@openhi/constructs 0.0.104 → 0.0.106

package/lib/data-store-postgres-replication.handler.mjs

@@ -5,7 +5,7 @@ import {
 import {
   dynamodbImageToPlain
 } from "./chunk-CEOAGPYY.mjs";
-import "./chunk-3QS3WKRC.mjs";
+import "./chunk-LZOMFHX3.mjs";
 
 // src/components/postgres/data-store-postgres-replication.handler.ts
 import {

package/lib/events-BfrkMoBD.d.mts

@@ -0,0 +1,44 @@
+/**
+ * @see sites/www-docs/content/packages/@openhi/constructs/workflows/control-plane/platform-deploy-bridge/index.md
+ */
+/** EventBridge `source` for the AWS-native CloudFormation events the bridge listens to. */
+declare const CLOUDFORMATION_EVENT_SOURCE: "aws.cloudformation";
+/** EventBridge `detail-type` for terminal stack status events. */
+declare const CLOUDFORMATION_STACK_STATUS_CHANGE_DETAIL_TYPE: "CloudFormation Stack Status Change";
+/** Stack statuses the bridge republishes. Other statuses are pre-filtered at the rule. */
+declare const BRIDGED_STATUSES: readonly ["CREATE_COMPLETE", "UPDATE_COMPLETE"];
+type BridgedStatus = (typeof BRIDGED_STATUSES)[number];
+/** Env var the bridge handler reads to discover the control event bus name. */
+declare const CONTROL_EVENT_BUS_NAME_ENV_VAR = "CONTROL_EVENT_BUS_NAME";
+/**
+ * Env var the bridge handler reads for the resolved
+ * `openhi:repo-name`-shaped tag key. Resolved at synth time from the host
+ * stack's `appName` + {@link OPENHI_TAG_SUFFIX_REPO_NAME}.
+ */
+declare const OPENHI_REPO_TAG_KEY_ENV_VAR = "OPENHI_REPO_TAG_KEY";
+/**
+ * Env var the bridge handler reads for the resolved `openhi:` tag prefix.
+ * Resolved at synth time from the host stack's `appName`. Used to project
+ * the relevant stack tags into the published envelope.
+ */
+declare const OPENHI_TAG_KEY_PREFIX_ENV_VAR = "OPENHI_TAG_KEY_PREFIX";
+/** Free-form `actor.system` value per TR-016 § Decision points #1 (bootstrap-role pattern). */
+declare const PLATFORM_DEPLOY_BRIDGE_ACTOR_SYSTEM = "platform-deploy-bridge";
+/**
+ * Subset of the CloudFormation Stack Status Change `detail` field the
+ * bridge handler reads. AWS-side schema lives at
+ * <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/monitoring-cloudformation.html>.
+ */
+interface CloudFormationStackStatusChangeDetail {
+    readonly "stack-id": string;
+    readonly "logical-resource-id"?: string;
+    readonly "physical-resource-id"?: string;
+    readonly "status-details": {
+        readonly status: string;
+        readonly "status-reason"?: string;
+    };
+    readonly "resource-type"?: string;
+    readonly "client-request-token"?: string;
+}
+
+export { BRIDGED_STATUSES as B, CLOUDFORMATION_EVENT_SOURCE as C, OPENHI_REPO_TAG_KEY_ENV_VAR as O, PLATFORM_DEPLOY_BRIDGE_ACTOR_SYSTEM as P, type BridgedStatus as a, CLOUDFORMATION_STACK_STATUS_CHANGE_DETAIL_TYPE as b, CONTROL_EVENT_BUS_NAME_ENV_VAR as c, type CloudFormationStackStatusChangeDetail as d, OPENHI_TAG_KEY_PREFIX_ENV_VAR as e };

package/lib/events-BfrkMoBD.d.ts

@@ -0,0 +1,44 @@
+/**
+ * @see sites/www-docs/content/packages/@openhi/constructs/workflows/control-plane/platform-deploy-bridge/index.md
+ */
+/** EventBridge `source` for the AWS-native CloudFormation events the bridge listens to. */
+declare const CLOUDFORMATION_EVENT_SOURCE: "aws.cloudformation";
+/** EventBridge `detail-type` for terminal stack status events. */
+declare const CLOUDFORMATION_STACK_STATUS_CHANGE_DETAIL_TYPE: "CloudFormation Stack Status Change";
+/** Stack statuses the bridge republishes. Other statuses are pre-filtered at the rule. */
+declare const BRIDGED_STATUSES: readonly ["CREATE_COMPLETE", "UPDATE_COMPLETE"];
+type BridgedStatus = (typeof BRIDGED_STATUSES)[number];
+/** Env var the bridge handler reads to discover the control event bus name. */
+declare const CONTROL_EVENT_BUS_NAME_ENV_VAR = "CONTROL_EVENT_BUS_NAME";
+/**
+ * Env var the bridge handler reads for the resolved
+ * `openhi:repo-name`-shaped tag key. Resolved at synth time from the host
+ * stack's `appName` + {@link OPENHI_TAG_SUFFIX_REPO_NAME}.
+ */
+declare const OPENHI_REPO_TAG_KEY_ENV_VAR = "OPENHI_REPO_TAG_KEY";
+/**
+ * Env var the bridge handler reads for the resolved `openhi:` tag prefix.
+ * Resolved at synth time from the host stack's `appName`. Used to project
+ * the relevant stack tags into the published envelope.
+ */
+declare const OPENHI_TAG_KEY_PREFIX_ENV_VAR = "OPENHI_TAG_KEY_PREFIX";
+/** Free-form `actor.system` value per TR-016 § Decision points #1 (bootstrap-role pattern). */
+declare const PLATFORM_DEPLOY_BRIDGE_ACTOR_SYSTEM = "platform-deploy-bridge";
+/**
+ * Subset of the CloudFormation Stack Status Change `detail` field the
+ * bridge handler reads. AWS-side schema lives at
+ * <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/monitoring-cloudformation.html>.
+ */
+interface CloudFormationStackStatusChangeDetail {
+    readonly "stack-id": string;
+    readonly "logical-resource-id"?: string;
+    readonly "physical-resource-id"?: string;
+    readonly "status-details": {
+        readonly status: string;
+        readonly "status-reason"?: string;
+    };
+    readonly "resource-type"?: string;
+    readonly "client-request-token"?: string;
+}
+
+export { BRIDGED_STATUSES as B, CLOUDFORMATION_EVENT_SOURCE as C, OPENHI_REPO_TAG_KEY_ENV_VAR as O, PLATFORM_DEPLOY_BRIDGE_ACTOR_SYSTEM as P, type BridgedStatus as a, CLOUDFORMATION_STACK_STATUS_CHANGE_DETAIL_TYPE as b, CONTROL_EVENT_BUS_NAME_ENV_VAR as c, type CloudFormationStackStatusChangeDetail as d, OPENHI_TAG_KEY_PREFIX_ENV_VAR as e };

package/lib/events-CVA3_eEB.d.mts

@@ -0,0 +1,23 @@
+import { PostConfirmationTriggerEvent } from 'aws-lambda';
+
+/**
+ * @see sites/www-docs/content/packages/@openhi/constructs/workflows/control-plane/user-onboarding/events.md
+ */
+declare const USER_ONBOARDING_EVENT_SOURCE = "openhi.control.user-onboarding";
+declare const PROVISION_DEFAULT_WORKSPACE_DETAIL_TYPE = "ProvisionDefaultWorkspaceRequested";
+interface ProvisionDefaultWorkspaceRequestedDetail {
+    readonly cognitoSub: string;
+    readonly userId?: string;
+    readonly email?: string;
+    readonly displayName?: string;
+    readonly trigger: {
+        readonly source: "cognito.post-confirmation";
+        readonly triggerSource?: string;
+        readonly userPoolId?: string;
+        readonly userName?: string;
+        readonly clientId?: string;
+    };
+}
+declare const buildProvisionDefaultWorkspaceRequestedDetail: (event: PostConfirmationTriggerEvent) => ProvisionDefaultWorkspaceRequestedDetail | undefined;
+
+export { PROVISION_DEFAULT_WORKSPACE_DETAIL_TYPE as P, USER_ONBOARDING_EVENT_SOURCE as U, type ProvisionDefaultWorkspaceRequestedDetail as a, buildProvisionDefaultWorkspaceRequestedDetail as b };

package/lib/events-CVA3_eEB.d.ts

@@ -0,0 +1,23 @@
+import { PostConfirmationTriggerEvent } from 'aws-lambda';
+
+/**
+ * @see sites/www-docs/content/packages/@openhi/constructs/workflows/control-plane/user-onboarding/events.md
+ */
+declare const USER_ONBOARDING_EVENT_SOURCE = "openhi.control.user-onboarding";
+declare const PROVISION_DEFAULT_WORKSPACE_DETAIL_TYPE = "ProvisionDefaultWorkspaceRequested";
+interface ProvisionDefaultWorkspaceRequestedDetail {
+    readonly cognitoSub: string;
+    readonly userId?: string;
+    readonly email?: string;
+    readonly displayName?: string;
+    readonly trigger: {
+        readonly source: "cognito.post-confirmation";
+        readonly triggerSource?: string;
+        readonly userPoolId?: string;
+        readonly userName?: string;
+        readonly clientId?: string;
+    };
+}
+declare const buildProvisionDefaultWorkspaceRequestedDetail: (event: PostConfirmationTriggerEvent) => ProvisionDefaultWorkspaceRequestedDetail | undefined;
+
+export { PROVISION_DEFAULT_WORKSPACE_DETAIL_TYPE as P, USER_ONBOARDING_EVENT_SOURCE as U, type ProvisionDefaultWorkspaceRequestedDetail as a, buildProvisionDefaultWorkspaceRequestedDetail as b };

package/lib/events-DGep6C7w.d.mts

@@ -0,0 +1,207 @@
+import { ControlPlaneRoleCode } from '@openhi/types';
+
+/**
+ * @see sites/www-docs/content/packages/@openhi/constructs/workflows/control-plane/seed-demo-data/events.md
+ */
+/**
+ * Stable logical name this workflow registers with the shared
+ * `WorkflowDedupTable` (TR-015). Used in both the construct grant
+ * (`workflowDedupTable.grantConsumer(lambda, SEED_DEMO_DATA_CONSUMER_NAME)`)
+ * and the handler's runtime `recordIfAbsent` call — keep them aligned by
+ * importing this constant in both places.
+ */
+declare const SEED_DEMO_DATA_CONSUMER_NAME = "seed-demo-data";
+/** FHIR `Identifier.system` for the demo-scenario URN scheme. */
+declare const DEMO_URN_SYSTEM = "urn:openhi:demo";
+/**
+ * FHIR `Identifier.system` for the canonical OpenHI resource URN
+ * (ADR 2026-03-12-01). The value form is
+ * `urn:ohi:<tenantId>:<workspaceId>:<resourceType>:<id>`; empty
+ * workspaceId means the resource has tenant-wide scope (or is itself
+ * the workspace identity, in the Workspace case).
+ */
+declare const OPENHI_RESOURCE_URN_SYSTEM = "http://openhi.org/";
+/**
+ * Period stamped on every demo Membership and RoleAssignment. Fixed
+ * start so re-runs produce byte-identical bodies (decision #4); no
+ * end so demo memberships are open-ended.
+ */
+declare const DEMO_PERIOD: {
+    readonly start: "2026-01-01T00:00:00Z";
+};
+/**
+ * Sentinel `tenantId` used on every dev user's `system-admin`
+ * RoleAssignment. A `system-admin` RA is platform-scoped (it spans
+ * every tenant), but the RoleAssignment entity requires a tenantId on
+ * its key for sharding — there is no real tenant to point at. The
+ * `"platform"` literal is a reserved value that never matches a real
+ * Tenant id and signals "this RA scopes across all tenants".
+ *
+ * Renaming this constant is a wire-format break — the IAM grant in
+ * `seed-demo-data-lambda.ts` enumerates exact-match `LeadingKeys`
+ * computed from this value, and the in-band records written under it
+ * become unreachable if the sentinel changes.
+ */
+declare const PLATFORM_SCOPE_TENANT_ID = "platform";
+/** Placeholder Tenant id seeded by the workflow as the dev-user `currentTenant`. */
+declare const PLACEHOLDER_TENANT_ID = "placeholder-tenant-id";
+/** Placeholder Workspace id seeded by the workflow as the dev-user `currentWorkspace`. */
+declare const PLACEHOLDER_WORKSPACE_ID = "placeholder-workspace-id";
+/**
+ * Dev-user descriptor. Every entry produces:
+ *   - one Cognito user (idempotent create-then-skip),
+ *   - one DynamoDB User record (id = `dev-<email-local-part>`),
+ *   - four Memberships (placeholder + the three demo tenants),
+ *   - four `tenant-admin` RoleAssignments (one per tenant the user
+ *     belongs to),
+ *   - one `system-admin` RoleAssignment scoped to {@link PLATFORM_SCOPE_TENANT_ID}.
+ */
+interface DemoDevUser {
+    /** Stable DynamoDB User id. */
+    readonly id: string;
+    /** Email used as the Cognito `Username` and as the seed for the password algorithm. */
+    readonly email: string;
+}
+/**
+ * Hardcoded dev-user roster. Adding a new developer is a one-line
+ * change here plus a re-deploy. The list intentionally lives in-source
+ * (not behind an env-var seam) so the IAM grant in
+ * `seed-demo-data-lambda.ts` can enumerate per-user PKs at synth time.
+ */
+declare const DEV_USERS: ReadonlyArray<DemoDevUser>;
+/**
+ * A single workspace inside a demo tenant. The mixed tenant has two
+ * workspaces (wound-care and primary-care sub-workspaces); the other
+ * two tenants have one each.
+ */
+interface DemoWorkspaceSpec {
+    /** Stable id (DynamoDB record id; also drives the canonical OHI URN). */
+    readonly id: string;
+    /** FHIR `Workspace.name`. */
+    readonly name: string;
+    /**
+     * Role suffix used in the demo URN value (`<scenario>:<roleSuffix>`).
+     * Mirrors seed-fixtures' role suffix convention: `workspace` for
+     * single-workspace tenants, `workspace-<sub>` for the mixed tenant.
+     */
+    readonly roleSuffix: string;
+}
+/**
+ * One demo tenant + the workspaces it owns. Re-exported via {@link
+ * DEMO_TENANT_SPECS} as the canonical list; iterate that constant in
+ * the handler and the IAM-grant builder so the value sets agree.
+ */
+interface DemoTenantSpec {
+    /**
+     * Scenario slug — `placeholder`, `demo-wound-care`, `demo-primary-care`,
+     * `demo-mixed`. The placeholder tenant's slug is `placeholder`; the
+     * three demo tenants mirror seed-fixtures' `fixture-*` slugs renamed
+     * to `demo-*`.
+     */
+    readonly scenario: string;
+    /** Stable id (DynamoDB record id; also drives the canonical OHI URN). */
+    readonly tenantId: string;
+    /** FHIR `Tenant.name`. */
+    readonly tenantName: string;
+    /** Workspaces owned by this tenant. */
+    readonly workspaces: ReadonlyArray<DemoWorkspaceSpec>;
+}
+/**
+ * The full demo-tenant graph. Four entries: the placeholder tenant the
+ * JWT-claim fallback resolves to, plus the three v1 demo scenarios
+ * (OPS-009 §"v1 scenarios"):
+ *
+ *   0. Placeholder tenant — dereferences the JWT-claim fallback in
+ *      `pre-token-generation.handler.ts` and acts as every dev user's
+ *      `currentTenant`/`currentWorkspace` so Post-Confirmation skips
+ *      default provisioning when a seeded User signs in.
+ *   1. Single-workspace wound-care tenant.
+ *   2. Single-workspace primary-care tenant.
+ *   3. Two-workspace mixed tenant — exercises the cross-workspace
+ *      isolation flow that single-workspace tenants cannot.
+ */
+declare const DEMO_TENANT_SPECS: ReadonlyArray<DemoTenantSpec>;
+/** Stable Membership id derived from `(devUserId, tenantId)`. */
+declare const demoMembershipId: (devUserId: string, tenantId: string) => string;
+/**
+ * Stable RoleAssignment id derived from `(devUserId, tenantId, roleCode)`.
+ * Each (user, tenant, role) tuple maps to exactly one record — re-runs
+ * upsert the same id.
+ */
+declare const demoRoleAssignmentId: (devUserId: string, tenantId: string, roleCode: ControlPlaneRoleCode) => string;
+/**
+ * Demo-scenario FHIR `Identifier` entry — `urn:openhi:demo:<scenario>:<role>`.
+ * Mirrors the `urn:openhi:fixture:<scenario>:<role>` pattern from
+ * `@openhi/seed-fixtures/src/urn.ts`, renamed to the `demo` namespace.
+ */
+declare const demoScenarioIdentifier: (scenario: string, roleSuffix: string) => {
+    system: string;
+    value: string;
+};
+/**
+ * Canonical OpenHI resource FHIR `Identifier` entry per ADR
+ * 2026-03-12-01. `workspaceId` is empty for both Tenant resources and
+ * Workspace resources — for a Tenant, the resource is tenant-scoped
+ * with no workspace context; for a Workspace, the resource IS the
+ * workspace identity rather than living inside one.
+ */
+declare const openhiResourceIdentifier: (params: {
+    tenantId: string;
+    workspaceId: string;
+    resourceType: string;
+    id: string;
+}) => {
+    use: string;
+    system: string;
+    value: string;
+};
+/**
+ * Roles every dev user holds in every tenant they belong to. Per scope
+ * decision Q3, every dev user is `tenant-admin` in every tenant — there
+ * is no per-(user, tenant) variance to drive from.
+ */
+declare const demoRolesForUserInTenant: (_user: DemoDevUser, _tenantId: string) => ReadonlyArray<ControlPlaneRoleCode>;
+/**
+ * DynamoDB single-table partition-key builders. The IAM grant in
+ * `seed-demo-data-lambda.ts` uses these to enumerate exact-match
+ * `dynamodb:LeadingKeys` values; the entity definitions in
+ * `data/dynamo/entities/control/` own the canonical key templates.
+ *
+ * These builders MUST emit the keys ElectroDB actually writes — not
+ * the entity definition's pretty template. None of the control-plane
+ * entities sets `casing: "none"` on the base-table PK template, so
+ * ElectroDB applies its default lowercase casing at runtime: the
+ * entity's `ROLE#ID#${id}` becomes `role#id#<id>` on the wire. A
+ * builder that returns the uppercase template form produces a
+ * silently-broken IAM grant (every PutItem denied with "no
+ * identity-based policy allows" because the request's leading-key
+ * never matches a policy value).
+ */
+declare const rolePartitionKey: (roleId: string) => string;
+declare const demoTenantPartitionKey: (tenantId: string) => string;
+declare const demoWorkspacePartitionKey: (tenantId: string, workspaceId: string) => string;
+declare const demoMembershipPartitionKey: (tenantId: string, membershipId: string) => string;
+declare const demoRoleAssignmentPartitionKey: (tenantId: string, roleAssignmentId: string) => string;
+/** User entity PK template — `USER#ID#<id>` → `user#id#<id>` on the wire. */
+declare const demoUserPartitionKey: (userId: string) => string;
+/**
+ * Tenant + Workspace PKs the workflow writes on every fire: the 4
+ * tenant PKs (placeholder + 3 demo) plus their workspaces (1 + 1 + 1 + 2 = 5).
+ */
+declare const demoBasePartitionKeys: () => ReadonlyArray<string>;
+/**
+ * Membership + RoleAssignment + User PKs the workflow writes per dev
+ * user. Empty when `devUsers` is empty (used by tests). The list
+ * mirrors the handler's iteration order so the IAM grant covers every
+ * write the handler can make.
+ *
+ * Per dev user the function emits:
+ *   - one User PK,
+ *   - per tenant in {@link DEMO_TENANT_SPECS}: one Membership PK plus
+ *     one `tenant-admin` RoleAssignment PK,
+ *   - one platform-scoped `system-admin` RoleAssignment PK keyed by
+ *     {@link PLATFORM_SCOPE_TENANT_ID}.
+ */
+declare const demoDevUserPartitionKeys: (devUsers: ReadonlyArray<DemoDevUser>) => ReadonlyArray<string>;
+
+export { DEMO_PERIOD as D, OPENHI_RESOURCE_URN_SYSTEM as O, PLACEHOLDER_TENANT_ID as P, SEED_DEMO_DATA_CONSUMER_NAME as S, DEMO_TENANT_SPECS as a, DEMO_URN_SYSTEM as b, DEV_USERS as c, type DemoDevUser as d, type DemoTenantSpec as e, type DemoWorkspaceSpec as f, PLACEHOLDER_WORKSPACE_ID as g, PLATFORM_SCOPE_TENANT_ID as h, demoBasePartitionKeys as i, demoDevUserPartitionKeys as j, demoMembershipId as k, demoMembershipPartitionKey as l, demoRoleAssignmentId as m, demoRoleAssignmentPartitionKey as n, demoRolesForUserInTenant as o, demoScenarioIdentifier as p, demoTenantPartitionKey as q, demoUserPartitionKey as r, demoWorkspacePartitionKey as s, openhiResourceIdentifier as t, rolePartitionKey as u };

package/lib/events-DGep6C7w.d.ts

@@ -0,0 +1,207 @@
+import { ControlPlaneRoleCode } from '@openhi/types';
+
+/**
+ * @see sites/www-docs/content/packages/@openhi/constructs/workflows/control-plane/seed-demo-data/events.md
+ */
+/**
+ * Stable logical name this workflow registers with the shared
+ * `WorkflowDedupTable` (TR-015). Used in both the construct grant
+ * (`workflowDedupTable.grantConsumer(lambda, SEED_DEMO_DATA_CONSUMER_NAME)`)
+ * and the handler's runtime `recordIfAbsent` call — keep them aligned by
+ * importing this constant in both places.
+ */
+declare const SEED_DEMO_DATA_CONSUMER_NAME = "seed-demo-data";
+/** FHIR `Identifier.system` for the demo-scenario URN scheme. */
+declare const DEMO_URN_SYSTEM = "urn:openhi:demo";
+/**
+ * FHIR `Identifier.system` for the canonical OpenHI resource URN
+ * (ADR 2026-03-12-01). The value form is
+ * `urn:ohi:<tenantId>:<workspaceId>:<resourceType>:<id>`; empty
+ * workspaceId means the resource has tenant-wide scope (or is itself
+ * the workspace identity, in the Workspace case).
+ */
+declare const OPENHI_RESOURCE_URN_SYSTEM = "http://openhi.org/";
+/**
+ * Period stamped on every demo Membership and RoleAssignment. Fixed
+ * start so re-runs produce byte-identical bodies (decision #4); no
+ * end so demo memberships are open-ended.
+ */
+declare const DEMO_PERIOD: {
+    readonly start: "2026-01-01T00:00:00Z";
+};
+/**
+ * Sentinel `tenantId` used on every dev user's `system-admin`
+ * RoleAssignment. A `system-admin` RA is platform-scoped (it spans
+ * every tenant), but the RoleAssignment entity requires a tenantId on
+ * its key for sharding — there is no real tenant to point at. The
+ * `"platform"` literal is a reserved value that never matches a real
+ * Tenant id and signals "this RA scopes across all tenants".
+ *
+ * Renaming this constant is a wire-format break — the IAM grant in
+ * `seed-demo-data-lambda.ts` enumerates exact-match `LeadingKeys`
+ * computed from this value, and the in-band records written under it
+ * become unreachable if the sentinel changes.
+ */
+declare const PLATFORM_SCOPE_TENANT_ID = "platform";
+/** Placeholder Tenant id seeded by the workflow as the dev-user `currentTenant`. */
+declare const PLACEHOLDER_TENANT_ID = "placeholder-tenant-id";
+/** Placeholder Workspace id seeded by the workflow as the dev-user `currentWorkspace`. */
+declare const PLACEHOLDER_WORKSPACE_ID = "placeholder-workspace-id";
+/**
+ * Dev-user descriptor. Every entry produces:
+ *   - one Cognito user (idempotent create-then-skip),
+ *   - one DynamoDB User record (id = `dev-<email-local-part>`),
+ *   - four Memberships (placeholder + the three demo tenants),
+ *   - four `tenant-admin` RoleAssignments (one per tenant the user
+ *     belongs to),
+ *   - one `system-admin` RoleAssignment scoped to {@link PLATFORM_SCOPE_TENANT_ID}.
+ */
+interface DemoDevUser {
+    /** Stable DynamoDB User id. */
+    readonly id: string;
+    /** Email used as the Cognito `Username` and as the seed for the password algorithm. */
+    readonly email: string;
+}
+/**
+ * Hardcoded dev-user roster. Adding a new developer is a one-line
+ * change here plus a re-deploy. The list intentionally lives in-source
+ * (not behind an env-var seam) so the IAM grant in
+ * `seed-demo-data-lambda.ts` can enumerate per-user PKs at synth time.
+ */
+declare const DEV_USERS: ReadonlyArray<DemoDevUser>;
+/**
+ * A single workspace inside a demo tenant. The mixed tenant has two
+ * workspaces (wound-care and primary-care sub-workspaces); the other
+ * two tenants have one each.
+ */
+interface DemoWorkspaceSpec {
+    /** Stable id (DynamoDB record id; also drives the canonical OHI URN). */
+    readonly id: string;
+    /** FHIR `Workspace.name`. */
+    readonly name: string;
+    /**
+     * Role suffix used in the demo URN value (`<scenario>:<roleSuffix>`).
+     * Mirrors seed-fixtures' role suffix convention: `workspace` for
+     * single-workspace tenants, `workspace-<sub>` for the mixed tenant.
+     */
+    readonly roleSuffix: string;
+}
+/**
+ * One demo tenant + the workspaces it owns. Re-exported via {@link
+ * DEMO_TENANT_SPECS} as the canonical list; iterate that constant in
+ * the handler and the IAM-grant builder so the value sets agree.
+ */
+interface DemoTenantSpec {
+    /**
+     * Scenario slug — `placeholder`, `demo-wound-care`, `demo-primary-care`,
+     * `demo-mixed`. The placeholder tenant's slug is `placeholder`; the
+     * three demo tenants mirror seed-fixtures' `fixture-*` slugs renamed
+     * to `demo-*`.
+     */
+    readonly scenario: string;
+    /** Stable id (DynamoDB record id; also drives the canonical OHI URN). */
+    readonly tenantId: string;
+    /** FHIR `Tenant.name`. */
+    readonly tenantName: string;
+    /** Workspaces owned by this tenant. */
+    readonly workspaces: ReadonlyArray<DemoWorkspaceSpec>;
+}
+/**
+ * The full demo-tenant graph. Four entries: the placeholder tenant the
+ * JWT-claim fallback resolves to, plus the three v1 demo scenarios
+ * (OPS-009 §"v1 scenarios"):
+ *
+ *   0. Placeholder tenant — dereferences the JWT-claim fallback in
+ *      `pre-token-generation.handler.ts` and acts as every dev user's
+ *      `currentTenant`/`currentWorkspace` so Post-Confirmation skips
+ *      default provisioning when a seeded User signs in.
+ *   1. Single-workspace wound-care tenant.
+ *   2. Single-workspace primary-care tenant.
+ *   3. Two-workspace mixed tenant — exercises the cross-workspace
+ *      isolation flow that single-workspace tenants cannot.
+ */
+declare const DEMO_TENANT_SPECS: ReadonlyArray<DemoTenantSpec>;
+/** Stable Membership id derived from `(devUserId, tenantId)`. */
+declare const demoMembershipId: (devUserId: string, tenantId: string) => string;
+/**
+ * Stable RoleAssignment id derived from `(devUserId, tenantId, roleCode)`.
+ * Each (user, tenant, role) tuple maps to exactly one record — re-runs
+ * upsert the same id.
+ */
+declare const demoRoleAssignmentId: (devUserId: string, tenantId: string, roleCode: ControlPlaneRoleCode) => string;
+/**
+ * Demo-scenario FHIR `Identifier` entry — `urn:openhi:demo:<scenario>:<role>`.
+ * Mirrors the `urn:openhi:fixture:<scenario>:<role>` pattern from
+ * `@openhi/seed-fixtures/src/urn.ts`, renamed to the `demo` namespace.
+ */
+declare const demoScenarioIdentifier: (scenario: string, roleSuffix: string) => {
+    system: string;
+    value: string;
+};
+/**
+ * Canonical OpenHI resource FHIR `Identifier` entry per ADR
+ * 2026-03-12-01. `workspaceId` is empty for both Tenant resources and
+ * Workspace resources — for a Tenant, the resource is tenant-scoped
+ * with no workspace context; for a Workspace, the resource IS the
+ * workspace identity rather than living inside one.
+ */
+declare const openhiResourceIdentifier: (params: {
+    tenantId: string;
+    workspaceId: string;
+    resourceType: string;
+    id: string;
+}) => {
+    use: string;
+    system: string;
+    value: string;
+};
+/**
+ * Roles every dev user holds in every tenant they belong to. Per scope
+ * decision Q3, every dev user is `tenant-admin` in every tenant — there
+ * is no per-(user, tenant) variance to drive from.
+ */
+declare const demoRolesForUserInTenant: (_user: DemoDevUser, _tenantId: string) => ReadonlyArray<ControlPlaneRoleCode>;
+/**
+ * DynamoDB single-table partition-key builders. The IAM grant in
+ * `seed-demo-data-lambda.ts` uses these to enumerate exact-match
+ * `dynamodb:LeadingKeys` values; the entity definitions in
+ * `data/dynamo/entities/control/` own the canonical key templates.
+ *
+ * These builders MUST emit the keys ElectroDB actually writes — not
+ * the entity definition's pretty template. None of the control-plane
+ * entities sets `casing: "none"` on the base-table PK template, so
+ * ElectroDB applies its default lowercase casing at runtime: the
+ * entity's `ROLE#ID#${id}` becomes `role#id#<id>` on the wire. A
+ * builder that returns the uppercase template form produces a
+ * silently-broken IAM grant (every PutItem denied with "no
+ * identity-based policy allows" because the request's leading-key
+ * never matches a policy value).
+ */
+declare const rolePartitionKey: (roleId: string) => string;
+declare const demoTenantPartitionKey: (tenantId: string) => string;
+declare const demoWorkspacePartitionKey: (tenantId: string, workspaceId: string) => string;
+declare const demoMembershipPartitionKey: (tenantId: string, membershipId: string) => string;
+declare const demoRoleAssignmentPartitionKey: (tenantId: string, roleAssignmentId: string) => string;
+/** User entity PK template — `USER#ID#<id>` → `user#id#<id>` on the wire. */
+declare const demoUserPartitionKey: (userId: string) => string;
+/**
+ * Tenant + Workspace PKs the workflow writes on every fire: the 4
+ * tenant PKs (placeholder + 3 demo) plus their workspaces (1 + 1 + 1 + 2 = 5).
+ */
+declare const demoBasePartitionKeys: () => ReadonlyArray<string>;
+/**
+ * Membership + RoleAssignment + User PKs the workflow writes per dev
+ * user. Empty when `devUsers` is empty (used by tests). The list
+ * mirrors the handler's iteration order so the IAM grant covers every
+ * write the handler can make.
+ *
+ * Per dev user the function emits:
+ *   - one User PK,
+ *   - per tenant in {@link DEMO_TENANT_SPECS}: one Membership PK plus
+ *     one `tenant-admin` RoleAssignment PK,
+ *   - one platform-scoped `system-admin` RoleAssignment PK keyed by
+ *     {@link PLATFORM_SCOPE_TENANT_ID}.
+ */
+declare const demoDevUserPartitionKeys: (devUsers: ReadonlyArray<DemoDevUser>) => ReadonlyArray<string>;
+
+export { DEMO_PERIOD as D, OPENHI_RESOURCE_URN_SYSTEM as O, PLACEHOLDER_TENANT_ID as P, SEED_DEMO_DATA_CONSUMER_NAME as S, DEMO_TENANT_SPECS as a, DEMO_URN_SYSTEM as b, DEV_USERS as c, type DemoDevUser as d, type DemoTenantSpec as e, type DemoWorkspaceSpec as f, PLACEHOLDER_WORKSPACE_ID as g, PLATFORM_SCOPE_TENANT_ID as h, demoBasePartitionKeys as i, demoDevUserPartitionKeys as j, demoMembershipId as k, demoMembershipPartitionKey as l, demoRoleAssignmentId as m, demoRoleAssignmentPartitionKey as n, demoRolesForUserInTenant as o, demoScenarioIdentifier as p, demoTenantPartitionKey as q, demoUserPartitionKey as r, demoWorkspacePartitionKey as s, openhiResourceIdentifier as t, rolePartitionKey as u };

package/lib/firehose-archive-transform.handler.mjs

@@ -4,7 +4,7 @@ import {
   shouldDropAsGlobalTableReplicationRecord
 } from "./chunk-X5MHU7DA.mjs";
 import "./chunk-CEOAGPYY.mjs";
-import "./chunk-3QS3WKRC.mjs";
+import "./chunk-LZOMFHX3.mjs";
 export {
   handler,
   parseCurrentResourceKeys,