AppTheory API Reference
This page is the canonical human-readable map of the AppTheory surface. Treat the generated snapshots as the release-gated source of truth, and use this document to understand which surface to reach for.
Source of truth
Use these files when reviewing or documenting external interfaces:
- Go:
api-snapshots/go.txt(exports fromruntime/,pkg/, andtestkit/) - TypeScript:
api-snapshots/ts.txt(exports fromts/dist/index.d.ts) - Python:
api-snapshots/py.txt(exports frompy/src/apptheory/__init__.pyandpy/src/apptheory/limited/__init__.py) - CDK:
cdk/.jsii,cdk/lib/index.ts, andcdk/lib/*.d.ts
Known CLI surface:
cmd/lift-migrateexists as a Go migration helper with-rootand-applyflags./scripts/migrate-from-lift-go.shis the repo wrapper forgo run ./cmd/lift-migrateUNKNOWN:no broader stable public CLI contract is documented forcmd/
Verification command surface:
make test-unit./scripts/verify-ts-tests.sh./scripts/verify-python-tests.sh./scripts/verify-contract-tests.sh./scripts/update-api-snapshots.sh./scripts/verify-api-snapshots.sh./scripts/verify-docs-standard.shmake rubric
Security migration note:
- For consolidated v1.0 fail-closed migration guidance across the surfaces documented here, see
docs/migration/v1-security.md.
Core runtime entrypoints
| Concern | Go | TypeScript | Python |
|---|---|---|---|
| App container | apptheory.New(...) |
createApp() |
create_app() |
| Deterministic test env | testkit.New() |
createTestEnv() |
create_test_env() |
| Universal Lambda dispatcher | app.HandleLambda(ctx, event) |
app.handleLambda(event, ctx) |
app.handle_lambda(event, ctx) |
| AppSync resolver entrypoint | app.ServeAppSync(ctx, event) |
app.serveAppSync(event, ctx) |
app.serve_appsync(event, ctx) |
| Strict route registration | app.GetStrict(...), app.HandleStrict(...) |
app.handleStrict(...) |
app.handle_strict(...) |
| HTTP entrypoints | ServeAPIGatewayV2, ServeLambdaFunctionURL, ServeAPIGatewayProxy |
serveAPIGatewayV2, serveLambdaFunctionURL, serveAPIGatewayProxy |
serve_apigw_v2, serve_lambda_function_url, serve_apigw_proxy |
| Streaming helpers | SSEResponse, SSEStreamResponse |
htmlStream, sseEventStream, createLambdaFunctionURLStreamingHandler |
html_stream, sse_event_stream |
Shared request model:
Request: method, path, headers, query, body, and normalized source provenanceResponse: status, headers, cookies, body, and streaming fields where supportedContext: request-scoped accessors for headers, params, request ID, tenant, source provenance, clock, IDs, and middleware state
Common helper exports:
| Concern | Go | TypeScript | Python |
|---|---|---|---|
| App creation | apptheory.New(...) |
createApp() |
create_app() |
| Deterministic HTTP builders | testkit.APIGatewayV2Request, testkit.LambdaFunctionURLRequest |
buildAPIGatewayV2Request, buildLambdaFunctionURLRequest |
build_apigw_v2_request, build_lambda_function_url_request |
| Deterministic AppSync builders | testkit.AppSyncEvent |
buildAppSyncEvent |
build_appsync_event |
| Basic response helpers | Text, JSON, Binary |
text, json, html, binary, sse |
text, json, html, binary, sse |
HTTP error compatibility:
- Default HTTP error bodies remain nested under
error. - In the default nested envelope, any error whose code string is
EMPTY_BODYorINVALID_JSONis remapped to canonicalapp.bad_requestfields; the opt-in flat legacy format preserves those Lift-era codes/messages. - Lift-compatible flat HTTP error bodies are opt-in:
- Go:
apptheory.WithHTTPErrorFormat(apptheory.HTTPErrorFormatFlatLegacy)orapptheory.WithLegacyHTTPErrorShape() - TypeScript:
createApp({ httpErrorFormat: HTTP_ERROR_FORMAT_FLAT_LEGACY }) - Python:
create_app(http_error_format=HTTP_ERROR_FORMAT_FLAT_LEGACY)
- Go:
- This setting applies to HTTP serialization only. AppSync and WebSocket error payloads keep their existing shapes.
HTTP source provenance
SourceProvenance is the portable, structured source-IP contract for HTTP requests. It is available in every HTTP
tier, including P0, and is derived only from AWS provider request context fields.
| Concern | Go | TypeScript | Python |
|---|---|---|---|
| Structured type | SourceProvenance |
SourceProvenance |
SourceProvenance |
| Request field | Request.SourceProvenance |
Request.sourceProvenance |
Request.source_provenance |
| Context accessor | ctx.SourceProvenance() |
ctx.sourceProvenance() |
ctx.source_provenance() |
| Convenience IP accessor | ctx.SourceIP() |
ctx.sourceIP() |
ctx.source_ip() |
| API Gateway v2 test builder option | HTTPEventOptions.SourceIP |
sourceIp |
source_ip |
| Lambda Function URL test builder option | HTTPEventOptions.SourceIP |
sourceIp |
source_ip |
The structured value has four fields:
source_ip: canonical parsed source IP string, or""when invalid/unknownprovider:apigw-v2,lambda-url,apigw-v1, orunknownsource:provider_request_contextorunknownvalid:trueonly when the provider supplied a parseable source IP
Provider mapping:
- API Gateway v2 HTTP API:
requestContext.http.sourceIp->provider = "apigw-v2" - Lambda Function URL:
requestContext.http.sourceIp->provider = "lambda-url" - API Gateway v1 REST proxy:
requestContext.identity.sourceIp->provider = "apigw-v1" - Missing, malformed, unsupported, or ALB source values ->
provider = "unknown",source = "unknown",valid = false
Valid IPs are parsed and re-emitted in canonical form before they become public response or handler strings. For
example, 2001:DB8::1 becomes 2001:db8::1 in all three runtimes.
AppTheory does not parse or trust Forwarded, X-Forwarded-For, or similar client-controlled forwarding headers for
this contract. Those headers remain ordinary request headers if AWS forwards them, but they do not influence
SourceProvenance or SourceIP.
Universal Lambda entrypoint
When one Lambda must accept multiple AWS trigger types, keep the handler thin and delegate dispatch to the runtime.
func handler(ctx context.Context, event json.RawMessage) (any, error) {
return app.HandleLambda(ctx, event)
}
export const handler = async (event: unknown, ctx: unknown) =>
app.handleLambda(event, ctx);
def handler(event, ctx):
return app.handle_lambda(event, ctx)
Event shape to entrypoint mapping
| Event shape | Detection heuristic | Entry point called |
|---|---|---|
| SQS | Records[0].eventSource == "aws:sqs" |
ServeSQS / serveSQSEvent / serve_sqs |
| DynamoDB Streams | Records[0].eventSource == "aws:dynamodb" |
ServeDynamoDBStream / serveDynamoDBStream / serve_dynamodb_stream |
| Kinesis | Records[0].eventSource == "aws:kinesis" |
ServeKinesis / serveKinesisEvent / serve_kinesis |
| SNS | Records[0].Sns or EventSource == "aws:sns" |
ServeSNS / serveSNSEvent / serve_sns |
| EventBridge | detail-type or detailType |
ServeEventBridge / serveEventBridge / serve_eventbridge |
| AppSync resolver | info.fieldName + info.parentTypeName + arguments |
ServeAppSync / serveAppSync / serve_appsync |
| WebSocket (APIGW v2) | requestContext.connectionId |
ServeWebSocket / serveWebSocket / serve_websocket |
| API Gateway v2 (HTTP API) | requestContext.http + routeKey |
ServeAPIGatewayV2 / serveAPIGatewayV2 / serve_apigw_v2 |
| Lambda Function URL | requestContext.http + no routeKey |
ServeLambdaFunctionURL / serveLambdaFunctionURL / serve_lambda_function_url |
| ALB Target Group | requestContext.elb.targetGroupArn |
ServeALB / serveALB / serve_alb |
| API Gateway v1 (REST proxy) | httpMethod |
ServeAPIGatewayProxy / serveAPIGatewayProxy / serve_apigw_proxy |
Notes:
- Unknown shapes fail closed
- Exact field casing varies by AWS integration; prefer deterministic event builders from the test envs
- Package-local runtime docs may add language-specific examples, but the canonical cross-language dispatch guidance lives here
Event workload contract notes:
- EventBridge workload fixtures pin portable envelope/correlation behavior for future helpers.
metadata.correlation_idand top-levelheaders["x-correlation-id"]are AppTheory portable envelope conventions, not AWS-native EventBridge fields.- Scheduled workloads use EventBridge scheduled events and derive run IDs, idempotency keys, remaining-time/deadline fields, and structured result summaries.
- DynamoDB Streams workloads keep the Lambda partial-batch response contract and derive only safe record summaries.
- Kinesis workloads keep the Lambda partial-batch response contract, route by stream name, and fail closed for unregistered streams by returning every record ID as a failure.
Kinesis runtime and helpers
Kinesis uses the universal Lambda dispatcher. Register one stream handler through the AppTheory app and keep the Lambda
handler on HandleLambda, handleLambda, or handle_lambda.
| Concern | Go | TypeScript | Python |
|---|---|---|---|
| Register stream handler | app.Kinesis(streamName, handler) |
app.kinesis(streamName, handler) |
app.kinesis(stream_name, handler) |
| Direct Kinesis entrypoint | app.ServeKinesis(ctx, event) |
app.serveKinesisEvent(event, ctx) |
app.serve_kinesis(event, ctx) |
| CloudWatch Logs decoder | DecodeCloudWatchLogsSubscription(record) |
decodeCloudWatchLogsSubscription(record) |
decode_cloudwatch_logs_subscription(record) |
| JSON producer record helper | NewKinesisJSONRecord(opts) |
createKinesisJsonRecord(opts) |
create_kinesis_json_record(...) |
| PutRecords failure reporter | ReportKinesisPutRecordsFailures(records, results) |
reportKinesisPutRecordsFailures(records, results) |
report_kinesis_put_records_failures(records, results) |
Kinesis handler failures are returned as Lambda partial-batch failures by record eventID; successful records are
omitted. DecodeCloudWatchLogsSubscription and its TypeScript/Python equivalents decode the gzip CloudWatch Logs
subscription envelope carried in Kinesis data and return a safe_summary that excludes raw log messages. The producer
helpers create deterministic JSON record bytes and safe failure summaries without introducing a second per-service
record or failure shape.
Testkit helpers:
| Concern | Go | TypeScript | Python |
|---|---|---|---|
| Build Kinesis event | KinesisEvent |
buildKinesisEvent |
build_kinesis_event |
| Build CloudWatch Logs subscription record | KinesisCloudWatchLogsSubscriptionRecord |
kinesisCloudWatchLogsSubscriptionRecord |
kinesis_cloudwatch_logs_subscription_record |
| Build CloudWatch Logs subscription data | CloudWatchLogsSubscriptionData |
cloudWatchLogsSubscriptionData |
cloudwatch_logs_subscription_data |
Guide: Event Workload Contracts
Canonical CDK example: examples/cdk/kinesis-cloudwatch-logs
AppSync resolvers
AppTheory supports the standard AWS direct Lambda resolver event shape in all three runtimes.
- Event models:
- Go:
AppSyncResolverEvent,AppSyncResolverInfo,AppSyncResolverRequest - TypeScript:
AppSyncResolverEvent,AppSyncResolverInfo,AppSyncResolverRequest - Python:
AppSyncResolverEvent,AppSyncResolverInfo,AppSyncResolverRequest
- Go:
- Core event fields:
arguments: top-level resolver arguments; adapted into the JSON request bodyinfo.fieldName+info.parentTypeName: determine the AppTheory route and methodinfo.variables: preserved on the typed context and raw eventinfo.selectionSetList+info.selectionSetGraphQL: preserved on the exported event types and available on the raw event for selection-set-aware handlersrequest.headers: forwarded to the synthesized requestidentity,source,prev, andstash: preserved on the typed context and portable metadata keys
- Typed context:
- Go:
ctx.AsAppSync() - TypeScript:
ctx.asAppSync() - Python:
ctx.as_appsync()
- Go:
- Portable context metadata keys:
| Key | Meaning |
| — | — |
| apptheory.trigger_type | Constant "appsync" |
| apptheory.appsync.field_name | GraphQL field name |
| apptheory.appsync.parent_type_name | GraphQL parent type |
| apptheory.appsync.arguments | Top-level resolver arguments |
| apptheory.appsync.identity | Resolver identity payload |
| apptheory.appsync.source | Parent/source object |
| apptheory.appsync.variables | GraphQL variables |
| apptheory.appsync.prev | Previous resolver result |
| apptheory.appsync.stash | Resolver stash map |
| apptheory.appsync.request_headers | Forwarded AppSync request headers |
| apptheory.appsync.raw_event | Full resolver event |
- Request adaptation:
Mutation -> POST /fieldNameQuery -> GET /fieldNameSubscription -> GET /fieldName- top-level
argumentsbecome the JSON request body request.headersare forwarded andcontent-type: application/jsonis synthesized when absent
- Response behavior:
- JSON bodies project back to native resolver payloads
- empty bodies project to
null - any other non-empty body projects to a UTF-8 string
- binary and streaming bodies fail closed with deterministic AppSync system errors
- Error behavior:
- handler failures return Lift-compatible AppSync error objects with
pay_theory_error,error_message,error_type,error_data, anderror_info - portable AppTheory/AppError payloads include
error_data.status_codeand may includerequest_id,trace_id,timestamp, pluserror_info.code,trigger_type,method,path, and optionaldetails - non-portable exceptions now mask to
error_message: "internal error"instead of echoing raw exception text
- handler failures return Lift-compatible AppSync error objects with
Recipe:
Infrastructure note:
- use
aws-cdk-lib/aws-appsyncfor the GraphQL API, schema, auth, and Lambda data source wiring - AppTheory does not currently export an AppSync-specific CDK construct
Route registration
Invalid route patterns, duplicate method/pattern pairs, and nil/undefined/None handlers fail closed during registration across runtimes. Use the normal fluent registration path for new code:
- Go:
app.Get("/users/{id}", h)orapp.Handle("GET", "/users/{id}", h) - TypeScript:
app.get("/users/{id}", h)orapp.handle("GET", "/users/{id}", h) - Python:
app.get("/users/{id}", h)orapp.handle("GET", "/users/{id}", h)
Strict helpers remain as deprecated compatibility wrappers for code that already depends on their error-returning or
throwing shape. Python strict helpers now raise AppTheoryError rather than ValueError, and Go strict helpers return
canonical AppTheoryError messaging where applicable. See UPGRADING.md for per-line deprecation notes.
Cross-language feature surfaces
These feature areas extend the core runtime and have dedicated guides when you need deeper operational detail.
Rate limiting
The limited feature set provides DynamoDB-backed cross-instance rate limiting.
- Go:
pkg/limited - TypeScript: exports in
api-snapshots/ts.txtincludingDynamoRateLimiter,FixedWindowStrategy,SlidingWindowStrategy, andMultiWindowStrategy - Python: exports in
api-snapshots/py.txtunderapptheory.limited
Go runtime note:
runtime.RateLimitMiddleware(...)fingerprints default credential-derived identifiers before they reach limiter backends:x-api-key→api_key:hmac-sha256:<hex>Authorization: Bearer ...→bearer:hmac-sha256:<hex>
AuthIdentity,TenantID, and explicitExtractIdentifieroverrides are unchanged.- This avoids storing raw credentials in rate-limit tables, but it also changes observed key values and resets any existing credential-backed buckets on first deploy.
- For operator migration guidance, see
docs/migration/v1-security.md.
Sanitization
Safe logging helpers are exported in all three runtimes:
- Go:
pkg/sanitization - TypeScript:
sanitizeLogString,sanitizeFieldValue,sanitizeJSON,sanitizeJSONValue,sanitizeXML - Python:
sanitize_log_string,sanitize_field_value,sanitize_json,sanitize_json_value,sanitize_xml
Guide: Sanitization
Operational note:
- Sanitization heuristics once again redact token-like unknown keys by default, including
authorization_id. Seedocs/migration/v1-security.mdif you have log-processing workflows that depended on those values remaining visible.
Jobs ledger
TableTheory-backed job ledger primitives exist for long-running workflows that need job state, record state, idempotency, and leases.
- Go:
pkg/jobs - TypeScript: exports in
api-snapshots/ts.txtincludingDynamoJobLedger,CreateJobInput,JobMeta, and related status types - Python: exports in
api-snapshots/py.txtincludingDynamoJobLedger,JobsConfig, and related helpers
Guide: Jobs Ledger
Reference stack: examples/cdk/import-pipeline/
Object store helper
AppTheory includes a narrow bounded object-store helper for framework-owned byte payload storage. It is not a general storage SDK and does not expose list, presign, multipart, or raw-client escape hatches.
- Go:
pkg/objectstore - TypeScript:
ObjectStore,ObjectRef,createS3ObjectStore, andFakeObjectStore - Python:
ObjectStore,ObjectRef,create_s3_object_store, andFakeObjectStore - Testkit/fakes:
testkit/objectstorein Go plus package-local fake stores in TypeScript and Python - Object refs: strict
s3://bucket/keyparsing into bucket/key/version fields with no default bucket/key and no query or fragment support. - Store contract:
Put, boundedGetwith requiredMaxBytes, andDeleteonly. - S3 implementations: each runtime keeps the cloud client seam inside the framework surface and exposes only bounded
put/get/deleteoperations. TypeScript intentionally carries@aws-sdk/client-s3as a hard package dependency because the S3 implementation imports it at module load; Python intentionally keepsboto3optional/lazy and fails closed fromcreate_s3_object_storeif the dependency or required S3 methods are unavailable. - Encryption: bucket-default, S3-managed, and KMS modes fail closed on contradictory or missing KMS configuration.
Guide: Object Store Helper
Semantic vector helpers
AppTheory includes a narrow semantic-recall helper surface for S3 Vectors and Bedrock Titan embeddings. It is a retrieval plane, not canonical persistence: store durable records and ledgers in TableTheory-backed or app-owned stores, then publish keyed embeddings and retrieval metadata through the AppTheory vectorstore contract.
- Go:
pkg/vectorstoreexposesVectorRecord,PutInput,GetInput,DeleteInput,QueryInput,QueryHit,Store,Embedder,SemanticRecord, andSemanticIndex. - Fake/test helpers:
NewFakeStore,FakeStore,NewFakeEmbedder, andFakeEmbedder. - S3 Vectors adapter:
NewS3VectorStore,S3VectorStore, andS3VectorsAPI. - Bedrock Titan adapter:
NewTitanEmbedder,TitanEmbedder,BedrockRuntimeAPI,DefaultTitanEmbedTextModelID,DefaultEmbeddingDimensions,EnvEmbeddingProvider,EnvEmbeddingModelID,EnvEmbeddingDimensions, andEnvEmbeddingNormalize. - S3 Vectors environment/config:
EnvVectorBucketName,EnvVectorIndexName,EnvVectorIndexARN,EnvVectorDimension,DefaultQueryTopK,MaxQueryTopK, andMaxPutDeleteBatchSize. - Validation helpers:
ValidateDimension,ValidateVector,ValidateKey,ValidateRequiredMetadata,NormalizeTopK,CloneVector,CloneMetadata, andEmbeddingErrorCode. - Fail-closed errors:
ErrorCodeInvalidConfig,ErrorCodeInvalidInput,ErrorCodeInvalidVector,ErrorCodeDimensionMismatch,ErrorCodeEmbeddingFailed,ErrorCodeNotFound,ErrorCodeUnsupportedOperation,ErrInvalidConfig,ErrInvalidInput,ErrInvalidVector,ErrDimensionMismatch,ErrEmbeddingFailed,ErrNotFound, andErrUnsupportedOperation.
Guides: S3 Vectors and Bedrock Embeddings and S3 Vector Index
AWS Lambda MicroVM support
The corrective M16 MicroVM surface is fixture-backed across Go, TypeScript, and Python. It is a constrained AppTheory
primitive, not a raw AWS SDK escape hatch. The v1.14.0 / M15 foundation should not be cited as complete live MicroVM
support; the canonical real operation vocabulary is run, get, list, suspend, resume, terminate,
invoke, auth-token, and shell-auth-token.
- Go:
runtime/microvmexports lifecycle adapters, real controller routes, constrained provider adapters, safe session records, token-hidden workload invocation, TableTheory session registry helpers, and test fakes. - TypeScript:
MicroVMLifecycleAdapter,MicroVMRealController,TableTheoryMicroVMSessionRegistry,createAWSLambdaMicroVMProvider,createRealMicroVMController, and related validators. - Python:
MicroVMLifecycleAdapter,MicroVMRealController,TableTheoryMicroVMSessionRegistry,create_aws_lambda_microvm_provider,create_real_microvm_controller, and related validators. - CDK:
AppTheoryMicrovmNetworkConnector,AppTheoryMicrovmImage, andAppTheoryMicrovmControllerwire typed connector references, endpoint-dispatched no-hook images, protected routes, IAM grants, token-hidden workload invoke, and the durable session table. - Conformance:
examples/microvm-conformanceis the AppTheory-owned harness for a consumer-provided EqualToAI/Host lab.
The golden path requires sanitized lifecycle events, protected controller routes, sanitized token metadata, token-hidden
workload invocation through /microvms/{session_id}/invoke, and the TableTheory/DynamoDB-style session registry with
pk, sk, and ttl. It does not provide EqualToAI/Host application proof, customer workload readiness, generalized
account vending, unauthenticated controllers, raw SDK access, provider auth-token exposure, or raw lifecycle hook
bypasses.
Guide: AWS Lambda MicroVM Golden Path CDK guide: Lambda MicroVM CDK Constructs
Migration and configuration notes
Confirmed migration surface:
- Dry run:
go run ./cmd/lift-migrate -root ./path/to/service - Apply rewrite:
go run ./cmd/lift-migrate -root ./path/to/service -apply - Repo wrapper:
./scripts/migrate-from-lift-go.sh -root ./path/to/service [-apply]
Known configuration keys surfaced by canonical docs:
APPTHEORY_EVENTBUS_TABLE_NAMEERROR_NOTIFICATION_SNS_TOPIC_ARNAPPTHEORY_JOBS_TABLE_NAMEUNKNOWN:a complete stable env-var/config-key catalog is not yet centralized in one canonical index
MCP and OAuth
AppTheory includes fixture-backed MCP and OAuth support across the runtime family, with the Go package paths listed here for operators who need implementation-level details:
runtime/mcp: Streamable HTTPPOST/GET/DELETE /mcp, protocol negotiation, origin validation, sessions, resumable SSE, and the MCP request surface (initialize,ping,tools/*,resources/*,prompts/*, plus acceptednotifications/initialized/notifications/cancelled)testkit/mcp: deterministic in-process MCP client helpers (NewClient,Initialize,ListTools,CallTool,ListResources,ReadResource,ListPrompts,GetPrompt,RawStream,ResumeStream,Stream.Response,Stream.Cancel,Stream.Next,Stream.ReadAll) plus JSON-RPC request builders and assertionsruntime/oauth: protected-resource metadata, challenges, DCR, PKCE, and token-store helperstestkit/oauth: Claude-like end-to-end OAuth flow helpers for remote MCP tests (NewClaudePublicClient,AuthorizeOptions,Authorize)- TypeScript and Python expose matching MCP registries, server/test harnesses, in-memory/Dynamo stores, bearer-token validation, protected-resource metadata, DCR, and PKCE helpers through their package API snapshots.
Remote MCP auth hardening notes:
oauth.RequireBearerTokenMiddleware(...)is fail-closed in Go: you must provide aValidator, and metadata discovery for theWWW-Authenticatechallenge comes fromResourceMetadataURLorMCP_ENDPOINT, not request headers.- Invalid-audience bearer tokens are intentionally fixture-pinned as authorization failures: AppTheory returns
403 app.forbiddenwithout aWWW-Authenticatechallenge, matching insufficient-scope denial so a token bound to another resource is not treated as a rediscovery prompt. Missing or expired bearers remain401challenge cases.
Related canonical integration guides:
CDK construct overview
Canonical CDK guidance lives under docs/cdk. The construct inventory exported by cdk/lib/index.ts
includes:
AppTheoryHttpApiAppTheoryRestApiAppTheoryRestApiRouterAppTheoryMcpServerAppTheoryRemoteMcpServerAppTheoryMcpProtectedResourceAppTheoryJobsTableAppTheoryS3IngestAppTheoryVectorIndexAppTheoryCodeBuildJobRunnerAppTheoryKinesisStreamAppTheoryKinesisStreamMappingAppTheoryCloudWatchLogsDestinationAppTheoryMicrovmNetworkConnectorAppTheoryMicrovmImageAppTheoryMicrovmController
Start with:
- CDK Getting Started
- CDK API Reference
- Kinesis + CloudWatch Logs
- CDK Import Pipeline Guides
- S3 Vector Index
- Lambda MicroVM CDK Constructs
Package-local docs remain available under ts/docs/, py/docs/, and cdk/docs/ for language-specific examples, but
they should not be treated as the canonical external root.
Go snapshot coverage index
This index is maintained with scripts/verify-api-docs.sh so handwritten docs cannot drift from api-snapshots/go.txt.