@openhi/constructs 0.0.115 → 0.0.116

package/lib/index.js

@@ -816,6 +816,7 @@ __export(src_exports, {
   OpenHiRestApiService: () => OpenHiRestApiService,
   OpenHiService: () => OpenHiService,
   OpenHiStage: () => OpenHiStage,
+  OpenHiWebsiteService: () => OpenHiWebsiteService,
   OpsEventBus: () => OpsEventBus,
   OwningDeleteCascadeLambdas: () => OwningDeleteCascadeLambdas,
   OwningDeleteCascadeWorkflow: () => OwningDeleteCascadeWorkflow,
@@ -851,11 +852,13 @@ __export(src_exports, {
   SEED_SYSTEM_DATA_ACTOR_SYSTEM: () => SEED_SYSTEM_DATA_ACTOR_SYSTEM,
   SEED_SYSTEM_DATA_CONSUMER_NAME: () => SEED_SYSTEM_DATA_CONSUMER_NAME,
   SEED_SYSTEM_DATA_CONTROL_BUS_ENV_VAR: () => SEED_SYSTEM_DATA_CONTROL_BUS_ENV_VAR,
+  SSM_PARAM_NAME_FULL_DOMAIN: () => SSM_PARAM_NAME_FULL_DOMAIN,
   STATIC_HOSTING_SERVICE_TYPE: () => STATIC_HOSTING_SERVICE_TYPE,
   SeedDemoDataLambda: () => SeedDemoDataLambda,
   SeedDemoDataWorkflow: () => SeedDemoDataWorkflow,
   SeedSystemDataLambda: () => SeedSystemDataLambda,
   SeedSystemDataWorkflow: () => SeedSystemDataWorkflow,
+  StaticContent: () => StaticContent,
   StaticHosting: () => StaticHosting,
   USER_ONBOARDING_EVENT_SOURCE: () => USER_ONBOARDING_EVENT_SOURCE,
   UserOnboardingWorkflow: () => UserOnboardingWorkflow,
@@ -2272,11 +2275,24 @@ var import_constructs7 = require("constructs");
 var RootHostedZone = class extends import_constructs7.Construct {
 };
 
+// src/components/static-hosting/static-content.ts
+var import_aws_s32 = require("aws-cdk-lib/aws-s3");
+var import_aws_s3_deployment = require("aws-cdk-lib/aws-s3-deployment");
+var import_change_case2 = require("change-case");
+var import_constructs9 = require("constructs");
+
 // src/components/static-hosting/static-hosting.ts
+var fs6 = __toESM(require("fs"));
+var path6 = __toESM(require("path"));
+var import_aws_cdk_lib10 = require("aws-cdk-lib");
 var import_aws_cloudfront = require("aws-cdk-lib/aws-cloudfront");
 var import_aws_cloudfront_origins = require("aws-cdk-lib/aws-cloudfront-origins");
+var import_aws_lambda6 = require("aws-cdk-lib/aws-lambda");
+var import_aws_lambda_nodejs6 = require("aws-cdk-lib/aws-lambda-nodejs");
+var import_aws_logs = require("aws-cdk-lib/aws-logs");
+var import_aws_route532 = require("aws-cdk-lib/aws-route53");
+var import_aws_route53_targets = require("aws-cdk-lib/aws-route53-targets");
 var import_aws_s3 = require("aws-cdk-lib/aws-s3");
-var import_core = require("aws-cdk-lib/core");
 var import_constructs8 = require("constructs");
 var STATIC_HOSTING_SERVICE_TYPE = "website";
 var _StaticHosting = class _StaticHosting extends import_constructs8.Construct {
@@ -2284,6 +2300,7 @@ var _StaticHosting = class _StaticHosting extends import_constructs8.Construct {
     super(scope, id);
     const stack = OpenHiService.of(scope);
     const serviceType = props.serviceType ?? STATIC_HOSTING_SERVICE_TYPE;
+    const hostingMode = props.hostingMode ?? "spa";
     this.bucket = new import_aws_s3.Bucket(this, "bucket", {
       blockPublicAccess: {
         blockPublicAcls: true,
@@ -2293,30 +2310,105 @@ var _StaticHosting = class _StaticHosting extends import_constructs8.Construct {
       },
       ...props.bucketProps
     });
-    const origin = import_aws_cloudfront_origins.S3BucketOrigin.withOriginAccessControl(this.bucket);
+    const handlerJs = path6.join(
+      __dirname,
+      "static-hosting.viewer-request-handler.js"
+    );
+    const handlerTs = path6.join(
+      __dirname,
+      "static-hosting.viewer-request-handler.ts"
+    );
+    const handlerEntry = fs6.existsSync(handlerJs) ? handlerJs : handlerTs;
+    this.viewerRequestHandler = new import_aws_lambda_nodejs6.NodejsFunction(
+      this,
+      "viewer-request-handler",
+      {
+        entry: handlerEntry,
+        handler: hostingMode === "static" ? "staticHandler" : "spaHandler",
+        memorySize: 128,
+        runtime: import_aws_lambda6.Runtime.NODEJS_LATEST,
+        logGroup: new import_aws_logs.LogGroup(this, "viewer-request-handler-log-group", {
+          retention: import_aws_logs.RetentionDays.ONE_MONTH
+        })
+      }
+    );
     const cachePolicy = new import_aws_cloudfront.CachePolicy(this, "cache-policy", {
-      cachePolicyName: `static-hosting-10s-${stack.branchHash}`,
-      comment: "Low TTL (10s) for static hosting; no invalidation",
-      defaultTtl: import_core.Duration.seconds(10),
-      minTtl: import_core.Duration.seconds(0),
-      maxTtl: import_core.Duration.seconds(10)
+      cachePolicyName: `static-hosting-${stack.branchHash}`,
+      comment: "Static hosting default: 60s default / 300s max, gzip+brotli.",
+      defaultTtl: import_aws_cdk_lib10.Duration.seconds(60),
+      minTtl: import_aws_cdk_lib10.Duration.seconds(0),
+      maxTtl: import_aws_cdk_lib10.Duration.seconds(300),
+      headerBehavior: import_aws_cloudfront.CacheHeaderBehavior.none(),
+      queryStringBehavior: import_aws_cloudfront.CacheQueryStringBehavior.none(),
+      cookieBehavior: import_aws_cloudfront.CacheCookieBehavior.none(),
+      enableAcceptEncodingGzip: true,
+      enableAcceptEncodingBrotli: true,
+      ...props.cachePolicyProps
+    });
+    const oac = new import_aws_cloudfront.S3OriginAccessControl(this, "origin-access-control", {
+      signing: import_aws_cloudfront.Signing.SIGV4_NO_OVERRIDE
+    });
+    const origin = import_aws_cloudfront_origins.S3BucketOrigin.withOriginAccessControl(this.bucket, {
+      originAccessControl: oac,
+      originAccessLevels: [import_aws_cloudfront.AccessLevel.READ]
     });
+    const hasCustomDomain = props.certificate !== void 0 && props.hostedZone !== void 0 && props.domainNames !== void 0 && props.domainNames.length > 0;
     this.distribution = new import_aws_cloudfront.Distribution(this, "distribution", {
+      comment: `Static hosting distribution for ${props.description ?? id}`,
+      ...hasCustomDomain ? {
+        certificate: props.certificate,
+        domainNames: [...props.domainNames]
+      } : {},
+      defaultRootObject: "index.html",
       defaultBehavior: {
         origin,
-        cachePolicy
+        viewerProtocolPolicy: import_aws_cloudfront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
+        cachePolicy,
+        allowedMethods: import_aws_cloudfront.AllowedMethods.ALLOW_GET_HEAD_OPTIONS,
+        edgeLambdas: [
+          {
+            functionVersion: this.viewerRequestHandler.currentVersion,
+            eventType: import_aws_cloudfront.LambdaEdgeEventType.VIEWER_REQUEST,
+            includeBody: false
+          }
+        ]
       },
       ...props.distributionProps
     });
+    if (hasCustomDomain) {
+      props.domainNames.forEach((domainName, index) => {
+        new import_aws_route532.ARecord(this, `dns-record-${index}`, {
+          zone: props.hostedZone,
+          recordName: domainName,
+          target: import_aws_route532.RecordTarget.fromAlias(
+            new import_aws_route53_targets.CloudFrontTarget(this.distribution)
+          )
+        });
+      });
+    }
     new DiscoverableStringParameter(this, "bucket-arn-param", {
       ssmParamName: _StaticHosting.SSM_PARAM_NAME_BUCKET_ARN,
       serviceType,
-      stringValue: this.bucket.bucketArn
+      stringValue: this.bucket.bucketArn,
+      description: `Static hosting bucket ARN (${props.description ?? id})`
     });
     new DiscoverableStringParameter(this, "distribution-arn-param", {
       ssmParamName: _StaticHosting.SSM_PARAM_NAME_DISTRIBUTION_ARN,
       serviceType,
-      stringValue: this.distribution.distributionArn
+      stringValue: this.distribution.distributionArn,
+      description: `Static hosting distribution ARN (${props.description ?? id})`
+    });
+    new DiscoverableStringParameter(this, "distribution-domain-param", {
+      ssmParamName: _StaticHosting.SSM_PARAM_NAME_DISTRIBUTION_DOMAIN,
+      serviceType,
+      stringValue: this.distribution.domainName,
+      description: `Static hosting distribution domain (${props.description ?? id})`
+    });
+    new DiscoverableStringParameter(this, "distribution-id-param", {
+      ssmParamName: _StaticHosting.SSM_PARAM_NAME_DISTRIBUTION_ID,
+      serviceType,
+      stringValue: this.distribution.distributionId,
+      description: `Static hosting distribution ID (${props.description ?? id})`
     });
   }
 };
@@ -2328,13 +2420,51 @@ _StaticHosting.SSM_PARAM_NAME_BUCKET_ARN = "STATIC_HOSTING_BUCKET_ARN";
  * SSM parameter name for the CloudFront distribution ARN.
  */
 _StaticHosting.SSM_PARAM_NAME_DISTRIBUTION_ARN = "STATIC_HOSTING_DISTRIBUTION_ARN";
+/**
+ * SSM parameter name for the CloudFront distribution domain
+ * (e.g. dXXXXX.cloudfront.net).
+ */
+_StaticHosting.SSM_PARAM_NAME_DISTRIBUTION_DOMAIN = "STATIC_HOSTING_DISTRIBUTION_DOMAIN";
+/**
+ * SSM parameter name for the CloudFront distribution ID.
+ */
+_StaticHosting.SSM_PARAM_NAME_DISTRIBUTION_ID = "STATIC_HOSTING_DISTRIBUTION_ID";
 var StaticHosting = _StaticHosting;
 
+// src/components/static-hosting/static-content.ts
+var StaticContent = class extends import_constructs9.Construct {
+  constructor(scope, id, props) {
+    super(scope, id);
+    const stack = OpenHiService.of(scope);
+    const {
+      contentSourceDirectory,
+      contentDestinationDirectory = "/",
+      subDomain = stack.branchName,
+      fullDomain,
+      serviceType = STATIC_HOSTING_SERVICE_TYPE
+    } = props;
+    const keyPrefix = [(0, import_change_case2.paramCase)(subDomain), fullDomain].join(".");
+    const bucketArn = DiscoverableStringParameter.valueForLookupName(this, {
+      ssmParamName: StaticHosting.SSM_PARAM_NAME_BUCKET_ARN,
+      serviceType
+    });
+    const bucket = import_aws_s32.Bucket.fromBucketArn(this, "bucket", bucketArn);
+    const isTestEnv = process.env.JEST_WORKER_ID !== void 0;
+    const sources = isTestEnv ? [] : [import_aws_s3_deployment.Source.asset(contentSourceDirectory)];
+    new import_aws_s3_deployment.BucketDeployment(this, "deploy", {
+      sources,
+      destinationBucket: bucket,
+      retainOnDelete: false,
+      destinationKeyPrefix: `${keyPrefix}${contentDestinationDirectory}`
+    });
+  }
+};
+
 // src/services/open-hi-auth-service.ts
 var import_aws_cognito4 = require("aws-cdk-lib/aws-cognito");
 var import_aws_iam6 = require("aws-cdk-lib/aws-iam");
 var import_aws_kms2 = require("aws-cdk-lib/aws-kms");
-var import_core2 = require("aws-cdk-lib/core");
+var import_core = require("aws-cdk-lib/core");
 
 // src/services/open-hi-data-service.ts
 var import_config4 = __toESM(require_lib());
@@ -2344,7 +2474,7 @@ var kinesis = __toESM(require("aws-cdk-lib/aws-kinesis"));
 // src/services/open-hi-global-service.ts
 var import_aws_certificatemanager2 = require("aws-cdk-lib/aws-certificatemanager");
 var import_aws_events5 = require("aws-cdk-lib/aws-events");
-var import_aws_route532 = require("aws-cdk-lib/aws-route53");
+var import_aws_route533 = require("aws-cdk-lib/aws-route53");
 var import_aws_ssm3 = require("aws-cdk-lib/aws-ssm");
 
 // src/workflows/control-plane/platform-deploy-bridge/events.ts
@@ -2357,18 +2487,18 @@ var OPENHI_TAG_KEY_PREFIX_ENV_VAR = "OPENHI_TAG_KEY_PREFIX";
 var PLATFORM_DEPLOY_BRIDGE_ACTOR_SYSTEM = "platform-deploy-bridge";
 
 // src/workflows/control-plane/platform-deploy-bridge/platform-deploy-bridge.ts
-var import_constructs10 = require("constructs");
+var import_constructs11 = require("constructs");
 
 // src/workflows/control-plane/platform-deploy-bridge/platform-deploy-bridge-lambda.ts
 var import_node_fs6 = __toESM(require("fs"));
 var import_node_path6 = __toESM(require("path"));
-var import_aws_cdk_lib10 = require("aws-cdk-lib");
+var import_aws_cdk_lib11 = require("aws-cdk-lib");
 var import_aws_events4 = require("aws-cdk-lib/aws-events");
 var import_aws_events_targets = require("aws-cdk-lib/aws-events-targets");
 var import_aws_iam2 = require("aws-cdk-lib/aws-iam");
-var import_aws_lambda6 = require("aws-cdk-lib/aws-lambda");
-var import_aws_lambda_nodejs6 = require("aws-cdk-lib/aws-lambda-nodejs");
-var import_constructs9 = require("constructs");
+var import_aws_lambda7 = require("aws-cdk-lib/aws-lambda");
+var import_aws_lambda_nodejs7 = require("aws-cdk-lib/aws-lambda-nodejs");
+var import_constructs10 = require("constructs");
 var HANDLER_NAME6 = "platform-deploy-bridge.handler.js";
 function resolveHandlerEntry6(dirname) {
   const sameDir = import_node_path6.default.join(dirname, HANDLER_NAME6);
@@ -2377,7 +2507,7 @@ function resolveHandlerEntry6(dirname) {
   }
   return import_node_path6.default.join(dirname, "..", "..", "..", "..", "lib", HANDLER_NAME6);
 }
-var PlatformDeployBridgeLambda = class extends import_constructs9.Construct {
+var PlatformDeployBridgeLambda = class extends import_constructs10.Construct {
   constructor(scope, props) {
     super(scope, "platform-deploy-bridge-lambda");
     const service = OpenHiService.of(this);
@@ -2386,15 +2516,15 @@ var PlatformDeployBridgeLambda = class extends import_constructs9.Construct {
       OPENHI_TAG_SUFFIX_REPO_NAME
     );
     const tagKeyPrefix = `${service.appName}:`;
-    const ownStackName = import_aws_cdk_lib10.Stack.of(this).stackName;
-    const ownSuffix = `-${service.serviceId}-${import_aws_cdk_lib10.Stack.of(this).account}-${import_aws_cdk_lib10.Stack.of(this).region}`;
+    const ownStackName = import_aws_cdk_lib11.Stack.of(this).stackName;
+    const ownSuffix = `-${service.serviceId}-${import_aws_cdk_lib11.Stack.of(this).account}-${import_aws_cdk_lib11.Stack.of(this).region}`;
     const sharedPrefix = ownStackName.endsWith(ownSuffix) ? ownStackName.slice(0, -ownSuffix.length) : service.branchHash;
-    const stackIdPrefix = `arn:aws:cloudformation:${import_aws_cdk_lib10.Stack.of(this).region}:${import_aws_cdk_lib10.Stack.of(this).account}:stack/${sharedPrefix}-`;
-    this.lambda = new import_aws_lambda_nodejs6.NodejsFunction(this, "handler", {
+    const stackIdPrefix = `arn:aws:cloudformation:${import_aws_cdk_lib11.Stack.of(this).region}:${import_aws_cdk_lib11.Stack.of(this).account}:stack/${sharedPrefix}-`;
+    this.lambda = new import_aws_lambda_nodejs7.NodejsFunction(this, "handler", {
       entry: resolveHandlerEntry6(__dirname),
-      runtime: import_aws_lambda6.Runtime.NODEJS_LATEST,
+      runtime: import_aws_lambda7.Runtime.NODEJS_LATEST,
       memorySize: 256,
-      timeout: import_aws_cdk_lib10.Duration.seconds(30),
+      timeout: import_aws_cdk_lib11.Duration.seconds(30),
       environment: {
         [CONTROL_EVENT_BUS_NAME_ENV_VAR]: props.controlEventBus.eventBusName,
         [OPENHI_REPO_TAG_KEY_ENV_VAR]: repoTagKey,
@@ -2406,7 +2536,7 @@ var PlatformDeployBridgeLambda = class extends import_constructs9.Construct {
         effect: import_aws_iam2.Effect.ALLOW,
         actions: ["cloudformation:DescribeStacks"],
         resources: [
-          `arn:aws:cloudformation:${import_aws_cdk_lib10.Stack.of(this).region}:${import_aws_cdk_lib10.Stack.of(this).account}:stack/*`
+          `arn:aws:cloudformation:${import_aws_cdk_lib11.Stack.of(this).region}:${import_aws_cdk_lib11.Stack.of(this).account}:stack/*`
         ]
       })
     );
@@ -2425,7 +2555,7 @@ var PlatformDeployBridgeLambda = class extends import_constructs9.Construct {
       targets: [
         new import_aws_events_targets.LambdaFunction(this.lambda, {
           retryAttempts: 2,
-          maxEventAge: import_aws_cdk_lib10.Duration.hours(2)
+          maxEventAge: import_aws_cdk_lib11.Duration.hours(2)
         })
       ]
     });
@@ -2433,7 +2563,7 @@ var PlatformDeployBridgeLambda = class extends import_constructs9.Construct {
 };
 
 // src/workflows/control-plane/platform-deploy-bridge/platform-deploy-bridge.ts
-var PlatformDeployBridge = class extends import_constructs10.Construct {
+var PlatformDeployBridge = class extends import_constructs11.Construct {
   constructor(scope, props) {
     super(scope, "platform-deploy-bridge");
     this.bridgeLambda = new PlatformDeployBridgeLambda(this, {
@@ -2448,7 +2578,7 @@ var _OpenHiGlobalService = class _OpenHiGlobalService extends OpenHiService {
    * Returns an IHostedZone from the given attributes (no SSM). Use when the zone is imported from config.
    */
   static rootHostedZoneFromConstruct(scope, props) {
-    return import_aws_route532.HostedZone.fromHostedZoneAttributes(scope, "root-zone", props);
+    return import_aws_route533.HostedZone.fromHostedZoneAttributes(scope, "root-zone", props);
   }
   /**
    * Returns an ICertificate by looking up the Global stack's wildcard cert ARN from SSM.
@@ -2472,7 +2602,7 @@ var _OpenHiGlobalService = class _OpenHiGlobalService extends OpenHiService {
       ssmParamName: ChildHostedZone.SSM_PARAM_NAME,
       serviceType: props.serviceType ?? _OpenHiGlobalService.SERVICE_TYPE
     });
-    return import_aws_route532.HostedZone.fromHostedZoneAttributes(scope, "child-zone", {
+    return import_aws_route533.HostedZone.fromHostedZoneAttributes(scope, "child-zone", {
       hostedZoneId,
       zoneName: props.zoneName
     });
@@ -3138,13 +3268,13 @@ _validateFixturesAgainstTenantSpecs();
 // src/workflows/control-plane/seed-demo-data/seed-demo-data-lambda.ts
 var import_node_fs7 = __toESM(require("fs"));
 var import_node_path7 = __toESM(require("path"));
-var import_aws_cdk_lib11 = require("aws-cdk-lib");
+var import_aws_cdk_lib12 = require("aws-cdk-lib");
 var import_aws_events6 = require("aws-cdk-lib/aws-events");
 var import_aws_events_targets2 = require("aws-cdk-lib/aws-events-targets");
 var import_aws_iam3 = require("aws-cdk-lib/aws-iam");
-var import_aws_lambda7 = require("aws-cdk-lib/aws-lambda");
-var import_aws_lambda_nodejs7 = require("aws-cdk-lib/aws-lambda-nodejs");
-var import_constructs11 = require("constructs");
+var import_aws_lambda8 = require("aws-cdk-lib/aws-lambda");
+var import_aws_lambda_nodejs8 = require("aws-cdk-lib/aws-lambda-nodejs");
+var import_constructs12 = require("constructs");
 
 // src/workflows/control-plane/seed-demo-data/seed-demo-data.handler.ts
 var import_node_crypto = require("crypto");
@@ -6025,14 +6155,14 @@ function resolveHandlerEntry7(dirname) {
   }
   return import_node_path7.default.join(dirname, "..", "..", "..", "..", "lib", HANDLER_NAME7);
 }
-var SeedDemoDataLambda = class extends import_constructs11.Construct {
+var SeedDemoDataLambda = class extends import_constructs12.Construct {
   constructor(scope, props) {
     super(scope, "seed-demo-data-lambda");
-    this.lambda = new import_aws_lambda_nodejs7.NodejsFunction(this, "handler", {
+    this.lambda = new import_aws_lambda_nodejs8.NodejsFunction(this, "handler", {
       entry: resolveHandlerEntry7(__dirname),
-      runtime: import_aws_lambda7.Runtime.NODEJS_LATEST,
+      runtime: import_aws_lambda8.Runtime.NODEJS_LATEST,
       memorySize: 512,
-      timeout: import_aws_cdk_lib11.Duration.minutes(2),
+      timeout: import_aws_cdk_lib12.Duration.minutes(2),
       environment: {
         DYNAMO_TABLE_NAME: props.dataStoreTable.tableName,
         [SEED_DEMO_DATA_USER_POOL_ID_ENV_VAR]: props.userPool.userPoolId
@@ -6061,7 +6191,7 @@ var SeedDemoDataLambda = class extends import_constructs11.Construct {
           "cognito-idp:AdminSetUserPassword"
         ],
         resources: [
-          import_aws_cdk_lib11.Stack.of(this).formatArn({
+          import_aws_cdk_lib12.Stack.of(this).formatArn({
             service: "cognito-idp",
             resource: "userpool",
             resourceName: props.userPool.userPoolId
@@ -6078,7 +6208,7 @@ var SeedDemoDataLambda = class extends import_constructs11.Construct {
       targets: [
         new import_aws_events_targets2.LambdaFunction(this.lambda, {
           retryAttempts: 2,
-          maxEventAge: import_aws_cdk_lib11.Duration.hours(2)
+          maxEventAge: import_aws_cdk_lib12.Duration.hours(2)
         })
       ]
     });
@@ -6086,8 +6216,8 @@ var SeedDemoDataLambda = class extends import_constructs11.Construct {
 };
 
 // src/workflows/control-plane/seed-demo-data/seed-demo-data-workflow.ts
-var import_constructs12 = require("constructs");
-var SeedDemoDataWorkflow = class extends import_constructs12.Construct {
+var import_constructs13 = require("constructs");
+var SeedDemoDataWorkflow = class extends import_constructs13.Construct {
   constructor(scope, props) {
     super(scope, "seed-demo-data-workflow");
     this.seedDemoData = new SeedDemoDataLambda(this, {
@@ -6113,13 +6243,13 @@ var SEED_SYSTEM_DATA_CONTROL_BUS_ENV_VAR = "CONTROL_EVENT_BUS_NAME";
 var import_node_fs8 = __toESM(require("fs"));
 var import_node_path8 = __toESM(require("path"));
 var import_types13 = require("@openhi/types");
-var import_aws_cdk_lib12 = require("aws-cdk-lib");
+var import_aws_cdk_lib13 = require("aws-cdk-lib");
 var import_aws_events7 = require("aws-cdk-lib/aws-events");
 var import_aws_events_targets3 = require("aws-cdk-lib/aws-events-targets");
 var import_aws_iam4 = require("aws-cdk-lib/aws-iam");
-var import_aws_lambda8 = require("aws-cdk-lib/aws-lambda");
-var import_aws_lambda_nodejs8 = require("aws-cdk-lib/aws-lambda-nodejs");
-var import_constructs13 = require("constructs");
+var import_aws_lambda9 = require("aws-cdk-lib/aws-lambda");
+var import_aws_lambda_nodejs9 = require("aws-cdk-lib/aws-lambda-nodejs");
+var import_constructs14 = require("constructs");
 var HANDLER_NAME8 = "seed-system-data.handler.js";
 function resolveHandlerEntry8(dirname) {
   const sameDir = import_node_path8.default.join(dirname, HANDLER_NAME8);
@@ -6128,14 +6258,14 @@ function resolveHandlerEntry8(dirname) {
   }
   return import_node_path8.default.join(dirname, "..", "..", "..", "..", "lib", HANDLER_NAME8);
 }
-var SeedSystemDataLambda = class extends import_constructs13.Construct {
+var SeedSystemDataLambda = class extends import_constructs14.Construct {
   constructor(scope, props) {
     super(scope, "seed-system-data-lambda");
-    this.lambda = new import_aws_lambda_nodejs8.NodejsFunction(this, "handler", {
+    this.lambda = new import_aws_lambda_nodejs9.NodejsFunction(this, "handler", {
       entry: resolveHandlerEntry8(__dirname),
-      runtime: import_aws_lambda8.Runtime.NODEJS_LATEST,
+      runtime: import_aws_lambda9.Runtime.NODEJS_LATEST,
       memorySize: 512,
-      timeout: import_aws_cdk_lib12.Duration.minutes(1),
+      timeout: import_aws_cdk_lib13.Duration.minutes(1),
       environment: {
         DYNAMO_TABLE_NAME: props.dataStoreTable.tableName,
         [SEED_SYSTEM_DATA_CONTROL_BUS_ENV_VAR]: props.controlEventBus.eventBusName
@@ -6157,7 +6287,7 @@ var SeedSystemDataLambda = class extends import_constructs13.Construct {
       })
     );
     props.controlEventBus.grantPutEventsTo(this.lambda);
-    const hostStackName = import_aws_cdk_lib12.Stack.of(this).stackName;
+    const hostStackName = import_aws_cdk_lib13.Stack.of(this).stackName;
     this.rule = new import_aws_events7.Rule(this, "rule", {
       eventBus: props.controlEventBus,
       eventPattern: {
@@ -6172,7 +6302,7 @@ var SeedSystemDataLambda = class extends import_constructs13.Construct {
       targets: [
         new import_aws_events_targets3.LambdaFunction(this.lambda, {
           retryAttempts: 2,
-          maxEventAge: import_aws_cdk_lib12.Duration.hours(2)
+          maxEventAge: import_aws_cdk_lib13.Duration.hours(2)
         })
       ]
     });
@@ -6180,8 +6310,8 @@ var SeedSystemDataLambda = class extends import_constructs13.Construct {
 };
 
 // src/workflows/control-plane/seed-system-data/seed-system-data-workflow.ts
-var import_constructs14 = require("constructs");
-var SeedSystemDataWorkflow = class extends import_constructs14.Construct {
+var import_constructs15 = require("constructs");
+var SeedSystemDataWorkflow = class extends import_constructs15.Construct {
   constructor(scope, props) {
     super(scope, "seed-system-data-workflow");
     this.seedSystemData = new SeedSystemDataLambda(this, {
@@ -6334,13 +6464,13 @@ var buildProvisionDefaultWorkspaceRequestedDetail = (event) => {
 // src/workflows/control-plane/user-onboarding/provision-default-workspace-lambda.ts
 var import_node_fs9 = __toESM(require("fs"));
 var import_node_path9 = __toESM(require("path"));
-var import_aws_cdk_lib13 = require("aws-cdk-lib");
+var import_aws_cdk_lib14 = require("aws-cdk-lib");
 var import_aws_events8 = require("aws-cdk-lib/aws-events");
 var import_aws_events_targets4 = require("aws-cdk-lib/aws-events-targets");
 var import_aws_iam5 = require("aws-cdk-lib/aws-iam");
-var import_aws_lambda9 = require("aws-cdk-lib/aws-lambda");
-var import_aws_lambda_nodejs9 = require("aws-cdk-lib/aws-lambda-nodejs");
-var import_constructs15 = require("constructs");
+var import_aws_lambda10 = require("aws-cdk-lib/aws-lambda");
+var import_aws_lambda_nodejs10 = require("aws-cdk-lib/aws-lambda-nodejs");
+var import_constructs16 = require("constructs");
 var HANDLER_NAME9 = "provision-default-workspace.handler.js";
 function resolveHandlerEntry9(dirname) {
   const sameDir = import_node_path9.default.join(dirname, HANDLER_NAME9);
@@ -6349,12 +6479,12 @@ function resolveHandlerEntry9(dirname) {
   }
   return import_node_path9.default.join(dirname, "..", "..", "..", "..", "lib", HANDLER_NAME9);
 }
-var ProvisionDefaultWorkspaceLambda = class extends import_constructs15.Construct {
+var ProvisionDefaultWorkspaceLambda = class extends import_constructs16.Construct {
   constructor(scope, props) {
     super(scope, "provision-default-workspace-lambda");
-    this.lambda = new import_aws_lambda_nodejs9.NodejsFunction(this, "handler", {
+    this.lambda = new import_aws_lambda_nodejs10.NodejsFunction(this, "handler", {
       entry: resolveHandlerEntry9(__dirname),
-      runtime: import_aws_lambda9.Runtime.NODEJS_LATEST,
+      runtime: import_aws_lambda10.Runtime.NODEJS_LATEST,
       memorySize: 1024,
       environment: {
         DYNAMO_TABLE_NAME: props.dataStoreTable.tableName
@@ -6381,7 +6511,7 @@ var ProvisionDefaultWorkspaceLambda = class extends import_constructs15.Construc
       targets: [
         new import_aws_events_targets4.LambdaFunction(this.lambda, {
           retryAttempts: 2,
-          maxEventAge: import_aws_cdk_lib13.Duration.hours(2)
+          maxEventAge: import_aws_cdk_lib14.Duration.hours(2)
         })
       ]
     });
@@ -6389,8 +6519,8 @@ var ProvisionDefaultWorkspaceLambda = class extends import_constructs15.Construc
 };
 
 // src/workflows/control-plane/user-onboarding/user-onboarding-workflow.ts
-var import_constructs16 = require("constructs");
-var UserOnboardingWorkflow = class extends import_constructs16.Construct {
+var import_constructs17 = require("constructs");
+var UserOnboardingWorkflow = class extends import_constructs17.Construct {
   constructor(scope, props) {
     super(scope, "user-onboarding-workflow");
     this.provisionDefaultWorkspace = new ProvisionDefaultWorkspaceLambda(this, {
@@ -6608,7 +6738,7 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
       new import_aws_iam6.PolicyStatement({
         actions: ["cognito-idp:AdminUserGlobalSignOut"],
         resources: [
-          import_core2.Stack.of(this).formatArn({
+          import_core.Stack.of(this).formatArn({
             service: "cognito-idp",
             resource: "userpool",
             resourceName: "*"
@@ -6668,16 +6798,16 @@ var import_aws_apigatewayv22 = require("aws-cdk-lib/aws-apigatewayv2");
 var import_aws_apigatewayv2_authorizers = require("aws-cdk-lib/aws-apigatewayv2-authorizers");
 var import_aws_apigatewayv2_integrations = require("aws-cdk-lib/aws-apigatewayv2-integrations");
 var import_aws_iam7 = require("aws-cdk-lib/aws-iam");
-var import_aws_route533 = require("aws-cdk-lib/aws-route53");
-var import_aws_route53_targets = require("aws-cdk-lib/aws-route53-targets");
-var import_core3 = require("aws-cdk-lib/core");
+var import_aws_route534 = require("aws-cdk-lib/aws-route53");
+var import_aws_route53_targets2 = require("aws-cdk-lib/aws-route53-targets");
+var import_core2 = require("aws-cdk-lib/core");
 
 // src/data/lambda/cors-options-lambda.ts
 var import_node_fs10 = __toESM(require("fs"));
 var import_node_path10 = __toESM(require("path"));
-var import_aws_lambda10 = require("aws-cdk-lib/aws-lambda");
-var import_aws_lambda_nodejs10 = require("aws-cdk-lib/aws-lambda-nodejs");
-var import_constructs17 = require("constructs");
+var import_aws_lambda11 = require("aws-cdk-lib/aws-lambda");
+var import_aws_lambda_nodejs11 = require("aws-cdk-lib/aws-lambda-nodejs");
+var import_constructs18 = require("constructs");
 var HANDLER_NAME10 = "cors-options-lambda.handler.js";
 function resolveHandlerEntry10(dirname) {
   const sameDir = import_node_path10.default.join(dirname, HANDLER_NAME10);
@@ -6687,12 +6817,12 @@ function resolveHandlerEntry10(dirname) {
   const fromLib = import_node_path10.default.join(dirname, "..", "..", "..", "lib", HANDLER_NAME10);
   return fromLib;
 }
-var CorsOptionsLambda = class extends import_constructs17.Construct {
+var CorsOptionsLambda = class extends import_constructs18.Construct {
   constructor(scope, id = "cors-options-lambda") {
     super(scope, id);
-    this.lambda = new import_aws_lambda_nodejs10.NodejsFunction(this, "handler", {
+    this.lambda = new import_aws_lambda_nodejs11.NodejsFunction(this, "handler", {
       entry: resolveHandlerEntry10(__dirname),
-      runtime: import_aws_lambda10.Runtime.NODEJS_LATEST,
+      runtime: import_aws_lambda11.Runtime.NODEJS_LATEST,
       memorySize: 128
     });
   }
@@ -6701,9 +6831,9 @@ var CorsOptionsLambda = class extends import_constructs17.Construct {
 // src/data/lambda/rest-api-lambda.ts
 var import_node_fs11 = __toESM(require("fs"));
 var import_node_path11 = __toESM(require("path"));
-var import_aws_lambda11 = require("aws-cdk-lib/aws-lambda");
-var import_aws_lambda_nodejs11 = require("aws-cdk-lib/aws-lambda-nodejs");
-var import_constructs18 = require("constructs");
+var import_aws_lambda12 = require("aws-cdk-lib/aws-lambda");
+var import_aws_lambda_nodejs12 = require("aws-cdk-lib/aws-lambda-nodejs");
+var import_constructs19 = require("constructs");
 var HANDLER_NAME11 = "rest-api-lambda.handler.js";
 function resolveHandlerEntry11(dirname) {
   const sameDir = import_node_path11.default.join(dirname, HANDLER_NAME11);
@@ -6713,12 +6843,12 @@ function resolveHandlerEntry11(dirname) {
   const fromLib = import_node_path11.default.join(dirname, "..", "..", "..", "lib", HANDLER_NAME11);
   return fromLib;
 }
-var RestApiLambda = class extends import_constructs18.Construct {
+var RestApiLambda = class extends import_constructs19.Construct {
   constructor(scope, props) {
     super(scope, "rest-api-lambda");
-    this.lambda = new import_aws_lambda_nodejs11.NodejsFunction(this, "handler", {
+    this.lambda = new import_aws_lambda_nodejs12.NodejsFunction(this, "handler", {
       entry: resolveHandlerEntry11(__dirname),
-      runtime: import_aws_lambda11.Runtime.NODEJS_LATEST,
+      runtime: import_aws_lambda12.Runtime.NODEJS_LATEST,
       memorySize: 1024,
       environment: {
         DYNAMO_TABLE_NAME: props.dynamoTableName,
@@ -6796,7 +6926,7 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
    */
   createHostedZone() {
     const { config } = this.props;
-    return import_aws_route533.HostedZone.fromHostedZoneAttributes(this, "root-zone", {
+    return import_aws_route534.HostedZone.fromHostedZoneAttributes(this, "root-zone", {
       hostedZoneId: config.hostedZoneId,
       zoneName: config.zoneName
     });
@@ -6936,11 +7066,11 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
       integration
     });
     const apiPrefix = this.branchName === "main" ? `api` : `api-${this.childZonePrefix}`;
-    new import_aws_route533.ARecord(this, "api-a-record", {
+    new import_aws_route534.ARecord(this, "api-a-record", {
       zone: hostedZone,
       recordName: apiPrefix,
-      target: import_aws_route533.RecordTarget.fromAlias(
-        new import_aws_route53_targets.ApiGatewayv2DomainProperties(
+      target: import_aws_route534.RecordTarget.fromAlias(
+        new import_aws_route53_targets2.ApiGatewayv2DomainProperties(
           domainName.regionalDomainName,
           domainName.regionalHostedZoneId
         )
@@ -6977,7 +7107,7 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
         "Authorization"
       ],
       allowCredentials: cors.allowCredentials ?? true,
-      maxAge: cors.maxAge ?? import_core3.Duration.days(1),
+      maxAge: cors.maxAge ?? import_core2.Duration.days(1),
       ...cors.exposeHeaders !== void 0 && {
         exposeHeaders: cors.exposeHeaders
       }
@@ -7039,6 +7169,158 @@ var _OpenHiGraphqlService = class _OpenHiGraphqlService extends OpenHiService {
 _OpenHiGraphqlService.SERVICE_TYPE = "graphql-api";
 var OpenHiGraphqlService = _OpenHiGraphqlService;
 
+// src/services/open-hi-website-service.ts
+var SSM_PARAM_NAME_FULL_DOMAIN = "WEBSITE_FULL_DOMAIN";
+var _OpenHiWebsiteService = class _OpenHiWebsiteService extends OpenHiService {
+  /**
+   * Looks up the static-hosting bucket ARN published by the release-branch
+   * deploy of this service.
+   */
+  static bucketArnFromConstruct(scope) {
+    return DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: StaticHosting.SSM_PARAM_NAME_BUCKET_ARN,
+      serviceType: _OpenHiWebsiteService.SERVICE_TYPE
+    });
+  }
+  /**
+   * Looks up the CloudFront distribution ARN published by the release-branch
+   * deploy of this service.
+   */
+  static distributionArnFromConstruct(scope) {
+    return DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: StaticHosting.SSM_PARAM_NAME_DISTRIBUTION_ARN,
+      serviceType: _OpenHiWebsiteService.SERVICE_TYPE
+    });
+  }
+  /**
+   * Looks up the CloudFront distribution domain
+   * (e.g. dXXXXX.cloudfront.net) published by the release-branch deploy.
+   */
+  static distributionDomainFromConstruct(scope) {
+    return DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: StaticHosting.SSM_PARAM_NAME_DISTRIBUTION_DOMAIN,
+      serviceType: _OpenHiWebsiteService.SERVICE_TYPE
+    });
+  }
+  /**
+   * Looks up the CloudFront distribution ID published by the release-branch
+   * deploy of this service.
+   */
+  static distributionIdFromConstruct(scope) {
+    return DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: StaticHosting.SSM_PARAM_NAME_DISTRIBUTION_ID,
+      serviceType: _OpenHiWebsiteService.SERVICE_TYPE
+    });
+  }
+  /**
+   * Looks up the website's full domain (e.g. www.example.com) published by
+   * the release-branch deploy of this service.
+   */
+  static fullDomainFromConstruct(scope) {
+    return DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: SSM_PARAM_NAME_FULL_DOMAIN,
+      serviceType: _OpenHiWebsiteService.SERVICE_TYPE
+    });
+  }
+  get serviceType() {
+    return _OpenHiWebsiteService.SERVICE_TYPE;
+  }
+  constructor(ohEnv, props) {
+    super(ohEnv, _OpenHiWebsiteService.SERVICE_TYPE, props);
+    this.props = props;
+    this.validateConfig(props);
+    const hostedZone = this.createHostedZone();
+    this.fullDomain = this.computeFullDomain(hostedZone);
+    const shouldCreateHostingInfra = props.createHostingInfrastructure ?? this.branchName === this.defaultReleaseBranch;
+    if (shouldCreateHostingInfra) {
+      const certificate = this.createCertificate();
+      this.staticHosting = this.createStaticHosting({
+        certificate,
+        hostedZone
+      });
+      this.createFullDomainParameter();
+    }
+    this.staticContent = this.createStaticContent();
+  }
+  /**
+   * Validates that config required for the website stack is present.
+   */
+  validateConfig(props) {
+    const { config } = props;
+    if (!config) {
+      throw new Error("Config is required");
+    }
+    if (!config.zoneName) {
+      throw new Error("Zone name is required");
+    }
+  }
+  /**
+   * Looks up the child hosted zone published by the Global service.
+   * Override to customize.
+   */
+  createHostedZone() {
+    return OpenHiGlobalService.childHostedZoneFromConstruct(this, {
+      zoneName: this.config.zoneName
+    });
+  }
+  /**
+   * Returns the wildcard certificate looked up from the Global service.
+   * Override to customize.
+   */
+  createCertificate() {
+    return OpenHiGlobalService.rootWildcardCertificateFromConstruct(this);
+  }
+  /**
+   * Computes the full website domain from `domainPrefix` and the child
+   * zone name.
+   */
+  computeFullDomain(hostedZone) {
+    const prefix = this.props.domainPrefix ?? "www";
+    return [prefix, hostedZone.zoneName].join(".");
+  }
+  /**
+   * Creates the StaticHosting infrastructure (bucket + distribution +
+   * Lambda@Edge + 4 SSM params + DNS).
+   */
+  createStaticHosting(deps) {
+    return new StaticHosting(this, "static-hosting", {
+      serviceType: _OpenHiWebsiteService.SERVICE_TYPE,
+      certificate: deps.certificate,
+      hostedZone: deps.hostedZone,
+      domainNames: [this.fullDomain],
+      description: `OpenHI website (${this.fullDomain})`
+    });
+  }
+  /**
+   * Creates the SSM parameter that publishes the website's full domain.
+   * Look up via {@link OpenHiWebsiteService.fullDomainFromConstruct}.
+   */
+  createFullDomainParameter() {
+    new DiscoverableStringParameter(this, "full-domain-param", {
+      ssmParamName: SSM_PARAM_NAME_FULL_DOMAIN,
+      serviceType: _OpenHiWebsiteService.SERVICE_TYPE,
+      stringValue: this.fullDomain,
+      description: "Full website domain (e.g. www.example.com)"
+    });
+  }
+  /**
+   * Creates the StaticContent uploader. Always created so feature-branch
+   * deploys can publish content to their own sub-domain folder against the
+   * release-branch bucket.
+   */
+  createStaticContent() {
+    const { contentSourceDirectory, contentDestinationDirectory } = this.props;
+    return new StaticContent(this, "static-content", {
+      contentSourceDirectory,
+      contentDestinationDirectory,
+      fullDomain: this.fullDomain,
+      serviceType: _OpenHiWebsiteService.SERVICE_TYPE
+    });
+  }
+};
+_OpenHiWebsiteService.SERVICE_TYPE = "website";
+var OpenHiWebsiteService = _OpenHiWebsiteService;
+
 // src/workflows/control-plane/owning-delete-cascade/events.ts
 var import_workflows5 = __toESM(require_lib2());
 var OWNING_DELETE_CASCADE_CONSUMER_NAME = "owning-delete-cascade";
@@ -7049,11 +7331,11 @@ var OWNING_DELETE_OPS_EVENT_BUS_ENV_VAR = "OWNING_DELETE_OPS_EVENT_BUS_NAME";
 // src/workflows/control-plane/owning-delete-cascade/owning-delete-cascade-lambdas.ts
 var import_node_fs12 = __toESM(require("fs"));
 var import_node_path12 = __toESM(require("path"));
-var import_aws_cdk_lib14 = require("aws-cdk-lib");
+var import_aws_cdk_lib15 = require("aws-cdk-lib");
 var import_aws_iam8 = require("aws-cdk-lib/aws-iam");
-var import_aws_lambda12 = require("aws-cdk-lib/aws-lambda");
-var import_aws_lambda_nodejs12 = require("aws-cdk-lib/aws-lambda-nodejs");
-var import_constructs19 = require("constructs");
+var import_aws_lambda13 = require("aws-cdk-lib/aws-lambda");
+var import_aws_lambda_nodejs13 = require("aws-cdk-lib/aws-lambda-nodejs");
+var import_constructs20 = require("constructs");
 function resolveHandlerEntry12(dirname, handlerName) {
   const sameDir = import_node_path12.default.join(dirname, handlerName);
   if (import_node_fs12.default.existsSync(sameDir)) {
@@ -7062,18 +7344,18 @@ function resolveHandlerEntry12(dirname, handlerName) {
   const libDir = import_node_path12.default.join(dirname, "..", "..", "..", "..", "lib", handlerName);
   return { entry: libDir, handler: "handler" };
 }
-var OwningDeleteCascadeLambdas = class extends import_constructs19.Construct {
+var OwningDeleteCascadeLambdas = class extends import_constructs20.Construct {
   constructor(scope, props) {
     super(scope, "owning-delete-cascade-lambdas");
     const listResolved = resolveHandlerEntry12(
       __dirname,
       "list-chunks.handler.js"
     );
-    this.listChunks = new import_aws_lambda_nodejs12.NodejsFunction(this, "list-chunks-handler", {
+    this.listChunks = new import_aws_lambda_nodejs13.NodejsFunction(this, "list-chunks-handler", {
       entry: listResolved.entry,
-      runtime: import_aws_lambda12.Runtime.NODEJS_LATEST,
+      runtime: import_aws_lambda13.Runtime.NODEJS_LATEST,
       memorySize: 512,
-      timeout: import_aws_cdk_lib14.Duration.minutes(1),
+      timeout: import_aws_cdk_lib15.Duration.minutes(1),
       environment: {
         DYNAMO_TABLE_NAME: props.dataStoreTable.tableName
       }
@@ -7083,11 +7365,11 @@ var OwningDeleteCascadeLambdas = class extends import_constructs19.Construct {
       __dirname,
       "delete-chunk.handler.js"
     );
-    this.deleteChunk = new import_aws_lambda_nodejs12.NodejsFunction(this, "delete-chunk-handler", {
+    this.deleteChunk = new import_aws_lambda_nodejs13.NodejsFunction(this, "delete-chunk-handler", {
       entry: deleteResolved.entry,
-      runtime: import_aws_lambda12.Runtime.NODEJS_LATEST,
+      runtime: import_aws_lambda13.Runtime.NODEJS_LATEST,
       memorySize: 512,
-      timeout: import_aws_cdk_lib14.Duration.minutes(1),
+      timeout: import_aws_cdk_lib15.Duration.minutes(1),
       environment: {
         DYNAMO_TABLE_NAME: props.dataStoreTable.tableName
       }
@@ -7102,11 +7384,11 @@ var OwningDeleteCascadeLambdas = class extends import_constructs19.Construct {
       __dirname,
       "finalize.handler.js"
     );
-    this.finalize = new import_aws_lambda_nodejs12.NodejsFunction(this, "finalize-handler", {
+    this.finalize = new import_aws_lambda_nodejs13.NodejsFunction(this, "finalize-handler", {
       entry: finalizeResolved.entry,
-      runtime: import_aws_lambda12.Runtime.NODEJS_LATEST,
+      runtime: import_aws_lambda13.Runtime.NODEJS_LATEST,
       memorySize: 512,
-      timeout: import_aws_cdk_lib14.Duration.minutes(1),
+      timeout: import_aws_cdk_lib15.Duration.minutes(1),
       environment: {
         DYNAMO_TABLE_NAME: props.dataStoreTable.tableName,
         [OWNING_DELETE_OPS_EVENT_BUS_ENV_VAR]: props.opsEventBus.eventBusName
@@ -7124,13 +7406,13 @@ var OwningDeleteCascadeLambdas = class extends import_constructs19.Construct {
 };
 
 // src/workflows/control-plane/owning-delete-cascade/owning-delete-cascade-workflow.ts
-var import_aws_cdk_lib15 = require("aws-cdk-lib");
+var import_aws_cdk_lib16 = require("aws-cdk-lib");
 var import_aws_events9 = require("aws-cdk-lib/aws-events");
 var import_aws_events_targets5 = require("aws-cdk-lib/aws-events-targets");
 var import_aws_stepfunctions = require("aws-cdk-lib/aws-stepfunctions");
 var import_aws_stepfunctions_tasks = require("aws-cdk-lib/aws-stepfunctions-tasks");
-var import_constructs20 = require("constructs");
-var OwningDeleteCascadeWorkflow = class extends import_constructs20.Construct {
+var import_constructs21 = require("constructs");
+var OwningDeleteCascadeWorkflow = class extends import_constructs21.Construct {
   constructor(scope, props) {
     super(scope, "owning-delete-cascade-workflow");
     this.lambdas = new OwningDeleteCascadeLambdas(this, {
@@ -7239,7 +7521,7 @@ var OwningDeleteCascadeWorkflow = class extends import_constructs20.Construct {
       }
     });
     const interPageWait = new import_aws_stepfunctions.Wait(this, "inter-page-wait", {
-      time: import_aws_stepfunctions.WaitTime.duration(import_aws_cdk_lib15.Duration.seconds(0))
+      time: import_aws_stepfunctions.WaitTime.duration(import_aws_cdk_lib16.Duration.seconds(0))
     });
     const isExhausted = new import_aws_stepfunctions.Choice(this, "is-exhausted");
     const finalize = new import_aws_stepfunctions_tasks.LambdaInvoke(this, "finalize", {
@@ -7270,7 +7552,7 @@ var OwningDeleteCascadeWorkflow = class extends import_constructs20.Construct {
       // Long timeout because real-world cascades can run minutes when
       // a workspace has thousands of members. The stuck-cascade alarm
       // fires at 15 minutes; the state machine itself does not abort.
-      timeout: import_aws_cdk_lib15.Duration.hours(2)
+      timeout: import_aws_cdk_lib16.Duration.hours(2)
     });
     this.rule = new import_aws_events9.Rule(this, "rule", {
       eventBus: props.dataEventBus,
@@ -7281,7 +7563,7 @@ var OwningDeleteCascadeWorkflow = class extends import_constructs20.Construct {
       targets: [
         new import_aws_events_targets5.SfnStateMachine(this.stateMachine, {
           retryAttempts: 2,
-          maxEventAge: import_aws_cdk_lib15.Duration.hours(2)
+          maxEventAge: import_aws_cdk_lib16.Duration.hours(2)
         })
       ]
     });
@@ -7299,11 +7581,11 @@ var RENAME_CASCADE_OPS_EVENT_BUS_ENV_VAR = "RENAME_CASCADE_OPS_EVENT_BUS_NAME";
 // src/workflows/control-plane/rename-cascade/rename-cascade-lambdas.ts
 var import_node_fs13 = __toESM(require("fs"));
 var import_node_path13 = __toESM(require("path"));
-var import_aws_cdk_lib16 = require("aws-cdk-lib");
+var import_aws_cdk_lib17 = require("aws-cdk-lib");
 var import_aws_iam9 = require("aws-cdk-lib/aws-iam");
-var import_aws_lambda13 = require("aws-cdk-lib/aws-lambda");
-var import_aws_lambda_nodejs13 = require("aws-cdk-lib/aws-lambda-nodejs");
-var import_constructs21 = require("constructs");
+var import_aws_lambda14 = require("aws-cdk-lib/aws-lambda");
+var import_aws_lambda_nodejs14 = require("aws-cdk-lib/aws-lambda-nodejs");
+var import_constructs22 = require("constructs");
 function resolveHandlerEntry13(dirname, handlerName) {
   const sameDir = import_node_path13.default.join(dirname, handlerName);
   if (import_node_fs13.default.existsSync(sameDir)) {
@@ -7312,18 +7594,18 @@ function resolveHandlerEntry13(dirname, handlerName) {
   const libDir = import_node_path13.default.join(dirname, "..", "..", "..", "..", "lib", handlerName);
   return { entry: libDir, handler: "handler" };
 }
-var RenameCascadeLambdas = class extends import_constructs21.Construct {
+var RenameCascadeLambdas = class extends import_constructs22.Construct {
   constructor(scope, props) {
     super(scope, "rename-cascade-lambdas");
     const listResolved = resolveHandlerEntry13(
       __dirname,
       "rename-list-targets.handler.js"
     );
-    this.listTargets = new import_aws_lambda_nodejs13.NodejsFunction(this, "list-targets-handler", {
+    this.listTargets = new import_aws_lambda_nodejs14.NodejsFunction(this, "list-targets-handler", {
       entry: listResolved.entry,
-      runtime: import_aws_lambda13.Runtime.NODEJS_LATEST,
+      runtime: import_aws_lambda14.Runtime.NODEJS_LATEST,
       memorySize: 512,
-      timeout: import_aws_cdk_lib16.Duration.minutes(1),
+      timeout: import_aws_cdk_lib17.Duration.minutes(1),
       environment: {
         DYNAMO_TABLE_NAME: props.dataStoreTable.tableName
       }
@@ -7333,11 +7615,11 @@ var RenameCascadeLambdas = class extends import_constructs21.Construct {
       __dirname,
       "rename-rewrite-chunk.handler.js"
     );
-    this.rewriteChunk = new import_aws_lambda_nodejs13.NodejsFunction(this, "rewrite-chunk-handler", {
+    this.rewriteChunk = new import_aws_lambda_nodejs14.NodejsFunction(this, "rewrite-chunk-handler", {
       entry: rewriteResolved.entry,
-      runtime: import_aws_lambda13.Runtime.NODEJS_LATEST,
+      runtime: import_aws_lambda14.Runtime.NODEJS_LATEST,
       memorySize: 512,
-      timeout: import_aws_cdk_lib16.Duration.minutes(1),
+      timeout: import_aws_cdk_lib17.Duration.minutes(1),
       environment: {
         DYNAMO_TABLE_NAME: props.dataStoreTable.tableName
       }
@@ -7352,11 +7634,11 @@ var RenameCascadeLambdas = class extends import_constructs21.Construct {
       __dirname,
       "rename-finalize.handler.js"
     );
-    this.finalize = new import_aws_lambda_nodejs13.NodejsFunction(this, "finalize-handler", {
+    this.finalize = new import_aws_lambda_nodejs14.NodejsFunction(this, "finalize-handler", {
       entry: finalizeResolved.entry,
-      runtime: import_aws_lambda13.Runtime.NODEJS_LATEST,
+      runtime: import_aws_lambda14.Runtime.NODEJS_LATEST,
       memorySize: 512,
-      timeout: import_aws_cdk_lib16.Duration.minutes(1),
+      timeout: import_aws_cdk_lib17.Duration.minutes(1),
       environment: {
         [RENAME_CASCADE_OPS_EVENT_BUS_ENV_VAR]: props.opsEventBus.eventBusName
       }
@@ -7372,13 +7654,13 @@ var RenameCascadeLambdas = class extends import_constructs21.Construct {
 };
 
 // src/workflows/control-plane/rename-cascade/rename-cascade-workflow.ts
-var import_aws_cdk_lib17 = require("aws-cdk-lib");
+var import_aws_cdk_lib18 = require("aws-cdk-lib");
 var import_aws_events10 = require("aws-cdk-lib/aws-events");
 var import_aws_events_targets6 = require("aws-cdk-lib/aws-events-targets");
 var import_aws_stepfunctions2 = require("aws-cdk-lib/aws-stepfunctions");
 var import_aws_stepfunctions_tasks2 = require("aws-cdk-lib/aws-stepfunctions-tasks");
-var import_constructs22 = require("constructs");
-var RenameCascadeWorkflow = class extends import_constructs22.Construct {
+var import_constructs23 = require("constructs");
+var RenameCascadeWorkflow = class extends import_constructs23.Construct {
   constructor(scope, props) {
     super(scope, "rename-cascade-workflow");
     this.lambdas = new RenameCascadeLambdas(this, {
@@ -7522,7 +7804,7 @@ var RenameCascadeWorkflow = class extends import_constructs22.Construct {
       // Long timeout — large renames may rewrite thousands of rows;
       // the `CascadeSlow` alarm fires at 300s p99 but the state
       // machine itself does not abort.
-      timeout: import_aws_cdk_lib17.Duration.hours(2)
+      timeout: import_aws_cdk_lib18.Duration.hours(2)
     });
     this.rule = new import_aws_events10.Rule(this, "rule", {
       eventBus: props.dataEventBus,
@@ -7533,7 +7815,7 @@ var RenameCascadeWorkflow = class extends import_constructs22.Construct {
       targets: [
         new import_aws_events_targets6.SfnStateMachine(this.stateMachine, {
           retryAttempts: 2,
-          maxEventAge: import_aws_cdk_lib17.Duration.hours(2)
+          maxEventAge: import_aws_cdk_lib18.Duration.hours(2)
         })
       ]
     });
@@ -7591,6 +7873,7 @@ var RenameCascadeWorkflow = class extends import_constructs22.Construct {
   OpenHiRestApiService,
   OpenHiService,
   OpenHiStage,
+  OpenHiWebsiteService,
   OpsEventBus,
   OwningDeleteCascadeLambdas,
   OwningDeleteCascadeWorkflow,
@@ -7626,11 +7909,13 @@ var RenameCascadeWorkflow = class extends import_constructs22.Construct {
   SEED_SYSTEM_DATA_ACTOR_SYSTEM,
   SEED_SYSTEM_DATA_CONSUMER_NAME,
   SEED_SYSTEM_DATA_CONTROL_BUS_ENV_VAR,
+  SSM_PARAM_NAME_FULL_DOMAIN,
   STATIC_HOSTING_SERVICE_TYPE,
   SeedDemoDataLambda,
   SeedDemoDataWorkflow,
   SeedSystemDataLambda,
   SeedSystemDataWorkflow,
+  StaticContent,
   StaticHosting,
   USER_ONBOARDING_EVENT_SOURCE,
   UserOnboardingWorkflow,