From 73839c50b83c8aeaa2b256dde5309933da88163e Mon Sep 17 00:00:00 2001
From: John Sandoval <john@inspiringapps.com>
Date: Wed, 4 Feb 2026 16:18:58 -0700
Subject: [PATCH 01/14] WIP: Cosmetology multi-backend scaffolding - Added the
 concept of an app-mode to track jcc vs. cosmo switching - @todo: Get actual
 .env values for API & cognito & begin smoke testing - @todo: Implement
 interceptors to evaluate which API to call - @todo: Update mock data with
 cosmo data - @todo: Update ChangePassword component (if needed) - @todo: Add
 debug component to nav that displays app-mode

---
 webroot/.env.example                          | 10 +++-
 webroot/src/app.config.ts                     | 36 +++++++++---
 webroot/src/components/App/App.ts             | 18 ++++++
 .../CompactSelector/CompactSelector.ts        |  7 ++-
 webroot/src/locales/en.json                   | 17 ++++++
 webroot/src/locales/es.json                   | 17 ++++++
 webroot/src/models/Compact/Compact.model.ts   |  3 +-
 .../src/pages/AuthCallback/AuthCallback.ts    | 58 +++++++++++++++----
 webroot/src/pages/Logout/Logout.ts            | 27 ++++++++-
 .../MfaResetConfirmLicensee.ts                |  7 ++-
 .../MfaResetStartLicensee.ts                  |  7 ++-
 .../PublicDashboard/PublicDashboard.spec.ts   | 22 +++++--
 .../pages/PublicDashboard/PublicDashboard.ts  |  9 ++-
 .../src/plugins/EnvConfig/envConfig.plugin.ts | 12 ++++
 webroot/src/store/global/global.actions.ts    |  3 +
 webroot/src/store/global/global.mutations.ts  |  6 +-
 webroot/src/store/global/global.spec.ts       | 10 +++-
 webroot/src/store/global/global.state.ts      |  4 +-
 webroot/src/store/user/user.actions.ts        | 13 ++++-
 webroot/src/store/user/user.spec.ts           |  7 ++-
 20 files changed, 250 insertions(+), 43 deletions(-)

diff --git a/webroot/.env.example b/webroot/.env.example
index 856b3de93..cb10af5c8 100644
--- a/webroot/.env.example
+++ b/webroot/.env.example
@@ -7,11 +7,17 @@ VUE_APP_API_STATE_ROOT=https://api.test.jcc.iaapi.io
 VUE_APP_API_LICENSE_ROOT=https://api.test.jcc.iaapi.io
 VUE_APP_API_SEARCH_ROOT=https://search.test.jcc.iaapi.io
 VUE_APP_API_USER_ROOT=https://api.test.jcc.iaapi.io
+VUE_APP_API_STATE_ROOT_COSMO=https://api.test.cosmo.iaapi.io
+VUE_APP_API_LICENSE_ROOT_COSMO=https://api.test.cosmo.iaapi.io
+VUE_APP_API_SEARCH_ROOT_COSMO=https://search.test.cosmo.iaapi.io
+VUE_APP_API_USER_ROOT_COSMO=https://api.test.cosmo.iaapi.io
 VUE_APP_COGNITO_REGION=us-east-1
 VUE_APP_COGNITO_AUTH_DOMAIN_STAFF=https://staff-auth.test.jcc.iaapi.io
-VUE_APP_COGNITO_CLIENT_ID_STAFF=4s5iil9aut9lo0du76p37o8m7h
+VUE_APP_COGNITO_CLIENT_ID_STAFF=15mh24ea4af3of8jcnv8h2ic10
 VUE_APP_COGNITO_AUTH_DOMAIN_LICENSEE=https://licensee-auth.test.jcc.iaapi.io
-VUE_APP_COGNITO_CLIENT_ID_LICENSEE=topd4vhftng5cfm3ccgkb6ejd
+VUE_APP_COGNITO_CLIENT_ID_LICENSEE=2uv8d9iom5tq8onicri9akot3r
+VUE_APP_COGNITO_AUTH_DOMAIN_STAFF_COSMO=https://staff-auth.test.cosmo.iaapi.io
+VUE_APP_COGNITO_CLIENT_ID_STAFF_COSMO=TODO
 VUE_APP_RECAPTCHA_KEY=6Le-3bgqAAAAAILDVUKkRnAF9SSzb8o9uv5lY7Ih
 VUE_APP_STATSIG_KEY=TODO
 VUE_APP_STATSIG_DISABLED=false
diff --git a/webroot/src/app.config.ts b/webroot/src/app.config.ts
index b37752936..e3d4a750d 100644
--- a/webroot/src/app.config.ts
+++ b/webroot/src/app.config.ts
@@ -8,6 +8,14 @@ import { config as envConfig } from '@plugins/EnvConfig/envConfig.plugin';
 import localStorage from '@store/local.storage';
 import moment from 'moment';
 
+// ===============
+// =  App Modes  =
+// ===============
+export enum AppModes {
+    JCC = 'jcc',
+    COSMETOLOGY = 'cosmo',
+}
+
 // =========================
 // =  Authorization Types  =
 // =========================
@@ -25,7 +33,7 @@ export type CognitoConfig = {
     clientId: string;
     authDomain: string;
 };
-export const getCognitoConfig = (authType: AuthTypes): CognitoConfig => {
+export const getCognitoConfig = (appMode: AppModes, authType: AuthTypes): CognitoConfig => {
     const config: CognitoConfig = {
         scopes: '',
         clientId: '',
@@ -35,12 +43,23 @@ export const getCognitoConfig = (authType: AuthTypes): CognitoConfig => {
     switch (authType) {
     case AuthTypes.STAFF:
         config.scopes = staffLoginScopes;
-        if (envConfig.cognitoClientIdStaff) {
-            config.clientId = envConfig.cognitoClientIdStaff;
-        }
-        if (envConfig.cognitoAuthDomainStaff) {
-            config.authDomain = envConfig.cognitoAuthDomainStaff;
+
+        if (appMode === AppModes.JCC) {
+            if (envConfig.cognitoClientIdStaff) {
+                config.clientId = envConfig.cognitoClientIdStaff;
+            }
+            if (envConfig.cognitoAuthDomainStaff) {
+                config.authDomain = envConfig.cognitoAuthDomainStaff;
+            }
+        } else if (appMode === AppModes.COSMETOLOGY) {
+            if (envConfig.cognitoClientIdStaffCosmo) {
+                config.clientId = envConfig.cognitoClientIdStaffCosmo;
+            }
+            if (envConfig.cognitoAuthDomainStaffCosmo) {
+                config.authDomain = envConfig.cognitoAuthDomainStaffCosmo;
+            }
         }
+
         break;
     case AuthTypes.LICENSEE:
         config.scopes = licenseeLoginScopes;
@@ -58,9 +77,9 @@ export const getCognitoConfig = (authType: AuthTypes): CognitoConfig => {
     return config;
 };
 
-export const getHostedLoginUri = (authType: AuthTypes, hostedIdpPath = '/login'): string => {
+export const getHostedLoginUri = (appMode: AppModes, authType: AuthTypes, hostedIdpPath = '/login'): string => {
     const { domain } = envConfig;
-    const { scopes, clientId, authDomain } = getCognitoConfig(authType);
+    const { scopes, clientId, authDomain } = getCognitoConfig(appMode, authType);
     const loginUriQuery = [
         `?client_id=${clientId}`,
         `&response_type=code`,
@@ -308,6 +327,7 @@ export const compacts = {
     aslp: {},
     octp: {},
     coun: {},
+    cosm: {},
 };
 
 // =============================
diff --git a/webroot/src/components/App/App.ts b/webroot/src/components/App/App.ts
index a082ac900..e0a1bf983 100644
--- a/webroot/src/components/App/App.ts
+++ b/webroot/src/components/App/App.ts
@@ -14,6 +14,7 @@ import {
 import { RouteRecordName } from 'vue-router';
 import {
     authStorage,
+    AppModes,
     AuthTypes,
     relativeTimeFormats,
     AUTH_TYPE
@@ -47,6 +48,8 @@ class App extends Vue {
     // Lifecycle
     //
     async created() {
+        this.setAppModeFromCompact(this.routeCompactType);
+
         if (this.userStore.isLoggedIn) {
             await this.handleAuth();
         }
@@ -103,6 +106,18 @@ class App extends Vue {
         }
     }
 
+    setAppModeFromCompact(compact: CompactType | null): void {
+        let appMode = AppModes.JCC;
+
+        if (compact === CompactType.COSMETOLOGY) {
+            appMode = AppModes.COSMETOLOGY;
+        }
+
+        if (this.globalStore.appMode !== appMode) {
+            this.$store.dispatch('setAppMode', appMode);
+        }
+    }
+
     setAuthType() {
         let authType: AuthTypes;
 
@@ -192,6 +207,9 @@ class App extends Vue {
                 });
             }
         }
+
+        // Set the app mode based on the current compact
+        this.setAppModeFromCompact(userDefaultCompact?.type || null);
     }
 
     setRelativeTimeFormats() {
diff --git a/webroot/src/components/CompactSelector/CompactSelector.ts b/webroot/src/components/CompactSelector/CompactSelector.ts
index 8db49ff50..95f95b5f0 100644
--- a/webroot/src/components/CompactSelector/CompactSelector.ts
+++ b/webroot/src/components/CompactSelector/CompactSelector.ts
@@ -5,7 +5,7 @@
 //  Created by InspiringApps on 10/2/2024.
 //
 
-import { compacts as compactsConfig } from '@/app.config';
+import { AppModes, compacts as compactsConfig } from '@/app.config';
 import {
     Component,
     mixins,
@@ -146,6 +146,11 @@ class CompactSelector extends mixins(MixinForm) {
         } else {
             // Refresh the compact type on the store
             await this.$store.dispatch('user/setCurrentCompact', CompactSerializer.fromServer({ type: selectedCompactType }));
+            if (selectedCompactType === CompactType.COSMETOLOGY) {
+                this.$store.dispatch('setAppMode', AppModes.COSMETOLOGY);
+            } else {
+                this.$store.dispatch('setAppMode', AppModes.JCC);
+            }
         }
     }
 
diff --git a/webroot/src/locales/en.json b/webroot/src/locales/en.json
index 247d75bcf..013deaeaf 100644
--- a/webroot/src/locales/en.json
+++ b/webroot/src/locales/en.json
@@ -500,6 +500,11 @@
             "name": "Counseling",
             "abbrev": "Counseling",
             "key": "coun"
+        },
+        {
+            "name": "Cosmetology and Esthetics",
+            "abbrev": "COSM",
+            "key": "cosm"
         }
     ],
     "compact": {
@@ -812,6 +817,18 @@
                 "key": "licensed professional counselor",
                 "compactKey": "coun",
                 "abbrev": "lpc"
+            },
+            {
+                "name": "Cosmetologist",
+                "key": "cosmetologist",
+                "compactKey": "cosm",
+                "abbrev": "cos"
+            },
+            {
+                "name": "Esthetician",
+                "key": "esthetician",
+                "compactKey": "cosm",
+                "abbrev": "esth"
             }
         ],
         "disciplineTypes": [
diff --git a/webroot/src/locales/es.json b/webroot/src/locales/es.json
index a8dc9db2b..b2cbcab45 100644
--- a/webroot/src/locales/es.json
+++ b/webroot/src/locales/es.json
@@ -484,6 +484,11 @@
             "name": "Asesoramiento",
             "abbrev": "Counseling",
             "key": "coun"
+        },
+        {
+            "name": "Cosmetología y Estética",
+            "abbrev": "COSM",
+            "key": "cosm"
         }
     ],
     "compact": {
@@ -796,6 +801,18 @@
                 "key": "licensed professional counselor",
                 "compactKey": "coun",
                 "abbrev": "lpc"
+            },
+            {
+                "name": "Cosmetólogo",
+                "key": "cosmetologist",
+                "compactKey": "cosm",
+                "abbrev": "cos"
+            },
+            {
+                "name": "Esteticista",
+                "key": "esthetician",
+                "compactKey": "cosm",
+                "abbrev": "esth"
             }
         ],
         "disciplineTypes": [
diff --git a/webroot/src/models/Compact/Compact.model.ts b/webroot/src/models/Compact/Compact.model.ts
index 409253c04..9c5cca37b 100644
--- a/webroot/src/models/Compact/Compact.model.ts
+++ b/webroot/src/models/Compact/Compact.model.ts
@@ -13,10 +13,11 @@ import { CompactFeeConfig } from '@models/CompactFeeConfig/CompactFeeConfig.mode
 // ========================================================
 // =                       Interface                      =
 // ========================================================
-export enum CompactType { // Temp server definition until server returns via endpoint
+export enum CompactType {
     ASLP = 'aslp',
     OT = 'octp',
     COUNSELING = 'coun',
+    COSMETOLOGY = 'cosm',
 }
 
 export interface PaymentProcessorConfig {
diff --git a/webroot/src/pages/AuthCallback/AuthCallback.ts b/webroot/src/pages/AuthCallback/AuthCallback.ts
index 49e20d762..863de1963 100644
--- a/webroot/src/pages/AuthCallback/AuthCallback.ts
+++ b/webroot/src/pages/AuthCallback/AuthCallback.ts
@@ -11,6 +11,7 @@ import Section from '@components/Section/Section.vue';
 import Card from '@components/Card/Card.vue';
 import {
     authStorage,
+    AppModes,
     AuthTypes,
     AUTH_TYPE,
     AUTH_LOGIN_GOTO_PATH,
@@ -18,6 +19,12 @@ import {
 } from '@/app.config';
 import axios from 'axios';
 
+export enum CognitoStateTypes {
+    STAFF_JCC = 'staff',
+    STAFF_COSMETOLOGY = 'staff-cosmo',
+    LICENSEE_JCC = 'licensee',
+}
+
 @Component({
     name: 'AuthCallback',
     components: {
@@ -59,34 +66,48 @@ export default class AuthCallback extends Vue {
     //
     async getTokens(): Promise<void> {
         this.$store.dispatch('startLoading');
+        const { userType } = this;
 
-        if (this.userType === AuthTypes.STAFF) {
-            await this.getTokensStaff().catch(() => {
+        if (userType === CognitoStateTypes.STAFF_JCC) {
+            this.$store.dispatch('setAppMode', AppModes.JCC);
+            await this.getTokensStaffJcc().catch(() => {
                 this.isError = true;
             });
-        } else if (this.userType === AuthTypes.LICENSEE) {
-            await this.getTokensLicensee().catch(() => {
+        } else if (userType === CognitoStateTypes.LICENSEE_JCC) {
+            this.$store.dispatch('setAppMode', AppModes.JCC);
+            await this.getTokensLicenseeJcc().catch(() => {
+                this.isError = true;
+            });
+        } else if (userType === CognitoStateTypes.STAFF_COSMETOLOGY) {
+            this.$store.dispatch('setAppMode', AppModes.COSMETOLOGY);
+            await this.getTokensStaffCosmo().catch(() => {
                 this.isError = true;
             });
         } else {
             // If the state query param is absent or not matching we will
-            // still try to get tokens, if the user just logged in one of the two
-            // user pools will successfully return tokens. If neither do we enter
-            // the error state
+            // still try to get tokens, if the user just logged in one of the
+            // user pools will successfully return tokens. If none then we enter
+            // the error state.
 
             let errorCount = 0;
 
-            await this.getTokensStaff().catch(() => {
+            await this.getTokensStaffJcc().catch(() => {
                 errorCount += 1;
             });
 
             if (errorCount > 0) {
-                await this.getTokensLicensee().catch(() => {
+                await this.getTokensStaffCosmo().catch(() => {
                     errorCount += 1;
                 });
             }
 
             if (errorCount > 1) {
+                await this.getTokensLicenseeJcc().catch(() => {
+                    errorCount += 1;
+                });
+            }
+
+            if (errorCount > 2) {
                 this.isError = true;
             }
         }
@@ -98,7 +119,7 @@ export default class AuthCallback extends Vue {
         }
     }
 
-    async getTokensStaff(): Promise<void> {
+    async getTokensStaffJcc(): Promise<void> {
         const { domain, cognitoAuthDomainStaff, cognitoClientIdStaff } = this.$envConfig;
         const params = new URLSearchParams();
 
@@ -113,7 +134,22 @@ export default class AuthCallback extends Vue {
         await this.$store.dispatch('user/loginSuccess', AuthTypes.STAFF);
     }
 
-    async getTokensLicensee(): Promise<void> {
+    async getTokensStaffCosmo(): Promise<void> {
+        const { domain, cognitoAuthDomainStaffCosmo, cognitoClientIdStaffCosmo } = this.$envConfig;
+        const params = new URLSearchParams();
+
+        params.append('grant_type', 'authorization_code');
+        params.append('client_id', cognitoClientIdStaffCosmo || '');
+        params.append('redirect_uri', `${domain}${this.$route.path}`);
+        params.append('code', this.authorizationCode);
+
+        const { data } = await axios.post(`${cognitoAuthDomainStaffCosmo}/oauth2/token`, params);
+
+        await this.$store.dispatch('user/updateAuthTokens', { tokenResponse: data, authType: AuthTypes.STAFF });
+        await this.$store.dispatch('user/loginSuccess', AuthTypes.STAFF);
+    }
+
+    async getTokensLicenseeJcc(): Promise<void> {
         const { domain, cognitoAuthDomainLicensee, cognitoClientIdLicensee } = this.$envConfig;
         const params = new URLSearchParams();
 
diff --git a/webroot/src/pages/Logout/Logout.ts b/webroot/src/pages/Logout/Logout.ts
index 43b4af619..562296fab 100644
--- a/webroot/src/pages/Logout/Logout.ts
+++ b/webroot/src/pages/Logout/Logout.ts
@@ -8,6 +8,7 @@
 import { Component, Vue } from 'vue-facing-decorator';
 import {
     authStorage,
+    AppModes,
     AuthTypes,
     AUTH_TYPE,
     AUTH_LOGIN_GOTO_PATH,
@@ -30,6 +31,10 @@ export default class Logout extends Vue {
     //
     // Computed
     //
+    get appMode(): AppModes {
+        return this.$store.state.appMode;
+    }
+
     get userStore() {
         return this.$store.state.user;
     }
@@ -39,14 +44,30 @@ export default class Logout extends Vue {
     }
 
     get hostedLogoutUriStaff(): string {
-        const { domain, cognitoAuthDomainStaff, cognitoClientIdStaff } = this.$envConfig;
+        const {
+            domain,
+            cognitoAuthDomainStaff,
+            cognitoClientIdStaff,
+            cognitoAuthDomainStaffCosmo,
+            cognitoClientIdStaffCosmo
+        } = this.$envConfig;
+        let cognitoAuthDomain = cognitoAuthDomainStaff;
+        let cognitoClientId = cognitoClientIdStaff;
+
+        // Adjust cognito params based on app mode
+        if (this.appMode === AppModes.COSMETOLOGY) {
+            cognitoAuthDomain = cognitoAuthDomainStaffCosmo;
+            cognitoClientId = cognitoClientIdStaffCosmo;
+        }
+
+        // Create the logout URI
         const logoutLink = encodeURIComponent(`${(domain as string)}/Logout`);
         const logoutUriQuery = [
-            `?client_id=${cognitoClientIdStaff}`,
+            `?client_id=${cognitoClientId}`,
             `&logout_uri=${logoutLink}`
         ].join('');
         const idpPath = '/logout';
-        const logoutUri = `${cognitoAuthDomainStaff}${idpPath}${logoutUriQuery}`;
+        const logoutUri = `${cognitoAuthDomain}${idpPath}${logoutUriQuery}`;
 
         return logoutUri;
     }
diff --git a/webroot/src/pages/MfaResetConfirmLicensee/MfaResetConfirmLicensee.ts b/webroot/src/pages/MfaResetConfirmLicensee/MfaResetConfirmLicensee.ts
index 4317f78a7..0f328a841 100644
--- a/webroot/src/pages/MfaResetConfirmLicensee/MfaResetConfirmLicensee.ts
+++ b/webroot/src/pages/MfaResetConfirmLicensee/MfaResetConfirmLicensee.ts
@@ -13,6 +13,7 @@ import {
 } from 'vue-facing-decorator';
 import {
     authStorage,
+    AppModes,
     AuthTypes,
     getHostedLoginUri,
     AUTH_LOGIN_GOTO_PATH,
@@ -60,6 +61,10 @@ class MfaResetConfirmLicensee extends Vue {
     //
     // Computed
     //
+    get appMode(): AppModes {
+        return this.$store.state.appMode;
+    }
+
     get compactQuery(): string {
         const compact: string = (this.$route.query?.compact as string) || '';
 
@@ -75,7 +80,7 @@ class MfaResetConfirmLicensee extends Vue {
     }
 
     get hostedLoginUriLicensee(): string {
-        return getHostedLoginUri(AuthTypes.LICENSEE, '/login');
+        return getHostedLoginUri(this.appMode, AuthTypes.LICENSEE, '/login');
     }
 
     get isUsingMockApi(): boolean {
diff --git a/webroot/src/pages/MfaResetStartLicensee/MfaResetStartLicensee.ts b/webroot/src/pages/MfaResetStartLicensee/MfaResetStartLicensee.ts
index bf329d1e6..834e3c7cd 100644
--- a/webroot/src/pages/MfaResetStartLicensee/MfaResetStartLicensee.ts
+++ b/webroot/src/pages/MfaResetStartLicensee/MfaResetStartLicensee.ts
@@ -20,6 +20,7 @@ import {
 import {
     stateList,
     dateFormatPatterns,
+    AppModes,
     AuthTypes,
     getHostedLoginUri
 } from '@/app.config';
@@ -85,6 +86,10 @@ class MfaResetStartLicensee extends mixins(MixinForm) {
     //
     // Computed
     //
+    get appMode(): AppModes {
+        return this.$store.state.appMode;
+    }
+
     get stateOptions(): Array<SelectOption> {
         const options = [{ value: '', name: `- ${this.$t('common.select')} -`, isDisabled: true }];
 
@@ -165,7 +170,7 @@ class MfaResetStartLicensee extends mixins(MixinForm) {
     }
 
     get hostedForgotPasswordUriLicensee(): string {
-        return getHostedLoginUri(AuthTypes.LICENSEE, '/forgotPassword');
+        return getHostedLoginUri(this.appMode, AuthTypes.LICENSEE, '/forgotPassword');
     }
 
     get isUsingMockApi(): boolean {
diff --git a/webroot/src/pages/PublicDashboard/PublicDashboard.spec.ts b/webroot/src/pages/PublicDashboard/PublicDashboard.spec.ts
index e086ed908..e52de7dc3 100644
--- a/webroot/src/pages/PublicDashboard/PublicDashboard.spec.ts
+++ b/webroot/src/pages/PublicDashboard/PublicDashboard.spec.ts
@@ -7,7 +7,12 @@
 
 import { mountShallow } from '@tests/helpers/setup';
 import PublicDashboard from '@pages/PublicDashboard/PublicDashboard.vue';
-import { AuthTypes, getCognitoConfig, getHostedLoginUri } from '@/app.config';
+import {
+    AppModes,
+    AuthTypes,
+    getCognitoConfig,
+    getHostedLoginUri
+} from '@/app.config';
 import { config as envConfig } from '@plugins/EnvConfig/envConfig.plugin';
 
 const chaiMatchPattern = require('chai-match-pattern');
@@ -22,15 +27,22 @@ describe('PublicDashboard page', async () => {
         expect(wrapper.exists()).to.equal(true);
         expect(wrapper.findComponent(PublicDashboard).exists()).to.equal(true);
     });
-    it('should use staff cognito config in app.config', async () => {
-        const cognitoConfig = getCognitoConfig(AuthTypes.STAFF);
+    it('should use staff cognito config in app.config (jcc)', async () => {
+        const cognitoConfig = getCognitoConfig(AppModes.JCC, AuthTypes.STAFF);
 
         expect(cognitoConfig.scopes).to.equal('email openid phone profile aws.cognito.signin.user.admin');
         expect(cognitoConfig.clientId).to.equal(envConfig.cognitoClientIdStaff);
         expect(cognitoConfig.authDomain).to.equal(envConfig.cognitoAuthDomainStaff);
     });
-    it('should use licensee cognito config in app.config', async () => {
-        const cognitoConfig = getCognitoConfig(AuthTypes.LICENSEE);
+    it('should use staff cognito config in app.config (cosmetology)', async () => {
+        const cognitoConfig = getCognitoConfig(AppModes.COSMETOLOGY, AuthTypes.STAFF);
+
+        expect(cognitoConfig.scopes).to.equal('email openid phone profile aws.cognito.signin.user.admin');
+        expect(cognitoConfig.clientId).to.equal(envConfig.cognitoClientIdStaffCosmo);
+        expect(cognitoConfig.authDomain).to.equal(envConfig.cognitoAuthDomainStaffCosmo);
+    });
+    it('should use licensee cognito config in app.config (jcc)', async () => {
+        const cognitoConfig = getCognitoConfig(AppModes.JCC, AuthTypes.LICENSEE);
 
         expect(cognitoConfig.scopes).to.equal('email openid phone profile aws.cognito.signin.user.admin');
         expect(cognitoConfig.clientId).to.equal(envConfig.cognitoClientIdLicensee);
diff --git a/webroot/src/pages/PublicDashboard/PublicDashboard.ts b/webroot/src/pages/PublicDashboard/PublicDashboard.ts
index 9c123d2cc..812104823 100644
--- a/webroot/src/pages/PublicDashboard/PublicDashboard.ts
+++ b/webroot/src/pages/PublicDashboard/PublicDashboard.ts
@@ -8,6 +8,7 @@
 import { Component, Vue } from 'vue-facing-decorator';
 import {
     authStorage,
+    AppModes,
     AuthTypes,
     getHostedLoginUri,
     AUTH_LOGIN_GOTO_PATH,
@@ -42,6 +43,10 @@ export default class DashboardPublic extends Vue {
     //
     // Computed
     //
+    get appMode(): AppModes {
+        return this.$store.state.appMode;
+    }
+
     get bypassQuery(): string {
         const bypass: string = (this.$route.query?.bypass as string) || '';
 
@@ -59,11 +64,11 @@ export default class DashboardPublic extends Vue {
     }
 
     get hostedLoginUriStaff(): string {
-        return getHostedLoginUri(AuthTypes.STAFF, this.hostedLoginUriPath);
+        return getHostedLoginUri(this.appMode, AuthTypes.STAFF, this.hostedLoginUriPath);
     }
 
     get hostedLoginUriLicensee(): string {
-        return getHostedLoginUri(AuthTypes.LICENSEE, this.hostedLoginUriPath);
+        return getHostedLoginUri(this.appMode, AuthTypes.LICENSEE, this.hostedLoginUriPath);
     }
 
     get isUsingMockApi(): boolean {
diff --git a/webroot/src/plugins/EnvConfig/envConfig.plugin.ts b/webroot/src/plugins/EnvConfig/envConfig.plugin.ts
index 820a686bb..d945e5895 100644
--- a/webroot/src/plugins/EnvConfig/envConfig.plugin.ts
+++ b/webroot/src/plugins/EnvConfig/envConfig.plugin.ts
@@ -45,6 +45,10 @@ export interface EnvConfig {
     apiUrlLicense?: string;
     apiUrlSearch?: string;
     apiUrlUser?: string;
+    apiUrlStateCosmo?: string;
+    apiUrlLicenseCosmo?: string;
+    apiUrlSearchCosmo?: string;
+    apiUrlUserCosmo?: string;
     apiUrlExample?: string;
     apiKeyExample?: string;
     cognitoRegion?: string;
@@ -52,6 +56,8 @@ export interface EnvConfig {
     cognitoClientIdStaff?: string;
     cognitoAuthDomainLicensee?: string;
     cognitoClientIdLicensee?: string;
+    cognitoAuthDomainStaffCosmo?: string;
+    cognitoClientIdStaffCosmo?: string;
     recaptchaKey?: string;
     statsigKey?: string;
     isStatsigDisabled?: boolean;
@@ -78,6 +84,10 @@ export const config: EnvConfig = {
     apiUrlLicense: context.VUE_APP_API_LICENSE_ROOT,
     apiUrlSearch: context.VUE_APP_API_SEARCH_ROOT,
     apiUrlUser: context.VUE_APP_API_USER_ROOT,
+    apiUrlStateCosmo: context.VUE_APP_API_STATE_ROOT_COSMO,
+    apiUrlLicenseCosmo: context.VUE_APP_API_LICENSE_ROOT_COSMO,
+    apiUrlSearchCosmo: context.VUE_APP_API_SEARCH_ROOT_COSMO,
+    apiUrlUserCosmo: context.VUE_APP_API_USER_ROOT_COSMO,
     apiUrlExample: '/api',
     apiKeyExample: 'example',
     cognitoRegion: context.VUE_APP_COGNITO_REGION,
@@ -85,6 +95,8 @@ export const config: EnvConfig = {
     cognitoClientIdStaff: context.VUE_APP_COGNITO_CLIENT_ID_STAFF,
     cognitoAuthDomainLicensee: context.VUE_APP_COGNITO_AUTH_DOMAIN_LICENSEE,
     cognitoClientIdLicensee: context.VUE_APP_COGNITO_CLIENT_ID_LICENSEE,
+    cognitoAuthDomainStaffCosmo: context.VUE_APP_COGNITO_AUTH_DOMAIN_STAFF_COSMO,
+    cognitoClientIdStaffCosmo: context.VUE_APP_COGNITO_CLIENT_ID_STAFF_COSMO,
     recaptchaKey: context.VUE_APP_RECAPTCHA_KEY,
     statsigKey: context.VUE_APP_STATSIG_KEY,
     isStatsigDisabled: (context.VUE_APP_STATSIG_DISABLED === 'true'),
diff --git a/webroot/src/store/global/global.actions.ts b/webroot/src/store/global/global.actions.ts
index d82f29be7..1d07e6b8c 100644
--- a/webroot/src/store/global/global.actions.ts
+++ b/webroot/src/store/global/global.actions.ts
@@ -30,6 +30,9 @@ export default {
     setModalIsLogoutOnly: ({ commit }, isLogoutOnly) => {
         commit(MutationTypes.SET_MODAL_LOGOUT_ONLY, isLogoutOnly);
     },
+    setAppMode: ({ commit }, mode) => {
+        commit(MutationTypes.SET_APP_MODE, mode);
+    },
     setAuthType: ({ commit }, type) => {
         commit(MutationTypes.SET_AUTH_TYPE, type);
     },
diff --git a/webroot/src/store/global/global.mutations.ts b/webroot/src/store/global/global.mutations.ts
index 9576b065b..04a7fb7d9 100644
--- a/webroot/src/store/global/global.mutations.ts
+++ b/webroot/src/store/global/global.mutations.ts
@@ -5,7 +5,7 @@
 //  Created by InspiringApps on 4/12/20.
 //
 
-import { AuthTypes } from '@/app.config';
+import { AuthTypes, AppModes } from '@/app.config';
 import { AppMessage } from '@/models/AppMessage/AppMessage.model';
 import { State } from './global.state';
 
@@ -19,6 +19,7 @@ export enum MutationTypes {
     STORE_RESET_GLOBAL = '[Global] Store reset',
     SET_MODAL_OPEN = '[Global] Modal isOpen set',
     SET_MODAL_LOGOUT_ONLY = '[Global] Modal isLogoutOnly set',
+    SET_APP_MODE = '[Global] App mode set',
     SET_AUTH_TYPE = '[Global] Auth type set',
     EXPAND_NAV_MENU = '[Global] Expand nav menu',
     COLLAPSE_NAV_MENU = '[Global] Collapse nav menu',
@@ -54,6 +55,9 @@ export default {
         state.isModalOpen = false;
         state.isModalLogoutOnly = false;
     },
+    [MutationTypes.SET_APP_MODE]: (state: State, mode: AppModes) => {
+        state.appMode = mode;
+    },
     [MutationTypes.SET_AUTH_TYPE]: (state: State, type: AuthTypes) => {
         state.authType = type;
     },
diff --git a/webroot/src/store/global/global.spec.ts b/webroot/src/store/global/global.spec.ts
index f3fdd758b..43d6921ec 100644
--- a/webroot/src/store/global/global.spec.ts
+++ b/webroot/src/store/global/global.spec.ts
@@ -5,7 +5,7 @@
 //  Created by InspiringApps on 4/12/20.
 //
 
-import { AuthTypes } from '@/app.config';
+import { AuthTypes, AppModes } from '@/app.config';
 import mutations, { MutationTypes } from './global.mutations';
 import actions from './global.actions';
 
@@ -99,6 +99,14 @@ describe('Global Store Mutations', () => {
 
         expect(state.isModalLogoutOnly).to.equal(isModalLogoutOnly);
     });
+    it('should successfully set app mode', () => {
+        const state = {};
+        const appMode = AppModes.JCC;
+
+        mutations[MutationTypes.SET_APP_MODE](state, appMode);
+
+        expect(state.appMode).to.equal(appMode);
+    });
     it('should successfully set auth type', () => {
         const state = {};
         const authType = AuthTypes.LICENSEE;
diff --git a/webroot/src/store/global/global.state.ts b/webroot/src/store/global/global.state.ts
index a100e9f4c..e6dea49bf 100644
--- a/webroot/src/store/global/global.state.ts
+++ b/webroot/src/store/global/global.state.ts
@@ -4,7 +4,7 @@
 //
 //  Created by InspiringApps on 4/12/20.
 //
-import { AuthTypes } from '@/app.config';
+import { AuthTypes, AppModes } from '@/app.config';
 import { AppMessage } from '@/models/AppMessage/AppMessage.model';
 
 export interface State {
@@ -13,6 +13,7 @@ export interface State {
     messages: Array<AppMessage>;
     isModalOpen: boolean;
     isModalLogoutOnly: boolean;
+    appMode: AppModes;
     authType: AuthTypes;
     isNavExpanded: boolean;
 }
@@ -23,6 +24,7 @@ export const state: State = {
     messages: [],
     isModalOpen: false,
     isModalLogoutOnly: false,
+    appMode: AppModes.JCC,
     authType: AuthTypes.PUBLIC,
     isNavExpanded: false,
 };
diff --git a/webroot/src/store/user/user.actions.ts b/webroot/src/store/user/user.actions.ts
index 081e60dbc..840e71034 100644
--- a/webroot/src/store/user/user.actions.ts
+++ b/webroot/src/store/user/user.actions.ts
@@ -9,6 +9,7 @@ import { dataApi } from '@network/data.api';
 import { config } from '@plugins/EnvConfig/envConfig.plugin';
 import {
     authStorage,
+    AppModes,
     AuthTypes,
     tokens,
     AUTH_TYPE,
@@ -235,13 +236,19 @@ export default {
             dispatch('setRefreshTokenTimeout', { refreshToken, expiresIn, authType });
         }
     },
-    setRefreshTokenTimeout: async ({ commit, dispatch }, { refreshToken, expiresIn, authType }) => {
+    setRefreshTokenTimeout: async ({ rootState, commit, dispatch }, { refreshToken, expiresIn, authType }) => {
+        const { appMode } = rootState;
         let cognitoClientId;
         let cognitoAuthDomain;
 
         if (authType === AuthTypes.STAFF) {
-            cognitoClientId = config.cognitoClientIdStaff;
-            cognitoAuthDomain = config.cognitoAuthDomainStaff;
+            if (appMode === AppModes.JCC) {
+                cognitoClientId = config.cognitoClientIdStaff;
+                cognitoAuthDomain = config.cognitoAuthDomainStaff;
+            } else if (appMode === AppModes.COSMETOLOGY) {
+                cognitoClientId = config.cognitoClientIdStaffCosmo;
+                cognitoAuthDomain = config.cognitoAuthDomainStaffCosmo;
+            }
         } else if (authType === AuthTypes.LICENSEE) {
             cognitoClientId = config.cognitoClientIdLicensee;
             cognitoAuthDomain = config.cognitoAuthDomainLicensee;
diff --git a/webroot/src/store/user/user.spec.ts b/webroot/src/store/user/user.spec.ts
index a5169e01c..fce3be555 100644
--- a/webroot/src/store/user/user.spec.ts
+++ b/webroot/src/store/user/user.spec.ts
@@ -9,6 +9,7 @@ import {
     authStorage,
     tokens,
     FeeTypes,
+    AppModes,
     AuthTypes
 } from '@/app.config';
 import chaiMatchPattern from 'chai-match-pattern';
@@ -742,25 +743,27 @@ describe('User Store Actions', async () => {
         expect(dispatch.calledOnce).to.equal(false);
     });
     it('should successfully set staff refresh token timeout', () => {
+        const rootState = { appMode: AppModes.JCC };
         const commit = sinon.spy();
         const dispatch = sinon.spy();
         const refreshToken = 'test_refresh_token';
         const expiresIn = 7200;
         const authType = 'staff';
 
-        actions.setRefreshTokenTimeout({ commit, dispatch }, { refreshToken, expiresIn, authType });
+        actions.setRefreshTokenTimeout({ rootState, commit, dispatch }, { refreshToken, expiresIn, authType });
 
         expect(commit.calledOnce).to.equal(true);
         expect(dispatch.calledOnce).to.equal(false);
     });
     it('should successfully set licensee refresh token timeout', () => {
+        const rootState = { appMode: AppModes.JCC };
         const commit = sinon.spy();
         const dispatch = sinon.spy();
         const refreshToken = 'test_refresh_token';
         const expiresIn = 7200;
         const authType = 'licensee';
 
-        actions.setRefreshTokenTimeout({ commit, dispatch }, { refreshToken, expiresIn, authType });
+        actions.setRefreshTokenTimeout({ rootState, commit, dispatch }, { refreshToken, expiresIn, authType });
 
         expect(commit.calledOnce).to.equal(true);
         expect(dispatch.calledOnce).to.equal(false);

From d36628002b6a2b04dba42d5a0dda40862825faa3 Mon Sep 17 00:00:00 2001
From: John Sandoval <john@inspiringapps.com>
Date: Thu, 5 Feb 2026 12:59:50 -0700
Subject: [PATCH 02/14] WIP: Cosmetology multi-backend scaffolding - Add debug
 component to nav that displays app-mode - @todo: Get actual .env values for
 API & cognito & begin smoke testing - @todo: Implement interceptors to
 evaluate which API to call - @todo: Update mock data with cosmo data & to
 handle app mode - @todo: Update ChangePassword component (if needed)

---
 webroot/.env.example                          |  4 ++--
 webroot/src/components/App/App.ts             | 15 ++++++++++++
 .../Page/PageMainNav/PageMainNav.less         |  7 ++++++
 .../Page/PageMainNav/PageMainNav.vue          |  3 +++
 .../pages/PublicDashboard/PublicDashboard.ts  | 23 +++++++++++++++---
 .../pages/PublicDashboard/PublicDashboard.vue | 22 +++++++++++++++++
 webroot/src/store/global/global.actions.ts    |  3 +++
 webroot/src/store/global/global.mutations.ts  |  4 ++++
 webroot/src/store/global/global.spec.ts       | 24 +++++++++++++++++++
 webroot/src/store/global/global.state.ts      |  2 ++
 10 files changed, 102 insertions(+), 5 deletions(-)

diff --git a/webroot/.env.example b/webroot/.env.example
index cb10af5c8..6dc53a14c 100644
--- a/webroot/.env.example
+++ b/webroot/.env.example
@@ -16,8 +16,8 @@ VUE_APP_COGNITO_AUTH_DOMAIN_STAFF=https://staff-auth.test.jcc.iaapi.io
 VUE_APP_COGNITO_CLIENT_ID_STAFF=15mh24ea4af3of8jcnv8h2ic10
 VUE_APP_COGNITO_AUTH_DOMAIN_LICENSEE=https://licensee-auth.test.jcc.iaapi.io
 VUE_APP_COGNITO_CLIENT_ID_LICENSEE=2uv8d9iom5tq8onicri9akot3r
-VUE_APP_COGNITO_AUTH_DOMAIN_STAFF_COSMO=https://staff-auth.test.cosmo.iaapi.io
-VUE_APP_COGNITO_CLIENT_ID_STAFF_COSMO=TODO
+VUE_APP_COGNITO_AUTH_DOMAIN_STAFF_COSMO=https://staff-auth.test.cosmetology.jcc.iaapi.io
+VUE_APP_COGNITO_CLIENT_ID_STAFF_COSMO=42km9ho786d28dp812j88kvscq
 VUE_APP_RECAPTCHA_KEY=6Le-3bgqAAAAAILDVUKkRnAF9SSzb8o9uv5lY7Ih
 VUE_APP_STATSIG_KEY=TODO
 VUE_APP_STATSIG_DISABLED=false
diff --git a/webroot/src/components/App/App.ts b/webroot/src/components/App/App.ts
index e0a1bf983..2a90f6c8a 100644
--- a/webroot/src/components/App/App.ts
+++ b/webroot/src/components/App/App.ts
@@ -26,6 +26,8 @@ import AutoLogout from '@components/AutoLogout/AutoLogout.vue';
 import { StatsigUser } from '@statsig/js-client';
 import moment from 'moment';
 
+const appWindow = window as any;
+
 @Component({
     name: 'App',
     components: {
@@ -56,6 +58,7 @@ class App extends Vue {
 
         this.setRelativeTimeFormats();
         this.setFeatureGateRefetchInterval();
+        this.addAppModeDebugger();
     }
 
     async beforeUnmount() {
@@ -223,6 +226,18 @@ class App extends Vue {
         this.$store.dispatch('clearMessages');
     }
 
+    addAppModeDebugger(): void {
+        appWindow.ccModeToggle = () => {
+            if (this.globalStore.isAppModeDisplayed) {
+                this.$store.dispatch('setAppModeDisplay', false);
+                console.log('CompactConnect app mode display: DISABLED');
+            } else {
+                this.$store.dispatch('setAppModeDisplay', true);
+                console.log('CompactConnect app mode display: ENABLED');
+            }
+        };
+    }
+
     //
     // Watchers
     //
diff --git a/webroot/src/components/Page/PageMainNav/PageMainNav.less b/webroot/src/components/Page/PageMainNav/PageMainNav.less
index 5a80e8ada..53a44a93f 100644
--- a/webroot/src/components/Page/PageMainNav/PageMainNav.less
+++ b/webroot/src/components/Page/PageMainNav/PageMainNav.less
@@ -157,4 +157,11 @@
         background-color: fade(@white, 50%);
         transition: width @navAnimation;
     }
+
+    .app-mode {
+        display: flex;
+        width: 100%;
+        padding: 0.4rem;
+        background-color: @midGrey;
+    }
 }
diff --git a/webroot/src/components/Page/PageMainNav/PageMainNav.vue b/webroot/src/components/Page/PageMainNav/PageMainNav.vue
index 7e1b4024e..9f3121388 100644
--- a/webroot/src/components/Page/PageMainNav/PageMainNav.vue
+++ b/webroot/src/components/Page/PageMainNav/PageMainNav.vue
@@ -71,6 +71,9 @@
                 :hideIfNotMultiple="true"
             />
         </div>
+        <div v-if="$store.state.isAppModeDisplayed" class="app-mode">
+            App mode: {{ $store.state.appMode }}
+        </div>
         <div v-if="isLoggedIn" class="separator"></div>
         <ul
             class="nav my-nav"
diff --git a/webroot/src/pages/PublicDashboard/PublicDashboard.ts b/webroot/src/pages/PublicDashboard/PublicDashboard.ts
index 812104823..fe4c460cf 100644
--- a/webroot/src/pages/PublicDashboard/PublicDashboard.ts
+++ b/webroot/src/pages/PublicDashboard/PublicDashboard.ts
@@ -64,11 +64,15 @@ export default class DashboardPublic extends Vue {
     }
 
     get hostedLoginUriStaff(): string {
-        return getHostedLoginUri(this.appMode, AuthTypes.STAFF, this.hostedLoginUriPath);
+        return getHostedLoginUri(AppModes.JCC, AuthTypes.STAFF, this.hostedLoginUriPath);
+    }
+
+    get hostedLoginUriStaffCosmo(): string {
+        return getHostedLoginUri(AppModes.COSMETOLOGY, AuthTypes.STAFF, this.hostedLoginUriPath);
     }
 
     get hostedLoginUriLicensee(): string {
-        return getHostedLoginUri(this.appMode, AuthTypes.LICENSEE, this.hostedLoginUriPath);
+        return getHostedLoginUri(AppModes.JCC, AuthTypes.LICENSEE, this.hostedLoginUriPath);
     }
 
     get isUsingMockApi(): boolean {
@@ -83,6 +87,9 @@ export default class DashboardPublic extends Vue {
         case 'login-staff':
             this.bypassToStaffLogin();
             break;
+        case 'login-staff-cosmo':
+            this.bypassToStaffLoginCosmo();
+            break;
         case 'login-practitioner':
             this.bypassToLicenseeLogin();
             break;
@@ -103,6 +110,15 @@ export default class DashboardPublic extends Vue {
         }
     }
 
+    bypassToStaffLoginCosmo(): void {
+        if (this.isUsingMockApi) {
+            this.mockStaffLogin(AppModes.COSMETOLOGY);
+        } else {
+            this.$store.dispatch('startLoading');
+            window.location.replace(this.hostedLoginUriStaffCosmo);
+        }
+    }
+
     bypassToLicenseeLogin(): void {
         if (this.isUsingMockApi) {
             this.mockLicenseeLogin();
@@ -125,7 +141,7 @@ export default class DashboardPublic extends Vue {
         });
     }
 
-    async mockStaffLogin(): Promise<void> {
+    async mockStaffLogin(appMode = AppModes.JCC): Promise<void> {
         const goto = authStorage.getItem(AUTH_LOGIN_GOTO_PATH);
         const gotoAuthType = authStorage.getItem(AUTH_LOGIN_GOTO_PATH_AUTH_TYPE);
         const data = {
@@ -140,6 +156,7 @@ export default class DashboardPublic extends Vue {
         authStorage.removeItem(AUTH_LOGIN_GOTO_PATH_AUTH_TYPE);
         await this.$store.dispatch('user/updateAuthTokens', { tokenResponse: data, authType: AuthTypes.STAFF });
         this.$store.dispatch('user/loginSuccess', AuthTypes.STAFF);
+        this.$store.dispatch('setAppMode', appMode);
 
         if (goto && (!gotoAuthType || gotoAuthType === AuthTypes.STAFF)) {
             this.$router.push({ path: goto });
diff --git a/webroot/src/pages/PublicDashboard/PublicDashboard.vue b/webroot/src/pages/PublicDashboard/PublicDashboard.vue
index e9727385f..747eae50d 100644
--- a/webroot/src/pages/PublicDashboard/PublicDashboard.vue
+++ b/webroot/src/pages/PublicDashboard/PublicDashboard.vue
@@ -76,6 +76,28 @@
                 <StaffUserIcon class="login-icon" />
                 {{ $t('navigation.loginAsStaff') }}
             </div>
+
+            <a
+                v-if="!isUsingMockApi"
+                :href="hostedLoginUriStaffCosmo"
+                class="login-link small"
+                rel="noopener noreferrer"
+            >
+                <StaffUserIcon class="login-icon" />
+                {{ $t('navigation.loginAsStaff') }} COSMO
+            </a>
+            <div
+                v-else
+                class="login-link small"
+                @click="bypassToStaffLoginCosmo"
+                @keyup.enter="bypassToStaffLoginCosmo"
+                tabindex="0"
+                role="button"
+                :aria-label="$t('navigation.loginAsStaff')"
+            >
+                <StaffUserIcon class="login-icon" />
+                {{ $t('navigation.loginAsStaff') }} COSMO
+            </div>
         </div>
         </div>
         <div class="dashboard-footer">
diff --git a/webroot/src/store/global/global.actions.ts b/webroot/src/store/global/global.actions.ts
index 1d07e6b8c..64d930ee8 100644
--- a/webroot/src/store/global/global.actions.ts
+++ b/webroot/src/store/global/global.actions.ts
@@ -33,6 +33,9 @@ export default {
     setAppMode: ({ commit }, mode) => {
         commit(MutationTypes.SET_APP_MODE, mode);
     },
+    setAppModeDisplay: ({ commit }, isDisplayed) => {
+        commit(MutationTypes.SET_APP_MODE_DISPLAY, isDisplayed);
+    },
     setAuthType: ({ commit }, type) => {
         commit(MutationTypes.SET_AUTH_TYPE, type);
     },
diff --git a/webroot/src/store/global/global.mutations.ts b/webroot/src/store/global/global.mutations.ts
index 04a7fb7d9..8ca866422 100644
--- a/webroot/src/store/global/global.mutations.ts
+++ b/webroot/src/store/global/global.mutations.ts
@@ -20,6 +20,7 @@ export enum MutationTypes {
     SET_MODAL_OPEN = '[Global] Modal isOpen set',
     SET_MODAL_LOGOUT_ONLY = '[Global] Modal isLogoutOnly set',
     SET_APP_MODE = '[Global] App mode set',
+    SET_APP_MODE_DISPLAY = '[Global] App mode displayed set',
     SET_AUTH_TYPE = '[Global] Auth type set',
     EXPAND_NAV_MENU = '[Global] Expand nav menu',
     COLLAPSE_NAV_MENU = '[Global] Collapse nav menu',
@@ -58,6 +59,9 @@ export default {
     [MutationTypes.SET_APP_MODE]: (state: State, mode: AppModes) => {
         state.appMode = mode;
     },
+    [MutationTypes.SET_APP_MODE_DISPLAY]: (state: State, isDisplayed: boolean) => {
+        state.isAppModeDisplayed = isDisplayed;
+    },
     [MutationTypes.SET_AUTH_TYPE]: (state: State, type: AuthTypes) => {
         state.authType = type;
     },
diff --git a/webroot/src/store/global/global.spec.ts b/webroot/src/store/global/global.spec.ts
index 43d6921ec..ae6cdeded 100644
--- a/webroot/src/store/global/global.spec.ts
+++ b/webroot/src/store/global/global.spec.ts
@@ -107,6 +107,13 @@ describe('Global Store Mutations', () => {
 
         expect(state.appMode).to.equal(appMode);
     });
+    it('should successfully set app mode display', () => {
+        const state = {};
+
+        mutations[MutationTypes.SET_APP_MODE_DISPLAY](state, true);
+
+        expect(state.isAppModeDisplayed).to.equal(true);
+    });
     it('should successfully set auth type', () => {
         const state = {};
         const authType = AuthTypes.LICENSEE;
@@ -190,6 +197,23 @@ describe('Global Store Actions', () => {
         expect(commit.calledOnce).to.equal(true);
         expect(commit.firstCall.args).to.matchPattern([MutationTypes.SET_MODAL_LOGOUT_ONLY, isLogoutOnly]);
     });
+    it('should successfully set app mode', () => {
+        const commit = sinon.spy();
+        const appMode = AppModes.JCC;
+
+        actions.setAppMode({ commit }, appMode);
+
+        expect(commit.calledOnce).to.equal(true);
+        expect(commit.firstCall.args).to.matchPattern([MutationTypes.SET_APP_MODE, appMode]);
+    });
+    it('should successfully set app mode display', () => {
+        const commit = sinon.spy();
+
+        actions.setAppModeDisplay({ commit }, true);
+
+        expect(commit.calledOnce).to.equal(true);
+        expect(commit.firstCall.args).to.matchPattern([MutationTypes.SET_APP_MODE_DISPLAY, true]);
+    });
     it('should successfully set auth type', () => {
         const commit = sinon.spy();
         const authType = AuthTypes.LICENSEE;
diff --git a/webroot/src/store/global/global.state.ts b/webroot/src/store/global/global.state.ts
index e6dea49bf..ca6110b3a 100644
--- a/webroot/src/store/global/global.state.ts
+++ b/webroot/src/store/global/global.state.ts
@@ -14,6 +14,7 @@ export interface State {
     isModalOpen: boolean;
     isModalLogoutOnly: boolean;
     appMode: AppModes;
+    isAppModeDisplayed: boolean;
     authType: AuthTypes;
     isNavExpanded: boolean;
 }
@@ -25,6 +26,7 @@ export const state: State = {
     isModalOpen: false,
     isModalLogoutOnly: false,
     appMode: AppModes.JCC,
+    isAppModeDisplayed: true, // @TODO
     authType: AuthTypes.PUBLIC,
     isNavExpanded: false,
 };

From 858c4abcbc68a324ab9ae852be23d05d6dc03e7e Mon Sep 17 00:00:00 2001
From: John Sandoval <john@inspiringapps.com>
Date: Thu, 5 Feb 2026 17:36:08 -0700
Subject: [PATCH 03/14] WIP: Cosmetology multi-backend scaffolding - Get actual
 .env values for API & cognito & begin smoke testing - Implement initial
 interceptors switch - @todo: Continue smoke testing - @todo: Update mock data
 with cosmo data & to handle app mode - @todo: Update ChangePassword component
 (if needed)

---
 webroot/src/app.config.ts                     | 20 +++++++++--
 webroot/src/components/App/App.ts             |  7 +++-
 .../StateSettingsList/StateSettingsList.ts    |  2 +-
 webroot/src/main.ts                           |  4 +--
 webroot/src/network/data.api.ts               | 11 ++++---
 webroot/src/network/licenseApi/data.api.ts    |  9 ++---
 .../src/network/licenseApi/interceptors.ts    | 12 +++++--
 webroot/src/network/mocks/mock.data.api.ts    | 23 +++++++------
 webroot/src/network/mocks/mock.data.ts        | 33 +++++++++++++++++++
 webroot/src/network/searchApi/data.api.ts     |  5 +--
 webroot/src/network/searchApi/interceptors.ts | 12 +++++--
 webroot/src/network/stateApi/data.api.ts      |  9 ++---
 webroot/src/network/stateApi/interceptors.ts  | 12 +++++--
 webroot/src/network/userApi/data.api.ts       |  9 ++---
 webroot/src/network/userApi/interceptors.ts   | 12 +++++--
 .../src/pages/AuthCallback/AuthCallback.ts    |  7 +---
 .../pages/PublicDashboard/PublicDashboard.ts  |  7 ++--
 .../pages/PublicDashboard/PublicDashboard.vue |  4 +--
 webroot/src/router/index.ts                   | 22 +++++++++++--
 19 files changed, 163 insertions(+), 57 deletions(-)

diff --git a/webroot/src/app.config.ts b/webroot/src/app.config.ts
index e3d4a750d..2978ce2a3 100644
--- a/webroot/src/app.config.ts
+++ b/webroot/src/app.config.ts
@@ -25,6 +25,12 @@ export enum AuthTypes {
     PUBLIC = 'public',
 }
 
+export enum CognitoStateTypes {
+    STAFF_JCC = 'staff',
+    STAFF_COSMETOLOGY = 'staff-cosmo',
+    LICENSEE_JCC = 'licensee',
+}
+
 export const staffLoginScopes = 'email openid phone profile aws.cognito.signin.user.admin';
 export const licenseeLoginScopes = 'email openid phone profile aws.cognito.signin.user.admin';
 
@@ -32,12 +38,14 @@ export type CognitoConfig = {
     scopes: string;
     clientId: string;
     authDomain: string;
+    state: string;
 };
 export const getCognitoConfig = (appMode: AppModes, authType: AuthTypes): CognitoConfig => {
     const config: CognitoConfig = {
         scopes: '',
         clientId: '',
         authDomain: '',
+        state: '',
     };
 
     switch (authType) {
@@ -45,6 +53,7 @@ export const getCognitoConfig = (appMode: AppModes, authType: AuthTypes): Cognit
         config.scopes = staffLoginScopes;
 
         if (appMode === AppModes.JCC) {
+            config.state = CognitoStateTypes.STAFF_JCC;
             if (envConfig.cognitoClientIdStaff) {
                 config.clientId = envConfig.cognitoClientIdStaff;
             }
@@ -52,6 +61,7 @@ export const getCognitoConfig = (appMode: AppModes, authType: AuthTypes): Cognit
                 config.authDomain = envConfig.cognitoAuthDomainStaff;
             }
         } else if (appMode === AppModes.COSMETOLOGY) {
+            config.state = CognitoStateTypes.STAFF_COSMETOLOGY;
             if (envConfig.cognitoClientIdStaffCosmo) {
                 config.clientId = envConfig.cognitoClientIdStaffCosmo;
             }
@@ -63,6 +73,7 @@ export const getCognitoConfig = (appMode: AppModes, authType: AuthTypes): Cognit
         break;
     case AuthTypes.LICENSEE:
         config.scopes = licenseeLoginScopes;
+        config.state = CognitoStateTypes.LICENSEE_JCC;
         if (envConfig.cognitoClientIdLicensee) {
             config.clientId = envConfig.cognitoClientIdLicensee;
         }
@@ -79,12 +90,17 @@ export const getCognitoConfig = (appMode: AppModes, authType: AuthTypes): Cognit
 
 export const getHostedLoginUri = (appMode: AppModes, authType: AuthTypes, hostedIdpPath = '/login'): string => {
     const { domain } = envConfig;
-    const { scopes, clientId, authDomain } = getCognitoConfig(appMode, authType);
+    const {
+        scopes,
+        clientId,
+        authDomain,
+        state
+    } = getCognitoConfig(appMode, authType);
     const loginUriQuery = [
         `?client_id=${clientId}`,
         `&response_type=code`,
         `&scope=${encodeURIComponent(scopes)}`,
-        `&state=${authType}`,
+        `&state=${state}`,
         `&redirect_uri=${encodeURIComponent(`${domain}/auth/callback`)}`,
     ].join('');
     const loginUri = `${authDomain}${hostedIdpPath}${loginUriQuery}`;
diff --git a/webroot/src/components/App/App.ts b/webroot/src/components/App/App.ts
index 2a90f6c8a..c1f3c3f59 100644
--- a/webroot/src/components/App/App.ts
+++ b/webroot/src/components/App/App.ts
@@ -50,6 +50,7 @@ class App extends Vue {
     // Lifecycle
     //
     async created() {
+        await this.$router.isReady();
         this.setAppModeFromCompact(this.routeCompactType);
 
         if (this.userStore.isLoggedIn) {
@@ -102,6 +103,8 @@ class App extends Vue {
     async handleAuth() {
         const authType = this.setAuthType();
 
+        this.setAppModeFromCompact(this.routeCompactType);
+
         if (authType !== AuthTypes.PUBLIC) {
             this.$store.dispatch('user/startRefreshTokenTimer', authType);
             await this.getAccount();
@@ -110,10 +113,12 @@ class App extends Vue {
     }
 
     setAppModeFromCompact(compact: CompactType | null): void {
-        let appMode = AppModes.JCC;
+        let { appMode } = this.globalStore;
 
         if (compact === CompactType.COSMETOLOGY) {
             appMode = AppModes.COSMETOLOGY;
+        } else {
+            appMode = AppModes.JCC;
         }
 
         if (this.globalStore.appMode !== appMode) {
diff --git a/webroot/src/components/StateSettingsList/StateSettingsList.ts b/webroot/src/components/StateSettingsList/StateSettingsList.ts
index 6273243a9..caca88462 100644
--- a/webroot/src/components/StateSettingsList/StateSettingsList.ts
+++ b/webroot/src/components/StateSettingsList/StateSettingsList.ts
@@ -188,7 +188,7 @@ class StateSettingsList extends mixins(MixinForm) {
 
             this.initialCompactConfig = compactConfig;
 
-            if (Array.isArray(compactConfig.configuredStates)) {
+            if (Array.isArray(compactConfig?.configuredStates)) {
                 this.compactConfigStates = [];
                 compactConfig.configuredStates.forEach((serverState) => {
                     this.compactConfigStates.push({
diff --git a/webroot/src/main.ts b/webroot/src/main.ts
index 27d707608..276c87c34 100644
--- a/webroot/src/main.ts
+++ b/webroot/src/main.ts
@@ -31,8 +31,8 @@ import './registerServiceWorker';
     // Enable vue-devtools. Can make environment-specific if needed.
     app.config.performance = true;
 
-    // Inject router into API interceptors (avoids circular dependency)
-    network.dataApi.initInterceptors(router);
+    // Inject modules into API interceptors (avoids circular dependency)
+    network.dataApi.initInterceptors(router, store);
 
     //
     // ALLOW ACCESS TO VUE INSTANCE SERVICES
diff --git a/webroot/src/network/data.api.ts b/webroot/src/network/data.api.ts
index 834034eda..1adcd6137 100644
--- a/webroot/src/network/data.api.ts
+++ b/webroot/src/network/data.api.ts
@@ -16,12 +16,13 @@ export class DataApi {
     /**
      * Initialize API Axios interceptors with injected store context.
      * @param {Router} router
+     * @param {Store} store
      */
-    public initInterceptors(router) {
-        stateDataApi.initInterceptors(router);
-        licenseDataApi.initInterceptors(router);
-        searchDataApi.initInterceptors(router);
-        userDataApi.initInterceptors(router);
+    public initInterceptors(router, store) {
+        stateDataApi.initInterceptors(router, store);
+        licenseDataApi.initInterceptors(router, store);
+        searchDataApi.initInterceptors(router, store);
+        userDataApi.initInterceptors(router, store);
         exampleDataApi.initInterceptors(router);
     }
 
diff --git a/webroot/src/network/licenseApi/data.api.ts b/webroot/src/network/licenseApi/data.api.ts
index 51eae511f..9096a7c1b 100644
--- a/webroot/src/network/licenseApi/data.api.ts
+++ b/webroot/src/network/licenseApi/data.api.ts
@@ -84,13 +84,14 @@ export class LicenseDataApi implements DataApiInterface {
     /**
      * Attach Axios interceptors with injected contexts.
      * https://github.com/axios/axios#interceptors
-     * @param {Store} store
+     * @param {Router} router
+     * @param {Store}  store
      */
-    public initInterceptors(store) {
-        const requestSuccessInterceptor = requestSuccess();
+    public initInterceptors(router, store) {
+        const requestSuccessInterceptor = requestSuccess(store);
         const requestErrorInterceptor = requestError();
         const responseSuccessInterceptor = responseSuccess();
-        const responseErrorInterceptor = responseError(store);
+        const responseErrorInterceptor = responseError(router);
 
         // Request Interceptors
         this.api.interceptors.request.use(
diff --git a/webroot/src/network/licenseApi/interceptors.ts b/webroot/src/network/licenseApi/interceptors.ts
index 748832fd0..06d34bc6d 100644
--- a/webroot/src/network/licenseApi/interceptors.ts
+++ b/webroot/src/network/licenseApi/interceptors.ts
@@ -4,25 +4,33 @@
 //
 //  Created by InspiringApps on 6/18/24.
 //
-import { authStorage, tokens } from '@/app.config';
+import { AppModes, authStorage, tokens } from '@/app.config';
+import { config as envConfig } from '@plugins/EnvConfig/envConfig.plugin';
 
 // ============================================================================
 // =                           REQUEST INTERCEPTORS                           =
 // ============================================================================
 /**
  * Get Axios API request interceptor.
+ * @param  {Store} store
  * @return {AxiosInterceptor} Function that amends the outgoing client API request.
  */
-export const requestSuccess = () => async (requestConfig) => {
+export const requestSuccess = (store) => async (requestConfig) => {
     const authTokenStaff = authStorage.getItem(tokens.staff.AUTH_TOKEN);
     const authTokenStaffType = authStorage.getItem(tokens.staff.AUTH_TOKEN_TYPE);
     const authTokenLicensee = authStorage.getItem(tokens.licensee.ID_TOKEN);
     const authTokenLicenseeType = authStorage.getItem(tokens.licensee.AUTH_TOKEN_TYPE);
+    const appMode = store?.state?.appMode;
     const { headers } = requestConfig;
 
     // Add auth token
     headers.Authorization = `${authTokenStaffType || authTokenLicenseeType} ${authTokenStaff || authTokenLicensee}`;
 
+    // Update base url for different compacts / app modes
+    if (appMode === AppModes.COSMETOLOGY) {
+        requestConfig.baseURL = envConfig.apiUrlLicenseCosmo;
+    }
+
     return requestConfig;
 };
 
diff --git a/webroot/src/network/mocks/mock.data.api.ts b/webroot/src/network/mocks/mock.data.api.ts
index 92ddbe103..00cb0a3b4 100644
--- a/webroot/src/network/mocks/mock.data.api.ts
+++ b/webroot/src/network/mocks/mock.data.api.ts
@@ -6,7 +6,7 @@
 //
 
 import { config as envConfig } from '@plugins/EnvConfig/envConfig.plugin';
-import { FeatureGates } from '@/app.config';
+import { AppModes, FeatureGates } from '@/app.config';
 import { LicenseeSerializer } from '@models/Licensee/Licensee.model';
 import { LicenseHistoryItem, LicenseHistoryItemSerializer } from '@/models/LicenseHistoryItem/LicenseHistoryItem.model';
 import { LicenseeUserSerializer } from '@models/LicenseeUser/LicenseeUser.model';
@@ -37,13 +37,9 @@ import {
 let mockStore: any = null;
 
 const initMockStore = (store) => {
-    if (mockStore) {
-        return mockStore;
+    if (store && !mockStore) {
+        mockStore = store;
     }
-
-    mockStore = store;
-
-    return mockStore;
 };
 
 // Authenticated provider index for the current session
@@ -80,9 +76,8 @@ const wait = (ms = 0) => new Promise((resolve) => {
 
 export class DataApi {
     // Init interceptors
-    public initInterceptors(store) {
+    public initInterceptors(router, store) {
         initMockStore(store);
-        return true;
     }
 
     // ========================================================================
@@ -608,7 +603,15 @@ export class DataApi {
 
     // Get Authenticated Staff User
     public getAuthenticatedStaffUser() {
-        return wait(500).then(() => StaffUserSerializer.fromServer(staffAccount));
+        const account = JSON.parse(JSON.stringify(staffAccount));
+
+        if (mockStore?.state?.appMode === AppModes.COSMETOLOGY) {
+            delete account.permissions.octp;
+            delete account.permissions.aslp;
+            delete account.permissions.coun;
+        }
+
+        return wait(500).then(() => StaffUserSerializer.fromServer(account));
     }
 
     // Update Authenticated Staff User
diff --git a/webroot/src/network/mocks/mock.data.ts b/webroot/src/network/mocks/mock.data.ts
index 257904cf4..618f47ebd 100644
--- a/webroot/src/network/mocks/mock.data.ts
+++ b/webroot/src/network/mocks/mock.data.ts
@@ -161,6 +161,39 @@ export const staffAccount = {
                 },
             },
         },
+        cosm: {
+            actions: {
+                admin: true,
+                readPrivate: true,
+                readSsn: true,
+            },
+            jurisdictions: {
+                al: {
+                    actions: {
+                        admin: true,
+                        write: true,
+                        readPrivate: true,
+                        readSsn: true,
+                    },
+                },
+                co: {
+                    actions: {
+                        admin: true,
+                        write: true,
+                        readPrivate: true,
+                        readSsn: true,
+                    },
+                },
+                ky: {
+                    actions: {
+                        admin: true,
+                        write: true,
+                        readPrivate: true,
+                        readSsn: true,
+                    },
+                },
+            },
+        },
     },
 };
 
diff --git a/webroot/src/network/searchApi/data.api.ts b/webroot/src/network/searchApi/data.api.ts
index 702e7d1be..96a57f0f9 100644
--- a/webroot/src/network/searchApi/data.api.ts
+++ b/webroot/src/network/searchApi/data.api.ts
@@ -100,9 +100,10 @@ export class SearchDataApi implements DataApiInterface {
      * Attach Axios interceptors with injected contexts.
      * https://github.com/axios/axios#interceptors
      * @param {Router} router
+     * @param {Store}  store
      */
-    public initInterceptors(router) {
-        const requestSuccessInterceptor = requestSuccess();
+    public initInterceptors(router, store) {
+        const requestSuccessInterceptor = requestSuccess(store);
         const requestErrorInterceptor = requestError();
         const responseSuccessInterceptor = responseSuccess();
         const responseErrorInterceptor = responseError(router);
diff --git a/webroot/src/network/searchApi/interceptors.ts b/webroot/src/network/searchApi/interceptors.ts
index 69652aa85..f0d7a30f9 100644
--- a/webroot/src/network/searchApi/interceptors.ts
+++ b/webroot/src/network/searchApi/interceptors.ts
@@ -4,25 +4,33 @@
 //
 //  Created by InspiringApps on 12/15/25.
 //
-import { authStorage, tokens } from '@/app.config';
+import { AppModes, authStorage, tokens } from '@/app.config';
+import { config as envConfig } from '@plugins/EnvConfig/envConfig.plugin';
 
 // ============================================================================
 // =                           REQUEST INTERCEPTORS                           =
 // ============================================================================
 /**
  * Get Axios API request interceptor.
+ * @param  {Store} store
  * @return {AxiosInterceptor} Function that amends the outgoing client API request.
  */
-export const requestSuccess = () => async (requestConfig) => {
+export const requestSuccess = (store) => async (requestConfig) => {
     const authTokenStaff = authStorage.getItem(tokens.staff.AUTH_TOKEN);
     const authTokenStaffType = authStorage.getItem(tokens.staff.AUTH_TOKEN_TYPE);
     const authTokenLicensee = authStorage.getItem(tokens.licensee.ID_TOKEN);
     const authTokenLicenseeType = authStorage.getItem(tokens.licensee.AUTH_TOKEN_TYPE);
+    const appMode = store?.state?.appMode;
     const { headers } = requestConfig;
 
     // Add auth token
     headers.Authorization = `${authTokenStaffType || authTokenLicenseeType} ${authTokenStaff || authTokenLicensee}`;
 
+    // Update base url for different compacts / app modes
+    if (appMode === AppModes.COSMETOLOGY) {
+        requestConfig.baseURL = envConfig.apiUrlSearchCosmo;
+    }
+
     return requestConfig;
 };
 
diff --git a/webroot/src/network/stateApi/data.api.ts b/webroot/src/network/stateApi/data.api.ts
index b962fa0b6..22b594f96 100644
--- a/webroot/src/network/stateApi/data.api.ts
+++ b/webroot/src/network/stateApi/data.api.ts
@@ -46,13 +46,14 @@ export class StateDataApi implements DataApiInterface {
     /**
      * Attach Axios interceptors with injected contexts.
      * https://github.com/axios/axios#interceptors
-     * @param {Store} store
+     * @param {Router} router
+     * @param {Store}  store
      */
-    public initInterceptors(store) {
-        const requestSuccessInterceptor = requestSuccess();
+    public initInterceptors(router, store) {
+        const requestSuccessInterceptor = requestSuccess(store);
         const requestErrorInterceptor = requestError();
         const responseSuccessInterceptor = responseSuccess();
-        const responseErrorInterceptor = responseError(store);
+        const responseErrorInterceptor = responseError(router);
 
         // Request Interceptors
         this.api.interceptors.request.use(
diff --git a/webroot/src/network/stateApi/interceptors.ts b/webroot/src/network/stateApi/interceptors.ts
index 130e448b5..d5ee529a2 100644
--- a/webroot/src/network/stateApi/interceptors.ts
+++ b/webroot/src/network/stateApi/interceptors.ts
@@ -4,23 +4,31 @@
 //
 //  Created by InspiringApps on 6/18/24.
 //
-import { authStorage, tokens } from '@/app.config';
+import { AppModes, authStorage, tokens } from '@/app.config';
+import { config as envConfig } from '@plugins/EnvConfig/envConfig.plugin';
 
 // ============================================================================
 // =                           REQUEST INTERCEPTORS                           =
 // ============================================================================
 /**
  * Get Axios API request interceptor.
+ * @param  {Store} store
  * @return {AxiosInterceptor} Function that amends the outgoing client API request.
  */
-export const requestSuccess = () => async (requestConfig) => {
+export const requestSuccess = (store) => async (requestConfig) => {
     const authToken = authStorage.getItem(tokens.staff.AUTH_TOKEN);
     const authTokenType = authStorage.getItem(tokens.staff.AUTH_TOKEN_TYPE);
+    const appMode = store?.state?.appMode;
     const { headers } = requestConfig;
 
     // Add auth token
     headers.Authorization = `${authTokenType} ${authToken}`;
 
+    // Update base url for different compacts / app modes
+    if (appMode === AppModes.COSMETOLOGY) {
+        requestConfig.baseURL = envConfig.apiUrlStateCosmo;
+    }
+
     return requestConfig;
 };
 
diff --git a/webroot/src/network/userApi/data.api.ts b/webroot/src/network/userApi/data.api.ts
index 60378bc2a..991547fad 100644
--- a/webroot/src/network/userApi/data.api.ts
+++ b/webroot/src/network/userApi/data.api.ts
@@ -63,13 +63,14 @@ export class UserDataApi implements DataApiInterface {
     /**
      * Attach Axios interceptors with injected contexts.
      * https://github.com/axios/axios#interceptors
-     * @param {Store} store
+     * @param {Router} router
+     * @param {Store}  store
      */
-    public initInterceptors(store) {
-        const requestSuccessInterceptor = requestSuccess();
+    public initInterceptors(router, store) {
+        const requestSuccessInterceptor = requestSuccess(store);
         const requestErrorInterceptor = requestError();
         const responseSuccessInterceptor = responseSuccess();
-        const responseErrorInterceptor = responseError(store);
+        const responseErrorInterceptor = responseError(router);
 
         // Request Interceptors
         this.api.interceptors.request.use(
diff --git a/webroot/src/network/userApi/interceptors.ts b/webroot/src/network/userApi/interceptors.ts
index 06eb0e9e6..152b21219 100644
--- a/webroot/src/network/userApi/interceptors.ts
+++ b/webroot/src/network/userApi/interceptors.ts
@@ -4,25 +4,33 @@
 //
 //  Created by InspiringApps on 6/18/24.
 //
-import { authStorage, tokens } from '@/app.config';
+import { AppModes, authStorage, tokens } from '@/app.config';
+import { config as envConfig } from '@plugins/EnvConfig/envConfig.plugin';
 
 // ============================================================================
 // =                           REQUEST INTERCEPTORS                           =
 // ============================================================================
 /**
  * Get Axios API request interceptor.
+ * @param  {Store} store
  * @return {AxiosInterceptor} Function that amends the outgoing client API request.
  */
-export const requestSuccess = () => async (requestConfig) => {
+export const requestSuccess = (store) => async (requestConfig) => {
     const authTokenStaff = authStorage.getItem(tokens.staff.AUTH_TOKEN);
     const authTokenStaffType = authStorage.getItem(tokens.staff.AUTH_TOKEN_TYPE);
     const authTokenLicensee = authStorage.getItem(tokens.licensee.ID_TOKEN);
     const authTokenLicenseeType = authStorage.getItem(tokens.licensee.AUTH_TOKEN_TYPE);
+    const appMode = store?.state?.appMode;
     const { headers } = requestConfig;
 
     // Add auth token
     headers.Authorization = `${authTokenStaffType || authTokenLicenseeType} ${authTokenStaff || authTokenLicensee}`;
 
+    // Update base url for different compacts / app modes
+    if (appMode === AppModes.COSMETOLOGY) {
+        requestConfig.baseURL = envConfig.apiUrlUserCosmo;
+    }
+
     return requestConfig;
 };
 
diff --git a/webroot/src/pages/AuthCallback/AuthCallback.ts b/webroot/src/pages/AuthCallback/AuthCallback.ts
index 863de1963..008d69c6a 100644
--- a/webroot/src/pages/AuthCallback/AuthCallback.ts
+++ b/webroot/src/pages/AuthCallback/AuthCallback.ts
@@ -12,6 +12,7 @@ import Card from '@components/Card/Card.vue';
 import {
     authStorage,
     AppModes,
+    CognitoStateTypes,
     AuthTypes,
     AUTH_TYPE,
     AUTH_LOGIN_GOTO_PATH,
@@ -19,12 +20,6 @@ import {
 } from '@/app.config';
 import axios from 'axios';
 
-export enum CognitoStateTypes {
-    STAFF_JCC = 'staff',
-    STAFF_COSMETOLOGY = 'staff-cosmo',
-    LICENSEE_JCC = 'licensee',
-}
-
 @Component({
     name: 'AuthCallback',
     components: {
diff --git a/webroot/src/pages/PublicDashboard/PublicDashboard.ts b/webroot/src/pages/PublicDashboard/PublicDashboard.ts
index fe4c460cf..7239271af 100644
--- a/webroot/src/pages/PublicDashboard/PublicDashboard.ts
+++ b/webroot/src/pages/PublicDashboard/PublicDashboard.ts
@@ -103,7 +103,7 @@ export default class DashboardPublic extends Vue {
 
     bypassToStaffLogin(): void {
         if (this.isUsingMockApi) {
-            this.mockStaffLogin();
+            this.mockStaffLogin(AppModes.JCC);
         } else {
             this.$store.dispatch('startLoading');
             window.location.replace(this.hostedLoginUriStaff);
@@ -141,7 +141,7 @@ export default class DashboardPublic extends Vue {
         });
     }
 
-    async mockStaffLogin(appMode = AppModes.JCC): Promise<void> {
+    async mockStaffLogin(appMode: AppModes): Promise<void> {
         const goto = authStorage.getItem(AUTH_LOGIN_GOTO_PATH);
         const gotoAuthType = authStorage.getItem(AUTH_LOGIN_GOTO_PATH_AUTH_TYPE);
         const data = {
@@ -154,9 +154,10 @@ export default class DashboardPublic extends Vue {
 
         authStorage.removeItem(AUTH_LOGIN_GOTO_PATH);
         authStorage.removeItem(AUTH_LOGIN_GOTO_PATH_AUTH_TYPE);
+        this.$store.dispatch('setAppMode', appMode);
+        console.log(`appMode set to ${appMode}`);
         await this.$store.dispatch('user/updateAuthTokens', { tokenResponse: data, authType: AuthTypes.STAFF });
         this.$store.dispatch('user/loginSuccess', AuthTypes.STAFF);
-        this.$store.dispatch('setAppMode', appMode);
 
         if (goto && (!gotoAuthType || gotoAuthType === AuthTypes.STAFF)) {
             this.$router.push({ path: goto });
diff --git a/webroot/src/pages/PublicDashboard/PublicDashboard.vue b/webroot/src/pages/PublicDashboard/PublicDashboard.vue
index 747eae50d..3ca95d7c3 100644
--- a/webroot/src/pages/PublicDashboard/PublicDashboard.vue
+++ b/webroot/src/pages/PublicDashboard/PublicDashboard.vue
@@ -67,8 +67,8 @@
             <div
                 v-else
                 class="login-link small"
-                @click="mockStaffLogin"
-                @keyup.enter="mockStaffLogin"
+                @click="bypassToStaffLogin"
+                @keyup.enter="bypassToStaffLogin"
                 tabindex="0"
                 role="button"
                 :aria-label="$t('navigation.loginAsStaff')"
diff --git a/webroot/src/router/index.ts b/webroot/src/router/index.ts
index 4376b171c..53482f684 100644
--- a/webroot/src/router/index.ts
+++ b/webroot/src/router/index.ts
@@ -8,8 +8,13 @@
 import { createRouter, createWebHistory, RouteLocationNormalized as Route } from 'vue-router';
 import routes from '@router/routes';
 import store from '@/store';
-import { authStorage, AUTH_TYPE, AuthTypes } from '@/app.config';
-import { CompactSerializer } from '@models/Compact/Compact.model';
+import {
+    AppModes,
+    authStorage,
+    AUTH_TYPE,
+    AuthTypes
+} from '@/app.config';
+import { CompactType, CompactSerializer } from '@models/Compact/Compact.model';
 
 const router = createRouter({
     history: createWebHistory(process.env.BASE_URL || '/'),
@@ -34,10 +39,21 @@ router.beforeEach(async (to, from, next) => {
     const isStaffRoute = to.matched.some((route) => route.meta.staffAccess);
     const routeParamCompactType = to.params?.compact;
 
-    // If the store does not have the requested compact, set it from the route (e.g. page refreshes)
     if (routeParamCompactType) {
+        const { appMode } = store.state;
+        let expectedAppMode = AppModes.JCC;
         const { currentCompact } = store.getters['user/state'];
 
+        // Update the app mode based on attempted compact route, if needed
+        if (routeParamCompactType === CompactType.COSMETOLOGY) {
+            expectedAppMode = AppModes.COSMETOLOGY;
+        }
+
+        if (!appMode || appMode !== expectedAppMode) {
+            store.dispatch('setAppMode', expectedAppMode);
+        }
+
+        // If the store does not have the requested compact, set it from the route (e.g. page refreshes)
         if (!currentCompact || currentCompact.type !== routeParamCompactType) {
             await store.dispatch('user/setCurrentCompact', CompactSerializer.fromServer({ type: routeParamCompactType }));
         }

From 4bef451313ac804023db17a89cfde5a70539071d Mon Sep 17 00:00:00 2001
From: John Sandoval <john@inspiringapps.com>
Date: Mon, 9 Feb 2026 12:34:42 -0700
Subject: [PATCH 04/14] WIP: Cosmetology multi-backend scaffolding - Update
 axios dependency for dependabot alert - Update mock data api with minimal
 support for cosm compact - Continue smoke testing - @todo: Update backend
 'bypass' params to support cosm login passthrough - @todo: Update CSP Lambda
 & related Python with new cosm domains - @todo: Update ChangePassword
 component (if needed)

---
 webroot/src/components/App/App.ts             | 12 +++----
 webroot/src/network/mocks/mock.data.api.ts    |  1 +
 webroot/src/network/mocks/mock.data.ts        | 33 +++++++++++++++++++
 .../pages/CompactSettings/CompactSettings.ts  |  6 +++-
 .../pages/CompactSettings/CompactSettings.vue |  2 +-
 .../PublicDashboard/PublicDashboard.spec.ts   |  1 +
 .../pages/PublicDashboard/PublicDashboard.ts  |  1 -
 webroot/yarn.lock                             | 31 +++++++++++------
 8 files changed, 68 insertions(+), 19 deletions(-)

diff --git a/webroot/src/components/App/App.ts b/webroot/src/components/App/App.ts
index c1f3c3f59..7a51d4a09 100644
--- a/webroot/src/components/App/App.ts
+++ b/webroot/src/components/App/App.ts
@@ -115,13 +115,13 @@ class App extends Vue {
     setAppModeFromCompact(compact: CompactType | null): void {
         let { appMode } = this.globalStore;
 
-        if (compact === CompactType.COSMETOLOGY) {
-            appMode = AppModes.COSMETOLOGY;
-        } else {
-            appMode = AppModes.JCC;
-        }
+        if (!appMode) {
+            if (compact === CompactType.COSMETOLOGY) {
+                appMode = AppModes.COSMETOLOGY;
+            } else {
+                appMode = AppModes.JCC;
+            }
 
-        if (this.globalStore.appMode !== appMode) {
             this.$store.dispatch('setAppMode', appMode);
         }
     }
diff --git a/webroot/src/network/mocks/mock.data.api.ts b/webroot/src/network/mocks/mock.data.api.ts
index 00cb0a3b4..edfe9432e 100644
--- a/webroot/src/network/mocks/mock.data.api.ts
+++ b/webroot/src/network/mocks/mock.data.api.ts
@@ -606,6 +606,7 @@ export class DataApi {
         const account = JSON.parse(JSON.stringify(staffAccount));
 
         if (mockStore?.state?.appMode === AppModes.COSMETOLOGY) {
+            console.log(`deleting non-cosm staff user compacts`);
             delete account.permissions.octp;
             delete account.permissions.aslp;
             delete account.permissions.coun;
diff --git a/webroot/src/network/mocks/mock.data.ts b/webroot/src/network/mocks/mock.data.ts
index 618f47ebd..c8875a2ca 100644
--- a/webroot/src/network/mocks/mock.data.ts
+++ b/webroot/src/network/mocks/mock.data.ts
@@ -1422,6 +1422,39 @@ export const users = {
                         },
                     },
                 },
+                cosm: {
+                    actions: {
+                        admin: true,
+                        readPrivate: true,
+                        readSsn: true,
+                    },
+                    jurisdictions: {
+                        al: {
+                            actions: {
+                                admin: true,
+                                write: true,
+                                readPrivate: true,
+                                readSsn: true,
+                            },
+                        },
+                        co: {
+                            actions: {
+                                admin: true,
+                                write: true,
+                                readPrivate: true,
+                                readSsn: true,
+                            },
+                        },
+                        ky: {
+                            actions: {
+                                admin: true,
+                                write: true,
+                                readPrivate: true,
+                                readSsn: true,
+                            },
+                        },
+                    },
+                },
             },
         },
         {
diff --git a/webroot/src/pages/CompactSettings/CompactSettings.ts b/webroot/src/pages/CompactSettings/CompactSettings.ts
index 3e3299f13..342b52173 100644
--- a/webroot/src/pages/CompactSettings/CompactSettings.ts
+++ b/webroot/src/pages/CompactSettings/CompactSettings.ts
@@ -6,7 +6,7 @@
 //
 
 import { Component, Vue, Watch } from 'vue-facing-decorator';
-import { AuthTypes } from '@/app.config';
+import { AppModes, AuthTypes } from '@/app.config';
 import Section from '@components/Section/Section.vue';
 import PaymentProcessorConfig from '@components/PaymentProcessorConfig/PaymentProcessorConfig.vue';
 import CompactSettingsConfig from '@components/CompactSettingsConfig/CompactSettingsConfig.vue';
@@ -70,6 +70,10 @@ export default class CompactSettings extends Vue {
         return compactPermission;
     }
 
+    get shouldShowPaymentConfig(): boolean {
+        return this.globalStore.appMode === AppModes.JCC;
+    }
+
     get isCompactAdmin(): boolean {
         return this.isLoggedInAsStaff && Boolean(this.staffPermission?.isAdmin);
     }
diff --git a/webroot/src/pages/CompactSettings/CompactSettings.vue b/webroot/src/pages/CompactSettings/CompactSettings.vue
index f121ac24c..6f779871a 100644
--- a/webroot/src/pages/CompactSettings/CompactSettings.vue
+++ b/webroot/src/pages/CompactSettings/CompactSettings.vue
@@ -11,7 +11,7 @@
             {{ $t('compact.settingsTitle') }}
         </h1>
         <CompactSettingsConfig v-if="isCompactAdmin" class="section compact-config" />
-        <PaymentProcessorConfig v-if="isCompactAdmin" class="section payment-config" />
+        <PaymentProcessorConfig v-if="isCompactAdmin && shouldShowPaymentConfig" class="section payment-config" />
         <StateSettingsList v-if="shouldShowStateList" class="section state-list" />
     </Section>
 </template>
diff --git a/webroot/src/pages/PublicDashboard/PublicDashboard.spec.ts b/webroot/src/pages/PublicDashboard/PublicDashboard.spec.ts
index e52de7dc3..f92760bf4 100644
--- a/webroot/src/pages/PublicDashboard/PublicDashboard.spec.ts
+++ b/webroot/src/pages/PublicDashboard/PublicDashboard.spec.ts
@@ -53,6 +53,7 @@ describe('PublicDashboard page', async () => {
             scopes: '',
             clientId: '',
             authDomain: '',
+            state: '',
         });
     });
     it('should use fallback idp path in app.config', async () => {
diff --git a/webroot/src/pages/PublicDashboard/PublicDashboard.ts b/webroot/src/pages/PublicDashboard/PublicDashboard.ts
index 7239271af..d6be16203 100644
--- a/webroot/src/pages/PublicDashboard/PublicDashboard.ts
+++ b/webroot/src/pages/PublicDashboard/PublicDashboard.ts
@@ -155,7 +155,6 @@ export default class DashboardPublic extends Vue {
         authStorage.removeItem(AUTH_LOGIN_GOTO_PATH);
         authStorage.removeItem(AUTH_LOGIN_GOTO_PATH_AUTH_TYPE);
         this.$store.dispatch('setAppMode', appMode);
-        console.log(`appMode set to ${appMode}`);
         await this.$store.dispatch('user/updateAuthTokens', { tokenResponse: data, authType: AuthTypes.STAFF });
         this.$store.dispatch('user/loginSuccess', AuthTypes.STAFF);
 
diff --git a/webroot/yarn.lock b/webroot/yarn.lock
index 7a47150a9..039445a2a 100644
--- a/webroot/yarn.lock
+++ b/webroot/yarn.lock
@@ -4178,12 +4178,12 @@ axe-core@^4.9.1:
   integrity sha512-QbUdXJVTpvUTHU7871ppZkdOLBeGUKBQWHkHrvN2V9IQWGMt61zf3B45BtzjxEJzYuj0JBjBZP/hmYS/R9pmAw==
 
 axios@^1.12.2:
-  version "1.12.2"
-  resolved "https://registry.yarnpkg.com/axios/-/axios-1.12.2.tgz#6c307390136cf7a2278d09cec63b136dfc6e6da7"
-  integrity sha512-vMJzPewAlRyOgxV2dU0Cuz2O8zzzx9VYtbJOaBgXFeLc4IV/Eg50n4LowmehOOR61S8ZMpc2K5Sa7g6A4jfkUw==
+  version "1.13.5"
+  resolved "https://registry.yarnpkg.com/axios/-/axios-1.13.5.tgz#5e464688fa127e11a660a2c49441c009f6567a43"
+  integrity sha512-cz4ur7Vb0xS4/KUN0tPWe44eqxrIu31me+fbang3ijiNscE129POzipJJA6zniq2C/Z6sJCjMimjS8Lc/GAs8Q==
   dependencies:
-    follow-redirects "^1.15.6"
-    form-data "^4.0.4"
+    follow-redirects "^1.15.11"
+    form-data "^4.0.5"
     proxy-from-env "^1.1.0"
 
 axobject-query@^2.2.0:
@@ -6795,10 +6795,10 @@ follow-redirects@^1.0.0:
   resolved "https://registry.yarnpkg.com/follow-redirects/-/follow-redirects-1.15.6.tgz#7f815c0cda4249c74ff09e95ef97c23b5fd0399b"
   integrity sha512-wWN62YITEaOpSK584EZXJafH1AGpO8RVgElfkuXbTOrPX4fIfOyEpW/CsiNd8JdYrAoOvafRTOEnvsO++qCqFA==
 
-follow-redirects@^1.15.6:
-  version "1.15.9"
-  resolved "https://registry.yarnpkg.com/follow-redirects/-/follow-redirects-1.15.9.tgz#a604fa10e443bf98ca94228d9eebcc2e8a2c8ee1"
-  integrity sha512-gew4GsXizNgdoRyqmyfMHyAmXsZDk6mHkSxZFCzW9gwlbtOW44CDtYavM+y+72qD/Vq2l550kMF52DT8fOLJqQ==
+follow-redirects@^1.15.11:
+  version "1.15.11"
+  resolved "https://registry.yarnpkg.com/follow-redirects/-/follow-redirects-1.15.11.tgz#777d73d72a92f8ec4d2e410eb47352a56b8e8340"
+  integrity sha512-deG2P0JfjrTxl50XGCDyfI97ZGVCxIpfKYmfyrQ54n5FO/0gfIES8C/Psl6kWVDolizcaaxZJnTS0QSMxvnsBQ==
 
 for-each@^0.3.3:
   version "0.3.3"
@@ -6847,7 +6847,7 @@ fork-ts-checker-webpack-plugin@^6.4.0:
     semver "^7.3.2"
     tapable "^1.0.0"
 
-form-data@^4.0.0, form-data@^4.0.4, form-data@~4.0.4:
+form-data@^4.0.0, form-data@~4.0.4:
   version "4.0.4"
   resolved "https://registry.yarnpkg.com/form-data/-/form-data-4.0.4.tgz#784cdcce0669a9d68e94d11ac4eea98088edd2c4"
   integrity sha512-KrGhL9Q4zjj0kiUt5OO4Mr/A/jlI2jDYs5eHBpYHPcBEVSiipAvn2Ko2HnPe20rmcuuvMHNdZFp+4IlGTMF0Ow==
@@ -6858,6 +6858,17 @@ form-data@^4.0.0, form-data@^4.0.4, form-data@~4.0.4:
     hasown "^2.0.2"
     mime-types "^2.1.12"
 
+form-data@^4.0.5:
+  version "4.0.5"
+  resolved "https://registry.yarnpkg.com/form-data/-/form-data-4.0.5.tgz#b49e48858045ff4cbf6b03e1805cebcad3679053"
+  integrity sha512-8RipRLol37bNs2bhoV67fiTEvdTrbMUYcFTiy3+wuuOnUog2QBHCZWXDRijWQfAkhBj2Uf5UnVaiWwA5vdd82w==
+  dependencies:
+    asynckit "^0.4.0"
+    combined-stream "^1.0.8"
+    es-set-tostringtag "^2.1.0"
+    hasown "^2.0.2"
+    mime-types "^2.1.12"
+
 forwarded@0.2.0:
   version "0.2.0"
   resolved "https://registry.yarnpkg.com/forwarded/-/forwarded-0.2.0.tgz#2269936428aad4c15c7ebe9779a84bf0b2a81811"

From 7e2cf6d0e64715dc225e071a39172b983a9f5ec3 Mon Sep 17 00:00:00 2001
From: John Sandoval <john@inspiringapps.com>
Date: Mon, 9 Feb 2026 13:54:47 -0700
Subject: [PATCH 05/14] WIP: Cosmetology multi-backend scaffolding - Update
 backend lambda for the CSP header response - Update backend 'bypass' param
 for cosmetology staff - Updated frontend README with new .env vars - Continue
 smoke testing - @todo: Work with backend team to get ui stack configured with
 cosmetology SSM values - @todo: Work with backend team to resolve issues with
 `/v1/compacts/cosm` endpoint - @todo: Work with backend team to resolve
 cognito scopes for pw mgmt for JCC & Cosmo (may be separate PR?) - @todo:
 Work with backend team to resolve ui_domain_name SSM param for cosmetology
 (if needed) - @todo: Update ChangePassword UI component (if needed) - @todo:
 Continue smoke testing

---
 .../lambdas/nodejs/cloudfront-csp/index.js    | 22 ++++++-
 .../nodejs/cloudfront-csp/test/index.test.js  | 28 ++++++++-
 ...ontendDeploymentStack-UI_DISTRIBUTION.json |  2 +-
 ...Stack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json |  2 +-
 ...ontendDeploymentStack-UI_DISTRIBUTION.json |  2 +-
 ...Stack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json |  2 +-
 ...ontendDeploymentStack-UI_DISTRIBUTION.json |  2 +-
 ...Stack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json |  2 +-
 ...ontendDeploymentStack-UI_DISTRIBUTION.json |  2 +-
 ...Stack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json |  2 +-
 .../nodejs/lib/email/cognito-email-service.ts |  2 +-
 .../lib/email/cognito-email-service.test.ts   |  4 +-
 webroot/README.md                             | 60 +++++++++++++++++++
 13 files changed, 119 insertions(+), 13 deletions(-)

diff --git a/backend/compact-connect-ui-app/lambdas/nodejs/cloudfront-csp/index.js b/backend/compact-connect-ui-app/lambdas/nodejs/cloudfront-csp/index.js
index 9068048ba..83f7574c3 100644
--- a/backend/compact-connect-ui-app/lambdas/nodejs/cloudfront-csp/index.js
+++ b/backend/compact-connect-ui-app/lambdas/nodejs/cloudfront-csp/index.js
@@ -13,17 +13,23 @@
  *
  * These values are injected into the lambda function at build time. See the
  * `generate_csp_lambda_code` function in
- * backend/compact-connect/stacks/frontend_deployment_stack/distribution.py
+ * backend/compact-connect-ui-app/stacks/frontend_deployment_stack/distribution.py
  * @type {object}
  */
 const environmentValues = {
     webFrontend: `##WEB_FRONTEND##`,
+    // JCC
     dataApi: `##DATA_API##`,
     searchApi: `##SEARCH_API##`,
     s3UploadUrlState: `##S3_UPLOAD_URL_STATE##`,
     s3UploadUrlProvider: `##S3_UPLOAD_URL_PROVIDER##`,
     cognitoStaff: `##COGNITO_STAFF##`,
     cognitoProvider: `##COGNITO_PROVIDER##`,
+    // COSMETOLOGY
+    dataApiCosmo: `##DATA_API_COSMO##`,
+    searchApiCosmo: `##SEARCH_API_COSMO##`,
+    s3UploadUrlStateCosmo: `##S3_UPLOAD_URL_STATE_COSMO##`,
+    cognitoStaffCosmo: `##COGNITO_STAFF_COSMO##`,
 };
 
 // ============================================================================
@@ -62,12 +68,18 @@ const getFullyQualified = (domain) => {
 const getEnvironmentUrls = () => {
     const environmentUrls = {};
 
+    // JCC
     environmentUrls.dataApi = getFullyQualified(environmentValues.dataApi);
     environmentUrls.searchApi = getFullyQualified(environmentValues.searchApi);
     environmentUrls.s3UploadUrlState = getFullyQualified(environmentValues.s3UploadUrlState);
     environmentUrls.s3UploadUrlProvider = getFullyQualified(environmentValues.s3UploadUrlProvider);
     environmentUrls.cognitoStaff = getFullyQualified(environmentValues.cognitoStaff);
     environmentUrls.cognitoProvider = getFullyQualified(environmentValues.cognitoProvider);
+    // COSMETOLOGY
+    environmentUrls.dataApiCosmo = getFullyQualified(environmentValues.dataApiCosmo);
+    environmentUrls.searchApiCosmo = getFullyQualified(environmentValues.searchApiCosmo);
+    environmentUrls.s3UploadUrlStateCosmo = getFullyQualified(environmentValues.s3UploadUrlStateCosmo);
+    environmentUrls.cognitoStaffCosmo = getFullyQualified(environmentValues.cognitoStaffCosmo);
 
     return environmentUrls;
 };
@@ -214,11 +226,13 @@ const setCspHeader = (headers = {}) => {
                 'self',
                 'data:',
                 domains.dataApi,
+                domains.dataApiCosmo,
                 'https://www.gstatic.com/recaptcha/',
             ]),
             buildSrcString('media-src', [
                 'self',
                 domains.dataApi,
+                domains.dataApiCosmo,
             ]),
             buildSrcString('frame-src', [
                 'self',
@@ -238,12 +252,18 @@ const setCspHeader = (headers = {}) => {
             ]),
             buildSrcString('connect-src', [
                 'self',
+                // JCC
                 domains.dataApi,
                 domains.searchApi,
                 domains.s3UploadUrlState,
                 domains.s3UploadUrlProvider,
                 domains.cognitoStaff,
                 domains.cognitoProvider,
+                // COSMETOLOGY
+                domains.dataApiCosmo,
+                domains.searchApiCosmo,
+                domains.s3UploadUrlStateCosmo,
+                domains.cognitoStaffCosmo,
                 cognitoIdpUrl,
                 'https://www.google.com/recaptcha/',
                 // Begin Statsig domains
diff --git a/backend/compact-connect-ui-app/lambdas/nodejs/cloudfront-csp/test/index.test.js b/backend/compact-connect-ui-app/lambdas/nodejs/cloudfront-csp/test/index.test.js
index 3d7e73b8e..1e9c07790 100644
--- a/backend/compact-connect-ui-app/lambdas/nodejs/cloudfront-csp/test/index.test.js
+++ b/backend/compact-connect-ui-app/lambdas/nodejs/cloudfront-csp/test/index.test.js
@@ -19,12 +19,18 @@ const {
 // ================================================================================================
 const environmentValues = {
     webFrontend: 'app.compactconnect.org',
+    // JCC
     dataApi: 'api.compactconnect.org',
     searchApi: 'search.compactconnect.org',
     s3UploadUrlState: 'prod-persistentstack-bulkuploadsbucketda4bdcd0-zq5o0q8uqq5i.s3.amazonaws.com',
     s3UploadUrlProvider: 'prod-persistentstack-providerusersbucket5c7b202b-ffpgh4fyozwk.s3.amazonaws.com',
     cognitoStaff: 'staff-auth.compactconnect.org',
     cognitoProvider: 'licensee-auth.compactconnect.org',
+    // COSMETOLOGY
+    dataApiCosmo: 'api.cosmetology.compactconnect.org',
+    searchApiCosmo: 'search.cosmetology.compactconnect.org',
+    s3UploadUrlStateCosmo: 'prod-persistentstack-bulkuploadsbucketda4bdcd0-zq5o0q8uqq5j.s3.amazonaws.com',
+    cognitoStaffCosmo: 'staff-auth.cosmetology.compactconnect.org',
 };
 
 /**
@@ -46,12 +52,18 @@ const prepareLambdaForTest = () => {
     // Replace placeholders with test values
     const replacements = {
         '##WEB_FRONTEND##': environmentValues.webFrontend,
+        // JCC
         '##DATA_API##': environmentValues.dataApi,
         '##SEARCH_API##': environmentValues.searchApi,
         '##S3_UPLOAD_URL_STATE##': environmentValues.s3UploadUrlState,
         '##S3_UPLOAD_URL_PROVIDER##': environmentValues.s3UploadUrlProvider,
         '##COGNITO_STAFF##': environmentValues.cognitoStaff,
         '##COGNITO_PROVIDER##': environmentValues.cognitoProvider,
+        // COSMETOLOGY
+        '##DATA_API_COSMO##': environmentValues.dataApiCosmo,
+        '##SEARCH_API_COSMO##': environmentValues.searchApiCosmo,
+        '##S3_UPLOAD_URL_STATE_COSMO##': environmentValues.s3UploadUrlStateCosmo,
+        '##COGNITO_STAFF_COSMO##': environmentValues.cognitoStaffCosmo,
     };
 
     // Apply all replacements to the Lambda code
@@ -70,13 +82,19 @@ const prepareLambdaForTest = () => {
 };
 
 const buildCspHeaders = (environment) => {
+    const cognitoIdpUrl = 'https://cognito-idp.us-east-1.amazonaws.com';
+    // JCC
     const dataApiUrl = (environment?.dataApi) ? `https://${environment.dataApi}` : '';
     const searchApiUrl = (environment?.searchApi) ? `https://${environment.searchApi}` : '';
     const s3UploadUrlState = (environment?.s3UploadUrlState) ? `https://${environment.s3UploadUrlState}` : '';
     const s3UploadUrlProvider = (environment?.s3UploadUrlProvider) ? `https://${environment.s3UploadUrlProvider}` : '';
     const cognitoStaffUrl = (environment?.cognitoStaff) ? `https://${environment.cognitoStaff}` : '';
     const cognitoProviderUrl = (environment?.cognitoProvider) ? `https://${environment.cognitoProvider}` : '';
-    const cognitoIdpUrl = 'https://cognito-idp.us-east-1.amazonaws.com';
+    // COSMETOLOGY
+    const dataApiUrlCosmo = (environment?.dataApiCosmo) ? `https://${environment.dataApiCosmo}` : '';
+    const searchApiUrlCosmo = (environment?.searchApiCosmo) ? `https://${environment.searchApiCosmo}` : '';
+    const s3UploadUrlStateCosmo = (environment?.s3UploadUrlStateCosmo) ? `https://${environment.s3UploadUrlStateCosmo}` : '';
+    const cognitoStaffUrlCosmo = (environment?.cognitoStaffCosmo) ? `https://${environment.cognitoStaffCosmo}` : '';
     // src configs are maintained here as arrays for ease of maintenance;
     // defining them as static strings could lead to long lines of code.
     const cspDefaultSrc = [
@@ -128,11 +146,13 @@ const buildCspHeaders = (environment) => {
         '\'self\'',
         'data:',
         dataApiUrl,
+        dataApiUrlCosmo,
         'https://www.gstatic.com/recaptcha/',
     ].join(' ');
     const cspMediaSrc = [
         '\'self\'',
         dataApiUrl,
+        dataApiUrlCosmo,
     ].join(' ');
     const cspFrameSrc = [
         '\'self\'',
@@ -152,12 +172,18 @@ const buildCspHeaders = (environment) => {
     ].join(' ');
     const cspConnectSrc = [
         '\'self\'',
+        // JCC
         dataApiUrl,
         searchApiUrl,
         s3UploadUrlState,
         s3UploadUrlProvider,
         cognitoStaffUrl,
         cognitoProviderUrl,
+        // COSMETOLOGY
+        dataApiUrlCosmo,
+        searchApiUrlCosmo,
+        s3UploadUrlStateCosmo,
+        cognitoStaffUrlCosmo,
         cognitoIdpUrl,
         'https://www.google.com/recaptcha/',
         // Begin Statsig domains
diff --git a/backend/compact-connect-ui-app/tests/resources/snapshots/BetaFrontend-FrontendDeploymentStack-UI_DISTRIBUTION.json b/backend/compact-connect-ui-app/tests/resources/snapshots/BetaFrontend-FrontendDeploymentStack-UI_DISTRIBUTION.json
index 385fb6a91..313acd8ad 100644
--- a/backend/compact-connect-ui-app/tests/resources/snapshots/BetaFrontend-FrontendDeploymentStack-UI_DISTRIBUTION.json
+++ b/backend/compact-connect-ui-app/tests/resources/snapshots/BetaFrontend-FrontendDeploymentStack-UI_DISTRIBUTION.json
@@ -39,7 +39,7 @@
             {
               "EventType": "viewer-response",
               "LambdaFunctionARN": {
-                "Ref": "CSPFunctionCurrentVersionB61A6611b3705bb7a3e3440bc14c943a82111069"
+                "Ref": "CSPFunctionCurrentVersionB61A66119d41b9d535c1a9a1d97ce915b0b0b079"
               }
             }
           ],
diff --git a/backend/compact-connect-ui-app/tests/resources/snapshots/BetaFrontend-FrontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json b/backend/compact-connect-ui-app/tests/resources/snapshots/BetaFrontend-FrontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json
index 3daaba274..a7a6dbbfb 100644
--- a/backend/compact-connect-ui-app/tests/resources/snapshots/BetaFrontend-FrontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json
+++ b/backend/compact-connect-ui-app/tests/resources/snapshots/BetaFrontend-FrontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json
@@ -2,7 +2,7 @@
   "Type": "AWS::Lambda::Function",
   "Properties": {
     "Code": {
-      "ZipFile": "//\n//  index.js\n//  CompactConnect\n//\n//  Created by InspiringApps on 7/22/2024.\n//\n\n// ============================================================================\n//                               CONFIGURATION                                =\n// ============================================================================\n/**\n * Configuration of supported domains.\n *\n * These values are injected into the lambda function at build time. See the\n * `generate_csp_lambda_code` function in\n * backend/compact-connect/stacks/frontend_deployment_stack/distribution.py\n * @type {object}\n */\nconst environmentValues = {\n    webFrontend: `test-ui.example.com`,\n    dataApi: `test-api.example.com`,\n    searchApi: `test-search-api.example.com`,\n    s3UploadUrlState: `test-bulk-uploads-bucket-name.s3.amazonaws.com`,\n    s3UploadUrlProvider: `test-provider-users-bucket-name.s3.amazonaws.com`,\n    cognitoStaff: `test-staff-domain`,\n    cognitoProvider: `test-provider-domain`,\n};\n\n// ============================================================================\n//                                   HELPERS                                  =\n// ============================================================================\n/**\n * Get the request domain from the lambda event record.\n * @param  {object} eventRecord The cloudfront record from the lambda event.\n * @return {string}             The bare domain of the request domain.\n */\n\n/**\n * Get a fully qualified domain URI with the protocol scheme.\n * @param  {string} domain The bare domain string.\n * @return {string}        The fully-qualified domain string.\n */\nconst getFullyQualified = (domain) => {\n    const protocol = 'https://';\n    let fullyQualified = '';\n\n    if (domain && typeof domain === 'string' && !domain.startsWith(protocol)) {\n        fullyQualified = `${protocol}${domain}`;\n    }\n\n    return fullyQualified;\n};\n\n/**\n * Helper to get the fully-qualified domains for connected services.\n * @return {object}               A map of fully-qualified domains for the environment.\n *   @return {string} dataApi       The data API fully-qualified domain.\n *   @return {string} s3UploadUrlState      The S3 fully-qualified domain for uploading state files.\n *   @return {string} s3UploadUrlProvider      The S3 fully-qualified domain for uploading provider files.\n *   @return {string} cognitoStaff  The Cognito fully-qualified domain for authenticating staff users.\n */\nconst getEnvironmentUrls = () => {\n    const environmentUrls = {};\n\n    environmentUrls.dataApi = getFullyQualified(environmentValues.dataApi);\n    environmentUrls.searchApi = getFullyQualified(environmentValues.searchApi);\n    environmentUrls.s3UploadUrlState = getFullyQualified(environmentValues.s3UploadUrlState);\n    environmentUrls.s3UploadUrlProvider = getFullyQualified(environmentValues.s3UploadUrlProvider);\n    environmentUrls.cognitoStaff = getFullyQualified(environmentValues.cognitoStaff);\n    environmentUrls.cognitoProvider = getFullyQualified(environmentValues.cognitoProvider);\n\n    return environmentUrls;\n};\n\n/**\n * Helper to escape CSP src keywords.\n * @param  {string} keyword The standard keyword value.\n * @return {string}         The escaped keyword value.\n */\nconst srcKeywordEscape = (keyword) => {\n    let escaped = '';\n\n    if (keyword && typeof keyword === 'string') {\n        escaped = `'${keyword}'`.toLowerCase();\n    }\n\n    return escaped;\n};\n\n/**\n * Helper to automatically escape and prep CSP src keyword values (by reference).\n * @param  {Array<string>} srcList       The CSP src list.\n * @param  {string}        [listName=''] Optional src list name for logging.\n */\nconst srcKeywordsEscape = (srcList, listName = '') => {\n    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#keyword_values\n    const srcKeywordsConfig = [\n        { value: 'self', isAllowed: true },\n        { value: 'none', isAllowed: true },\n        { value: 'strict-dynamic', isAllowed: true },\n        { value: 'report-sample', isAllowed: true },\n        { value: 'inline-speculation-rules', isAllowed: true },\n        { value: 'unsafe-inline', isAllowed: false },\n        { value: 'unsafe-eval', isAllowed: false },\n        { value: 'unsafe-hashes', isAllowed: false },\n        { value: 'wasm-unsafe-eval', isAllowed: false },\n    ];\n    const srcKeywords = srcKeywordsConfig.map((config) => config.value.toLowerCase());\n\n    if (Array.isArray(srcList)) {\n        srcList.forEach((srcItem, idx) => {\n            const isString = typeof srcItem === 'string';\n\n            if (!isString) {\n                srcList[idx] = '';\n            } else {\n                const srcItemLowerCase = srcItem.toLowerCase();\n\n                if (srcKeywords.includes(srcItemLowerCase)) {\n                    const keywordConfig = srcKeywordsConfig.find(\n                        (config) => srcItemLowerCase === config.value.toLowerCase()\n                    );\n\n                    if (keywordConfig) {\n                        if (!keywordConfig.isAllowed) {\n                            console.warn(`${listName} ${srcItem} keyword is not allowed in srcKeywordsConfig policy. We likely should not be using this keyword for security reasons.`.trim());\n                            srcList[idx] = '';\n                        } else {\n                            srcList[idx] = srcKeywordEscape(srcItem);\n                        }\n                    }\n                }\n            }\n        });\n    }\n};\n\n/**\n * Helper to build a CSP src group list string from input params.\n * @param  {string}        name src name for the CSP group.\n * @param  {Array<string>} list The static src list for the CSP group.\n * @return {string}             The prepped src list string;\n */\nconst buildSrcString = (name = '', list = []) => {\n    let srcString = '';\n\n    if (Array.isArray(list)) {\n        srcKeywordsEscape(list, name);\n        srcString = `${name} ${list.join(' ')};`;\n    }\n\n    return srcString;\n};\n\n// ============================================================================\n//                               RESPONSE HEADERS                             =\n// ============================================================================\n/**\n * Set the CSP header on the response (by reference).\n * @param {object} [headers={}]  The event response headers (updated by reference).\n */\nconst setCspHeader = (headers = {}) => {\n    const domains = getEnvironmentUrls();\n    const cognitoIdpUrl = 'https://cognito-idp.us-east-1.amazonaws.com';\n\n    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy\n    headers['content-security-policy'] = [{\n        key: 'Content-Security-Policy',\n        value: `${[\n            `default-src 'none';`,\n            buildSrcString('manifest-src', [\n                'self',\n            ]),\n            buildSrcString('script-src', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://www.gstatic.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('script-src-elem', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://www.gstatic.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('script-src-attr', [\n                'self',\n            ]),\n            buildSrcString('worker-src', [\n                'self',\n            ]),\n            buildSrcString('style-src', [\n                'self',\n                'https://fonts.googleapis.com',\n                'https://www.gstatic.com/recaptcha/',\n            ]),\n            buildSrcString('style-src-elem', [\n                'self',\n                'https://fonts.googleapis.com',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n                `'sha256-YwWQHXh4Vw0oD2Oo8pV9huEF2sE9mD8i5nZUuHzEg9A='`, // <style> tag injected by authorize.net widget\n            ]),\n            buildSrcString('style-src-attr', [\n                'self',\n            ]),\n            buildSrcString('font-src', [\n                'self',\n                'https://fonts.gstatic.com',\n            ]),\n            buildSrcString('img-src', [\n                'self',\n                'data:',\n                domains.dataApi,\n                'https://www.gstatic.com/recaptcha/',\n            ]),\n            buildSrcString('media-src', [\n                'self',\n                domains.dataApi,\n            ]),\n            buildSrcString('frame-src', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://recaptcha.google.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('frame-ancestors', [\n                'none'\n            ]),\n            buildSrcString('object-src', [\n                'none',\n            ]),\n            buildSrcString('form-action', [\n                'none',\n            ]),\n            buildSrcString('connect-src', [\n                'self',\n                domains.dataApi,\n                domains.searchApi,\n                domains.s3UploadUrlState,\n                domains.s3UploadUrlProvider,\n                domains.cognitoStaff,\n                domains.cognitoProvider,\n                cognitoIdpUrl,\n                'https://www.google.com/recaptcha/',\n                // Begin Statsig domains\n                'https://api.statsig.com/',\n                'https://featuregates.org/',\n                'https://statsigapi.net/',\n                'https://events.statsigapi.net/',\n                'https://api.statsigcdn.com/',\n                'https://featureassets.org/',\n                'https://assetsconfigcdn.org/',\n                'https://prodregistryv2.org/',\n                'https://cloudflare-dns.com/',\n                'https://beyondwickedmapping.org/',\n                // End Statsig domains\n            ]),\n        ].join(' ')}`,\n    }];\n};\n\n/**\n * Set security headers on the response (by reference).\n * @param {object} [headers={}]  The event response headers (updated by reference).\n */\nconst setSecurityHeaders = (headers = {}) => {\n    // Strict-Transport-Security\n    headers['strict-transport-security'] = [{\n        key: 'Strict-Transport-Security',\n        value: 'max-age=31536000; includeSubdomains; preload',\n    }];\n    // X-Content-Type-Options\n    headers['x-content-type-options'] = [{\n        key: 'X-Content-Type-Options',\n        value: 'nosniff',\n    }];\n    // X-Frame-Options\n    headers['x-frame-options'] = [{\n        key: 'X-Frame-Options',\n        value: 'DENY',\n    }];\n    // Referrer-Policy\n    headers['referrer-policy'] = [{\n        key: 'Referrer-Policy',\n        value: 'strict-origin-when-cross-origin',\n    }];\n    // Server\n    headers.server = [{\n        key: 'Server',\n        value: 'CompactConnect',\n    }];\n    // Content-Security-Policy\n    setCspHeader(headers);\n};\n\n// ============================================================================\n//                                 LAMBDA ENTRY                               =\n// ============================================================================\nexports.handler = async (event) => {\n    // https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-event-structure.html\n    const eventRecord = event?.Records[0]?.cf || {};\n    const response = eventRecord.response || {};\n    const responseHeaders = response.headers || {};\n\n    setSecurityHeaders(responseHeaders);\n\n    return response;\n};\n"
+      "ZipFile": "//\n//  index.js\n//  CompactConnect\n//\n//  Created by InspiringApps on 7/22/2024.\n//\n\n// ============================================================================\n//                               CONFIGURATION                                =\n// ============================================================================\n/**\n * Configuration of supported domains.\n *\n * These values are injected into the lambda function at build time. See the\n * `generate_csp_lambda_code` function in\n * backend/compact-connect-ui-app/stacks/frontend_deployment_stack/distribution.py\n * @type {object}\n */\nconst environmentValues = {\n    webFrontend: `test-ui.example.com`,\n    // JCC\n    dataApi: `test-api.example.com`,\n    searchApi: `test-search-api.example.com`,\n    s3UploadUrlState: `test-bulk-uploads-bucket-name.s3.amazonaws.com`,\n    s3UploadUrlProvider: `test-provider-users-bucket-name.s3.amazonaws.com`,\n    cognitoStaff: `test-staff-domain`,\n    cognitoProvider: `test-provider-domain`,\n    // COSMETOLOGY\n    dataApiCosmo: `##DATA_API_COSMO##`,\n    searchApiCosmo: `##SEARCH_API_COSMO##`,\n    s3UploadUrlStateCosmo: `##S3_UPLOAD_URL_STATE_COSMO##`,\n    cognitoStaffCosmo: `##COGNITO_STAFF_COSMO##`,\n};\n\n// ============================================================================\n//                                   HELPERS                                  =\n// ============================================================================\n/**\n * Get the request domain from the lambda event record.\n * @param  {object} eventRecord The cloudfront record from the lambda event.\n * @return {string}             The bare domain of the request domain.\n */\n\n/**\n * Get a fully qualified domain URI with the protocol scheme.\n * @param  {string} domain The bare domain string.\n * @return {string}        The fully-qualified domain string.\n */\nconst getFullyQualified = (domain) => {\n    const protocol = 'https://';\n    let fullyQualified = '';\n\n    if (domain && typeof domain === 'string' && !domain.startsWith(protocol)) {\n        fullyQualified = `${protocol}${domain}`;\n    }\n\n    return fullyQualified;\n};\n\n/**\n * Helper to get the fully-qualified domains for connected services.\n * @return {object}               A map of fully-qualified domains for the environment.\n *   @return {string} dataApi       The data API fully-qualified domain.\n *   @return {string} s3UploadUrlState      The S3 fully-qualified domain for uploading state files.\n *   @return {string} s3UploadUrlProvider      The S3 fully-qualified domain for uploading provider files.\n *   @return {string} cognitoStaff  The Cognito fully-qualified domain for authenticating staff users.\n */\nconst getEnvironmentUrls = () => {\n    const environmentUrls = {};\n\n    // JCC\n    environmentUrls.dataApi = getFullyQualified(environmentValues.dataApi);\n    environmentUrls.searchApi = getFullyQualified(environmentValues.searchApi);\n    environmentUrls.s3UploadUrlState = getFullyQualified(environmentValues.s3UploadUrlState);\n    environmentUrls.s3UploadUrlProvider = getFullyQualified(environmentValues.s3UploadUrlProvider);\n    environmentUrls.cognitoStaff = getFullyQualified(environmentValues.cognitoStaff);\n    environmentUrls.cognitoProvider = getFullyQualified(environmentValues.cognitoProvider);\n    // COSMETOLOGY\n    environmentUrls.dataApiCosmo = getFullyQualified(environmentValues.dataApiCosmo);\n    environmentUrls.searchApiCosmo = getFullyQualified(environmentValues.searchApiCosmo);\n    environmentUrls.s3UploadUrlStateCosmo = getFullyQualified(environmentValues.s3UploadUrlStateCosmo);\n    environmentUrls.cognitoStaffCosmo = getFullyQualified(environmentValues.cognitoStaffCosmo);\n\n    return environmentUrls;\n};\n\n/**\n * Helper to escape CSP src keywords.\n * @param  {string} keyword The standard keyword value.\n * @return {string}         The escaped keyword value.\n */\nconst srcKeywordEscape = (keyword) => {\n    let escaped = '';\n\n    if (keyword && typeof keyword === 'string') {\n        escaped = `'${keyword}'`.toLowerCase();\n    }\n\n    return escaped;\n};\n\n/**\n * Helper to automatically escape and prep CSP src keyword values (by reference).\n * @param  {Array<string>} srcList       The CSP src list.\n * @param  {string}        [listName=''] Optional src list name for logging.\n */\nconst srcKeywordsEscape = (srcList, listName = '') => {\n    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#keyword_values\n    const srcKeywordsConfig = [\n        { value: 'self', isAllowed: true },\n        { value: 'none', isAllowed: true },\n        { value: 'strict-dynamic', isAllowed: true },\n        { value: 'report-sample', isAllowed: true },\n        { value: 'inline-speculation-rules', isAllowed: true },\n        { value: 'unsafe-inline', isAllowed: false },\n        { value: 'unsafe-eval', isAllowed: false },\n        { value: 'unsafe-hashes', isAllowed: false },\n        { value: 'wasm-unsafe-eval', isAllowed: false },\n    ];\n    const srcKeywords = srcKeywordsConfig.map((config) => config.value.toLowerCase());\n\n    if (Array.isArray(srcList)) {\n        srcList.forEach((srcItem, idx) => {\n            const isString = typeof srcItem === 'string';\n\n            if (!isString) {\n                srcList[idx] = '';\n            } else {\n                const srcItemLowerCase = srcItem.toLowerCase();\n\n                if (srcKeywords.includes(srcItemLowerCase)) {\n                    const keywordConfig = srcKeywordsConfig.find(\n                        (config) => srcItemLowerCase === config.value.toLowerCase()\n                    );\n\n                    if (keywordConfig) {\n                        if (!keywordConfig.isAllowed) {\n                            console.warn(`${listName} ${srcItem} keyword is not allowed in srcKeywordsConfig policy. We likely should not be using this keyword for security reasons.`.trim());\n                            srcList[idx] = '';\n                        } else {\n                            srcList[idx] = srcKeywordEscape(srcItem);\n                        }\n                    }\n                }\n            }\n        });\n    }\n};\n\n/**\n * Helper to build a CSP src group list string from input params.\n * @param  {string}        name src name for the CSP group.\n * @param  {Array<string>} list The static src list for the CSP group.\n * @return {string}             The prepped src list string;\n */\nconst buildSrcString = (name = '', list = []) => {\n    let srcString = '';\n\n    if (Array.isArray(list)) {\n        srcKeywordsEscape(list, name);\n        srcString = `${name} ${list.join(' ')};`;\n    }\n\n    return srcString;\n};\n\n// ============================================================================\n//                               RESPONSE HEADERS                             =\n// ============================================================================\n/**\n * Set the CSP header on the response (by reference).\n * @param {object} [headers={}]  The event response headers (updated by reference).\n */\nconst setCspHeader = (headers = {}) => {\n    const domains = getEnvironmentUrls();\n    const cognitoIdpUrl = 'https://cognito-idp.us-east-1.amazonaws.com';\n\n    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy\n    headers['content-security-policy'] = [{\n        key: 'Content-Security-Policy',\n        value: `${[\n            `default-src 'none';`,\n            buildSrcString('manifest-src', [\n                'self',\n            ]),\n            buildSrcString('script-src', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://www.gstatic.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('script-src-elem', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://www.gstatic.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('script-src-attr', [\n                'self',\n            ]),\n            buildSrcString('worker-src', [\n                'self',\n            ]),\n            buildSrcString('style-src', [\n                'self',\n                'https://fonts.googleapis.com',\n                'https://www.gstatic.com/recaptcha/',\n            ]),\n            buildSrcString('style-src-elem', [\n                'self',\n                'https://fonts.googleapis.com',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n                `'sha256-YwWQHXh4Vw0oD2Oo8pV9huEF2sE9mD8i5nZUuHzEg9A='`, // <style> tag injected by authorize.net widget\n            ]),\n            buildSrcString('style-src-attr', [\n                'self',\n            ]),\n            buildSrcString('font-src', [\n                'self',\n                'https://fonts.gstatic.com',\n            ]),\n            buildSrcString('img-src', [\n                'self',\n                'data:',\n                domains.dataApi,\n                domains.dataApiCosmo,\n                'https://www.gstatic.com/recaptcha/',\n            ]),\n            buildSrcString('media-src', [\n                'self',\n                domains.dataApi,\n                domains.dataApiCosmo,\n            ]),\n            buildSrcString('frame-src', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://recaptcha.google.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('frame-ancestors', [\n                'none'\n            ]),\n            buildSrcString('object-src', [\n                'none',\n            ]),\n            buildSrcString('form-action', [\n                'none',\n            ]),\n            buildSrcString('connect-src', [\n                'self',\n                // JCC\n                domains.dataApi,\n                domains.searchApi,\n                domains.s3UploadUrlState,\n                domains.s3UploadUrlProvider,\n                domains.cognitoStaff,\n                domains.cognitoProvider,\n                // COSMETOLOGY\n                domains.dataApiCosmo,\n                domains.searchApiCosmo,\n                domains.s3UploadUrlStateCosmo,\n                domains.cognitoStaffCosmo,\n                cognitoIdpUrl,\n                'https://www.google.com/recaptcha/',\n                // Begin Statsig domains\n                'https://api.statsig.com/',\n                'https://featuregates.org/',\n                'https://statsigapi.net/',\n                'https://events.statsigapi.net/',\n                'https://api.statsigcdn.com/',\n                'https://featureassets.org/',\n                'https://assetsconfigcdn.org/',\n                'https://prodregistryv2.org/',\n                'https://cloudflare-dns.com/',\n                'https://beyondwickedmapping.org/',\n                // End Statsig domains\n            ]),\n        ].join(' ')}`,\n    }];\n};\n\n/**\n * Set security headers on the response (by reference).\n * @param {object} [headers={}]  The event response headers (updated by reference).\n */\nconst setSecurityHeaders = (headers = {}) => {\n    // Strict-Transport-Security\n    headers['strict-transport-security'] = [{\n        key: 'Strict-Transport-Security',\n        value: 'max-age=31536000; includeSubdomains; preload',\n    }];\n    // X-Content-Type-Options\n    headers['x-content-type-options'] = [{\n        key: 'X-Content-Type-Options',\n        value: 'nosniff',\n    }];\n    // X-Frame-Options\n    headers['x-frame-options'] = [{\n        key: 'X-Frame-Options',\n        value: 'DENY',\n    }];\n    // Referrer-Policy\n    headers['referrer-policy'] = [{\n        key: 'Referrer-Policy',\n        value: 'strict-origin-when-cross-origin',\n    }];\n    // Server\n    headers.server = [{\n        key: 'Server',\n        value: 'CompactConnect',\n    }];\n    // Content-Security-Policy\n    setCspHeader(headers);\n};\n\n// ============================================================================\n//                                 LAMBDA ENTRY                               =\n// ============================================================================\nexports.handler = async (event) => {\n    // https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-event-structure.html\n    const eventRecord = event?.Records[0]?.cf || {};\n    const response = eventRecord.response || {};\n    const responseHeaders = response.headers || {};\n\n    setSecurityHeaders(responseHeaders);\n\n    return response;\n};\n"
     },
     "Handler": "index.handler",
     "Role": {
diff --git a/backend/compact-connect-ui-app/tests/resources/snapshots/ProdFrontend-FrontendDeploymentStack-UI_DISTRIBUTION.json b/backend/compact-connect-ui-app/tests/resources/snapshots/ProdFrontend-FrontendDeploymentStack-UI_DISTRIBUTION.json
index d9148924a..840db48dc 100644
--- a/backend/compact-connect-ui-app/tests/resources/snapshots/ProdFrontend-FrontendDeploymentStack-UI_DISTRIBUTION.json
+++ b/backend/compact-connect-ui-app/tests/resources/snapshots/ProdFrontend-FrontendDeploymentStack-UI_DISTRIBUTION.json
@@ -39,7 +39,7 @@
             {
               "EventType": "viewer-response",
               "LambdaFunctionARN": {
-                "Ref": "CSPFunctionCurrentVersionB61A6611b3705bb7a3e3440bc14c943a82111069"
+                "Ref": "CSPFunctionCurrentVersionB61A66119d41b9d535c1a9a1d97ce915b0b0b079"
               }
             }
           ],
diff --git a/backend/compact-connect-ui-app/tests/resources/snapshots/ProdFrontend-FrontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json b/backend/compact-connect-ui-app/tests/resources/snapshots/ProdFrontend-FrontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json
index 3daaba274..a7a6dbbfb 100644
--- a/backend/compact-connect-ui-app/tests/resources/snapshots/ProdFrontend-FrontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json
+++ b/backend/compact-connect-ui-app/tests/resources/snapshots/ProdFrontend-FrontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json
@@ -2,7 +2,7 @@
   "Type": "AWS::Lambda::Function",
   "Properties": {
     "Code": {
-      "ZipFile": "//\n//  index.js\n//  CompactConnect\n//\n//  Created by InspiringApps on 7/22/2024.\n//\n\n// ============================================================================\n//                               CONFIGURATION                                =\n// ============================================================================\n/**\n * Configuration of supported domains.\n *\n * These values are injected into the lambda function at build time. See the\n * `generate_csp_lambda_code` function in\n * backend/compact-connect/stacks/frontend_deployment_stack/distribution.py\n * @type {object}\n */\nconst environmentValues = {\n    webFrontend: `test-ui.example.com`,\n    dataApi: `test-api.example.com`,\n    searchApi: `test-search-api.example.com`,\n    s3UploadUrlState: `test-bulk-uploads-bucket-name.s3.amazonaws.com`,\n    s3UploadUrlProvider: `test-provider-users-bucket-name.s3.amazonaws.com`,\n    cognitoStaff: `test-staff-domain`,\n    cognitoProvider: `test-provider-domain`,\n};\n\n// ============================================================================\n//                                   HELPERS                                  =\n// ============================================================================\n/**\n * Get the request domain from the lambda event record.\n * @param  {object} eventRecord The cloudfront record from the lambda event.\n * @return {string}             The bare domain of the request domain.\n */\n\n/**\n * Get a fully qualified domain URI with the protocol scheme.\n * @param  {string} domain The bare domain string.\n * @return {string}        The fully-qualified domain string.\n */\nconst getFullyQualified = (domain) => {\n    const protocol = 'https://';\n    let fullyQualified = '';\n\n    if (domain && typeof domain === 'string' && !domain.startsWith(protocol)) {\n        fullyQualified = `${protocol}${domain}`;\n    }\n\n    return fullyQualified;\n};\n\n/**\n * Helper to get the fully-qualified domains for connected services.\n * @return {object}               A map of fully-qualified domains for the environment.\n *   @return {string} dataApi       The data API fully-qualified domain.\n *   @return {string} s3UploadUrlState      The S3 fully-qualified domain for uploading state files.\n *   @return {string} s3UploadUrlProvider      The S3 fully-qualified domain for uploading provider files.\n *   @return {string} cognitoStaff  The Cognito fully-qualified domain for authenticating staff users.\n */\nconst getEnvironmentUrls = () => {\n    const environmentUrls = {};\n\n    environmentUrls.dataApi = getFullyQualified(environmentValues.dataApi);\n    environmentUrls.searchApi = getFullyQualified(environmentValues.searchApi);\n    environmentUrls.s3UploadUrlState = getFullyQualified(environmentValues.s3UploadUrlState);\n    environmentUrls.s3UploadUrlProvider = getFullyQualified(environmentValues.s3UploadUrlProvider);\n    environmentUrls.cognitoStaff = getFullyQualified(environmentValues.cognitoStaff);\n    environmentUrls.cognitoProvider = getFullyQualified(environmentValues.cognitoProvider);\n\n    return environmentUrls;\n};\n\n/**\n * Helper to escape CSP src keywords.\n * @param  {string} keyword The standard keyword value.\n * @return {string}         The escaped keyword value.\n */\nconst srcKeywordEscape = (keyword) => {\n    let escaped = '';\n\n    if (keyword && typeof keyword === 'string') {\n        escaped = `'${keyword}'`.toLowerCase();\n    }\n\n    return escaped;\n};\n\n/**\n * Helper to automatically escape and prep CSP src keyword values (by reference).\n * @param  {Array<string>} srcList       The CSP src list.\n * @param  {string}        [listName=''] Optional src list name for logging.\n */\nconst srcKeywordsEscape = (srcList, listName = '') => {\n    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#keyword_values\n    const srcKeywordsConfig = [\n        { value: 'self', isAllowed: true },\n        { value: 'none', isAllowed: true },\n        { value: 'strict-dynamic', isAllowed: true },\n        { value: 'report-sample', isAllowed: true },\n        { value: 'inline-speculation-rules', isAllowed: true },\n        { value: 'unsafe-inline', isAllowed: false },\n        { value: 'unsafe-eval', isAllowed: false },\n        { value: 'unsafe-hashes', isAllowed: false },\n        { value: 'wasm-unsafe-eval', isAllowed: false },\n    ];\n    const srcKeywords = srcKeywordsConfig.map((config) => config.value.toLowerCase());\n\n    if (Array.isArray(srcList)) {\n        srcList.forEach((srcItem, idx) => {\n            const isString = typeof srcItem === 'string';\n\n            if (!isString) {\n                srcList[idx] = '';\n            } else {\n                const srcItemLowerCase = srcItem.toLowerCase();\n\n                if (srcKeywords.includes(srcItemLowerCase)) {\n                    const keywordConfig = srcKeywordsConfig.find(\n                        (config) => srcItemLowerCase === config.value.toLowerCase()\n                    );\n\n                    if (keywordConfig) {\n                        if (!keywordConfig.isAllowed) {\n                            console.warn(`${listName} ${srcItem} keyword is not allowed in srcKeywordsConfig policy. We likely should not be using this keyword for security reasons.`.trim());\n                            srcList[idx] = '';\n                        } else {\n                            srcList[idx] = srcKeywordEscape(srcItem);\n                        }\n                    }\n                }\n            }\n        });\n    }\n};\n\n/**\n * Helper to build a CSP src group list string from input params.\n * @param  {string}        name src name for the CSP group.\n * @param  {Array<string>} list The static src list for the CSP group.\n * @return {string}             The prepped src list string;\n */\nconst buildSrcString = (name = '', list = []) => {\n    let srcString = '';\n\n    if (Array.isArray(list)) {\n        srcKeywordsEscape(list, name);\n        srcString = `${name} ${list.join(' ')};`;\n    }\n\n    return srcString;\n};\n\n// ============================================================================\n//                               RESPONSE HEADERS                             =\n// ============================================================================\n/**\n * Set the CSP header on the response (by reference).\n * @param {object} [headers={}]  The event response headers (updated by reference).\n */\nconst setCspHeader = (headers = {}) => {\n    const domains = getEnvironmentUrls();\n    const cognitoIdpUrl = 'https://cognito-idp.us-east-1.amazonaws.com';\n\n    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy\n    headers['content-security-policy'] = [{\n        key: 'Content-Security-Policy',\n        value: `${[\n            `default-src 'none';`,\n            buildSrcString('manifest-src', [\n                'self',\n            ]),\n            buildSrcString('script-src', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://www.gstatic.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('script-src-elem', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://www.gstatic.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('script-src-attr', [\n                'self',\n            ]),\n            buildSrcString('worker-src', [\n                'self',\n            ]),\n            buildSrcString('style-src', [\n                'self',\n                'https://fonts.googleapis.com',\n                'https://www.gstatic.com/recaptcha/',\n            ]),\n            buildSrcString('style-src-elem', [\n                'self',\n                'https://fonts.googleapis.com',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n                `'sha256-YwWQHXh4Vw0oD2Oo8pV9huEF2sE9mD8i5nZUuHzEg9A='`, // <style> tag injected by authorize.net widget\n            ]),\n            buildSrcString('style-src-attr', [\n                'self',\n            ]),\n            buildSrcString('font-src', [\n                'self',\n                'https://fonts.gstatic.com',\n            ]),\n            buildSrcString('img-src', [\n                'self',\n                'data:',\n                domains.dataApi,\n                'https://www.gstatic.com/recaptcha/',\n            ]),\n            buildSrcString('media-src', [\n                'self',\n                domains.dataApi,\n            ]),\n            buildSrcString('frame-src', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://recaptcha.google.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('frame-ancestors', [\n                'none'\n            ]),\n            buildSrcString('object-src', [\n                'none',\n            ]),\n            buildSrcString('form-action', [\n                'none',\n            ]),\n            buildSrcString('connect-src', [\n                'self',\n                domains.dataApi,\n                domains.searchApi,\n                domains.s3UploadUrlState,\n                domains.s3UploadUrlProvider,\n                domains.cognitoStaff,\n                domains.cognitoProvider,\n                cognitoIdpUrl,\n                'https://www.google.com/recaptcha/',\n                // Begin Statsig domains\n                'https://api.statsig.com/',\n                'https://featuregates.org/',\n                'https://statsigapi.net/',\n                'https://events.statsigapi.net/',\n                'https://api.statsigcdn.com/',\n                'https://featureassets.org/',\n                'https://assetsconfigcdn.org/',\n                'https://prodregistryv2.org/',\n                'https://cloudflare-dns.com/',\n                'https://beyondwickedmapping.org/',\n                // End Statsig domains\n            ]),\n        ].join(' ')}`,\n    }];\n};\n\n/**\n * Set security headers on the response (by reference).\n * @param {object} [headers={}]  The event response headers (updated by reference).\n */\nconst setSecurityHeaders = (headers = {}) => {\n    // Strict-Transport-Security\n    headers['strict-transport-security'] = [{\n        key: 'Strict-Transport-Security',\n        value: 'max-age=31536000; includeSubdomains; preload',\n    }];\n    // X-Content-Type-Options\n    headers['x-content-type-options'] = [{\n        key: 'X-Content-Type-Options',\n        value: 'nosniff',\n    }];\n    // X-Frame-Options\n    headers['x-frame-options'] = [{\n        key: 'X-Frame-Options',\n        value: 'DENY',\n    }];\n    // Referrer-Policy\n    headers['referrer-policy'] = [{\n        key: 'Referrer-Policy',\n        value: 'strict-origin-when-cross-origin',\n    }];\n    // Server\n    headers.server = [{\n        key: 'Server',\n        value: 'CompactConnect',\n    }];\n    // Content-Security-Policy\n    setCspHeader(headers);\n};\n\n// ============================================================================\n//                                 LAMBDA ENTRY                               =\n// ============================================================================\nexports.handler = async (event) => {\n    // https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-event-structure.html\n    const eventRecord = event?.Records[0]?.cf || {};\n    const response = eventRecord.response || {};\n    const responseHeaders = response.headers || {};\n\n    setSecurityHeaders(responseHeaders);\n\n    return response;\n};\n"
+      "ZipFile": "//\n//  index.js\n//  CompactConnect\n//\n//  Created by InspiringApps on 7/22/2024.\n//\n\n// ============================================================================\n//                               CONFIGURATION                                =\n// ============================================================================\n/**\n * Configuration of supported domains.\n *\n * These values are injected into the lambda function at build time. See the\n * `generate_csp_lambda_code` function in\n * backend/compact-connect-ui-app/stacks/frontend_deployment_stack/distribution.py\n * @type {object}\n */\nconst environmentValues = {\n    webFrontend: `test-ui.example.com`,\n    // JCC\n    dataApi: `test-api.example.com`,\n    searchApi: `test-search-api.example.com`,\n    s3UploadUrlState: `test-bulk-uploads-bucket-name.s3.amazonaws.com`,\n    s3UploadUrlProvider: `test-provider-users-bucket-name.s3.amazonaws.com`,\n    cognitoStaff: `test-staff-domain`,\n    cognitoProvider: `test-provider-domain`,\n    // COSMETOLOGY\n    dataApiCosmo: `##DATA_API_COSMO##`,\n    searchApiCosmo: `##SEARCH_API_COSMO##`,\n    s3UploadUrlStateCosmo: `##S3_UPLOAD_URL_STATE_COSMO##`,\n    cognitoStaffCosmo: `##COGNITO_STAFF_COSMO##`,\n};\n\n// ============================================================================\n//                                   HELPERS                                  =\n// ============================================================================\n/**\n * Get the request domain from the lambda event record.\n * @param  {object} eventRecord The cloudfront record from the lambda event.\n * @return {string}             The bare domain of the request domain.\n */\n\n/**\n * Get a fully qualified domain URI with the protocol scheme.\n * @param  {string} domain The bare domain string.\n * @return {string}        The fully-qualified domain string.\n */\nconst getFullyQualified = (domain) => {\n    const protocol = 'https://';\n    let fullyQualified = '';\n\n    if (domain && typeof domain === 'string' && !domain.startsWith(protocol)) {\n        fullyQualified = `${protocol}${domain}`;\n    }\n\n    return fullyQualified;\n};\n\n/**\n * Helper to get the fully-qualified domains for connected services.\n * @return {object}               A map of fully-qualified domains for the environment.\n *   @return {string} dataApi       The data API fully-qualified domain.\n *   @return {string} s3UploadUrlState      The S3 fully-qualified domain for uploading state files.\n *   @return {string} s3UploadUrlProvider      The S3 fully-qualified domain for uploading provider files.\n *   @return {string} cognitoStaff  The Cognito fully-qualified domain for authenticating staff users.\n */\nconst getEnvironmentUrls = () => {\n    const environmentUrls = {};\n\n    // JCC\n    environmentUrls.dataApi = getFullyQualified(environmentValues.dataApi);\n    environmentUrls.searchApi = getFullyQualified(environmentValues.searchApi);\n    environmentUrls.s3UploadUrlState = getFullyQualified(environmentValues.s3UploadUrlState);\n    environmentUrls.s3UploadUrlProvider = getFullyQualified(environmentValues.s3UploadUrlProvider);\n    environmentUrls.cognitoStaff = getFullyQualified(environmentValues.cognitoStaff);\n    environmentUrls.cognitoProvider = getFullyQualified(environmentValues.cognitoProvider);\n    // COSMETOLOGY\n    environmentUrls.dataApiCosmo = getFullyQualified(environmentValues.dataApiCosmo);\n    environmentUrls.searchApiCosmo = getFullyQualified(environmentValues.searchApiCosmo);\n    environmentUrls.s3UploadUrlStateCosmo = getFullyQualified(environmentValues.s3UploadUrlStateCosmo);\n    environmentUrls.cognitoStaffCosmo = getFullyQualified(environmentValues.cognitoStaffCosmo);\n\n    return environmentUrls;\n};\n\n/**\n * Helper to escape CSP src keywords.\n * @param  {string} keyword The standard keyword value.\n * @return {string}         The escaped keyword value.\n */\nconst srcKeywordEscape = (keyword) => {\n    let escaped = '';\n\n    if (keyword && typeof keyword === 'string') {\n        escaped = `'${keyword}'`.toLowerCase();\n    }\n\n    return escaped;\n};\n\n/**\n * Helper to automatically escape and prep CSP src keyword values (by reference).\n * @param  {Array<string>} srcList       The CSP src list.\n * @param  {string}        [listName=''] Optional src list name for logging.\n */\nconst srcKeywordsEscape = (srcList, listName = '') => {\n    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#keyword_values\n    const srcKeywordsConfig = [\n        { value: 'self', isAllowed: true },\n        { value: 'none', isAllowed: true },\n        { value: 'strict-dynamic', isAllowed: true },\n        { value: 'report-sample', isAllowed: true },\n        { value: 'inline-speculation-rules', isAllowed: true },\n        { value: 'unsafe-inline', isAllowed: false },\n        { value: 'unsafe-eval', isAllowed: false },\n        { value: 'unsafe-hashes', isAllowed: false },\n        { value: 'wasm-unsafe-eval', isAllowed: false },\n    ];\n    const srcKeywords = srcKeywordsConfig.map((config) => config.value.toLowerCase());\n\n    if (Array.isArray(srcList)) {\n        srcList.forEach((srcItem, idx) => {\n            const isString = typeof srcItem === 'string';\n\n            if (!isString) {\n                srcList[idx] = '';\n            } else {\n                const srcItemLowerCase = srcItem.toLowerCase();\n\n                if (srcKeywords.includes(srcItemLowerCase)) {\n                    const keywordConfig = srcKeywordsConfig.find(\n                        (config) => srcItemLowerCase === config.value.toLowerCase()\n                    );\n\n                    if (keywordConfig) {\n                        if (!keywordConfig.isAllowed) {\n                            console.warn(`${listName} ${srcItem} keyword is not allowed in srcKeywordsConfig policy. We likely should not be using this keyword for security reasons.`.trim());\n                            srcList[idx] = '';\n                        } else {\n                            srcList[idx] = srcKeywordEscape(srcItem);\n                        }\n                    }\n                }\n            }\n        });\n    }\n};\n\n/**\n * Helper to build a CSP src group list string from input params.\n * @param  {string}        name src name for the CSP group.\n * @param  {Array<string>} list The static src list for the CSP group.\n * @return {string}             The prepped src list string;\n */\nconst buildSrcString = (name = '', list = []) => {\n    let srcString = '';\n\n    if (Array.isArray(list)) {\n        srcKeywordsEscape(list, name);\n        srcString = `${name} ${list.join(' ')};`;\n    }\n\n    return srcString;\n};\n\n// ============================================================================\n//                               RESPONSE HEADERS                             =\n// ============================================================================\n/**\n * Set the CSP header on the response (by reference).\n * @param {object} [headers={}]  The event response headers (updated by reference).\n */\nconst setCspHeader = (headers = {}) => {\n    const domains = getEnvironmentUrls();\n    const cognitoIdpUrl = 'https://cognito-idp.us-east-1.amazonaws.com';\n\n    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy\n    headers['content-security-policy'] = [{\n        key: 'Content-Security-Policy',\n        value: `${[\n            `default-src 'none';`,\n            buildSrcString('manifest-src', [\n                'self',\n            ]),\n            buildSrcString('script-src', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://www.gstatic.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('script-src-elem', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://www.gstatic.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('script-src-attr', [\n                'self',\n            ]),\n            buildSrcString('worker-src', [\n                'self',\n            ]),\n            buildSrcString('style-src', [\n                'self',\n                'https://fonts.googleapis.com',\n                'https://www.gstatic.com/recaptcha/',\n            ]),\n            buildSrcString('style-src-elem', [\n                'self',\n                'https://fonts.googleapis.com',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n                `'sha256-YwWQHXh4Vw0oD2Oo8pV9huEF2sE9mD8i5nZUuHzEg9A='`, // <style> tag injected by authorize.net widget\n            ]),\n            buildSrcString('style-src-attr', [\n                'self',\n            ]),\n            buildSrcString('font-src', [\n                'self',\n                'https://fonts.gstatic.com',\n            ]),\n            buildSrcString('img-src', [\n                'self',\n                'data:',\n                domains.dataApi,\n                domains.dataApiCosmo,\n                'https://www.gstatic.com/recaptcha/',\n            ]),\n            buildSrcString('media-src', [\n                'self',\n                domains.dataApi,\n                domains.dataApiCosmo,\n            ]),\n            buildSrcString('frame-src', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://recaptcha.google.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('frame-ancestors', [\n                'none'\n            ]),\n            buildSrcString('object-src', [\n                'none',\n            ]),\n            buildSrcString('form-action', [\n                'none',\n            ]),\n            buildSrcString('connect-src', [\n                'self',\n                // JCC\n                domains.dataApi,\n                domains.searchApi,\n                domains.s3UploadUrlState,\n                domains.s3UploadUrlProvider,\n                domains.cognitoStaff,\n                domains.cognitoProvider,\n                // COSMETOLOGY\n                domains.dataApiCosmo,\n                domains.searchApiCosmo,\n                domains.s3UploadUrlStateCosmo,\n                domains.cognitoStaffCosmo,\n                cognitoIdpUrl,\n                'https://www.google.com/recaptcha/',\n                // Begin Statsig domains\n                'https://api.statsig.com/',\n                'https://featuregates.org/',\n                'https://statsigapi.net/',\n                'https://events.statsigapi.net/',\n                'https://api.statsigcdn.com/',\n                'https://featureassets.org/',\n                'https://assetsconfigcdn.org/',\n                'https://prodregistryv2.org/',\n                'https://cloudflare-dns.com/',\n                'https://beyondwickedmapping.org/',\n                // End Statsig domains\n            ]),\n        ].join(' ')}`,\n    }];\n};\n\n/**\n * Set security headers on the response (by reference).\n * @param {object} [headers={}]  The event response headers (updated by reference).\n */\nconst setSecurityHeaders = (headers = {}) => {\n    // Strict-Transport-Security\n    headers['strict-transport-security'] = [{\n        key: 'Strict-Transport-Security',\n        value: 'max-age=31536000; includeSubdomains; preload',\n    }];\n    // X-Content-Type-Options\n    headers['x-content-type-options'] = [{\n        key: 'X-Content-Type-Options',\n        value: 'nosniff',\n    }];\n    // X-Frame-Options\n    headers['x-frame-options'] = [{\n        key: 'X-Frame-Options',\n        value: 'DENY',\n    }];\n    // Referrer-Policy\n    headers['referrer-policy'] = [{\n        key: 'Referrer-Policy',\n        value: 'strict-origin-when-cross-origin',\n    }];\n    // Server\n    headers.server = [{\n        key: 'Server',\n        value: 'CompactConnect',\n    }];\n    // Content-Security-Policy\n    setCspHeader(headers);\n};\n\n// ============================================================================\n//                                 LAMBDA ENTRY                               =\n// ============================================================================\nexports.handler = async (event) => {\n    // https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-event-structure.html\n    const eventRecord = event?.Records[0]?.cf || {};\n    const response = eventRecord.response || {};\n    const responseHeaders = response.headers || {};\n\n    setSecurityHeaders(responseHeaders);\n\n    return response;\n};\n"
     },
     "Handler": "index.handler",
     "Role": {
diff --git a/backend/compact-connect-ui-app/tests/resources/snapshots/SandboxUI-FrontendDeploymentStack-UI_DISTRIBUTION.json b/backend/compact-connect-ui-app/tests/resources/snapshots/SandboxUI-FrontendDeploymentStack-UI_DISTRIBUTION.json
index b3394318b..cba853c5a 100644
--- a/backend/compact-connect-ui-app/tests/resources/snapshots/SandboxUI-FrontendDeploymentStack-UI_DISTRIBUTION.json
+++ b/backend/compact-connect-ui-app/tests/resources/snapshots/SandboxUI-FrontendDeploymentStack-UI_DISTRIBUTION.json
@@ -39,7 +39,7 @@
             {
               "EventType": "viewer-response",
               "LambdaFunctionARN": {
-                "Ref": "CSPFunctionCurrentVersionB61A6611b3705bb7a3e3440bc14c943a82111069"
+                "Ref": "CSPFunctionCurrentVersionB61A66119d41b9d535c1a9a1d97ce915b0b0b079"
               }
             }
           ],
diff --git a/backend/compact-connect-ui-app/tests/resources/snapshots/SandboxUI-FrontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json b/backend/compact-connect-ui-app/tests/resources/snapshots/SandboxUI-FrontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json
index 3daaba274..a7a6dbbfb 100644
--- a/backend/compact-connect-ui-app/tests/resources/snapshots/SandboxUI-FrontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json
+++ b/backend/compact-connect-ui-app/tests/resources/snapshots/SandboxUI-FrontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json
@@ -2,7 +2,7 @@
   "Type": "AWS::Lambda::Function",
   "Properties": {
     "Code": {
-      "ZipFile": "//\n//  index.js\n//  CompactConnect\n//\n//  Created by InspiringApps on 7/22/2024.\n//\n\n// ============================================================================\n//                               CONFIGURATION                                =\n// ============================================================================\n/**\n * Configuration of supported domains.\n *\n * These values are injected into the lambda function at build time. See the\n * `generate_csp_lambda_code` function in\n * backend/compact-connect/stacks/frontend_deployment_stack/distribution.py\n * @type {object}\n */\nconst environmentValues = {\n    webFrontend: `test-ui.example.com`,\n    dataApi: `test-api.example.com`,\n    searchApi: `test-search-api.example.com`,\n    s3UploadUrlState: `test-bulk-uploads-bucket-name.s3.amazonaws.com`,\n    s3UploadUrlProvider: `test-provider-users-bucket-name.s3.amazonaws.com`,\n    cognitoStaff: `test-staff-domain`,\n    cognitoProvider: `test-provider-domain`,\n};\n\n// ============================================================================\n//                                   HELPERS                                  =\n// ============================================================================\n/**\n * Get the request domain from the lambda event record.\n * @param  {object} eventRecord The cloudfront record from the lambda event.\n * @return {string}             The bare domain of the request domain.\n */\n\n/**\n * Get a fully qualified domain URI with the protocol scheme.\n * @param  {string} domain The bare domain string.\n * @return {string}        The fully-qualified domain string.\n */\nconst getFullyQualified = (domain) => {\n    const protocol = 'https://';\n    let fullyQualified = '';\n\n    if (domain && typeof domain === 'string' && !domain.startsWith(protocol)) {\n        fullyQualified = `${protocol}${domain}`;\n    }\n\n    return fullyQualified;\n};\n\n/**\n * Helper to get the fully-qualified domains for connected services.\n * @return {object}               A map of fully-qualified domains for the environment.\n *   @return {string} dataApi       The data API fully-qualified domain.\n *   @return {string} s3UploadUrlState      The S3 fully-qualified domain for uploading state files.\n *   @return {string} s3UploadUrlProvider      The S3 fully-qualified domain for uploading provider files.\n *   @return {string} cognitoStaff  The Cognito fully-qualified domain for authenticating staff users.\n */\nconst getEnvironmentUrls = () => {\n    const environmentUrls = {};\n\n    environmentUrls.dataApi = getFullyQualified(environmentValues.dataApi);\n    environmentUrls.searchApi = getFullyQualified(environmentValues.searchApi);\n    environmentUrls.s3UploadUrlState = getFullyQualified(environmentValues.s3UploadUrlState);\n    environmentUrls.s3UploadUrlProvider = getFullyQualified(environmentValues.s3UploadUrlProvider);\n    environmentUrls.cognitoStaff = getFullyQualified(environmentValues.cognitoStaff);\n    environmentUrls.cognitoProvider = getFullyQualified(environmentValues.cognitoProvider);\n\n    return environmentUrls;\n};\n\n/**\n * Helper to escape CSP src keywords.\n * @param  {string} keyword The standard keyword value.\n * @return {string}         The escaped keyword value.\n */\nconst srcKeywordEscape = (keyword) => {\n    let escaped = '';\n\n    if (keyword && typeof keyword === 'string') {\n        escaped = `'${keyword}'`.toLowerCase();\n    }\n\n    return escaped;\n};\n\n/**\n * Helper to automatically escape and prep CSP src keyword values (by reference).\n * @param  {Array<string>} srcList       The CSP src list.\n * @param  {string}        [listName=''] Optional src list name for logging.\n */\nconst srcKeywordsEscape = (srcList, listName = '') => {\n    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#keyword_values\n    const srcKeywordsConfig = [\n        { value: 'self', isAllowed: true },\n        { value: 'none', isAllowed: true },\n        { value: 'strict-dynamic', isAllowed: true },\n        { value: 'report-sample', isAllowed: true },\n        { value: 'inline-speculation-rules', isAllowed: true },\n        { value: 'unsafe-inline', isAllowed: false },\n        { value: 'unsafe-eval', isAllowed: false },\n        { value: 'unsafe-hashes', isAllowed: false },\n        { value: 'wasm-unsafe-eval', isAllowed: false },\n    ];\n    const srcKeywords = srcKeywordsConfig.map((config) => config.value.toLowerCase());\n\n    if (Array.isArray(srcList)) {\n        srcList.forEach((srcItem, idx) => {\n            const isString = typeof srcItem === 'string';\n\n            if (!isString) {\n                srcList[idx] = '';\n            } else {\n                const srcItemLowerCase = srcItem.toLowerCase();\n\n                if (srcKeywords.includes(srcItemLowerCase)) {\n                    const keywordConfig = srcKeywordsConfig.find(\n                        (config) => srcItemLowerCase === config.value.toLowerCase()\n                    );\n\n                    if (keywordConfig) {\n                        if (!keywordConfig.isAllowed) {\n                            console.warn(`${listName} ${srcItem} keyword is not allowed in srcKeywordsConfig policy. We likely should not be using this keyword for security reasons.`.trim());\n                            srcList[idx] = '';\n                        } else {\n                            srcList[idx] = srcKeywordEscape(srcItem);\n                        }\n                    }\n                }\n            }\n        });\n    }\n};\n\n/**\n * Helper to build a CSP src group list string from input params.\n * @param  {string}        name src name for the CSP group.\n * @param  {Array<string>} list The static src list for the CSP group.\n * @return {string}             The prepped src list string;\n */\nconst buildSrcString = (name = '', list = []) => {\n    let srcString = '';\n\n    if (Array.isArray(list)) {\n        srcKeywordsEscape(list, name);\n        srcString = `${name} ${list.join(' ')};`;\n    }\n\n    return srcString;\n};\n\n// ============================================================================\n//                               RESPONSE HEADERS                             =\n// ============================================================================\n/**\n * Set the CSP header on the response (by reference).\n * @param {object} [headers={}]  The event response headers (updated by reference).\n */\nconst setCspHeader = (headers = {}) => {\n    const domains = getEnvironmentUrls();\n    const cognitoIdpUrl = 'https://cognito-idp.us-east-1.amazonaws.com';\n\n    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy\n    headers['content-security-policy'] = [{\n        key: 'Content-Security-Policy',\n        value: `${[\n            `default-src 'none';`,\n            buildSrcString('manifest-src', [\n                'self',\n            ]),\n            buildSrcString('script-src', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://www.gstatic.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('script-src-elem', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://www.gstatic.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('script-src-attr', [\n                'self',\n            ]),\n            buildSrcString('worker-src', [\n                'self',\n            ]),\n            buildSrcString('style-src', [\n                'self',\n                'https://fonts.googleapis.com',\n                'https://www.gstatic.com/recaptcha/',\n            ]),\n            buildSrcString('style-src-elem', [\n                'self',\n                'https://fonts.googleapis.com',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n                `'sha256-YwWQHXh4Vw0oD2Oo8pV9huEF2sE9mD8i5nZUuHzEg9A='`, // <style> tag injected by authorize.net widget\n            ]),\n            buildSrcString('style-src-attr', [\n                'self',\n            ]),\n            buildSrcString('font-src', [\n                'self',\n                'https://fonts.gstatic.com',\n            ]),\n            buildSrcString('img-src', [\n                'self',\n                'data:',\n                domains.dataApi,\n                'https://www.gstatic.com/recaptcha/',\n            ]),\n            buildSrcString('media-src', [\n                'self',\n                domains.dataApi,\n            ]),\n            buildSrcString('frame-src', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://recaptcha.google.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('frame-ancestors', [\n                'none'\n            ]),\n            buildSrcString('object-src', [\n                'none',\n            ]),\n            buildSrcString('form-action', [\n                'none',\n            ]),\n            buildSrcString('connect-src', [\n                'self',\n                domains.dataApi,\n                domains.searchApi,\n                domains.s3UploadUrlState,\n                domains.s3UploadUrlProvider,\n                domains.cognitoStaff,\n                domains.cognitoProvider,\n                cognitoIdpUrl,\n                'https://www.google.com/recaptcha/',\n                // Begin Statsig domains\n                'https://api.statsig.com/',\n                'https://featuregates.org/',\n                'https://statsigapi.net/',\n                'https://events.statsigapi.net/',\n                'https://api.statsigcdn.com/',\n                'https://featureassets.org/',\n                'https://assetsconfigcdn.org/',\n                'https://prodregistryv2.org/',\n                'https://cloudflare-dns.com/',\n                'https://beyondwickedmapping.org/',\n                // End Statsig domains\n            ]),\n        ].join(' ')}`,\n    }];\n};\n\n/**\n * Set security headers on the response (by reference).\n * @param {object} [headers={}]  The event response headers (updated by reference).\n */\nconst setSecurityHeaders = (headers = {}) => {\n    // Strict-Transport-Security\n    headers['strict-transport-security'] = [{\n        key: 'Strict-Transport-Security',\n        value: 'max-age=31536000; includeSubdomains; preload',\n    }];\n    // X-Content-Type-Options\n    headers['x-content-type-options'] = [{\n        key: 'X-Content-Type-Options',\n        value: 'nosniff',\n    }];\n    // X-Frame-Options\n    headers['x-frame-options'] = [{\n        key: 'X-Frame-Options',\n        value: 'DENY',\n    }];\n    // Referrer-Policy\n    headers['referrer-policy'] = [{\n        key: 'Referrer-Policy',\n        value: 'strict-origin-when-cross-origin',\n    }];\n    // Server\n    headers.server = [{\n        key: 'Server',\n        value: 'CompactConnect',\n    }];\n    // Content-Security-Policy\n    setCspHeader(headers);\n};\n\n// ============================================================================\n//                                 LAMBDA ENTRY                               =\n// ============================================================================\nexports.handler = async (event) => {\n    // https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-event-structure.html\n    const eventRecord = event?.Records[0]?.cf || {};\n    const response = eventRecord.response || {};\n    const responseHeaders = response.headers || {};\n\n    setSecurityHeaders(responseHeaders);\n\n    return response;\n};\n"
+      "ZipFile": "//\n//  index.js\n//  CompactConnect\n//\n//  Created by InspiringApps on 7/22/2024.\n//\n\n// ============================================================================\n//                               CONFIGURATION                                =\n// ============================================================================\n/**\n * Configuration of supported domains.\n *\n * These values are injected into the lambda function at build time. See the\n * `generate_csp_lambda_code` function in\n * backend/compact-connect-ui-app/stacks/frontend_deployment_stack/distribution.py\n * @type {object}\n */\nconst environmentValues = {\n    webFrontend: `test-ui.example.com`,\n    // JCC\n    dataApi: `test-api.example.com`,\n    searchApi: `test-search-api.example.com`,\n    s3UploadUrlState: `test-bulk-uploads-bucket-name.s3.amazonaws.com`,\n    s3UploadUrlProvider: `test-provider-users-bucket-name.s3.amazonaws.com`,\n    cognitoStaff: `test-staff-domain`,\n    cognitoProvider: `test-provider-domain`,\n    // COSMETOLOGY\n    dataApiCosmo: `##DATA_API_COSMO##`,\n    searchApiCosmo: `##SEARCH_API_COSMO##`,\n    s3UploadUrlStateCosmo: `##S3_UPLOAD_URL_STATE_COSMO##`,\n    cognitoStaffCosmo: `##COGNITO_STAFF_COSMO##`,\n};\n\n// ============================================================================\n//                                   HELPERS                                  =\n// ============================================================================\n/**\n * Get the request domain from the lambda event record.\n * @param  {object} eventRecord The cloudfront record from the lambda event.\n * @return {string}             The bare domain of the request domain.\n */\n\n/**\n * Get a fully qualified domain URI with the protocol scheme.\n * @param  {string} domain The bare domain string.\n * @return {string}        The fully-qualified domain string.\n */\nconst getFullyQualified = (domain) => {\n    const protocol = 'https://';\n    let fullyQualified = '';\n\n    if (domain && typeof domain === 'string' && !domain.startsWith(protocol)) {\n        fullyQualified = `${protocol}${domain}`;\n    }\n\n    return fullyQualified;\n};\n\n/**\n * Helper to get the fully-qualified domains for connected services.\n * @return {object}               A map of fully-qualified domains for the environment.\n *   @return {string} dataApi       The data API fully-qualified domain.\n *   @return {string} s3UploadUrlState      The S3 fully-qualified domain for uploading state files.\n *   @return {string} s3UploadUrlProvider      The S3 fully-qualified domain for uploading provider files.\n *   @return {string} cognitoStaff  The Cognito fully-qualified domain for authenticating staff users.\n */\nconst getEnvironmentUrls = () => {\n    const environmentUrls = {};\n\n    // JCC\n    environmentUrls.dataApi = getFullyQualified(environmentValues.dataApi);\n    environmentUrls.searchApi = getFullyQualified(environmentValues.searchApi);\n    environmentUrls.s3UploadUrlState = getFullyQualified(environmentValues.s3UploadUrlState);\n    environmentUrls.s3UploadUrlProvider = getFullyQualified(environmentValues.s3UploadUrlProvider);\n    environmentUrls.cognitoStaff = getFullyQualified(environmentValues.cognitoStaff);\n    environmentUrls.cognitoProvider = getFullyQualified(environmentValues.cognitoProvider);\n    // COSMETOLOGY\n    environmentUrls.dataApiCosmo = getFullyQualified(environmentValues.dataApiCosmo);\n    environmentUrls.searchApiCosmo = getFullyQualified(environmentValues.searchApiCosmo);\n    environmentUrls.s3UploadUrlStateCosmo = getFullyQualified(environmentValues.s3UploadUrlStateCosmo);\n    environmentUrls.cognitoStaffCosmo = getFullyQualified(environmentValues.cognitoStaffCosmo);\n\n    return environmentUrls;\n};\n\n/**\n * Helper to escape CSP src keywords.\n * @param  {string} keyword The standard keyword value.\n * @return {string}         The escaped keyword value.\n */\nconst srcKeywordEscape = (keyword) => {\n    let escaped = '';\n\n    if (keyword && typeof keyword === 'string') {\n        escaped = `'${keyword}'`.toLowerCase();\n    }\n\n    return escaped;\n};\n\n/**\n * Helper to automatically escape and prep CSP src keyword values (by reference).\n * @param  {Array<string>} srcList       The CSP src list.\n * @param  {string}        [listName=''] Optional src list name for logging.\n */\nconst srcKeywordsEscape = (srcList, listName = '') => {\n    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#keyword_values\n    const srcKeywordsConfig = [\n        { value: 'self', isAllowed: true },\n        { value: 'none', isAllowed: true },\n        { value: 'strict-dynamic', isAllowed: true },\n        { value: 'report-sample', isAllowed: true },\n        { value: 'inline-speculation-rules', isAllowed: true },\n        { value: 'unsafe-inline', isAllowed: false },\n        { value: 'unsafe-eval', isAllowed: false },\n        { value: 'unsafe-hashes', isAllowed: false },\n        { value: 'wasm-unsafe-eval', isAllowed: false },\n    ];\n    const srcKeywords = srcKeywordsConfig.map((config) => config.value.toLowerCase());\n\n    if (Array.isArray(srcList)) {\n        srcList.forEach((srcItem, idx) => {\n            const isString = typeof srcItem === 'string';\n\n            if (!isString) {\n                srcList[idx] = '';\n            } else {\n                const srcItemLowerCase = srcItem.toLowerCase();\n\n                if (srcKeywords.includes(srcItemLowerCase)) {\n                    const keywordConfig = srcKeywordsConfig.find(\n                        (config) => srcItemLowerCase === config.value.toLowerCase()\n                    );\n\n                    if (keywordConfig) {\n                        if (!keywordConfig.isAllowed) {\n                            console.warn(`${listName} ${srcItem} keyword is not allowed in srcKeywordsConfig policy. We likely should not be using this keyword for security reasons.`.trim());\n                            srcList[idx] = '';\n                        } else {\n                            srcList[idx] = srcKeywordEscape(srcItem);\n                        }\n                    }\n                }\n            }\n        });\n    }\n};\n\n/**\n * Helper to build a CSP src group list string from input params.\n * @param  {string}        name src name for the CSP group.\n * @param  {Array<string>} list The static src list for the CSP group.\n * @return {string}             The prepped src list string;\n */\nconst buildSrcString = (name = '', list = []) => {\n    let srcString = '';\n\n    if (Array.isArray(list)) {\n        srcKeywordsEscape(list, name);\n        srcString = `${name} ${list.join(' ')};`;\n    }\n\n    return srcString;\n};\n\n// ============================================================================\n//                               RESPONSE HEADERS                             =\n// ============================================================================\n/**\n * Set the CSP header on the response (by reference).\n * @param {object} [headers={}]  The event response headers (updated by reference).\n */\nconst setCspHeader = (headers = {}) => {\n    const domains = getEnvironmentUrls();\n    const cognitoIdpUrl = 'https://cognito-idp.us-east-1.amazonaws.com';\n\n    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy\n    headers['content-security-policy'] = [{\n        key: 'Content-Security-Policy',\n        value: `${[\n            `default-src 'none';`,\n            buildSrcString('manifest-src', [\n                'self',\n            ]),\n            buildSrcString('script-src', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://www.gstatic.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('script-src-elem', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://www.gstatic.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('script-src-attr', [\n                'self',\n            ]),\n            buildSrcString('worker-src', [\n                'self',\n            ]),\n            buildSrcString('style-src', [\n                'self',\n                'https://fonts.googleapis.com',\n                'https://www.gstatic.com/recaptcha/',\n            ]),\n            buildSrcString('style-src-elem', [\n                'self',\n                'https://fonts.googleapis.com',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n                `'sha256-YwWQHXh4Vw0oD2Oo8pV9huEF2sE9mD8i5nZUuHzEg9A='`, // <style> tag injected by authorize.net widget\n            ]),\n            buildSrcString('style-src-attr', [\n                'self',\n            ]),\n            buildSrcString('font-src', [\n                'self',\n                'https://fonts.gstatic.com',\n            ]),\n            buildSrcString('img-src', [\n                'self',\n                'data:',\n                domains.dataApi,\n                domains.dataApiCosmo,\n                'https://www.gstatic.com/recaptcha/',\n            ]),\n            buildSrcString('media-src', [\n                'self',\n                domains.dataApi,\n                domains.dataApiCosmo,\n            ]),\n            buildSrcString('frame-src', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://recaptcha.google.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('frame-ancestors', [\n                'none'\n            ]),\n            buildSrcString('object-src', [\n                'none',\n            ]),\n            buildSrcString('form-action', [\n                'none',\n            ]),\n            buildSrcString('connect-src', [\n                'self',\n                // JCC\n                domains.dataApi,\n                domains.searchApi,\n                domains.s3UploadUrlState,\n                domains.s3UploadUrlProvider,\n                domains.cognitoStaff,\n                domains.cognitoProvider,\n                // COSMETOLOGY\n                domains.dataApiCosmo,\n                domains.searchApiCosmo,\n                domains.s3UploadUrlStateCosmo,\n                domains.cognitoStaffCosmo,\n                cognitoIdpUrl,\n                'https://www.google.com/recaptcha/',\n                // Begin Statsig domains\n                'https://api.statsig.com/',\n                'https://featuregates.org/',\n                'https://statsigapi.net/',\n                'https://events.statsigapi.net/',\n                'https://api.statsigcdn.com/',\n                'https://featureassets.org/',\n                'https://assetsconfigcdn.org/',\n                'https://prodregistryv2.org/',\n                'https://cloudflare-dns.com/',\n                'https://beyondwickedmapping.org/',\n                // End Statsig domains\n            ]),\n        ].join(' ')}`,\n    }];\n};\n\n/**\n * Set security headers on the response (by reference).\n * @param {object} [headers={}]  The event response headers (updated by reference).\n */\nconst setSecurityHeaders = (headers = {}) => {\n    // Strict-Transport-Security\n    headers['strict-transport-security'] = [{\n        key: 'Strict-Transport-Security',\n        value: 'max-age=31536000; includeSubdomains; preload',\n    }];\n    // X-Content-Type-Options\n    headers['x-content-type-options'] = [{\n        key: 'X-Content-Type-Options',\n        value: 'nosniff',\n    }];\n    // X-Frame-Options\n    headers['x-frame-options'] = [{\n        key: 'X-Frame-Options',\n        value: 'DENY',\n    }];\n    // Referrer-Policy\n    headers['referrer-policy'] = [{\n        key: 'Referrer-Policy',\n        value: 'strict-origin-when-cross-origin',\n    }];\n    // Server\n    headers.server = [{\n        key: 'Server',\n        value: 'CompactConnect',\n    }];\n    // Content-Security-Policy\n    setCspHeader(headers);\n};\n\n// ============================================================================\n//                                 LAMBDA ENTRY                               =\n// ============================================================================\nexports.handler = async (event) => {\n    // https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-event-structure.html\n    const eventRecord = event?.Records[0]?.cf || {};\n    const response = eventRecord.response || {};\n    const responseHeaders = response.headers || {};\n\n    setSecurityHeaders(responseHeaders);\n\n    return response;\n};\n"
     },
     "Handler": "index.handler",
     "Role": {
diff --git a/backend/compact-connect-ui-app/tests/resources/snapshots/TestFrontend-FrontendDeploymentStack-UI_DISTRIBUTION.json b/backend/compact-connect-ui-app/tests/resources/snapshots/TestFrontend-FrontendDeploymentStack-UI_DISTRIBUTION.json
index fa058f2b2..c1202aa5a 100644
--- a/backend/compact-connect-ui-app/tests/resources/snapshots/TestFrontend-FrontendDeploymentStack-UI_DISTRIBUTION.json
+++ b/backend/compact-connect-ui-app/tests/resources/snapshots/TestFrontend-FrontendDeploymentStack-UI_DISTRIBUTION.json
@@ -39,7 +39,7 @@
             {
               "EventType": "viewer-response",
               "LambdaFunctionARN": {
-                "Ref": "CSPFunctionCurrentVersionB61A6611b3705bb7a3e3440bc14c943a82111069"
+                "Ref": "CSPFunctionCurrentVersionB61A66119d41b9d535c1a9a1d97ce915b0b0b079"
               }
             }
           ],
diff --git a/backend/compact-connect-ui-app/tests/resources/snapshots/TestFrontend-FrontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json b/backend/compact-connect-ui-app/tests/resources/snapshots/TestFrontend-FrontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json
index 3daaba274..a7a6dbbfb 100644
--- a/backend/compact-connect-ui-app/tests/resources/snapshots/TestFrontend-FrontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json
+++ b/backend/compact-connect-ui-app/tests/resources/snapshots/TestFrontend-FrontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json
@@ -2,7 +2,7 @@
   "Type": "AWS::Lambda::Function",
   "Properties": {
     "Code": {
-      "ZipFile": "//\n//  index.js\n//  CompactConnect\n//\n//  Created by InspiringApps on 7/22/2024.\n//\n\n// ============================================================================\n//                               CONFIGURATION                                =\n// ============================================================================\n/**\n * Configuration of supported domains.\n *\n * These values are injected into the lambda function at build time. See the\n * `generate_csp_lambda_code` function in\n * backend/compact-connect/stacks/frontend_deployment_stack/distribution.py\n * @type {object}\n */\nconst environmentValues = {\n    webFrontend: `test-ui.example.com`,\n    dataApi: `test-api.example.com`,\n    searchApi: `test-search-api.example.com`,\n    s3UploadUrlState: `test-bulk-uploads-bucket-name.s3.amazonaws.com`,\n    s3UploadUrlProvider: `test-provider-users-bucket-name.s3.amazonaws.com`,\n    cognitoStaff: `test-staff-domain`,\n    cognitoProvider: `test-provider-domain`,\n};\n\n// ============================================================================\n//                                   HELPERS                                  =\n// ============================================================================\n/**\n * Get the request domain from the lambda event record.\n * @param  {object} eventRecord The cloudfront record from the lambda event.\n * @return {string}             The bare domain of the request domain.\n */\n\n/**\n * Get a fully qualified domain URI with the protocol scheme.\n * @param  {string} domain The bare domain string.\n * @return {string}        The fully-qualified domain string.\n */\nconst getFullyQualified = (domain) => {\n    const protocol = 'https://';\n    let fullyQualified = '';\n\n    if (domain && typeof domain === 'string' && !domain.startsWith(protocol)) {\n        fullyQualified = `${protocol}${domain}`;\n    }\n\n    return fullyQualified;\n};\n\n/**\n * Helper to get the fully-qualified domains for connected services.\n * @return {object}               A map of fully-qualified domains for the environment.\n *   @return {string} dataApi       The data API fully-qualified domain.\n *   @return {string} s3UploadUrlState      The S3 fully-qualified domain for uploading state files.\n *   @return {string} s3UploadUrlProvider      The S3 fully-qualified domain for uploading provider files.\n *   @return {string} cognitoStaff  The Cognito fully-qualified domain for authenticating staff users.\n */\nconst getEnvironmentUrls = () => {\n    const environmentUrls = {};\n\n    environmentUrls.dataApi = getFullyQualified(environmentValues.dataApi);\n    environmentUrls.searchApi = getFullyQualified(environmentValues.searchApi);\n    environmentUrls.s3UploadUrlState = getFullyQualified(environmentValues.s3UploadUrlState);\n    environmentUrls.s3UploadUrlProvider = getFullyQualified(environmentValues.s3UploadUrlProvider);\n    environmentUrls.cognitoStaff = getFullyQualified(environmentValues.cognitoStaff);\n    environmentUrls.cognitoProvider = getFullyQualified(environmentValues.cognitoProvider);\n\n    return environmentUrls;\n};\n\n/**\n * Helper to escape CSP src keywords.\n * @param  {string} keyword The standard keyword value.\n * @return {string}         The escaped keyword value.\n */\nconst srcKeywordEscape = (keyword) => {\n    let escaped = '';\n\n    if (keyword && typeof keyword === 'string') {\n        escaped = `'${keyword}'`.toLowerCase();\n    }\n\n    return escaped;\n};\n\n/**\n * Helper to automatically escape and prep CSP src keyword values (by reference).\n * @param  {Array<string>} srcList       The CSP src list.\n * @param  {string}        [listName=''] Optional src list name for logging.\n */\nconst srcKeywordsEscape = (srcList, listName = '') => {\n    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#keyword_values\n    const srcKeywordsConfig = [\n        { value: 'self', isAllowed: true },\n        { value: 'none', isAllowed: true },\n        { value: 'strict-dynamic', isAllowed: true },\n        { value: 'report-sample', isAllowed: true },\n        { value: 'inline-speculation-rules', isAllowed: true },\n        { value: 'unsafe-inline', isAllowed: false },\n        { value: 'unsafe-eval', isAllowed: false },\n        { value: 'unsafe-hashes', isAllowed: false },\n        { value: 'wasm-unsafe-eval', isAllowed: false },\n    ];\n    const srcKeywords = srcKeywordsConfig.map((config) => config.value.toLowerCase());\n\n    if (Array.isArray(srcList)) {\n        srcList.forEach((srcItem, idx) => {\n            const isString = typeof srcItem === 'string';\n\n            if (!isString) {\n                srcList[idx] = '';\n            } else {\n                const srcItemLowerCase = srcItem.toLowerCase();\n\n                if (srcKeywords.includes(srcItemLowerCase)) {\n                    const keywordConfig = srcKeywordsConfig.find(\n                        (config) => srcItemLowerCase === config.value.toLowerCase()\n                    );\n\n                    if (keywordConfig) {\n                        if (!keywordConfig.isAllowed) {\n                            console.warn(`${listName} ${srcItem} keyword is not allowed in srcKeywordsConfig policy. We likely should not be using this keyword for security reasons.`.trim());\n                            srcList[idx] = '';\n                        } else {\n                            srcList[idx] = srcKeywordEscape(srcItem);\n                        }\n                    }\n                }\n            }\n        });\n    }\n};\n\n/**\n * Helper to build a CSP src group list string from input params.\n * @param  {string}        name src name for the CSP group.\n * @param  {Array<string>} list The static src list for the CSP group.\n * @return {string}             The prepped src list string;\n */\nconst buildSrcString = (name = '', list = []) => {\n    let srcString = '';\n\n    if (Array.isArray(list)) {\n        srcKeywordsEscape(list, name);\n        srcString = `${name} ${list.join(' ')};`;\n    }\n\n    return srcString;\n};\n\n// ============================================================================\n//                               RESPONSE HEADERS                             =\n// ============================================================================\n/**\n * Set the CSP header on the response (by reference).\n * @param {object} [headers={}]  The event response headers (updated by reference).\n */\nconst setCspHeader = (headers = {}) => {\n    const domains = getEnvironmentUrls();\n    const cognitoIdpUrl = 'https://cognito-idp.us-east-1.amazonaws.com';\n\n    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy\n    headers['content-security-policy'] = [{\n        key: 'Content-Security-Policy',\n        value: `${[\n            `default-src 'none';`,\n            buildSrcString('manifest-src', [\n                'self',\n            ]),\n            buildSrcString('script-src', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://www.gstatic.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('script-src-elem', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://www.gstatic.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('script-src-attr', [\n                'self',\n            ]),\n            buildSrcString('worker-src', [\n                'self',\n            ]),\n            buildSrcString('style-src', [\n                'self',\n                'https://fonts.googleapis.com',\n                'https://www.gstatic.com/recaptcha/',\n            ]),\n            buildSrcString('style-src-elem', [\n                'self',\n                'https://fonts.googleapis.com',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n                `'sha256-YwWQHXh4Vw0oD2Oo8pV9huEF2sE9mD8i5nZUuHzEg9A='`, // <style> tag injected by authorize.net widget\n            ]),\n            buildSrcString('style-src-attr', [\n                'self',\n            ]),\n            buildSrcString('font-src', [\n                'self',\n                'https://fonts.gstatic.com',\n            ]),\n            buildSrcString('img-src', [\n                'self',\n                'data:',\n                domains.dataApi,\n                'https://www.gstatic.com/recaptcha/',\n            ]),\n            buildSrcString('media-src', [\n                'self',\n                domains.dataApi,\n            ]),\n            buildSrcString('frame-src', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://recaptcha.google.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('frame-ancestors', [\n                'none'\n            ]),\n            buildSrcString('object-src', [\n                'none',\n            ]),\n            buildSrcString('form-action', [\n                'none',\n            ]),\n            buildSrcString('connect-src', [\n                'self',\n                domains.dataApi,\n                domains.searchApi,\n                domains.s3UploadUrlState,\n                domains.s3UploadUrlProvider,\n                domains.cognitoStaff,\n                domains.cognitoProvider,\n                cognitoIdpUrl,\n                'https://www.google.com/recaptcha/',\n                // Begin Statsig domains\n                'https://api.statsig.com/',\n                'https://featuregates.org/',\n                'https://statsigapi.net/',\n                'https://events.statsigapi.net/',\n                'https://api.statsigcdn.com/',\n                'https://featureassets.org/',\n                'https://assetsconfigcdn.org/',\n                'https://prodregistryv2.org/',\n                'https://cloudflare-dns.com/',\n                'https://beyondwickedmapping.org/',\n                // End Statsig domains\n            ]),\n        ].join(' ')}`,\n    }];\n};\n\n/**\n * Set security headers on the response (by reference).\n * @param {object} [headers={}]  The event response headers (updated by reference).\n */\nconst setSecurityHeaders = (headers = {}) => {\n    // Strict-Transport-Security\n    headers['strict-transport-security'] = [{\n        key: 'Strict-Transport-Security',\n        value: 'max-age=31536000; includeSubdomains; preload',\n    }];\n    // X-Content-Type-Options\n    headers['x-content-type-options'] = [{\n        key: 'X-Content-Type-Options',\n        value: 'nosniff',\n    }];\n    // X-Frame-Options\n    headers['x-frame-options'] = [{\n        key: 'X-Frame-Options',\n        value: 'DENY',\n    }];\n    // Referrer-Policy\n    headers['referrer-policy'] = [{\n        key: 'Referrer-Policy',\n        value: 'strict-origin-when-cross-origin',\n    }];\n    // Server\n    headers.server = [{\n        key: 'Server',\n        value: 'CompactConnect',\n    }];\n    // Content-Security-Policy\n    setCspHeader(headers);\n};\n\n// ============================================================================\n//                                 LAMBDA ENTRY                               =\n// ============================================================================\nexports.handler = async (event) => {\n    // https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-event-structure.html\n    const eventRecord = event?.Records[0]?.cf || {};\n    const response = eventRecord.response || {};\n    const responseHeaders = response.headers || {};\n\n    setSecurityHeaders(responseHeaders);\n\n    return response;\n};\n"
+      "ZipFile": "//\n//  index.js\n//  CompactConnect\n//\n//  Created by InspiringApps on 7/22/2024.\n//\n\n// ============================================================================\n//                               CONFIGURATION                                =\n// ============================================================================\n/**\n * Configuration of supported domains.\n *\n * These values are injected into the lambda function at build time. See the\n * `generate_csp_lambda_code` function in\n * backend/compact-connect-ui-app/stacks/frontend_deployment_stack/distribution.py\n * @type {object}\n */\nconst environmentValues = {\n    webFrontend: `test-ui.example.com`,\n    // JCC\n    dataApi: `test-api.example.com`,\n    searchApi: `test-search-api.example.com`,\n    s3UploadUrlState: `test-bulk-uploads-bucket-name.s3.amazonaws.com`,\n    s3UploadUrlProvider: `test-provider-users-bucket-name.s3.amazonaws.com`,\n    cognitoStaff: `test-staff-domain`,\n    cognitoProvider: `test-provider-domain`,\n    // COSMETOLOGY\n    dataApiCosmo: `##DATA_API_COSMO##`,\n    searchApiCosmo: `##SEARCH_API_COSMO##`,\n    s3UploadUrlStateCosmo: `##S3_UPLOAD_URL_STATE_COSMO##`,\n    cognitoStaffCosmo: `##COGNITO_STAFF_COSMO##`,\n};\n\n// ============================================================================\n//                                   HELPERS                                  =\n// ============================================================================\n/**\n * Get the request domain from the lambda event record.\n * @param  {object} eventRecord The cloudfront record from the lambda event.\n * @return {string}             The bare domain of the request domain.\n */\n\n/**\n * Get a fully qualified domain URI with the protocol scheme.\n * @param  {string} domain The bare domain string.\n * @return {string}        The fully-qualified domain string.\n */\nconst getFullyQualified = (domain) => {\n    const protocol = 'https://';\n    let fullyQualified = '';\n\n    if (domain && typeof domain === 'string' && !domain.startsWith(protocol)) {\n        fullyQualified = `${protocol}${domain}`;\n    }\n\n    return fullyQualified;\n};\n\n/**\n * Helper to get the fully-qualified domains for connected services.\n * @return {object}               A map of fully-qualified domains for the environment.\n *   @return {string} dataApi       The data API fully-qualified domain.\n *   @return {string} s3UploadUrlState      The S3 fully-qualified domain for uploading state files.\n *   @return {string} s3UploadUrlProvider      The S3 fully-qualified domain for uploading provider files.\n *   @return {string} cognitoStaff  The Cognito fully-qualified domain for authenticating staff users.\n */\nconst getEnvironmentUrls = () => {\n    const environmentUrls = {};\n\n    // JCC\n    environmentUrls.dataApi = getFullyQualified(environmentValues.dataApi);\n    environmentUrls.searchApi = getFullyQualified(environmentValues.searchApi);\n    environmentUrls.s3UploadUrlState = getFullyQualified(environmentValues.s3UploadUrlState);\n    environmentUrls.s3UploadUrlProvider = getFullyQualified(environmentValues.s3UploadUrlProvider);\n    environmentUrls.cognitoStaff = getFullyQualified(environmentValues.cognitoStaff);\n    environmentUrls.cognitoProvider = getFullyQualified(environmentValues.cognitoProvider);\n    // COSMETOLOGY\n    environmentUrls.dataApiCosmo = getFullyQualified(environmentValues.dataApiCosmo);\n    environmentUrls.searchApiCosmo = getFullyQualified(environmentValues.searchApiCosmo);\n    environmentUrls.s3UploadUrlStateCosmo = getFullyQualified(environmentValues.s3UploadUrlStateCosmo);\n    environmentUrls.cognitoStaffCosmo = getFullyQualified(environmentValues.cognitoStaffCosmo);\n\n    return environmentUrls;\n};\n\n/**\n * Helper to escape CSP src keywords.\n * @param  {string} keyword The standard keyword value.\n * @return {string}         The escaped keyword value.\n */\nconst srcKeywordEscape = (keyword) => {\n    let escaped = '';\n\n    if (keyword && typeof keyword === 'string') {\n        escaped = `'${keyword}'`.toLowerCase();\n    }\n\n    return escaped;\n};\n\n/**\n * Helper to automatically escape and prep CSP src keyword values (by reference).\n * @param  {Array<string>} srcList       The CSP src list.\n * @param  {string}        [listName=''] Optional src list name for logging.\n */\nconst srcKeywordsEscape = (srcList, listName = '') => {\n    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#keyword_values\n    const srcKeywordsConfig = [\n        { value: 'self', isAllowed: true },\n        { value: 'none', isAllowed: true },\n        { value: 'strict-dynamic', isAllowed: true },\n        { value: 'report-sample', isAllowed: true },\n        { value: 'inline-speculation-rules', isAllowed: true },\n        { value: 'unsafe-inline', isAllowed: false },\n        { value: 'unsafe-eval', isAllowed: false },\n        { value: 'unsafe-hashes', isAllowed: false },\n        { value: 'wasm-unsafe-eval', isAllowed: false },\n    ];\n    const srcKeywords = srcKeywordsConfig.map((config) => config.value.toLowerCase());\n\n    if (Array.isArray(srcList)) {\n        srcList.forEach((srcItem, idx) => {\n            const isString = typeof srcItem === 'string';\n\n            if (!isString) {\n                srcList[idx] = '';\n            } else {\n                const srcItemLowerCase = srcItem.toLowerCase();\n\n                if (srcKeywords.includes(srcItemLowerCase)) {\n                    const keywordConfig = srcKeywordsConfig.find(\n                        (config) => srcItemLowerCase === config.value.toLowerCase()\n                    );\n\n                    if (keywordConfig) {\n                        if (!keywordConfig.isAllowed) {\n                            console.warn(`${listName} ${srcItem} keyword is not allowed in srcKeywordsConfig policy. We likely should not be using this keyword for security reasons.`.trim());\n                            srcList[idx] = '';\n                        } else {\n                            srcList[idx] = srcKeywordEscape(srcItem);\n                        }\n                    }\n                }\n            }\n        });\n    }\n};\n\n/**\n * Helper to build a CSP src group list string from input params.\n * @param  {string}        name src name for the CSP group.\n * @param  {Array<string>} list The static src list for the CSP group.\n * @return {string}             The prepped src list string;\n */\nconst buildSrcString = (name = '', list = []) => {\n    let srcString = '';\n\n    if (Array.isArray(list)) {\n        srcKeywordsEscape(list, name);\n        srcString = `${name} ${list.join(' ')};`;\n    }\n\n    return srcString;\n};\n\n// ============================================================================\n//                               RESPONSE HEADERS                             =\n// ============================================================================\n/**\n * Set the CSP header on the response (by reference).\n * @param {object} [headers={}]  The event response headers (updated by reference).\n */\nconst setCspHeader = (headers = {}) => {\n    const domains = getEnvironmentUrls();\n    const cognitoIdpUrl = 'https://cognito-idp.us-east-1.amazonaws.com';\n\n    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy\n    headers['content-security-policy'] = [{\n        key: 'Content-Security-Policy',\n        value: `${[\n            `default-src 'none';`,\n            buildSrcString('manifest-src', [\n                'self',\n            ]),\n            buildSrcString('script-src', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://www.gstatic.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('script-src-elem', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://www.gstatic.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('script-src-attr', [\n                'self',\n            ]),\n            buildSrcString('worker-src', [\n                'self',\n            ]),\n            buildSrcString('style-src', [\n                'self',\n                'https://fonts.googleapis.com',\n                'https://www.gstatic.com/recaptcha/',\n            ]),\n            buildSrcString('style-src-elem', [\n                'self',\n                'https://fonts.googleapis.com',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n                `'sha256-YwWQHXh4Vw0oD2Oo8pV9huEF2sE9mD8i5nZUuHzEg9A='`, // <style> tag injected by authorize.net widget\n            ]),\n            buildSrcString('style-src-attr', [\n                'self',\n            ]),\n            buildSrcString('font-src', [\n                'self',\n                'https://fonts.gstatic.com',\n            ]),\n            buildSrcString('img-src', [\n                'self',\n                'data:',\n                domains.dataApi,\n                domains.dataApiCosmo,\n                'https://www.gstatic.com/recaptcha/',\n            ]),\n            buildSrcString('media-src', [\n                'self',\n                domains.dataApi,\n                domains.dataApiCosmo,\n            ]),\n            buildSrcString('frame-src', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://recaptcha.google.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('frame-ancestors', [\n                'none'\n            ]),\n            buildSrcString('object-src', [\n                'none',\n            ]),\n            buildSrcString('form-action', [\n                'none',\n            ]),\n            buildSrcString('connect-src', [\n                'self',\n                // JCC\n                domains.dataApi,\n                domains.searchApi,\n                domains.s3UploadUrlState,\n                domains.s3UploadUrlProvider,\n                domains.cognitoStaff,\n                domains.cognitoProvider,\n                // COSMETOLOGY\n                domains.dataApiCosmo,\n                domains.searchApiCosmo,\n                domains.s3UploadUrlStateCosmo,\n                domains.cognitoStaffCosmo,\n                cognitoIdpUrl,\n                'https://www.google.com/recaptcha/',\n                // Begin Statsig domains\n                'https://api.statsig.com/',\n                'https://featuregates.org/',\n                'https://statsigapi.net/',\n                'https://events.statsigapi.net/',\n                'https://api.statsigcdn.com/',\n                'https://featureassets.org/',\n                'https://assetsconfigcdn.org/',\n                'https://prodregistryv2.org/',\n                'https://cloudflare-dns.com/',\n                'https://beyondwickedmapping.org/',\n                // End Statsig domains\n            ]),\n        ].join(' ')}`,\n    }];\n};\n\n/**\n * Set security headers on the response (by reference).\n * @param {object} [headers={}]  The event response headers (updated by reference).\n */\nconst setSecurityHeaders = (headers = {}) => {\n    // Strict-Transport-Security\n    headers['strict-transport-security'] = [{\n        key: 'Strict-Transport-Security',\n        value: 'max-age=31536000; includeSubdomains; preload',\n    }];\n    // X-Content-Type-Options\n    headers['x-content-type-options'] = [{\n        key: 'X-Content-Type-Options',\n        value: 'nosniff',\n    }];\n    // X-Frame-Options\n    headers['x-frame-options'] = [{\n        key: 'X-Frame-Options',\n        value: 'DENY',\n    }];\n    // Referrer-Policy\n    headers['referrer-policy'] = [{\n        key: 'Referrer-Policy',\n        value: 'strict-origin-when-cross-origin',\n    }];\n    // Server\n    headers.server = [{\n        key: 'Server',\n        value: 'CompactConnect',\n    }];\n    // Content-Security-Policy\n    setCspHeader(headers);\n};\n\n// ============================================================================\n//                                 LAMBDA ENTRY                               =\n// ============================================================================\nexports.handler = async (event) => {\n    // https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-event-structure.html\n    const eventRecord = event?.Records[0]?.cf || {};\n    const response = eventRecord.response || {};\n    const responseHeaders = response.headers || {};\n\n    setSecurityHeaders(responseHeaders);\n\n    return response;\n};\n"
     },
     "Handler": "index.handler",
     "Role": {
diff --git a/backend/cosmetology-app/lambdas/nodejs/lib/email/cognito-email-service.ts b/backend/cosmetology-app/lambdas/nodejs/lib/email/cognito-email-service.ts
index 2ddeacfdb..fd044e38a 100644
--- a/backend/cosmetology-app/lambdas/nodejs/lib/email/cognito-email-service.ts
+++ b/backend/cosmetology-app/lambdas/nodejs/lib/email/cognito-email-service.ts
@@ -63,7 +63,7 @@ export class CognitoEmailService extends BaseEmailService {
 
         this.insertHeader(template, subject);
 
-        const loginUrl = `${environmentVariableService.getUiBasePathUrl()}/Dashboard?bypass=login-staff`;
+        const loginUrl = `${environmentVariableService.getUiBasePathUrl()}/Dashboard?bypass=login-staff-cosmo`;
         const loginText = `Please immediately [sign in](${loginUrl}) and change your password when prompted.`;
 
         this.insertBody(template,
diff --git a/backend/cosmetology-app/lambdas/nodejs/tests/lib/email/cognito-email-service.test.ts b/backend/cosmetology-app/lambdas/nodejs/tests/lib/email/cognito-email-service.test.ts
index 0e89e1479..bf74dd053 100644
--- a/backend/cosmetology-app/lambdas/nodejs/tests/lib/email/cognito-email-service.test.ts
+++ b/backend/cosmetology-app/lambdas/nodejs/tests/lib/email/cognito-email-service.test.ts
@@ -72,7 +72,7 @@ describe('CognitoEmailService', () => {
                 expect(htmlContent).toContain('testuser');
                 expect(htmlContent).toContain('Please immediately');
                 expect(htmlContent).toContain('and change your password when prompted');
-                expect(htmlContent).toContain('<a href="https://app.test.compactconnect.org/Dashboard?bypass=login-staff" target="_blank">sign in</a>');
+                expect(htmlContent).toContain('<a href="https://app.test.compactconnect.org/Dashboard?bypass=login-staff-cosmo" target="_blank">sign in</a>');
             });
 
             it('should generate AdminCreateUser message for unknown user pool type with immediate login message', () => {
@@ -91,7 +91,7 @@ describe('CognitoEmailService', () => {
                 expect(htmlContent).toContain('testuser');
                 expect(htmlContent).toContain('Please immediately');
                 expect(htmlContent).toContain('and change your password when prompted');
-                expect(htmlContent).toContain('<a href="https://app.test.compactconnect.org/Dashboard?bypass=login-staff" target="_blank">sign in</a>');
+                expect(htmlContent).toContain('<a href="https://app.test.compactconnect.org/Dashboard?bypass=login-staff-cosmo" target="_blank">sign in</a>');
             });
         });
 
diff --git a/webroot/README.md b/webroot/README.md
index 956a03799..6a8667f39 100644
--- a/webroot/README.md
+++ b/webroot/README.md
@@ -84,6 +84,46 @@
             - Prod: `https://search.compactconnect.org`
         - _Local_ :arrow_heading_down:
             - `https://search.test.jcc.iaapi.io`
+    - **`VUE_APP_API_USER_ROOT`**
+        - _Server_ :arrow_heading_up:
+            - IA Test: `https://api.test.jcc.iaapi.io`
+            - CSG Test: `TODO`
+            - Beta: `TODO`
+            - Prod: `TODO`
+        - _Local_ :arrow_heading_down:
+            - `https://api.test.jcc.iaapi.io`
+    - **`VUE_APP_API_STATE_ROOT_COSMO`**
+        - _Server_ :arrow_heading_up:
+            - IA Test: `https://api.test.cosmetology.jcc.iaapi.io`
+            - CSG Test: `TODO`
+            - Beta: `TODO`
+            - Prod: `TODO`
+        - _Local_ :arrow_heading_down:
+            - `https://api.test.cosmetology.jcc.iaapi.io`
+    - **`VUE_APP_API_LICENSE_ROOT_COSMO`**
+        - _Server_ :arrow_heading_up:
+            - IA Test: `https://api.test.cosmetology.jcc.iaapi.io`
+            - CSG Test: `TODO`
+            - Beta: `TODO`
+            - Prod: `TODO`
+        - _Local_ :arrow_heading_down:
+            - `https://api.test.cosmetology.jcc.iaapi.io`
+    - **`VUE_APP_API_SEARCH_ROOT_COSMO`**
+        - _Server_ :arrow_heading_up:
+            - IA Test: `https://search.test.cosmetology.jcc.iaapi.io`
+            - CSG Test: `TODO`
+            - Beta: `TODO`
+            - Prod: `TODO`
+        - _Local_ :arrow_heading_down:
+            - `https://search.test.cosmetology.jcc.iaapi.io`
+    - **`VUE_APP_API_USER_ROOT_COSMO`**
+        - _Server_ :arrow_heading_up:
+            - IA Test: `https://api.test.cosmetology.jcc.iaapi.io`
+            - CSG Test: `TODO`
+            - Beta: `TODO`
+            - Prod: `TODO`
+        - _Local_ :arrow_heading_down:
+            - `https://api.test.cosmetology.jcc.iaapi.io`
     - **`VUE_APP_COGNITO_REGION`**
         - _Server_ :arrow_heading_up:
             - IA Test: `us-east-1`
@@ -124,6 +164,22 @@
             - Prod: `4mnd3u2rp30ssgnm7dk81jcqsc`
         - _Local_ :arrow_heading_down:
             - `15mh24ea4af3of8jcnv8h2ic10`
+    - **`VUE_APP_COGNITO_AUTH_DOMAIN_STAFF_COSMO`**
+        - _Server_ :arrow_heading_up:
+            - IA Test: `https://staff-auth.test.cosmetology.jcc.iaapi.io`
+            - CSG Test: `TODO`
+            - Beta: `TODO`
+            - Prod: `TODO`
+        - _Local_ :arrow_heading_down:
+            - `https://staff-auth.test.cosmetology.jcc.iaapi.io`
+    - **`VUE_APP_COGNITO_CLIENT_ID_STAFF_COSMO`**
+        - _Server_ :arrow_heading_up:
+            - IA Test: `42km9ho786d28dp812j88kvscq`
+            - CSG Test: `TODO`
+            - Beta: TODO
+            - Prod: `TODO`
+        - _Local_ :arrow_heading_down:
+            - `42km9ho786d28dp812j88kvscq`
     - **`VUE_APP_RECAPTCHA_KEY`**
         - _Server_ :arrow_heading_up:
             - IA Test: `6Le-3bgqAAAAAILDVUKkRnAF9SSzb8o9uv5lY7Ih`
@@ -161,6 +217,10 @@
         - `3018`
 
 ### Adding environment variables
+_For any environment values that are NOT static and DO depend on backend CDK context, coordinate with the backend team to coordinate the updates to the SSM parameter store._
+
+For any environment values that are static and don't depend on backend CDK context, follow the steps below.
+
 In **`/backend/compact-connect-ui-app/`**:
 
 - **Update `cdk.context.*-example.json` files**

From 767751acd6c24e70e10253ace9e23605ed293859 Mon Sep 17 00:00:00 2001
From: John Sandoval <john@inspiringapps.com>
Date: Wed, 11 Feb 2026 15:10:26 -0700
Subject: [PATCH 06/14] WIP: Cosmetology multi-backend scaffolding - Work with
 backend team to get ui stack configured with cosmetology SSM values - Work
 with backend team to resolve plan for eventual `/v1/compacts/cosm` endpoint -
 Work with backend team to resolve ui_domain_name SSM param for cosmetology -
 Continue smoke testing - @todo: Update ChangePassword UI component (if
 needed) - @todo: Continue smoke testing

---
 .github/workflows/check-webroot.yml                | 14 ++++++++++++++
 .../stacks/frontend_deployment_stack/__init__.py   | 14 ++++++++++++++
 .../stacks/frontend_deployment_stack/deployment.py |  7 +++++++
 .../frontend_deployment_stack/distribution.py      | 13 ++++++++++++-
 4 files changed, 47 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/check-webroot.yml b/.github/workflows/check-webroot.yml
index 452a3586d..47d2841ef 100644
--- a/.github/workflows/check-webroot.yml
+++ b/.github/workflows/check-webroot.yml
@@ -34,11 +34,18 @@ jobs:
       VUE_APP_API_STATE_ROOT: https://api.test.jcc.iaapi.io
       VUE_APP_API_LICENSE_ROOT: https://api.test.jcc.iaapi.io
       VUE_APP_API_SEARCH_ROOT: https://search.test.jcc.iaapi.io
+      VUE_APP_API_USER_ROOT: https://api.test.jcc.iaapi.io
+      VUE_APP_API_STATE_ROOT_COSMO: https://api.test.cosmetology.jcc.iaapi.io
+      VUE_APP_API_LICENSE_ROOT_COSMO: https://api.test.cosmetology.jcc.iaapi.io
+      VUE_APP_API_SEARCH_ROOT_COSMO: https://search.test.cosmetology.jcc.iaapi.io
+      VUE_APP_API_USER_ROOT_COSMO: https://api.test.cosmetology.jcc.iaapi.io
       VUE_APP_COGNITO_REGION: us-east-1
       VUE_APP_COGNITO_AUTH_DOMAIN_STAFF: https://ia-cc-staff-test.auth.us-east-1.amazoncognito.com
       VUE_APP_COGNITO_CLIENT_ID_STAFF: ${{ secrets.DEV_WEBROOT_COGNITO_CLIENT_ID_STAFF }}
       VUE_APP_COGNITO_AUTH_DOMAIN_LICENSEE: https://ia-cc-provider-test.auth.us-east-1.amazoncognito.com
       VUE_APP_COGNITO_CLIENT_ID_LICENSEE: ${{ secrets.DEV_WEBROOT_COGNITO_CLIENT_ID_LICENSEE }}
+      VUE_APP_COGNITO_AUTH_DOMAIN_STAFF: https://staff-auth.test.cosmetology.jcc.iaapi.io
+      VUE_APP_COGNITO_CLIENT_ID_STAFF: ${{ secrets.DEV_WEBROOT_COGNITO_CLIENT_ID_STAFF_COSMO }}
       VUE_APP_RECAPTCHA_KEY: 6Le-3bgqAAAAAILDVUKkRnAF9SSzb8o9uv5lY7Ih
 
     steps:
@@ -90,11 +97,18 @@ jobs:
           VUE_APP_API_STATE_ROOT: ${{ env.VUE_APP_API_STATE_ROOT }}
           VUE_APP_API_LICENSE_ROOT: ${{ env.VUE_APP_API_LICENSE_ROOT }}
           VUE_APP_API_SEARCH_ROOT: ${{ env.VUE_APP_API_SEARCH_ROOT }}
+          VUE_APP_API_USER_ROOT: ${{ env.VUE_APP_API_USER_ROOT }}
+          VUE_APP_API_STATE_ROOT_COSMO: ${{ env.VUE_APP_API_STATE_ROOT_COSMO }}
+          VUE_APP_API_LICENSE_ROOT_COSMO: ${{ env.VUE_APP_API_LICENSE_ROOT_COSMO }}
+          VUE_APP_API_SEARCH_ROOT_COSMO: ${{ env.VUE_APP_API_SEARCH_ROOT_COSMO }}
+          VUE_APP_API_USER_ROOT_COSMO: ${{ env.VUE_APP_API_USER_ROOT_COSMO }}
           VUE_APP_COGNITO_REGION: ${{ env.VUE_APP_COGNITO_REGION }}
           VUE_APP_COGNITO_AUTH_DOMAIN_STAFF: ${{ env.VUE_APP_COGNITO_AUTH_DOMAIN_STAFF }}
           VUE_APP_COGNITO_CLIENT_ID_STAFF: ${{ env.VUE_APP_COGNITO_CLIENT_ID_STAFF }}
           VUE_APP_COGNITO_AUTH_DOMAIN_LICENSEE: ${{ env.VUE_APP_COGNITO_AUTH_DOMAIN_LICENSEE }}
           VUE_APP_COGNITO_CLIENT_ID_LICENSEE: ${{ env.VUE_APP_COGNITO_CLIENT_ID_LICENSEE }}
+          VUE_APP_COGNITO_AUTH_DOMAIN_STAFF_COSMO: ${{ env.VUE_APP_COGNITO_AUTH_DOMAIN_STAFF_COSMO }}
+          VUE_APP_COGNITO_CLIENT_ID_STAFF_COSMO: ${{ env.VUE_APP_COGNITO_CLIENT_ID_STAFF_COSMO }}
           VUE_APP_RECAPTCHA_KEY: ${{ env.VUE_APP_RECAPTCHA_KEY }}
           VUE_APP_MOCK_API: true
         run: yarn build
diff --git a/backend/compact-connect-ui-app/stacks/frontend_deployment_stack/__init__.py b/backend/compact-connect-ui-app/stacks/frontend_deployment_stack/__init__.py
index f21ba5170..0b4b3217b 100644
--- a/backend/compact-connect-ui-app/stacks/frontend_deployment_stack/__init__.py
+++ b/backend/compact-connect-ui-app/stacks/frontend_deployment_stack/__init__.py
@@ -3,6 +3,7 @@
 from common_constructs.access_logs_bucket import AccessLogsBucket
 from common_constructs.bucket import Bucket
 from common_constructs.frontend_app_config_utility import (
+    AppId,
     PersistentStackFrontendAppConfigValues,
     ProviderUsersStackFrontendAppConfigValues,
 )
@@ -39,6 +40,11 @@ def __init__(
         persistent_stack_frontend_app_config_values = (
             PersistentStackFrontendAppConfigValues.load_persistent_stack_values_from_ssm_parameter(self)
         )
+        persistent_stack_frontend_app_config_values_cosmetology = (
+            PersistentStackFrontendAppConfigValues.load_persistent_stack_values_from_ssm_parameter(
+                self, app_id=AppId.COSMETOLOGY
+            )
+        )
         provider_users_stack_frontend_app_config_values = (
             ProviderUsersStackFrontendAppConfigValues.load_provider_users_stack_values_from_ssm_parameter(self)
         )
@@ -51,6 +57,12 @@ def __init__(
                 'Persistent Stack App Configuration not found in SSM. '
                 'Make sure Persistent Stack resources have been deployed.'
             )
+        if persistent_stack_frontend_app_config_values_cosmetology is None:
+            raise ValueError(
+                'Persistent Stack App Configuration (cosmetology) not found in SSM. '
+                'Make sure Cosmetology Persistent Stack resources have been deployed and the parameter '
+                'has been copied to this account.'
+            )
         if provider_users_stack_frontend_app_config_values is None:
             raise ValueError(
                 'Provider Users Stack App Configuration not found in SSM. '
@@ -100,6 +112,7 @@ def __init__(
             ui_bucket=self.ui_bucket,
             environment_context=environment_context,
             persistent_stack_app_config_values=persistent_stack_frontend_app_config_values,
+            persistent_stack_app_config_values_cosmetology=persistent_stack_frontend_app_config_values_cosmetology,
             provider_users_stack_app_config_values=provider_users_stack_frontend_app_config_values,
         )
 
@@ -110,5 +123,6 @@ def __init__(
             security_profile=security_profile,
             access_logs_bucket=self.frontend_access_logs_bucket,
             persistent_stack_frontend_app_config_values=persistent_stack_frontend_app_config_values,
+            persistent_stack_frontend_app_config_values_cosmetology=persistent_stack_frontend_app_config_values_cosmetology,
             provider_users_stack_frontend_app_config_values=provider_users_stack_frontend_app_config_values,
         )
diff --git a/backend/compact-connect-ui-app/stacks/frontend_deployment_stack/deployment.py b/backend/compact-connect-ui-app/stacks/frontend_deployment_stack/deployment.py
index dc6f714f1..2bd452ad3 100644
--- a/backend/compact-connect-ui-app/stacks/frontend_deployment_stack/deployment.py
+++ b/backend/compact-connect-ui-app/stacks/frontend_deployment_stack/deployment.py
@@ -24,6 +24,7 @@ def __init__(
         ui_bucket: IBucket,
         environment_context: dict,
         persistent_stack_app_config_values: PersistentStackFrontendAppConfigValues,
+        persistent_stack_app_config_values_cosmetology: PersistentStackFrontendAppConfigValues,
         provider_users_stack_app_config_values: ProviderUsersStackFrontendAppConfigValues,
     ):
         stack = Stack.of(scope)
@@ -64,11 +65,17 @@ def __init__(
                                 'VUE_APP_API_LICENSE_ROOT': f'{HTTPS_PREFIX}{persistent_stack_app_config_values.api_domain_name}',
                                 'VUE_APP_API_SEARCH_ROOT': f'{HTTPS_PREFIX}{persistent_stack_app_config_values.search_api_domain_name}',
                                 'VUE_APP_API_USER_ROOT': f'{HTTPS_PREFIX}{persistent_stack_app_config_values.api_domain_name}',
+                                'VUE_APP_API_STATE_ROOT_COSMO': f'{HTTPS_PREFIX}{persistent_stack_app_config_values_cosmetology.api_domain_name}',
+                                'VUE_APP_API_LICENSE_ROOT_COSMO': f'{HTTPS_PREFIX}{persistent_stack_app_config_values_cosmetology.api_domain_name}',
+                                'VUE_APP_API_SEARCH_ROOT_COSMO': f'{HTTPS_PREFIX}{persistent_stack_app_config_values_cosmetology.search_api_domain_name}',
+                                'VUE_APP_API_USER_ROOT_COSMO': f'{HTTPS_PREFIX}{persistent_stack_app_config_values_cosmetology.api_domain_name}',
                                 'VUE_APP_COGNITO_REGION': 'us-east-1',
                                 'VUE_APP_COGNITO_AUTH_DOMAIN_STAFF': f'{HTTPS_PREFIX}{persistent_stack_app_config_values.staff_cognito_domain}',
                                 'VUE_APP_COGNITO_CLIENT_ID_STAFF': persistent_stack_app_config_values.staff_cognito_client_id,
                                 'VUE_APP_COGNITO_AUTH_DOMAIN_LICENSEE': f'{HTTPS_PREFIX}{provider_users_stack_app_config_values.provider_cognito_domain}',
                                 'VUE_APP_COGNITO_CLIENT_ID_LICENSEE': provider_users_stack_app_config_values.provider_cognito_client_id,
+                                'VUE_APP_COGNITO_AUTH_DOMAIN_STAFF_COSMO': f'{HTTPS_PREFIX}{persistent_stack_app_config_values_cosmetology.staff_cognito_domain}',
+                                'VUE_APP_COGNITO_CLIENT_ID_STAFF_COSMO': persistent_stack_app_config_values_cosmetology.staff_cognito_client_id,
                                 'VUE_APP_RECAPTCHA_KEY': recaptcha_public_key,
                                 'VUE_APP_STATSIG_KEY': statsig_client_key,
                             },
diff --git a/backend/compact-connect-ui-app/stacks/frontend_deployment_stack/distribution.py b/backend/compact-connect-ui-app/stacks/frontend_deployment_stack/distribution.py
index d9a3e781e..b1ab44378 100644
--- a/backend/compact-connect-ui-app/stacks/frontend_deployment_stack/distribution.py
+++ b/backend/compact-connect-ui-app/stacks/frontend_deployment_stack/distribution.py
@@ -34,6 +34,7 @@
 
 def generate_csp_lambda_code(
     persistent_stack_values: PersistentStackFrontendAppConfigValues,
+    persistent_stack_values_cosmetology: PersistentStackFrontendAppConfigValues,
     provider_users_stack_values: ProviderUsersStackFrontendAppConfigValues,
 ) -> str:
     """
@@ -45,6 +46,7 @@ def generate_csp_lambda_code(
     This function reads the template file and replaces placeholders with actual values.
 
     :param persistent_stack_values: The values from the persistent stack
+    :param persistent_stack_values_cosmetology: The values from the cosmetology persistent stack
     :param provider_users_stack_values: The values from the provider users stack
     :return: The generated Lambda function code
     """
@@ -56,12 +58,18 @@ def generate_csp_lambda_code(
     # Replace placeholders with actual values
     replacements = {
         '##WEB_FRONTEND##': persistent_stack_values.ui_domain_name,
+        # JCC
         '##DATA_API##': persistent_stack_values.api_domain_name,
         '##SEARCH_API##': persistent_stack_values.search_api_domain_name,
         '##S3_UPLOAD_URL_STATE##': f'{persistent_stack_values.bulk_uploads_bucket_name}{S3_URL_SUFFIX}',
         '##S3_UPLOAD_URL_PROVIDER##': f'{persistent_stack_values.provider_users_bucket_name}{S3_URL_SUFFIX}',
         '##COGNITO_STAFF##': persistent_stack_values.staff_cognito_domain,
         '##COGNITO_PROVIDER##': provider_users_stack_values.provider_cognito_domain,
+        # COSMETOLOGY
+        '##DATA_API_COSMO##': persistent_stack_values_cosmetology.api_domain_name,
+        '##SEARCH_API_COSMO##': persistent_stack_values_cosmetology.search_api_domain_name,
+        '##S3_UPLOAD_URL_STATE_COSMO##': f'{persistent_stack_values_cosmetology.bulk_uploads_bucket_name}{S3_URL_SUFFIX}',
+        '##COGNITO_STAFF_COSMO##': persistent_stack_values_cosmetology.staff_cognito_domain,
     }
 
     for placeholder, value in replacements.items():
@@ -80,6 +88,7 @@ def __init__(
         security_profile: SecurityProfile = SecurityProfile.RECOMMENDED,
         access_logs_bucket: AccessLogsBucket,
         persistent_stack_frontend_app_config_values: PersistentStackFrontendAppConfigValues,
+        persistent_stack_frontend_app_config_values_cosmetology: PersistentStackFrontendAppConfigValues,
         provider_users_stack_frontend_app_config_values: ProviderUsersStackFrontendAppConfigValues,
     ):
         stack: AppStack = AppStack.of(scope)
@@ -118,7 +127,9 @@ def __init__(
 
         # Generate the CSP Lambda code with injected values
         csp_function_code = generate_csp_lambda_code(
-            persistent_stack_frontend_app_config_values, provider_users_stack_frontend_app_config_values
+            persistent_stack_frontend_app_config_values,
+            persistent_stack_frontend_app_config_values_cosmetology,
+            provider_users_stack_frontend_app_config_values
         )
 
         self.csp_function = Function(

From 1651bb696c2b4675be438fcd18bb1b4da6ab9255 Mon Sep 17 00:00:00 2001
From: John Sandoval <john@inspiringapps.com>
Date: Wed, 11 Feb 2026 15:20:58 -0700
Subject: [PATCH 07/14] WIP: Cosmetology multi-backend scaffolding - Update
 backend test snapshots - @todo: Update ChangePassword UI component (if
 needed) - @todo: Continue smoke testing

---
 .github/workflows/check-webroot.yml                           | 4 ++--
 .../BetaFrontend-FrontendDeploymentStack-UI_DISTRIBUTION.json | 2 +-
 ...ontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json | 2 +-
 .../ProdFrontend-FrontendDeploymentStack-UI_DISTRIBUTION.json | 2 +-
 ...ontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json | 2 +-
 .../SandboxUI-FrontendDeploymentStack-UI_DISTRIBUTION.json    | 2 +-
 ...ontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json | 2 +-
 .../TestFrontend-FrontendDeploymentStack-UI_DISTRIBUTION.json | 2 +-
 ...ontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json | 2 +-
 9 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/check-webroot.yml b/.github/workflows/check-webroot.yml
index 47d2841ef..fe2d2bcd1 100644
--- a/.github/workflows/check-webroot.yml
+++ b/.github/workflows/check-webroot.yml
@@ -44,8 +44,8 @@ jobs:
       VUE_APP_COGNITO_CLIENT_ID_STAFF: ${{ secrets.DEV_WEBROOT_COGNITO_CLIENT_ID_STAFF }}
       VUE_APP_COGNITO_AUTH_DOMAIN_LICENSEE: https://ia-cc-provider-test.auth.us-east-1.amazoncognito.com
       VUE_APP_COGNITO_CLIENT_ID_LICENSEE: ${{ secrets.DEV_WEBROOT_COGNITO_CLIENT_ID_LICENSEE }}
-      VUE_APP_COGNITO_AUTH_DOMAIN_STAFF: https://staff-auth.test.cosmetology.jcc.iaapi.io
-      VUE_APP_COGNITO_CLIENT_ID_STAFF: ${{ secrets.DEV_WEBROOT_COGNITO_CLIENT_ID_STAFF_COSMO }}
+      VUE_APP_COGNITO_AUTH_DOMAIN_STAFF_COSMO: https://staff-auth.test.cosmetology.jcc.iaapi.io
+      VUE_APP_COGNITO_CLIENT_ID_STAFF_COSMO: ${{ secrets.DEV_WEBROOT_COGNITO_CLIENT_ID_STAFF_COSMO }}
       VUE_APP_RECAPTCHA_KEY: 6Le-3bgqAAAAAILDVUKkRnAF9SSzb8o9uv5lY7Ih
 
     steps:
diff --git a/backend/compact-connect-ui-app/tests/resources/snapshots/BetaFrontend-FrontendDeploymentStack-UI_DISTRIBUTION.json b/backend/compact-connect-ui-app/tests/resources/snapshots/BetaFrontend-FrontendDeploymentStack-UI_DISTRIBUTION.json
index 313acd8ad..2badde480 100644
--- a/backend/compact-connect-ui-app/tests/resources/snapshots/BetaFrontend-FrontendDeploymentStack-UI_DISTRIBUTION.json
+++ b/backend/compact-connect-ui-app/tests/resources/snapshots/BetaFrontend-FrontendDeploymentStack-UI_DISTRIBUTION.json
@@ -39,7 +39,7 @@
             {
               "EventType": "viewer-response",
               "LambdaFunctionARN": {
-                "Ref": "CSPFunctionCurrentVersionB61A66119d41b9d535c1a9a1d97ce915b0b0b079"
+                "Ref": "CSPFunctionCurrentVersionB61A6611ae71df5f4a2e71905706631237e7d8d0"
               }
             }
           ],
diff --git a/backend/compact-connect-ui-app/tests/resources/snapshots/BetaFrontend-FrontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json b/backend/compact-connect-ui-app/tests/resources/snapshots/BetaFrontend-FrontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json
index a7a6dbbfb..7e31da685 100644
--- a/backend/compact-connect-ui-app/tests/resources/snapshots/BetaFrontend-FrontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json
+++ b/backend/compact-connect-ui-app/tests/resources/snapshots/BetaFrontend-FrontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json
@@ -2,7 +2,7 @@
   "Type": "AWS::Lambda::Function",
   "Properties": {
     "Code": {
-      "ZipFile": "//\n//  index.js\n//  CompactConnect\n//\n//  Created by InspiringApps on 7/22/2024.\n//\n\n// ============================================================================\n//                               CONFIGURATION                                =\n// ============================================================================\n/**\n * Configuration of supported domains.\n *\n * These values are injected into the lambda function at build time. See the\n * `generate_csp_lambda_code` function in\n * backend/compact-connect-ui-app/stacks/frontend_deployment_stack/distribution.py\n * @type {object}\n */\nconst environmentValues = {\n    webFrontend: `test-ui.example.com`,\n    // JCC\n    dataApi: `test-api.example.com`,\n    searchApi: `test-search-api.example.com`,\n    s3UploadUrlState: `test-bulk-uploads-bucket-name.s3.amazonaws.com`,\n    s3UploadUrlProvider: `test-provider-users-bucket-name.s3.amazonaws.com`,\n    cognitoStaff: `test-staff-domain`,\n    cognitoProvider: `test-provider-domain`,\n    // COSMETOLOGY\n    dataApiCosmo: `##DATA_API_COSMO##`,\n    searchApiCosmo: `##SEARCH_API_COSMO##`,\n    s3UploadUrlStateCosmo: `##S3_UPLOAD_URL_STATE_COSMO##`,\n    cognitoStaffCosmo: `##COGNITO_STAFF_COSMO##`,\n};\n\n// ============================================================================\n//                                   HELPERS                                  =\n// ============================================================================\n/**\n * Get the request domain from the lambda event record.\n * @param  {object} eventRecord The cloudfront record from the lambda event.\n * @return {string}             The bare domain of the request domain.\n */\n\n/**\n * Get a fully qualified domain URI with the protocol scheme.\n * @param  {string} domain The bare domain string.\n * @return {string}        The fully-qualified domain string.\n */\nconst getFullyQualified = (domain) => {\n    const protocol = 'https://';\n    let fullyQualified = '';\n\n    if (domain && typeof domain === 'string' && !domain.startsWith(protocol)) {\n        fullyQualified = `${protocol}${domain}`;\n    }\n\n    return fullyQualified;\n};\n\n/**\n * Helper to get the fully-qualified domains for connected services.\n * @return {object}               A map of fully-qualified domains for the environment.\n *   @return {string} dataApi       The data API fully-qualified domain.\n *   @return {string} s3UploadUrlState      The S3 fully-qualified domain for uploading state files.\n *   @return {string} s3UploadUrlProvider      The S3 fully-qualified domain for uploading provider files.\n *   @return {string} cognitoStaff  The Cognito fully-qualified domain for authenticating staff users.\n */\nconst getEnvironmentUrls = () => {\n    const environmentUrls = {};\n\n    // JCC\n    environmentUrls.dataApi = getFullyQualified(environmentValues.dataApi);\n    environmentUrls.searchApi = getFullyQualified(environmentValues.searchApi);\n    environmentUrls.s3UploadUrlState = getFullyQualified(environmentValues.s3UploadUrlState);\n    environmentUrls.s3UploadUrlProvider = getFullyQualified(environmentValues.s3UploadUrlProvider);\n    environmentUrls.cognitoStaff = getFullyQualified(environmentValues.cognitoStaff);\n    environmentUrls.cognitoProvider = getFullyQualified(environmentValues.cognitoProvider);\n    // COSMETOLOGY\n    environmentUrls.dataApiCosmo = getFullyQualified(environmentValues.dataApiCosmo);\n    environmentUrls.searchApiCosmo = getFullyQualified(environmentValues.searchApiCosmo);\n    environmentUrls.s3UploadUrlStateCosmo = getFullyQualified(environmentValues.s3UploadUrlStateCosmo);\n    environmentUrls.cognitoStaffCosmo = getFullyQualified(environmentValues.cognitoStaffCosmo);\n\n    return environmentUrls;\n};\n\n/**\n * Helper to escape CSP src keywords.\n * @param  {string} keyword The standard keyword value.\n * @return {string}         The escaped keyword value.\n */\nconst srcKeywordEscape = (keyword) => {\n    let escaped = '';\n\n    if (keyword && typeof keyword === 'string') {\n        escaped = `'${keyword}'`.toLowerCase();\n    }\n\n    return escaped;\n};\n\n/**\n * Helper to automatically escape and prep CSP src keyword values (by reference).\n * @param  {Array<string>} srcList       The CSP src list.\n * @param  {string}        [listName=''] Optional src list name for logging.\n */\nconst srcKeywordsEscape = (srcList, listName = '') => {\n    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#keyword_values\n    const srcKeywordsConfig = [\n        { value: 'self', isAllowed: true },\n        { value: 'none', isAllowed: true },\n        { value: 'strict-dynamic', isAllowed: true },\n        { value: 'report-sample', isAllowed: true },\n        { value: 'inline-speculation-rules', isAllowed: true },\n        { value: 'unsafe-inline', isAllowed: false },\n        { value: 'unsafe-eval', isAllowed: false },\n        { value: 'unsafe-hashes', isAllowed: false },\n        { value: 'wasm-unsafe-eval', isAllowed: false },\n    ];\n    const srcKeywords = srcKeywordsConfig.map((config) => config.value.toLowerCase());\n\n    if (Array.isArray(srcList)) {\n        srcList.forEach((srcItem, idx) => {\n            const isString = typeof srcItem === 'string';\n\n            if (!isString) {\n                srcList[idx] = '';\n            } else {\n                const srcItemLowerCase = srcItem.toLowerCase();\n\n                if (srcKeywords.includes(srcItemLowerCase)) {\n                    const keywordConfig = srcKeywordsConfig.find(\n                        (config) => srcItemLowerCase === config.value.toLowerCase()\n                    );\n\n                    if (keywordConfig) {\n                        if (!keywordConfig.isAllowed) {\n                            console.warn(`${listName} ${srcItem} keyword is not allowed in srcKeywordsConfig policy. We likely should not be using this keyword for security reasons.`.trim());\n                            srcList[idx] = '';\n                        } else {\n                            srcList[idx] = srcKeywordEscape(srcItem);\n                        }\n                    }\n                }\n            }\n        });\n    }\n};\n\n/**\n * Helper to build a CSP src group list string from input params.\n * @param  {string}        name src name for the CSP group.\n * @param  {Array<string>} list The static src list for the CSP group.\n * @return {string}             The prepped src list string;\n */\nconst buildSrcString = (name = '', list = []) => {\n    let srcString = '';\n\n    if (Array.isArray(list)) {\n        srcKeywordsEscape(list, name);\n        srcString = `${name} ${list.join(' ')};`;\n    }\n\n    return srcString;\n};\n\n// ============================================================================\n//                               RESPONSE HEADERS                             =\n// ============================================================================\n/**\n * Set the CSP header on the response (by reference).\n * @param {object} [headers={}]  The event response headers (updated by reference).\n */\nconst setCspHeader = (headers = {}) => {\n    const domains = getEnvironmentUrls();\n    const cognitoIdpUrl = 'https://cognito-idp.us-east-1.amazonaws.com';\n\n    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy\n    headers['content-security-policy'] = [{\n        key: 'Content-Security-Policy',\n        value: `${[\n            `default-src 'none';`,\n            buildSrcString('manifest-src', [\n                'self',\n            ]),\n            buildSrcString('script-src', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://www.gstatic.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('script-src-elem', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://www.gstatic.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('script-src-attr', [\n                'self',\n            ]),\n            buildSrcString('worker-src', [\n                'self',\n            ]),\n            buildSrcString('style-src', [\n                'self',\n                'https://fonts.googleapis.com',\n                'https://www.gstatic.com/recaptcha/',\n            ]),\n            buildSrcString('style-src-elem', [\n                'self',\n                'https://fonts.googleapis.com',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n                `'sha256-YwWQHXh4Vw0oD2Oo8pV9huEF2sE9mD8i5nZUuHzEg9A='`, // <style> tag injected by authorize.net widget\n            ]),\n            buildSrcString('style-src-attr', [\n                'self',\n            ]),\n            buildSrcString('font-src', [\n                'self',\n                'https://fonts.gstatic.com',\n            ]),\n            buildSrcString('img-src', [\n                'self',\n                'data:',\n                domains.dataApi,\n                domains.dataApiCosmo,\n                'https://www.gstatic.com/recaptcha/',\n            ]),\n            buildSrcString('media-src', [\n                'self',\n                domains.dataApi,\n                domains.dataApiCosmo,\n            ]),\n            buildSrcString('frame-src', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://recaptcha.google.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('frame-ancestors', [\n                'none'\n            ]),\n            buildSrcString('object-src', [\n                'none',\n            ]),\n            buildSrcString('form-action', [\n                'none',\n            ]),\n            buildSrcString('connect-src', [\n                'self',\n                // JCC\n                domains.dataApi,\n                domains.searchApi,\n                domains.s3UploadUrlState,\n                domains.s3UploadUrlProvider,\n                domains.cognitoStaff,\n                domains.cognitoProvider,\n                // COSMETOLOGY\n                domains.dataApiCosmo,\n                domains.searchApiCosmo,\n                domains.s3UploadUrlStateCosmo,\n                domains.cognitoStaffCosmo,\n                cognitoIdpUrl,\n                'https://www.google.com/recaptcha/',\n                // Begin Statsig domains\n                'https://api.statsig.com/',\n                'https://featuregates.org/',\n                'https://statsigapi.net/',\n                'https://events.statsigapi.net/',\n                'https://api.statsigcdn.com/',\n                'https://featureassets.org/',\n                'https://assetsconfigcdn.org/',\n                'https://prodregistryv2.org/',\n                'https://cloudflare-dns.com/',\n                'https://beyondwickedmapping.org/',\n                // End Statsig domains\n            ]),\n        ].join(' ')}`,\n    }];\n};\n\n/**\n * Set security headers on the response (by reference).\n * @param {object} [headers={}]  The event response headers (updated by reference).\n */\nconst setSecurityHeaders = (headers = {}) => {\n    // Strict-Transport-Security\n    headers['strict-transport-security'] = [{\n        key: 'Strict-Transport-Security',\n        value: 'max-age=31536000; includeSubdomains; preload',\n    }];\n    // X-Content-Type-Options\n    headers['x-content-type-options'] = [{\n        key: 'X-Content-Type-Options',\n        value: 'nosniff',\n    }];\n    // X-Frame-Options\n    headers['x-frame-options'] = [{\n        key: 'X-Frame-Options',\n        value: 'DENY',\n    }];\n    // Referrer-Policy\n    headers['referrer-policy'] = [{\n        key: 'Referrer-Policy',\n        value: 'strict-origin-when-cross-origin',\n    }];\n    // Server\n    headers.server = [{\n        key: 'Server',\n        value: 'CompactConnect',\n    }];\n    // Content-Security-Policy\n    setCspHeader(headers);\n};\n\n// ============================================================================\n//                                 LAMBDA ENTRY                               =\n// ============================================================================\nexports.handler = async (event) => {\n    // https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-event-structure.html\n    const eventRecord = event?.Records[0]?.cf || {};\n    const response = eventRecord.response || {};\n    const responseHeaders = response.headers || {};\n\n    setSecurityHeaders(responseHeaders);\n\n    return response;\n};\n"
+      "ZipFile": "//\n//  index.js\n//  CompactConnect\n//\n//  Created by InspiringApps on 7/22/2024.\n//\n\n// ============================================================================\n//                               CONFIGURATION                                =\n// ============================================================================\n/**\n * Configuration of supported domains.\n *\n * These values are injected into the lambda function at build time. See the\n * `generate_csp_lambda_code` function in\n * backend/compact-connect-ui-app/stacks/frontend_deployment_stack/distribution.py\n * @type {object}\n */\nconst environmentValues = {\n    webFrontend: `test-ui.example.com`,\n    // JCC\n    dataApi: `test-api.example.com`,\n    searchApi: `test-search-api.example.com`,\n    s3UploadUrlState: `test-bulk-uploads-bucket-name.s3.amazonaws.com`,\n    s3UploadUrlProvider: `test-provider-users-bucket-name.s3.amazonaws.com`,\n    cognitoStaff: `test-staff-domain`,\n    cognitoProvider: `test-provider-domain`,\n    // COSMETOLOGY\n    dataApiCosmo: `test-api.example.com`,\n    searchApiCosmo: `test-search-api.example.com`,\n    s3UploadUrlStateCosmo: `test-bulk-uploads-bucket-name.s3.amazonaws.com`,\n    cognitoStaffCosmo: `test-staff-domain`,\n};\n\n// ============================================================================\n//                                   HELPERS                                  =\n// ============================================================================\n/**\n * Get the request domain from the lambda event record.\n * @param  {object} eventRecord The cloudfront record from the lambda event.\n * @return {string}             The bare domain of the request domain.\n */\n\n/**\n * Get a fully qualified domain URI with the protocol scheme.\n * @param  {string} domain The bare domain string.\n * @return {string}        The fully-qualified domain string.\n */\nconst getFullyQualified = (domain) => {\n    const protocol = 'https://';\n    let fullyQualified = '';\n\n    if (domain && typeof domain === 'string' && !domain.startsWith(protocol)) {\n        fullyQualified = `${protocol}${domain}`;\n    }\n\n    return fullyQualified;\n};\n\n/**\n * Helper to get the fully-qualified domains for connected services.\n * @return {object}               A map of fully-qualified domains for the environment.\n *   @return {string} dataApi       The data API fully-qualified domain.\n *   @return {string} s3UploadUrlState      The S3 fully-qualified domain for uploading state files.\n *   @return {string} s3UploadUrlProvider      The S3 fully-qualified domain for uploading provider files.\n *   @return {string} cognitoStaff  The Cognito fully-qualified domain for authenticating staff users.\n */\nconst getEnvironmentUrls = () => {\n    const environmentUrls = {};\n\n    // JCC\n    environmentUrls.dataApi = getFullyQualified(environmentValues.dataApi);\n    environmentUrls.searchApi = getFullyQualified(environmentValues.searchApi);\n    environmentUrls.s3UploadUrlState = getFullyQualified(environmentValues.s3UploadUrlState);\n    environmentUrls.s3UploadUrlProvider = getFullyQualified(environmentValues.s3UploadUrlProvider);\n    environmentUrls.cognitoStaff = getFullyQualified(environmentValues.cognitoStaff);\n    environmentUrls.cognitoProvider = getFullyQualified(environmentValues.cognitoProvider);\n    // COSMETOLOGY\n    environmentUrls.dataApiCosmo = getFullyQualified(environmentValues.dataApiCosmo);\n    environmentUrls.searchApiCosmo = getFullyQualified(environmentValues.searchApiCosmo);\n    environmentUrls.s3UploadUrlStateCosmo = getFullyQualified(environmentValues.s3UploadUrlStateCosmo);\n    environmentUrls.cognitoStaffCosmo = getFullyQualified(environmentValues.cognitoStaffCosmo);\n\n    return environmentUrls;\n};\n\n/**\n * Helper to escape CSP src keywords.\n * @param  {string} keyword The standard keyword value.\n * @return {string}         The escaped keyword value.\n */\nconst srcKeywordEscape = (keyword) => {\n    let escaped = '';\n\n    if (keyword && typeof keyword === 'string') {\n        escaped = `'${keyword}'`.toLowerCase();\n    }\n\n    return escaped;\n};\n\n/**\n * Helper to automatically escape and prep CSP src keyword values (by reference).\n * @param  {Array<string>} srcList       The CSP src list.\n * @param  {string}        [listName=''] Optional src list name for logging.\n */\nconst srcKeywordsEscape = (srcList, listName = '') => {\n    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#keyword_values\n    const srcKeywordsConfig = [\n        { value: 'self', isAllowed: true },\n        { value: 'none', isAllowed: true },\n        { value: 'strict-dynamic', isAllowed: true },\n        { value: 'report-sample', isAllowed: true },\n        { value: 'inline-speculation-rules', isAllowed: true },\n        { value: 'unsafe-inline', isAllowed: false },\n        { value: 'unsafe-eval', isAllowed: false },\n        { value: 'unsafe-hashes', isAllowed: false },\n        { value: 'wasm-unsafe-eval', isAllowed: false },\n    ];\n    const srcKeywords = srcKeywordsConfig.map((config) => config.value.toLowerCase());\n\n    if (Array.isArray(srcList)) {\n        srcList.forEach((srcItem, idx) => {\n            const isString = typeof srcItem === 'string';\n\n            if (!isString) {\n                srcList[idx] = '';\n            } else {\n                const srcItemLowerCase = srcItem.toLowerCase();\n\n                if (srcKeywords.includes(srcItemLowerCase)) {\n                    const keywordConfig = srcKeywordsConfig.find(\n                        (config) => srcItemLowerCase === config.value.toLowerCase()\n                    );\n\n                    if (keywordConfig) {\n                        if (!keywordConfig.isAllowed) {\n                            console.warn(`${listName} ${srcItem} keyword is not allowed in srcKeywordsConfig policy. We likely should not be using this keyword for security reasons.`.trim());\n                            srcList[idx] = '';\n                        } else {\n                            srcList[idx] = srcKeywordEscape(srcItem);\n                        }\n                    }\n                }\n            }\n        });\n    }\n};\n\n/**\n * Helper to build a CSP src group list string from input params.\n * @param  {string}        name src name for the CSP group.\n * @param  {Array<string>} list The static src list for the CSP group.\n * @return {string}             The prepped src list string;\n */\nconst buildSrcString = (name = '', list = []) => {\n    let srcString = '';\n\n    if (Array.isArray(list)) {\n        srcKeywordsEscape(list, name);\n        srcString = `${name} ${list.join(' ')};`;\n    }\n\n    return srcString;\n};\n\n// ============================================================================\n//                               RESPONSE HEADERS                             =\n// ============================================================================\n/**\n * Set the CSP header on the response (by reference).\n * @param {object} [headers={}]  The event response headers (updated by reference).\n */\nconst setCspHeader = (headers = {}) => {\n    const domains = getEnvironmentUrls();\n    const cognitoIdpUrl = 'https://cognito-idp.us-east-1.amazonaws.com';\n\n    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy\n    headers['content-security-policy'] = [{\n        key: 'Content-Security-Policy',\n        value: `${[\n            `default-src 'none';`,\n            buildSrcString('manifest-src', [\n                'self',\n            ]),\n            buildSrcString('script-src', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://www.gstatic.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('script-src-elem', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://www.gstatic.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('script-src-attr', [\n                'self',\n            ]),\n            buildSrcString('worker-src', [\n                'self',\n            ]),\n            buildSrcString('style-src', [\n                'self',\n                'https://fonts.googleapis.com',\n                'https://www.gstatic.com/recaptcha/',\n            ]),\n            buildSrcString('style-src-elem', [\n                'self',\n                'https://fonts.googleapis.com',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n                `'sha256-YwWQHXh4Vw0oD2Oo8pV9huEF2sE9mD8i5nZUuHzEg9A='`, // <style> tag injected by authorize.net widget\n            ]),\n            buildSrcString('style-src-attr', [\n                'self',\n            ]),\n            buildSrcString('font-src', [\n                'self',\n                'https://fonts.gstatic.com',\n            ]),\n            buildSrcString('img-src', [\n                'self',\n                'data:',\n                domains.dataApi,\n                domains.dataApiCosmo,\n                'https://www.gstatic.com/recaptcha/',\n            ]),\n            buildSrcString('media-src', [\n                'self',\n                domains.dataApi,\n                domains.dataApiCosmo,\n            ]),\n            buildSrcString('frame-src', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://recaptcha.google.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('frame-ancestors', [\n                'none'\n            ]),\n            buildSrcString('object-src', [\n                'none',\n            ]),\n            buildSrcString('form-action', [\n                'none',\n            ]),\n            buildSrcString('connect-src', [\n                'self',\n                // JCC\n                domains.dataApi,\n                domains.searchApi,\n                domains.s3UploadUrlState,\n                domains.s3UploadUrlProvider,\n                domains.cognitoStaff,\n                domains.cognitoProvider,\n                // COSMETOLOGY\n                domains.dataApiCosmo,\n                domains.searchApiCosmo,\n                domains.s3UploadUrlStateCosmo,\n                domains.cognitoStaffCosmo,\n                cognitoIdpUrl,\n                'https://www.google.com/recaptcha/',\n                // Begin Statsig domains\n                'https://api.statsig.com/',\n                'https://featuregates.org/',\n                'https://statsigapi.net/',\n                'https://events.statsigapi.net/',\n                'https://api.statsigcdn.com/',\n                'https://featureassets.org/',\n                'https://assetsconfigcdn.org/',\n                'https://prodregistryv2.org/',\n                'https://cloudflare-dns.com/',\n                'https://beyondwickedmapping.org/',\n                // End Statsig domains\n            ]),\n        ].join(' ')}`,\n    }];\n};\n\n/**\n * Set security headers on the response (by reference).\n * @param {object} [headers={}]  The event response headers (updated by reference).\n */\nconst setSecurityHeaders = (headers = {}) => {\n    // Strict-Transport-Security\n    headers['strict-transport-security'] = [{\n        key: 'Strict-Transport-Security',\n        value: 'max-age=31536000; includeSubdomains; preload',\n    }];\n    // X-Content-Type-Options\n    headers['x-content-type-options'] = [{\n        key: 'X-Content-Type-Options',\n        value: 'nosniff',\n    }];\n    // X-Frame-Options\n    headers['x-frame-options'] = [{\n        key: 'X-Frame-Options',\n        value: 'DENY',\n    }];\n    // Referrer-Policy\n    headers['referrer-policy'] = [{\n        key: 'Referrer-Policy',\n        value: 'strict-origin-when-cross-origin',\n    }];\n    // Server\n    headers.server = [{\n        key: 'Server',\n        value: 'CompactConnect',\n    }];\n    // Content-Security-Policy\n    setCspHeader(headers);\n};\n\n// ============================================================================\n//                                 LAMBDA ENTRY                               =\n// ============================================================================\nexports.handler = async (event) => {\n    // https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-event-structure.html\n    const eventRecord = event?.Records[0]?.cf || {};\n    const response = eventRecord.response || {};\n    const responseHeaders = response.headers || {};\n\n    setSecurityHeaders(responseHeaders);\n\n    return response;\n};\n"
     },
     "Handler": "index.handler",
     "Role": {
diff --git a/backend/compact-connect-ui-app/tests/resources/snapshots/ProdFrontend-FrontendDeploymentStack-UI_DISTRIBUTION.json b/backend/compact-connect-ui-app/tests/resources/snapshots/ProdFrontend-FrontendDeploymentStack-UI_DISTRIBUTION.json
index 840db48dc..7c6497986 100644
--- a/backend/compact-connect-ui-app/tests/resources/snapshots/ProdFrontend-FrontendDeploymentStack-UI_DISTRIBUTION.json
+++ b/backend/compact-connect-ui-app/tests/resources/snapshots/ProdFrontend-FrontendDeploymentStack-UI_DISTRIBUTION.json
@@ -39,7 +39,7 @@
             {
               "EventType": "viewer-response",
               "LambdaFunctionARN": {
-                "Ref": "CSPFunctionCurrentVersionB61A66119d41b9d535c1a9a1d97ce915b0b0b079"
+                "Ref": "CSPFunctionCurrentVersionB61A6611ae71df5f4a2e71905706631237e7d8d0"
               }
             }
           ],
diff --git a/backend/compact-connect-ui-app/tests/resources/snapshots/ProdFrontend-FrontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json b/backend/compact-connect-ui-app/tests/resources/snapshots/ProdFrontend-FrontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json
index a7a6dbbfb..7e31da685 100644
--- a/backend/compact-connect-ui-app/tests/resources/snapshots/ProdFrontend-FrontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json
+++ b/backend/compact-connect-ui-app/tests/resources/snapshots/ProdFrontend-FrontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json
@@ -2,7 +2,7 @@
   "Type": "AWS::Lambda::Function",
   "Properties": {
     "Code": {
-      "ZipFile": "//\n//  index.js\n//  CompactConnect\n//\n//  Created by InspiringApps on 7/22/2024.\n//\n\n// ============================================================================\n//                               CONFIGURATION                                =\n// ============================================================================\n/**\n * Configuration of supported domains.\n *\n * These values are injected into the lambda function at build time. See the\n * `generate_csp_lambda_code` function in\n * backend/compact-connect-ui-app/stacks/frontend_deployment_stack/distribution.py\n * @type {object}\n */\nconst environmentValues = {\n    webFrontend: `test-ui.example.com`,\n    // JCC\n    dataApi: `test-api.example.com`,\n    searchApi: `test-search-api.example.com`,\n    s3UploadUrlState: `test-bulk-uploads-bucket-name.s3.amazonaws.com`,\n    s3UploadUrlProvider: `test-provider-users-bucket-name.s3.amazonaws.com`,\n    cognitoStaff: `test-staff-domain`,\n    cognitoProvider: `test-provider-domain`,\n    // COSMETOLOGY\n    dataApiCosmo: `##DATA_API_COSMO##`,\n    searchApiCosmo: `##SEARCH_API_COSMO##`,\n    s3UploadUrlStateCosmo: `##S3_UPLOAD_URL_STATE_COSMO##`,\n    cognitoStaffCosmo: `##COGNITO_STAFF_COSMO##`,\n};\n\n// ============================================================================\n//                                   HELPERS                                  =\n// ============================================================================\n/**\n * Get the request domain from the lambda event record.\n * @param  {object} eventRecord The cloudfront record from the lambda event.\n * @return {string}             The bare domain of the request domain.\n */\n\n/**\n * Get a fully qualified domain URI with the protocol scheme.\n * @param  {string} domain The bare domain string.\n * @return {string}        The fully-qualified domain string.\n */\nconst getFullyQualified = (domain) => {\n    const protocol = 'https://';\n    let fullyQualified = '';\n\n    if (domain && typeof domain === 'string' && !domain.startsWith(protocol)) {\n        fullyQualified = `${protocol}${domain}`;\n    }\n\n    return fullyQualified;\n};\n\n/**\n * Helper to get the fully-qualified domains for connected services.\n * @return {object}               A map of fully-qualified domains for the environment.\n *   @return {string} dataApi       The data API fully-qualified domain.\n *   @return {string} s3UploadUrlState      The S3 fully-qualified domain for uploading state files.\n *   @return {string} s3UploadUrlProvider      The S3 fully-qualified domain for uploading provider files.\n *   @return {string} cognitoStaff  The Cognito fully-qualified domain for authenticating staff users.\n */\nconst getEnvironmentUrls = () => {\n    const environmentUrls = {};\n\n    // JCC\n    environmentUrls.dataApi = getFullyQualified(environmentValues.dataApi);\n    environmentUrls.searchApi = getFullyQualified(environmentValues.searchApi);\n    environmentUrls.s3UploadUrlState = getFullyQualified(environmentValues.s3UploadUrlState);\n    environmentUrls.s3UploadUrlProvider = getFullyQualified(environmentValues.s3UploadUrlProvider);\n    environmentUrls.cognitoStaff = getFullyQualified(environmentValues.cognitoStaff);\n    environmentUrls.cognitoProvider = getFullyQualified(environmentValues.cognitoProvider);\n    // COSMETOLOGY\n    environmentUrls.dataApiCosmo = getFullyQualified(environmentValues.dataApiCosmo);\n    environmentUrls.searchApiCosmo = getFullyQualified(environmentValues.searchApiCosmo);\n    environmentUrls.s3UploadUrlStateCosmo = getFullyQualified(environmentValues.s3UploadUrlStateCosmo);\n    environmentUrls.cognitoStaffCosmo = getFullyQualified(environmentValues.cognitoStaffCosmo);\n\n    return environmentUrls;\n};\n\n/**\n * Helper to escape CSP src keywords.\n * @param  {string} keyword The standard keyword value.\n * @return {string}         The escaped keyword value.\n */\nconst srcKeywordEscape = (keyword) => {\n    let escaped = '';\n\n    if (keyword && typeof keyword === 'string') {\n        escaped = `'${keyword}'`.toLowerCase();\n    }\n\n    return escaped;\n};\n\n/**\n * Helper to automatically escape and prep CSP src keyword values (by reference).\n * @param  {Array<string>} srcList       The CSP src list.\n * @param  {string}        [listName=''] Optional src list name for logging.\n */\nconst srcKeywordsEscape = (srcList, listName = '') => {\n    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#keyword_values\n    const srcKeywordsConfig = [\n        { value: 'self', isAllowed: true },\n        { value: 'none', isAllowed: true },\n        { value: 'strict-dynamic', isAllowed: true },\n        { value: 'report-sample', isAllowed: true },\n        { value: 'inline-speculation-rules', isAllowed: true },\n        { value: 'unsafe-inline', isAllowed: false },\n        { value: 'unsafe-eval', isAllowed: false },\n        { value: 'unsafe-hashes', isAllowed: false },\n        { value: 'wasm-unsafe-eval', isAllowed: false },\n    ];\n    const srcKeywords = srcKeywordsConfig.map((config) => config.value.toLowerCase());\n\n    if (Array.isArray(srcList)) {\n        srcList.forEach((srcItem, idx) => {\n            const isString = typeof srcItem === 'string';\n\n            if (!isString) {\n                srcList[idx] = '';\n            } else {\n                const srcItemLowerCase = srcItem.toLowerCase();\n\n                if (srcKeywords.includes(srcItemLowerCase)) {\n                    const keywordConfig = srcKeywordsConfig.find(\n                        (config) => srcItemLowerCase === config.value.toLowerCase()\n                    );\n\n                    if (keywordConfig) {\n                        if (!keywordConfig.isAllowed) {\n                            console.warn(`${listName} ${srcItem} keyword is not allowed in srcKeywordsConfig policy. We likely should not be using this keyword for security reasons.`.trim());\n                            srcList[idx] = '';\n                        } else {\n                            srcList[idx] = srcKeywordEscape(srcItem);\n                        }\n                    }\n                }\n            }\n        });\n    }\n};\n\n/**\n * Helper to build a CSP src group list string from input params.\n * @param  {string}        name src name for the CSP group.\n * @param  {Array<string>} list The static src list for the CSP group.\n * @return {string}             The prepped src list string;\n */\nconst buildSrcString = (name = '', list = []) => {\n    let srcString = '';\n\n    if (Array.isArray(list)) {\n        srcKeywordsEscape(list, name);\n        srcString = `${name} ${list.join(' ')};`;\n    }\n\n    return srcString;\n};\n\n// ============================================================================\n//                               RESPONSE HEADERS                             =\n// ============================================================================\n/**\n * Set the CSP header on the response (by reference).\n * @param {object} [headers={}]  The event response headers (updated by reference).\n */\nconst setCspHeader = (headers = {}) => {\n    const domains = getEnvironmentUrls();\n    const cognitoIdpUrl = 'https://cognito-idp.us-east-1.amazonaws.com';\n\n    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy\n    headers['content-security-policy'] = [{\n        key: 'Content-Security-Policy',\n        value: `${[\n            `default-src 'none';`,\n            buildSrcString('manifest-src', [\n                'self',\n            ]),\n            buildSrcString('script-src', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://www.gstatic.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('script-src-elem', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://www.gstatic.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('script-src-attr', [\n                'self',\n            ]),\n            buildSrcString('worker-src', [\n                'self',\n            ]),\n            buildSrcString('style-src', [\n                'self',\n                'https://fonts.googleapis.com',\n                'https://www.gstatic.com/recaptcha/',\n            ]),\n            buildSrcString('style-src-elem', [\n                'self',\n                'https://fonts.googleapis.com',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n                `'sha256-YwWQHXh4Vw0oD2Oo8pV9huEF2sE9mD8i5nZUuHzEg9A='`, // <style> tag injected by authorize.net widget\n            ]),\n            buildSrcString('style-src-attr', [\n                'self',\n            ]),\n            buildSrcString('font-src', [\n                'self',\n                'https://fonts.gstatic.com',\n            ]),\n            buildSrcString('img-src', [\n                'self',\n                'data:',\n                domains.dataApi,\n                domains.dataApiCosmo,\n                'https://www.gstatic.com/recaptcha/',\n            ]),\n            buildSrcString('media-src', [\n                'self',\n                domains.dataApi,\n                domains.dataApiCosmo,\n            ]),\n            buildSrcString('frame-src', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://recaptcha.google.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('frame-ancestors', [\n                'none'\n            ]),\n            buildSrcString('object-src', [\n                'none',\n            ]),\n            buildSrcString('form-action', [\n                'none',\n            ]),\n            buildSrcString('connect-src', [\n                'self',\n                // JCC\n                domains.dataApi,\n                domains.searchApi,\n                domains.s3UploadUrlState,\n                domains.s3UploadUrlProvider,\n                domains.cognitoStaff,\n                domains.cognitoProvider,\n                // COSMETOLOGY\n                domains.dataApiCosmo,\n                domains.searchApiCosmo,\n                domains.s3UploadUrlStateCosmo,\n                domains.cognitoStaffCosmo,\n                cognitoIdpUrl,\n                'https://www.google.com/recaptcha/',\n                // Begin Statsig domains\n                'https://api.statsig.com/',\n                'https://featuregates.org/',\n                'https://statsigapi.net/',\n                'https://events.statsigapi.net/',\n                'https://api.statsigcdn.com/',\n                'https://featureassets.org/',\n                'https://assetsconfigcdn.org/',\n                'https://prodregistryv2.org/',\n                'https://cloudflare-dns.com/',\n                'https://beyondwickedmapping.org/',\n                // End Statsig domains\n            ]),\n        ].join(' ')}`,\n    }];\n};\n\n/**\n * Set security headers on the response (by reference).\n * @param {object} [headers={}]  The event response headers (updated by reference).\n */\nconst setSecurityHeaders = (headers = {}) => {\n    // Strict-Transport-Security\n    headers['strict-transport-security'] = [{\n        key: 'Strict-Transport-Security',\n        value: 'max-age=31536000; includeSubdomains; preload',\n    }];\n    // X-Content-Type-Options\n    headers['x-content-type-options'] = [{\n        key: 'X-Content-Type-Options',\n        value: 'nosniff',\n    }];\n    // X-Frame-Options\n    headers['x-frame-options'] = [{\n        key: 'X-Frame-Options',\n        value: 'DENY',\n    }];\n    // Referrer-Policy\n    headers['referrer-policy'] = [{\n        key: 'Referrer-Policy',\n        value: 'strict-origin-when-cross-origin',\n    }];\n    // Server\n    headers.server = [{\n        key: 'Server',\n        value: 'CompactConnect',\n    }];\n    // Content-Security-Policy\n    setCspHeader(headers);\n};\n\n// ============================================================================\n//                                 LAMBDA ENTRY                               =\n// ============================================================================\nexports.handler = async (event) => {\n    // https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-event-structure.html\n    const eventRecord = event?.Records[0]?.cf || {};\n    const response = eventRecord.response || {};\n    const responseHeaders = response.headers || {};\n\n    setSecurityHeaders(responseHeaders);\n\n    return response;\n};\n"
+      "ZipFile": "//\n//  index.js\n//  CompactConnect\n//\n//  Created by InspiringApps on 7/22/2024.\n//\n\n// ============================================================================\n//                               CONFIGURATION                                =\n// ============================================================================\n/**\n * Configuration of supported domains.\n *\n * These values are injected into the lambda function at build time. See the\n * `generate_csp_lambda_code` function in\n * backend/compact-connect-ui-app/stacks/frontend_deployment_stack/distribution.py\n * @type {object}\n */\nconst environmentValues = {\n    webFrontend: `test-ui.example.com`,\n    // JCC\n    dataApi: `test-api.example.com`,\n    searchApi: `test-search-api.example.com`,\n    s3UploadUrlState: `test-bulk-uploads-bucket-name.s3.amazonaws.com`,\n    s3UploadUrlProvider: `test-provider-users-bucket-name.s3.amazonaws.com`,\n    cognitoStaff: `test-staff-domain`,\n    cognitoProvider: `test-provider-domain`,\n    // COSMETOLOGY\n    dataApiCosmo: `test-api.example.com`,\n    searchApiCosmo: `test-search-api.example.com`,\n    s3UploadUrlStateCosmo: `test-bulk-uploads-bucket-name.s3.amazonaws.com`,\n    cognitoStaffCosmo: `test-staff-domain`,\n};\n\n// ============================================================================\n//                                   HELPERS                                  =\n// ============================================================================\n/**\n * Get the request domain from the lambda event record.\n * @param  {object} eventRecord The cloudfront record from the lambda event.\n * @return {string}             The bare domain of the request domain.\n */\n\n/**\n * Get a fully qualified domain URI with the protocol scheme.\n * @param  {string} domain The bare domain string.\n * @return {string}        The fully-qualified domain string.\n */\nconst getFullyQualified = (domain) => {\n    const protocol = 'https://';\n    let fullyQualified = '';\n\n    if (domain && typeof domain === 'string' && !domain.startsWith(protocol)) {\n        fullyQualified = `${protocol}${domain}`;\n    }\n\n    return fullyQualified;\n};\n\n/**\n * Helper to get the fully-qualified domains for connected services.\n * @return {object}               A map of fully-qualified domains for the environment.\n *   @return {string} dataApi       The data API fully-qualified domain.\n *   @return {string} s3UploadUrlState      The S3 fully-qualified domain for uploading state files.\n *   @return {string} s3UploadUrlProvider      The S3 fully-qualified domain for uploading provider files.\n *   @return {string} cognitoStaff  The Cognito fully-qualified domain for authenticating staff users.\n */\nconst getEnvironmentUrls = () => {\n    const environmentUrls = {};\n\n    // JCC\n    environmentUrls.dataApi = getFullyQualified(environmentValues.dataApi);\n    environmentUrls.searchApi = getFullyQualified(environmentValues.searchApi);\n    environmentUrls.s3UploadUrlState = getFullyQualified(environmentValues.s3UploadUrlState);\n    environmentUrls.s3UploadUrlProvider = getFullyQualified(environmentValues.s3UploadUrlProvider);\n    environmentUrls.cognitoStaff = getFullyQualified(environmentValues.cognitoStaff);\n    environmentUrls.cognitoProvider = getFullyQualified(environmentValues.cognitoProvider);\n    // COSMETOLOGY\n    environmentUrls.dataApiCosmo = getFullyQualified(environmentValues.dataApiCosmo);\n    environmentUrls.searchApiCosmo = getFullyQualified(environmentValues.searchApiCosmo);\n    environmentUrls.s3UploadUrlStateCosmo = getFullyQualified(environmentValues.s3UploadUrlStateCosmo);\n    environmentUrls.cognitoStaffCosmo = getFullyQualified(environmentValues.cognitoStaffCosmo);\n\n    return environmentUrls;\n};\n\n/**\n * Helper to escape CSP src keywords.\n * @param  {string} keyword The standard keyword value.\n * @return {string}         The escaped keyword value.\n */\nconst srcKeywordEscape = (keyword) => {\n    let escaped = '';\n\n    if (keyword && typeof keyword === 'string') {\n        escaped = `'${keyword}'`.toLowerCase();\n    }\n\n    return escaped;\n};\n\n/**\n * Helper to automatically escape and prep CSP src keyword values (by reference).\n * @param  {Array<string>} srcList       The CSP src list.\n * @param  {string}        [listName=''] Optional src list name for logging.\n */\nconst srcKeywordsEscape = (srcList, listName = '') => {\n    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#keyword_values\n    const srcKeywordsConfig = [\n        { value: 'self', isAllowed: true },\n        { value: 'none', isAllowed: true },\n        { value: 'strict-dynamic', isAllowed: true },\n        { value: 'report-sample', isAllowed: true },\n        { value: 'inline-speculation-rules', isAllowed: true },\n        { value: 'unsafe-inline', isAllowed: false },\n        { value: 'unsafe-eval', isAllowed: false },\n        { value: 'unsafe-hashes', isAllowed: false },\n        { value: 'wasm-unsafe-eval', isAllowed: false },\n    ];\n    const srcKeywords = srcKeywordsConfig.map((config) => config.value.toLowerCase());\n\n    if (Array.isArray(srcList)) {\n        srcList.forEach((srcItem, idx) => {\n            const isString = typeof srcItem === 'string';\n\n            if (!isString) {\n                srcList[idx] = '';\n            } else {\n                const srcItemLowerCase = srcItem.toLowerCase();\n\n                if (srcKeywords.includes(srcItemLowerCase)) {\n                    const keywordConfig = srcKeywordsConfig.find(\n                        (config) => srcItemLowerCase === config.value.toLowerCase()\n                    );\n\n                    if (keywordConfig) {\n                        if (!keywordConfig.isAllowed) {\n                            console.warn(`${listName} ${srcItem} keyword is not allowed in srcKeywordsConfig policy. We likely should not be using this keyword for security reasons.`.trim());\n                            srcList[idx] = '';\n                        } else {\n                            srcList[idx] = srcKeywordEscape(srcItem);\n                        }\n                    }\n                }\n            }\n        });\n    }\n};\n\n/**\n * Helper to build a CSP src group list string from input params.\n * @param  {string}        name src name for the CSP group.\n * @param  {Array<string>} list The static src list for the CSP group.\n * @return {string}             The prepped src list string;\n */\nconst buildSrcString = (name = '', list = []) => {\n    let srcString = '';\n\n    if (Array.isArray(list)) {\n        srcKeywordsEscape(list, name);\n        srcString = `${name} ${list.join(' ')};`;\n    }\n\n    return srcString;\n};\n\n// ============================================================================\n//                               RESPONSE HEADERS                             =\n// ============================================================================\n/**\n * Set the CSP header on the response (by reference).\n * @param {object} [headers={}]  The event response headers (updated by reference).\n */\nconst setCspHeader = (headers = {}) => {\n    const domains = getEnvironmentUrls();\n    const cognitoIdpUrl = 'https://cognito-idp.us-east-1.amazonaws.com';\n\n    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy\n    headers['content-security-policy'] = [{\n        key: 'Content-Security-Policy',\n        value: `${[\n            `default-src 'none';`,\n            buildSrcString('manifest-src', [\n                'self',\n            ]),\n            buildSrcString('script-src', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://www.gstatic.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('script-src-elem', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://www.gstatic.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('script-src-attr', [\n                'self',\n            ]),\n            buildSrcString('worker-src', [\n                'self',\n            ]),\n            buildSrcString('style-src', [\n                'self',\n                'https://fonts.googleapis.com',\n                'https://www.gstatic.com/recaptcha/',\n            ]),\n            buildSrcString('style-src-elem', [\n                'self',\n                'https://fonts.googleapis.com',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n                `'sha256-YwWQHXh4Vw0oD2Oo8pV9huEF2sE9mD8i5nZUuHzEg9A='`, // <style> tag injected by authorize.net widget\n            ]),\n            buildSrcString('style-src-attr', [\n                'self',\n            ]),\n            buildSrcString('font-src', [\n                'self',\n                'https://fonts.gstatic.com',\n            ]),\n            buildSrcString('img-src', [\n                'self',\n                'data:',\n                domains.dataApi,\n                domains.dataApiCosmo,\n                'https://www.gstatic.com/recaptcha/',\n            ]),\n            buildSrcString('media-src', [\n                'self',\n                domains.dataApi,\n                domains.dataApiCosmo,\n            ]),\n            buildSrcString('frame-src', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://recaptcha.google.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('frame-ancestors', [\n                'none'\n            ]),\n            buildSrcString('object-src', [\n                'none',\n            ]),\n            buildSrcString('form-action', [\n                'none',\n            ]),\n            buildSrcString('connect-src', [\n                'self',\n                // JCC\n                domains.dataApi,\n                domains.searchApi,\n                domains.s3UploadUrlState,\n                domains.s3UploadUrlProvider,\n                domains.cognitoStaff,\n                domains.cognitoProvider,\n                // COSMETOLOGY\n                domains.dataApiCosmo,\n                domains.searchApiCosmo,\n                domains.s3UploadUrlStateCosmo,\n                domains.cognitoStaffCosmo,\n                cognitoIdpUrl,\n                'https://www.google.com/recaptcha/',\n                // Begin Statsig domains\n                'https://api.statsig.com/',\n                'https://featuregates.org/',\n                'https://statsigapi.net/',\n                'https://events.statsigapi.net/',\n                'https://api.statsigcdn.com/',\n                'https://featureassets.org/',\n                'https://assetsconfigcdn.org/',\n                'https://prodregistryv2.org/',\n                'https://cloudflare-dns.com/',\n                'https://beyondwickedmapping.org/',\n                // End Statsig domains\n            ]),\n        ].join(' ')}`,\n    }];\n};\n\n/**\n * Set security headers on the response (by reference).\n * @param {object} [headers={}]  The event response headers (updated by reference).\n */\nconst setSecurityHeaders = (headers = {}) => {\n    // Strict-Transport-Security\n    headers['strict-transport-security'] = [{\n        key: 'Strict-Transport-Security',\n        value: 'max-age=31536000; includeSubdomains; preload',\n    }];\n    // X-Content-Type-Options\n    headers['x-content-type-options'] = [{\n        key: 'X-Content-Type-Options',\n        value: 'nosniff',\n    }];\n    // X-Frame-Options\n    headers['x-frame-options'] = [{\n        key: 'X-Frame-Options',\n        value: 'DENY',\n    }];\n    // Referrer-Policy\n    headers['referrer-policy'] = [{\n        key: 'Referrer-Policy',\n        value: 'strict-origin-when-cross-origin',\n    }];\n    // Server\n    headers.server = [{\n        key: 'Server',\n        value: 'CompactConnect',\n    }];\n    // Content-Security-Policy\n    setCspHeader(headers);\n};\n\n// ============================================================================\n//                                 LAMBDA ENTRY                               =\n// ============================================================================\nexports.handler = async (event) => {\n    // https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-event-structure.html\n    const eventRecord = event?.Records[0]?.cf || {};\n    const response = eventRecord.response || {};\n    const responseHeaders = response.headers || {};\n\n    setSecurityHeaders(responseHeaders);\n\n    return response;\n};\n"
     },
     "Handler": "index.handler",
     "Role": {
diff --git a/backend/compact-connect-ui-app/tests/resources/snapshots/SandboxUI-FrontendDeploymentStack-UI_DISTRIBUTION.json b/backend/compact-connect-ui-app/tests/resources/snapshots/SandboxUI-FrontendDeploymentStack-UI_DISTRIBUTION.json
index cba853c5a..aaba47e6c 100644
--- a/backend/compact-connect-ui-app/tests/resources/snapshots/SandboxUI-FrontendDeploymentStack-UI_DISTRIBUTION.json
+++ b/backend/compact-connect-ui-app/tests/resources/snapshots/SandboxUI-FrontendDeploymentStack-UI_DISTRIBUTION.json
@@ -39,7 +39,7 @@
             {
               "EventType": "viewer-response",
               "LambdaFunctionARN": {
-                "Ref": "CSPFunctionCurrentVersionB61A66119d41b9d535c1a9a1d97ce915b0b0b079"
+                "Ref": "CSPFunctionCurrentVersionB61A6611ae71df5f4a2e71905706631237e7d8d0"
               }
             }
           ],
diff --git a/backend/compact-connect-ui-app/tests/resources/snapshots/SandboxUI-FrontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json b/backend/compact-connect-ui-app/tests/resources/snapshots/SandboxUI-FrontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json
index a7a6dbbfb..7e31da685 100644
--- a/backend/compact-connect-ui-app/tests/resources/snapshots/SandboxUI-FrontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json
+++ b/backend/compact-connect-ui-app/tests/resources/snapshots/SandboxUI-FrontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json
@@ -2,7 +2,7 @@
   "Type": "AWS::Lambda::Function",
   "Properties": {
     "Code": {
-      "ZipFile": "//\n//  index.js\n//  CompactConnect\n//\n//  Created by InspiringApps on 7/22/2024.\n//\n\n// ============================================================================\n//                               CONFIGURATION                                =\n// ============================================================================\n/**\n * Configuration of supported domains.\n *\n * These values are injected into the lambda function at build time. See the\n * `generate_csp_lambda_code` function in\n * backend/compact-connect-ui-app/stacks/frontend_deployment_stack/distribution.py\n * @type {object}\n */\nconst environmentValues = {\n    webFrontend: `test-ui.example.com`,\n    // JCC\n    dataApi: `test-api.example.com`,\n    searchApi: `test-search-api.example.com`,\n    s3UploadUrlState: `test-bulk-uploads-bucket-name.s3.amazonaws.com`,\n    s3UploadUrlProvider: `test-provider-users-bucket-name.s3.amazonaws.com`,\n    cognitoStaff: `test-staff-domain`,\n    cognitoProvider: `test-provider-domain`,\n    // COSMETOLOGY\n    dataApiCosmo: `##DATA_API_COSMO##`,\n    searchApiCosmo: `##SEARCH_API_COSMO##`,\n    s3UploadUrlStateCosmo: `##S3_UPLOAD_URL_STATE_COSMO##`,\n    cognitoStaffCosmo: `##COGNITO_STAFF_COSMO##`,\n};\n\n// ============================================================================\n//                                   HELPERS                                  =\n// ============================================================================\n/**\n * Get the request domain from the lambda event record.\n * @param  {object} eventRecord The cloudfront record from the lambda event.\n * @return {string}             The bare domain of the request domain.\n */\n\n/**\n * Get a fully qualified domain URI with the protocol scheme.\n * @param  {string} domain The bare domain string.\n * @return {string}        The fully-qualified domain string.\n */\nconst getFullyQualified = (domain) => {\n    const protocol = 'https://';\n    let fullyQualified = '';\n\n    if (domain && typeof domain === 'string' && !domain.startsWith(protocol)) {\n        fullyQualified = `${protocol}${domain}`;\n    }\n\n    return fullyQualified;\n};\n\n/**\n * Helper to get the fully-qualified domains for connected services.\n * @return {object}               A map of fully-qualified domains for the environment.\n *   @return {string} dataApi       The data API fully-qualified domain.\n *   @return {string} s3UploadUrlState      The S3 fully-qualified domain for uploading state files.\n *   @return {string} s3UploadUrlProvider      The S3 fully-qualified domain for uploading provider files.\n *   @return {string} cognitoStaff  The Cognito fully-qualified domain for authenticating staff users.\n */\nconst getEnvironmentUrls = () => {\n    const environmentUrls = {};\n\n    // JCC\n    environmentUrls.dataApi = getFullyQualified(environmentValues.dataApi);\n    environmentUrls.searchApi = getFullyQualified(environmentValues.searchApi);\n    environmentUrls.s3UploadUrlState = getFullyQualified(environmentValues.s3UploadUrlState);\n    environmentUrls.s3UploadUrlProvider = getFullyQualified(environmentValues.s3UploadUrlProvider);\n    environmentUrls.cognitoStaff = getFullyQualified(environmentValues.cognitoStaff);\n    environmentUrls.cognitoProvider = getFullyQualified(environmentValues.cognitoProvider);\n    // COSMETOLOGY\n    environmentUrls.dataApiCosmo = getFullyQualified(environmentValues.dataApiCosmo);\n    environmentUrls.searchApiCosmo = getFullyQualified(environmentValues.searchApiCosmo);\n    environmentUrls.s3UploadUrlStateCosmo = getFullyQualified(environmentValues.s3UploadUrlStateCosmo);\n    environmentUrls.cognitoStaffCosmo = getFullyQualified(environmentValues.cognitoStaffCosmo);\n\n    return environmentUrls;\n};\n\n/**\n * Helper to escape CSP src keywords.\n * @param  {string} keyword The standard keyword value.\n * @return {string}         The escaped keyword value.\n */\nconst srcKeywordEscape = (keyword) => {\n    let escaped = '';\n\n    if (keyword && typeof keyword === 'string') {\n        escaped = `'${keyword}'`.toLowerCase();\n    }\n\n    return escaped;\n};\n\n/**\n * Helper to automatically escape and prep CSP src keyword values (by reference).\n * @param  {Array<string>} srcList       The CSP src list.\n * @param  {string}        [listName=''] Optional src list name for logging.\n */\nconst srcKeywordsEscape = (srcList, listName = '') => {\n    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#keyword_values\n    const srcKeywordsConfig = [\n        { value: 'self', isAllowed: true },\n        { value: 'none', isAllowed: true },\n        { value: 'strict-dynamic', isAllowed: true },\n        { value: 'report-sample', isAllowed: true },\n        { value: 'inline-speculation-rules', isAllowed: true },\n        { value: 'unsafe-inline', isAllowed: false },\n        { value: 'unsafe-eval', isAllowed: false },\n        { value: 'unsafe-hashes', isAllowed: false },\n        { value: 'wasm-unsafe-eval', isAllowed: false },\n    ];\n    const srcKeywords = srcKeywordsConfig.map((config) => config.value.toLowerCase());\n\n    if (Array.isArray(srcList)) {\n        srcList.forEach((srcItem, idx) => {\n            const isString = typeof srcItem === 'string';\n\n            if (!isString) {\n                srcList[idx] = '';\n            } else {\n                const srcItemLowerCase = srcItem.toLowerCase();\n\n                if (srcKeywords.includes(srcItemLowerCase)) {\n                    const keywordConfig = srcKeywordsConfig.find(\n                        (config) => srcItemLowerCase === config.value.toLowerCase()\n                    );\n\n                    if (keywordConfig) {\n                        if (!keywordConfig.isAllowed) {\n                            console.warn(`${listName} ${srcItem} keyword is not allowed in srcKeywordsConfig policy. We likely should not be using this keyword for security reasons.`.trim());\n                            srcList[idx] = '';\n                        } else {\n                            srcList[idx] = srcKeywordEscape(srcItem);\n                        }\n                    }\n                }\n            }\n        });\n    }\n};\n\n/**\n * Helper to build a CSP src group list string from input params.\n * @param  {string}        name src name for the CSP group.\n * @param  {Array<string>} list The static src list for the CSP group.\n * @return {string}             The prepped src list string;\n */\nconst buildSrcString = (name = '', list = []) => {\n    let srcString = '';\n\n    if (Array.isArray(list)) {\n        srcKeywordsEscape(list, name);\n        srcString = `${name} ${list.join(' ')};`;\n    }\n\n    return srcString;\n};\n\n// ============================================================================\n//                               RESPONSE HEADERS                             =\n// ============================================================================\n/**\n * Set the CSP header on the response (by reference).\n * @param {object} [headers={}]  The event response headers (updated by reference).\n */\nconst setCspHeader = (headers = {}) => {\n    const domains = getEnvironmentUrls();\n    const cognitoIdpUrl = 'https://cognito-idp.us-east-1.amazonaws.com';\n\n    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy\n    headers['content-security-policy'] = [{\n        key: 'Content-Security-Policy',\n        value: `${[\n            `default-src 'none';`,\n            buildSrcString('manifest-src', [\n                'self',\n            ]),\n            buildSrcString('script-src', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://www.gstatic.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('script-src-elem', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://www.gstatic.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('script-src-attr', [\n                'self',\n            ]),\n            buildSrcString('worker-src', [\n                'self',\n            ]),\n            buildSrcString('style-src', [\n                'self',\n                'https://fonts.googleapis.com',\n                'https://www.gstatic.com/recaptcha/',\n            ]),\n            buildSrcString('style-src-elem', [\n                'self',\n                'https://fonts.googleapis.com',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n                `'sha256-YwWQHXh4Vw0oD2Oo8pV9huEF2sE9mD8i5nZUuHzEg9A='`, // <style> tag injected by authorize.net widget\n            ]),\n            buildSrcString('style-src-attr', [\n                'self',\n            ]),\n            buildSrcString('font-src', [\n                'self',\n                'https://fonts.gstatic.com',\n            ]),\n            buildSrcString('img-src', [\n                'self',\n                'data:',\n                domains.dataApi,\n                domains.dataApiCosmo,\n                'https://www.gstatic.com/recaptcha/',\n            ]),\n            buildSrcString('media-src', [\n                'self',\n                domains.dataApi,\n                domains.dataApiCosmo,\n            ]),\n            buildSrcString('frame-src', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://recaptcha.google.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('frame-ancestors', [\n                'none'\n            ]),\n            buildSrcString('object-src', [\n                'none',\n            ]),\n            buildSrcString('form-action', [\n                'none',\n            ]),\n            buildSrcString('connect-src', [\n                'self',\n                // JCC\n                domains.dataApi,\n                domains.searchApi,\n                domains.s3UploadUrlState,\n                domains.s3UploadUrlProvider,\n                domains.cognitoStaff,\n                domains.cognitoProvider,\n                // COSMETOLOGY\n                domains.dataApiCosmo,\n                domains.searchApiCosmo,\n                domains.s3UploadUrlStateCosmo,\n                domains.cognitoStaffCosmo,\n                cognitoIdpUrl,\n                'https://www.google.com/recaptcha/',\n                // Begin Statsig domains\n                'https://api.statsig.com/',\n                'https://featuregates.org/',\n                'https://statsigapi.net/',\n                'https://events.statsigapi.net/',\n                'https://api.statsigcdn.com/',\n                'https://featureassets.org/',\n                'https://assetsconfigcdn.org/',\n                'https://prodregistryv2.org/',\n                'https://cloudflare-dns.com/',\n                'https://beyondwickedmapping.org/',\n                // End Statsig domains\n            ]),\n        ].join(' ')}`,\n    }];\n};\n\n/**\n * Set security headers on the response (by reference).\n * @param {object} [headers={}]  The event response headers (updated by reference).\n */\nconst setSecurityHeaders = (headers = {}) => {\n    // Strict-Transport-Security\n    headers['strict-transport-security'] = [{\n        key: 'Strict-Transport-Security',\n        value: 'max-age=31536000; includeSubdomains; preload',\n    }];\n    // X-Content-Type-Options\n    headers['x-content-type-options'] = [{\n        key: 'X-Content-Type-Options',\n        value: 'nosniff',\n    }];\n    // X-Frame-Options\n    headers['x-frame-options'] = [{\n        key: 'X-Frame-Options',\n        value: 'DENY',\n    }];\n    // Referrer-Policy\n    headers['referrer-policy'] = [{\n        key: 'Referrer-Policy',\n        value: 'strict-origin-when-cross-origin',\n    }];\n    // Server\n    headers.server = [{\n        key: 'Server',\n        value: 'CompactConnect',\n    }];\n    // Content-Security-Policy\n    setCspHeader(headers);\n};\n\n// ============================================================================\n//                                 LAMBDA ENTRY                               =\n// ============================================================================\nexports.handler = async (event) => {\n    // https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-event-structure.html\n    const eventRecord = event?.Records[0]?.cf || {};\n    const response = eventRecord.response || {};\n    const responseHeaders = response.headers || {};\n\n    setSecurityHeaders(responseHeaders);\n\n    return response;\n};\n"
+      "ZipFile": "//\n//  index.js\n//  CompactConnect\n//\n//  Created by InspiringApps on 7/22/2024.\n//\n\n// ============================================================================\n//                               CONFIGURATION                                =\n// ============================================================================\n/**\n * Configuration of supported domains.\n *\n * These values are injected into the lambda function at build time. See the\n * `generate_csp_lambda_code` function in\n * backend/compact-connect-ui-app/stacks/frontend_deployment_stack/distribution.py\n * @type {object}\n */\nconst environmentValues = {\n    webFrontend: `test-ui.example.com`,\n    // JCC\n    dataApi: `test-api.example.com`,\n    searchApi: `test-search-api.example.com`,\n    s3UploadUrlState: `test-bulk-uploads-bucket-name.s3.amazonaws.com`,\n    s3UploadUrlProvider: `test-provider-users-bucket-name.s3.amazonaws.com`,\n    cognitoStaff: `test-staff-domain`,\n    cognitoProvider: `test-provider-domain`,\n    // COSMETOLOGY\n    dataApiCosmo: `test-api.example.com`,\n    searchApiCosmo: `test-search-api.example.com`,\n    s3UploadUrlStateCosmo: `test-bulk-uploads-bucket-name.s3.amazonaws.com`,\n    cognitoStaffCosmo: `test-staff-domain`,\n};\n\n// ============================================================================\n//                                   HELPERS                                  =\n// ============================================================================\n/**\n * Get the request domain from the lambda event record.\n * @param  {object} eventRecord The cloudfront record from the lambda event.\n * @return {string}             The bare domain of the request domain.\n */\n\n/**\n * Get a fully qualified domain URI with the protocol scheme.\n * @param  {string} domain The bare domain string.\n * @return {string}        The fully-qualified domain string.\n */\nconst getFullyQualified = (domain) => {\n    const protocol = 'https://';\n    let fullyQualified = '';\n\n    if (domain && typeof domain === 'string' && !domain.startsWith(protocol)) {\n        fullyQualified = `${protocol}${domain}`;\n    }\n\n    return fullyQualified;\n};\n\n/**\n * Helper to get the fully-qualified domains for connected services.\n * @return {object}               A map of fully-qualified domains for the environment.\n *   @return {string} dataApi       The data API fully-qualified domain.\n *   @return {string} s3UploadUrlState      The S3 fully-qualified domain for uploading state files.\n *   @return {string} s3UploadUrlProvider      The S3 fully-qualified domain for uploading provider files.\n *   @return {string} cognitoStaff  The Cognito fully-qualified domain for authenticating staff users.\n */\nconst getEnvironmentUrls = () => {\n    const environmentUrls = {};\n\n    // JCC\n    environmentUrls.dataApi = getFullyQualified(environmentValues.dataApi);\n    environmentUrls.searchApi = getFullyQualified(environmentValues.searchApi);\n    environmentUrls.s3UploadUrlState = getFullyQualified(environmentValues.s3UploadUrlState);\n    environmentUrls.s3UploadUrlProvider = getFullyQualified(environmentValues.s3UploadUrlProvider);\n    environmentUrls.cognitoStaff = getFullyQualified(environmentValues.cognitoStaff);\n    environmentUrls.cognitoProvider = getFullyQualified(environmentValues.cognitoProvider);\n    // COSMETOLOGY\n    environmentUrls.dataApiCosmo = getFullyQualified(environmentValues.dataApiCosmo);\n    environmentUrls.searchApiCosmo = getFullyQualified(environmentValues.searchApiCosmo);\n    environmentUrls.s3UploadUrlStateCosmo = getFullyQualified(environmentValues.s3UploadUrlStateCosmo);\n    environmentUrls.cognitoStaffCosmo = getFullyQualified(environmentValues.cognitoStaffCosmo);\n\n    return environmentUrls;\n};\n\n/**\n * Helper to escape CSP src keywords.\n * @param  {string} keyword The standard keyword value.\n * @return {string}         The escaped keyword value.\n */\nconst srcKeywordEscape = (keyword) => {\n    let escaped = '';\n\n    if (keyword && typeof keyword === 'string') {\n        escaped = `'${keyword}'`.toLowerCase();\n    }\n\n    return escaped;\n};\n\n/**\n * Helper to automatically escape and prep CSP src keyword values (by reference).\n * @param  {Array<string>} srcList       The CSP src list.\n * @param  {string}        [listName=''] Optional src list name for logging.\n */\nconst srcKeywordsEscape = (srcList, listName = '') => {\n    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#keyword_values\n    const srcKeywordsConfig = [\n        { value: 'self', isAllowed: true },\n        { value: 'none', isAllowed: true },\n        { value: 'strict-dynamic', isAllowed: true },\n        { value: 'report-sample', isAllowed: true },\n        { value: 'inline-speculation-rules', isAllowed: true },\n        { value: 'unsafe-inline', isAllowed: false },\n        { value: 'unsafe-eval', isAllowed: false },\n        { value: 'unsafe-hashes', isAllowed: false },\n        { value: 'wasm-unsafe-eval', isAllowed: false },\n    ];\n    const srcKeywords = srcKeywordsConfig.map((config) => config.value.toLowerCase());\n\n    if (Array.isArray(srcList)) {\n        srcList.forEach((srcItem, idx) => {\n            const isString = typeof srcItem === 'string';\n\n            if (!isString) {\n                srcList[idx] = '';\n            } else {\n                const srcItemLowerCase = srcItem.toLowerCase();\n\n                if (srcKeywords.includes(srcItemLowerCase)) {\n                    const keywordConfig = srcKeywordsConfig.find(\n                        (config) => srcItemLowerCase === config.value.toLowerCase()\n                    );\n\n                    if (keywordConfig) {\n                        if (!keywordConfig.isAllowed) {\n                            console.warn(`${listName} ${srcItem} keyword is not allowed in srcKeywordsConfig policy. We likely should not be using this keyword for security reasons.`.trim());\n                            srcList[idx] = '';\n                        } else {\n                            srcList[idx] = srcKeywordEscape(srcItem);\n                        }\n                    }\n                }\n            }\n        });\n    }\n};\n\n/**\n * Helper to build a CSP src group list string from input params.\n * @param  {string}        name src name for the CSP group.\n * @param  {Array<string>} list The static src list for the CSP group.\n * @return {string}             The prepped src list string;\n */\nconst buildSrcString = (name = '', list = []) => {\n    let srcString = '';\n\n    if (Array.isArray(list)) {\n        srcKeywordsEscape(list, name);\n        srcString = `${name} ${list.join(' ')};`;\n    }\n\n    return srcString;\n};\n\n// ============================================================================\n//                               RESPONSE HEADERS                             =\n// ============================================================================\n/**\n * Set the CSP header on the response (by reference).\n * @param {object} [headers={}]  The event response headers (updated by reference).\n */\nconst setCspHeader = (headers = {}) => {\n    const domains = getEnvironmentUrls();\n    const cognitoIdpUrl = 'https://cognito-idp.us-east-1.amazonaws.com';\n\n    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy\n    headers['content-security-policy'] = [{\n        key: 'Content-Security-Policy',\n        value: `${[\n            `default-src 'none';`,\n            buildSrcString('manifest-src', [\n                'self',\n            ]),\n            buildSrcString('script-src', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://www.gstatic.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('script-src-elem', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://www.gstatic.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('script-src-attr', [\n                'self',\n            ]),\n            buildSrcString('worker-src', [\n                'self',\n            ]),\n            buildSrcString('style-src', [\n                'self',\n                'https://fonts.googleapis.com',\n                'https://www.gstatic.com/recaptcha/',\n            ]),\n            buildSrcString('style-src-elem', [\n                'self',\n                'https://fonts.googleapis.com',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n                `'sha256-YwWQHXh4Vw0oD2Oo8pV9huEF2sE9mD8i5nZUuHzEg9A='`, // <style> tag injected by authorize.net widget\n            ]),\n            buildSrcString('style-src-attr', [\n                'self',\n            ]),\n            buildSrcString('font-src', [\n                'self',\n                'https://fonts.gstatic.com',\n            ]),\n            buildSrcString('img-src', [\n                'self',\n                'data:',\n                domains.dataApi,\n                domains.dataApiCosmo,\n                'https://www.gstatic.com/recaptcha/',\n            ]),\n            buildSrcString('media-src', [\n                'self',\n                domains.dataApi,\n                domains.dataApiCosmo,\n            ]),\n            buildSrcString('frame-src', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://recaptcha.google.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('frame-ancestors', [\n                'none'\n            ]),\n            buildSrcString('object-src', [\n                'none',\n            ]),\n            buildSrcString('form-action', [\n                'none',\n            ]),\n            buildSrcString('connect-src', [\n                'self',\n                // JCC\n                domains.dataApi,\n                domains.searchApi,\n                domains.s3UploadUrlState,\n                domains.s3UploadUrlProvider,\n                domains.cognitoStaff,\n                domains.cognitoProvider,\n                // COSMETOLOGY\n                domains.dataApiCosmo,\n                domains.searchApiCosmo,\n                domains.s3UploadUrlStateCosmo,\n                domains.cognitoStaffCosmo,\n                cognitoIdpUrl,\n                'https://www.google.com/recaptcha/',\n                // Begin Statsig domains\n                'https://api.statsig.com/',\n                'https://featuregates.org/',\n                'https://statsigapi.net/',\n                'https://events.statsigapi.net/',\n                'https://api.statsigcdn.com/',\n                'https://featureassets.org/',\n                'https://assetsconfigcdn.org/',\n                'https://prodregistryv2.org/',\n                'https://cloudflare-dns.com/',\n                'https://beyondwickedmapping.org/',\n                // End Statsig domains\n            ]),\n        ].join(' ')}`,\n    }];\n};\n\n/**\n * Set security headers on the response (by reference).\n * @param {object} [headers={}]  The event response headers (updated by reference).\n */\nconst setSecurityHeaders = (headers = {}) => {\n    // Strict-Transport-Security\n    headers['strict-transport-security'] = [{\n        key: 'Strict-Transport-Security',\n        value: 'max-age=31536000; includeSubdomains; preload',\n    }];\n    // X-Content-Type-Options\n    headers['x-content-type-options'] = [{\n        key: 'X-Content-Type-Options',\n        value: 'nosniff',\n    }];\n    // X-Frame-Options\n    headers['x-frame-options'] = [{\n        key: 'X-Frame-Options',\n        value: 'DENY',\n    }];\n    // Referrer-Policy\n    headers['referrer-policy'] = [{\n        key: 'Referrer-Policy',\n        value: 'strict-origin-when-cross-origin',\n    }];\n    // Server\n    headers.server = [{\n        key: 'Server',\n        value: 'CompactConnect',\n    }];\n    // Content-Security-Policy\n    setCspHeader(headers);\n};\n\n// ============================================================================\n//                                 LAMBDA ENTRY                               =\n// ============================================================================\nexports.handler = async (event) => {\n    // https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-event-structure.html\n    const eventRecord = event?.Records[0]?.cf || {};\n    const response = eventRecord.response || {};\n    const responseHeaders = response.headers || {};\n\n    setSecurityHeaders(responseHeaders);\n\n    return response;\n};\n"
     },
     "Handler": "index.handler",
     "Role": {
diff --git a/backend/compact-connect-ui-app/tests/resources/snapshots/TestFrontend-FrontendDeploymentStack-UI_DISTRIBUTION.json b/backend/compact-connect-ui-app/tests/resources/snapshots/TestFrontend-FrontendDeploymentStack-UI_DISTRIBUTION.json
index c1202aa5a..00931a8d9 100644
--- a/backend/compact-connect-ui-app/tests/resources/snapshots/TestFrontend-FrontendDeploymentStack-UI_DISTRIBUTION.json
+++ b/backend/compact-connect-ui-app/tests/resources/snapshots/TestFrontend-FrontendDeploymentStack-UI_DISTRIBUTION.json
@@ -39,7 +39,7 @@
             {
               "EventType": "viewer-response",
               "LambdaFunctionARN": {
-                "Ref": "CSPFunctionCurrentVersionB61A66119d41b9d535c1a9a1d97ce915b0b0b079"
+                "Ref": "CSPFunctionCurrentVersionB61A6611ae71df5f4a2e71905706631237e7d8d0"
               }
             }
           ],
diff --git a/backend/compact-connect-ui-app/tests/resources/snapshots/TestFrontend-FrontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json b/backend/compact-connect-ui-app/tests/resources/snapshots/TestFrontend-FrontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json
index a7a6dbbfb..7e31da685 100644
--- a/backend/compact-connect-ui-app/tests/resources/snapshots/TestFrontend-FrontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json
+++ b/backend/compact-connect-ui-app/tests/resources/snapshots/TestFrontend-FrontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json
@@ -2,7 +2,7 @@
   "Type": "AWS::Lambda::Function",
   "Properties": {
     "Code": {
-      "ZipFile": "//\n//  index.js\n//  CompactConnect\n//\n//  Created by InspiringApps on 7/22/2024.\n//\n\n// ============================================================================\n//                               CONFIGURATION                                =\n// ============================================================================\n/**\n * Configuration of supported domains.\n *\n * These values are injected into the lambda function at build time. See the\n * `generate_csp_lambda_code` function in\n * backend/compact-connect-ui-app/stacks/frontend_deployment_stack/distribution.py\n * @type {object}\n */\nconst environmentValues = {\n    webFrontend: `test-ui.example.com`,\n    // JCC\n    dataApi: `test-api.example.com`,\n    searchApi: `test-search-api.example.com`,\n    s3UploadUrlState: `test-bulk-uploads-bucket-name.s3.amazonaws.com`,\n    s3UploadUrlProvider: `test-provider-users-bucket-name.s3.amazonaws.com`,\n    cognitoStaff: `test-staff-domain`,\n    cognitoProvider: `test-provider-domain`,\n    // COSMETOLOGY\n    dataApiCosmo: `##DATA_API_COSMO##`,\n    searchApiCosmo: `##SEARCH_API_COSMO##`,\n    s3UploadUrlStateCosmo: `##S3_UPLOAD_URL_STATE_COSMO##`,\n    cognitoStaffCosmo: `##COGNITO_STAFF_COSMO##`,\n};\n\n// ============================================================================\n//                                   HELPERS                                  =\n// ============================================================================\n/**\n * Get the request domain from the lambda event record.\n * @param  {object} eventRecord The cloudfront record from the lambda event.\n * @return {string}             The bare domain of the request domain.\n */\n\n/**\n * Get a fully qualified domain URI with the protocol scheme.\n * @param  {string} domain The bare domain string.\n * @return {string}        The fully-qualified domain string.\n */\nconst getFullyQualified = (domain) => {\n    const protocol = 'https://';\n    let fullyQualified = '';\n\n    if (domain && typeof domain === 'string' && !domain.startsWith(protocol)) {\n        fullyQualified = `${protocol}${domain}`;\n    }\n\n    return fullyQualified;\n};\n\n/**\n * Helper to get the fully-qualified domains for connected services.\n * @return {object}               A map of fully-qualified domains for the environment.\n *   @return {string} dataApi       The data API fully-qualified domain.\n *   @return {string} s3UploadUrlState      The S3 fully-qualified domain for uploading state files.\n *   @return {string} s3UploadUrlProvider      The S3 fully-qualified domain for uploading provider files.\n *   @return {string} cognitoStaff  The Cognito fully-qualified domain for authenticating staff users.\n */\nconst getEnvironmentUrls = () => {\n    const environmentUrls = {};\n\n    // JCC\n    environmentUrls.dataApi = getFullyQualified(environmentValues.dataApi);\n    environmentUrls.searchApi = getFullyQualified(environmentValues.searchApi);\n    environmentUrls.s3UploadUrlState = getFullyQualified(environmentValues.s3UploadUrlState);\n    environmentUrls.s3UploadUrlProvider = getFullyQualified(environmentValues.s3UploadUrlProvider);\n    environmentUrls.cognitoStaff = getFullyQualified(environmentValues.cognitoStaff);\n    environmentUrls.cognitoProvider = getFullyQualified(environmentValues.cognitoProvider);\n    // COSMETOLOGY\n    environmentUrls.dataApiCosmo = getFullyQualified(environmentValues.dataApiCosmo);\n    environmentUrls.searchApiCosmo = getFullyQualified(environmentValues.searchApiCosmo);\n    environmentUrls.s3UploadUrlStateCosmo = getFullyQualified(environmentValues.s3UploadUrlStateCosmo);\n    environmentUrls.cognitoStaffCosmo = getFullyQualified(environmentValues.cognitoStaffCosmo);\n\n    return environmentUrls;\n};\n\n/**\n * Helper to escape CSP src keywords.\n * @param  {string} keyword The standard keyword value.\n * @return {string}         The escaped keyword value.\n */\nconst srcKeywordEscape = (keyword) => {\n    let escaped = '';\n\n    if (keyword && typeof keyword === 'string') {\n        escaped = `'${keyword}'`.toLowerCase();\n    }\n\n    return escaped;\n};\n\n/**\n * Helper to automatically escape and prep CSP src keyword values (by reference).\n * @param  {Array<string>} srcList       The CSP src list.\n * @param  {string}        [listName=''] Optional src list name for logging.\n */\nconst srcKeywordsEscape = (srcList, listName = '') => {\n    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#keyword_values\n    const srcKeywordsConfig = [\n        { value: 'self', isAllowed: true },\n        { value: 'none', isAllowed: true },\n        { value: 'strict-dynamic', isAllowed: true },\n        { value: 'report-sample', isAllowed: true },\n        { value: 'inline-speculation-rules', isAllowed: true },\n        { value: 'unsafe-inline', isAllowed: false },\n        { value: 'unsafe-eval', isAllowed: false },\n        { value: 'unsafe-hashes', isAllowed: false },\n        { value: 'wasm-unsafe-eval', isAllowed: false },\n    ];\n    const srcKeywords = srcKeywordsConfig.map((config) => config.value.toLowerCase());\n\n    if (Array.isArray(srcList)) {\n        srcList.forEach((srcItem, idx) => {\n            const isString = typeof srcItem === 'string';\n\n            if (!isString) {\n                srcList[idx] = '';\n            } else {\n                const srcItemLowerCase = srcItem.toLowerCase();\n\n                if (srcKeywords.includes(srcItemLowerCase)) {\n                    const keywordConfig = srcKeywordsConfig.find(\n                        (config) => srcItemLowerCase === config.value.toLowerCase()\n                    );\n\n                    if (keywordConfig) {\n                        if (!keywordConfig.isAllowed) {\n                            console.warn(`${listName} ${srcItem} keyword is not allowed in srcKeywordsConfig policy. We likely should not be using this keyword for security reasons.`.trim());\n                            srcList[idx] = '';\n                        } else {\n                            srcList[idx] = srcKeywordEscape(srcItem);\n                        }\n                    }\n                }\n            }\n        });\n    }\n};\n\n/**\n * Helper to build a CSP src group list string from input params.\n * @param  {string}        name src name for the CSP group.\n * @param  {Array<string>} list The static src list for the CSP group.\n * @return {string}             The prepped src list string;\n */\nconst buildSrcString = (name = '', list = []) => {\n    let srcString = '';\n\n    if (Array.isArray(list)) {\n        srcKeywordsEscape(list, name);\n        srcString = `${name} ${list.join(' ')};`;\n    }\n\n    return srcString;\n};\n\n// ============================================================================\n//                               RESPONSE HEADERS                             =\n// ============================================================================\n/**\n * Set the CSP header on the response (by reference).\n * @param {object} [headers={}]  The event response headers (updated by reference).\n */\nconst setCspHeader = (headers = {}) => {\n    const domains = getEnvironmentUrls();\n    const cognitoIdpUrl = 'https://cognito-idp.us-east-1.amazonaws.com';\n\n    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy\n    headers['content-security-policy'] = [{\n        key: 'Content-Security-Policy',\n        value: `${[\n            `default-src 'none';`,\n            buildSrcString('manifest-src', [\n                'self',\n            ]),\n            buildSrcString('script-src', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://www.gstatic.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('script-src-elem', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://www.gstatic.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('script-src-attr', [\n                'self',\n            ]),\n            buildSrcString('worker-src', [\n                'self',\n            ]),\n            buildSrcString('style-src', [\n                'self',\n                'https://fonts.googleapis.com',\n                'https://www.gstatic.com/recaptcha/',\n            ]),\n            buildSrcString('style-src-elem', [\n                'self',\n                'https://fonts.googleapis.com',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n                `'sha256-YwWQHXh4Vw0oD2Oo8pV9huEF2sE9mD8i5nZUuHzEg9A='`, // <style> tag injected by authorize.net widget\n            ]),\n            buildSrcString('style-src-attr', [\n                'self',\n            ]),\n            buildSrcString('font-src', [\n                'self',\n                'https://fonts.gstatic.com',\n            ]),\n            buildSrcString('img-src', [\n                'self',\n                'data:',\n                domains.dataApi,\n                domains.dataApiCosmo,\n                'https://www.gstatic.com/recaptcha/',\n            ]),\n            buildSrcString('media-src', [\n                'self',\n                domains.dataApi,\n                domains.dataApiCosmo,\n            ]),\n            buildSrcString('frame-src', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://recaptcha.google.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('frame-ancestors', [\n                'none'\n            ]),\n            buildSrcString('object-src', [\n                'none',\n            ]),\n            buildSrcString('form-action', [\n                'none',\n            ]),\n            buildSrcString('connect-src', [\n                'self',\n                // JCC\n                domains.dataApi,\n                domains.searchApi,\n                domains.s3UploadUrlState,\n                domains.s3UploadUrlProvider,\n                domains.cognitoStaff,\n                domains.cognitoProvider,\n                // COSMETOLOGY\n                domains.dataApiCosmo,\n                domains.searchApiCosmo,\n                domains.s3UploadUrlStateCosmo,\n                domains.cognitoStaffCosmo,\n                cognitoIdpUrl,\n                'https://www.google.com/recaptcha/',\n                // Begin Statsig domains\n                'https://api.statsig.com/',\n                'https://featuregates.org/',\n                'https://statsigapi.net/',\n                'https://events.statsigapi.net/',\n                'https://api.statsigcdn.com/',\n                'https://featureassets.org/',\n                'https://assetsconfigcdn.org/',\n                'https://prodregistryv2.org/',\n                'https://cloudflare-dns.com/',\n                'https://beyondwickedmapping.org/',\n                // End Statsig domains\n            ]),\n        ].join(' ')}`,\n    }];\n};\n\n/**\n * Set security headers on the response (by reference).\n * @param {object} [headers={}]  The event response headers (updated by reference).\n */\nconst setSecurityHeaders = (headers = {}) => {\n    // Strict-Transport-Security\n    headers['strict-transport-security'] = [{\n        key: 'Strict-Transport-Security',\n        value: 'max-age=31536000; includeSubdomains; preload',\n    }];\n    // X-Content-Type-Options\n    headers['x-content-type-options'] = [{\n        key: 'X-Content-Type-Options',\n        value: 'nosniff',\n    }];\n    // X-Frame-Options\n    headers['x-frame-options'] = [{\n        key: 'X-Frame-Options',\n        value: 'DENY',\n    }];\n    // Referrer-Policy\n    headers['referrer-policy'] = [{\n        key: 'Referrer-Policy',\n        value: 'strict-origin-when-cross-origin',\n    }];\n    // Server\n    headers.server = [{\n        key: 'Server',\n        value: 'CompactConnect',\n    }];\n    // Content-Security-Policy\n    setCspHeader(headers);\n};\n\n// ============================================================================\n//                                 LAMBDA ENTRY                               =\n// ============================================================================\nexports.handler = async (event) => {\n    // https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-event-structure.html\n    const eventRecord = event?.Records[0]?.cf || {};\n    const response = eventRecord.response || {};\n    const responseHeaders = response.headers || {};\n\n    setSecurityHeaders(responseHeaders);\n\n    return response;\n};\n"
+      "ZipFile": "//\n//  index.js\n//  CompactConnect\n//\n//  Created by InspiringApps on 7/22/2024.\n//\n\n// ============================================================================\n//                               CONFIGURATION                                =\n// ============================================================================\n/**\n * Configuration of supported domains.\n *\n * These values are injected into the lambda function at build time. See the\n * `generate_csp_lambda_code` function in\n * backend/compact-connect-ui-app/stacks/frontend_deployment_stack/distribution.py\n * @type {object}\n */\nconst environmentValues = {\n    webFrontend: `test-ui.example.com`,\n    // JCC\n    dataApi: `test-api.example.com`,\n    searchApi: `test-search-api.example.com`,\n    s3UploadUrlState: `test-bulk-uploads-bucket-name.s3.amazonaws.com`,\n    s3UploadUrlProvider: `test-provider-users-bucket-name.s3.amazonaws.com`,\n    cognitoStaff: `test-staff-domain`,\n    cognitoProvider: `test-provider-domain`,\n    // COSMETOLOGY\n    dataApiCosmo: `test-api.example.com`,\n    searchApiCosmo: `test-search-api.example.com`,\n    s3UploadUrlStateCosmo: `test-bulk-uploads-bucket-name.s3.amazonaws.com`,\n    cognitoStaffCosmo: `test-staff-domain`,\n};\n\n// ============================================================================\n//                                   HELPERS                                  =\n// ============================================================================\n/**\n * Get the request domain from the lambda event record.\n * @param  {object} eventRecord The cloudfront record from the lambda event.\n * @return {string}             The bare domain of the request domain.\n */\n\n/**\n * Get a fully qualified domain URI with the protocol scheme.\n * @param  {string} domain The bare domain string.\n * @return {string}        The fully-qualified domain string.\n */\nconst getFullyQualified = (domain) => {\n    const protocol = 'https://';\n    let fullyQualified = '';\n\n    if (domain && typeof domain === 'string' && !domain.startsWith(protocol)) {\n        fullyQualified = `${protocol}${domain}`;\n    }\n\n    return fullyQualified;\n};\n\n/**\n * Helper to get the fully-qualified domains for connected services.\n * @return {object}               A map of fully-qualified domains for the environment.\n *   @return {string} dataApi       The data API fully-qualified domain.\n *   @return {string} s3UploadUrlState      The S3 fully-qualified domain for uploading state files.\n *   @return {string} s3UploadUrlProvider      The S3 fully-qualified domain for uploading provider files.\n *   @return {string} cognitoStaff  The Cognito fully-qualified domain for authenticating staff users.\n */\nconst getEnvironmentUrls = () => {\n    const environmentUrls = {};\n\n    // JCC\n    environmentUrls.dataApi = getFullyQualified(environmentValues.dataApi);\n    environmentUrls.searchApi = getFullyQualified(environmentValues.searchApi);\n    environmentUrls.s3UploadUrlState = getFullyQualified(environmentValues.s3UploadUrlState);\n    environmentUrls.s3UploadUrlProvider = getFullyQualified(environmentValues.s3UploadUrlProvider);\n    environmentUrls.cognitoStaff = getFullyQualified(environmentValues.cognitoStaff);\n    environmentUrls.cognitoProvider = getFullyQualified(environmentValues.cognitoProvider);\n    // COSMETOLOGY\n    environmentUrls.dataApiCosmo = getFullyQualified(environmentValues.dataApiCosmo);\n    environmentUrls.searchApiCosmo = getFullyQualified(environmentValues.searchApiCosmo);\n    environmentUrls.s3UploadUrlStateCosmo = getFullyQualified(environmentValues.s3UploadUrlStateCosmo);\n    environmentUrls.cognitoStaffCosmo = getFullyQualified(environmentValues.cognitoStaffCosmo);\n\n    return environmentUrls;\n};\n\n/**\n * Helper to escape CSP src keywords.\n * @param  {string} keyword The standard keyword value.\n * @return {string}         The escaped keyword value.\n */\nconst srcKeywordEscape = (keyword) => {\n    let escaped = '';\n\n    if (keyword && typeof keyword === 'string') {\n        escaped = `'${keyword}'`.toLowerCase();\n    }\n\n    return escaped;\n};\n\n/**\n * Helper to automatically escape and prep CSP src keyword values (by reference).\n * @param  {Array<string>} srcList       The CSP src list.\n * @param  {string}        [listName=''] Optional src list name for logging.\n */\nconst srcKeywordsEscape = (srcList, listName = '') => {\n    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#keyword_values\n    const srcKeywordsConfig = [\n        { value: 'self', isAllowed: true },\n        { value: 'none', isAllowed: true },\n        { value: 'strict-dynamic', isAllowed: true },\n        { value: 'report-sample', isAllowed: true },\n        { value: 'inline-speculation-rules', isAllowed: true },\n        { value: 'unsafe-inline', isAllowed: false },\n        { value: 'unsafe-eval', isAllowed: false },\n        { value: 'unsafe-hashes', isAllowed: false },\n        { value: 'wasm-unsafe-eval', isAllowed: false },\n    ];\n    const srcKeywords = srcKeywordsConfig.map((config) => config.value.toLowerCase());\n\n    if (Array.isArray(srcList)) {\n        srcList.forEach((srcItem, idx) => {\n            const isString = typeof srcItem === 'string';\n\n            if (!isString) {\n                srcList[idx] = '';\n            } else {\n                const srcItemLowerCase = srcItem.toLowerCase();\n\n                if (srcKeywords.includes(srcItemLowerCase)) {\n                    const keywordConfig = srcKeywordsConfig.find(\n                        (config) => srcItemLowerCase === config.value.toLowerCase()\n                    );\n\n                    if (keywordConfig) {\n                        if (!keywordConfig.isAllowed) {\n                            console.warn(`${listName} ${srcItem} keyword is not allowed in srcKeywordsConfig policy. We likely should not be using this keyword for security reasons.`.trim());\n                            srcList[idx] = '';\n                        } else {\n                            srcList[idx] = srcKeywordEscape(srcItem);\n                        }\n                    }\n                }\n            }\n        });\n    }\n};\n\n/**\n * Helper to build a CSP src group list string from input params.\n * @param  {string}        name src name for the CSP group.\n * @param  {Array<string>} list The static src list for the CSP group.\n * @return {string}             The prepped src list string;\n */\nconst buildSrcString = (name = '', list = []) => {\n    let srcString = '';\n\n    if (Array.isArray(list)) {\n        srcKeywordsEscape(list, name);\n        srcString = `${name} ${list.join(' ')};`;\n    }\n\n    return srcString;\n};\n\n// ============================================================================\n//                               RESPONSE HEADERS                             =\n// ============================================================================\n/**\n * Set the CSP header on the response (by reference).\n * @param {object} [headers={}]  The event response headers (updated by reference).\n */\nconst setCspHeader = (headers = {}) => {\n    const domains = getEnvironmentUrls();\n    const cognitoIdpUrl = 'https://cognito-idp.us-east-1.amazonaws.com';\n\n    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy\n    headers['content-security-policy'] = [{\n        key: 'Content-Security-Policy',\n        value: `${[\n            `default-src 'none';`,\n            buildSrcString('manifest-src', [\n                'self',\n            ]),\n            buildSrcString('script-src', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://www.gstatic.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('script-src-elem', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://www.gstatic.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('script-src-attr', [\n                'self',\n            ]),\n            buildSrcString('worker-src', [\n                'self',\n            ]),\n            buildSrcString('style-src', [\n                'self',\n                'https://fonts.googleapis.com',\n                'https://www.gstatic.com/recaptcha/',\n            ]),\n            buildSrcString('style-src-elem', [\n                'self',\n                'https://fonts.googleapis.com',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n                `'sha256-YwWQHXh4Vw0oD2Oo8pV9huEF2sE9mD8i5nZUuHzEg9A='`, // <style> tag injected by authorize.net widget\n            ]),\n            buildSrcString('style-src-attr', [\n                'self',\n            ]),\n            buildSrcString('font-src', [\n                'self',\n                'https://fonts.gstatic.com',\n            ]),\n            buildSrcString('img-src', [\n                'self',\n                'data:',\n                domains.dataApi,\n                domains.dataApiCosmo,\n                'https://www.gstatic.com/recaptcha/',\n            ]),\n            buildSrcString('media-src', [\n                'self',\n                domains.dataApi,\n                domains.dataApiCosmo,\n            ]),\n            buildSrcString('frame-src', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://recaptcha.google.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('frame-ancestors', [\n                'none'\n            ]),\n            buildSrcString('object-src', [\n                'none',\n            ]),\n            buildSrcString('form-action', [\n                'none',\n            ]),\n            buildSrcString('connect-src', [\n                'self',\n                // JCC\n                domains.dataApi,\n                domains.searchApi,\n                domains.s3UploadUrlState,\n                domains.s3UploadUrlProvider,\n                domains.cognitoStaff,\n                domains.cognitoProvider,\n                // COSMETOLOGY\n                domains.dataApiCosmo,\n                domains.searchApiCosmo,\n                domains.s3UploadUrlStateCosmo,\n                domains.cognitoStaffCosmo,\n                cognitoIdpUrl,\n                'https://www.google.com/recaptcha/',\n                // Begin Statsig domains\n                'https://api.statsig.com/',\n                'https://featuregates.org/',\n                'https://statsigapi.net/',\n                'https://events.statsigapi.net/',\n                'https://api.statsigcdn.com/',\n                'https://featureassets.org/',\n                'https://assetsconfigcdn.org/',\n                'https://prodregistryv2.org/',\n                'https://cloudflare-dns.com/',\n                'https://beyondwickedmapping.org/',\n                // End Statsig domains\n            ]),\n        ].join(' ')}`,\n    }];\n};\n\n/**\n * Set security headers on the response (by reference).\n * @param {object} [headers={}]  The event response headers (updated by reference).\n */\nconst setSecurityHeaders = (headers = {}) => {\n    // Strict-Transport-Security\n    headers['strict-transport-security'] = [{\n        key: 'Strict-Transport-Security',\n        value: 'max-age=31536000; includeSubdomains; preload',\n    }];\n    // X-Content-Type-Options\n    headers['x-content-type-options'] = [{\n        key: 'X-Content-Type-Options',\n        value: 'nosniff',\n    }];\n    // X-Frame-Options\n    headers['x-frame-options'] = [{\n        key: 'X-Frame-Options',\n        value: 'DENY',\n    }];\n    // Referrer-Policy\n    headers['referrer-policy'] = [{\n        key: 'Referrer-Policy',\n        value: 'strict-origin-when-cross-origin',\n    }];\n    // Server\n    headers.server = [{\n        key: 'Server',\n        value: 'CompactConnect',\n    }];\n    // Content-Security-Policy\n    setCspHeader(headers);\n};\n\n// ============================================================================\n//                                 LAMBDA ENTRY                               =\n// ============================================================================\nexports.handler = async (event) => {\n    // https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-event-structure.html\n    const eventRecord = event?.Records[0]?.cf || {};\n    const response = eventRecord.response || {};\n    const responseHeaders = response.headers || {};\n\n    setSecurityHeaders(responseHeaders);\n\n    return response;\n};\n"
     },
     "Handler": "index.handler",
     "Role": {

From d92a53e518c1c15384405a6a204b7bf645d272e5 Mon Sep 17 00:00:00 2001
From: John Sandoval <john@inspiringapps.com>
Date: Wed, 11 Feb 2026 16:17:41 -0700
Subject: [PATCH 08/14] WIP: Cosmetology multi-backend scaffolding - Minor
 updates from backend workflow checks - @todo: Update ChangePassword UI
 component (if needed) - @todo: Continue smoke testing

---
 .../stacks/frontend_deployment_stack/distribution.py      | 3 +++
 backend/cosmetology-app/lambdas/nodejs/package.json       | 3 ++-
 backend/cosmetology-app/lambdas/nodejs/yarn.lock          | 8 ++++----
 3 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/backend/compact-connect-ui-app/stacks/frontend_deployment_stack/distribution.py b/backend/compact-connect-ui-app/stacks/frontend_deployment_stack/distribution.py
index b1ab44378..e25758dc4 100644
--- a/backend/compact-connect-ui-app/stacks/frontend_deployment_stack/distribution.py
+++ b/backend/compact-connect-ui-app/stacks/frontend_deployment_stack/distribution.py
@@ -1,3 +1,6 @@
+# ruff: noqa: E501 line-too-long
+# For the sake of readability, we don't want to break up environment values into separate lines
+
 import os
 
 from aws_cdk.aws_certificatemanager import Certificate, CertificateValidation
diff --git a/backend/cosmetology-app/lambdas/nodejs/package.json b/backend/cosmetology-app/lambdas/nodejs/package.json
index 21cd12237..7189531bc 100644
--- a/backend/cosmetology-app/lambdas/nodejs/package.json
+++ b/backend/cosmetology-app/lambdas/nodejs/package.json
@@ -4,7 +4,8 @@
   "type": "commonjs",
   "description": "NodeJS lambdas for Compact Connect",
   "resolutions": {
-    "@aws-sdk/client-sesv2": "^3.901.0"
+    "@aws-sdk/client-sesv2": "^3.901.0",
+     "fast-xml-parser": "5.3.4"
   },
   "scripts": {
     "build": "tsc",
diff --git a/backend/cosmetology-app/lambdas/nodejs/yarn.lock b/backend/cosmetology-app/lambdas/nodejs/yarn.lock
index 0aeefce7a..b0a4bfc44 100644
--- a/backend/cosmetology-app/lambdas/nodejs/yarn.lock
+++ b/backend/cosmetology-app/lambdas/nodejs/yarn.lock
@@ -3454,10 +3454,10 @@ fast-levenshtein@^2.0.6:
   resolved "https://registry.yarnpkg.com/fast-levenshtein/-/fast-levenshtein-2.0.6.tgz#3d8a5c66883a16a30ca8643e851f19baa7797917"
   integrity sha512-DCXu6Ifhqcks7TZKY3Hxp3y6qphY5SJZmrWMDrKcERSOXWQdMhU9Ig/PYrzyw/ul9jOIyh0N4M0tbC5hodg8dw==
 
-fast-xml-parser@5.2.5:
-  version "5.2.5"
-  resolved "https://registry.yarnpkg.com/fast-xml-parser/-/fast-xml-parser-5.2.5.tgz#4809fdfb1310494e341098c25cb1341a01a9144a"
-  integrity sha512-pfX9uG9Ki0yekDHx2SiuRIyFdyAr1kMIMitPvb0YBo8SUfKvia7w7FIyd/l6av85pFYRhZscS75MwMnbvY+hcQ==
+fast-xml-parser@5.2.5, fast-xml-parser@5.3.4:
+  version "5.3.4"
+  resolved "https://registry.yarnpkg.com/fast-xml-parser/-/fast-xml-parser-5.3.4.tgz#06f39aafffdbc97bef0321e626c7ddd06a043ecf"
+  integrity sha512-EFd6afGmXlCx8H8WTZHhAoDaWaGyuIBoZJ2mknrNxug+aZKjkp0a0dlars9Izl+jF+7Gu1/5f/2h68cQpe0IiA==
   dependencies:
     strnum "^2.1.0"
 

From 2e05f9c06bf96def610a2ed1e82eddcdaf713111 Mon Sep 17 00:00:00 2001
From: John Sandoval <john@inspiringapps.com>
Date: Wed, 11 Feb 2026 16:31:47 -0700
Subject: [PATCH 09/14] WIP: Cosmetology multi-backend scaffolding - Set
 default state of app mode display to false - PR review feedback - @todo:
 Continue smoke testing

---
 webroot/README.md                             |  2 +-
 .../src/pages/AuthCallback/AuthCallback.ts    | 29 +++++++++++++------
 webroot/src/store/global/global.mutations.ts  |  1 +
 webroot/src/store/global/global.spec.ts       |  1 +
 webroot/src/store/global/global.state.ts      |  2 +-
 5 files changed, 24 insertions(+), 11 deletions(-)

diff --git a/webroot/README.md b/webroot/README.md
index 6a8667f39..da52ed7b4 100644
--- a/webroot/README.md
+++ b/webroot/README.md
@@ -176,7 +176,7 @@
         - _Server_ :arrow_heading_up:
             - IA Test: `42km9ho786d28dp812j88kvscq`
             - CSG Test: `TODO`
-            - Beta: TODO
+            - Beta: `TODO`
             - Prod: `TODO`
         - _Local_ :arrow_heading_down:
             - `42km9ho786d28dp812j88kvscq`
diff --git a/webroot/src/pages/AuthCallback/AuthCallback.ts b/webroot/src/pages/AuthCallback/AuthCallback.ts
index 008d69c6a..426da3acc 100644
--- a/webroot/src/pages/AuthCallback/AuthCallback.ts
+++ b/webroot/src/pages/AuthCallback/AuthCallback.ts
@@ -86,20 +86,31 @@ export default class AuthCallback extends Vue {
 
             let errorCount = 0;
 
-            await this.getTokensStaffJcc().catch(() => {
-                errorCount += 1;
-            });
-
-            if (errorCount > 0) {
-                await this.getTokensStaffCosmo().catch(() => {
+            await this.getTokensStaffJcc()
+                .then(() => {
+                    this.$store.dispatch('setAppMode', AppModes.JCC);
+                })
+                .catch(() => {
                     errorCount += 1;
                 });
+
+            if (errorCount > 0) {
+                await this.getTokensStaffCosmo()
+                    .then(() => {
+                        this.$store.dispatch('setAppMode', AppModes.COSMETOLOGY);
+                    })
+                    .catch(() => {
+                        errorCount += 1;
+                    });
             }
 
             if (errorCount > 1) {
-                await this.getTokensLicenseeJcc().catch(() => {
-                    errorCount += 1;
-                });
+                await this.getTokensLicenseeJcc()
+                    .then(() => {
+                        this.$store.dispatch('setAppMode', AppModes.JCC);
+                    }).catch(() => {
+                        errorCount += 1;
+                    });
             }
 
             if (errorCount > 2) {
diff --git a/webroot/src/store/global/global.mutations.ts b/webroot/src/store/global/global.mutations.ts
index 8ca866422..a6d17ef94 100644
--- a/webroot/src/store/global/global.mutations.ts
+++ b/webroot/src/store/global/global.mutations.ts
@@ -55,6 +55,7 @@ export default {
         state.messages = [];
         state.isModalOpen = false;
         state.isModalLogoutOnly = false;
+        state.appMode = AppModes.JCC;
     },
     [MutationTypes.SET_APP_MODE]: (state: State, mode: AppModes) => {
         state.appMode = mode;
diff --git a/webroot/src/store/global/global.spec.ts b/webroot/src/store/global/global.spec.ts
index ae6cdeded..4c6249caa 100644
--- a/webroot/src/store/global/global.spec.ts
+++ b/webroot/src/store/global/global.spec.ts
@@ -81,6 +81,7 @@ describe('Global Store Mutations', () => {
             messages: [],
             isModalOpen: false,
             isModalLogoutOnly: false,
+            appMode: AppModes.JCC,
         });
     });
     it('should successfully set modal open', () => {
diff --git a/webroot/src/store/global/global.state.ts b/webroot/src/store/global/global.state.ts
index ca6110b3a..1f33585e4 100644
--- a/webroot/src/store/global/global.state.ts
+++ b/webroot/src/store/global/global.state.ts
@@ -26,7 +26,7 @@ export const state: State = {
     isModalOpen: false,
     isModalLogoutOnly: false,
     appMode: AppModes.JCC,
-    isAppModeDisplayed: true, // @TODO
+    isAppModeDisplayed: false,
     authType: AuthTypes.PUBLIC,
     isNavExpanded: false,
 };

From bc42960b958dbd7128dc6038375a2710b95822e0 Mon Sep 17 00:00:00 2001
From: John Sandoval <john@inspiringapps.com>
Date: Wed, 11 Feb 2026 16:38:47 -0700
Subject: [PATCH 10/14] WIP: Cosmetology multi-backend scaffolding - PR review
 feedback - @todo: Continue smoke testing

---
 backend/cosmetology-app/lambdas/nodejs/package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/backend/cosmetology-app/lambdas/nodejs/package.json b/backend/cosmetology-app/lambdas/nodejs/package.json
index 7189531bc..7a78ea6b4 100644
--- a/backend/cosmetology-app/lambdas/nodejs/package.json
+++ b/backend/cosmetology-app/lambdas/nodejs/package.json
@@ -5,7 +5,7 @@
   "description": "NodeJS lambdas for Compact Connect",
   "resolutions": {
     "@aws-sdk/client-sesv2": "^3.901.0",
-     "fast-xml-parser": "5.3.4"
+    "fast-xml-parser": "5.3.4"
   },
   "scripts": {
     "build": "tsc",

From 4e06dffbc14fa80f16c0a542fcd1e5915d39cabc Mon Sep 17 00:00:00 2001
From: John Sandoval <john@inspiringapps.com>
Date: Thu, 12 Feb 2026 16:48:11 -0700
Subject: [PATCH 11/14] WIP: Cosmetology multi-backend scaffolding - Implement
 new public dashboard page - Remove cosmetology license types from
 registration & mfa recovery screens - Remove form subtext from state upload
 form (#1293)

---
 .../Icons/LicenseeUser/LicenseeUser.vue       |   2 +-
 .../Page/PageContainer/PageContainer.ts       |   2 +
 .../components/StateUpload/StateUpload.vue    |   1 -
 webroot/src/locales/en.json                   |  15 +-
 webroot/src/locales/es.json                   |  15 +-
 .../MfaResetStartLicensee.less                |  10 -
 .../MfaResetStartLicensee.ts                  |  22 +-
 .../MfaResetStartLicensee.vue                 |  15 -
 .../PublicDashboard/PublicDashboard.less      | 222 ++++++++------
 .../pages/PublicDashboard/PublicDashboard.ts  |  27 ++
 .../pages/PublicDashboard/PublicDashboard.vue | 283 ++++++++++++------
 .../RegisterLicensee/RegisterLicensee.less    |  10 -
 .../RegisterLicensee/RegisterLicensee.ts      |  23 +-
 .../RegisterLicensee/RegisterLicensee.vue     |  15 -
 14 files changed, 391 insertions(+), 271 deletions(-)

diff --git a/webroot/src/components/Icons/LicenseeUser/LicenseeUser.vue b/webroot/src/components/Icons/LicenseeUser/LicenseeUser.vue
index 55f594d91..7b23791f7 100644
--- a/webroot/src/components/Icons/LicenseeUser/LicenseeUser.vue
+++ b/webroot/src/components/Icons/LicenseeUser/LicenseeUser.vue
@@ -7,6 +7,7 @@
 
 <template>
     <svg class="icon licensee-user-icon stroke-fill-type" viewBox="0 0 50 51">
+        <rect x="1.5" y="2" width="47" height="47" rx="3" stroke-width="2.5" stroke-linejoin="round"/>
         <path class="custom-fill" d="M29.8659 13.0256C29.8659 12.2824 29.8659 11.9108 29.7212 11.6269C29.594 11.3772
             29.391 11.1742 29.1413 11.047C28.8574 10.9023 28.4858 10.9023 27.7426 10.9023H22.2574C21.5142 10.9023
             21.1426 10.9023 20.8587 11.047C20.609 11.1742 20.406 11.3772 20.2787 11.6269C20.1341 11.9108 20.1341
@@ -27,7 +28,6 @@
             20.4895C30.3407 20.3622 30.1377 20.1592 30.0105 19.9095C29.8659 19.6256 29.8659 19.254 29.8659
             18.5108V13.0256Z"
             stroke-width="2.5" stroke-linecap="round" stroke-linejoin="round"/>
-        <rect x="1.5" y="2" width="47" height="47" rx="3" stroke-width="2.5" stroke-linejoin="round"/>
     </svg>
 
 </template>
diff --git a/webroot/src/components/Page/PageContainer/PageContainer.ts b/webroot/src/components/Page/PageContainer/PageContainer.ts
index 83768933c..be5cb1a40 100644
--- a/webroot/src/components/Page/PageContainer/PageContainer.ts
+++ b/webroot/src/components/Page/PageContainer/PageContainer.ts
@@ -49,6 +49,7 @@ class PageContainer extends Vue {
     get includePageHeader(): boolean {
         const nonHeaderRouteNames: Array<string> = [
             'Logout',
+            'DashboardPublic',
             'LicenseeVerification',
             'MfaResetConfirmLicensee',
         ];
@@ -69,6 +70,7 @@ class PageContainer extends Vue {
 
     get includeMainNav(): boolean {
         const nonMainNavRouteNames: Array<string> = [
+            'DashboardPublic', // This is a custom splash page with custom button navigation
             'LicenseeVerification', // This is a printer-friendly page
             'MfaResetConfirmLicensee', // This is a standalone automation page accessed from emailed link
         ];
diff --git a/webroot/src/components/StateUpload/StateUpload.vue b/webroot/src/components/StateUpload/StateUpload.vue
index 317697dd7..e8148f702 100644
--- a/webroot/src/components/StateUpload/StateUpload.vue
+++ b/webroot/src/components/StateUpload/StateUpload.vue
@@ -8,7 +8,6 @@
 <template>
     <div class="state-upload-container">
         <h1>{{ $t('stateUpload.formTitle') }}</h1>
-        <div class="sub-title">{{ $t('stateUpload.formSubtext') }}</div>
         <Card class="state-upload">
             <Transition name="fade" :mode="elementTransitionMode">
                 <LoadingSpinner v-if="isInitializing" />
diff --git a/webroot/src/locales/en.json b/webroot/src/locales/en.json
index 013deaeaf..e39b690fb 100644
--- a/webroot/src/locales/en.json
+++ b/webroot/src/locales/en.json
@@ -1,6 +1,6 @@
 {
     "common": {
-        "appName": "Compact Connect",
+        "appName": "CompactConnect",
         "yes": "Yes",
         "no": "No",
         "back": "Back",
@@ -378,11 +378,16 @@
         "dashboard": "Dashboard",
         "goToDashboard": "Go to dashboard",
         "login": "Login",
-        "loginAsStaff": "Login as Compact or State Staff",
-        "loginAsProvider": "Login as Practitioner",
+        "loginAsStaff": "Compact / State Staff Login",
+        "loginAsStaffSubtext": "Select a compact",
+        "loginAsProvider": "Practitioner login",
+        "loginAsProviderSubtext": "Access your account and privileges",
         "register": "Register",
-        "registerAsProvider": "Register as Practitioner",
+        "registerAsProvider": "Create an account",
+        "registerAsProviderSubtext": "Don't have an account?",
         "verifyPrivilege": "Verify a compact privilege",
+        "verifyPrivilegeSubtext": "Look up practitioner credentials and status",
+        "verifyPrivilegeSearch": "Go to search",
         "home": "Home",
         "upload": "Upload data",
         "licensing": "Search licensing data",
@@ -508,6 +513,7 @@
         }
     ],
     "compact": {
+        "welcomeTo": "Welcome to",
         "settingsTitle": "Settings",
         "configuration": "Configuration",
         "paymentProcessorCredentials": "Authorize.net credentials",
@@ -547,7 +553,6 @@
     },
     "stateUpload": {
         "formTitle": "Compact data upload",
-        "formSubtext": "Current uploads are for test purposes and the data will not be saved permanently",
         "uploadHint": "Only 1 CSV",
         "successTitle": "Your document has been uploaded successfully",
         "successSubTitle": "If your document encounters any errors during processing you will be notified via email"
diff --git a/webroot/src/locales/es.json b/webroot/src/locales/es.json
index b2cbcab45..183831ff7 100644
--- a/webroot/src/locales/es.json
+++ b/webroot/src/locales/es.json
@@ -377,11 +377,16 @@
         "dashboard": "Panel",
         "goToDashboard": "Ir al panel de control",
         "login": "Iniciar sesión",
-        "loginAsStaff": "Iniciar sesión como personal compacto o estatal",
-        "loginAsProvider": "Iniciar sesión como practicante",
+        "loginAsStaff": "Inicio de sesión del personal del Pacto / Estado",
+        "loginAsStaffSubtext": "Seleccione un compacto",
+        "loginAsProvider": "Inicio de sesión de practicante",
+        "loginAsProviderSubtext": "Accede a tu cuenta y privilegios",
         "register": "Registro",
-        "registerAsProvider": "Registrarse como practicante",
-        "verifyPrivilege": "Verificar un privilegio del compacto",
+        "registerAsProvider": "Crear una cuenta",
+        "registerAsProviderSubtext": "¿No tienes una cuenta?",
+        "verifyPrivilege": "Verificar un privilegio compacto",
+        "verifyPrivilegeSubtext": "Busque credenciales y estado del profesional",
+        "verifyPrivilegeSearch": "Ir a la búsqueda",
         "home": "Hogar",
         "upload": "Subir",
         "licensing": "Licencia",
@@ -492,6 +497,7 @@
         }
     ],
     "compact": {
+        "welcome": "Bienvenido a CompactConnect",
         "settingsTitle": "Ajustes",
         "configuration": "Configuración",
         "paymentProcessorCredentials": "Authorize.net cartas credenciales",
@@ -531,7 +537,6 @@
     },
     "stateUpload": {
         "formTitle": "Carga de datos compacta",
-        "formSubtext": "Las cargas actuales son para fines de prueba y los datos no se guardarán de forma permanente.",
         "uploadHint": "Sólo 1 archivo CSV",
         "successTitle": "Su documento ha sido subido exitosamente",
         "successSubTitle": "Si su documento encuentra algún error durante el procesamiento, se le notificará por correo electrónico."
diff --git a/webroot/src/pages/MfaResetStartLicensee/MfaResetStartLicensee.less b/webroot/src/pages/MfaResetStartLicensee/MfaResetStartLicensee.less
index b4f6743ad..301ae3a91 100644
--- a/webroot/src/pages/MfaResetStartLicensee/MfaResetStartLicensee.less
+++ b/webroot/src/pages/MfaResetStartLicensee/MfaResetStartLicensee.less
@@ -206,16 +206,6 @@
         cursor: pointer;
     }
 
-    .recaptcha-terms {
-        margin: 2.4rem;
-        font-size: @fontSizeSmall;
-        text-align: center;
-
-        .recaptcha-link {
-            text-decoration: underline;
-        }
-    }
-
     .mock-nav {
         display: flex;
         flex-direction: column;
diff --git a/webroot/src/pages/MfaResetStartLicensee/MfaResetStartLicensee.ts b/webroot/src/pages/MfaResetStartLicensee/MfaResetStartLicensee.ts
index 834e3c7cd..efbd42d0d 100644
--- a/webroot/src/pages/MfaResetStartLicensee/MfaResetStartLicensee.ts
+++ b/webroot/src/pages/MfaResetStartLicensee/MfaResetStartLicensee.ts
@@ -35,6 +35,7 @@ import InputSubmit from '@components/Forms/InputSubmit/InputSubmit.vue';
 import InputButton from '@components/Forms/InputButton/InputButton.vue';
 import CheckCircle from '@components/Icons/CheckCircle/CheckCircle.vue';
 import MockPopulate from '@components/Forms/MockPopulate/MockPopulate.vue';
+import { CompactType } from '@models/Compact/Compact.model';
 import { State } from '@models/State/State.model';
 import { FormInput } from '@models/FormInput/FormInput.model';
 import Joi from 'joi';
@@ -109,14 +110,21 @@ class MfaResetStartLicensee extends mixins(MixinForm) {
     get licenseTypeOptions(): Array<SelectOption> {
         const options = [{ value: '', name: `- ${this.$t('common.select')} -`, isDisabled: true }];
         const licenseTypes = this.$tm('licensing.licenseTypes') || [];
-
-        licenseTypes.forEach((licenseType) => {
-            options.push({
-                value: licenseType.key,
-                name: licenseType.name,
-                isDisabled: false,
+        const enabledCompacts = [
+            CompactType.ASLP,
+            CompactType.OT,
+            CompactType.COUNSELING,
+        ];
+
+        licenseTypes
+            .filter((licenseType) => enabledCompacts.includes(licenseType.compactKey))
+            .forEach((licenseType) => {
+                options.push({
+                    value: licenseType.key,
+                    name: licenseType.name,
+                    isDisabled: false,
+                });
             });
-        });
 
         return options;
     }
diff --git a/webroot/src/pages/MfaResetStartLicensee/MfaResetStartLicensee.vue b/webroot/src/pages/MfaResetStartLicensee/MfaResetStartLicensee.vue
index 35095197a..811d1148e 100644
--- a/webroot/src/pages/MfaResetStartLicensee/MfaResetStartLicensee.vue
+++ b/webroot/src/pages/MfaResetStartLicensee/MfaResetStartLicensee.vue
@@ -230,21 +230,6 @@
             </Transition>
         </Card>
         <div ref="recaptcha"></div>
-        <div class="recaptcha-terms">
-            {{ $t('recaptcha.googleDesc') }}
-            <a
-                href="https://policies.google.com/privacy"
-                rel="noopener noreferrer"
-                class="recaptcha-link"
-            >{{ $t('recaptcha.privacyPolicy') }}</a>
-            {{ $t('recaptcha.and') }}
-            <a
-                href="https://policies.google.com/terms"
-                rel="noopener noreferrer"
-                class="recaptcha-link"
-            >{{ $t('recaptcha.terms') }}</a>
-            {{ $t('recaptcha.apply') }}.
-        </div>
     </Section>
 </template>
 
diff --git a/webroot/src/pages/PublicDashboard/PublicDashboard.less b/webroot/src/pages/PublicDashboard/PublicDashboard.less
index 80245c683..47b1332c6 100644
--- a/webroot/src/pages/PublicDashboard/PublicDashboard.less
+++ b/webroot/src/pages/PublicDashboard/PublicDashboard.less
@@ -5,14 +5,63 @@
 //  Created by InspiringApps on 8/12/2024.
 //
 .login-container {
-    @cardSizeDefault: 28rem;
-    @cardSizeSmall: 22rem;
-    @cardSpacing: 2.4rem;
-
     display: flex;
-    flex-direction: column;
     align-items: center;
     justify-content: center;
+    width: 100%;
+    height: 100%;
+    min-height: 100vh;
+
+    .dashboard-splash-container {
+        display: none;
+        flex-direction: column;
+        align-self: stretch;
+        justify-content: center;
+        width: 55%;
+        background-color: @primaryColor;
+
+        @media @largeDesktopWidth {
+            display: flex;
+        }
+
+        .splash-image-container {
+            position: absolute;
+
+            &.upper {
+                top: 0;
+                right: 0;
+                width: 60%;
+
+                .splash-image {
+                    fill: #59bfe6;
+                }
+            }
+
+            &.lower {
+                bottom: -5px;
+                left: 0;
+                width: 80%;
+                max-width: 100rem;
+
+                .splash-image {
+                    fill: transparent;
+                    stroke: #59bfe6;
+                }
+            }
+        }
+
+        .splash-title-container {
+            padding-bottom: 8rem;
+            padding-left: 60px;
+
+            .splash-title {
+                color: @white;
+                font-weight: @fontWeightBold;
+                font-size: 7.6rem;
+                line-height: 8.1rem;
+            }
+        }
+    }
 
     .dashboard-content-container {
         display: flex;
@@ -20,13 +69,11 @@
         align-items: center;
         justify-content: center;
         width: 100%;
-        margin: 2rem 0;
-        padding: 4rem;
-        border-radius: 12px;
-        background-color: @white;
+        padding: 0 4rem;
 
-        @media @desktopWidth {
-            width: calc(100% - 6rem);
+        @media @largeDesktopWidth {
+            width: auto;
+            min-width: 45%;
         }
     }
 
@@ -35,14 +82,10 @@
         align-items: center;
         justify-content: center;
         width: 100%;
-        height: 12.8rem;
-        margin-bottom: 6.4rem;
+        height: 10rem;
+        margin-bottom: 2rem;
         text-align: center;
 
-        @media @desktopWidth {
-            margin-bottom: 12.8rem;
-        }
-
         .dashboard-logo {
             display: inline-block;
             width: auto;
@@ -50,107 +93,96 @@
         }
     }
 
-    .dashboard-row {
-        display: flex;
+    .dashboard-card {
+        @iconSize: 4rem;
+
         flex-direction: column;
-        align-items: center;
-        width: 90%;
+        width: 100%;
+        max-width: 50rem;
+        padding: 1.6rem;
 
-        @media @desktopWidth {
-            flex-direction: row;
-            justify-content: center;
-            width: auto;
+        &:not(.provider-login-card) {
+            margin-top: 2rem;
         }
-    }
 
-    .login-link {
-        display: flex;
-        flex-direction: column;
-        align-items: center;
-        justify-content: center;
-        width: @cardSizeDefault;
-        min-width: @cardSizeDefault;
-        max-width: @cardSizeDefault;
-        height: @cardSizeDefault;
-        min-height: @cardSizeDefault;
-        max-height: @cardSizeDefault;
-        margin-bottom: @cardSpacing;
-        padding: 0 4rem;
-        border-radius: 8px;
-        color: @white;
-        font-weight: @fontWeightBold;
-        font-size: 2.6rem;
-        text-align: center;
-        background-color: @primaryColor;
-        cursor: pointer;
-        transition: all 0.2s ease-out;
+        .header {
+            display: flex;
+            width: 100%;
+            margin-bottom: 2rem;
 
-        @media @desktopWidth {
-            &.small {
-                width: @cardSizeSmall;
-                min-width: @cardSizeSmall;
-                max-width: @cardSizeSmall;
-                height: @cardSizeSmall;
-                min-height: @cardSizeSmall;
-                max-height: @cardSizeSmall;
+            .login-icon {
+                width: @iconSize;
 
-                &:not(:first-child) {
-                    margin-left: @cardSpacing;
+                &.fill-type {
+                    fill: @primaryColor;
+
+                    &:deep(.custom-fill) {
+                        fill: @white;
+                        stroke: @primaryColor;
+                    }
                 }
-            }
 
-            &.large {
-                width: ~"calc((@{cardSizeSmall} * 3) + (@{cardSpacing} * 2))";
-                max-width: 100%;
+                &.stroke-fill-type,
+                &.stroke-type {
+                    fill: @white;
+                    stroke: @primaryColor;
+                    stroke-width: 2.5;
+                }
             }
-        }
 
-        .login-icon {
-            display: inline-block;
-            width: 4.8rem;
-            margin-bottom: 1.2rem;
-            transition: fill 0.2s ease-out;
+            .title-container {
+                display: flex;
+                flex-direction: column;
+                padding-left: 1.2rem;
 
-            &.fill-type {
-                fill: @white;
+                .title {
+                    font-weight: @fontWeightBold;
+                    font-size: @fontSizeLarge;
+                }
             }
+        }
+
+        .staff-compacts {
+            display: flex;
+            flex-direction: column;
 
-            &.stroke-fill-type,
-            &.stroke-type {
-                fill: fade(@fontColor, 0%);
-                stroke: @white;
-                stroke-width: 2.5;
+            @media @tabletWidth {
+                flex-direction: row;
+                flex-wrap: wrap;
+                align-items: center;
+                justify-content: space-between;
             }
         }
 
-        &:hover {
-            color: @fontColor;
-            background-color: @lightBlue;
+        .login-link {
+            .button-primary();
 
-            .login-icon {
-                &.fill-type {
-                    fill: @fontColor;
-                }
+            display: flex;
+            align-items: center;
+            justify-content: center;
+            min-height: 4rem;
+            font-size: @fontSize;
+            text-align: center;
 
-                &.stroke-fill-type,
-                &.stroke-type {
-                    stroke: @fontColor;
-                }
+            &.small {
+                margin-bottom: 1.6rem;
 
-                &:deep(.custom-fill) {
-                    fill: @primaryColor;
+                @media @tabletWidth {
+                    width: 48%;
+                    height: 7.4rem;
                 }
+            }
 
-                &:deep(.custom-fill-alt) {
-                    fill: @white;
-                }
+            &.register {
+                margin: 0.8rem 0;
             }
         }
 
-        &:deep(.custom-fill),
-        &:deep(.custom-fill-alt) {
-            transition: fill 0.2s ease-out;
-            fill: @darkBlue;
+        .separator {
+            width: 100%;
+            height: 1px;
+            margin: 2rem 0;
+            background-color: @lightGrey;
         }
     }
 
@@ -160,7 +192,7 @@
         align-items: center;
         justify-content: center;
         width: 100%;
-        margin-bottom: 1rem;
+        padding: 4rem 0 2rem;
 
         @media @desktopWidth {
             flex-direction: row;
diff --git a/webroot/src/pages/PublicDashboard/PublicDashboard.ts b/webroot/src/pages/PublicDashboard/PublicDashboard.ts
index d6be16203..f654f4958 100644
--- a/webroot/src/pages/PublicDashboard/PublicDashboard.ts
+++ b/webroot/src/pages/PublicDashboard/PublicDashboard.ts
@@ -14,15 +14,18 @@ import {
     AUTH_LOGIN_GOTO_PATH,
     AUTH_LOGIN_GOTO_PATH_AUTH_TYPE
 } from '@/app.config';
+import Card from '@components/Card/Card.vue';
 import SearchIcon from '@components/Icons/Search/Search.vue';
 import RegisterIcon from '@components/Icons/RegisterAlt/RegisterAlt.vue';
 import StaffUserIcon from '@components/Icons/StaffUser/StaffUser.vue';
 import LicenseeUserIcon from '@components/Icons/LicenseeUser/LicenseeUser.vue';
 import InputButton from '@components/Forms/InputButton/InputButton.vue';
+import { CompactType } from '@models/Compact/Compact.model';
 
 @Component({
     name: 'DashboardPublic',
     components: {
+        Card,
         SearchIcon,
         RegisterIcon,
         StaffUserIcon,
@@ -75,6 +78,10 @@ export default class DashboardPublic extends Vue {
         return getHostedLoginUri(AppModes.JCC, AuthTypes.LICENSEE, this.hostedLoginUriPath);
     }
 
+    get compactTypes(): typeof CompactType {
+        return CompactType;
+    }
+
     get isUsingMockApi(): boolean {
         return this.$envConfig.isUsingMockApi || false;
     }
@@ -141,6 +148,26 @@ export default class DashboardPublic extends Vue {
         });
     }
 
+    getCompactDisplay(compactType: CompactType): string {
+        const compacts = this.$tm('compacts') || [];
+        const selectedCompact = compacts.find((compact) => compact?.key === compactType);
+        const shouldAddAbbrev = [
+            CompactType.ASLP,
+            CompactType.OT,
+        ].includes(compactType);
+        let compactDisplay = '';
+
+        if (selectedCompact) {
+            compactDisplay += selectedCompact.name;
+
+            if (shouldAddAbbrev && selectedCompact.abbrev) {
+                compactDisplay += ` (${selectedCompact.abbrev})`;
+            }
+        }
+
+        return compactDisplay.trim();
+    }
+
     async mockStaffLogin(appMode: AppModes): Promise<void> {
         const goto = authStorage.getItem(AUTH_LOGIN_GOTO_PATH);
         const gotoAuthType = authStorage.getItem(AUTH_LOGIN_GOTO_PATH_AUTH_TYPE);
diff --git a/webroot/src/pages/PublicDashboard/PublicDashboard.vue b/webroot/src/pages/PublicDashboard/PublicDashboard.vue
index 3ca95d7c3..68b8e0de6 100644
--- a/webroot/src/pages/PublicDashboard/PublicDashboard.vue
+++ b/webroot/src/pages/PublicDashboard/PublicDashboard.vue
@@ -7,6 +7,35 @@
 
 <template>
     <div class="login-container">
+        <div class="dashboard-splash-container">
+            <div class="splash-image-container upper">
+                <svg viewBox="0 0 535 217" class="splash-image upper">
+                    <path d="M164.026 208.904L164.026 216.404L164.026 208.904ZM552.708 -96.6482C556.85
+                        -96.6482 560.208 -100.006 560.208 -104.148C560.208 -108.29 556.85 -111.648 552.708
+                        -111.648L552.708 -104.148L552.708 -96.6482ZM534.716 208.904L534.716 201.404L164.026
+                        201.404L164.026 208.904L164.026 216.404L534.716 216.404L534.716 208.904ZM164.026
+                        -104.148L164.026 -96.6483L552.708 -96.6482L552.708 -104.148L552.708 -111.648L164.026
+                        -111.648L164.026 -104.148ZM7.49995 52.3777L15 52.3777C15 -29.9271 81.7212 -96.6483 164.026
+                        -96.6483L164.026 -104.148L164.026 -111.648C73.4369 -111.648 -3.94317e-05 -38.2114
+                        -4.73512e-05 52.3777L7.49995 52.3777ZM7.49995 52.3777L-4.73512e-05 52.3777C-5.52708e-05
+                        142.967 73.437 216.404 164.026 216.404L164.026 208.904L164.026 201.404C81.7213 201.404
+                        14.9999 134.683 15 52.3777L7.49995 52.3777Z"
+                    />
+                </svg>
+            </div>
+            <div class="splash-image-container lower">
+                <svg viewBox="0 0 721 332" class="splash-image lower">
+                    <path d="M-126.192 7.5H472.073C605.133 7.5 713 115.367 713 248.427C713 381.487 605.133
+                        489.354 472.073 489.354H-126.192"
+                        stroke-width="15" stroke-linecap="round"
+                    />
+                </svg>
+            </div>
+            <div class="splash-title-container">
+                <div class="splash-title">{{ $t('compact.welcomeTo') }}</div>
+                <div class="splash-title">{{ $t('common.appName') }}</div>
+            </div>
+        </div>
         <div class="dashboard-content-container">
             <div class="dashboard-logo-container">
                 <img
@@ -15,107 +44,163 @@
                     :alt="$t('common.appName')"
                 />
             </div>
-        <div class="dashboard-row">
-            <router-link
-                :to="{ name: 'LicneseeSearchPublic' }"
-                class="login-link large"
-                tabindex="0"
-            >
-                <SearchIcon class="login-icon" />
-                {{ $t('navigation.verifyPrivilege') }}
-            </router-link>
-        </div>
-        <div class="dashboard-row">
-            <router-link
-                :to="{ name: 'RegisterLicensee' }"
-                class="login-link small"
-                tabindex="0"
-            >
-                <RegisterIcon class="login-icon" />
-                {{ $t('navigation.registerAsProvider') }}
-            </router-link>
-            <a
-                v-if="!isUsingMockApi"
-                :href="hostedLoginUriLicensee"
-                class="login-link small"
-                rel="noopener noreferrer"
-            >
-                <LicenseeUserIcon class="login-icon" />
-                {{ $t('navigation.loginAsProvider') }}
-            </a>
-            <div
-                v-else
-                class="login-link small"
-                @click="mockLicenseeLogin"
-                @keyup.enter="mockLicenseeLogin"
-                tabindex="0"
-                role="button"
-                :aria-label="$t('navigation.loginAsProvider')"
-            >
-                <LicenseeUserIcon class="login-icon" />
-                {{ $t('navigation.loginAsProvider') }}
-            </div>
-            <a
-                v-if="!isUsingMockApi"
-                :href="hostedLoginUriStaff"
-                class="login-link small"
-                rel="noopener noreferrer"
-            >
-                <StaffUserIcon class="login-icon" />
-                {{ $t('navigation.loginAsStaff') }}
-            </a>
-            <div
-                v-else
-                class="login-link small"
-                @click="bypassToStaffLogin"
-                @keyup.enter="bypassToStaffLogin"
-                tabindex="0"
-                role="button"
-                :aria-label="$t('navigation.loginAsStaff')"
-            >
-                <StaffUserIcon class="login-icon" />
-                {{ $t('navigation.loginAsStaff') }}
-            </div>
-
-            <a
-                v-if="!isUsingMockApi"
-                :href="hostedLoginUriStaffCosmo"
-                class="login-link small"
-                rel="noopener noreferrer"
-            >
-                <StaffUserIcon class="login-icon" />
-                {{ $t('navigation.loginAsStaff') }} COSMO
-            </a>
-            <div
-                v-else
-                class="login-link small"
-                @click="bypassToStaffLoginCosmo"
-                @keyup.enter="bypassToStaffLoginCosmo"
-                tabindex="0"
-                role="button"
-                :aria-label="$t('navigation.loginAsStaff')"
-            >
-                <StaffUserIcon class="login-icon" />
-                {{ $t('navigation.loginAsStaff') }} COSMO
+            <Card class="dashboard-card provider-login-card">
+                <div class="header">
+                    <LicenseeUserIcon class="login-icon" />
+                    <div class="title-container">
+                        <div class="title">{{ $t('navigation.loginAsProvider') }}</div>
+                        <div class="title-subtext">{{ $t('navigation.loginAsProviderSubtext') }}</div>
+                    </div>
+                </div>
+                <a
+                    v-if="!isUsingMockApi"
+                    :href="hostedLoginUriLicensee"
+                    class="login-link"
+                    rel="noopener noreferrer"
+                >
+                    {{ $t('navigation.login') }}
+                </a>
+                <div
+                    v-else
+                    class="login-link"
+                    @click="mockLicenseeLogin"
+                    @keyup.enter="mockLicenseeLogin"
+                    tabindex="0"
+                    role="button"
+                    :aria-label="$t('navigation.login')"
+                >
+                    {{ $t('navigation.login') }}
+                </div>
+                <div class="separator" />
+                {{ $t('navigation.registerAsProviderSubtext') }}
+                <router-link
+                    :to="{ name: 'RegisterLicensee' }"
+                    class="login-link register transparent"
+                    tabindex="0"
+                >
+                    {{ $t('navigation.registerAsProvider') }}
+                </router-link>
+            </Card>
+            <Card class="dashboard-card staff-login-card">
+                <div class="header">
+                    <StaffUserIcon class="login-icon" />
+                    <div class="title-container">
+                        <div class="title">{{ $t('navigation.loginAsStaff') }}</div>
+                        <div class="title-subtext">{{ $t('navigation.loginAsStaffSubtext') }}</div>
+                    </div>
+                </div>
+                <div class="staff-compacts">
+                    <a
+                        v-if="!isUsingMockApi"
+                        :href="hostedLoginUriStaff"
+                        class="login-link small"
+                        rel="noopener noreferrer"
+                    >
+                        {{ getCompactDisplay(compactTypes.ASLP) }}
+                    </a>
+                    <div
+                        v-else
+                        class="login-link small"
+                        @click="bypassToStaffLogin"
+                        @keyup.enter="bypassToStaffLogin"
+                        tabindex="0"
+                        role="button"
+                        :aria-label="getCompactDisplay(compactTypes.ASLP)"
+                    >
+                        {{ getCompactDisplay(compactTypes.ASLP) }}
+                    </div>
+                    <a
+                        v-if="!isUsingMockApi"
+                        :href="hostedLoginUriStaff"
+                        class="login-link small"
+                        rel="noopener noreferrer"
+                    >
+                        {{ getCompactDisplay(compactTypes.OT) }}
+                    </a>
+                    <div
+                        v-else
+                        class="login-link small"
+                        @click="bypassToStaffLogin"
+                        @keyup.enter="bypassToStaffLogin"
+                        tabindex="0"
+                        role="button"
+                        :aria-label="getCompactDisplay(compactTypes.OT)"
+                    >
+                        {{ getCompactDisplay(compactTypes.OT) }}
+                    </div>
+                    <a
+                        v-if="!isUsingMockApi"
+                        :href="hostedLoginUriStaff"
+                        class="login-link small"
+                        rel="noopener noreferrer"
+                    >
+                        {{ getCompactDisplay(compactTypes.COUNSELING) }}
+                    </a>
+                    <div
+                        v-else
+                        class="login-link small"
+                        @click="bypassToStaffLogin"
+                        @keyup.enter="bypassToStaffLogin"
+                        tabindex="0"
+                        role="button"
+                        :aria-label="getCompactDisplay(compactTypes.COUNSELING)"
+                    >
+                        {{ getCompactDisplay(compactTypes.COUNSELING) }}
+                    </div>
+                    <a
+                        v-if="!isUsingMockApi"
+                        :href="hostedLoginUriStaffCosmo"
+                        class="login-link small"
+                        rel="noopener noreferrer"
+                    >
+                        {{ getCompactDisplay(compactTypes.COSMETOLOGY) }}
+                    </a>
+                    <div
+                        v-else
+                        class="login-link small"
+                        @click="bypassToStaffLoginCosmo"
+                        @keyup.enter="bypassToStaffLoginCosmo"
+                        tabindex="0"
+                        role="button"
+                        :aria-label="getCompactDisplay(compactTypes.COSMETOLOGY)"
+                    >
+                        {{ getCompactDisplay(compactTypes.COSMETOLOGY) }}
+                    </div>
+                </div>
+            </Card>
+            <Card class="dashboard-card privilege-search">
+                <div class="header">
+                    <SearchIcon class="login-icon" />
+                    <div class="title-container">
+                        <div class="title">{{ $t('navigation.verifyPrivilege') }}</div>
+                        <div class="title-subtext">{{ $t('navigation.verifyPrivilegeSubtext') }}</div>
+                    </div>
+                </div>
+                <router-link
+                    :to="{ name: 'LicneseeSearchPublic' }"
+                    class="login-link transparent"
+                    tabindex="0"
+                >
+                    {{ $t('navigation.verifyPrivilegeSearch') }}
+                </router-link>
+            </Card>
+            <div class="dashboard-footer">
+                <router-link :to="{ name: 'MfaResetStartLicensee' }" class="footer-link">
+                    {{ $t('account.lockedOut') }}
+                </router-link>
+                <router-link :to="{ name: 'PrivacyPolicy' }" class="footer-link">
+                    {{ $t('privacyPolicy.title') }}
+                </router-link>
+                <a
+                    href="https://compactconnect.zendesk.com/hc/en-us"
+                    target="_blank"
+                    rel="noopener noreferrer"
+                    class="footer-link"
+                >
+                    {{ $t('navigation.helpCenter') }}
+                </a>
             </div>
         </div>
-        </div>
-        <div class="dashboard-footer">
-            <router-link :to="{ name: 'MfaResetStartLicensee' }" class="footer-link">
-                {{ $t('account.lockedOut') }}
-            </router-link>
-            <router-link :to="{ name: 'PrivacyPolicy' }" class="footer-link">
-                {{ $t('privacyPolicy.title') }}
-            </router-link>
-            <a
-                href="https://compactconnect.zendesk.com/hc/en-us"
-                target="_blank"
-                rel="noopener noreferrer"
-                class="footer-link"
-            >
-                {{ $t('navigation.helpCenter') }}
-            </a>
-        </div>
     </div>
 </template>
 
diff --git a/webroot/src/pages/RegisterLicensee/RegisterLicensee.less b/webroot/src/pages/RegisterLicensee/RegisterLicensee.less
index 584d387d2..1732fa91c 100644
--- a/webroot/src/pages/RegisterLicensee/RegisterLicensee.less
+++ b/webroot/src/pages/RegisterLicensee/RegisterLicensee.less
@@ -191,14 +191,4 @@
         font-style: italic;
         cursor: pointer;
     }
-
-    .recaptcha-terms {
-        margin: 2.4rem;
-        font-size: @fontSizeSmall;
-        text-align: center;
-
-        .recaptcha-link {
-            text-decoration: underline;
-        }
-    }
 }
diff --git a/webroot/src/pages/RegisterLicensee/RegisterLicensee.ts b/webroot/src/pages/RegisterLicensee/RegisterLicensee.ts
index 30eb897b0..825c131e5 100644
--- a/webroot/src/pages/RegisterLicensee/RegisterLicensee.ts
+++ b/webroot/src/pages/RegisterLicensee/RegisterLicensee.ts
@@ -28,7 +28,7 @@ import InputSubmit from '@components/Forms/InputSubmit/InputSubmit.vue';
 import InputButton from '@components/Forms/InputButton/InputButton.vue';
 import CheckCircle from '@components/Icons/CheckCircle/CheckCircle.vue';
 import MockPopulate from '@components/Forms/MockPopulate/MockPopulate.vue';
-import { Compact } from '@models/Compact/Compact.model';
+import { Compact, CompactType } from '@models/Compact/Compact.model';
 import { State } from '@models/State/State.model';
 import { FormInput } from '@models/FormInput/FormInput.model';
 import Joi from 'joi';
@@ -85,14 +85,21 @@ class RegisterLicensee extends mixins(MixinForm) {
     get licenseTypeOptions(): Array<SelectOption> {
         const options = [{ value: '', name: `- ${this.$t('common.select')} -`, isDisabled: true }];
         const licenseTypes = this.$tm('licensing.licenseTypes') || [];
-
-        licenseTypes.forEach((licenseType) => {
-            options.push({
-                value: licenseType.key,
-                name: licenseType.name,
-                isDisabled: false,
+        const enabledCompacts = [
+            CompactType.ASLP,
+            CompactType.OT,
+            CompactType.COUNSELING,
+        ];
+
+        licenseTypes
+            .filter((licenseType) => enabledCompacts.includes(licenseType.compactKey))
+            .forEach((licenseType) => {
+                options.push({
+                    value: licenseType.key,
+                    name: licenseType.name,
+                    isDisabled: false,
+                });
             });
-        });
 
         return options;
     }
diff --git a/webroot/src/pages/RegisterLicensee/RegisterLicensee.vue b/webroot/src/pages/RegisterLicensee/RegisterLicensee.vue
index 3c1df99d0..63cbbbe82 100644
--- a/webroot/src/pages/RegisterLicensee/RegisterLicensee.vue
+++ b/webroot/src/pages/RegisterLicensee/RegisterLicensee.vue
@@ -179,21 +179,6 @@
             </Transition>
         </Card>
         <div ref="recaptcha"></div>
-        <div class="recaptcha-terms">
-            {{ $t('recaptcha.googleDesc') }}
-            <a
-                href="https://policies.google.com/privacy"
-                rel="noopener noreferrer"
-                class="recaptcha-link"
-            >{{ $t('recaptcha.privacyPolicy') }}</a>
-            {{ $t('recaptcha.and') }}
-            <a
-                href="https://policies.google.com/terms"
-                rel="noopener noreferrer"
-                class="recaptcha-link"
-            >{{ $t('recaptcha.terms') }}</a>
-            {{ $t('recaptcha.apply') }}.
-        </div>
     </Section>
 </template>
 

From 295f8e981617d7f56c26619db3c5c29681e9b547 Mon Sep 17 00:00:00 2001
From: John Sandoval <john@inspiringapps.com>
Date: Fri, 13 Feb 2026 11:18:42 -0700
Subject: [PATCH 12/14] PR review feedback

---
 .../lambdas/nodejs/cloudfront-csp/index.js    |   4 +-
 .../nodejs/cloudfront-csp/test/index.test.js  |   4 +-
 ...ontendDeploymentStack-UI_DISTRIBUTION.json |   2 +-
 ...Stack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json |   2 +-
 ...ontendDeploymentStack-UI_DISTRIBUTION.json |   2 +-
 ...Stack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json |   2 +-
 ...ontendDeploymentStack-UI_DISTRIBUTION.json |   2 +-
 ...Stack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json |   2 +-
 ...ontendDeploymentStack-UI_DISTRIBUTION.json |   2 +-
 ...Stack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json |   2 +-
 .../PublicDashboard/PublicDashboard.less      |  19 +-
 .../pages/PublicDashboard/PublicDashboard.vue | 262 +++++++++---------
 12 files changed, 161 insertions(+), 144 deletions(-)

diff --git a/backend/compact-connect-ui-app/lambdas/nodejs/cloudfront-csp/index.js b/backend/compact-connect-ui-app/lambdas/nodejs/cloudfront-csp/index.js
index 83f7574c3..eef5e425f 100644
--- a/backend/compact-connect-ui-app/lambdas/nodejs/cloudfront-csp/index.js
+++ b/backend/compact-connect-ui-app/lambdas/nodejs/cloudfront-csp/index.js
@@ -252,6 +252,8 @@ const setCspHeader = (headers = {}) => {
             ]),
             buildSrcString('connect-src', [
                 'self',
+                cognitoIdpUrl,
+                'https://www.google.com/recaptcha/',
                 // JCC
                 domains.dataApi,
                 domains.searchApi,
@@ -264,8 +266,6 @@ const setCspHeader = (headers = {}) => {
                 domains.searchApiCosmo,
                 domains.s3UploadUrlStateCosmo,
                 domains.cognitoStaffCosmo,
-                cognitoIdpUrl,
-                'https://www.google.com/recaptcha/',
                 // Begin Statsig domains
                 'https://api.statsig.com/',
                 'https://featuregates.org/',
diff --git a/backend/compact-connect-ui-app/lambdas/nodejs/cloudfront-csp/test/index.test.js b/backend/compact-connect-ui-app/lambdas/nodejs/cloudfront-csp/test/index.test.js
index 1e9c07790..824e3a69d 100644
--- a/backend/compact-connect-ui-app/lambdas/nodejs/cloudfront-csp/test/index.test.js
+++ b/backend/compact-connect-ui-app/lambdas/nodejs/cloudfront-csp/test/index.test.js
@@ -172,6 +172,8 @@ const buildCspHeaders = (environment) => {
     ].join(' ');
     const cspConnectSrc = [
         '\'self\'',
+        cognitoIdpUrl,
+        'https://www.google.com/recaptcha/',
         // JCC
         dataApiUrl,
         searchApiUrl,
@@ -184,8 +186,6 @@ const buildCspHeaders = (environment) => {
         searchApiUrlCosmo,
         s3UploadUrlStateCosmo,
         cognitoStaffUrlCosmo,
-        cognitoIdpUrl,
-        'https://www.google.com/recaptcha/',
         // Begin Statsig domains
         'https://api.statsig.com/',
         'https://featuregates.org/',
diff --git a/backend/compact-connect-ui-app/tests/resources/snapshots/BetaFrontend-FrontendDeploymentStack-UI_DISTRIBUTION.json b/backend/compact-connect-ui-app/tests/resources/snapshots/BetaFrontend-FrontendDeploymentStack-UI_DISTRIBUTION.json
index 2badde480..dc8b372d4 100644
--- a/backend/compact-connect-ui-app/tests/resources/snapshots/BetaFrontend-FrontendDeploymentStack-UI_DISTRIBUTION.json
+++ b/backend/compact-connect-ui-app/tests/resources/snapshots/BetaFrontend-FrontendDeploymentStack-UI_DISTRIBUTION.json
@@ -39,7 +39,7 @@
             {
               "EventType": "viewer-response",
               "LambdaFunctionARN": {
-                "Ref": "CSPFunctionCurrentVersionB61A6611ae71df5f4a2e71905706631237e7d8d0"
+                "Ref": "CSPFunctionCurrentVersionB61A6611f2f39c390a3d6bdfa6597b3ffeb69920"
               }
             }
           ],
diff --git a/backend/compact-connect-ui-app/tests/resources/snapshots/BetaFrontend-FrontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json b/backend/compact-connect-ui-app/tests/resources/snapshots/BetaFrontend-FrontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json
index 7e31da685..7f25a36d5 100644
--- a/backend/compact-connect-ui-app/tests/resources/snapshots/BetaFrontend-FrontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json
+++ b/backend/compact-connect-ui-app/tests/resources/snapshots/BetaFrontend-FrontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json
@@ -2,7 +2,7 @@
   "Type": "AWS::Lambda::Function",
   "Properties": {
     "Code": {
-      "ZipFile": "//\n//  index.js\n//  CompactConnect\n//\n//  Created by InspiringApps on 7/22/2024.\n//\n\n// ============================================================================\n//                               CONFIGURATION                                =\n// ============================================================================\n/**\n * Configuration of supported domains.\n *\n * These values are injected into the lambda function at build time. See the\n * `generate_csp_lambda_code` function in\n * backend/compact-connect-ui-app/stacks/frontend_deployment_stack/distribution.py\n * @type {object}\n */\nconst environmentValues = {\n    webFrontend: `test-ui.example.com`,\n    // JCC\n    dataApi: `test-api.example.com`,\n    searchApi: `test-search-api.example.com`,\n    s3UploadUrlState: `test-bulk-uploads-bucket-name.s3.amazonaws.com`,\n    s3UploadUrlProvider: `test-provider-users-bucket-name.s3.amazonaws.com`,\n    cognitoStaff: `test-staff-domain`,\n    cognitoProvider: `test-provider-domain`,\n    // COSMETOLOGY\n    dataApiCosmo: `test-api.example.com`,\n    searchApiCosmo: `test-search-api.example.com`,\n    s3UploadUrlStateCosmo: `test-bulk-uploads-bucket-name.s3.amazonaws.com`,\n    cognitoStaffCosmo: `test-staff-domain`,\n};\n\n// ============================================================================\n//                                   HELPERS                                  =\n// ============================================================================\n/**\n * Get the request domain from the lambda event record.\n * @param  {object} eventRecord The cloudfront record from the lambda event.\n * @return {string}             The bare domain of the request domain.\n */\n\n/**\n * Get a fully qualified domain URI with the protocol scheme.\n * @param  {string} domain The bare domain string.\n * @return {string}        The fully-qualified domain string.\n */\nconst getFullyQualified = (domain) => {\n    const protocol = 'https://';\n    let fullyQualified = '';\n\n    if (domain && typeof domain === 'string' && !domain.startsWith(protocol)) {\n        fullyQualified = `${protocol}${domain}`;\n    }\n\n    return fullyQualified;\n};\n\n/**\n * Helper to get the fully-qualified domains for connected services.\n * @return {object}               A map of fully-qualified domains for the environment.\n *   @return {string} dataApi       The data API fully-qualified domain.\n *   @return {string} s3UploadUrlState      The S3 fully-qualified domain for uploading state files.\n *   @return {string} s3UploadUrlProvider      The S3 fully-qualified domain for uploading provider files.\n *   @return {string} cognitoStaff  The Cognito fully-qualified domain for authenticating staff users.\n */\nconst getEnvironmentUrls = () => {\n    const environmentUrls = {};\n\n    // JCC\n    environmentUrls.dataApi = getFullyQualified(environmentValues.dataApi);\n    environmentUrls.searchApi = getFullyQualified(environmentValues.searchApi);\n    environmentUrls.s3UploadUrlState = getFullyQualified(environmentValues.s3UploadUrlState);\n    environmentUrls.s3UploadUrlProvider = getFullyQualified(environmentValues.s3UploadUrlProvider);\n    environmentUrls.cognitoStaff = getFullyQualified(environmentValues.cognitoStaff);\n    environmentUrls.cognitoProvider = getFullyQualified(environmentValues.cognitoProvider);\n    // COSMETOLOGY\n    environmentUrls.dataApiCosmo = getFullyQualified(environmentValues.dataApiCosmo);\n    environmentUrls.searchApiCosmo = getFullyQualified(environmentValues.searchApiCosmo);\n    environmentUrls.s3UploadUrlStateCosmo = getFullyQualified(environmentValues.s3UploadUrlStateCosmo);\n    environmentUrls.cognitoStaffCosmo = getFullyQualified(environmentValues.cognitoStaffCosmo);\n\n    return environmentUrls;\n};\n\n/**\n * Helper to escape CSP src keywords.\n * @param  {string} keyword The standard keyword value.\n * @return {string}         The escaped keyword value.\n */\nconst srcKeywordEscape = (keyword) => {\n    let escaped = '';\n\n    if (keyword && typeof keyword === 'string') {\n        escaped = `'${keyword}'`.toLowerCase();\n    }\n\n    return escaped;\n};\n\n/**\n * Helper to automatically escape and prep CSP src keyword values (by reference).\n * @param  {Array<string>} srcList       The CSP src list.\n * @param  {string}        [listName=''] Optional src list name for logging.\n */\nconst srcKeywordsEscape = (srcList, listName = '') => {\n    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#keyword_values\n    const srcKeywordsConfig = [\n        { value: 'self', isAllowed: true },\n        { value: 'none', isAllowed: true },\n        { value: 'strict-dynamic', isAllowed: true },\n        { value: 'report-sample', isAllowed: true },\n        { value: 'inline-speculation-rules', isAllowed: true },\n        { value: 'unsafe-inline', isAllowed: false },\n        { value: 'unsafe-eval', isAllowed: false },\n        { value: 'unsafe-hashes', isAllowed: false },\n        { value: 'wasm-unsafe-eval', isAllowed: false },\n    ];\n    const srcKeywords = srcKeywordsConfig.map((config) => config.value.toLowerCase());\n\n    if (Array.isArray(srcList)) {\n        srcList.forEach((srcItem, idx) => {\n            const isString = typeof srcItem === 'string';\n\n            if (!isString) {\n                srcList[idx] = '';\n            } else {\n                const srcItemLowerCase = srcItem.toLowerCase();\n\n                if (srcKeywords.includes(srcItemLowerCase)) {\n                    const keywordConfig = srcKeywordsConfig.find(\n                        (config) => srcItemLowerCase === config.value.toLowerCase()\n                    );\n\n                    if (keywordConfig) {\n                        if (!keywordConfig.isAllowed) {\n                            console.warn(`${listName} ${srcItem} keyword is not allowed in srcKeywordsConfig policy. We likely should not be using this keyword for security reasons.`.trim());\n                            srcList[idx] = '';\n                        } else {\n                            srcList[idx] = srcKeywordEscape(srcItem);\n                        }\n                    }\n                }\n            }\n        });\n    }\n};\n\n/**\n * Helper to build a CSP src group list string from input params.\n * @param  {string}        name src name for the CSP group.\n * @param  {Array<string>} list The static src list for the CSP group.\n * @return {string}             The prepped src list string;\n */\nconst buildSrcString = (name = '', list = []) => {\n    let srcString = '';\n\n    if (Array.isArray(list)) {\n        srcKeywordsEscape(list, name);\n        srcString = `${name} ${list.join(' ')};`;\n    }\n\n    return srcString;\n};\n\n// ============================================================================\n//                               RESPONSE HEADERS                             =\n// ============================================================================\n/**\n * Set the CSP header on the response (by reference).\n * @param {object} [headers={}]  The event response headers (updated by reference).\n */\nconst setCspHeader = (headers = {}) => {\n    const domains = getEnvironmentUrls();\n    const cognitoIdpUrl = 'https://cognito-idp.us-east-1.amazonaws.com';\n\n    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy\n    headers['content-security-policy'] = [{\n        key: 'Content-Security-Policy',\n        value: `${[\n            `default-src 'none';`,\n            buildSrcString('manifest-src', [\n                'self',\n            ]),\n            buildSrcString('script-src', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://www.gstatic.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('script-src-elem', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://www.gstatic.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('script-src-attr', [\n                'self',\n            ]),\n            buildSrcString('worker-src', [\n                'self',\n            ]),\n            buildSrcString('style-src', [\n                'self',\n                'https://fonts.googleapis.com',\n                'https://www.gstatic.com/recaptcha/',\n            ]),\n            buildSrcString('style-src-elem', [\n                'self',\n                'https://fonts.googleapis.com',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n                `'sha256-YwWQHXh4Vw0oD2Oo8pV9huEF2sE9mD8i5nZUuHzEg9A='`, // <style> tag injected by authorize.net widget\n            ]),\n            buildSrcString('style-src-attr', [\n                'self',\n            ]),\n            buildSrcString('font-src', [\n                'self',\n                'https://fonts.gstatic.com',\n            ]),\n            buildSrcString('img-src', [\n                'self',\n                'data:',\n                domains.dataApi,\n                domains.dataApiCosmo,\n                'https://www.gstatic.com/recaptcha/',\n            ]),\n            buildSrcString('media-src', [\n                'self',\n                domains.dataApi,\n                domains.dataApiCosmo,\n            ]),\n            buildSrcString('frame-src', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://recaptcha.google.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('frame-ancestors', [\n                'none'\n            ]),\n            buildSrcString('object-src', [\n                'none',\n            ]),\n            buildSrcString('form-action', [\n                'none',\n            ]),\n            buildSrcString('connect-src', [\n                'self',\n                // JCC\n                domains.dataApi,\n                domains.searchApi,\n                domains.s3UploadUrlState,\n                domains.s3UploadUrlProvider,\n                domains.cognitoStaff,\n                domains.cognitoProvider,\n                // COSMETOLOGY\n                domains.dataApiCosmo,\n                domains.searchApiCosmo,\n                domains.s3UploadUrlStateCosmo,\n                domains.cognitoStaffCosmo,\n                cognitoIdpUrl,\n                'https://www.google.com/recaptcha/',\n                // Begin Statsig domains\n                'https://api.statsig.com/',\n                'https://featuregates.org/',\n                'https://statsigapi.net/',\n                'https://events.statsigapi.net/',\n                'https://api.statsigcdn.com/',\n                'https://featureassets.org/',\n                'https://assetsconfigcdn.org/',\n                'https://prodregistryv2.org/',\n                'https://cloudflare-dns.com/',\n                'https://beyondwickedmapping.org/',\n                // End Statsig domains\n            ]),\n        ].join(' ')}`,\n    }];\n};\n\n/**\n * Set security headers on the response (by reference).\n * @param {object} [headers={}]  The event response headers (updated by reference).\n */\nconst setSecurityHeaders = (headers = {}) => {\n    // Strict-Transport-Security\n    headers['strict-transport-security'] = [{\n        key: 'Strict-Transport-Security',\n        value: 'max-age=31536000; includeSubdomains; preload',\n    }];\n    // X-Content-Type-Options\n    headers['x-content-type-options'] = [{\n        key: 'X-Content-Type-Options',\n        value: 'nosniff',\n    }];\n    // X-Frame-Options\n    headers['x-frame-options'] = [{\n        key: 'X-Frame-Options',\n        value: 'DENY',\n    }];\n    // Referrer-Policy\n    headers['referrer-policy'] = [{\n        key: 'Referrer-Policy',\n        value: 'strict-origin-when-cross-origin',\n    }];\n    // Server\n    headers.server = [{\n        key: 'Server',\n        value: 'CompactConnect',\n    }];\n    // Content-Security-Policy\n    setCspHeader(headers);\n};\n\n// ============================================================================\n//                                 LAMBDA ENTRY                               =\n// ============================================================================\nexports.handler = async (event) => {\n    // https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-event-structure.html\n    const eventRecord = event?.Records[0]?.cf || {};\n    const response = eventRecord.response || {};\n    const responseHeaders = response.headers || {};\n\n    setSecurityHeaders(responseHeaders);\n\n    return response;\n};\n"
+      "ZipFile": "//\n//  index.js\n//  CompactConnect\n//\n//  Created by InspiringApps on 7/22/2024.\n//\n\n// ============================================================================\n//                               CONFIGURATION                                =\n// ============================================================================\n/**\n * Configuration of supported domains.\n *\n * These values are injected into the lambda function at build time. See the\n * `generate_csp_lambda_code` function in\n * backend/compact-connect-ui-app/stacks/frontend_deployment_stack/distribution.py\n * @type {object}\n */\nconst environmentValues = {\n    webFrontend: `test-ui.example.com`,\n    // JCC\n    dataApi: `test-api.example.com`,\n    searchApi: `test-search-api.example.com`,\n    s3UploadUrlState: `test-bulk-uploads-bucket-name.s3.amazonaws.com`,\n    s3UploadUrlProvider: `test-provider-users-bucket-name.s3.amazonaws.com`,\n    cognitoStaff: `test-staff-domain`,\n    cognitoProvider: `test-provider-domain`,\n    // COSMETOLOGY\n    dataApiCosmo: `test-api.example.com`,\n    searchApiCosmo: `test-search-api.example.com`,\n    s3UploadUrlStateCosmo: `test-bulk-uploads-bucket-name.s3.amazonaws.com`,\n    cognitoStaffCosmo: `test-staff-domain`,\n};\n\n// ============================================================================\n//                                   HELPERS                                  =\n// ============================================================================\n/**\n * Get the request domain from the lambda event record.\n * @param  {object} eventRecord The cloudfront record from the lambda event.\n * @return {string}             The bare domain of the request domain.\n */\n\n/**\n * Get a fully qualified domain URI with the protocol scheme.\n * @param  {string} domain The bare domain string.\n * @return {string}        The fully-qualified domain string.\n */\nconst getFullyQualified = (domain) => {\n    const protocol = 'https://';\n    let fullyQualified = '';\n\n    if (domain && typeof domain === 'string' && !domain.startsWith(protocol)) {\n        fullyQualified = `${protocol}${domain}`;\n    }\n\n    return fullyQualified;\n};\n\n/**\n * Helper to get the fully-qualified domains for connected services.\n * @return {object}               A map of fully-qualified domains for the environment.\n *   @return {string} dataApi       The data API fully-qualified domain.\n *   @return {string} s3UploadUrlState      The S3 fully-qualified domain for uploading state files.\n *   @return {string} s3UploadUrlProvider      The S3 fully-qualified domain for uploading provider files.\n *   @return {string} cognitoStaff  The Cognito fully-qualified domain for authenticating staff users.\n */\nconst getEnvironmentUrls = () => {\n    const environmentUrls = {};\n\n    // JCC\n    environmentUrls.dataApi = getFullyQualified(environmentValues.dataApi);\n    environmentUrls.searchApi = getFullyQualified(environmentValues.searchApi);\n    environmentUrls.s3UploadUrlState = getFullyQualified(environmentValues.s3UploadUrlState);\n    environmentUrls.s3UploadUrlProvider = getFullyQualified(environmentValues.s3UploadUrlProvider);\n    environmentUrls.cognitoStaff = getFullyQualified(environmentValues.cognitoStaff);\n    environmentUrls.cognitoProvider = getFullyQualified(environmentValues.cognitoProvider);\n    // COSMETOLOGY\n    environmentUrls.dataApiCosmo = getFullyQualified(environmentValues.dataApiCosmo);\n    environmentUrls.searchApiCosmo = getFullyQualified(environmentValues.searchApiCosmo);\n    environmentUrls.s3UploadUrlStateCosmo = getFullyQualified(environmentValues.s3UploadUrlStateCosmo);\n    environmentUrls.cognitoStaffCosmo = getFullyQualified(environmentValues.cognitoStaffCosmo);\n\n    return environmentUrls;\n};\n\n/**\n * Helper to escape CSP src keywords.\n * @param  {string} keyword The standard keyword value.\n * @return {string}         The escaped keyword value.\n */\nconst srcKeywordEscape = (keyword) => {\n    let escaped = '';\n\n    if (keyword && typeof keyword === 'string') {\n        escaped = `'${keyword}'`.toLowerCase();\n    }\n\n    return escaped;\n};\n\n/**\n * Helper to automatically escape and prep CSP src keyword values (by reference).\n * @param  {Array<string>} srcList       The CSP src list.\n * @param  {string}        [listName=''] Optional src list name for logging.\n */\nconst srcKeywordsEscape = (srcList, listName = '') => {\n    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#keyword_values\n    const srcKeywordsConfig = [\n        { value: 'self', isAllowed: true },\n        { value: 'none', isAllowed: true },\n        { value: 'strict-dynamic', isAllowed: true },\n        { value: 'report-sample', isAllowed: true },\n        { value: 'inline-speculation-rules', isAllowed: true },\n        { value: 'unsafe-inline', isAllowed: false },\n        { value: 'unsafe-eval', isAllowed: false },\n        { value: 'unsafe-hashes', isAllowed: false },\n        { value: 'wasm-unsafe-eval', isAllowed: false },\n    ];\n    const srcKeywords = srcKeywordsConfig.map((config) => config.value.toLowerCase());\n\n    if (Array.isArray(srcList)) {\n        srcList.forEach((srcItem, idx) => {\n            const isString = typeof srcItem === 'string';\n\n            if (!isString) {\n                srcList[idx] = '';\n            } else {\n                const srcItemLowerCase = srcItem.toLowerCase();\n\n                if (srcKeywords.includes(srcItemLowerCase)) {\n                    const keywordConfig = srcKeywordsConfig.find(\n                        (config) => srcItemLowerCase === config.value.toLowerCase()\n                    );\n\n                    if (keywordConfig) {\n                        if (!keywordConfig.isAllowed) {\n                            console.warn(`${listName} ${srcItem} keyword is not allowed in srcKeywordsConfig policy. We likely should not be using this keyword for security reasons.`.trim());\n                            srcList[idx] = '';\n                        } else {\n                            srcList[idx] = srcKeywordEscape(srcItem);\n                        }\n                    }\n                }\n            }\n        });\n    }\n};\n\n/**\n * Helper to build a CSP src group list string from input params.\n * @param  {string}        name src name for the CSP group.\n * @param  {Array<string>} list The static src list for the CSP group.\n * @return {string}             The prepped src list string;\n */\nconst buildSrcString = (name = '', list = []) => {\n    let srcString = '';\n\n    if (Array.isArray(list)) {\n        srcKeywordsEscape(list, name);\n        srcString = `${name} ${list.join(' ')};`;\n    }\n\n    return srcString;\n};\n\n// ============================================================================\n//                               RESPONSE HEADERS                             =\n// ============================================================================\n/**\n * Set the CSP header on the response (by reference).\n * @param {object} [headers={}]  The event response headers (updated by reference).\n */\nconst setCspHeader = (headers = {}) => {\n    const domains = getEnvironmentUrls();\n    const cognitoIdpUrl = 'https://cognito-idp.us-east-1.amazonaws.com';\n\n    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy\n    headers['content-security-policy'] = [{\n        key: 'Content-Security-Policy',\n        value: `${[\n            `default-src 'none';`,\n            buildSrcString('manifest-src', [\n                'self',\n            ]),\n            buildSrcString('script-src', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://www.gstatic.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('script-src-elem', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://www.gstatic.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('script-src-attr', [\n                'self',\n            ]),\n            buildSrcString('worker-src', [\n                'self',\n            ]),\n            buildSrcString('style-src', [\n                'self',\n                'https://fonts.googleapis.com',\n                'https://www.gstatic.com/recaptcha/',\n            ]),\n            buildSrcString('style-src-elem', [\n                'self',\n                'https://fonts.googleapis.com',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n                `'sha256-YwWQHXh4Vw0oD2Oo8pV9huEF2sE9mD8i5nZUuHzEg9A='`, // <style> tag injected by authorize.net widget\n            ]),\n            buildSrcString('style-src-attr', [\n                'self',\n            ]),\n            buildSrcString('font-src', [\n                'self',\n                'https://fonts.gstatic.com',\n            ]),\n            buildSrcString('img-src', [\n                'self',\n                'data:',\n                domains.dataApi,\n                domains.dataApiCosmo,\n                'https://www.gstatic.com/recaptcha/',\n            ]),\n            buildSrcString('media-src', [\n                'self',\n                domains.dataApi,\n                domains.dataApiCosmo,\n            ]),\n            buildSrcString('frame-src', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://recaptcha.google.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('frame-ancestors', [\n                'none'\n            ]),\n            buildSrcString('object-src', [\n                'none',\n            ]),\n            buildSrcString('form-action', [\n                'none',\n            ]),\n            buildSrcString('connect-src', [\n                'self',\n                cognitoIdpUrl,\n                'https://www.google.com/recaptcha/',\n                // JCC\n                domains.dataApi,\n                domains.searchApi,\n                domains.s3UploadUrlState,\n                domains.s3UploadUrlProvider,\n                domains.cognitoStaff,\n                domains.cognitoProvider,\n                // COSMETOLOGY\n                domains.dataApiCosmo,\n                domains.searchApiCosmo,\n                domains.s3UploadUrlStateCosmo,\n                domains.cognitoStaffCosmo,\n                // Begin Statsig domains\n                'https://api.statsig.com/',\n                'https://featuregates.org/',\n                'https://statsigapi.net/',\n                'https://events.statsigapi.net/',\n                'https://api.statsigcdn.com/',\n                'https://featureassets.org/',\n                'https://assetsconfigcdn.org/',\n                'https://prodregistryv2.org/',\n                'https://cloudflare-dns.com/',\n                'https://beyondwickedmapping.org/',\n                // End Statsig domains\n            ]),\n        ].join(' ')}`,\n    }];\n};\n\n/**\n * Set security headers on the response (by reference).\n * @param {object} [headers={}]  The event response headers (updated by reference).\n */\nconst setSecurityHeaders = (headers = {}) => {\n    // Strict-Transport-Security\n    headers['strict-transport-security'] = [{\n        key: 'Strict-Transport-Security',\n        value: 'max-age=31536000; includeSubdomains; preload',\n    }];\n    // X-Content-Type-Options\n    headers['x-content-type-options'] = [{\n        key: 'X-Content-Type-Options',\n        value: 'nosniff',\n    }];\n    // X-Frame-Options\n    headers['x-frame-options'] = [{\n        key: 'X-Frame-Options',\n        value: 'DENY',\n    }];\n    // Referrer-Policy\n    headers['referrer-policy'] = [{\n        key: 'Referrer-Policy',\n        value: 'strict-origin-when-cross-origin',\n    }];\n    // Server\n    headers.server = [{\n        key: 'Server',\n        value: 'CompactConnect',\n    }];\n    // Content-Security-Policy\n    setCspHeader(headers);\n};\n\n// ============================================================================\n//                                 LAMBDA ENTRY                               =\n// ============================================================================\nexports.handler = async (event) => {\n    // https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-event-structure.html\n    const eventRecord = event?.Records[0]?.cf || {};\n    const response = eventRecord.response || {};\n    const responseHeaders = response.headers || {};\n\n    setSecurityHeaders(responseHeaders);\n\n    return response;\n};\n"
     },
     "Handler": "index.handler",
     "Role": {
diff --git a/backend/compact-connect-ui-app/tests/resources/snapshots/ProdFrontend-FrontendDeploymentStack-UI_DISTRIBUTION.json b/backend/compact-connect-ui-app/tests/resources/snapshots/ProdFrontend-FrontendDeploymentStack-UI_DISTRIBUTION.json
index 7c6497986..29489c8d3 100644
--- a/backend/compact-connect-ui-app/tests/resources/snapshots/ProdFrontend-FrontendDeploymentStack-UI_DISTRIBUTION.json
+++ b/backend/compact-connect-ui-app/tests/resources/snapshots/ProdFrontend-FrontendDeploymentStack-UI_DISTRIBUTION.json
@@ -39,7 +39,7 @@
             {
               "EventType": "viewer-response",
               "LambdaFunctionARN": {
-                "Ref": "CSPFunctionCurrentVersionB61A6611ae71df5f4a2e71905706631237e7d8d0"
+                "Ref": "CSPFunctionCurrentVersionB61A6611f2f39c390a3d6bdfa6597b3ffeb69920"
               }
             }
           ],
diff --git a/backend/compact-connect-ui-app/tests/resources/snapshots/ProdFrontend-FrontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json b/backend/compact-connect-ui-app/tests/resources/snapshots/ProdFrontend-FrontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json
index 7e31da685..7f25a36d5 100644
--- a/backend/compact-connect-ui-app/tests/resources/snapshots/ProdFrontend-FrontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json
+++ b/backend/compact-connect-ui-app/tests/resources/snapshots/ProdFrontend-FrontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json
@@ -2,7 +2,7 @@
   "Type": "AWS::Lambda::Function",
   "Properties": {
     "Code": {
-      "ZipFile": "//\n//  index.js\n//  CompactConnect\n//\n//  Created by InspiringApps on 7/22/2024.\n//\n\n// ============================================================================\n//                               CONFIGURATION                                =\n// ============================================================================\n/**\n * Configuration of supported domains.\n *\n * These values are injected into the lambda function at build time. See the\n * `generate_csp_lambda_code` function in\n * backend/compact-connect-ui-app/stacks/frontend_deployment_stack/distribution.py\n * @type {object}\n */\nconst environmentValues = {\n    webFrontend: `test-ui.example.com`,\n    // JCC\n    dataApi: `test-api.example.com`,\n    searchApi: `test-search-api.example.com`,\n    s3UploadUrlState: `test-bulk-uploads-bucket-name.s3.amazonaws.com`,\n    s3UploadUrlProvider: `test-provider-users-bucket-name.s3.amazonaws.com`,\n    cognitoStaff: `test-staff-domain`,\n    cognitoProvider: `test-provider-domain`,\n    // COSMETOLOGY\n    dataApiCosmo: `test-api.example.com`,\n    searchApiCosmo: `test-search-api.example.com`,\n    s3UploadUrlStateCosmo: `test-bulk-uploads-bucket-name.s3.amazonaws.com`,\n    cognitoStaffCosmo: `test-staff-domain`,\n};\n\n// ============================================================================\n//                                   HELPERS                                  =\n// ============================================================================\n/**\n * Get the request domain from the lambda event record.\n * @param  {object} eventRecord The cloudfront record from the lambda event.\n * @return {string}             The bare domain of the request domain.\n */\n\n/**\n * Get a fully qualified domain URI with the protocol scheme.\n * @param  {string} domain The bare domain string.\n * @return {string}        The fully-qualified domain string.\n */\nconst getFullyQualified = (domain) => {\n    const protocol = 'https://';\n    let fullyQualified = '';\n\n    if (domain && typeof domain === 'string' && !domain.startsWith(protocol)) {\n        fullyQualified = `${protocol}${domain}`;\n    }\n\n    return fullyQualified;\n};\n\n/**\n * Helper to get the fully-qualified domains for connected services.\n * @return {object}               A map of fully-qualified domains for the environment.\n *   @return {string} dataApi       The data API fully-qualified domain.\n *   @return {string} s3UploadUrlState      The S3 fully-qualified domain for uploading state files.\n *   @return {string} s3UploadUrlProvider      The S3 fully-qualified domain for uploading provider files.\n *   @return {string} cognitoStaff  The Cognito fully-qualified domain for authenticating staff users.\n */\nconst getEnvironmentUrls = () => {\n    const environmentUrls = {};\n\n    // JCC\n    environmentUrls.dataApi = getFullyQualified(environmentValues.dataApi);\n    environmentUrls.searchApi = getFullyQualified(environmentValues.searchApi);\n    environmentUrls.s3UploadUrlState = getFullyQualified(environmentValues.s3UploadUrlState);\n    environmentUrls.s3UploadUrlProvider = getFullyQualified(environmentValues.s3UploadUrlProvider);\n    environmentUrls.cognitoStaff = getFullyQualified(environmentValues.cognitoStaff);\n    environmentUrls.cognitoProvider = getFullyQualified(environmentValues.cognitoProvider);\n    // COSMETOLOGY\n    environmentUrls.dataApiCosmo = getFullyQualified(environmentValues.dataApiCosmo);\n    environmentUrls.searchApiCosmo = getFullyQualified(environmentValues.searchApiCosmo);\n    environmentUrls.s3UploadUrlStateCosmo = getFullyQualified(environmentValues.s3UploadUrlStateCosmo);\n    environmentUrls.cognitoStaffCosmo = getFullyQualified(environmentValues.cognitoStaffCosmo);\n\n    return environmentUrls;\n};\n\n/**\n * Helper to escape CSP src keywords.\n * @param  {string} keyword The standard keyword value.\n * @return {string}         The escaped keyword value.\n */\nconst srcKeywordEscape = (keyword) => {\n    let escaped = '';\n\n    if (keyword && typeof keyword === 'string') {\n        escaped = `'${keyword}'`.toLowerCase();\n    }\n\n    return escaped;\n};\n\n/**\n * Helper to automatically escape and prep CSP src keyword values (by reference).\n * @param  {Array<string>} srcList       The CSP src list.\n * @param  {string}        [listName=''] Optional src list name for logging.\n */\nconst srcKeywordsEscape = (srcList, listName = '') => {\n    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#keyword_values\n    const srcKeywordsConfig = [\n        { value: 'self', isAllowed: true },\n        { value: 'none', isAllowed: true },\n        { value: 'strict-dynamic', isAllowed: true },\n        { value: 'report-sample', isAllowed: true },\n        { value: 'inline-speculation-rules', isAllowed: true },\n        { value: 'unsafe-inline', isAllowed: false },\n        { value: 'unsafe-eval', isAllowed: false },\n        { value: 'unsafe-hashes', isAllowed: false },\n        { value: 'wasm-unsafe-eval', isAllowed: false },\n    ];\n    const srcKeywords = srcKeywordsConfig.map((config) => config.value.toLowerCase());\n\n    if (Array.isArray(srcList)) {\n        srcList.forEach((srcItem, idx) => {\n            const isString = typeof srcItem === 'string';\n\n            if (!isString) {\n                srcList[idx] = '';\n            } else {\n                const srcItemLowerCase = srcItem.toLowerCase();\n\n                if (srcKeywords.includes(srcItemLowerCase)) {\n                    const keywordConfig = srcKeywordsConfig.find(\n                        (config) => srcItemLowerCase === config.value.toLowerCase()\n                    );\n\n                    if (keywordConfig) {\n                        if (!keywordConfig.isAllowed) {\n                            console.warn(`${listName} ${srcItem} keyword is not allowed in srcKeywordsConfig policy. We likely should not be using this keyword for security reasons.`.trim());\n                            srcList[idx] = '';\n                        } else {\n                            srcList[idx] = srcKeywordEscape(srcItem);\n                        }\n                    }\n                }\n            }\n        });\n    }\n};\n\n/**\n * Helper to build a CSP src group list string from input params.\n * @param  {string}        name src name for the CSP group.\n * @param  {Array<string>} list The static src list for the CSP group.\n * @return {string}             The prepped src list string;\n */\nconst buildSrcString = (name = '', list = []) => {\n    let srcString = '';\n\n    if (Array.isArray(list)) {\n        srcKeywordsEscape(list, name);\n        srcString = `${name} ${list.join(' ')};`;\n    }\n\n    return srcString;\n};\n\n// ============================================================================\n//                               RESPONSE HEADERS                             =\n// ============================================================================\n/**\n * Set the CSP header on the response (by reference).\n * @param {object} [headers={}]  The event response headers (updated by reference).\n */\nconst setCspHeader = (headers = {}) => {\n    const domains = getEnvironmentUrls();\n    const cognitoIdpUrl = 'https://cognito-idp.us-east-1.amazonaws.com';\n\n    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy\n    headers['content-security-policy'] = [{\n        key: 'Content-Security-Policy',\n        value: `${[\n            `default-src 'none';`,\n            buildSrcString('manifest-src', [\n                'self',\n            ]),\n            buildSrcString('script-src', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://www.gstatic.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('script-src-elem', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://www.gstatic.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('script-src-attr', [\n                'self',\n            ]),\n            buildSrcString('worker-src', [\n                'self',\n            ]),\n            buildSrcString('style-src', [\n                'self',\n                'https://fonts.googleapis.com',\n                'https://www.gstatic.com/recaptcha/',\n            ]),\n            buildSrcString('style-src-elem', [\n                'self',\n                'https://fonts.googleapis.com',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n                `'sha256-YwWQHXh4Vw0oD2Oo8pV9huEF2sE9mD8i5nZUuHzEg9A='`, // <style> tag injected by authorize.net widget\n            ]),\n            buildSrcString('style-src-attr', [\n                'self',\n            ]),\n            buildSrcString('font-src', [\n                'self',\n                'https://fonts.gstatic.com',\n            ]),\n            buildSrcString('img-src', [\n                'self',\n                'data:',\n                domains.dataApi,\n                domains.dataApiCosmo,\n                'https://www.gstatic.com/recaptcha/',\n            ]),\n            buildSrcString('media-src', [\n                'self',\n                domains.dataApi,\n                domains.dataApiCosmo,\n            ]),\n            buildSrcString('frame-src', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://recaptcha.google.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('frame-ancestors', [\n                'none'\n            ]),\n            buildSrcString('object-src', [\n                'none',\n            ]),\n            buildSrcString('form-action', [\n                'none',\n            ]),\n            buildSrcString('connect-src', [\n                'self',\n                // JCC\n                domains.dataApi,\n                domains.searchApi,\n                domains.s3UploadUrlState,\n                domains.s3UploadUrlProvider,\n                domains.cognitoStaff,\n                domains.cognitoProvider,\n                // COSMETOLOGY\n                domains.dataApiCosmo,\n                domains.searchApiCosmo,\n                domains.s3UploadUrlStateCosmo,\n                domains.cognitoStaffCosmo,\n                cognitoIdpUrl,\n                'https://www.google.com/recaptcha/',\n                // Begin Statsig domains\n                'https://api.statsig.com/',\n                'https://featuregates.org/',\n                'https://statsigapi.net/',\n                'https://events.statsigapi.net/',\n                'https://api.statsigcdn.com/',\n                'https://featureassets.org/',\n                'https://assetsconfigcdn.org/',\n                'https://prodregistryv2.org/',\n                'https://cloudflare-dns.com/',\n                'https://beyondwickedmapping.org/',\n                // End Statsig domains\n            ]),\n        ].join(' ')}`,\n    }];\n};\n\n/**\n * Set security headers on the response (by reference).\n * @param {object} [headers={}]  The event response headers (updated by reference).\n */\nconst setSecurityHeaders = (headers = {}) => {\n    // Strict-Transport-Security\n    headers['strict-transport-security'] = [{\n        key: 'Strict-Transport-Security',\n        value: 'max-age=31536000; includeSubdomains; preload',\n    }];\n    // X-Content-Type-Options\n    headers['x-content-type-options'] = [{\n        key: 'X-Content-Type-Options',\n        value: 'nosniff',\n    }];\n    // X-Frame-Options\n    headers['x-frame-options'] = [{\n        key: 'X-Frame-Options',\n        value: 'DENY',\n    }];\n    // Referrer-Policy\n    headers['referrer-policy'] = [{\n        key: 'Referrer-Policy',\n        value: 'strict-origin-when-cross-origin',\n    }];\n    // Server\n    headers.server = [{\n        key: 'Server',\n        value: 'CompactConnect',\n    }];\n    // Content-Security-Policy\n    setCspHeader(headers);\n};\n\n// ============================================================================\n//                                 LAMBDA ENTRY                               =\n// ============================================================================\nexports.handler = async (event) => {\n    // https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-event-structure.html\n    const eventRecord = event?.Records[0]?.cf || {};\n    const response = eventRecord.response || {};\n    const responseHeaders = response.headers || {};\n\n    setSecurityHeaders(responseHeaders);\n\n    return response;\n};\n"
+      "ZipFile": "//\n//  index.js\n//  CompactConnect\n//\n//  Created by InspiringApps on 7/22/2024.\n//\n\n// ============================================================================\n//                               CONFIGURATION                                =\n// ============================================================================\n/**\n * Configuration of supported domains.\n *\n * These values are injected into the lambda function at build time. See the\n * `generate_csp_lambda_code` function in\n * backend/compact-connect-ui-app/stacks/frontend_deployment_stack/distribution.py\n * @type {object}\n */\nconst environmentValues = {\n    webFrontend: `test-ui.example.com`,\n    // JCC\n    dataApi: `test-api.example.com`,\n    searchApi: `test-search-api.example.com`,\n    s3UploadUrlState: `test-bulk-uploads-bucket-name.s3.amazonaws.com`,\n    s3UploadUrlProvider: `test-provider-users-bucket-name.s3.amazonaws.com`,\n    cognitoStaff: `test-staff-domain`,\n    cognitoProvider: `test-provider-domain`,\n    // COSMETOLOGY\n    dataApiCosmo: `test-api.example.com`,\n    searchApiCosmo: `test-search-api.example.com`,\n    s3UploadUrlStateCosmo: `test-bulk-uploads-bucket-name.s3.amazonaws.com`,\n    cognitoStaffCosmo: `test-staff-domain`,\n};\n\n// ============================================================================\n//                                   HELPERS                                  =\n// ============================================================================\n/**\n * Get the request domain from the lambda event record.\n * @param  {object} eventRecord The cloudfront record from the lambda event.\n * @return {string}             The bare domain of the request domain.\n */\n\n/**\n * Get a fully qualified domain URI with the protocol scheme.\n * @param  {string} domain The bare domain string.\n * @return {string}        The fully-qualified domain string.\n */\nconst getFullyQualified = (domain) => {\n    const protocol = 'https://';\n    let fullyQualified = '';\n\n    if (domain && typeof domain === 'string' && !domain.startsWith(protocol)) {\n        fullyQualified = `${protocol}${domain}`;\n    }\n\n    return fullyQualified;\n};\n\n/**\n * Helper to get the fully-qualified domains for connected services.\n * @return {object}               A map of fully-qualified domains for the environment.\n *   @return {string} dataApi       The data API fully-qualified domain.\n *   @return {string} s3UploadUrlState      The S3 fully-qualified domain for uploading state files.\n *   @return {string} s3UploadUrlProvider      The S3 fully-qualified domain for uploading provider files.\n *   @return {string} cognitoStaff  The Cognito fully-qualified domain for authenticating staff users.\n */\nconst getEnvironmentUrls = () => {\n    const environmentUrls = {};\n\n    // JCC\n    environmentUrls.dataApi = getFullyQualified(environmentValues.dataApi);\n    environmentUrls.searchApi = getFullyQualified(environmentValues.searchApi);\n    environmentUrls.s3UploadUrlState = getFullyQualified(environmentValues.s3UploadUrlState);\n    environmentUrls.s3UploadUrlProvider = getFullyQualified(environmentValues.s3UploadUrlProvider);\n    environmentUrls.cognitoStaff = getFullyQualified(environmentValues.cognitoStaff);\n    environmentUrls.cognitoProvider = getFullyQualified(environmentValues.cognitoProvider);\n    // COSMETOLOGY\n    environmentUrls.dataApiCosmo = getFullyQualified(environmentValues.dataApiCosmo);\n    environmentUrls.searchApiCosmo = getFullyQualified(environmentValues.searchApiCosmo);\n    environmentUrls.s3UploadUrlStateCosmo = getFullyQualified(environmentValues.s3UploadUrlStateCosmo);\n    environmentUrls.cognitoStaffCosmo = getFullyQualified(environmentValues.cognitoStaffCosmo);\n\n    return environmentUrls;\n};\n\n/**\n * Helper to escape CSP src keywords.\n * @param  {string} keyword The standard keyword value.\n * @return {string}         The escaped keyword value.\n */\nconst srcKeywordEscape = (keyword) => {\n    let escaped = '';\n\n    if (keyword && typeof keyword === 'string') {\n        escaped = `'${keyword}'`.toLowerCase();\n    }\n\n    return escaped;\n};\n\n/**\n * Helper to automatically escape and prep CSP src keyword values (by reference).\n * @param  {Array<string>} srcList       The CSP src list.\n * @param  {string}        [listName=''] Optional src list name for logging.\n */\nconst srcKeywordsEscape = (srcList, listName = '') => {\n    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#keyword_values\n    const srcKeywordsConfig = [\n        { value: 'self', isAllowed: true },\n        { value: 'none', isAllowed: true },\n        { value: 'strict-dynamic', isAllowed: true },\n        { value: 'report-sample', isAllowed: true },\n        { value: 'inline-speculation-rules', isAllowed: true },\n        { value: 'unsafe-inline', isAllowed: false },\n        { value: 'unsafe-eval', isAllowed: false },\n        { value: 'unsafe-hashes', isAllowed: false },\n        { value: 'wasm-unsafe-eval', isAllowed: false },\n    ];\n    const srcKeywords = srcKeywordsConfig.map((config) => config.value.toLowerCase());\n\n    if (Array.isArray(srcList)) {\n        srcList.forEach((srcItem, idx) => {\n            const isString = typeof srcItem === 'string';\n\n            if (!isString) {\n                srcList[idx] = '';\n            } else {\n                const srcItemLowerCase = srcItem.toLowerCase();\n\n                if (srcKeywords.includes(srcItemLowerCase)) {\n                    const keywordConfig = srcKeywordsConfig.find(\n                        (config) => srcItemLowerCase === config.value.toLowerCase()\n                    );\n\n                    if (keywordConfig) {\n                        if (!keywordConfig.isAllowed) {\n                            console.warn(`${listName} ${srcItem} keyword is not allowed in srcKeywordsConfig policy. We likely should not be using this keyword for security reasons.`.trim());\n                            srcList[idx] = '';\n                        } else {\n                            srcList[idx] = srcKeywordEscape(srcItem);\n                        }\n                    }\n                }\n            }\n        });\n    }\n};\n\n/**\n * Helper to build a CSP src group list string from input params.\n * @param  {string}        name src name for the CSP group.\n * @param  {Array<string>} list The static src list for the CSP group.\n * @return {string}             The prepped src list string;\n */\nconst buildSrcString = (name = '', list = []) => {\n    let srcString = '';\n\n    if (Array.isArray(list)) {\n        srcKeywordsEscape(list, name);\n        srcString = `${name} ${list.join(' ')};`;\n    }\n\n    return srcString;\n};\n\n// ============================================================================\n//                               RESPONSE HEADERS                             =\n// ============================================================================\n/**\n * Set the CSP header on the response (by reference).\n * @param {object} [headers={}]  The event response headers (updated by reference).\n */\nconst setCspHeader = (headers = {}) => {\n    const domains = getEnvironmentUrls();\n    const cognitoIdpUrl = 'https://cognito-idp.us-east-1.amazonaws.com';\n\n    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy\n    headers['content-security-policy'] = [{\n        key: 'Content-Security-Policy',\n        value: `${[\n            `default-src 'none';`,\n            buildSrcString('manifest-src', [\n                'self',\n            ]),\n            buildSrcString('script-src', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://www.gstatic.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('script-src-elem', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://www.gstatic.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('script-src-attr', [\n                'self',\n            ]),\n            buildSrcString('worker-src', [\n                'self',\n            ]),\n            buildSrcString('style-src', [\n                'self',\n                'https://fonts.googleapis.com',\n                'https://www.gstatic.com/recaptcha/',\n            ]),\n            buildSrcString('style-src-elem', [\n                'self',\n                'https://fonts.googleapis.com',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n                `'sha256-YwWQHXh4Vw0oD2Oo8pV9huEF2sE9mD8i5nZUuHzEg9A='`, // <style> tag injected by authorize.net widget\n            ]),\n            buildSrcString('style-src-attr', [\n                'self',\n            ]),\n            buildSrcString('font-src', [\n                'self',\n                'https://fonts.gstatic.com',\n            ]),\n            buildSrcString('img-src', [\n                'self',\n                'data:',\n                domains.dataApi,\n                domains.dataApiCosmo,\n                'https://www.gstatic.com/recaptcha/',\n            ]),\n            buildSrcString('media-src', [\n                'self',\n                domains.dataApi,\n                domains.dataApiCosmo,\n            ]),\n            buildSrcString('frame-src', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://recaptcha.google.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('frame-ancestors', [\n                'none'\n            ]),\n            buildSrcString('object-src', [\n                'none',\n            ]),\n            buildSrcString('form-action', [\n                'none',\n            ]),\n            buildSrcString('connect-src', [\n                'self',\n                cognitoIdpUrl,\n                'https://www.google.com/recaptcha/',\n                // JCC\n                domains.dataApi,\n                domains.searchApi,\n                domains.s3UploadUrlState,\n                domains.s3UploadUrlProvider,\n                domains.cognitoStaff,\n                domains.cognitoProvider,\n                // COSMETOLOGY\n                domains.dataApiCosmo,\n                domains.searchApiCosmo,\n                domains.s3UploadUrlStateCosmo,\n                domains.cognitoStaffCosmo,\n                // Begin Statsig domains\n                'https://api.statsig.com/',\n                'https://featuregates.org/',\n                'https://statsigapi.net/',\n                'https://events.statsigapi.net/',\n                'https://api.statsigcdn.com/',\n                'https://featureassets.org/',\n                'https://assetsconfigcdn.org/',\n                'https://prodregistryv2.org/',\n                'https://cloudflare-dns.com/',\n                'https://beyondwickedmapping.org/',\n                // End Statsig domains\n            ]),\n        ].join(' ')}`,\n    }];\n};\n\n/**\n * Set security headers on the response (by reference).\n * @param {object} [headers={}]  The event response headers (updated by reference).\n */\nconst setSecurityHeaders = (headers = {}) => {\n    // Strict-Transport-Security\n    headers['strict-transport-security'] = [{\n        key: 'Strict-Transport-Security',\n        value: 'max-age=31536000; includeSubdomains; preload',\n    }];\n    // X-Content-Type-Options\n    headers['x-content-type-options'] = [{\n        key: 'X-Content-Type-Options',\n        value: 'nosniff',\n    }];\n    // X-Frame-Options\n    headers['x-frame-options'] = [{\n        key: 'X-Frame-Options',\n        value: 'DENY',\n    }];\n    // Referrer-Policy\n    headers['referrer-policy'] = [{\n        key: 'Referrer-Policy',\n        value: 'strict-origin-when-cross-origin',\n    }];\n    // Server\n    headers.server = [{\n        key: 'Server',\n        value: 'CompactConnect',\n    }];\n    // Content-Security-Policy\n    setCspHeader(headers);\n};\n\n// ============================================================================\n//                                 LAMBDA ENTRY                               =\n// ============================================================================\nexports.handler = async (event) => {\n    // https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-event-structure.html\n    const eventRecord = event?.Records[0]?.cf || {};\n    const response = eventRecord.response || {};\n    const responseHeaders = response.headers || {};\n\n    setSecurityHeaders(responseHeaders);\n\n    return response;\n};\n"
     },
     "Handler": "index.handler",
     "Role": {
diff --git a/backend/compact-connect-ui-app/tests/resources/snapshots/SandboxUI-FrontendDeploymentStack-UI_DISTRIBUTION.json b/backend/compact-connect-ui-app/tests/resources/snapshots/SandboxUI-FrontendDeploymentStack-UI_DISTRIBUTION.json
index aaba47e6c..094beac19 100644
--- a/backend/compact-connect-ui-app/tests/resources/snapshots/SandboxUI-FrontendDeploymentStack-UI_DISTRIBUTION.json
+++ b/backend/compact-connect-ui-app/tests/resources/snapshots/SandboxUI-FrontendDeploymentStack-UI_DISTRIBUTION.json
@@ -39,7 +39,7 @@
             {
               "EventType": "viewer-response",
               "LambdaFunctionARN": {
-                "Ref": "CSPFunctionCurrentVersionB61A6611ae71df5f4a2e71905706631237e7d8d0"
+                "Ref": "CSPFunctionCurrentVersionB61A6611f2f39c390a3d6bdfa6597b3ffeb69920"
               }
             }
           ],
diff --git a/backend/compact-connect-ui-app/tests/resources/snapshots/SandboxUI-FrontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json b/backend/compact-connect-ui-app/tests/resources/snapshots/SandboxUI-FrontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json
index 7e31da685..7f25a36d5 100644
--- a/backend/compact-connect-ui-app/tests/resources/snapshots/SandboxUI-FrontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json
+++ b/backend/compact-connect-ui-app/tests/resources/snapshots/SandboxUI-FrontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json
@@ -2,7 +2,7 @@
   "Type": "AWS::Lambda::Function",
   "Properties": {
     "Code": {
-      "ZipFile": "//\n//  index.js\n//  CompactConnect\n//\n//  Created by InspiringApps on 7/22/2024.\n//\n\n// ============================================================================\n//                               CONFIGURATION                                =\n// ============================================================================\n/**\n * Configuration of supported domains.\n *\n * These values are injected into the lambda function at build time. See the\n * `generate_csp_lambda_code` function in\n * backend/compact-connect-ui-app/stacks/frontend_deployment_stack/distribution.py\n * @type {object}\n */\nconst environmentValues = {\n    webFrontend: `test-ui.example.com`,\n    // JCC\n    dataApi: `test-api.example.com`,\n    searchApi: `test-search-api.example.com`,\n    s3UploadUrlState: `test-bulk-uploads-bucket-name.s3.amazonaws.com`,\n    s3UploadUrlProvider: `test-provider-users-bucket-name.s3.amazonaws.com`,\n    cognitoStaff: `test-staff-domain`,\n    cognitoProvider: `test-provider-domain`,\n    // COSMETOLOGY\n    dataApiCosmo: `test-api.example.com`,\n    searchApiCosmo: `test-search-api.example.com`,\n    s3UploadUrlStateCosmo: `test-bulk-uploads-bucket-name.s3.amazonaws.com`,\n    cognitoStaffCosmo: `test-staff-domain`,\n};\n\n// ============================================================================\n//                                   HELPERS                                  =\n// ============================================================================\n/**\n * Get the request domain from the lambda event record.\n * @param  {object} eventRecord The cloudfront record from the lambda event.\n * @return {string}             The bare domain of the request domain.\n */\n\n/**\n * Get a fully qualified domain URI with the protocol scheme.\n * @param  {string} domain The bare domain string.\n * @return {string}        The fully-qualified domain string.\n */\nconst getFullyQualified = (domain) => {\n    const protocol = 'https://';\n    let fullyQualified = '';\n\n    if (domain && typeof domain === 'string' && !domain.startsWith(protocol)) {\n        fullyQualified = `${protocol}${domain}`;\n    }\n\n    return fullyQualified;\n};\n\n/**\n * Helper to get the fully-qualified domains for connected services.\n * @return {object}               A map of fully-qualified domains for the environment.\n *   @return {string} dataApi       The data API fully-qualified domain.\n *   @return {string} s3UploadUrlState      The S3 fully-qualified domain for uploading state files.\n *   @return {string} s3UploadUrlProvider      The S3 fully-qualified domain for uploading provider files.\n *   @return {string} cognitoStaff  The Cognito fully-qualified domain for authenticating staff users.\n */\nconst getEnvironmentUrls = () => {\n    const environmentUrls = {};\n\n    // JCC\n    environmentUrls.dataApi = getFullyQualified(environmentValues.dataApi);\n    environmentUrls.searchApi = getFullyQualified(environmentValues.searchApi);\n    environmentUrls.s3UploadUrlState = getFullyQualified(environmentValues.s3UploadUrlState);\n    environmentUrls.s3UploadUrlProvider = getFullyQualified(environmentValues.s3UploadUrlProvider);\n    environmentUrls.cognitoStaff = getFullyQualified(environmentValues.cognitoStaff);\n    environmentUrls.cognitoProvider = getFullyQualified(environmentValues.cognitoProvider);\n    // COSMETOLOGY\n    environmentUrls.dataApiCosmo = getFullyQualified(environmentValues.dataApiCosmo);\n    environmentUrls.searchApiCosmo = getFullyQualified(environmentValues.searchApiCosmo);\n    environmentUrls.s3UploadUrlStateCosmo = getFullyQualified(environmentValues.s3UploadUrlStateCosmo);\n    environmentUrls.cognitoStaffCosmo = getFullyQualified(environmentValues.cognitoStaffCosmo);\n\n    return environmentUrls;\n};\n\n/**\n * Helper to escape CSP src keywords.\n * @param  {string} keyword The standard keyword value.\n * @return {string}         The escaped keyword value.\n */\nconst srcKeywordEscape = (keyword) => {\n    let escaped = '';\n\n    if (keyword && typeof keyword === 'string') {\n        escaped = `'${keyword}'`.toLowerCase();\n    }\n\n    return escaped;\n};\n\n/**\n * Helper to automatically escape and prep CSP src keyword values (by reference).\n * @param  {Array<string>} srcList       The CSP src list.\n * @param  {string}        [listName=''] Optional src list name for logging.\n */\nconst srcKeywordsEscape = (srcList, listName = '') => {\n    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#keyword_values\n    const srcKeywordsConfig = [\n        { value: 'self', isAllowed: true },\n        { value: 'none', isAllowed: true },\n        { value: 'strict-dynamic', isAllowed: true },\n        { value: 'report-sample', isAllowed: true },\n        { value: 'inline-speculation-rules', isAllowed: true },\n        { value: 'unsafe-inline', isAllowed: false },\n        { value: 'unsafe-eval', isAllowed: false },\n        { value: 'unsafe-hashes', isAllowed: false },\n        { value: 'wasm-unsafe-eval', isAllowed: false },\n    ];\n    const srcKeywords = srcKeywordsConfig.map((config) => config.value.toLowerCase());\n\n    if (Array.isArray(srcList)) {\n        srcList.forEach((srcItem, idx) => {\n            const isString = typeof srcItem === 'string';\n\n            if (!isString) {\n                srcList[idx] = '';\n            } else {\n                const srcItemLowerCase = srcItem.toLowerCase();\n\n                if (srcKeywords.includes(srcItemLowerCase)) {\n                    const keywordConfig = srcKeywordsConfig.find(\n                        (config) => srcItemLowerCase === config.value.toLowerCase()\n                    );\n\n                    if (keywordConfig) {\n                        if (!keywordConfig.isAllowed) {\n                            console.warn(`${listName} ${srcItem} keyword is not allowed in srcKeywordsConfig policy. We likely should not be using this keyword for security reasons.`.trim());\n                            srcList[idx] = '';\n                        } else {\n                            srcList[idx] = srcKeywordEscape(srcItem);\n                        }\n                    }\n                }\n            }\n        });\n    }\n};\n\n/**\n * Helper to build a CSP src group list string from input params.\n * @param  {string}        name src name for the CSP group.\n * @param  {Array<string>} list The static src list for the CSP group.\n * @return {string}             The prepped src list string;\n */\nconst buildSrcString = (name = '', list = []) => {\n    let srcString = '';\n\n    if (Array.isArray(list)) {\n        srcKeywordsEscape(list, name);\n        srcString = `${name} ${list.join(' ')};`;\n    }\n\n    return srcString;\n};\n\n// ============================================================================\n//                               RESPONSE HEADERS                             =\n// ============================================================================\n/**\n * Set the CSP header on the response (by reference).\n * @param {object} [headers={}]  The event response headers (updated by reference).\n */\nconst setCspHeader = (headers = {}) => {\n    const domains = getEnvironmentUrls();\n    const cognitoIdpUrl = 'https://cognito-idp.us-east-1.amazonaws.com';\n\n    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy\n    headers['content-security-policy'] = [{\n        key: 'Content-Security-Policy',\n        value: `${[\n            `default-src 'none';`,\n            buildSrcString('manifest-src', [\n                'self',\n            ]),\n            buildSrcString('script-src', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://www.gstatic.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('script-src-elem', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://www.gstatic.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('script-src-attr', [\n                'self',\n            ]),\n            buildSrcString('worker-src', [\n                'self',\n            ]),\n            buildSrcString('style-src', [\n                'self',\n                'https://fonts.googleapis.com',\n                'https://www.gstatic.com/recaptcha/',\n            ]),\n            buildSrcString('style-src-elem', [\n                'self',\n                'https://fonts.googleapis.com',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n                `'sha256-YwWQHXh4Vw0oD2Oo8pV9huEF2sE9mD8i5nZUuHzEg9A='`, // <style> tag injected by authorize.net widget\n            ]),\n            buildSrcString('style-src-attr', [\n                'self',\n            ]),\n            buildSrcString('font-src', [\n                'self',\n                'https://fonts.gstatic.com',\n            ]),\n            buildSrcString('img-src', [\n                'self',\n                'data:',\n                domains.dataApi,\n                domains.dataApiCosmo,\n                'https://www.gstatic.com/recaptcha/',\n            ]),\n            buildSrcString('media-src', [\n                'self',\n                domains.dataApi,\n                domains.dataApiCosmo,\n            ]),\n            buildSrcString('frame-src', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://recaptcha.google.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('frame-ancestors', [\n                'none'\n            ]),\n            buildSrcString('object-src', [\n                'none',\n            ]),\n            buildSrcString('form-action', [\n                'none',\n            ]),\n            buildSrcString('connect-src', [\n                'self',\n                // JCC\n                domains.dataApi,\n                domains.searchApi,\n                domains.s3UploadUrlState,\n                domains.s3UploadUrlProvider,\n                domains.cognitoStaff,\n                domains.cognitoProvider,\n                // COSMETOLOGY\n                domains.dataApiCosmo,\n                domains.searchApiCosmo,\n                domains.s3UploadUrlStateCosmo,\n                domains.cognitoStaffCosmo,\n                cognitoIdpUrl,\n                'https://www.google.com/recaptcha/',\n                // Begin Statsig domains\n                'https://api.statsig.com/',\n                'https://featuregates.org/',\n                'https://statsigapi.net/',\n                'https://events.statsigapi.net/',\n                'https://api.statsigcdn.com/',\n                'https://featureassets.org/',\n                'https://assetsconfigcdn.org/',\n                'https://prodregistryv2.org/',\n                'https://cloudflare-dns.com/',\n                'https://beyondwickedmapping.org/',\n                // End Statsig domains\n            ]),\n        ].join(' ')}`,\n    }];\n};\n\n/**\n * Set security headers on the response (by reference).\n * @param {object} [headers={}]  The event response headers (updated by reference).\n */\nconst setSecurityHeaders = (headers = {}) => {\n    // Strict-Transport-Security\n    headers['strict-transport-security'] = [{\n        key: 'Strict-Transport-Security',\n        value: 'max-age=31536000; includeSubdomains; preload',\n    }];\n    // X-Content-Type-Options\n    headers['x-content-type-options'] = [{\n        key: 'X-Content-Type-Options',\n        value: 'nosniff',\n    }];\n    // X-Frame-Options\n    headers['x-frame-options'] = [{\n        key: 'X-Frame-Options',\n        value: 'DENY',\n    }];\n    // Referrer-Policy\n    headers['referrer-policy'] = [{\n        key: 'Referrer-Policy',\n        value: 'strict-origin-when-cross-origin',\n    }];\n    // Server\n    headers.server = [{\n        key: 'Server',\n        value: 'CompactConnect',\n    }];\n    // Content-Security-Policy\n    setCspHeader(headers);\n};\n\n// ============================================================================\n//                                 LAMBDA ENTRY                               =\n// ============================================================================\nexports.handler = async (event) => {\n    // https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-event-structure.html\n    const eventRecord = event?.Records[0]?.cf || {};\n    const response = eventRecord.response || {};\n    const responseHeaders = response.headers || {};\n\n    setSecurityHeaders(responseHeaders);\n\n    return response;\n};\n"
+      "ZipFile": "//\n//  index.js\n//  CompactConnect\n//\n//  Created by InspiringApps on 7/22/2024.\n//\n\n// ============================================================================\n//                               CONFIGURATION                                =\n// ============================================================================\n/**\n * Configuration of supported domains.\n *\n * These values are injected into the lambda function at build time. See the\n * `generate_csp_lambda_code` function in\n * backend/compact-connect-ui-app/stacks/frontend_deployment_stack/distribution.py\n * @type {object}\n */\nconst environmentValues = {\n    webFrontend: `test-ui.example.com`,\n    // JCC\n    dataApi: `test-api.example.com`,\n    searchApi: `test-search-api.example.com`,\n    s3UploadUrlState: `test-bulk-uploads-bucket-name.s3.amazonaws.com`,\n    s3UploadUrlProvider: `test-provider-users-bucket-name.s3.amazonaws.com`,\n    cognitoStaff: `test-staff-domain`,\n    cognitoProvider: `test-provider-domain`,\n    // COSMETOLOGY\n    dataApiCosmo: `test-api.example.com`,\n    searchApiCosmo: `test-search-api.example.com`,\n    s3UploadUrlStateCosmo: `test-bulk-uploads-bucket-name.s3.amazonaws.com`,\n    cognitoStaffCosmo: `test-staff-domain`,\n};\n\n// ============================================================================\n//                                   HELPERS                                  =\n// ============================================================================\n/**\n * Get the request domain from the lambda event record.\n * @param  {object} eventRecord The cloudfront record from the lambda event.\n * @return {string}             The bare domain of the request domain.\n */\n\n/**\n * Get a fully qualified domain URI with the protocol scheme.\n * @param  {string} domain The bare domain string.\n * @return {string}        The fully-qualified domain string.\n */\nconst getFullyQualified = (domain) => {\n    const protocol = 'https://';\n    let fullyQualified = '';\n\n    if (domain && typeof domain === 'string' && !domain.startsWith(protocol)) {\n        fullyQualified = `${protocol}${domain}`;\n    }\n\n    return fullyQualified;\n};\n\n/**\n * Helper to get the fully-qualified domains for connected services.\n * @return {object}               A map of fully-qualified domains for the environment.\n *   @return {string} dataApi       The data API fully-qualified domain.\n *   @return {string} s3UploadUrlState      The S3 fully-qualified domain for uploading state files.\n *   @return {string} s3UploadUrlProvider      The S3 fully-qualified domain for uploading provider files.\n *   @return {string} cognitoStaff  The Cognito fully-qualified domain for authenticating staff users.\n */\nconst getEnvironmentUrls = () => {\n    const environmentUrls = {};\n\n    // JCC\n    environmentUrls.dataApi = getFullyQualified(environmentValues.dataApi);\n    environmentUrls.searchApi = getFullyQualified(environmentValues.searchApi);\n    environmentUrls.s3UploadUrlState = getFullyQualified(environmentValues.s3UploadUrlState);\n    environmentUrls.s3UploadUrlProvider = getFullyQualified(environmentValues.s3UploadUrlProvider);\n    environmentUrls.cognitoStaff = getFullyQualified(environmentValues.cognitoStaff);\n    environmentUrls.cognitoProvider = getFullyQualified(environmentValues.cognitoProvider);\n    // COSMETOLOGY\n    environmentUrls.dataApiCosmo = getFullyQualified(environmentValues.dataApiCosmo);\n    environmentUrls.searchApiCosmo = getFullyQualified(environmentValues.searchApiCosmo);\n    environmentUrls.s3UploadUrlStateCosmo = getFullyQualified(environmentValues.s3UploadUrlStateCosmo);\n    environmentUrls.cognitoStaffCosmo = getFullyQualified(environmentValues.cognitoStaffCosmo);\n\n    return environmentUrls;\n};\n\n/**\n * Helper to escape CSP src keywords.\n * @param  {string} keyword The standard keyword value.\n * @return {string}         The escaped keyword value.\n */\nconst srcKeywordEscape = (keyword) => {\n    let escaped = '';\n\n    if (keyword && typeof keyword === 'string') {\n        escaped = `'${keyword}'`.toLowerCase();\n    }\n\n    return escaped;\n};\n\n/**\n * Helper to automatically escape and prep CSP src keyword values (by reference).\n * @param  {Array<string>} srcList       The CSP src list.\n * @param  {string}        [listName=''] Optional src list name for logging.\n */\nconst srcKeywordsEscape = (srcList, listName = '') => {\n    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#keyword_values\n    const srcKeywordsConfig = [\n        { value: 'self', isAllowed: true },\n        { value: 'none', isAllowed: true },\n        { value: 'strict-dynamic', isAllowed: true },\n        { value: 'report-sample', isAllowed: true },\n        { value: 'inline-speculation-rules', isAllowed: true },\n        { value: 'unsafe-inline', isAllowed: false },\n        { value: 'unsafe-eval', isAllowed: false },\n        { value: 'unsafe-hashes', isAllowed: false },\n        { value: 'wasm-unsafe-eval', isAllowed: false },\n    ];\n    const srcKeywords = srcKeywordsConfig.map((config) => config.value.toLowerCase());\n\n    if (Array.isArray(srcList)) {\n        srcList.forEach((srcItem, idx) => {\n            const isString = typeof srcItem === 'string';\n\n            if (!isString) {\n                srcList[idx] = '';\n            } else {\n                const srcItemLowerCase = srcItem.toLowerCase();\n\n                if (srcKeywords.includes(srcItemLowerCase)) {\n                    const keywordConfig = srcKeywordsConfig.find(\n                        (config) => srcItemLowerCase === config.value.toLowerCase()\n                    );\n\n                    if (keywordConfig) {\n                        if (!keywordConfig.isAllowed) {\n                            console.warn(`${listName} ${srcItem} keyword is not allowed in srcKeywordsConfig policy. We likely should not be using this keyword for security reasons.`.trim());\n                            srcList[idx] = '';\n                        } else {\n                            srcList[idx] = srcKeywordEscape(srcItem);\n                        }\n                    }\n                }\n            }\n        });\n    }\n};\n\n/**\n * Helper to build a CSP src group list string from input params.\n * @param  {string}        name src name for the CSP group.\n * @param  {Array<string>} list The static src list for the CSP group.\n * @return {string}             The prepped src list string;\n */\nconst buildSrcString = (name = '', list = []) => {\n    let srcString = '';\n\n    if (Array.isArray(list)) {\n        srcKeywordsEscape(list, name);\n        srcString = `${name} ${list.join(' ')};`;\n    }\n\n    return srcString;\n};\n\n// ============================================================================\n//                               RESPONSE HEADERS                             =\n// ============================================================================\n/**\n * Set the CSP header on the response (by reference).\n * @param {object} [headers={}]  The event response headers (updated by reference).\n */\nconst setCspHeader = (headers = {}) => {\n    const domains = getEnvironmentUrls();\n    const cognitoIdpUrl = 'https://cognito-idp.us-east-1.amazonaws.com';\n\n    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy\n    headers['content-security-policy'] = [{\n        key: 'Content-Security-Policy',\n        value: `${[\n            `default-src 'none';`,\n            buildSrcString('manifest-src', [\n                'self',\n            ]),\n            buildSrcString('script-src', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://www.gstatic.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('script-src-elem', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://www.gstatic.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('script-src-attr', [\n                'self',\n            ]),\n            buildSrcString('worker-src', [\n                'self',\n            ]),\n            buildSrcString('style-src', [\n                'self',\n                'https://fonts.googleapis.com',\n                'https://www.gstatic.com/recaptcha/',\n            ]),\n            buildSrcString('style-src-elem', [\n                'self',\n                'https://fonts.googleapis.com',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n                `'sha256-YwWQHXh4Vw0oD2Oo8pV9huEF2sE9mD8i5nZUuHzEg9A='`, // <style> tag injected by authorize.net widget\n            ]),\n            buildSrcString('style-src-attr', [\n                'self',\n            ]),\n            buildSrcString('font-src', [\n                'self',\n                'https://fonts.gstatic.com',\n            ]),\n            buildSrcString('img-src', [\n                'self',\n                'data:',\n                domains.dataApi,\n                domains.dataApiCosmo,\n                'https://www.gstatic.com/recaptcha/',\n            ]),\n            buildSrcString('media-src', [\n                'self',\n                domains.dataApi,\n                domains.dataApiCosmo,\n            ]),\n            buildSrcString('frame-src', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://recaptcha.google.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('frame-ancestors', [\n                'none'\n            ]),\n            buildSrcString('object-src', [\n                'none',\n            ]),\n            buildSrcString('form-action', [\n                'none',\n            ]),\n            buildSrcString('connect-src', [\n                'self',\n                cognitoIdpUrl,\n                'https://www.google.com/recaptcha/',\n                // JCC\n                domains.dataApi,\n                domains.searchApi,\n                domains.s3UploadUrlState,\n                domains.s3UploadUrlProvider,\n                domains.cognitoStaff,\n                domains.cognitoProvider,\n                // COSMETOLOGY\n                domains.dataApiCosmo,\n                domains.searchApiCosmo,\n                domains.s3UploadUrlStateCosmo,\n                domains.cognitoStaffCosmo,\n                // Begin Statsig domains\n                'https://api.statsig.com/',\n                'https://featuregates.org/',\n                'https://statsigapi.net/',\n                'https://events.statsigapi.net/',\n                'https://api.statsigcdn.com/',\n                'https://featureassets.org/',\n                'https://assetsconfigcdn.org/',\n                'https://prodregistryv2.org/',\n                'https://cloudflare-dns.com/',\n                'https://beyondwickedmapping.org/',\n                // End Statsig domains\n            ]),\n        ].join(' ')}`,\n    }];\n};\n\n/**\n * Set security headers on the response (by reference).\n * @param {object} [headers={}]  The event response headers (updated by reference).\n */\nconst setSecurityHeaders = (headers = {}) => {\n    // Strict-Transport-Security\n    headers['strict-transport-security'] = [{\n        key: 'Strict-Transport-Security',\n        value: 'max-age=31536000; includeSubdomains; preload',\n    }];\n    // X-Content-Type-Options\n    headers['x-content-type-options'] = [{\n        key: 'X-Content-Type-Options',\n        value: 'nosniff',\n    }];\n    // X-Frame-Options\n    headers['x-frame-options'] = [{\n        key: 'X-Frame-Options',\n        value: 'DENY',\n    }];\n    // Referrer-Policy\n    headers['referrer-policy'] = [{\n        key: 'Referrer-Policy',\n        value: 'strict-origin-when-cross-origin',\n    }];\n    // Server\n    headers.server = [{\n        key: 'Server',\n        value: 'CompactConnect',\n    }];\n    // Content-Security-Policy\n    setCspHeader(headers);\n};\n\n// ============================================================================\n//                                 LAMBDA ENTRY                               =\n// ============================================================================\nexports.handler = async (event) => {\n    // https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-event-structure.html\n    const eventRecord = event?.Records[0]?.cf || {};\n    const response = eventRecord.response || {};\n    const responseHeaders = response.headers || {};\n\n    setSecurityHeaders(responseHeaders);\n\n    return response;\n};\n"
     },
     "Handler": "index.handler",
     "Role": {
diff --git a/backend/compact-connect-ui-app/tests/resources/snapshots/TestFrontend-FrontendDeploymentStack-UI_DISTRIBUTION.json b/backend/compact-connect-ui-app/tests/resources/snapshots/TestFrontend-FrontendDeploymentStack-UI_DISTRIBUTION.json
index 00931a8d9..63997a5ac 100644
--- a/backend/compact-connect-ui-app/tests/resources/snapshots/TestFrontend-FrontendDeploymentStack-UI_DISTRIBUTION.json
+++ b/backend/compact-connect-ui-app/tests/resources/snapshots/TestFrontend-FrontendDeploymentStack-UI_DISTRIBUTION.json
@@ -39,7 +39,7 @@
             {
               "EventType": "viewer-response",
               "LambdaFunctionARN": {
-                "Ref": "CSPFunctionCurrentVersionB61A6611ae71df5f4a2e71905706631237e7d8d0"
+                "Ref": "CSPFunctionCurrentVersionB61A6611f2f39c390a3d6bdfa6597b3ffeb69920"
               }
             }
           ],
diff --git a/backend/compact-connect-ui-app/tests/resources/snapshots/TestFrontend-FrontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json b/backend/compact-connect-ui-app/tests/resources/snapshots/TestFrontend-FrontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json
index 7e31da685..7f25a36d5 100644
--- a/backend/compact-connect-ui-app/tests/resources/snapshots/TestFrontend-FrontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json
+++ b/backend/compact-connect-ui-app/tests/resources/snapshots/TestFrontend-FrontendDeploymentStack-UI_DISTRIBUTION_LAMBDA_FUNCTION.json
@@ -2,7 +2,7 @@
   "Type": "AWS::Lambda::Function",
   "Properties": {
     "Code": {
-      "ZipFile": "//\n//  index.js\n//  CompactConnect\n//\n//  Created by InspiringApps on 7/22/2024.\n//\n\n// ============================================================================\n//                               CONFIGURATION                                =\n// ============================================================================\n/**\n * Configuration of supported domains.\n *\n * These values are injected into the lambda function at build time. See the\n * `generate_csp_lambda_code` function in\n * backend/compact-connect-ui-app/stacks/frontend_deployment_stack/distribution.py\n * @type {object}\n */\nconst environmentValues = {\n    webFrontend: `test-ui.example.com`,\n    // JCC\n    dataApi: `test-api.example.com`,\n    searchApi: `test-search-api.example.com`,\n    s3UploadUrlState: `test-bulk-uploads-bucket-name.s3.amazonaws.com`,\n    s3UploadUrlProvider: `test-provider-users-bucket-name.s3.amazonaws.com`,\n    cognitoStaff: `test-staff-domain`,\n    cognitoProvider: `test-provider-domain`,\n    // COSMETOLOGY\n    dataApiCosmo: `test-api.example.com`,\n    searchApiCosmo: `test-search-api.example.com`,\n    s3UploadUrlStateCosmo: `test-bulk-uploads-bucket-name.s3.amazonaws.com`,\n    cognitoStaffCosmo: `test-staff-domain`,\n};\n\n// ============================================================================\n//                                   HELPERS                                  =\n// ============================================================================\n/**\n * Get the request domain from the lambda event record.\n * @param  {object} eventRecord The cloudfront record from the lambda event.\n * @return {string}             The bare domain of the request domain.\n */\n\n/**\n * Get a fully qualified domain URI with the protocol scheme.\n * @param  {string} domain The bare domain string.\n * @return {string}        The fully-qualified domain string.\n */\nconst getFullyQualified = (domain) => {\n    const protocol = 'https://';\n    let fullyQualified = '';\n\n    if (domain && typeof domain === 'string' && !domain.startsWith(protocol)) {\n        fullyQualified = `${protocol}${domain}`;\n    }\n\n    return fullyQualified;\n};\n\n/**\n * Helper to get the fully-qualified domains for connected services.\n * @return {object}               A map of fully-qualified domains for the environment.\n *   @return {string} dataApi       The data API fully-qualified domain.\n *   @return {string} s3UploadUrlState      The S3 fully-qualified domain for uploading state files.\n *   @return {string} s3UploadUrlProvider      The S3 fully-qualified domain for uploading provider files.\n *   @return {string} cognitoStaff  The Cognito fully-qualified domain for authenticating staff users.\n */\nconst getEnvironmentUrls = () => {\n    const environmentUrls = {};\n\n    // JCC\n    environmentUrls.dataApi = getFullyQualified(environmentValues.dataApi);\n    environmentUrls.searchApi = getFullyQualified(environmentValues.searchApi);\n    environmentUrls.s3UploadUrlState = getFullyQualified(environmentValues.s3UploadUrlState);\n    environmentUrls.s3UploadUrlProvider = getFullyQualified(environmentValues.s3UploadUrlProvider);\n    environmentUrls.cognitoStaff = getFullyQualified(environmentValues.cognitoStaff);\n    environmentUrls.cognitoProvider = getFullyQualified(environmentValues.cognitoProvider);\n    // COSMETOLOGY\n    environmentUrls.dataApiCosmo = getFullyQualified(environmentValues.dataApiCosmo);\n    environmentUrls.searchApiCosmo = getFullyQualified(environmentValues.searchApiCosmo);\n    environmentUrls.s3UploadUrlStateCosmo = getFullyQualified(environmentValues.s3UploadUrlStateCosmo);\n    environmentUrls.cognitoStaffCosmo = getFullyQualified(environmentValues.cognitoStaffCosmo);\n\n    return environmentUrls;\n};\n\n/**\n * Helper to escape CSP src keywords.\n * @param  {string} keyword The standard keyword value.\n * @return {string}         The escaped keyword value.\n */\nconst srcKeywordEscape = (keyword) => {\n    let escaped = '';\n\n    if (keyword && typeof keyword === 'string') {\n        escaped = `'${keyword}'`.toLowerCase();\n    }\n\n    return escaped;\n};\n\n/**\n * Helper to automatically escape and prep CSP src keyword values (by reference).\n * @param  {Array<string>} srcList       The CSP src list.\n * @param  {string}        [listName=''] Optional src list name for logging.\n */\nconst srcKeywordsEscape = (srcList, listName = '') => {\n    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#keyword_values\n    const srcKeywordsConfig = [\n        { value: 'self', isAllowed: true },\n        { value: 'none', isAllowed: true },\n        { value: 'strict-dynamic', isAllowed: true },\n        { value: 'report-sample', isAllowed: true },\n        { value: 'inline-speculation-rules', isAllowed: true },\n        { value: 'unsafe-inline', isAllowed: false },\n        { value: 'unsafe-eval', isAllowed: false },\n        { value: 'unsafe-hashes', isAllowed: false },\n        { value: 'wasm-unsafe-eval', isAllowed: false },\n    ];\n    const srcKeywords = srcKeywordsConfig.map((config) => config.value.toLowerCase());\n\n    if (Array.isArray(srcList)) {\n        srcList.forEach((srcItem, idx) => {\n            const isString = typeof srcItem === 'string';\n\n            if (!isString) {\n                srcList[idx] = '';\n            } else {\n                const srcItemLowerCase = srcItem.toLowerCase();\n\n                if (srcKeywords.includes(srcItemLowerCase)) {\n                    const keywordConfig = srcKeywordsConfig.find(\n                        (config) => srcItemLowerCase === config.value.toLowerCase()\n                    );\n\n                    if (keywordConfig) {\n                        if (!keywordConfig.isAllowed) {\n                            console.warn(`${listName} ${srcItem} keyword is not allowed in srcKeywordsConfig policy. We likely should not be using this keyword for security reasons.`.trim());\n                            srcList[idx] = '';\n                        } else {\n                            srcList[idx] = srcKeywordEscape(srcItem);\n                        }\n                    }\n                }\n            }\n        });\n    }\n};\n\n/**\n * Helper to build a CSP src group list string from input params.\n * @param  {string}        name src name for the CSP group.\n * @param  {Array<string>} list The static src list for the CSP group.\n * @return {string}             The prepped src list string;\n */\nconst buildSrcString = (name = '', list = []) => {\n    let srcString = '';\n\n    if (Array.isArray(list)) {\n        srcKeywordsEscape(list, name);\n        srcString = `${name} ${list.join(' ')};`;\n    }\n\n    return srcString;\n};\n\n// ============================================================================\n//                               RESPONSE HEADERS                             =\n// ============================================================================\n/**\n * Set the CSP header on the response (by reference).\n * @param {object} [headers={}]  The event response headers (updated by reference).\n */\nconst setCspHeader = (headers = {}) => {\n    const domains = getEnvironmentUrls();\n    const cognitoIdpUrl = 'https://cognito-idp.us-east-1.amazonaws.com';\n\n    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy\n    headers['content-security-policy'] = [{\n        key: 'Content-Security-Policy',\n        value: `${[\n            `default-src 'none';`,\n            buildSrcString('manifest-src', [\n                'self',\n            ]),\n            buildSrcString('script-src', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://www.gstatic.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('script-src-elem', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://www.gstatic.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('script-src-attr', [\n                'self',\n            ]),\n            buildSrcString('worker-src', [\n                'self',\n            ]),\n            buildSrcString('style-src', [\n                'self',\n                'https://fonts.googleapis.com',\n                'https://www.gstatic.com/recaptcha/',\n            ]),\n            buildSrcString('style-src-elem', [\n                'self',\n                'https://fonts.googleapis.com',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n                `'sha256-YwWQHXh4Vw0oD2Oo8pV9huEF2sE9mD8i5nZUuHzEg9A='`, // <style> tag injected by authorize.net widget\n            ]),\n            buildSrcString('style-src-attr', [\n                'self',\n            ]),\n            buildSrcString('font-src', [\n                'self',\n                'https://fonts.gstatic.com',\n            ]),\n            buildSrcString('img-src', [\n                'self',\n                'data:',\n                domains.dataApi,\n                domains.dataApiCosmo,\n                'https://www.gstatic.com/recaptcha/',\n            ]),\n            buildSrcString('media-src', [\n                'self',\n                domains.dataApi,\n                domains.dataApiCosmo,\n            ]),\n            buildSrcString('frame-src', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://recaptcha.google.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('frame-ancestors', [\n                'none'\n            ]),\n            buildSrcString('object-src', [\n                'none',\n            ]),\n            buildSrcString('form-action', [\n                'none',\n            ]),\n            buildSrcString('connect-src', [\n                'self',\n                // JCC\n                domains.dataApi,\n                domains.searchApi,\n                domains.s3UploadUrlState,\n                domains.s3UploadUrlProvider,\n                domains.cognitoStaff,\n                domains.cognitoProvider,\n                // COSMETOLOGY\n                domains.dataApiCosmo,\n                domains.searchApiCosmo,\n                domains.s3UploadUrlStateCosmo,\n                domains.cognitoStaffCosmo,\n                cognitoIdpUrl,\n                'https://www.google.com/recaptcha/',\n                // Begin Statsig domains\n                'https://api.statsig.com/',\n                'https://featuregates.org/',\n                'https://statsigapi.net/',\n                'https://events.statsigapi.net/',\n                'https://api.statsigcdn.com/',\n                'https://featureassets.org/',\n                'https://assetsconfigcdn.org/',\n                'https://prodregistryv2.org/',\n                'https://cloudflare-dns.com/',\n                'https://beyondwickedmapping.org/',\n                // End Statsig domains\n            ]),\n        ].join(' ')}`,\n    }];\n};\n\n/**\n * Set security headers on the response (by reference).\n * @param {object} [headers={}]  The event response headers (updated by reference).\n */\nconst setSecurityHeaders = (headers = {}) => {\n    // Strict-Transport-Security\n    headers['strict-transport-security'] = [{\n        key: 'Strict-Transport-Security',\n        value: 'max-age=31536000; includeSubdomains; preload',\n    }];\n    // X-Content-Type-Options\n    headers['x-content-type-options'] = [{\n        key: 'X-Content-Type-Options',\n        value: 'nosniff',\n    }];\n    // X-Frame-Options\n    headers['x-frame-options'] = [{\n        key: 'X-Frame-Options',\n        value: 'DENY',\n    }];\n    // Referrer-Policy\n    headers['referrer-policy'] = [{\n        key: 'Referrer-Policy',\n        value: 'strict-origin-when-cross-origin',\n    }];\n    // Server\n    headers.server = [{\n        key: 'Server',\n        value: 'CompactConnect',\n    }];\n    // Content-Security-Policy\n    setCspHeader(headers);\n};\n\n// ============================================================================\n//                                 LAMBDA ENTRY                               =\n// ============================================================================\nexports.handler = async (event) => {\n    // https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-event-structure.html\n    const eventRecord = event?.Records[0]?.cf || {};\n    const response = eventRecord.response || {};\n    const responseHeaders = response.headers || {};\n\n    setSecurityHeaders(responseHeaders);\n\n    return response;\n};\n"
+      "ZipFile": "//\n//  index.js\n//  CompactConnect\n//\n//  Created by InspiringApps on 7/22/2024.\n//\n\n// ============================================================================\n//                               CONFIGURATION                                =\n// ============================================================================\n/**\n * Configuration of supported domains.\n *\n * These values are injected into the lambda function at build time. See the\n * `generate_csp_lambda_code` function in\n * backend/compact-connect-ui-app/stacks/frontend_deployment_stack/distribution.py\n * @type {object}\n */\nconst environmentValues = {\n    webFrontend: `test-ui.example.com`,\n    // JCC\n    dataApi: `test-api.example.com`,\n    searchApi: `test-search-api.example.com`,\n    s3UploadUrlState: `test-bulk-uploads-bucket-name.s3.amazonaws.com`,\n    s3UploadUrlProvider: `test-provider-users-bucket-name.s3.amazonaws.com`,\n    cognitoStaff: `test-staff-domain`,\n    cognitoProvider: `test-provider-domain`,\n    // COSMETOLOGY\n    dataApiCosmo: `test-api.example.com`,\n    searchApiCosmo: `test-search-api.example.com`,\n    s3UploadUrlStateCosmo: `test-bulk-uploads-bucket-name.s3.amazonaws.com`,\n    cognitoStaffCosmo: `test-staff-domain`,\n};\n\n// ============================================================================\n//                                   HELPERS                                  =\n// ============================================================================\n/**\n * Get the request domain from the lambda event record.\n * @param  {object} eventRecord The cloudfront record from the lambda event.\n * @return {string}             The bare domain of the request domain.\n */\n\n/**\n * Get a fully qualified domain URI with the protocol scheme.\n * @param  {string} domain The bare domain string.\n * @return {string}        The fully-qualified domain string.\n */\nconst getFullyQualified = (domain) => {\n    const protocol = 'https://';\n    let fullyQualified = '';\n\n    if (domain && typeof domain === 'string' && !domain.startsWith(protocol)) {\n        fullyQualified = `${protocol}${domain}`;\n    }\n\n    return fullyQualified;\n};\n\n/**\n * Helper to get the fully-qualified domains for connected services.\n * @return {object}               A map of fully-qualified domains for the environment.\n *   @return {string} dataApi       The data API fully-qualified domain.\n *   @return {string} s3UploadUrlState      The S3 fully-qualified domain for uploading state files.\n *   @return {string} s3UploadUrlProvider      The S3 fully-qualified domain for uploading provider files.\n *   @return {string} cognitoStaff  The Cognito fully-qualified domain for authenticating staff users.\n */\nconst getEnvironmentUrls = () => {\n    const environmentUrls = {};\n\n    // JCC\n    environmentUrls.dataApi = getFullyQualified(environmentValues.dataApi);\n    environmentUrls.searchApi = getFullyQualified(environmentValues.searchApi);\n    environmentUrls.s3UploadUrlState = getFullyQualified(environmentValues.s3UploadUrlState);\n    environmentUrls.s3UploadUrlProvider = getFullyQualified(environmentValues.s3UploadUrlProvider);\n    environmentUrls.cognitoStaff = getFullyQualified(environmentValues.cognitoStaff);\n    environmentUrls.cognitoProvider = getFullyQualified(environmentValues.cognitoProvider);\n    // COSMETOLOGY\n    environmentUrls.dataApiCosmo = getFullyQualified(environmentValues.dataApiCosmo);\n    environmentUrls.searchApiCosmo = getFullyQualified(environmentValues.searchApiCosmo);\n    environmentUrls.s3UploadUrlStateCosmo = getFullyQualified(environmentValues.s3UploadUrlStateCosmo);\n    environmentUrls.cognitoStaffCosmo = getFullyQualified(environmentValues.cognitoStaffCosmo);\n\n    return environmentUrls;\n};\n\n/**\n * Helper to escape CSP src keywords.\n * @param  {string} keyword The standard keyword value.\n * @return {string}         The escaped keyword value.\n */\nconst srcKeywordEscape = (keyword) => {\n    let escaped = '';\n\n    if (keyword && typeof keyword === 'string') {\n        escaped = `'${keyword}'`.toLowerCase();\n    }\n\n    return escaped;\n};\n\n/**\n * Helper to automatically escape and prep CSP src keyword values (by reference).\n * @param  {Array<string>} srcList       The CSP src list.\n * @param  {string}        [listName=''] Optional src list name for logging.\n */\nconst srcKeywordsEscape = (srcList, listName = '') => {\n    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#keyword_values\n    const srcKeywordsConfig = [\n        { value: 'self', isAllowed: true },\n        { value: 'none', isAllowed: true },\n        { value: 'strict-dynamic', isAllowed: true },\n        { value: 'report-sample', isAllowed: true },\n        { value: 'inline-speculation-rules', isAllowed: true },\n        { value: 'unsafe-inline', isAllowed: false },\n        { value: 'unsafe-eval', isAllowed: false },\n        { value: 'unsafe-hashes', isAllowed: false },\n        { value: 'wasm-unsafe-eval', isAllowed: false },\n    ];\n    const srcKeywords = srcKeywordsConfig.map((config) => config.value.toLowerCase());\n\n    if (Array.isArray(srcList)) {\n        srcList.forEach((srcItem, idx) => {\n            const isString = typeof srcItem === 'string';\n\n            if (!isString) {\n                srcList[idx] = '';\n            } else {\n                const srcItemLowerCase = srcItem.toLowerCase();\n\n                if (srcKeywords.includes(srcItemLowerCase)) {\n                    const keywordConfig = srcKeywordsConfig.find(\n                        (config) => srcItemLowerCase === config.value.toLowerCase()\n                    );\n\n                    if (keywordConfig) {\n                        if (!keywordConfig.isAllowed) {\n                            console.warn(`${listName} ${srcItem} keyword is not allowed in srcKeywordsConfig policy. We likely should not be using this keyword for security reasons.`.trim());\n                            srcList[idx] = '';\n                        } else {\n                            srcList[idx] = srcKeywordEscape(srcItem);\n                        }\n                    }\n                }\n            }\n        });\n    }\n};\n\n/**\n * Helper to build a CSP src group list string from input params.\n * @param  {string}        name src name for the CSP group.\n * @param  {Array<string>} list The static src list for the CSP group.\n * @return {string}             The prepped src list string;\n */\nconst buildSrcString = (name = '', list = []) => {\n    let srcString = '';\n\n    if (Array.isArray(list)) {\n        srcKeywordsEscape(list, name);\n        srcString = `${name} ${list.join(' ')};`;\n    }\n\n    return srcString;\n};\n\n// ============================================================================\n//                               RESPONSE HEADERS                             =\n// ============================================================================\n/**\n * Set the CSP header on the response (by reference).\n * @param {object} [headers={}]  The event response headers (updated by reference).\n */\nconst setCspHeader = (headers = {}) => {\n    const domains = getEnvironmentUrls();\n    const cognitoIdpUrl = 'https://cognito-idp.us-east-1.amazonaws.com';\n\n    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy\n    headers['content-security-policy'] = [{\n        key: 'Content-Security-Policy',\n        value: `${[\n            `default-src 'none';`,\n            buildSrcString('manifest-src', [\n                'self',\n            ]),\n            buildSrcString('script-src', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://www.gstatic.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('script-src-elem', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://www.gstatic.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('script-src-attr', [\n                'self',\n            ]),\n            buildSrcString('worker-src', [\n                'self',\n            ]),\n            buildSrcString('style-src', [\n                'self',\n                'https://fonts.googleapis.com',\n                'https://www.gstatic.com/recaptcha/',\n            ]),\n            buildSrcString('style-src-elem', [\n                'self',\n                'https://fonts.googleapis.com',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n                `'sha256-YwWQHXh4Vw0oD2Oo8pV9huEF2sE9mD8i5nZUuHzEg9A='`, // <style> tag injected by authorize.net widget\n            ]),\n            buildSrcString('style-src-attr', [\n                'self',\n            ]),\n            buildSrcString('font-src', [\n                'self',\n                'https://fonts.gstatic.com',\n            ]),\n            buildSrcString('img-src', [\n                'self',\n                'data:',\n                domains.dataApi,\n                domains.dataApiCosmo,\n                'https://www.gstatic.com/recaptcha/',\n            ]),\n            buildSrcString('media-src', [\n                'self',\n                domains.dataApi,\n                domains.dataApiCosmo,\n            ]),\n            buildSrcString('frame-src', [\n                'self',\n                'https://www.google.com/recaptcha/',\n                'https://recaptcha.google.com/recaptcha/',\n                'https://jstest.authorize.net/',\n                'https://js.authorize.net/',\n            ]),\n            buildSrcString('frame-ancestors', [\n                'none'\n            ]),\n            buildSrcString('object-src', [\n                'none',\n            ]),\n            buildSrcString('form-action', [\n                'none',\n            ]),\n            buildSrcString('connect-src', [\n                'self',\n                cognitoIdpUrl,\n                'https://www.google.com/recaptcha/',\n                // JCC\n                domains.dataApi,\n                domains.searchApi,\n                domains.s3UploadUrlState,\n                domains.s3UploadUrlProvider,\n                domains.cognitoStaff,\n                domains.cognitoProvider,\n                // COSMETOLOGY\n                domains.dataApiCosmo,\n                domains.searchApiCosmo,\n                domains.s3UploadUrlStateCosmo,\n                domains.cognitoStaffCosmo,\n                // Begin Statsig domains\n                'https://api.statsig.com/',\n                'https://featuregates.org/',\n                'https://statsigapi.net/',\n                'https://events.statsigapi.net/',\n                'https://api.statsigcdn.com/',\n                'https://featureassets.org/',\n                'https://assetsconfigcdn.org/',\n                'https://prodregistryv2.org/',\n                'https://cloudflare-dns.com/',\n                'https://beyondwickedmapping.org/',\n                // End Statsig domains\n            ]),\n        ].join(' ')}`,\n    }];\n};\n\n/**\n * Set security headers on the response (by reference).\n * @param {object} [headers={}]  The event response headers (updated by reference).\n */\nconst setSecurityHeaders = (headers = {}) => {\n    // Strict-Transport-Security\n    headers['strict-transport-security'] = [{\n        key: 'Strict-Transport-Security',\n        value: 'max-age=31536000; includeSubdomains; preload',\n    }];\n    // X-Content-Type-Options\n    headers['x-content-type-options'] = [{\n        key: 'X-Content-Type-Options',\n        value: 'nosniff',\n    }];\n    // X-Frame-Options\n    headers['x-frame-options'] = [{\n        key: 'X-Frame-Options',\n        value: 'DENY',\n    }];\n    // Referrer-Policy\n    headers['referrer-policy'] = [{\n        key: 'Referrer-Policy',\n        value: 'strict-origin-when-cross-origin',\n    }];\n    // Server\n    headers.server = [{\n        key: 'Server',\n        value: 'CompactConnect',\n    }];\n    // Content-Security-Policy\n    setCspHeader(headers);\n};\n\n// ============================================================================\n//                                 LAMBDA ENTRY                               =\n// ============================================================================\nexports.handler = async (event) => {\n    // https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-event-structure.html\n    const eventRecord = event?.Records[0]?.cf || {};\n    const response = eventRecord.response || {};\n    const responseHeaders = response.headers || {};\n\n    setSecurityHeaders(responseHeaders);\n\n    return response;\n};\n"
     },
     "Handler": "index.handler",
     "Role": {
diff --git a/webroot/src/pages/PublicDashboard/PublicDashboard.less b/webroot/src/pages/PublicDashboard/PublicDashboard.less
index 47b1332c6..9dcc1fde4 100644
--- a/webroot/src/pages/PublicDashboard/PublicDashboard.less
+++ b/webroot/src/pages/PublicDashboard/PublicDashboard.less
@@ -38,10 +38,11 @@
             }
 
             &.lower {
-                bottom: -5px;
+                bottom: 0;
                 left: 0;
                 width: 80%;
                 max-width: 100rem;
+                line-height: 0.5;
 
                 .splash-image {
                     fill: transparent;
@@ -66,7 +67,7 @@
     .dashboard-content-container {
         display: flex;
         flex-direction: column;
-        align-items: center;
+        align-self: stretch;
         justify-content: center;
         width: 100%;
         padding: 0 4rem;
@@ -74,6 +75,16 @@
         @media @largeDesktopWidth {
             width: auto;
             min-width: 45%;
+            margin-top: 2rem;
+        }
+
+        .dashboard-content {
+            display: flex;
+            flex-direction: column;
+            align-items: center;
+            justify-content: center;
+            width: 100%;
+            height: 100%;
         }
     }
 
@@ -198,6 +209,10 @@
             flex-direction: row;
         }
 
+        @media @largeDesktopWidth {
+            margin-top: auto;
+        }
+
         .footer-link {
             @separatorSize: 0.4rem;
             @separatorSpacing: 1.6rem;
diff --git a/webroot/src/pages/PublicDashboard/PublicDashboard.vue b/webroot/src/pages/PublicDashboard/PublicDashboard.vue
index 68b8e0de6..b6e08bcd7 100644
--- a/webroot/src/pages/PublicDashboard/PublicDashboard.vue
+++ b/webroot/src/pages/PublicDashboard/PublicDashboard.vue
@@ -8,7 +8,7 @@
 <template>
     <div class="login-container">
         <div class="dashboard-splash-container">
-            <div class="splash-image-container upper">
+            <div class="splash-image-container upper" aria-hidden="true">
                 <svg viewBox="0 0 535 217" class="splash-image upper">
                     <path d="M164.026 208.904L164.026 216.404L164.026 208.904ZM552.708 -96.6482C556.85
                         -96.6482 560.208 -100.006 560.208 -104.148C560.208 -108.29 556.85 -111.648 552.708
@@ -23,7 +23,7 @@
                     />
                 </svg>
             </div>
-            <div class="splash-image-container lower">
+            <div class="splash-image-container lower" aria-hidden="true">
                 <svg viewBox="0 0 721 332" class="splash-image lower">
                     <path d="M-126.192 7.5H472.073C605.133 7.5 713 115.367 713 248.427C713 381.487 605.133
                         489.354 472.073 489.354H-126.192"
@@ -37,153 +37,155 @@
             </div>
         </div>
         <div class="dashboard-content-container">
-            <div class="dashboard-logo-container">
-                <img
-                    src="@assets/logos/compact-connect-logo.png"
-                    class="dashboard-logo"
-                    :alt="$t('common.appName')"
-                />
-            </div>
-            <Card class="dashboard-card provider-login-card">
-                <div class="header">
-                    <LicenseeUserIcon class="login-icon" />
-                    <div class="title-container">
-                        <div class="title">{{ $t('navigation.loginAsProvider') }}</div>
-                        <div class="title-subtext">{{ $t('navigation.loginAsProviderSubtext') }}</div>
-                    </div>
-                </div>
-                <a
-                    v-if="!isUsingMockApi"
-                    :href="hostedLoginUriLicensee"
-                    class="login-link"
-                    rel="noopener noreferrer"
-                >
-                    {{ $t('navigation.login') }}
-                </a>
-                <div
-                    v-else
-                    class="login-link"
-                    @click="mockLicenseeLogin"
-                    @keyup.enter="mockLicenseeLogin"
-                    tabindex="0"
-                    role="button"
-                    :aria-label="$t('navigation.login')"
-                >
-                    {{ $t('navigation.login') }}
+            <div class="dashboard-content">
+                <div class="dashboard-logo-container">
+                    <img
+                        src="@assets/logos/compact-connect-logo.png"
+                        class="dashboard-logo"
+                        :alt="$t('common.appName')"
+                    />
                 </div>
-                <div class="separator" />
-                {{ $t('navigation.registerAsProviderSubtext') }}
-                <router-link
-                    :to="{ name: 'RegisterLicensee' }"
-                    class="login-link register transparent"
-                    tabindex="0"
-                >
-                    {{ $t('navigation.registerAsProvider') }}
-                </router-link>
-            </Card>
-            <Card class="dashboard-card staff-login-card">
-                <div class="header">
-                    <StaffUserIcon class="login-icon" />
-                    <div class="title-container">
-                        <div class="title">{{ $t('navigation.loginAsStaff') }}</div>
-                        <div class="title-subtext">{{ $t('navigation.loginAsStaffSubtext') }}</div>
+                <Card class="dashboard-card provider-login-card">
+                    <div class="header">
+                        <LicenseeUserIcon class="login-icon" />
+                        <div class="title-container">
+                            <div class="title">{{ $t('navigation.loginAsProvider') }}</div>
+                            <div class="title-subtext">{{ $t('navigation.loginAsProviderSubtext') }}</div>
+                        </div>
                     </div>
-                </div>
-                <div class="staff-compacts">
                     <a
                         v-if="!isUsingMockApi"
-                        :href="hostedLoginUriStaff"
-                        class="login-link small"
+                        :href="hostedLoginUriLicensee"
+                        class="login-link"
                         rel="noopener noreferrer"
                     >
-                        {{ getCompactDisplay(compactTypes.ASLP) }}
+                        {{ $t('navigation.login') }}
                     </a>
                     <div
                         v-else
-                        class="login-link small"
-                        @click="bypassToStaffLogin"
-                        @keyup.enter="bypassToStaffLogin"
+                        class="login-link"
+                        @click="mockLicenseeLogin"
+                        @keyup.enter="mockLicenseeLogin"
                         tabindex="0"
                         role="button"
-                        :aria-label="getCompactDisplay(compactTypes.ASLP)"
+                        :aria-label="$t('navigation.login')"
                     >
-                        {{ getCompactDisplay(compactTypes.ASLP) }}
+                        {{ $t('navigation.login') }}
                     </div>
-                    <a
-                        v-if="!isUsingMockApi"
-                        :href="hostedLoginUriStaff"
-                        class="login-link small"
-                        rel="noopener noreferrer"
-                    >
-                        {{ getCompactDisplay(compactTypes.OT) }}
-                    </a>
-                    <div
-                        v-else
-                        class="login-link small"
-                        @click="bypassToStaffLogin"
-                        @keyup.enter="bypassToStaffLogin"
+                    <div class="separator" />
+                    {{ $t('navigation.registerAsProviderSubtext') }}
+                    <router-link
+                        :to="{ name: 'RegisterLicensee' }"
+                        class="login-link register transparent"
                         tabindex="0"
-                        role="button"
-                        :aria-label="getCompactDisplay(compactTypes.OT)"
                     >
-                        {{ getCompactDisplay(compactTypes.OT) }}
+                        {{ $t('navigation.registerAsProvider') }}
+                    </router-link>
+                </Card>
+                <Card class="dashboard-card staff-login-card">
+                    <div class="header">
+                        <StaffUserIcon class="login-icon" />
+                        <div class="title-container">
+                            <div class="title">{{ $t('navigation.loginAsStaff') }}</div>
+                            <div class="title-subtext">{{ $t('navigation.loginAsStaffSubtext') }}</div>
+                        </div>
                     </div>
-                    <a
-                        v-if="!isUsingMockApi"
-                        :href="hostedLoginUriStaff"
-                        class="login-link small"
-                        rel="noopener noreferrer"
-                    >
-                        {{ getCompactDisplay(compactTypes.COUNSELING) }}
-                    </a>
-                    <div
-                        v-else
-                        class="login-link small"
-                        @click="bypassToStaffLogin"
-                        @keyup.enter="bypassToStaffLogin"
-                        tabindex="0"
-                        role="button"
-                        :aria-label="getCompactDisplay(compactTypes.COUNSELING)"
-                    >
-                        {{ getCompactDisplay(compactTypes.COUNSELING) }}
+                    <div class="staff-compacts">
+                        <a
+                            v-if="!isUsingMockApi"
+                            :href="hostedLoginUriStaff"
+                            class="login-link small"
+                            rel="noopener noreferrer"
+                        >
+                            {{ getCompactDisplay(compactTypes.ASLP) }}
+                        </a>
+                        <div
+                            v-else
+                            class="login-link small"
+                            @click="bypassToStaffLogin"
+                            @keyup.enter="bypassToStaffLogin"
+                            tabindex="0"
+                            role="button"
+                            :aria-label="getCompactDisplay(compactTypes.ASLP)"
+                        >
+                            {{ getCompactDisplay(compactTypes.ASLP) }}
+                        </div>
+                        <a
+                            v-if="!isUsingMockApi"
+                            :href="hostedLoginUriStaff"
+                            class="login-link small"
+                            rel="noopener noreferrer"
+                        >
+                            {{ getCompactDisplay(compactTypes.OT) }}
+                        </a>
+                        <div
+                            v-else
+                            class="login-link small"
+                            @click="bypassToStaffLogin"
+                            @keyup.enter="bypassToStaffLogin"
+                            tabindex="0"
+                            role="button"
+                            :aria-label="getCompactDisplay(compactTypes.OT)"
+                        >
+                            {{ getCompactDisplay(compactTypes.OT) }}
+                        </div>
+                        <a
+                            v-if="!isUsingMockApi"
+                            :href="hostedLoginUriStaff"
+                            class="login-link small"
+                            rel="noopener noreferrer"
+                        >
+                            {{ getCompactDisplay(compactTypes.COUNSELING) }}
+                        </a>
+                        <div
+                            v-else
+                            class="login-link small"
+                            @click="bypassToStaffLogin"
+                            @keyup.enter="bypassToStaffLogin"
+                            tabindex="0"
+                            role="button"
+                            :aria-label="getCompactDisplay(compactTypes.COUNSELING)"
+                        >
+                            {{ getCompactDisplay(compactTypes.COUNSELING) }}
+                        </div>
+                        <a
+                            v-if="!isUsingMockApi"
+                            :href="hostedLoginUriStaffCosmo"
+                            class="login-link small"
+                            rel="noopener noreferrer"
+                        >
+                            {{ getCompactDisplay(compactTypes.COSMETOLOGY) }}
+                        </a>
+                        <div
+                            v-else
+                            class="login-link small"
+                            @click="bypassToStaffLoginCosmo"
+                            @keyup.enter="bypassToStaffLoginCosmo"
+                            tabindex="0"
+                            role="button"
+                            :aria-label="getCompactDisplay(compactTypes.COSMETOLOGY)"
+                        >
+                            {{ getCompactDisplay(compactTypes.COSMETOLOGY) }}
+                        </div>
                     </div>
-                    <a
-                        v-if="!isUsingMockApi"
-                        :href="hostedLoginUriStaffCosmo"
-                        class="login-link small"
-                        rel="noopener noreferrer"
-                    >
-                        {{ getCompactDisplay(compactTypes.COSMETOLOGY) }}
-                    </a>
-                    <div
-                        v-else
-                        class="login-link small"
-                        @click="bypassToStaffLoginCosmo"
-                        @keyup.enter="bypassToStaffLoginCosmo"
+                </Card>
+                <Card class="dashboard-card privilege-search">
+                    <div class="header">
+                        <SearchIcon class="login-icon" />
+                        <div class="title-container">
+                            <div class="title">{{ $t('navigation.verifyPrivilege') }}</div>
+                            <div class="title-subtext">{{ $t('navigation.verifyPrivilegeSubtext') }}</div>
+                        </div>
+                    </div>
+                    <router-link
+                        :to="{ name: 'LicneseeSearchPublic' }"
+                        class="login-link transparent"
                         tabindex="0"
-                        role="button"
-                        :aria-label="getCompactDisplay(compactTypes.COSMETOLOGY)"
                     >
-                        {{ getCompactDisplay(compactTypes.COSMETOLOGY) }}
-                    </div>
-                </div>
-            </Card>
-            <Card class="dashboard-card privilege-search">
-                <div class="header">
-                    <SearchIcon class="login-icon" />
-                    <div class="title-container">
-                        <div class="title">{{ $t('navigation.verifyPrivilege') }}</div>
-                        <div class="title-subtext">{{ $t('navigation.verifyPrivilegeSubtext') }}</div>
-                    </div>
-                </div>
-                <router-link
-                    :to="{ name: 'LicneseeSearchPublic' }"
-                    class="login-link transparent"
-                    tabindex="0"
-                >
-                    {{ $t('navigation.verifyPrivilegeSearch') }}
-                </router-link>
-            </Card>
+                        {{ $t('navigation.verifyPrivilegeSearch') }}
+                    </router-link>
+                </Card>
+            </div>
             <div class="dashboard-footer">
                 <router-link :to="{ name: 'MfaResetStartLicensee' }" class="footer-link">
                     {{ $t('account.lockedOut') }}

From c676973105191da7321a4fe7c1165b8ae7d0eee1 Mon Sep 17 00:00:00 2001
From: John Sandoval <john@inspiringapps.com>
Date: Wed, 18 Feb 2026 14:08:26 -0700
Subject: [PATCH 13/14] Lambda dependency update

---
 .../lambdas/nodejs/package.json                |  3 +++
 .../lambdas/nodejs/yarn.lock                   | 18 +++++++++---------
 .../lambdas/nodejs/package.json                |  3 ++-
 3 files changed, 14 insertions(+), 10 deletions(-)

diff --git a/backend/compact-connect-ui-app/lambdas/nodejs/package.json b/backend/compact-connect-ui-app/lambdas/nodejs/package.json
index 8ffb19d76..ccc9dbfdd 100644
--- a/backend/compact-connect-ui-app/lambdas/nodejs/package.json
+++ b/backend/compact-connect-ui-app/lambdas/nodejs/package.json
@@ -30,5 +30,8 @@
     "@aws-sdk/client-s3": "^3.682.0",
     "@aws-sdk/util-dynamodb": "^3.682.0",
     "zod": "^3.23.8"
+  },
+  "resolutions": {
+    "fast-xml-parser": "5.3.6"
   }
 }
diff --git a/backend/compact-connect-ui-app/lambdas/nodejs/yarn.lock b/backend/compact-connect-ui-app/lambdas/nodejs/yarn.lock
index ba6e6914d..2f1410018 100644
--- a/backend/compact-connect-ui-app/lambdas/nodejs/yarn.lock
+++ b/backend/compact-connect-ui-app/lambdas/nodejs/yarn.lock
@@ -2143,12 +2143,12 @@ fast-levenshtein@^2.0.6:
   resolved "https://registry.yarnpkg.com/fast-levenshtein/-/fast-levenshtein-2.0.6.tgz#3d8a5c66883a16a30ca8643e851f19baa7797917"
   integrity sha512-DCXu6Ifhqcks7TZKY3Hxp3y6qphY5SJZmrWMDrKcERSOXWQdMhU9Ig/PYrzyw/ul9jOIyh0N4M0tbC5hodg8dw==
 
-fast-xml-parser@4.4.1:
-  version "4.4.1"
-  resolved "https://registry.yarnpkg.com/fast-xml-parser/-/fast-xml-parser-4.4.1.tgz#86dbf3f18edf8739326447bcaac31b4ae7f6514f"
-  integrity sha512-xkjOecfnKGkSsOwtZ5Pz7Us/T6mrbPQrq0nh+aCO5V9nk5NLWmasAHumTKjiPJPWANe+kAZ84Jc8ooJkzZ88Sw==
+fast-xml-parser@4.4.1, fast-xml-parser@5.3.6:
+  version "5.3.6"
+  resolved "https://registry.yarnpkg.com/fast-xml-parser/-/fast-xml-parser-5.3.6.tgz#85a69117ca156b1b3c52e426495b6de266cb6a4b"
+  integrity sha512-QNI3sAvSvaOiaMl8FYU4trnEzCwiRr8XMWgAHzlrWpTSj+QaCSvOf1h82OEP1s4hiAXhnbXSyFWCf4ldZzZRVA==
   dependencies:
-    strnum "^1.0.5"
+    strnum "^2.1.2"
 
 fecha@^4.2.0:
   version "4.2.3"
@@ -2917,10 +2917,10 @@ strip-json-comments@^3.1.1:
   resolved "https://registry.yarnpkg.com/strip-json-comments/-/strip-json-comments-3.1.1.tgz#31f1281b3832630434831c310c01cccda8cbe006"
   integrity sha512-6fPc+R4ihwqP6N/aIv2f1gMH8lOVtWQHoqC4yK6oSDVVocumAsfCqjkXnqiYMhmMwS/mEHLp7Vehlt3ql6lEig==
 
-strnum@^1.0.5:
-  version "1.0.5"
-  resolved "https://registry.yarnpkg.com/strnum/-/strnum-1.0.5.tgz#5c4e829fe15ad4ff0d20c3db5ac97b73c9b072db"
-  integrity sha512-J8bbNyKKXl5qYcR36TIO8W3mVGVHrmmxsd5PAItGkmyzwJvybiw2IVq5nqd0i4LSNSkB/sx9VHllbfFdr9k1JA==
+strnum@^2.1.2:
+  version "2.1.2"
+  resolved "https://registry.yarnpkg.com/strnum/-/strnum-2.1.2.tgz#a5e00ba66ab25f9cafa3726b567ce7a49170937a"
+  integrity sha512-l63NF9y/cLROq/yqKXSLtcMeeyOfnSQlfMSlzFt/K73oIaD8DGaQWd7Z34X9GPiKqP5rbSh84Hl4bOlLcjiSrQ==
 
 supports-color@^7, supports-color@^7.1.0:
   version "7.2.0"
diff --git a/backend/cosmetology-app/lambdas/nodejs/package.json b/backend/cosmetology-app/lambdas/nodejs/package.json
index 21cd12237..bba809a0a 100644
--- a/backend/cosmetology-app/lambdas/nodejs/package.json
+++ b/backend/cosmetology-app/lambdas/nodejs/package.json
@@ -4,7 +4,8 @@
   "type": "commonjs",
   "description": "NodeJS lambdas for Compact Connect",
   "resolutions": {
-    "@aws-sdk/client-sesv2": "^3.901.0"
+    "@aws-sdk/client-sesv2": "^3.901.0",
+    "fast-xml-parser": "5.3.6"
   },
   "scripts": {
     "build": "tsc",

From 8390025c88b4cfb5c609c0288810b77b599a4d99 Mon Sep 17 00:00:00 2001
From: John Sandoval <john@inspiringapps.com>
Date: Thu, 19 Feb 2026 09:57:37 -0700
Subject: [PATCH 14/14] resolve merge conflict

---
 backend/cosmetology-app/lambdas/nodejs/package.json | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/backend/cosmetology-app/lambdas/nodejs/package.json b/backend/cosmetology-app/lambdas/nodejs/package.json
index 92275af83..bd05c7b09 100644
--- a/backend/cosmetology-app/lambdas/nodejs/package.json
+++ b/backend/cosmetology-app/lambdas/nodejs/package.json
@@ -4,10 +4,6 @@
   "type": "commonjs",
   "description": "NodeJS lambdas for Compact Connect",
   "resolutions": {
-<<<<<<< HEAD
-    "@aws-sdk/client-sesv2": "^3.901.0",
-=======
->>>>>>> main
     "fast-xml-parser": "5.3.6"
   },
   "scripts": {