@openhi/constructs 0.0.104 → 0.0.106

package/lib/index.js

@@ -90,23 +90,637 @@ var require_lib = __commonJS({
   }
 });
 
+// ../workflows/lib/envelope-version.js
+var require_envelope_version = __commonJS({
+  "../workflows/lib/envelope-version.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.ENVELOPE_VERSION = void 0;
+    exports2.isSupportedEnvelopeVersion = isSupportedEnvelopeVersion;
+    exports2.ENVELOPE_VERSION = "1.0";
+    var ENVELOPE_VERSION_PATTERN = /^\d+\.\d+$/;
+    var MIN_SUPPORTED_MAJOR = 1;
+    var MAX_SUPPORTED_MAJOR = 1;
+    function isSupportedEnvelopeVersion(version) {
+      if (!ENVELOPE_VERSION_PATTERN.test(version)) {
+        return false;
+      }
+      const major = Number.parseInt(version.split(".")[0], 10);
+      return major >= MIN_SUPPORTED_MAJOR && major <= MAX_SUPPORTED_MAJOR;
+    }
+  }
+});
+
+// ../workflows/lib/envelope.js
+var require_envelope = __commonJS({
+  "../workflows/lib/envelope.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.MissingActorContextError = void 0;
+    exports2.isWorkflowUserActor = isWorkflowUserActor;
+    exports2.isWorkflowSystemActor = isWorkflowSystemActor;
+    exports2.workflowUserActorFromClaims = workflowUserActorFromClaims;
+    function isWorkflowUserActor(actor) {
+      return actor.ohi_uid !== void 0;
+    }
+    function isWorkflowSystemActor(actor) {
+      return actor.system !== void 0;
+    }
+    function workflowUserActorFromClaims(claims) {
+      if (claims.ohi_tid === void 0 || claims.ohi_wid === void 0) {
+        throw new MissingActorContextError("workflowUserActorFromClaims: ohi_tid and ohi_wid are required on the workflow user-actor; the caller's JWT is missing one or both. Use a system-actor for pre-provisioning bootstrap workflows.");
+      }
+      return {
+        ohi_tid: claims.ohi_tid,
+        ohi_wid: claims.ohi_wid,
+        ohi_uid: claims.ohi_uid,
+        ohi_uname: claims.ohi_uname
+      };
+    }
+    var MissingActorContextError = class extends Error {
+      /** @param message - human-readable description of the missing claim. */
+      constructor(message) {
+        super(message);
+        this.name = "MissingActorContextError";
+      }
+    };
+    exports2.MissingActorContextError = MissingActorContextError;
+  }
+});
+
+// ../workflows/lib/sources.js
+var require_sources = __commonJS({
+  "../workflows/lib/sources.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.DEFAULT_BUS_NAME_BY_SOURCE = exports2.OPENHI_OPS_SOURCE = exports2.OPENHI_DATA_SOURCE = exports2.OPENHI_CONTROL_SOURCE = void 0;
+    exports2.OPENHI_CONTROL_SOURCE = "openhi.control";
+    exports2.OPENHI_DATA_SOURCE = "openhi.data";
+    exports2.OPENHI_OPS_SOURCE = "openhi.ops";
+    exports2.DEFAULT_BUS_NAME_BY_SOURCE = {
+      [exports2.OPENHI_CONTROL_SOURCE]: "openhi-control-event-bus",
+      [exports2.OPENHI_DATA_SOURCE]: "openhi-data-event-bus",
+      [exports2.OPENHI_OPS_SOURCE]: "openhi-ops-event-bus"
+    };
+  }
+});
+
+// ../workflows/lib/detail-types/registry.js
+var require_registry = __commonJS({
+  "../workflows/lib/detail-types/registry.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.InvalidDetailTypeRegistrationError = void 0;
+    exports2.defineDetailType = defineDetailType;
+    exports2.isWellFormedDetailType = isWellFormedDetailType;
+    function defineDetailType(entry) {
+      if (!isWellFormedDetailType(entry.detailType)) {
+        throw new InvalidDetailTypeRegistrationError(`Detail-type "${entry.detailType}" does not match the platform-wide format <area>.<event>.v<integer>. See TR-016 \xA7Open Items #2.`);
+      }
+      return entry;
+    }
+    var DETAIL_TYPE_PATTERN = /^[a-z0-9]+(?:-[a-z0-9]+)*\.[a-z0-9]+(?:-[a-z0-9]+)*\.v\d+$/;
+    function isWellFormedDetailType(detailType) {
+      return DETAIL_TYPE_PATTERN.test(detailType);
+    }
+    var InvalidDetailTypeRegistrationError = class extends Error {
+      /** @param message - human-readable description of the violation. */
+      constructor(message) {
+        super(message);
+        this.name = "InvalidDetailTypeRegistrationError";
+      }
+    };
+    exports2.InvalidDetailTypeRegistrationError = InvalidDetailTypeRegistrationError;
+  }
+});
+
+// ../workflows/lib/detail-types/platform.js
+var require_platform = __commonJS({
+  "../workflows/lib/detail-types/platform.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.PlatformSystemDataSeededV1 = exports2.PlatformDeploymentCompletedV1 = void 0;
+    var sources_1 = require_sources();
+    var registry_1 = require_registry();
+    exports2.PlatformDeploymentCompletedV1 = (0, registry_1.defineDetailType)({
+      detailType: "platform.deployment-completed.v1",
+      source: sources_1.OPENHI_CONTROL_SOURCE,
+      dedupRequired: true
+    });
+    exports2.PlatformSystemDataSeededV1 = (0, registry_1.defineDetailType)({
+      detailType: "platform.system-data-seeded.v1",
+      source: sources_1.OPENHI_CONTROL_SOURCE,
+      dedupRequired: true
+    });
+  }
+});
+
+// ../workflows/lib/detail-types/index.js
+var require_detail_types = __commonJS({
+  "../workflows/lib/detail-types/index.js"(exports2) {
+    "use strict";
+    var __createBinding = exports2 && exports2.__createBinding || (Object.create ? (function(o, m, k, k2) {
+      if (k2 === void 0) k2 = k;
+      var desc = Object.getOwnPropertyDescriptor(m, k);
+      if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+        desc = { enumerable: true, get: function() {
+          return m[k];
+        } };
+      }
+      Object.defineProperty(o, k2, desc);
+    }) : (function(o, m, k, k2) {
+      if (k2 === void 0) k2 = k;
+      o[k2] = m[k];
+    }));
+    var __exportStar = exports2 && exports2.__exportStar || function(m, exports3) {
+      for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports3, p)) __createBinding(exports3, m, p);
+    };
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    __exportStar(require_platform(), exports2);
+    __exportStar(require_registry(), exports2);
+  }
+});
+
+// ../workflows/lib/publisher.js
+var require_publisher = __commonJS({
+  "../workflows/lib/publisher.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.WorkflowPublishError = void 0;
+    exports2.workflowsClient = workflowsClient;
+    exports2.publishWorkflowEvent = publishWorkflowEvent;
+    var node_crypto_1 = require("crypto");
+    var client_eventbridge_1 = require("@aws-sdk/client-eventbridge");
+    var envelope_version_1 = require_envelope_version();
+    var sources_1 = require_sources();
+    function workflowsClient(bridge, options = {}) {
+      return {
+        publish: (entry, payload, ctx) => publishWorkflowEvent(bridge, entry, payload, ctx, options)
+      };
+    }
+    async function publishWorkflowEvent(bridge, entry, payload, ctx, options = {}) {
+      const eventIdGenerator = options.eventIdGenerator ?? (() => (0, node_crypto_1.randomUUID)());
+      const correlationIdGenerator = options.correlationIdGenerator ?? (() => (0, node_crypto_1.randomUUID)());
+      const now = options.now ?? (() => /* @__PURE__ */ new Date());
+      const envelope = {
+        eventId: eventIdGenerator(),
+        attempt: 1,
+        correlationId: ctx.correlationId ?? correlationIdGenerator(),
+        causationId: ctx.causationId ?? null,
+        actor: ctx.actor,
+        occurredAt: now().toISOString(),
+        envelopeVersion: envelope_version_1.ENVELOPE_VERSION,
+        payload
+      };
+      const busName = options.busNameByPlane?.[entry.source] ?? sources_1.DEFAULT_BUS_NAME_BY_SOURCE[entry.source];
+      const result = await bridge.send(new client_eventbridge_1.PutEventsCommand({
+        Entries: [
+          {
+            EventBusName: busName,
+            Source: entry.source,
+            DetailType: entry.detailType,
+            Detail: JSON.stringify(envelope)
+          }
+        ]
+      }));
+      if ((result.FailedEntryCount ?? 0) > 0) {
+        const first = result.Entries?.[0];
+        throw new WorkflowPublishError(`EventBridge rejected ${entry.detailType} publish on bus ${busName}: ${first?.ErrorCode ?? "unknown"} \u2014 ${first?.ErrorMessage ?? "no error message"}`);
+      }
+      return { eventId: envelope.eventId };
+    }
+    var WorkflowPublishError = class extends Error {
+      /** @param message - human-readable description of the failed publish. */
+      constructor(message) {
+        super(message);
+        this.name = "WorkflowPublishError";
+      }
+    };
+    exports2.WorkflowPublishError = WorkflowPublishError;
+  }
+});
+
+// ../workflows/lib/consumer.js
+var require_consumer = __commonJS({
+  "../workflows/lib/consumer.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.UnsupportedEnvelopeVersionError = exports2.InvalidWorkflowEventError = void 0;
+    exports2.parseWorkflowEvent = parseWorkflowEvent2;
+    var envelope_version_1 = require_envelope_version();
+    function parseWorkflowEvent2(event, expected) {
+      if (event.source !== expected.source) {
+        throw new InvalidWorkflowEventError(`EventBridge source "${event.source}" does not match expected detail-type's source "${expected.source}".`);
+      }
+      if (event["detail-type"] !== expected.detailType) {
+        throw new InvalidWorkflowEventError(`EventBridge detail-type "${event["detail-type"]}" does not match expected "${expected.detailType}".`);
+      }
+      const candidate = asEnvelopeCandidate(event.detail);
+      if (!(0, envelope_version_1.isSupportedEnvelopeVersion)(candidate.envelopeVersion)) {
+        throw new UnsupportedEnvelopeVersionError(`Envelope version "${candidate.envelopeVersion}" is outside the SDK's supported range.`);
+      }
+      const envelope = {
+        eventId: candidate.eventId,
+        attempt: candidate.attempt,
+        correlationId: candidate.correlationId,
+        causationId: candidate.causationId,
+        actor: candidate.actor,
+        occurredAt: candidate.occurredAt,
+        envelopeVersion: candidate.envelopeVersion,
+        payload: candidate.payload
+      };
+      return {
+        envelope,
+        dedupKey: { eventId: envelope.eventId, attempt: envelope.attempt }
+      };
+    }
+    function asEnvelopeCandidate(detail) {
+      if (detail === null || typeof detail !== "object") {
+        throw new InvalidWorkflowEventError("EventBridge detail is not a non-null object.");
+      }
+      const obj = detail;
+      assertString(obj, "eventId");
+      assertPositiveInteger(obj, "attempt");
+      assertString(obj, "correlationId");
+      assertCausationId(obj);
+      assertActor(obj);
+      assertString(obj, "occurredAt");
+      assertString(obj, "envelopeVersion");
+      if (!("payload" in obj)) {
+        throw new InvalidWorkflowEventError("Envelope is missing required field: payload.");
+      }
+      return obj;
+    }
+    function assertString(obj, field) {
+      const value = obj[field];
+      if (typeof value !== "string" || value.length === 0) {
+        throw new InvalidWorkflowEventError(`Envelope field "${field}" must be a non-empty string.`);
+      }
+    }
+    function assertPositiveInteger(obj, field) {
+      const value = obj[field];
+      if (typeof value !== "number" || !Number.isInteger(value) || value < 1) {
+        throw new InvalidWorkflowEventError(`Envelope field "${field}" must be a 1-indexed integer.`);
+      }
+    }
+    function assertCausationId(obj) {
+      if (!("causationId" in obj)) {
+        throw new InvalidWorkflowEventError("Envelope is missing required field: causationId.");
+      }
+      const value = obj.causationId;
+      if (value !== null && (typeof value !== "string" || value.length === 0)) {
+        throw new InvalidWorkflowEventError('Envelope field "causationId" must be a non-empty string or null.');
+      }
+    }
+    function assertActor(obj) {
+      const actor = obj.actor;
+      if (actor === null || typeof actor !== "object") {
+        throw new InvalidWorkflowEventError('Envelope field "actor" must be an object.');
+      }
+      const actorObj = actor;
+      const isUserActor = typeof actorObj.ohi_uid === "string" && typeof actorObj.ohi_uname === "string" && typeof actorObj.ohi_tid === "string" && typeof actorObj.ohi_wid === "string";
+      const isSystemActor = typeof actorObj.system === "string";
+      if (!isUserActor && !isSystemActor) {
+        throw new InvalidWorkflowEventError('Envelope field "actor" must be either a user-actor (ohi_tid, ohi_wid, ohi_uid, ohi_uname) or a system-actor ({ system: string }).');
+      }
+    }
+    var InvalidWorkflowEventError = class extends Error {
+      /** @param message - human-readable description of the validation failure. */
+      constructor(message) {
+        super(message);
+        this.name = "InvalidWorkflowEventError";
+      }
+    };
+    exports2.InvalidWorkflowEventError = InvalidWorkflowEventError;
+    var UnsupportedEnvelopeVersionError = class extends Error {
+      /** @param message - human-readable description of the unsupported version. */
+      constructor(message) {
+        super(message);
+        this.name = "UnsupportedEnvelopeVersionError";
+      }
+    };
+    exports2.UnsupportedEnvelopeVersionError = UnsupportedEnvelopeVersionError;
+  }
+});
+
+// ../workflows/lib/dedup/env.js
+var require_env = __commonJS({
+  "../workflows/lib/dedup/env.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH = exports2.WORKFLOW_DEDUP_DEFAULT_TTL_SECONDS = exports2.WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR = void 0;
+    exports2.WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR = "OPENHI_WORKFLOW_DEDUP_TABLE_NAME";
+    exports2.WORKFLOW_DEDUP_DEFAULT_TTL_SECONDS = 14 * 24 * 60 * 60;
+    exports2.WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH = 64;
+  }
+});
+
+// ../workflows/lib/dedup/workflow-dedup-client.js
+var require_workflow_dedup_client = __commonJS({
+  "../workflows/lib/dedup/workflow-dedup-client.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.WorkflowDedupInvalidInputError = exports2.WorkflowDedupTableNameMissingError = void 0;
+    exports2.workflowDedupClient = workflowDedupClient2;
+    exports2.recordIfAbsent = recordIfAbsent;
+    exports2.markFailed = markFailed;
+    exports2.encodeSortKey = encodeSortKey;
+    var client_dynamodb_1 = require("@aws-sdk/client-dynamodb");
+    var env_1 = require_env();
+    function workflowDedupClient2(dynamodb, options = {}) {
+      return {
+        recordIfAbsent: (input) => recordIfAbsent(dynamodb, input, options),
+        markFailed: (input) => markFailed(dynamodb, input, options)
+      };
+    }
+    async function recordIfAbsent(dynamodb, input, options = {}) {
+      assertConsumerName(input.consumerName);
+      assertPositiveInteger(input.attempt, "attempt");
+      const ttlSeconds = input.ttlSeconds ?? options.defaultTtlSeconds ?? env_1.WORKFLOW_DEDUP_DEFAULT_TTL_SECONDS;
+      if (!Number.isInteger(ttlSeconds) || ttlSeconds <= 0) {
+        throw new WorkflowDedupInvalidInputError(`ttlSeconds must be a positive integer; got ${ttlSeconds}.`);
+      }
+      const tableName = resolveTableName(options.tableName);
+      const now = (options.now ?? defaultNow)();
+      const sk = encodeSortKey(input.eventId, input.attempt);
+      const expiresAt = Math.floor(now.getTime() / 1e3) + ttlSeconds;
+      try {
+        await dynamodb.send(new client_dynamodb_1.PutItemCommand({
+          TableName: tableName,
+          Item: {
+            consumerName: { S: input.consumerName },
+            sk: { S: sk },
+            eventId: { S: input.eventId },
+            attempt: { N: String(input.attempt) },
+            recordedAt: { S: now.toISOString() },
+            expiresAt: { N: String(expiresAt) }
+          },
+          ConditionExpression: "attribute_not_exists(consumerName) AND attribute_not_exists(sk)"
+        }));
+        return { recorded: true };
+      } catch (err) {
+        if (err instanceof client_dynamodb_1.ConditionalCheckFailedException) {
+          return { recorded: false, alreadyProcessed: true };
+        }
+        throw err;
+      }
+    }
+    async function markFailed(dynamodb, input, options = {}) {
+      assertConsumerName(input.consumerName);
+      assertPositiveInteger(input.attempt, "attempt");
+      if (input.reason.length === 0) {
+        throw new WorkflowDedupInvalidInputError("reason must be non-empty.");
+      }
+      const tableName = resolveTableName(options.tableName);
+      const now = (options.now ?? defaultNow)();
+      const sk = encodeSortKey(input.eventId, input.attempt);
+      await dynamodb.send(new client_dynamodb_1.UpdateItemCommand({
+        TableName: tableName,
+        Key: {
+          consumerName: { S: input.consumerName },
+          sk: { S: sk }
+        },
+        UpdateExpression: "SET #failed = :failed, #failureReason = :reason, #failedAt = :failedAt",
+        ExpressionAttributeNames: {
+          "#failed": "failed",
+          "#failureReason": "failureReason",
+          "#failedAt": "failedAt"
+        },
+        ExpressionAttributeValues: {
+          ":failed": { BOOL: true },
+          ":reason": { S: input.reason },
+          ":failedAt": { S: now.toISOString() }
+        }
+      }));
+    }
+    function encodeSortKey(eventId, attempt) {
+      if (eventId.length === 0) {
+        throw new WorkflowDedupInvalidInputError("eventId must be non-empty.");
+      }
+      return `${eventId}#${attempt}`;
+    }
+    function resolveTableName(explicit) {
+      const name = explicit ?? process.env[env_1.WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR];
+      if (!name) {
+        throw new WorkflowDedupTableNameMissingError(`Workflow dedup table name not set. Pass options.tableName or set ${env_1.WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR}.`);
+      }
+      return name;
+    }
+    function assertConsumerName(consumerName) {
+      if (consumerName.length === 0) {
+        throw new WorkflowDedupInvalidInputError("consumerName must be non-empty.");
+      }
+      if (consumerName.length > env_1.WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH) {
+        throw new WorkflowDedupInvalidInputError(`consumerName must be \u2264${env_1.WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH} chars; got ${consumerName.length}.`);
+      }
+      if (/\s/.test(consumerName)) {
+        throw new WorkflowDedupInvalidInputError("consumerName must not contain whitespace.");
+      }
+    }
+    function assertPositiveInteger(value, field) {
+      if (!Number.isInteger(value) || value < 1) {
+        throw new WorkflowDedupInvalidInputError(`${field} must be a 1-indexed integer; got ${value}.`);
+      }
+    }
+    function defaultNow() {
+      return /* @__PURE__ */ new Date();
+    }
+    var WorkflowDedupTableNameMissingError = class extends Error {
+      /** @param message - human-readable description. */
+      constructor(message) {
+        super(message);
+        this.name = "WorkflowDedupTableNameMissingError";
+      }
+    };
+    exports2.WorkflowDedupTableNameMissingError = WorkflowDedupTableNameMissingError;
+    var WorkflowDedupInvalidInputError = class extends Error {
+      /** @param message - human-readable description. */
+      constructor(message) {
+        super(message);
+        this.name = "WorkflowDedupInvalidInputError";
+      }
+    };
+    exports2.WorkflowDedupInvalidInputError = WorkflowDedupInvalidInputError;
+  }
+});
+
+// ../workflows/lib/dedup/index.js
+var require_dedup = __commonJS({
+  "../workflows/lib/dedup/index.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.workflowDedupClient = exports2.recordIfAbsent = exports2.markFailed = exports2.encodeSortKey = exports2.WorkflowDedupTableNameMissingError = exports2.WorkflowDedupInvalidInputError = exports2.WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR = exports2.WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH = exports2.WORKFLOW_DEDUP_DEFAULT_TTL_SECONDS = void 0;
+    var env_1 = require_env();
+    Object.defineProperty(exports2, "WORKFLOW_DEDUP_DEFAULT_TTL_SECONDS", { enumerable: true, get: function() {
+      return env_1.WORKFLOW_DEDUP_DEFAULT_TTL_SECONDS;
+    } });
+    Object.defineProperty(exports2, "WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH", { enumerable: true, get: function() {
+      return env_1.WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH;
+    } });
+    Object.defineProperty(exports2, "WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR", { enumerable: true, get: function() {
+      return env_1.WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR;
+    } });
+    var workflow_dedup_client_1 = require_workflow_dedup_client();
+    Object.defineProperty(exports2, "WorkflowDedupInvalidInputError", { enumerable: true, get: function() {
+      return workflow_dedup_client_1.WorkflowDedupInvalidInputError;
+    } });
+    Object.defineProperty(exports2, "WorkflowDedupTableNameMissingError", { enumerable: true, get: function() {
+      return workflow_dedup_client_1.WorkflowDedupTableNameMissingError;
+    } });
+    Object.defineProperty(exports2, "encodeSortKey", { enumerable: true, get: function() {
+      return workflow_dedup_client_1.encodeSortKey;
+    } });
+    Object.defineProperty(exports2, "markFailed", { enumerable: true, get: function() {
+      return workflow_dedup_client_1.markFailed;
+    } });
+    Object.defineProperty(exports2, "recordIfAbsent", { enumerable: true, get: function() {
+      return workflow_dedup_client_1.recordIfAbsent;
+    } });
+    Object.defineProperty(exports2, "workflowDedupClient", { enumerable: true, get: function() {
+      return workflow_dedup_client_1.workflowDedupClient;
+    } });
+  }
+});
+
+// ../workflows/lib/index.js
+var require_lib2 = __commonJS({
+  "../workflows/lib/index.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.workflowDedupClient = exports2.recordIfAbsent = exports2.markFailed = exports2.encodeSortKey = exports2.WorkflowDedupTableNameMissingError = exports2.WorkflowDedupInvalidInputError = exports2.WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR = exports2.WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH = exports2.WORKFLOW_DEDUP_DEFAULT_TTL_SECONDS = exports2.parseWorkflowEvent = exports2.UnsupportedEnvelopeVersionError = exports2.InvalidWorkflowEventError = exports2.workflowsClient = exports2.publishWorkflowEvent = exports2.WorkflowPublishError = exports2.isWellFormedDetailType = exports2.defineDetailType = exports2.PlatformSystemDataSeededV1 = exports2.PlatformDeploymentCompletedV1 = exports2.InvalidDetailTypeRegistrationError = exports2.OPENHI_OPS_SOURCE = exports2.OPENHI_DATA_SOURCE = exports2.OPENHI_CONTROL_SOURCE = exports2.DEFAULT_BUS_NAME_BY_SOURCE = exports2.workflowUserActorFromClaims = exports2.isWorkflowUserActor = exports2.isWorkflowSystemActor = exports2.MissingActorContextError = exports2.isSupportedEnvelopeVersion = exports2.ENVELOPE_VERSION = void 0;
+    var envelope_version_1 = require_envelope_version();
+    Object.defineProperty(exports2, "ENVELOPE_VERSION", { enumerable: true, get: function() {
+      return envelope_version_1.ENVELOPE_VERSION;
+    } });
+    Object.defineProperty(exports2, "isSupportedEnvelopeVersion", { enumerable: true, get: function() {
+      return envelope_version_1.isSupportedEnvelopeVersion;
+    } });
+    var envelope_1 = require_envelope();
+    Object.defineProperty(exports2, "MissingActorContextError", { enumerable: true, get: function() {
+      return envelope_1.MissingActorContextError;
+    } });
+    Object.defineProperty(exports2, "isWorkflowSystemActor", { enumerable: true, get: function() {
+      return envelope_1.isWorkflowSystemActor;
+    } });
+    Object.defineProperty(exports2, "isWorkflowUserActor", { enumerable: true, get: function() {
+      return envelope_1.isWorkflowUserActor;
+    } });
+    Object.defineProperty(exports2, "workflowUserActorFromClaims", { enumerable: true, get: function() {
+      return envelope_1.workflowUserActorFromClaims;
+    } });
+    var sources_1 = require_sources();
+    Object.defineProperty(exports2, "DEFAULT_BUS_NAME_BY_SOURCE", { enumerable: true, get: function() {
+      return sources_1.DEFAULT_BUS_NAME_BY_SOURCE;
+    } });
+    Object.defineProperty(exports2, "OPENHI_CONTROL_SOURCE", { enumerable: true, get: function() {
+      return sources_1.OPENHI_CONTROL_SOURCE;
+    } });
+    Object.defineProperty(exports2, "OPENHI_DATA_SOURCE", { enumerable: true, get: function() {
+      return sources_1.OPENHI_DATA_SOURCE;
+    } });
+    Object.defineProperty(exports2, "OPENHI_OPS_SOURCE", { enumerable: true, get: function() {
+      return sources_1.OPENHI_OPS_SOURCE;
+    } });
+    var detail_types_1 = require_detail_types();
+    Object.defineProperty(exports2, "InvalidDetailTypeRegistrationError", { enumerable: true, get: function() {
+      return detail_types_1.InvalidDetailTypeRegistrationError;
+    } });
+    Object.defineProperty(exports2, "PlatformDeploymentCompletedV1", { enumerable: true, get: function() {
+      return detail_types_1.PlatformDeploymentCompletedV1;
+    } });
+    Object.defineProperty(exports2, "PlatformSystemDataSeededV1", { enumerable: true, get: function() {
+      return detail_types_1.PlatformSystemDataSeededV1;
+    } });
+    Object.defineProperty(exports2, "defineDetailType", { enumerable: true, get: function() {
+      return detail_types_1.defineDetailType;
+    } });
+    Object.defineProperty(exports2, "isWellFormedDetailType", { enumerable: true, get: function() {
+      return detail_types_1.isWellFormedDetailType;
+    } });
+    var publisher_1 = require_publisher();
+    Object.defineProperty(exports2, "WorkflowPublishError", { enumerable: true, get: function() {
+      return publisher_1.WorkflowPublishError;
+    } });
+    Object.defineProperty(exports2, "publishWorkflowEvent", { enumerable: true, get: function() {
+      return publisher_1.publishWorkflowEvent;
+    } });
+    Object.defineProperty(exports2, "workflowsClient", { enumerable: true, get: function() {
+      return publisher_1.workflowsClient;
+    } });
+    var consumer_1 = require_consumer();
+    Object.defineProperty(exports2, "InvalidWorkflowEventError", { enumerable: true, get: function() {
+      return consumer_1.InvalidWorkflowEventError;
+    } });
+    Object.defineProperty(exports2, "UnsupportedEnvelopeVersionError", { enumerable: true, get: function() {
+      return consumer_1.UnsupportedEnvelopeVersionError;
+    } });
+    Object.defineProperty(exports2, "parseWorkflowEvent", { enumerable: true, get: function() {
+      return consumer_1.parseWorkflowEvent;
+    } });
+    var dedup_1 = require_dedup();
+    Object.defineProperty(exports2, "WORKFLOW_DEDUP_DEFAULT_TTL_SECONDS", { enumerable: true, get: function() {
+      return dedup_1.WORKFLOW_DEDUP_DEFAULT_TTL_SECONDS;
+    } });
+    Object.defineProperty(exports2, "WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH", { enumerable: true, get: function() {
+      return dedup_1.WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH;
+    } });
+    Object.defineProperty(exports2, "WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR", { enumerable: true, get: function() {
+      return dedup_1.WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR;
+    } });
+    Object.defineProperty(exports2, "WorkflowDedupInvalidInputError", { enumerable: true, get: function() {
+      return dedup_1.WorkflowDedupInvalidInputError;
+    } });
+    Object.defineProperty(exports2, "WorkflowDedupTableNameMissingError", { enumerable: true, get: function() {
+      return dedup_1.WorkflowDedupTableNameMissingError;
+    } });
+    Object.defineProperty(exports2, "encodeSortKey", { enumerable: true, get: function() {
+      return dedup_1.encodeSortKey;
+    } });
+    Object.defineProperty(exports2, "markFailed", { enumerable: true, get: function() {
+      return dedup_1.markFailed;
+    } });
+    Object.defineProperty(exports2, "recordIfAbsent", { enumerable: true, get: function() {
+      return dedup_1.recordIfAbsent;
+    } });
+    Object.defineProperty(exports2, "workflowDedupClient", { enumerable: true, get: function() {
+      return dedup_1.workflowDedupClient;
+    } });
+  }
+});
+
 // src/index.ts
 var src_exports = {};
 __export(src_exports, {
+  BRIDGED_STATUSES: () => BRIDGED_STATUSES,
+  CLOUDFORMATION_EVENT_SOURCE: () => CLOUDFORMATION_EVENT_SOURCE,
+  CLOUDFORMATION_STACK_STATUS_CHANGE_DETAIL_TYPE: () => CLOUDFORMATION_STACK_STATUS_CHANGE_DETAIL_TYPE,
+  CONTROL_EVENT_BUS_NAME_ENV_VAR: () => CONTROL_EVENT_BUS_NAME_ENV_VAR,
   ChildHostedZone: () => ChildHostedZone,
   CognitoFixtureSeederClient: () => CognitoFixtureSeederClient,
   CognitoUserPool: () => CognitoUserPool,
   CognitoUserPoolClient: () => CognitoUserPoolClient,
   CognitoUserPoolDomain: () => CognitoUserPoolDomain,
   CognitoUserPoolKmsKey: () => CognitoUserPoolKmsKey,
+  ControlEventBus: () => ControlEventBus,
   DATA_STORE_CHANGE_DETAIL_MAX_UTF8_BYTES: () => DATA_STORE_CHANGE_DETAIL_MAX_UTF8_BYTES,
   DATA_STORE_CHANGE_DETAIL_TYPE: () => DATA_STORE_CHANGE_DETAIL_TYPE,
   DATA_STORE_CHANGE_EVENT_SOURCE: () => DATA_STORE_CHANGE_EVENT_SOURCE,
+  DEMO_PERIOD: () => DEMO_PERIOD,
+  DEMO_TENANT_SPECS: () => DEMO_TENANT_SPECS,
+  DEMO_URN_SYSTEM: () => DEMO_URN_SYSTEM,
+  DEV_USERS: () => DEV_USERS,
   DataEventBus: () => DataEventBus,
   DataStoreHistoricalArchive: () => DataStoreHistoricalArchive,
   DataStorePostgresReplica: () => DataStorePostgresReplica,
   DiscoverableStringParameter: () => DiscoverableStringParameter,
   DynamoDbDataStore: () => DynamoDbDataStore,
+  OPENHI_REPO_TAG_KEY_ENV_VAR: () => OPENHI_REPO_TAG_KEY_ENV_VAR,
+  OPENHI_RESOURCE_URN_SYSTEM: () => OPENHI_RESOURCE_URN_SYSTEM,
+  OPENHI_TAG_KEY_PREFIX_ENV_VAR: () => OPENHI_TAG_KEY_PREFIX_ENV_VAR,
+  OPENHI_TAG_SUFFIX_BRANCH_NAME: () => OPENHI_TAG_SUFFIX_BRANCH_NAME,
+  OPENHI_TAG_SUFFIX_REPO_NAME: () => OPENHI_TAG_SUFFIX_REPO_NAME,
+  OPENHI_TAG_SUFFIX_SERVICE_TYPE: () => OPENHI_TAG_SUFFIX_SERVICE_TYPE,
+  OPENHI_TAG_SUFFIX_STAGE_TYPE: () => OPENHI_TAG_SUFFIX_STAGE_TYPE,
   OpenHiApp: () => OpenHiApp,
   OpenHiAuthService: () => OpenHiAuthService,
   OpenHiDataService: () => OpenHiDataService,
@@ -117,22 +731,60 @@ __export(src_exports, {
   OpenHiService: () => OpenHiService,
   OpenHiStage: () => OpenHiStage,
   OpsEventBus: () => OpsEventBus,
+  PLACEHOLDER_TENANT_ID: () => PLACEHOLDER_TENANT_ID,
+  PLACEHOLDER_WORKSPACE_ID: () => PLACEHOLDER_WORKSPACE_ID,
+  PLATFORM_DEPLOY_BRIDGE_ACTOR_SYSTEM: () => PLATFORM_DEPLOY_BRIDGE_ACTOR_SYSTEM,
+  PLATFORM_SCOPE_TENANT_ID: () => PLATFORM_SCOPE_TENANT_ID,
   POSTGRES_REPLICA_CLUSTER_ARN_SSM_NAME: () => POSTGRES_REPLICA_CLUSTER_ARN_SSM_NAME,
   POSTGRES_REPLICA_DATABASE_NAME_SSM_NAME: () => POSTGRES_REPLICA_DATABASE_NAME_SSM_NAME,
   POSTGRES_REPLICA_SECRET_ARN_SSM_NAME: () => POSTGRES_REPLICA_SECRET_ARN_SSM_NAME,
+  PROVISION_DEFAULT_WORKSPACE_DETAIL_TYPE: () => PROVISION_DEFAULT_WORKSPACE_DETAIL_TYPE,
+  PlatformDeployBridge: () => PlatformDeployBridge,
+  PlatformDeployBridgeLambda: () => PlatformDeployBridgeLambda,
+  PlatformDeploymentCompletedV1: () => import_workflows4.PlatformDeploymentCompletedV1,
   PostAuthenticationLambda: () => PostAuthenticationLambda,
   PostConfirmationLambda: () => PostConfirmationLambda,
   PreTokenGenerationLambda: () => PreTokenGenerationLambda,
+  ProvisionDefaultWorkspaceLambda: () => ProvisionDefaultWorkspaceLambda,
   REST_API_BASE_URL_SSM_NAME: () => REST_API_BASE_URL_SSM_NAME,
   RootGraphqlApi: () => RootGraphqlApi,
   RootHostedZone: () => RootHostedZone,
   RootHttpApi: () => RootHttpApi,
   RootWildcardCertificate: () => RootWildcardCertificate,
+  SEED_DEMO_DATA_CONSUMER_NAME: () => SEED_DEMO_DATA_CONSUMER_NAME,
+  SEED_SYSTEM_DATA_ACTOR_SYSTEM: () => SEED_SYSTEM_DATA_ACTOR_SYSTEM,
+  SEED_SYSTEM_DATA_CONSUMER_NAME: () => SEED_SYSTEM_DATA_CONSUMER_NAME,
+  SEED_SYSTEM_DATA_CONTROL_BUS_ENV_VAR: () => SEED_SYSTEM_DATA_CONTROL_BUS_ENV_VAR,
   STATIC_HOSTING_SERVICE_TYPE: () => STATIC_HOSTING_SERVICE_TYPE,
+  SeedDemoDataLambda: () => SeedDemoDataLambda,
+  SeedDemoDataWorkflow: () => SeedDemoDataWorkflow,
+  SeedSystemDataLambda: () => SeedSystemDataLambda,
+  SeedSystemDataWorkflow: () => SeedSystemDataWorkflow,
   StaticHosting: () => StaticHosting,
+  USER_ONBOARDING_EVENT_SOURCE: () => USER_ONBOARDING_EVENT_SOURCE,
+  UserOnboardingWorkflow: () => UserOnboardingWorkflow,
+  WorkflowDedupConsumerNameInvalidError: () => WorkflowDedupConsumerNameInvalidError,
+  WorkflowDedupTable: () => WorkflowDedupTable,
+  WorkflowDedupTableDuplicateError: () => WorkflowDedupTableDuplicateError,
   buildFhirCurrentResourceChangeDetail: () => buildFhirCurrentResourceChangeDetail,
+  buildProvisionDefaultWorkspaceRequestedDetail: () => buildProvisionDefaultWorkspaceRequestedDetail,
+  demoBasePartitionKeys: () => demoBasePartitionKeys,
+  demoDevUserPartitionKeys: () => demoDevUserPartitionKeys,
+  demoMembershipId: () => demoMembershipId,
+  demoMembershipPartitionKey: () => demoMembershipPartitionKey,
+  demoRoleAssignmentId: () => demoRoleAssignmentId,
+  demoRoleAssignmentPartitionKey: () => demoRoleAssignmentPartitionKey,
+  demoRolesForUserInTenant: () => demoRolesForUserInTenant,
+  demoScenarioIdentifier: () => demoScenarioIdentifier,
+  demoTenantPartitionKey: () => demoTenantPartitionKey,
+  demoUserPartitionKey: () => demoUserPartitionKey,
+  demoWorkspacePartitionKey: () => demoWorkspacePartitionKey,
   getDynamoDbDataStoreTableName: () => getDynamoDbDataStoreTableName,
-  getPostgresReplicaSchemaName: () => getPostgresReplicaSchemaName
+  getPostgresReplicaSchemaName: () => getPostgresReplicaSchemaName,
+  getWorkflowDedupTableName: () => getWorkflowDedupTableName,
+  openHiTagKey: () => openHiTagKey,
+  openhiResourceIdentifier: () => openhiResourceIdentifier,
+  rolePartitionKey: () => rolePartitionKey
 });
 module.exports = __toCommonJS(src_exports);
 
@@ -347,6 +999,11 @@ var import_utils = require("@codedrifters/utils");
 var import_config3 = __toESM(require_lib());
 var import_aws_cdk_lib4 = require("aws-cdk-lib");
 var import_change_case = require("change-case");
+var OPENHI_TAG_SUFFIX_REPO_NAME = "repo-name";
+var OPENHI_TAG_SUFFIX_BRANCH_NAME = "branch-name";
+var OPENHI_TAG_SUFFIX_SERVICE_TYPE = "service-type";
+var OPENHI_TAG_SUFFIX_STAGE_TYPE = "stage-type";
+var openHiTagKey = (appName, suffix) => `${appName}:${suffix}`;
 var OpenHiService = class extends import_aws_cdk_lib4.Stack {
   /**
    * Creates a new OpenHI service stack.
@@ -414,11 +1071,20 @@ var OpenHiService = class extends import_aws_cdk_lib4.Stack {
       `availability-zones:account=${account}:region=${region}`,
       [`${region}a`, `${region}b`, `${region}c`]
     );
-    import_aws_cdk_lib4.Tags.of(this).add(`${appName}:repo-name`, repoName.slice(0, 255));
-    import_aws_cdk_lib4.Tags.of(this).add(`${appName}:branch-name`, branchName.slice(0, 255));
-    import_aws_cdk_lib4.Tags.of(this).add(`${appName}:service-type`, id.slice(0, 255));
     import_aws_cdk_lib4.Tags.of(this).add(
-      `${appName}:stage-type`,
+      openHiTagKey(appName, OPENHI_TAG_SUFFIX_REPO_NAME),
+      repoName.slice(0, 255)
+    );
+    import_aws_cdk_lib4.Tags.of(this).add(
+      openHiTagKey(appName, OPENHI_TAG_SUFFIX_BRANCH_NAME),
+      branchName.slice(0, 255)
+    );
+    import_aws_cdk_lib4.Tags.of(this).add(
+      openHiTagKey(appName, OPENHI_TAG_SUFFIX_SERVICE_TYPE),
+      id.slice(0, 255)
+    );
+    import_aws_cdk_lib4.Tags.of(this).add(
+      openHiTagKey(appName, OPENHI_TAG_SUFFIX_STAGE_TYPE),
       ohEnv.ohStage.stageType.slice(0, 255)
     );
   }
@@ -761,14 +1427,13 @@ var import_aws_lambda2 = require("aws-cdk-lib/aws-lambda");
 var import_aws_lambda_nodejs2 = require("aws-cdk-lib/aws-lambda-nodejs");
 var import_constructs2 = require("constructs");
 var HANDLER_NAME2 = "post-confirmation.handler.js";
-function resolveHandlerEntry2(dirname) {
+var resolveHandlerEntry2 = (dirname) => {
   const sameDir = import_node_path2.default.join(dirname, HANDLER_NAME2);
   if (import_node_fs2.default.existsSync(sameDir)) {
     return sameDir;
   }
-  const fromLib = import_node_path2.default.join(dirname, "..", "..", "..", "lib", HANDLER_NAME2);
-  return fromLib;
-}
+  return import_node_path2.default.join(dirname, "..", "..", "..", "lib", HANDLER_NAME2);
+};
 var PostConfirmationLambda = class extends import_constructs2.Construct {
   constructor(scope, props) {
     super(scope, "post-confirmation-lambda");
@@ -777,7 +1442,7 @@ var PostConfirmationLambda = class extends import_constructs2.Construct {
       runtime: import_aws_lambda2.Runtime.NODEJS_LATEST,
       memorySize: 1024,
       environment: {
-        DYNAMO_TABLE_NAME: props.dynamoTableName
+        CONTROL_EVENT_BUS_NAME: props.controlEventBusName
       }
     });
   }
@@ -1105,6 +1770,204 @@ var DynamoDbDataStore = class extends import_aws_dynamodb.Table {
   }
 };
 
+// src/components/dynamodb/workflow-dedup-table.ts
+var import_workflows = __toESM(require_lib2());
+var import_aws_cdk_lib8 = require("aws-cdk-lib");
+var import_aws_dynamodb2 = require("aws-cdk-lib/aws-dynamodb");
+var import_aws_iam = require("aws-cdk-lib/aws-iam");
+var import_constructs5 = require("constructs");
+function getWorkflowDedupTableName(scope) {
+  const stack = OpenHiService.of(scope);
+  return `workflow-dedup-${stack.branchHash}`;
+}
+var _WorkflowDedupTable = class _WorkflowDedupTable extends import_constructs5.Construct {
+  constructor(scope, id, props = {}) {
+    super(scope, id);
+    this.registeredConsumers = /* @__PURE__ */ new Set();
+    const service = OpenHiService.of(scope);
+    const others = service.node.findAll().filter(
+      (c) => c instanceof _WorkflowDedupTable && c !== this
+    );
+    if (others.length > 0) {
+      throw new WorkflowDedupTableDuplicateError(
+        `WorkflowDedupTable already exists at ${others[0].node.path}; only one shared dedup table is allowed per service stack (TR-015).`
+      );
+    }
+    this.table = new import_aws_dynamodb2.Table(this, "Table", {
+      tableName: getWorkflowDedupTableName(scope),
+      partitionKey: {
+        name: "consumerName",
+        type: import_aws_dynamodb2.AttributeType.STRING
+      },
+      sortKey: {
+        name: "sk",
+        type: import_aws_dynamodb2.AttributeType.STRING
+      },
+      billingMode: import_aws_dynamodb2.BillingMode.PAY_PER_REQUEST,
+      timeToLiveAttribute: "expiresAt",
+      removalPolicy: props.removalPolicy ?? service.removalPolicy
+    });
+    new DiscoverableStringParameter(this, "table-name-param", {
+      ssmParamName: _WorkflowDedupTable.TABLE_NAME_SSM_PARAM_NAME,
+      stringValue: this.table.tableName
+    });
+    new DiscoverableStringParameter(this, "table-arn-param", {
+      ssmParamName: _WorkflowDedupTable.TABLE_ARN_SSM_PARAM_NAME,
+      stringValue: this.table.tableArn
+    });
+  }
+  /** Cross-stack lookup for the table name. */
+  static tableNameFromLookup(scope) {
+    return DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: _WorkflowDedupTable.TABLE_NAME_SSM_PARAM_NAME,
+      serviceType: _WorkflowDedupTable.PUBLISHER_SERVICE_TYPE
+    });
+  }
+  /** Cross-stack lookup for the table ARN. */
+  static tableArnFromLookup(scope) {
+    return DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: _WorkflowDedupTable.TABLE_ARN_SSM_PARAM_NAME,
+      serviceType: _WorkflowDedupTable.PUBLISHER_SERVICE_TYPE
+    });
+  }
+  /**
+   * Cross-stack equivalent of {@link grantConsumer}. Use when the dedup
+   * table is on a different stack than the consumer Lambda — the
+   * grant resolves the table name + ARN via SSM at synth time, so the
+   * consumer stack does not pick up a CloudFormation export dependency
+   * on the global stack.
+   *
+   * Inverts the singleton-guard semantics of `grantConsumer`: there is
+   * no synth-time check that the same `consumerName` was registered
+   * twice across stacks. Consumer names are agreed by convention
+   * (see TR-015); double-registration is operator error caught at
+   * design time, not synth time.
+   */
+  static grantConsumerFromLookup(scope, fn, consumerName, options = {}) {
+    _WorkflowDedupTable.assertConsumerNameStatic(consumerName);
+    const tableName = _WorkflowDedupTable.tableNameFromLookup(scope);
+    const tableArn = _WorkflowDedupTable.tableArnFromLookup(scope);
+    fn.addEnvironment(import_workflows.WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR, tableName);
+    if (options.defaultTtlSeconds !== void 0) {
+      fn.addEnvironment(
+        "OPENHI_WORKFLOW_DEDUP_DEFAULT_TTL_SECONDS",
+        String(options.defaultTtlSeconds)
+      );
+    }
+    fn.addToRolePolicy(
+      new import_aws_iam.PolicyStatement({
+        effect: import_aws_iam.Effect.ALLOW,
+        actions: [
+          "dynamodb:PutItem",
+          "dynamodb:UpdateItem",
+          "dynamodb:GetItem",
+          "dynamodb:Query"
+        ],
+        resources: [tableArn],
+        conditions: {
+          "ForAllValues:StringEquals": {
+            "dynamodb:LeadingKeys": [consumerName]
+          }
+        }
+      })
+    );
+  }
+  /**
+   * Standalone consumer-name validator shared by the instance method
+   * and `grantConsumerFromLookup` so the two grants enforce identical
+   * invariants.
+   */
+  static assertConsumerNameStatic(consumerName) {
+    if (consumerName.length === 0) {
+      throw new WorkflowDedupConsumerNameInvalidError(
+        "consumerName must be non-empty."
+      );
+    }
+    if (consumerName.length > import_workflows.WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH) {
+      throw new WorkflowDedupConsumerNameInvalidError(
+        `consumerName must be at most ${import_workflows.WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH} chars; got ${consumerName.length}.`
+      );
+    }
+    if (/\s/.test(consumerName)) {
+      throw new WorkflowDedupConsumerNameInvalidError(
+        "consumerName must not contain whitespace."
+      );
+    }
+  }
+  /**
+   * Wire a Lambda consumer to this table. Injects the table-name env var
+   * so the runtime `WorkflowDedupClient` can resolve it, then attaches a
+   * per-consumer IAM grant scoped by `dynamodb:LeadingKeys` so the
+   * consumer can only read/write its own partition.
+   */
+  grantConsumer(fn, consumerName, options = {}) {
+    this.assertConsumerName(consumerName);
+    if (this.registeredConsumers.has(consumerName)) {
+      import_aws_cdk_lib8.Annotations.of(this).addWarning(
+        `WorkflowDedupTable: consumerName "${consumerName}" registered more than once; subsequent grantConsumer calls add policy statements but do not re-inject the env var.`
+      );
+    }
+    this.registeredConsumers.add(consumerName);
+    fn.addEnvironment(import_workflows.WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR, this.table.tableName);
+    if (options.defaultTtlSeconds !== void 0) {
+      fn.addEnvironment(
+        "OPENHI_WORKFLOW_DEDUP_DEFAULT_TTL_SECONDS",
+        String(options.defaultTtlSeconds)
+      );
+    }
+    fn.addToRolePolicy(
+      new import_aws_iam.PolicyStatement({
+        effect: import_aws_iam.Effect.ALLOW,
+        actions: [
+          "dynamodb:PutItem",
+          "dynamodb:UpdateItem",
+          "dynamodb:GetItem",
+          "dynamodb:Query"
+        ],
+        resources: [this.table.tableArn],
+        conditions: {
+          "ForAllValues:StringEquals": {
+            "dynamodb:LeadingKeys": [consumerName]
+          }
+        }
+      })
+    );
+  }
+  assertConsumerName(consumerName) {
+    _WorkflowDedupTable.assertConsumerNameStatic(consumerName);
+  }
+};
+/** SSM param name (short) used by `DiscoverableStringParameter` for the table name lookup. */
+_WorkflowDedupTable.TABLE_NAME_SSM_PARAM_NAME = "workflow-dedup-table-name";
+/** SSM param name (short) used by `DiscoverableStringParameter` for the table ARN lookup. */
+_WorkflowDedupTable.TABLE_ARN_SSM_PARAM_NAME = "workflow-dedup-table-arn";
+/**
+ * Service-type the publishing stack runs under. The cross-stack lookups
+ * pin to this value so consumer stacks on a different service-type
+ * (e.g. `data`, `auth`) resolve the parameter at the publisher's SSM
+ * path instead of their own. Typed against `OpenHiServiceType` so a
+ * future rename of the literal triggers a compile error; not pulled
+ * from `OpenHiGlobalService.SERVICE_TYPE` because
+ * `OpenHiGlobalService` already imports `WorkflowDedupTable` — a
+ * back-import would create a circular dependency.
+ */
+_WorkflowDedupTable.PUBLISHER_SERVICE_TYPE = "global";
+var WorkflowDedupTable = _WorkflowDedupTable;
+var WorkflowDedupTableDuplicateError = class extends Error {
+  /** @param message - human-readable description of the duplicate. */
+  constructor(message) {
+    super(message);
+    this.name = "WorkflowDedupTableDuplicateError";
+  }
+};
+var WorkflowDedupConsumerNameInvalidError = class extends Error {
+  /** @param message - human-readable description of the invariant violation. */
+  constructor(message) {
+    super(message);
+    this.name = "WorkflowDedupConsumerNameInvalidError";
+  }
+};
+
 // src/components/event-bridge/data-event-bus.ts
 var import_aws_events = require("aws-cdk-lib/aws-events");
 var DataEventBus = class _DataEventBus extends import_aws_events.EventBus {
@@ -1149,16 +2012,38 @@ var OpsEventBus = class _OpsEventBus extends import_aws_events2.EventBus {
   }
 };
 
+// src/components/event-bridge/control-event-bus.ts
+var import_aws_events3 = require("aws-cdk-lib/aws-events");
+var ControlEventBus = class _ControlEventBus extends import_aws_events3.EventBus {
+  /*****************************************************************************
+   *
+   * Return a name for this EventBus based on the stack environment hash. This
+   * name is common across all stacks since it's using the environment hash in
+   * its name.
+   *
+   ****************************************************************************/
+  static getEventBusName(scope) {
+    const stack = OpenHiService.of(scope);
+    return `controlv1${stack.branchHash}`;
+  }
+  constructor(scope, props) {
+    super(scope, "control-event-bus-v1", {
+      ...props,
+      eventBusName: _ControlEventBus.getEventBusName(scope)
+    });
+  }
+};
+
 // src/components/postgres/data-store-postgres-replica.ts
 var import_node_fs5 = __toESM(require("fs"));
 var import_node_path5 = __toESM(require("path"));
-var import_aws_cdk_lib8 = require("aws-cdk-lib");
+var import_aws_cdk_lib9 = require("aws-cdk-lib");
 var ec2 = __toESM(require("aws-cdk-lib/aws-ec2"));
 var import_aws_lambda5 = require("aws-cdk-lib/aws-lambda");
 var import_aws_lambda_event_sources = require("aws-cdk-lib/aws-lambda-event-sources");
 var import_aws_lambda_nodejs5 = require("aws-cdk-lib/aws-lambda-nodejs");
 var rds = __toESM(require("aws-cdk-lib/aws-rds"));
-var import_constructs5 = require("constructs");
+var import_constructs6 = require("constructs");
 var HANDLER_NAME5 = "data-store-postgres-replication.handler.js";
 var DEFAULT_DATABASE_NAME = "openhi";
 var SCHEMA_NAME_PATTERN = /^[a-z_][a-z0-9_]{0,62}$/;
@@ -1181,7 +2066,7 @@ function getPostgresReplicaSchemaName(branchHash) {
   }
   return candidate;
 }
-var DataStorePostgresReplica = class extends import_constructs5.Construct {
+var DataStorePostgresReplica = class extends import_constructs6.Construct {
   /**
    * Resolve the cluster ARN published by an upstream {@link DataStorePostgresReplica}.
    * Use from any stack that needs to grant `rds-data:ExecuteStatement` against
@@ -1218,7 +2103,7 @@ var DataStorePostgresReplica = class extends import_constructs5.Construct {
     super(scope, id);
     this.databaseName = props.databaseName ?? DEFAULT_DATABASE_NAME;
     this.schemaName = getPostgresReplicaSchemaName(props.branchHash);
-    const region = import_aws_cdk_lib8.Stack.of(this).region;
+    const region = import_aws_cdk_lib9.Stack.of(this).region;
     this.vpc = props.vpc ?? new ec2.Vpc(this, "Vpc", {
       availabilityZones: [`${region}a`, `${region}b`],
       natGateways: 0,
@@ -1254,7 +2139,7 @@ var DataStorePostgresReplica = class extends import_constructs5.Construct {
       entry: resolveHandlerEntry5(__dirname),
       runtime: import_aws_lambda5.Runtime.NODEJS_LATEST,
       memorySize: 512,
-      timeout: import_aws_cdk_lib8.Duration.minutes(1),
+      timeout: import_aws_cdk_lib9.Duration.minutes(1),
       vpc: this.vpc,
       vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE_ISOLATED },
       description: "Replicates DynamoDB current-resource changes into the Postgres `resources` JSONB table (ADR 2026-04-17-01).",
@@ -1281,7 +2166,7 @@ var DataStorePostgresReplica = class extends import_constructs5.Construct {
       new import_aws_lambda_event_sources.KinesisEventSource(props.kinesisStream, {
         startingPosition: import_aws_lambda5.StartingPosition.LATEST,
         batchSize: 100,
-        maxBatchingWindow: import_aws_cdk_lib8.Duration.seconds(5),
+        maxBatchingWindow: import_aws_cdk_lib9.Duration.seconds(5),
         retryAttempts: 10,
         bisectBatchOnError: true,
         parallelizationFactor: 2,
@@ -1314,7 +2199,7 @@ var DataStorePostgresReplica = class extends import_constructs5.Construct {
 };
 
 // src/components/route-53/child-hosted-zone.ts
-var import_aws_cdk_lib9 = require("aws-cdk-lib");
+var import_aws_cdk_lib10 = require("aws-cdk-lib");
 var import_aws_route53 = require("aws-cdk-lib/aws-route53");
 var ChildHostedZone = class extends import_aws_route53.HostedZone {
   constructor(scope, id, props) {
@@ -1323,7 +2208,7 @@ var ChildHostedZone = class extends import_aws_route53.HostedZone {
       zone: props.parentHostedZone,
       recordName: this.zoneName,
       values: this.hostedZoneNameServers || [],
-      ttl: import_aws_cdk_lib9.Duration.minutes(5)
+      ttl: import_aws_cdk_lib10.Duration.minutes(5)
     });
   }
 };
@@ -1333,8 +2218,8 @@ var ChildHostedZone = class extends import_aws_route53.HostedZone {
 ChildHostedZone.SSM_PARAM_NAME = "CHILDHOSTEDZONE";
 
 // src/components/route-53/root-hosted-zone.ts
-var import_constructs6 = require("constructs");
-var RootHostedZone = class extends import_constructs6.Construct {
+var import_constructs7 = require("constructs");
+var RootHostedZone = class extends import_constructs7.Construct {
 };
 
 // src/components/static-hosting/static-hosting.ts
@@ -1342,9 +2227,9 @@ var import_aws_cloudfront = require("aws-cdk-lib/aws-cloudfront");
 var import_aws_cloudfront_origins = require("aws-cdk-lib/aws-cloudfront-origins");
 var import_aws_s3 = require("aws-cdk-lib/aws-s3");
 var import_core = require("aws-cdk-lib/core");
-var import_constructs7 = require("constructs");
+var import_constructs8 = require("constructs");
 var STATIC_HOSTING_SERVICE_TYPE = "website";
-var _StaticHosting = class _StaticHosting extends import_constructs7.Construct {
+var _StaticHosting = class _StaticHosting extends import_constructs8.Construct {
   constructor(scope, id, props = {}) {
     super(scope, id);
     const stack = OpenHiService.of(scope);
@@ -1396,21 +2281,119 @@ _StaticHosting.SSM_PARAM_NAME_DISTRIBUTION_ARN = "STATIC_HOSTING_DISTRIBUTION_AR
 var StaticHosting = _StaticHosting;
 
 // src/services/open-hi-auth-service.ts
-var import_config4 = __toESM(require_lib());
+var import_config5 = __toESM(require_lib());
 var import_aws_cognito5 = require("aws-cdk-lib/aws-cognito");
-var import_aws_iam = require("aws-cdk-lib/aws-iam");
+var import_aws_iam6 = require("aws-cdk-lib/aws-iam");
 var import_aws_kms2 = require("aws-cdk-lib/aws-kms");
 var import_core2 = require("aws-cdk-lib/core");
 
 // src/services/open-hi-data-service.ts
-var import_aws_dynamodb2 = require("aws-cdk-lib/aws-dynamodb");
+var import_config4 = __toESM(require_lib());
+var import_aws_dynamodb3 = require("aws-cdk-lib/aws-dynamodb");
 var kinesis = __toESM(require("aws-cdk-lib/aws-kinesis"));
 
 // src/services/open-hi-global-service.ts
 var import_aws_certificatemanager2 = require("aws-cdk-lib/aws-certificatemanager");
-var import_aws_events3 = require("aws-cdk-lib/aws-events");
+var import_aws_events5 = require("aws-cdk-lib/aws-events");
 var import_aws_route532 = require("aws-cdk-lib/aws-route53");
 var import_aws_ssm3 = require("aws-cdk-lib/aws-ssm");
+
+// src/workflows/control-plane/platform-deploy-bridge/events.ts
+var CLOUDFORMATION_EVENT_SOURCE = "aws.cloudformation";
+var CLOUDFORMATION_STACK_STATUS_CHANGE_DETAIL_TYPE = "CloudFormation Stack Status Change";
+var BRIDGED_STATUSES = ["CREATE_COMPLETE", "UPDATE_COMPLETE"];
+var CONTROL_EVENT_BUS_NAME_ENV_VAR = "CONTROL_EVENT_BUS_NAME";
+var OPENHI_REPO_TAG_KEY_ENV_VAR = "OPENHI_REPO_TAG_KEY";
+var OPENHI_TAG_KEY_PREFIX_ENV_VAR = "OPENHI_TAG_KEY_PREFIX";
+var PLATFORM_DEPLOY_BRIDGE_ACTOR_SYSTEM = "platform-deploy-bridge";
+
+// src/workflows/control-plane/platform-deploy-bridge/platform-deploy-bridge.ts
+var import_constructs10 = require("constructs");
+
+// src/workflows/control-plane/platform-deploy-bridge/platform-deploy-bridge-lambda.ts
+var import_node_fs6 = __toESM(require("fs"));
+var import_node_path6 = __toESM(require("path"));
+var import_aws_cdk_lib11 = require("aws-cdk-lib");
+var import_aws_events4 = require("aws-cdk-lib/aws-events");
+var import_aws_events_targets = require("aws-cdk-lib/aws-events-targets");
+var import_aws_iam2 = require("aws-cdk-lib/aws-iam");
+var import_aws_lambda6 = require("aws-cdk-lib/aws-lambda");
+var import_aws_lambda_nodejs6 = require("aws-cdk-lib/aws-lambda-nodejs");
+var import_constructs9 = require("constructs");
+var HANDLER_NAME6 = "platform-deploy-bridge.handler.js";
+function resolveHandlerEntry6(dirname) {
+  const sameDir = import_node_path6.default.join(dirname, HANDLER_NAME6);
+  if (import_node_fs6.default.existsSync(sameDir)) {
+    return sameDir;
+  }
+  return import_node_path6.default.join(dirname, "..", "..", "..", "..", "lib", HANDLER_NAME6);
+}
+var PlatformDeployBridgeLambda = class extends import_constructs9.Construct {
+  constructor(scope, props) {
+    super(scope, "platform-deploy-bridge-lambda");
+    const service = OpenHiService.of(this);
+    const repoTagKey = openHiTagKey(
+      service.appName,
+      OPENHI_TAG_SUFFIX_REPO_NAME
+    );
+    const tagKeyPrefix = `${service.appName}:`;
+    const ownStackName = import_aws_cdk_lib11.Stack.of(this).stackName;
+    const ownSuffix = `-${service.serviceId}-${import_aws_cdk_lib11.Stack.of(this).account}-${import_aws_cdk_lib11.Stack.of(this).region}`;
+    const sharedPrefix = ownStackName.endsWith(ownSuffix) ? ownStackName.slice(0, -ownSuffix.length) : service.branchHash;
+    const stackIdPrefix = `arn:aws:cloudformation:${import_aws_cdk_lib11.Stack.of(this).region}:${import_aws_cdk_lib11.Stack.of(this).account}:stack/${sharedPrefix}-`;
+    this.lambda = new import_aws_lambda_nodejs6.NodejsFunction(this, "handler", {
+      entry: resolveHandlerEntry6(__dirname),
+      runtime: import_aws_lambda6.Runtime.NODEJS_LATEST,
+      memorySize: 256,
+      timeout: import_aws_cdk_lib11.Duration.seconds(30),
+      environment: {
+        [CONTROL_EVENT_BUS_NAME_ENV_VAR]: props.controlEventBus.eventBusName,
+        [OPENHI_REPO_TAG_KEY_ENV_VAR]: repoTagKey,
+        [OPENHI_TAG_KEY_PREFIX_ENV_VAR]: tagKeyPrefix
+      }
+    });
+    this.lambda.addToRolePolicy(
+      new import_aws_iam2.PolicyStatement({
+        effect: import_aws_iam2.Effect.ALLOW,
+        actions: ["cloudformation:DescribeStacks"],
+        resources: [
+          `arn:aws:cloudformation:${import_aws_cdk_lib11.Stack.of(this).region}:${import_aws_cdk_lib11.Stack.of(this).account}:stack/*`
+        ]
+      })
+    );
+    props.controlEventBus.grantPutEventsTo(this.lambda);
+    this.rule = new import_aws_events4.Rule(this, "rule", {
+      eventPattern: {
+        source: [CLOUDFORMATION_EVENT_SOURCE],
+        detailType: [CLOUDFORMATION_STACK_STATUS_CHANGE_DETAIL_TYPE],
+        detail: {
+          "stack-id": [{ prefix: stackIdPrefix }],
+          "status-details": {
+            status: [...BRIDGED_STATUSES]
+          }
+        }
+      },
+      targets: [
+        new import_aws_events_targets.LambdaFunction(this.lambda, {
+          retryAttempts: 2,
+          maxEventAge: import_aws_cdk_lib11.Duration.hours(2)
+        })
+      ]
+    });
+  }
+};
+
+// src/workflows/control-plane/platform-deploy-bridge/platform-deploy-bridge.ts
+var PlatformDeployBridge = class extends import_constructs10.Construct {
+  constructor(scope, props) {
+    super(scope, "platform-deploy-bridge");
+    this.bridgeLambda = new PlatformDeployBridgeLambda(this, {
+      controlEventBus: props.controlEventBus
+    });
+  }
+};
+
+// src/services/open-hi-global-service.ts
 var _OpenHiGlobalService = class _OpenHiGlobalService extends OpenHiService {
   /**
    * Returns an IHostedZone from the given attributes (no SSM). Use when the zone is imported from config.
@@ -1449,7 +2432,7 @@ var _OpenHiGlobalService = class _OpenHiGlobalService extends OpenHiService {
    * Returns the data event bus by name (deterministic per branch). Use from other stacks to obtain an IEventBus reference.
    */
   static dataEventBusFromConstruct(scope) {
-    return import_aws_events3.EventBus.fromEventBusName(
+    return import_aws_events5.EventBus.fromEventBusName(
       scope,
       "data-event-bus",
       DataEventBus.getEventBusName(scope)
@@ -1459,12 +2442,33 @@ var _OpenHiGlobalService = class _OpenHiGlobalService extends OpenHiService {
    * Returns the ops event bus by name (deterministic per branch). Use from other stacks to obtain an IEventBus reference.
    */
   static opsEventBusFromConstruct(scope) {
-    return import_aws_events3.EventBus.fromEventBusName(
+    return import_aws_events5.EventBus.fromEventBusName(
       scope,
       "ops-event-bus",
       OpsEventBus.getEventBusName(scope)
     );
   }
+  /**
+   * Returns the control-plane event bus by name (deterministic per branch). Use from other stacks to obtain an IEventBus reference.
+   */
+  static controlEventBusFromConstruct(scope) {
+    return import_aws_events5.EventBus.fromEventBusName(
+      scope,
+      "control-event-bus",
+      ControlEventBus.getEventBusName(scope)
+    );
+  }
+  /**
+   * Returns the workflow dedup table by name (deterministic per branch).
+   * Use from other stacks to obtain an ITable reference. Consumer Lambdas
+   * are typically wired via `WorkflowDedupTable.grantConsumer(fn, name)`
+   * on the owning service's `workflowDedupTable` reference; the
+   * `tableNameFromLookup` / `tableArnFromLookup` SSM helpers on the
+   * construct cover cross-stack consumers that need only the name/ARN.
+   */
+  static workflowDedupTableNameFromLookup(scope) {
+    return WorkflowDedupTable.tableNameFromLookup(scope);
+  }
   get serviceType() {
     return _OpenHiGlobalService.SERVICE_TYPE;
   }
@@ -1477,6 +2481,9 @@ var _OpenHiGlobalService = class _OpenHiGlobalService extends OpenHiService {
     this.rootWildcardCertificate = this.createRootWildcardCertificate();
     this.dataEventBus = this.createDataEventBus();
     this.opsEventBus = this.createOpsEventBus();
+    this.controlEventBus = this.createControlEventBus();
+    this.workflowDedupTable = this.createWorkflowDedupTable();
+    this.platformDeployBridge = this.createPlatformDeployBridge();
   }
   /**
    * Validates that config required for the Global stack is present.
@@ -1541,23 +2548,1255 @@ var _OpenHiGlobalService = class _OpenHiGlobalService extends OpenHiService {
   createOpsEventBus() {
     return new OpsEventBus(this);
   }
+  /**
+   * Creates the control-plane event bus.
+   * Override to customize.
+   */
+  createControlEventBus() {
+    return new ControlEventBus(this);
+  }
+  /**
+   * Creates the platform deploy bridge that republishes CloudFormation
+   * Stack Status Change events onto the control event bus.
+   * Override to customize.
+   */
+  createPlatformDeployBridge() {
+    return new PlatformDeployBridge(this, {
+      controlEventBus: this.controlEventBus
+    });
+  }
+  /**
+   * Creates the shared workflow dedup table (TR-015 singleton).
+   * Override to customize.
+   */
+  createWorkflowDedupTable() {
+    return new WorkflowDedupTable(this, "workflow-dedup-table");
+  }
 };
 _OpenHiGlobalService.SERVICE_TYPE = "global";
 var OpenHiGlobalService = _OpenHiGlobalService;
 
-// src/services/open-hi-data-service.ts
-var _OpenHiDataService = class _OpenHiDataService extends OpenHiService {
-  /**
-   * Returns the data store table by name. Use from other stacks (e.g. REST API Lambda) to obtain an ITable reference.
-   */
-  static dynamoDbDataStoreFromConstruct(scope, id = "dynamo-db-data-store") {
-    return import_aws_dynamodb2.Table.fromTableName(scope, id, getDynamoDbDataStoreTableName(scope));
+// src/workflows/control-plane/seed-demo-data/events.ts
+var import_types = require("@openhi/types");
+var import_workflows2 = __toESM(require_lib2());
+var SEED_DEMO_DATA_CONSUMER_NAME = "seed-demo-data";
+var DEMO_URN_SYSTEM = "urn:openhi:demo";
+var OPENHI_RESOURCE_URN_SYSTEM = "http://openhi.org/";
+var DEMO_PERIOD = { start: "2026-01-01T00:00:00Z" };
+var PLATFORM_SCOPE_TENANT_ID = "platform";
+var PLACEHOLDER_TENANT_ID = "placeholder-tenant-id";
+var PLACEHOLDER_WORKSPACE_ID = "placeholder-workspace-id";
+var DEV_USERS = [
+  { id: "dev-russell", email: "russell@codedrifters.com" },
+  { id: "dev-cameron", email: "cameron@codedrifters.com" },
+  { id: "dev-neelima", email: "neelima@codedrifters.com" },
+  { id: "dev-garon", email: "garon@codedrifters.com" },
+  { id: "dev-dave", email: "dave@codedrifters.com" },
+  { id: "dev-drew", email: "drew@codedrifters.com" },
+  { id: "dev-jessica", email: "jessica@codedrifters.com" },
+  { id: "dev-jared", email: "jared@codedrifters.com" },
+  { id: "dev-goddess", email: "goddess@codedrifters.com" }
+];
+var DEMO_TENANT_SPECS = [
+  {
+    scenario: "placeholder",
+    tenantId: PLACEHOLDER_TENANT_ID,
+    tenantName: "OpenHI Placeholder Tenant",
+    workspaces: [
+      {
+        id: PLACEHOLDER_WORKSPACE_ID,
+        name: "OpenHI Placeholder Workspace",
+        roleSuffix: "workspace"
+      }
+    ]
+  },
+  {
+    scenario: "demo-wound-care",
+    tenantId: "demo-wound-care-tenant",
+    tenantName: "Cedarbrook Wound Healing Institute",
+    workspaces: [
+      {
+        id: "demo-wound-care-workspace",
+        name: "Cedarbrook Outpatient Wound Clinic",
+        roleSuffix: "workspace"
+      }
+    ]
+  },
+  {
+    scenario: "demo-primary-care",
+    tenantId: "demo-primary-care-tenant",
+    tenantName: "Maple Ridge Family Medicine",
+    workspaces: [
+      {
+        id: "demo-primary-care-workspace",
+        name: "Maple Ridge Main Street Office",
+        roleSuffix: "workspace"
+      }
+    ]
+  },
+  {
+    scenario: "demo-mixed",
+    tenantId: "demo-mixed-tenant",
+    tenantName: "Northbridge Health Network",
+    workspaces: [
+      {
+        id: "demo-mixed-workspace-wound-care",
+        name: "Northbridge Wound Care Center",
+        roleSuffix: "workspace-wound-care"
+      },
+      {
+        id: "demo-mixed-workspace-primary-care",
+        name: "Northbridge Family Practice",
+        roleSuffix: "workspace-primary-care"
+      }
+    ]
+  }
+];
+var demoMembershipId = (devUserId, tenantId) => `demo-membership-${devUserId}-${tenantId}`;
+var demoRoleAssignmentId = (devUserId, tenantId, roleCode) => `demo-roleassignment-${devUserId}-${tenantId}-${roleCode}`;
+var demoScenarioIdentifier = (scenario, roleSuffix) => ({
+  system: DEMO_URN_SYSTEM,
+  value: `${scenario}:${roleSuffix}`
+});
+var openhiResourceIdentifier = (params) => ({
+  use: "unversioned",
+  system: OPENHI_RESOURCE_URN_SYSTEM,
+  value: `urn:ohi:${params.tenantId}:${params.workspaceId}:${params.resourceType}:${params.id}`
+});
+var demoRolesForUserInTenant = (_user, _tenantId) => {
+  void _user;
+  void _tenantId;
+  return [import_types.CONTROL_PLANE_ROLE_CODE.TENANT_ADMIN];
+};
+var rolePartitionKey = (roleId) => `role#id#${roleId}`;
+var demoTenantPartitionKey = (tenantId) => `tenant#id#${tenantId}`;
+var demoWorkspacePartitionKey = (tenantId, workspaceId) => `tid#${tenantId}#workspace#id#${workspaceId}`;
+var demoMembershipPartitionKey = (tenantId, membershipId) => `tid#${tenantId}#membership#id#${membershipId}`;
+var demoRoleAssignmentPartitionKey = (tenantId, roleAssignmentId) => `tid#${tenantId}#roleassignment#id#${roleAssignmentId}`;
+var demoUserPartitionKey = (userId) => `user#id#${userId}`;
+var demoBasePartitionKeys = () => {
+  const keys = [];
+  for (const spec of DEMO_TENANT_SPECS) {
+    keys.push(demoTenantPartitionKey(spec.tenantId));
+    for (const workspace of spec.workspaces) {
+      keys.push(demoWorkspacePartitionKey(spec.tenantId, workspace.id));
+    }
   }
-  get serviceType() {
-    return _OpenHiDataService.SERVICE_TYPE;
+  return keys;
+};
+var demoDevUserPartitionKeys = (devUsers) => {
+  const keys = [];
+  for (const user of devUsers) {
+    keys.push(demoUserPartitionKey(user.id));
+    for (const spec of DEMO_TENANT_SPECS) {
+      keys.push(
+        demoMembershipPartitionKey(
+          spec.tenantId,
+          demoMembershipId(user.id, spec.tenantId)
+        )
+      );
+      for (const roleCode of demoRolesForUserInTenant(user, spec.tenantId)) {
+        keys.push(
+          demoRoleAssignmentPartitionKey(
+            spec.tenantId,
+            demoRoleAssignmentId(user.id, spec.tenantId, roleCode)
+          )
+        );
+      }
+    }
+    keys.push(
+      demoRoleAssignmentPartitionKey(
+        PLATFORM_SCOPE_TENANT_ID,
+        demoRoleAssignmentId(
+          user.id,
+          PLATFORM_SCOPE_TENANT_ID,
+          import_types.CONTROL_PLANE_ROLE_CODE.SYSTEM_ADMIN
+        )
+      )
+    );
   }
+  return keys;
+};
+
+// src/workflows/control-plane/seed-demo-data/seed-demo-data-lambda.ts
+var import_node_fs7 = __toESM(require("fs"));
+var import_node_path7 = __toESM(require("path"));
+var import_types8 = require("@openhi/types");
+var import_aws_cdk_lib12 = require("aws-cdk-lib");
+var import_aws_events6 = require("aws-cdk-lib/aws-events");
+var import_aws_events_targets2 = require("aws-cdk-lib/aws-events-targets");
+var import_aws_iam3 = require("aws-cdk-lib/aws-iam");
+var import_aws_lambda7 = require("aws-cdk-lib/aws-lambda");
+var import_aws_lambda_nodejs7 = require("aws-cdk-lib/aws-lambda-nodejs");
+var import_constructs11 = require("constructs");
+
+// src/workflows/control-plane/seed-demo-data/seed-demo-data.handler.ts
+var import_node_crypto = require("crypto");
+var import_client_cognito_identity_provider = require("@aws-sdk/client-cognito-identity-provider");
+var import_client_dynamodb2 = require("@aws-sdk/client-dynamodb");
+var import_types7 = require("@openhi/types");
+var import_workflows3 = __toESM(require_lib2());
+
+// src/data/dynamo/dynamo-control-service.ts
+var import_electrodb8 = require("electrodb");
+
+// src/data/dynamo/dynamo-client.ts
+var import_client_dynamodb = require("@aws-sdk/client-dynamodb");
+var defaultTableName = process.env.DYNAMO_TABLE_NAME ?? "jesttesttable";
+var dynamoClient = new import_client_dynamodb.DynamoDBClient({
+  ...process.env.MOCK_DYNAMODB_ENDPOINT && {
+    endpoint: process.env.MOCK_DYNAMODB_ENDPOINT,
+    sslEnabled: false,
+    region: "local"
+  }
+});
+
+// src/data/dynamo/entities/control/configuration-entity.ts
+var import_electrodb = require("electrodb");
+
+// src/data/dynamo/entities/control/control-entity-common.ts
+var import_types2 = require("@openhi/types");
+
+// src/data/dynamo/shard.ts
+var SHARD_COUNT = 4;
+function computeShard(id) {
+  let hash = 2166136261;
+  for (let i = 0; i < id.length; i++) {
+    hash ^= id.charCodeAt(i);
+    hash = Math.imul(hash, 16777619);
+  }
+  return (hash >>> 0) % SHARD_COUNT;
+}
+
+// src/data/dynamo/entities/control/control-entity-common.ts
+var gsi1ShardAttribute = {
+  type: "string",
+  watch: ["id"],
+  set: (_val, item) => {
+    if (typeof item?.id !== "string" || item.id.length === 0) {
+      return void 0;
+    }
+    return String(computeShard(item.id));
+  }
+};
+var gsi1skAttribute = {
+  type: "string",
+  watch: ["resource", "lastUpdated", "id"],
+  set: (_val, item) => {
+    const id = typeof item?.id === "string" ? item.id : "";
+    const lastUpdated = typeof item?.lastUpdated === "string" ? item.lastUpdated : "";
+    const fallback = `${lastUpdated}#${id}`;
+    if (typeof item?.resource !== "string" || item.resource.length === 0) {
+      return fallback;
+    }
+    let parsed;
+    try {
+      parsed = JSON.parse(item.resource);
+    } catch {
+      return fallback;
+    }
+    if (!parsed || typeof parsed !== "object") return fallback;
+    const resourceType = parsed.resourceType;
+    if (typeof resourceType !== "string") return fallback;
+    const label = (0, import_types2.extractLabel)(parsed);
+    return label !== void 0 ? `${label}#${id}` : fallback;
+  }
+};
+
+// src/data/dynamo/entities/control/configuration-entity.ts
+var ConfigurationEntity = new import_electrodb.Entity({
+  model: {
+    entity: "configuration",
+    service: "control",
+    version: "01"
+  },
+  attributes: {
+    /** Sort key. "CURRENT" for current version; version history in S3. */
+    sk: {
+      type: "string",
+      required: true,
+      default: "CURRENT"
+    },
+    /** Tenant scope. Use "BASELINE" when the config is baseline default (no tenant). */
+    tenantId: {
+      type: "string",
+      required: true,
+      default: "BASELINE"
+    },
+    /** Workspace scope. Use "-" when absent. */
+    workspaceId: {
+      type: "string",
+      required: true,
+      default: "-"
+    },
+    /** User scope. Use "-" when absent. */
+    userId: {
+      type: "string",
+      required: true,
+      default: "-"
+    },
+    /** Role scope. Use "-" when absent. */
+    roleId: {
+      type: "string",
+      required: true,
+      default: "-"
+    },
+    /** Config type (category), e.g. endpoints, branding, display. */
+    key: {
+      type: "string",
+      required: true
+    },
+    /** FHIR Resource.id; logical id in URL and for the Configuration resource. */
+    id: {
+      type: "string",
+      required: true
+    },
+    /** Payload as JSON string. JSON.stringify(resource) on write; JSON.parse(item.resource) on read. */
+    resource: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Summary projection (key display fields as JSON string: id, key, status).
+     * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.
+     */
+    summary: {
+      type: "string",
+      required: true
+    },
+    /** Version id (e.g. ULID). Tracks current version; S3 history key. */
+    vid: {
+      type: "string",
+      required: true
+    },
+    lastUpdated: {
+      type: "string",
+      required: true
+    },
+    gsi1Shard: gsi1ShardAttribute,
+    deleted: {
+      type: "boolean",
+      required: false
+    },
+    bundleId: {
+      type: "string",
+      required: false
+    },
+    msgId: {
+      type: "string",
+      required: false
+    }
+  },
+  indexes: {
+    /** Base table: PK, SK (data store key names). PK is built from tenantId, workspaceId, userId, roleId; SK is built from key and sk. Do not supply PK or SK from outside. */
+    record: {
+      pk: {
+        field: "PK",
+        composite: ["tenantId", "workspaceId", "userId", "roleId"],
+        template: "CONFIG#TID#${tenantId}#WID#${workspaceId}#UID#${userId}#RID#${roleId}"
+      },
+      sk: {
+        field: "SK",
+        composite: ["key", "sk"],
+        template: "KEY#${key}#SK#${sk}"
+      }
+    },
+    /**
+     * GSI1 — Unified Sharded List per ADR-011: list all Configuration entries for a
+     * (tenant, workspace) across the four shards. Use for "list configs scoped to this tenant"
+     * (workspaceId = "-") or "list configs scoped to this workspace". Does not support
+     * hierarchical resolution in one query; use base table GetItem in fallback order
+     * (user → workspace → tenant → baseline) for that.
+     * SK is `<key>#<id>` — Configuration's `key` is a required entity attribute (the
+     * config category: endpoints, branding, display, …) and the natural sort/lookup
+     * dimension. `casing: "none"` preserves the literal key value.
+     */
+    gsi1: {
+      index: "GSI1",
+      pk: {
+        field: "GSI1PK",
+        composite: ["tenantId", "workspaceId", "gsi1Shard"],
+        template: "TID#${tenantId}#WID#${workspaceId}#RT#Configuration#SHARD#${gsi1Shard}"
+      },
+      sk: {
+        field: "GSI1SK",
+        casing: "none",
+        composite: ["key", "id"],
+        template: "${key}#${id}"
+      }
+    }
+  }
+});
+
+// src/data/dynamo/entities/control/membership-entity.ts
+var import_electrodb2 = require("electrodb");
+var MembershipEntity = new import_electrodb2.Entity({
+  model: {
+    entity: "membership",
+    service: "control",
+    version: "01"
+  },
+  attributes: {
+    /** Sort key sentinel. Always "CURRENT". */
+    sk: {
+      type: "string",
+      required: true,
+      default: "CURRENT"
+    },
+    /** Tenant in which the user has membership (required). */
+    tenantId: {
+      type: "string",
+      required: true
+    },
+    /** FHIR Resource.id; membership id. */
+    id: {
+      type: "string",
+      required: true
+    },
+    /** Full Membership resource serialized as JSON string. */
+    resource: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Summary projection (key display fields as JSON string: id, displayName, status).
+     * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.
+     */
+    summary: {
+      type: "string",
+      required: true
+    },
+    /** Version id (e.g. ULID). */
+    vid: {
+      type: "string",
+      required: true
+    },
+    lastUpdated: {
+      type: "string",
+      required: true
+    },
+    gsi1Shard: gsi1ShardAttribute,
+    /** Derived GSI1 sort key — name-based when extractable; else `<lastUpdated>#<id>`. */
+    gsi1sk: gsi1skAttribute,
+    deleted: {
+      type: "boolean",
+      required: false
+    },
+    bundleId: {
+      type: "string",
+      required: false
+    },
+    msgId: {
+      type: "string",
+      required: false
+    }
+  },
+  indexes: {
+    /** Base table: PK = TID#<tenantId>#MEMBERSHIP#ID#<id>, SK = CURRENT. Do not supply PK or SK from outside. */
+    record: {
+      pk: {
+        field: "PK",
+        composite: ["tenantId", "id"],
+        template: "TID#${tenantId}#MEMBERSHIP#ID#${id}"
+      },
+      sk: {
+        field: "SK",
+        composite: ["sk"],
+        template: "${sk}"
+      }
+    },
+    /**
+     * GSI1 — Unified Sharded List per ADR-011: list all Memberships for a tenant across the
+     * four shards. Membership is tenant-scoped only, so `WID#-` is a sentinel.
+     * SK is derived via `gsi1skAttribute` — uses the resource's natural label when
+     * extractable, else `<lastUpdated>#<id>` (DR-004). `casing: "none"` preserves the
+     * normalized label and ISO-8601 `T`/`Z`.
+     */
+    gsi1: {
+      index: "GSI1",
+      pk: {
+        field: "GSI1PK",
+        composite: ["tenantId", "gsi1Shard"],
+        template: "TID#${tenantId}#WID#-#RT#Membership#SHARD#${gsi1Shard}"
+      },
+      sk: {
+        field: "GSI1SK",
+        casing: "none",
+        composite: ["gsi1sk"],
+        template: "${gsi1sk}"
+      }
+    }
+  }
+});
+
+// src/data/dynamo/entities/control/role-entity.ts
+var import_electrodb3 = require("electrodb");
+var RoleEntity = new import_electrodb3.Entity({
+  model: {
+    entity: "role",
+    service: "control",
+    version: "01"
+  },
+  attributes: {
+    /** Sort key sentinel. Always "CURRENT". */
+    sk: {
+      type: "string",
+      required: true,
+      default: "CURRENT"
+    },
+    /** FHIR Resource.id; role id. */
+    id: {
+      type: "string",
+      required: true
+    },
+    /** Full Role resource serialized as JSON string. */
+    resource: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Summary projection (key display fields as JSON string: id, displayName, status).
+     * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.
+     */
+    summary: {
+      type: "string",
+      required: true
+    },
+    /** Version id (e.g. ULID). */
+    vid: {
+      type: "string",
+      required: true
+    },
+    lastUpdated: {
+      type: "string",
+      required: true
+    },
+    gsi1Shard: gsi1ShardAttribute,
+    /** Derived GSI1 sort key — name-based when extractable; else `<lastUpdated>#<id>`. */
+    gsi1sk: gsi1skAttribute,
+    deleted: {
+      type: "boolean",
+      required: false
+    },
+    bundleId: {
+      type: "string",
+      required: false
+    },
+    msgId: {
+      type: "string",
+      required: false
+    }
+  },
+  indexes: {
+    /** Base table: PK = ROLE#ID#<id>, SK = CURRENT. Do not supply PK or SK from outside. */
+    record: {
+      pk: {
+        field: "PK",
+        composite: ["id"],
+        template: "ROLE#ID#${id}"
+      },
+      sk: {
+        field: "SK",
+        composite: ["sk"],
+        template: "${sk}"
+      }
+    },
+    /**
+     * GSI1 — Unified Sharded List per ADR-011: list all Roles across the four shards.
+     * Non-tenant-isolated, so `TID#-#WID#-` sentinels precede `RT#Role#SHARD#<n>`.
+     * SK is derived via `gsi1skAttribute` — uses the resource's natural label when
+     * extractable, else `<lastUpdated>#<id>` (DR-004). `casing: "none"` preserves the
+     * normalized label and ISO-8601 `T`/`Z`.
+     */
+    gsi1: {
+      index: "GSI1",
+      pk: {
+        field: "GSI1PK",
+        composite: ["gsi1Shard"],
+        template: "TID#-#WID#-#RT#Role#SHARD#${gsi1Shard}"
+      },
+      sk: {
+        field: "GSI1SK",
+        casing: "none",
+        composite: ["gsi1sk"],
+        template: "${gsi1sk}"
+      }
+    }
+  }
+});
+
+// src/data/dynamo/entities/control/roleassignment-entity.ts
+var import_electrodb4 = require("electrodb");
+var RoleAssignmentEntity = new import_electrodb4.Entity({
+  model: {
+    entity: "roleassignment",
+    service: "control",
+    version: "01"
+  },
+  attributes: {
+    /** Sort key sentinel. Always "CURRENT". */
+    sk: {
+      type: "string",
+      required: true,
+      default: "CURRENT"
+    },
+    /** Tenant in which the role assignment applies (required). */
+    tenantId: {
+      type: "string",
+      required: true
+    },
+    /** FHIR Resource.id; role assignment id. */
+    id: {
+      type: "string",
+      required: true
+    },
+    /** Full RoleAssignment resource serialized as JSON string. */
+    resource: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Summary projection (key display fields as JSON string: id, displayName, status).
+     * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.
+     */
+    summary: {
+      type: "string",
+      required: true
+    },
+    /** Version id (e.g. ULID). */
+    vid: {
+      type: "string",
+      required: true
+    },
+    lastUpdated: {
+      type: "string",
+      required: true
+    },
+    gsi1Shard: gsi1ShardAttribute,
+    /** Derived GSI1 sort key — name-based when extractable; else `<lastUpdated>#<id>`. */
+    gsi1sk: gsi1skAttribute,
+    deleted: {
+      type: "boolean",
+      required: false
+    },
+    bundleId: {
+      type: "string",
+      required: false
+    },
+    msgId: {
+      type: "string",
+      required: false
+    }
+  },
+  indexes: {
+    /** Base table: PK = TID#<tenantId>#ROLEASSIGNMENT#ID#<id>, SK = CURRENT. Do not supply PK or SK from outside. */
+    record: {
+      pk: {
+        field: "PK",
+        composite: ["tenantId", "id"],
+        template: "TID#${tenantId}#ROLEASSIGNMENT#ID#${id}"
+      },
+      sk: {
+        field: "SK",
+        composite: ["sk"],
+        template: "${sk}"
+      }
+    },
+    /**
+     * GSI1 — Unified Sharded List per ADR-011: list all RoleAssignments for a tenant across the
+     * four shards. Tenant-scoped only, so `WID#-` is a sentinel.
+     * SK is derived via `gsi1skAttribute` — uses the resource's natural label when
+     * extractable, else `<lastUpdated>#<id>` (DR-004). `casing: "none"` preserves the
+     * normalized label and ISO-8601 `T`/`Z`.
+     */
+    gsi1: {
+      index: "GSI1",
+      pk: {
+        field: "GSI1PK",
+        composite: ["tenantId", "gsi1Shard"],
+        template: "TID#${tenantId}#WID#-#RT#RoleAssignment#SHARD#${gsi1Shard}"
+      },
+      sk: {
+        field: "GSI1SK",
+        casing: "none",
+        composite: ["gsi1sk"],
+        template: "${gsi1sk}"
+      }
+    }
+  }
+});
+
+// src/data/dynamo/entities/control/tenant-entity.ts
+var import_electrodb5 = require("electrodb");
+var TenantEntity = new import_electrodb5.Entity({
+  model: {
+    entity: "tenant",
+    service: "control",
+    version: "01"
+  },
+  attributes: {
+    /** Sort key sentinel. Always "CURRENT". */
+    sk: {
+      type: "string",
+      required: true,
+      default: "CURRENT"
+    },
+    /** The tenant's own id (= resource id). Drives the partition key. */
+    tenantId: {
+      type: "string",
+      required: true
+    },
+    /** FHIR Resource.id; logical id in URL. Equals tenantId. */
+    id: {
+      type: "string",
+      required: true
+    },
+    /** Full Tenant resource serialized as JSON string. */
+    resource: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Summary projection (key display fields as JSON string: id, displayName, status).
+     * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.
+     */
+    summary: {
+      type: "string",
+      required: true
+    },
+    /** Version id (e.g. ULID). */
+    vid: {
+      type: "string",
+      required: true
+    },
+    lastUpdated: {
+      type: "string",
+      required: true
+    },
+    gsi1Shard: gsi1ShardAttribute,
+    /** Derived GSI1 sort key — name-based when extractable; else `<lastUpdated>#<id>`. */
+    gsi1sk: gsi1skAttribute,
+    deleted: {
+      type: "boolean",
+      required: false
+    },
+    bundleId: {
+      type: "string",
+      required: false
+    },
+    msgId: {
+      type: "string",
+      required: false
+    }
+  },
+  indexes: {
+    /** Base table: PK = TENANT#ID#<tenantId>, SK = CURRENT. Do not supply PK or SK from outside. */
+    record: {
+      pk: {
+        field: "PK",
+        composite: ["tenantId"],
+        template: "TENANT#ID#${tenantId}"
+      },
+      sk: {
+        field: "SK",
+        composite: ["sk"],
+        template: "${sk}"
+      }
+    },
+    /**
+     * GSI1 — Unified Sharded List per ADR-011: list all Tenants across the four shards.
+     * Tenant lives at the platform tier (no parent tenant or workspace), so `TID#-#WID#-`
+     * sentinels precede `RT#Tenant#SHARD#<n>`. SK is derived via `gsi1skAttribute` —
+     * `<normalizedName>#<id>` when the resource carries a `name`, else `<lastUpdated>#<id>`
+     * (DR-004). `casing: "none"` preserves the normalized label and ISO-8601 `T`/`Z`.
+     */
+    gsi1: {
+      index: "GSI1",
+      pk: {
+        field: "GSI1PK",
+        composite: ["gsi1Shard"],
+        template: "TID#-#WID#-#RT#Tenant#SHARD#${gsi1Shard}"
+      },
+      sk: {
+        field: "GSI1SK",
+        casing: "none",
+        composite: ["gsi1sk"],
+        template: "${gsi1sk}"
+      }
+    }
+  }
+});
+
+// src/data/dynamo/entities/control/user-entity.ts
+var import_electrodb6 = require("electrodb");
+var UserEntity = new import_electrodb6.Entity({
+  model: {
+    entity: "user",
+    service: "control",
+    version: "01"
+  },
+  attributes: {
+    /** Sort key sentinel. Always "CURRENT". */
+    sk: {
+      type: "string",
+      required: true,
+      default: "CURRENT"
+    },
+    /** FHIR Resource.id; platform user id (ohi_uid). */
+    id: {
+      type: "string",
+      required: true
+    },
+    /** Full User resource serialized as JSON string. */
+    resource: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Summary projection (key display fields as JSON string: id, displayName, status).
+     * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.
+     */
+    summary: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Immutable Cognito-issued `sub` claim. Drives GSI2 (sub-lookup). Optional until the
+     * Post Confirmation Lambda (#770) lands; required thereafter.
+     */
+    cognitoSub: {
+      type: "string",
+      required: false
+    },
+    /** Version id (e.g. ULID). */
+    vid: {
+      type: "string",
+      required: true
+    },
+    lastUpdated: {
+      type: "string",
+      required: true
+    },
+    gsi1Shard: gsi1ShardAttribute,
+    /** Derived GSI1 sort key — name-based when extractable; else `<lastUpdated>#<id>`. */
+    gsi1sk: gsi1skAttribute,
+    deleted: {
+      type: "boolean",
+      required: false
+    },
+    bundleId: {
+      type: "string",
+      required: false
+    },
+    msgId: {
+      type: "string",
+      required: false
+    }
+  },
+  indexes: {
+    /** Base table: PK = USER#ID#<id>, SK = CURRENT. Do not supply PK or SK from outside. */
+    record: {
+      pk: {
+        field: "PK",
+        composite: ["id"],
+        template: "USER#ID#${id}"
+      },
+      sk: {
+        field: "SK",
+        composite: ["sk"],
+        template: "${sk}"
+      }
+    },
+    /**
+     * GSI1 — Unified Sharded List per ADR-011: list all Users across the four shards.
+     * Non-tenant-isolated, so `TID#-#WID#-` sentinels precede `RT#User#SHARD#<n>`.
+     * SK is derived via `gsi1skAttribute` — uses the resource's natural label when
+     * extractable (string `name`/`title` via introspection), else `<lastUpdated>#<id>`
+     * (DR-004). `casing: "none"` preserves the normalized label and ISO-8601 `T`/`Z`.
+     */
+    gsi1: {
+      index: "GSI1",
+      pk: {
+        field: "GSI1PK",
+        composite: ["gsi1Shard"],
+        template: "TID#-#WID#-#RT#User#SHARD#${gsi1Shard}"
+      },
+      sk: {
+        field: "GSI1SK",
+        casing: "none",
+        composite: ["gsi1sk"],
+        template: "${gsi1sk}"
+      }
+    },
+    /**
+     * GSI2 — Cognito sub-lookup per ADR-011: resolves the UserEntity from a Cognito `sub` claim.
+     * `condition` skips the index when `cognitoSub` is missing so legacy items without a sub are
+     * not indexed.
+     */
+    gsi2: {
+      index: "GSI2",
+      condition: (attrs) => typeof attrs.cognitoSub === "string" && attrs.cognitoSub.length > 0,
+      pk: {
+        field: "GSI2PK",
+        casing: "none",
+        composite: ["cognitoSub"],
+        template: "USER#SUB#${cognitoSub}"
+      },
+      sk: {
+        field: "GSI2SK",
+        casing: "none",
+        composite: [],
+        template: "CURRENT"
+      }
+    }
+  }
+});
+
+// src/data/dynamo/entities/control/workspace-entity.ts
+var import_electrodb7 = require("electrodb");
+var WorkspaceEntity = new import_electrodb7.Entity({
+  model: {
+    entity: "workspace",
+    service: "control",
+    version: "01"
+  },
+  attributes: {
+    /** Sort key sentinel. Always "CURRENT". */
+    sk: {
+      type: "string",
+      required: true,
+      default: "CURRENT"
+    },
+    /** Tenant that contains this workspace (required). */
+    tenantId: {
+      type: "string",
+      required: true
+    },
+    /** FHIR Resource.id; logical id in URL. */
+    id: {
+      type: "string",
+      required: true
+    },
+    /** Full Workspace resource serialized as JSON string. */
+    resource: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Summary projection (key display fields as JSON string: id, displayName, status).
+     * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.
+     */
+    summary: {
+      type: "string",
+      required: true
+    },
+    /** Version id (e.g. ULID). */
+    vid: {
+      type: "string",
+      required: true
+    },
+    lastUpdated: {
+      type: "string",
+      required: true
+    },
+    gsi1Shard: gsi1ShardAttribute,
+    /** Derived GSI1 sort key — name-based when extractable; else `<lastUpdated>#<id>`. */
+    gsi1sk: gsi1skAttribute,
+    deleted: {
+      type: "boolean",
+      required: false
+    },
+    bundleId: {
+      type: "string",
+      required: false
+    },
+    msgId: {
+      type: "string",
+      required: false
+    }
+  },
+  indexes: {
+    /** Base table: PK = TID#<tenantId>#WORKSPACE#ID#<id>, SK = CURRENT. Do not supply PK or SK from outside. */
+    record: {
+      pk: {
+        field: "PK",
+        composite: ["tenantId", "id"],
+        template: "TID#${tenantId}#WORKSPACE#ID#${id}"
+      },
+      sk: {
+        field: "SK",
+        composite: ["sk"],
+        template: "${sk}"
+      }
+    },
+    /**
+     * GSI1 — Unified Sharded List per ADR-011: list all Workspaces for a tenant across the
+     * four shards. Workspace is itself the workspace identity, so `WID#-` is a sentinel.
+     * SK is derived via `gsi1skAttribute` — `<normalizedName>#<id>` when the resource
+     * carries a `name`, else `<lastUpdated>#<id>` (DR-004). `casing: "none"` preserves
+     * the normalized label and ISO-8601 `T`/`Z`.
+     */
+    gsi1: {
+      index: "GSI1",
+      pk: {
+        field: "GSI1PK",
+        composite: ["tenantId", "gsi1Shard"],
+        template: "TID#${tenantId}#WID#-#RT#Workspace#SHARD#${gsi1Shard}"
+      },
+      sk: {
+        field: "GSI1SK",
+        casing: "none",
+        composite: ["gsi1sk"],
+        template: "${gsi1sk}"
+      }
+    }
+  }
+});
+
+// src/data/dynamo/dynamo-control-service.ts
+var controlPlaneEntities = {
+  configuration: ConfigurationEntity,
+  membership: MembershipEntity,
+  role: RoleEntity,
+  roleAssignment: RoleAssignmentEntity,
+  tenant: TenantEntity,
+  user: UserEntity,
+  workspace: WorkspaceEntity
+};
+var controlPlaneService = new import_electrodb8.Service(controlPlaneEntities, {
+  table: defaultTableName,
+  client: dynamoClient
+});
+var DynamoControlService = {
+  entities: controlPlaneService.entities
+};
+
+// src/data/operations/control/membership/membership-create-operation.ts
+var import_types3 = require("@openhi/types");
+
+// src/data/operations/control/roleassignment/roleassignment-create-operation.ts
+var import_types4 = require("@openhi/types");
+
+// src/data/operations/control/tenant/tenant-create-operation.ts
+var import_types5 = require("@openhi/types");
+
+// src/data/operations/control/workspace/workspace-create-operation.ts
+var import_types6 = require("@openhi/types");
+
+// src/workflows/control-plane/seed-demo-data/seed-demo-data.handler.ts
+var SEED_DEMO_DATA_USER_POOL_ID_ENV_VAR = "SEED_DEMO_DATA_USER_POOL_ID";
+
+// src/workflows/control-plane/seed-demo-data/seed-demo-data-lambda.ts
+var HANDLER_NAME7 = "seed-demo-data.handler.js";
+function resolveHandlerEntry7(dirname) {
+  const sameDir = import_node_path7.default.join(dirname, HANDLER_NAME7);
+  if (import_node_fs7.default.existsSync(sameDir)) {
+    return sameDir;
+  }
+  return import_node_path7.default.join(dirname, "..", "..", "..", "..", "lib", HANDLER_NAME7);
+}
+var SeedDemoDataLambda = class extends import_constructs11.Construct {
+  constructor(scope, props) {
+    super(scope, "seed-demo-data-lambda");
+    this.lambda = new import_aws_lambda_nodejs7.NodejsFunction(this, "handler", {
+      entry: resolveHandlerEntry7(__dirname),
+      runtime: import_aws_lambda7.Runtime.NODEJS_LATEST,
+      memorySize: 512,
+      timeout: import_aws_cdk_lib12.Duration.minutes(2),
+      environment: {
+        DYNAMO_TABLE_NAME: props.dataStoreTable.tableName,
+        [SEED_DEMO_DATA_USER_POOL_ID_ENV_VAR]: props.userPool.userPoolId
+      }
+    });
+    const roleReadKeys = Object.values(import_types8.CONTROL_PLANE_ROLE_IDS).map(
+      rolePartitionKey
+    );
+    this.lambda.addToRolePolicy(
+      new import_aws_iam3.PolicyStatement({
+        effect: import_aws_iam3.Effect.ALLOW,
+        actions: ["dynamodb:GetItem"],
+        resources: [props.dataStoreTable.tableArn],
+        conditions: {
+          "ForAllValues:StringEquals": {
+            "dynamodb:LeadingKeys": roleReadKeys
+          }
+        }
+      })
+    );
+    const writeKeys = [
+      ...demoBasePartitionKeys(),
+      ...demoDevUserPartitionKeys(DEV_USERS)
+    ];
+    this.lambda.addToRolePolicy(
+      new import_aws_iam3.PolicyStatement({
+        effect: import_aws_iam3.Effect.ALLOW,
+        actions: ["dynamodb:PutItem", "dynamodb:UpdateItem"],
+        resources: [props.dataStoreTable.tableArn],
+        conditions: {
+          "ForAllValues:StringEquals": {
+            "dynamodb:LeadingKeys": writeKeys
+          }
+        }
+      })
+    );
+    this.lambda.addToRolePolicy(
+      new import_aws_iam3.PolicyStatement({
+        effect: import_aws_iam3.Effect.ALLOW,
+        actions: [
+          "cognito-idp:AdminCreateUser",
+          "cognito-idp:AdminGetUser",
+          "cognito-idp:AdminSetUserPassword"
+        ],
+        resources: [
+          import_aws_cdk_lib12.Stack.of(this).formatArn({
+            service: "cognito-idp",
+            resource: "userpool",
+            resourceName: props.userPool.userPoolId
+          })
+        ]
+      })
+    );
+    this.rule = new import_aws_events6.Rule(this, "rule", {
+      eventBus: props.controlEventBus,
+      eventPattern: {
+        source: [import_workflows2.PlatformSystemDataSeededV1.source],
+        detailType: [import_workflows2.PlatformSystemDataSeededV1.detailType]
+      },
+      targets: [
+        new import_aws_events_targets2.LambdaFunction(this.lambda, {
+          retryAttempts: 2,
+          maxEventAge: import_aws_cdk_lib12.Duration.hours(2)
+        })
+      ]
+    });
+  }
+};
+
+// src/workflows/control-plane/seed-demo-data/seed-demo-data-workflow.ts
+var import_constructs12 = require("constructs");
+var SeedDemoDataWorkflow = class extends import_constructs12.Construct {
+  constructor(scope, props) {
+    super(scope, "seed-demo-data-workflow");
+    this.seedDemoData = new SeedDemoDataLambda(this, {
+      controlEventBus: props.controlEventBus,
+      dataStoreTable: props.dataStoreTable,
+      userPool: props.userPool
+    });
+    WorkflowDedupTable.grantConsumerFromLookup(
+      this,
+      this.seedDemoData.lambda,
+      SEED_DEMO_DATA_CONSUMER_NAME
+    );
+  }
+};
+
+// src/workflows/control-plane/seed-system-data/events.ts
+var import_workflows4 = __toESM(require_lib2());
+var SEED_SYSTEM_DATA_CONSUMER_NAME = "seed-system-data";
+var SEED_SYSTEM_DATA_ACTOR_SYSTEM = "seed-system-data";
+var SEED_SYSTEM_DATA_CONTROL_BUS_ENV_VAR = "CONTROL_EVENT_BUS_NAME";
+
+// src/workflows/control-plane/seed-system-data/seed-system-data-lambda.ts
+var import_node_fs8 = __toESM(require("fs"));
+var import_node_path8 = __toESM(require("path"));
+var import_types9 = require("@openhi/types");
+var import_aws_cdk_lib13 = require("aws-cdk-lib");
+var import_aws_events7 = require("aws-cdk-lib/aws-events");
+var import_aws_events_targets3 = require("aws-cdk-lib/aws-events-targets");
+var import_aws_iam4 = require("aws-cdk-lib/aws-iam");
+var import_aws_lambda8 = require("aws-cdk-lib/aws-lambda");
+var import_aws_lambda_nodejs8 = require("aws-cdk-lib/aws-lambda-nodejs");
+var import_constructs13 = require("constructs");
+var HANDLER_NAME8 = "seed-system-data.handler.js";
+function resolveHandlerEntry8(dirname) {
+  const sameDir = import_node_path8.default.join(dirname, HANDLER_NAME8);
+  if (import_node_fs8.default.existsSync(sameDir)) {
+    return sameDir;
+  }
+  return import_node_path8.default.join(dirname, "..", "..", "..", "..", "lib", HANDLER_NAME8);
+}
+var SeedSystemDataLambda = class extends import_constructs13.Construct {
+  constructor(scope, props) {
+    super(scope, "seed-system-data-lambda");
+    this.lambda = new import_aws_lambda_nodejs8.NodejsFunction(this, "handler", {
+      entry: resolveHandlerEntry8(__dirname),
+      runtime: import_aws_lambda8.Runtime.NODEJS_LATEST,
+      memorySize: 512,
+      timeout: import_aws_cdk_lib13.Duration.minutes(1),
+      environment: {
+        DYNAMO_TABLE_NAME: props.dataStoreTable.tableName,
+        [SEED_SYSTEM_DATA_CONTROL_BUS_ENV_VAR]: props.controlEventBus.eventBusName
+      }
+    });
+    const roleArns = Object.values(import_types9.CONTROL_PLANE_ROLE_IDS).map(
+      (id) => `role#id#${id}`
+    );
+    this.lambda.addToRolePolicy(
+      new import_aws_iam4.PolicyStatement({
+        effect: import_aws_iam4.Effect.ALLOW,
+        actions: ["dynamodb:PutItem", "dynamodb:UpdateItem"],
+        resources: [props.dataStoreTable.tableArn],
+        conditions: {
+          "ForAllValues:StringEquals": {
+            "dynamodb:LeadingKeys": roleArns
+          }
+        }
+      })
+    );
+    props.controlEventBus.grantPutEventsTo(this.lambda);
+    const hostStackName = import_aws_cdk_lib13.Stack.of(this).stackName;
+    this.rule = new import_aws_events7.Rule(this, "rule", {
+      eventBus: props.controlEventBus,
+      eventPattern: {
+        source: [import_workflows4.PlatformDeploymentCompletedV1.source],
+        detailType: [import_workflows4.PlatformDeploymentCompletedV1.detailType],
+        detail: {
+          payload: {
+            stackName: [hostStackName]
+          }
+        }
+      },
+      targets: [
+        new import_aws_events_targets3.LambdaFunction(this.lambda, {
+          retryAttempts: 2,
+          maxEventAge: import_aws_cdk_lib13.Duration.hours(2)
+        })
+      ]
+    });
+  }
+};
+
+// src/workflows/control-plane/seed-system-data/seed-system-data-workflow.ts
+var import_constructs14 = require("constructs");
+var SeedSystemDataWorkflow = class extends import_constructs14.Construct {
+  constructor(scope, props) {
+    super(scope, "seed-system-data-workflow");
+    this.seedSystemData = new SeedSystemDataLambda(this, {
+      controlEventBus: props.controlEventBus,
+      dataStoreTable: props.dataStoreTable
+    });
+    WorkflowDedupTable.grantConsumerFromLookup(
+      this,
+      this.seedSystemData.lambda,
+      SEED_SYSTEM_DATA_CONSUMER_NAME
+    );
+  }
+};
+
+// src/services/open-hi-data-service.ts
+var _OpenHiDataService = class _OpenHiDataService extends OpenHiService {
   constructor(ohEnv, props = {}) {
     super(ohEnv, _OpenHiDataService.SERVICE_TYPE, props);
+    /**
+     * Cached control-event-bus lookup. `OpenHiGlobalService.controlEventBusFromConstruct`
+     * registers a child `EventBus.fromEventBusName` construct with a
+     * fixed id under the scope it is passed, so calling it twice on the
+     * same `OpenHiDataService` instance collides. The cache mirrors the
+     * `private controlEventBus()` pattern already used in
+     * `OpenHiAuthService`. Use {@link controlEventBus} from this class
+     * — never call the static lookup from inside `OpenHiDataService`.
+     */
+    this._controlEventBus = null;
     this.props = props;
     this.dataStoreChangeStream = new kinesis.Stream(
       this,
@@ -1592,6 +3831,53 @@ var _OpenHiDataService = class _OpenHiDataService extends OpenHiService {
         branchHash: this.branchHash
       }
     );
+    this.seedSystemDataWorkflow = this.createSeedSystemDataWorkflow();
+    this.seedDemoDataWorkflow = this.createSeedDemoDataWorkflow();
+  }
+  /**
+   * Returns the data store table by name. Use from other stacks (e.g. REST API Lambda) to obtain an ITable reference.
+   */
+  static dynamoDbDataStoreFromConstruct(scope, id = "dynamo-db-data-store") {
+    return import_aws_dynamodb3.Table.fromTableName(scope, id, getDynamoDbDataStoreTableName(scope));
+  }
+  get serviceType() {
+    return _OpenHiDataService.SERVICE_TYPE;
+  }
+  /**
+   * Lazily looks up the control event bus exactly once per
+   * `OpenHiDataService` instance and caches the reference. Every
+   * workflow that consumes the bus must read it through this method
+   * — see {@link _controlEventBus} for the underlying collision risk.
+   */
+  controlEventBus() {
+    if (this._controlEventBus === null) {
+      this._controlEventBus = OpenHiGlobalService.controlEventBusFromConstruct(this);
+    }
+    return this._controlEventBus;
+  }
+  /**
+   * Creates the seed-system-data workflow. Override to customize.
+   */
+  createSeedSystemDataWorkflow() {
+    return new SeedSystemDataWorkflow(this, {
+      controlEventBus: this.controlEventBus(),
+      dataStoreTable: this.dataStore
+    });
+  }
+  /**
+   * Creates the seed-demo-data workflow — but only on non-prod
+   * stages. Returns `undefined` on prod so the workflow literally
+   * does not exist in prod stacks. Override to customize.
+   */
+  createSeedDemoDataWorkflow() {
+    if (this.ohEnv.ohStage.stageType === import_config4.OPEN_HI_STAGE.PROD) {
+      return void 0;
+    }
+    return new SeedDemoDataWorkflow(this, {
+      controlEventBus: this.controlEventBus(),
+      dataStoreTable: this.dataStore,
+      userPool: OpenHiAuthService.userPoolFromConstruct(this)
+    });
   }
   /**
    * Creates the single-table DynamoDB data store.
@@ -1600,13 +3886,107 @@ var _OpenHiDataService = class _OpenHiDataService extends OpenHiService {
   createDataStore() {
     return new DynamoDbDataStore(this, "dynamo-db-data-store", {
       kinesisStream: this.dataStoreChangeStream,
-      stream: import_aws_dynamodb2.StreamViewType.NEW_AND_OLD_IMAGES
+      stream: import_aws_dynamodb3.StreamViewType.NEW_AND_OLD_IMAGES
     });
   }
 };
 _OpenHiDataService.SERVICE_TYPE = "data";
 var OpenHiDataService = _OpenHiDataService;
 
+// src/workflows/control-plane/user-onboarding/events.ts
+var USER_ONBOARDING_EVENT_SOURCE = "openhi.control.user-onboarding";
+var PROVISION_DEFAULT_WORKSPACE_DETAIL_TYPE = "ProvisionDefaultWorkspaceRequested";
+var buildProvisionDefaultWorkspaceRequestedDetail = (event) => {
+  const attrs = event.request?.userAttributes ?? {};
+  const cognitoSub = attrs.sub?.trim();
+  if (!cognitoSub) {
+    return void 0;
+  }
+  const email = attrs.email?.trim();
+  const displayName = email || event.userName || cognitoSub;
+  return {
+    cognitoSub,
+    ...email ? { email } : {},
+    displayName,
+    trigger: {
+      source: "cognito.post-confirmation",
+      triggerSource: event.triggerSource,
+      userPoolId: event.userPoolId,
+      userName: event.userName,
+      clientId: event.callerContext?.clientId
+    }
+  };
+};
+
+// src/workflows/control-plane/user-onboarding/provision-default-workspace-lambda.ts
+var import_node_fs9 = __toESM(require("fs"));
+var import_node_path9 = __toESM(require("path"));
+var import_aws_cdk_lib14 = require("aws-cdk-lib");
+var import_aws_events8 = require("aws-cdk-lib/aws-events");
+var import_aws_events_targets4 = require("aws-cdk-lib/aws-events-targets");
+var import_aws_iam5 = require("aws-cdk-lib/aws-iam");
+var import_aws_lambda9 = require("aws-cdk-lib/aws-lambda");
+var import_aws_lambda_nodejs9 = require("aws-cdk-lib/aws-lambda-nodejs");
+var import_constructs15 = require("constructs");
+var HANDLER_NAME9 = "provision-default-workspace.handler.js";
+function resolveHandlerEntry9(dirname) {
+  const sameDir = import_node_path9.default.join(dirname, HANDLER_NAME9);
+  if (import_node_fs9.default.existsSync(sameDir)) {
+    return sameDir;
+  }
+  return import_node_path9.default.join(dirname, "..", "..", "..", "..", "lib", HANDLER_NAME9);
+}
+var ProvisionDefaultWorkspaceLambda = class extends import_constructs15.Construct {
+  constructor(scope, props) {
+    super(scope, "provision-default-workspace-lambda");
+    this.lambda = new import_aws_lambda_nodejs9.NodejsFunction(this, "handler", {
+      entry: resolveHandlerEntry9(__dirname),
+      runtime: import_aws_lambda9.Runtime.NODEJS_LATEST,
+      memorySize: 1024,
+      environment: {
+        DYNAMO_TABLE_NAME: props.dataStoreTable.tableName
+      }
+    });
+    props.dataStoreTable.grant(
+      this.lambda,
+      "dynamodb:PutItem",
+      "dynamodb:UpdateItem"
+    );
+    this.lambda.addToRolePolicy(
+      new import_aws_iam5.PolicyStatement({
+        effect: import_aws_iam5.Effect.ALLOW,
+        actions: ["dynamodb:Query"],
+        resources: [`${props.dataStoreTable.tableArn}/index/*`]
+      })
+    );
+    this.rule = new import_aws_events8.Rule(this, "rule", {
+      eventBus: props.controlEventBus,
+      eventPattern: {
+        source: [USER_ONBOARDING_EVENT_SOURCE],
+        detailType: [PROVISION_DEFAULT_WORKSPACE_DETAIL_TYPE]
+      },
+      targets: [
+        new import_aws_events_targets4.LambdaFunction(this.lambda, {
+          retryAttempts: 2,
+          maxEventAge: import_aws_cdk_lib14.Duration.hours(2)
+        })
+      ]
+    });
+  }
+};
+
+// src/workflows/control-plane/user-onboarding/user-onboarding-workflow.ts
+var import_constructs16 = require("constructs");
+var UserOnboardingWorkflow = class extends import_constructs16.Construct {
+  constructor(scope, props) {
+    super(scope, "user-onboarding-workflow");
+    this.provisionDefaultWorkspace = new ProvisionDefaultWorkspaceLambda(this, {
+      dataStoreTable: props.dataStoreTable,
+      controlEventBus: props.controlEventBus
+    });
+  }
+};
+
 // src/services/open-hi-auth-service.ts
 var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
   constructor(ohEnv, props = {}) {
@@ -1618,11 +3998,13 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
      * would collide.
      */
     this._dataStoreTable = null;
+    this._controlEventBus = null;
     this.props = props;
     this.userPoolKmsKey = this.createUserPoolKmsKey();
     this.preTokenGenerationLambda = this.createPreTokenGenerationLambda();
     this.postAuthenticationLambda = this.createPostAuthenticationLambda();
     this.postConfirmationLambda = this.createPostConfirmationLambda();
+    this.userOnboardingWorkflow = this.createUserOnboardingWorkflow();
     this.userPool = this.createUserPool();
     this.grantPreTokenGenerationPermissions();
     this.grantPostAuthenticationPermissions();
@@ -1739,23 +4121,33 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
   }
   /**
    * Creates the Post Confirmation Lambda (Cognito trigger). On sign-up
-   * confirmation, writes the new user's default Tenant, Workspace,
-   * Memberships, and `tenant-user` RoleAssignment, plus a User record
-   * carrying the Cognito `sub` and current tenant/workspace pointers
-   * (ADR 2026-03-17-01 invariants).
+   * confirmation, publishes a control-plane workflow event; provisioning lives
+   * behind EventBridge.
    */
   createPostConfirmationLambda() {
     const construct = new PostConfirmationLambda(this, {
-      dynamoTableName: this.dataStoreTable().tableName
+      controlEventBusName: this.controlEventBus().eventBusName
     });
     return construct.lambda;
   }
+  createUserOnboardingWorkflow() {
+    return new UserOnboardingWorkflow(this, {
+      controlEventBus: this.controlEventBus(),
+      dataStoreTable: this.dataStoreTable()
+    });
+  }
   dataStoreTable() {
     if (this._dataStoreTable === null) {
       this._dataStoreTable = OpenHiDataService.dynamoDbDataStoreFromConstruct(this);
     }
     return this._dataStoreTable;
   }
+  controlEventBus() {
+    if (this._controlEventBus === null) {
+      this._controlEventBus = OpenHiGlobalService.controlEventBusFromConstruct(this);
+    }
+    return this._controlEventBus;
+  }
   /**
    * Creates the Cognito User Pool and exports its ID to SSM.
    * Look up via {@link OpenHiAuthService.userPoolFromConstruct}.
@@ -1800,8 +4192,8 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
     const dynamoActions = ["dynamodb:GetItem", "dynamodb:Query"];
     dataStoreTable.grant(this.preTokenGenerationLambda, ...dynamoActions);
     this.preTokenGenerationLambda.addToRolePolicy(
-      new import_aws_iam.PolicyStatement({
-        effect: import_aws_iam.Effect.ALLOW,
+      new import_aws_iam6.PolicyStatement({
+        effect: import_aws_iam6.Effect.ALLOW,
         actions: [...dynamoActions],
         resources: [`${dataStoreTable.tableArn}/index/*`]
       })
@@ -1822,7 +4214,7 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
    */
   grantPostAuthenticationPermissions() {
     this.postAuthenticationLambda.addToRolePolicy(
-      new import_aws_iam.PolicyStatement({
+      new import_aws_iam6.PolicyStatement({
         actions: ["cognito-idp:AdminUserGlobalSignOut"],
         resources: [
           import_core2.Stack.of(this).formatArn({
@@ -1835,26 +4227,11 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
     );
   }
   /**
-   * Grants the Post Confirmation Lambda write access to the data store
-   * table (and its GSIs) so it can seed the new user's Tenant, Workspace,
-   * Memberships, RoleAssignment, and User records on sign-up confirmation.
+   * Grants the Post Confirmation Lambda publish-only access to the
+   * control-plane event bus. Workflow Lambdas own DynamoDB writes.
    */
   grantPostConfirmationPermissions() {
-    const dataStoreTable = this.dataStoreTable();
-    const dynamoActions = [
-      "dynamodb:PutItem",
-      "dynamodb:UpdateItem",
-      "dynamodb:BatchWriteItem",
-      "dynamodb:DescribeTable"
-    ];
-    dataStoreTable.grant(this.postConfirmationLambda, ...dynamoActions);
-    this.postConfirmationLambda.addToRolePolicy(
-      new import_aws_iam.PolicyStatement({
-        effect: import_aws_iam.Effect.ALLOW,
-        actions: [...dynamoActions],
-        resources: [`${dataStoreTable.tableArn}/index/*`]
-      })
-    );
+    this.controlEventBus().grantPutEventsTo(this.postConfirmationLambda);
   }
   /**
    * Creates the User Pool Client and exports its ID to SSM (AUTH service type).
@@ -1884,7 +4261,7 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
    * via env vars to drive `InitiateAuth`.
    */
   createFixtureSeederClient() {
-    if (this.ohEnv.ohStage.stageType === import_config4.OPEN_HI_STAGE.PROD) {
+    if (this.ohEnv.ohStage.stageType === import_config5.OPEN_HI_STAGE.PROD) {
       return void 0;
     }
     const client = new CognitoFixtureSeederClient(this, {
@@ -1921,62 +4298,62 @@ _OpenHiAuthService.SERVICE_TYPE = "auth";
 var OpenHiAuthService = _OpenHiAuthService;
 
 // src/services/open-hi-rest-api-service.ts
-var import_config5 = __toESM(require_lib());
+var import_config6 = __toESM(require_lib());
 var import_aws_apigatewayv22 = require("aws-cdk-lib/aws-apigatewayv2");
 var import_aws_apigatewayv2_authorizers = require("aws-cdk-lib/aws-apigatewayv2-authorizers");
 var import_aws_apigatewayv2_integrations = require("aws-cdk-lib/aws-apigatewayv2-integrations");
-var import_aws_iam2 = require("aws-cdk-lib/aws-iam");
+var import_aws_iam7 = require("aws-cdk-lib/aws-iam");
 var import_aws_route533 = require("aws-cdk-lib/aws-route53");
 var import_aws_route53_targets = require("aws-cdk-lib/aws-route53-targets");
 var import_core3 = require("aws-cdk-lib/core");
 
 // src/data/lambda/cors-options-lambda.ts
-var import_node_fs6 = __toESM(require("fs"));
-var import_node_path6 = __toESM(require("path"));
-var import_aws_lambda6 = require("aws-cdk-lib/aws-lambda");
-var import_aws_lambda_nodejs6 = require("aws-cdk-lib/aws-lambda-nodejs");
-var import_constructs8 = require("constructs");
-var HANDLER_NAME6 = "cors-options-lambda.handler.js";
-function resolveHandlerEntry6(dirname) {
-  const sameDir = import_node_path6.default.join(dirname, HANDLER_NAME6);
-  if (import_node_fs6.default.existsSync(sameDir)) {
+var import_node_fs10 = __toESM(require("fs"));
+var import_node_path10 = __toESM(require("path"));
+var import_aws_lambda10 = require("aws-cdk-lib/aws-lambda");
+var import_aws_lambda_nodejs10 = require("aws-cdk-lib/aws-lambda-nodejs");
+var import_constructs17 = require("constructs");
+var HANDLER_NAME10 = "cors-options-lambda.handler.js";
+function resolveHandlerEntry10(dirname) {
+  const sameDir = import_node_path10.default.join(dirname, HANDLER_NAME10);
+  if (import_node_fs10.default.existsSync(sameDir)) {
     return sameDir;
   }
-  const fromLib = import_node_path6.default.join(dirname, "..", "..", "..", "lib", HANDLER_NAME6);
+  const fromLib = import_node_path10.default.join(dirname, "..", "..", "..", "lib", HANDLER_NAME10);
   return fromLib;
 }
-var CorsOptionsLambda = class extends import_constructs8.Construct {
+var CorsOptionsLambda = class extends import_constructs17.Construct {
   constructor(scope, id = "cors-options-lambda") {
     super(scope, id);
-    this.lambda = new import_aws_lambda_nodejs6.NodejsFunction(this, "handler", {
-      entry: resolveHandlerEntry6(__dirname),
-      runtime: import_aws_lambda6.Runtime.NODEJS_LATEST,
+    this.lambda = new import_aws_lambda_nodejs10.NodejsFunction(this, "handler", {
+      entry: resolveHandlerEntry10(__dirname),
+      runtime: import_aws_lambda10.Runtime.NODEJS_LATEST,
       memorySize: 128
     });
   }
 };
 
 // src/data/lambda/rest-api-lambda.ts
-var import_node_fs7 = __toESM(require("fs"));
-var import_node_path7 = __toESM(require("path"));
-var import_aws_lambda7 = require("aws-cdk-lib/aws-lambda");
-var import_aws_lambda_nodejs7 = require("aws-cdk-lib/aws-lambda-nodejs");
-var import_constructs9 = require("constructs");
-var HANDLER_NAME7 = "rest-api-lambda.handler.js";
-function resolveHandlerEntry7(dirname) {
-  const sameDir = import_node_path7.default.join(dirname, HANDLER_NAME7);
-  if (import_node_fs7.default.existsSync(sameDir)) {
+var import_node_fs11 = __toESM(require("fs"));
+var import_node_path11 = __toESM(require("path"));
+var import_aws_lambda11 = require("aws-cdk-lib/aws-lambda");
+var import_aws_lambda_nodejs11 = require("aws-cdk-lib/aws-lambda-nodejs");
+var import_constructs18 = require("constructs");
+var HANDLER_NAME11 = "rest-api-lambda.handler.js";
+function resolveHandlerEntry11(dirname) {
+  const sameDir = import_node_path11.default.join(dirname, HANDLER_NAME11);
+  if (import_node_fs11.default.existsSync(sameDir)) {
     return sameDir;
   }
-  const fromLib = import_node_path7.default.join(dirname, "..", "..", "..", "lib", HANDLER_NAME7);
+  const fromLib = import_node_path11.default.join(dirname, "..", "..", "..", "lib", HANDLER_NAME11);
   return fromLib;
 }
-var RestApiLambda = class extends import_constructs9.Construct {
+var RestApiLambda = class extends import_constructs18.Construct {
   constructor(scope, props) {
     super(scope, "rest-api-lambda");
-    this.lambda = new import_aws_lambda_nodejs7.NodejsFunction(this, "handler", {
-      entry: resolveHandlerEntry7(__dirname),
-      runtime: import_aws_lambda7.Runtime.NODEJS_LATEST,
+    this.lambda = new import_aws_lambda_nodejs11.NodejsFunction(this, "handler", {
+      entry: resolveHandlerEntry11(__dirname),
+      runtime: import_aws_lambda11.Runtime.NODEJS_LATEST,
       memorySize: 1024,
       environment: {
         DYNAMO_TABLE_NAME: props.dynamoTableName,
@@ -2118,8 +4495,8 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
       postgresSchema
     });
     lambda.addToRolePolicy(
-      new import_aws_iam2.PolicyStatement({
-        effect: import_aws_iam2.Effect.ALLOW,
+      new import_aws_iam7.PolicyStatement({
+        effect: import_aws_iam7.Effect.ALLOW,
         actions: [
           "rds-data:ExecuteStatement",
           "rds-data:BatchExecuteStatement"
@@ -2128,8 +4505,8 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
       })
     );
     lambda.addToRolePolicy(
-      new import_aws_iam2.PolicyStatement({
-        effect: import_aws_iam2.Effect.ALLOW,
+      new import_aws_iam7.PolicyStatement({
+        effect: import_aws_iam7.Effect.ALLOW,
         actions: ["secretsmanager:GetSecretValue"],
         resources: [postgresSecretArn]
       })
@@ -2147,15 +4524,15 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
     ];
     dataStoreTable.grant(lambda, ...dynamoActions);
     lambda.addToRolePolicy(
-      new import_aws_iam2.PolicyStatement({
-        effect: import_aws_iam2.Effect.ALLOW,
+      new import_aws_iam7.PolicyStatement({
+        effect: import_aws_iam7.Effect.ALLOW,
         actions: [...dynamoActions],
         resources: [`${dataStoreTable.tableArn}/index/*`]
       })
     );
     lambda.addToRolePolicy(
-      new import_aws_iam2.PolicyStatement({
-        effect: import_aws_iam2.Effect.ALLOW,
+      new import_aws_iam7.PolicyStatement({
+        effect: import_aws_iam7.Effect.ALLOW,
         actions: [
           "ssm:GetParameter",
           "ssm:GetParameters",
@@ -2214,7 +4591,7 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
     const userPool = OpenHiAuthService.userPoolFromConstruct(this);
     const userPoolClient = OpenHiAuthService.userPoolClientFromConstruct(this);
     const userPoolClients = [userPoolClient];
-    if (this.ohEnv.ohStage.stageType !== import_config5.OPEN_HI_STAGE.PROD) {
+    if (this.ohEnv.ohStage.stageType !== import_config6.OPEN_HI_STAGE.PROD) {
       userPoolClients.push(
         OpenHiAuthService.fixtureSeederClientFromConstruct(this)
       );
@@ -2304,20 +4681,36 @@ _OpenHiGraphqlService.SERVICE_TYPE = "graphql-api";
 var OpenHiGraphqlService = _OpenHiGraphqlService;
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
+  BRIDGED_STATUSES,
+  CLOUDFORMATION_EVENT_SOURCE,
+  CLOUDFORMATION_STACK_STATUS_CHANGE_DETAIL_TYPE,
+  CONTROL_EVENT_BUS_NAME_ENV_VAR,
   ChildHostedZone,
   CognitoFixtureSeederClient,
   CognitoUserPool,
   CognitoUserPoolClient,
   CognitoUserPoolDomain,
   CognitoUserPoolKmsKey,
+  ControlEventBus,
   DATA_STORE_CHANGE_DETAIL_MAX_UTF8_BYTES,
   DATA_STORE_CHANGE_DETAIL_TYPE,
   DATA_STORE_CHANGE_EVENT_SOURCE,
+  DEMO_PERIOD,
+  DEMO_TENANT_SPECS,
+  DEMO_URN_SYSTEM,
+  DEV_USERS,
   DataEventBus,
   DataStoreHistoricalArchive,
   DataStorePostgresReplica,
   DiscoverableStringParameter,
   DynamoDbDataStore,
+  OPENHI_REPO_TAG_KEY_ENV_VAR,
+  OPENHI_RESOURCE_URN_SYSTEM,
+  OPENHI_TAG_KEY_PREFIX_ENV_VAR,
+  OPENHI_TAG_SUFFIX_BRANCH_NAME,
+  OPENHI_TAG_SUFFIX_REPO_NAME,
+  OPENHI_TAG_SUFFIX_SERVICE_TYPE,
+  OPENHI_TAG_SUFFIX_STAGE_TYPE,
   OpenHiApp,
   OpenHiAuthService,
   OpenHiDataService,
@@ -2328,21 +4721,59 @@ var OpenHiGraphqlService = _OpenHiGraphqlService;
   OpenHiService,
   OpenHiStage,
   OpsEventBus,
+  PLACEHOLDER_TENANT_ID,
+  PLACEHOLDER_WORKSPACE_ID,
+  PLATFORM_DEPLOY_BRIDGE_ACTOR_SYSTEM,
+  PLATFORM_SCOPE_TENANT_ID,
   POSTGRES_REPLICA_CLUSTER_ARN_SSM_NAME,
   POSTGRES_REPLICA_DATABASE_NAME_SSM_NAME,
   POSTGRES_REPLICA_SECRET_ARN_SSM_NAME,
+  PROVISION_DEFAULT_WORKSPACE_DETAIL_TYPE,
+  PlatformDeployBridge,
+  PlatformDeployBridgeLambda,
+  PlatformDeploymentCompletedV1,
   PostAuthenticationLambda,
   PostConfirmationLambda,
   PreTokenGenerationLambda,
+  ProvisionDefaultWorkspaceLambda,
   REST_API_BASE_URL_SSM_NAME,
   RootGraphqlApi,
   RootHostedZone,
   RootHttpApi,
   RootWildcardCertificate,
+  SEED_DEMO_DATA_CONSUMER_NAME,
+  SEED_SYSTEM_DATA_ACTOR_SYSTEM,
+  SEED_SYSTEM_DATA_CONSUMER_NAME,
+  SEED_SYSTEM_DATA_CONTROL_BUS_ENV_VAR,
   STATIC_HOSTING_SERVICE_TYPE,
+  SeedDemoDataLambda,
+  SeedDemoDataWorkflow,
+  SeedSystemDataLambda,
+  SeedSystemDataWorkflow,
   StaticHosting,
+  USER_ONBOARDING_EVENT_SOURCE,
+  UserOnboardingWorkflow,
+  WorkflowDedupConsumerNameInvalidError,
+  WorkflowDedupTable,
+  WorkflowDedupTableDuplicateError,
   buildFhirCurrentResourceChangeDetail,
+  buildProvisionDefaultWorkspaceRequestedDetail,
+  demoBasePartitionKeys,
+  demoDevUserPartitionKeys,
+  demoMembershipId,
+  demoMembershipPartitionKey,
+  demoRoleAssignmentId,
+  demoRoleAssignmentPartitionKey,
+  demoRolesForUserInTenant,
+  demoScenarioIdentifier,
+  demoTenantPartitionKey,
+  demoUserPartitionKey,
+  demoWorkspacePartitionKey,
   getDynamoDbDataStoreTableName,
-  getPostgresReplicaSchemaName
+  getPostgresReplicaSchemaName,
+  getWorkflowDedupTableName,
+  openHiTagKey,
+  openhiResourceIdentifier,
+  rolePartitionKey
 });
 //# sourceMappingURL=index.js.map