@openhi/constructs 0.0.104 → 0.0.106

package/lib/index.mjs

@@ -1,13 +1,66 @@
+import {
+  SEED_SYSTEM_DATA_ACTOR_SYSTEM,
+  SEED_SYSTEM_DATA_CONSUMER_NAME,
+  SEED_SYSTEM_DATA_CONTROL_BUS_ENV_VAR,
+  import_workflows as import_workflows2
+} from "./chunk-AGF3RAAZ.mjs";
+import {
+  DEMO_PERIOD,
+  DEMO_TENANT_SPECS,
+  DEMO_URN_SYSTEM,
+  DEV_USERS,
+  OPENHI_RESOURCE_URN_SYSTEM,
+  PLACEHOLDER_TENANT_ID,
+  PLACEHOLDER_WORKSPACE_ID,
+  PLATFORM_SCOPE_TENANT_ID,
+  SEED_DEMO_DATA_CONSUMER_NAME,
+  SEED_DEMO_DATA_USER_POOL_ID_ENV_VAR,
+  demoBasePartitionKeys,
+  demoDevUserPartitionKeys,
+  demoMembershipId,
+  demoMembershipPartitionKey,
+  demoRoleAssignmentId,
+  demoRoleAssignmentPartitionKey,
+  demoRolesForUserInTenant,
+  demoScenarioIdentifier,
+  demoTenantPartitionKey,
+  demoUserPartitionKey,
+  demoWorkspacePartitionKey,
+  import_workflows,
+  openhiResourceIdentifier,
+  rolePartitionKey
+} from "./chunk-QMIOLLAS.mjs";
 import {
   DATA_STORE_CHANGE_DETAIL_MAX_UTF8_BYTES,
   DATA_STORE_CHANGE_DETAIL_TYPE,
   DATA_STORE_CHANGE_EVENT_SOURCE,
   buildFhirCurrentResourceChangeDetail
 } from "./chunk-CEOAGPYY.mjs";
+import "./chunk-L6UAP4KP.mjs";
+import {
+  PROVISION_DEFAULT_WORKSPACE_DETAIL_TYPE,
+  USER_ONBOARDING_EVENT_SOURCE,
+  buildProvisionDefaultWorkspaceRequestedDetail
+} from "./chunk-2PM2NGXI.mjs";
+import {
+  BRIDGED_STATUSES,
+  CLOUDFORMATION_EVENT_SOURCE,
+  CLOUDFORMATION_STACK_STATUS_CHANGE_DETAIL_TYPE,
+  CONTROL_EVENT_BUS_NAME_ENV_VAR,
+  OPENHI_REPO_TAG_KEY_ENV_VAR,
+  OPENHI_TAG_KEY_PREFIX_ENV_VAR,
+  PLATFORM_DEPLOY_BRIDGE_ACTOR_SYSTEM
+} from "./chunk-VXX4I3EF.mjs";
+import {
+  require_lib
+} from "./chunk-SYBADQXI.mjs";
+import "./chunk-AO3E22CS.mjs";
+import "./chunk-YZZDUJHI.mjs";
+import "./chunk-VYDIGFIX.mjs";
 import {
   __commonJS,
   __toESM
-} from "./chunk-3QS3WKRC.mjs";
+} from "./chunk-LZOMFHX3.mjs";
 
 // ../config/lib/open-hi-config.js
 var require_open_hi_config = __commonJS({
@@ -45,7 +98,7 @@ var require_open_hi_config = __commonJS({
 });
 
 // ../config/lib/index.js
-var require_lib = __commonJS({
+var require_lib2 = __commonJS({
   "../config/lib/index.js"(exports) {
     "use strict";
     var __createBinding = exports && exports.__createBinding || (Object.create ? (function(o, m, k, k2) {
@@ -70,11 +123,11 @@ var require_lib = __commonJS({
 });
 
 // src/app/open-hi-app.ts
-var import_config2 = __toESM(require_lib());
+var import_config2 = __toESM(require_lib2());
 import { App } from "aws-cdk-lib";
 
 // src/app/open-hi-environment.ts
-var import_config = __toESM(require_lib());
+var import_config = __toESM(require_lib2());
 import { Stage } from "aws-cdk-lib";
 var OPEN_HI_ENVIRONMENT_SYMBOL = /* @__PURE__ */ Symbol.for(
   "@openhi/constructs/core.OpenHiEnvironment"
@@ -276,7 +329,7 @@ var OpenHiApp = class _OpenHiApp extends App {
 };
 
 // src/app/open-hi-service.ts
-var import_config3 = __toESM(require_lib());
+var import_config3 = __toESM(require_lib2());
 import {
   findGitBranch,
   findGitRepoName,
@@ -284,6 +337,11 @@ import {
 } from "@codedrifters/utils";
 import { RemovalPolicy, Stack, Tags } from "aws-cdk-lib";
 import { paramCase } from "change-case";
+var OPENHI_TAG_SUFFIX_REPO_NAME = "repo-name";
+var OPENHI_TAG_SUFFIX_BRANCH_NAME = "branch-name";
+var OPENHI_TAG_SUFFIX_SERVICE_TYPE = "service-type";
+var OPENHI_TAG_SUFFIX_STAGE_TYPE = "stage-type";
+var openHiTagKey = (appName, suffix) => `${appName}:${suffix}`;
 var OpenHiService = class extends Stack {
   /**
    * Creates a new OpenHI service stack.
@@ -351,11 +409,20 @@ var OpenHiService = class extends Stack {
       `availability-zones:account=${account}:region=${region}`,
       [`${region}a`, `${region}b`, `${region}c`]
     );
-    Tags.of(this).add(`${appName}:repo-name`, repoName.slice(0, 255));
-    Tags.of(this).add(`${appName}:branch-name`, branchName.slice(0, 255));
-    Tags.of(this).add(`${appName}:service-type`, id.slice(0, 255));
     Tags.of(this).add(
-      `${appName}:stage-type`,
+      openHiTagKey(appName, OPENHI_TAG_SUFFIX_REPO_NAME),
+      repoName.slice(0, 255)
+    );
+    Tags.of(this).add(
+      openHiTagKey(appName, OPENHI_TAG_SUFFIX_BRANCH_NAME),
+      branchName.slice(0, 255)
+    );
+    Tags.of(this).add(
+      openHiTagKey(appName, OPENHI_TAG_SUFFIX_SERVICE_TYPE),
+      id.slice(0, 255)
+    );
+    Tags.of(this).add(
+      openHiTagKey(appName, OPENHI_TAG_SUFFIX_STAGE_TYPE),
       ohEnv.ohStage.stageType.slice(0, 255)
     );
   }
@@ -711,14 +778,13 @@ import { Runtime as Runtime2 } from "aws-cdk-lib/aws-lambda";
 import { NodejsFunction as NodejsFunction2 } from "aws-cdk-lib/aws-lambda-nodejs";
 import { Construct as Construct2 } from "constructs";
 var HANDLER_NAME2 = "post-confirmation.handler.js";
-function resolveHandlerEntry2(dirname) {
+var resolveHandlerEntry2 = (dirname) => {
   const sameDir = path2.join(dirname, HANDLER_NAME2);
   if (fs2.existsSync(sameDir)) {
     return sameDir;
   }
-  const fromLib = path2.join(dirname, "..", "..", "..", "lib", HANDLER_NAME2);
-  return fromLib;
-}
+  return path2.join(dirname, "..", "..", "..", "lib", HANDLER_NAME2);
+};
 var PostConfirmationLambda = class extends Construct2 {
   constructor(scope, props) {
     super(scope, "post-confirmation-lambda");
@@ -727,7 +793,7 @@ var PostConfirmationLambda = class extends Construct2 {
       runtime: Runtime2.NODEJS_LATEST,
       memorySize: 1024,
       environment: {
-        DYNAMO_TABLE_NAME: props.dynamoTableName
+        CONTROL_EVENT_BUS_NAME: props.controlEventBusName
       }
     });
   }
@@ -939,6 +1005,204 @@ var DynamoDbDataStore = class extends Table {
   }
 };
 
+// src/components/dynamodb/workflow-dedup-table.ts
+var import_workflows3 = __toESM(require_lib());
+import { Annotations } from "aws-cdk-lib";
+import { AttributeType as AttributeType2, BillingMode as BillingMode2, Table as Table2 } from "aws-cdk-lib/aws-dynamodb";
+import { Effect, PolicyStatement } from "aws-cdk-lib/aws-iam";
+import { Construct as Construct5 } from "constructs";
+function getWorkflowDedupTableName(scope) {
+  const stack = OpenHiService.of(scope);
+  return `workflow-dedup-${stack.branchHash}`;
+}
+var _WorkflowDedupTable = class _WorkflowDedupTable extends Construct5 {
+  constructor(scope, id, props = {}) {
+    super(scope, id);
+    this.registeredConsumers = /* @__PURE__ */ new Set();
+    const service = OpenHiService.of(scope);
+    const others = service.node.findAll().filter(
+      (c) => c instanceof _WorkflowDedupTable && c !== this
+    );
+    if (others.length > 0) {
+      throw new WorkflowDedupTableDuplicateError(
+        `WorkflowDedupTable already exists at ${others[0].node.path}; only one shared dedup table is allowed per service stack (TR-015).`
+      );
+    }
+    this.table = new Table2(this, "Table", {
+      tableName: getWorkflowDedupTableName(scope),
+      partitionKey: {
+        name: "consumerName",
+        type: AttributeType2.STRING
+      },
+      sortKey: {
+        name: "sk",
+        type: AttributeType2.STRING
+      },
+      billingMode: BillingMode2.PAY_PER_REQUEST,
+      timeToLiveAttribute: "expiresAt",
+      removalPolicy: props.removalPolicy ?? service.removalPolicy
+    });
+    new DiscoverableStringParameter(this, "table-name-param", {
+      ssmParamName: _WorkflowDedupTable.TABLE_NAME_SSM_PARAM_NAME,
+      stringValue: this.table.tableName
+    });
+    new DiscoverableStringParameter(this, "table-arn-param", {
+      ssmParamName: _WorkflowDedupTable.TABLE_ARN_SSM_PARAM_NAME,
+      stringValue: this.table.tableArn
+    });
+  }
+  /** Cross-stack lookup for the table name. */
+  static tableNameFromLookup(scope) {
+    return DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: _WorkflowDedupTable.TABLE_NAME_SSM_PARAM_NAME,
+      serviceType: _WorkflowDedupTable.PUBLISHER_SERVICE_TYPE
+    });
+  }
+  /** Cross-stack lookup for the table ARN. */
+  static tableArnFromLookup(scope) {
+    return DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: _WorkflowDedupTable.TABLE_ARN_SSM_PARAM_NAME,
+      serviceType: _WorkflowDedupTable.PUBLISHER_SERVICE_TYPE
+    });
+  }
+  /**
+   * Cross-stack equivalent of {@link grantConsumer}. Use when the dedup
+   * table is on a different stack than the consumer Lambda — the
+   * grant resolves the table name + ARN via SSM at synth time, so the
+   * consumer stack does not pick up a CloudFormation export dependency
+   * on the global stack.
+   *
+   * Inverts the singleton-guard semantics of `grantConsumer`: there is
+   * no synth-time check that the same `consumerName` was registered
+   * twice across stacks. Consumer names are agreed by convention
+   * (see TR-015); double-registration is operator error caught at
+   * design time, not synth time.
+   */
+  static grantConsumerFromLookup(scope, fn, consumerName, options = {}) {
+    _WorkflowDedupTable.assertConsumerNameStatic(consumerName);
+    const tableName = _WorkflowDedupTable.tableNameFromLookup(scope);
+    const tableArn = _WorkflowDedupTable.tableArnFromLookup(scope);
+    fn.addEnvironment(import_workflows3.WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR, tableName);
+    if (options.defaultTtlSeconds !== void 0) {
+      fn.addEnvironment(
+        "OPENHI_WORKFLOW_DEDUP_DEFAULT_TTL_SECONDS",
+        String(options.defaultTtlSeconds)
+      );
+    }
+    fn.addToRolePolicy(
+      new PolicyStatement({
+        effect: Effect.ALLOW,
+        actions: [
+          "dynamodb:PutItem",
+          "dynamodb:UpdateItem",
+          "dynamodb:GetItem",
+          "dynamodb:Query"
+        ],
+        resources: [tableArn],
+        conditions: {
+          "ForAllValues:StringEquals": {
+            "dynamodb:LeadingKeys": [consumerName]
+          }
+        }
+      })
+    );
+  }
+  /**
+   * Standalone consumer-name validator shared by the instance method
+   * and `grantConsumerFromLookup` so the two grants enforce identical
+   * invariants.
+   */
+  static assertConsumerNameStatic(consumerName) {
+    if (consumerName.length === 0) {
+      throw new WorkflowDedupConsumerNameInvalidError(
+        "consumerName must be non-empty."
+      );
+    }
+    if (consumerName.length > import_workflows3.WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH) {
+      throw new WorkflowDedupConsumerNameInvalidError(
+        `consumerName must be at most ${import_workflows3.WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH} chars; got ${consumerName.length}.`
+      );
+    }
+    if (/\s/.test(consumerName)) {
+      throw new WorkflowDedupConsumerNameInvalidError(
+        "consumerName must not contain whitespace."
+      );
+    }
+  }
+  /**
+   * Wire a Lambda consumer to this table. Injects the table-name env var
+   * so the runtime `WorkflowDedupClient` can resolve it, then attaches a
+   * per-consumer IAM grant scoped by `dynamodb:LeadingKeys` so the
+   * consumer can only read/write its own partition.
+   */
+  grantConsumer(fn, consumerName, options = {}) {
+    this.assertConsumerName(consumerName);
+    if (this.registeredConsumers.has(consumerName)) {
+      Annotations.of(this).addWarning(
+        `WorkflowDedupTable: consumerName "${consumerName}" registered more than once; subsequent grantConsumer calls add policy statements but do not re-inject the env var.`
+      );
+    }
+    this.registeredConsumers.add(consumerName);
+    fn.addEnvironment(import_workflows3.WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR, this.table.tableName);
+    if (options.defaultTtlSeconds !== void 0) {
+      fn.addEnvironment(
+        "OPENHI_WORKFLOW_DEDUP_DEFAULT_TTL_SECONDS",
+        String(options.defaultTtlSeconds)
+      );
+    }
+    fn.addToRolePolicy(
+      new PolicyStatement({
+        effect: Effect.ALLOW,
+        actions: [
+          "dynamodb:PutItem",
+          "dynamodb:UpdateItem",
+          "dynamodb:GetItem",
+          "dynamodb:Query"
+        ],
+        resources: [this.table.tableArn],
+        conditions: {
+          "ForAllValues:StringEquals": {
+            "dynamodb:LeadingKeys": [consumerName]
+          }
+        }
+      })
+    );
+  }
+  assertConsumerName(consumerName) {
+    _WorkflowDedupTable.assertConsumerNameStatic(consumerName);
+  }
+};
+/** SSM param name (short) used by `DiscoverableStringParameter` for the table name lookup. */
+_WorkflowDedupTable.TABLE_NAME_SSM_PARAM_NAME = "workflow-dedup-table-name";
+/** SSM param name (short) used by `DiscoverableStringParameter` for the table ARN lookup. */
+_WorkflowDedupTable.TABLE_ARN_SSM_PARAM_NAME = "workflow-dedup-table-arn";
+/**
+ * Service-type the publishing stack runs under. The cross-stack lookups
+ * pin to this value so consumer stacks on a different service-type
+ * (e.g. `data`, `auth`) resolve the parameter at the publisher's SSM
+ * path instead of their own. Typed against `OpenHiServiceType` so a
+ * future rename of the literal triggers a compile error; not pulled
+ * from `OpenHiGlobalService.SERVICE_TYPE` because
+ * `OpenHiGlobalService` already imports `WorkflowDedupTable` — a
+ * back-import would create a circular dependency.
+ */
+_WorkflowDedupTable.PUBLISHER_SERVICE_TYPE = "global";
+var WorkflowDedupTable = _WorkflowDedupTable;
+var WorkflowDedupTableDuplicateError = class extends Error {
+  /** @param message - human-readable description of the duplicate. */
+  constructor(message) {
+    super(message);
+    this.name = "WorkflowDedupTableDuplicateError";
+  }
+};
+var WorkflowDedupConsumerNameInvalidError = class extends Error {
+  /** @param message - human-readable description of the invariant violation. */
+  constructor(message) {
+    super(message);
+    this.name = "WorkflowDedupConsumerNameInvalidError";
+  }
+};
+
 // src/components/event-bridge/data-event-bus.ts
 import { EventBus } from "aws-cdk-lib/aws-events";
 var DataEventBus = class _DataEventBus extends EventBus {
@@ -983,6 +1247,28 @@ var OpsEventBus = class _OpsEventBus extends EventBus2 {
   }
 };
 
+// src/components/event-bridge/control-event-bus.ts
+import { EventBus as EventBus3 } from "aws-cdk-lib/aws-events";
+var ControlEventBus = class _ControlEventBus extends EventBus3 {
+  /*****************************************************************************
+   *
+   * Return a name for this EventBus based on the stack environment hash. This
+   * name is common across all stacks since it's using the environment hash in
+   * its name.
+   *
+   ****************************************************************************/
+  static getEventBusName(scope) {
+    const stack = OpenHiService.of(scope);
+    return `controlv1${stack.branchHash}`;
+  }
+  constructor(scope, props) {
+    super(scope, "control-event-bus-v1", {
+      ...props,
+      eventBusName: _ControlEventBus.getEventBusName(scope)
+    });
+  }
+};
+
 // src/components/postgres/data-store-postgres-replica.ts
 import fs5 from "fs";
 import path5 from "path";
@@ -992,7 +1278,7 @@ import { Runtime as Runtime5, StartingPosition } from "aws-cdk-lib/aws-lambda";
 import { KinesisEventSource } from "aws-cdk-lib/aws-lambda-event-sources";
 import { NodejsFunction as NodejsFunction5 } from "aws-cdk-lib/aws-lambda-nodejs";
 import * as rds from "aws-cdk-lib/aws-rds";
-import { Construct as Construct5 } from "constructs";
+import { Construct as Construct6 } from "constructs";
 var HANDLER_NAME5 = "data-store-postgres-replication.handler.js";
 var DEFAULT_DATABASE_NAME = "openhi";
 var SCHEMA_NAME_PATTERN = /^[a-z_][a-z0-9_]{0,62}$/;
@@ -1015,7 +1301,7 @@ function getPostgresReplicaSchemaName(branchHash) {
   }
   return candidate;
 }
-var DataStorePostgresReplica = class extends Construct5 {
+var DataStorePostgresReplica = class extends Construct6 {
   /**
    * Resolve the cluster ARN published by an upstream {@link DataStorePostgresReplica}.
    * Use from any stack that needs to grant `rds-data:ExecuteStatement` against
@@ -1170,8 +1456,8 @@ var ChildHostedZone = class extends HostedZone {
 ChildHostedZone.SSM_PARAM_NAME = "CHILDHOSTEDZONE";
 
 // src/components/route-53/root-hosted-zone.ts
-import { Construct as Construct6 } from "constructs";
-var RootHostedZone = class extends Construct6 {
+import { Construct as Construct7 } from "constructs";
+var RootHostedZone = class extends Construct7 {
 };
 
 // src/components/static-hosting/static-hosting.ts
@@ -1182,9 +1468,9 @@ import {
 import { S3BucketOrigin } from "aws-cdk-lib/aws-cloudfront-origins";
 import { Bucket as Bucket2 } from "aws-cdk-lib/aws-s3";
 import { Duration as Duration5 } from "aws-cdk-lib/core";
-import { Construct as Construct7 } from "constructs";
+import { Construct as Construct8 } from "constructs";
 var STATIC_HOSTING_SERVICE_TYPE = "website";
-var _StaticHosting = class _StaticHosting extends Construct7 {
+var _StaticHosting = class _StaticHosting extends Construct8 {
   constructor(scope, id, props = {}) {
     super(scope, id);
     const stack = OpenHiService.of(scope);
@@ -1236,7 +1522,7 @@ _StaticHosting.SSM_PARAM_NAME_DISTRIBUTION_ARN = "STATIC_HOSTING_DISTRIBUTION_AR
 var StaticHosting = _StaticHosting;
 
 // src/services/open-hi-auth-service.ts
-var import_config4 = __toESM(require_lib());
+var import_config5 = __toESM(require_lib2());
 import {
   LambdaVersion,
   UserPool as UserPool2,
@@ -1244,12 +1530,13 @@ import {
   UserPoolDomain as UserPoolDomain2,
   UserPoolOperation
 } from "aws-cdk-lib/aws-cognito";
-import { Effect, PolicyStatement } from "aws-cdk-lib/aws-iam";
+import { Effect as Effect6, PolicyStatement as PolicyStatement6 } from "aws-cdk-lib/aws-iam";
 import { Key as Key2 } from "aws-cdk-lib/aws-kms";
-import { Stack as Stack3 } from "aws-cdk-lib/core";
+import { Stack as Stack6 } from "aws-cdk-lib/core";
 
 // src/services/open-hi-data-service.ts
-import { StreamViewType, Table as Table2 } from "aws-cdk-lib/aws-dynamodb";
+var import_config4 = __toESM(require_lib2());
+import { StreamViewType, Table as Table3 } from "aws-cdk-lib/aws-dynamodb";
 import * as kinesis from "aws-cdk-lib/aws-kinesis";
 
 // src/services/open-hi-global-service.ts
@@ -1257,11 +1544,99 @@ import {
   Certificate as Certificate2,
   CertificateValidation
 } from "aws-cdk-lib/aws-certificatemanager";
-import { EventBus as EventBus3 } from "aws-cdk-lib/aws-events";
+import { EventBus as EventBus4 } from "aws-cdk-lib/aws-events";
 import {
   HostedZone as HostedZone2
 } from "aws-cdk-lib/aws-route53";
 import { StringParameter as StringParameter3 } from "aws-cdk-lib/aws-ssm";
+
+// src/workflows/control-plane/platform-deploy-bridge/platform-deploy-bridge.ts
+import { Construct as Construct10 } from "constructs";
+
+// src/workflows/control-plane/platform-deploy-bridge/platform-deploy-bridge-lambda.ts
+import fs6 from "fs";
+import path6 from "path";
+import { Duration as Duration6, Stack as Stack3 } from "aws-cdk-lib";
+import { Rule } from "aws-cdk-lib/aws-events";
+import { LambdaFunction } from "aws-cdk-lib/aws-events-targets";
+import { Effect as Effect2, PolicyStatement as PolicyStatement2 } from "aws-cdk-lib/aws-iam";
+import { Runtime as Runtime6 } from "aws-cdk-lib/aws-lambda";
+import { NodejsFunction as NodejsFunction6 } from "aws-cdk-lib/aws-lambda-nodejs";
+import { Construct as Construct9 } from "constructs";
+var HANDLER_NAME6 = "platform-deploy-bridge.handler.js";
+function resolveHandlerEntry6(dirname) {
+  const sameDir = path6.join(dirname, HANDLER_NAME6);
+  if (fs6.existsSync(sameDir)) {
+    return sameDir;
+  }
+  return path6.join(dirname, "..", "..", "..", "..", "lib", HANDLER_NAME6);
+}
+var PlatformDeployBridgeLambda = class extends Construct9 {
+  constructor(scope, props) {
+    super(scope, "platform-deploy-bridge-lambda");
+    const service = OpenHiService.of(this);
+    const repoTagKey = openHiTagKey(
+      service.appName,
+      OPENHI_TAG_SUFFIX_REPO_NAME
+    );
+    const tagKeyPrefix = `${service.appName}:`;
+    const ownStackName = Stack3.of(this).stackName;
+    const ownSuffix = `-${service.serviceId}-${Stack3.of(this).account}-${Stack3.of(this).region}`;
+    const sharedPrefix = ownStackName.endsWith(ownSuffix) ? ownStackName.slice(0, -ownSuffix.length) : service.branchHash;
+    const stackIdPrefix = `arn:aws:cloudformation:${Stack3.of(this).region}:${Stack3.of(this).account}:stack/${sharedPrefix}-`;
+    this.lambda = new NodejsFunction6(this, "handler", {
+      entry: resolveHandlerEntry6(__dirname),
+      runtime: Runtime6.NODEJS_LATEST,
+      memorySize: 256,
+      timeout: Duration6.seconds(30),
+      environment: {
+        [CONTROL_EVENT_BUS_NAME_ENV_VAR]: props.controlEventBus.eventBusName,
+        [OPENHI_REPO_TAG_KEY_ENV_VAR]: repoTagKey,
+        [OPENHI_TAG_KEY_PREFIX_ENV_VAR]: tagKeyPrefix
+      }
+    });
+    this.lambda.addToRolePolicy(
+      new PolicyStatement2({
+        effect: Effect2.ALLOW,
+        actions: ["cloudformation:DescribeStacks"],
+        resources: [
+          `arn:aws:cloudformation:${Stack3.of(this).region}:${Stack3.of(this).account}:stack/*`
+        ]
+      })
+    );
+    props.controlEventBus.grantPutEventsTo(this.lambda);
+    this.rule = new Rule(this, "rule", {
+      eventPattern: {
+        source: [CLOUDFORMATION_EVENT_SOURCE],
+        detailType: [CLOUDFORMATION_STACK_STATUS_CHANGE_DETAIL_TYPE],
+        detail: {
+          "stack-id": [{ prefix: stackIdPrefix }],
+          "status-details": {
+            status: [...BRIDGED_STATUSES]
+          }
+        }
+      },
+      targets: [
+        new LambdaFunction(this.lambda, {
+          retryAttempts: 2,
+          maxEventAge: Duration6.hours(2)
+        })
+      ]
+    });
+  }
+};
+
+// src/workflows/control-plane/platform-deploy-bridge/platform-deploy-bridge.ts
+var PlatformDeployBridge = class extends Construct10 {
+  constructor(scope, props) {
+    super(scope, "platform-deploy-bridge");
+    this.bridgeLambda = new PlatformDeployBridgeLambda(this, {
+      controlEventBus: props.controlEventBus
+    });
+  }
+};
+
+// src/services/open-hi-global-service.ts
 var _OpenHiGlobalService = class _OpenHiGlobalService extends OpenHiService {
   /**
    * Returns an IHostedZone from the given attributes (no SSM). Use when the zone is imported from config.
@@ -1300,7 +1675,7 @@ var _OpenHiGlobalService = class _OpenHiGlobalService extends OpenHiService {
    * Returns the data event bus by name (deterministic per branch). Use from other stacks to obtain an IEventBus reference.
    */
   static dataEventBusFromConstruct(scope) {
-    return EventBus3.fromEventBusName(
+    return EventBus4.fromEventBusName(
       scope,
       "data-event-bus",
       DataEventBus.getEventBusName(scope)
@@ -1310,12 +1685,33 @@ var _OpenHiGlobalService = class _OpenHiGlobalService extends OpenHiService {
    * Returns the ops event bus by name (deterministic per branch). Use from other stacks to obtain an IEventBus reference.
    */
   static opsEventBusFromConstruct(scope) {
-    return EventBus3.fromEventBusName(
+    return EventBus4.fromEventBusName(
       scope,
       "ops-event-bus",
       OpsEventBus.getEventBusName(scope)
     );
   }
+  /**
+   * Returns the control-plane event bus by name (deterministic per branch). Use from other stacks to obtain an IEventBus reference.
+   */
+  static controlEventBusFromConstruct(scope) {
+    return EventBus4.fromEventBusName(
+      scope,
+      "control-event-bus",
+      ControlEventBus.getEventBusName(scope)
+    );
+  }
+  /**
+   * Returns the workflow dedup table by name (deterministic per branch).
+   * Use from other stacks to obtain an ITable reference. Consumer Lambdas
+   * are typically wired via `WorkflowDedupTable.grantConsumer(fn, name)`
+   * on the owning service's `workflowDedupTable` reference; the
+   * `tableNameFromLookup` / `tableArnFromLookup` SSM helpers on the
+   * construct cover cross-stack consumers that need only the name/ARN.
+   */
+  static workflowDedupTableNameFromLookup(scope) {
+    return WorkflowDedupTable.tableNameFromLookup(scope);
+  }
   get serviceType() {
     return _OpenHiGlobalService.SERVICE_TYPE;
   }
@@ -1328,6 +1724,9 @@ var _OpenHiGlobalService = class _OpenHiGlobalService extends OpenHiService {
     this.rootWildcardCertificate = this.createRootWildcardCertificate();
     this.dataEventBus = this.createDataEventBus();
     this.opsEventBus = this.createOpsEventBus();
+    this.controlEventBus = this.createControlEventBus();
+    this.workflowDedupTable = this.createWorkflowDedupTable();
+    this.platformDeployBridge = this.createPlatformDeployBridge();
   }
   /**
    * Validates that config required for the Global stack is present.
@@ -1392,23 +1791,249 @@ var _OpenHiGlobalService = class _OpenHiGlobalService extends OpenHiService {
   createOpsEventBus() {
     return new OpsEventBus(this);
   }
+  /**
+   * Creates the control-plane event bus.
+   * Override to customize.
+   */
+  createControlEventBus() {
+    return new ControlEventBus(this);
+  }
+  /**
+   * Creates the platform deploy bridge that republishes CloudFormation
+   * Stack Status Change events onto the control event bus.
+   * Override to customize.
+   */
+  createPlatformDeployBridge() {
+    return new PlatformDeployBridge(this, {
+      controlEventBus: this.controlEventBus
+    });
+  }
+  /**
+   * Creates the shared workflow dedup table (TR-015 singleton).
+   * Override to customize.
+   */
+  createWorkflowDedupTable() {
+    return new WorkflowDedupTable(this, "workflow-dedup-table");
+  }
 };
 _OpenHiGlobalService.SERVICE_TYPE = "global";
 var OpenHiGlobalService = _OpenHiGlobalService;
 
-// src/services/open-hi-data-service.ts
-var _OpenHiDataService = class _OpenHiDataService extends OpenHiService {
-  /**
-   * Returns the data store table by name. Use from other stacks (e.g. REST API Lambda) to obtain an ITable reference.
-   */
-  static dynamoDbDataStoreFromConstruct(scope, id = "dynamo-db-data-store") {
-    return Table2.fromTableName(scope, id, getDynamoDbDataStoreTableName(scope));
+// src/workflows/control-plane/seed-demo-data/seed-demo-data-lambda.ts
+import fs7 from "fs";
+import path7 from "path";
+import { CONTROL_PLANE_ROLE_IDS } from "@openhi/types";
+import { Duration as Duration7, Stack as Stack4 } from "aws-cdk-lib";
+import { Rule as Rule2 } from "aws-cdk-lib/aws-events";
+import { LambdaFunction as LambdaFunction2 } from "aws-cdk-lib/aws-events-targets";
+import { Effect as Effect3, PolicyStatement as PolicyStatement3 } from "aws-cdk-lib/aws-iam";
+import { Runtime as Runtime7 } from "aws-cdk-lib/aws-lambda";
+import { NodejsFunction as NodejsFunction7 } from "aws-cdk-lib/aws-lambda-nodejs";
+import { Construct as Construct11 } from "constructs";
+var HANDLER_NAME7 = "seed-demo-data.handler.js";
+function resolveHandlerEntry7(dirname) {
+  const sameDir = path7.join(dirname, HANDLER_NAME7);
+  if (fs7.existsSync(sameDir)) {
+    return sameDir;
   }
-  get serviceType() {
-    return _OpenHiDataService.SERVICE_TYPE;
+  return path7.join(dirname, "..", "..", "..", "..", "lib", HANDLER_NAME7);
+}
+var SeedDemoDataLambda = class extends Construct11 {
+  constructor(scope, props) {
+    super(scope, "seed-demo-data-lambda");
+    this.lambda = new NodejsFunction7(this, "handler", {
+      entry: resolveHandlerEntry7(__dirname),
+      runtime: Runtime7.NODEJS_LATEST,
+      memorySize: 512,
+      timeout: Duration7.minutes(2),
+      environment: {
+        DYNAMO_TABLE_NAME: props.dataStoreTable.tableName,
+        [SEED_DEMO_DATA_USER_POOL_ID_ENV_VAR]: props.userPool.userPoolId
+      }
+    });
+    const roleReadKeys = Object.values(CONTROL_PLANE_ROLE_IDS).map(
+      rolePartitionKey
+    );
+    this.lambda.addToRolePolicy(
+      new PolicyStatement3({
+        effect: Effect3.ALLOW,
+        actions: ["dynamodb:GetItem"],
+        resources: [props.dataStoreTable.tableArn],
+        conditions: {
+          "ForAllValues:StringEquals": {
+            "dynamodb:LeadingKeys": roleReadKeys
+          }
+        }
+      })
+    );
+    const writeKeys = [
+      ...demoBasePartitionKeys(),
+      ...demoDevUserPartitionKeys(DEV_USERS)
+    ];
+    this.lambda.addToRolePolicy(
+      new PolicyStatement3({
+        effect: Effect3.ALLOW,
+        actions: ["dynamodb:PutItem", "dynamodb:UpdateItem"],
+        resources: [props.dataStoreTable.tableArn],
+        conditions: {
+          "ForAllValues:StringEquals": {
+            "dynamodb:LeadingKeys": writeKeys
+          }
+        }
+      })
+    );
+    this.lambda.addToRolePolicy(
+      new PolicyStatement3({
+        effect: Effect3.ALLOW,
+        actions: [
+          "cognito-idp:AdminCreateUser",
+          "cognito-idp:AdminGetUser",
+          "cognito-idp:AdminSetUserPassword"
+        ],
+        resources: [
+          Stack4.of(this).formatArn({
+            service: "cognito-idp",
+            resource: "userpool",
+            resourceName: props.userPool.userPoolId
+          })
+        ]
+      })
+    );
+    this.rule = new Rule2(this, "rule", {
+      eventBus: props.controlEventBus,
+      eventPattern: {
+        source: [import_workflows.PlatformSystemDataSeededV1.source],
+        detailType: [import_workflows.PlatformSystemDataSeededV1.detailType]
+      },
+      targets: [
+        new LambdaFunction2(this.lambda, {
+          retryAttempts: 2,
+          maxEventAge: Duration7.hours(2)
+        })
+      ]
+    });
+  }
+};
+
+// src/workflows/control-plane/seed-demo-data/seed-demo-data-workflow.ts
+import { Construct as Construct12 } from "constructs";
+var SeedDemoDataWorkflow = class extends Construct12 {
+  constructor(scope, props) {
+    super(scope, "seed-demo-data-workflow");
+    this.seedDemoData = new SeedDemoDataLambda(this, {
+      controlEventBus: props.controlEventBus,
+      dataStoreTable: props.dataStoreTable,
+      userPool: props.userPool
+    });
+    WorkflowDedupTable.grantConsumerFromLookup(
+      this,
+      this.seedDemoData.lambda,
+      SEED_DEMO_DATA_CONSUMER_NAME
+    );
+  }
+};
+
+// src/workflows/control-plane/seed-system-data/seed-system-data-lambda.ts
+import fs8 from "fs";
+import path8 from "path";
+import { CONTROL_PLANE_ROLE_IDS as CONTROL_PLANE_ROLE_IDS2 } from "@openhi/types";
+import { Duration as Duration8, Stack as Stack5 } from "aws-cdk-lib";
+import { Rule as Rule3 } from "aws-cdk-lib/aws-events";
+import { LambdaFunction as LambdaFunction3 } from "aws-cdk-lib/aws-events-targets";
+import { Effect as Effect4, PolicyStatement as PolicyStatement4 } from "aws-cdk-lib/aws-iam";
+import { Runtime as Runtime8 } from "aws-cdk-lib/aws-lambda";
+import { NodejsFunction as NodejsFunction8 } from "aws-cdk-lib/aws-lambda-nodejs";
+import { Construct as Construct13 } from "constructs";
+var HANDLER_NAME8 = "seed-system-data.handler.js";
+function resolveHandlerEntry8(dirname) {
+  const sameDir = path8.join(dirname, HANDLER_NAME8);
+  if (fs8.existsSync(sameDir)) {
+    return sameDir;
+  }
+  return path8.join(dirname, "..", "..", "..", "..", "lib", HANDLER_NAME8);
+}
+var SeedSystemDataLambda = class extends Construct13 {
+  constructor(scope, props) {
+    super(scope, "seed-system-data-lambda");
+    this.lambda = new NodejsFunction8(this, "handler", {
+      entry: resolveHandlerEntry8(__dirname),
+      runtime: Runtime8.NODEJS_LATEST,
+      memorySize: 512,
+      timeout: Duration8.minutes(1),
+      environment: {
+        DYNAMO_TABLE_NAME: props.dataStoreTable.tableName,
+        [SEED_SYSTEM_DATA_CONTROL_BUS_ENV_VAR]: props.controlEventBus.eventBusName
+      }
+    });
+    const roleArns = Object.values(CONTROL_PLANE_ROLE_IDS2).map(
+      (id) => `role#id#${id}`
+    );
+    this.lambda.addToRolePolicy(
+      new PolicyStatement4({
+        effect: Effect4.ALLOW,
+        actions: ["dynamodb:PutItem", "dynamodb:UpdateItem"],
+        resources: [props.dataStoreTable.tableArn],
+        conditions: {
+          "ForAllValues:StringEquals": {
+            "dynamodb:LeadingKeys": roleArns
+          }
+        }
+      })
+    );
+    props.controlEventBus.grantPutEventsTo(this.lambda);
+    const hostStackName = Stack5.of(this).stackName;
+    this.rule = new Rule3(this, "rule", {
+      eventBus: props.controlEventBus,
+      eventPattern: {
+        source: [import_workflows2.PlatformDeploymentCompletedV1.source],
+        detailType: [import_workflows2.PlatformDeploymentCompletedV1.detailType],
+        detail: {
+          payload: {
+            stackName: [hostStackName]
+          }
+        }
+      },
+      targets: [
+        new LambdaFunction3(this.lambda, {
+          retryAttempts: 2,
+          maxEventAge: Duration8.hours(2)
+        })
+      ]
+    });
   }
+};
+
+// src/workflows/control-plane/seed-system-data/seed-system-data-workflow.ts
+import { Construct as Construct14 } from "constructs";
+var SeedSystemDataWorkflow = class extends Construct14 {
+  constructor(scope, props) {
+    super(scope, "seed-system-data-workflow");
+    this.seedSystemData = new SeedSystemDataLambda(this, {
+      controlEventBus: props.controlEventBus,
+      dataStoreTable: props.dataStoreTable
+    });
+    WorkflowDedupTable.grantConsumerFromLookup(
+      this,
+      this.seedSystemData.lambda,
+      SEED_SYSTEM_DATA_CONSUMER_NAME
+    );
+  }
+};
+
+// src/services/open-hi-data-service.ts
+var _OpenHiDataService = class _OpenHiDataService extends OpenHiService {
   constructor(ohEnv, props = {}) {
     super(ohEnv, _OpenHiDataService.SERVICE_TYPE, props);
+    /**
+     * Cached control-event-bus lookup. `OpenHiGlobalService.controlEventBusFromConstruct`
+     * registers a child `EventBus.fromEventBusName` construct with a
+     * fixed id under the scope it is passed, so calling it twice on the
+     * same `OpenHiDataService` instance collides. The cache mirrors the
+     * `private controlEventBus()` pattern already used in
+     * `OpenHiAuthService`. Use {@link controlEventBus} from this class
+     * — never call the static lookup from inside `OpenHiDataService`.
+     */
+    this._controlEventBus = null;
     this.props = props;
     this.dataStoreChangeStream = new kinesis.Stream(
       this,
@@ -1443,6 +2068,53 @@ var _OpenHiDataService = class _OpenHiDataService extends OpenHiService {
         branchHash: this.branchHash
       }
     );
+    this.seedSystemDataWorkflow = this.createSeedSystemDataWorkflow();
+    this.seedDemoDataWorkflow = this.createSeedDemoDataWorkflow();
+  }
+  /**
+   * Returns the data store table by name. Use from other stacks (e.g. REST API Lambda) to obtain an ITable reference.
+   */
+  static dynamoDbDataStoreFromConstruct(scope, id = "dynamo-db-data-store") {
+    return Table3.fromTableName(scope, id, getDynamoDbDataStoreTableName(scope));
+  }
+  get serviceType() {
+    return _OpenHiDataService.SERVICE_TYPE;
+  }
+  /**
+   * Lazily looks up the control event bus exactly once per
+   * `OpenHiDataService` instance and caches the reference. Every
+   * workflow that consumes the bus must read it through this method
+   * — see {@link _controlEventBus} for the underlying collision risk.
+   */
+  controlEventBus() {
+    if (this._controlEventBus === null) {
+      this._controlEventBus = OpenHiGlobalService.controlEventBusFromConstruct(this);
+    }
+    return this._controlEventBus;
+  }
+  /**
+   * Creates the seed-system-data workflow. Override to customize.
+   */
+  createSeedSystemDataWorkflow() {
+    return new SeedSystemDataWorkflow(this, {
+      controlEventBus: this.controlEventBus(),
+      dataStoreTable: this.dataStore
+    });
+  }
+  /**
+   * Creates the seed-demo-data workflow — but only on non-prod
+   * stages. Returns `undefined` on prod so the workflow literally
+   * does not exist in prod stacks. Override to customize.
+   */
+  createSeedDemoDataWorkflow() {
+    if (this.ohEnv.ohStage.stageType === import_config4.OPEN_HI_STAGE.PROD) {
+      return void 0;
+    }
+    return new SeedDemoDataWorkflow(this, {
+      controlEventBus: this.controlEventBus(),
+      dataStoreTable: this.dataStore,
+      userPool: OpenHiAuthService.userPoolFromConstruct(this)
+    });
   }
   /**
    * Creates the single-table DynamoDB data store.
@@ -1458,6 +2130,75 @@ var _OpenHiDataService = class _OpenHiDataService extends OpenHiService {
 _OpenHiDataService.SERVICE_TYPE = "data";
 var OpenHiDataService = _OpenHiDataService;
 
+// src/workflows/control-plane/user-onboarding/provision-default-workspace-lambda.ts
+import fs9 from "fs";
+import path9 from "path";
+import { Duration as Duration9 } from "aws-cdk-lib";
+import { Rule as Rule4 } from "aws-cdk-lib/aws-events";
+import { LambdaFunction as LambdaFunction4 } from "aws-cdk-lib/aws-events-targets";
+import { Effect as Effect5, PolicyStatement as PolicyStatement5 } from "aws-cdk-lib/aws-iam";
+import { Runtime as Runtime9 } from "aws-cdk-lib/aws-lambda";
+import { NodejsFunction as NodejsFunction9 } from "aws-cdk-lib/aws-lambda-nodejs";
+import { Construct as Construct15 } from "constructs";
+var HANDLER_NAME9 = "provision-default-workspace.handler.js";
+function resolveHandlerEntry9(dirname) {
+  const sameDir = path9.join(dirname, HANDLER_NAME9);
+  if (fs9.existsSync(sameDir)) {
+    return sameDir;
+  }
+  return path9.join(dirname, "..", "..", "..", "..", "lib", HANDLER_NAME9);
+}
+var ProvisionDefaultWorkspaceLambda = class extends Construct15 {
+  constructor(scope, props) {
+    super(scope, "provision-default-workspace-lambda");
+    this.lambda = new NodejsFunction9(this, "handler", {
+      entry: resolveHandlerEntry9(__dirname),
+      runtime: Runtime9.NODEJS_LATEST,
+      memorySize: 1024,
+      environment: {
+        DYNAMO_TABLE_NAME: props.dataStoreTable.tableName
+      }
+    });
+    props.dataStoreTable.grant(
+      this.lambda,
+      "dynamodb:PutItem",
+      "dynamodb:UpdateItem"
+    );
+    this.lambda.addToRolePolicy(
+      new PolicyStatement5({
+        effect: Effect5.ALLOW,
+        actions: ["dynamodb:Query"],
+        resources: [`${props.dataStoreTable.tableArn}/index/*`]
+      })
+    );
+    this.rule = new Rule4(this, "rule", {
+      eventBus: props.controlEventBus,
+      eventPattern: {
+        source: [USER_ONBOARDING_EVENT_SOURCE],
+        detailType: [PROVISION_DEFAULT_WORKSPACE_DETAIL_TYPE]
+      },
+      targets: [
+        new LambdaFunction4(this.lambda, {
+          retryAttempts: 2,
+          maxEventAge: Duration9.hours(2)
+        })
+      ]
+    });
+  }
+};
+
+// src/workflows/control-plane/user-onboarding/user-onboarding-workflow.ts
+import { Construct as Construct16 } from "constructs";
+var UserOnboardingWorkflow = class extends Construct16 {
+  constructor(scope, props) {
+    super(scope, "user-onboarding-workflow");
+    this.provisionDefaultWorkspace = new ProvisionDefaultWorkspaceLambda(this, {
+      dataStoreTable: props.dataStoreTable,
+      controlEventBus: props.controlEventBus
+    });
+  }
+};
+
 // src/services/open-hi-auth-service.ts
 var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
   constructor(ohEnv, props = {}) {
@@ -1469,11 +2210,13 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
      * would collide.
      */
     this._dataStoreTable = null;
+    this._controlEventBus = null;
     this.props = props;
     this.userPoolKmsKey = this.createUserPoolKmsKey();
     this.preTokenGenerationLambda = this.createPreTokenGenerationLambda();
     this.postAuthenticationLambda = this.createPostAuthenticationLambda();
     this.postConfirmationLambda = this.createPostConfirmationLambda();
+    this.userOnboardingWorkflow = this.createUserOnboardingWorkflow();
     this.userPool = this.createUserPool();
     this.grantPreTokenGenerationPermissions();
     this.grantPostAuthenticationPermissions();
@@ -1590,23 +2333,33 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
   }
   /**
    * Creates the Post Confirmation Lambda (Cognito trigger). On sign-up
-   * confirmation, writes the new user's default Tenant, Workspace,
-   * Memberships, and `tenant-user` RoleAssignment, plus a User record
-   * carrying the Cognito `sub` and current tenant/workspace pointers
-   * (ADR 2026-03-17-01 invariants).
+   * confirmation, publishes a control-plane workflow event; provisioning lives
+   * behind EventBridge.
    */
   createPostConfirmationLambda() {
     const construct = new PostConfirmationLambda(this, {
-      dynamoTableName: this.dataStoreTable().tableName
+      controlEventBusName: this.controlEventBus().eventBusName
     });
     return construct.lambda;
   }
+  createUserOnboardingWorkflow() {
+    return new UserOnboardingWorkflow(this, {
+      controlEventBus: this.controlEventBus(),
+      dataStoreTable: this.dataStoreTable()
+    });
+  }
   dataStoreTable() {
     if (this._dataStoreTable === null) {
       this._dataStoreTable = OpenHiDataService.dynamoDbDataStoreFromConstruct(this);
     }
     return this._dataStoreTable;
   }
+  controlEventBus() {
+    if (this._controlEventBus === null) {
+      this._controlEventBus = OpenHiGlobalService.controlEventBusFromConstruct(this);
+    }
+    return this._controlEventBus;
+  }
   /**
    * Creates the Cognito User Pool and exports its ID to SSM.
    * Look up via {@link OpenHiAuthService.userPoolFromConstruct}.
@@ -1651,8 +2404,8 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
     const dynamoActions = ["dynamodb:GetItem", "dynamodb:Query"];
     dataStoreTable.grant(this.preTokenGenerationLambda, ...dynamoActions);
     this.preTokenGenerationLambda.addToRolePolicy(
-      new PolicyStatement({
-        effect: Effect.ALLOW,
+      new PolicyStatement6({
+        effect: Effect6.ALLOW,
         actions: [...dynamoActions],
         resources: [`${dataStoreTable.tableArn}/index/*`]
       })
@@ -1673,10 +2426,10 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
    */
   grantPostAuthenticationPermissions() {
     this.postAuthenticationLambda.addToRolePolicy(
-      new PolicyStatement({
+      new PolicyStatement6({
         actions: ["cognito-idp:AdminUserGlobalSignOut"],
         resources: [
-          Stack3.of(this).formatArn({
+          Stack6.of(this).formatArn({
             service: "cognito-idp",
             resource: "userpool",
             resourceName: "*"
@@ -1686,26 +2439,11 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
     );
   }
   /**
-   * Grants the Post Confirmation Lambda write access to the data store
-   * table (and its GSIs) so it can seed the new user's Tenant, Workspace,
-   * Memberships, RoleAssignment, and User records on sign-up confirmation.
+   * Grants the Post Confirmation Lambda publish-only access to the
+   * control-plane event bus. Workflow Lambdas own DynamoDB writes.
    */
   grantPostConfirmationPermissions() {
-    const dataStoreTable = this.dataStoreTable();
-    const dynamoActions = [
-      "dynamodb:PutItem",
-      "dynamodb:UpdateItem",
-      "dynamodb:BatchWriteItem",
-      "dynamodb:DescribeTable"
-    ];
-    dataStoreTable.grant(this.postConfirmationLambda, ...dynamoActions);
-    this.postConfirmationLambda.addToRolePolicy(
-      new PolicyStatement({
-        effect: Effect.ALLOW,
-        actions: [...dynamoActions],
-        resources: [`${dataStoreTable.tableArn}/index/*`]
-      })
-    );
+    this.controlEventBus().grantPutEventsTo(this.postConfirmationLambda);
   }
   /**
    * Creates the User Pool Client and exports its ID to SSM (AUTH service type).
@@ -1735,7 +2473,7 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
    * via env vars to drive `InitiateAuth`.
    */
   createFixtureSeederClient() {
-    if (this.ohEnv.ohStage.stageType === import_config4.OPEN_HI_STAGE.PROD) {
+    if (this.ohEnv.ohStage.stageType === import_config5.OPEN_HI_STAGE.PROD) {
       return void 0;
     }
     const client = new CognitoFixtureSeederClient(this, {
@@ -1772,7 +2510,7 @@ _OpenHiAuthService.SERVICE_TYPE = "auth";
 var OpenHiAuthService = _OpenHiAuthService;
 
 // src/services/open-hi-rest-api-service.ts
-var import_config5 = __toESM(require_lib());
+var import_config6 = __toESM(require_lib2());
 import {
   CorsHttpMethod,
   DomainName,
@@ -1784,62 +2522,62 @@ import {
 } from "aws-cdk-lib/aws-apigatewayv2";
 import { HttpUserPoolAuthorizer } from "aws-cdk-lib/aws-apigatewayv2-authorizers";
 import { HttpLambdaIntegration } from "aws-cdk-lib/aws-apigatewayv2-integrations";
-import { Effect as Effect2, PolicyStatement as PolicyStatement2 } from "aws-cdk-lib/aws-iam";
+import { Effect as Effect7, PolicyStatement as PolicyStatement7 } from "aws-cdk-lib/aws-iam";
 import {
   ARecord,
   HostedZone as HostedZone3,
   RecordTarget
 } from "aws-cdk-lib/aws-route53";
 import { ApiGatewayv2DomainProperties } from "aws-cdk-lib/aws-route53-targets";
-import { Duration as Duration6 } from "aws-cdk-lib/core";
+import { Duration as Duration10 } from "aws-cdk-lib/core";
 
 // src/data/lambda/cors-options-lambda.ts
-import fs6 from "fs";
-import path6 from "path";
-import { Runtime as Runtime6 } from "aws-cdk-lib/aws-lambda";
-import { NodejsFunction as NodejsFunction6 } from "aws-cdk-lib/aws-lambda-nodejs";
-import { Construct as Construct8 } from "constructs";
-var HANDLER_NAME6 = "cors-options-lambda.handler.js";
-function resolveHandlerEntry6(dirname) {
-  const sameDir = path6.join(dirname, HANDLER_NAME6);
-  if (fs6.existsSync(sameDir)) {
+import fs10 from "fs";
+import path10 from "path";
+import { Runtime as Runtime10 } from "aws-cdk-lib/aws-lambda";
+import { NodejsFunction as NodejsFunction10 } from "aws-cdk-lib/aws-lambda-nodejs";
+import { Construct as Construct17 } from "constructs";
+var HANDLER_NAME10 = "cors-options-lambda.handler.js";
+function resolveHandlerEntry10(dirname) {
+  const sameDir = path10.join(dirname, HANDLER_NAME10);
+  if (fs10.existsSync(sameDir)) {
     return sameDir;
   }
-  const fromLib = path6.join(dirname, "..", "..", "..", "lib", HANDLER_NAME6);
+  const fromLib = path10.join(dirname, "..", "..", "..", "lib", HANDLER_NAME10);
   return fromLib;
 }
-var CorsOptionsLambda = class extends Construct8 {
+var CorsOptionsLambda = class extends Construct17 {
   constructor(scope, id = "cors-options-lambda") {
     super(scope, id);
-    this.lambda = new NodejsFunction6(this, "handler", {
-      entry: resolveHandlerEntry6(__dirname),
-      runtime: Runtime6.NODEJS_LATEST,
+    this.lambda = new NodejsFunction10(this, "handler", {
+      entry: resolveHandlerEntry10(__dirname),
+      runtime: Runtime10.NODEJS_LATEST,
       memorySize: 128
     });
   }
 };
 
 // src/data/lambda/rest-api-lambda.ts
-import fs7 from "fs";
-import path7 from "path";
-import { Runtime as Runtime7 } from "aws-cdk-lib/aws-lambda";
-import { NodejsFunction as NodejsFunction7 } from "aws-cdk-lib/aws-lambda-nodejs";
-import { Construct as Construct9 } from "constructs";
-var HANDLER_NAME7 = "rest-api-lambda.handler.js";
-function resolveHandlerEntry7(dirname) {
-  const sameDir = path7.join(dirname, HANDLER_NAME7);
-  if (fs7.existsSync(sameDir)) {
+import fs11 from "fs";
+import path11 from "path";
+import { Runtime as Runtime11 } from "aws-cdk-lib/aws-lambda";
+import { NodejsFunction as NodejsFunction11 } from "aws-cdk-lib/aws-lambda-nodejs";
+import { Construct as Construct18 } from "constructs";
+var HANDLER_NAME11 = "rest-api-lambda.handler.js";
+function resolveHandlerEntry11(dirname) {
+  const sameDir = path11.join(dirname, HANDLER_NAME11);
+  if (fs11.existsSync(sameDir)) {
     return sameDir;
   }
-  const fromLib = path7.join(dirname, "..", "..", "..", "lib", HANDLER_NAME7);
+  const fromLib = path11.join(dirname, "..", "..", "..", "lib", HANDLER_NAME11);
   return fromLib;
 }
-var RestApiLambda = class extends Construct9 {
+var RestApiLambda = class extends Construct18 {
   constructor(scope, props) {
     super(scope, "rest-api-lambda");
-    this.lambda = new NodejsFunction7(this, "handler", {
-      entry: resolveHandlerEntry7(__dirname),
-      runtime: Runtime7.NODEJS_LATEST,
+    this.lambda = new NodejsFunction11(this, "handler", {
+      entry: resolveHandlerEntry11(__dirname),
+      runtime: Runtime11.NODEJS_LATEST,
       memorySize: 1024,
       environment: {
         DYNAMO_TABLE_NAME: props.dynamoTableName,
@@ -1981,8 +2719,8 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
       postgresSchema
     });
     lambda.addToRolePolicy(
-      new PolicyStatement2({
-        effect: Effect2.ALLOW,
+      new PolicyStatement7({
+        effect: Effect7.ALLOW,
         actions: [
           "rds-data:ExecuteStatement",
           "rds-data:BatchExecuteStatement"
@@ -1991,8 +2729,8 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
       })
     );
     lambda.addToRolePolicy(
-      new PolicyStatement2({
-        effect: Effect2.ALLOW,
+      new PolicyStatement7({
+        effect: Effect7.ALLOW,
         actions: ["secretsmanager:GetSecretValue"],
         resources: [postgresSecretArn]
       })
@@ -2010,15 +2748,15 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
     ];
     dataStoreTable.grant(lambda, ...dynamoActions);
     lambda.addToRolePolicy(
-      new PolicyStatement2({
-        effect: Effect2.ALLOW,
+      new PolicyStatement7({
+        effect: Effect7.ALLOW,
         actions: [...dynamoActions],
         resources: [`${dataStoreTable.tableArn}/index/*`]
       })
     );
     lambda.addToRolePolicy(
-      new PolicyStatement2({
-        effect: Effect2.ALLOW,
+      new PolicyStatement7({
+        effect: Effect7.ALLOW,
         actions: [
           "ssm:GetParameter",
           "ssm:GetParameters",
@@ -2077,7 +2815,7 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
     const userPool = OpenHiAuthService.userPoolFromConstruct(this);
     const userPoolClient = OpenHiAuthService.userPoolClientFromConstruct(this);
     const userPoolClients = [userPoolClient];
-    if (this.ohEnv.ohStage.stageType !== import_config5.OPEN_HI_STAGE.PROD) {
+    if (this.ohEnv.ohStage.stageType !== import_config6.OPEN_HI_STAGE.PROD) {
       userPoolClients.push(
         OpenHiAuthService.fixtureSeederClientFromConstruct(this)
       );
@@ -2104,7 +2842,7 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
         "Authorization"
       ],
       allowCredentials: cors.allowCredentials ?? true,
-      maxAge: cors.maxAge ?? Duration6.days(1),
+      maxAge: cors.maxAge ?? Duration10.days(1),
       ...cors.exposeHeaders !== void 0 && {
         exposeHeaders: cors.exposeHeaders
       }
@@ -2168,21 +2906,38 @@ var _OpenHiGraphqlService = class _OpenHiGraphqlService extends OpenHiService {
 };
 _OpenHiGraphqlService.SERVICE_TYPE = "graphql-api";
 var OpenHiGraphqlService = _OpenHiGraphqlService;
+var export_PlatformDeploymentCompletedV1 = import_workflows2.PlatformDeploymentCompletedV1;
 export {
+  BRIDGED_STATUSES,
+  CLOUDFORMATION_EVENT_SOURCE,
+  CLOUDFORMATION_STACK_STATUS_CHANGE_DETAIL_TYPE,
+  CONTROL_EVENT_BUS_NAME_ENV_VAR,
   ChildHostedZone,
   CognitoFixtureSeederClient,
   CognitoUserPool,
   CognitoUserPoolClient,
   CognitoUserPoolDomain,
   CognitoUserPoolKmsKey,
+  ControlEventBus,
   DATA_STORE_CHANGE_DETAIL_MAX_UTF8_BYTES,
   DATA_STORE_CHANGE_DETAIL_TYPE,
   DATA_STORE_CHANGE_EVENT_SOURCE,
+  DEMO_PERIOD,
+  DEMO_TENANT_SPECS,
+  DEMO_URN_SYSTEM,
+  DEV_USERS,
   DataEventBus,
   DataStoreHistoricalArchive,
   DataStorePostgresReplica,
   DiscoverableStringParameter,
   DynamoDbDataStore,
+  OPENHI_REPO_TAG_KEY_ENV_VAR,
+  OPENHI_RESOURCE_URN_SYSTEM,
+  OPENHI_TAG_KEY_PREFIX_ENV_VAR,
+  OPENHI_TAG_SUFFIX_BRANCH_NAME,
+  OPENHI_TAG_SUFFIX_REPO_NAME,
+  OPENHI_TAG_SUFFIX_SERVICE_TYPE,
+  OPENHI_TAG_SUFFIX_STAGE_TYPE,
   OpenHiApp,
   OpenHiAuthService,
   OpenHiDataService,
@@ -2193,21 +2948,59 @@ export {
   OpenHiService,
   OpenHiStage,
   OpsEventBus,
+  PLACEHOLDER_TENANT_ID,
+  PLACEHOLDER_WORKSPACE_ID,
+  PLATFORM_DEPLOY_BRIDGE_ACTOR_SYSTEM,
+  PLATFORM_SCOPE_TENANT_ID,
   POSTGRES_REPLICA_CLUSTER_ARN_SSM_NAME,
   POSTGRES_REPLICA_DATABASE_NAME_SSM_NAME,
   POSTGRES_REPLICA_SECRET_ARN_SSM_NAME,
+  PROVISION_DEFAULT_WORKSPACE_DETAIL_TYPE,
+  PlatformDeployBridge,
+  PlatformDeployBridgeLambda,
+  export_PlatformDeploymentCompletedV1 as PlatformDeploymentCompletedV1,
   PostAuthenticationLambda,
   PostConfirmationLambda,
   PreTokenGenerationLambda,
+  ProvisionDefaultWorkspaceLambda,
   REST_API_BASE_URL_SSM_NAME,
   RootGraphqlApi,
   RootHostedZone,
   RootHttpApi,
   RootWildcardCertificate,
+  SEED_DEMO_DATA_CONSUMER_NAME,
+  SEED_SYSTEM_DATA_ACTOR_SYSTEM,
+  SEED_SYSTEM_DATA_CONSUMER_NAME,
+  SEED_SYSTEM_DATA_CONTROL_BUS_ENV_VAR,
   STATIC_HOSTING_SERVICE_TYPE,
+  SeedDemoDataLambda,
+  SeedDemoDataWorkflow,
+  SeedSystemDataLambda,
+  SeedSystemDataWorkflow,
   StaticHosting,
+  USER_ONBOARDING_EVENT_SOURCE,
+  UserOnboardingWorkflow,
+  WorkflowDedupConsumerNameInvalidError,
+  WorkflowDedupTable,
+  WorkflowDedupTableDuplicateError,
   buildFhirCurrentResourceChangeDetail,
+  buildProvisionDefaultWorkspaceRequestedDetail,
+  demoBasePartitionKeys,
+  demoDevUserPartitionKeys,
+  demoMembershipId,
+  demoMembershipPartitionKey,
+  demoRoleAssignmentId,
+  demoRoleAssignmentPartitionKey,
+  demoRolesForUserInTenant,
+  demoScenarioIdentifier,
+  demoTenantPartitionKey,
+  demoUserPartitionKey,
+  demoWorkspacePartitionKey,
   getDynamoDbDataStoreTableName,
-  getPostgresReplicaSchemaName
+  getPostgresReplicaSchemaName,
+  getWorkflowDedupTableName,
+  openHiTagKey,
+  openhiResourceIdentifier,
+  rolePartitionKey
 };
 //# sourceMappingURL=index.mjs.map