@openhi/constructs 0.0.116 → 0.0.118

package/lib/index.mjs

@@ -386,6 +386,16 @@ var OpenHiService = class extends Stack {
       ),
       6
     );
+    const releaseBranchHash = hashString(
+      [
+        appName,
+        ohEnv.deploymentTargetRole,
+        account,
+        region,
+        defaultReleaseBranch
+      ].join("-"),
+      6
+    );
     const stackHash = hashString(
       [
         appName,
@@ -416,6 +426,7 @@ var OpenHiService = class extends Stack {
     this.branchName = branchName;
     this.environmentHash = environmentHash;
     this.branchHash = branchHash;
+    this.releaseBranchHash = releaseBranchHash;
     this.stackHash = stackHash;
     this.node.setContext(
       `availability-zones:account=${account}:region=${region}`,
@@ -1176,7 +1187,9 @@ var WorkflowDedupConsumerNameInvalidError = class extends Error {
 };
 
 // src/components/event-bridge/data-event-bus.ts
-import { EventBus } from "aws-cdk-lib/aws-events";
+import { Duration as Duration2, Stack as Stack2 } from "aws-cdk-lib";
+import { Archive, EventBus } from "aws-cdk-lib/aws-events";
+var DEFAULT_ARCHIVE_RETENTION = Duration2.days(7);
 var DataEventBus = class _DataEventBus extends EventBus {
   /*****************************************************************************
    *
@@ -1189,11 +1202,19 @@ var DataEventBus = class _DataEventBus extends EventBus {
     const stack = OpenHiService.of(scope);
     return `datav1${stack.branchHash}`;
   }
-  constructor(scope, props) {
+  constructor(scope, props = void 0) {
+    const { archiveRetention, ...busProps } = props ?? {};
     super(scope, "data-event-bus-v1", {
-      ...props,
+      ...busProps,
       eventBusName: _DataEventBus.getEventBusName(scope)
     });
+    this.replayArchive = new Archive(this, "Archive", {
+      sourceEventBus: this,
+      archiveName: `${_DataEventBus.getEventBusName(scope)}-archive`,
+      description: "Replay archive for the OpenHI data event bus (data-store change notifications).",
+      eventPattern: { account: [Stack2.of(this).account] },
+      retention: archiveRetention ?? DEFAULT_ARCHIVE_RETENTION
+    });
   }
 };
 
@@ -1244,7 +1265,7 @@ var ControlEventBus = class _ControlEventBus extends EventBus3 {
 // src/components/postgres/data-store-postgres-replica.ts
 import fs5 from "fs";
 import path5 from "path";
-import { Duration as Duration2, Stack as Stack2 } from "aws-cdk-lib";
+import { Duration as Duration3, Stack as Stack3 } from "aws-cdk-lib";
 import * as ec2 from "aws-cdk-lib/aws-ec2";
 import { Runtime as Runtime5, StartingPosition } from "aws-cdk-lib/aws-lambda";
 import { KinesisEventSource } from "aws-cdk-lib/aws-lambda-event-sources";
@@ -1310,7 +1331,7 @@ var DataStorePostgresReplica = class extends Construct6 {
     super(scope, id);
     this.databaseName = props.databaseName ?? DEFAULT_DATABASE_NAME;
     this.schemaName = getPostgresReplicaSchemaName(props.branchHash);
-    const region = Stack2.of(this).region;
+    const region = Stack3.of(this).region;
     this.vpc = props.vpc ?? new ec2.Vpc(this, "Vpc", {
       availabilityZones: [`${region}a`, `${region}b`],
       natGateways: 0,
@@ -1346,7 +1367,7 @@ var DataStorePostgresReplica = class extends Construct6 {
       entry: resolveHandlerEntry5(__dirname),
       runtime: Runtime5.NODEJS_LATEST,
       memorySize: 512,
-      timeout: Duration2.minutes(1),
+      timeout: Duration3.minutes(1),
       vpc: this.vpc,
       vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE_ISOLATED },
       description: "Replicates DynamoDB current-resource changes into the Postgres `resources` JSONB table (ADR 2026-04-17-01).",
@@ -1373,7 +1394,7 @@ var DataStorePostgresReplica = class extends Construct6 {
       new KinesisEventSource(props.kinesisStream, {
         startingPosition: StartingPosition.LATEST,
         batchSize: 100,
-        maxBatchingWindow: Duration2.seconds(5),
+        maxBatchingWindow: Duration3.seconds(5),
         retryAttempts: 10,
         bisectBatchOnError: true,
         parallelizationFactor: 2,
@@ -1406,7 +1427,7 @@ var DataStorePostgresReplica = class extends Construct6 {
 };
 
 // src/components/route-53/child-hosted-zone.ts
-import { Duration as Duration3 } from "aws-cdk-lib";
+import { Duration as Duration4 } from "aws-cdk-lib";
 import {
   HostedZone,
   NsRecord
@@ -1418,7 +1439,7 @@ var ChildHostedZone = class extends HostedZone {
       zone: props.parentHostedZone,
       recordName: this.zoneName,
       values: this.hostedZoneNameServers || [],
-      ttl: Duration3.minutes(5)
+      ttl: Duration4.minutes(5)
     });
   }
 };
@@ -1433,15 +1454,36 @@ var RootHostedZone = class extends Construct7 {
 };
 
 // src/components/static-hosting/static-content.ts
-import { Bucket as Bucket3 } from "aws-cdk-lib/aws-s3";
 import { BucketDeployment, Source } from "aws-cdk-lib/aws-s3-deployment";
 import { paramCase as paramCase2 } from "change-case";
-import { Construct as Construct9 } from "constructs";
+import { Construct as Construct8 } from "constructs";
+var StaticContent = class extends Construct8 {
+  constructor(scope, id, props) {
+    super(scope, id);
+    const stack = OpenHiService.of(scope);
+    const {
+      bucket,
+      contentSourceDirectory,
+      contentDestinationDirectory = "/",
+      subDomain = stack.branchName,
+      fullDomain
+    } = props;
+    const keyPrefix = [paramCase2(subDomain), fullDomain].join(".");
+    const isTestEnv = process.env.JEST_WORKER_ID !== void 0;
+    const sources = isTestEnv ? [] : [Source.asset(contentSourceDirectory)];
+    new BucketDeployment(this, "deploy", {
+      sources,
+      destinationBucket: bucket,
+      retainOnDelete: false,
+      destinationKeyPrefix: `${keyPrefix}${contentDestinationDirectory}`
+    });
+  }
+};
 
 // src/components/static-hosting/static-hosting.ts
 import * as fs6 from "fs";
 import * as path6 from "path";
-import { Duration as Duration4 } from "aws-cdk-lib";
+import { Duration as Duration5 } from "aws-cdk-lib";
 import {
   AccessLevel,
   AllowedMethods,
@@ -1465,9 +1507,9 @@ import {
 } from "aws-cdk-lib/aws-route53";
 import { CloudFrontTarget } from "aws-cdk-lib/aws-route53-targets";
 import { Bucket as Bucket2 } from "aws-cdk-lib/aws-s3";
-import { Construct as Construct8 } from "constructs";
+import { Construct as Construct9 } from "constructs";
 var STATIC_HOSTING_SERVICE_TYPE = "website";
-var _StaticHosting = class _StaticHosting extends Construct8 {
+var _StaticHosting = class _StaticHosting extends Construct9 {
   constructor(scope, id, props = {}) {
     super(scope, id);
     const stack = OpenHiService.of(scope);
@@ -1507,9 +1549,9 @@ var _StaticHosting = class _StaticHosting extends Construct8 {
     const cachePolicy = new CachePolicy(this, "cache-policy", {
       cachePolicyName: `static-hosting-${stack.branchHash}`,
       comment: "Static hosting default: 60s default / 300s max, gzip+brotli.",
-      defaultTtl: Duration4.seconds(60),
-      minTtl: Duration4.seconds(0),
-      maxTtl: Duration4.seconds(300),
+      defaultTtl: Duration5.seconds(60),
+      minTtl: Duration5.seconds(0),
+      maxTtl: Duration5.seconds(300),
       headerBehavior: CacheHeaderBehavior.none(),
       queryStringBehavior: CacheQueryStringBehavior.none(),
       cookieBehavior: CacheCookieBehavior.none(),
@@ -1603,35 +1645,6 @@ _StaticHosting.SSM_PARAM_NAME_DISTRIBUTION_DOMAIN = "STATIC_HOSTING_DISTRIBUTION
 _StaticHosting.SSM_PARAM_NAME_DISTRIBUTION_ID = "STATIC_HOSTING_DISTRIBUTION_ID";
 var StaticHosting = _StaticHosting;
 
-// src/components/static-hosting/static-content.ts
-var StaticContent = class extends Construct9 {
-  constructor(scope, id, props) {
-    super(scope, id);
-    const stack = OpenHiService.of(scope);
-    const {
-      contentSourceDirectory,
-      contentDestinationDirectory = "/",
-      subDomain = stack.branchName,
-      fullDomain,
-      serviceType = STATIC_HOSTING_SERVICE_TYPE
-    } = props;
-    const keyPrefix = [paramCase2(subDomain), fullDomain].join(".");
-    const bucketArn = DiscoverableStringParameter.valueForLookupName(this, {
-      ssmParamName: StaticHosting.SSM_PARAM_NAME_BUCKET_ARN,
-      serviceType
-    });
-    const bucket = Bucket3.fromBucketArn(this, "bucket", bucketArn);
-    const isTestEnv = process.env.JEST_WORKER_ID !== void 0;
-    const sources = isTestEnv ? [] : [Source.asset(contentSourceDirectory)];
-    new BucketDeployment(this, "deploy", {
-      sources,
-      destinationBucket: bucket,
-      retainOnDelete: false,
-      destinationKeyPrefix: `${keyPrefix}${contentDestinationDirectory}`
-    });
-  }
-};
-
 // src/services/open-hi-auth-service.ts
 import {
   LambdaVersion,
@@ -1642,7 +1655,7 @@ import {
 } from "aws-cdk-lib/aws-cognito";
 import { Effect as Effect6, PolicyStatement as PolicyStatement6 } from "aws-cdk-lib/aws-iam";
 import { Key as Key2 } from "aws-cdk-lib/aws-kms";
-import { Stack as Stack6 } from "aws-cdk-lib/core";
+import { Stack as Stack7 } from "aws-cdk-lib/core";
 
 // src/services/open-hi-data-service.ts
 var import_config4 = __toESM(require_lib2());
@@ -1666,7 +1679,7 @@ import { Construct as Construct11 } from "constructs";
 // src/workflows/control-plane/platform-deploy-bridge/platform-deploy-bridge-lambda.ts
 import fs7 from "fs";
 import path7 from "path";
-import { Duration as Duration5, Stack as Stack3 } from "aws-cdk-lib";
+import { Duration as Duration6, Stack as Stack4 } from "aws-cdk-lib";
 import { Rule } from "aws-cdk-lib/aws-events";
 import { LambdaFunction } from "aws-cdk-lib/aws-events-targets";
 import { Effect as Effect2, PolicyStatement as PolicyStatement2 } from "aws-cdk-lib/aws-iam";
@@ -1690,15 +1703,15 @@ var PlatformDeployBridgeLambda = class extends Construct10 {
       OPENHI_TAG_SUFFIX_REPO_NAME
     );
     const tagKeyPrefix = `${service.appName}:`;
-    const ownStackName = Stack3.of(this).stackName;
-    const ownSuffix = `-${service.serviceId}-${Stack3.of(this).account}-${Stack3.of(this).region}`;
+    const ownStackName = Stack4.of(this).stackName;
+    const ownSuffix = `-${service.serviceId}-${Stack4.of(this).account}-${Stack4.of(this).region}`;
     const sharedPrefix = ownStackName.endsWith(ownSuffix) ? ownStackName.slice(0, -ownSuffix.length) : service.branchHash;
-    const stackIdPrefix = `arn:aws:cloudformation:${Stack3.of(this).region}:${Stack3.of(this).account}:stack/${sharedPrefix}-`;
+    const stackIdPrefix = `arn:aws:cloudformation:${Stack4.of(this).region}:${Stack4.of(this).account}:stack/${sharedPrefix}-`;
     this.lambda = new NodejsFunction7(this, "handler", {
       entry: resolveHandlerEntry6(__dirname),
       runtime: Runtime7.NODEJS_LATEST,
       memorySize: 256,
-      timeout: Duration5.seconds(30),
+      timeout: Duration6.seconds(30),
       environment: {
         [CONTROL_EVENT_BUS_NAME_ENV_VAR]: props.controlEventBus.eventBusName,
         [OPENHI_REPO_TAG_KEY_ENV_VAR]: repoTagKey,
@@ -1710,7 +1723,7 @@ var PlatformDeployBridgeLambda = class extends Construct10 {
         effect: Effect2.ALLOW,
         actions: ["cloudformation:DescribeStacks"],
         resources: [
-          `arn:aws:cloudformation:${Stack3.of(this).region}:${Stack3.of(this).account}:stack/*`
+          `arn:aws:cloudformation:${Stack4.of(this).region}:${Stack4.of(this).account}:stack/*`
         ]
       })
     );
@@ -1729,7 +1742,7 @@ var PlatformDeployBridgeLambda = class extends Construct10 {
       targets: [
         new LambdaFunction(this.lambda, {
           retryAttempts: 2,
-          maxEventAge: Duration5.hours(2)
+          maxEventAge: Duration6.hours(2)
         })
       ]
     });
@@ -1932,7 +1945,7 @@ var OpenHiGlobalService = _OpenHiGlobalService;
 // src/workflows/control-plane/seed-demo-data/seed-demo-data-lambda.ts
 import fs8 from "fs";
 import path8 from "path";
-import { Duration as Duration6, Stack as Stack4 } from "aws-cdk-lib";
+import { Duration as Duration7, Stack as Stack5 } from "aws-cdk-lib";
 import { Rule as Rule2 } from "aws-cdk-lib/aws-events";
 import { LambdaFunction as LambdaFunction2 } from "aws-cdk-lib/aws-events-targets";
 import { Effect as Effect3, PolicyStatement as PolicyStatement3 } from "aws-cdk-lib/aws-iam";
@@ -1954,7 +1967,7 @@ var SeedDemoDataLambda = class extends Construct12 {
       entry: resolveHandlerEntry7(__dirname),
       runtime: Runtime8.NODEJS_LATEST,
       memorySize: 512,
-      timeout: Duration6.minutes(2),
+      timeout: Duration7.minutes(2),
       environment: {
         DYNAMO_TABLE_NAME: props.dataStoreTable.tableName,
         [SEED_DEMO_DATA_USER_POOL_ID_ENV_VAR]: props.userPool.userPoolId
@@ -1983,7 +1996,7 @@ var SeedDemoDataLambda = class extends Construct12 {
           "cognito-idp:AdminSetUserPassword"
         ],
         resources: [
-          Stack4.of(this).formatArn({
+          Stack5.of(this).formatArn({
             service: "cognito-idp",
             resource: "userpool",
             resourceName: props.userPool.userPoolId
@@ -2000,7 +2013,7 @@ var SeedDemoDataLambda = class extends Construct12 {
       targets: [
         new LambdaFunction2(this.lambda, {
           retryAttempts: 2,
-          maxEventAge: Duration6.hours(2)
+          maxEventAge: Duration7.hours(2)
         })
       ]
     });
@@ -2029,7 +2042,7 @@ var SeedDemoDataWorkflow = class extends Construct13 {
 import fs9 from "fs";
 import path9 from "path";
 import { PLATFORM_ROLE_IDS } from "@openhi/types";
-import { Duration as Duration7, Stack as Stack5 } from "aws-cdk-lib";
+import { Duration as Duration8, Stack as Stack6 } from "aws-cdk-lib";
 import { Rule as Rule3 } from "aws-cdk-lib/aws-events";
 import { LambdaFunction as LambdaFunction3 } from "aws-cdk-lib/aws-events-targets";
 import { Effect as Effect4, PolicyStatement as PolicyStatement4 } from "aws-cdk-lib/aws-iam";
@@ -2051,7 +2064,7 @@ var SeedSystemDataLambda = class extends Construct14 {
       entry: resolveHandlerEntry8(__dirname),
       runtime: Runtime9.NODEJS_LATEST,
       memorySize: 512,
-      timeout: Duration7.minutes(1),
+      timeout: Duration8.minutes(1),
       environment: {
         DYNAMO_TABLE_NAME: props.dataStoreTable.tableName,
         [SEED_SYSTEM_DATA_CONTROL_BUS_ENV_VAR]: props.controlEventBus.eventBusName
@@ -2073,7 +2086,7 @@ var SeedSystemDataLambda = class extends Construct14 {
       })
     );
     props.controlEventBus.grantPutEventsTo(this.lambda);
-    const hostStackName = Stack5.of(this).stackName;
+    const hostStackName = Stack6.of(this).stackName;
     this.rule = new Rule3(this, "rule", {
       eventBus: props.controlEventBus,
       eventPattern: {
@@ -2088,7 +2101,7 @@ var SeedSystemDataLambda = class extends Construct14 {
       targets: [
         new LambdaFunction3(this.lambda, {
           retryAttempts: 2,
-          maxEventAge: Duration7.hours(2)
+          maxEventAge: Duration8.hours(2)
         })
       ]
     });
@@ -2225,7 +2238,7 @@ var OpenHiDataService = _OpenHiDataService;
 // src/workflows/control-plane/user-onboarding/provision-default-workspace-lambda.ts
 import fs10 from "fs";
 import path10 from "path";
-import { Duration as Duration8 } from "aws-cdk-lib";
+import { Duration as Duration9 } from "aws-cdk-lib";
 import { Rule as Rule4 } from "aws-cdk-lib/aws-events";
 import { LambdaFunction as LambdaFunction4 } from "aws-cdk-lib/aws-events-targets";
 import { Effect as Effect5, PolicyStatement as PolicyStatement5 } from "aws-cdk-lib/aws-iam";
@@ -2272,7 +2285,7 @@ var ProvisionDefaultWorkspaceLambda = class extends Construct16 {
       targets: [
         new LambdaFunction4(this.lambda, {
           retryAttempts: 2,
-          maxEventAge: Duration8.hours(2)
+          maxEventAge: Duration9.hours(2)
         })
       ]
     });
@@ -2499,7 +2512,7 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
       new PolicyStatement6({
         actions: ["cognito-idp:AdminUserGlobalSignOut"],
         resources: [
-          Stack6.of(this).formatArn({
+          Stack7.of(this).formatArn({
             service: "cognito-idp",
             resource: "userpool",
             resourceName: "*"
@@ -2573,7 +2586,7 @@ import {
   RecordTarget as RecordTarget2
 } from "aws-cdk-lib/aws-route53";
 import { ApiGatewayv2DomainProperties } from "aws-cdk-lib/aws-route53-targets";
-import { Duration as Duration9 } from "aws-cdk-lib/core";
+import { Duration as Duration10 } from "aws-cdk-lib/core";
 
 // src/data/lambda/cors-options-lambda.ts
 import fs11 from "fs";
@@ -2880,7 +2893,7 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
         "Authorization"
       ],
       allowCredentials: cors.allowCredentials ?? true,
-      maxAge: cors.maxAge ?? Duration9.days(1),
+      maxAge: cors.maxAge ?? Duration10.days(1),
       ...cors.exposeHeaders !== void 0 && {
         exposeHeaders: cors.exposeHeaders
       }
@@ -2946,6 +2959,7 @@ _OpenHiGraphqlService.SERVICE_TYPE = "graphql-api";
 var OpenHiGraphqlService = _OpenHiGraphqlService;
 
 // src/services/open-hi-website-service.ts
+import { Bucket as Bucket3 } from "aws-cdk-lib/aws-s3";
 var SSM_PARAM_NAME_FULL_DOMAIN = "WEBSITE_FULL_DOMAIN";
 var _OpenHiWebsiteService = class _OpenHiWebsiteService extends OpenHiService {
   /**
@@ -3016,7 +3030,9 @@ var _OpenHiWebsiteService = class _OpenHiWebsiteService extends OpenHiService {
       });
       this.createFullDomainParameter();
     }
-    this.staticContent = this.createStaticContent();
+    if (props.createStaticContent !== false) {
+      this.staticContent = this.createStaticContent();
+    }
   }
   /**
    * Validates that config required for the website stack is present.
@@ -3029,14 +3045,21 @@ var _OpenHiWebsiteService = class _OpenHiWebsiteService extends OpenHiService {
     if (!config.zoneName) {
       throw new Error("Zone name is required");
     }
+    if (!config.hostedZoneId) {
+      throw new Error("Hosted zone ID is required to import the website zone");
+    }
   }
   /**
-   * Looks up the child hosted zone published by the Global service.
+   * Imports the website's hosted zone from config attributes (no SSM lookup).
+   * The website attaches DNS records here on the release-branch deploy and
+   * the same zone is imported on feature-branch deploys for any sub-domain
+   * routing.
    * Override to customize.
    */
   createHostedZone() {
-    return OpenHiGlobalService.childHostedZoneFromConstruct(this, {
-      zoneName: this.config.zoneName
+    return OpenHiGlobalService.rootHostedZoneFromConstruct(this, {
+      zoneName: this.config.zoneName,
+      hostedZoneId: this.config.hostedZoneId
     });
   }
   /**
@@ -3083,16 +3106,41 @@ var _OpenHiWebsiteService = class _OpenHiWebsiteService extends OpenHiService {
    * Creates the StaticContent uploader. Always created so feature-branch
    * deploys can publish content to their own sub-domain folder against the
    * release-branch bucket.
+   *
+   * The destination bucket is resolved here so the construct never has to
+   * branch on release-vs-feature: on the release branch we pass the
+   * just-created {@link staticHosting} bucket directly (no SSM round-trip
+   * within a single stack); on every other branch we look up the bucket
+   * ARN published by the release-branch deploy, addressed against
+   * {@link OpenHiService.releaseBranchHash}.
    */
   createStaticContent() {
     const { contentSourceDirectory, contentDestinationDirectory } = this.props;
     return new StaticContent(this, "static-content", {
+      bucket: this.resolveStaticHostingBucket(),
       contentSourceDirectory,
       contentDestinationDirectory,
-      fullDomain: this.fullDomain,
-      serviceType: _OpenHiWebsiteService.SERVICE_TYPE
+      fullDomain: this.fullDomain
     });
   }
+  /**
+   * Returns an {@link IBucket} pointing at the static-hosting bucket the
+   * uploader writes to. On the release-branch deploy this is the bucket
+   * just provisioned by {@link staticHosting}; on every other deploy it's
+   * imported from the bucket ARN the release-branch deploy publishes to
+   * SSM, addressed against {@link OpenHiService.releaseBranchHash}.
+   */
+  resolveStaticHostingBucket() {
+    if (this.staticHosting) {
+      return this.staticHosting.bucket;
+    }
+    const bucketArn = DiscoverableStringParameter.valueForLookupName(this, {
+      ssmParamName: StaticHosting.SSM_PARAM_NAME_BUCKET_ARN,
+      serviceType: _OpenHiWebsiteService.SERVICE_TYPE,
+      branchHash: this.releaseBranchHash
+    });
+    return Bucket3.fromBucketArn(this, "shared-bucket", bucketArn);
+  }
 };
 _OpenHiWebsiteService.SERVICE_TYPE = "website";
 var OpenHiWebsiteService = _OpenHiWebsiteService;
@@ -3100,7 +3148,7 @@ var OpenHiWebsiteService = _OpenHiWebsiteService;
 // src/workflows/control-plane/owning-delete-cascade/owning-delete-cascade-lambdas.ts
 import fs13 from "fs";
 import path13 from "path";
-import { Duration as Duration10 } from "aws-cdk-lib";
+import { Duration as Duration11 } from "aws-cdk-lib";
 import { Effect as Effect8, PolicyStatement as PolicyStatement8 } from "aws-cdk-lib/aws-iam";
 import { Runtime as Runtime13 } from "aws-cdk-lib/aws-lambda";
 import { NodejsFunction as NodejsFunction13 } from "aws-cdk-lib/aws-lambda-nodejs";
@@ -3124,7 +3172,7 @@ var OwningDeleteCascadeLambdas = class extends Construct20 {
       entry: listResolved.entry,
       runtime: Runtime13.NODEJS_LATEST,
       memorySize: 512,
-      timeout: Duration10.minutes(1),
+      timeout: Duration11.minutes(1),
       environment: {
         DYNAMO_TABLE_NAME: props.dataStoreTable.tableName
       }
@@ -3138,7 +3186,7 @@ var OwningDeleteCascadeLambdas = class extends Construct20 {
       entry: deleteResolved.entry,
       runtime: Runtime13.NODEJS_LATEST,
       memorySize: 512,
-      timeout: Duration10.minutes(1),
+      timeout: Duration11.minutes(1),
       environment: {
         DYNAMO_TABLE_NAME: props.dataStoreTable.tableName
       }
@@ -3157,7 +3205,7 @@ var OwningDeleteCascadeLambdas = class extends Construct20 {
       entry: finalizeResolved.entry,
       runtime: Runtime13.NODEJS_LATEST,
       memorySize: 512,
-      timeout: Duration10.minutes(1),
+      timeout: Duration11.minutes(1),
       environment: {
         DYNAMO_TABLE_NAME: props.dataStoreTable.tableName,
         [OWNING_DELETE_OPS_EVENT_BUS_ENV_VAR]: props.opsEventBus.eventBusName
@@ -3175,7 +3223,7 @@ var OwningDeleteCascadeLambdas = class extends Construct20 {
 };
 
 // src/workflows/control-plane/owning-delete-cascade/owning-delete-cascade-workflow.ts
-import { Duration as Duration11 } from "aws-cdk-lib";
+import { Duration as Duration12 } from "aws-cdk-lib";
 import { Rule as Rule5 } from "aws-cdk-lib/aws-events";
 import { SfnStateMachine } from "aws-cdk-lib/aws-events-targets";
 import {
@@ -3301,7 +3349,7 @@ var OwningDeleteCascadeWorkflow = class extends Construct21 {
       }
     });
     const interPageWait = new Wait(this, "inter-page-wait", {
-      time: WaitTime.duration(Duration11.seconds(0))
+      time: WaitTime.duration(Duration12.seconds(0))
     });
     const isExhausted = new Choice(this, "is-exhausted");
     const finalize = new LambdaInvoke(this, "finalize", {
@@ -3332,7 +3380,7 @@ var OwningDeleteCascadeWorkflow = class extends Construct21 {
       // Long timeout because real-world cascades can run minutes when
       // a workspace has thousands of members. The stuck-cascade alarm
       // fires at 15 minutes; the state machine itself does not abort.
-      timeout: Duration11.hours(2)
+      timeout: Duration12.hours(2)
     });
     this.rule = new Rule5(this, "rule", {
       eventBus: props.dataEventBus,
@@ -3343,7 +3391,7 @@ var OwningDeleteCascadeWorkflow = class extends Construct21 {
       targets: [
         new SfnStateMachine(this.stateMachine, {
           retryAttempts: 2,
-          maxEventAge: Duration11.hours(2)
+          maxEventAge: Duration12.hours(2)
         })
       ]
     });
@@ -3353,7 +3401,7 @@ var OwningDeleteCascadeWorkflow = class extends Construct21 {
 // src/workflows/control-plane/rename-cascade/rename-cascade-lambdas.ts
 import fs14 from "fs";
 import path14 from "path";
-import { Duration as Duration12 } from "aws-cdk-lib";
+import { Duration as Duration13 } from "aws-cdk-lib";
 import { Effect as Effect9, PolicyStatement as PolicyStatement9 } from "aws-cdk-lib/aws-iam";
 import { Runtime as Runtime14 } from "aws-cdk-lib/aws-lambda";
 import { NodejsFunction as NodejsFunction14 } from "aws-cdk-lib/aws-lambda-nodejs";
@@ -3377,7 +3425,7 @@ var RenameCascadeLambdas = class extends Construct22 {
       entry: listResolved.entry,
       runtime: Runtime14.NODEJS_LATEST,
       memorySize: 512,
-      timeout: Duration12.minutes(1),
+      timeout: Duration13.minutes(1),
       environment: {
         DYNAMO_TABLE_NAME: props.dataStoreTable.tableName
       }
@@ -3391,7 +3439,7 @@ var RenameCascadeLambdas = class extends Construct22 {
       entry: rewriteResolved.entry,
       runtime: Runtime14.NODEJS_LATEST,
       memorySize: 512,
-      timeout: Duration12.minutes(1),
+      timeout: Duration13.minutes(1),
       environment: {
         DYNAMO_TABLE_NAME: props.dataStoreTable.tableName
       }
@@ -3410,7 +3458,7 @@ var RenameCascadeLambdas = class extends Construct22 {
       entry: finalizeResolved.entry,
       runtime: Runtime14.NODEJS_LATEST,
       memorySize: 512,
-      timeout: Duration12.minutes(1),
+      timeout: Duration13.minutes(1),
       environment: {
         [RENAME_CASCADE_OPS_EVENT_BUS_ENV_VAR]: props.opsEventBus.eventBusName
       }
@@ -3426,7 +3474,7 @@ var RenameCascadeLambdas = class extends Construct22 {
 };
 
 // src/workflows/control-plane/rename-cascade/rename-cascade-workflow.ts
-import { Duration as Duration13 } from "aws-cdk-lib";
+import { Duration as Duration14 } from "aws-cdk-lib";
 import { Rule as Rule6 } from "aws-cdk-lib/aws-events";
 import { SfnStateMachine as SfnStateMachine2 } from "aws-cdk-lib/aws-events-targets";
 import {
@@ -3585,7 +3633,7 @@ var RenameCascadeWorkflow = class extends Construct23 {
       // Long timeout — large renames may rewrite thousands of rows;
       // the `CascadeSlow` alarm fires at 300s p99 but the state
       // machine itself does not abort.
-      timeout: Duration13.hours(2)
+      timeout: Duration14.hours(2)
     });
     this.rule = new Rule6(this, "rule", {
       eventBus: props.dataEventBus,
@@ -3596,7 +3644,7 @@ var RenameCascadeWorkflow = class extends Construct23 {
       targets: [
         new SfnStateMachine2(this.stateMachine, {
           retryAttempts: 2,
-          maxEventAge: Duration13.hours(2)
+          maxEventAge: Duration14.hours(2)
         })
       ]
     });