@openhi/constructs 0.0.103 → 0.0.105

package/lib/index.d.mts

@@ -9,7 +9,7 @@ import { Key, KeyProps, IKey } from 'aws-cdk-lib/aws-kms';
 import { NodejsFunction } from 'aws-cdk-lib/aws-lambda-nodejs';
 import { D as DynamoDbStreamKinesisRecord } from './dynamodb-stream-record-CJtV6a1t.mjs';
 import * as events from 'aws-cdk-lib/aws-events';
-import { EventBus, EventBusProps, IEventBus } from 'aws-cdk-lib/aws-events';
+import { EventBus, EventBusProps, Rule, IEventBus } from 'aws-cdk-lib/aws-events';
 import * as kinesis from 'aws-cdk-lib/aws-kinesis';
 import * as kinesisfirehose from 'aws-cdk-lib/aws-kinesisfirehose';
 import * as s3 from 'aws-cdk-lib/aws-s3';
@@ -21,7 +21,9 @@ import { HostedZone, HostedZoneProps, IHostedZone, HostedZoneAttributes } from '
 import { StringParameterProps, StringParameter } from 'aws-cdk-lib/aws-ssm';
 import { Distribution, DistributionProps } from 'aws-cdk-lib/aws-cloudfront';
 import { IFunction } from 'aws-cdk-lib/aws-lambda';
+export { P as PROVISION_DEFAULT_WORKSPACE_DETAIL_TYPE, a as ProvisionDefaultWorkspaceRequestedDetail, U as USER_ONBOARDING_EVENT_SOURCE, b as buildProvisionDefaultWorkspaceRequestedDetail } from './events-CVA3_eEB.mjs';
 import '@aws-sdk/client-dynamodb';
+import 'aws-lambda';
 
 /**
  * Properties for creating an OpenHiStage instance.
@@ -484,16 +486,14 @@ declare class PostAuthenticationLambda extends Construct {
 
 interface PostConfirmationLambdaProps {
     /**
-     * DynamoDB data store table name. Passed to the Lambda as DYNAMO_TABLE_NAME
-     * so the control-plane ElectroDB service writes to the same single-table store.
+     * Control-plane EventBridge bus name. Passed to the Lambda as
+     * CONTROL_EVENT_BUS_NAME so it can publish onboarding workflow events.
      */
-    readonly dynamoTableName: string;
+    readonly controlEventBusName: string;
 }
 /**
- * Lambda used as Cognito Post Confirmation trigger. Creates the new user's
- * default Tenant, Workspace, Memberships, and RoleAssignment, plus a User
- * record carrying the Cognito `sub` and current tenant/workspace pointers
- * (ADR 2026-03-17-01).
+ * Lambda used as Cognito Post Confirmation trigger. It publishes a control
+ * event and returns quickly; workflow Lambdas own provisioning.
  */
 declare class PostConfirmationLambda extends Construct {
     readonly lambda: NodejsFunction;
@@ -661,6 +661,21 @@ declare class OpsEventBus extends EventBus {
     constructor(scope: Construct, props?: EventBusProps);
 }
 
+/**
+ * @see sites/www-docs/content/packages/@openhi/constructs/components/event-bridge/control-event-bus.md
+ */
+declare class ControlEventBus extends EventBus {
+    /*****************************************************************************
+     *
+     * Return a name for this EventBus based on the stack environment hash. This
+     * name is common across all stacks since it's using the environment hash in
+     * its name.
+     *
+     ****************************************************************************/
+    static getEventBusName(scope: Construct): string;
+    constructor(scope: Construct, props?: EventBusProps);
+}
+
 /**
  * SSM parameter names that publish the Postgres replica's coordinates so other
  * stacks (notably the REST API stack) can discover them without a direct CDK
@@ -905,6 +920,47 @@ declare class StaticHosting extends Construct {
     constructor(scope: Construct, id: string, props?: StaticHostingProps);
 }
 
+interface ProvisionDefaultWorkspaceLambdaProps {
+    /**
+     * DynamoDB data store table. Used for the Lambda's `DYNAMO_TABLE_NAME`
+     * env var and for granting the Lambda the writes + GSI queries it needs
+     * to provision default control-plane resources.
+     */
+    readonly dataStoreTable: ITable;
+    /**
+     * Control-plane event bus that the EventBridge Rule listens on.
+     */
+    readonly controlEventBus: IEventBus;
+}
+/**
+ * Lambda used by the user-onboarding workflow to create a user's default
+ * Tenant, Workspace, Memberships, and RoleAssignment.
+ *
+ * Owns the EventBridge Rule that routes the default-workspace onboarding
+ * event to itself, and the IAM permissions it needs on the data store
+ * table — colocating routing + permissions with the function they target.
+ */
+declare class ProvisionDefaultWorkspaceLambda extends Construct {
+    readonly lambda: NodejsFunction;
+    readonly rule: Rule;
+    constructor(scope: Construct, props: ProvisionDefaultWorkspaceLambdaProps);
+}
+
+/**
+ * @see sites/www-docs/content/packages/@openhi/constructs/workflows/control-plane/user-onboarding/user-onboarding-workflow.md
+ */
+interface UserOnboardingWorkflowProps {
+    readonly controlEventBus: IEventBus;
+    readonly dataStoreTable: ITable;
+}
+/**
+ * Control-plane workflow for onboarding users after Cognito confirmation.
+ */
+declare class UserOnboardingWorkflow extends Construct {
+    readonly provisionDefaultWorkspace: ProvisionDefaultWorkspaceLambda;
+    constructor(scope: Construct, props: UserOnboardingWorkflowProps);
+}
+
 /**
  * @see sites/www-docs/content/packages/@openhi/constructs/services/open-hi-auth-service.md
  */
@@ -970,6 +1026,7 @@ declare class OpenHiAuthService extends OpenHiService {
     readonly preTokenGenerationLambda: IFunction;
     readonly postAuthenticationLambda: IFunction;
     readonly postConfirmationLambda: IFunction;
+    readonly userOnboardingWorkflow: UserOnboardingWorkflow;
     readonly userPool: IUserPool;
     readonly userPoolClient: IUserPoolClient;
     readonly userPoolDomain: IUserPoolDomain;
@@ -986,6 +1043,7 @@ declare class OpenHiAuthService extends OpenHiService {
      * would collide.
      */
     private _dataStoreTable;
+    private _controlEventBus;
     constructor(ohEnv: OpenHiEnvironment, props?: OpenHiAuthServiceProps);
     /**
      * Creates the KMS key for the Cognito User Pool and exports its ARN to SSM.
@@ -1008,13 +1066,13 @@ declare class OpenHiAuthService extends OpenHiService {
     protected createPostAuthenticationLambda(): IFunction;
     /**
      * Creates the Post Confirmation Lambda (Cognito trigger). On sign-up
-     * confirmation, writes the new user's default Tenant, Workspace,
-     * Memberships, and `tenant-user` RoleAssignment, plus a User record
-     * carrying the Cognito `sub` and current tenant/workspace pointers
-     * (ADR 2026-03-17-01 invariants).
+     * confirmation, publishes a control-plane workflow event; provisioning lives
+     * behind EventBridge.
      */
     protected createPostConfirmationLambda(): IFunction;
+    protected createUserOnboardingWorkflow(): UserOnboardingWorkflow;
     private dataStoreTable;
+    private controlEventBus;
     /**
      * Creates the Cognito User Pool and exports its ID to SSM.
      * Look up via {@link OpenHiAuthService.userPoolFromConstruct}.
@@ -1046,9 +1104,8 @@ declare class OpenHiAuthService extends OpenHiService {
      */
     protected grantPostAuthenticationPermissions(): void;
     /**
-     * Grants the Post Confirmation Lambda write access to the data store
-     * table (and its GSIs) so it can seed the new user's Tenant, Workspace,
-     * Memberships, RoleAssignment, and User records on sign-up confirmation.
+     * Grants the Post Confirmation Lambda publish-only access to the
+     * control-plane event bus. Workflow Lambdas own DynamoDB writes.
      */
     protected grantPostConfirmationPermissions(): void;
     /**
@@ -1084,9 +1141,9 @@ interface OpenHiGlobalServiceProps extends OpenHiServiceProps {
 }
 /**
  * Global Infrastructure stack: owns global DNS, certificates, and the
- * cross-region EventBridge buses (data, ops). Resources (root zone, optional
- * child zone, wildcard cert, data/ops buses) are created in protected methods;
- * subclasses may override to customize.
+ * cross-region EventBridge buses (data, ops, control). Resources (root zone,
+ * optional child zone, wildcard cert, data/ops/control buses) are created in
+ * protected methods; subclasses may override to customize.
  */
 declare class OpenHiGlobalService extends OpenHiService {
     static readonly SERVICE_TYPE = "global";
@@ -1113,6 +1170,10 @@ declare class OpenHiGlobalService extends OpenHiService {
      * Returns the ops event bus by name (deterministic per branch). Use from other stacks to obtain an IEventBus reference.
      */
     static opsEventBusFromConstruct(scope: Construct): IEventBus;
+    /**
+     * Returns the control-plane event bus by name (deterministic per branch). Use from other stacks to obtain an IEventBus reference.
+     */
+    static controlEventBusFromConstruct(scope: Construct): IEventBus;
     get serviceType(): string;
     /** Override so this.props is typed with this service's options. */
     props: OpenHiGlobalServiceProps;
@@ -1129,6 +1190,11 @@ declare class OpenHiGlobalService extends OpenHiService {
      * Other stacks obtain it via {@link OpenHiGlobalService.opsEventBusFromConstruct}.
      */
     readonly opsEventBus: IEventBus;
+    /**
+     * Event bus for control-plane lifecycle and command events.
+     * Other stacks obtain it via {@link OpenHiGlobalService.controlEventBusFromConstruct}.
+     */
+    readonly controlEventBus: IEventBus;
     constructor(ohEnv: OpenHiEnvironment, props?: OpenHiGlobalServiceProps);
     /**
      * Validates that config required for the Global stack is present.
@@ -1162,6 +1228,11 @@ declare class OpenHiGlobalService extends OpenHiService {
      * Override to customize.
      */
     protected createOpsEventBus(): IEventBus;
+    /**
+     * Creates the control-plane event bus.
+     * Override to customize.
+     */
+    protected createControlEventBus(): IEventBus;
 }
 
 /**
@@ -1251,8 +1322,8 @@ interface OpenHiDataServiceProps extends OpenHiServiceProps {
  * Data storage service stack: centralizes DynamoDB, S3, and other persistence
  * resources for OpenHI. Creates the single-table data store in a protected
  * method; subclasses may override to customize. EventBridge event buses
- * (data, ops) are owned by {@link OpenHiGlobalService} so they deploy ahead of
- * regional services.
+ * (data, ops, control) are owned by {@link OpenHiGlobalService} so they deploy
+ * ahead of regional services.
  */
 declare class OpenHiDataService extends OpenHiService {
     static readonly SERVICE_TYPE = "data";
@@ -1314,4 +1385,4 @@ declare class OpenHiGraphqlService extends OpenHiService {
     protected createRootGraphqlApi(): RootGraphqlApi;
 }
 
-export { type BuildParameterNameProps, ChildHostedZone, type ChildHostedZoneProps, CognitoFixtureSeederClient, type CognitoFixtureSeederClientProps, CognitoUserPool, CognitoUserPoolClient, CognitoUserPoolDomain, CognitoUserPoolKmsKey, DATA_STORE_CHANGE_DETAIL_MAX_UTF8_BYTES, DATA_STORE_CHANGE_DETAIL_TYPE, DATA_STORE_CHANGE_EVENT_SOURCE, DataEventBus, DataStoreHistoricalArchive, type DataStoreHistoricalArchiveProps, DataStorePostgresReplica, type DataStorePostgresReplicaProps, DiscoverableStringParameter, type DiscoverableStringParameterProps, DynamoDbDataStore, type DynamoDbDataStoreProps, type FhirCurrentResourceChangeDetail, OpenHiApp, type OpenHiAppProps, OpenHiAuthService, type OpenHiAuthServiceProps, OpenHiDataService, type OpenHiDataServiceProps, OpenHiEnvironment, type OpenHiEnvironmentProps, OpenHiGlobalService, type OpenHiGlobalServiceProps, OpenHiGraphqlService, type OpenHiGraphqlServiceProps, OpenHiRestApiService, type OpenHiRestApiServiceProps, OpenHiService, type OpenHiServiceProps, type OpenHiServiceType, OpenHiStage, type OpenHiStageProps, OpsEventBus, POSTGRES_REPLICA_CLUSTER_ARN_SSM_NAME, POSTGRES_REPLICA_DATABASE_NAME_SSM_NAME, POSTGRES_REPLICA_SECRET_ARN_SSM_NAME, PostAuthenticationLambda, PostConfirmationLambda, type PostConfirmationLambdaProps, PreTokenGenerationLambda, type PreTokenGenerationLambdaProps, REST_API_BASE_URL_SSM_NAME, RootGraphqlApi, type RootGraphqlApiProps, RootHostedZone, RootHttpApi, type RootHttpApiProps, RootWildcardCertificate, STATIC_HOSTING_SERVICE_TYPE, StaticHosting, type StaticHostingProps, buildFhirCurrentResourceChangeDetail, getDynamoDbDataStoreTableName, getPostgresReplicaSchemaName };
+export { type BuildParameterNameProps, ChildHostedZone, type ChildHostedZoneProps, CognitoFixtureSeederClient, type CognitoFixtureSeederClientProps, CognitoUserPool, CognitoUserPoolClient, CognitoUserPoolDomain, CognitoUserPoolKmsKey, ControlEventBus, DATA_STORE_CHANGE_DETAIL_MAX_UTF8_BYTES, DATA_STORE_CHANGE_DETAIL_TYPE, DATA_STORE_CHANGE_EVENT_SOURCE, DataEventBus, DataStoreHistoricalArchive, type DataStoreHistoricalArchiveProps, DataStorePostgresReplica, type DataStorePostgresReplicaProps, DiscoverableStringParameter, type DiscoverableStringParameterProps, DynamoDbDataStore, type DynamoDbDataStoreProps, type FhirCurrentResourceChangeDetail, OpenHiApp, type OpenHiAppProps, OpenHiAuthService, type OpenHiAuthServiceProps, OpenHiDataService, type OpenHiDataServiceProps, OpenHiEnvironment, type OpenHiEnvironmentProps, OpenHiGlobalService, type OpenHiGlobalServiceProps, OpenHiGraphqlService, type OpenHiGraphqlServiceProps, OpenHiRestApiService, type OpenHiRestApiServiceProps, OpenHiService, type OpenHiServiceProps, type OpenHiServiceType, OpenHiStage, type OpenHiStageProps, OpsEventBus, POSTGRES_REPLICA_CLUSTER_ARN_SSM_NAME, POSTGRES_REPLICA_DATABASE_NAME_SSM_NAME, POSTGRES_REPLICA_SECRET_ARN_SSM_NAME, PostAuthenticationLambda, PostConfirmationLambda, type PostConfirmationLambdaProps, PreTokenGenerationLambda, type PreTokenGenerationLambdaProps, ProvisionDefaultWorkspaceLambda, type ProvisionDefaultWorkspaceLambdaProps, REST_API_BASE_URL_SSM_NAME, RootGraphqlApi, type RootGraphqlApiProps, RootHostedZone, RootHttpApi, type RootHttpApiProps, RootWildcardCertificate, STATIC_HOSTING_SERVICE_TYPE, StaticHosting, type StaticHostingProps, UserOnboardingWorkflow, type UserOnboardingWorkflowProps, buildFhirCurrentResourceChangeDetail, getDynamoDbDataStoreTableName, getPostgresReplicaSchemaName };

package/lib/index.d.ts

@@ -8,7 +8,7 @@ import { Key, KeyProps, IKey } from 'aws-cdk-lib/aws-kms';
 import { NodejsFunction } from 'aws-cdk-lib/aws-lambda-nodejs';
 import { AttributeValue } from '@aws-sdk/client-dynamodb';
 import * as events from 'aws-cdk-lib/aws-events';
-import { EventBus, EventBusProps, IEventBus } from 'aws-cdk-lib/aws-events';
+import { EventBus, EventBusProps, Rule, IEventBus } from 'aws-cdk-lib/aws-events';
 import * as kinesis from 'aws-cdk-lib/aws-kinesis';
 import * as kinesisfirehose from 'aws-cdk-lib/aws-kinesisfirehose';
 import * as s3 from 'aws-cdk-lib/aws-s3';
@@ -20,6 +20,7 @@ import { HostedZone, HostedZoneProps, IHostedZone, HostedZoneAttributes } from '
 import { StringParameterProps, StringParameter } from 'aws-cdk-lib/aws-ssm';
 import { Distribution, DistributionProps } from 'aws-cdk-lib/aws-cloudfront';
 import { IFunction } from 'aws-cdk-lib/aws-lambda';
+import { PostConfirmationTriggerEvent } from 'aws-lambda';
 
 /*******************************************************************************
  *
@@ -118,6 +119,26 @@ interface DynamoDbStreamKinesisRecord {
     };
 }
 
+/**
+ * @see sites/www-docs/content/packages/@openhi/constructs/workflows/control-plane/user-onboarding/events.md
+ */
+declare const USER_ONBOARDING_EVENT_SOURCE = "openhi.control.user-onboarding";
+declare const PROVISION_DEFAULT_WORKSPACE_DETAIL_TYPE = "ProvisionDefaultWorkspaceRequested";
+interface ProvisionDefaultWorkspaceRequestedDetail {
+    readonly cognitoSub: string;
+    readonly userId?: string;
+    readonly email?: string;
+    readonly displayName?: string;
+    readonly trigger: {
+        readonly source: "cognito.post-confirmation";
+        readonly triggerSource?: string;
+        readonly userPoolId?: string;
+        readonly userName?: string;
+        readonly clientId?: string;
+    };
+}
+declare const buildProvisionDefaultWorkspaceRequestedDetail: (event: PostConfirmationTriggerEvent) => ProvisionDefaultWorkspaceRequestedDetail | undefined;
+
 /**
  * Properties for creating an OpenHiStage instance.
  */
@@ -579,16 +600,14 @@ declare class PostAuthenticationLambda extends Construct {
 
 interface PostConfirmationLambdaProps {
     /**
-     * DynamoDB data store table name. Passed to the Lambda as DYNAMO_TABLE_NAME
-     * so the control-plane ElectroDB service writes to the same single-table store.
+     * Control-plane EventBridge bus name. Passed to the Lambda as
+     * CONTROL_EVENT_BUS_NAME so it can publish onboarding workflow events.
      */
-    readonly dynamoTableName: string;
+    readonly controlEventBusName: string;
 }
 /**
- * Lambda used as Cognito Post Confirmation trigger. Creates the new user's
- * default Tenant, Workspace, Memberships, and RoleAssignment, plus a User
- * record carrying the Cognito `sub` and current tenant/workspace pointers
- * (ADR 2026-03-17-01).
+ * Lambda used as Cognito Post Confirmation trigger. It publishes a control
+ * event and returns quickly; workflow Lambdas own provisioning.
  */
 declare class PostConfirmationLambda extends Construct {
     readonly lambda: NodejsFunction;
@@ -756,6 +775,21 @@ declare class OpsEventBus extends EventBus {
     constructor(scope: Construct, props?: EventBusProps);
 }
 
+/**
+ * @see sites/www-docs/content/packages/@openhi/constructs/components/event-bridge/control-event-bus.md
+ */
+declare class ControlEventBus extends EventBus {
+    /*****************************************************************************
+     *
+     * Return a name for this EventBus based on the stack environment hash. This
+     * name is common across all stacks since it's using the environment hash in
+     * its name.
+     *
+     ****************************************************************************/
+    static getEventBusName(scope: Construct): string;
+    constructor(scope: Construct, props?: EventBusProps);
+}
+
 /**
  * SSM parameter names that publish the Postgres replica's coordinates so other
  * stacks (notably the REST API stack) can discover them without a direct CDK
@@ -1000,6 +1034,47 @@ declare class StaticHosting extends Construct {
     constructor(scope: Construct, id: string, props?: StaticHostingProps);
 }
 
+interface ProvisionDefaultWorkspaceLambdaProps {
+    /**
+     * DynamoDB data store table. Used for the Lambda's `DYNAMO_TABLE_NAME`
+     * env var and for granting the Lambda the writes + GSI queries it needs
+     * to provision default control-plane resources.
+     */
+    readonly dataStoreTable: ITable;
+    /**
+     * Control-plane event bus that the EventBridge Rule listens on.
+     */
+    readonly controlEventBus: IEventBus;
+}
+/**
+ * Lambda used by the user-onboarding workflow to create a user's default
+ * Tenant, Workspace, Memberships, and RoleAssignment.
+ *
+ * Owns the EventBridge Rule that routes the default-workspace onboarding
+ * event to itself, and the IAM permissions it needs on the data store
+ * table — colocating routing + permissions with the function they target.
+ */
+declare class ProvisionDefaultWorkspaceLambda extends Construct {
+    readonly lambda: NodejsFunction;
+    readonly rule: Rule;
+    constructor(scope: Construct, props: ProvisionDefaultWorkspaceLambdaProps);
+}
+
+/**
+ * @see sites/www-docs/content/packages/@openhi/constructs/workflows/control-plane/user-onboarding/user-onboarding-workflow.md
+ */
+interface UserOnboardingWorkflowProps {
+    readonly controlEventBus: IEventBus;
+    readonly dataStoreTable: ITable;
+}
+/**
+ * Control-plane workflow for onboarding users after Cognito confirmation.
+ */
+declare class UserOnboardingWorkflow extends Construct {
+    readonly provisionDefaultWorkspace: ProvisionDefaultWorkspaceLambda;
+    constructor(scope: Construct, props: UserOnboardingWorkflowProps);
+}
+
 /**
  * @see sites/www-docs/content/packages/@openhi/constructs/services/open-hi-auth-service.md
  */
@@ -1065,6 +1140,7 @@ declare class OpenHiAuthService extends OpenHiService {
     readonly preTokenGenerationLambda: IFunction;
     readonly postAuthenticationLambda: IFunction;
     readonly postConfirmationLambda: IFunction;
+    readonly userOnboardingWorkflow: UserOnboardingWorkflow;
     readonly userPool: IUserPool;
     readonly userPoolClient: IUserPoolClient;
     readonly userPoolDomain: IUserPoolDomain;
@@ -1081,6 +1157,7 @@ declare class OpenHiAuthService extends OpenHiService {
      * would collide.
      */
     private _dataStoreTable;
+    private _controlEventBus;
     constructor(ohEnv: OpenHiEnvironment, props?: OpenHiAuthServiceProps);
     /**
      * Creates the KMS key for the Cognito User Pool and exports its ARN to SSM.
@@ -1103,13 +1180,13 @@ declare class OpenHiAuthService extends OpenHiService {
     protected createPostAuthenticationLambda(): IFunction;
     /**
      * Creates the Post Confirmation Lambda (Cognito trigger). On sign-up
-     * confirmation, writes the new user's default Tenant, Workspace,
-     * Memberships, and `tenant-user` RoleAssignment, plus a User record
-     * carrying the Cognito `sub` and current tenant/workspace pointers
-     * (ADR 2026-03-17-01 invariants).
+     * confirmation, publishes a control-plane workflow event; provisioning lives
+     * behind EventBridge.
      */
     protected createPostConfirmationLambda(): IFunction;
+    protected createUserOnboardingWorkflow(): UserOnboardingWorkflow;
     private dataStoreTable;
+    private controlEventBus;
     /**
      * Creates the Cognito User Pool and exports its ID to SSM.
      * Look up via {@link OpenHiAuthService.userPoolFromConstruct}.
@@ -1141,9 +1218,8 @@ declare class OpenHiAuthService extends OpenHiService {
      */
     protected grantPostAuthenticationPermissions(): void;
     /**
-     * Grants the Post Confirmation Lambda write access to the data store
-     * table (and its GSIs) so it can seed the new user's Tenant, Workspace,
-     * Memberships, RoleAssignment, and User records on sign-up confirmation.
+     * Grants the Post Confirmation Lambda publish-only access to the
+     * control-plane event bus. Workflow Lambdas own DynamoDB writes.
      */
     protected grantPostConfirmationPermissions(): void;
     /**
@@ -1179,9 +1255,9 @@ interface OpenHiGlobalServiceProps extends OpenHiServiceProps {
 }
 /**
  * Global Infrastructure stack: owns global DNS, certificates, and the
- * cross-region EventBridge buses (data, ops). Resources (root zone, optional
- * child zone, wildcard cert, data/ops buses) are created in protected methods;
- * subclasses may override to customize.
+ * cross-region EventBridge buses (data, ops, control). Resources (root zone,
+ * optional child zone, wildcard cert, data/ops/control buses) are created in
+ * protected methods; subclasses may override to customize.
  */
 declare class OpenHiGlobalService extends OpenHiService {
     static readonly SERVICE_TYPE = "global";
@@ -1208,6 +1284,10 @@ declare class OpenHiGlobalService extends OpenHiService {
      * Returns the ops event bus by name (deterministic per branch). Use from other stacks to obtain an IEventBus reference.
      */
     static opsEventBusFromConstruct(scope: Construct): IEventBus;
+    /**
+     * Returns the control-plane event bus by name (deterministic per branch). Use from other stacks to obtain an IEventBus reference.
+     */
+    static controlEventBusFromConstruct(scope: Construct): IEventBus;
     get serviceType(): string;
     /** Override so this.props is typed with this service's options. */
     props: OpenHiGlobalServiceProps;
@@ -1224,6 +1304,11 @@ declare class OpenHiGlobalService extends OpenHiService {
      * Other stacks obtain it via {@link OpenHiGlobalService.opsEventBusFromConstruct}.
      */
     readonly opsEventBus: IEventBus;
+    /**
+     * Event bus for control-plane lifecycle and command events.
+     * Other stacks obtain it via {@link OpenHiGlobalService.controlEventBusFromConstruct}.
+     */
+    readonly controlEventBus: IEventBus;
     constructor(ohEnv: OpenHiEnvironment, props?: OpenHiGlobalServiceProps);
     /**
      * Validates that config required for the Global stack is present.
@@ -1257,6 +1342,11 @@ declare class OpenHiGlobalService extends OpenHiService {
      * Override to customize.
      */
     protected createOpsEventBus(): IEventBus;
+    /**
+     * Creates the control-plane event bus.
+     * Override to customize.
+     */
+    protected createControlEventBus(): IEventBus;
 }
 
 /**
@@ -1346,8 +1436,8 @@ interface OpenHiDataServiceProps extends OpenHiServiceProps {
  * Data storage service stack: centralizes DynamoDB, S3, and other persistence
  * resources for OpenHI. Creates the single-table data store in a protected
  * method; subclasses may override to customize. EventBridge event buses
- * (data, ops) are owned by {@link OpenHiGlobalService} so they deploy ahead of
- * regional services.
+ * (data, ops, control) are owned by {@link OpenHiGlobalService} so they deploy
+ * ahead of regional services.
  */
 declare class OpenHiDataService extends OpenHiService {
     static readonly SERVICE_TYPE = "data";
@@ -1409,5 +1499,5 @@ declare class OpenHiGraphqlService extends OpenHiService {
     protected createRootGraphqlApi(): RootGraphqlApi;
 }
 
-export { ChildHostedZone, CognitoFixtureSeederClient, CognitoUserPool, CognitoUserPoolClient, CognitoUserPoolDomain, CognitoUserPoolKmsKey, DATA_STORE_CHANGE_DETAIL_MAX_UTF8_BYTES, DATA_STORE_CHANGE_DETAIL_TYPE, DATA_STORE_CHANGE_EVENT_SOURCE, DataEventBus, DataStoreHistoricalArchive, DataStorePostgresReplica, DiscoverableStringParameter, DynamoDbDataStore, OpenHiApp, OpenHiAuthService, OpenHiDataService, OpenHiEnvironment, OpenHiGlobalService, OpenHiGraphqlService, OpenHiRestApiService, OpenHiService, OpenHiStage, OpsEventBus, POSTGRES_REPLICA_CLUSTER_ARN_SSM_NAME, POSTGRES_REPLICA_DATABASE_NAME_SSM_NAME, POSTGRES_REPLICA_SECRET_ARN_SSM_NAME, PostAuthenticationLambda, PostConfirmationLambda, PreTokenGenerationLambda, REST_API_BASE_URL_SSM_NAME, RootGraphqlApi, RootHostedZone, RootHttpApi, RootWildcardCertificate, STATIC_HOSTING_SERVICE_TYPE, StaticHosting, buildFhirCurrentResourceChangeDetail, getDynamoDbDataStoreTableName, getPostgresReplicaSchemaName };
-export type { BuildParameterNameProps, ChildHostedZoneProps, CognitoFixtureSeederClientProps, DataStoreHistoricalArchiveProps, DataStorePostgresReplicaProps, DiscoverableStringParameterProps, DynamoDbDataStoreProps, FhirCurrentResourceChangeDetail, OpenHiAppProps, OpenHiAuthServiceProps, OpenHiDataServiceProps, OpenHiEnvironmentProps, OpenHiGlobalServiceProps, OpenHiGraphqlServiceProps, OpenHiRestApiServiceProps, OpenHiServiceProps, OpenHiServiceType, OpenHiStageProps, PostConfirmationLambdaProps, PreTokenGenerationLambdaProps, RootGraphqlApiProps, RootHttpApiProps, StaticHostingProps };
+export { ChildHostedZone, CognitoFixtureSeederClient, CognitoUserPool, CognitoUserPoolClient, CognitoUserPoolDomain, CognitoUserPoolKmsKey, ControlEventBus, DATA_STORE_CHANGE_DETAIL_MAX_UTF8_BYTES, DATA_STORE_CHANGE_DETAIL_TYPE, DATA_STORE_CHANGE_EVENT_SOURCE, DataEventBus, DataStoreHistoricalArchive, DataStorePostgresReplica, DiscoverableStringParameter, DynamoDbDataStore, OpenHiApp, OpenHiAuthService, OpenHiDataService, OpenHiEnvironment, OpenHiGlobalService, OpenHiGraphqlService, OpenHiRestApiService, OpenHiService, OpenHiStage, OpsEventBus, POSTGRES_REPLICA_CLUSTER_ARN_SSM_NAME, POSTGRES_REPLICA_DATABASE_NAME_SSM_NAME, POSTGRES_REPLICA_SECRET_ARN_SSM_NAME, PROVISION_DEFAULT_WORKSPACE_DETAIL_TYPE, PostAuthenticationLambda, PostConfirmationLambda, PreTokenGenerationLambda, ProvisionDefaultWorkspaceLambda, REST_API_BASE_URL_SSM_NAME, RootGraphqlApi, RootHostedZone, RootHttpApi, RootWildcardCertificate, STATIC_HOSTING_SERVICE_TYPE, StaticHosting, USER_ONBOARDING_EVENT_SOURCE, UserOnboardingWorkflow, buildFhirCurrentResourceChangeDetail, buildProvisionDefaultWorkspaceRequestedDetail, getDynamoDbDataStoreTableName, getPostgresReplicaSchemaName };
+export type { BuildParameterNameProps, ChildHostedZoneProps, CognitoFixtureSeederClientProps, DataStoreHistoricalArchiveProps, DataStorePostgresReplicaProps, DiscoverableStringParameterProps, DynamoDbDataStoreProps, FhirCurrentResourceChangeDetail, OpenHiAppProps, OpenHiAuthServiceProps, OpenHiDataServiceProps, OpenHiEnvironmentProps, OpenHiGlobalServiceProps, OpenHiGraphqlServiceProps, OpenHiRestApiServiceProps, OpenHiServiceProps, OpenHiServiceType, OpenHiStageProps, PostConfirmationLambdaProps, PreTokenGenerationLambdaProps, ProvisionDefaultWorkspaceLambdaProps, ProvisionDefaultWorkspaceRequestedDetail, RootGraphqlApiProps, RootHttpApiProps, StaticHostingProps, UserOnboardingWorkflowProps };