npm - @openhi/constructs - Versions diffs - 0.0.114 → 0.0.115 - Mend

@openhi/constructs 0.0.114 → 0.0.115

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (33) hide show

package/lib/chunk-AHYQFT4N.mjs +212 -0
package/lib/chunk-AHYQFT4N.mjs.map +1 -0
package/lib/{chunk-CUUKXDB2.mjs → chunk-AJQUWHFK.mjs} +460 -54
package/lib/chunk-AJQUWHFK.mjs.map +1 -0
package/lib/{chunk-GBDIGTNV.mjs → chunk-QWWLM452.mjs} +2 -2
package/lib/{chunk-QMBJ4VHC.mjs → chunk-U7L7T4XU.mjs} +25 -25
package/lib/{chunk-QMBJ4VHC.mjs.map → chunk-U7L7T4XU.mjs.map} +1 -1
package/lib/{chunk-NZRW7ROK.mjs → chunk-YYRWDEG4.mjs} +2 -2
package/lib/{chunk-KSFC72TT.mjs → chunk-ZHMHLK3S.mjs} +2 -2
package/lib/{events-DPodvl07.d.mts → events-CMG8xanm.d.mts} +7 -53
package/lib/{events-DPodvl07.d.ts → events-CMG8xanm.d.ts} +7 -53
package/lib/index.d.mts +64 -77
package/lib/index.d.ts +70 -129
package/lib/index.js +499 -241
package/lib/index.js.map +1 -1
package/lib/index.mjs +58 -184
package/lib/index.mjs.map +1 -1
package/lib/pre-token-generation.handler.mjs +3 -3
package/lib/provision-default-workspace.handler.mjs +3 -3
package/lib/rest-api-lambda.handler.mjs +282 -452
package/lib/rest-api-lambda.handler.mjs.map +1 -1
package/lib/seed-demo-data.handler.d.mts +6 -3
package/lib/seed-demo-data.handler.d.ts +6 -3
package/lib/seed-demo-data.handler.js +656 -0
package/lib/seed-demo-data.handler.js.map +1 -1
package/lib/seed-demo-data.handler.mjs +4 -4
package/package.json +1 -1
package/lib/chunk-53OHXLIL.mjs +0 -27
package/lib/chunk-53OHXLIL.mjs.map +0 -1
package/lib/chunk-CUUKXDB2.mjs.map +0 -1
/package/lib/{chunk-GBDIGTNV.mjs.map → chunk-QWWLM452.mjs.map} +0 -0
/package/lib/{chunk-NZRW7ROK.mjs.map → chunk-YYRWDEG4.mjs.map} +0 -0
/package/lib/{chunk-KSFC72TT.mjs.map → chunk-ZHMHLK3S.mjs.map} +0 -0

package/lib/index.mjs CHANGED Viewed

@@ -11,6 +11,7 @@ import {
   import_workflows as import_workflows2
 } from "./chunk-WPCBVDFZ.mjs";
 import {
+  DEMO_DATA_PLANE_FIXTURES,
   DEMO_PERIOD,
   DEMO_TENANT_SPECS,
   DEMO_URN_SYSTEM,
@@ -21,21 +22,13 @@ import {
   PLATFORM_SCOPE_TENANT_ID,
   SEED_DEMO_DATA_CONSUMER_NAME,
   SEED_DEMO_DATA_USER_POOL_ID_ENV_VAR,
-  demoBasePartitionKeys,
-  demoDevUserPartitionKeys,
   demoMembershipId,
-  demoMembershipPartitionKey,
   demoRoleAssignmentId,
-  demoRoleAssignmentPartitionKey,
   demoRolesForUserInTenant,
   demoScenarioIdentifier,
-  demoTenantPartitionKey,
-  demoUserPartitionKey,
-  demoWorkspacePartitionKey,
   import_workflows,
-  openhiResourceIdentifier,
-  rolePartitionKey
-} from "./chunk-CUUKXDB2.mjs";
+  openhiResourceIdentifier
+} from "./chunk-AJQUWHFK.mjs";
 import {
   OWNING_DELETE_CASCADE_CONSUMER_NAME,
   OWNING_DELETE_CASCADE_DEFAULT_CONCURRENCY,
@@ -51,7 +44,7 @@ import {
   RENAME_CASCADE_SLOW_THRESHOLD_SECONDS,
   import_workflows as import_workflows4
 } from "./chunk-23PUSHBV.mjs";
-import "./chunk-53OHXLIL.mjs";
+import "./chunk-AHYQFT4N.mjs";
 import {
   PROVISION_DEFAULT_WORKSPACE_DETAIL_TYPE,
   USER_ONBOARDING_EVENT_SOURCE,
@@ -69,10 +62,10 @@ import {
 import {
   require_lib
 } from "./chunk-ZM4GDHHC.mjs";
-import "./chunk-GBDIGTNV.mjs";
+import "./chunk-QWWLM452.mjs";
 import "./chunk-HQ67J7BP.mjs";
 import "./chunk-QJDHVMKT.mjs";
-import "./chunk-QMBJ4VHC.mjs";
+import "./chunk-U7L7T4XU.mjs";
 import "./chunk-FYHBHHWK.mjs";
 import "./chunk-6NBGYGFL.mjs";
 import "./chunk-TRY7JGWO.mjs";
@@ -620,46 +613,6 @@ var _RootGraphqlApi = class _RootGraphqlApi extends GraphqlApi {
 _RootGraphqlApi.SSM_PARAM_NAME = "ROOT_GRAPHQL_API";
 var RootGraphqlApi = _RootGraphqlApi;
-// src/components/cognito/cognito-fixture-seeder-client.ts
-import { Duration } from "aws-cdk-lib";
-import {
-  UserPoolClient
-} from "aws-cdk-lib/aws-cognito";
-var CognitoFixtureSeederClient = class extends UserPoolClient {
-  constructor(scope, props) {
-    const { userPool, ...rest } = props;
-    super(scope, "fixture-seeder-client", {
-      userPool,
-      generateSecret: false,
-      authFlows: {
-        userPassword: true
-      },
-      // No OAuth flows — the seeder calls Cognito's `InitiateAuth`
-      // directly with USER_PASSWORD_AUTH, not through the hosted-UI
-      // OAuth grant flows the SPA client uses. `disableOAuth: true`
-      // causes CDK to omit `AllowedOAuthFlowsUserPoolClient` entirely;
-      // passing an empty `oAuth` block instead still flips that flag on
-      // and Cognito rejects the create call for missing flows/scopes.
-      disableOAuth: true,
-      // Short-lived tokens: a seeder run takes seconds, not hours.
-      // 1h access-token validity is the minimum Cognito permits and is
-      // plenty for a fixture run.
-      accessTokenValidity: Duration.hours(1),
-      idTokenValidity: Duration.hours(1),
-      refreshTokenValidity: Duration.days(1),
-      preventUserExistenceErrors: true,
-      ...rest
-    });
-  }
-};
-/**
- * SSM parameter name suffix used to publish this client's ID for
- * cross-stack lookups. Built into a full parameter name via
- * `buildParameterName` with `serviceType` AUTH (since the auth stack
- * owns this resource).
- */
-CognitoFixtureSeederClient.SSM_PARAM_NAME = "COGNITO_FIXTURE_SEEDER_CLIENT";
 // src/components/cognito/cognito-user-pool.ts
 import {
   FeaturePlan,
@@ -704,8 +657,8 @@ var CognitoUserPool = class extends UserPool {
 CognitoUserPool.SSM_PARAM_NAME = "COGNITO_USER_POOL";
 // src/components/cognito/cognito-user-pool-client.ts
-import { UserPoolClient as UserPoolClient2 } from "aws-cdk-lib/aws-cognito";
-var CognitoUserPoolClient = class extends UserPoolClient2 {
+import { UserPoolClient } from "aws-cdk-lib/aws-cognito";
+var CognitoUserPoolClient = class extends UserPoolClient {
   constructor(scope, props) {
     super(scope, "user-pool-client", {
       /**
@@ -850,7 +803,7 @@ var PreTokenGenerationLambda = class extends Construct3 {
 // src/components/dynamodb/data-store-historical-archive.ts
 import fs4 from "fs";
 import path4 from "path";
-import { Duration as Duration2, RemovalPolicy as RemovalPolicy2, Size } from "aws-cdk-lib";
+import { Duration, RemovalPolicy as RemovalPolicy2, Size } from "aws-cdk-lib";
 import * as kinesisfirehose from "aws-cdk-lib/aws-kinesisfirehose";
 import { Runtime as Runtime4 } from "aws-cdk-lib/aws-lambda";
 import { NodejsFunction as NodejsFunction4 } from "aws-cdk-lib/aws-lambda-nodejs";
@@ -888,7 +841,7 @@ var DataStoreHistoricalArchive = class extends Construct4 {
       entry: resolveHandlerEntry4(__dirname),
       runtime: Runtime4.NODEJS_LATEST,
       memorySize: 512,
-      timeout: Duration2.minutes(1),
+      timeout: Duration.minutes(1),
       description: "Firehose transform: filter CURRENT resource rows, S3 keys, EventBridge PutEvents",
       environment: props.dataEventBus && putEventsFailureDlqBucket ? {
         DATA_EVENT_BUS_NAME: props.dataEventBus.eventBusName,
@@ -904,14 +857,14 @@ var DataStoreHistoricalArchive = class extends Construct4 {
     const processor = new kinesisfirehose.LambdaFunctionProcessor(
       this.transformFunction,
       {
-        bufferInterval: Duration2.seconds(60),
+        bufferInterval: Duration.seconds(60),
         bufferSize: Size.mebibytes(3),
         retries: 3
       }
     );
     const destination = new kinesisfirehose.S3Bucket(this.archiveBucket, {
       compression: kinesisfirehose.Compression.GZIP,
-      bufferingInterval: Duration2.seconds(300),
+      bufferingInterval: Duration.seconds(300),
       // Firehose requires SizeInMBs ≥ 64 when dynamic partitioning is enabled.
       bufferingSize: Size.mebibytes(64),
       processors: [processor],
@@ -1291,7 +1244,7 @@ var ControlEventBus = class _ControlEventBus extends EventBus3 {
 // src/components/postgres/data-store-postgres-replica.ts
 import fs5 from "fs";
 import path5 from "path";
-import { Duration as Duration3, Stack as Stack2 } from "aws-cdk-lib";
+import { Duration as Duration2, Stack as Stack2 } from "aws-cdk-lib";
 import * as ec2 from "aws-cdk-lib/aws-ec2";
 import { Runtime as Runtime5, StartingPosition } from "aws-cdk-lib/aws-lambda";
 import { KinesisEventSource } from "aws-cdk-lib/aws-lambda-event-sources";
@@ -1393,7 +1346,7 @@ var DataStorePostgresReplica = class extends Construct6 {
       entry: resolveHandlerEntry5(__dirname),
       runtime: Runtime5.NODEJS_LATEST,
       memorySize: 512,
-      timeout: Duration3.minutes(1),
+      timeout: Duration2.minutes(1),
       vpc: this.vpc,
       vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE_ISOLATED },
       description: "Replicates DynamoDB current-resource changes into the Postgres `resources` JSONB table (ADR 2026-04-17-01).",
@@ -1420,7 +1373,7 @@ var DataStorePostgresReplica = class extends Construct6 {
       new KinesisEventSource(props.kinesisStream, {
         startingPosition: StartingPosition.LATEST,
         batchSize: 100,
-        maxBatchingWindow: Duration3.seconds(5),
+        maxBatchingWindow: Duration2.seconds(5),
         retryAttempts: 10,
         bisectBatchOnError: true,
         parallelizationFactor: 2,
@@ -1453,7 +1406,7 @@ var DataStorePostgresReplica = class extends Construct6 {
 };
 // src/components/route-53/child-hosted-zone.ts
-import { Duration as Duration4 } from "aws-cdk-lib";
+import { Duration as Duration3 } from "aws-cdk-lib";
 import {
   HostedZone,
   NsRecord
@@ -1465,7 +1418,7 @@ var ChildHostedZone = class extends HostedZone {
       zone: props.parentHostedZone,
       recordName: this.zoneName,
       values: this.hostedZoneNameServers || [],
-      ttl: Duration4.minutes(5)
+      ttl: Duration3.minutes(5)
     });
   }
 };
@@ -1486,7 +1439,7 @@ import {
 } from "aws-cdk-lib/aws-cloudfront";
 import { S3BucketOrigin } from "aws-cdk-lib/aws-cloudfront-origins";
 import { Bucket as Bucket2 } from "aws-cdk-lib/aws-s3";
-import { Duration as Duration5 } from "aws-cdk-lib/core";
+import { Duration as Duration4 } from "aws-cdk-lib/core";
 import { Construct as Construct8 } from "constructs";
 var STATIC_HOSTING_SERVICE_TYPE = "website";
 var _StaticHosting = class _StaticHosting extends Construct8 {
@@ -1507,9 +1460,9 @@ var _StaticHosting = class _StaticHosting extends Construct8 {
     const cachePolicy = new CachePolicy(this, "cache-policy", {
       cachePolicyName: `static-hosting-10s-${stack.branchHash}`,
       comment: "Low TTL (10s) for static hosting; no invalidation",
-      defaultTtl: Duration5.seconds(10),
-      minTtl: Duration5.seconds(0),
-      maxTtl: Duration5.seconds(10)
+      defaultTtl: Duration4.seconds(10),
+      minTtl: Duration4.seconds(0),
+      maxTtl: Duration4.seconds(10)
     });
     this.distribution = new Distribution(this, "distribution", {
       defaultBehavior: {
@@ -1541,11 +1494,10 @@ _StaticHosting.SSM_PARAM_NAME_DISTRIBUTION_ARN = "STATIC_HOSTING_DISTRIBUTION_AR
 var StaticHosting = _StaticHosting;
 // src/services/open-hi-auth-service.ts
-var import_config5 = __toESM(require_lib2());
 import {
   LambdaVersion,
   UserPool as UserPool2,
-  UserPoolClient as UserPoolClient3,
+  UserPoolClient as UserPoolClient2,
   UserPoolDomain as UserPoolDomain2,
   UserPoolOperation
 } from "aws-cdk-lib/aws-cognito";
@@ -1575,7 +1527,7 @@ import { Construct as Construct10 } from "constructs";
 // src/workflows/control-plane/platform-deploy-bridge/platform-deploy-bridge-lambda.ts
 import fs6 from "fs";
 import path6 from "path";
-import { Duration as Duration6, Stack as Stack3 } from "aws-cdk-lib";
+import { Duration as Duration5, Stack as Stack3 } from "aws-cdk-lib";
 import { Rule } from "aws-cdk-lib/aws-events";
 import { LambdaFunction } from "aws-cdk-lib/aws-events-targets";
 import { Effect as Effect2, PolicyStatement as PolicyStatement2 } from "aws-cdk-lib/aws-iam";
@@ -1607,7 +1559,7 @@ var PlatformDeployBridgeLambda = class extends Construct9 {
       entry: resolveHandlerEntry6(__dirname),
       runtime: Runtime6.NODEJS_LATEST,
       memorySize: 256,
-      timeout: Duration6.seconds(30),
+      timeout: Duration5.seconds(30),
       environment: {
         [CONTROL_EVENT_BUS_NAME_ENV_VAR]: props.controlEventBus.eventBusName,
         [OPENHI_REPO_TAG_KEY_ENV_VAR]: repoTagKey,
@@ -1638,7 +1590,7 @@ var PlatformDeployBridgeLambda = class extends Construct9 {
       targets: [
         new LambdaFunction(this.lambda, {
           retryAttempts: 2,
-          maxEventAge: Duration6.hours(2)
+          maxEventAge: Duration5.hours(2)
         })
       ]
     });
@@ -1841,8 +1793,7 @@ var OpenHiGlobalService = _OpenHiGlobalService;
 // src/workflows/control-plane/seed-demo-data/seed-demo-data-lambda.ts
 import fs7 from "fs";
 import path7 from "path";
-import { PLATFORM_ROLE_IDS } from "@openhi/types";
-import { Duration as Duration7, Stack as Stack4 } from "aws-cdk-lib";
+import { Duration as Duration6, Stack as Stack4 } from "aws-cdk-lib";
 import { Rule as Rule2 } from "aws-cdk-lib/aws-events";
 import { LambdaFunction as LambdaFunction2 } from "aws-cdk-lib/aws-events-targets";
 import { Effect as Effect3, PolicyStatement as PolicyStatement3 } from "aws-cdk-lib/aws-iam";
@@ -1864,39 +1815,24 @@ var SeedDemoDataLambda = class extends Construct11 {
       entry: resolveHandlerEntry7(__dirname),
       runtime: Runtime7.NODEJS_LATEST,
       memorySize: 512,
-      timeout: Duration7.minutes(2),
+      timeout: Duration6.minutes(2),
       environment: {
         DYNAMO_TABLE_NAME: props.dataStoreTable.tableName,
         [SEED_DEMO_DATA_USER_POOL_ID_ENV_VAR]: props.userPool.userPoolId
       }
     });
-    const roleReadKeys = Object.values(PLATFORM_ROLE_IDS).map(rolePartitionKey);
     this.lambda.addToRolePolicy(
       new PolicyStatement3({
         effect: Effect3.ALLOW,
         actions: ["dynamodb:GetItem"],
-        resources: [props.dataStoreTable.tableArn],
-        conditions: {
-          "ForAllValues:StringEquals": {
-            "dynamodb:LeadingKeys": roleReadKeys
-          }
-        }
+        resources: [props.dataStoreTable.tableArn]
       })
     );
-    const writeKeys = [
-      ...demoBasePartitionKeys(),
-      ...demoDevUserPartitionKeys(DEV_USERS)
-    ];
     this.lambda.addToRolePolicy(
       new PolicyStatement3({
         effect: Effect3.ALLOW,
         actions: ["dynamodb:PutItem", "dynamodb:UpdateItem"],
-        resources: [props.dataStoreTable.tableArn],
-        conditions: {
-          "ForAllValues:StringEquals": {
-            "dynamodb:LeadingKeys": writeKeys
-          }
-        }
+        resources: [props.dataStoreTable.tableArn]
       })
     );
     this.lambda.addToRolePolicy(
@@ -1925,7 +1861,7 @@ var SeedDemoDataLambda = class extends Construct11 {
       targets: [
         new LambdaFunction2(this.lambda, {
           retryAttempts: 2,
-          maxEventAge: Duration7.hours(2)
+          maxEventAge: Duration6.hours(2)
         })
       ]
     });
@@ -1953,8 +1889,8 @@ var SeedDemoDataWorkflow = class extends Construct12 {
 // src/workflows/control-plane/seed-system-data/seed-system-data-lambda.ts
 import fs8 from "fs";
 import path8 from "path";
-import { PLATFORM_ROLE_IDS as PLATFORM_ROLE_IDS2 } from "@openhi/types";
-import { Duration as Duration8, Stack as Stack5 } from "aws-cdk-lib";
+import { PLATFORM_ROLE_IDS } from "@openhi/types";
+import { Duration as Duration7, Stack as Stack5 } from "aws-cdk-lib";
 import { Rule as Rule3 } from "aws-cdk-lib/aws-events";
 import { LambdaFunction as LambdaFunction3 } from "aws-cdk-lib/aws-events-targets";
 import { Effect as Effect4, PolicyStatement as PolicyStatement4 } from "aws-cdk-lib/aws-iam";
@@ -1976,13 +1912,13 @@ var SeedSystemDataLambda = class extends Construct13 {
       entry: resolveHandlerEntry8(__dirname),
       runtime: Runtime8.NODEJS_LATEST,
       memorySize: 512,
-      timeout: Duration8.minutes(1),
+      timeout: Duration7.minutes(1),
       environment: {
         DYNAMO_TABLE_NAME: props.dataStoreTable.tableName,
         [SEED_SYSTEM_DATA_CONTROL_BUS_ENV_VAR]: props.controlEventBus.eventBusName
       }
     });
-    const roleArns = Object.values(PLATFORM_ROLE_IDS2).map(
+    const roleArns = Object.values(PLATFORM_ROLE_IDS).map(
       (id) => `role#id#${id}`
     );
     this.lambda.addToRolePolicy(
@@ -2013,7 +1949,7 @@ var SeedSystemDataLambda = class extends Construct13 {
       targets: [
         new LambdaFunction3(this.lambda, {
           retryAttempts: 2,
-          maxEventAge: Duration8.hours(2)
+          maxEventAge: Duration7.hours(2)
         })
       ]
     });
@@ -2150,7 +2086,7 @@ var OpenHiDataService = _OpenHiDataService;
 // src/workflows/control-plane/user-onboarding/provision-default-workspace-lambda.ts
 import fs9 from "fs";
 import path9 from "path";
-import { Duration as Duration9 } from "aws-cdk-lib";
+import { Duration as Duration8 } from "aws-cdk-lib";
 import { Rule as Rule4 } from "aws-cdk-lib/aws-events";
 import { LambdaFunction as LambdaFunction4 } from "aws-cdk-lib/aws-events-targets";
 import { Effect as Effect5, PolicyStatement as PolicyStatement5 } from "aws-cdk-lib/aws-iam";
@@ -2197,7 +2133,7 @@ var ProvisionDefaultWorkspaceLambda = class extends Construct15 {
       targets: [
         new LambdaFunction4(this.lambda, {
           retryAttempts: 2,
-          maxEventAge: Duration9.hours(2)
+          maxEventAge: Duration8.hours(2)
         })
       ]
     });
@@ -2240,7 +2176,6 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
     this.grantPostConfirmationPermissions();
     this.userPoolClient = this.createUserPoolClient();
     this.userPoolDomain = this.createUserPoolDomain();
-    this.fixtureSeederClient = this.createFixtureSeederClient();
   }
   /**
    * Returns an IUserPool by looking up the Auth stack's User Pool ID from SSM.
@@ -2263,33 +2198,12 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
         serviceType: _OpenHiAuthService.SERVICE_TYPE
       }
     );
-    return UserPoolClient3.fromUserPoolClientId(
+    return UserPoolClient2.fromUserPoolClientId(
       scope,
       "user-pool-client",
       userPoolClientId
     );
   }
-  /**
-   * Returns the dedicated fixture-seeder IUserPoolClient by looking up
-   * its ID from SSM. Only non-prod auth stacks publish this parameter
-   * (per the conditional in {@link createFixtureSeederClient}); calling
-   * this against a prod-deployed stack will fail at lookup time.
-   *
-   * Consumed by `OpenHiRestApiService` (in non-prod) so the authorizer
-   * accepts tokens issued by this client, and by the seed-fixtures CLI
-   * to drive USER_PASSWORD_AUTH against this client's ID.
-   */
-  static fixtureSeederClientFromConstruct(scope) {
-    const clientId = DiscoverableStringParameter.valueForLookupName(scope, {
-      ssmParamName: CognitoFixtureSeederClient.SSM_PARAM_NAME,
-      serviceType: _OpenHiAuthService.SERVICE_TYPE
-    });
-    return UserPoolClient3.fromUserPoolClientId(
-      scope,
-      "fixture-seeder-client",
-      clientId
-    );
-  }
   /**
    * Returns an IUserPoolDomain by looking up the Auth stack's User Pool Domain from SSM.
    */
@@ -2478,31 +2392,6 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
     });
     return client;
   }
-  /**
-   * Creates the dedicated USER_PASSWORD_AUTH app client for the
-   * `@openhi/seed-fixtures` CLI, **only** in non-prod environments.
-   * Returns `undefined` when this stack is being deployed to a prod
-   * stage so the prod auth stack carries no fixture-seeder code path.
-   *
-   * Operator post-deploy: create a `fixture-seeder` Cognito user with
-   * a service password (manually via console or scripted with
-   * `aws cognito-idp admin-create-user`); the CLI consumes those creds
-   * via env vars to drive `InitiateAuth`.
-   */
-  createFixtureSeederClient() {
-    if (this.ohEnv.ohStage.stageType === import_config5.OPEN_HI_STAGE.PROD) {
-      return void 0;
-    }
-    const client = new CognitoFixtureSeederClient(this, {
-      userPool: this.userPool
-    });
-    new DiscoverableStringParameter(this, "fixture-seeder-client-param", {
-      ssmParamName: CognitoFixtureSeederClient.SSM_PARAM_NAME,
-      stringValue: client.userPoolClientId,
-      description: "Cognito User Pool Client ID for the OpenHI fixture-seeder CLI (USER_PASSWORD_AUTH; non-prod only); cross-stack reference"
-    });
-    return client;
-  }
   /**
    * Creates the User Pool Domain (Cognito hosted UI) and exports domain name to SSM.
    * Look up via {@link OpenHiAuthService.userPoolDomainFromConstruct}.
@@ -2527,7 +2416,6 @@ _OpenHiAuthService.SERVICE_TYPE = "auth";
 var OpenHiAuthService = _OpenHiAuthService;
 // src/services/open-hi-rest-api-service.ts
-var import_config6 = __toESM(require_lib2());
 import {
   CorsHttpMethod,
   DomainName,
@@ -2546,7 +2434,7 @@ import {
   RecordTarget
 } from "aws-cdk-lib/aws-route53";
 import { ApiGatewayv2DomainProperties } from "aws-cdk-lib/aws-route53-targets";
-import { Duration as Duration10 } from "aws-cdk-lib/core";
+import { Duration as Duration9 } from "aws-cdk-lib/core";
 // src/data/lambda/cors-options-lambda.ts
 import fs10 from "fs";
@@ -2831,16 +2719,10 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
   createRootHttpApi(domainName) {
     const userPool = OpenHiAuthService.userPoolFromConstruct(this);
     const userPoolClient = OpenHiAuthService.userPoolClientFromConstruct(this);
-    const userPoolClients = [userPoolClient];
-    if (this.ohEnv.ohStage.stageType !== import_config6.OPEN_HI_STAGE.PROD) {
-      userPoolClients.push(
-        OpenHiAuthService.fixtureSeederClientFromConstruct(this)
-      );
-    }
     const cognitoAuthorizer = new HttpUserPoolAuthorizer(
       "cognito-authorizer",
       userPool,
-      { userPoolClients }
+      { userPoolClients: [userPoolClient] }
     );
     const { corsPreflight: cors, ...restRootHttpApiProps } = this.props.rootHttpApiProps ?? {};
     const corsPreflight = cors !== void 0 ? {
@@ -2859,7 +2741,7 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
         "Authorization"
       ],
       allowCredentials: cors.allowCredentials ?? true,
-      maxAge: cors.maxAge ?? Duration10.days(1),
+      maxAge: cors.maxAge ?? Duration9.days(1),
       ...cors.exposeHeaders !== void 0 && {
         exposeHeaders: cors.exposeHeaders
       }
@@ -2927,7 +2809,7 @@ var OpenHiGraphqlService = _OpenHiGraphqlService;
 // src/workflows/control-plane/owning-delete-cascade/owning-delete-cascade-lambdas.ts
 import fs12 from "fs";
 import path12 from "path";
-import { Duration as Duration11 } from "aws-cdk-lib";
+import { Duration as Duration10 } from "aws-cdk-lib";
 import { Effect as Effect8, PolicyStatement as PolicyStatement8 } from "aws-cdk-lib/aws-iam";
 import { Runtime as Runtime12 } from "aws-cdk-lib/aws-lambda";
 import { NodejsFunction as NodejsFunction12 } from "aws-cdk-lib/aws-lambda-nodejs";
@@ -2951,7 +2833,7 @@ var OwningDeleteCascadeLambdas = class extends Construct19 {
       entry: listResolved.entry,
       runtime: Runtime12.NODEJS_LATEST,
       memorySize: 512,
-      timeout: Duration11.minutes(1),
+      timeout: Duration10.minutes(1),
       environment: {
         DYNAMO_TABLE_NAME: props.dataStoreTable.tableName
       }
@@ -2965,7 +2847,7 @@ var OwningDeleteCascadeLambdas = class extends Construct19 {
       entry: deleteResolved.entry,
       runtime: Runtime12.NODEJS_LATEST,
       memorySize: 512,
-      timeout: Duration11.minutes(1),
+      timeout: Duration10.minutes(1),
       environment: {
         DYNAMO_TABLE_NAME: props.dataStoreTable.tableName
       }
@@ -2984,7 +2866,7 @@ var OwningDeleteCascadeLambdas = class extends Construct19 {
       entry: finalizeResolved.entry,
       runtime: Runtime12.NODEJS_LATEST,
       memorySize: 512,
-      timeout: Duration11.minutes(1),
+      timeout: Duration10.minutes(1),
       environment: {
         DYNAMO_TABLE_NAME: props.dataStoreTable.tableName,
         [OWNING_DELETE_OPS_EVENT_BUS_ENV_VAR]: props.opsEventBus.eventBusName
@@ -3002,7 +2884,7 @@ var OwningDeleteCascadeLambdas = class extends Construct19 {
 };
 // src/workflows/control-plane/owning-delete-cascade/owning-delete-cascade-workflow.ts
-import { Duration as Duration12 } from "aws-cdk-lib";
+import { Duration as Duration11 } from "aws-cdk-lib";
 import { Rule as Rule5 } from "aws-cdk-lib/aws-events";
 import { SfnStateMachine } from "aws-cdk-lib/aws-events-targets";
 import {
@@ -3128,7 +3010,7 @@ var OwningDeleteCascadeWorkflow = class extends Construct20 {
       }
     });
     const interPageWait = new Wait(this, "inter-page-wait", {
-      time: WaitTime.duration(Duration12.seconds(0))
+      time: WaitTime.duration(Duration11.seconds(0))
     });
     const isExhausted = new Choice(this, "is-exhausted");
     const finalize = new LambdaInvoke(this, "finalize", {
@@ -3159,7 +3041,7 @@ var OwningDeleteCascadeWorkflow = class extends Construct20 {
       // Long timeout because real-world cascades can run minutes when
       // a workspace has thousands of members. The stuck-cascade alarm
       // fires at 15 minutes; the state machine itself does not abort.
-      timeout: Duration12.hours(2)
+      timeout: Duration11.hours(2)
     });
     this.rule = new Rule5(this, "rule", {
       eventBus: props.dataEventBus,
@@ -3170,7 +3052,7 @@ var OwningDeleteCascadeWorkflow = class extends Construct20 {
       targets: [
         new SfnStateMachine(this.stateMachine, {
           retryAttempts: 2,
-          maxEventAge: Duration12.hours(2)
+          maxEventAge: Duration11.hours(2)
         })
       ]
     });
@@ -3180,7 +3062,7 @@ var OwningDeleteCascadeWorkflow = class extends Construct20 {
 // src/workflows/control-plane/rename-cascade/rename-cascade-lambdas.ts
 import fs13 from "fs";
 import path13 from "path";
-import { Duration as Duration13 } from "aws-cdk-lib";
+import { Duration as Duration12 } from "aws-cdk-lib";
 import { Effect as Effect9, PolicyStatement as PolicyStatement9 } from "aws-cdk-lib/aws-iam";
 import { Runtime as Runtime13 } from "aws-cdk-lib/aws-lambda";
 import { NodejsFunction as NodejsFunction13 } from "aws-cdk-lib/aws-lambda-nodejs";
@@ -3204,7 +3086,7 @@ var RenameCascadeLambdas = class extends Construct21 {
       entry: listResolved.entry,
       runtime: Runtime13.NODEJS_LATEST,
       memorySize: 512,
-      timeout: Duration13.minutes(1),
+      timeout: Duration12.minutes(1),
       environment: {
         DYNAMO_TABLE_NAME: props.dataStoreTable.tableName
       }
@@ -3218,7 +3100,7 @@ var RenameCascadeLambdas = class extends Construct21 {
       entry: rewriteResolved.entry,
       runtime: Runtime13.NODEJS_LATEST,
       memorySize: 512,
-      timeout: Duration13.minutes(1),
+      timeout: Duration12.minutes(1),
       environment: {
         DYNAMO_TABLE_NAME: props.dataStoreTable.tableName
       }
@@ -3237,7 +3119,7 @@ var RenameCascadeLambdas = class extends Construct21 {
       entry: finalizeResolved.entry,
       runtime: Runtime13.NODEJS_LATEST,
       memorySize: 512,
-      timeout: Duration13.minutes(1),
+      timeout: Duration12.minutes(1),
       environment: {
         [RENAME_CASCADE_OPS_EVENT_BUS_ENV_VAR]: props.opsEventBus.eventBusName
       }
@@ -3253,7 +3135,7 @@ var RenameCascadeLambdas = class extends Construct21 {
 };
 // src/workflows/control-plane/rename-cascade/rename-cascade-workflow.ts
-import { Duration as Duration14 } from "aws-cdk-lib";
+import { Duration as Duration13 } from "aws-cdk-lib";
 import { Rule as Rule6 } from "aws-cdk-lib/aws-events";
 import { SfnStateMachine as SfnStateMachine2 } from "aws-cdk-lib/aws-events-targets";
 import {
@@ -3412,7 +3294,7 @@ var RenameCascadeWorkflow = class extends Construct22 {
       // Long timeout — large renames may rewrite thousands of rows;
       // the `CascadeSlow` alarm fires at 300s p99 but the state
       // machine itself does not abort.
-      timeout: Duration14.hours(2)
+      timeout: Duration13.hours(2)
     });
     this.rule = new Rule6(this, "rule", {
       eventBus: props.dataEventBus,
@@ -3423,7 +3305,7 @@ var RenameCascadeWorkflow = class extends Construct22 {
       targets: [
         new SfnStateMachine2(this.stateMachine, {
           retryAttempts: 2,
-          maxEventAge: Duration14.hours(2)
+          maxEventAge: Duration13.hours(2)
         })
       ]
     });
@@ -3444,7 +3326,6 @@ export {
   CLOUDFORMATION_STACK_STATUS_CHANGE_DETAIL_TYPE,
   CONTROL_EVENT_BUS_NAME_ENV_VAR,
   ChildHostedZone,
-  CognitoFixtureSeederClient,
   CognitoUserPool,
   CognitoUserPoolClient,
   CognitoUserPoolDomain,
@@ -3459,6 +3340,7 @@ export {
   DATA_STORE_CHANGE_DETAIL_MAX_UTF8_BYTES,
   DATA_STORE_CHANGE_DETAIL_TYPE,
   DATA_STORE_CHANGE_EVENT_SOURCE,
+  DEMO_DATA_PLANE_FIXTURES,
   DEMO_PERIOD,
   DEMO_TENANT_SPECS,
   DEMO_URN_SYSTEM,
@@ -3537,22 +3419,14 @@ export {
   WorkflowDedupTableDuplicateError,
   buildFhirCurrentResourceChangeDetail,
   buildProvisionDefaultWorkspaceRequestedDetail,
-  demoBasePartitionKeys,
-  demoDevUserPartitionKeys,
   demoMembershipId,
-  demoMembershipPartitionKey,
   demoRoleAssignmentId,
-  demoRoleAssignmentPartitionKey,
   demoRolesForUserInTenant,
   demoScenarioIdentifier,
-  demoTenantPartitionKey,
-  demoUserPartitionKey,
-  demoWorkspacePartitionKey,
   getDynamoDbDataStoreTableName,
   getPostgresReplicaSchemaName,
   getWorkflowDedupTableName,
   openHiTagKey,
-  openhiResourceIdentifier,
-  rolePartitionKey
+  openhiResourceIdentifier
 };
 //# sourceMappingURL=index.mjs.map