CDK

CDK API Reference

This page is the canonical human-readable overview of the AppTheory CDK surface. For exact prop types and exported constructs, read cdk/.jsii, cdk/lib/index.ts, and cdk/lib/*.d.ts.

Core API constructs

  • AppTheoryHttpApi: API Gateway HTTP API v2 plus Lambda proxy routes
  • AppTheoryRestApi: API Gateway REST API v1 plus single-Lambda proxy routes
  • AppTheoryRestApiRouter: REST API v1 multi-Lambda routing with streaming support
  • AppTheoryMcpServer: HTTP API v2 POST /mcp for Bedrock AgentCore
  • AppTheoryRemoteMcpServer: REST API v1 /mcp with streaming for Remote MCP
  • AppTheoryMcpProtectedResource: /.well-known/oauth-protected-resource metadata route
  • AppTheoryJobsTable: opinionated DynamoDB jobs ledger table
  • AppTheoryS3Ingest: secure S3 ingest front door with optional notifications
  • AppTheoryVectorIndex: S3 vector bucket/index plus vectorstore and Bedrock embedding env/grants
  • AppTheoryCodeBuildJobRunner: batch-step runner for import pipelines
  • AppTheoryEventBridgeBus: custom EventBridge bus with explicit cross-account publish allowlist
  • AppTheoryEventBridgeRuleTarget: EventBridge rule or schedule to Lambda target
  • AppTheoryKinesisStream: create or wrap the encrypted Kinesis Data Stream used by AppTheory stream consumers
  • AppTheoryKinesisStreamMapping: Kinesis stream to AppTheory Lambda event-source mapping with partial-batch failures enabled by default
  • AppTheoryCloudWatchLogsDestination: CloudWatch Logs destination and fail-closed source allowlist for Logs-to-Kinesis delivery
  • AppTheoryCloudWatchLogsSubscription: source-side CloudWatch Logs subscription attachment for a caller-provided log group, destination ARN, filter pattern, and optional delivery role
  • AppTheoryHttpIngestionEndpoint: authenticated HTTP API v2 ingestion endpoint with Lambda request authorizer
  • AppTheoryMicrovmNetworkConnector: caller-owned VPC/subnet/security-group egress wiring plus typed ingress/egress/shell connector references for Lambda MicroVMs
  • AppTheoryMicrovmImage: AWS::Lambda::MicrovmImage deployment with AppTheory hook, logging, resource, and connector validation
  • AppTheoryMicrovmController: protected controller routes, controller Lambda, IAM grants, and durable pk/sk/ttl session registry table
  • AppTheorySsrSite: FaceTheory-first CloudFront + S3 + Lambda URL deployment for SSR, SSG, and ISR
  • AppTheoryQueue, AppTheoryQueueConsumer, AppTheoryQueueProcessor: SQS queue and consumer patterns

Supporting constructs exported from cdk/lib/index.ts

  • AppTheoryFunction
  • AppTheoryFunctionAlarms
  • AppTheoryDynamoDBStreamMapping
  • AppTheoryDynamoTable
  • AppTheoryEventBusTable: durable EventBus DynamoDB table plus Lambda binding helper for publish/query/replay flows
  • AppTheoryLambdaRole
  • AppTheoryPathRoutedFrontend
  • AppTheoryMediaCdn
  • AppTheoryWebSocketApi

Selection guide

  • Use AppTheoryHttpApi for the simplest HTTP API v2 deployment
  • Use AppTheoryRestApi when you need REST API v1 but not multi-Lambda routing
  • Use AppTheoryRestApiRouter when you need SSE or response streaming
  • Use AppTheoryMcpServer for Bedrock AgentCore
  • Use AppTheoryRemoteMcpServer plus AppTheoryMcpProtectedResource for Claude Remote MCP
  • Use AppTheorySsrSite when you need the canonical FaceTheory-first SSR/SSG/ISR deployment story
  • Use AppTheoryJobsTable, AppTheoryS3Ingest, and AppTheoryCodeBuildJobRunner for import pipelines
  • Use AppTheoryVectorIndex when an import pipeline or MCP tool needs S3 Vectors semantic recall
  • Use AppTheoryMicrovmNetworkConnector, AppTheoryMicrovmImage, and AppTheoryMicrovmController together for the corrective M16 AWS Lambda MicroVM golden path. The controller requires an authorizer, explicit ingress/egress/shell connector references, endpoint-dispatched no-hook image wiring for the live example path, token-hidden invoke routes, and fails closed when omitted.

Event workload wiring:

  • use AppTheoryEventBridgeRuleTarget for scheduled workloads and EventBridge pattern intake
  • use targetProps on EventBridge targets for DLQ, retry, and maximum-event-age policy
  • use AppTheoryDynamoDBStreamMapping for DynamoDB Streams to Lambda wiring
  • use AppTheoryKinesisStream plus AppTheoryKinesisStreamMapping for Kinesis stream consumers
  • use AppTheoryCloudWatchLogsDestination when CloudWatch Logs subscriptions deliver through Kinesis; configure allowedSourceAccounts and/or allowedOrganizationIds explicitly
  • use AppTheoryCloudWatchLogsSubscription to attach one source log group to the destination ARN from TypeScript (new AppTheoryCloudWatchLogsSubscription(...)) or Go (apptheorycdk.NewAppTheoryCloudWatchLogsSubscription(...))
  • use AppTheoryJobsTable when the workload needs durable run state, idempotency, leases, or record status
  • keep handlers on AppTheory runtime entrypoints so routing, retry posture, and observability stay fixture-backed

Runtime guide:

Kinesis guide and example:

Guide:

MicroVM guide and example:

AppSync note

AppTheory does not currently export an AppSync-specific CDK construct.

Use aws-cdk-lib/aws-appsync for the GraphQL API, schema, auth, and Lambda data source wiring, and keep the Lambda handler on AppTheory’s AppSync runtime entrypoints.

Guide: