+var import_aws_events2 = require("aws-cdk-lib/aws-events");
+var OpsEventBus = class _OpsEventBus extends import_aws_events2.EventBus {
+  /*****************************************************************************
+   *
+   * Return a name for this EventBus based on the stack environment hash. This
+   * name is common across all stacks since it's using the environment hash in
+   * it's name.
+   *
+   ****************************************************************************/
+  static getEventBusName(scope) {
+    const stack = OpenHiService.of(scope);
+    return `ops${stack.branchHash}`;
   }
-  createUserPoolDomain(props) {
-    const service = OpenHiService.of(this);
-    return this.isAuthService ? new CoreUserPoolDomain(this, {
-      userPool: props.userPool,
-      cognitoDomain: {
-        domainPrefix: `auth-${service.branchHash}`
-      }
-    }) : CoreUserPoolDomain.fromConstruct(this);
+  constructor(scope, props) {
+    super(scope, "ops-event-bus", {
+      ...props,
+      eventBusName: _OpsEventBus.getEventBusName(scope)
+    });
   }
 };
-// src/services/open-hi-auth-service.ts
-var OpenHiAuthService = class extends OpenHiService {
-  constructor(ohEnv, props = {}) {
-    super(ohEnv, OPEN_HI_SERVICE_TYPE.AUTH, props);
-    this.props = props;
-    this.auth = new Auth(this, props.authProps);
+// src/components/route-53/child-hosted-zone.ts
+var import_aws_cdk_lib6 = require("aws-cdk-lib");
+var import_aws_route53 = require("aws-cdk-lib/aws-route53");
+var ChildHostedZone = class extends import_aws_route53.HostedZone {
+  constructor(scope, id, props) {
+    super(scope, id, { ...props });
+    new import_aws_route53.NsRecord(this, "child-ns-record", {
+      zone: props.parentHostedZone,
+      recordName: this.zoneName,
+      values: this.hostedZoneNameServers || [],
+      ttl: import_aws_cdk_lib6.Duration.minutes(5)
+    });
   }
 };
+/**
+ * Used when storing the child zone ID in SSM. Use {@link OpenHiGlobalService.childHostedZoneFromConstruct} to look up.
+ */
+ChildHostedZone.SSM_PARAM_NAME = "CHILDHOSTEDZONE";
-// src/components/global.ts
-var import_aws_certificatemanager2 = require("aws-cdk-lib/aws-certificatemanager");
-var import_constructs3 = require("constructs");
+// src/components/route-53/root-hosted-zone.ts
+var import_constructs = require("constructs");
+var RootHostedZone = class extends import_constructs.Construct {
+};
-// src/components/acm/root-wildcard-certificate.ts
-var import_aws_certificatemanager = require("aws-cdk-lib/aws-certificatemanager");
-var import_aws_ssm2 = require("aws-cdk-lib/aws-ssm");
-var _RootWildcardCertificate = class _RootWildcardCertificate extends import_aws_certificatemanager.Certificate {
+// src/services/open-hi-auth-service.ts
+var import_aws_cognito4 = require("aws-cdk-lib/aws-cognito");
+var import_aws_kms2 = require("aws-cdk-lib/aws-kms");
+var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
+  constructor(ohEnv, props = {}) {
+    super(ohEnv, _OpenHiAuthService.SERVICE_TYPE, props);
+    this.props = props;
+    this.userPoolKmsKey = this.createUserPoolKmsKey();
+    this.userPool = this.createUserPool();
+    this.userPoolClient = this.createUserPoolClient();
+    this.userPoolDomain = this.createUserPoolDomain();
+  }
   /**
-   * Using a special name here since this will be shared and used among many
-   * stacks and services.
+   * Returns an IUserPool by looking up the Auth stack's User Pool ID from SSM.
    */
-  static ssmParameterName() {
-    return "/" + ["GLOBAL", _RootWildcardCertificate.SSM_PARAM_NAME].join("/").toUpperCase();
+  static userPoolFromConstruct(scope) {
+    const userPoolId = DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: CognitoUserPool.SSM_PARAM_NAME,
+      serviceType: _OpenHiAuthService.SERVICE_TYPE
+    });
+    return import_aws_cognito4.UserPool.fromUserPoolId(scope, "user-pool", userPoolId);
   }
-  static fromConstruct(scope) {
-    const certificateArn = import_aws_ssm2.StringParameter.valueForStringParameter(
+  /**
+   * Returns an IUserPoolClient by looking up the Auth stack's User Pool Client ID from SSM.
+   */
+  static userPoolClientFromConstruct(scope) {
+    const userPoolClientId = DiscoverableStringParameter.valueForLookupName(
       scope,
-      _RootWildcardCertificate.ssmParameterName()
+      {
+        ssmParamName: CognitoUserPoolClient.SSM_PARAM_NAME,
+        serviceType: _OpenHiAuthService.SERVICE_TYPE
+      }
     );
-    return import_aws_certificatemanager.Certificate.fromCertificateArn(
+    return import_aws_cognito4.UserPoolClient.fromUserPoolClientId(
       scope,
-      "wildcard-certificate",
-      certificateArn
+      "user-pool-client",
+      userPoolClientId
     );
   }
-  constructor(scope, props) {
-    super(scope, "root-wildcard-certificate", { ...props });
-    new import_aws_ssm2.StringParameter(this, "wildcard-cert-param", {
-      parameterName: _RootWildcardCertificate.ssmParameterName(),
-      stringValue: this.certificateArn
+  /**
+   * Returns an IUserPoolDomain by looking up the Auth stack's User Pool Domain from SSM.
+   */
+  static userPoolDomainFromConstruct(scope) {
+    const domainName = DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: CognitoUserPoolDomain.SSM_PARAM_NAME,
+      serviceType: _OpenHiAuthService.SERVICE_TYPE
     });
+    return import_aws_cognito4.UserPoolDomain.fromDomainName(scope, "user-pool-domain", domainName);
   }
-};
-/**
- * Used when storing the Certificate ARN in SSM.
- */
-_RootWildcardCertificate.SSM_PARAM_NAME = "ROOT_WILDCARD_CERT_ARN";
-var RootWildcardCertificate = _RootWildcardCertificate;
-// src/components/route-53/child-hosted-zone.ts
-var import_aws_cdk_lib6 = require("aws-cdk-lib");
-var import_aws_route53 = require("aws-cdk-lib/aws-route53");
-var _ChildHostedZone = class _ChildHostedZone extends import_aws_route53.HostedZone {
-  static fromConstruct(scope, props) {
-    const hostedZoneId = DiscoverableStringParameter.valueForLookupName(scope, {
-      ssmParamName: _ChildHostedZone.SSM_PARAM_NAME,
-      serviceType: props.serviceType ?? OPEN_HI_SERVICE_TYPE.GLOBAL
+  /**
+   * Returns an IKey (KMS) by looking up the Auth stack's User Pool KMS Key ARN from SSM.
+   */
+  static userPoolKmsKeyFromConstruct(scope) {
+    const keyArn = DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: CognitoUserPoolKmsKey.SSM_PARAM_NAME,
+      serviceType: _OpenHiAuthService.SERVICE_TYPE
     });
-    return import_aws_route53.HostedZone.fromHostedZoneAttributes(scope, "child-zone", {
-      hostedZoneId,
-      zoneName: props.zoneName
+    return import_aws_kms2.Key.fromKeyArn(scope, "kms-key", keyArn);
+  }
+  get serviceType() {
+    return _OpenHiAuthService.SERVICE_TYPE;
+  }
+  /**
+   * Creates the KMS key for the Cognito User Pool and exports its ARN to SSM.
+   * Look up via {@link OpenHiAuthService.userPoolKmsKeyFromConstruct}.
+   * Override to customize.
+   */
+  createUserPoolKmsKey() {
+    const key = new CognitoUserPoolKmsKey(this);
+    new DiscoverableStringParameter(this, "kms-key-param", {
+      ssmParamName: CognitoUserPoolKmsKey.SSM_PARAM_NAME,
+      stringValue: key.keyArn,
+      description: "KMS key ARN for Cognito User Pool (e.g. custom sender); cross-stack reference"
     });
+    return key;
   }
-  constructor(scope, id, props) {
-    super(scope, id, { ...props });
-    new import_aws_route53.NsRecord(this, "child-ns-record", {
-      zone: props.parentHostedZone,
-      recordName: this.zoneName,
-      values: this.hostedZoneNameServers || [],
-      ttl: import_aws_cdk_lib6.Duration.minutes(5)
+  /**
+   * Creates the Cognito User Pool and exports its ID to SSM.
+   * Look up via {@link OpenHiAuthService.userPoolFromConstruct}.
+   * Override to customize.
+   */
+  createUserPool() {
+    const userPool = new CognitoUserPool(this, {
+      ...this.props.userPoolProps,
+      customSenderKmsKey: this.userPoolKmsKey
+    });
+    new DiscoverableStringParameter(this, "user-pool-param", {
+      ssmParamName: CognitoUserPool.SSM_PARAM_NAME,
+      stringValue: userPool.userPoolId,
+      description: "Cognito User Pool ID for this Auth stack; cross-stack reference"
+    });
+    return userPool;
+  }
+  /**
+   * Creates the User Pool Client and exports its ID to SSM (AUTH service type).
+   * Look up via {@link OpenHiAuthService.userPoolClientFromConstruct}.
+   * Override to customize.
+   */
+  createUserPoolClient() {
+    const client = new CognitoUserPoolClient(this, {
+      userPool: this.userPool
+    });
+    new DiscoverableStringParameter(this, "user-pool-client-param", {
+      ssmParamName: CognitoUserPoolClient.SSM_PARAM_NAME,
+      stringValue: client.userPoolClientId,
+      description: "Cognito User Pool Client ID for this Auth stack; cross-stack reference"
+    });
+    return client;
+  }
+  /**
+   * Creates the User Pool Domain (Cognito hosted UI) and exports domain name to SSM.
+   * Look up via {@link OpenHiAuthService.userPoolDomainFromConstruct}.
+   * Override to customize.
+   */
+  createUserPoolDomain() {
+    const domain = new CognitoUserPoolDomain(this, {
+      userPool: this.userPool,
+      cognitoDomain: {
+        domainPrefix: `auth-${this.branchHash}`
+      }
     });
-    new DiscoverableStringParameter(this, "child-zone-param", {
-      ssmParamName: _ChildHostedZone.SSM_PARAM_NAME,
-      stringValue: this.hostedZoneId,
-      description: "Route53 child hosted zone ID."
+    new DiscoverableStringParameter(this, "user-pool-domain-param", {
+      ssmParamName: CognitoUserPoolDomain.SSM_PARAM_NAME,
+      stringValue: domain.domainName,
+      description: "Cognito User Pool Domain (hosted UI) for this Auth stack; cross-stack reference"
     });
+    return domain;
   }
 };
-/**
- * Used when storing the API ID in SSM.
- */
-_ChildHostedZone.SSM_PARAM_NAME = "CHILDHOSTEDZONE";
-var ChildHostedZone = _ChildHostedZone;
+_OpenHiAuthService.SERVICE_TYPE = "auth";
+var OpenHiAuthService = _OpenHiAuthService;
-// src/components/route-53/root-hosted-zone.ts
+// src/services/open-hi-global-service.ts
+var import_aws_certificatemanager2 = require("aws-cdk-lib/aws-certificatemanager");
 var import_aws_route532 = require("aws-cdk-lib/aws-route53");
-var import_constructs2 = require("constructs");
-var RootHostedZone = class extends import_constructs2.Construct {
-  static fromConstruct(scope, props) {
-    return import_aws_route532.HostedZone.fromHostedZoneAttributes(scope, "root-zone", {
-      hostedZoneId: props.hostedZoneId,
+var import_aws_ssm3 = require("aws-cdk-lib/aws-ssm");
+var _OpenHiGlobalService = class _OpenHiGlobalService extends OpenHiService {
+  /**
+   * Returns an IHostedZone from the given attributes (no SSM). Use when the zone is imported from config.
+   */
+  static rootHostedZoneFromConstruct(scope, props) {
+    return import_aws_route532.HostedZone.fromHostedZoneAttributes(scope, "root-zone", props);
+  }
+  /**
+   * Returns an ICertificate by looking up the Global stack's wildcard cert ARN from SSM.
+   */
+  static rootWildcardCertificateFromConstruct(scope) {
+    const certificateArn = import_aws_ssm3.StringParameter.valueForStringParameter(
+      scope,
+      RootWildcardCertificate.ssmParameterName()
+    );
+    return import_aws_certificatemanager2.Certificate.fromCertificateArn(
+      scope,
+      "wildcard-certificate",
+      certificateArn
+    );
+  }
+  /**
+   * Returns an IHostedZone by looking up the child hosted zone ID from SSM. Defaults to GLOBAL service type.
+   */
+  static childHostedZoneFromConstruct(scope, props) {
+    const hostedZoneId = DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: ChildHostedZone.SSM_PARAM_NAME,
+      serviceType: props.serviceType ?? _OpenHiGlobalService.SERVICE_TYPE
+    });
+    return import_aws_route532.HostedZone.fromHostedZoneAttributes(scope, "child-zone", {
+      hostedZoneId,
       zoneName: props.zoneName
     });
   }
-};
-// src/components/global.ts
-var Global = class extends import_constructs3.Construct {
-  constructor(scope, id, props) {
-    super(scope, id);
-    this.props = props;
-    const { rootHostedZoneAttributes, childHostedZoneAttributes } = props;
-    const service = OpenHiService.of(this);
-    this.rootHostedZone = RootHostedZone.fromConstruct(
-      this,
-      rootHostedZoneAttributes
-    );
-    if (childHostedZoneAttributes) {
-      this.childHostedZone = new ChildHostedZone(this, "child-zone", {
-        parentHostedZone: this.rootHostedZone,
-        zoneName: childHostedZoneAttributes.zoneName
-      });
-    }
-    if (service.branchName === "main") {
-      this.rootWildcardCertificate = new RootWildcardCertificate(this, {
-        domainName: `*.${this.rootHostedZone.zoneName}`,
-        subjectAlternativeNames: [this.rootHostedZone.zoneName],
-        validation: import_aws_certificatemanager2.CertificateValidation.fromDns(this.rootHostedZone)
-      });
-    } else {
-      this.rootWildcardCertificate = RootWildcardCertificate.fromConstruct(this);
-    }
+  get serviceType() {
+    return _OpenHiGlobalService.SERVICE_TYPE;
   }
-};
-// src/services/open-hi-global-service.ts
-var OpenHiGlobalService = class extends OpenHiService {
   constructor(ohEnv, props = {}) {
-    super(ohEnv, OPEN_HI_SERVICE_TYPE.GLOBAL, props);
+    super(ohEnv, _OpenHiGlobalService.SERVICE_TYPE, props);
+    this.validateConfig(props);
+    this.rootHostedZone = this.createRootHostedZone();
+    this.childHostedZone = this.createChildHostedZone();
+    this.rootWildcardCertificate = this.createRootWildcardCertificate();
+  }
+  /**
+   * Validates that config required for the Global stack is present.
+   */
+  validateConfig(props) {
     const { config } = props;
     if (!config) {
       throw new Error("Config is required");
@@ -870,20 +995,44 @@ var OpenHiGlobalService = class extends OpenHiService {
     if (!config.hostedZoneId) {
       throw new Error("Hosted zone ID is required to import the root zone");
     }
-    this.global = new Global(this, "global", {
-      rootHostedZoneAttributes: {
-        zoneName: config.zoneName,
-        hostedZoneId: config.hostedZoneId
-      }
-      /*
-      childHostedZoneAttributes: {
-        zoneName: `${this.childZonePrefix}.${config.zoneName}`,
-        hostedZoneId: config.hostedZoneId,
-      },
-      */
+  }
+  /**
+   * Creates the root hosted zone (imported via attributes from config).
+   * Override to customize or create the zone.
+   */
+  createRootHostedZone() {
+    return _OpenHiGlobalService.rootHostedZoneFromConstruct(this, {
+      zoneName: this.config.zoneName,
+      hostedZoneId: this.config.hostedZoneId
     });
   }
+  /**
+   * Creates the optional child hosted zone (e.g. branch subdomain).
+   * Override to create a child zone when config provides childHostedZoneAttributes.
+   * If you create a ChildHostedZone, also create a DiscoverableStringParameter
+   * with ChildHostedZone.SSM_PARAM_NAME and the zone's hostedZoneId.
+   */
+  createChildHostedZone() {
+    return void 0;
+  }
+  /**
+   * Creates the root wildcard certificate. On main branch, creates a new cert
+   * with DNS validation; otherwise imports from SSM.
+   * Override to customize certificate creation.
+   */
+  createRootWildcardCertificate() {
+    if (this.branchName === "main") {
+      return new RootWildcardCertificate(this, {
+        domainName: `*.${this.rootHostedZone.zoneName}`,
+        subjectAlternativeNames: [this.rootHostedZone.zoneName],
+        validation: import_aws_certificatemanager2.CertificateValidation.fromDns(this.rootHostedZone)
+      });
+    }
+    return _OpenHiGlobalService.rootWildcardCertificateFromConstruct(this);
+  }
 };
+_OpenHiGlobalService.SERVICE_TYPE = "global";
+var OpenHiGlobalService = _OpenHiGlobalService;
 // src/services/open-hi-rest-api-service.ts
 var import_aws_apigatewayv22 = require("aws-cdk-lib/aws-apigatewayv2");
@@ -891,138 +1040,81 @@ var import_aws_apigatewayv2_integrations = require("aws-cdk-lib/aws-apigatewayv2
 var import_aws_route533 = require("aws-cdk-lib/aws-route53");
 var import_aws_route53_targets = require("aws-cdk-lib/aws-route53-targets");
-// src/components/api-gateway/core-http-api.ts
-var import_aws_apigatewayv2 = require("aws-cdk-lib/aws-apigatewayv2");
-var _CoreHttpApi = class _CoreHttpApi extends import_aws_apigatewayv2.HttpApi {
-  static fromConstruct(scope) {
-    const httpApiId = DiscoverableStringParameter.valueForLookupName(scope, {
-      ssmParamName: _CoreHttpApi.SSM_PARAM_NAME,
-      serviceType: OPEN_HI_SERVICE_TYPE.REST_API
-    });
-    return import_aws_apigatewayv2.HttpApi.fromHttpApiAttributes(scope, "http-api", {
-      httpApiId
-    });
+// src/services/open-hi-data-service.ts
+var import_aws_dynamodb2 = require("aws-cdk-lib/aws-dynamodb");
+var import_aws_events3 = require("aws-cdk-lib/aws-events");
+var _OpenHiDataService = class _OpenHiDataService extends OpenHiService {
+  /**
+   * Returns the data event bus by name (deterministic per branch). Use from other stacks to obtain an IEventBus reference.
+   */
+  static dataEventBusFromConstruct(scope) {
+    return import_aws_events3.EventBus.fromEventBusName(
+      scope,
+      "data-event-bus",
+      DataEventBus.getEventBusName(scope)
+    );
   }
-  constructor(scope, props = {}) {
-    const stack = OpenHiService.of(scope);
-    super(scope, "http-api", {
-      /**
-       * User provided props
-       */
-      ...props,
-      /**
-       * Required
-       */
-      apiName: ["core", "http", "api", stack.branchHash].join("-")
-    });
-    new DiscoverableStringParameter(this, "http-api-url-param", {
-      ssmParamName: _CoreHttpApi.SSM_PARAM_NAME,
-      serviceType: OPEN_HI_SERVICE_TYPE.REST_API,
-      stringValue: this.httpApiId
-    });
+  /**
+   * Returns the ops event bus by name (deterministic per branch). Use from other stacks to obtain an IEventBus reference.
+   */
+  static opsEventBusFromConstruct(scope) {
+    return import_aws_events3.EventBus.fromEventBusName(
+      scope,
+      "ops-event-bus",
+      OpsEventBus.getEventBusName(scope)
+    );
   }
-};
-/**
- * Used when storing the API ID in SSM.
- */
-_CoreHttpApi.SSM_PARAM_NAME = "CORE_HTTP_API";
-var CoreHttpApi = _CoreHttpApi;
-// src/components/dynamodb/dynamo-db-data-store.ts
-var import_aws_dynamodb = require("aws-cdk-lib/aws-dynamodb");
-function getDynamoDbDataStoreTableName(scope) {
-  const stack = OpenHiService.of(scope);
-  return `data-store-${stack.branchHash}`;
-}
-var DynamoDbDataStore = class extends import_aws_dynamodb.Table {
   /**
-   * Import the data store table by name for use in another stack (e.g. data
-   * service or Lambda). Uses the same naming as {@link getDynamoDbDataStoreTableName}.
+   * Returns the data store table by name. Use from other stacks (e.g. REST API Lambda) to obtain an ITable reference.
    */
-  static fromConstruct(scope, id = "dynamo-db-data-store") {
-    return import_aws_dynamodb.Table.fromTableName(scope, id, getDynamoDbDataStoreTableName(scope));
+  static dynamoDbDataStoreFromConstruct(scope, id = "dynamo-db-data-store") {
+    return import_aws_dynamodb2.Table.fromTableName(scope, id, getDynamoDbDataStoreTableName(scope));
   }
-  constructor(scope, id, props = {}) {
-    const service = OpenHiService.of(scope);
-    super(scope, id, {
-      ...props,
-      tableName: getDynamoDbDataStoreTableName(scope),
-      partitionKey: {
-        name: "PK",
-        type: import_aws_dynamodb.AttributeType.STRING
-      },
-      sortKey: {
-        name: "SK",
-        type: import_aws_dynamodb.AttributeType.STRING
-      },
-      billingMode: import_aws_dynamodb.BillingMode.PAY_PER_REQUEST,
-      removalPolicy: props.removalPolicy ?? service.removalPolicy
-    });
-    this.addGlobalSecondaryIndex({
-      indexName: "GSI1",
-      partitionKey: {
-        name: "GSI1PK",
-        type: import_aws_dynamodb.AttributeType.STRING
-      },
-      sortKey: {
-        name: "GSI1SK",
-        type: import_aws_dynamodb.AttributeType.STRING
-      },
-      projectionType: import_aws_dynamodb.ProjectionType.INCLUDE,
-      nonKeyAttributes: ["srcType", "srcId", "path", "srcPk", "srcSk", "ts"]
-    });
-    this.addGlobalSecondaryIndex({
-      indexName: "GSI2",
-      partitionKey: {
-        name: "GSI2PK",
-        type: import_aws_dynamodb.AttributeType.STRING
-      },
-      sortKey: {
-        name: "GSI2SK",
-        type: import_aws_dynamodb.AttributeType.STRING
-      },
-      projectionType: import_aws_dynamodb.ProjectionType.INCLUDE,
-      nonKeyAttributes: ["resourcePk", "resourceSk", "display", "status"]
-    });
-    this.addGlobalSecondaryIndex({
-      indexName: "GSI3",
-      partitionKey: {
-        name: "GSI3PK",
-        type: import_aws_dynamodb.AttributeType.STRING
-      },
-      sortKey: {
-        name: "GSI3SK",
-        type: import_aws_dynamodb.AttributeType.STRING
-      },
-      projectionType: import_aws_dynamodb.ProjectionType.INCLUDE,
-      nonKeyAttributes: ["resourcePk", "resourceSk"]
-    });
-    this.addGlobalSecondaryIndex({
-      indexName: "GSI4",
-      partitionKey: {
-        name: "GSI4PK",
-        type: import_aws_dynamodb.AttributeType.STRING
-      },
-      sortKey: {
-        name: "GSI4SK",
-        type: import_aws_dynamodb.AttributeType.STRING
-      },
-      projectionType: import_aws_dynamodb.ProjectionType.ALL
-    });
+  get serviceType() {
+    return _OpenHiDataService.SERVICE_TYPE;
+  }
+  constructor(ohEnv, props = {}) {
+    super(ohEnv, _OpenHiDataService.SERVICE_TYPE, props);
+    this.dataEventBus = this.createDataEventBus();
+    this.opsEventBus = this.createOpsEventBus();
+    this.dataStore = this.createDataStore();
+  }
+  /**
+   * Creates the data event bus.
+   * Override to customize.
+   */
+  createDataEventBus() {
+    return new DataEventBus(this);
+  }
+  /**
+   * Creates the ops event bus.
+   * Override to customize.
+   */
+  createOpsEventBus() {
+    return new OpsEventBus(this);
+  }
+  /**
+   * Creates the single-table DynamoDB data store.
+   * Override to customize.
+   */
+  createDataStore() {
+    return new DynamoDbDataStore(this, "dynamo-db-data-store");
   }
 };
+_OpenHiDataService.SERVICE_TYPE = "data";
+var OpenHiDataService = _OpenHiDataService;
 // src/data/lambda/rest-api-lambda.ts
 var import_path = __toESM(require("path"));
-var import_aws_lambda2 = require("aws-cdk-lib/aws-lambda");
+var import_aws_lambda = require("aws-cdk-lib/aws-lambda");
 var import_aws_lambda_nodejs = require("aws-cdk-lib/aws-lambda-nodejs");
-var import_constructs4 = require("constructs");
-var RestApiLambda = class extends import_constructs4.Construct {
+var import_constructs2 = require("constructs");
+var RestApiLambda = class extends import_constructs2.Construct {
   constructor(scope, props) {
     super(scope, "rest-api-lambda");
     this.lambda = new import_aws_lambda_nodejs.NodejsFunction(this, "handler", {
       entry: import_path.default.join(__dirname, "rest-api-lambda.handler.js"),
-      runtime: import_aws_lambda2.Runtime.NODEJS_LATEST,
+      runtime: import_aws_lambda.Runtime.NODEJS_LATEST,
       environment: {
         DYNAMO_TABLE_NAME: props.dynamoTableName
       }
@@ -1032,9 +1124,45 @@ var RestApiLambda = class extends import_constructs4.Construct {
 // src/services/open-hi-rest-api-service.ts
 var REST_API_BASE_URL_SSM_NAME = "REST_API_BASE_URL";
-var OpenHiRestApiService = class extends OpenHiService {
+var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
+  /**
+   * Returns an IHttpApi by looking up the REST API stack's HTTP API ID from SSM.
+   */
+  static rootHttpApiFromConstruct(scope) {
+    const httpApiId = DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: RootHttpApi.SSM_PARAM_NAME,
+      serviceType: _OpenHiRestApiService.SERVICE_TYPE
+    });
+    return import_aws_apigatewayv22.HttpApi.fromHttpApiAttributes(scope, "http-api", { httpApiId });
+  }
+  /**
+   * Returns the REST API base URL (e.g. https://api.example.com) by looking it up from SSM.
+   * Use in other stacks for E2E, scripts, or config.
+   */
+  static restApiBaseUrlFromConstruct(scope) {
+    return DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: REST_API_BASE_URL_SSM_NAME,
+      serviceType: _OpenHiRestApiService.SERVICE_TYPE
+    });
+  }
+  get serviceType() {
+    return _OpenHiRestApiService.SERVICE_TYPE;
+  }
   constructor(ohEnv, props = {}) {
-    super(ohEnv, OPEN_HI_SERVICE_TYPE.REST_API, props);
+    super(ohEnv, _OpenHiRestApiService.SERVICE_TYPE, props);
+    this.validateConfig(props);
+    const hostedZone = this.createHostedZone();
+    const certificate = this.createCertificate();
+    const apiDomainName = this.createApiDomainNameString(hostedZone);
+    this.createRestApiBaseUrlParameter(apiDomainName);
+    const domainName = this.createDomainName(hostedZone, certificate);
+    this.rootHttpApi = this.createRootHttpApi(domainName);
+    this.createRestApiLambdaAndRoutes(hostedZone, domainName);
+  }
+  /**
+   * Validates that config required for the REST API stack is present.
+   */
+  validateConfig(props) {
     const { config } = props;
     if (!config) {
       throw new Error("Config is required");
@@ -1045,31 +1173,63 @@ var OpenHiRestApiService = class extends OpenHiService {
     if (!config.zoneName) {
       throw new Error("Zone name is required");
     }
-    const hostedZone = import_aws_route533.HostedZone.fromHostedZoneAttributes(this, "root-zone", {
+  }
+  /**
+   * Creates the hosted zone reference (imported from config).
+   * Override to customize.
+   */
+  createHostedZone() {
+    const { config } = this.props;
+    return import_aws_route533.HostedZone.fromHostedZoneAttributes(this, "root-zone", {
       hostedZoneId: config.hostedZoneId,
       zoneName: config.zoneName
     });
-    const certificate = RootWildcardCertificate.fromConstruct(this);
+  }
+  /**
+   * Creates the wildcard certificate (imported from Global stack via SSM).
+   * Override to customize.
+   */
+  createCertificate() {
+    return OpenHiGlobalService.rootWildcardCertificateFromConstruct(this);
+  }
+  /**
+   * Returns the API domain name string (e.g. api.example.com or api-{prefix}.example.com).
+   * Override to customize.
+   */
+  createApiDomainNameString(hostedZone) {
     const apiPrefix = this.branchName === "main" ? `api` : `api-${this.childZonePrefix}`;
-    const apiDomainName = [apiPrefix, hostedZone.zoneName].join(".");
+    return [apiPrefix, hostedZone.zoneName].join(".");
+  }
+  /**
+   * Creates the SSM parameter for the REST API base URL.
+   * Look up via {@link OpenHiRestApiService.restApiBaseUrlFromConstruct}.
+   * Override to customize.
+   */
+  createRestApiBaseUrlParameter(apiDomainName) {
     const restApiBaseUrl = `https://${apiDomainName}`;
     new DiscoverableStringParameter(this, "rest-api-base-url-param", {
       ssmParamName: REST_API_BASE_URL_SSM_NAME,
       stringValue: restApiBaseUrl,
       description: "REST API base URL for this deployment (E2E, scripts)"
     });
-    const domainName = new import_aws_apigatewayv22.DomainName(this, "domain", {
+  }
+  /**
+   * Creates the API Gateway custom domain name resource.
+   * Override to customize.
+   */
+  createDomainName(_hostedZone, certificate) {
+    const apiDomainName = this.createApiDomainNameString(_hostedZone);
+    return new import_aws_apigatewayv22.DomainName(this, "domain", {
       domainName: apiDomainName,
       certificate
     });
-    this.coreHttpApi = new CoreHttpApi(this, {
-      defaultDomainMapping: {
-        domainName,
-        mappingKey: void 0
-        // serve at root of domain
-      }
-    });
-    const dataStoreTable = DynamoDbDataStore.fromConstruct(this);
+  }
+  /**
+   * Creates the Lambda integration, HTTP routes, and API DNS record.
+   * Override to customize. Uses {@link rootHttpApi} set by the constructor.
+   */
+  createRestApiLambdaAndRoutes(hostedZone, domainName) {
+    const dataStoreTable = OpenHiDataService.dynamoDbDataStoreFromConstruct(this);
     const { lambda } = new RestApiLambda(this, {
       dynamoTableName: dataStoreTable.tableName
     });
@@ -1087,15 +1247,16 @@ var OpenHiRestApiService = class extends OpenHiService {
     );
     const integration = new import_aws_apigatewayv2_integrations.HttpLambdaIntegration("lambda-integration", lambda);
     new import_aws_apigatewayv22.HttpRoute(this, "proxy-route-root", {
-      httpApi: this.coreHttpApi,
+      httpApi: this.rootHttpApi,
       routeKey: import_aws_apigatewayv22.HttpRouteKey.with("/", import_aws_apigatewayv22.HttpMethod.ANY),
       integration
     });
     new import_aws_apigatewayv22.HttpRoute(this, "proxy-route", {
-      httpApi: this.coreHttpApi,
+      httpApi: this.rootHttpApi,
       routeKey: import_aws_apigatewayv22.HttpRouteKey.with("/{proxy+}", import_aws_apigatewayv22.HttpMethod.ANY),
       integration
     });
+    const apiPrefix = this.branchName === "main" ? `api` : `api-${this.childZonePrefix}`;
     new import_aws_route533.ARecord(this, "api-a-record", {
       zone: hostedZone,
       recordName: apiPrefix,
@@ -1107,28 +1268,52 @@ var OpenHiRestApiService = class extends OpenHiService {
       )
     });
   }
-};
-// src/services/open-hi-data-service.ts
-var OpenHiDataService = class extends OpenHiService {
-  constructor(ohEnv, props = {}) {
-    super(ohEnv, OPEN_HI_SERVICE_TYPE.DATA, props);
-    this.dataStore = new DynamoDbDataStore(this, "dynamo-db-data-store");
+  /**
+   * Creates the Root HTTP API with default domain mapping and exports API ID to SSM.
+   * Look up via {@link OpenHiRestApiService.rootHttpApiFromConstruct}.
+   * Override to customize.
+   */
+  createRootHttpApi(domainName) {
+    const rootHttpApi = new RootHttpApi(this, {
+      defaultDomainMapping: {
+        domainName,
+        mappingKey: void 0
+      }
+    });
+    new DiscoverableStringParameter(this, "http-api-url-param", {
+      ssmParamName: RootHttpApi.SSM_PARAM_NAME,
+      stringValue: rootHttpApi.httpApiId,
+      description: "API Gateway HTTP API ID for this REST API stack (cross-stack reference)"
+    });
+    return rootHttpApi;
   }
 };
+_OpenHiRestApiService.SERVICE_TYPE = "rest-api";
+var OpenHiRestApiService = _OpenHiRestApiService;
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
+  ChildHostedZone,
+  CognitoUserPool,
+  CognitoUserPoolClient,
+  CognitoUserPoolDomain,
+  CognitoUserPoolKmsKey,
+  DataEventBus,
   DiscoverableStringParameter,
-  OPEN_HI_SERVICE_TYPE,
+  DynamoDbDataStore,
   OpenHiApp,
   OpenHiAuthService,
-  OpenHiCoreService,
   OpenHiDataService,
   OpenHiEnvironment,
   OpenHiGlobalService,
   OpenHiRestApiService,
   OpenHiService,
   OpenHiStage,
-  REST_API_BASE_URL_SSM_NAME
+  OpsEventBus,
+  REST_API_BASE_URL_SSM_NAME,
+  RootGraphqlApi,
+  RootHostedZone,
+  RootHttpApi,
+  RootWildcardCertificate,
+  getDynamoDbDataStoreTableName
 });
 //# sourceMappingURL=index.js.map