@openhi/constructs 0.0.115 → 0.0.117

package/lib/index.mjs

@@ -1176,7 +1176,9 @@ var WorkflowDedupConsumerNameInvalidError = class extends Error {
 };
 
 // src/components/event-bridge/data-event-bus.ts
-import { EventBus } from "aws-cdk-lib/aws-events";
+import { Duration as Duration2, Stack as Stack2 } from "aws-cdk-lib";
+import { Archive, EventBus } from "aws-cdk-lib/aws-events";
+var DEFAULT_ARCHIVE_RETENTION = Duration2.days(7);
 var DataEventBus = class _DataEventBus extends EventBus {
   /*****************************************************************************
    *
@@ -1189,11 +1191,19 @@ var DataEventBus = class _DataEventBus extends EventBus {
     const stack = OpenHiService.of(scope);
     return `datav1${stack.branchHash}`;
   }
-  constructor(scope, props) {
+  constructor(scope, props = void 0) {
+    const { archiveRetention, ...busProps } = props ?? {};
     super(scope, "data-event-bus-v1", {
-      ...props,
+      ...busProps,
       eventBusName: _DataEventBus.getEventBusName(scope)
     });
+    this.replayArchive = new Archive(this, "Archive", {
+      sourceEventBus: this,
+      archiveName: `${_DataEventBus.getEventBusName(scope)}-archive`,
+      description: "Replay archive for the OpenHI data event bus (data-store change notifications).",
+      eventPattern: { account: [Stack2.of(this).account] },
+      retention: archiveRetention ?? DEFAULT_ARCHIVE_RETENTION
+    });
   }
 };
 
@@ -1244,7 +1254,7 @@ var ControlEventBus = class _ControlEventBus extends EventBus3 {
 // src/components/postgres/data-store-postgres-replica.ts
 import fs5 from "fs";
 import path5 from "path";
-import { Duration as Duration2, Stack as Stack2 } from "aws-cdk-lib";
+import { Duration as Duration3, Stack as Stack3 } from "aws-cdk-lib";
 import * as ec2 from "aws-cdk-lib/aws-ec2";
 import { Runtime as Runtime5, StartingPosition } from "aws-cdk-lib/aws-lambda";
 import { KinesisEventSource } from "aws-cdk-lib/aws-lambda-event-sources";
@@ -1310,7 +1320,7 @@ var DataStorePostgresReplica = class extends Construct6 {
     super(scope, id);
     this.databaseName = props.databaseName ?? DEFAULT_DATABASE_NAME;
     this.schemaName = getPostgresReplicaSchemaName(props.branchHash);
-    const region = Stack2.of(this).region;
+    const region = Stack3.of(this).region;
     this.vpc = props.vpc ?? new ec2.Vpc(this, "Vpc", {
       availabilityZones: [`${region}a`, `${region}b`],
       natGateways: 0,
@@ -1346,7 +1356,7 @@ var DataStorePostgresReplica = class extends Construct6 {
       entry: resolveHandlerEntry5(__dirname),
       runtime: Runtime5.NODEJS_LATEST,
       memorySize: 512,
-      timeout: Duration2.minutes(1),
+      timeout: Duration3.minutes(1),
       vpc: this.vpc,
       vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE_ISOLATED },
       description: "Replicates DynamoDB current-resource changes into the Postgres `resources` JSONB table (ADR 2026-04-17-01).",
@@ -1373,7 +1383,7 @@ var DataStorePostgresReplica = class extends Construct6 {
       new KinesisEventSource(props.kinesisStream, {
         startingPosition: StartingPosition.LATEST,
         batchSize: 100,
-        maxBatchingWindow: Duration2.seconds(5),
+        maxBatchingWindow: Duration3.seconds(5),
         retryAttempts: 10,
         bisectBatchOnError: true,
         parallelizationFactor: 2,
@@ -1406,7 +1416,7 @@ var DataStorePostgresReplica = class extends Construct6 {
 };
 
 // src/components/route-53/child-hosted-zone.ts
-import { Duration as Duration3 } from "aws-cdk-lib";
+import { Duration as Duration4 } from "aws-cdk-lib";
 import {
   HostedZone,
   NsRecord
@@ -1418,7 +1428,7 @@ var ChildHostedZone = class extends HostedZone {
       zone: props.parentHostedZone,
       recordName: this.zoneName,
       values: this.hostedZoneNameServers || [],
-      ttl: Duration3.minutes(5)
+      ttl: Duration4.minutes(5)
     });
   }
 };
@@ -1432,14 +1442,39 @@ import { Construct as Construct7 } from "constructs";
 var RootHostedZone = class extends Construct7 {
 };
 
+// src/components/static-hosting/static-content.ts
+import { Bucket as Bucket3 } from "aws-cdk-lib/aws-s3";
+import { BucketDeployment, Source } from "aws-cdk-lib/aws-s3-deployment";
+import { paramCase as paramCase2 } from "change-case";
+import { Construct as Construct9 } from "constructs";
+
 // src/components/static-hosting/static-hosting.ts
+import * as fs6 from "fs";
+import * as path6 from "path";
+import { Duration as Duration5 } from "aws-cdk-lib";
 import {
+  AccessLevel,
+  AllowedMethods,
+  CacheCookieBehavior,
+  CacheHeaderBehavior,
   CachePolicy,
-  Distribution
+  CacheQueryStringBehavior,
+  Distribution,
+  LambdaEdgeEventType,
+  S3OriginAccessControl,
+  Signing,
+  ViewerProtocolPolicy
 } from "aws-cdk-lib/aws-cloudfront";
 import { S3BucketOrigin } from "aws-cdk-lib/aws-cloudfront-origins";
+import { Runtime as Runtime6 } from "aws-cdk-lib/aws-lambda";
+import { NodejsFunction as NodejsFunction6 } from "aws-cdk-lib/aws-lambda-nodejs";
+import { LogGroup, RetentionDays } from "aws-cdk-lib/aws-logs";
+import {
+  ARecord,
+  RecordTarget
+} from "aws-cdk-lib/aws-route53";
+import { CloudFrontTarget } from "aws-cdk-lib/aws-route53-targets";
 import { Bucket as Bucket2 } from "aws-cdk-lib/aws-s3";
-import { Duration as Duration4 } from "aws-cdk-lib/core";
 import { Construct as Construct8 } from "constructs";
 var STATIC_HOSTING_SERVICE_TYPE = "website";
 var _StaticHosting = class _StaticHosting extends Construct8 {
@@ -1447,6 +1482,7 @@ var _StaticHosting = class _StaticHosting extends Construct8 {
     super(scope, id);
     const stack = OpenHiService.of(scope);
     const serviceType = props.serviceType ?? STATIC_HOSTING_SERVICE_TYPE;
+    const hostingMode = props.hostingMode ?? "spa";
     this.bucket = new Bucket2(this, "bucket", {
       blockPublicAccess: {
         blockPublicAcls: true,
@@ -1456,30 +1492,105 @@ var _StaticHosting = class _StaticHosting extends Construct8 {
       },
       ...props.bucketProps
     });
-    const origin = S3BucketOrigin.withOriginAccessControl(this.bucket);
+    const handlerJs = path6.join(
+      __dirname,
+      "static-hosting.viewer-request-handler.js"
+    );
+    const handlerTs = path6.join(
+      __dirname,
+      "static-hosting.viewer-request-handler.ts"
+    );
+    const handlerEntry = fs6.existsSync(handlerJs) ? handlerJs : handlerTs;
+    this.viewerRequestHandler = new NodejsFunction6(
+      this,
+      "viewer-request-handler",
+      {
+        entry: handlerEntry,
+        handler: hostingMode === "static" ? "staticHandler" : "spaHandler",
+        memorySize: 128,
+        runtime: Runtime6.NODEJS_LATEST,
+        logGroup: new LogGroup(this, "viewer-request-handler-log-group", {
+          retention: RetentionDays.ONE_MONTH
+        })
+      }
+    );
     const cachePolicy = new CachePolicy(this, "cache-policy", {
-      cachePolicyName: `static-hosting-10s-${stack.branchHash}`,
-      comment: "Low TTL (10s) for static hosting; no invalidation",
-      defaultTtl: Duration4.seconds(10),
-      minTtl: Duration4.seconds(0),
-      maxTtl: Duration4.seconds(10)
-    });
+      cachePolicyName: `static-hosting-${stack.branchHash}`,
+      comment: "Static hosting default: 60s default / 300s max, gzip+brotli.",
+      defaultTtl: Duration5.seconds(60),
+      minTtl: Duration5.seconds(0),
+      maxTtl: Duration5.seconds(300),
+      headerBehavior: CacheHeaderBehavior.none(),
+      queryStringBehavior: CacheQueryStringBehavior.none(),
+      cookieBehavior: CacheCookieBehavior.none(),
+      enableAcceptEncodingGzip: true,
+      enableAcceptEncodingBrotli: true,
+      ...props.cachePolicyProps
+    });
+    const oac = new S3OriginAccessControl(this, "origin-access-control", {
+      signing: Signing.SIGV4_NO_OVERRIDE
+    });
+    const origin = S3BucketOrigin.withOriginAccessControl(this.bucket, {
+      originAccessControl: oac,
+      originAccessLevels: [AccessLevel.READ]
+    });
+    const hasCustomDomain = props.certificate !== void 0 && props.hostedZone !== void 0 && props.domainNames !== void 0 && props.domainNames.length > 0;
     this.distribution = new Distribution(this, "distribution", {
+      comment: `Static hosting distribution for ${props.description ?? id}`,
+      ...hasCustomDomain ? {
+        certificate: props.certificate,
+        domainNames: [...props.domainNames]
+      } : {},
+      defaultRootObject: "index.html",
       defaultBehavior: {
         origin,
-        cachePolicy
+        viewerProtocolPolicy: ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
+        cachePolicy,
+        allowedMethods: AllowedMethods.ALLOW_GET_HEAD_OPTIONS,
+        edgeLambdas: [
+          {
+            functionVersion: this.viewerRequestHandler.currentVersion,
+            eventType: LambdaEdgeEventType.VIEWER_REQUEST,
+            includeBody: false
+          }
+        ]
       },
       ...props.distributionProps
     });
+    if (hasCustomDomain) {
+      props.domainNames.forEach((domainName, index) => {
+        new ARecord(this, `dns-record-${index}`, {
+          zone: props.hostedZone,
+          recordName: domainName,
+          target: RecordTarget.fromAlias(
+            new CloudFrontTarget(this.distribution)
+          )
+        });
+      });
+    }
     new DiscoverableStringParameter(this, "bucket-arn-param", {
       ssmParamName: _StaticHosting.SSM_PARAM_NAME_BUCKET_ARN,
       serviceType,
-      stringValue: this.bucket.bucketArn
+      stringValue: this.bucket.bucketArn,
+      description: `Static hosting bucket ARN (${props.description ?? id})`
     });
     new DiscoverableStringParameter(this, "distribution-arn-param", {
       ssmParamName: _StaticHosting.SSM_PARAM_NAME_DISTRIBUTION_ARN,
       serviceType,
-      stringValue: this.distribution.distributionArn
+      stringValue: this.distribution.distributionArn,
+      description: `Static hosting distribution ARN (${props.description ?? id})`
+    });
+    new DiscoverableStringParameter(this, "distribution-domain-param", {
+      ssmParamName: _StaticHosting.SSM_PARAM_NAME_DISTRIBUTION_DOMAIN,
+      serviceType,
+      stringValue: this.distribution.domainName,
+      description: `Static hosting distribution domain (${props.description ?? id})`
+    });
+    new DiscoverableStringParameter(this, "distribution-id-param", {
+      ssmParamName: _StaticHosting.SSM_PARAM_NAME_DISTRIBUTION_ID,
+      serviceType,
+      stringValue: this.distribution.distributionId,
+      description: `Static hosting distribution ID (${props.description ?? id})`
     });
   }
 };
@@ -1491,8 +1602,46 @@ _StaticHosting.SSM_PARAM_NAME_BUCKET_ARN = "STATIC_HOSTING_BUCKET_ARN";
  * SSM parameter name for the CloudFront distribution ARN.
  */
 _StaticHosting.SSM_PARAM_NAME_DISTRIBUTION_ARN = "STATIC_HOSTING_DISTRIBUTION_ARN";
+/**
+ * SSM parameter name for the CloudFront distribution domain
+ * (e.g. dXXXXX.cloudfront.net).
+ */
+_StaticHosting.SSM_PARAM_NAME_DISTRIBUTION_DOMAIN = "STATIC_HOSTING_DISTRIBUTION_DOMAIN";
+/**
+ * SSM parameter name for the CloudFront distribution ID.
+ */
+_StaticHosting.SSM_PARAM_NAME_DISTRIBUTION_ID = "STATIC_HOSTING_DISTRIBUTION_ID";
 var StaticHosting = _StaticHosting;
 
+// src/components/static-hosting/static-content.ts
+var StaticContent = class extends Construct9 {
+  constructor(scope, id, props) {
+    super(scope, id);
+    const stack = OpenHiService.of(scope);
+    const {
+      contentSourceDirectory,
+      contentDestinationDirectory = "/",
+      subDomain = stack.branchName,
+      fullDomain,
+      serviceType = STATIC_HOSTING_SERVICE_TYPE
+    } = props;
+    const keyPrefix = [paramCase2(subDomain), fullDomain].join(".");
+    const bucketArn = DiscoverableStringParameter.valueForLookupName(this, {
+      ssmParamName: StaticHosting.SSM_PARAM_NAME_BUCKET_ARN,
+      serviceType
+    });
+    const bucket = Bucket3.fromBucketArn(this, "bucket", bucketArn);
+    const isTestEnv = process.env.JEST_WORKER_ID !== void 0;
+    const sources = isTestEnv ? [] : [Source.asset(contentSourceDirectory)];
+    new BucketDeployment(this, "deploy", {
+      sources,
+      destinationBucket: bucket,
+      retainOnDelete: false,
+      destinationKeyPrefix: `${keyPrefix}${contentDestinationDirectory}`
+    });
+  }
+};
+
 // src/services/open-hi-auth-service.ts
 import {
   LambdaVersion,
@@ -1503,7 +1652,7 @@ import {
 } from "aws-cdk-lib/aws-cognito";
 import { Effect as Effect6, PolicyStatement as PolicyStatement6 } from "aws-cdk-lib/aws-iam";
 import { Key as Key2 } from "aws-cdk-lib/aws-kms";
-import { Stack as Stack6 } from "aws-cdk-lib/core";
+import { Stack as Stack7 } from "aws-cdk-lib/core";
 
 // src/services/open-hi-data-service.ts
 var import_config4 = __toESM(require_lib2());
@@ -1522,27 +1671,27 @@ import {
 import { StringParameter as StringParameter3 } from "aws-cdk-lib/aws-ssm";
 
 // src/workflows/control-plane/platform-deploy-bridge/platform-deploy-bridge.ts
-import { Construct as Construct10 } from "constructs";
+import { Construct as Construct11 } from "constructs";
 
 // src/workflows/control-plane/platform-deploy-bridge/platform-deploy-bridge-lambda.ts
-import fs6 from "fs";
-import path6 from "path";
-import { Duration as Duration5, Stack as Stack3 } from "aws-cdk-lib";
+import fs7 from "fs";
+import path7 from "path";
+import { Duration as Duration6, Stack as Stack4 } from "aws-cdk-lib";
 import { Rule } from "aws-cdk-lib/aws-events";
 import { LambdaFunction } from "aws-cdk-lib/aws-events-targets";
 import { Effect as Effect2, PolicyStatement as PolicyStatement2 } from "aws-cdk-lib/aws-iam";
-import { Runtime as Runtime6 } from "aws-cdk-lib/aws-lambda";
-import { NodejsFunction as NodejsFunction6 } from "aws-cdk-lib/aws-lambda-nodejs";
-import { Construct as Construct9 } from "constructs";
+import { Runtime as Runtime7 } from "aws-cdk-lib/aws-lambda";
+import { NodejsFunction as NodejsFunction7 } from "aws-cdk-lib/aws-lambda-nodejs";
+import { Construct as Construct10 } from "constructs";
 var HANDLER_NAME6 = "platform-deploy-bridge.handler.js";
 function resolveHandlerEntry6(dirname) {
-  const sameDir = path6.join(dirname, HANDLER_NAME6);
-  if (fs6.existsSync(sameDir)) {
+  const sameDir = path7.join(dirname, HANDLER_NAME6);
+  if (fs7.existsSync(sameDir)) {
     return sameDir;
   }
-  return path6.join(dirname, "..", "..", "..", "..", "lib", HANDLER_NAME6);
+  return path7.join(dirname, "..", "..", "..", "..", "lib", HANDLER_NAME6);
 }
-var PlatformDeployBridgeLambda = class extends Construct9 {
+var PlatformDeployBridgeLambda = class extends Construct10 {
   constructor(scope, props) {
     super(scope, "platform-deploy-bridge-lambda");
     const service = OpenHiService.of(this);
@@ -1551,15 +1700,15 @@ var PlatformDeployBridgeLambda = class extends Construct9 {
       OPENHI_TAG_SUFFIX_REPO_NAME
     );
     const tagKeyPrefix = `${service.appName}:`;
-    const ownStackName = Stack3.of(this).stackName;
-    const ownSuffix = `-${service.serviceId}-${Stack3.of(this).account}-${Stack3.of(this).region}`;
+    const ownStackName = Stack4.of(this).stackName;
+    const ownSuffix = `-${service.serviceId}-${Stack4.of(this).account}-${Stack4.of(this).region}`;
     const sharedPrefix = ownStackName.endsWith(ownSuffix) ? ownStackName.slice(0, -ownSuffix.length) : service.branchHash;
-    const stackIdPrefix = `arn:aws:cloudformation:${Stack3.of(this).region}:${Stack3.of(this).account}:stack/${sharedPrefix}-`;
-    this.lambda = new NodejsFunction6(this, "handler", {
+    const stackIdPrefix = `arn:aws:cloudformation:${Stack4.of(this).region}:${Stack4.of(this).account}:stack/${sharedPrefix}-`;
+    this.lambda = new NodejsFunction7(this, "handler", {
       entry: resolveHandlerEntry6(__dirname),
-      runtime: Runtime6.NODEJS_LATEST,
+      runtime: Runtime7.NODEJS_LATEST,
       memorySize: 256,
-      timeout: Duration5.seconds(30),
+      timeout: Duration6.seconds(30),
       environment: {
         [CONTROL_EVENT_BUS_NAME_ENV_VAR]: props.controlEventBus.eventBusName,
         [OPENHI_REPO_TAG_KEY_ENV_VAR]: repoTagKey,
@@ -1571,7 +1720,7 @@ var PlatformDeployBridgeLambda = class extends Construct9 {
         effect: Effect2.ALLOW,
         actions: ["cloudformation:DescribeStacks"],
         resources: [
-          `arn:aws:cloudformation:${Stack3.of(this).region}:${Stack3.of(this).account}:stack/*`
+          `arn:aws:cloudformation:${Stack4.of(this).region}:${Stack4.of(this).account}:stack/*`
         ]
       })
     );
@@ -1590,7 +1739,7 @@ var PlatformDeployBridgeLambda = class extends Construct9 {
       targets: [
         new LambdaFunction(this.lambda, {
           retryAttempts: 2,
-          maxEventAge: Duration5.hours(2)
+          maxEventAge: Duration6.hours(2)
         })
       ]
     });
@@ -1598,7 +1747,7 @@ var PlatformDeployBridgeLambda = class extends Construct9 {
 };
 
 // src/workflows/control-plane/platform-deploy-bridge/platform-deploy-bridge.ts
-var PlatformDeployBridge = class extends Construct10 {
+var PlatformDeployBridge = class extends Construct11 {
   constructor(scope, props) {
     super(scope, "platform-deploy-bridge");
     this.bridgeLambda = new PlatformDeployBridgeLambda(this, {
@@ -1791,31 +1940,31 @@ _OpenHiGlobalService.SERVICE_TYPE = "global";
 var OpenHiGlobalService = _OpenHiGlobalService;
 
 // src/workflows/control-plane/seed-demo-data/seed-demo-data-lambda.ts
-import fs7 from "fs";
-import path7 from "path";
-import { Duration as Duration6, Stack as Stack4 } from "aws-cdk-lib";
+import fs8 from "fs";
+import path8 from "path";
+import { Duration as Duration7, Stack as Stack5 } from "aws-cdk-lib";
 import { Rule as Rule2 } from "aws-cdk-lib/aws-events";
 import { LambdaFunction as LambdaFunction2 } from "aws-cdk-lib/aws-events-targets";
 import { Effect as Effect3, PolicyStatement as PolicyStatement3 } from "aws-cdk-lib/aws-iam";
-import { Runtime as Runtime7 } from "aws-cdk-lib/aws-lambda";
-import { NodejsFunction as NodejsFunction7 } from "aws-cdk-lib/aws-lambda-nodejs";
-import { Construct as Construct11 } from "constructs";
+import { Runtime as Runtime8 } from "aws-cdk-lib/aws-lambda";
+import { NodejsFunction as NodejsFunction8 } from "aws-cdk-lib/aws-lambda-nodejs";
+import { Construct as Construct12 } from "constructs";
 var HANDLER_NAME7 = "seed-demo-data.handler.js";
 function resolveHandlerEntry7(dirname) {
-  const sameDir = path7.join(dirname, HANDLER_NAME7);
-  if (fs7.existsSync(sameDir)) {
+  const sameDir = path8.join(dirname, HANDLER_NAME7);
+  if (fs8.existsSync(sameDir)) {
     return sameDir;
   }
-  return path7.join(dirname, "..", "..", "..", "..", "lib", HANDLER_NAME7);
+  return path8.join(dirname, "..", "..", "..", "..", "lib", HANDLER_NAME7);
 }
-var SeedDemoDataLambda = class extends Construct11 {
+var SeedDemoDataLambda = class extends Construct12 {
   constructor(scope, props) {
     super(scope, "seed-demo-data-lambda");
-    this.lambda = new NodejsFunction7(this, "handler", {
+    this.lambda = new NodejsFunction8(this, "handler", {
       entry: resolveHandlerEntry7(__dirname),
-      runtime: Runtime7.NODEJS_LATEST,
+      runtime: Runtime8.NODEJS_LATEST,
       memorySize: 512,
-      timeout: Duration6.minutes(2),
+      timeout: Duration7.minutes(2),
       environment: {
         DYNAMO_TABLE_NAME: props.dataStoreTable.tableName,
         [SEED_DEMO_DATA_USER_POOL_ID_ENV_VAR]: props.userPool.userPoolId
@@ -1844,7 +1993,7 @@ var SeedDemoDataLambda = class extends Construct11 {
           "cognito-idp:AdminSetUserPassword"
         ],
         resources: [
-          Stack4.of(this).formatArn({
+          Stack5.of(this).formatArn({
             service: "cognito-idp",
             resource: "userpool",
             resourceName: props.userPool.userPoolId
@@ -1861,7 +2010,7 @@ var SeedDemoDataLambda = class extends Construct11 {
       targets: [
         new LambdaFunction2(this.lambda, {
           retryAttempts: 2,
-          maxEventAge: Duration6.hours(2)
+          maxEventAge: Duration7.hours(2)
         })
       ]
     });
@@ -1869,8 +2018,8 @@ var SeedDemoDataLambda = class extends Construct11 {
 };
 
 // src/workflows/control-plane/seed-demo-data/seed-demo-data-workflow.ts
-import { Construct as Construct12 } from "constructs";
-var SeedDemoDataWorkflow = class extends Construct12 {
+import { Construct as Construct13 } from "constructs";
+var SeedDemoDataWorkflow = class extends Construct13 {
   constructor(scope, props) {
     super(scope, "seed-demo-data-workflow");
     this.seedDemoData = new SeedDemoDataLambda(this, {
@@ -1887,32 +2036,32 @@ var SeedDemoDataWorkflow = class extends Construct12 {
 };
 
 // src/workflows/control-plane/seed-system-data/seed-system-data-lambda.ts
-import fs8 from "fs";
-import path8 from "path";
+import fs9 from "fs";
+import path9 from "path";
 import { PLATFORM_ROLE_IDS } from "@openhi/types";
-import { Duration as Duration7, Stack as Stack5 } from "aws-cdk-lib";
+import { Duration as Duration8, Stack as Stack6 } from "aws-cdk-lib";
 import { Rule as Rule3 } from "aws-cdk-lib/aws-events";
 import { LambdaFunction as LambdaFunction3 } from "aws-cdk-lib/aws-events-targets";
 import { Effect as Effect4, PolicyStatement as PolicyStatement4 } from "aws-cdk-lib/aws-iam";
-import { Runtime as Runtime8 } from "aws-cdk-lib/aws-lambda";
-import { NodejsFunction as NodejsFunction8 } from "aws-cdk-lib/aws-lambda-nodejs";
-import { Construct as Construct13 } from "constructs";
+import { Runtime as Runtime9 } from "aws-cdk-lib/aws-lambda";
+import { NodejsFunction as NodejsFunction9 } from "aws-cdk-lib/aws-lambda-nodejs";
+import { Construct as Construct14 } from "constructs";
 var HANDLER_NAME8 = "seed-system-data.handler.js";
 function resolveHandlerEntry8(dirname) {
-  const sameDir = path8.join(dirname, HANDLER_NAME8);
-  if (fs8.existsSync(sameDir)) {
+  const sameDir = path9.join(dirname, HANDLER_NAME8);
+  if (fs9.existsSync(sameDir)) {
     return sameDir;
   }
-  return path8.join(dirname, "..", "..", "..", "..", "lib", HANDLER_NAME8);
+  return path9.join(dirname, "..", "..", "..", "..", "lib", HANDLER_NAME8);
 }
-var SeedSystemDataLambda = class extends Construct13 {
+var SeedSystemDataLambda = class extends Construct14 {
   constructor(scope, props) {
     super(scope, "seed-system-data-lambda");
-    this.lambda = new NodejsFunction8(this, "handler", {
+    this.lambda = new NodejsFunction9(this, "handler", {
       entry: resolveHandlerEntry8(__dirname),
-      runtime: Runtime8.NODEJS_LATEST,
+      runtime: Runtime9.NODEJS_LATEST,
       memorySize: 512,
-      timeout: Duration7.minutes(1),
+      timeout: Duration8.minutes(1),
       environment: {
         DYNAMO_TABLE_NAME: props.dataStoreTable.tableName,
         [SEED_SYSTEM_DATA_CONTROL_BUS_ENV_VAR]: props.controlEventBus.eventBusName
@@ -1934,7 +2083,7 @@ var SeedSystemDataLambda = class extends Construct13 {
       })
     );
     props.controlEventBus.grantPutEventsTo(this.lambda);
-    const hostStackName = Stack5.of(this).stackName;
+    const hostStackName = Stack6.of(this).stackName;
     this.rule = new Rule3(this, "rule", {
       eventBus: props.controlEventBus,
       eventPattern: {
@@ -1949,7 +2098,7 @@ var SeedSystemDataLambda = class extends Construct13 {
       targets: [
         new LambdaFunction3(this.lambda, {
           retryAttempts: 2,
-          maxEventAge: Duration7.hours(2)
+          maxEventAge: Duration8.hours(2)
         })
       ]
     });
@@ -1957,8 +2106,8 @@ var SeedSystemDataLambda = class extends Construct13 {
 };
 
 // src/workflows/control-plane/seed-system-data/seed-system-data-workflow.ts
-import { Construct as Construct14 } from "constructs";
-var SeedSystemDataWorkflow = class extends Construct14 {
+import { Construct as Construct15 } from "constructs";
+var SeedSystemDataWorkflow = class extends Construct15 {
   constructor(scope, props) {
     super(scope, "seed-system-data-workflow");
     this.seedSystemData = new SeedSystemDataLambda(this, {
@@ -2084,29 +2233,29 @@ _OpenHiDataService.SERVICE_TYPE = "data";
 var OpenHiDataService = _OpenHiDataService;
 
 // src/workflows/control-plane/user-onboarding/provision-default-workspace-lambda.ts
-import fs9 from "fs";
-import path9 from "path";
-import { Duration as Duration8 } from "aws-cdk-lib";
+import fs10 from "fs";
+import path10 from "path";
+import { Duration as Duration9 } from "aws-cdk-lib";
 import { Rule as Rule4 } from "aws-cdk-lib/aws-events";
 import { LambdaFunction as LambdaFunction4 } from "aws-cdk-lib/aws-events-targets";
 import { Effect as Effect5, PolicyStatement as PolicyStatement5 } from "aws-cdk-lib/aws-iam";
-import { Runtime as Runtime9 } from "aws-cdk-lib/aws-lambda";
-import { NodejsFunction as NodejsFunction9 } from "aws-cdk-lib/aws-lambda-nodejs";
-import { Construct as Construct15 } from "constructs";
+import { Runtime as Runtime10 } from "aws-cdk-lib/aws-lambda";
+import { NodejsFunction as NodejsFunction10 } from "aws-cdk-lib/aws-lambda-nodejs";
+import { Construct as Construct16 } from "constructs";
 var HANDLER_NAME9 = "provision-default-workspace.handler.js";
 function resolveHandlerEntry9(dirname) {
-  const sameDir = path9.join(dirname, HANDLER_NAME9);
-  if (fs9.existsSync(sameDir)) {
+  const sameDir = path10.join(dirname, HANDLER_NAME9);
+  if (fs10.existsSync(sameDir)) {
     return sameDir;
   }
-  return path9.join(dirname, "..", "..", "..", "..", "lib", HANDLER_NAME9);
+  return path10.join(dirname, "..", "..", "..", "..", "lib", HANDLER_NAME9);
 }
-var ProvisionDefaultWorkspaceLambda = class extends Construct15 {
+var ProvisionDefaultWorkspaceLambda = class extends Construct16 {
   constructor(scope, props) {
     super(scope, "provision-default-workspace-lambda");
-    this.lambda = new NodejsFunction9(this, "handler", {
+    this.lambda = new NodejsFunction10(this, "handler", {
       entry: resolveHandlerEntry9(__dirname),
-      runtime: Runtime9.NODEJS_LATEST,
+      runtime: Runtime10.NODEJS_LATEST,
       memorySize: 1024,
       environment: {
         DYNAMO_TABLE_NAME: props.dataStoreTable.tableName
@@ -2133,7 +2282,7 @@ var ProvisionDefaultWorkspaceLambda = class extends Construct15 {
       targets: [
         new LambdaFunction4(this.lambda, {
           retryAttempts: 2,
-          maxEventAge: Duration8.hours(2)
+          maxEventAge: Duration9.hours(2)
         })
       ]
     });
@@ -2141,8 +2290,8 @@ var ProvisionDefaultWorkspaceLambda = class extends Construct15 {
 };
 
 // src/workflows/control-plane/user-onboarding/user-onboarding-workflow.ts
-import { Construct as Construct16 } from "constructs";
-var UserOnboardingWorkflow = class extends Construct16 {
+import { Construct as Construct17 } from "constructs";
+var UserOnboardingWorkflow = class extends Construct17 {
   constructor(scope, props) {
     super(scope, "user-onboarding-workflow");
     this.provisionDefaultWorkspace = new ProvisionDefaultWorkspaceLambda(this, {
@@ -2360,7 +2509,7 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
       new PolicyStatement6({
         actions: ["cognito-idp:AdminUserGlobalSignOut"],
         resources: [
-          Stack6.of(this).formatArn({
+          Stack7.of(this).formatArn({
             service: "cognito-idp",
             resource: "userpool",
             resourceName: "*"
@@ -2429,60 +2578,60 @@ import { HttpUserPoolAuthorizer } from "aws-cdk-lib/aws-apigatewayv2-authorizers
 import { HttpLambdaIntegration } from "aws-cdk-lib/aws-apigatewayv2-integrations";
 import { Effect as Effect7, PolicyStatement as PolicyStatement7 } from "aws-cdk-lib/aws-iam";
 import {
-  ARecord,
+  ARecord as ARecord2,
   HostedZone as HostedZone3,
-  RecordTarget
+  RecordTarget as RecordTarget2
 } from "aws-cdk-lib/aws-route53";
 import { ApiGatewayv2DomainProperties } from "aws-cdk-lib/aws-route53-targets";
-import { Duration as Duration9 } from "aws-cdk-lib/core";
+import { Duration as Duration10 } from "aws-cdk-lib/core";
 
 // src/data/lambda/cors-options-lambda.ts
-import fs10 from "fs";
-import path10 from "path";
-import { Runtime as Runtime10 } from "aws-cdk-lib/aws-lambda";
-import { NodejsFunction as NodejsFunction10 } from "aws-cdk-lib/aws-lambda-nodejs";
-import { Construct as Construct17 } from "constructs";
+import fs11 from "fs";
+import path11 from "path";
+import { Runtime as Runtime11 } from "aws-cdk-lib/aws-lambda";
+import { NodejsFunction as NodejsFunction11 } from "aws-cdk-lib/aws-lambda-nodejs";
+import { Construct as Construct18 } from "constructs";
 var HANDLER_NAME10 = "cors-options-lambda.handler.js";
 function resolveHandlerEntry10(dirname) {
-  const sameDir = path10.join(dirname, HANDLER_NAME10);
-  if (fs10.existsSync(sameDir)) {
+  const sameDir = path11.join(dirname, HANDLER_NAME10);
+  if (fs11.existsSync(sameDir)) {
     return sameDir;
   }
-  const fromLib = path10.join(dirname, "..", "..", "..", "lib", HANDLER_NAME10);
+  const fromLib = path11.join(dirname, "..", "..", "..", "lib", HANDLER_NAME10);
   return fromLib;
 }
-var CorsOptionsLambda = class extends Construct17 {
+var CorsOptionsLambda = class extends Construct18 {
   constructor(scope, id = "cors-options-lambda") {
     super(scope, id);
-    this.lambda = new NodejsFunction10(this, "handler", {
+    this.lambda = new NodejsFunction11(this, "handler", {
       entry: resolveHandlerEntry10(__dirname),
-      runtime: Runtime10.NODEJS_LATEST,
+      runtime: Runtime11.NODEJS_LATEST,
       memorySize: 128
     });
   }
 };
 
 // src/data/lambda/rest-api-lambda.ts
-import fs11 from "fs";
-import path11 from "path";
-import { Runtime as Runtime11 } from "aws-cdk-lib/aws-lambda";
-import { NodejsFunction as NodejsFunction11 } from "aws-cdk-lib/aws-lambda-nodejs";
-import { Construct as Construct18 } from "constructs";
+import fs12 from "fs";
+import path12 from "path";
+import { Runtime as Runtime12 } from "aws-cdk-lib/aws-lambda";
+import { NodejsFunction as NodejsFunction12 } from "aws-cdk-lib/aws-lambda-nodejs";
+import { Construct as Construct19 } from "constructs";
 var HANDLER_NAME11 = "rest-api-lambda.handler.js";
 function resolveHandlerEntry11(dirname) {
-  const sameDir = path11.join(dirname, HANDLER_NAME11);
-  if (fs11.existsSync(sameDir)) {
+  const sameDir = path12.join(dirname, HANDLER_NAME11);
+  if (fs12.existsSync(sameDir)) {
     return sameDir;
   }
-  const fromLib = path11.join(dirname, "..", "..", "..", "lib", HANDLER_NAME11);
+  const fromLib = path12.join(dirname, "..", "..", "..", "lib", HANDLER_NAME11);
   return fromLib;
 }
-var RestApiLambda = class extends Construct18 {
+var RestApiLambda = class extends Construct19 {
   constructor(scope, props) {
     super(scope, "rest-api-lambda");
-    this.lambda = new NodejsFunction11(this, "handler", {
+    this.lambda = new NodejsFunction12(this, "handler", {
       entry: resolveHandlerEntry11(__dirname),
-      runtime: Runtime11.NODEJS_LATEST,
+      runtime: Runtime12.NODEJS_LATEST,
       memorySize: 1024,
       environment: {
         DYNAMO_TABLE_NAME: props.dynamoTableName,
@@ -2700,10 +2849,10 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
       integration
     });
     const apiPrefix = this.branchName === "main" ? `api` : `api-${this.childZonePrefix}`;
-    new ARecord(this, "api-a-record", {
+    new ARecord2(this, "api-a-record", {
       zone: hostedZone,
       recordName: apiPrefix,
-      target: RecordTarget.fromAlias(
+      target: RecordTarget2.fromAlias(
         new ApiGatewayv2DomainProperties(
           domainName.regionalDomainName,
           domainName.regionalHostedZoneId
@@ -2741,7 +2890,7 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
         "Authorization"
       ],
       allowCredentials: cors.allowCredentials ?? true,
-      maxAge: cors.maxAge ?? Duration9.days(1),
+      maxAge: cors.maxAge ?? Duration10.days(1),
       ...cors.exposeHeaders !== void 0 && {
         exposeHeaders: cors.exposeHeaders
       }
@@ -2806,34 +2955,186 @@ var _OpenHiGraphqlService = class _OpenHiGraphqlService extends OpenHiService {
 _OpenHiGraphqlService.SERVICE_TYPE = "graphql-api";
 var OpenHiGraphqlService = _OpenHiGraphqlService;
 
+// src/services/open-hi-website-service.ts
+var SSM_PARAM_NAME_FULL_DOMAIN = "WEBSITE_FULL_DOMAIN";
+var _OpenHiWebsiteService = class _OpenHiWebsiteService extends OpenHiService {
+  /**
+   * Looks up the static-hosting bucket ARN published by the release-branch
+   * deploy of this service.
+   */
+  static bucketArnFromConstruct(scope) {
+    return DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: StaticHosting.SSM_PARAM_NAME_BUCKET_ARN,
+      serviceType: _OpenHiWebsiteService.SERVICE_TYPE
+    });
+  }
+  /**
+   * Looks up the CloudFront distribution ARN published by the release-branch
+   * deploy of this service.
+   */
+  static distributionArnFromConstruct(scope) {
+    return DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: StaticHosting.SSM_PARAM_NAME_DISTRIBUTION_ARN,
+      serviceType: _OpenHiWebsiteService.SERVICE_TYPE
+    });
+  }
+  /**
+   * Looks up the CloudFront distribution domain
+   * (e.g. dXXXXX.cloudfront.net) published by the release-branch deploy.
+   */
+  static distributionDomainFromConstruct(scope) {
+    return DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: StaticHosting.SSM_PARAM_NAME_DISTRIBUTION_DOMAIN,
+      serviceType: _OpenHiWebsiteService.SERVICE_TYPE
+    });
+  }
+  /**
+   * Looks up the CloudFront distribution ID published by the release-branch
+   * deploy of this service.
+   */
+  static distributionIdFromConstruct(scope) {
+    return DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: StaticHosting.SSM_PARAM_NAME_DISTRIBUTION_ID,
+      serviceType: _OpenHiWebsiteService.SERVICE_TYPE
+    });
+  }
+  /**
+   * Looks up the website's full domain (e.g. www.example.com) published by
+   * the release-branch deploy of this service.
+   */
+  static fullDomainFromConstruct(scope) {
+    return DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: SSM_PARAM_NAME_FULL_DOMAIN,
+      serviceType: _OpenHiWebsiteService.SERVICE_TYPE
+    });
+  }
+  get serviceType() {
+    return _OpenHiWebsiteService.SERVICE_TYPE;
+  }
+  constructor(ohEnv, props) {
+    super(ohEnv, _OpenHiWebsiteService.SERVICE_TYPE, props);
+    this.props = props;
+    this.validateConfig(props);
+    const hostedZone = this.createHostedZone();
+    this.fullDomain = this.computeFullDomain(hostedZone);
+    const shouldCreateHostingInfra = props.createHostingInfrastructure ?? this.branchName === this.defaultReleaseBranch;
+    if (shouldCreateHostingInfra) {
+      const certificate = this.createCertificate();
+      this.staticHosting = this.createStaticHosting({
+        certificate,
+        hostedZone
+      });
+      this.createFullDomainParameter();
+    }
+    this.staticContent = this.createStaticContent();
+  }
+  /**
+   * Validates that config required for the website stack is present.
+   */
+  validateConfig(props) {
+    const { config } = props;
+    if (!config) {
+      throw new Error("Config is required");
+    }
+    if (!config.zoneName) {
+      throw new Error("Zone name is required");
+    }
+  }
+  /**
+   * Looks up the child hosted zone published by the Global service.
+   * Override to customize.
+   */
+  createHostedZone() {
+    return OpenHiGlobalService.childHostedZoneFromConstruct(this, {
+      zoneName: this.config.zoneName
+    });
+  }
+  /**
+   * Returns the wildcard certificate looked up from the Global service.
+   * Override to customize.
+   */
+  createCertificate() {
+    return OpenHiGlobalService.rootWildcardCertificateFromConstruct(this);
+  }
+  /**
+   * Computes the full website domain from `domainPrefix` and the child
+   * zone name.
+   */
+  computeFullDomain(hostedZone) {
+    const prefix = this.props.domainPrefix ?? "www";
+    return [prefix, hostedZone.zoneName].join(".");
+  }
+  /**
+   * Creates the StaticHosting infrastructure (bucket + distribution +
+   * Lambda@Edge + 4 SSM params + DNS).
+   */
+  createStaticHosting(deps) {
+    return new StaticHosting(this, "static-hosting", {
+      serviceType: _OpenHiWebsiteService.SERVICE_TYPE,
+      certificate: deps.certificate,
+      hostedZone: deps.hostedZone,
+      domainNames: [this.fullDomain],
+      description: `OpenHI website (${this.fullDomain})`
+    });
+  }
+  /**
+   * Creates the SSM parameter that publishes the website's full domain.
+   * Look up via {@link OpenHiWebsiteService.fullDomainFromConstruct}.
+   */
+  createFullDomainParameter() {
+    new DiscoverableStringParameter(this, "full-domain-param", {
+      ssmParamName: SSM_PARAM_NAME_FULL_DOMAIN,
+      serviceType: _OpenHiWebsiteService.SERVICE_TYPE,
+      stringValue: this.fullDomain,
+      description: "Full website domain (e.g. www.example.com)"
+    });
+  }
+  /**
+   * Creates the StaticContent uploader. Always created so feature-branch
+   * deploys can publish content to their own sub-domain folder against the
+   * release-branch bucket.
+   */
+  createStaticContent() {
+    const { contentSourceDirectory, contentDestinationDirectory } = this.props;
+    return new StaticContent(this, "static-content", {
+      contentSourceDirectory,
+      contentDestinationDirectory,
+      fullDomain: this.fullDomain,
+      serviceType: _OpenHiWebsiteService.SERVICE_TYPE
+    });
+  }
+};
+_OpenHiWebsiteService.SERVICE_TYPE = "website";
+var OpenHiWebsiteService = _OpenHiWebsiteService;
+
 // src/workflows/control-plane/owning-delete-cascade/owning-delete-cascade-lambdas.ts
-import fs12 from "fs";
-import path12 from "path";
-import { Duration as Duration10 } from "aws-cdk-lib";
+import fs13 from "fs";
+import path13 from "path";
+import { Duration as Duration11 } from "aws-cdk-lib";
 import { Effect as Effect8, PolicyStatement as PolicyStatement8 } from "aws-cdk-lib/aws-iam";
-import { Runtime as Runtime12 } from "aws-cdk-lib/aws-lambda";
-import { NodejsFunction as NodejsFunction12 } from "aws-cdk-lib/aws-lambda-nodejs";
-import { Construct as Construct19 } from "constructs";
+import { Runtime as Runtime13 } from "aws-cdk-lib/aws-lambda";
+import { NodejsFunction as NodejsFunction13 } from "aws-cdk-lib/aws-lambda-nodejs";
+import { Construct as Construct20 } from "constructs";
 function resolveHandlerEntry12(dirname, handlerName) {
-  const sameDir = path12.join(dirname, handlerName);
-  if (fs12.existsSync(sameDir)) {
+  const sameDir = path13.join(dirname, handlerName);
+  if (fs13.existsSync(sameDir)) {
     return { entry: sameDir, handler: "handler" };
   }
-  const libDir = path12.join(dirname, "..", "..", "..", "..", "lib", handlerName);
+  const libDir = path13.join(dirname, "..", "..", "..", "..", "lib", handlerName);
   return { entry: libDir, handler: "handler" };
 }
-var OwningDeleteCascadeLambdas = class extends Construct19 {
+var OwningDeleteCascadeLambdas = class extends Construct20 {
   constructor(scope, props) {
     super(scope, "owning-delete-cascade-lambdas");
     const listResolved = resolveHandlerEntry12(
       __dirname,
       "list-chunks.handler.js"
     );
-    this.listChunks = new NodejsFunction12(this, "list-chunks-handler", {
+    this.listChunks = new NodejsFunction13(this, "list-chunks-handler", {
       entry: listResolved.entry,
-      runtime: Runtime12.NODEJS_LATEST,
+      runtime: Runtime13.NODEJS_LATEST,
       memorySize: 512,
-      timeout: Duration10.minutes(1),
+      timeout: Duration11.minutes(1),
       environment: {
         DYNAMO_TABLE_NAME: props.dataStoreTable.tableName
       }
@@ -2843,11 +3144,11 @@ var OwningDeleteCascadeLambdas = class extends Construct19 {
       __dirname,
       "delete-chunk.handler.js"
     );
-    this.deleteChunk = new NodejsFunction12(this, "delete-chunk-handler", {
+    this.deleteChunk = new NodejsFunction13(this, "delete-chunk-handler", {
       entry: deleteResolved.entry,
-      runtime: Runtime12.NODEJS_LATEST,
+      runtime: Runtime13.NODEJS_LATEST,
       memorySize: 512,
-      timeout: Duration10.minutes(1),
+      timeout: Duration11.minutes(1),
       environment: {
         DYNAMO_TABLE_NAME: props.dataStoreTable.tableName
       }
@@ -2862,11 +3163,11 @@ var OwningDeleteCascadeLambdas = class extends Construct19 {
       __dirname,
       "finalize.handler.js"
     );
-    this.finalize = new NodejsFunction12(this, "finalize-handler", {
+    this.finalize = new NodejsFunction13(this, "finalize-handler", {
       entry: finalizeResolved.entry,
-      runtime: Runtime12.NODEJS_LATEST,
+      runtime: Runtime13.NODEJS_LATEST,
       memorySize: 512,
-      timeout: Duration10.minutes(1),
+      timeout: Duration11.minutes(1),
       environment: {
         DYNAMO_TABLE_NAME: props.dataStoreTable.tableName,
         [OWNING_DELETE_OPS_EVENT_BUS_ENV_VAR]: props.opsEventBus.eventBusName
@@ -2884,7 +3185,7 @@ var OwningDeleteCascadeLambdas = class extends Construct19 {
 };
 
 // src/workflows/control-plane/owning-delete-cascade/owning-delete-cascade-workflow.ts
-import { Duration as Duration11 } from "aws-cdk-lib";
+import { Duration as Duration12 } from "aws-cdk-lib";
 import { Rule as Rule5 } from "aws-cdk-lib/aws-events";
 import { SfnStateMachine } from "aws-cdk-lib/aws-events-targets";
 import {
@@ -2900,8 +3201,8 @@ import {
   WaitTime
 } from "aws-cdk-lib/aws-stepfunctions";
 import { LambdaInvoke } from "aws-cdk-lib/aws-stepfunctions-tasks";
-import { Construct as Construct20 } from "constructs";
-var OwningDeleteCascadeWorkflow = class extends Construct20 {
+import { Construct as Construct21 } from "constructs";
+var OwningDeleteCascadeWorkflow = class extends Construct21 {
   constructor(scope, props) {
     super(scope, "owning-delete-cascade-workflow");
     this.lambdas = new OwningDeleteCascadeLambdas(this, {
@@ -3010,7 +3311,7 @@ var OwningDeleteCascadeWorkflow = class extends Construct20 {
       }
     });
     const interPageWait = new Wait(this, "inter-page-wait", {
-      time: WaitTime.duration(Duration11.seconds(0))
+      time: WaitTime.duration(Duration12.seconds(0))
     });
     const isExhausted = new Choice(this, "is-exhausted");
     const finalize = new LambdaInvoke(this, "finalize", {
@@ -3041,7 +3342,7 @@ var OwningDeleteCascadeWorkflow = class extends Construct20 {
       // Long timeout because real-world cascades can run minutes when
       // a workspace has thousands of members. The stuck-cascade alarm
       // fires at 15 minutes; the state machine itself does not abort.
-      timeout: Duration11.hours(2)
+      timeout: Duration12.hours(2)
     });
     this.rule = new Rule5(this, "rule", {
       eventBus: props.dataEventBus,
@@ -3052,7 +3353,7 @@ var OwningDeleteCascadeWorkflow = class extends Construct20 {
       targets: [
         new SfnStateMachine(this.stateMachine, {
           retryAttempts: 2,
-          maxEventAge: Duration11.hours(2)
+          maxEventAge: Duration12.hours(2)
         })
       ]
     });
@@ -3060,33 +3361,33 @@ var OwningDeleteCascadeWorkflow = class extends Construct20 {
 };
 
 // src/workflows/control-plane/rename-cascade/rename-cascade-lambdas.ts
-import fs13 from "fs";
-import path13 from "path";
-import { Duration as Duration12 } from "aws-cdk-lib";
+import fs14 from "fs";
+import path14 from "path";
+import { Duration as Duration13 } from "aws-cdk-lib";
 import { Effect as Effect9, PolicyStatement as PolicyStatement9 } from "aws-cdk-lib/aws-iam";
-import { Runtime as Runtime13 } from "aws-cdk-lib/aws-lambda";
-import { NodejsFunction as NodejsFunction13 } from "aws-cdk-lib/aws-lambda-nodejs";
-import { Construct as Construct21 } from "constructs";
+import { Runtime as Runtime14 } from "aws-cdk-lib/aws-lambda";
+import { NodejsFunction as NodejsFunction14 } from "aws-cdk-lib/aws-lambda-nodejs";
+import { Construct as Construct22 } from "constructs";
 function resolveHandlerEntry13(dirname, handlerName) {
-  const sameDir = path13.join(dirname, handlerName);
-  if (fs13.existsSync(sameDir)) {
+  const sameDir = path14.join(dirname, handlerName);
+  if (fs14.existsSync(sameDir)) {
     return { entry: sameDir, handler: "handler" };
   }
-  const libDir = path13.join(dirname, "..", "..", "..", "..", "lib", handlerName);
+  const libDir = path14.join(dirname, "..", "..", "..", "..", "lib", handlerName);
   return { entry: libDir, handler: "handler" };
 }
-var RenameCascadeLambdas = class extends Construct21 {
+var RenameCascadeLambdas = class extends Construct22 {
   constructor(scope, props) {
     super(scope, "rename-cascade-lambdas");
     const listResolved = resolveHandlerEntry13(
       __dirname,
       "rename-list-targets.handler.js"
     );
-    this.listTargets = new NodejsFunction13(this, "list-targets-handler", {
+    this.listTargets = new NodejsFunction14(this, "list-targets-handler", {
       entry: listResolved.entry,
-      runtime: Runtime13.NODEJS_LATEST,
+      runtime: Runtime14.NODEJS_LATEST,
       memorySize: 512,
-      timeout: Duration12.minutes(1),
+      timeout: Duration13.minutes(1),
       environment: {
         DYNAMO_TABLE_NAME: props.dataStoreTable.tableName
       }
@@ -3096,11 +3397,11 @@ var RenameCascadeLambdas = class extends Construct21 {
       __dirname,
       "rename-rewrite-chunk.handler.js"
     );
-    this.rewriteChunk = new NodejsFunction13(this, "rewrite-chunk-handler", {
+    this.rewriteChunk = new NodejsFunction14(this, "rewrite-chunk-handler", {
       entry: rewriteResolved.entry,
-      runtime: Runtime13.NODEJS_LATEST,
+      runtime: Runtime14.NODEJS_LATEST,
       memorySize: 512,
-      timeout: Duration12.minutes(1),
+      timeout: Duration13.minutes(1),
       environment: {
         DYNAMO_TABLE_NAME: props.dataStoreTable.tableName
       }
@@ -3115,11 +3416,11 @@ var RenameCascadeLambdas = class extends Construct21 {
       __dirname,
       "rename-finalize.handler.js"
     );
-    this.finalize = new NodejsFunction13(this, "finalize-handler", {
+    this.finalize = new NodejsFunction14(this, "finalize-handler", {
       entry: finalizeResolved.entry,
-      runtime: Runtime13.NODEJS_LATEST,
+      runtime: Runtime14.NODEJS_LATEST,
       memorySize: 512,
-      timeout: Duration12.minutes(1),
+      timeout: Duration13.minutes(1),
       environment: {
         [RENAME_CASCADE_OPS_EVENT_BUS_ENV_VAR]: props.opsEventBus.eventBusName
       }
@@ -3135,7 +3436,7 @@ var RenameCascadeLambdas = class extends Construct21 {
 };
 
 // src/workflows/control-plane/rename-cascade/rename-cascade-workflow.ts
-import { Duration as Duration13 } from "aws-cdk-lib";
+import { Duration as Duration14 } from "aws-cdk-lib";
 import { Rule as Rule6 } from "aws-cdk-lib/aws-events";
 import { SfnStateMachine as SfnStateMachine2 } from "aws-cdk-lib/aws-events-targets";
 import {
@@ -3149,8 +3450,8 @@ import {
   TaskInput as TaskInput2
 } from "aws-cdk-lib/aws-stepfunctions";
 import { LambdaInvoke as LambdaInvoke2 } from "aws-cdk-lib/aws-stepfunctions-tasks";
-import { Construct as Construct22 } from "constructs";
-var RenameCascadeWorkflow = class extends Construct22 {
+import { Construct as Construct23 } from "constructs";
+var RenameCascadeWorkflow = class extends Construct23 {
   constructor(scope, props) {
     super(scope, "rename-cascade-workflow");
     this.lambdas = new RenameCascadeLambdas(this, {
@@ -3294,7 +3595,7 @@ var RenameCascadeWorkflow = class extends Construct22 {
       // Long timeout — large renames may rewrite thousands of rows;
       // the `CascadeSlow` alarm fires at 300s p99 but the state
       // machine itself does not abort.
-      timeout: Duration13.hours(2)
+      timeout: Duration14.hours(2)
     });
     this.rule = new Rule6(this, "rule", {
       eventBus: props.dataEventBus,
@@ -3305,7 +3606,7 @@ var RenameCascadeWorkflow = class extends Construct22 {
       targets: [
         new SfnStateMachine2(this.stateMachine, {
           retryAttempts: 2,
-          maxEventAge: Duration13.hours(2)
+          maxEventAge: Duration14.hours(2)
         })
       ]
     });
@@ -3371,6 +3672,7 @@ export {
   OpenHiRestApiService,
   OpenHiService,
   OpenHiStage,
+  OpenHiWebsiteService,
   OpsEventBus,
   OwningDeleteCascadeLambdas,
   OwningDeleteCascadeWorkflow,
@@ -3406,11 +3708,13 @@ export {
   SEED_SYSTEM_DATA_ACTOR_SYSTEM,
   SEED_SYSTEM_DATA_CONSUMER_NAME,
   SEED_SYSTEM_DATA_CONTROL_BUS_ENV_VAR,
+  SSM_PARAM_NAME_FULL_DOMAIN,
   STATIC_HOSTING_SERVICE_TYPE,
   SeedDemoDataLambda,
   SeedDemoDataWorkflow,
   SeedSystemDataLambda,
   SeedSystemDataWorkflow,
+  StaticContent,
   StaticHosting,
   USER_ONBOARDING_EVENT_SOURCE,
   UserOnboardingWorkflow,