@openhi/constructs 0.0.113 → 0.0.115

package/lib/{chunk-NZRW7ROK.mjs → chunk-YYRWDEG4.mjs}

@@ -1,7 +1,7 @@
 import {
   batchGetWithRetry,
   dispatchListMode
-} from "./chunk-QMBJ4VHC.mjs";
+} from "./chunk-U7L7T4XU.mjs";
 import {
   ForbiddenError,
   NotFoundError,
@@ -304,4 +304,4 @@ export {
   idFromReference,
   switchUserTenantWorkspaceOperation
 };
-//# sourceMappingURL=chunk-NZRW7ROK.mjs.map
+//# sourceMappingURL=chunk-YYRWDEG4.mjs.map

package/lib/{chunk-KSFC72TT.mjs → chunk-ZHMHLK3S.mjs}

@@ -3,7 +3,7 @@ import {
   dispatchListMode,
   getDynamoDataService,
   listDataEntitiesByWorkspace
-} from "./chunk-QMBJ4VHC.mjs";
+} from "./chunk-U7L7T4XU.mjs";
 import {
   SHARD_COUNT,
   getDynamoControlService
@@ -93,4 +93,4 @@ export {
   listMembershipsOperation,
   listRoleAssignmentsOperation
 };
-//# sourceMappingURL=chunk-KSFC72TT.mjs.map
+//# sourceMappingURL=chunk-ZHMHLK3S.mjs.map

package/lib/{events-DPodvl07.d.mts → events-CMG8xanm.d.mts}

@@ -37,10 +37,9 @@ declare const DEMO_PERIOD: {
  * `"platform"` literal is a reserved value that never matches a real
  * Tenant id and signals "this RA scopes across all tenants".
  *
- * Renaming this constant is a wire-format break — the IAM grant in
- * `seed-demo-data-lambda.ts` enumerates exact-match `LeadingKeys`
- * computed from this value, and the in-band records written under it
- * become unreachable if the sentinel changes.
+ * Renaming this constant is a wire-format break — the handler emits
+ * RoleAssignment records keyed on this value, and the in-band records
+ * written under it become unreachable if the sentinel changes.
  */
 declare const PLATFORM_SCOPE_TENANT_ID = "platform";
 /** Placeholder Tenant id seeded by the workflow as the dev-user `currentTenant`. */
@@ -81,8 +80,8 @@ interface DemoWorkspaceSpec {
     readonly name: string;
     /**
      * Role suffix used in the demo URN value (`<scenario>:<roleSuffix>`).
-     * Mirrors seed-fixtures' role suffix convention: `workspace` for
-     * single-workspace tenants, `workspace-<sub>` for the mixed tenant.
+     * `workspace` for single-workspace tenants, `workspace-<sub>` for the
+     * mixed tenant.
      */
     readonly roleSuffix: string;
 }
@@ -95,8 +94,7 @@ interface DemoTenantSpec {
     /**
      * Scenario slug — `placeholder`, `demo-wound-care`, `demo-primary-care`,
      * `demo-mixed`. The placeholder tenant's slug is `placeholder`; the
-     * three demo tenants mirror seed-fixtures' `fixture-*` slugs renamed
-     * to `demo-*`.
+     * three demo tenants use `demo-*` slugs.
      */
     readonly scenario: string;
     /** Stable id (DynamoDB record id; also drives the canonical OHI URN). */
@@ -131,8 +129,6 @@ declare const demoMembershipId: (devUserId: string, tenantId: string) => string;
 declare const demoRoleAssignmentId: (devUserId: string, tenantId: string, roleCode: PlatformRoleCode) => string;
 /**
  * Demo-scenario FHIR `Identifier` entry — `urn:openhi:demo:<scenario>:<role>`.
- * Mirrors the `urn:openhi:fixture:<scenario>:<role>` pattern from
- * `@openhi/seed-fixtures/src/urn.ts`, renamed to the `demo` namespace.
  */
 declare const demoScenarioIdentifier: (scenario: string, roleSuffix: string) => {
     system: string;
@@ -161,47 +157,5 @@ declare const openhiResourceIdentifier: (params: {
  * is no per-(user, tenant) variance to drive from.
  */
 declare const demoRolesForUserInTenant: (_user: DemoDevUser, _tenantId: string) => ReadonlyArray<PlatformRoleCode>;
-/**
- * DynamoDB single-table partition-key builders. The IAM grant in
- * `seed-demo-data-lambda.ts` uses these to enumerate exact-match
- * `dynamodb:LeadingKeys` values; the entity definitions in
- * `data/dynamo/entities/control/` own the canonical key templates.
- *
- * These builders MUST emit the keys ElectroDB actually writes — not
- * the entity definition's pretty template. None of the control-plane
- * entities sets `casing: "none"` on the base-table PK template, so
- * ElectroDB applies its default lowercase casing at runtime: the
- * entity's `ROLE#ID#${id}` becomes `role#id#<id>` on the wire. A
- * builder that returns the uppercase template form produces a
- * silently-broken IAM grant (every PutItem denied with "no
- * identity-based policy allows" because the request's leading-key
- * never matches a policy value).
- */
-declare const rolePartitionKey: (roleId: string) => string;
-declare const demoTenantPartitionKey: (tenantId: string) => string;
-declare const demoWorkspacePartitionKey: (tenantId: string, workspaceId: string) => string;
-declare const demoMembershipPartitionKey: (tenantId: string, membershipId: string) => string;
-declare const demoRoleAssignmentPartitionKey: (tenantId: string, roleAssignmentId: string) => string;
-/** User entity PK template — `USER#ID#<id>` → `user#id#<id>` on the wire. */
-declare const demoUserPartitionKey: (userId: string) => string;
-/**
- * Tenant + Workspace PKs the workflow writes on every fire: the 4
- * tenant PKs (placeholder + 3 demo) plus their workspaces (1 + 1 + 1 + 2 = 5).
- */
-declare const demoBasePartitionKeys: () => ReadonlyArray<string>;
-/**
- * Membership + RoleAssignment + User PKs the workflow writes per dev
- * user. Empty when `devUsers` is empty (used by tests). The list
- * mirrors the handler's iteration order so the IAM grant covers every
- * write the handler can make.
- *
- * Per dev user the function emits:
- *   - one User PK,
- *   - per tenant in {@link DEMO_TENANT_SPECS}: one Membership PK plus
- *     one `tenant-admin` RoleAssignment PK,
- *   - one platform-scoped `system-admin` RoleAssignment PK keyed by
- *     {@link PLATFORM_SCOPE_TENANT_ID}.
- */
-declare const demoDevUserPartitionKeys: (devUsers: ReadonlyArray<DemoDevUser>) => ReadonlyArray<string>;
 
-export { DEMO_PERIOD as D, OPENHI_RESOURCE_URN_SYSTEM as O, PLACEHOLDER_TENANT_ID as P, SEED_DEMO_DATA_CONSUMER_NAME as S, DEMO_TENANT_SPECS as a, DEMO_URN_SYSTEM as b, DEV_USERS as c, type DemoDevUser as d, type DemoTenantSpec as e, type DemoWorkspaceSpec as f, PLACEHOLDER_WORKSPACE_ID as g, PLATFORM_SCOPE_TENANT_ID as h, demoBasePartitionKeys as i, demoDevUserPartitionKeys as j, demoMembershipId as k, demoMembershipPartitionKey as l, demoRoleAssignmentId as m, demoRoleAssignmentPartitionKey as n, demoRolesForUserInTenant as o, demoScenarioIdentifier as p, demoTenantPartitionKey as q, demoUserPartitionKey as r, demoWorkspacePartitionKey as s, openhiResourceIdentifier as t, rolePartitionKey as u };
+export { DEMO_PERIOD as D, OPENHI_RESOURCE_URN_SYSTEM as O, PLACEHOLDER_TENANT_ID as P, SEED_DEMO_DATA_CONSUMER_NAME as S, DEMO_TENANT_SPECS as a, DEMO_URN_SYSTEM as b, DEV_USERS as c, type DemoDevUser as d, type DemoTenantSpec as e, type DemoWorkspaceSpec as f, PLACEHOLDER_WORKSPACE_ID as g, PLATFORM_SCOPE_TENANT_ID as h, demoMembershipId as i, demoRoleAssignmentId as j, demoRolesForUserInTenant as k, demoScenarioIdentifier as l, openhiResourceIdentifier as o };

package/lib/{events-DPodvl07.d.ts → events-CMG8xanm.d.ts}

@@ -37,10 +37,9 @@ declare const DEMO_PERIOD: {
  * `"platform"` literal is a reserved value that never matches a real
  * Tenant id and signals "this RA scopes across all tenants".
  *
- * Renaming this constant is a wire-format break — the IAM grant in
- * `seed-demo-data-lambda.ts` enumerates exact-match `LeadingKeys`
- * computed from this value, and the in-band records written under it
- * become unreachable if the sentinel changes.
+ * Renaming this constant is a wire-format break — the handler emits
+ * RoleAssignment records keyed on this value, and the in-band records
+ * written under it become unreachable if the sentinel changes.
  */
 declare const PLATFORM_SCOPE_TENANT_ID = "platform";
 /** Placeholder Tenant id seeded by the workflow as the dev-user `currentTenant`. */
@@ -81,8 +80,8 @@ interface DemoWorkspaceSpec {
     readonly name: string;
     /**
      * Role suffix used in the demo URN value (`<scenario>:<roleSuffix>`).
-     * Mirrors seed-fixtures' role suffix convention: `workspace` for
-     * single-workspace tenants, `workspace-<sub>` for the mixed tenant.
+     * `workspace` for single-workspace tenants, `workspace-<sub>` for the
+     * mixed tenant.
      */
     readonly roleSuffix: string;
 }
@@ -95,8 +94,7 @@ interface DemoTenantSpec {
     /**
      * Scenario slug — `placeholder`, `demo-wound-care`, `demo-primary-care`,
      * `demo-mixed`. The placeholder tenant's slug is `placeholder`; the
-     * three demo tenants mirror seed-fixtures' `fixture-*` slugs renamed
-     * to `demo-*`.
+     * three demo tenants use `demo-*` slugs.
      */
     readonly scenario: string;
     /** Stable id (DynamoDB record id; also drives the canonical OHI URN). */
@@ -131,8 +129,6 @@ declare const demoMembershipId: (devUserId: string, tenantId: string) => string;
 declare const demoRoleAssignmentId: (devUserId: string, tenantId: string, roleCode: PlatformRoleCode) => string;
 /**
  * Demo-scenario FHIR `Identifier` entry — `urn:openhi:demo:<scenario>:<role>`.
- * Mirrors the `urn:openhi:fixture:<scenario>:<role>` pattern from
- * `@openhi/seed-fixtures/src/urn.ts`, renamed to the `demo` namespace.
  */
 declare const demoScenarioIdentifier: (scenario: string, roleSuffix: string) => {
     system: string;
@@ -161,47 +157,5 @@ declare const openhiResourceIdentifier: (params: {
  * is no per-(user, tenant) variance to drive from.
  */
 declare const demoRolesForUserInTenant: (_user: DemoDevUser, _tenantId: string) => ReadonlyArray<PlatformRoleCode>;
-/**
- * DynamoDB single-table partition-key builders. The IAM grant in
- * `seed-demo-data-lambda.ts` uses these to enumerate exact-match
- * `dynamodb:LeadingKeys` values; the entity definitions in
- * `data/dynamo/entities/control/` own the canonical key templates.
- *
- * These builders MUST emit the keys ElectroDB actually writes — not
- * the entity definition's pretty template. None of the control-plane
- * entities sets `casing: "none"` on the base-table PK template, so
- * ElectroDB applies its default lowercase casing at runtime: the
- * entity's `ROLE#ID#${id}` becomes `role#id#<id>` on the wire. A
- * builder that returns the uppercase template form produces a
- * silently-broken IAM grant (every PutItem denied with "no
- * identity-based policy allows" because the request's leading-key
- * never matches a policy value).
- */
-declare const rolePartitionKey: (roleId: string) => string;
-declare const demoTenantPartitionKey: (tenantId: string) => string;
-declare const demoWorkspacePartitionKey: (tenantId: string, workspaceId: string) => string;
-declare const demoMembershipPartitionKey: (tenantId: string, membershipId: string) => string;
-declare const demoRoleAssignmentPartitionKey: (tenantId: string, roleAssignmentId: string) => string;
-/** User entity PK template — `USER#ID#<id>` → `user#id#<id>` on the wire. */
-declare const demoUserPartitionKey: (userId: string) => string;
-/**
- * Tenant + Workspace PKs the workflow writes on every fire: the 4
- * tenant PKs (placeholder + 3 demo) plus their workspaces (1 + 1 + 1 + 2 = 5).
- */
-declare const demoBasePartitionKeys: () => ReadonlyArray<string>;
-/**
- * Membership + RoleAssignment + User PKs the workflow writes per dev
- * user. Empty when `devUsers` is empty (used by tests). The list
- * mirrors the handler's iteration order so the IAM grant covers every
- * write the handler can make.
- *
- * Per dev user the function emits:
- *   - one User PK,
- *   - per tenant in {@link DEMO_TENANT_SPECS}: one Membership PK plus
- *     one `tenant-admin` RoleAssignment PK,
- *   - one platform-scoped `system-admin` RoleAssignment PK keyed by
- *     {@link PLATFORM_SCOPE_TENANT_ID}.
- */
-declare const demoDevUserPartitionKeys: (devUsers: ReadonlyArray<DemoDevUser>) => ReadonlyArray<string>;
 
-export { DEMO_PERIOD as D, OPENHI_RESOURCE_URN_SYSTEM as O, PLACEHOLDER_TENANT_ID as P, SEED_DEMO_DATA_CONSUMER_NAME as S, DEMO_TENANT_SPECS as a, DEMO_URN_SYSTEM as b, DEV_USERS as c, type DemoDevUser as d, type DemoTenantSpec as e, type DemoWorkspaceSpec as f, PLACEHOLDER_WORKSPACE_ID as g, PLATFORM_SCOPE_TENANT_ID as h, demoBasePartitionKeys as i, demoDevUserPartitionKeys as j, demoMembershipId as k, demoMembershipPartitionKey as l, demoRoleAssignmentId as m, demoRoleAssignmentPartitionKey as n, demoRolesForUserInTenant as o, demoScenarioIdentifier as p, demoTenantPartitionKey as q, demoUserPartitionKey as r, demoWorkspacePartitionKey as s, openhiResourceIdentifier as t, rolePartitionKey as u };
+export { DEMO_PERIOD as D, OPENHI_RESOURCE_URN_SYSTEM as O, PLACEHOLDER_TENANT_ID as P, SEED_DEMO_DATA_CONSUMER_NAME as S, DEMO_TENANT_SPECS as a, DEMO_URN_SYSTEM as b, DEV_USERS as c, type DemoDevUser as d, type DemoTenantSpec as e, type DemoWorkspaceSpec as f, PLACEHOLDER_WORKSPACE_ID as g, PLATFORM_SCOPE_TENANT_ID as h, demoMembershipId as i, demoRoleAssignmentId as j, demoRolesForUserInTenant as k, demoScenarioIdentifier as l, openhiResourceIdentifier as o };

package/lib/index.d.mts

@@ -4,7 +4,7 @@ import { IConstruct, Construct } from 'constructs';
 import { Certificate, CertificateProps, ICertificate } from 'aws-cdk-lib/aws-certificatemanager';
 import { HttpApiProps, HttpApi, IHttpApi, DomainName } from 'aws-cdk-lib/aws-apigatewayv2';
 import { GraphqlApi, IGraphqlApi, GraphqlApiProps } from 'aws-cdk-lib/aws-appsync';
-import { UserPoolClient, UserPoolClientProps, IUserPool, UserPool, UserPoolProps, UserPoolDomain, UserPoolDomainProps, IUserPoolClient, IUserPoolDomain } from 'aws-cdk-lib/aws-cognito';
+import { UserPool, UserPoolProps, UserPoolClient, UserPoolClientProps, UserPoolDomain, UserPoolDomainProps, IUserPool, IUserPoolClient, IUserPoolDomain } from 'aws-cdk-lib/aws-cognito';
 import { Key, KeyProps, IKey } from 'aws-cdk-lib/aws-kms';
 import { NodejsFunction } from 'aws-cdk-lib/aws-lambda-nodejs';
 import { D as DynamoDbStreamKinesisRecord } from './dynamodb-stream-record-CJtV6a1t.mjs';
@@ -25,11 +25,11 @@ export { C as CascadeChunkInput, a as CascadeFinalizeInput, b as CascadeFinalize
 import { StateMachine } from 'aws-cdk-lib/aws-stepfunctions';
 export { B as BRIDGED_STATUSES, a as BridgedStatus, C as CLOUDFORMATION_EVENT_SOURCE, b as CLOUDFORMATION_STACK_STATUS_CHANGE_DETAIL_TYPE, c as CONTROL_EVENT_BUS_NAME_ENV_VAR, d as CloudFormationStackStatusChangeDetail, O as OPENHI_REPO_TAG_KEY_ENV_VAR, e as OPENHI_TAG_KEY_PREFIX_ENV_VAR, P as PLATFORM_DEPLOY_BRIDGE_ACTOR_SYSTEM } from './events-BfrkMoBD.mjs';
 export { R as RENAME_CASCADE_CONSUMER_NAME, a as RENAME_CASCADE_DEFAULT_CONCURRENCY, b as RENAME_CASCADE_FAILED_THRESHOLD, c as RENAME_CASCADE_OPS_EVENT_BUS_ENV_VAR, d as RENAME_CASCADE_SLOW_THRESHOLD_SECONDS, e as RenameCascadeChunkInput, f as RenameCascadeFinalizeInput, g as RenameCascadeFinalizeOutput, h as RenameCascadeListInput, i as RenameCascadeListOutput } from './events-Da_cFgtc.mjs';
-export { D as DEMO_PERIOD, a as DEMO_TENANT_SPECS, b as DEMO_URN_SYSTEM, c as DEV_USERS, d as DemoDevUser, e as DemoTenantSpec, f as DemoWorkspaceSpec, O as OPENHI_RESOURCE_URN_SYSTEM, P as PLACEHOLDER_TENANT_ID, g as PLACEHOLDER_WORKSPACE_ID, h as PLATFORM_SCOPE_TENANT_ID, S as SEED_DEMO_DATA_CONSUMER_NAME, i as demoBasePartitionKeys, j as demoDevUserPartitionKeys, k as demoMembershipId, l as demoMembershipPartitionKey, m as demoRoleAssignmentId, n as demoRoleAssignmentPartitionKey, o as demoRolesForUserInTenant, p as demoScenarioIdentifier, q as demoTenantPartitionKey, r as demoUserPartitionKey, s as demoWorkspacePartitionKey, t as openhiResourceIdentifier, u as rolePartitionKey } from './events-DPodvl07.mjs';
+import { Patient, Practitioner, Observation, Encounter, Account } from '@openhi/types';
+export { D as DEMO_PERIOD, a as DEMO_TENANT_SPECS, b as DEMO_URN_SYSTEM, c as DEV_USERS, d as DemoDevUser, e as DemoTenantSpec, f as DemoWorkspaceSpec, O as OPENHI_RESOURCE_URN_SYSTEM, P as PLACEHOLDER_TENANT_ID, g as PLACEHOLDER_WORKSPACE_ID, h as PLATFORM_SCOPE_TENANT_ID, S as SEED_DEMO_DATA_CONSUMER_NAME, i as demoMembershipId, j as demoRoleAssignmentId, k as demoRolesForUserInTenant, l as demoScenarioIdentifier, o as openhiResourceIdentifier } from './events-CMG8xanm.mjs';
 export { P as PROVISION_DEFAULT_WORKSPACE_DETAIL_TYPE, a as ProvisionDefaultWorkspaceRequestedDetail, U as USER_ONBOARDING_EVENT_SOURCE, b as buildProvisionDefaultWorkspaceRequestedDetail } from './events-CVA3_eEB.mjs';
 export { ControlPlaneOwningDeleteCompleteV1, ControlPlaneOwningDeleteCompleteV1Detail, ControlPlaneOwningDeleteFailedV1, ControlPlaneOwningDeleteFailedV1Detail, ControlPlaneOwningDeleteV1, ControlPlaneOwningDeleteV1Detail, ControlPlaneRenameCompleteV1, ControlPlaneRenameCompleteV1Detail, ControlPlaneRenameFailedV1, ControlPlaneRenameFailedV1Detail, ControlPlaneRenameV1, ControlPlaneRenameV1Detail, OPENHI_DATA_SOURCE, OPENHI_OPS_SOURCE, OWNING_ENTITY_TYPE, OwningEntityType, PlatformDeploymentCompletedV1, PlatformSystemDataSeededV1, RENAMABLE_ENTITY_TYPE, RenamableEntityType } from '@openhi/workflows';
 import '@aws-sdk/client-dynamodb';
-import '@openhi/types';
 import 'aws-lambda';
 
 /**
@@ -420,47 +420,6 @@ declare class RootGraphqlApi extends GraphqlApi {
     constructor(scope: Construct, props?: Omit<RootGraphqlApiProps, "name">);
 }
 
-interface CognitoFixtureSeederClientProps extends Partial<Omit<UserPoolClientProps, "userPool" | "generateSecret">> {
-    readonly userPool: IUserPool;
-}
-/**
- * Dedicated Cognito app client for the OpenHI fixture-seeder CLI
- * (`@openhi/seed-fixtures`).
- *
- * Why a dedicated client (vs reusing the SPA client):
- * - Tightly scoped: only the seeder consumes tokens issued here, so an
- *   audit trail of seeder activity is cleanly separable.
- * - Decoupled from the SPA client's OAuth flows — no risk of breaking
- *   web-app sign-in by tweaking auth-flow settings here.
- * - Stage-conditional creation upstream (only provisioned in non-prod
- *   environments) means prod stacks never carry a code path that could
- *   issue a fixture-seeder token in the first place.
- *
- * Why USER_PASSWORD_AUTH (vs M2M client-credentials):
- * - Cognito's M2M tier has a per-app-client monthly fee plus per-token
- *   activity charges. For sporadic non-prod fixture runs the per-client
- *   fee dominates the bill, especially if every dev branch spins up
- *   its own auth stack.
- * - USER_PASSWORD_AUTH against a service `fixture-seeder` user keeps
- *   the cost in MAU territory (free under the 50K MAU tier).
- * - Tradeoff: passwords need rotation and the service user must be
- *   provisioned per non-prod environment (manual or scripted post-deploy).
- *
- * No client secret (`generateSecret: false`): USER_PASSWORD_AUTH
- * authenticates with the password directly; a secret would just add
- * another credential to manage without strengthening anything.
- */
-declare class CognitoFixtureSeederClient extends UserPoolClient {
-    /**
-     * SSM parameter name suffix used to publish this client's ID for
-     * cross-stack lookups. Built into a full parameter name via
-     * `buildParameterName` with `serviceType` AUTH (since the auth stack
-     * owns this resource).
-     */
-    static readonly SSM_PARAM_NAME = "COGNITO_FIXTURE_SEEDER_CLIENT";
-    constructor(scope: Construct, props: CognitoFixtureSeederClientProps);
-}
-
 /**
  * @see sites/www-docs/content/packages/@openhi/constructs/components/cognito/cognito-user-pool.md
  */
@@ -1131,17 +1090,6 @@ declare class OpenHiAuthService extends OpenHiService {
      * Returns an IUserPoolClient by looking up the Auth stack's User Pool Client ID from SSM.
      */
     static userPoolClientFromConstruct(scope: Construct): IUserPoolClient;
-    /**
-     * Returns the dedicated fixture-seeder IUserPoolClient by looking up
-     * its ID from SSM. Only non-prod auth stacks publish this parameter
-     * (per the conditional in {@link createFixtureSeederClient}); calling
-     * this against a prod-deployed stack will fail at lookup time.
-     *
-     * Consumed by `OpenHiRestApiService` (in non-prod) so the authorizer
-     * accepts tokens issued by this client, and by the seed-fixtures CLI
-     * to drive USER_PASSWORD_AUTH against this client's ID.
-     */
-    static fixtureSeederClientFromConstruct(scope: Construct): IUserPoolClient;
     /**
      * Returns an IUserPoolDomain by looking up the Auth stack's User Pool Domain from SSM.
      */
@@ -1161,12 +1109,6 @@ declare class OpenHiAuthService extends OpenHiService {
     readonly userPool: IUserPool;
     readonly userPoolClient: IUserPoolClient;
     readonly userPoolDomain: IUserPoolDomain;
-    /**
-     * Dedicated USER_PASSWORD_AUTH client for the seed-fixtures CLI.
-     * Only created in non-prod environments (see
-     * {@link createFixtureSeederClient}). `undefined` in prod.
-     */
-    readonly fixtureSeederClient?: IUserPoolClient;
     /**
      * Cross-stack reference to the data store table. Cached so repeated
      * lookups share a single CDK construct id ("dynamo-db-data-store") in
@@ -1245,18 +1187,6 @@ declare class OpenHiAuthService extends OpenHiService {
      * Override to customize.
      */
     protected createUserPoolClient(): IUserPoolClient;
-    /**
-     * Creates the dedicated USER_PASSWORD_AUTH app client for the
-     * `@openhi/seed-fixtures` CLI, **only** in non-prod environments.
-     * Returns `undefined` when this stack is being deployed to a prod
-     * stage so the prod auth stack carries no fixture-seeder code path.
-     *
-     * Operator post-deploy: create a `fixture-seeder` Cognito user with
-     * a service password (manually via console or scripted with
-     * `aws cognito-idp admin-create-user`); the CLI consumes those creds
-     * via env vars to drive `InitiateAuth`.
-     */
-    protected createFixtureSeederClient(): IUserPoolClient | undefined;
     /**
      * Creates the User Pool Domain (Cognito hosted UI) and exports domain name to SSM.
      * Look up via {@link OpenHiAuthService.userPoolDomainFromConstruct}.
@@ -1522,12 +1452,69 @@ declare class OpenHiRestApiService extends OpenHiService {
     protected createRootHttpApi(domainName: DomainName): RootHttpApi;
 }
 
+/**
+ * @see sites/www-docs/content/packages/@openhi/constructs/workflows/control-plane/seed-demo-data/data-plane-fixtures.md
+ *
+ * Hand-authored FHIR data-plane fixture bodies the `seed-demo-data`
+ * workflow upserts into the data store on every non-prod deploy.
+ * Mirrors the OPS-009 v1 resource set: Patient, Practitioner,
+ * Observation, Encounter, Account.
+ *
+ * Ids are deterministic — re-fires of the workflow upsert the same
+ * records, satisfying the workflow's idempotency contract (no
+ * duplicates) and letting the IAM grant in `seed-demo-data-lambda.ts`
+ * enumerate exact-match `dynamodb:LeadingKeys` rather than a wildcard.
+ *
+ * The placeholder tenant carries no data-plane fixtures — only the
+ * three real demo tenants (wound-care, primary-care, mixed) get
+ * Patient/Practitioner/Observation/Encounter/Account records. The
+ * placeholder tenant exists solely as a routing target for the
+ * Cognito pre-token-generation fallback and never holds clinical
+ * data.
+ */
+/**
+ * Logical group of FHIR resources owned by a single (tenant, workspace)
+ * pair. The workflow walks `DEMO_DATA_PLANE_FIXTURES` and writes every
+ * entry against the matching workspace's `OpenHiContext`.
+ */
+interface DemoWorkspaceDataPlaneFixtures {
+    readonly tenantId: string;
+    readonly workspaceId: string;
+    /**
+     * Scenario slug used in the demo-URN identifier — mirrors the
+     * `DemoTenantSpec.scenario` value for the parent tenant. For the
+     * mixed tenant both workspaces share the `demo-mixed` scenario.
+     */
+    readonly scenario: string;
+    readonly patients: ReadonlyArray<Patient>;
+    readonly practitioners: ReadonlyArray<Practitioner>;
+    readonly observations: ReadonlyArray<Observation>;
+    readonly encounters: ReadonlyArray<Encounter>;
+    readonly accounts: ReadonlyArray<Account>;
+}
+/**
+ * Per-workspace fixtures the data-plane phase writes on every fire.
+ * The placeholder tenant carries no fixtures. The mixed tenant carries
+ * one fixture group per workspace; the two single-workspace tenants
+ * carry one each. Total: 4 fixture groups × ≈ 9 resources = ~36
+ * data-plane records.
+ *
+ * Ids embed the tenant + workspace slug so they remain unambiguous
+ * across the four workspaces (the FHIR resource id is the only thing
+ * that survives into the partition key, so a duplicate id across
+ * workspaces would still collide on read paths that scan-by-id).
+ */
+declare const DEMO_DATA_PLANE_FIXTURES: ReadonlyArray<DemoWorkspaceDataPlaneFixtures>;
+
 interface SeedDemoDataLambdaProps {
     /**
      * Data-store table the workflow upserts demo-data records into.
-     * Wired via `DYNAMO_TABLE_NAME` env var; granted scoped read on the
-     * Role PKs (pre-flight check) and scoped write on the enumerated
-     * demo Tenant / Workspace / Membership / RoleAssignment / User PKs.
+     * Wired via `DYNAMO_TABLE_NAME` env var; granted `dynamodb:GetItem`
+     * (pre-flight Role lookup) and `dynamodb:PutItem`/`dynamodb:UpdateItem`
+     * (write phase). The grants are scoped to the table ARN only; the
+     * handler itself is the scope guarantee for which records the
+     * workflow touches (see the construct body for the previous
+     * `LeadingKeys`-based grants and the reason they were dropped).
      */
     readonly dataStoreTable: ITable;
     /**
@@ -1980,4 +1967,4 @@ declare class RenameCascadeWorkflow extends Construct {
     constructor(scope: Construct, props: RenameCascadeWorkflowProps);
 }
 
-export { type BuildParameterNameProps, ChildHostedZone, type ChildHostedZoneProps, CognitoFixtureSeederClient, type CognitoFixtureSeederClientProps, CognitoUserPool, CognitoUserPoolClient, CognitoUserPoolDomain, CognitoUserPoolKmsKey, ControlEventBus, DATA_STORE_CHANGE_DETAIL_MAX_UTF8_BYTES, DATA_STORE_CHANGE_DETAIL_TYPE, DATA_STORE_CHANGE_EVENT_SOURCE, DataEventBus, DataStoreHistoricalArchive, type DataStoreHistoricalArchiveProps, DataStorePostgresReplica, type DataStorePostgresReplicaProps, DiscoverableStringParameter, type DiscoverableStringParameterProps, DynamoDbDataStore, type DynamoDbDataStoreProps, type FhirCurrentResourceChangeDetail, type GrantConsumerOptions, OPENHI_TAG_SUFFIX_BRANCH_NAME, OPENHI_TAG_SUFFIX_REPO_NAME, OPENHI_TAG_SUFFIX_SERVICE_TYPE, OPENHI_TAG_SUFFIX_STAGE_TYPE, OpenHiApp, type OpenHiAppProps, OpenHiAuthService, type OpenHiAuthServiceProps, OpenHiDataService, type OpenHiDataServiceProps, OpenHiEnvironment, type OpenHiEnvironmentProps, OpenHiGlobalService, type OpenHiGlobalServiceProps, OpenHiGraphqlService, type OpenHiGraphqlServiceProps, OpenHiRestApiService, type OpenHiRestApiServiceProps, OpenHiService, type OpenHiServiceProps, type OpenHiServiceType, OpenHiStage, type OpenHiStageProps, OpsEventBus, OwningDeleteCascadeLambdas, type OwningDeleteCascadeLambdasProps, OwningDeleteCascadeWorkflow, type OwningDeleteCascadeWorkflowProps, POSTGRES_REPLICA_CLUSTER_ARN_SSM_NAME, POSTGRES_REPLICA_DATABASE_NAME_SSM_NAME, POSTGRES_REPLICA_SECRET_ARN_SSM_NAME, PlatformDeployBridge, PlatformDeployBridgeLambda, type PlatformDeployBridgeLambdaProps, type PlatformDeployBridgeProps, PostAuthenticationLambda, PostConfirmationLambda, type PostConfirmationLambdaProps, PreTokenGenerationLambda, type PreTokenGenerationLambdaProps, ProvisionDefaultWorkspaceLambda, type ProvisionDefaultWorkspaceLambdaProps, REST_API_BASE_URL_SSM_NAME, RenameCascadeLambdas, type RenameCascadeLambdasProps, RenameCascadeWorkflow, type RenameCascadeWorkflowProps, RootGraphqlApi, type RootGraphqlApiProps, RootHostedZone, RootHttpApi, type RootHttpApiProps, RootWildcardCertificate, SEED_SYSTEM_DATA_ACTOR_SYSTEM, SEED_SYSTEM_DATA_CONSUMER_NAME, SEED_SYSTEM_DATA_CONTROL_BUS_ENV_VAR, STATIC_HOSTING_SERVICE_TYPE, SeedDemoDataLambda, type SeedDemoDataLambdaProps, SeedDemoDataWorkflow, type SeedDemoDataWorkflowProps, SeedSystemDataLambda, type SeedSystemDataLambdaProps, SeedSystemDataWorkflow, type SeedSystemDataWorkflowProps, StaticHosting, type StaticHostingProps, UserOnboardingWorkflow, type UserOnboardingWorkflowProps, WorkflowDedupConsumerNameInvalidError, WorkflowDedupTable, WorkflowDedupTableDuplicateError, type WorkflowDedupTableProps, buildFhirCurrentResourceChangeDetail, getDynamoDbDataStoreTableName, getPostgresReplicaSchemaName, getWorkflowDedupTableName, openHiTagKey };
+export { type BuildParameterNameProps, ChildHostedZone, type ChildHostedZoneProps, CognitoUserPool, CognitoUserPoolClient, CognitoUserPoolDomain, CognitoUserPoolKmsKey, ControlEventBus, DATA_STORE_CHANGE_DETAIL_MAX_UTF8_BYTES, DATA_STORE_CHANGE_DETAIL_TYPE, DATA_STORE_CHANGE_EVENT_SOURCE, DEMO_DATA_PLANE_FIXTURES, DataEventBus, DataStoreHistoricalArchive, type DataStoreHistoricalArchiveProps, DataStorePostgresReplica, type DataStorePostgresReplicaProps, type DemoWorkspaceDataPlaneFixtures, DiscoverableStringParameter, type DiscoverableStringParameterProps, DynamoDbDataStore, type DynamoDbDataStoreProps, type FhirCurrentResourceChangeDetail, type GrantConsumerOptions, OPENHI_TAG_SUFFIX_BRANCH_NAME, OPENHI_TAG_SUFFIX_REPO_NAME, OPENHI_TAG_SUFFIX_SERVICE_TYPE, OPENHI_TAG_SUFFIX_STAGE_TYPE, OpenHiApp, type OpenHiAppProps, OpenHiAuthService, type OpenHiAuthServiceProps, OpenHiDataService, type OpenHiDataServiceProps, OpenHiEnvironment, type OpenHiEnvironmentProps, OpenHiGlobalService, type OpenHiGlobalServiceProps, OpenHiGraphqlService, type OpenHiGraphqlServiceProps, OpenHiRestApiService, type OpenHiRestApiServiceProps, OpenHiService, type OpenHiServiceProps, type OpenHiServiceType, OpenHiStage, type OpenHiStageProps, OpsEventBus, OwningDeleteCascadeLambdas, type OwningDeleteCascadeLambdasProps, OwningDeleteCascadeWorkflow, type OwningDeleteCascadeWorkflowProps, POSTGRES_REPLICA_CLUSTER_ARN_SSM_NAME, POSTGRES_REPLICA_DATABASE_NAME_SSM_NAME, POSTGRES_REPLICA_SECRET_ARN_SSM_NAME, PlatformDeployBridge, PlatformDeployBridgeLambda, type PlatformDeployBridgeLambdaProps, type PlatformDeployBridgeProps, PostAuthenticationLambda, PostConfirmationLambda, type PostConfirmationLambdaProps, PreTokenGenerationLambda, type PreTokenGenerationLambdaProps, ProvisionDefaultWorkspaceLambda, type ProvisionDefaultWorkspaceLambdaProps, REST_API_BASE_URL_SSM_NAME, RenameCascadeLambdas, type RenameCascadeLambdasProps, RenameCascadeWorkflow, type RenameCascadeWorkflowProps, RootGraphqlApi, type RootGraphqlApiProps, RootHostedZone, RootHttpApi, type RootHttpApiProps, RootWildcardCertificate, SEED_SYSTEM_DATA_ACTOR_SYSTEM, SEED_SYSTEM_DATA_CONSUMER_NAME, SEED_SYSTEM_DATA_CONTROL_BUS_ENV_VAR, STATIC_HOSTING_SERVICE_TYPE, SeedDemoDataLambda, type SeedDemoDataLambdaProps, SeedDemoDataWorkflow, type SeedDemoDataWorkflowProps, SeedSystemDataLambda, type SeedSystemDataLambdaProps, SeedSystemDataWorkflow, type SeedSystemDataWorkflowProps, StaticHosting, type StaticHostingProps, UserOnboardingWorkflow, type UserOnboardingWorkflowProps, WorkflowDedupConsumerNameInvalidError, WorkflowDedupTable, WorkflowDedupTableDuplicateError, type WorkflowDedupTableProps, buildFhirCurrentResourceChangeDetail, getDynamoDbDataStoreTableName, getPostgresReplicaSchemaName, getWorkflowDedupTableName, openHiTagKey };