@openhi/constructs 0.0.113 → 0.0.115

package/lib/index.js

@@ -771,7 +771,6 @@ __export(src_exports, {
   CLOUDFORMATION_STACK_STATUS_CHANGE_DETAIL_TYPE: () => CLOUDFORMATION_STACK_STATUS_CHANGE_DETAIL_TYPE,
   CONTROL_EVENT_BUS_NAME_ENV_VAR: () => CONTROL_EVENT_BUS_NAME_ENV_VAR,
   ChildHostedZone: () => ChildHostedZone,
-  CognitoFixtureSeederClient: () => CognitoFixtureSeederClient,
   CognitoUserPool: () => CognitoUserPool,
   CognitoUserPoolClient: () => CognitoUserPoolClient,
   CognitoUserPoolDomain: () => CognitoUserPoolDomain,
@@ -786,6 +785,7 @@ __export(src_exports, {
   DATA_STORE_CHANGE_DETAIL_MAX_UTF8_BYTES: () => DATA_STORE_CHANGE_DETAIL_MAX_UTF8_BYTES,
   DATA_STORE_CHANGE_DETAIL_TYPE: () => DATA_STORE_CHANGE_DETAIL_TYPE,
   DATA_STORE_CHANGE_EVENT_SOURCE: () => DATA_STORE_CHANGE_EVENT_SOURCE,
+  DEMO_DATA_PLANE_FIXTURES: () => DEMO_DATA_PLANE_FIXTURES,
   DEMO_PERIOD: () => DEMO_PERIOD,
   DEMO_TENANT_SPECS: () => DEMO_TENANT_SPECS,
   DEMO_URN_SYSTEM: () => DEMO_URN_SYSTEM,
@@ -864,23 +864,15 @@ __export(src_exports, {
   WorkflowDedupTableDuplicateError: () => WorkflowDedupTableDuplicateError,
   buildFhirCurrentResourceChangeDetail: () => buildFhirCurrentResourceChangeDetail,
   buildProvisionDefaultWorkspaceRequestedDetail: () => buildProvisionDefaultWorkspaceRequestedDetail,
-  demoBasePartitionKeys: () => demoBasePartitionKeys,
-  demoDevUserPartitionKeys: () => demoDevUserPartitionKeys,
   demoMembershipId: () => demoMembershipId,
-  demoMembershipPartitionKey: () => demoMembershipPartitionKey,
   demoRoleAssignmentId: () => demoRoleAssignmentId,
-  demoRoleAssignmentPartitionKey: () => demoRoleAssignmentPartitionKey,
   demoRolesForUserInTenant: () => demoRolesForUserInTenant,
   demoScenarioIdentifier: () => demoScenarioIdentifier,
-  demoTenantPartitionKey: () => demoTenantPartitionKey,
-  demoUserPartitionKey: () => demoUserPartitionKey,
-  demoWorkspacePartitionKey: () => demoWorkspacePartitionKey,
   getDynamoDbDataStoreTableName: () => getDynamoDbDataStoreTableName,
   getPostgresReplicaSchemaName: () => getPostgresReplicaSchemaName,
   getWorkflowDedupTableName: () => getWorkflowDedupTableName,
   openHiTagKey: () => openHiTagKey,
-  openhiResourceIdentifier: () => openhiResourceIdentifier,
-  rolePartitionKey: () => rolePartitionKey
+  openhiResourceIdentifier: () => openhiResourceIdentifier
 });
 module.exports = __toCommonJS(src_exports);
 
@@ -1352,47 +1344,9 @@ var _RootGraphqlApi = class _RootGraphqlApi extends import_aws_appsync.GraphqlAp
 _RootGraphqlApi.SSM_PARAM_NAME = "ROOT_GRAPHQL_API";
 var RootGraphqlApi = _RootGraphqlApi;
 
-// src/components/cognito/cognito-fixture-seeder-client.ts
-var import_aws_cdk_lib6 = require("aws-cdk-lib");
-var import_aws_cognito = require("aws-cdk-lib/aws-cognito");
-var CognitoFixtureSeederClient = class extends import_aws_cognito.UserPoolClient {
-  constructor(scope, props) {
-    const { userPool, ...rest } = props;
-    super(scope, "fixture-seeder-client", {
-      userPool,
-      generateSecret: false,
-      authFlows: {
-        userPassword: true
-      },
-      // No OAuth flows — the seeder calls Cognito's `InitiateAuth`
-      // directly with USER_PASSWORD_AUTH, not through the hosted-UI
-      // OAuth grant flows the SPA client uses. `disableOAuth: true`
-      // causes CDK to omit `AllowedOAuthFlowsUserPoolClient` entirely;
-      // passing an empty `oAuth` block instead still flips that flag on
-      // and Cognito rejects the create call for missing flows/scopes.
-      disableOAuth: true,
-      // Short-lived tokens: a seeder run takes seconds, not hours.
-      // 1h access-token validity is the minimum Cognito permits and is
-      // plenty for a fixture run.
-      accessTokenValidity: import_aws_cdk_lib6.Duration.hours(1),
-      idTokenValidity: import_aws_cdk_lib6.Duration.hours(1),
-      refreshTokenValidity: import_aws_cdk_lib6.Duration.days(1),
-      preventUserExistenceErrors: true,
-      ...rest
-    });
-  }
-};
-/**
- * SSM parameter name suffix used to publish this client's ID for
- * cross-stack lookups. Built into a full parameter name via
- * `buildParameterName` with `serviceType` AUTH (since the auth stack
- * owns this resource).
- */
-CognitoFixtureSeederClient.SSM_PARAM_NAME = "COGNITO_FIXTURE_SEEDER_CLIENT";
-
 // src/components/cognito/cognito-user-pool.ts
-var import_aws_cognito2 = require("aws-cdk-lib/aws-cognito");
-var CognitoUserPool = class extends import_aws_cognito2.UserPool {
+var import_aws_cognito = require("aws-cdk-lib/aws-cognito");
+var CognitoUserPool = class extends import_aws_cognito.UserPool {
   constructor(scope, props = {}) {
     const service = OpenHiService.of(scope);
     super(scope, "user-pool", {
@@ -1406,13 +1360,13 @@ var CognitoUserPool = class extends import_aws_cognito2.UserPool {
       userVerification: {
         emailSubject: "Verify your email!",
         emailBody: "Your verification code is {####}.",
-        emailStyle: import_aws_cognito2.VerificationEmailStyle.CODE
+        emailStyle: import_aws_cognito.VerificationEmailStyle.CODE
       },
       removalPolicy: props.removalPolicy ?? service.removalPolicy,
       // Plus is required for access-token V2 claim customization in the
       // pre-token-generation Lambda. Essentials silently drops
       // claimsAndScopeOverrideDetails.accessTokenGeneration.claimsToAddOrOverride.
-      featurePlan: import_aws_cognito2.FeaturePlan.PLUS,
+      featurePlan: import_aws_cognito.FeaturePlan.PLUS,
       /**
        * Over-rideable props
        */
@@ -1430,8 +1384,8 @@ var CognitoUserPool = class extends import_aws_cognito2.UserPool {
 CognitoUserPool.SSM_PARAM_NAME = "COGNITO_USER_POOL";
 
 // src/components/cognito/cognito-user-pool-client.ts
-var import_aws_cognito3 = require("aws-cdk-lib/aws-cognito");
-var CognitoUserPoolClient = class extends import_aws_cognito3.UserPoolClient {
+var import_aws_cognito2 = require("aws-cdk-lib/aws-cognito");
+var CognitoUserPoolClient = class extends import_aws_cognito2.UserPoolClient {
   constructor(scope, props) {
     super(scope, "user-pool-client", {
       /**
@@ -1458,8 +1412,8 @@ var CognitoUserPoolClient = class extends import_aws_cognito3.UserPoolClient {
 CognitoUserPoolClient.SSM_PARAM_NAME = "COGNITO_USER_POOL_CLIENT";
 
 // src/components/cognito/cognito-user-pool-domain.ts
-var import_aws_cognito4 = require("aws-cdk-lib/aws-cognito");
-var CognitoUserPoolDomain = class extends import_aws_cognito4.UserPoolDomain {
+var import_aws_cognito3 = require("aws-cdk-lib/aws-cognito");
+var CognitoUserPoolDomain = class extends import_aws_cognito3.UserPoolDomain {
   constructor(scope, props) {
     const id = props.cognitoDomain?.domainPrefix ? "cognito-domain" : "custom-domain";
     super(scope, id, {
@@ -1697,7 +1651,7 @@ function buildFhirCurrentResourceChangeDetail(record, keys) {
 // src/components/dynamodb/data-store-historical-archive.ts
 var import_node_fs4 = __toESM(require("fs"));
 var import_node_path4 = __toESM(require("path"));
-var import_aws_cdk_lib7 = require("aws-cdk-lib");
+var import_aws_cdk_lib6 = require("aws-cdk-lib");
 var kinesisfirehose = __toESM(require("aws-cdk-lib/aws-kinesisfirehose"));
 var import_aws_lambda4 = require("aws-cdk-lib/aws-lambda");
 var import_aws_lambda_nodejs4 = require("aws-cdk-lib/aws-lambda-nodejs");
@@ -1719,7 +1673,7 @@ var DataStoreHistoricalArchive = class extends import_constructs4.Construct {
       encryption: s3.BucketEncryption.S3_MANAGED,
       enforceSSL: true,
       removalPolicy: props.removalPolicy,
-      autoDeleteObjects: props.removalPolicy === import_aws_cdk_lib7.RemovalPolicy.DESTROY,
+      autoDeleteObjects: props.removalPolicy === import_aws_cdk_lib6.RemovalPolicy.DESTROY,
       versioned: true
     });
     const putEventsFailureDlqBucket = props.dataEventBus ? new s3.Bucket(this, "PutEventsFailureDlq", {
@@ -1727,7 +1681,7 @@ var DataStoreHistoricalArchive = class extends import_constructs4.Construct {
       encryption: s3.BucketEncryption.S3_MANAGED,
       enforceSSL: true,
       removalPolicy: props.removalPolicy,
-      autoDeleteObjects: props.removalPolicy === import_aws_cdk_lib7.RemovalPolicy.DESTROY,
+      autoDeleteObjects: props.removalPolicy === import_aws_cdk_lib6.RemovalPolicy.DESTROY,
       versioned: false
     }) : void 0;
     this.putEventsFailureDlqBucket = putEventsFailureDlqBucket;
@@ -1735,7 +1689,7 @@ var DataStoreHistoricalArchive = class extends import_constructs4.Construct {
       entry: resolveHandlerEntry4(__dirname),
       runtime: import_aws_lambda4.Runtime.NODEJS_LATEST,
       memorySize: 512,
-      timeout: import_aws_cdk_lib7.Duration.minutes(1),
+      timeout: import_aws_cdk_lib6.Duration.minutes(1),
       description: "Firehose transform: filter CURRENT resource rows, S3 keys, EventBridge PutEvents",
       environment: props.dataEventBus && putEventsFailureDlqBucket ? {
         DATA_EVENT_BUS_NAME: props.dataEventBus.eventBusName,
@@ -1751,16 +1705,16 @@ var DataStoreHistoricalArchive = class extends import_constructs4.Construct {
     const processor = new kinesisfirehose.LambdaFunctionProcessor(
       this.transformFunction,
       {
-        bufferInterval: import_aws_cdk_lib7.Duration.seconds(60),
-        bufferSize: import_aws_cdk_lib7.Size.mebibytes(3),
+        bufferInterval: import_aws_cdk_lib6.Duration.seconds(60),
+        bufferSize: import_aws_cdk_lib6.Size.mebibytes(3),
         retries: 3
       }
     );
     const destination = new kinesisfirehose.S3Bucket(this.archiveBucket, {
       compression: kinesisfirehose.Compression.GZIP,
-      bufferingInterval: import_aws_cdk_lib7.Duration.seconds(300),
+      bufferingInterval: import_aws_cdk_lib6.Duration.seconds(300),
       // Firehose requires SizeInMBs ≥ 64 when dynamic partitioning is enabled.
-      bufferingSize: import_aws_cdk_lib7.Size.mebibytes(64),
+      bufferingSize: import_aws_cdk_lib6.Size.mebibytes(64),
       processors: [processor],
       errorOutputPrefix: "errors/!{firehose:error-output-type}/!{timestamp:yyyy/MM/dd/HH}/",
       loggingConfig: new kinesisfirehose.EnableLogging()
@@ -1868,7 +1822,7 @@ var DynamoDbDataStore = class extends import_aws_dynamodb.Table {
 
 // src/components/dynamodb/workflow-dedup-table.ts
 var import_workflows = __toESM(require_lib2());
-var import_aws_cdk_lib8 = require("aws-cdk-lib");
+var import_aws_cdk_lib7 = require("aws-cdk-lib");
 var import_aws_dynamodb2 = require("aws-cdk-lib/aws-dynamodb");
 var import_aws_iam = require("aws-cdk-lib/aws-iam");
 var import_constructs5 = require("constructs");
@@ -1999,7 +1953,7 @@ var _WorkflowDedupTable = class _WorkflowDedupTable extends import_constructs5.C
   grantConsumer(fn, consumerName, options = {}) {
     this.assertConsumerName(consumerName);
     if (this.registeredConsumers.has(consumerName)) {
-      import_aws_cdk_lib8.Annotations.of(this).addWarning(
+      import_aws_cdk_lib7.Annotations.of(this).addWarning(
         `WorkflowDedupTable: consumerName "${consumerName}" registered more than once; subsequent grantConsumer calls add policy statements but do not re-inject the env var.`
       );
     }
@@ -2133,7 +2087,7 @@ var ControlEventBus = class _ControlEventBus extends import_aws_events3.EventBus
 // src/components/postgres/data-store-postgres-replica.ts
 var import_node_fs5 = __toESM(require("fs"));
 var import_node_path5 = __toESM(require("path"));
-var import_aws_cdk_lib9 = require("aws-cdk-lib");
+var import_aws_cdk_lib8 = require("aws-cdk-lib");
 var ec2 = __toESM(require("aws-cdk-lib/aws-ec2"));
 var import_aws_lambda5 = require("aws-cdk-lib/aws-lambda");
 var import_aws_lambda_event_sources = require("aws-cdk-lib/aws-lambda-event-sources");
@@ -2199,7 +2153,7 @@ var DataStorePostgresReplica = class extends import_constructs6.Construct {
     super(scope, id);
     this.databaseName = props.databaseName ?? DEFAULT_DATABASE_NAME;
     this.schemaName = getPostgresReplicaSchemaName(props.branchHash);
-    const region = import_aws_cdk_lib9.Stack.of(this).region;
+    const region = import_aws_cdk_lib8.Stack.of(this).region;
     this.vpc = props.vpc ?? new ec2.Vpc(this, "Vpc", {
       availabilityZones: [`${region}a`, `${region}b`],
       natGateways: 0,
@@ -2235,7 +2189,7 @@ var DataStorePostgresReplica = class extends import_constructs6.Construct {
       entry: resolveHandlerEntry5(__dirname),
       runtime: import_aws_lambda5.Runtime.NODEJS_LATEST,
       memorySize: 512,
-      timeout: import_aws_cdk_lib9.Duration.minutes(1),
+      timeout: import_aws_cdk_lib8.Duration.minutes(1),
       vpc: this.vpc,
       vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE_ISOLATED },
       description: "Replicates DynamoDB current-resource changes into the Postgres `resources` JSONB table (ADR 2026-04-17-01).",
@@ -2262,7 +2216,7 @@ var DataStorePostgresReplica = class extends import_constructs6.Construct {
       new import_aws_lambda_event_sources.KinesisEventSource(props.kinesisStream, {
         startingPosition: import_aws_lambda5.StartingPosition.LATEST,
         batchSize: 100,
-        maxBatchingWindow: import_aws_cdk_lib9.Duration.seconds(5),
+        maxBatchingWindow: import_aws_cdk_lib8.Duration.seconds(5),
         retryAttempts: 10,
         bisectBatchOnError: true,
         parallelizationFactor: 2,
@@ -2295,7 +2249,7 @@ var DataStorePostgresReplica = class extends import_constructs6.Construct {
 };
 
 // src/components/route-53/child-hosted-zone.ts
-var import_aws_cdk_lib10 = require("aws-cdk-lib");
+var import_aws_cdk_lib9 = require("aws-cdk-lib");
 var import_aws_route53 = require("aws-cdk-lib/aws-route53");
 var ChildHostedZone = class extends import_aws_route53.HostedZone {
   constructor(scope, id, props) {
@@ -2304,7 +2258,7 @@ var ChildHostedZone = class extends import_aws_route53.HostedZone {
       zone: props.parentHostedZone,
       recordName: this.zoneName,
       values: this.hostedZoneNameServers || [],
-      ttl: import_aws_cdk_lib10.Duration.minutes(5)
+      ttl: import_aws_cdk_lib9.Duration.minutes(5)
     });
   }
 };
@@ -2377,8 +2331,7 @@ _StaticHosting.SSM_PARAM_NAME_DISTRIBUTION_ARN = "STATIC_HOSTING_DISTRIBUTION_AR
 var StaticHosting = _StaticHosting;
 
 // src/services/open-hi-auth-service.ts
-var import_config5 = __toESM(require_lib());
-var import_aws_cognito5 = require("aws-cdk-lib/aws-cognito");
+var import_aws_cognito4 = require("aws-cdk-lib/aws-cognito");
 var import_aws_iam6 = require("aws-cdk-lib/aws-iam");
 var import_aws_kms2 = require("aws-cdk-lib/aws-kms");
 var import_core2 = require("aws-cdk-lib/core");
@@ -2409,7 +2362,7 @@ var import_constructs10 = require("constructs");
 // src/workflows/control-plane/platform-deploy-bridge/platform-deploy-bridge-lambda.ts
 var import_node_fs6 = __toESM(require("fs"));
 var import_node_path6 = __toESM(require("path"));
-var import_aws_cdk_lib11 = require("aws-cdk-lib");
+var import_aws_cdk_lib10 = require("aws-cdk-lib");
 var import_aws_events4 = require("aws-cdk-lib/aws-events");
 var import_aws_events_targets = require("aws-cdk-lib/aws-events-targets");
 var import_aws_iam2 = require("aws-cdk-lib/aws-iam");
@@ -2433,15 +2386,15 @@ var PlatformDeployBridgeLambda = class extends import_constructs9.Construct {
       OPENHI_TAG_SUFFIX_REPO_NAME
     );
     const tagKeyPrefix = `${service.appName}:`;
-    const ownStackName = import_aws_cdk_lib11.Stack.of(this).stackName;
-    const ownSuffix = `-${service.serviceId}-${import_aws_cdk_lib11.Stack.of(this).account}-${import_aws_cdk_lib11.Stack.of(this).region}`;
+    const ownStackName = import_aws_cdk_lib10.Stack.of(this).stackName;
+    const ownSuffix = `-${service.serviceId}-${import_aws_cdk_lib10.Stack.of(this).account}-${import_aws_cdk_lib10.Stack.of(this).region}`;
     const sharedPrefix = ownStackName.endsWith(ownSuffix) ? ownStackName.slice(0, -ownSuffix.length) : service.branchHash;
-    const stackIdPrefix = `arn:aws:cloudformation:${import_aws_cdk_lib11.Stack.of(this).region}:${import_aws_cdk_lib11.Stack.of(this).account}:stack/${sharedPrefix}-`;
+    const stackIdPrefix = `arn:aws:cloudformation:${import_aws_cdk_lib10.Stack.of(this).region}:${import_aws_cdk_lib10.Stack.of(this).account}:stack/${sharedPrefix}-`;
     this.lambda = new import_aws_lambda_nodejs6.NodejsFunction(this, "handler", {
       entry: resolveHandlerEntry6(__dirname),
       runtime: import_aws_lambda6.Runtime.NODEJS_LATEST,
       memorySize: 256,
-      timeout: import_aws_cdk_lib11.Duration.seconds(30),
+      timeout: import_aws_cdk_lib10.Duration.seconds(30),
       environment: {
         [CONTROL_EVENT_BUS_NAME_ENV_VAR]: props.controlEventBus.eventBusName,
         [OPENHI_REPO_TAG_KEY_ENV_VAR]: repoTagKey,
@@ -2453,7 +2406,7 @@ var PlatformDeployBridgeLambda = class extends import_constructs9.Construct {
         effect: import_aws_iam2.Effect.ALLOW,
         actions: ["cloudformation:DescribeStacks"],
         resources: [
-          `arn:aws:cloudformation:${import_aws_cdk_lib11.Stack.of(this).region}:${import_aws_cdk_lib11.Stack.of(this).account}:stack/*`
+          `arn:aws:cloudformation:${import_aws_cdk_lib10.Stack.of(this).region}:${import_aws_cdk_lib10.Stack.of(this).account}:stack/*`
         ]
       })
     );
@@ -2472,7 +2425,7 @@ var PlatformDeployBridgeLambda = class extends import_constructs9.Construct {
       targets: [
         new import_aws_events_targets.LambdaFunction(this.lambda, {
           retryAttempts: 2,
-          maxEventAge: import_aws_cdk_lib11.Duration.hours(2)
+          maxEventAge: import_aws_cdk_lib10.Duration.hours(2)
         })
       ]
     });
@@ -2764,61 +2717,428 @@ var demoRolesForUserInTenant = (_user, _tenantId) => {
   void _tenantId;
   return [import_types.PLATFORM_ROLE_CODE.TENANT_ADMIN];
 };
-var rolePartitionKey = (roleId) => `role#id#${roleId}`;
-var demoTenantPartitionKey = (tenantId) => `tenant#id#${tenantId}`;
-var demoWorkspacePartitionKey = (tenantId, workspaceId) => `tid#${tenantId}#workspace#id#${workspaceId}`;
-var demoMembershipPartitionKey = (tenantId, membershipId) => `tid#${tenantId}#membership#id#${membershipId}`;
-var demoRoleAssignmentPartitionKey = (tenantId, roleAssignmentId) => `tid#${tenantId}#roleassignment#id#${roleAssignmentId}`;
-var demoUserPartitionKey = (userId) => `user#id#${userId}`;
-var demoBasePartitionKeys = () => {
-  const keys = [];
-  for (const spec of DEMO_TENANT_SPECS) {
-    keys.push(demoTenantPartitionKey(spec.tenantId));
-    for (const workspace of spec.workspaces) {
-      keys.push(demoWorkspacePartitionKey(spec.tenantId, workspace.id));
+
+// src/workflows/control-plane/seed-demo-data/data-plane-fixtures.ts
+var fixtureIdentifiers = (scenario, tenantId, workspaceId, resourceType, id, roleSuffix) => [
+  demoScenarioIdentifier(scenario, roleSuffix),
+  openhiResourceIdentifier({
+    tenantId,
+    workspaceId,
+    resourceType,
+    id
+  })
+];
+var buildWoundCareFixtures = (scenario, tenantId, workspaceId, idPrefix) => ({
+  tenantId,
+  workspaceId,
+  scenario,
+  patients: [
+    {
+      resourceType: "Patient",
+      id: `${idPrefix}-patient-1`,
+      identifier: fixtureIdentifiers(
+        scenario,
+        tenantId,
+        workspaceId,
+        "Patient",
+        `${idPrefix}-patient-1`,
+        `patient-1`
+      ),
+      active: true,
+      name: [{ family: "Carter", given: ["Eleanor"], use: "official" }],
+      gender: "female",
+      birthDate: "1952-04-18"
+    },
+    {
+      resourceType: "Patient",
+      id: `${idPrefix}-patient-2`,
+      identifier: fixtureIdentifiers(
+        scenario,
+        tenantId,
+        workspaceId,
+        "Patient",
+        `${idPrefix}-patient-2`,
+        `patient-2`
+      ),
+      active: true,
+      name: [{ family: "Nguyen", given: ["Hao"], use: "official" }],
+      gender: "male",
+      birthDate: "1968-11-02"
     }
-  }
-  return keys;
-};
-var demoDevUserPartitionKeys = (devUsers) => {
-  const keys = [];
-  for (const user of devUsers) {
-    keys.push(demoUserPartitionKey(user.id));
-    for (const spec of DEMO_TENANT_SPECS) {
-      keys.push(
-        demoMembershipPartitionKey(
-          spec.tenantId,
-          demoMembershipId(user.id, spec.tenantId)
-        )
+  ],
+  practitioners: [
+    {
+      resourceType: "Practitioner",
+      id: `${idPrefix}-practitioner-1`,
+      identifier: fixtureIdentifiers(
+        scenario,
+        tenantId,
+        workspaceId,
+        "Practitioner",
+        `${idPrefix}-practitioner-1`,
+        `practitioner-1`
+      ),
+      active: true,
+      name: [{ family: "Reyes", given: ["Maria"], prefix: ["Dr."] }],
+      gender: "female"
+    },
+    {
+      resourceType: "Practitioner",
+      id: `${idPrefix}-practitioner-2`,
+      identifier: fixtureIdentifiers(
+        scenario,
+        tenantId,
+        workspaceId,
+        "Practitioner",
+        `${idPrefix}-practitioner-2`,
+        `practitioner-2`
+      ),
+      active: true,
+      name: [{ family: "Okafor", given: ["Chinedu"], prefix: ["Dr."] }],
+      gender: "male"
+    }
+  ],
+  observations: [
+    {
+      resourceType: "Observation",
+      id: `${idPrefix}-observation-1`,
+      identifier: fixtureIdentifiers(
+        scenario,
+        tenantId,
+        workspaceId,
+        "Observation",
+        `${idPrefix}-observation-1`,
+        `observation-1`
+      ),
+      status: "final",
+      code: {
+        coding: [
+          {
+            system: "http://loinc.org",
+            code: "39135-9",
+            display: "Wound size"
+          }
+        ]
+      },
+      subject: { reference: `Patient/${idPrefix}-patient-1` },
+      valueString: "3.2cm x 2.1cm"
+    },
+    {
+      resourceType: "Observation",
+      id: `${idPrefix}-observation-2`,
+      identifier: fixtureIdentifiers(
+        scenario,
+        tenantId,
+        workspaceId,
+        "Observation",
+        `${idPrefix}-observation-2`,
+        `observation-2`
+      ),
+      status: "final",
+      code: {
+        coding: [
+          {
+            system: "http://loinc.org",
+            code: "72287-2",
+            display: "Wound exudate amount"
+          }
+        ]
+      },
+      subject: { reference: `Patient/${idPrefix}-patient-2` },
+      valueString: "moderate"
+    }
+  ],
+  encounters: [
+    {
+      resourceType: "Encounter",
+      id: `${idPrefix}-encounter-1`,
+      identifier: fixtureIdentifiers(
+        scenario,
+        tenantId,
+        workspaceId,
+        "Encounter",
+        `${idPrefix}-encounter-1`,
+        `encounter-1`
+      ),
+      status: "finished",
+      class: {
+        system: "http://terminology.hl7.org/CodeSystem/v3-ActCode",
+        code: "AMB",
+        display: "ambulatory"
+      },
+      subject: { reference: `Patient/${idPrefix}-patient-1` }
+    },
+    {
+      resourceType: "Encounter",
+      id: `${idPrefix}-encounter-2`,
+      identifier: fixtureIdentifiers(
+        scenario,
+        tenantId,
+        workspaceId,
+        "Encounter",
+        `${idPrefix}-encounter-2`,
+        `encounter-2`
+      ),
+      status: "finished",
+      class: {
+        system: "http://terminology.hl7.org/CodeSystem/v3-ActCode",
+        code: "AMB",
+        display: "ambulatory"
+      },
+      subject: { reference: `Patient/${idPrefix}-patient-2` }
+    }
+  ],
+  accounts: [
+    {
+      resourceType: "Account",
+      id: `${idPrefix}-account-1`,
+      identifier: fixtureIdentifiers(
+        scenario,
+        tenantId,
+        workspaceId,
+        "Account",
+        `${idPrefix}-account-1`,
+        `account-1`
+      ),
+      status: "active",
+      name: "Wound-care self-pay account",
+      subject: [{ reference: `Patient/${idPrefix}-patient-1` }]
+    }
+  ]
+});
+var buildPrimaryCareFixtures = (scenario, tenantId, workspaceId, idPrefix) => ({
+  tenantId,
+  workspaceId,
+  scenario,
+  patients: [
+    {
+      resourceType: "Patient",
+      id: `${idPrefix}-patient-1`,
+      identifier: fixtureIdentifiers(
+        scenario,
+        tenantId,
+        workspaceId,
+        "Patient",
+        `${idPrefix}-patient-1`,
+        `patient-1`
+      ),
+      active: true,
+      name: [{ family: "Bennett", given: ["Sophia"], use: "official" }],
+      gender: "female",
+      birthDate: "1985-06-09"
+    },
+    {
+      resourceType: "Patient",
+      id: `${idPrefix}-patient-2`,
+      identifier: fixtureIdentifiers(
+        scenario,
+        tenantId,
+        workspaceId,
+        "Patient",
+        `${idPrefix}-patient-2`,
+        `patient-2`
+      ),
+      active: true,
+      name: [{ family: "Patel", given: ["Arjun"], use: "official" }],
+      gender: "male",
+      birthDate: "1979-02-21"
+    }
+  ],
+  practitioners: [
+    {
+      resourceType: "Practitioner",
+      id: `${idPrefix}-practitioner-1`,
+      identifier: fixtureIdentifiers(
+        scenario,
+        tenantId,
+        workspaceId,
+        "Practitioner",
+        `${idPrefix}-practitioner-1`,
+        `practitioner-1`
+      ),
+      active: true,
+      name: [{ family: "Lin", given: ["Wei"], prefix: ["Dr."] }],
+      gender: "female"
+    },
+    {
+      resourceType: "Practitioner",
+      id: `${idPrefix}-practitioner-2`,
+      identifier: fixtureIdentifiers(
+        scenario,
+        tenantId,
+        workspaceId,
+        "Practitioner",
+        `${idPrefix}-practitioner-2`,
+        `practitioner-2`
+      ),
+      active: true,
+      name: [{ family: "Kowalski", given: ["Piotr"], prefix: ["Dr."] }],
+      gender: "male"
+    }
+  ],
+  observations: [
+    {
+      resourceType: "Observation",
+      id: `${idPrefix}-observation-1`,
+      identifier: fixtureIdentifiers(
+        scenario,
+        tenantId,
+        workspaceId,
+        "Observation",
+        `${idPrefix}-observation-1`,
+        `observation-1`
+      ),
+      status: "final",
+      code: {
+        coding: [
+          {
+            system: "http://loinc.org",
+            code: "8480-6",
+            display: "Systolic blood pressure"
+          }
+        ]
+      },
+      subject: { reference: `Patient/${idPrefix}-patient-1` },
+      valueQuantity: { value: 122, unit: "mm[Hg]" }
+    },
+    {
+      resourceType: "Observation",
+      id: `${idPrefix}-observation-2`,
+      identifier: fixtureIdentifiers(
+        scenario,
+        tenantId,
+        workspaceId,
+        "Observation",
+        `${idPrefix}-observation-2`,
+        `observation-2`
+      ),
+      status: "final",
+      code: {
+        coding: [
+          {
+            system: "http://loinc.org",
+            code: "8462-4",
+            display: "Diastolic blood pressure"
+          }
+        ]
+      },
+      subject: { reference: `Patient/${idPrefix}-patient-2` },
+      valueQuantity: { value: 78, unit: "mm[Hg]" }
+    }
+  ],
+  encounters: [
+    {
+      resourceType: "Encounter",
+      id: `${idPrefix}-encounter-1`,
+      identifier: fixtureIdentifiers(
+        scenario,
+        tenantId,
+        workspaceId,
+        "Encounter",
+        `${idPrefix}-encounter-1`,
+        `encounter-1`
+      ),
+      status: "finished",
+      class: {
+        system: "http://terminology.hl7.org/CodeSystem/v3-ActCode",
+        code: "AMB",
+        display: "ambulatory"
+      },
+      subject: { reference: `Patient/${idPrefix}-patient-1` }
+    },
+    {
+      resourceType: "Encounter",
+      id: `${idPrefix}-encounter-2`,
+      identifier: fixtureIdentifiers(
+        scenario,
+        tenantId,
+        workspaceId,
+        "Encounter",
+        `${idPrefix}-encounter-2`,
+        `encounter-2`
+      ),
+      status: "in-progress",
+      class: {
+        system: "http://terminology.hl7.org/CodeSystem/v3-ActCode",
+        code: "AMB",
+        display: "ambulatory"
+      },
+      subject: { reference: `Patient/${idPrefix}-patient-2` }
+    }
+  ],
+  accounts: [
+    {
+      resourceType: "Account",
+      id: `${idPrefix}-account-1`,
+      identifier: fixtureIdentifiers(
+        scenario,
+        tenantId,
+        workspaceId,
+        "Account",
+        `${idPrefix}-account-1`,
+        `account-1`
+      ),
+      status: "active",
+      name: "Primary-care insurance account",
+      subject: [{ reference: `Patient/${idPrefix}-patient-1` }]
+    }
+  ]
+});
+var DEMO_DATA_PLANE_FIXTURES = [
+  buildWoundCareFixtures(
+    "demo-wound-care",
+    "demo-wound-care-tenant",
+    "demo-wound-care-workspace",
+    "demo-wound-care"
+  ),
+  buildPrimaryCareFixtures(
+    "demo-primary-care",
+    "demo-primary-care-tenant",
+    "demo-primary-care-workspace",
+    "demo-primary-care"
+  ),
+  buildWoundCareFixtures(
+    "demo-mixed",
+    "demo-mixed-tenant",
+    "demo-mixed-workspace-wound-care",
+    "demo-mixed-wound-care"
+  ),
+  buildPrimaryCareFixtures(
+    "demo-mixed",
+    "demo-mixed-tenant",
+    "demo-mixed-workspace-primary-care",
+    "demo-mixed-primary-care"
+  )
+];
+var _validateFixturesAgainstTenantSpecs = () => {
+  for (const group of DEMO_DATA_PLANE_FIXTURES) {
+    if (group.tenantId === PLACEHOLDER_TENANT_ID) {
+      throw new Error(
+        "The placeholder tenant must not carry data-plane fixtures."
       );
-      for (const roleCode of demoRolesForUserInTenant(user, spec.tenantId)) {
-        keys.push(
-          demoRoleAssignmentPartitionKey(
-            spec.tenantId,
-            demoRoleAssignmentId(user.id, spec.tenantId, roleCode)
-          )
-        );
-      }
     }
-    keys.push(
-      demoRoleAssignmentPartitionKey(
-        PLATFORM_SCOPE_TENANT_ID,
-        demoRoleAssignmentId(
-          user.id,
-          PLATFORM_SCOPE_TENANT_ID,
-          import_types.PLATFORM_ROLE_CODE.SYSTEM_ADMIN
-        )
-      )
+    const tenant = DEMO_TENANT_SPECS.find((s) => s.tenantId === group.tenantId);
+    if (!tenant) {
+      throw new Error(
+        `Fixture references unknown tenantId "${group.tenantId}". Add a matching entry to DEMO_TENANT_SPECS first.`
+      );
+    }
+    const workspace = tenant.workspaces.find(
+      (ws) => ws.id === group.workspaceId
     );
+    if (!workspace) {
+      throw new Error(
+        `Fixture references unknown workspaceId "${group.workspaceId}" for tenant "${group.tenantId}".`
+      );
+    }
   }
-  return keys;
 };
+_validateFixturesAgainstTenantSpecs();
 
 // src/workflows/control-plane/seed-demo-data/seed-demo-data-lambda.ts
 var import_node_fs7 = __toESM(require("fs"));
 var import_node_path7 = __toESM(require("path"));
-var import_types13 = require("@openhi/types");
-var import_aws_cdk_lib12 = require("aws-cdk-lib");
+var import_aws_cdk_lib11 = require("aws-cdk-lib");
 var import_aws_events6 = require("aws-cdk-lib/aws-events");
 var import_aws_events_targets2 = require("aws-cdk-lib/aws-events-targets");
 var import_aws_iam3 = require("aws-cdk-lib/aws-iam");
@@ -5678,6 +5998,21 @@ var import_types10 = require("@openhi/types");
 // src/lib/compression.ts
 var import_node_zlib = require("zlib");
 
+// src/data/operations/data/account/account-create-operation.ts
+var import_ulid = require("ulid");
+
+// src/data/operations/data/encounter/encounter-create-operation.ts
+var import_ulid2 = require("ulid");
+
+// src/data/operations/data/observation/observation-create-operation.ts
+var import_ulid3 = require("ulid");
+
+// src/data/operations/data/patient/patient-create-operation.ts
+var import_ulid4 = require("ulid");
+
+// src/data/operations/data/practitioner/practitioner-create-operation.ts
+var import_ulid5 = require("ulid");
+
 // src/workflows/control-plane/seed-demo-data/seed-demo-data.handler.ts
 var SEED_DEMO_DATA_USER_POOL_ID_ENV_VAR = "SEED_DEMO_DATA_USER_POOL_ID";
 
@@ -5697,39 +6032,24 @@ var SeedDemoDataLambda = class extends import_constructs11.Construct {
       entry: resolveHandlerEntry7(__dirname),
       runtime: import_aws_lambda7.Runtime.NODEJS_LATEST,
       memorySize: 512,
-      timeout: import_aws_cdk_lib12.Duration.minutes(2),
+      timeout: import_aws_cdk_lib11.Duration.minutes(2),
       environment: {
         DYNAMO_TABLE_NAME: props.dataStoreTable.tableName,
         [SEED_DEMO_DATA_USER_POOL_ID_ENV_VAR]: props.userPool.userPoolId
       }
     });
-    const roleReadKeys = Object.values(import_types13.PLATFORM_ROLE_IDS).map(rolePartitionKey);
     this.lambda.addToRolePolicy(
       new import_aws_iam3.PolicyStatement({
         effect: import_aws_iam3.Effect.ALLOW,
         actions: ["dynamodb:GetItem"],
-        resources: [props.dataStoreTable.tableArn],
-        conditions: {
-          "ForAllValues:StringEquals": {
-            "dynamodb:LeadingKeys": roleReadKeys
-          }
-        }
+        resources: [props.dataStoreTable.tableArn]
       })
     );
-    const writeKeys = [
-      ...demoBasePartitionKeys(),
-      ...demoDevUserPartitionKeys(DEV_USERS)
-    ];
     this.lambda.addToRolePolicy(
       new import_aws_iam3.PolicyStatement({
         effect: import_aws_iam3.Effect.ALLOW,
         actions: ["dynamodb:PutItem", "dynamodb:UpdateItem"],
-        resources: [props.dataStoreTable.tableArn],
-        conditions: {
-          "ForAllValues:StringEquals": {
-            "dynamodb:LeadingKeys": writeKeys
-          }
-        }
+        resources: [props.dataStoreTable.tableArn]
       })
     );
     this.lambda.addToRolePolicy(
@@ -5741,7 +6061,7 @@ var SeedDemoDataLambda = class extends import_constructs11.Construct {
           "cognito-idp:AdminSetUserPassword"
         ],
         resources: [
-          import_aws_cdk_lib12.Stack.of(this).formatArn({
+          import_aws_cdk_lib11.Stack.of(this).formatArn({
             service: "cognito-idp",
             resource: "userpool",
             resourceName: props.userPool.userPoolId
@@ -5758,7 +6078,7 @@ var SeedDemoDataLambda = class extends import_constructs11.Construct {
       targets: [
         new import_aws_events_targets2.LambdaFunction(this.lambda, {
           retryAttempts: 2,
-          maxEventAge: import_aws_cdk_lib12.Duration.hours(2)
+          maxEventAge: import_aws_cdk_lib11.Duration.hours(2)
         })
       ]
     });
@@ -5792,8 +6112,8 @@ var SEED_SYSTEM_DATA_CONTROL_BUS_ENV_VAR = "CONTROL_EVENT_BUS_NAME";
 // src/workflows/control-plane/seed-system-data/seed-system-data-lambda.ts
 var import_node_fs8 = __toESM(require("fs"));
 var import_node_path8 = __toESM(require("path"));
-var import_types14 = require("@openhi/types");
-var import_aws_cdk_lib13 = require("aws-cdk-lib");
+var import_types13 = require("@openhi/types");
+var import_aws_cdk_lib12 = require("aws-cdk-lib");
 var import_aws_events7 = require("aws-cdk-lib/aws-events");
 var import_aws_events_targets3 = require("aws-cdk-lib/aws-events-targets");
 var import_aws_iam4 = require("aws-cdk-lib/aws-iam");
@@ -5815,13 +6135,13 @@ var SeedSystemDataLambda = class extends import_constructs13.Construct {
       entry: resolveHandlerEntry8(__dirname),
       runtime: import_aws_lambda8.Runtime.NODEJS_LATEST,
       memorySize: 512,
-      timeout: import_aws_cdk_lib13.Duration.minutes(1),
+      timeout: import_aws_cdk_lib12.Duration.minutes(1),
       environment: {
         DYNAMO_TABLE_NAME: props.dataStoreTable.tableName,
         [SEED_SYSTEM_DATA_CONTROL_BUS_ENV_VAR]: props.controlEventBus.eventBusName
       }
     });
-    const roleArns = Object.values(import_types14.PLATFORM_ROLE_IDS).map(
+    const roleArns = Object.values(import_types13.PLATFORM_ROLE_IDS).map(
       (id) => `role#id#${id}`
     );
     this.lambda.addToRolePolicy(
@@ -5837,7 +6157,7 @@ var SeedSystemDataLambda = class extends import_constructs13.Construct {
       })
     );
     props.controlEventBus.grantPutEventsTo(this.lambda);
-    const hostStackName = import_aws_cdk_lib13.Stack.of(this).stackName;
+    const hostStackName = import_aws_cdk_lib12.Stack.of(this).stackName;
     this.rule = new import_aws_events7.Rule(this, "rule", {
       eventBus: props.controlEventBus,
       eventPattern: {
@@ -5852,7 +6172,7 @@ var SeedSystemDataLambda = class extends import_constructs13.Construct {
       targets: [
         new import_aws_events_targets3.LambdaFunction(this.lambda, {
           retryAttempts: 2,
-          maxEventAge: import_aws_cdk_lib13.Duration.hours(2)
+          maxEventAge: import_aws_cdk_lib12.Duration.hours(2)
         })
       ]
     });
@@ -6014,7 +6334,7 @@ var buildProvisionDefaultWorkspaceRequestedDetail = (event) => {
 // src/workflows/control-plane/user-onboarding/provision-default-workspace-lambda.ts
 var import_node_fs9 = __toESM(require("fs"));
 var import_node_path9 = __toESM(require("path"));
-var import_aws_cdk_lib14 = require("aws-cdk-lib");
+var import_aws_cdk_lib13 = require("aws-cdk-lib");
 var import_aws_events8 = require("aws-cdk-lib/aws-events");
 var import_aws_events_targets4 = require("aws-cdk-lib/aws-events-targets");
 var import_aws_iam5 = require("aws-cdk-lib/aws-iam");
@@ -6061,7 +6381,7 @@ var ProvisionDefaultWorkspaceLambda = class extends import_constructs15.Construc
       targets: [
         new import_aws_events_targets4.LambdaFunction(this.lambda, {
           retryAttempts: 2,
-          maxEventAge: import_aws_cdk_lib14.Duration.hours(2)
+          maxEventAge: import_aws_cdk_lib13.Duration.hours(2)
         })
       ]
     });
@@ -6104,7 +6424,6 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
     this.grantPostConfirmationPermissions();
     this.userPoolClient = this.createUserPoolClient();
     this.userPoolDomain = this.createUserPoolDomain();
-    this.fixtureSeederClient = this.createFixtureSeederClient();
   }
   /**
    * Returns an IUserPool by looking up the Auth stack's User Pool ID from SSM.
@@ -6114,7 +6433,7 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
       ssmParamName: CognitoUserPool.SSM_PARAM_NAME,
       serviceType: _OpenHiAuthService.SERVICE_TYPE
     });
-    return import_aws_cognito5.UserPool.fromUserPoolId(scope, "user-pool", userPoolId);
+    return import_aws_cognito4.UserPool.fromUserPoolId(scope, "user-pool", userPoolId);
   }
   /**
    * Returns an IUserPoolClient by looking up the Auth stack's User Pool Client ID from SSM.
@@ -6127,33 +6446,12 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
         serviceType: _OpenHiAuthService.SERVICE_TYPE
       }
     );
-    return import_aws_cognito5.UserPoolClient.fromUserPoolClientId(
+    return import_aws_cognito4.UserPoolClient.fromUserPoolClientId(
       scope,
       "user-pool-client",
       userPoolClientId
     );
   }
-  /**
-   * Returns the dedicated fixture-seeder IUserPoolClient by looking up
-   * its ID from SSM. Only non-prod auth stacks publish this parameter
-   * (per the conditional in {@link createFixtureSeederClient}); calling
-   * this against a prod-deployed stack will fail at lookup time.
-   *
-   * Consumed by `OpenHiRestApiService` (in non-prod) so the authorizer
-   * accepts tokens issued by this client, and by the seed-fixtures CLI
-   * to drive USER_PASSWORD_AUTH against this client's ID.
-   */
-  static fixtureSeederClientFromConstruct(scope) {
-    const clientId = DiscoverableStringParameter.valueForLookupName(scope, {
-      ssmParamName: CognitoFixtureSeederClient.SSM_PARAM_NAME,
-      serviceType: _OpenHiAuthService.SERVICE_TYPE
-    });
-    return import_aws_cognito5.UserPoolClient.fromUserPoolClientId(
-      scope,
-      "fixture-seeder-client",
-      clientId
-    );
-  }
   /**
    * Returns an IUserPoolDomain by looking up the Auth stack's User Pool Domain from SSM.
    */
@@ -6162,7 +6460,7 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
       ssmParamName: CognitoUserPoolDomain.SSM_PARAM_NAME,
       serviceType: _OpenHiAuthService.SERVICE_TYPE
     });
-    return import_aws_cognito5.UserPoolDomain.fromDomainName(scope, "user-pool-domain", domainName);
+    return import_aws_cognito4.UserPoolDomain.fromDomainName(scope, "user-pool-domain", domainName);
   }
   /**
    * Returns an IKey (KMS) by looking up the Auth stack's User Pool KMS Key ARN from SSM.
@@ -6252,16 +6550,16 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
       customSenderKmsKey: this.userPoolKmsKey
     });
     userPool.addTrigger(
-      import_aws_cognito5.UserPoolOperation.PRE_TOKEN_GENERATION_CONFIG,
+      import_aws_cognito4.UserPoolOperation.PRE_TOKEN_GENERATION_CONFIG,
       this.preTokenGenerationLambda,
-      import_aws_cognito5.LambdaVersion.V2_0
+      import_aws_cognito4.LambdaVersion.V2_0
     );
     userPool.addTrigger(
-      import_aws_cognito5.UserPoolOperation.POST_AUTHENTICATION,
+      import_aws_cognito4.UserPoolOperation.POST_AUTHENTICATION,
       this.postAuthenticationLambda
     );
     userPool.addTrigger(
-      import_aws_cognito5.UserPoolOperation.POST_CONFIRMATION,
+      import_aws_cognito4.UserPoolOperation.POST_CONFIRMATION,
       this.postConfirmationLambda
     );
     new DiscoverableStringParameter(this, "user-pool-param", {
@@ -6342,31 +6640,6 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
     });
     return client;
   }
-  /**
-   * Creates the dedicated USER_PASSWORD_AUTH app client for the
-   * `@openhi/seed-fixtures` CLI, **only** in non-prod environments.
-   * Returns `undefined` when this stack is being deployed to a prod
-   * stage so the prod auth stack carries no fixture-seeder code path.
-   *
-   * Operator post-deploy: create a `fixture-seeder` Cognito user with
-   * a service password (manually via console or scripted with
-   * `aws cognito-idp admin-create-user`); the CLI consumes those creds
-   * via env vars to drive `InitiateAuth`.
-   */
-  createFixtureSeederClient() {
-    if (this.ohEnv.ohStage.stageType === import_config5.OPEN_HI_STAGE.PROD) {
-      return void 0;
-    }
-    const client = new CognitoFixtureSeederClient(this, {
-      userPool: this.userPool
-    });
-    new DiscoverableStringParameter(this, "fixture-seeder-client-param", {
-      ssmParamName: CognitoFixtureSeederClient.SSM_PARAM_NAME,
-      stringValue: client.userPoolClientId,
-      description: "Cognito User Pool Client ID for the OpenHI fixture-seeder CLI (USER_PASSWORD_AUTH; non-prod only); cross-stack reference"
-    });
-    return client;
-  }
   /**
    * Creates the User Pool Domain (Cognito hosted UI) and exports domain name to SSM.
    * Look up via {@link OpenHiAuthService.userPoolDomainFromConstruct}.
@@ -6391,7 +6664,6 @@ _OpenHiAuthService.SERVICE_TYPE = "auth";
 var OpenHiAuthService = _OpenHiAuthService;
 
 // src/services/open-hi-rest-api-service.ts
-var import_config6 = __toESM(require_lib());
 var import_aws_apigatewayv22 = require("aws-cdk-lib/aws-apigatewayv2");
 var import_aws_apigatewayv2_authorizers = require("aws-cdk-lib/aws-apigatewayv2-authorizers");
 var import_aws_apigatewayv2_integrations = require("aws-cdk-lib/aws-apigatewayv2-integrations");
@@ -6683,16 +6955,10 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
   createRootHttpApi(domainName) {
     const userPool = OpenHiAuthService.userPoolFromConstruct(this);
     const userPoolClient = OpenHiAuthService.userPoolClientFromConstruct(this);
-    const userPoolClients = [userPoolClient];
-    if (this.ohEnv.ohStage.stageType !== import_config6.OPEN_HI_STAGE.PROD) {
-      userPoolClients.push(
-        OpenHiAuthService.fixtureSeederClientFromConstruct(this)
-      );
-    }
     const cognitoAuthorizer = new import_aws_apigatewayv2_authorizers.HttpUserPoolAuthorizer(
       "cognito-authorizer",
       userPool,
-      { userPoolClients }
+      { userPoolClients: [userPoolClient] }
     );
     const { corsPreflight: cors, ...restRootHttpApiProps } = this.props.rootHttpApiProps ?? {};
     const corsPreflight = cors !== void 0 ? {
@@ -6783,7 +7049,7 @@ var OWNING_DELETE_OPS_EVENT_BUS_ENV_VAR = "OWNING_DELETE_OPS_EVENT_BUS_NAME";
 // src/workflows/control-plane/owning-delete-cascade/owning-delete-cascade-lambdas.ts
 var import_node_fs12 = __toESM(require("fs"));
 var import_node_path12 = __toESM(require("path"));
-var import_aws_cdk_lib15 = require("aws-cdk-lib");
+var import_aws_cdk_lib14 = require("aws-cdk-lib");
 var import_aws_iam8 = require("aws-cdk-lib/aws-iam");
 var import_aws_lambda12 = require("aws-cdk-lib/aws-lambda");
 var import_aws_lambda_nodejs12 = require("aws-cdk-lib/aws-lambda-nodejs");
@@ -6807,7 +7073,7 @@ var OwningDeleteCascadeLambdas = class extends import_constructs19.Construct {
       entry: listResolved.entry,
       runtime: import_aws_lambda12.Runtime.NODEJS_LATEST,
       memorySize: 512,
-      timeout: import_aws_cdk_lib15.Duration.minutes(1),
+      timeout: import_aws_cdk_lib14.Duration.minutes(1),
       environment: {
         DYNAMO_TABLE_NAME: props.dataStoreTable.tableName
       }
@@ -6821,7 +7087,7 @@ var OwningDeleteCascadeLambdas = class extends import_constructs19.Construct {
       entry: deleteResolved.entry,
       runtime: import_aws_lambda12.Runtime.NODEJS_LATEST,
       memorySize: 512,
-      timeout: import_aws_cdk_lib15.Duration.minutes(1),
+      timeout: import_aws_cdk_lib14.Duration.minutes(1),
       environment: {
         DYNAMO_TABLE_NAME: props.dataStoreTable.tableName
       }
@@ -6840,7 +7106,7 @@ var OwningDeleteCascadeLambdas = class extends import_constructs19.Construct {
       entry: finalizeResolved.entry,
       runtime: import_aws_lambda12.Runtime.NODEJS_LATEST,
       memorySize: 512,
-      timeout: import_aws_cdk_lib15.Duration.minutes(1),
+      timeout: import_aws_cdk_lib14.Duration.minutes(1),
       environment: {
         DYNAMO_TABLE_NAME: props.dataStoreTable.tableName,
         [OWNING_DELETE_OPS_EVENT_BUS_ENV_VAR]: props.opsEventBus.eventBusName
@@ -6858,7 +7124,7 @@ var OwningDeleteCascadeLambdas = class extends import_constructs19.Construct {
 };
 
 // src/workflows/control-plane/owning-delete-cascade/owning-delete-cascade-workflow.ts
-var import_aws_cdk_lib16 = require("aws-cdk-lib");
+var import_aws_cdk_lib15 = require("aws-cdk-lib");
 var import_aws_events9 = require("aws-cdk-lib/aws-events");
 var import_aws_events_targets5 = require("aws-cdk-lib/aws-events-targets");
 var import_aws_stepfunctions = require("aws-cdk-lib/aws-stepfunctions");
@@ -6973,7 +7239,7 @@ var OwningDeleteCascadeWorkflow = class extends import_constructs20.Construct {
       }
     });
     const interPageWait = new import_aws_stepfunctions.Wait(this, "inter-page-wait", {
-      time: import_aws_stepfunctions.WaitTime.duration(import_aws_cdk_lib16.Duration.seconds(0))
+      time: import_aws_stepfunctions.WaitTime.duration(import_aws_cdk_lib15.Duration.seconds(0))
     });
     const isExhausted = new import_aws_stepfunctions.Choice(this, "is-exhausted");
     const finalize = new import_aws_stepfunctions_tasks.LambdaInvoke(this, "finalize", {
@@ -7004,7 +7270,7 @@ var OwningDeleteCascadeWorkflow = class extends import_constructs20.Construct {
       // Long timeout because real-world cascades can run minutes when
       // a workspace has thousands of members. The stuck-cascade alarm
       // fires at 15 minutes; the state machine itself does not abort.
-      timeout: import_aws_cdk_lib16.Duration.hours(2)
+      timeout: import_aws_cdk_lib15.Duration.hours(2)
     });
     this.rule = new import_aws_events9.Rule(this, "rule", {
       eventBus: props.dataEventBus,
@@ -7015,7 +7281,7 @@ var OwningDeleteCascadeWorkflow = class extends import_constructs20.Construct {
       targets: [
         new import_aws_events_targets5.SfnStateMachine(this.stateMachine, {
           retryAttempts: 2,
-          maxEventAge: import_aws_cdk_lib16.Duration.hours(2)
+          maxEventAge: import_aws_cdk_lib15.Duration.hours(2)
         })
       ]
     });
@@ -7033,7 +7299,7 @@ var RENAME_CASCADE_OPS_EVENT_BUS_ENV_VAR = "RENAME_CASCADE_OPS_EVENT_BUS_NAME";
 // src/workflows/control-plane/rename-cascade/rename-cascade-lambdas.ts
 var import_node_fs13 = __toESM(require("fs"));
 var import_node_path13 = __toESM(require("path"));
-var import_aws_cdk_lib17 = require("aws-cdk-lib");
+var import_aws_cdk_lib16 = require("aws-cdk-lib");
 var import_aws_iam9 = require("aws-cdk-lib/aws-iam");
 var import_aws_lambda13 = require("aws-cdk-lib/aws-lambda");
 var import_aws_lambda_nodejs13 = require("aws-cdk-lib/aws-lambda-nodejs");
@@ -7057,7 +7323,7 @@ var RenameCascadeLambdas = class extends import_constructs21.Construct {
       entry: listResolved.entry,
       runtime: import_aws_lambda13.Runtime.NODEJS_LATEST,
       memorySize: 512,
-      timeout: import_aws_cdk_lib17.Duration.minutes(1),
+      timeout: import_aws_cdk_lib16.Duration.minutes(1),
       environment: {
         DYNAMO_TABLE_NAME: props.dataStoreTable.tableName
       }
@@ -7071,7 +7337,7 @@ var RenameCascadeLambdas = class extends import_constructs21.Construct {
       entry: rewriteResolved.entry,
       runtime: import_aws_lambda13.Runtime.NODEJS_LATEST,
       memorySize: 512,
-      timeout: import_aws_cdk_lib17.Duration.minutes(1),
+      timeout: import_aws_cdk_lib16.Duration.minutes(1),
       environment: {
         DYNAMO_TABLE_NAME: props.dataStoreTable.tableName
       }
@@ -7090,7 +7356,7 @@ var RenameCascadeLambdas = class extends import_constructs21.Construct {
       entry: finalizeResolved.entry,
       runtime: import_aws_lambda13.Runtime.NODEJS_LATEST,
       memorySize: 512,
-      timeout: import_aws_cdk_lib17.Duration.minutes(1),
+      timeout: import_aws_cdk_lib16.Duration.minutes(1),
       environment: {
         [RENAME_CASCADE_OPS_EVENT_BUS_ENV_VAR]: props.opsEventBus.eventBusName
       }
@@ -7106,7 +7372,7 @@ var RenameCascadeLambdas = class extends import_constructs21.Construct {
 };
 
 // src/workflows/control-plane/rename-cascade/rename-cascade-workflow.ts
-var import_aws_cdk_lib18 = require("aws-cdk-lib");
+var import_aws_cdk_lib17 = require("aws-cdk-lib");
 var import_aws_events10 = require("aws-cdk-lib/aws-events");
 var import_aws_events_targets6 = require("aws-cdk-lib/aws-events-targets");
 var import_aws_stepfunctions2 = require("aws-cdk-lib/aws-stepfunctions");
@@ -7256,7 +7522,7 @@ var RenameCascadeWorkflow = class extends import_constructs22.Construct {
       // Long timeout — large renames may rewrite thousands of rows;
       // the `CascadeSlow` alarm fires at 300s p99 but the state
       // machine itself does not abort.
-      timeout: import_aws_cdk_lib18.Duration.hours(2)
+      timeout: import_aws_cdk_lib17.Duration.hours(2)
     });
     this.rule = new import_aws_events10.Rule(this, "rule", {
       eventBus: props.dataEventBus,
@@ -7267,7 +7533,7 @@ var RenameCascadeWorkflow = class extends import_constructs22.Construct {
       targets: [
         new import_aws_events_targets6.SfnStateMachine(this.stateMachine, {
           retryAttempts: 2,
-          maxEventAge: import_aws_cdk_lib18.Duration.hours(2)
+          maxEventAge: import_aws_cdk_lib17.Duration.hours(2)
         })
       ]
     });
@@ -7280,7 +7546,6 @@ var RenameCascadeWorkflow = class extends import_constructs22.Construct {
   CLOUDFORMATION_STACK_STATUS_CHANGE_DETAIL_TYPE,
   CONTROL_EVENT_BUS_NAME_ENV_VAR,
   ChildHostedZone,
-  CognitoFixtureSeederClient,
   CognitoUserPool,
   CognitoUserPoolClient,
   CognitoUserPoolDomain,
@@ -7295,6 +7560,7 @@ var RenameCascadeWorkflow = class extends import_constructs22.Construct {
   DATA_STORE_CHANGE_DETAIL_MAX_UTF8_BYTES,
   DATA_STORE_CHANGE_DETAIL_TYPE,
   DATA_STORE_CHANGE_EVENT_SOURCE,
+  DEMO_DATA_PLANE_FIXTURES,
   DEMO_PERIOD,
   DEMO_TENANT_SPECS,
   DEMO_URN_SYSTEM,
@@ -7373,22 +7639,14 @@ var RenameCascadeWorkflow = class extends import_constructs22.Construct {
   WorkflowDedupTableDuplicateError,
   buildFhirCurrentResourceChangeDetail,
   buildProvisionDefaultWorkspaceRequestedDetail,
-  demoBasePartitionKeys,
-  demoDevUserPartitionKeys,
   demoMembershipId,
-  demoMembershipPartitionKey,
   demoRoleAssignmentId,
-  demoRoleAssignmentPartitionKey,
   demoRolesForUserInTenant,
   demoScenarioIdentifier,
-  demoTenantPartitionKey,
-  demoUserPartitionKey,
-  demoWorkspacePartitionKey,
   getDynamoDbDataStoreTableName,
   getPostgresReplicaSchemaName,
   getWorkflowDedupTableName,
   openHiTagKey,
-  openhiResourceIdentifier,
-  rolePartitionKey
+  openhiResourceIdentifier
 });
 //# sourceMappingURL=index.js.map