@openhi/constructs 0.0.105 → 0.0.106

package/lib/seed-demo-data.handler.js

@@ -0,0 +1,2037 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __commonJS = (cb, mod) => function __require() {
+  return mod || (0, cb[__getOwnPropNames(cb)[0]])((mod = { exports: {} }).exports, mod), mod.exports;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// ../workflows/lib/envelope-version.js
+var require_envelope_version = __commonJS({
+  "../workflows/lib/envelope-version.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.ENVELOPE_VERSION = void 0;
+    exports2.isSupportedEnvelopeVersion = isSupportedEnvelopeVersion;
+    exports2.ENVELOPE_VERSION = "1.0";
+    var ENVELOPE_VERSION_PATTERN = /^\d+\.\d+$/;
+    var MIN_SUPPORTED_MAJOR = 1;
+    var MAX_SUPPORTED_MAJOR = 1;
+    function isSupportedEnvelopeVersion(version) {
+      if (!ENVELOPE_VERSION_PATTERN.test(version)) {
+        return false;
+      }
+      const major = Number.parseInt(version.split(".")[0], 10);
+      return major >= MIN_SUPPORTED_MAJOR && major <= MAX_SUPPORTED_MAJOR;
+    }
+  }
+});
+
+// ../workflows/lib/envelope.js
+var require_envelope = __commonJS({
+  "../workflows/lib/envelope.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.MissingActorContextError = void 0;
+    exports2.isWorkflowUserActor = isWorkflowUserActor;
+    exports2.isWorkflowSystemActor = isWorkflowSystemActor;
+    exports2.workflowUserActorFromClaims = workflowUserActorFromClaims;
+    function isWorkflowUserActor(actor) {
+      return actor.ohi_uid !== void 0;
+    }
+    function isWorkflowSystemActor(actor) {
+      return actor.system !== void 0;
+    }
+    function workflowUserActorFromClaims(claims) {
+      if (claims.ohi_tid === void 0 || claims.ohi_wid === void 0) {
+        throw new MissingActorContextError("workflowUserActorFromClaims: ohi_tid and ohi_wid are required on the workflow user-actor; the caller's JWT is missing one or both. Use a system-actor for pre-provisioning bootstrap workflows.");
+      }
+      return {
+        ohi_tid: claims.ohi_tid,
+        ohi_wid: claims.ohi_wid,
+        ohi_uid: claims.ohi_uid,
+        ohi_uname: claims.ohi_uname
+      };
+    }
+    var MissingActorContextError = class extends Error {
+      /** @param message - human-readable description of the missing claim. */
+      constructor(message) {
+        super(message);
+        this.name = "MissingActorContextError";
+      }
+    };
+    exports2.MissingActorContextError = MissingActorContextError;
+  }
+});
+
+// ../workflows/lib/sources.js
+var require_sources = __commonJS({
+  "../workflows/lib/sources.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.DEFAULT_BUS_NAME_BY_SOURCE = exports2.OPENHI_OPS_SOURCE = exports2.OPENHI_DATA_SOURCE = exports2.OPENHI_CONTROL_SOURCE = void 0;
+    exports2.OPENHI_CONTROL_SOURCE = "openhi.control";
+    exports2.OPENHI_DATA_SOURCE = "openhi.data";
+    exports2.OPENHI_OPS_SOURCE = "openhi.ops";
+    exports2.DEFAULT_BUS_NAME_BY_SOURCE = {
+      [exports2.OPENHI_CONTROL_SOURCE]: "openhi-control-event-bus",
+      [exports2.OPENHI_DATA_SOURCE]: "openhi-data-event-bus",
+      [exports2.OPENHI_OPS_SOURCE]: "openhi-ops-event-bus"
+    };
+  }
+});
+
+// ../workflows/lib/detail-types/registry.js
+var require_registry = __commonJS({
+  "../workflows/lib/detail-types/registry.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.InvalidDetailTypeRegistrationError = void 0;
+    exports2.defineDetailType = defineDetailType;
+    exports2.isWellFormedDetailType = isWellFormedDetailType;
+    function defineDetailType(entry) {
+      if (!isWellFormedDetailType(entry.detailType)) {
+        throw new InvalidDetailTypeRegistrationError(`Detail-type "${entry.detailType}" does not match the platform-wide format <area>.<event>.v<integer>. See TR-016 \xA7Open Items #2.`);
+      }
+      return entry;
+    }
+    var DETAIL_TYPE_PATTERN = /^[a-z0-9]+(?:-[a-z0-9]+)*\.[a-z0-9]+(?:-[a-z0-9]+)*\.v\d+$/;
+    function isWellFormedDetailType(detailType) {
+      return DETAIL_TYPE_PATTERN.test(detailType);
+    }
+    var InvalidDetailTypeRegistrationError = class extends Error {
+      /** @param message - human-readable description of the violation. */
+      constructor(message) {
+        super(message);
+        this.name = "InvalidDetailTypeRegistrationError";
+      }
+    };
+    exports2.InvalidDetailTypeRegistrationError = InvalidDetailTypeRegistrationError;
+  }
+});
+
+// ../workflows/lib/detail-types/platform.js
+var require_platform = __commonJS({
+  "../workflows/lib/detail-types/platform.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.PlatformSystemDataSeededV1 = exports2.PlatformDeploymentCompletedV1 = void 0;
+    var sources_1 = require_sources();
+    var registry_1 = require_registry();
+    exports2.PlatformDeploymentCompletedV1 = (0, registry_1.defineDetailType)({
+      detailType: "platform.deployment-completed.v1",
+      source: sources_1.OPENHI_CONTROL_SOURCE,
+      dedupRequired: true
+    });
+    exports2.PlatformSystemDataSeededV1 = (0, registry_1.defineDetailType)({
+      detailType: "platform.system-data-seeded.v1",
+      source: sources_1.OPENHI_CONTROL_SOURCE,
+      dedupRequired: true
+    });
+  }
+});
+
+// ../workflows/lib/detail-types/index.js
+var require_detail_types = __commonJS({
+  "../workflows/lib/detail-types/index.js"(exports2) {
+    "use strict";
+    var __createBinding = exports2 && exports2.__createBinding || (Object.create ? (function(o, m, k, k2) {
+      if (k2 === void 0) k2 = k;
+      var desc = Object.getOwnPropertyDescriptor(m, k);
+      if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+        desc = { enumerable: true, get: function() {
+          return m[k];
+        } };
+      }
+      Object.defineProperty(o, k2, desc);
+    }) : (function(o, m, k, k2) {
+      if (k2 === void 0) k2 = k;
+      o[k2] = m[k];
+    }));
+    var __exportStar = exports2 && exports2.__exportStar || function(m, exports3) {
+      for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports3, p)) __createBinding(exports3, m, p);
+    };
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    __exportStar(require_platform(), exports2);
+    __exportStar(require_registry(), exports2);
+  }
+});
+
+// ../workflows/lib/publisher.js
+var require_publisher = __commonJS({
+  "../workflows/lib/publisher.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.WorkflowPublishError = void 0;
+    exports2.workflowsClient = workflowsClient;
+    exports2.publishWorkflowEvent = publishWorkflowEvent;
+    var node_crypto_1 = require("crypto");
+    var client_eventbridge_1 = require("@aws-sdk/client-eventbridge");
+    var envelope_version_1 = require_envelope_version();
+    var sources_1 = require_sources();
+    function workflowsClient(bridge, options = {}) {
+      return {
+        publish: (entry, payload, ctx) => publishWorkflowEvent(bridge, entry, payload, ctx, options)
+      };
+    }
+    async function publishWorkflowEvent(bridge, entry, payload, ctx, options = {}) {
+      const eventIdGenerator = options.eventIdGenerator ?? (() => (0, node_crypto_1.randomUUID)());
+      const correlationIdGenerator = options.correlationIdGenerator ?? (() => (0, node_crypto_1.randomUUID)());
+      const now = options.now ?? (() => /* @__PURE__ */ new Date());
+      const envelope = {
+        eventId: eventIdGenerator(),
+        attempt: 1,
+        correlationId: ctx.correlationId ?? correlationIdGenerator(),
+        causationId: ctx.causationId ?? null,
+        actor: ctx.actor,
+        occurredAt: now().toISOString(),
+        envelopeVersion: envelope_version_1.ENVELOPE_VERSION,
+        payload
+      };
+      const busName = options.busNameByPlane?.[entry.source] ?? sources_1.DEFAULT_BUS_NAME_BY_SOURCE[entry.source];
+      const result = await bridge.send(new client_eventbridge_1.PutEventsCommand({
+        Entries: [
+          {
+            EventBusName: busName,
+            Source: entry.source,
+            DetailType: entry.detailType,
+            Detail: JSON.stringify(envelope)
+          }
+        ]
+      }));
+      if ((result.FailedEntryCount ?? 0) > 0) {
+        const first = result.Entries?.[0];
+        throw new WorkflowPublishError(`EventBridge rejected ${entry.detailType} publish on bus ${busName}: ${first?.ErrorCode ?? "unknown"} \u2014 ${first?.ErrorMessage ?? "no error message"}`);
+      }
+      return { eventId: envelope.eventId };
+    }
+    var WorkflowPublishError = class extends Error {
+      /** @param message - human-readable description of the failed publish. */
+      constructor(message) {
+        super(message);
+        this.name = "WorkflowPublishError";
+      }
+    };
+    exports2.WorkflowPublishError = WorkflowPublishError;
+  }
+});
+
+// ../workflows/lib/consumer.js
+var require_consumer = __commonJS({
+  "../workflows/lib/consumer.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.UnsupportedEnvelopeVersionError = exports2.InvalidWorkflowEventError = void 0;
+    exports2.parseWorkflowEvent = parseWorkflowEvent2;
+    var envelope_version_1 = require_envelope_version();
+    function parseWorkflowEvent2(event, expected) {
+      if (event.source !== expected.source) {
+        throw new InvalidWorkflowEventError(`EventBridge source "${event.source}" does not match expected detail-type's source "${expected.source}".`);
+      }
+      if (event["detail-type"] !== expected.detailType) {
+        throw new InvalidWorkflowEventError(`EventBridge detail-type "${event["detail-type"]}" does not match expected "${expected.detailType}".`);
+      }
+      const candidate = asEnvelopeCandidate(event.detail);
+      if (!(0, envelope_version_1.isSupportedEnvelopeVersion)(candidate.envelopeVersion)) {
+        throw new UnsupportedEnvelopeVersionError(`Envelope version "${candidate.envelopeVersion}" is outside the SDK's supported range.`);
+      }
+      const envelope = {
+        eventId: candidate.eventId,
+        attempt: candidate.attempt,
+        correlationId: candidate.correlationId,
+        causationId: candidate.causationId,
+        actor: candidate.actor,
+        occurredAt: candidate.occurredAt,
+        envelopeVersion: candidate.envelopeVersion,
+        payload: candidate.payload
+      };
+      return {
+        envelope,
+        dedupKey: { eventId: envelope.eventId, attempt: envelope.attempt }
+      };
+    }
+    function asEnvelopeCandidate(detail) {
+      if (detail === null || typeof detail !== "object") {
+        throw new InvalidWorkflowEventError("EventBridge detail is not a non-null object.");
+      }
+      const obj = detail;
+      assertString(obj, "eventId");
+      assertPositiveInteger(obj, "attempt");
+      assertString(obj, "correlationId");
+      assertCausationId(obj);
+      assertActor(obj);
+      assertString(obj, "occurredAt");
+      assertString(obj, "envelopeVersion");
+      if (!("payload" in obj)) {
+        throw new InvalidWorkflowEventError("Envelope is missing required field: payload.");
+      }
+      return obj;
+    }
+    function assertString(obj, field) {
+      const value = obj[field];
+      if (typeof value !== "string" || value.length === 0) {
+        throw new InvalidWorkflowEventError(`Envelope field "${field}" must be a non-empty string.`);
+      }
+    }
+    function assertPositiveInteger(obj, field) {
+      const value = obj[field];
+      if (typeof value !== "number" || !Number.isInteger(value) || value < 1) {
+        throw new InvalidWorkflowEventError(`Envelope field "${field}" must be a 1-indexed integer.`);
+      }
+    }
+    function assertCausationId(obj) {
+      if (!("causationId" in obj)) {
+        throw new InvalidWorkflowEventError("Envelope is missing required field: causationId.");
+      }
+      const value = obj.causationId;
+      if (value !== null && (typeof value !== "string" || value.length === 0)) {
+        throw new InvalidWorkflowEventError('Envelope field "causationId" must be a non-empty string or null.');
+      }
+    }
+    function assertActor(obj) {
+      const actor = obj.actor;
+      if (actor === null || typeof actor !== "object") {
+        throw new InvalidWorkflowEventError('Envelope field "actor" must be an object.');
+      }
+      const actorObj = actor;
+      const isUserActor = typeof actorObj.ohi_uid === "string" && typeof actorObj.ohi_uname === "string" && typeof actorObj.ohi_tid === "string" && typeof actorObj.ohi_wid === "string";
+      const isSystemActor = typeof actorObj.system === "string";
+      if (!isUserActor && !isSystemActor) {
+        throw new InvalidWorkflowEventError('Envelope field "actor" must be either a user-actor (ohi_tid, ohi_wid, ohi_uid, ohi_uname) or a system-actor ({ system: string }).');
+      }
+    }
+    var InvalidWorkflowEventError = class extends Error {
+      /** @param message - human-readable description of the validation failure. */
+      constructor(message) {
+        super(message);
+        this.name = "InvalidWorkflowEventError";
+      }
+    };
+    exports2.InvalidWorkflowEventError = InvalidWorkflowEventError;
+    var UnsupportedEnvelopeVersionError = class extends Error {
+      /** @param message - human-readable description of the unsupported version. */
+      constructor(message) {
+        super(message);
+        this.name = "UnsupportedEnvelopeVersionError";
+      }
+    };
+    exports2.UnsupportedEnvelopeVersionError = UnsupportedEnvelopeVersionError;
+  }
+});
+
+// ../workflows/lib/dedup/env.js
+var require_env = __commonJS({
+  "../workflows/lib/dedup/env.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH = exports2.WORKFLOW_DEDUP_DEFAULT_TTL_SECONDS = exports2.WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR = void 0;
+    exports2.WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR = "OPENHI_WORKFLOW_DEDUP_TABLE_NAME";
+    exports2.WORKFLOW_DEDUP_DEFAULT_TTL_SECONDS = 14 * 24 * 60 * 60;
+    exports2.WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH = 64;
+  }
+});
+
+// ../workflows/lib/dedup/workflow-dedup-client.js
+var require_workflow_dedup_client = __commonJS({
+  "../workflows/lib/dedup/workflow-dedup-client.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.WorkflowDedupInvalidInputError = exports2.WorkflowDedupTableNameMissingError = void 0;
+    exports2.workflowDedupClient = workflowDedupClient2;
+    exports2.recordIfAbsent = recordIfAbsent;
+    exports2.markFailed = markFailed;
+    exports2.encodeSortKey = encodeSortKey;
+    var client_dynamodb_1 = require("@aws-sdk/client-dynamodb");
+    var env_1 = require_env();
+    function workflowDedupClient2(dynamodb, options = {}) {
+      return {
+        recordIfAbsent: (input) => recordIfAbsent(dynamodb, input, options),
+        markFailed: (input) => markFailed(dynamodb, input, options)
+      };
+    }
+    async function recordIfAbsent(dynamodb, input, options = {}) {
+      assertConsumerName(input.consumerName);
+      assertPositiveInteger(input.attempt, "attempt");
+      const ttlSeconds = input.ttlSeconds ?? options.defaultTtlSeconds ?? env_1.WORKFLOW_DEDUP_DEFAULT_TTL_SECONDS;
+      if (!Number.isInteger(ttlSeconds) || ttlSeconds <= 0) {
+        throw new WorkflowDedupInvalidInputError(`ttlSeconds must be a positive integer; got ${ttlSeconds}.`);
+      }
+      const tableName = resolveTableName(options.tableName);
+      const now = (options.now ?? defaultNow)();
+      const sk = encodeSortKey(input.eventId, input.attempt);
+      const expiresAt = Math.floor(now.getTime() / 1e3) + ttlSeconds;
+      try {
+        await dynamodb.send(new client_dynamodb_1.PutItemCommand({
+          TableName: tableName,
+          Item: {
+            consumerName: { S: input.consumerName },
+            sk: { S: sk },
+            eventId: { S: input.eventId },
+            attempt: { N: String(input.attempt) },
+            recordedAt: { S: now.toISOString() },
+            expiresAt: { N: String(expiresAt) }
+          },
+          ConditionExpression: "attribute_not_exists(consumerName) AND attribute_not_exists(sk)"
+        }));
+        return { recorded: true };
+      } catch (err) {
+        if (err instanceof client_dynamodb_1.ConditionalCheckFailedException) {
+          return { recorded: false, alreadyProcessed: true };
+        }
+        throw err;
+      }
+    }
+    async function markFailed(dynamodb, input, options = {}) {
+      assertConsumerName(input.consumerName);
+      assertPositiveInteger(input.attempt, "attempt");
+      if (input.reason.length === 0) {
+        throw new WorkflowDedupInvalidInputError("reason must be non-empty.");
+      }
+      const tableName = resolveTableName(options.tableName);
+      const now = (options.now ?? defaultNow)();
+      const sk = encodeSortKey(input.eventId, input.attempt);
+      await dynamodb.send(new client_dynamodb_1.UpdateItemCommand({
+        TableName: tableName,
+        Key: {
+          consumerName: { S: input.consumerName },
+          sk: { S: sk }
+        },
+        UpdateExpression: "SET #failed = :failed, #failureReason = :reason, #failedAt = :failedAt",
+        ExpressionAttributeNames: {
+          "#failed": "failed",
+          "#failureReason": "failureReason",
+          "#failedAt": "failedAt"
+        },
+        ExpressionAttributeValues: {
+          ":failed": { BOOL: true },
+          ":reason": { S: input.reason },
+          ":failedAt": { S: now.toISOString() }
+        }
+      }));
+    }
+    function encodeSortKey(eventId, attempt) {
+      if (eventId.length === 0) {
+        throw new WorkflowDedupInvalidInputError("eventId must be non-empty.");
+      }
+      return `${eventId}#${attempt}`;
+    }
+    function resolveTableName(explicit) {
+      const name = explicit ?? process.env[env_1.WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR];
+      if (!name) {
+        throw new WorkflowDedupTableNameMissingError(`Workflow dedup table name not set. Pass options.tableName or set ${env_1.WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR}.`);
+      }
+      return name;
+    }
+    function assertConsumerName(consumerName) {
+      if (consumerName.length === 0) {
+        throw new WorkflowDedupInvalidInputError("consumerName must be non-empty.");
+      }
+      if (consumerName.length > env_1.WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH) {
+        throw new WorkflowDedupInvalidInputError(`consumerName must be \u2264${env_1.WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH} chars; got ${consumerName.length}.`);
+      }
+      if (/\s/.test(consumerName)) {
+        throw new WorkflowDedupInvalidInputError("consumerName must not contain whitespace.");
+      }
+    }
+    function assertPositiveInteger(value, field) {
+      if (!Number.isInteger(value) || value < 1) {
+        throw new WorkflowDedupInvalidInputError(`${field} must be a 1-indexed integer; got ${value}.`);
+      }
+    }
+    function defaultNow() {
+      return /* @__PURE__ */ new Date();
+    }
+    var WorkflowDedupTableNameMissingError = class extends Error {
+      /** @param message - human-readable description. */
+      constructor(message) {
+        super(message);
+        this.name = "WorkflowDedupTableNameMissingError";
+      }
+    };
+    exports2.WorkflowDedupTableNameMissingError = WorkflowDedupTableNameMissingError;
+    var WorkflowDedupInvalidInputError = class extends Error {
+      /** @param message - human-readable description. */
+      constructor(message) {
+        super(message);
+        this.name = "WorkflowDedupInvalidInputError";
+      }
+    };
+    exports2.WorkflowDedupInvalidInputError = WorkflowDedupInvalidInputError;
+  }
+});
+
+// ../workflows/lib/dedup/index.js
+var require_dedup = __commonJS({
+  "../workflows/lib/dedup/index.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.workflowDedupClient = exports2.recordIfAbsent = exports2.markFailed = exports2.encodeSortKey = exports2.WorkflowDedupTableNameMissingError = exports2.WorkflowDedupInvalidInputError = exports2.WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR = exports2.WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH = exports2.WORKFLOW_DEDUP_DEFAULT_TTL_SECONDS = void 0;
+    var env_1 = require_env();
+    Object.defineProperty(exports2, "WORKFLOW_DEDUP_DEFAULT_TTL_SECONDS", { enumerable: true, get: function() {
+      return env_1.WORKFLOW_DEDUP_DEFAULT_TTL_SECONDS;
+    } });
+    Object.defineProperty(exports2, "WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH", { enumerable: true, get: function() {
+      return env_1.WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH;
+    } });
+    Object.defineProperty(exports2, "WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR", { enumerable: true, get: function() {
+      return env_1.WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR;
+    } });
+    var workflow_dedup_client_1 = require_workflow_dedup_client();
+    Object.defineProperty(exports2, "WorkflowDedupInvalidInputError", { enumerable: true, get: function() {
+      return workflow_dedup_client_1.WorkflowDedupInvalidInputError;
+    } });
+    Object.defineProperty(exports2, "WorkflowDedupTableNameMissingError", { enumerable: true, get: function() {
+      return workflow_dedup_client_1.WorkflowDedupTableNameMissingError;
+    } });
+    Object.defineProperty(exports2, "encodeSortKey", { enumerable: true, get: function() {
+      return workflow_dedup_client_1.encodeSortKey;
+    } });
+    Object.defineProperty(exports2, "markFailed", { enumerable: true, get: function() {
+      return workflow_dedup_client_1.markFailed;
+    } });
+    Object.defineProperty(exports2, "recordIfAbsent", { enumerable: true, get: function() {
+      return workflow_dedup_client_1.recordIfAbsent;
+    } });
+    Object.defineProperty(exports2, "workflowDedupClient", { enumerable: true, get: function() {
+      return workflow_dedup_client_1.workflowDedupClient;
+    } });
+  }
+});
+
+// ../workflows/lib/index.js
+var require_lib = __commonJS({
+  "../workflows/lib/index.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.workflowDedupClient = exports2.recordIfAbsent = exports2.markFailed = exports2.encodeSortKey = exports2.WorkflowDedupTableNameMissingError = exports2.WorkflowDedupInvalidInputError = exports2.WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR = exports2.WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH = exports2.WORKFLOW_DEDUP_DEFAULT_TTL_SECONDS = exports2.parseWorkflowEvent = exports2.UnsupportedEnvelopeVersionError = exports2.InvalidWorkflowEventError = exports2.workflowsClient = exports2.publishWorkflowEvent = exports2.WorkflowPublishError = exports2.isWellFormedDetailType = exports2.defineDetailType = exports2.PlatformSystemDataSeededV1 = exports2.PlatformDeploymentCompletedV1 = exports2.InvalidDetailTypeRegistrationError = exports2.OPENHI_OPS_SOURCE = exports2.OPENHI_DATA_SOURCE = exports2.OPENHI_CONTROL_SOURCE = exports2.DEFAULT_BUS_NAME_BY_SOURCE = exports2.workflowUserActorFromClaims = exports2.isWorkflowUserActor = exports2.isWorkflowSystemActor = exports2.MissingActorContextError = exports2.isSupportedEnvelopeVersion = exports2.ENVELOPE_VERSION = void 0;
+    var envelope_version_1 = require_envelope_version();
+    Object.defineProperty(exports2, "ENVELOPE_VERSION", { enumerable: true, get: function() {
+      return envelope_version_1.ENVELOPE_VERSION;
+    } });
+    Object.defineProperty(exports2, "isSupportedEnvelopeVersion", { enumerable: true, get: function() {
+      return envelope_version_1.isSupportedEnvelopeVersion;
+    } });
+    var envelope_1 = require_envelope();
+    Object.defineProperty(exports2, "MissingActorContextError", { enumerable: true, get: function() {
+      return envelope_1.MissingActorContextError;
+    } });
+    Object.defineProperty(exports2, "isWorkflowSystemActor", { enumerable: true, get: function() {
+      return envelope_1.isWorkflowSystemActor;
+    } });
+    Object.defineProperty(exports2, "isWorkflowUserActor", { enumerable: true, get: function() {
+      return envelope_1.isWorkflowUserActor;
+    } });
+    Object.defineProperty(exports2, "workflowUserActorFromClaims", { enumerable: true, get: function() {
+      return envelope_1.workflowUserActorFromClaims;
+    } });
+    var sources_1 = require_sources();
+    Object.defineProperty(exports2, "DEFAULT_BUS_NAME_BY_SOURCE", { enumerable: true, get: function() {
+      return sources_1.DEFAULT_BUS_NAME_BY_SOURCE;
+    } });
+    Object.defineProperty(exports2, "OPENHI_CONTROL_SOURCE", { enumerable: true, get: function() {
+      return sources_1.OPENHI_CONTROL_SOURCE;
+    } });
+    Object.defineProperty(exports2, "OPENHI_DATA_SOURCE", { enumerable: true, get: function() {
+      return sources_1.OPENHI_DATA_SOURCE;
+    } });
+    Object.defineProperty(exports2, "OPENHI_OPS_SOURCE", { enumerable: true, get: function() {
+      return sources_1.OPENHI_OPS_SOURCE;
+    } });
+    var detail_types_1 = require_detail_types();
+    Object.defineProperty(exports2, "InvalidDetailTypeRegistrationError", { enumerable: true, get: function() {
+      return detail_types_1.InvalidDetailTypeRegistrationError;
+    } });
+    Object.defineProperty(exports2, "PlatformDeploymentCompletedV1", { enumerable: true, get: function() {
+      return detail_types_1.PlatformDeploymentCompletedV1;
+    } });
+    Object.defineProperty(exports2, "PlatformSystemDataSeededV1", { enumerable: true, get: function() {
+      return detail_types_1.PlatformSystemDataSeededV1;
+    } });
+    Object.defineProperty(exports2, "defineDetailType", { enumerable: true, get: function() {
+      return detail_types_1.defineDetailType;
+    } });
+    Object.defineProperty(exports2, "isWellFormedDetailType", { enumerable: true, get: function() {
+      return detail_types_1.isWellFormedDetailType;
+    } });
+    var publisher_1 = require_publisher();
+    Object.defineProperty(exports2, "WorkflowPublishError", { enumerable: true, get: function() {
+      return publisher_1.WorkflowPublishError;
+    } });
+    Object.defineProperty(exports2, "publishWorkflowEvent", { enumerable: true, get: function() {
+      return publisher_1.publishWorkflowEvent;
+    } });
+    Object.defineProperty(exports2, "workflowsClient", { enumerable: true, get: function() {
+      return publisher_1.workflowsClient;
+    } });
+    var consumer_1 = require_consumer();
+    Object.defineProperty(exports2, "InvalidWorkflowEventError", { enumerable: true, get: function() {
+      return consumer_1.InvalidWorkflowEventError;
+    } });
+    Object.defineProperty(exports2, "UnsupportedEnvelopeVersionError", { enumerable: true, get: function() {
+      return consumer_1.UnsupportedEnvelopeVersionError;
+    } });
+    Object.defineProperty(exports2, "parseWorkflowEvent", { enumerable: true, get: function() {
+      return consumer_1.parseWorkflowEvent;
+    } });
+    var dedup_1 = require_dedup();
+    Object.defineProperty(exports2, "WORKFLOW_DEDUP_DEFAULT_TTL_SECONDS", { enumerable: true, get: function() {
+      return dedup_1.WORKFLOW_DEDUP_DEFAULT_TTL_SECONDS;
+    } });
+    Object.defineProperty(exports2, "WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH", { enumerable: true, get: function() {
+      return dedup_1.WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH;
+    } });
+    Object.defineProperty(exports2, "WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR", { enumerable: true, get: function() {
+      return dedup_1.WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR;
+    } });
+    Object.defineProperty(exports2, "WorkflowDedupInvalidInputError", { enumerable: true, get: function() {
+      return dedup_1.WorkflowDedupInvalidInputError;
+    } });
+    Object.defineProperty(exports2, "WorkflowDedupTableNameMissingError", { enumerable: true, get: function() {
+      return dedup_1.WorkflowDedupTableNameMissingError;
+    } });
+    Object.defineProperty(exports2, "encodeSortKey", { enumerable: true, get: function() {
+      return dedup_1.encodeSortKey;
+    } });
+    Object.defineProperty(exports2, "markFailed", { enumerable: true, get: function() {
+      return dedup_1.markFailed;
+    } });
+    Object.defineProperty(exports2, "recordIfAbsent", { enumerable: true, get: function() {
+      return dedup_1.recordIfAbsent;
+    } });
+    Object.defineProperty(exports2, "workflowDedupClient", { enumerable: true, get: function() {
+      return dedup_1.workflowDedupClient;
+    } });
+  }
+});
+
+// src/workflows/control-plane/seed-demo-data/seed-demo-data.handler.ts
+var seed_demo_data_handler_exports = {};
+__export(seed_demo_data_handler_exports, {
+  SEED_DEMO_DATA_USER_POOL_ID_ENV_VAR: () => SEED_DEMO_DATA_USER_POOL_ID_ENV_VAR,
+  devPasswordForEmail: () => devPasswordForEmail,
+  handler: () => handler,
+  productionCognitoProvisioner: () => productionCognitoProvisioner,
+  runSeedDemoData: () => runSeedDemoData,
+  seedDemoGraph: () => seedDemoGraph
+});
+module.exports = __toCommonJS(seed_demo_data_handler_exports);
+var import_node_crypto = require("crypto");
+var import_client_cognito_identity_provider = require("@aws-sdk/client-cognito-identity-provider");
+var import_client_dynamodb2 = require("@aws-sdk/client-dynamodb");
+var import_types7 = require("@openhi/types");
+var import_workflows2 = __toESM(require_lib());
+
+// src/workflows/control-plane/seed-demo-data/events.ts
+var import_types = require("@openhi/types");
+var import_workflows = __toESM(require_lib());
+var SEED_DEMO_DATA_CONSUMER_NAME = "seed-demo-data";
+var DEMO_URN_SYSTEM = "urn:openhi:demo";
+var OPENHI_RESOURCE_URN_SYSTEM = "http://openhi.org/";
+var DEMO_PERIOD = { start: "2026-01-01T00:00:00Z" };
+var PLATFORM_SCOPE_TENANT_ID = "platform";
+var PLACEHOLDER_TENANT_ID = "placeholder-tenant-id";
+var PLACEHOLDER_WORKSPACE_ID = "placeholder-workspace-id";
+var DEV_USERS = [
+  { id: "dev-russell", email: "russell@codedrifters.com" },
+  { id: "dev-cameron", email: "cameron@codedrifters.com" },
+  { id: "dev-neelima", email: "neelima@codedrifters.com" },
+  { id: "dev-garon", email: "garon@codedrifters.com" },
+  { id: "dev-dave", email: "dave@codedrifters.com" },
+  { id: "dev-drew", email: "drew@codedrifters.com" },
+  { id: "dev-jessica", email: "jessica@codedrifters.com" },
+  { id: "dev-jared", email: "jared@codedrifters.com" },
+  { id: "dev-goddess", email: "goddess@codedrifters.com" }
+];
+var DEMO_TENANT_SPECS = [
+  {
+    scenario: "placeholder",
+    tenantId: PLACEHOLDER_TENANT_ID,
+    tenantName: "OpenHI Placeholder Tenant",
+    workspaces: [
+      {
+        id: PLACEHOLDER_WORKSPACE_ID,
+        name: "OpenHI Placeholder Workspace",
+        roleSuffix: "workspace"
+      }
+    ]
+  },
+  {
+    scenario: "demo-wound-care",
+    tenantId: "demo-wound-care-tenant",
+    tenantName: "Cedarbrook Wound Healing Institute",
+    workspaces: [
+      {
+        id: "demo-wound-care-workspace",
+        name: "Cedarbrook Outpatient Wound Clinic",
+        roleSuffix: "workspace"
+      }
+    ]
+  },
+  {
+    scenario: "demo-primary-care",
+    tenantId: "demo-primary-care-tenant",
+    tenantName: "Maple Ridge Family Medicine",
+    workspaces: [
+      {
+        id: "demo-primary-care-workspace",
+        name: "Maple Ridge Main Street Office",
+        roleSuffix: "workspace"
+      }
+    ]
+  },
+  {
+    scenario: "demo-mixed",
+    tenantId: "demo-mixed-tenant",
+    tenantName: "Northbridge Health Network",
+    workspaces: [
+      {
+        id: "demo-mixed-workspace-wound-care",
+        name: "Northbridge Wound Care Center",
+        roleSuffix: "workspace-wound-care"
+      },
+      {
+        id: "demo-mixed-workspace-primary-care",
+        name: "Northbridge Family Practice",
+        roleSuffix: "workspace-primary-care"
+      }
+    ]
+  }
+];
+var demoMembershipId = (devUserId, tenantId) => `demo-membership-${devUserId}-${tenantId}`;
+var demoRoleAssignmentId = (devUserId, tenantId, roleCode) => `demo-roleassignment-${devUserId}-${tenantId}-${roleCode}`;
+var demoScenarioIdentifier = (scenario, roleSuffix) => ({
+  system: DEMO_URN_SYSTEM,
+  value: `${scenario}:${roleSuffix}`
+});
+var openhiResourceIdentifier = (params) => ({
+  use: "unversioned",
+  system: OPENHI_RESOURCE_URN_SYSTEM,
+  value: `urn:ohi:${params.tenantId}:${params.workspaceId}:${params.resourceType}:${params.id}`
+});
+var demoRolesForUserInTenant = (_user, _tenantId) => {
+  void _user;
+  void _tenantId;
+  return [import_types.CONTROL_PLANE_ROLE_CODE.TENANT_ADMIN];
+};
+
+// src/data/dynamo/dynamo-control-service.ts
+var import_electrodb8 = require("electrodb");
+
+// src/data/dynamo/dynamo-client.ts
+var import_client_dynamodb = require("@aws-sdk/client-dynamodb");
+var defaultTableName = process.env.DYNAMO_TABLE_NAME ?? "jesttesttable";
+var dynamoClient = new import_client_dynamodb.DynamoDBClient({
+  ...process.env.MOCK_DYNAMODB_ENDPOINT && {
+    endpoint: process.env.MOCK_DYNAMODB_ENDPOINT,
+    sslEnabled: false,
+    region: "local"
+  }
+});
+
+// src/data/dynamo/entities/control/configuration-entity.ts
+var import_electrodb = require("electrodb");
+
+// src/data/dynamo/entities/control/control-entity-common.ts
+var import_types2 = require("@openhi/types");
+
+// src/data/dynamo/shard.ts
+var SHARD_COUNT = 4;
+function computeShard(id) {
+  let hash = 2166136261;
+  for (let i = 0; i < id.length; i++) {
+    hash ^= id.charCodeAt(i);
+    hash = Math.imul(hash, 16777619);
+  }
+  return (hash >>> 0) % SHARD_COUNT;
+}
+
+// src/data/dynamo/entities/control/control-entity-common.ts
+var gsi1ShardAttribute = {
+  type: "string",
+  watch: ["id"],
+  set: (_val, item) => {
+    if (typeof item?.id !== "string" || item.id.length === 0) {
+      return void 0;
+    }
+    return String(computeShard(item.id));
+  }
+};
+var gsi1skAttribute = {
+  type: "string",
+  watch: ["resource", "lastUpdated", "id"],
+  set: (_val, item) => {
+    const id = typeof item?.id === "string" ? item.id : "";
+    const lastUpdated = typeof item?.lastUpdated === "string" ? item.lastUpdated : "";
+    const fallback = `${lastUpdated}#${id}`;
+    if (typeof item?.resource !== "string" || item.resource.length === 0) {
+      return fallback;
+    }
+    let parsed;
+    try {
+      parsed = JSON.parse(item.resource);
+    } catch {
+      return fallback;
+    }
+    if (!parsed || typeof parsed !== "object") return fallback;
+    const resourceType = parsed.resourceType;
+    if (typeof resourceType !== "string") return fallback;
+    const label = (0, import_types2.extractLabel)(parsed);
+    return label !== void 0 ? `${label}#${id}` : fallback;
+  }
+};
+
+// src/data/dynamo/entities/control/configuration-entity.ts
+var ConfigurationEntity = new import_electrodb.Entity({
+  model: {
+    entity: "configuration",
+    service: "control",
+    version: "01"
+  },
+  attributes: {
+    /** Sort key. "CURRENT" for current version; version history in S3. */
+    sk: {
+      type: "string",
+      required: true,
+      default: "CURRENT"
+    },
+    /** Tenant scope. Use "BASELINE" when the config is baseline default (no tenant). */
+    tenantId: {
+      type: "string",
+      required: true,
+      default: "BASELINE"
+    },
+    /** Workspace scope. Use "-" when absent. */
+    workspaceId: {
+      type: "string",
+      required: true,
+      default: "-"
+    },
+    /** User scope. Use "-" when absent. */
+    userId: {
+      type: "string",
+      required: true,
+      default: "-"
+    },
+    /** Role scope. Use "-" when absent. */
+    roleId: {
+      type: "string",
+      required: true,
+      default: "-"
+    },
+    /** Config type (category), e.g. endpoints, branding, display. */
+    key: {
+      type: "string",
+      required: true
+    },
+    /** FHIR Resource.id; logical id in URL and for the Configuration resource. */
+    id: {
+      type: "string",
+      required: true
+    },
+    /** Payload as JSON string. JSON.stringify(resource) on write; JSON.parse(item.resource) on read. */
+    resource: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Summary projection (key display fields as JSON string: id, key, status).
+     * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.
+     */
+    summary: {
+      type: "string",
+      required: true
+    },
+    /** Version id (e.g. ULID). Tracks current version; S3 history key. */
+    vid: {
+      type: "string",
+      required: true
+    },
+    lastUpdated: {
+      type: "string",
+      required: true
+    },
+    gsi1Shard: gsi1ShardAttribute,
+    deleted: {
+      type: "boolean",
+      required: false
+    },
+    bundleId: {
+      type: "string",
+      required: false
+    },
+    msgId: {
+      type: "string",
+      required: false
+    }
+  },
+  indexes: {
+    /** Base table: PK, SK (data store key names). PK is built from tenantId, workspaceId, userId, roleId; SK is built from key and sk. Do not supply PK or SK from outside. */
+    record: {
+      pk: {
+        field: "PK",
+        composite: ["tenantId", "workspaceId", "userId", "roleId"],
+        template: "CONFIG#TID#${tenantId}#WID#${workspaceId}#UID#${userId}#RID#${roleId}"
+      },
+      sk: {
+        field: "SK",
+        composite: ["key", "sk"],
+        template: "KEY#${key}#SK#${sk}"
+      }
+    },
+    /**
+     * GSI1 — Unified Sharded List per ADR-011: list all Configuration entries for a
+     * (tenant, workspace) across the four shards. Use for "list configs scoped to this tenant"
+     * (workspaceId = "-") or "list configs scoped to this workspace". Does not support
+     * hierarchical resolution in one query; use base table GetItem in fallback order
+     * (user → workspace → tenant → baseline) for that.
+     * SK is `<key>#<id>` — Configuration's `key` is a required entity attribute (the
+     * config category: endpoints, branding, display, …) and the natural sort/lookup
+     * dimension. `casing: "none"` preserves the literal key value.
+     */
+    gsi1: {
+      index: "GSI1",
+      pk: {
+        field: "GSI1PK",
+        composite: ["tenantId", "workspaceId", "gsi1Shard"],
+        template: "TID#${tenantId}#WID#${workspaceId}#RT#Configuration#SHARD#${gsi1Shard}"
+      },
+      sk: {
+        field: "GSI1SK",
+        casing: "none",
+        composite: ["key", "id"],
+        template: "${key}#${id}"
+      }
+    }
+  }
+});
+
+// src/data/dynamo/entities/control/membership-entity.ts
+var import_electrodb2 = require("electrodb");
+var MembershipEntity = new import_electrodb2.Entity({
+  model: {
+    entity: "membership",
+    service: "control",
+    version: "01"
+  },
+  attributes: {
+    /** Sort key sentinel. Always "CURRENT". */
+    sk: {
+      type: "string",
+      required: true,
+      default: "CURRENT"
+    },
+    /** Tenant in which the user has membership (required). */
+    tenantId: {
+      type: "string",
+      required: true
+    },
+    /** FHIR Resource.id; membership id. */
+    id: {
+      type: "string",
+      required: true
+    },
+    /** Full Membership resource serialized as JSON string. */
+    resource: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Summary projection (key display fields as JSON string: id, displayName, status).
+     * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.
+     */
+    summary: {
+      type: "string",
+      required: true
+    },
+    /** Version id (e.g. ULID). */
+    vid: {
+      type: "string",
+      required: true
+    },
+    lastUpdated: {
+      type: "string",
+      required: true
+    },
+    gsi1Shard: gsi1ShardAttribute,
+    /** Derived GSI1 sort key — name-based when extractable; else `<lastUpdated>#<id>`. */
+    gsi1sk: gsi1skAttribute,
+    deleted: {
+      type: "boolean",
+      required: false
+    },
+    bundleId: {
+      type: "string",
+      required: false
+    },
+    msgId: {
+      type: "string",
+      required: false
+    }
+  },
+  indexes: {
+    /** Base table: PK = TID#<tenantId>#MEMBERSHIP#ID#<id>, SK = CURRENT. Do not supply PK or SK from outside. */
+    record: {
+      pk: {
+        field: "PK",
+        composite: ["tenantId", "id"],
+        template: "TID#${tenantId}#MEMBERSHIP#ID#${id}"
+      },
+      sk: {
+        field: "SK",
+        composite: ["sk"],
+        template: "${sk}"
+      }
+    },
+    /**
+     * GSI1 — Unified Sharded List per ADR-011: list all Memberships for a tenant across the
+     * four shards. Membership is tenant-scoped only, so `WID#-` is a sentinel.
+     * SK is derived via `gsi1skAttribute` — uses the resource's natural label when
+     * extractable, else `<lastUpdated>#<id>` (DR-004). `casing: "none"` preserves the
+     * normalized label and ISO-8601 `T`/`Z`.
+     */
+    gsi1: {
+      index: "GSI1",
+      pk: {
+        field: "GSI1PK",
+        composite: ["tenantId", "gsi1Shard"],
+        template: "TID#${tenantId}#WID#-#RT#Membership#SHARD#${gsi1Shard}"
+      },
+      sk: {
+        field: "GSI1SK",
+        casing: "none",
+        composite: ["gsi1sk"],
+        template: "${gsi1sk}"
+      }
+    }
+  }
+});
+
+// src/data/dynamo/entities/control/role-entity.ts
+var import_electrodb3 = require("electrodb");
+var RoleEntity = new import_electrodb3.Entity({
+  model: {
+    entity: "role",
+    service: "control",
+    version: "01"
+  },
+  attributes: {
+    /** Sort key sentinel. Always "CURRENT". */
+    sk: {
+      type: "string",
+      required: true,
+      default: "CURRENT"
+    },
+    /** FHIR Resource.id; role id. */
+    id: {
+      type: "string",
+      required: true
+    },
+    /** Full Role resource serialized as JSON string. */
+    resource: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Summary projection (key display fields as JSON string: id, displayName, status).
+     * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.
+     */
+    summary: {
+      type: "string",
+      required: true
+    },
+    /** Version id (e.g. ULID). */
+    vid: {
+      type: "string",
+      required: true
+    },
+    lastUpdated: {
+      type: "string",
+      required: true
+    },
+    gsi1Shard: gsi1ShardAttribute,
+    /** Derived GSI1 sort key — name-based when extractable; else `<lastUpdated>#<id>`. */
+    gsi1sk: gsi1skAttribute,
+    deleted: {
+      type: "boolean",
+      required: false
+    },
+    bundleId: {
+      type: "string",
+      required: false
+    },
+    msgId: {
+      type: "string",
+      required: false
+    }
+  },
+  indexes: {
+    /** Base table: PK = ROLE#ID#<id>, SK = CURRENT. Do not supply PK or SK from outside. */
+    record: {
+      pk: {
+        field: "PK",
+        composite: ["id"],
+        template: "ROLE#ID#${id}"
+      },
+      sk: {
+        field: "SK",
+        composite: ["sk"],
+        template: "${sk}"
+      }
+    },
+    /**
+     * GSI1 — Unified Sharded List per ADR-011: list all Roles across the four shards.
+     * Non-tenant-isolated, so `TID#-#WID#-` sentinels precede `RT#Role#SHARD#<n>`.
+     * SK is derived via `gsi1skAttribute` — uses the resource's natural label when
+     * extractable, else `<lastUpdated>#<id>` (DR-004). `casing: "none"` preserves the
+     * normalized label and ISO-8601 `T`/`Z`.
+     */
+    gsi1: {
+      index: "GSI1",
+      pk: {
+        field: "GSI1PK",
+        composite: ["gsi1Shard"],
+        template: "TID#-#WID#-#RT#Role#SHARD#${gsi1Shard}"
+      },
+      sk: {
+        field: "GSI1SK",
+        casing: "none",
+        composite: ["gsi1sk"],
+        template: "${gsi1sk}"
+      }
+    }
+  }
+});
+
+// src/data/dynamo/entities/control/roleassignment-entity.ts
+var import_electrodb4 = require("electrodb");
+var RoleAssignmentEntity = new import_electrodb4.Entity({
+  model: {
+    entity: "roleassignment",
+    service: "control",
+    version: "01"
+  },
+  attributes: {
+    /** Sort key sentinel. Always "CURRENT". */
+    sk: {
+      type: "string",
+      required: true,
+      default: "CURRENT"
+    },
+    /** Tenant in which the role assignment applies (required). */
+    tenantId: {
+      type: "string",
+      required: true
+    },
+    /** FHIR Resource.id; role assignment id. */
+    id: {
+      type: "string",
+      required: true
+    },
+    /** Full RoleAssignment resource serialized as JSON string. */
+    resource: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Summary projection (key display fields as JSON string: id, displayName, status).
+     * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.
+     */
+    summary: {
+      type: "string",
+      required: true
+    },
+    /** Version id (e.g. ULID). */
+    vid: {
+      type: "string",
+      required: true
+    },
+    lastUpdated: {
+      type: "string",
+      required: true
+    },
+    gsi1Shard: gsi1ShardAttribute,
+    /** Derived GSI1 sort key — name-based when extractable; else `<lastUpdated>#<id>`. */
+    gsi1sk: gsi1skAttribute,
+    deleted: {
+      type: "boolean",
+      required: false
+    },
+    bundleId: {
+      type: "string",
+      required: false
+    },
+    msgId: {
+      type: "string",
+      required: false
+    }
+  },
+  indexes: {
+    /** Base table: PK = TID#<tenantId>#ROLEASSIGNMENT#ID#<id>, SK = CURRENT. Do not supply PK or SK from outside. */
+    record: {
+      pk: {
+        field: "PK",
+        composite: ["tenantId", "id"],
+        template: "TID#${tenantId}#ROLEASSIGNMENT#ID#${id}"
+      },
+      sk: {
+        field: "SK",
+        composite: ["sk"],
+        template: "${sk}"
+      }
+    },
+    /**
+     * GSI1 — Unified Sharded List per ADR-011: list all RoleAssignments for a tenant across the
+     * four shards. Tenant-scoped only, so `WID#-` is a sentinel.
+     * SK is derived via `gsi1skAttribute` — uses the resource's natural label when
+     * extractable, else `<lastUpdated>#<id>` (DR-004). `casing: "none"` preserves the
+     * normalized label and ISO-8601 `T`/`Z`.
+     */
+    gsi1: {
+      index: "GSI1",
+      pk: {
+        field: "GSI1PK",
+        composite: ["tenantId", "gsi1Shard"],
+        template: "TID#${tenantId}#WID#-#RT#RoleAssignment#SHARD#${gsi1Shard}"
+      },
+      sk: {
+        field: "GSI1SK",
+        casing: "none",
+        composite: ["gsi1sk"],
+        template: "${gsi1sk}"
+      }
+    }
+  }
+});
+
+// src/data/dynamo/entities/control/tenant-entity.ts
+var import_electrodb5 = require("electrodb");
+var TenantEntity = new import_electrodb5.Entity({
+  model: {
+    entity: "tenant",
+    service: "control",
+    version: "01"
+  },
+  attributes: {
+    /** Sort key sentinel. Always "CURRENT". */
+    sk: {
+      type: "string",
+      required: true,
+      default: "CURRENT"
+    },
+    /** The tenant's own id (= resource id). Drives the partition key. */
+    tenantId: {
+      type: "string",
+      required: true
+    },
+    /** FHIR Resource.id; logical id in URL. Equals tenantId. */
+    id: {
+      type: "string",
+      required: true
+    },
+    /** Full Tenant resource serialized as JSON string. */
+    resource: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Summary projection (key display fields as JSON string: id, displayName, status).
+     * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.
+     */
+    summary: {
+      type: "string",
+      required: true
+    },
+    /** Version id (e.g. ULID). */
+    vid: {
+      type: "string",
+      required: true
+    },
+    lastUpdated: {
+      type: "string",
+      required: true
+    },
+    gsi1Shard: gsi1ShardAttribute,
+    /** Derived GSI1 sort key — name-based when extractable; else `<lastUpdated>#<id>`. */
+    gsi1sk: gsi1skAttribute,
+    deleted: {
+      type: "boolean",
+      required: false
+    },
+    bundleId: {
+      type: "string",
+      required: false
+    },
+    msgId: {
+      type: "string",
+      required: false
+    }
+  },
+  indexes: {
+    /** Base table: PK = TENANT#ID#<tenantId>, SK = CURRENT. Do not supply PK or SK from outside. */
+    record: {
+      pk: {
+        field: "PK",
+        composite: ["tenantId"],
+        template: "TENANT#ID#${tenantId}"
+      },
+      sk: {
+        field: "SK",
+        composite: ["sk"],
+        template: "${sk}"
+      }
+    },
+    /**
+     * GSI1 — Unified Sharded List per ADR-011: list all Tenants across the four shards.
+     * Tenant lives at the platform tier (no parent tenant or workspace), so `TID#-#WID#-`
+     * sentinels precede `RT#Tenant#SHARD#<n>`. SK is derived via `gsi1skAttribute` —
+     * `<normalizedName>#<id>` when the resource carries a `name`, else `<lastUpdated>#<id>`
+     * (DR-004). `casing: "none"` preserves the normalized label and ISO-8601 `T`/`Z`.
+     */
+    gsi1: {
+      index: "GSI1",
+      pk: {
+        field: "GSI1PK",
+        composite: ["gsi1Shard"],
+        template: "TID#-#WID#-#RT#Tenant#SHARD#${gsi1Shard}"
+      },
+      sk: {
+        field: "GSI1SK",
+        casing: "none",
+        composite: ["gsi1sk"],
+        template: "${gsi1sk}"
+      }
+    }
+  }
+});
+
+// src/data/dynamo/entities/control/user-entity.ts
+var import_electrodb6 = require("electrodb");
+var UserEntity = new import_electrodb6.Entity({
+  model: {
+    entity: "user",
+    service: "control",
+    version: "01"
+  },
+  attributes: {
+    /** Sort key sentinel. Always "CURRENT". */
+    sk: {
+      type: "string",
+      required: true,
+      default: "CURRENT"
+    },
+    /** FHIR Resource.id; platform user id (ohi_uid). */
+    id: {
+      type: "string",
+      required: true
+    },
+    /** Full User resource serialized as JSON string. */
+    resource: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Summary projection (key display fields as JSON string: id, displayName, status).
+     * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.
+     */
+    summary: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Immutable Cognito-issued `sub` claim. Drives GSI2 (sub-lookup). Optional until the
+     * Post Confirmation Lambda (#770) lands; required thereafter.
+     */
+    cognitoSub: {
+      type: "string",
+      required: false
+    },
+    /** Version id (e.g. ULID). */
+    vid: {
+      type: "string",
+      required: true
+    },
+    lastUpdated: {
+      type: "string",
+      required: true
+    },
+    gsi1Shard: gsi1ShardAttribute,
+    /** Derived GSI1 sort key — name-based when extractable; else `<lastUpdated>#<id>`. */
+    gsi1sk: gsi1skAttribute,
+    deleted: {
+      type: "boolean",
+      required: false
+    },
+    bundleId: {
+      type: "string",
+      required: false
+    },
+    msgId: {
+      type: "string",
+      required: false
+    }
+  },
+  indexes: {
+    /** Base table: PK = USER#ID#<id>, SK = CURRENT. Do not supply PK or SK from outside. */
+    record: {
+      pk: {
+        field: "PK",
+        composite: ["id"],
+        template: "USER#ID#${id}"
+      },
+      sk: {
+        field: "SK",
+        composite: ["sk"],
+        template: "${sk}"
+      }
+    },
+    /**
+     * GSI1 — Unified Sharded List per ADR-011: list all Users across the four shards.
+     * Non-tenant-isolated, so `TID#-#WID#-` sentinels precede `RT#User#SHARD#<n>`.
+     * SK is derived via `gsi1skAttribute` — uses the resource's natural label when
+     * extractable (string `name`/`title` via introspection), else `<lastUpdated>#<id>`
+     * (DR-004). `casing: "none"` preserves the normalized label and ISO-8601 `T`/`Z`.
+     */
+    gsi1: {
+      index: "GSI1",
+      pk: {
+        field: "GSI1PK",
+        composite: ["gsi1Shard"],
+        template: "TID#-#WID#-#RT#User#SHARD#${gsi1Shard}"
+      },
+      sk: {
+        field: "GSI1SK",
+        casing: "none",
+        composite: ["gsi1sk"],
+        template: "${gsi1sk}"
+      }
+    },
+    /**
+     * GSI2 — Cognito sub-lookup per ADR-011: resolves the UserEntity from a Cognito `sub` claim.
+     * `condition` skips the index when `cognitoSub` is missing so legacy items without a sub are
+     * not indexed.
+     */
+    gsi2: {
+      index: "GSI2",
+      condition: (attrs) => typeof attrs.cognitoSub === "string" && attrs.cognitoSub.length > 0,
+      pk: {
+        field: "GSI2PK",
+        casing: "none",
+        composite: ["cognitoSub"],
+        template: "USER#SUB#${cognitoSub}"
+      },
+      sk: {
+        field: "GSI2SK",
+        casing: "none",
+        composite: [],
+        template: "CURRENT"
+      }
+    }
+  }
+});
+
+// src/data/dynamo/entities/control/workspace-entity.ts
+var import_electrodb7 = require("electrodb");
+var WorkspaceEntity = new import_electrodb7.Entity({
+  model: {
+    entity: "workspace",
+    service: "control",
+    version: "01"
+  },
+  attributes: {
+    /** Sort key sentinel. Always "CURRENT". */
+    sk: {
+      type: "string",
+      required: true,
+      default: "CURRENT"
+    },
+    /** Tenant that contains this workspace (required). */
+    tenantId: {
+      type: "string",
+      required: true
+    },
+    /** FHIR Resource.id; logical id in URL. */
+    id: {
+      type: "string",
+      required: true
+    },
+    /** Full Workspace resource serialized as JSON string. */
+    resource: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Summary projection (key display fields as JSON string: id, displayName, status).
+     * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.
+     */
+    summary: {
+      type: "string",
+      required: true
+    },
+    /** Version id (e.g. ULID). */
+    vid: {
+      type: "string",
+      required: true
+    },
+    lastUpdated: {
+      type: "string",
+      required: true
+    },
+    gsi1Shard: gsi1ShardAttribute,
+    /** Derived GSI1 sort key — name-based when extractable; else `<lastUpdated>#<id>`. */
+    gsi1sk: gsi1skAttribute,
+    deleted: {
+      type: "boolean",
+      required: false
+    },
+    bundleId: {
+      type: "string",
+      required: false
+    },
+    msgId: {
+      type: "string",
+      required: false
+    }
+  },
+  indexes: {
+    /** Base table: PK = TID#<tenantId>#WORKSPACE#ID#<id>, SK = CURRENT. Do not supply PK or SK from outside. */
+    record: {
+      pk: {
+        field: "PK",
+        composite: ["tenantId", "id"],
+        template: "TID#${tenantId}#WORKSPACE#ID#${id}"
+      },
+      sk: {
+        field: "SK",
+        composite: ["sk"],
+        template: "${sk}"
+      }
+    },
+    /**
+     * GSI1 — Unified Sharded List per ADR-011: list all Workspaces for a tenant across the
+     * four shards. Workspace is itself the workspace identity, so `WID#-` is a sentinel.
+     * SK is derived via `gsi1skAttribute` — `<normalizedName>#<id>` when the resource
+     * carries a `name`, else `<lastUpdated>#<id>` (DR-004). `casing: "none"` preserves
+     * the normalized label and ISO-8601 `T`/`Z`.
+     */
+    gsi1: {
+      index: "GSI1",
+      pk: {
+        field: "GSI1PK",
+        composite: ["tenantId", "gsi1Shard"],
+        template: "TID#${tenantId}#WID#-#RT#Workspace#SHARD#${gsi1Shard}"
+      },
+      sk: {
+        field: "GSI1SK",
+        casing: "none",
+        composite: ["gsi1sk"],
+        template: "${gsi1sk}"
+      }
+    }
+  }
+});
+
+// src/data/dynamo/dynamo-control-service.ts
+var controlPlaneEntities = {
+  configuration: ConfigurationEntity,
+  membership: MembershipEntity,
+  role: RoleEntity,
+  roleAssignment: RoleAssignmentEntity,
+  tenant: TenantEntity,
+  user: UserEntity,
+  workspace: WorkspaceEntity
+};
+var controlPlaneService = new import_electrodb8.Service(controlPlaneEntities, {
+  table: defaultTableName,
+  client: dynamoClient
+});
+var DynamoControlService = {
+  entities: controlPlaneService.entities
+};
+function getDynamoControlService(tableName) {
+  const resolved = tableName ?? defaultTableName;
+  const service = new import_electrodb8.Service(controlPlaneEntities, {
+    table: resolved,
+    client: dynamoClient
+  });
+  return {
+    entities: service.entities
+  };
+}
+
+// src/data/errors/domain-errors.ts
+var DomainError = class extends Error {
+  constructor(message, code, options) {
+    super(message, options);
+    this.name = this.constructor.name;
+    this.code = code;
+    this.details = options?.details;
+    Object.setPrototypeOf(this, new.target.prototype);
+  }
+};
+var NotFoundError = class extends DomainError {
+  constructor(message, options) {
+    super(message, "NOT_FOUND", options);
+  }
+};
+
+// src/data/operations/control/membership/membership-create-operation.ts
+var import_types3 = require("@openhi/types");
+async function createMembershipOperation(params) {
+  const { context, body, tableName } = params;
+  const service = getDynamoControlService(tableName);
+  const id = body.id ?? `membership-${Date.now()}`;
+  const parsedResource = typeof body.resource === "string" ? JSON.parse(body.resource) : body.resource ?? {};
+  const lastUpdated = context.date ?? (/* @__PURE__ */ new Date()).toISOString();
+  const vid = `1`;
+  const resource = { resourceType: "Membership", id, ...parsedResource };
+  const summary = JSON.stringify((0, import_types3.extractSummary)(resource));
+  await service.entities.membership.put({
+    tenantId: context.tenantId,
+    id,
+    resource: JSON.stringify(resource),
+    summary,
+    vid,
+    lastUpdated
+  }).go();
+  return {
+    id,
+    resource,
+    meta: { lastUpdated, versionId: vid }
+  };
+}
+
+// src/data/operations/control/role/role-get-by-id-operation.ts
+async function getRoleByIdOperation(params) {
+  const { id, tableName } = params;
+  const service = getDynamoControlService(tableName);
+  const response = await service.entities.role.get({ id, sk: "CURRENT" }).go();
+  const item = response.data;
+  if (!item) {
+    throw new NotFoundError(`Role not found: ${id}`);
+  }
+  const parsedResource = JSON.parse(item.resource);
+  return {
+    id,
+    resource: { resourceType: "Role", id, ...parsedResource }
+  };
+}
+
+// src/data/operations/control/roleassignment/roleassignment-create-operation.ts
+var import_types4 = require("@openhi/types");
+async function createRoleAssignmentOperation(params) {
+  const { context, body, tableName } = params;
+  const service = getDynamoControlService(tableName);
+  const id = body.id ?? `roleassignment-${Date.now()}`;
+  const parsedResource = typeof body.resource === "string" ? JSON.parse(body.resource) : body.resource ?? {};
+  const lastUpdated = context.date ?? (/* @__PURE__ */ new Date()).toISOString();
+  const vid = `1`;
+  const resource = { resourceType: "RoleAssignment", id, ...parsedResource };
+  const summary = JSON.stringify((0, import_types4.extractSummary)(resource));
+  await service.entities.roleAssignment.put({
+    tenantId: context.tenantId,
+    id,
+    resource: JSON.stringify(resource),
+    summary,
+    vid,
+    lastUpdated
+  }).go();
+  return {
+    id,
+    resource,
+    meta: { lastUpdated, versionId: vid }
+  };
+}
+
+// src/data/operations/control/tenant/tenant-create-operation.ts
+var import_types5 = require("@openhi/types");
+async function createTenantOperation(params) {
+  const { context, body, tableName } = params;
+  const service = getDynamoControlService(tableName);
+  const id = body.id ?? `tenant-${Date.now()}`;
+  const lastUpdated = context.date;
+  const vid = lastUpdated.replace(/[-:T.Z]/g, "").slice(0, 12) || Date.now().toString(36);
+  const parsedResource = typeof body.resource === "string" ? JSON.parse(body.resource) : body.resource ?? {};
+  const resource = { resourceType: "Tenant", id, ...parsedResource };
+  const summary = JSON.stringify((0, import_types5.extractSummary)(resource));
+  await service.entities.tenant.put({
+    tenantId: id,
+    id,
+    resource: JSON.stringify(resource),
+    summary,
+    vid,
+    lastUpdated
+  }).go();
+  return { id, resource, meta: { lastUpdated, versionId: vid } };
+}
+
+// src/data/operations/control/workspace/workspace-create-operation.ts
+var import_types6 = require("@openhi/types");
+async function createWorkspaceOperation(params) {
+  const { context, body, tableName } = params;
+  const { tenantId } = context;
+  const service = getDynamoControlService(tableName);
+  const id = body.id ?? `workspace-${Date.now()}`;
+  const lastUpdated = context.date;
+  const vid = lastUpdated.replace(/[-:T.Z]/g, "").slice(0, 12) || Date.now().toString(36);
+  const parsedResource = typeof body.resource === "string" ? JSON.parse(body.resource) : body.resource ?? {};
+  const resource = { resourceType: "Workspace", id, ...parsedResource };
+  const summary = JSON.stringify((0, import_types6.extractSummary)(resource));
+  await service.entities.workspace.put({
+    tenantId,
+    id,
+    resource: JSON.stringify(resource),
+    summary,
+    vid,
+    lastUpdated
+  }).go();
+  return { id, resource, meta: { lastUpdated, versionId: vid } };
+}
+
+// src/workflows/control-plane/seed-demo-data/seed-demo-data.handler.ts
+var SEED_DEMO_DATA_USER_POOL_ID_ENV_VAR = "SEED_DEMO_DATA_USER_POOL_ID";
+var errorMessage = (err) => {
+  if (err instanceof Error) {
+    return err.message;
+  }
+  return String(err);
+};
+var idForRoleCode = (code) => {
+  for (const key of Object.keys(import_types7.CONTROL_PLANE_ROLE_IDS)) {
+    if (import_types7.CONTROL_PLANE_ROLE_CONCEPTS[key].code === code) {
+      return import_types7.CONTROL_PLANE_ROLE_IDS[key];
+    }
+  }
+  throw new Error(`No id mapping for role code "${code}".`);
+};
+var verifySystemRolesExist = async () => {
+  const probeContext = {
+    tenantId: "",
+    workspaceId: "",
+    date: (/* @__PURE__ */ new Date(0)).toISOString(),
+    actorId: "platform-deploy-bridge",
+    actorName: "Platform Deploy Bridge",
+    actorType: "internal-system",
+    source: "step-function"
+  };
+  for (const id of Object.values(import_types7.CONTROL_PLANE_ROLE_IDS)) {
+    try {
+      await getRoleByIdOperation({ context: probeContext, id });
+    } catch (err) {
+      if (err instanceof NotFoundError) {
+        throw new Error(
+          `seed-demo-data pre-flight: control-plane Role "${id}" is missing. Ensure seed-system-data has run on this environment before retrying.`
+        );
+      }
+      throw err;
+    }
+  }
+};
+var tenantResourceBody = (spec) => ({
+  name: spec.tenantName,
+  active: true,
+  identifier: [
+    demoScenarioIdentifier(spec.scenario, "tenant"),
+    openhiResourceIdentifier({
+      tenantId: spec.tenantId,
+      workspaceId: "",
+      resourceType: "Tenant",
+      id: spec.tenantId
+    })
+  ]
+});
+var workspaceResourceBody = (spec, workspace) => ({
+  name: workspace.name,
+  active: true,
+  identifier: [
+    demoScenarioIdentifier(spec.scenario, workspace.roleSuffix),
+    openhiResourceIdentifier({
+      tenantId: spec.tenantId,
+      workspaceId: "",
+      resourceType: "Workspace",
+      id: workspace.id
+    })
+  ],
+  tenant: { reference: `Tenant/${spec.tenantId}`, type: "Tenant" }
+});
+var membershipResourceBody = (spec, user, membershipId) => ({
+  identifier: [
+    demoScenarioIdentifier(spec.scenario, `membership-${user.id}`),
+    openhiResourceIdentifier({
+      tenantId: spec.tenantId,
+      workspaceId: "",
+      resourceType: "Membership",
+      id: membershipId
+    })
+  ],
+  user: { reference: `User/${user.id}`, type: "User" },
+  tenant: { reference: `Tenant/${spec.tenantId}`, type: "Tenant" },
+  period: DEMO_PERIOD
+});
+var roleAssignmentResourceBody = (scenario, tenantId, user, roleCode, roleAssignmentId) => ({
+  identifier: [
+    demoScenarioIdentifier(scenario, `roleassignment-${user.id}-${roleCode}`),
+    openhiResourceIdentifier({
+      tenantId,
+      workspaceId: "",
+      resourceType: "RoleAssignment",
+      id: roleAssignmentId
+    })
+  ],
+  user: { reference: `User/${user.id}`, type: "User" },
+  role: { reference: `Role/${idForRoleCode(roleCode)}`, type: "Role" },
+  tenant: { reference: `Tenant/${tenantId}`, type: "Tenant" },
+  period: DEMO_PERIOD
+});
+var userResourceBody = (user, cognitoSub) => ({
+  resourceType: "User",
+  id: user.id,
+  name: [{ text: user.email }],
+  status: "active",
+  cognitoSub,
+  currentTenant: { reference: `Tenant/${PLACEHOLDER_TENANT_ID}` },
+  currentWorkspace: { reference: `Workspace/${PLACEHOLDER_WORKSPACE_ID}` }
+});
+var upsertUser = async (context, user, cognitoSub) => {
+  const service = getDynamoControlService();
+  const resource = userResourceBody(user, cognitoSub);
+  const summary = JSON.stringify((0, import_types7.extractSummary)(resource));
+  await service.entities.user.put({
+    id: user.id,
+    cognitoSub,
+    resource: JSON.stringify(resource),
+    summary,
+    vid: "1",
+    lastUpdated: context.date ?? (/* @__PURE__ */ new Date()).toISOString()
+  }).go();
+};
+var seedDemoGraph = async (params) => {
+  const { baseContext, devUsers, cognito } = params;
+  for (const spec of DEMO_TENANT_SPECS) {
+    const tenantContext = {
+      ...baseContext,
+      tenantId: spec.tenantId
+    };
+    await createTenantOperation({
+      context: tenantContext,
+      body: { id: spec.tenantId, resource: tenantResourceBody(spec) }
+    });
+    for (const workspace of spec.workspaces) {
+      await createWorkspaceOperation({
+        context: tenantContext,
+        body: {
+          id: workspace.id,
+          resource: workspaceResourceBody(spec, workspace)
+        }
+      });
+    }
+  }
+  for (const user of devUsers) {
+    const cognitoSub = await cognito.ensureUser(user.email);
+    await upsertUser(baseContext, user, cognitoSub);
+    for (const spec of DEMO_TENANT_SPECS) {
+      const tenantContext = {
+        ...baseContext,
+        tenantId: spec.tenantId
+      };
+      const membershipId = demoMembershipId(user.id, spec.tenantId);
+      await createMembershipOperation({
+        context: tenantContext,
+        body: {
+          id: membershipId,
+          resource: membershipResourceBody(spec, user, membershipId)
+        }
+      });
+      for (const roleCode of demoRolesForUserInTenant(user, spec.tenantId)) {
+        const raId = demoRoleAssignmentId(user.id, spec.tenantId, roleCode);
+        await createRoleAssignmentOperation({
+          context: tenantContext,
+          body: {
+            id: raId,
+            resource: roleAssignmentResourceBody(
+              spec.scenario,
+              spec.tenantId,
+              user,
+              roleCode,
+              raId
+            )
+          }
+        });
+      }
+    }
+    const platformContext = {
+      ...baseContext,
+      tenantId: PLATFORM_SCOPE_TENANT_ID
+    };
+    const platformRoleCode = import_types7.CONTROL_PLANE_ROLE_CODE.SYSTEM_ADMIN;
+    const platformRaId = demoRoleAssignmentId(
+      user.id,
+      PLATFORM_SCOPE_TENANT_ID,
+      platformRoleCode
+    );
+    await createRoleAssignmentOperation({
+      context: platformContext,
+      body: {
+        id: platformRaId,
+        resource: roleAssignmentResourceBody(
+          "platform",
+          PLATFORM_SCOPE_TENANT_ID,
+          user,
+          platformRoleCode,
+          platformRaId
+        )
+      }
+    });
+  }
+};
+var runSeedDemoData = async (event, deps, devUsers) => {
+  const parsed = (0, import_workflows2.parseWorkflowEvent)(event, import_workflows.PlatformSystemDataSeededV1);
+  const recordResult = await deps.dedupClient.recordIfAbsent({
+    consumerName: SEED_DEMO_DATA_CONSUMER_NAME,
+    eventId: parsed.dedupKey.eventId,
+    attempt: parsed.dedupKey.attempt
+  });
+  if (!recordResult.recorded) {
+    return;
+  }
+  const baseContext = {
+    tenantId: "",
+    workspaceId: "",
+    date: parsed.envelope.occurredAt,
+    actorId: "platform-deploy-bridge",
+    actorName: "Platform Deploy Bridge",
+    actorType: "internal-system",
+    source: "step-function"
+  };
+  try {
+    await deps.verifyRoles();
+    await deps.seedDemoGraph({
+      baseContext,
+      devUsers,
+      cognito: deps.cognito
+    });
+  } catch (err) {
+    await deps.dedupClient.markFailed({
+      consumerName: SEED_DEMO_DATA_CONSUMER_NAME,
+      eventId: parsed.dedupKey.eventId,
+      attempt: parsed.dedupKey.attempt,
+      reason: errorMessage(err)
+    });
+    throw err;
+  }
+};
+var devPasswordForEmail = (email) => {
+  const digest = (0, import_node_crypto.createHash)("sha256").update(email).digest();
+  const base64url = digest.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
+  return `Dev-${base64url.slice(0, 20)}!1`;
+};
+var productionCognitoProvisioner = () => {
+  const client = new import_client_cognito_identity_provider.CognitoIdentityProviderClient({});
+  const userPoolId = process.env[SEED_DEMO_DATA_USER_POOL_ID_ENV_VAR];
+  if (!userPoolId || userPoolId.trim() === "") {
+    throw new Error(
+      `${SEED_DEMO_DATA_USER_POOL_ID_ENV_VAR} is not set; the seed-demo-data Lambda cannot provision Cognito users without a user-pool id.`
+    );
+  }
+  const subFromAttributes = (attrs) => {
+    for (const attr of attrs ?? []) {
+      if (attr.Name === "sub" && typeof attr.Value === "string") {
+        return attr.Value;
+      }
+    }
+    return void 0;
+  };
+  return {
+    ensureUser: async (email) => {
+      try {
+        const created = await client.send(
+          new import_client_cognito_identity_provider.AdminCreateUserCommand({
+            UserPoolId: userPoolId,
+            Username: email,
+            MessageAction: "SUPPRESS",
+            UserAttributes: [
+              { Name: "email", Value: email },
+              { Name: "email_verified", Value: "true" }
+            ]
+          })
+        );
+        await client.send(
+          new import_client_cognito_identity_provider.AdminSetUserPasswordCommand({
+            UserPoolId: userPoolId,
+            Username: email,
+            Password: devPasswordForEmail(email),
+            Permanent: true
+          })
+        );
+        const sub = subFromAttributes(created.User?.Attributes);
+        if (!sub) {
+          throw new Error(
+            `AdminCreateUser response for "${email}" did not carry a sub attribute.`
+          );
+        }
+        return sub;
+      } catch (err) {
+        if (err instanceof import_client_cognito_identity_provider.UsernameExistsException) {
+          const got = await client.send(
+            new import_client_cognito_identity_provider.AdminGetUserCommand({
+              UserPoolId: userPoolId,
+              Username: email
+            })
+          );
+          const sub = subFromAttributes(got.UserAttributes);
+          if (!sub) {
+            throw new Error(
+              `AdminGetUser response for "${email}" did not carry a sub attribute.`
+            );
+          }
+          return sub;
+        }
+        throw err;
+      }
+    }
+  };
+};
+var productionDependencies = () => {
+  const dynamodb = new import_client_dynamodb2.DynamoDBClient({});
+  const cognito = productionCognitoProvisioner();
+  return {
+    dedupClient: (0, import_workflows2.workflowDedupClient)(dynamodb),
+    verifyRoles: verifySystemRolesExist,
+    seedDemoGraph,
+    cognito
+  };
+};
+var handler = async (event) => runSeedDemoData(event, productionDependencies(), DEV_USERS);
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  SEED_DEMO_DATA_USER_POOL_ID_ENV_VAR,
+  devPasswordForEmail,
+  handler,
+  productionCognitoProvisioner,
+  runSeedDemoData,
+  seedDemoGraph
+});
+//# sourceMappingURL=seed-demo-data.handler.js.map