npm - @openhi/constructs - Versions diffs - 0.0.105 → 0.0.106 - Mend

@openhi/constructs 0.0.105 → 0.0.106

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (73) hide show

package/lib/chunk-AGF3RAAZ.mjs +20 -0
package/lib/chunk-AGF3RAAZ.mjs.map +1 -0
package/lib/{chunk-BXEG7IOZ.mjs → chunk-AO3E22CS.mjs} +2 -2
package/lib/{chunk-WNUH2WDZ.mjs → chunk-CHPEQRXU.mjs} +2 -2
package/lib/chunk-JUNL76HF.mjs +428 -0
package/lib/chunk-JUNL76HF.mjs.map +1 -0
package/lib/chunk-L6UAP4KP.mjs +27 -0
package/lib/chunk-L6UAP4KP.mjs.map +1 -0
package/lib/{chunk-3QS3WKRC.mjs → chunk-LZOMFHX3.mjs} +9 -2
package/lib/chunk-QMIOLLAS.mjs +531 -0
package/lib/chunk-QMIOLLAS.mjs.map +1 -0
package/lib/chunk-SYBADQXI.mjs +607 -0
package/lib/chunk-SYBADQXI.mjs.map +1 -0
package/lib/chunk-VXX4I3EF.mjs +19 -0
package/lib/chunk-VXX4I3EF.mjs.map +1 -0
package/lib/{chunk-36YCDLLA.mjs → chunk-VYDIGFIX.mjs} +75 -481
package/lib/chunk-VYDIGFIX.mjs.map +1 -0
package/lib/chunk-YU2HRNUP.mjs +33 -0
package/lib/chunk-YU2HRNUP.mjs.map +1 -0
package/lib/chunk-YZZDUJHI.mjs +37 -0
package/lib/chunk-YZZDUJHI.mjs.map +1 -0
package/lib/cors-options-lambda.handler.mjs +1 -1
package/lib/data-store-postgres-replication.handler.mjs +1 -1
package/lib/events-BfrkMoBD.d.mts +44 -0
package/lib/events-BfrkMoBD.d.ts +44 -0
package/lib/events-DGep6C7w.d.mts +207 -0
package/lib/events-DGep6C7w.d.ts +207 -0
package/lib/firehose-archive-transform.handler.mjs +1 -1
package/lib/index.d.mts +417 -9
package/lib/index.d.ts +663 -10
package/lib/index.js +2400 -111
package/lib/index.js.map +1 -1
package/lib/index.mjs +781 -104
package/lib/index.mjs.map +1 -1
package/lib/openhi-context-CaBH8SFo.d.mts +39 -0
package/lib/openhi-context-CaBH8SFo.d.ts +39 -0
package/lib/platform-deploy-bridge.handler.d.mts +14 -0
package/lib/platform-deploy-bridge.handler.d.ts +14 -0
package/lib/platform-deploy-bridge.handler.js +762 -0
package/lib/platform-deploy-bridge.handler.js.map +1 -0
package/lib/platform-deploy-bridge.handler.mjs +134 -0
package/lib/platform-deploy-bridge.handler.mjs.map +1 -0
package/lib/post-authentication.handler.mjs +1 -1
package/lib/post-confirmation.handler.mjs +1 -1
package/lib/pre-token-generation.handler.js +76 -31
package/lib/pre-token-generation.handler.js.map +1 -1
package/lib/pre-token-generation.handler.mjs +5 -3
package/lib/pre-token-generation.handler.mjs.map +1 -1
package/lib/provision-default-workspace.handler.js +86 -41
package/lib/provision-default-workspace.handler.js.map +1 -1
package/lib/provision-default-workspace.handler.mjs +6 -4
package/lib/provision-default-workspace.handler.mjs.map +1 -1
package/lib/rest-api-lambda.handler.js +114 -59
package/lib/rest-api-lambda.handler.js.map +1 -1
package/lib/rest-api-lambda.handler.mjs +40 -61
package/lib/rest-api-lambda.handler.mjs.map +1 -1
package/lib/seed-demo-data.handler.d.mts +107 -0
package/lib/seed-demo-data.handler.d.ts +107 -0
package/lib/seed-demo-data.handler.js +2037 -0
package/lib/seed-demo-data.handler.js.map +1 -0
package/lib/seed-demo-data.handler.mjs +23 -0
package/lib/seed-demo-data.handler.mjs.map +1 -0
package/lib/seed-system-data.handler.d.mts +64 -0
package/lib/seed-system-data.handler.d.ts +64 -0
package/lib/seed-system-data.handler.js +1631 -0
package/lib/seed-system-data.handler.js.map +1 -0
package/lib/seed-system-data.handler.mjs +135 -0
package/lib/seed-system-data.handler.mjs.map +1 -0
package/package.json +4 -2
package/lib/chunk-36YCDLLA.mjs.map +0 -1
/package/lib/{chunk-BXEG7IOZ.mjs.map → chunk-AO3E22CS.mjs.map} +0 -0
/package/lib/{chunk-WNUH2WDZ.mjs.map → chunk-CHPEQRXU.mjs.map} +0 -0
/package/lib/{chunk-3QS3WKRC.mjs.map → chunk-LZOMFHX3.mjs.map} +0 -0

package/lib/index.js CHANGED Viewed

@@ -90,9 +90,611 @@ var require_lib = __commonJS({
   }
 });
+// ../workflows/lib/envelope-version.js
+var require_envelope_version = __commonJS({
+  "../workflows/lib/envelope-version.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.ENVELOPE_VERSION = void 0;
+    exports2.isSupportedEnvelopeVersion = isSupportedEnvelopeVersion;
+    exports2.ENVELOPE_VERSION = "1.0";
+    var ENVELOPE_VERSION_PATTERN = /^\d+\.\d+$/;
+    var MIN_SUPPORTED_MAJOR = 1;
+    var MAX_SUPPORTED_MAJOR = 1;
+    function isSupportedEnvelopeVersion(version) {
+      if (!ENVELOPE_VERSION_PATTERN.test(version)) {
+        return false;
+      }
+      const major = Number.parseInt(version.split(".")[0], 10);
+      return major >= MIN_SUPPORTED_MAJOR && major <= MAX_SUPPORTED_MAJOR;
+    }
+  }
+});
+// ../workflows/lib/envelope.js
+var require_envelope = __commonJS({
+  "../workflows/lib/envelope.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.MissingActorContextError = void 0;
+    exports2.isWorkflowUserActor = isWorkflowUserActor;
+    exports2.isWorkflowSystemActor = isWorkflowSystemActor;
+    exports2.workflowUserActorFromClaims = workflowUserActorFromClaims;
+    function isWorkflowUserActor(actor) {
+      return actor.ohi_uid !== void 0;
+    }
+    function isWorkflowSystemActor(actor) {
+      return actor.system !== void 0;
+    }
+    function workflowUserActorFromClaims(claims) {
+      if (claims.ohi_tid === void 0 || claims.ohi_wid === void 0) {
+        throw new MissingActorContextError("workflowUserActorFromClaims: ohi_tid and ohi_wid are required on the workflow user-actor; the caller's JWT is missing one or both. Use a system-actor for pre-provisioning bootstrap workflows.");
+      }
+      return {
+        ohi_tid: claims.ohi_tid,
+        ohi_wid: claims.ohi_wid,
+        ohi_uid: claims.ohi_uid,
+        ohi_uname: claims.ohi_uname
+      };
+    }
+    var MissingActorContextError = class extends Error {
+      /** @param message - human-readable description of the missing claim. */
+      constructor(message) {
+        super(message);
+        this.name = "MissingActorContextError";
+      }
+    };
+    exports2.MissingActorContextError = MissingActorContextError;
+  }
+});
+// ../workflows/lib/sources.js
+var require_sources = __commonJS({
+  "../workflows/lib/sources.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.DEFAULT_BUS_NAME_BY_SOURCE = exports2.OPENHI_OPS_SOURCE = exports2.OPENHI_DATA_SOURCE = exports2.OPENHI_CONTROL_SOURCE = void 0;
+    exports2.OPENHI_CONTROL_SOURCE = "openhi.control";
+    exports2.OPENHI_DATA_SOURCE = "openhi.data";
+    exports2.OPENHI_OPS_SOURCE = "openhi.ops";
+    exports2.DEFAULT_BUS_NAME_BY_SOURCE = {
+      [exports2.OPENHI_CONTROL_SOURCE]: "openhi-control-event-bus",
+      [exports2.OPENHI_DATA_SOURCE]: "openhi-data-event-bus",
+      [exports2.OPENHI_OPS_SOURCE]: "openhi-ops-event-bus"
+    };
+  }
+});
+// ../workflows/lib/detail-types/registry.js
+var require_registry = __commonJS({
+  "../workflows/lib/detail-types/registry.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.InvalidDetailTypeRegistrationError = void 0;
+    exports2.defineDetailType = defineDetailType;
+    exports2.isWellFormedDetailType = isWellFormedDetailType;
+    function defineDetailType(entry) {
+      if (!isWellFormedDetailType(entry.detailType)) {
+        throw new InvalidDetailTypeRegistrationError(`Detail-type "${entry.detailType}" does not match the platform-wide format <area>.<event>.v<integer>. See TR-016 \xA7Open Items #2.`);
+      }
+      return entry;
+    }
+    var DETAIL_TYPE_PATTERN = /^[a-z0-9]+(?:-[a-z0-9]+)*\.[a-z0-9]+(?:-[a-z0-9]+)*\.v\d+$/;
+    function isWellFormedDetailType(detailType) {
+      return DETAIL_TYPE_PATTERN.test(detailType);
+    }
+    var InvalidDetailTypeRegistrationError = class extends Error {
+      /** @param message - human-readable description of the violation. */
+      constructor(message) {
+        super(message);
+        this.name = "InvalidDetailTypeRegistrationError";
+      }
+    };
+    exports2.InvalidDetailTypeRegistrationError = InvalidDetailTypeRegistrationError;
+  }
+});
+// ../workflows/lib/detail-types/platform.js
+var require_platform = __commonJS({
+  "../workflows/lib/detail-types/platform.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.PlatformSystemDataSeededV1 = exports2.PlatformDeploymentCompletedV1 = void 0;
+    var sources_1 = require_sources();
+    var registry_1 = require_registry();
+    exports2.PlatformDeploymentCompletedV1 = (0, registry_1.defineDetailType)({
+      detailType: "platform.deployment-completed.v1",
+      source: sources_1.OPENHI_CONTROL_SOURCE,
+      dedupRequired: true
+    });
+    exports2.PlatformSystemDataSeededV1 = (0, registry_1.defineDetailType)({
+      detailType: "platform.system-data-seeded.v1",
+      source: sources_1.OPENHI_CONTROL_SOURCE,
+      dedupRequired: true
+    });
+  }
+});
+// ../workflows/lib/detail-types/index.js
+var require_detail_types = __commonJS({
+  "../workflows/lib/detail-types/index.js"(exports2) {
+    "use strict";
+    var __createBinding = exports2 && exports2.__createBinding || (Object.create ? (function(o, m, k, k2) {
+      if (k2 === void 0) k2 = k;
+      var desc = Object.getOwnPropertyDescriptor(m, k);
+      if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+        desc = { enumerable: true, get: function() {
+          return m[k];
+        } };
+      }
+      Object.defineProperty(o, k2, desc);
+    }) : (function(o, m, k, k2) {
+      if (k2 === void 0) k2 = k;
+      o[k2] = m[k];
+    }));
+    var __exportStar = exports2 && exports2.__exportStar || function(m, exports3) {
+      for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports3, p)) __createBinding(exports3, m, p);
+    };
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    __exportStar(require_platform(), exports2);
+    __exportStar(require_registry(), exports2);
+  }
+});
+// ../workflows/lib/publisher.js
+var require_publisher = __commonJS({
+  "../workflows/lib/publisher.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.WorkflowPublishError = void 0;
+    exports2.workflowsClient = workflowsClient;
+    exports2.publishWorkflowEvent = publishWorkflowEvent;
+    var node_crypto_1 = require("crypto");
+    var client_eventbridge_1 = require("@aws-sdk/client-eventbridge");
+    var envelope_version_1 = require_envelope_version();
+    var sources_1 = require_sources();
+    function workflowsClient(bridge, options = {}) {
+      return {
+        publish: (entry, payload, ctx) => publishWorkflowEvent(bridge, entry, payload, ctx, options)
+      };
+    }
+    async function publishWorkflowEvent(bridge, entry, payload, ctx, options = {}) {
+      const eventIdGenerator = options.eventIdGenerator ?? (() => (0, node_crypto_1.randomUUID)());
+      const correlationIdGenerator = options.correlationIdGenerator ?? (() => (0, node_crypto_1.randomUUID)());
+      const now = options.now ?? (() => /* @__PURE__ */ new Date());
+      const envelope = {
+        eventId: eventIdGenerator(),
+        attempt: 1,
+        correlationId: ctx.correlationId ?? correlationIdGenerator(),
+        causationId: ctx.causationId ?? null,
+        actor: ctx.actor,
+        occurredAt: now().toISOString(),
+        envelopeVersion: envelope_version_1.ENVELOPE_VERSION,
+        payload
+      };
+      const busName = options.busNameByPlane?.[entry.source] ?? sources_1.DEFAULT_BUS_NAME_BY_SOURCE[entry.source];
+      const result = await bridge.send(new client_eventbridge_1.PutEventsCommand({
+        Entries: [
+          {
+            EventBusName: busName,
+            Source: entry.source,
+            DetailType: entry.detailType,
+            Detail: JSON.stringify(envelope)
+          }
+        ]
+      }));
+      if ((result.FailedEntryCount ?? 0) > 0) {
+        const first = result.Entries?.[0];
+        throw new WorkflowPublishError(`EventBridge rejected ${entry.detailType} publish on bus ${busName}: ${first?.ErrorCode ?? "unknown"} \u2014 ${first?.ErrorMessage ?? "no error message"}`);
+      }
+      return { eventId: envelope.eventId };
+    }
+    var WorkflowPublishError = class extends Error {
+      /** @param message - human-readable description of the failed publish. */
+      constructor(message) {
+        super(message);
+        this.name = "WorkflowPublishError";
+      }
+    };
+    exports2.WorkflowPublishError = WorkflowPublishError;
+  }
+});
+// ../workflows/lib/consumer.js
+var require_consumer = __commonJS({
+  "../workflows/lib/consumer.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.UnsupportedEnvelopeVersionError = exports2.InvalidWorkflowEventError = void 0;
+    exports2.parseWorkflowEvent = parseWorkflowEvent2;
+    var envelope_version_1 = require_envelope_version();
+    function parseWorkflowEvent2(event, expected) {
+      if (event.source !== expected.source) {
+        throw new InvalidWorkflowEventError(`EventBridge source "${event.source}" does not match expected detail-type's source "${expected.source}".`);
+      }
+      if (event["detail-type"] !== expected.detailType) {
+        throw new InvalidWorkflowEventError(`EventBridge detail-type "${event["detail-type"]}" does not match expected "${expected.detailType}".`);
+      }
+      const candidate = asEnvelopeCandidate(event.detail);
+      if (!(0, envelope_version_1.isSupportedEnvelopeVersion)(candidate.envelopeVersion)) {
+        throw new UnsupportedEnvelopeVersionError(`Envelope version "${candidate.envelopeVersion}" is outside the SDK's supported range.`);
+      }
+      const envelope = {
+        eventId: candidate.eventId,
+        attempt: candidate.attempt,
+        correlationId: candidate.correlationId,
+        causationId: candidate.causationId,
+        actor: candidate.actor,
+        occurredAt: candidate.occurredAt,
+        envelopeVersion: candidate.envelopeVersion,
+        payload: candidate.payload
+      };
+      return {
+        envelope,
+        dedupKey: { eventId: envelope.eventId, attempt: envelope.attempt }
+      };
+    }
+    function asEnvelopeCandidate(detail) {
+      if (detail === null || typeof detail !== "object") {
+        throw new InvalidWorkflowEventError("EventBridge detail is not a non-null object.");
+      }
+      const obj = detail;
+      assertString(obj, "eventId");
+      assertPositiveInteger(obj, "attempt");
+      assertString(obj, "correlationId");
+      assertCausationId(obj);
+      assertActor(obj);
+      assertString(obj, "occurredAt");
+      assertString(obj, "envelopeVersion");
+      if (!("payload" in obj)) {
+        throw new InvalidWorkflowEventError("Envelope is missing required field: payload.");
+      }
+      return obj;
+    }
+    function assertString(obj, field) {
+      const value = obj[field];
+      if (typeof value !== "string" || value.length === 0) {
+        throw new InvalidWorkflowEventError(`Envelope field "${field}" must be a non-empty string.`);
+      }
+    }
+    function assertPositiveInteger(obj, field) {
+      const value = obj[field];
+      if (typeof value !== "number" || !Number.isInteger(value) || value < 1) {
+        throw new InvalidWorkflowEventError(`Envelope field "${field}" must be a 1-indexed integer.`);
+      }
+    }
+    function assertCausationId(obj) {
+      if (!("causationId" in obj)) {
+        throw new InvalidWorkflowEventError("Envelope is missing required field: causationId.");
+      }
+      const value = obj.causationId;
+      if (value !== null && (typeof value !== "string" || value.length === 0)) {
+        throw new InvalidWorkflowEventError('Envelope field "causationId" must be a non-empty string or null.');
+      }
+    }
+    function assertActor(obj) {
+      const actor = obj.actor;
+      if (actor === null || typeof actor !== "object") {
+        throw new InvalidWorkflowEventError('Envelope field "actor" must be an object.');
+      }
+      const actorObj = actor;
+      const isUserActor = typeof actorObj.ohi_uid === "string" && typeof actorObj.ohi_uname === "string" && typeof actorObj.ohi_tid === "string" && typeof actorObj.ohi_wid === "string";
+      const isSystemActor = typeof actorObj.system === "string";
+      if (!isUserActor && !isSystemActor) {
+        throw new InvalidWorkflowEventError('Envelope field "actor" must be either a user-actor (ohi_tid, ohi_wid, ohi_uid, ohi_uname) or a system-actor ({ system: string }).');
+      }
+    }
+    var InvalidWorkflowEventError = class extends Error {
+      /** @param message - human-readable description of the validation failure. */
+      constructor(message) {
+        super(message);
+        this.name = "InvalidWorkflowEventError";
+      }
+    };
+    exports2.InvalidWorkflowEventError = InvalidWorkflowEventError;
+    var UnsupportedEnvelopeVersionError = class extends Error {
+      /** @param message - human-readable description of the unsupported version. */
+      constructor(message) {
+        super(message);
+        this.name = "UnsupportedEnvelopeVersionError";
+      }
+    };
+    exports2.UnsupportedEnvelopeVersionError = UnsupportedEnvelopeVersionError;
+  }
+});
+// ../workflows/lib/dedup/env.js
+var require_env = __commonJS({
+  "../workflows/lib/dedup/env.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH = exports2.WORKFLOW_DEDUP_DEFAULT_TTL_SECONDS = exports2.WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR = void 0;
+    exports2.WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR = "OPENHI_WORKFLOW_DEDUP_TABLE_NAME";
+    exports2.WORKFLOW_DEDUP_DEFAULT_TTL_SECONDS = 14 * 24 * 60 * 60;
+    exports2.WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH = 64;
+  }
+});
+// ../workflows/lib/dedup/workflow-dedup-client.js
+var require_workflow_dedup_client = __commonJS({
+  "../workflows/lib/dedup/workflow-dedup-client.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.WorkflowDedupInvalidInputError = exports2.WorkflowDedupTableNameMissingError = void 0;
+    exports2.workflowDedupClient = workflowDedupClient2;
+    exports2.recordIfAbsent = recordIfAbsent;
+    exports2.markFailed = markFailed;
+    exports2.encodeSortKey = encodeSortKey;
+    var client_dynamodb_1 = require("@aws-sdk/client-dynamodb");
+    var env_1 = require_env();
+    function workflowDedupClient2(dynamodb, options = {}) {
+      return {
+        recordIfAbsent: (input) => recordIfAbsent(dynamodb, input, options),
+        markFailed: (input) => markFailed(dynamodb, input, options)
+      };
+    }
+    async function recordIfAbsent(dynamodb, input, options = {}) {
+      assertConsumerName(input.consumerName);
+      assertPositiveInteger(input.attempt, "attempt");
+      const ttlSeconds = input.ttlSeconds ?? options.defaultTtlSeconds ?? env_1.WORKFLOW_DEDUP_DEFAULT_TTL_SECONDS;
+      if (!Number.isInteger(ttlSeconds) || ttlSeconds <= 0) {
+        throw new WorkflowDedupInvalidInputError(`ttlSeconds must be a positive integer; got ${ttlSeconds}.`);
+      }
+      const tableName = resolveTableName(options.tableName);
+      const now = (options.now ?? defaultNow)();
+      const sk = encodeSortKey(input.eventId, input.attempt);
+      const expiresAt = Math.floor(now.getTime() / 1e3) + ttlSeconds;
+      try {
+        await dynamodb.send(new client_dynamodb_1.PutItemCommand({
+          TableName: tableName,
+          Item: {
+            consumerName: { S: input.consumerName },
+            sk: { S: sk },
+            eventId: { S: input.eventId },
+            attempt: { N: String(input.attempt) },
+            recordedAt: { S: now.toISOString() },
+            expiresAt: { N: String(expiresAt) }
+          },
+          ConditionExpression: "attribute_not_exists(consumerName) AND attribute_not_exists(sk)"
+        }));
+        return { recorded: true };
+      } catch (err) {
+        if (err instanceof client_dynamodb_1.ConditionalCheckFailedException) {
+          return { recorded: false, alreadyProcessed: true };
+        }
+        throw err;
+      }
+    }
+    async function markFailed(dynamodb, input, options = {}) {
+      assertConsumerName(input.consumerName);
+      assertPositiveInteger(input.attempt, "attempt");
+      if (input.reason.length === 0) {
+        throw new WorkflowDedupInvalidInputError("reason must be non-empty.");
+      }
+      const tableName = resolveTableName(options.tableName);
+      const now = (options.now ?? defaultNow)();
+      const sk = encodeSortKey(input.eventId, input.attempt);
+      await dynamodb.send(new client_dynamodb_1.UpdateItemCommand({
+        TableName: tableName,
+        Key: {
+          consumerName: { S: input.consumerName },
+          sk: { S: sk }
+        },
+        UpdateExpression: "SET #failed = :failed, #failureReason = :reason, #failedAt = :failedAt",
+        ExpressionAttributeNames: {
+          "#failed": "failed",
+          "#failureReason": "failureReason",
+          "#failedAt": "failedAt"
+        },
+        ExpressionAttributeValues: {
+          ":failed": { BOOL: true },
+          ":reason": { S: input.reason },
+          ":failedAt": { S: now.toISOString() }
+        }
+      }));
+    }
+    function encodeSortKey(eventId, attempt) {
+      if (eventId.length === 0) {
+        throw new WorkflowDedupInvalidInputError("eventId must be non-empty.");
+      }
+      return `${eventId}#${attempt}`;
+    }
+    function resolveTableName(explicit) {
+      const name = explicit ?? process.env[env_1.WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR];
+      if (!name) {
+        throw new WorkflowDedupTableNameMissingError(`Workflow dedup table name not set. Pass options.tableName or set ${env_1.WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR}.`);
+      }
+      return name;
+    }
+    function assertConsumerName(consumerName) {
+      if (consumerName.length === 0) {
+        throw new WorkflowDedupInvalidInputError("consumerName must be non-empty.");
+      }
+      if (consumerName.length > env_1.WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH) {
+        throw new WorkflowDedupInvalidInputError(`consumerName must be \u2264${env_1.WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH} chars; got ${consumerName.length}.`);
+      }
+      if (/\s/.test(consumerName)) {
+        throw new WorkflowDedupInvalidInputError("consumerName must not contain whitespace.");
+      }
+    }
+    function assertPositiveInteger(value, field) {
+      if (!Number.isInteger(value) || value < 1) {
+        throw new WorkflowDedupInvalidInputError(`${field} must be a 1-indexed integer; got ${value}.`);
+      }
+    }
+    function defaultNow() {
+      return /* @__PURE__ */ new Date();
+    }
+    var WorkflowDedupTableNameMissingError = class extends Error {
+      /** @param message - human-readable description. */
+      constructor(message) {
+        super(message);
+        this.name = "WorkflowDedupTableNameMissingError";
+      }
+    };
+    exports2.WorkflowDedupTableNameMissingError = WorkflowDedupTableNameMissingError;
+    var WorkflowDedupInvalidInputError = class extends Error {
+      /** @param message - human-readable description. */
+      constructor(message) {
+        super(message);
+        this.name = "WorkflowDedupInvalidInputError";
+      }
+    };
+    exports2.WorkflowDedupInvalidInputError = WorkflowDedupInvalidInputError;
+  }
+});
+// ../workflows/lib/dedup/index.js
+var require_dedup = __commonJS({
+  "../workflows/lib/dedup/index.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.workflowDedupClient = exports2.recordIfAbsent = exports2.markFailed = exports2.encodeSortKey = exports2.WorkflowDedupTableNameMissingError = exports2.WorkflowDedupInvalidInputError = exports2.WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR = exports2.WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH = exports2.WORKFLOW_DEDUP_DEFAULT_TTL_SECONDS = void 0;
+    var env_1 = require_env();
+    Object.defineProperty(exports2, "WORKFLOW_DEDUP_DEFAULT_TTL_SECONDS", { enumerable: true, get: function() {
+      return env_1.WORKFLOW_DEDUP_DEFAULT_TTL_SECONDS;
+    } });
+    Object.defineProperty(exports2, "WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH", { enumerable: true, get: function() {
+      return env_1.WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH;
+    } });
+    Object.defineProperty(exports2, "WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR", { enumerable: true, get: function() {
+      return env_1.WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR;
+    } });
+    var workflow_dedup_client_1 = require_workflow_dedup_client();
+    Object.defineProperty(exports2, "WorkflowDedupInvalidInputError", { enumerable: true, get: function() {
+      return workflow_dedup_client_1.WorkflowDedupInvalidInputError;
+    } });
+    Object.defineProperty(exports2, "WorkflowDedupTableNameMissingError", { enumerable: true, get: function() {
+      return workflow_dedup_client_1.WorkflowDedupTableNameMissingError;
+    } });
+    Object.defineProperty(exports2, "encodeSortKey", { enumerable: true, get: function() {
+      return workflow_dedup_client_1.encodeSortKey;
+    } });
+    Object.defineProperty(exports2, "markFailed", { enumerable: true, get: function() {
+      return workflow_dedup_client_1.markFailed;
+    } });
+    Object.defineProperty(exports2, "recordIfAbsent", { enumerable: true, get: function() {
+      return workflow_dedup_client_1.recordIfAbsent;
+    } });
+    Object.defineProperty(exports2, "workflowDedupClient", { enumerable: true, get: function() {
+      return workflow_dedup_client_1.workflowDedupClient;
+    } });
+  }
+});
+// ../workflows/lib/index.js
+var require_lib2 = __commonJS({
+  "../workflows/lib/index.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.workflowDedupClient = exports2.recordIfAbsent = exports2.markFailed = exports2.encodeSortKey = exports2.WorkflowDedupTableNameMissingError = exports2.WorkflowDedupInvalidInputError = exports2.WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR = exports2.WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH = exports2.WORKFLOW_DEDUP_DEFAULT_TTL_SECONDS = exports2.parseWorkflowEvent = exports2.UnsupportedEnvelopeVersionError = exports2.InvalidWorkflowEventError = exports2.workflowsClient = exports2.publishWorkflowEvent = exports2.WorkflowPublishError = exports2.isWellFormedDetailType = exports2.defineDetailType = exports2.PlatformSystemDataSeededV1 = exports2.PlatformDeploymentCompletedV1 = exports2.InvalidDetailTypeRegistrationError = exports2.OPENHI_OPS_SOURCE = exports2.OPENHI_DATA_SOURCE = exports2.OPENHI_CONTROL_SOURCE = exports2.DEFAULT_BUS_NAME_BY_SOURCE = exports2.workflowUserActorFromClaims = exports2.isWorkflowUserActor = exports2.isWorkflowSystemActor = exports2.MissingActorContextError = exports2.isSupportedEnvelopeVersion = exports2.ENVELOPE_VERSION = void 0;
+    var envelope_version_1 = require_envelope_version();
+    Object.defineProperty(exports2, "ENVELOPE_VERSION", { enumerable: true, get: function() {
+      return envelope_version_1.ENVELOPE_VERSION;
+    } });
+    Object.defineProperty(exports2, "isSupportedEnvelopeVersion", { enumerable: true, get: function() {
+      return envelope_version_1.isSupportedEnvelopeVersion;
+    } });
+    var envelope_1 = require_envelope();
+    Object.defineProperty(exports2, "MissingActorContextError", { enumerable: true, get: function() {
+      return envelope_1.MissingActorContextError;
+    } });
+    Object.defineProperty(exports2, "isWorkflowSystemActor", { enumerable: true, get: function() {
+      return envelope_1.isWorkflowSystemActor;
+    } });
+    Object.defineProperty(exports2, "isWorkflowUserActor", { enumerable: true, get: function() {
+      return envelope_1.isWorkflowUserActor;
+    } });
+    Object.defineProperty(exports2, "workflowUserActorFromClaims", { enumerable: true, get: function() {
+      return envelope_1.workflowUserActorFromClaims;
+    } });
+    var sources_1 = require_sources();
+    Object.defineProperty(exports2, "DEFAULT_BUS_NAME_BY_SOURCE", { enumerable: true, get: function() {
+      return sources_1.DEFAULT_BUS_NAME_BY_SOURCE;
+    } });
+    Object.defineProperty(exports2, "OPENHI_CONTROL_SOURCE", { enumerable: true, get: function() {
+      return sources_1.OPENHI_CONTROL_SOURCE;
+    } });
+    Object.defineProperty(exports2, "OPENHI_DATA_SOURCE", { enumerable: true, get: function() {
+      return sources_1.OPENHI_DATA_SOURCE;
+    } });
+    Object.defineProperty(exports2, "OPENHI_OPS_SOURCE", { enumerable: true, get: function() {
+      return sources_1.OPENHI_OPS_SOURCE;
+    } });
+    var detail_types_1 = require_detail_types();
+    Object.defineProperty(exports2, "InvalidDetailTypeRegistrationError", { enumerable: true, get: function() {
+      return detail_types_1.InvalidDetailTypeRegistrationError;
+    } });
+    Object.defineProperty(exports2, "PlatformDeploymentCompletedV1", { enumerable: true, get: function() {
+      return detail_types_1.PlatformDeploymentCompletedV1;
+    } });
+    Object.defineProperty(exports2, "PlatformSystemDataSeededV1", { enumerable: true, get: function() {
+      return detail_types_1.PlatformSystemDataSeededV1;
+    } });
+    Object.defineProperty(exports2, "defineDetailType", { enumerable: true, get: function() {
+      return detail_types_1.defineDetailType;
+    } });
+    Object.defineProperty(exports2, "isWellFormedDetailType", { enumerable: true, get: function() {
+      return detail_types_1.isWellFormedDetailType;
+    } });
+    var publisher_1 = require_publisher();
+    Object.defineProperty(exports2, "WorkflowPublishError", { enumerable: true, get: function() {
+      return publisher_1.WorkflowPublishError;
+    } });
+    Object.defineProperty(exports2, "publishWorkflowEvent", { enumerable: true, get: function() {
+      return publisher_1.publishWorkflowEvent;
+    } });
+    Object.defineProperty(exports2, "workflowsClient", { enumerable: true, get: function() {
+      return publisher_1.workflowsClient;
+    } });
+    var consumer_1 = require_consumer();
+    Object.defineProperty(exports2, "InvalidWorkflowEventError", { enumerable: true, get: function() {
+      return consumer_1.InvalidWorkflowEventError;
+    } });
+    Object.defineProperty(exports2, "UnsupportedEnvelopeVersionError", { enumerable: true, get: function() {
+      return consumer_1.UnsupportedEnvelopeVersionError;
+    } });
+    Object.defineProperty(exports2, "parseWorkflowEvent", { enumerable: true, get: function() {
+      return consumer_1.parseWorkflowEvent;
+    } });
+    var dedup_1 = require_dedup();
+    Object.defineProperty(exports2, "WORKFLOW_DEDUP_DEFAULT_TTL_SECONDS", { enumerable: true, get: function() {
+      return dedup_1.WORKFLOW_DEDUP_DEFAULT_TTL_SECONDS;
+    } });
+    Object.defineProperty(exports2, "WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH", { enumerable: true, get: function() {
+      return dedup_1.WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH;
+    } });
+    Object.defineProperty(exports2, "WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR", { enumerable: true, get: function() {
+      return dedup_1.WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR;
+    } });
+    Object.defineProperty(exports2, "WorkflowDedupInvalidInputError", { enumerable: true, get: function() {
+      return dedup_1.WorkflowDedupInvalidInputError;
+    } });
+    Object.defineProperty(exports2, "WorkflowDedupTableNameMissingError", { enumerable: true, get: function() {
+      return dedup_1.WorkflowDedupTableNameMissingError;
+    } });
+    Object.defineProperty(exports2, "encodeSortKey", { enumerable: true, get: function() {
+      return dedup_1.encodeSortKey;
+    } });
+    Object.defineProperty(exports2, "markFailed", { enumerable: true, get: function() {
+      return dedup_1.markFailed;
+    } });
+    Object.defineProperty(exports2, "recordIfAbsent", { enumerable: true, get: function() {
+      return dedup_1.recordIfAbsent;
+    } });
+    Object.defineProperty(exports2, "workflowDedupClient", { enumerable: true, get: function() {
+      return dedup_1.workflowDedupClient;
+    } });
+  }
+});
 // src/index.ts
 var src_exports = {};
 __export(src_exports, {
+  BRIDGED_STATUSES: () => BRIDGED_STATUSES,
+  CLOUDFORMATION_EVENT_SOURCE: () => CLOUDFORMATION_EVENT_SOURCE,
+  CLOUDFORMATION_STACK_STATUS_CHANGE_DETAIL_TYPE: () => CLOUDFORMATION_STACK_STATUS_CHANGE_DETAIL_TYPE,
+  CONTROL_EVENT_BUS_NAME_ENV_VAR: () => CONTROL_EVENT_BUS_NAME_ENV_VAR,
   ChildHostedZone: () => ChildHostedZone,
   CognitoFixtureSeederClient: () => CognitoFixtureSeederClient,
   CognitoUserPool: () => CognitoUserPool,
@@ -103,11 +705,22 @@ __export(src_exports, {
   DATA_STORE_CHANGE_DETAIL_MAX_UTF8_BYTES: () => DATA_STORE_CHANGE_DETAIL_MAX_UTF8_BYTES,
   DATA_STORE_CHANGE_DETAIL_TYPE: () => DATA_STORE_CHANGE_DETAIL_TYPE,
   DATA_STORE_CHANGE_EVENT_SOURCE: () => DATA_STORE_CHANGE_EVENT_SOURCE,
+  DEMO_PERIOD: () => DEMO_PERIOD,
+  DEMO_TENANT_SPECS: () => DEMO_TENANT_SPECS,
+  DEMO_URN_SYSTEM: () => DEMO_URN_SYSTEM,
+  DEV_USERS: () => DEV_USERS,
   DataEventBus: () => DataEventBus,
   DataStoreHistoricalArchive: () => DataStoreHistoricalArchive,
   DataStorePostgresReplica: () => DataStorePostgresReplica,
   DiscoverableStringParameter: () => DiscoverableStringParameter,
   DynamoDbDataStore: () => DynamoDbDataStore,
+  OPENHI_REPO_TAG_KEY_ENV_VAR: () => OPENHI_REPO_TAG_KEY_ENV_VAR,
+  OPENHI_RESOURCE_URN_SYSTEM: () => OPENHI_RESOURCE_URN_SYSTEM,
+  OPENHI_TAG_KEY_PREFIX_ENV_VAR: () => OPENHI_TAG_KEY_PREFIX_ENV_VAR,
+  OPENHI_TAG_SUFFIX_BRANCH_NAME: () => OPENHI_TAG_SUFFIX_BRANCH_NAME,
+  OPENHI_TAG_SUFFIX_REPO_NAME: () => OPENHI_TAG_SUFFIX_REPO_NAME,
+  OPENHI_TAG_SUFFIX_SERVICE_TYPE: () => OPENHI_TAG_SUFFIX_SERVICE_TYPE,
+  OPENHI_TAG_SUFFIX_STAGE_TYPE: () => OPENHI_TAG_SUFFIX_STAGE_TYPE,
   OpenHiApp: () => OpenHiApp,
   OpenHiAuthService: () => OpenHiAuthService,
   OpenHiDataService: () => OpenHiDataService,
@@ -118,10 +731,17 @@ __export(src_exports, {
   OpenHiService: () => OpenHiService,
   OpenHiStage: () => OpenHiStage,
   OpsEventBus: () => OpsEventBus,
+  PLACEHOLDER_TENANT_ID: () => PLACEHOLDER_TENANT_ID,
+  PLACEHOLDER_WORKSPACE_ID: () => PLACEHOLDER_WORKSPACE_ID,
+  PLATFORM_DEPLOY_BRIDGE_ACTOR_SYSTEM: () => PLATFORM_DEPLOY_BRIDGE_ACTOR_SYSTEM,
+  PLATFORM_SCOPE_TENANT_ID: () => PLATFORM_SCOPE_TENANT_ID,
   POSTGRES_REPLICA_CLUSTER_ARN_SSM_NAME: () => POSTGRES_REPLICA_CLUSTER_ARN_SSM_NAME,
   POSTGRES_REPLICA_DATABASE_NAME_SSM_NAME: () => POSTGRES_REPLICA_DATABASE_NAME_SSM_NAME,
   POSTGRES_REPLICA_SECRET_ARN_SSM_NAME: () => POSTGRES_REPLICA_SECRET_ARN_SSM_NAME,
   PROVISION_DEFAULT_WORKSPACE_DETAIL_TYPE: () => PROVISION_DEFAULT_WORKSPACE_DETAIL_TYPE,
+  PlatformDeployBridge: () => PlatformDeployBridge,
+  PlatformDeployBridgeLambda: () => PlatformDeployBridgeLambda,
+  PlatformDeploymentCompletedV1: () => import_workflows4.PlatformDeploymentCompletedV1,
   PostAuthenticationLambda: () => PostAuthenticationLambda,
   PostConfirmationLambda: () => PostConfirmationLambda,
   PreTokenGenerationLambda: () => PreTokenGenerationLambda,
@@ -131,14 +751,40 @@ __export(src_exports, {
   RootHostedZone: () => RootHostedZone,
   RootHttpApi: () => RootHttpApi,
   RootWildcardCertificate: () => RootWildcardCertificate,
+  SEED_DEMO_DATA_CONSUMER_NAME: () => SEED_DEMO_DATA_CONSUMER_NAME,
+  SEED_SYSTEM_DATA_ACTOR_SYSTEM: () => SEED_SYSTEM_DATA_ACTOR_SYSTEM,
+  SEED_SYSTEM_DATA_CONSUMER_NAME: () => SEED_SYSTEM_DATA_CONSUMER_NAME,
+  SEED_SYSTEM_DATA_CONTROL_BUS_ENV_VAR: () => SEED_SYSTEM_DATA_CONTROL_BUS_ENV_VAR,
   STATIC_HOSTING_SERVICE_TYPE: () => STATIC_HOSTING_SERVICE_TYPE,
+  SeedDemoDataLambda: () => SeedDemoDataLambda,
+  SeedDemoDataWorkflow: () => SeedDemoDataWorkflow,
+  SeedSystemDataLambda: () => SeedSystemDataLambda,
+  SeedSystemDataWorkflow: () => SeedSystemDataWorkflow,
   StaticHosting: () => StaticHosting,
   USER_ONBOARDING_EVENT_SOURCE: () => USER_ONBOARDING_EVENT_SOURCE,
   UserOnboardingWorkflow: () => UserOnboardingWorkflow,
+  WorkflowDedupConsumerNameInvalidError: () => WorkflowDedupConsumerNameInvalidError,
+  WorkflowDedupTable: () => WorkflowDedupTable,
+  WorkflowDedupTableDuplicateError: () => WorkflowDedupTableDuplicateError,
   buildFhirCurrentResourceChangeDetail: () => buildFhirCurrentResourceChangeDetail,
   buildProvisionDefaultWorkspaceRequestedDetail: () => buildProvisionDefaultWorkspaceRequestedDetail,
+  demoBasePartitionKeys: () => demoBasePartitionKeys,
+  demoDevUserPartitionKeys: () => demoDevUserPartitionKeys,
+  demoMembershipId: () => demoMembershipId,
+  demoMembershipPartitionKey: () => demoMembershipPartitionKey,
+  demoRoleAssignmentId: () => demoRoleAssignmentId,
+  demoRoleAssignmentPartitionKey: () => demoRoleAssignmentPartitionKey,
+  demoRolesForUserInTenant: () => demoRolesForUserInTenant,
+  demoScenarioIdentifier: () => demoScenarioIdentifier,
+  demoTenantPartitionKey: () => demoTenantPartitionKey,
+  demoUserPartitionKey: () => demoUserPartitionKey,
+  demoWorkspacePartitionKey: () => demoWorkspacePartitionKey,
   getDynamoDbDataStoreTableName: () => getDynamoDbDataStoreTableName,
-  getPostgresReplicaSchemaName: () => getPostgresReplicaSchemaName
+  getPostgresReplicaSchemaName: () => getPostgresReplicaSchemaName,
+  getWorkflowDedupTableName: () => getWorkflowDedupTableName,
+  openHiTagKey: () => openHiTagKey,
+  openhiResourceIdentifier: () => openhiResourceIdentifier,
+  rolePartitionKey: () => rolePartitionKey
 });
 module.exports = __toCommonJS(src_exports);
@@ -353,6 +999,11 @@ var import_utils = require("@codedrifters/utils");
 var import_config3 = __toESM(require_lib());
 var import_aws_cdk_lib4 = require("aws-cdk-lib");
 var import_change_case = require("change-case");
+var OPENHI_TAG_SUFFIX_REPO_NAME = "repo-name";
+var OPENHI_TAG_SUFFIX_BRANCH_NAME = "branch-name";
+var OPENHI_TAG_SUFFIX_SERVICE_TYPE = "service-type";
+var OPENHI_TAG_SUFFIX_STAGE_TYPE = "stage-type";
+var openHiTagKey = (appName, suffix) => `${appName}:${suffix}`;
 var OpenHiService = class extends import_aws_cdk_lib4.Stack {
   /**
    * Creates a new OpenHI service stack.
@@ -420,11 +1071,20 @@ var OpenHiService = class extends import_aws_cdk_lib4.Stack {
       `availability-zones:account=${account}:region=${region}`,
       [`${region}a`, `${region}b`, `${region}c`]
     );
-    import_aws_cdk_lib4.Tags.of(this).add(`${appName}:repo-name`, repoName.slice(0, 255));
-    import_aws_cdk_lib4.Tags.of(this).add(`${appName}:branch-name`, branchName.slice(0, 255));
-    import_aws_cdk_lib4.Tags.of(this).add(`${appName}:service-type`, id.slice(0, 255));
     import_aws_cdk_lib4.Tags.of(this).add(
-      `${appName}:stage-type`,
+      openHiTagKey(appName, OPENHI_TAG_SUFFIX_REPO_NAME),
+      repoName.slice(0, 255)
+    );
+    import_aws_cdk_lib4.Tags.of(this).add(
+      openHiTagKey(appName, OPENHI_TAG_SUFFIX_BRANCH_NAME),
+      branchName.slice(0, 255)
+    );
+    import_aws_cdk_lib4.Tags.of(this).add(
+      openHiTagKey(appName, OPENHI_TAG_SUFFIX_SERVICE_TYPE),
+      id.slice(0, 255)
+    );
+    import_aws_cdk_lib4.Tags.of(this).add(
+      openHiTagKey(appName, OPENHI_TAG_SUFFIX_STAGE_TYPE),
       ohEnv.ohStage.stageType.slice(0, 255)
     );
   }
@@ -1110,6 +1770,204 @@ var DynamoDbDataStore = class extends import_aws_dynamodb.Table {
   }
 };
+// src/components/dynamodb/workflow-dedup-table.ts
+var import_workflows = __toESM(require_lib2());
+var import_aws_cdk_lib8 = require("aws-cdk-lib");
+var import_aws_dynamodb2 = require("aws-cdk-lib/aws-dynamodb");
+var import_aws_iam = require("aws-cdk-lib/aws-iam");
+var import_constructs5 = require("constructs");
+function getWorkflowDedupTableName(scope) {
+  const stack = OpenHiService.of(scope);
+  return `workflow-dedup-${stack.branchHash}`;
+}
+var _WorkflowDedupTable = class _WorkflowDedupTable extends import_constructs5.Construct {
+  constructor(scope, id, props = {}) {
+    super(scope, id);
+    this.registeredConsumers = /* @__PURE__ */ new Set();
+    const service = OpenHiService.of(scope);
+    const others = service.node.findAll().filter(
+      (c) => c instanceof _WorkflowDedupTable && c !== this
+    );
+    if (others.length > 0) {
+      throw new WorkflowDedupTableDuplicateError(
+        `WorkflowDedupTable already exists at ${others[0].node.path}; only one shared dedup table is allowed per service stack (TR-015).`
+      );
+    }
+    this.table = new import_aws_dynamodb2.Table(this, "Table", {
+      tableName: getWorkflowDedupTableName(scope),
+      partitionKey: {
+        name: "consumerName",
+        type: import_aws_dynamodb2.AttributeType.STRING
+      },
+      sortKey: {
+        name: "sk",
+        type: import_aws_dynamodb2.AttributeType.STRING
+      },
+      billingMode: import_aws_dynamodb2.BillingMode.PAY_PER_REQUEST,
+      timeToLiveAttribute: "expiresAt",
+      removalPolicy: props.removalPolicy ?? service.removalPolicy
+    });
+    new DiscoverableStringParameter(this, "table-name-param", {
+      ssmParamName: _WorkflowDedupTable.TABLE_NAME_SSM_PARAM_NAME,
+      stringValue: this.table.tableName
+    });
+    new DiscoverableStringParameter(this, "table-arn-param", {
+      ssmParamName: _WorkflowDedupTable.TABLE_ARN_SSM_PARAM_NAME,
+      stringValue: this.table.tableArn
+    });
+  }
+  /** Cross-stack lookup for the table name. */
+  static tableNameFromLookup(scope) {
+    return DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: _WorkflowDedupTable.TABLE_NAME_SSM_PARAM_NAME,
+      serviceType: _WorkflowDedupTable.PUBLISHER_SERVICE_TYPE
+    });
+  }
+  /** Cross-stack lookup for the table ARN. */
+  static tableArnFromLookup(scope) {
+    return DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: _WorkflowDedupTable.TABLE_ARN_SSM_PARAM_NAME,
+      serviceType: _WorkflowDedupTable.PUBLISHER_SERVICE_TYPE
+    });
+  }
+  /**
+   * Cross-stack equivalent of {@link grantConsumer}. Use when the dedup
+   * table is on a different stack than the consumer Lambda — the
+   * grant resolves the table name + ARN via SSM at synth time, so the
+   * consumer stack does not pick up a CloudFormation export dependency
+   * on the global stack.
+   *
+   * Inverts the singleton-guard semantics of `grantConsumer`: there is
+   * no synth-time check that the same `consumerName` was registered
+   * twice across stacks. Consumer names are agreed by convention
+   * (see TR-015); double-registration is operator error caught at
+   * design time, not synth time.
+   */
+  static grantConsumerFromLookup(scope, fn, consumerName, options = {}) {
+    _WorkflowDedupTable.assertConsumerNameStatic(consumerName);
+    const tableName = _WorkflowDedupTable.tableNameFromLookup(scope);
+    const tableArn = _WorkflowDedupTable.tableArnFromLookup(scope);
+    fn.addEnvironment(import_workflows.WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR, tableName);
+    if (options.defaultTtlSeconds !== void 0) {
+      fn.addEnvironment(
+        "OPENHI_WORKFLOW_DEDUP_DEFAULT_TTL_SECONDS",
+        String(options.defaultTtlSeconds)
+      );
+    }
+    fn.addToRolePolicy(
+      new import_aws_iam.PolicyStatement({
+        effect: import_aws_iam.Effect.ALLOW,
+        actions: [
+          "dynamodb:PutItem",
+          "dynamodb:UpdateItem",
+          "dynamodb:GetItem",
+          "dynamodb:Query"
+        ],
+        resources: [tableArn],
+        conditions: {
+          "ForAllValues:StringEquals": {
+            "dynamodb:LeadingKeys": [consumerName]
+          }
+        }
+      })
+    );
+  }
+  /**
+   * Standalone consumer-name validator shared by the instance method
+   * and `grantConsumerFromLookup` so the two grants enforce identical
+   * invariants.
+   */
+  static assertConsumerNameStatic(consumerName) {
+    if (consumerName.length === 0) {
+      throw new WorkflowDedupConsumerNameInvalidError(
+        "consumerName must be non-empty."
+      );
+    }
+    if (consumerName.length > import_workflows.WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH) {
+      throw new WorkflowDedupConsumerNameInvalidError(
+        `consumerName must be at most ${import_workflows.WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH} chars; got ${consumerName.length}.`
+      );
+    }
+    if (/\s/.test(consumerName)) {
+      throw new WorkflowDedupConsumerNameInvalidError(
+        "consumerName must not contain whitespace."
+      );
+    }
+  }
+  /**
+   * Wire a Lambda consumer to this table. Injects the table-name env var
+   * so the runtime `WorkflowDedupClient` can resolve it, then attaches a
+   * per-consumer IAM grant scoped by `dynamodb:LeadingKeys` so the
+   * consumer can only read/write its own partition.
+   */
+  grantConsumer(fn, consumerName, options = {}) {
+    this.assertConsumerName(consumerName);
+    if (this.registeredConsumers.has(consumerName)) {
+      import_aws_cdk_lib8.Annotations.of(this).addWarning(
+        `WorkflowDedupTable: consumerName "${consumerName}" registered more than once; subsequent grantConsumer calls add policy statements but do not re-inject the env var.`
+      );
+    }
+    this.registeredConsumers.add(consumerName);
+    fn.addEnvironment(import_workflows.WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR, this.table.tableName);
+    if (options.defaultTtlSeconds !== void 0) {
+      fn.addEnvironment(
+        "OPENHI_WORKFLOW_DEDUP_DEFAULT_TTL_SECONDS",
+        String(options.defaultTtlSeconds)
+      );
+    }
+    fn.addToRolePolicy(
+      new import_aws_iam.PolicyStatement({
+        effect: import_aws_iam.Effect.ALLOW,
+        actions: [
+          "dynamodb:PutItem",
+          "dynamodb:UpdateItem",
+          "dynamodb:GetItem",
+          "dynamodb:Query"
+        ],
+        resources: [this.table.tableArn],
+        conditions: {
+          "ForAllValues:StringEquals": {
+            "dynamodb:LeadingKeys": [consumerName]
+          }
+        }
+      })
+    );
+  }
+  assertConsumerName(consumerName) {
+    _WorkflowDedupTable.assertConsumerNameStatic(consumerName);
+  }
+};
+/** SSM param name (short) used by `DiscoverableStringParameter` for the table name lookup. */
+_WorkflowDedupTable.TABLE_NAME_SSM_PARAM_NAME = "workflow-dedup-table-name";
+/** SSM param name (short) used by `DiscoverableStringParameter` for the table ARN lookup. */
+_WorkflowDedupTable.TABLE_ARN_SSM_PARAM_NAME = "workflow-dedup-table-arn";
+/**
+ * Service-type the publishing stack runs under. The cross-stack lookups
+ * pin to this value so consumer stacks on a different service-type
+ * (e.g. `data`, `auth`) resolve the parameter at the publisher's SSM
+ * path instead of their own. Typed against `OpenHiServiceType` so a
+ * future rename of the literal triggers a compile error; not pulled
+ * from `OpenHiGlobalService.SERVICE_TYPE` because
+ * `OpenHiGlobalService` already imports `WorkflowDedupTable` — a
+ * back-import would create a circular dependency.
+ */
+_WorkflowDedupTable.PUBLISHER_SERVICE_TYPE = "global";
+var WorkflowDedupTable = _WorkflowDedupTable;
+var WorkflowDedupTableDuplicateError = class extends Error {
+  /** @param message - human-readable description of the duplicate. */
+  constructor(message) {
+    super(message);
+    this.name = "WorkflowDedupTableDuplicateError";
+  }
+};
+var WorkflowDedupConsumerNameInvalidError = class extends Error {
+  /** @param message - human-readable description of the invariant violation. */
+  constructor(message) {
+    super(message);
+    this.name = "WorkflowDedupConsumerNameInvalidError";
+  }
+};
 // src/components/event-bridge/data-event-bus.ts
 var import_aws_events = require("aws-cdk-lib/aws-events");
 var DataEventBus = class _DataEventBus extends import_aws_events.EventBus {
@@ -1179,13 +2037,13 @@ var ControlEventBus = class _ControlEventBus extends import_aws_events3.EventBus
 // src/components/postgres/data-store-postgres-replica.ts
 var import_node_fs5 = __toESM(require("fs"));
 var import_node_path5 = __toESM(require("path"));
-var import_aws_cdk_lib8 = require("aws-cdk-lib");
+var import_aws_cdk_lib9 = require("aws-cdk-lib");
 var ec2 = __toESM(require("aws-cdk-lib/aws-ec2"));
 var import_aws_lambda5 = require("aws-cdk-lib/aws-lambda");
 var import_aws_lambda_event_sources = require("aws-cdk-lib/aws-lambda-event-sources");
 var import_aws_lambda_nodejs5 = require("aws-cdk-lib/aws-lambda-nodejs");
 var rds = __toESM(require("aws-cdk-lib/aws-rds"));
-var import_constructs5 = require("constructs");
+var import_constructs6 = require("constructs");
 var HANDLER_NAME5 = "data-store-postgres-replication.handler.js";
 var DEFAULT_DATABASE_NAME = "openhi";
 var SCHEMA_NAME_PATTERN = /^[a-z_][a-z0-9_]{0,62}$/;
@@ -1208,7 +2066,7 @@ function getPostgresReplicaSchemaName(branchHash) {
   }
   return candidate;
 }
-var DataStorePostgresReplica = class extends import_constructs5.Construct {
+var DataStorePostgresReplica = class extends import_constructs6.Construct {
   /**
    * Resolve the cluster ARN published by an upstream {@link DataStorePostgresReplica}.
    * Use from any stack that needs to grant `rds-data:ExecuteStatement` against
@@ -1245,7 +2103,7 @@ var DataStorePostgresReplica = class extends import_constructs5.Construct {
     super(scope, id);
     this.databaseName = props.databaseName ?? DEFAULT_DATABASE_NAME;
     this.schemaName = getPostgresReplicaSchemaName(props.branchHash);
-    const region = import_aws_cdk_lib8.Stack.of(this).region;
+    const region = import_aws_cdk_lib9.Stack.of(this).region;
     this.vpc = props.vpc ?? new ec2.Vpc(this, "Vpc", {
       availabilityZones: [`${region}a`, `${region}b`],
       natGateways: 0,
@@ -1281,7 +2139,7 @@ var DataStorePostgresReplica = class extends import_constructs5.Construct {
       entry: resolveHandlerEntry5(__dirname),
       runtime: import_aws_lambda5.Runtime.NODEJS_LATEST,
       memorySize: 512,
-      timeout: import_aws_cdk_lib8.Duration.minutes(1),
+      timeout: import_aws_cdk_lib9.Duration.minutes(1),
       vpc: this.vpc,
       vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE_ISOLATED },
       description: "Replicates DynamoDB current-resource changes into the Postgres `resources` JSONB table (ADR 2026-04-17-01).",
@@ -1308,7 +2166,7 @@ var DataStorePostgresReplica = class extends import_constructs5.Construct {
       new import_aws_lambda_event_sources.KinesisEventSource(props.kinesisStream, {
         startingPosition: import_aws_lambda5.StartingPosition.LATEST,
         batchSize: 100,
-        maxBatchingWindow: import_aws_cdk_lib8.Duration.seconds(5),
+        maxBatchingWindow: import_aws_cdk_lib9.Duration.seconds(5),
         retryAttempts: 10,
         bisectBatchOnError: true,
         parallelizationFactor: 2,
@@ -1341,7 +2199,7 @@ var DataStorePostgresReplica = class extends import_constructs5.Construct {
 };
 // src/components/route-53/child-hosted-zone.ts
-var import_aws_cdk_lib9 = require("aws-cdk-lib");
+var import_aws_cdk_lib10 = require("aws-cdk-lib");
 var import_aws_route53 = require("aws-cdk-lib/aws-route53");
 var ChildHostedZone = class extends import_aws_route53.HostedZone {
   constructor(scope, id, props) {
@@ -1350,7 +2208,7 @@ var ChildHostedZone = class extends import_aws_route53.HostedZone {
       zone: props.parentHostedZone,
       recordName: this.zoneName,
       values: this.hostedZoneNameServers || [],
-      ttl: import_aws_cdk_lib9.Duration.minutes(5)
+      ttl: import_aws_cdk_lib10.Duration.minutes(5)
     });
   }
 };
@@ -1360,8 +2218,8 @@ var ChildHostedZone = class extends import_aws_route53.HostedZone {
 ChildHostedZone.SSM_PARAM_NAME = "CHILDHOSTEDZONE";
 // src/components/route-53/root-hosted-zone.ts
-var import_constructs6 = require("constructs");
-var RootHostedZone = class extends import_constructs6.Construct {
+var import_constructs7 = require("constructs");
+var RootHostedZone = class extends import_constructs7.Construct {
 };
 // src/components/static-hosting/static-hosting.ts
@@ -1369,9 +2227,9 @@ var import_aws_cloudfront = require("aws-cdk-lib/aws-cloudfront");
 var import_aws_cloudfront_origins = require("aws-cdk-lib/aws-cloudfront-origins");
 var import_aws_s3 = require("aws-cdk-lib/aws-s3");
 var import_core = require("aws-cdk-lib/core");
-var import_constructs7 = require("constructs");
+var import_constructs8 = require("constructs");
 var STATIC_HOSTING_SERVICE_TYPE = "website";
-var _StaticHosting = class _StaticHosting extends import_constructs7.Construct {
+var _StaticHosting = class _StaticHosting extends import_constructs8.Construct {
   constructor(scope, id, props = {}) {
     super(scope, id);
     const stack = OpenHiService.of(scope);
@@ -1423,29 +2281,127 @@ _StaticHosting.SSM_PARAM_NAME_DISTRIBUTION_ARN = "STATIC_HOSTING_DISTRIBUTION_AR
 var StaticHosting = _StaticHosting;
 // src/services/open-hi-auth-service.ts
-var import_config4 = __toESM(require_lib());
+var import_config5 = __toESM(require_lib());
 var import_aws_cognito5 = require("aws-cdk-lib/aws-cognito");
-var import_aws_iam2 = require("aws-cdk-lib/aws-iam");
+var import_aws_iam6 = require("aws-cdk-lib/aws-iam");
 var import_aws_kms2 = require("aws-cdk-lib/aws-kms");
 var import_core2 = require("aws-cdk-lib/core");
 // src/services/open-hi-data-service.ts
-var import_aws_dynamodb2 = require("aws-cdk-lib/aws-dynamodb");
+var import_config4 = __toESM(require_lib());
+var import_aws_dynamodb3 = require("aws-cdk-lib/aws-dynamodb");
 var kinesis = __toESM(require("aws-cdk-lib/aws-kinesis"));
 // src/services/open-hi-global-service.ts
 var import_aws_certificatemanager2 = require("aws-cdk-lib/aws-certificatemanager");
-var import_aws_events4 = require("aws-cdk-lib/aws-events");
+var import_aws_events5 = require("aws-cdk-lib/aws-events");
 var import_aws_route532 = require("aws-cdk-lib/aws-route53");
 var import_aws_ssm3 = require("aws-cdk-lib/aws-ssm");
-var _OpenHiGlobalService = class _OpenHiGlobalService extends OpenHiService {
-  /**
-   * Returns an IHostedZone from the given attributes (no SSM). Use when the zone is imported from config.
-   */
-  static rootHostedZoneFromConstruct(scope, props) {
-    return import_aws_route532.HostedZone.fromHostedZoneAttributes(scope, "root-zone", props);
-  }
-  /**
+// src/workflows/control-plane/platform-deploy-bridge/events.ts
+var CLOUDFORMATION_EVENT_SOURCE = "aws.cloudformation";
+var CLOUDFORMATION_STACK_STATUS_CHANGE_DETAIL_TYPE = "CloudFormation Stack Status Change";
+var BRIDGED_STATUSES = ["CREATE_COMPLETE", "UPDATE_COMPLETE"];
+var CONTROL_EVENT_BUS_NAME_ENV_VAR = "CONTROL_EVENT_BUS_NAME";
+var OPENHI_REPO_TAG_KEY_ENV_VAR = "OPENHI_REPO_TAG_KEY";
+var OPENHI_TAG_KEY_PREFIX_ENV_VAR = "OPENHI_TAG_KEY_PREFIX";
+var PLATFORM_DEPLOY_BRIDGE_ACTOR_SYSTEM = "platform-deploy-bridge";
+// src/workflows/control-plane/platform-deploy-bridge/platform-deploy-bridge.ts
+var import_constructs10 = require("constructs");
+// src/workflows/control-plane/platform-deploy-bridge/platform-deploy-bridge-lambda.ts
+var import_node_fs6 = __toESM(require("fs"));
+var import_node_path6 = __toESM(require("path"));
+var import_aws_cdk_lib11 = require("aws-cdk-lib");
+var import_aws_events4 = require("aws-cdk-lib/aws-events");
+var import_aws_events_targets = require("aws-cdk-lib/aws-events-targets");
+var import_aws_iam2 = require("aws-cdk-lib/aws-iam");
+var import_aws_lambda6 = require("aws-cdk-lib/aws-lambda");
+var import_aws_lambda_nodejs6 = require("aws-cdk-lib/aws-lambda-nodejs");
+var import_constructs9 = require("constructs");
+var HANDLER_NAME6 = "platform-deploy-bridge.handler.js";
+function resolveHandlerEntry6(dirname) {
+  const sameDir = import_node_path6.default.join(dirname, HANDLER_NAME6);
+  if (import_node_fs6.default.existsSync(sameDir)) {
+    return sameDir;
+  }
+  return import_node_path6.default.join(dirname, "..", "..", "..", "..", "lib", HANDLER_NAME6);
+}
+var PlatformDeployBridgeLambda = class extends import_constructs9.Construct {
+  constructor(scope, props) {
+    super(scope, "platform-deploy-bridge-lambda");
+    const service = OpenHiService.of(this);
+    const repoTagKey = openHiTagKey(
+      service.appName,
+      OPENHI_TAG_SUFFIX_REPO_NAME
+    );
+    const tagKeyPrefix = `${service.appName}:`;
+    const ownStackName = import_aws_cdk_lib11.Stack.of(this).stackName;
+    const ownSuffix = `-${service.serviceId}-${import_aws_cdk_lib11.Stack.of(this).account}-${import_aws_cdk_lib11.Stack.of(this).region}`;
+    const sharedPrefix = ownStackName.endsWith(ownSuffix) ? ownStackName.slice(0, -ownSuffix.length) : service.branchHash;
+    const stackIdPrefix = `arn:aws:cloudformation:${import_aws_cdk_lib11.Stack.of(this).region}:${import_aws_cdk_lib11.Stack.of(this).account}:stack/${sharedPrefix}-`;
+    this.lambda = new import_aws_lambda_nodejs6.NodejsFunction(this, "handler", {
+      entry: resolveHandlerEntry6(__dirname),
+      runtime: import_aws_lambda6.Runtime.NODEJS_LATEST,
+      memorySize: 256,
+      timeout: import_aws_cdk_lib11.Duration.seconds(30),
+      environment: {
+        [CONTROL_EVENT_BUS_NAME_ENV_VAR]: props.controlEventBus.eventBusName,
+        [OPENHI_REPO_TAG_KEY_ENV_VAR]: repoTagKey,
+        [OPENHI_TAG_KEY_PREFIX_ENV_VAR]: tagKeyPrefix
+      }
+    });
+    this.lambda.addToRolePolicy(
+      new import_aws_iam2.PolicyStatement({
+        effect: import_aws_iam2.Effect.ALLOW,
+        actions: ["cloudformation:DescribeStacks"],
+        resources: [
+          `arn:aws:cloudformation:${import_aws_cdk_lib11.Stack.of(this).region}:${import_aws_cdk_lib11.Stack.of(this).account}:stack/*`
+        ]
+      })
+    );
+    props.controlEventBus.grantPutEventsTo(this.lambda);
+    this.rule = new import_aws_events4.Rule(this, "rule", {
+      eventPattern: {
+        source: [CLOUDFORMATION_EVENT_SOURCE],
+        detailType: [CLOUDFORMATION_STACK_STATUS_CHANGE_DETAIL_TYPE],
+        detail: {
+          "stack-id": [{ prefix: stackIdPrefix }],
+          "status-details": {
+            status: [...BRIDGED_STATUSES]
+          }
+        }
+      },
+      targets: [
+        new import_aws_events_targets.LambdaFunction(this.lambda, {
+          retryAttempts: 2,
+          maxEventAge: import_aws_cdk_lib11.Duration.hours(2)
+        })
+      ]
+    });
+  }
+};
+// src/workflows/control-plane/platform-deploy-bridge/platform-deploy-bridge.ts
+var PlatformDeployBridge = class extends import_constructs10.Construct {
+  constructor(scope, props) {
+    super(scope, "platform-deploy-bridge");
+    this.bridgeLambda = new PlatformDeployBridgeLambda(this, {
+      controlEventBus: props.controlEventBus
+    });
+  }
+};
+// src/services/open-hi-global-service.ts
+var _OpenHiGlobalService = class _OpenHiGlobalService extends OpenHiService {
+  /**
+   * Returns an IHostedZone from the given attributes (no SSM). Use when the zone is imported from config.
+   */
+  static rootHostedZoneFromConstruct(scope, props) {
+    return import_aws_route532.HostedZone.fromHostedZoneAttributes(scope, "root-zone", props);
+  }
+  /**
    * Returns an ICertificate by looking up the Global stack's wildcard cert ARN from SSM.
    */
   static rootWildcardCertificateFromConstruct(scope) {
@@ -1476,7 +2432,7 @@ var _OpenHiGlobalService = class _OpenHiGlobalService extends OpenHiService {
    * Returns the data event bus by name (deterministic per branch). Use from other stacks to obtain an IEventBus reference.
    */
   static dataEventBusFromConstruct(scope) {
-    return import_aws_events4.EventBus.fromEventBusName(
+    return import_aws_events5.EventBus.fromEventBusName(
       scope,
       "data-event-bus",
       DataEventBus.getEventBusName(scope)
@@ -1486,7 +2442,7 @@ var _OpenHiGlobalService = class _OpenHiGlobalService extends OpenHiService {
    * Returns the ops event bus by name (deterministic per branch). Use from other stacks to obtain an IEventBus reference.
    */
   static opsEventBusFromConstruct(scope) {
-    return import_aws_events4.EventBus.fromEventBusName(
+    return import_aws_events5.EventBus.fromEventBusName(
       scope,
       "ops-event-bus",
       OpsEventBus.getEventBusName(scope)
@@ -1496,12 +2452,23 @@ var _OpenHiGlobalService = class _OpenHiGlobalService extends OpenHiService {
    * Returns the control-plane event bus by name (deterministic per branch). Use from other stacks to obtain an IEventBus reference.
    */
   static controlEventBusFromConstruct(scope) {
-    return import_aws_events4.EventBus.fromEventBusName(
+    return import_aws_events5.EventBus.fromEventBusName(
       scope,
       "control-event-bus",
       ControlEventBus.getEventBusName(scope)
     );
   }
+  /**
+   * Returns the workflow dedup table by name (deterministic per branch).
+   * Use from other stacks to obtain an ITable reference. Consumer Lambdas
+   * are typically wired via `WorkflowDedupTable.grantConsumer(fn, name)`
+   * on the owning service's `workflowDedupTable` reference; the
+   * `tableNameFromLookup` / `tableArnFromLookup` SSM helpers on the
+   * construct cover cross-stack consumers that need only the name/ARN.
+   */
+  static workflowDedupTableNameFromLookup(scope) {
+    return WorkflowDedupTable.tableNameFromLookup(scope);
+  }
   get serviceType() {
     return _OpenHiGlobalService.SERVICE_TYPE;
   }
@@ -1515,6 +2482,8 @@ var _OpenHiGlobalService = class _OpenHiGlobalService extends OpenHiService {
     this.dataEventBus = this.createDataEventBus();
     this.opsEventBus = this.createOpsEventBus();
     this.controlEventBus = this.createControlEventBus();
+    this.workflowDedupTable = this.createWorkflowDedupTable();
+    this.platformDeployBridge = this.createPlatformDeployBridge();
   }
   /**
    * Validates that config required for the Global stack is present.
@@ -1586,23 +2555,1248 @@ var _OpenHiGlobalService = class _OpenHiGlobalService extends OpenHiService {
   createControlEventBus() {
     return new ControlEventBus(this);
   }
+  /**
+   * Creates the platform deploy bridge that republishes CloudFormation
+   * Stack Status Change events onto the control event bus.
+   * Override to customize.
+   */
+  createPlatformDeployBridge() {
+    return new PlatformDeployBridge(this, {
+      controlEventBus: this.controlEventBus
+    });
+  }
+  /**
+   * Creates the shared workflow dedup table (TR-015 singleton).
+   * Override to customize.
+   */
+  createWorkflowDedupTable() {
+    return new WorkflowDedupTable(this, "workflow-dedup-table");
+  }
 };
 _OpenHiGlobalService.SERVICE_TYPE = "global";
 var OpenHiGlobalService = _OpenHiGlobalService;
-// src/services/open-hi-data-service.ts
-var _OpenHiDataService = class _OpenHiDataService extends OpenHiService {
-  /**
-   * Returns the data store table by name. Use from other stacks (e.g. REST API Lambda) to obtain an ITable reference.
-   */
-  static dynamoDbDataStoreFromConstruct(scope, id = "dynamo-db-data-store") {
-    return import_aws_dynamodb2.Table.fromTableName(scope, id, getDynamoDbDataStoreTableName(scope));
+// src/workflows/control-plane/seed-demo-data/events.ts
+var import_types = require("@openhi/types");
+var import_workflows2 = __toESM(require_lib2());
+var SEED_DEMO_DATA_CONSUMER_NAME = "seed-demo-data";
+var DEMO_URN_SYSTEM = "urn:openhi:demo";
+var OPENHI_RESOURCE_URN_SYSTEM = "http://openhi.org/";
+var DEMO_PERIOD = { start: "2026-01-01T00:00:00Z" };
+var PLATFORM_SCOPE_TENANT_ID = "platform";
+var PLACEHOLDER_TENANT_ID = "placeholder-tenant-id";
+var PLACEHOLDER_WORKSPACE_ID = "placeholder-workspace-id";
+var DEV_USERS = [
+  { id: "dev-russell", email: "russell@codedrifters.com" },
+  { id: "dev-cameron", email: "cameron@codedrifters.com" },
+  { id: "dev-neelima", email: "neelima@codedrifters.com" },
+  { id: "dev-garon", email: "garon@codedrifters.com" },
+  { id: "dev-dave", email: "dave@codedrifters.com" },
+  { id: "dev-drew", email: "drew@codedrifters.com" },
+  { id: "dev-jessica", email: "jessica@codedrifters.com" },
+  { id: "dev-jared", email: "jared@codedrifters.com" },
+  { id: "dev-goddess", email: "goddess@codedrifters.com" }
+];
+var DEMO_TENANT_SPECS = [
+  {
+    scenario: "placeholder",
+    tenantId: PLACEHOLDER_TENANT_ID,
+    tenantName: "OpenHI Placeholder Tenant",
+    workspaces: [
+      {
+        id: PLACEHOLDER_WORKSPACE_ID,
+        name: "OpenHI Placeholder Workspace",
+        roleSuffix: "workspace"
+      }
+    ]
+  },
+  {
+    scenario: "demo-wound-care",
+    tenantId: "demo-wound-care-tenant",
+    tenantName: "Cedarbrook Wound Healing Institute",
+    workspaces: [
+      {
+        id: "demo-wound-care-workspace",
+        name: "Cedarbrook Outpatient Wound Clinic",
+        roleSuffix: "workspace"
+      }
+    ]
+  },
+  {
+    scenario: "demo-primary-care",
+    tenantId: "demo-primary-care-tenant",
+    tenantName: "Maple Ridge Family Medicine",
+    workspaces: [
+      {
+        id: "demo-primary-care-workspace",
+        name: "Maple Ridge Main Street Office",
+        roleSuffix: "workspace"
+      }
+    ]
+  },
+  {
+    scenario: "demo-mixed",
+    tenantId: "demo-mixed-tenant",
+    tenantName: "Northbridge Health Network",
+    workspaces: [
+      {
+        id: "demo-mixed-workspace-wound-care",
+        name: "Northbridge Wound Care Center",
+        roleSuffix: "workspace-wound-care"
+      },
+      {
+        id: "demo-mixed-workspace-primary-care",
+        name: "Northbridge Family Practice",
+        roleSuffix: "workspace-primary-care"
+      }
+    ]
+  }
+];
+var demoMembershipId = (devUserId, tenantId) => `demo-membership-${devUserId}-${tenantId}`;
+var demoRoleAssignmentId = (devUserId, tenantId, roleCode) => `demo-roleassignment-${devUserId}-${tenantId}-${roleCode}`;
+var demoScenarioIdentifier = (scenario, roleSuffix) => ({
+  system: DEMO_URN_SYSTEM,
+  value: `${scenario}:${roleSuffix}`
+});
+var openhiResourceIdentifier = (params) => ({
+  use: "unversioned",
+  system: OPENHI_RESOURCE_URN_SYSTEM,
+  value: `urn:ohi:${params.tenantId}:${params.workspaceId}:${params.resourceType}:${params.id}`
+});
+var demoRolesForUserInTenant = (_user, _tenantId) => {
+  void _user;
+  void _tenantId;
+  return [import_types.CONTROL_PLANE_ROLE_CODE.TENANT_ADMIN];
+};
+var rolePartitionKey = (roleId) => `role#id#${roleId}`;
+var demoTenantPartitionKey = (tenantId) => `tenant#id#${tenantId}`;
+var demoWorkspacePartitionKey = (tenantId, workspaceId) => `tid#${tenantId}#workspace#id#${workspaceId}`;
+var demoMembershipPartitionKey = (tenantId, membershipId) => `tid#${tenantId}#membership#id#${membershipId}`;
+var demoRoleAssignmentPartitionKey = (tenantId, roleAssignmentId) => `tid#${tenantId}#roleassignment#id#${roleAssignmentId}`;
+var demoUserPartitionKey = (userId) => `user#id#${userId}`;
+var demoBasePartitionKeys = () => {
+  const keys = [];
+  for (const spec of DEMO_TENANT_SPECS) {
+    keys.push(demoTenantPartitionKey(spec.tenantId));
+    for (const workspace of spec.workspaces) {
+      keys.push(demoWorkspacePartitionKey(spec.tenantId, workspace.id));
+    }
   }
-  get serviceType() {
-    return _OpenHiDataService.SERVICE_TYPE;
+  return keys;
+};
+var demoDevUserPartitionKeys = (devUsers) => {
+  const keys = [];
+  for (const user of devUsers) {
+    keys.push(demoUserPartitionKey(user.id));
+    for (const spec of DEMO_TENANT_SPECS) {
+      keys.push(
+        demoMembershipPartitionKey(
+          spec.tenantId,
+          demoMembershipId(user.id, spec.tenantId)
+        )
+      );
+      for (const roleCode of demoRolesForUserInTenant(user, spec.tenantId)) {
+        keys.push(
+          demoRoleAssignmentPartitionKey(
+            spec.tenantId,
+            demoRoleAssignmentId(user.id, spec.tenantId, roleCode)
+          )
+        );
+      }
+    }
+    keys.push(
+      demoRoleAssignmentPartitionKey(
+        PLATFORM_SCOPE_TENANT_ID,
+        demoRoleAssignmentId(
+          user.id,
+          PLATFORM_SCOPE_TENANT_ID,
+          import_types.CONTROL_PLANE_ROLE_CODE.SYSTEM_ADMIN
+        )
+      )
+    );
+  }
+  return keys;
+};
+// src/workflows/control-plane/seed-demo-data/seed-demo-data-lambda.ts
+var import_node_fs7 = __toESM(require("fs"));
+var import_node_path7 = __toESM(require("path"));
+var import_types8 = require("@openhi/types");
+var import_aws_cdk_lib12 = require("aws-cdk-lib");
+var import_aws_events6 = require("aws-cdk-lib/aws-events");
+var import_aws_events_targets2 = require("aws-cdk-lib/aws-events-targets");
+var import_aws_iam3 = require("aws-cdk-lib/aws-iam");
+var import_aws_lambda7 = require("aws-cdk-lib/aws-lambda");
+var import_aws_lambda_nodejs7 = require("aws-cdk-lib/aws-lambda-nodejs");
+var import_constructs11 = require("constructs");
+// src/workflows/control-plane/seed-demo-data/seed-demo-data.handler.ts
+var import_node_crypto = require("crypto");
+var import_client_cognito_identity_provider = require("@aws-sdk/client-cognito-identity-provider");
+var import_client_dynamodb2 = require("@aws-sdk/client-dynamodb");
+var import_types7 = require("@openhi/types");
+var import_workflows3 = __toESM(require_lib2());
+// src/data/dynamo/dynamo-control-service.ts
+var import_electrodb8 = require("electrodb");
+// src/data/dynamo/dynamo-client.ts
+var import_client_dynamodb = require("@aws-sdk/client-dynamodb");
+var defaultTableName = process.env.DYNAMO_TABLE_NAME ?? "jesttesttable";
+var dynamoClient = new import_client_dynamodb.DynamoDBClient({
+  ...process.env.MOCK_DYNAMODB_ENDPOINT && {
+    endpoint: process.env.MOCK_DYNAMODB_ENDPOINT,
+    sslEnabled: false,
+    region: "local"
+  }
+});
+// src/data/dynamo/entities/control/configuration-entity.ts
+var import_electrodb = require("electrodb");
+// src/data/dynamo/entities/control/control-entity-common.ts
+var import_types2 = require("@openhi/types");
+// src/data/dynamo/shard.ts
+var SHARD_COUNT = 4;
+function computeShard(id) {
+  let hash = 2166136261;
+  for (let i = 0; i < id.length; i++) {
+    hash ^= id.charCodeAt(i);
+    hash = Math.imul(hash, 16777619);
+  }
+  return (hash >>> 0) % SHARD_COUNT;
+}
+// src/data/dynamo/entities/control/control-entity-common.ts
+var gsi1ShardAttribute = {
+  type: "string",
+  watch: ["id"],
+  set: (_val, item) => {
+    if (typeof item?.id !== "string" || item.id.length === 0) {
+      return void 0;
+    }
+    return String(computeShard(item.id));
+  }
+};
+var gsi1skAttribute = {
+  type: "string",
+  watch: ["resource", "lastUpdated", "id"],
+  set: (_val, item) => {
+    const id = typeof item?.id === "string" ? item.id : "";
+    const lastUpdated = typeof item?.lastUpdated === "string" ? item.lastUpdated : "";
+    const fallback = `${lastUpdated}#${id}`;
+    if (typeof item?.resource !== "string" || item.resource.length === 0) {
+      return fallback;
+    }
+    let parsed;
+    try {
+      parsed = JSON.parse(item.resource);
+    } catch {
+      return fallback;
+    }
+    if (!parsed || typeof parsed !== "object") return fallback;
+    const resourceType = parsed.resourceType;
+    if (typeof resourceType !== "string") return fallback;
+    const label = (0, import_types2.extractLabel)(parsed);
+    return label !== void 0 ? `${label}#${id}` : fallback;
+  }
+};
+// src/data/dynamo/entities/control/configuration-entity.ts
+var ConfigurationEntity = new import_electrodb.Entity({
+  model: {
+    entity: "configuration",
+    service: "control",
+    version: "01"
+  },
+  attributes: {
+    /** Sort key. "CURRENT" for current version; version history in S3. */
+    sk: {
+      type: "string",
+      required: true,
+      default: "CURRENT"
+    },
+    /** Tenant scope. Use "BASELINE" when the config is baseline default (no tenant). */
+    tenantId: {
+      type: "string",
+      required: true,
+      default: "BASELINE"
+    },
+    /** Workspace scope. Use "-" when absent. */
+    workspaceId: {
+      type: "string",
+      required: true,
+      default: "-"
+    },
+    /** User scope. Use "-" when absent. */
+    userId: {
+      type: "string",
+      required: true,
+      default: "-"
+    },
+    /** Role scope. Use "-" when absent. */
+    roleId: {
+      type: "string",
+      required: true,
+      default: "-"
+    },
+    /** Config type (category), e.g. endpoints, branding, display. */
+    key: {
+      type: "string",
+      required: true
+    },
+    /** FHIR Resource.id; logical id in URL and for the Configuration resource. */
+    id: {
+      type: "string",
+      required: true
+    },
+    /** Payload as JSON string. JSON.stringify(resource) on write; JSON.parse(item.resource) on read. */
+    resource: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Summary projection (key display fields as JSON string: id, key, status).
+     * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.
+     */
+    summary: {
+      type: "string",
+      required: true
+    },
+    /** Version id (e.g. ULID). Tracks current version; S3 history key. */
+    vid: {
+      type: "string",
+      required: true
+    },
+    lastUpdated: {
+      type: "string",
+      required: true
+    },
+    gsi1Shard: gsi1ShardAttribute,
+    deleted: {
+      type: "boolean",
+      required: false
+    },
+    bundleId: {
+      type: "string",
+      required: false
+    },
+    msgId: {
+      type: "string",
+      required: false
+    }
+  },
+  indexes: {
+    /** Base table: PK, SK (data store key names). PK is built from tenantId, workspaceId, userId, roleId; SK is built from key and sk. Do not supply PK or SK from outside. */
+    record: {
+      pk: {
+        field: "PK",
+        composite: ["tenantId", "workspaceId", "userId", "roleId"],
+        template: "CONFIG#TID#${tenantId}#WID#${workspaceId}#UID#${userId}#RID#${roleId}"
+      },
+      sk: {
+        field: "SK",
+        composite: ["key", "sk"],
+        template: "KEY#${key}#SK#${sk}"
+      }
+    },
+    /**
+     * GSI1 — Unified Sharded List per ADR-011: list all Configuration entries for a
+     * (tenant, workspace) across the four shards. Use for "list configs scoped to this tenant"
+     * (workspaceId = "-") or "list configs scoped to this workspace". Does not support
+     * hierarchical resolution in one query; use base table GetItem in fallback order
+     * (user → workspace → tenant → baseline) for that.
+     * SK is `<key>#<id>` — Configuration's `key` is a required entity attribute (the
+     * config category: endpoints, branding, display, …) and the natural sort/lookup
+     * dimension. `casing: "none"` preserves the literal key value.
+     */
+    gsi1: {
+      index: "GSI1",
+      pk: {
+        field: "GSI1PK",
+        composite: ["tenantId", "workspaceId", "gsi1Shard"],
+        template: "TID#${tenantId}#WID#${workspaceId}#RT#Configuration#SHARD#${gsi1Shard}"
+      },
+      sk: {
+        field: "GSI1SK",
+        casing: "none",
+        composite: ["key", "id"],
+        template: "${key}#${id}"
+      }
+    }
+  }
+});
+// src/data/dynamo/entities/control/membership-entity.ts
+var import_electrodb2 = require("electrodb");
+var MembershipEntity = new import_electrodb2.Entity({
+  model: {
+    entity: "membership",
+    service: "control",
+    version: "01"
+  },
+  attributes: {
+    /** Sort key sentinel. Always "CURRENT". */
+    sk: {
+      type: "string",
+      required: true,
+      default: "CURRENT"
+    },
+    /** Tenant in which the user has membership (required). */
+    tenantId: {
+      type: "string",
+      required: true
+    },
+    /** FHIR Resource.id; membership id. */
+    id: {
+      type: "string",
+      required: true
+    },
+    /** Full Membership resource serialized as JSON string. */
+    resource: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Summary projection (key display fields as JSON string: id, displayName, status).
+     * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.
+     */
+    summary: {
+      type: "string",
+      required: true
+    },
+    /** Version id (e.g. ULID). */
+    vid: {
+      type: "string",
+      required: true
+    },
+    lastUpdated: {
+      type: "string",
+      required: true
+    },
+    gsi1Shard: gsi1ShardAttribute,
+    /** Derived GSI1 sort key — name-based when extractable; else `<lastUpdated>#<id>`. */
+    gsi1sk: gsi1skAttribute,
+    deleted: {
+      type: "boolean",
+      required: false
+    },
+    bundleId: {
+      type: "string",
+      required: false
+    },
+    msgId: {
+      type: "string",
+      required: false
+    }
+  },
+  indexes: {
+    /** Base table: PK = TID#<tenantId>#MEMBERSHIP#ID#<id>, SK = CURRENT. Do not supply PK or SK from outside. */
+    record: {
+      pk: {
+        field: "PK",
+        composite: ["tenantId", "id"],
+        template: "TID#${tenantId}#MEMBERSHIP#ID#${id}"
+      },
+      sk: {
+        field: "SK",
+        composite: ["sk"],
+        template: "${sk}"
+      }
+    },
+    /**
+     * GSI1 — Unified Sharded List per ADR-011: list all Memberships for a tenant across the
+     * four shards. Membership is tenant-scoped only, so `WID#-` is a sentinel.
+     * SK is derived via `gsi1skAttribute` — uses the resource's natural label when
+     * extractable, else `<lastUpdated>#<id>` (DR-004). `casing: "none"` preserves the
+     * normalized label and ISO-8601 `T`/`Z`.
+     */
+    gsi1: {
+      index: "GSI1",
+      pk: {
+        field: "GSI1PK",
+        composite: ["tenantId", "gsi1Shard"],
+        template: "TID#${tenantId}#WID#-#RT#Membership#SHARD#${gsi1Shard}"
+      },
+      sk: {
+        field: "GSI1SK",
+        casing: "none",
+        composite: ["gsi1sk"],
+        template: "${gsi1sk}"
+      }
+    }
+  }
+});
+// src/data/dynamo/entities/control/role-entity.ts
+var import_electrodb3 = require("electrodb");
+var RoleEntity = new import_electrodb3.Entity({
+  model: {
+    entity: "role",
+    service: "control",
+    version: "01"
+  },
+  attributes: {
+    /** Sort key sentinel. Always "CURRENT". */
+    sk: {
+      type: "string",
+      required: true,
+      default: "CURRENT"
+    },
+    /** FHIR Resource.id; role id. */
+    id: {
+      type: "string",
+      required: true
+    },
+    /** Full Role resource serialized as JSON string. */
+    resource: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Summary projection (key display fields as JSON string: id, displayName, status).
+     * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.
+     */
+    summary: {
+      type: "string",
+      required: true
+    },
+    /** Version id (e.g. ULID). */
+    vid: {
+      type: "string",
+      required: true
+    },
+    lastUpdated: {
+      type: "string",
+      required: true
+    },
+    gsi1Shard: gsi1ShardAttribute,
+    /** Derived GSI1 sort key — name-based when extractable; else `<lastUpdated>#<id>`. */
+    gsi1sk: gsi1skAttribute,
+    deleted: {
+      type: "boolean",
+      required: false
+    },
+    bundleId: {
+      type: "string",
+      required: false
+    },
+    msgId: {
+      type: "string",
+      required: false
+    }
+  },
+  indexes: {
+    /** Base table: PK = ROLE#ID#<id>, SK = CURRENT. Do not supply PK or SK from outside. */
+    record: {
+      pk: {
+        field: "PK",
+        composite: ["id"],
+        template: "ROLE#ID#${id}"
+      },
+      sk: {
+        field: "SK",
+        composite: ["sk"],
+        template: "${sk}"
+      }
+    },
+    /**
+     * GSI1 — Unified Sharded List per ADR-011: list all Roles across the four shards.
+     * Non-tenant-isolated, so `TID#-#WID#-` sentinels precede `RT#Role#SHARD#<n>`.
+     * SK is derived via `gsi1skAttribute` — uses the resource's natural label when
+     * extractable, else `<lastUpdated>#<id>` (DR-004). `casing: "none"` preserves the
+     * normalized label and ISO-8601 `T`/`Z`.
+     */
+    gsi1: {
+      index: "GSI1",
+      pk: {
+        field: "GSI1PK",
+        composite: ["gsi1Shard"],
+        template: "TID#-#WID#-#RT#Role#SHARD#${gsi1Shard}"
+      },
+      sk: {
+        field: "GSI1SK",
+        casing: "none",
+        composite: ["gsi1sk"],
+        template: "${gsi1sk}"
+      }
+    }
+  }
+});
+// src/data/dynamo/entities/control/roleassignment-entity.ts
+var import_electrodb4 = require("electrodb");
+var RoleAssignmentEntity = new import_electrodb4.Entity({
+  model: {
+    entity: "roleassignment",
+    service: "control",
+    version: "01"
+  },
+  attributes: {
+    /** Sort key sentinel. Always "CURRENT". */
+    sk: {
+      type: "string",
+      required: true,
+      default: "CURRENT"
+    },
+    /** Tenant in which the role assignment applies (required). */
+    tenantId: {
+      type: "string",
+      required: true
+    },
+    /** FHIR Resource.id; role assignment id. */
+    id: {
+      type: "string",
+      required: true
+    },
+    /** Full RoleAssignment resource serialized as JSON string. */
+    resource: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Summary projection (key display fields as JSON string: id, displayName, status).
+     * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.
+     */
+    summary: {
+      type: "string",
+      required: true
+    },
+    /** Version id (e.g. ULID). */
+    vid: {
+      type: "string",
+      required: true
+    },
+    lastUpdated: {
+      type: "string",
+      required: true
+    },
+    gsi1Shard: gsi1ShardAttribute,
+    /** Derived GSI1 sort key — name-based when extractable; else `<lastUpdated>#<id>`. */
+    gsi1sk: gsi1skAttribute,
+    deleted: {
+      type: "boolean",
+      required: false
+    },
+    bundleId: {
+      type: "string",
+      required: false
+    },
+    msgId: {
+      type: "string",
+      required: false
+    }
+  },
+  indexes: {
+    /** Base table: PK = TID#<tenantId>#ROLEASSIGNMENT#ID#<id>, SK = CURRENT. Do not supply PK or SK from outside. */
+    record: {
+      pk: {
+        field: "PK",
+        composite: ["tenantId", "id"],
+        template: "TID#${tenantId}#ROLEASSIGNMENT#ID#${id}"
+      },
+      sk: {
+        field: "SK",
+        composite: ["sk"],
+        template: "${sk}"
+      }
+    },
+    /**
+     * GSI1 — Unified Sharded List per ADR-011: list all RoleAssignments for a tenant across the
+     * four shards. Tenant-scoped only, so `WID#-` is a sentinel.
+     * SK is derived via `gsi1skAttribute` — uses the resource's natural label when
+     * extractable, else `<lastUpdated>#<id>` (DR-004). `casing: "none"` preserves the
+     * normalized label and ISO-8601 `T`/`Z`.
+     */
+    gsi1: {
+      index: "GSI1",
+      pk: {
+        field: "GSI1PK",
+        composite: ["tenantId", "gsi1Shard"],
+        template: "TID#${tenantId}#WID#-#RT#RoleAssignment#SHARD#${gsi1Shard}"
+      },
+      sk: {
+        field: "GSI1SK",
+        casing: "none",
+        composite: ["gsi1sk"],
+        template: "${gsi1sk}"
+      }
+    }
+  }
+});
+// src/data/dynamo/entities/control/tenant-entity.ts
+var import_electrodb5 = require("electrodb");
+var TenantEntity = new import_electrodb5.Entity({
+  model: {
+    entity: "tenant",
+    service: "control",
+    version: "01"
+  },
+  attributes: {
+    /** Sort key sentinel. Always "CURRENT". */
+    sk: {
+      type: "string",
+      required: true,
+      default: "CURRENT"
+    },
+    /** The tenant's own id (= resource id). Drives the partition key. */
+    tenantId: {
+      type: "string",
+      required: true
+    },
+    /** FHIR Resource.id; logical id in URL. Equals tenantId. */
+    id: {
+      type: "string",
+      required: true
+    },
+    /** Full Tenant resource serialized as JSON string. */
+    resource: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Summary projection (key display fields as JSON string: id, displayName, status).
+     * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.
+     */
+    summary: {
+      type: "string",
+      required: true
+    },
+    /** Version id (e.g. ULID). */
+    vid: {
+      type: "string",
+      required: true
+    },
+    lastUpdated: {
+      type: "string",
+      required: true
+    },
+    gsi1Shard: gsi1ShardAttribute,
+    /** Derived GSI1 sort key — name-based when extractable; else `<lastUpdated>#<id>`. */
+    gsi1sk: gsi1skAttribute,
+    deleted: {
+      type: "boolean",
+      required: false
+    },
+    bundleId: {
+      type: "string",
+      required: false
+    },
+    msgId: {
+      type: "string",
+      required: false
+    }
+  },
+  indexes: {
+    /** Base table: PK = TENANT#ID#<tenantId>, SK = CURRENT. Do not supply PK or SK from outside. */
+    record: {
+      pk: {
+        field: "PK",
+        composite: ["tenantId"],
+        template: "TENANT#ID#${tenantId}"
+      },
+      sk: {
+        field: "SK",
+        composite: ["sk"],
+        template: "${sk}"
+      }
+    },
+    /**
+     * GSI1 — Unified Sharded List per ADR-011: list all Tenants across the four shards.
+     * Tenant lives at the platform tier (no parent tenant or workspace), so `TID#-#WID#-`
+     * sentinels precede `RT#Tenant#SHARD#<n>`. SK is derived via `gsi1skAttribute` —
+     * `<normalizedName>#<id>` when the resource carries a `name`, else `<lastUpdated>#<id>`
+     * (DR-004). `casing: "none"` preserves the normalized label and ISO-8601 `T`/`Z`.
+     */
+    gsi1: {
+      index: "GSI1",
+      pk: {
+        field: "GSI1PK",
+        composite: ["gsi1Shard"],
+        template: "TID#-#WID#-#RT#Tenant#SHARD#${gsi1Shard}"
+      },
+      sk: {
+        field: "GSI1SK",
+        casing: "none",
+        composite: ["gsi1sk"],
+        template: "${gsi1sk}"
+      }
+    }
+  }
+});
+// src/data/dynamo/entities/control/user-entity.ts
+var import_electrodb6 = require("electrodb");
+var UserEntity = new import_electrodb6.Entity({
+  model: {
+    entity: "user",
+    service: "control",
+    version: "01"
+  },
+  attributes: {
+    /** Sort key sentinel. Always "CURRENT". */
+    sk: {
+      type: "string",
+      required: true,
+      default: "CURRENT"
+    },
+    /** FHIR Resource.id; platform user id (ohi_uid). */
+    id: {
+      type: "string",
+      required: true
+    },
+    /** Full User resource serialized as JSON string. */
+    resource: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Summary projection (key display fields as JSON string: id, displayName, status).
+     * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.
+     */
+    summary: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Immutable Cognito-issued `sub` claim. Drives GSI2 (sub-lookup). Optional until the
+     * Post Confirmation Lambda (#770) lands; required thereafter.
+     */
+    cognitoSub: {
+      type: "string",
+      required: false
+    },
+    /** Version id (e.g. ULID). */
+    vid: {
+      type: "string",
+      required: true
+    },
+    lastUpdated: {
+      type: "string",
+      required: true
+    },
+    gsi1Shard: gsi1ShardAttribute,
+    /** Derived GSI1 sort key — name-based when extractable; else `<lastUpdated>#<id>`. */
+    gsi1sk: gsi1skAttribute,
+    deleted: {
+      type: "boolean",
+      required: false
+    },
+    bundleId: {
+      type: "string",
+      required: false
+    },
+    msgId: {
+      type: "string",
+      required: false
+    }
+  },
+  indexes: {
+    /** Base table: PK = USER#ID#<id>, SK = CURRENT. Do not supply PK or SK from outside. */
+    record: {
+      pk: {
+        field: "PK",
+        composite: ["id"],
+        template: "USER#ID#${id}"
+      },
+      sk: {
+        field: "SK",
+        composite: ["sk"],
+        template: "${sk}"
+      }
+    },
+    /**
+     * GSI1 — Unified Sharded List per ADR-011: list all Users across the four shards.
+     * Non-tenant-isolated, so `TID#-#WID#-` sentinels precede `RT#User#SHARD#<n>`.
+     * SK is derived via `gsi1skAttribute` — uses the resource's natural label when
+     * extractable (string `name`/`title` via introspection), else `<lastUpdated>#<id>`
+     * (DR-004). `casing: "none"` preserves the normalized label and ISO-8601 `T`/`Z`.
+     */
+    gsi1: {
+      index: "GSI1",
+      pk: {
+        field: "GSI1PK",
+        composite: ["gsi1Shard"],
+        template: "TID#-#WID#-#RT#User#SHARD#${gsi1Shard}"
+      },
+      sk: {
+        field: "GSI1SK",
+        casing: "none",
+        composite: ["gsi1sk"],
+        template: "${gsi1sk}"
+      }
+    },
+    /**
+     * GSI2 — Cognito sub-lookup per ADR-011: resolves the UserEntity from a Cognito `sub` claim.
+     * `condition` skips the index when `cognitoSub` is missing so legacy items without a sub are
+     * not indexed.
+     */
+    gsi2: {
+      index: "GSI2",
+      condition: (attrs) => typeof attrs.cognitoSub === "string" && attrs.cognitoSub.length > 0,
+      pk: {
+        field: "GSI2PK",
+        casing: "none",
+        composite: ["cognitoSub"],
+        template: "USER#SUB#${cognitoSub}"
+      },
+      sk: {
+        field: "GSI2SK",
+        casing: "none",
+        composite: [],
+        template: "CURRENT"
+      }
+    }
+  }
+});
+// src/data/dynamo/entities/control/workspace-entity.ts
+var import_electrodb7 = require("electrodb");
+var WorkspaceEntity = new import_electrodb7.Entity({
+  model: {
+    entity: "workspace",
+    service: "control",
+    version: "01"
+  },
+  attributes: {
+    /** Sort key sentinel. Always "CURRENT". */
+    sk: {
+      type: "string",
+      required: true,
+      default: "CURRENT"
+    },
+    /** Tenant that contains this workspace (required). */
+    tenantId: {
+      type: "string",
+      required: true
+    },
+    /** FHIR Resource.id; logical id in URL. */
+    id: {
+      type: "string",
+      required: true
+    },
+    /** Full Workspace resource serialized as JSON string. */
+    resource: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Summary projection (key display fields as JSON string: id, displayName, status).
+     * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.
+     */
+    summary: {
+      type: "string",
+      required: true
+    },
+    /** Version id (e.g. ULID). */
+    vid: {
+      type: "string",
+      required: true
+    },
+    lastUpdated: {
+      type: "string",
+      required: true
+    },
+    gsi1Shard: gsi1ShardAttribute,
+    /** Derived GSI1 sort key — name-based when extractable; else `<lastUpdated>#<id>`. */
+    gsi1sk: gsi1skAttribute,
+    deleted: {
+      type: "boolean",
+      required: false
+    },
+    bundleId: {
+      type: "string",
+      required: false
+    },
+    msgId: {
+      type: "string",
+      required: false
+    }
+  },
+  indexes: {
+    /** Base table: PK = TID#<tenantId>#WORKSPACE#ID#<id>, SK = CURRENT. Do not supply PK or SK from outside. */
+    record: {
+      pk: {
+        field: "PK",
+        composite: ["tenantId", "id"],
+        template: "TID#${tenantId}#WORKSPACE#ID#${id}"
+      },
+      sk: {
+        field: "SK",
+        composite: ["sk"],
+        template: "${sk}"
+      }
+    },
+    /**
+     * GSI1 — Unified Sharded List per ADR-011: list all Workspaces for a tenant across the
+     * four shards. Workspace is itself the workspace identity, so `WID#-` is a sentinel.
+     * SK is derived via `gsi1skAttribute` — `<normalizedName>#<id>` when the resource
+     * carries a `name`, else `<lastUpdated>#<id>` (DR-004). `casing: "none"` preserves
+     * the normalized label and ISO-8601 `T`/`Z`.
+     */
+    gsi1: {
+      index: "GSI1",
+      pk: {
+        field: "GSI1PK",
+        composite: ["tenantId", "gsi1Shard"],
+        template: "TID#${tenantId}#WID#-#RT#Workspace#SHARD#${gsi1Shard}"
+      },
+      sk: {
+        field: "GSI1SK",
+        casing: "none",
+        composite: ["gsi1sk"],
+        template: "${gsi1sk}"
+      }
+    }
+  }
+});
+// src/data/dynamo/dynamo-control-service.ts
+var controlPlaneEntities = {
+  configuration: ConfigurationEntity,
+  membership: MembershipEntity,
+  role: RoleEntity,
+  roleAssignment: RoleAssignmentEntity,
+  tenant: TenantEntity,
+  user: UserEntity,
+  workspace: WorkspaceEntity
+};
+var controlPlaneService = new import_electrodb8.Service(controlPlaneEntities, {
+  table: defaultTableName,
+  client: dynamoClient
+});
+var DynamoControlService = {
+  entities: controlPlaneService.entities
+};
+// src/data/operations/control/membership/membership-create-operation.ts
+var import_types3 = require("@openhi/types");
+// src/data/operations/control/roleassignment/roleassignment-create-operation.ts
+var import_types4 = require("@openhi/types");
+// src/data/operations/control/tenant/tenant-create-operation.ts
+var import_types5 = require("@openhi/types");
+// src/data/operations/control/workspace/workspace-create-operation.ts
+var import_types6 = require("@openhi/types");
+// src/workflows/control-plane/seed-demo-data/seed-demo-data.handler.ts
+var SEED_DEMO_DATA_USER_POOL_ID_ENV_VAR = "SEED_DEMO_DATA_USER_POOL_ID";
+// src/workflows/control-plane/seed-demo-data/seed-demo-data-lambda.ts
+var HANDLER_NAME7 = "seed-demo-data.handler.js";
+function resolveHandlerEntry7(dirname) {
+  const sameDir = import_node_path7.default.join(dirname, HANDLER_NAME7);
+  if (import_node_fs7.default.existsSync(sameDir)) {
+    return sameDir;
   }
+  return import_node_path7.default.join(dirname, "..", "..", "..", "..", "lib", HANDLER_NAME7);
+}
+var SeedDemoDataLambda = class extends import_constructs11.Construct {
+  constructor(scope, props) {
+    super(scope, "seed-demo-data-lambda");
+    this.lambda = new import_aws_lambda_nodejs7.NodejsFunction(this, "handler", {
+      entry: resolveHandlerEntry7(__dirname),
+      runtime: import_aws_lambda7.Runtime.NODEJS_LATEST,
+      memorySize: 512,
+      timeout: import_aws_cdk_lib12.Duration.minutes(2),
+      environment: {
+        DYNAMO_TABLE_NAME: props.dataStoreTable.tableName,
+        [SEED_DEMO_DATA_USER_POOL_ID_ENV_VAR]: props.userPool.userPoolId
+      }
+    });
+    const roleReadKeys = Object.values(import_types8.CONTROL_PLANE_ROLE_IDS).map(
+      rolePartitionKey
+    );
+    this.lambda.addToRolePolicy(
+      new import_aws_iam3.PolicyStatement({
+        effect: import_aws_iam3.Effect.ALLOW,
+        actions: ["dynamodb:GetItem"],
+        resources: [props.dataStoreTable.tableArn],
+        conditions: {
+          "ForAllValues:StringEquals": {
+            "dynamodb:LeadingKeys": roleReadKeys
+          }
+        }
+      })
+    );
+    const writeKeys = [
+      ...demoBasePartitionKeys(),
+      ...demoDevUserPartitionKeys(DEV_USERS)
+    ];
+    this.lambda.addToRolePolicy(
+      new import_aws_iam3.PolicyStatement({
+        effect: import_aws_iam3.Effect.ALLOW,
+        actions: ["dynamodb:PutItem", "dynamodb:UpdateItem"],
+        resources: [props.dataStoreTable.tableArn],
+        conditions: {
+          "ForAllValues:StringEquals": {
+            "dynamodb:LeadingKeys": writeKeys
+          }
+        }
+      })
+    );
+    this.lambda.addToRolePolicy(
+      new import_aws_iam3.PolicyStatement({
+        effect: import_aws_iam3.Effect.ALLOW,
+        actions: [
+          "cognito-idp:AdminCreateUser",
+          "cognito-idp:AdminGetUser",
+          "cognito-idp:AdminSetUserPassword"
+        ],
+        resources: [
+          import_aws_cdk_lib12.Stack.of(this).formatArn({
+            service: "cognito-idp",
+            resource: "userpool",
+            resourceName: props.userPool.userPoolId
+          })
+        ]
+      })
+    );
+    this.rule = new import_aws_events6.Rule(this, "rule", {
+      eventBus: props.controlEventBus,
+      eventPattern: {
+        source: [import_workflows2.PlatformSystemDataSeededV1.source],
+        detailType: [import_workflows2.PlatformSystemDataSeededV1.detailType]
+      },
+      targets: [
+        new import_aws_events_targets2.LambdaFunction(this.lambda, {
+          retryAttempts: 2,
+          maxEventAge: import_aws_cdk_lib12.Duration.hours(2)
+        })
+      ]
+    });
+  }
+};
+// src/workflows/control-plane/seed-demo-data/seed-demo-data-workflow.ts
+var import_constructs12 = require("constructs");
+var SeedDemoDataWorkflow = class extends import_constructs12.Construct {
+  constructor(scope, props) {
+    super(scope, "seed-demo-data-workflow");
+    this.seedDemoData = new SeedDemoDataLambda(this, {
+      controlEventBus: props.controlEventBus,
+      dataStoreTable: props.dataStoreTable,
+      userPool: props.userPool
+    });
+    WorkflowDedupTable.grantConsumerFromLookup(
+      this,
+      this.seedDemoData.lambda,
+      SEED_DEMO_DATA_CONSUMER_NAME
+    );
+  }
+};
+// src/workflows/control-plane/seed-system-data/events.ts
+var import_workflows4 = __toESM(require_lib2());
+var SEED_SYSTEM_DATA_CONSUMER_NAME = "seed-system-data";
+var SEED_SYSTEM_DATA_ACTOR_SYSTEM = "seed-system-data";
+var SEED_SYSTEM_DATA_CONTROL_BUS_ENV_VAR = "CONTROL_EVENT_BUS_NAME";
+// src/workflows/control-plane/seed-system-data/seed-system-data-lambda.ts
+var import_node_fs8 = __toESM(require("fs"));
+var import_node_path8 = __toESM(require("path"));
+var import_types9 = require("@openhi/types");
+var import_aws_cdk_lib13 = require("aws-cdk-lib");
+var import_aws_events7 = require("aws-cdk-lib/aws-events");
+var import_aws_events_targets3 = require("aws-cdk-lib/aws-events-targets");
+var import_aws_iam4 = require("aws-cdk-lib/aws-iam");
+var import_aws_lambda8 = require("aws-cdk-lib/aws-lambda");
+var import_aws_lambda_nodejs8 = require("aws-cdk-lib/aws-lambda-nodejs");
+var import_constructs13 = require("constructs");
+var HANDLER_NAME8 = "seed-system-data.handler.js";
+function resolveHandlerEntry8(dirname) {
+  const sameDir = import_node_path8.default.join(dirname, HANDLER_NAME8);
+  if (import_node_fs8.default.existsSync(sameDir)) {
+    return sameDir;
+  }
+  return import_node_path8.default.join(dirname, "..", "..", "..", "..", "lib", HANDLER_NAME8);
+}
+var SeedSystemDataLambda = class extends import_constructs13.Construct {
+  constructor(scope, props) {
+    super(scope, "seed-system-data-lambda");
+    this.lambda = new import_aws_lambda_nodejs8.NodejsFunction(this, "handler", {
+      entry: resolveHandlerEntry8(__dirname),
+      runtime: import_aws_lambda8.Runtime.NODEJS_LATEST,
+      memorySize: 512,
+      timeout: import_aws_cdk_lib13.Duration.minutes(1),
+      environment: {
+        DYNAMO_TABLE_NAME: props.dataStoreTable.tableName,
+        [SEED_SYSTEM_DATA_CONTROL_BUS_ENV_VAR]: props.controlEventBus.eventBusName
+      }
+    });
+    const roleArns = Object.values(import_types9.CONTROL_PLANE_ROLE_IDS).map(
+      (id) => `role#id#${id}`
+    );
+    this.lambda.addToRolePolicy(
+      new import_aws_iam4.PolicyStatement({
+        effect: import_aws_iam4.Effect.ALLOW,
+        actions: ["dynamodb:PutItem", "dynamodb:UpdateItem"],
+        resources: [props.dataStoreTable.tableArn],
+        conditions: {
+          "ForAllValues:StringEquals": {
+            "dynamodb:LeadingKeys": roleArns
+          }
+        }
+      })
+    );
+    props.controlEventBus.grantPutEventsTo(this.lambda);
+    const hostStackName = import_aws_cdk_lib13.Stack.of(this).stackName;
+    this.rule = new import_aws_events7.Rule(this, "rule", {
+      eventBus: props.controlEventBus,
+      eventPattern: {
+        source: [import_workflows4.PlatformDeploymentCompletedV1.source],
+        detailType: [import_workflows4.PlatformDeploymentCompletedV1.detailType],
+        detail: {
+          payload: {
+            stackName: [hostStackName]
+          }
+        }
+      },
+      targets: [
+        new import_aws_events_targets3.LambdaFunction(this.lambda, {
+          retryAttempts: 2,
+          maxEventAge: import_aws_cdk_lib13.Duration.hours(2)
+        })
+      ]
+    });
+  }
+};
+// src/workflows/control-plane/seed-system-data/seed-system-data-workflow.ts
+var import_constructs14 = require("constructs");
+var SeedSystemDataWorkflow = class extends import_constructs14.Construct {
+  constructor(scope, props) {
+    super(scope, "seed-system-data-workflow");
+    this.seedSystemData = new SeedSystemDataLambda(this, {
+      controlEventBus: props.controlEventBus,
+      dataStoreTable: props.dataStoreTable
+    });
+    WorkflowDedupTable.grantConsumerFromLookup(
+      this,
+      this.seedSystemData.lambda,
+      SEED_SYSTEM_DATA_CONSUMER_NAME
+    );
+  }
+};
+// src/services/open-hi-data-service.ts
+var _OpenHiDataService = class _OpenHiDataService extends OpenHiService {
   constructor(ohEnv, props = {}) {
     super(ohEnv, _OpenHiDataService.SERVICE_TYPE, props);
+    /**
+     * Cached control-event-bus lookup. `OpenHiGlobalService.controlEventBusFromConstruct`
+     * registers a child `EventBus.fromEventBusName` construct with a
+     * fixed id under the scope it is passed, so calling it twice on the
+     * same `OpenHiDataService` instance collides. The cache mirrors the
+     * `private controlEventBus()` pattern already used in
+     * `OpenHiAuthService`. Use {@link controlEventBus} from this class
+     * — never call the static lookup from inside `OpenHiDataService`.
+     */
+    this._controlEventBus = null;
     this.props = props;
     this.dataStoreChangeStream = new kinesis.Stream(
       this,
@@ -1637,6 +3831,53 @@ var _OpenHiDataService = class _OpenHiDataService extends OpenHiService {
         branchHash: this.branchHash
       }
     );
+    this.seedSystemDataWorkflow = this.createSeedSystemDataWorkflow();
+    this.seedDemoDataWorkflow = this.createSeedDemoDataWorkflow();
+  }
+  /**
+   * Returns the data store table by name. Use from other stacks (e.g. REST API Lambda) to obtain an ITable reference.
+   */
+  static dynamoDbDataStoreFromConstruct(scope, id = "dynamo-db-data-store") {
+    return import_aws_dynamodb3.Table.fromTableName(scope, id, getDynamoDbDataStoreTableName(scope));
+  }
+  get serviceType() {
+    return _OpenHiDataService.SERVICE_TYPE;
+  }
+  /**
+   * Lazily looks up the control event bus exactly once per
+   * `OpenHiDataService` instance and caches the reference. Every
+   * workflow that consumes the bus must read it through this method
+   * — see {@link _controlEventBus} for the underlying collision risk.
+   */
+  controlEventBus() {
+    if (this._controlEventBus === null) {
+      this._controlEventBus = OpenHiGlobalService.controlEventBusFromConstruct(this);
+    }
+    return this._controlEventBus;
+  }
+  /**
+   * Creates the seed-system-data workflow. Override to customize.
+   */
+  createSeedSystemDataWorkflow() {
+    return new SeedSystemDataWorkflow(this, {
+      controlEventBus: this.controlEventBus(),
+      dataStoreTable: this.dataStore
+    });
+  }
+  /**
+   * Creates the seed-demo-data workflow — but only on non-prod
+   * stages. Returns `undefined` on prod so the workflow literally
+   * does not exist in prod stacks. Override to customize.
+   */
+  createSeedDemoDataWorkflow() {
+    if (this.ohEnv.ohStage.stageType === import_config4.OPEN_HI_STAGE.PROD) {
+      return void 0;
+    }
+    return new SeedDemoDataWorkflow(this, {
+      controlEventBus: this.controlEventBus(),
+      dataStoreTable: this.dataStore,
+      userPool: OpenHiAuthService.userPoolFromConstruct(this)
+    });
   }
   /**
    * Creates the single-table DynamoDB data store.
@@ -1645,7 +3886,7 @@ var _OpenHiDataService = class _OpenHiDataService extends OpenHiService {
   createDataStore() {
     return new DynamoDbDataStore(this, "dynamo-db-data-store", {
       kinesisStream: this.dataStoreChangeStream,
-      stream: import_aws_dynamodb2.StreamViewType.NEW_AND_OLD_IMAGES
+      stream: import_aws_dynamodb3.StreamViewType.NEW_AND_OLD_IMAGES
     });
   }
 };
@@ -1678,29 +3919,29 @@ var buildProvisionDefaultWorkspaceRequestedDetail = (event) => {
 };
 // src/workflows/control-plane/user-onboarding/provision-default-workspace-lambda.ts
-var import_node_fs6 = __toESM(require("fs"));
-var import_node_path6 = __toESM(require("path"));
-var import_aws_cdk_lib10 = require("aws-cdk-lib");
-var import_aws_events5 = require("aws-cdk-lib/aws-events");
-var import_aws_events_targets = require("aws-cdk-lib/aws-events-targets");
-var import_aws_iam = require("aws-cdk-lib/aws-iam");
-var import_aws_lambda6 = require("aws-cdk-lib/aws-lambda");
-var import_aws_lambda_nodejs6 = require("aws-cdk-lib/aws-lambda-nodejs");
-var import_constructs8 = require("constructs");
-var HANDLER_NAME6 = "provision-default-workspace.handler.js";
-function resolveHandlerEntry6(dirname) {
-  const sameDir = import_node_path6.default.join(dirname, HANDLER_NAME6);
-  if (import_node_fs6.default.existsSync(sameDir)) {
+var import_node_fs9 = __toESM(require("fs"));
+var import_node_path9 = __toESM(require("path"));
+var import_aws_cdk_lib14 = require("aws-cdk-lib");
+var import_aws_events8 = require("aws-cdk-lib/aws-events");
+var import_aws_events_targets4 = require("aws-cdk-lib/aws-events-targets");
+var import_aws_iam5 = require("aws-cdk-lib/aws-iam");
+var import_aws_lambda9 = require("aws-cdk-lib/aws-lambda");
+var import_aws_lambda_nodejs9 = require("aws-cdk-lib/aws-lambda-nodejs");
+var import_constructs15 = require("constructs");
+var HANDLER_NAME9 = "provision-default-workspace.handler.js";
+function resolveHandlerEntry9(dirname) {
+  const sameDir = import_node_path9.default.join(dirname, HANDLER_NAME9);
+  if (import_node_fs9.default.existsSync(sameDir)) {
     return sameDir;
   }
-  return import_node_path6.default.join(dirname, "..", "..", "..", "..", "lib", HANDLER_NAME6);
+  return import_node_path9.default.join(dirname, "..", "..", "..", "..", "lib", HANDLER_NAME9);
 }
-var ProvisionDefaultWorkspaceLambda = class extends import_constructs8.Construct {
+var ProvisionDefaultWorkspaceLambda = class extends import_constructs15.Construct {
   constructor(scope, props) {
     super(scope, "provision-default-workspace-lambda");
-    this.lambda = new import_aws_lambda_nodejs6.NodejsFunction(this, "handler", {
-      entry: resolveHandlerEntry6(__dirname),
-      runtime: import_aws_lambda6.Runtime.NODEJS_LATEST,
+    this.lambda = new import_aws_lambda_nodejs9.NodejsFunction(this, "handler", {
+      entry: resolveHandlerEntry9(__dirname),
+      runtime: import_aws_lambda9.Runtime.NODEJS_LATEST,
       memorySize: 1024,
       environment: {
         DYNAMO_TABLE_NAME: props.dataStoreTable.tableName
@@ -1712,22 +3953,22 @@ var ProvisionDefaultWorkspaceLambda = class extends import_constructs8.Construct
       "dynamodb:UpdateItem"
     );
     this.lambda.addToRolePolicy(
-      new import_aws_iam.PolicyStatement({
-        effect: import_aws_iam.Effect.ALLOW,
+      new import_aws_iam5.PolicyStatement({
+        effect: import_aws_iam5.Effect.ALLOW,
         actions: ["dynamodb:Query"],
         resources: [`${props.dataStoreTable.tableArn}/index/*`]
       })
     );
-    this.rule = new import_aws_events5.Rule(this, "rule", {
+    this.rule = new import_aws_events8.Rule(this, "rule", {
       eventBus: props.controlEventBus,
       eventPattern: {
         source: [USER_ONBOARDING_EVENT_SOURCE],
         detailType: [PROVISION_DEFAULT_WORKSPACE_DETAIL_TYPE]
       },
       targets: [
-        new import_aws_events_targets.LambdaFunction(this.lambda, {
+        new import_aws_events_targets4.LambdaFunction(this.lambda, {
           retryAttempts: 2,
-          maxEventAge: import_aws_cdk_lib10.Duration.hours(2)
+          maxEventAge: import_aws_cdk_lib14.Duration.hours(2)
         })
       ]
     });
@@ -1735,8 +3976,8 @@ var ProvisionDefaultWorkspaceLambda = class extends import_constructs8.Construct
 };
 // src/workflows/control-plane/user-onboarding/user-onboarding-workflow.ts
-var import_constructs9 = require("constructs");
-var UserOnboardingWorkflow = class extends import_constructs9.Construct {
+var import_constructs16 = require("constructs");
+var UserOnboardingWorkflow = class extends import_constructs16.Construct {
   constructor(scope, props) {
     super(scope, "user-onboarding-workflow");
     this.provisionDefaultWorkspace = new ProvisionDefaultWorkspaceLambda(this, {
@@ -1951,8 +4192,8 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
     const dynamoActions = ["dynamodb:GetItem", "dynamodb:Query"];
     dataStoreTable.grant(this.preTokenGenerationLambda, ...dynamoActions);
     this.preTokenGenerationLambda.addToRolePolicy(
-      new import_aws_iam2.PolicyStatement({
-        effect: import_aws_iam2.Effect.ALLOW,
+      new import_aws_iam6.PolicyStatement({
+        effect: import_aws_iam6.Effect.ALLOW,
         actions: [...dynamoActions],
         resources: [`${dataStoreTable.tableArn}/index/*`]
       })
@@ -1973,7 +4214,7 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
    */
   grantPostAuthenticationPermissions() {
     this.postAuthenticationLambda.addToRolePolicy(
-      new import_aws_iam2.PolicyStatement({
+      new import_aws_iam6.PolicyStatement({
         actions: ["cognito-idp:AdminUserGlobalSignOut"],
         resources: [
           import_core2.Stack.of(this).formatArn({
@@ -2020,7 +4261,7 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
    * via env vars to drive `InitiateAuth`.
    */
   createFixtureSeederClient() {
-    if (this.ohEnv.ohStage.stageType === import_config4.OPEN_HI_STAGE.PROD) {
+    if (this.ohEnv.ohStage.stageType === import_config5.OPEN_HI_STAGE.PROD) {
       return void 0;
     }
     const client = new CognitoFixtureSeederClient(this, {
@@ -2057,62 +4298,62 @@ _OpenHiAuthService.SERVICE_TYPE = "auth";
 var OpenHiAuthService = _OpenHiAuthService;
 // src/services/open-hi-rest-api-service.ts
-var import_config5 = __toESM(require_lib());
+var import_config6 = __toESM(require_lib());
 var import_aws_apigatewayv22 = require("aws-cdk-lib/aws-apigatewayv2");
 var import_aws_apigatewayv2_authorizers = require("aws-cdk-lib/aws-apigatewayv2-authorizers");
 var import_aws_apigatewayv2_integrations = require("aws-cdk-lib/aws-apigatewayv2-integrations");
-var import_aws_iam3 = require("aws-cdk-lib/aws-iam");
+var import_aws_iam7 = require("aws-cdk-lib/aws-iam");
 var import_aws_route533 = require("aws-cdk-lib/aws-route53");
 var import_aws_route53_targets = require("aws-cdk-lib/aws-route53-targets");
 var import_core3 = require("aws-cdk-lib/core");
 // src/data/lambda/cors-options-lambda.ts
-var import_node_fs7 = __toESM(require("fs"));
-var import_node_path7 = __toESM(require("path"));
-var import_aws_lambda7 = require("aws-cdk-lib/aws-lambda");
-var import_aws_lambda_nodejs7 = require("aws-cdk-lib/aws-lambda-nodejs");
-var import_constructs10 = require("constructs");
-var HANDLER_NAME7 = "cors-options-lambda.handler.js";
-function resolveHandlerEntry7(dirname) {
-  const sameDir = import_node_path7.default.join(dirname, HANDLER_NAME7);
-  if (import_node_fs7.default.existsSync(sameDir)) {
+var import_node_fs10 = __toESM(require("fs"));
+var import_node_path10 = __toESM(require("path"));
+var import_aws_lambda10 = require("aws-cdk-lib/aws-lambda");
+var import_aws_lambda_nodejs10 = require("aws-cdk-lib/aws-lambda-nodejs");
+var import_constructs17 = require("constructs");
+var HANDLER_NAME10 = "cors-options-lambda.handler.js";
+function resolveHandlerEntry10(dirname) {
+  const sameDir = import_node_path10.default.join(dirname, HANDLER_NAME10);
+  if (import_node_fs10.default.existsSync(sameDir)) {
     return sameDir;
   }
-  const fromLib = import_node_path7.default.join(dirname, "..", "..", "..", "lib", HANDLER_NAME7);
+  const fromLib = import_node_path10.default.join(dirname, "..", "..", "..", "lib", HANDLER_NAME10);
   return fromLib;
 }
-var CorsOptionsLambda = class extends import_constructs10.Construct {
+var CorsOptionsLambda = class extends import_constructs17.Construct {
   constructor(scope, id = "cors-options-lambda") {
     super(scope, id);
-    this.lambda = new import_aws_lambda_nodejs7.NodejsFunction(this, "handler", {
-      entry: resolveHandlerEntry7(__dirname),
-      runtime: import_aws_lambda7.Runtime.NODEJS_LATEST,
+    this.lambda = new import_aws_lambda_nodejs10.NodejsFunction(this, "handler", {
+      entry: resolveHandlerEntry10(__dirname),
+      runtime: import_aws_lambda10.Runtime.NODEJS_LATEST,
       memorySize: 128
     });
   }
 };
 // src/data/lambda/rest-api-lambda.ts
-var import_node_fs8 = __toESM(require("fs"));
-var import_node_path8 = __toESM(require("path"));
-var import_aws_lambda8 = require("aws-cdk-lib/aws-lambda");
-var import_aws_lambda_nodejs8 = require("aws-cdk-lib/aws-lambda-nodejs");
-var import_constructs11 = require("constructs");
-var HANDLER_NAME8 = "rest-api-lambda.handler.js";
-function resolveHandlerEntry8(dirname) {
-  const sameDir = import_node_path8.default.join(dirname, HANDLER_NAME8);
-  if (import_node_fs8.default.existsSync(sameDir)) {
+var import_node_fs11 = __toESM(require("fs"));
+var import_node_path11 = __toESM(require("path"));
+var import_aws_lambda11 = require("aws-cdk-lib/aws-lambda");
+var import_aws_lambda_nodejs11 = require("aws-cdk-lib/aws-lambda-nodejs");
+var import_constructs18 = require("constructs");
+var HANDLER_NAME11 = "rest-api-lambda.handler.js";
+function resolveHandlerEntry11(dirname) {
+  const sameDir = import_node_path11.default.join(dirname, HANDLER_NAME11);
+  if (import_node_fs11.default.existsSync(sameDir)) {
     return sameDir;
   }
-  const fromLib = import_node_path8.default.join(dirname, "..", "..", "..", "lib", HANDLER_NAME8);
+  const fromLib = import_node_path11.default.join(dirname, "..", "..", "..", "lib", HANDLER_NAME11);
   return fromLib;
 }
-var RestApiLambda = class extends import_constructs11.Construct {
+var RestApiLambda = class extends import_constructs18.Construct {
   constructor(scope, props) {
     super(scope, "rest-api-lambda");
-    this.lambda = new import_aws_lambda_nodejs8.NodejsFunction(this, "handler", {
-      entry: resolveHandlerEntry8(__dirname),
-      runtime: import_aws_lambda8.Runtime.NODEJS_LATEST,
+    this.lambda = new import_aws_lambda_nodejs11.NodejsFunction(this, "handler", {
+      entry: resolveHandlerEntry11(__dirname),
+      runtime: import_aws_lambda11.Runtime.NODEJS_LATEST,
       memorySize: 1024,
       environment: {
         DYNAMO_TABLE_NAME: props.dynamoTableName,
@@ -2254,8 +4495,8 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
       postgresSchema
     });
     lambda.addToRolePolicy(
-      new import_aws_iam3.PolicyStatement({
-        effect: import_aws_iam3.Effect.ALLOW,
+      new import_aws_iam7.PolicyStatement({
+        effect: import_aws_iam7.Effect.ALLOW,
         actions: [
           "rds-data:ExecuteStatement",
           "rds-data:BatchExecuteStatement"
@@ -2264,8 +4505,8 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
       })
     );
     lambda.addToRolePolicy(
-      new import_aws_iam3.PolicyStatement({
-        effect: import_aws_iam3.Effect.ALLOW,
+      new import_aws_iam7.PolicyStatement({
+        effect: import_aws_iam7.Effect.ALLOW,
         actions: ["secretsmanager:GetSecretValue"],
         resources: [postgresSecretArn]
       })
@@ -2283,15 +4524,15 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
     ];
     dataStoreTable.grant(lambda, ...dynamoActions);
     lambda.addToRolePolicy(
-      new import_aws_iam3.PolicyStatement({
-        effect: import_aws_iam3.Effect.ALLOW,
+      new import_aws_iam7.PolicyStatement({
+        effect: import_aws_iam7.Effect.ALLOW,
         actions: [...dynamoActions],
         resources: [`${dataStoreTable.tableArn}/index/*`]
       })
     );
     lambda.addToRolePolicy(
-      new import_aws_iam3.PolicyStatement({
-        effect: import_aws_iam3.Effect.ALLOW,
+      new import_aws_iam7.PolicyStatement({
+        effect: import_aws_iam7.Effect.ALLOW,
         actions: [
           "ssm:GetParameter",
           "ssm:GetParameters",
@@ -2350,7 +4591,7 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
     const userPool = OpenHiAuthService.userPoolFromConstruct(this);
     const userPoolClient = OpenHiAuthService.userPoolClientFromConstruct(this);
     const userPoolClients = [userPoolClient];
-    if (this.ohEnv.ohStage.stageType !== import_config5.OPEN_HI_STAGE.PROD) {
+    if (this.ohEnv.ohStage.stageType !== import_config6.OPEN_HI_STAGE.PROD) {
       userPoolClients.push(
         OpenHiAuthService.fixtureSeederClientFromConstruct(this)
       );
@@ -2440,6 +4681,10 @@ _OpenHiGraphqlService.SERVICE_TYPE = "graphql-api";
 var OpenHiGraphqlService = _OpenHiGraphqlService;
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
+  BRIDGED_STATUSES,
+  CLOUDFORMATION_EVENT_SOURCE,
+  CLOUDFORMATION_STACK_STATUS_CHANGE_DETAIL_TYPE,
+  CONTROL_EVENT_BUS_NAME_ENV_VAR,
   ChildHostedZone,
   CognitoFixtureSeederClient,
   CognitoUserPool,
@@ -2450,11 +4695,22 @@ var OpenHiGraphqlService = _OpenHiGraphqlService;
   DATA_STORE_CHANGE_DETAIL_MAX_UTF8_BYTES,
   DATA_STORE_CHANGE_DETAIL_TYPE,
   DATA_STORE_CHANGE_EVENT_SOURCE,
+  DEMO_PERIOD,
+  DEMO_TENANT_SPECS,
+  DEMO_URN_SYSTEM,
+  DEV_USERS,
   DataEventBus,
   DataStoreHistoricalArchive,
   DataStorePostgresReplica,
   DiscoverableStringParameter,
   DynamoDbDataStore,
+  OPENHI_REPO_TAG_KEY_ENV_VAR,
+  OPENHI_RESOURCE_URN_SYSTEM,
+  OPENHI_TAG_KEY_PREFIX_ENV_VAR,
+  OPENHI_TAG_SUFFIX_BRANCH_NAME,
+  OPENHI_TAG_SUFFIX_REPO_NAME,
+  OPENHI_TAG_SUFFIX_SERVICE_TYPE,
+  OPENHI_TAG_SUFFIX_STAGE_TYPE,
   OpenHiApp,
   OpenHiAuthService,
   OpenHiDataService,
@@ -2465,10 +4721,17 @@ var OpenHiGraphqlService = _OpenHiGraphqlService;
   OpenHiService,
   OpenHiStage,
   OpsEventBus,
+  PLACEHOLDER_TENANT_ID,
+  PLACEHOLDER_WORKSPACE_ID,
+  PLATFORM_DEPLOY_BRIDGE_ACTOR_SYSTEM,
+  PLATFORM_SCOPE_TENANT_ID,
   POSTGRES_REPLICA_CLUSTER_ARN_SSM_NAME,
   POSTGRES_REPLICA_DATABASE_NAME_SSM_NAME,
   POSTGRES_REPLICA_SECRET_ARN_SSM_NAME,
   PROVISION_DEFAULT_WORKSPACE_DETAIL_TYPE,
+  PlatformDeployBridge,
+  PlatformDeployBridgeLambda,
+  PlatformDeploymentCompletedV1,
   PostAuthenticationLambda,
   PostConfirmationLambda,
   PreTokenGenerationLambda,
@@ -2478,13 +4741,39 @@ var OpenHiGraphqlService = _OpenHiGraphqlService;
   RootHostedZone,
   RootHttpApi,
   RootWildcardCertificate,
+  SEED_DEMO_DATA_CONSUMER_NAME,
+  SEED_SYSTEM_DATA_ACTOR_SYSTEM,
+  SEED_SYSTEM_DATA_CONSUMER_NAME,
+  SEED_SYSTEM_DATA_CONTROL_BUS_ENV_VAR,
   STATIC_HOSTING_SERVICE_TYPE,
+  SeedDemoDataLambda,
+  SeedDemoDataWorkflow,
+  SeedSystemDataLambda,
+  SeedSystemDataWorkflow,
   StaticHosting,
   USER_ONBOARDING_EVENT_SOURCE,
   UserOnboardingWorkflow,
+  WorkflowDedupConsumerNameInvalidError,
+  WorkflowDedupTable,
+  WorkflowDedupTableDuplicateError,
   buildFhirCurrentResourceChangeDetail,
   buildProvisionDefaultWorkspaceRequestedDetail,
+  demoBasePartitionKeys,
+  demoDevUserPartitionKeys,
+  demoMembershipId,
+  demoMembershipPartitionKey,
+  demoRoleAssignmentId,
+  demoRoleAssignmentPartitionKey,
+  demoRolesForUserInTenant,
+  demoScenarioIdentifier,
+  demoTenantPartitionKey,
+  demoUserPartitionKey,
+  demoWorkspacePartitionKey,
   getDynamoDbDataStoreTableName,
-  getPostgresReplicaSchemaName
+  getPostgresReplicaSchemaName,
+  getWorkflowDedupTableName,
+  openHiTagKey,
+  openhiResourceIdentifier,
+  rolePartitionKey
 });
 //# sourceMappingURL=index.js.map