@openhi/constructs 0.0.111 → 0.0.113

package/lib/index.d.ts

@@ -20,9 +20,11 @@ import * as rds from 'aws-cdk-lib/aws-rds';
 import { HostedZone, HostedZoneProps, IHostedZone, HostedZoneAttributes } from 'aws-cdk-lib/aws-route53';
 import { StringParameterProps, StringParameter } from 'aws-cdk-lib/aws-ssm';
 import { Distribution, DistributionProps } from 'aws-cdk-lib/aws-cloudfront';
+import { StateMachine } from 'aws-cdk-lib/aws-stepfunctions';
+import { RenamableEntityType } from '@openhi/workflows';
+export { ControlPlaneOwningDeleteCompleteV1, ControlPlaneOwningDeleteCompleteV1Detail, ControlPlaneOwningDeleteFailedV1, ControlPlaneOwningDeleteFailedV1Detail, ControlPlaneOwningDeleteV1, ControlPlaneOwningDeleteV1Detail, ControlPlaneRenameCompleteV1, ControlPlaneRenameCompleteV1Detail, ControlPlaneRenameFailedV1, ControlPlaneRenameFailedV1Detail, ControlPlaneRenameV1, ControlPlaneRenameV1Detail, OPENHI_DATA_SOURCE, OPENHI_OPS_SOURCE, OWNING_ENTITY_TYPE, OwningEntityType, PlatformDeploymentCompletedV1, PlatformSystemDataSeededV1, RENAMABLE_ENTITY_TYPE, RenamableEntityType } from '@openhi/workflows';
 import { PlatformRoleCode } from '@openhi/types';
 import { PostConfirmationTriggerEvent } from 'aws-lambda';
-export { PlatformDeploymentCompletedV1, PlatformSystemDataSeededV1 } from '@openhi/workflows';
 
 /*******************************************************************************
  *
@@ -121,6 +123,112 @@ interface DynamoDbStreamKinesisRecord {
     };
 }
 
+/**
+ * @see sites/www-docs/content/packages/@openhi/constructs/workflows/control-plane/owning-delete-cascade/events.md
+ *
+ * Shared event-shape constants for the TR-022 owning-entity hard-delete
+ * cascade. The cascade's input detail-type (on the data event bus) and
+ * its two terminal detail-types (on the ops event bus) are owned by
+ * `@openhi/workflows`; this module re-imports them so the workflow
+ * construct can wire the EventBridge rule and the terminal publisher
+ * from a single place.
+ */
+
+/**
+ * Stable logical name registered with the shared `WorkflowDedupTable`
+ * (TR-015). The state machine's `DedupCheck` state writes a row keyed
+ * by `(consumerName, eventId, attempt)` to absorb EventBridge retries.
+ */
+declare const OWNING_DELETE_CASCADE_CONSUMER_NAME: "owning-delete-cascade";
+/**
+ * Map-state max concurrency. Per the ADR-018 implementation guide
+ * section 4: inline Map (NOT Distributed Map — that lives on TR-023's
+ * rename cascade), tunable via the construct's `cascadeMapConcurrency`
+ * prop. Operators may scale this down on first rollout.
+ */
+declare const OWNING_DELETE_CASCADE_DEFAULT_CONCURRENCY: 8;
+/**
+ * Stuck-cascade alarm threshold. Per the implementation guide section
+ * 4 "Observability" — operator-tunable via
+ * `stuckCascadeThresholdMinutes` on the construct prop.
+ */
+declare const OWNING_DELETE_CASCADE_STUCK_THRESHOLD_MINUTES: 15;
+/**
+ * Inputs each cascade Map iteration receives. The state machine
+ * builds one of these per chunk and passes them in via `ItemsPath`.
+ * The handler then issues a single `TransactWriteItems` for the
+ * entire chunk.
+ */
+interface CascadeChunkInput {
+    /** Owner identity carried through every step for observability. */
+    readonly ownerType: "Workspace" | "User";
+    readonly ownerId: string;
+    readonly tenantId?: string;
+    /** Rows to delete in this chunk. Length must be 1..100. */
+    readonly rows: ReadonlyArray<{
+        readonly entity: string;
+        readonly key: Record<string, string>;
+    }>;
+    /**
+     * Idempotency token uniquely identifying this chunk within the
+     * cascade execution. Forwarded to `executeMultiWrite` so replayed
+     * chunks land idempotently (per AWS SDK `ClientRequestToken`).
+     */
+    readonly chunkToken: string;
+}
+/** Inputs the cascade list-and-chunk step receives. */
+interface CascadeListInput {
+    readonly ownerType: "Workspace" | "User";
+    readonly ownerId: string;
+    readonly tenantId?: string;
+    /** Per-entity cursor map from the previous page (start of run is `{}`). */
+    readonly cursors?: Record<string, string | null>;
+    /**
+     * Cumulative `projectionsRemoved` count carried forward across
+     * pages — emitted on the terminal `complete` event.
+     */
+    readonly projectionsRemoved?: number;
+    /** Cumulative `chunkCount` carried forward across pages. */
+    readonly chunkCount?: number;
+}
+/** Outputs the cascade list-and-chunk step emits to feed the Map state. */
+interface CascadeListOutput {
+    readonly ownerType: "Workspace" | "User";
+    readonly ownerId: string;
+    readonly tenantId?: string;
+    readonly cursors: Record<string, string | null>;
+    readonly chunks: ReadonlyArray<CascadeChunkInput>;
+    readonly exhausted: boolean;
+    readonly projectionsRemoved: number;
+    readonly chunkCount: number;
+}
+/** Inputs the cascade finalize step receives. */
+interface CascadeFinalizeInput {
+    readonly ownerType: "Workspace" | "User";
+    readonly ownerId: string;
+    readonly tenantId?: string;
+    readonly projectionsRemoved: number;
+    readonly chunkCount: number;
+    readonly startedAt: string;
+    /** Optional eventId / correlation carried through the run for ADR-016 envelope. */
+    readonly eventId?: string;
+    readonly correlationId?: string;
+    readonly causationId?: string;
+}
+/** Outputs the cascade finalize step emits (used by tests and telemetry). */
+interface CascadeFinalizeOutput {
+    readonly ownerType: "Workspace" | "User";
+    readonly ownerId: string;
+    readonly tenantId?: string;
+    readonly projectionsRemoved: number;
+    readonly chunkCount: number;
+    readonly durationMs: number;
+    readonly completedAt: string;
+    readonly canonicalDeleted: boolean;
+}
+/** Env var the construct uses to inject the ops event bus name into the finalize Lambda. */
+declare const OWNING_DELETE_OPS_EVENT_BUS_ENV_VAR: "OWNING_DELETE_OPS_EVENT_BUS_NAME";
+
 /**
  * @see sites/www-docs/content/packages/@openhi/constructs/workflows/control-plane/platform-deploy-bridge/index.md
  */
@@ -164,6 +272,211 @@ interface CloudFormationStackStatusChangeDetail {
     readonly "client-request-token"?: string;
 }
 
+/**
+ * Enumerate projection rows affected by a Tenant / User / Role rename
+ * for the TR-023 rename cascade.
+ *
+ * One page per call; the cascade state machine outer loop walks the
+ * returned `cursors` map back into this operation until every per-entity
+ * stream returns `null`. Each emitted row carries:
+ *
+ * - the projection-entity name (so the rewrite-chunk operation can map
+ *   it to the correct ElectroDB entity in `executeMultiWrite`),
+ * - the **existing** composite key (used for the `delete` triple in the
+ *   transact-write pair),
+ * - the **new** composite key (used for the `put` triple — same row
+ *   identity but a rewritten SK when the SK encodes the renamed
+ *   normalized name), and
+ * - the row's existing attributes (carried verbatim into the `put` so
+ *   `summary`, `vid`, `lastUpdated`, etc. are preserved across the
+ *   rewrite), with the renamed `denormalized<CarrierEntity>Name`
+ *   replaced by the new display name.
+ *
+ * Per-entityType query plan (per the ADR-018 implementation guide § 5):
+ *
+ * - **User rename**: under `PK = USER#ID#<userId>` — Membership user-
+ *   projection rows (patterns #3 + #4) and RoleAssignment user-projection
+ *   rows (pattern #5). Workspace-side projection rows
+ *   (membershipWorkspaceProjection #2 + roleAssignmentWorkspaceProjection
+ *   #9) encode `<normalizedUserName>` in their SK; this operation
+ *   discovers the affected workspaces from the user's pattern-#4
+ *   memberships and queries each workspace partition for them.
+ * - **Role rename**: under every affected user partition — RoleAssignment
+ *   user-projection rows (pattern #5) sort on `<normalizedRoleName>` and
+ *   need a SK rewrite. RoleAssignment canonical (pattern #8) and
+ *   workspace-projection (pattern #9) sort on raw `<roleId>` so only the
+ *   denormalized attr changes (no SK rewrite). The affected user-ids
+ *   are discovered via the canonical RoleAssignment GSI1 (`<roleId>#`
+ *   prefix).
+ * - **Tenant rename**: only `denormalizedTenantName` updates — SKs do
+ *   not carry tenant-name; the row identity is preserved. Affected user-
+ *   ids are discovered via the canonical Membership GSI1 page.
+ *
+ * For #1023 the User-rename path is implemented in full; the Tenant /
+ * Role discovery hooks are scaffolded with the right query shape and
+ * cursor map but only walk one canonical discovery batch per call (the
+ * cascade outer loop pages through them). See § 5 of the implementation
+ * guide for the full matrix.
+ *
+ * @see .state/adr-018-implementation-guide.md § 5 (TR-023 Rename-Cascade Consumer Contract)
+ * @see .claude/rules/data-layer-layout.md
+ */
+
+/**
+ * Projection-entity name keys this operation may emit. Each key maps to
+ * an entity in the control-plane service; the rewrite-chunk consumer
+ * forwards it to `executeMultiWrite` as the `entity` field on a triple.
+ */
+declare const RENAME_CASCADE_PROJECTION_ENTITY: {
+    readonly MembershipUserProjection: "membershipUserProjection";
+    readonly MembershipWorkspaceProjection: "membershipWorkspaceProjection";
+    readonly RoleAssignmentUserProjection: "roleAssignmentUserProjection";
+    readonly RoleAssignmentWorkspaceProjection: "roleAssignmentWorkspaceProjection";
+};
+type RenameCascadeProjectionEntity = (typeof RENAME_CASCADE_PROJECTION_ENTITY)[keyof typeof RENAME_CASCADE_PROJECTION_ENTITY];
+/**
+ * One row to rewrite — the cascade rewrite-chunk operation turns each
+ * entry into a `delete oldKey` + `put newPayload` transact-write pair.
+ *
+ * `oldKey` and `newKey` differ only in the SK segment when the SK
+ * encodes a normalized form of the renamed name. For Tenant rename and
+ * for SK-stable RoleAssignment projections (canonical pattern #8 and
+ * workspace pattern #9 under a Role rename), `oldKey === newKey` and
+ * the rewrite collapses to a single `put` overwrite.
+ */
+interface RenameCascadeRewriteTarget {
+    readonly entity: RenameCascadeProjectionEntity;
+    /** Composite key payload for the existing row. */
+    readonly oldKey: Record<string, string>;
+    /** Composite key payload for the rewritten row. */
+    readonly newKey: Record<string, string>;
+    /**
+     * Full row payload to write at `newKey` — carries the existing
+     * `summary`, `vid`, `lastUpdated`, and discriminating fields, with
+     * the renamed `denormalized<CarrierEntity>Name` swapped to the new
+     * display name.
+     */
+    readonly newItem: Record<string, unknown>;
+    /**
+     * `true` when `oldKey` and `newKey` differ — the rewrite must atomic
+     * delete the old row and put the new row in the same transaction.
+     * `false` when only the denormalized attr changes — a single `put`
+     * overwrite is sufficient.
+     */
+    readonly skRewriteRequired: boolean;
+}
+
+/**
+ * Shared event-shape constants for the TR-023 rename-cascade consumer.
+ * The cascade's input detail-type (on the data event bus) and its two
+ * terminal detail-types (on the ops event bus) are owned by
+ * `@openhi/workflows`; this module re-imports them so the workflow
+ * construct can wire the EventBridge rule and the terminal publisher
+ * from a single place.
+ *
+ * @see .state/adr-018-implementation-guide.md section 5
+ */
+
+/**
+ * Stable logical name registered with the shared `WorkflowDedupTable`
+ * (TR-015). The state machine's `DedupCheck` state writes a row keyed
+ * by `(consumerName, eventId, attempt)` to absorb EventBridge retries.
+ */
+declare const RENAME_CASCADE_CONSUMER_NAME: "rename-cascade";
+/**
+ * Distributed-Map max concurrency. Per the ADR-018 implementation guide
+ * section 5: Distributed Map (NOT inline — TR-022 owning-delete uses
+ * inline), tunable via the construct's `cascadeMapConcurrency` prop.
+ * Operators may scale this down on first rollout.
+ */
+declare const RENAME_CASCADE_DEFAULT_CONCURRENCY: 10;
+/**
+ * `CascadeFailed` alarm threshold — fires when ExecutionsFailed exceeds
+ * the value over the configured period. Per the implementation guide
+ * section 5 "Alarm thresholds" table.
+ */
+declare const RENAME_CASCADE_FAILED_THRESHOLD: 0;
+/**
+ * `CascadeSlow` alarm threshold (in seconds) — fires when ExecutionTime
+ * p99 exceeds the value. Per the implementation guide section 5.
+ */
+declare const RENAME_CASCADE_SLOW_THRESHOLD_SECONDS: 300;
+/**
+ * Inputs the cascade list-targets step receives. Most fields come
+ * straight off the `ControlPlaneRenameV1` envelope payload; `cursors`
+ * threads through the outer loop.
+ */
+interface RenameCascadeListInput {
+    readonly entityType: RenamableEntityType;
+    readonly entityId: string;
+    readonly tenantId?: string;
+    readonly oldName: string;
+    readonly newName: string;
+    readonly oldNormalizedName: string;
+    readonly newNormalizedName: string;
+    readonly cursors?: Record<string, string | null>;
+    /** Cumulative `itemsRewritten` carried forward across pages. */
+    readonly itemsRewritten?: number;
+    /** Cumulative `chunkCount` carried forward across pages. */
+    readonly chunkCount?: number;
+}
+/** Inputs the cascade rewrite-chunk step receives — one chunk per Map iteration. */
+interface RenameCascadeChunkInput {
+    readonly entityType: RenamableEntityType;
+    readonly entityId: string;
+    readonly tenantId?: string;
+    /** Targets to rewrite in this transaction. Length must be 1..50. */
+    readonly targets: ReadonlyArray<RenameCascadeRewriteTarget>;
+    /**
+     * Idempotency token uniquely identifying this chunk within the
+     * cascade execution. Forwarded to `executeMultiWrite` so replayed
+     * chunks land idempotently.
+     */
+    readonly chunkToken: string;
+}
+/** Outputs the cascade list-targets step emits to feed the Distributed Map state. */
+interface RenameCascadeListOutput {
+    readonly entityType: RenamableEntityType;
+    readonly entityId: string;
+    readonly tenantId?: string;
+    readonly oldName: string;
+    readonly newName: string;
+    readonly oldNormalizedName: string;
+    readonly newNormalizedName: string;
+    readonly cursors: Record<string, string | null>;
+    readonly chunks: ReadonlyArray<RenameCascadeChunkInput>;
+    readonly exhausted: boolean;
+    readonly itemsRewritten: number;
+    readonly chunkCount: number;
+}
+/** Inputs the cascade finalize step receives. */
+interface RenameCascadeFinalizeInput {
+    readonly entityType: RenamableEntityType;
+    readonly entityId: string;
+    readonly tenantId?: string;
+    readonly newName: string;
+    readonly itemsRewritten: number;
+    readonly chunkCount: number;
+    readonly startedAt: string;
+    /** Optional eventId / correlation for ADR-016 envelope chaining. */
+    readonly eventId?: string;
+    readonly correlationId?: string;
+    readonly causationId?: string;
+}
+/** Outputs the cascade finalize step emits (used by tests + telemetry). */
+interface RenameCascadeFinalizeOutput {
+    readonly entityType: RenamableEntityType;
+    readonly entityId: string;
+    readonly tenantId?: string;
+    readonly newName: string;
+    readonly itemsRewritten: number;
+    readonly chunkCount: number;
+    readonly durationMs: number;
+    readonly completedAt: string;
+}
+/** Env var the construct uses to inject the ops event bus name into the finalize Lambda. */
+declare const RENAME_CASCADE_OPS_EVENT_BUS_ENV_VAR: "RENAME_CASCADE_OPS_EVENT_BUS_NAME";
+
 /**
  * @see sites/www-docs/content/packages/@openhi/constructs/workflows/control-plane/seed-demo-data/events.md
  */
@@ -2152,5 +2465,189 @@ declare class OpenHiGraphqlService extends OpenHiService {
     protected createRootGraphqlApi(): RootGraphqlApi;
 }
 
-export { BRIDGED_STATUSES, CLOUDFORMATION_EVENT_SOURCE, CLOUDFORMATION_STACK_STATUS_CHANGE_DETAIL_TYPE, CONTROL_EVENT_BUS_NAME_ENV_VAR, ChildHostedZone, CognitoFixtureSeederClient, CognitoUserPool, CognitoUserPoolClient, CognitoUserPoolDomain, CognitoUserPoolKmsKey, ControlEventBus, DATA_STORE_CHANGE_DETAIL_MAX_UTF8_BYTES, DATA_STORE_CHANGE_DETAIL_TYPE, DATA_STORE_CHANGE_EVENT_SOURCE, DEMO_PERIOD, DEMO_TENANT_SPECS, DEMO_URN_SYSTEM, DEV_USERS, DataEventBus, DataStoreHistoricalArchive, DataStorePostgresReplica, DiscoverableStringParameter, DynamoDbDataStore, OPENHI_REPO_TAG_KEY_ENV_VAR, OPENHI_RESOURCE_URN_SYSTEM, OPENHI_TAG_KEY_PREFIX_ENV_VAR, OPENHI_TAG_SUFFIX_BRANCH_NAME, OPENHI_TAG_SUFFIX_REPO_NAME, OPENHI_TAG_SUFFIX_SERVICE_TYPE, OPENHI_TAG_SUFFIX_STAGE_TYPE, OpenHiApp, OpenHiAuthService, OpenHiDataService, OpenHiEnvironment, OpenHiGlobalService, OpenHiGraphqlService, OpenHiRestApiService, OpenHiService, OpenHiStage, OpsEventBus, PLACEHOLDER_TENANT_ID, PLACEHOLDER_WORKSPACE_ID, PLATFORM_DEPLOY_BRIDGE_ACTOR_SYSTEM, PLATFORM_SCOPE_TENANT_ID, POSTGRES_REPLICA_CLUSTER_ARN_SSM_NAME, POSTGRES_REPLICA_DATABASE_NAME_SSM_NAME, POSTGRES_REPLICA_SECRET_ARN_SSM_NAME, PROVISION_DEFAULT_WORKSPACE_DETAIL_TYPE, PlatformDeployBridge, PlatformDeployBridgeLambda, PostAuthenticationLambda, PostConfirmationLambda, PreTokenGenerationLambda, ProvisionDefaultWorkspaceLambda, REST_API_BASE_URL_SSM_NAME, RootGraphqlApi, RootHostedZone, RootHttpApi, RootWildcardCertificate, SEED_DEMO_DATA_CONSUMER_NAME, SEED_SYSTEM_DATA_ACTOR_SYSTEM, SEED_SYSTEM_DATA_CONSUMER_NAME, SEED_SYSTEM_DATA_CONTROL_BUS_ENV_VAR, STATIC_HOSTING_SERVICE_TYPE, SeedDemoDataLambda, SeedDemoDataWorkflow, SeedSystemDataLambda, SeedSystemDataWorkflow, StaticHosting, USER_ONBOARDING_EVENT_SOURCE, UserOnboardingWorkflow, WorkflowDedupConsumerNameInvalidError, WorkflowDedupTable, WorkflowDedupTableDuplicateError, buildFhirCurrentResourceChangeDetail, buildProvisionDefaultWorkspaceRequestedDetail, demoBasePartitionKeys, demoDevUserPartitionKeys, demoMembershipId, demoMembershipPartitionKey, demoRoleAssignmentId, demoRoleAssignmentPartitionKey, demoRolesForUserInTenant, demoScenarioIdentifier, demoTenantPartitionKey, demoUserPartitionKey, demoWorkspacePartitionKey, getDynamoDbDataStoreTableName, getPostgresReplicaSchemaName, getWorkflowDedupTableName, openHiTagKey, openhiResourceIdentifier, rolePartitionKey };
-export type { BridgedStatus, BuildParameterNameProps, ChildHostedZoneProps, CloudFormationStackStatusChangeDetail, CognitoFixtureSeederClientProps, DataStoreHistoricalArchiveProps, DataStorePostgresReplicaProps, DemoDevUser, DemoTenantSpec, DemoWorkspaceSpec, DiscoverableStringParameterProps, DynamoDbDataStoreProps, FhirCurrentResourceChangeDetail, GrantConsumerOptions, OpenHiAppProps, OpenHiAuthServiceProps, OpenHiDataServiceProps, OpenHiEnvironmentProps, OpenHiGlobalServiceProps, OpenHiGraphqlServiceProps, OpenHiRestApiServiceProps, OpenHiServiceProps, OpenHiServiceType, OpenHiStageProps, PlatformDeployBridgeLambdaProps, PlatformDeployBridgeProps, PostConfirmationLambdaProps, PreTokenGenerationLambdaProps, ProvisionDefaultWorkspaceLambdaProps, ProvisionDefaultWorkspaceRequestedDetail, RootGraphqlApiProps, RootHttpApiProps, SeedDemoDataLambdaProps, SeedDemoDataWorkflowProps, SeedSystemDataLambdaProps, SeedSystemDataWorkflowProps, StaticHostingProps, UserOnboardingWorkflowProps, WorkflowDedupTableProps };
+interface OwningDeleteCascadeLambdasProps {
+    /** Data-store table the cascade reads (Query) and writes (DeleteItem / TransactWriteItems) against. */
+    readonly dataStoreTable: ITable;
+    /** Ops event bus the cascade finalize step publishes terminal events onto. */
+    readonly opsEventBus: IEventBus;
+}
+/**
+ * The three Lambdas that power the TR-022 owning-entity hard-delete
+ * cascade state machine. Bundled together because the state machine
+ * wires them in a fixed topology and they share the same data-store
+ * grant pattern.
+ *
+ * - `listChunks` — pages through the owner's adjacency-list partition
+ *   via ElectroDB Query, splits the page into <=100-item chunks for
+ *   the inline Map state.
+ * - `deleteChunk` — Map-iteration handler; submits one chunk as a
+ *   single `TransactWriteItems` via `executeMultiWrite`. The state
+ *   machine's `MaxConcurrency = 8` runs up to eight of these in
+ *   parallel.
+ * - `finalize` — deletes the owning canonical record at
+ *   `SK = "CURRENT"` conditional on `lifecycleState = "deleting"`,
+ *   then emits the `control-plane.owning-delete-complete.v1` terminal
+ *   event on the ops event bus.
+ *
+ * IAM grants are scoped per-Lambda: the read/write Lambdas get
+ * table-level Query / TransactWriteItems on the data store; the
+ * finalize Lambda gets a focused `DeleteItem` + `PutEvents` policy
+ * (no Query, no broad writes).
+ */
+declare class OwningDeleteCascadeLambdas extends Construct {
+    readonly listChunks: NodejsFunction;
+    readonly deleteChunk: NodejsFunction;
+    readonly finalize: NodejsFunction;
+    constructor(scope: Construct, props: OwningDeleteCascadeLambdasProps);
+}
+
+/**
+ * @see sites/www-docs/content/packages/@openhi/constructs/workflows/control-plane/owning-delete-cascade/owning-delete-cascade-workflow.md
+ */
+interface OwningDeleteCascadeWorkflowProps {
+    /**
+     * Data event bus carrying `control-plane.owning-delete.v1`. The
+     * workflow's EventBridge rule lives on this bus and starts a state
+     * machine execution per matching event.
+     */
+    readonly dataEventBus: IEventBus;
+    /** Ops event bus the cascade finalize step publishes terminal events onto. */
+    readonly opsEventBus: IEventBus;
+    /** Data-store table the cascade reads from / writes deletes into. */
+    readonly dataStoreTable: ITable;
+    /**
+     * Inline-Map max concurrency. Defaults to
+     * {@link OWNING_DELETE_CASCADE_DEFAULT_CONCURRENCY} (8) per the
+     * ADR-018 implementation guide section 4 — tunable per environment.
+     * NOTE: this is an **inline** Map (NOT Distributed Map — TR-022
+     * Choice 2A pins inline; TR-023 uses Distributed for renames).
+     */
+    readonly cascadeMapConcurrency?: number;
+}
+/**
+ * Control-plane workflow that fans out the TR-022 owning-entity
+ * hard-delete cascade.
+ *
+ * Pipeline (per the ADR-018 implementation guide section 4):
+ *
+ * 1. Synchronous API entry point flips the canonical owning record's
+ *    `lifecycleState: active -> deleting`. (Owned by the REST adapter,
+ *    not this construct.)
+ * 2. DynamoDB stream / Firehose transform publishes
+ *    `control-plane.owning-delete.v1` on the data event bus.
+ * 3. EventBridge rule (owned here) starts this state machine.
+ * 4. State machine outer loop:
+ *    - `ListChunks` Lambda pages through the owner's adjacency-list
+ *      partition and emits chunks of up to 100 projection rows.
+ *    - `RewriteChunks` inline Map (MaxConcurrency = 8) deletes each
+ *      chunk in parallel via `executeMultiWrite`.
+ *    - `IsExhausted` Choice loops back to `ListChunks` until the page
+ *      query returns zero items and every per-entity cursor is `null`.
+ * 5. `Finalize` Lambda deletes the canonical owning record
+ *    (conditional on `lifecycleState = "deleting"`) and emits
+ *    `control-plane.owning-delete-complete.v1` on the ops event bus.
+ *
+ * Idempotency: every Map iteration uses a per-chunk `ClientRequestToken`,
+ * and the finalize step's canonical delete is conditional on
+ * `lifecycleState = "deleting"`. A replayed execution finds no rows
+ * to delete, no canonical to remove, and emits no terminal event.
+ */
+declare class OwningDeleteCascadeWorkflow extends Construct {
+    readonly lambdas: OwningDeleteCascadeLambdas;
+    readonly stateMachine: StateMachine;
+    readonly rule: Rule;
+    constructor(scope: Construct, props: OwningDeleteCascadeWorkflowProps);
+}
+
+interface RenameCascadeLambdasProps {
+    /** Data-store table the cascade reads (Query) and writes (TransactWriteItems) against. */
+    readonly dataStoreTable: ITable;
+    /** Ops event bus the cascade finalize step publishes terminal events onto. */
+    readonly opsEventBus: IEventBus;
+}
+/**
+ * The three Lambdas that power the TR-023 rename cascade state machine.
+ *
+ * - `listTargets` — pages through the affected projection partitions
+ *   for a rename and emits chunks of up to 50 rewrite targets.
+ * - `rewriteChunk` — Distributed-Map iteration handler; submits one
+ *   chunk as a single `TransactWriteItems` via `executeMultiWrite`. The
+ *   state machine's `MaxConcurrency = 10` runs up to ten of these in
+ *   parallel.
+ * - `finalize` — emits `control-plane.rename-complete.v1` on the ops
+ *   event bus.
+ *
+ * IAM grants are scoped per-Lambda: read/write Lambdas get table-level
+ * Query / TransactWriteItems on the data store; the finalize Lambda
+ * gets only `events:PutEvents` on the ops event bus.
+ */
+declare class RenameCascadeLambdas extends Construct {
+    readonly listTargets: NodejsFunction;
+    readonly rewriteChunk: NodejsFunction;
+    readonly finalize: NodejsFunction;
+    constructor(scope: Construct, props: RenameCascadeLambdasProps);
+}
+
+interface RenameCascadeWorkflowProps {
+    /**
+     * Data event bus carrying `control-plane.rename.v1`. The workflow's
+     * EventBridge rule lives on this bus and starts a state machine
+     * execution per matching event.
+     */
+    readonly dataEventBus: IEventBus;
+    /** Ops event bus the cascade finalize step publishes terminal events onto. */
+    readonly opsEventBus: IEventBus;
+    /** Data-store table the cascade reads from / writes rewrites into. */
+    readonly dataStoreTable: ITable;
+    /**
+     * Distributed-Map max concurrency. Defaults to
+     * {@link RENAME_CASCADE_DEFAULT_CONCURRENCY} (10) per the ADR-018
+     * implementation guide section 5 — tunable per environment.
+     *
+     * NOTE: this is a **Distributed** Map (NOT inline — TR-022's
+     * owning-delete cascade uses inline; TR-023's rename cascade uses
+     * Distributed).
+     */
+    readonly cascadeMapConcurrency?: number;
+}
+/**
+ * Control-plane workflow that fans out the TR-023 rename cascade.
+ *
+ * Pipeline (per the ADR-018 implementation guide section 5):
+ *
+ * 1. The Firehose transform Lambda publishes
+ *    `control-plane.rename.v1` on the data event bus when it observes
+ *    a stream record showing a display-name change on a canonical
+ *    Tenant / User / Role row.
+ * 2. EventBridge rule (owned here) starts this state machine.
+ * 3. State machine outer loop:
+ *    - `ListTargets` Lambda pages through the affected projection
+ *      partitions for the renamed entity and emits chunks of up to 50
+ *      rewrite targets.
+ *    - `RewriteChunks` Distributed Map (MaxConcurrency = 10) rewrites
+ *      each chunk in parallel via `executeMultiWrite`. Each target
+ *      maps to either a `delete oldKey` + `put newItem` pair (SK
+ *      rewrite) or a single `put newItem` overwrite (attr-only update).
+ *    - `IsExhausted` Choice loops back to `ListTargets` until every
+ *      per-stream cursor returns `null`.
+ * 4. `Finalize` Lambda emits `control-plane.rename-complete.v1` on the
+ *    ops event bus.
+ *
+ * Idempotency: every Map iteration uses a per-chunk `ClientRequestToken`,
+ * and the state machine's `Catch` block absorbs
+ * `DynamoDB.TransactionCanceledException` as a no-op success — a
+ * replayed chunk where every row is already at the new SK fails its
+ * delete-old triple and the helper rolls back; the cascade keeps
+ * draining the page until the outer loop terminates on exhaustion.
+ * Lost-race writes (per the TR-023 idempotency rule) are accepted —
+ * the renaming write loses to a later concurrent write on the same row.
+ */
+declare class RenameCascadeWorkflow extends Construct {
+    readonly lambdas: RenameCascadeLambdas;
+    readonly stateMachine: StateMachine;
+    readonly rule: Rule;
+    constructor(scope: Construct, props: RenameCascadeWorkflowProps);
+}
+
+export { BRIDGED_STATUSES, CLOUDFORMATION_EVENT_SOURCE, CLOUDFORMATION_STACK_STATUS_CHANGE_DETAIL_TYPE, CONTROL_EVENT_BUS_NAME_ENV_VAR, ChildHostedZone, CognitoFixtureSeederClient, CognitoUserPool, CognitoUserPoolClient, CognitoUserPoolDomain, CognitoUserPoolKmsKey, ControlEventBus, DATA_STORE_CHANGE_DETAIL_MAX_UTF8_BYTES, DATA_STORE_CHANGE_DETAIL_TYPE, DATA_STORE_CHANGE_EVENT_SOURCE, DEMO_PERIOD, DEMO_TENANT_SPECS, DEMO_URN_SYSTEM, DEV_USERS, DataEventBus, DataStoreHistoricalArchive, DataStorePostgresReplica, DiscoverableStringParameter, DynamoDbDataStore, OPENHI_REPO_TAG_KEY_ENV_VAR, OPENHI_RESOURCE_URN_SYSTEM, OPENHI_TAG_KEY_PREFIX_ENV_VAR, OPENHI_TAG_SUFFIX_BRANCH_NAME, OPENHI_TAG_SUFFIX_REPO_NAME, OPENHI_TAG_SUFFIX_SERVICE_TYPE, OPENHI_TAG_SUFFIX_STAGE_TYPE, OWNING_DELETE_CASCADE_CONSUMER_NAME, OWNING_DELETE_CASCADE_DEFAULT_CONCURRENCY, OWNING_DELETE_CASCADE_STUCK_THRESHOLD_MINUTES, OWNING_DELETE_OPS_EVENT_BUS_ENV_VAR, OpenHiApp, OpenHiAuthService, OpenHiDataService, OpenHiEnvironment, OpenHiGlobalService, OpenHiGraphqlService, OpenHiRestApiService, OpenHiService, OpenHiStage, OpsEventBus, OwningDeleteCascadeLambdas, OwningDeleteCascadeWorkflow, PLACEHOLDER_TENANT_ID, PLACEHOLDER_WORKSPACE_ID, PLATFORM_DEPLOY_BRIDGE_ACTOR_SYSTEM, PLATFORM_SCOPE_TENANT_ID, POSTGRES_REPLICA_CLUSTER_ARN_SSM_NAME, POSTGRES_REPLICA_DATABASE_NAME_SSM_NAME, POSTGRES_REPLICA_SECRET_ARN_SSM_NAME, PROVISION_DEFAULT_WORKSPACE_DETAIL_TYPE, PlatformDeployBridge, PlatformDeployBridgeLambda, PostAuthenticationLambda, PostConfirmationLambda, PreTokenGenerationLambda, ProvisionDefaultWorkspaceLambda, RENAME_CASCADE_CONSUMER_NAME, RENAME_CASCADE_DEFAULT_CONCURRENCY, RENAME_CASCADE_FAILED_THRESHOLD, RENAME_CASCADE_OPS_EVENT_BUS_ENV_VAR, RENAME_CASCADE_SLOW_THRESHOLD_SECONDS, REST_API_BASE_URL_SSM_NAME, RenameCascadeLambdas, RenameCascadeWorkflow, RootGraphqlApi, RootHostedZone, RootHttpApi, RootWildcardCertificate, SEED_DEMO_DATA_CONSUMER_NAME, SEED_SYSTEM_DATA_ACTOR_SYSTEM, SEED_SYSTEM_DATA_CONSUMER_NAME, SEED_SYSTEM_DATA_CONTROL_BUS_ENV_VAR, STATIC_HOSTING_SERVICE_TYPE, SeedDemoDataLambda, SeedDemoDataWorkflow, SeedSystemDataLambda, SeedSystemDataWorkflow, StaticHosting, USER_ONBOARDING_EVENT_SOURCE, UserOnboardingWorkflow, WorkflowDedupConsumerNameInvalidError, WorkflowDedupTable, WorkflowDedupTableDuplicateError, buildFhirCurrentResourceChangeDetail, buildProvisionDefaultWorkspaceRequestedDetail, demoBasePartitionKeys, demoDevUserPartitionKeys, demoMembershipId, demoMembershipPartitionKey, demoRoleAssignmentId, demoRoleAssignmentPartitionKey, demoRolesForUserInTenant, demoScenarioIdentifier, demoTenantPartitionKey, demoUserPartitionKey, demoWorkspacePartitionKey, getDynamoDbDataStoreTableName, getPostgresReplicaSchemaName, getWorkflowDedupTableName, openHiTagKey, openhiResourceIdentifier, rolePartitionKey };
+export type { BridgedStatus, BuildParameterNameProps, CascadeChunkInput, CascadeFinalizeInput, CascadeFinalizeOutput, CascadeListInput, CascadeListOutput, ChildHostedZoneProps, CloudFormationStackStatusChangeDetail, CognitoFixtureSeederClientProps, DataStoreHistoricalArchiveProps, DataStorePostgresReplicaProps, DemoDevUser, DemoTenantSpec, DemoWorkspaceSpec, DiscoverableStringParameterProps, DynamoDbDataStoreProps, FhirCurrentResourceChangeDetail, GrantConsumerOptions, OpenHiAppProps, OpenHiAuthServiceProps, OpenHiDataServiceProps, OpenHiEnvironmentProps, OpenHiGlobalServiceProps, OpenHiGraphqlServiceProps, OpenHiRestApiServiceProps, OpenHiServiceProps, OpenHiServiceType, OpenHiStageProps, OwningDeleteCascadeLambdasProps, OwningDeleteCascadeWorkflowProps, PlatformDeployBridgeLambdaProps, PlatformDeployBridgeProps, PostConfirmationLambdaProps, PreTokenGenerationLambdaProps, ProvisionDefaultWorkspaceLambdaProps, ProvisionDefaultWorkspaceRequestedDetail, RenameCascadeChunkInput, RenameCascadeFinalizeInput, RenameCascadeFinalizeOutput, RenameCascadeLambdasProps, RenameCascadeListInput, RenameCascadeListOutput, RenameCascadeWorkflowProps, RootGraphqlApiProps, RootHttpApiProps, SeedDemoDataLambdaProps, SeedDemoDataWorkflowProps, SeedSystemDataLambdaProps, SeedSystemDataWorkflowProps, StaticHostingProps, UserOnboardingWorkflowProps, WorkflowDedupTableProps };