diff --git a/.github/actions/cdk-deploy/action.yml b/.github/actions/cdk-deploy/action.yml index 6d10e67..7f2b6b4 100644 --- a/.github/actions/cdk-deploy/action.yml +++ b/.github/actions/cdk-deploy/action.yml @@ -16,9 +16,9 @@ runs: using: "composite" steps: - name: Install node and related deps - uses: actions/setup-node@v3 + uses: actions/setup-node@v4 with: - node-version: 17.3.0 + node-version: 20 - uses: actions/cache@v3 with: @@ -30,7 +30,7 @@ runs: run: npm install -g aws-cdk@2 - name: Set up Python - uses: actions/setup-python@v4 + uses: actions/setup-python@v5 with: python-version: "3.10" cache: "pip" @@ -49,7 +49,13 @@ runs: working-directory: ${{ inputs.dir }} env: AWS_DEFAULT_REGION: us-west-2 - run: ./scripts/get-env.sh ${{ inputs.env_aws_secret_name }} + run: | + if [[ -z "${{ inputs.script_path }}" ]]; then + ./scripts/sync-env.sh ${{ inputs.env_aws_secret_name }} + else + python ${{ inputs.script_path }} --secret-id ${{ inputs.env_aws_secret_name }} + fi + - name: Deploy id: deploy_auth_stack diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml index bf9afbc..1c0b800 100644 --- a/.github/workflows/cicd.yml +++ b/.github/workflows/cicd.yml @@ -7,7 +7,9 @@ permissions: on: push: branches: - - make-mcp-ready + - main + - dev + - production jobs: define-environment: @@ -25,7 +27,6 @@ jobs: echo "secret_name=veda-auth-dev" >> $GITHUB_OUTPUT elif [ "${{ github.ref }}" = "refs/heads/production" ]; then echo "env_name=production" >> $GITHUB_OUTPUT - echo "secret_name=veda-auth-production" >> $GITHUB_OUTPUT fi - name: Print the environment run: echo "The environment is ${{ steps.define_environment.outputs.env_name }}" 
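Review bot: The new `run: |` block expands `${{ inputs.script_path }}` and `${{ inputs.env_aws_secret_name }}` directly into the script text, so the values are interpreted as shell syntax rather than data, and the unquoted expansions are also subject to word splitting; GitHub's guidance is to pass expression values through `env:` and reference them as quoted shell variables. The script uses `[[ ]]`, which needs `shell: bash` on this composite step (the step header is above the hunk, so confirm it is set). The diff does not show `scripts/sync-env.sh` being added or `get-env.sh` renamed; confirm the script exists at that path before merging.
```yaml
      env:
        AWS_DEFAULT_REGION: us-west-2
        SCRIPT_PATH: ${{ inputs.script_path }}
        SECRET_NAME: ${{ inputs.env_aws_secret_name }}
      run: |
        if [[ -z "$SCRIPT_PATH" ]]; then
          ./scripts/sync-env.sh "$SECRET_NAME"
        else
          python "$SCRIPT_PATH" --secret-id "$SECRET_NAME"
        fi
```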
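Review bot: The `secret_name` output is dropped only for the production branch; the dev case two lines above still writes `secret_name=veda-auth-dev` to `$GITHUB_OUTPUT`, and after this commit the deploy job reads `secrets.ENV_AWS_SECRET_NAME` instead, so the remaining echo (and the `outputs.secret_name` declaration, which is outside the hunk) is dead code. Either remove every `secret_name` echo together with the output declaration, or keep all branches writing it; the half-removed state reads as if production were misconfigured. The run block and the main-branch case start above the hunk.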
@@ -51,41 +52,11 @@ jobs: - name: Configure awscli uses: aws-actions/configure-aws-credentials@v3 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: us-west-2 + role-to-assume: ${{ secrets.DEPLOYMENT_ROLE_ARN }} + role-session-name: "veda-auth-github-${{ needs.define-environment.outputs.env_name }}-deployment" + aws-region: "us-west-2" - - name: Install node and related deps - uses: actions/setup-node@v3 + - name: Run deployment + uses: "./.github/actions/cdk-deploy" with: - node-version: 17.3.0 - - - uses: actions/cache@v3 - with: - path: ~/.npm - key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('**/package-lock.json') }} - - - name: Install AWS CDK - shell: bash - run: npm install -g aws-cdk@2 - - - name: Set up Python - uses: actions/setup-python@v4 - with: - python-version: "3.10" - cache: "pip" - cache-dependency-path: requirements.txt - - - name: Install python dependencies - run: | - pip install \ - -r requirements.txt \ - - - name: Get environment configuration from aws secrets - run: ./scripts/get-env.sh ${{ needs.define-environment.outputs.secret_name }} - - - name: Deploy - env: - AWS_DEFAULT_REGION: us-west-2 - CDK_DEFAULT_REGION: us-west-2 - run: cdk deploy --all --require-approval never \ No newline at end of file + env_aws_secret_name: ${{ secrets.ENV_AWS_SECRET_NAME }} diff --git a/.github/workflows/gitflow-enforcer.yml b/.github/workflows/gitflow-enforcer.yml new file mode 100644 index 0000000..3a833a0 --- /dev/null +++ b/.github/workflows/gitflow-enforcer.yml 
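Review bot: `role-to-assume` on configure-aws-credentials performs an OIDC token exchange, which requires `id-token: write` in the workflow's `permissions:` block (declared above the first hunk, contents not visible here); without it the step fails with a credentials error, so confirm it is granted, with `contents: read` alongside to keep the job token minimal. The new `uses: aws-actions/configure-aws-credentials@v3` follows a moving major tag; pinning third-party actions to a full commit SHA keeps an upstream change from reaching a job that holds the deployment role's credentials. The call passes only `env_aws_secret_name`, while the composite action reads `inputs.dir` and `inputs.script_path`, so both need defaults in action.yml (outside this diff) or `working-directory` resolves to an empty string.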
@@ -0,0 +1,19 @@ +name: Gitflow enforcer 🚀 + +on: + pull_request: + branches: + - main + - dev + - production + types: [ opened, reopened, edited, synchronize ] + +jobs: + gitflow-enforcer: + runs-on: ubuntu-latest + steps: + - name: Check branch + if: github.base_ref == 'main' && github.head_ref != 'dev' || github.base_ref == 'production' && github.head_ref != 'main' + run: | + echo "ERROR: You can only merge to main from dev and to production from main" + exit 1 diff --git a/app.py b/app.py index 0c22a49..e0dc0d5 100644 --- a/app.py +++ b/app.py @@ -1,7 +1,7 @@ #!/usr/bin/env python3 import subprocess -from aws_cdk import App, Tags, DefaultStackSynthesizer +from aws_cdk import App, CfnOutput, Tags, DefaultStackSynthesizer from infra.stack import AuthStack, BucketPermissions @@ -11,7 +11,7 @@ stack = AuthStack( app, - f"veda-auth-stack-{app_settings.stage}", + f"{app_settings.app_name}-{app_settings.stage}", app_settings, synthesizer=DefaultStackSynthesizer( qualifier=app_settings.bootstrap_qualifier @@ -98,7 +98,13 @@ ) # Programmatic Clients -stack.add_programmatic_client("veda-sdk") +client = stack.add_programmatic_client(f"{app_settings.app_name}-{app_settings.stage}-veda-sdk") +CfnOutput( + stack, + "client_id", + export_name=f"{app_settings.app_name}-{app_settings.stage}-client-id", + value=client.user_pool_client_id, +) # Frontend Clients # stack.add_frontend_client('veda-dashboard') diff --git a/config.py b/config.py index 2d919fa..28ecea5 100644 --- a/config.py +++ b/config.py @@ -7,6 +7,11 @@ class Config(pydantic.BaseSettings): + # App name and deployment stage + app_name: Optional[str] = pydantic.Field( + "veda-auth-stack", + description="Optional app name used to name stack and resources", + ) stage: str = pydantic.Field( description=" ".join( [ diff --git a/infra/stack.py b/infra/stack.py index 652fa7a..ffe2b44 100644 --- a/infra/stack.py +++ b/infra/stack.py 
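Review bot: The `if:` on the Check branch step relies on `&&` binding tighter than `||`, which GitHub's expression syntax does guarantee, but the intent is easier to verify with explicit grouping: `if: (github.base_ref == 'main' && github.head_ref != 'dev') || (github.base_ref == 'production' && github.head_ref != 'main')`. When the condition is false the job runs no steps and reports success, and the check compares branch names only, so it enforces the flow only if branch protection on main and production requires this job (and a review) to pass; document that requirement in the workflow, e.g. `# Must be a required status check on main and production to be effective`.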
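Review bot: Changing the programmatic client's id from `"veda-sdk"` to `f"{app_settings.app_name}-{app_settings.stage}-veda-sdk"` will, if that argument is used as the construct id inside add_programmatic_client (its body is outside this diff), change the logical id so CloudFormation creates a new Cognito app client and deletes the old one on the next deploy, invalidating the client id currently held by SDK users. If an existing deployment depends on that client, keep the id stable and change only the export name, or plan the rotation with consumers. The new `client_id` output also assumes add_programmatic_client returns the UserPoolClient; worth confirming, since the previous call discarded the return value.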
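Review bot: `app_name` is typed `Optional[str]`, but an explicit null makes app.py build stack and export names like `None-dev`; since a default is supplied, `app_name: str = pydantic.Field("veda-auth-stack", ...)` expresses the intent and lets pydantic reject null. Because the value ends up in the CloudFormation stack name and in export names, a validator restricting it to the characters CloudFormation accepts in stack names (letters, digits, hyphens) turns a bad setting into a configuration error instead of a failed deploy. The Config class continues outside the hunk.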
@@ -13,7 +13,6 @@ from config import Config - class BucketPermissions(str, Enum): read_only = "r" read_write = "wr" @@ -44,9 +43,13 @@ def __init__( else: self.userpool = self._create_userpool() self.domain = self._add_domain(self.userpool) - stack_name = Stack.of(self).stack_name - + CfnOutput( + self, + "userpool_id", + export_name=f"{stack_name}-userpool-id", + value=self.userpool.user_pool_id, + ) if app_settings.cognito_groups or app_settings.data_managers_group: self._group_precedence = 0 @@ -224,12 +227,6 @@ def _create_secret( secret_string_value=SecretValue.unsafe_plain_text(json.dumps(secret_dict)), ) - CfnOutput( - self, - f"{service_id}-secret-output", - export_name=f"{stack_name}-{service_id}-secret", - value=secret.secret_name, - ) CfnOutput( self, f"{service_id}-secret-arn-output", diff --git a/requirements.txt b/requirements.txt index 352a31a..f7e1493 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,5 +1,5 @@ -aws-cdk-lib==2.35.0 -aws_cdk.aws_cognito_identitypool_alpha==2.35.0a0 +aws-cdk-lib==2.112.0 +aws_cdk.aws_cognito_identitypool_alpha>=2.112.0a0 constructs>=10.0.0,<11.0.0 pydantic==1.9.1 black==22.3.0
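Review bot: The hunk removes `stack_name = Stack.of(self).stack_name` yet the added CfnOutput four lines later still uses it in `export_name=f"{stack_name}-userpool-id"`; unless the name is bound earlier in __init__ (above the hunk), synth fails with NameError before anything deploys. The simplest fix is the Stack property itself, `export_name=f"{self.stack_name}-userpool-id"`, which is what `Stack.of(self).stack_name` resolves to for a Stack subclass. __init__ starts and ends outside the hunk.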
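Review bot: Dropping the `{stack_name}-{service_id}-secret` export is a breaking change for any stack that imports it with Fn::ImportValue: CloudFormation refuses to update this stack while an importer still references the export, so the deploy fails rather than silently losing the output. Check consuming stacks for imports of that name before merging, or keep the output and retire it in a later release once importers have moved to the ARN export that remains. The rest of _create_secret, including the remaining ARN output, continues outside the hunk.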
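Review bot: `aws_cdk.aws_cognito_identitypool_alpha>=2.112.0a0` is no longer pinned while `aws-cdk-lib==2.112.0` is; CDK alpha modules declare an exact aws-cdk-lib version requirement, so a newer alpha release resolved through `>=` conflicts with the pinned core and either fails resolution or yields an unreproducible install. Pin it to match, `aws_cdk.aws_cognito_identitypool_alpha==2.112.0a0`, and bump the two together.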