@openhi/constructs 0.0.114 → 0.0.115

package/lib/index.d.ts

@@ -3,7 +3,7 @@ import { Construct, IConstruct } from 'constructs';
 import { ICertificate, Certificate, CertificateProps } from 'aws-cdk-lib/aws-certificatemanager';
 import { IHttpApi, HttpApiProps, HttpApi, DomainName } from 'aws-cdk-lib/aws-apigatewayv2';
 import { IGraphqlApi, GraphqlApi, GraphqlApiProps } from 'aws-cdk-lib/aws-appsync';
-import { UserPoolClient, UserPoolClientProps, IUserPool, UserPool, UserPoolProps, UserPoolDomain, UserPoolDomainProps, IUserPoolClient, IUserPoolDomain } from 'aws-cdk-lib/aws-cognito';
+import { UserPool, UserPoolProps, UserPoolClient, UserPoolClientProps, UserPoolDomain, UserPoolDomainProps, IUserPool, IUserPoolClient, IUserPoolDomain } from 'aws-cdk-lib/aws-cognito';
 import { Key, KeyProps, IKey } from 'aws-cdk-lib/aws-kms';
 import { NodejsFunction } from 'aws-cdk-lib/aws-lambda-nodejs';
 import { AttributeValue } from '@aws-sdk/client-dynamodb';
@@ -23,7 +23,7 @@ import { Distribution, DistributionProps } from 'aws-cdk-lib/aws-cloudfront';
 import { StateMachine } from 'aws-cdk-lib/aws-stepfunctions';
 import { RenamableEntityType } from '@openhi/workflows';
 export { ControlPlaneOwningDeleteCompleteV1, ControlPlaneOwningDeleteCompleteV1Detail, ControlPlaneOwningDeleteFailedV1, ControlPlaneOwningDeleteFailedV1Detail, ControlPlaneOwningDeleteV1, ControlPlaneOwningDeleteV1Detail, ControlPlaneRenameCompleteV1, ControlPlaneRenameCompleteV1Detail, ControlPlaneRenameFailedV1, ControlPlaneRenameFailedV1Detail, ControlPlaneRenameV1, ControlPlaneRenameV1Detail, OPENHI_DATA_SOURCE, OPENHI_OPS_SOURCE, OWNING_ENTITY_TYPE, OwningEntityType, PlatformDeploymentCompletedV1, PlatformSystemDataSeededV1, RENAMABLE_ENTITY_TYPE, RenamableEntityType } from '@openhi/workflows';
-import { PlatformRoleCode } from '@openhi/types';
+import { PlatformRoleCode, Patient, Practitioner, Observation, Encounter, Account } from '@openhi/types';
 import { PostConfirmationTriggerEvent } from 'aws-lambda';
 
 /*******************************************************************************
@@ -514,10 +514,9 @@ declare const DEMO_PERIOD: {
  * `"platform"` literal is a reserved value that never matches a real
  * Tenant id and signals "this RA scopes across all tenants".
  *
- * Renaming this constant is a wire-format break — the IAM grant in
- * `seed-demo-data-lambda.ts` enumerates exact-match `LeadingKeys`
- * computed from this value, and the in-band records written under it
- * become unreachable if the sentinel changes.
+ * Renaming this constant is a wire-format break — the handler emits
+ * RoleAssignment records keyed on this value, and the in-band records
+ * written under it become unreachable if the sentinel changes.
  */
 declare const PLATFORM_SCOPE_TENANT_ID = "platform";
 /** Placeholder Tenant id seeded by the workflow as the dev-user `currentTenant`. */
@@ -558,8 +557,8 @@ interface DemoWorkspaceSpec {
     readonly name: string;
     /**
      * Role suffix used in the demo URN value (`<scenario>:<roleSuffix>`).
-     * Mirrors seed-fixtures' role suffix convention: `workspace` for
-     * single-workspace tenants, `workspace-<sub>` for the mixed tenant.
+     * `workspace` for single-workspace tenants, `workspace-<sub>` for the
+     * mixed tenant.
      */
     readonly roleSuffix: string;
 }
@@ -572,8 +571,7 @@ interface DemoTenantSpec {
     /**
      * Scenario slug — `placeholder`, `demo-wound-care`, `demo-primary-care`,
      * `demo-mixed`. The placeholder tenant's slug is `placeholder`; the
-     * three demo tenants mirror seed-fixtures' `fixture-*` slugs renamed
-     * to `demo-*`.
+     * three demo tenants use `demo-*` slugs.
      */
     readonly scenario: string;
     /** Stable id (DynamoDB record id; also drives the canonical OHI URN). */
@@ -608,8 +606,6 @@ declare const demoMembershipId: (devUserId: string, tenantId: string) => string;
 declare const demoRoleAssignmentId: (devUserId: string, tenantId: string, roleCode: PlatformRoleCode) => string;
 /**
  * Demo-scenario FHIR `Identifier` entry — `urn:openhi:demo:<scenario>:<role>`.
- * Mirrors the `urn:openhi:fixture:<scenario>:<role>` pattern from
- * `@openhi/seed-fixtures/src/urn.ts`, renamed to the `demo` namespace.
  */
 declare const demoScenarioIdentifier: (scenario: string, roleSuffix: string) => {
     system: string;
@@ -638,48 +634,6 @@ declare const openhiResourceIdentifier: (params: {
  * is no per-(user, tenant) variance to drive from.
  */
 declare const demoRolesForUserInTenant: (_user: DemoDevUser, _tenantId: string) => ReadonlyArray<PlatformRoleCode>;
-/**
- * DynamoDB single-table partition-key builders. The IAM grant in
- * `seed-demo-data-lambda.ts` uses these to enumerate exact-match
- * `dynamodb:LeadingKeys` values; the entity definitions in
- * `data/dynamo/entities/control/` own the canonical key templates.
- *
- * These builders MUST emit the keys ElectroDB actually writes — not
- * the entity definition's pretty template. None of the control-plane
- * entities sets `casing: "none"` on the base-table PK template, so
- * ElectroDB applies its default lowercase casing at runtime: the
- * entity's `ROLE#ID#${id}` becomes `role#id#<id>` on the wire. A
- * builder that returns the uppercase template form produces a
- * silently-broken IAM grant (every PutItem denied with "no
- * identity-based policy allows" because the request's leading-key
- * never matches a policy value).
- */
-declare const rolePartitionKey: (roleId: string) => string;
-declare const demoTenantPartitionKey: (tenantId: string) => string;
-declare const demoWorkspacePartitionKey: (tenantId: string, workspaceId: string) => string;
-declare const demoMembershipPartitionKey: (tenantId: string, membershipId: string) => string;
-declare const demoRoleAssignmentPartitionKey: (tenantId: string, roleAssignmentId: string) => string;
-/** User entity PK template — `USER#ID#<id>` → `user#id#<id>` on the wire. */
-declare const demoUserPartitionKey: (userId: string) => string;
-/**
- * Tenant + Workspace PKs the workflow writes on every fire: the 4
- * tenant PKs (placeholder + 3 demo) plus their workspaces (1 + 1 + 1 + 2 = 5).
- */
-declare const demoBasePartitionKeys: () => ReadonlyArray<string>;
-/**
- * Membership + RoleAssignment + User PKs the workflow writes per dev
- * user. Empty when `devUsers` is empty (used by tests). The list
- * mirrors the handler's iteration order so the IAM grant covers every
- * write the handler can make.
- *
- * Per dev user the function emits:
- *   - one User PK,
- *   - per tenant in {@link DEMO_TENANT_SPECS}: one Membership PK plus
- *     one `tenant-admin` RoleAssignment PK,
- *   - one platform-scoped `system-admin` RoleAssignment PK keyed by
- *     {@link PLATFORM_SCOPE_TENANT_ID}.
- */
-declare const demoDevUserPartitionKeys: (devUsers: ReadonlyArray<DemoDevUser>) => ReadonlyArray<string>;
 
 /**
  * @see sites/www-docs/content/packages/@openhi/constructs/workflows/control-plane/user-onboarding/events.md
@@ -1089,47 +1043,6 @@ declare class RootGraphqlApi extends GraphqlApi {
     constructor(scope: Construct, props?: Omit<RootGraphqlApiProps, "name">);
 }
 
-interface CognitoFixtureSeederClientProps extends Partial<Omit<UserPoolClientProps, "userPool" | "generateSecret">> {
-    readonly userPool: IUserPool;
-}
-/**
- * Dedicated Cognito app client for the OpenHI fixture-seeder CLI
- * (`@openhi/seed-fixtures`).
- *
- * Why a dedicated client (vs reusing the SPA client):
- * - Tightly scoped: only the seeder consumes tokens issued here, so an
- *   audit trail of seeder activity is cleanly separable.
- * - Decoupled from the SPA client's OAuth flows — no risk of breaking
- *   web-app sign-in by tweaking auth-flow settings here.
- * - Stage-conditional creation upstream (only provisioned in non-prod
- *   environments) means prod stacks never carry a code path that could
- *   issue a fixture-seeder token in the first place.
- *
- * Why USER_PASSWORD_AUTH (vs M2M client-credentials):
- * - Cognito's M2M tier has a per-app-client monthly fee plus per-token
- *   activity charges. For sporadic non-prod fixture runs the per-client
- *   fee dominates the bill, especially if every dev branch spins up
- *   its own auth stack.
- * - USER_PASSWORD_AUTH against a service `fixture-seeder` user keeps
- *   the cost in MAU territory (free under the 50K MAU tier).
- * - Tradeoff: passwords need rotation and the service user must be
- *   provisioned per non-prod environment (manual or scripted post-deploy).
- *
- * No client secret (`generateSecret: false`): USER_PASSWORD_AUTH
- * authenticates with the password directly; a secret would just add
- * another credential to manage without strengthening anything.
- */
-declare class CognitoFixtureSeederClient extends UserPoolClient {
-    /**
-     * SSM parameter name suffix used to publish this client's ID for
-     * cross-stack lookups. Built into a full parameter name via
-     * `buildParameterName` with `serviceType` AUTH (since the auth stack
-     * owns this resource).
-     */
-    static readonly SSM_PARAM_NAME = "COGNITO_FIXTURE_SEEDER_CLIENT";
-    constructor(scope: Construct, props: CognitoFixtureSeederClientProps);
-}
-
 /**
  * @see sites/www-docs/content/packages/@openhi/constructs/components/cognito/cognito-user-pool.md
  */
@@ -1800,17 +1713,6 @@ declare class OpenHiAuthService extends OpenHiService {
      * Returns an IUserPoolClient by looking up the Auth stack's User Pool Client ID from SSM.
      */
     static userPoolClientFromConstruct(scope: Construct): IUserPoolClient;
-    /**
-     * Returns the dedicated fixture-seeder IUserPoolClient by looking up
-     * its ID from SSM. Only non-prod auth stacks publish this parameter
-     * (per the conditional in {@link createFixtureSeederClient}); calling
-     * this against a prod-deployed stack will fail at lookup time.
-     *
-     * Consumed by `OpenHiRestApiService` (in non-prod) so the authorizer
-     * accepts tokens issued by this client, and by the seed-fixtures CLI
-     * to drive USER_PASSWORD_AUTH against this client's ID.
-     */
-    static fixtureSeederClientFromConstruct(scope: Construct): IUserPoolClient;
     /**
      * Returns an IUserPoolDomain by looking up the Auth stack's User Pool Domain from SSM.
      */
@@ -1830,12 +1732,6 @@ declare class OpenHiAuthService extends OpenHiService {
     readonly userPool: IUserPool;
     readonly userPoolClient: IUserPoolClient;
     readonly userPoolDomain: IUserPoolDomain;
-    /**
-     * Dedicated USER_PASSWORD_AUTH client for the seed-fixtures CLI.
-     * Only created in non-prod environments (see
-     * {@link createFixtureSeederClient}). `undefined` in prod.
-     */
-    readonly fixtureSeederClient?: IUserPoolClient;
     /**
      * Cross-stack reference to the data store table. Cached so repeated
      * lookups share a single CDK construct id ("dynamo-db-data-store") in
@@ -1914,18 +1810,6 @@ declare class OpenHiAuthService extends OpenHiService {
      * Override to customize.
      */
     protected createUserPoolClient(): IUserPoolClient;
-    /**
-     * Creates the dedicated USER_PASSWORD_AUTH app client for the
-     * `@openhi/seed-fixtures` CLI, **only** in non-prod environments.
-     * Returns `undefined` when this stack is being deployed to a prod
-     * stage so the prod auth stack carries no fixture-seeder code path.
-     *
-     * Operator post-deploy: create a `fixture-seeder` Cognito user with
-     * a service password (manually via console or scripted with
-     * `aws cognito-idp admin-create-user`); the CLI consumes those creds
-     * via env vars to drive `InitiateAuth`.
-     */
-    protected createFixtureSeederClient(): IUserPoolClient | undefined;
     /**
      * Creates the User Pool Domain (Cognito hosted UI) and exports domain name to SSM.
      * Look up via {@link OpenHiAuthService.userPoolDomainFromConstruct}.
@@ -2191,12 +2075,69 @@ declare class OpenHiRestApiService extends OpenHiService {
     protected createRootHttpApi(domainName: DomainName): RootHttpApi;
 }
 
+/**
+ * @see sites/www-docs/content/packages/@openhi/constructs/workflows/control-plane/seed-demo-data/data-plane-fixtures.md
+ *
+ * Hand-authored FHIR data-plane fixture bodies the `seed-demo-data`
+ * workflow upserts into the data store on every non-prod deploy.
+ * Mirrors the OPS-009 v1 resource set: Patient, Practitioner,
+ * Observation, Encounter, Account.
+ *
+ * Ids are deterministic — re-fires of the workflow upsert the same
+ * records, satisfying the workflow's idempotency contract (no
+ * duplicates) and letting the IAM grant in `seed-demo-data-lambda.ts`
+ * enumerate exact-match `dynamodb:LeadingKeys` rather than a wildcard.
+ *
+ * The placeholder tenant carries no data-plane fixtures — only the
+ * three real demo tenants (wound-care, primary-care, mixed) get
+ * Patient/Practitioner/Observation/Encounter/Account records. The
+ * placeholder tenant exists solely as a routing target for the
+ * Cognito pre-token-generation fallback and never holds clinical
+ * data.
+ */
+/**
+ * Logical group of FHIR resources owned by a single (tenant, workspace)
+ * pair. The workflow walks `DEMO_DATA_PLANE_FIXTURES` and writes every
+ * entry against the matching workspace's `OpenHiContext`.
+ */
+interface DemoWorkspaceDataPlaneFixtures {
+    readonly tenantId: string;
+    readonly workspaceId: string;
+    /**
+     * Scenario slug used in the demo-URN identifier — mirrors the
+     * `DemoTenantSpec.scenario` value for the parent tenant. For the
+     * mixed tenant both workspaces share the `demo-mixed` scenario.
+     */
+    readonly scenario: string;
+    readonly patients: ReadonlyArray<Patient>;
+    readonly practitioners: ReadonlyArray<Practitioner>;
+    readonly observations: ReadonlyArray<Observation>;
+    readonly encounters: ReadonlyArray<Encounter>;
+    readonly accounts: ReadonlyArray<Account>;
+}
+/**
+ * Per-workspace fixtures the data-plane phase writes on every fire.
+ * The placeholder tenant carries no fixtures. The mixed tenant carries
+ * one fixture group per workspace; the two single-workspace tenants
+ * carry one each. Total: 4 fixture groups × ≈ 9 resources = ~36
+ * data-plane records.
+ *
+ * Ids embed the tenant + workspace slug so they remain unambiguous
+ * across the four workspaces (the FHIR resource id is the only thing
+ * that survives into the partition key, so a duplicate id across
+ * workspaces would still collide on read paths that scan-by-id).
+ */
+declare const DEMO_DATA_PLANE_FIXTURES: ReadonlyArray<DemoWorkspaceDataPlaneFixtures>;
+
 interface SeedDemoDataLambdaProps {
     /**
      * Data-store table the workflow upserts demo-data records into.
-     * Wired via `DYNAMO_TABLE_NAME` env var; granted scoped read on the
-     * Role PKs (pre-flight check) and scoped write on the enumerated
-     * demo Tenant / Workspace / Membership / RoleAssignment / User PKs.
+     * Wired via `DYNAMO_TABLE_NAME` env var; granted `dynamodb:GetItem`
+     * (pre-flight Role lookup) and `dynamodb:PutItem`/`dynamodb:UpdateItem`
+     * (write phase). The grants are scoped to the table ARN only; the
+     * handler itself is the scope guarantee for which records the
+     * workflow touches (see the construct body for the previous
+     * `LeadingKeys`-based grants and the reason they were dropped).
      */
     readonly dataStoreTable: ITable;
     /**
@@ -2649,5 +2590,5 @@ declare class RenameCascadeWorkflow extends Construct {
     constructor(scope: Construct, props: RenameCascadeWorkflowProps);
 }
 
-export { BRIDGED_STATUSES, CLOUDFORMATION_EVENT_SOURCE, CLOUDFORMATION_STACK_STATUS_CHANGE_DETAIL_TYPE, CONTROL_EVENT_BUS_NAME_ENV_VAR, ChildHostedZone, CognitoFixtureSeederClient, CognitoUserPool, CognitoUserPoolClient, CognitoUserPoolDomain, CognitoUserPoolKmsKey, ControlEventBus, DATA_STORE_CHANGE_DETAIL_MAX_UTF8_BYTES, DATA_STORE_CHANGE_DETAIL_TYPE, DATA_STORE_CHANGE_EVENT_SOURCE, DEMO_PERIOD, DEMO_TENANT_SPECS, DEMO_URN_SYSTEM, DEV_USERS, DataEventBus, DataStoreHistoricalArchive, DataStorePostgresReplica, DiscoverableStringParameter, DynamoDbDataStore, OPENHI_REPO_TAG_KEY_ENV_VAR, OPENHI_RESOURCE_URN_SYSTEM, OPENHI_TAG_KEY_PREFIX_ENV_VAR, OPENHI_TAG_SUFFIX_BRANCH_NAME, OPENHI_TAG_SUFFIX_REPO_NAME, OPENHI_TAG_SUFFIX_SERVICE_TYPE, OPENHI_TAG_SUFFIX_STAGE_TYPE, OWNING_DELETE_CASCADE_CONSUMER_NAME, OWNING_DELETE_CASCADE_DEFAULT_CONCURRENCY, OWNING_DELETE_CASCADE_STUCK_THRESHOLD_MINUTES, OWNING_DELETE_OPS_EVENT_BUS_ENV_VAR, OpenHiApp, OpenHiAuthService, OpenHiDataService, OpenHiEnvironment, OpenHiGlobalService, OpenHiGraphqlService, OpenHiRestApiService, OpenHiService, OpenHiStage, OpsEventBus, OwningDeleteCascadeLambdas, OwningDeleteCascadeWorkflow, PLACEHOLDER_TENANT_ID, PLACEHOLDER_WORKSPACE_ID, PLATFORM_DEPLOY_BRIDGE_ACTOR_SYSTEM, PLATFORM_SCOPE_TENANT_ID, POSTGRES_REPLICA_CLUSTER_ARN_SSM_NAME, POSTGRES_REPLICA_DATABASE_NAME_SSM_NAME, POSTGRES_REPLICA_SECRET_ARN_SSM_NAME, PROVISION_DEFAULT_WORKSPACE_DETAIL_TYPE, PlatformDeployBridge, PlatformDeployBridgeLambda, PostAuthenticationLambda, PostConfirmationLambda, PreTokenGenerationLambda, ProvisionDefaultWorkspaceLambda, RENAME_CASCADE_CONSUMER_NAME, RENAME_CASCADE_DEFAULT_CONCURRENCY, RENAME_CASCADE_FAILED_THRESHOLD, RENAME_CASCADE_OPS_EVENT_BUS_ENV_VAR, RENAME_CASCADE_SLOW_THRESHOLD_SECONDS, REST_API_BASE_URL_SSM_NAME, RenameCascadeLambdas, RenameCascadeWorkflow, RootGraphqlApi, RootHostedZone, RootHttpApi, RootWildcardCertificate, SEED_DEMO_DATA_CONSUMER_NAME, SEED_SYSTEM_DATA_ACTOR_SYSTEM, SEED_SYSTEM_DATA_CONSUMER_NAME, SEED_SYSTEM_DATA_CONTROL_BUS_ENV_VAR, STATIC_HOSTING_SERVICE_TYPE, SeedDemoDataLambda, SeedDemoDataWorkflow, SeedSystemDataLambda, SeedSystemDataWorkflow, StaticHosting, USER_ONBOARDING_EVENT_SOURCE, UserOnboardingWorkflow, WorkflowDedupConsumerNameInvalidError, WorkflowDedupTable, WorkflowDedupTableDuplicateError, buildFhirCurrentResourceChangeDetail, buildProvisionDefaultWorkspaceRequestedDetail, demoBasePartitionKeys, demoDevUserPartitionKeys, demoMembershipId, demoMembershipPartitionKey, demoRoleAssignmentId, demoRoleAssignmentPartitionKey, demoRolesForUserInTenant, demoScenarioIdentifier, demoTenantPartitionKey, demoUserPartitionKey, demoWorkspacePartitionKey, getDynamoDbDataStoreTableName, getPostgresReplicaSchemaName, getWorkflowDedupTableName, openHiTagKey, openhiResourceIdentifier, rolePartitionKey };
-export type { BridgedStatus, BuildParameterNameProps, CascadeChunkInput, CascadeFinalizeInput, CascadeFinalizeOutput, CascadeListInput, CascadeListOutput, ChildHostedZoneProps, CloudFormationStackStatusChangeDetail, CognitoFixtureSeederClientProps, DataStoreHistoricalArchiveProps, DataStorePostgresReplicaProps, DemoDevUser, DemoTenantSpec, DemoWorkspaceSpec, DiscoverableStringParameterProps, DynamoDbDataStoreProps, FhirCurrentResourceChangeDetail, GrantConsumerOptions, OpenHiAppProps, OpenHiAuthServiceProps, OpenHiDataServiceProps, OpenHiEnvironmentProps, OpenHiGlobalServiceProps, OpenHiGraphqlServiceProps, OpenHiRestApiServiceProps, OpenHiServiceProps, OpenHiServiceType, OpenHiStageProps, OwningDeleteCascadeLambdasProps, OwningDeleteCascadeWorkflowProps, PlatformDeployBridgeLambdaProps, PlatformDeployBridgeProps, PostConfirmationLambdaProps, PreTokenGenerationLambdaProps, ProvisionDefaultWorkspaceLambdaProps, ProvisionDefaultWorkspaceRequestedDetail, RenameCascadeChunkInput, RenameCascadeFinalizeInput, RenameCascadeFinalizeOutput, RenameCascadeLambdasProps, RenameCascadeListInput, RenameCascadeListOutput, RenameCascadeWorkflowProps, RootGraphqlApiProps, RootHttpApiProps, SeedDemoDataLambdaProps, SeedDemoDataWorkflowProps, SeedSystemDataLambdaProps, SeedSystemDataWorkflowProps, StaticHostingProps, UserOnboardingWorkflowProps, WorkflowDedupTableProps };
+export { BRIDGED_STATUSES, CLOUDFORMATION_EVENT_SOURCE, CLOUDFORMATION_STACK_STATUS_CHANGE_DETAIL_TYPE, CONTROL_EVENT_BUS_NAME_ENV_VAR, ChildHostedZone, CognitoUserPool, CognitoUserPoolClient, CognitoUserPoolDomain, CognitoUserPoolKmsKey, ControlEventBus, DATA_STORE_CHANGE_DETAIL_MAX_UTF8_BYTES, DATA_STORE_CHANGE_DETAIL_TYPE, DATA_STORE_CHANGE_EVENT_SOURCE, DEMO_DATA_PLANE_FIXTURES, DEMO_PERIOD, DEMO_TENANT_SPECS, DEMO_URN_SYSTEM, DEV_USERS, DataEventBus, DataStoreHistoricalArchive, DataStorePostgresReplica, DiscoverableStringParameter, DynamoDbDataStore, OPENHI_REPO_TAG_KEY_ENV_VAR, OPENHI_RESOURCE_URN_SYSTEM, OPENHI_TAG_KEY_PREFIX_ENV_VAR, OPENHI_TAG_SUFFIX_BRANCH_NAME, OPENHI_TAG_SUFFIX_REPO_NAME, OPENHI_TAG_SUFFIX_SERVICE_TYPE, OPENHI_TAG_SUFFIX_STAGE_TYPE, OWNING_DELETE_CASCADE_CONSUMER_NAME, OWNING_DELETE_CASCADE_DEFAULT_CONCURRENCY, OWNING_DELETE_CASCADE_STUCK_THRESHOLD_MINUTES, OWNING_DELETE_OPS_EVENT_BUS_ENV_VAR, OpenHiApp, OpenHiAuthService, OpenHiDataService, OpenHiEnvironment, OpenHiGlobalService, OpenHiGraphqlService, OpenHiRestApiService, OpenHiService, OpenHiStage, OpsEventBus, OwningDeleteCascadeLambdas, OwningDeleteCascadeWorkflow, PLACEHOLDER_TENANT_ID, PLACEHOLDER_WORKSPACE_ID, PLATFORM_DEPLOY_BRIDGE_ACTOR_SYSTEM, PLATFORM_SCOPE_TENANT_ID, POSTGRES_REPLICA_CLUSTER_ARN_SSM_NAME, POSTGRES_REPLICA_DATABASE_NAME_SSM_NAME, POSTGRES_REPLICA_SECRET_ARN_SSM_NAME, PROVISION_DEFAULT_WORKSPACE_DETAIL_TYPE, PlatformDeployBridge, PlatformDeployBridgeLambda, PostAuthenticationLambda, PostConfirmationLambda, PreTokenGenerationLambda, ProvisionDefaultWorkspaceLambda, RENAME_CASCADE_CONSUMER_NAME, RENAME_CASCADE_DEFAULT_CONCURRENCY, RENAME_CASCADE_FAILED_THRESHOLD, RENAME_CASCADE_OPS_EVENT_BUS_ENV_VAR, RENAME_CASCADE_SLOW_THRESHOLD_SECONDS, REST_API_BASE_URL_SSM_NAME, RenameCascadeLambdas, RenameCascadeWorkflow, RootGraphqlApi, RootHostedZone, RootHttpApi, RootWildcardCertificate, SEED_DEMO_DATA_CONSUMER_NAME, SEED_SYSTEM_DATA_ACTOR_SYSTEM, SEED_SYSTEM_DATA_CONSUMER_NAME, SEED_SYSTEM_DATA_CONTROL_BUS_ENV_VAR, STATIC_HOSTING_SERVICE_TYPE, SeedDemoDataLambda, SeedDemoDataWorkflow, SeedSystemDataLambda, SeedSystemDataWorkflow, StaticHosting, USER_ONBOARDING_EVENT_SOURCE, UserOnboardingWorkflow, WorkflowDedupConsumerNameInvalidError, WorkflowDedupTable, WorkflowDedupTableDuplicateError, buildFhirCurrentResourceChangeDetail, buildProvisionDefaultWorkspaceRequestedDetail, demoMembershipId, demoRoleAssignmentId, demoRolesForUserInTenant, demoScenarioIdentifier, getDynamoDbDataStoreTableName, getPostgresReplicaSchemaName, getWorkflowDedupTableName, openHiTagKey, openhiResourceIdentifier };
+export type { BridgedStatus, BuildParameterNameProps, CascadeChunkInput, CascadeFinalizeInput, CascadeFinalizeOutput, CascadeListInput, CascadeListOutput, ChildHostedZoneProps, CloudFormationStackStatusChangeDetail, DataStoreHistoricalArchiveProps, DataStorePostgresReplicaProps, DemoDevUser, DemoTenantSpec, DemoWorkspaceDataPlaneFixtures, DemoWorkspaceSpec, DiscoverableStringParameterProps, DynamoDbDataStoreProps, FhirCurrentResourceChangeDetail, GrantConsumerOptions, OpenHiAppProps, OpenHiAuthServiceProps, OpenHiDataServiceProps, OpenHiEnvironmentProps, OpenHiGlobalServiceProps, OpenHiGraphqlServiceProps, OpenHiRestApiServiceProps, OpenHiServiceProps, OpenHiServiceType, OpenHiStageProps, OwningDeleteCascadeLambdasProps, OwningDeleteCascadeWorkflowProps, PlatformDeployBridgeLambdaProps, PlatformDeployBridgeProps, PostConfirmationLambdaProps, PreTokenGenerationLambdaProps, ProvisionDefaultWorkspaceLambdaProps, ProvisionDefaultWorkspaceRequestedDetail, RenameCascadeChunkInput, RenameCascadeFinalizeInput, RenameCascadeFinalizeOutput, RenameCascadeLambdasProps, RenameCascadeListInput, RenameCascadeListOutput, RenameCascadeWorkflowProps, RootGraphqlApiProps, RootHttpApiProps, SeedDemoDataLambdaProps, SeedDemoDataWorkflowProps, SeedSystemDataLambdaProps, SeedSystemDataWorkflowProps, StaticHostingProps, UserOnboardingWorkflowProps, WorkflowDedupTableProps };