@openhi/constructs 0.0.114 → 0.0.116

package/lib/index.mjs

@@ -11,6 +11,7 @@ import {
   import_workflows as import_workflows2
 } from "./chunk-WPCBVDFZ.mjs";
 import {
+  DEMO_DATA_PLANE_FIXTURES,
   DEMO_PERIOD,
   DEMO_TENANT_SPECS,
   DEMO_URN_SYSTEM,
@@ -21,21 +22,13 @@ import {
   PLATFORM_SCOPE_TENANT_ID,
   SEED_DEMO_DATA_CONSUMER_NAME,
   SEED_DEMO_DATA_USER_POOL_ID_ENV_VAR,
-  demoBasePartitionKeys,
-  demoDevUserPartitionKeys,
   demoMembershipId,
-  demoMembershipPartitionKey,
   demoRoleAssignmentId,
-  demoRoleAssignmentPartitionKey,
   demoRolesForUserInTenant,
   demoScenarioIdentifier,
-  demoTenantPartitionKey,
-  demoUserPartitionKey,
-  demoWorkspacePartitionKey,
   import_workflows,
-  openhiResourceIdentifier,
-  rolePartitionKey
-} from "./chunk-CUUKXDB2.mjs";
+  openhiResourceIdentifier
+} from "./chunk-AJQUWHFK.mjs";
 import {
   OWNING_DELETE_CASCADE_CONSUMER_NAME,
   OWNING_DELETE_CASCADE_DEFAULT_CONCURRENCY,
@@ -51,7 +44,7 @@ import {
   RENAME_CASCADE_SLOW_THRESHOLD_SECONDS,
   import_workflows as import_workflows4
 } from "./chunk-23PUSHBV.mjs";
-import "./chunk-53OHXLIL.mjs";
+import "./chunk-AHYQFT4N.mjs";
 import {
   PROVISION_DEFAULT_WORKSPACE_DETAIL_TYPE,
   USER_ONBOARDING_EVENT_SOURCE,
@@ -69,10 +62,10 @@ import {
 import {
   require_lib
 } from "./chunk-ZM4GDHHC.mjs";
-import "./chunk-GBDIGTNV.mjs";
+import "./chunk-QWWLM452.mjs";
 import "./chunk-HQ67J7BP.mjs";
 import "./chunk-QJDHVMKT.mjs";
-import "./chunk-QMBJ4VHC.mjs";
+import "./chunk-U7L7T4XU.mjs";
 import "./chunk-FYHBHHWK.mjs";
 import "./chunk-6NBGYGFL.mjs";
 import "./chunk-TRY7JGWO.mjs";
@@ -620,46 +613,6 @@ var _RootGraphqlApi = class _RootGraphqlApi extends GraphqlApi {
 _RootGraphqlApi.SSM_PARAM_NAME = "ROOT_GRAPHQL_API";
 var RootGraphqlApi = _RootGraphqlApi;
 
-// src/components/cognito/cognito-fixture-seeder-client.ts
-import { Duration } from "aws-cdk-lib";
-import {
-  UserPoolClient
-} from "aws-cdk-lib/aws-cognito";
-var CognitoFixtureSeederClient = class extends UserPoolClient {
-  constructor(scope, props) {
-    const { userPool, ...rest } = props;
-    super(scope, "fixture-seeder-client", {
-      userPool,
-      generateSecret: false,
-      authFlows: {
-        userPassword: true
-      },
-      // No OAuth flows — the seeder calls Cognito's `InitiateAuth`
-      // directly with USER_PASSWORD_AUTH, not through the hosted-UI
-      // OAuth grant flows the SPA client uses. `disableOAuth: true`
-      // causes CDK to omit `AllowedOAuthFlowsUserPoolClient` entirely;
-      // passing an empty `oAuth` block instead still flips that flag on
-      // and Cognito rejects the create call for missing flows/scopes.
-      disableOAuth: true,
-      // Short-lived tokens: a seeder run takes seconds, not hours.
-      // 1h access-token validity is the minimum Cognito permits and is
-      // plenty for a fixture run.
-      accessTokenValidity: Duration.hours(1),
-      idTokenValidity: Duration.hours(1),
-      refreshTokenValidity: Duration.days(1),
-      preventUserExistenceErrors: true,
-      ...rest
-    });
-  }
-};
-/**
- * SSM parameter name suffix used to publish this client's ID for
- * cross-stack lookups. Built into a full parameter name via
- * `buildParameterName` with `serviceType` AUTH (since the auth stack
- * owns this resource).
- */
-CognitoFixtureSeederClient.SSM_PARAM_NAME = "COGNITO_FIXTURE_SEEDER_CLIENT";
-
 // src/components/cognito/cognito-user-pool.ts
 import {
   FeaturePlan,
@@ -704,8 +657,8 @@ var CognitoUserPool = class extends UserPool {
 CognitoUserPool.SSM_PARAM_NAME = "COGNITO_USER_POOL";
 
 // src/components/cognito/cognito-user-pool-client.ts
-import { UserPoolClient as UserPoolClient2 } from "aws-cdk-lib/aws-cognito";
-var CognitoUserPoolClient = class extends UserPoolClient2 {
+import { UserPoolClient } from "aws-cdk-lib/aws-cognito";
+var CognitoUserPoolClient = class extends UserPoolClient {
   constructor(scope, props) {
     super(scope, "user-pool-client", {
       /**
@@ -850,7 +803,7 @@ var PreTokenGenerationLambda = class extends Construct3 {
 // src/components/dynamodb/data-store-historical-archive.ts
 import fs4 from "fs";
 import path4 from "path";
-import { Duration as Duration2, RemovalPolicy as RemovalPolicy2, Size } from "aws-cdk-lib";
+import { Duration, RemovalPolicy as RemovalPolicy2, Size } from "aws-cdk-lib";
 import * as kinesisfirehose from "aws-cdk-lib/aws-kinesisfirehose";
 import { Runtime as Runtime4 } from "aws-cdk-lib/aws-lambda";
 import { NodejsFunction as NodejsFunction4 } from "aws-cdk-lib/aws-lambda-nodejs";
@@ -888,7 +841,7 @@ var DataStoreHistoricalArchive = class extends Construct4 {
       entry: resolveHandlerEntry4(__dirname),
       runtime: Runtime4.NODEJS_LATEST,
       memorySize: 512,
-      timeout: Duration2.minutes(1),
+      timeout: Duration.minutes(1),
       description: "Firehose transform: filter CURRENT resource rows, S3 keys, EventBridge PutEvents",
       environment: props.dataEventBus && putEventsFailureDlqBucket ? {
         DATA_EVENT_BUS_NAME: props.dataEventBus.eventBusName,
@@ -904,14 +857,14 @@ var DataStoreHistoricalArchive = class extends Construct4 {
     const processor = new kinesisfirehose.LambdaFunctionProcessor(
       this.transformFunction,
       {
-        bufferInterval: Duration2.seconds(60),
+        bufferInterval: Duration.seconds(60),
         bufferSize: Size.mebibytes(3),
         retries: 3
       }
     );
     const destination = new kinesisfirehose.S3Bucket(this.archiveBucket, {
       compression: kinesisfirehose.Compression.GZIP,
-      bufferingInterval: Duration2.seconds(300),
+      bufferingInterval: Duration.seconds(300),
       // Firehose requires SizeInMBs ≥ 64 when dynamic partitioning is enabled.
       bufferingSize: Size.mebibytes(64),
       processors: [processor],
@@ -1291,7 +1244,7 @@ var ControlEventBus = class _ControlEventBus extends EventBus3 {
 // src/components/postgres/data-store-postgres-replica.ts
 import fs5 from "fs";
 import path5 from "path";
-import { Duration as Duration3, Stack as Stack2 } from "aws-cdk-lib";
+import { Duration as Duration2, Stack as Stack2 } from "aws-cdk-lib";
 import * as ec2 from "aws-cdk-lib/aws-ec2";
 import { Runtime as Runtime5, StartingPosition } from "aws-cdk-lib/aws-lambda";
 import { KinesisEventSource } from "aws-cdk-lib/aws-lambda-event-sources";
@@ -1393,7 +1346,7 @@ var DataStorePostgresReplica = class extends Construct6 {
       entry: resolveHandlerEntry5(__dirname),
       runtime: Runtime5.NODEJS_LATEST,
       memorySize: 512,
-      timeout: Duration3.minutes(1),
+      timeout: Duration2.minutes(1),
       vpc: this.vpc,
       vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE_ISOLATED },
       description: "Replicates DynamoDB current-resource changes into the Postgres `resources` JSONB table (ADR 2026-04-17-01).",
@@ -1420,7 +1373,7 @@ var DataStorePostgresReplica = class extends Construct6 {
       new KinesisEventSource(props.kinesisStream, {
         startingPosition: StartingPosition.LATEST,
         batchSize: 100,
-        maxBatchingWindow: Duration3.seconds(5),
+        maxBatchingWindow: Duration2.seconds(5),
         retryAttempts: 10,
         bisectBatchOnError: true,
         parallelizationFactor: 2,
@@ -1453,7 +1406,7 @@ var DataStorePostgresReplica = class extends Construct6 {
 };
 
 // src/components/route-53/child-hosted-zone.ts
-import { Duration as Duration4 } from "aws-cdk-lib";
+import { Duration as Duration3 } from "aws-cdk-lib";
 import {
   HostedZone,
   NsRecord
@@ -1465,7 +1418,7 @@ var ChildHostedZone = class extends HostedZone {
       zone: props.parentHostedZone,
       recordName: this.zoneName,
       values: this.hostedZoneNameServers || [],
-      ttl: Duration4.minutes(5)
+      ttl: Duration3.minutes(5)
     });
   }
 };
@@ -1479,14 +1432,39 @@ import { Construct as Construct7 } from "constructs";
 var RootHostedZone = class extends Construct7 {
 };
 
+// src/components/static-hosting/static-content.ts
+import { Bucket as Bucket3 } from "aws-cdk-lib/aws-s3";
+import { BucketDeployment, Source } from "aws-cdk-lib/aws-s3-deployment";
+import { paramCase as paramCase2 } from "change-case";
+import { Construct as Construct9 } from "constructs";
+
 // src/components/static-hosting/static-hosting.ts
+import * as fs6 from "fs";
+import * as path6 from "path";
+import { Duration as Duration4 } from "aws-cdk-lib";
 import {
+  AccessLevel,
+  AllowedMethods,
+  CacheCookieBehavior,
+  CacheHeaderBehavior,
   CachePolicy,
-  Distribution
+  CacheQueryStringBehavior,
+  Distribution,
+  LambdaEdgeEventType,
+  S3OriginAccessControl,
+  Signing,
+  ViewerProtocolPolicy
 } from "aws-cdk-lib/aws-cloudfront";
 import { S3BucketOrigin } from "aws-cdk-lib/aws-cloudfront-origins";
+import { Runtime as Runtime6 } from "aws-cdk-lib/aws-lambda";
+import { NodejsFunction as NodejsFunction6 } from "aws-cdk-lib/aws-lambda-nodejs";
+import { LogGroup, RetentionDays } from "aws-cdk-lib/aws-logs";
+import {
+  ARecord,
+  RecordTarget
+} from "aws-cdk-lib/aws-route53";
+import { CloudFrontTarget } from "aws-cdk-lib/aws-route53-targets";
 import { Bucket as Bucket2 } from "aws-cdk-lib/aws-s3";
-import { Duration as Duration5 } from "aws-cdk-lib/core";
 import { Construct as Construct8 } from "constructs";
 var STATIC_HOSTING_SERVICE_TYPE = "website";
 var _StaticHosting = class _StaticHosting extends Construct8 {
@@ -1494,6 +1472,7 @@ var _StaticHosting = class _StaticHosting extends Construct8 {
     super(scope, id);
     const stack = OpenHiService.of(scope);
     const serviceType = props.serviceType ?? STATIC_HOSTING_SERVICE_TYPE;
+    const hostingMode = props.hostingMode ?? "spa";
     this.bucket = new Bucket2(this, "bucket", {
       blockPublicAccess: {
         blockPublicAcls: true,
@@ -1503,30 +1482,105 @@ var _StaticHosting = class _StaticHosting extends Construct8 {
       },
       ...props.bucketProps
     });
-    const origin = S3BucketOrigin.withOriginAccessControl(this.bucket);
+    const handlerJs = path6.join(
+      __dirname,
+      "static-hosting.viewer-request-handler.js"
+    );
+    const handlerTs = path6.join(
+      __dirname,
+      "static-hosting.viewer-request-handler.ts"
+    );
+    const handlerEntry = fs6.existsSync(handlerJs) ? handlerJs : handlerTs;
+    this.viewerRequestHandler = new NodejsFunction6(
+      this,
+      "viewer-request-handler",
+      {
+        entry: handlerEntry,
+        handler: hostingMode === "static" ? "staticHandler" : "spaHandler",
+        memorySize: 128,
+        runtime: Runtime6.NODEJS_LATEST,
+        logGroup: new LogGroup(this, "viewer-request-handler-log-group", {
+          retention: RetentionDays.ONE_MONTH
+        })
+      }
+    );
     const cachePolicy = new CachePolicy(this, "cache-policy", {
-      cachePolicyName: `static-hosting-10s-${stack.branchHash}`,
-      comment: "Low TTL (10s) for static hosting; no invalidation",
-      defaultTtl: Duration5.seconds(10),
-      minTtl: Duration5.seconds(0),
-      maxTtl: Duration5.seconds(10)
-    });
+      cachePolicyName: `static-hosting-${stack.branchHash}`,
+      comment: "Static hosting default: 60s default / 300s max, gzip+brotli.",
+      defaultTtl: Duration4.seconds(60),
+      minTtl: Duration4.seconds(0),
+      maxTtl: Duration4.seconds(300),
+      headerBehavior: CacheHeaderBehavior.none(),
+      queryStringBehavior: CacheQueryStringBehavior.none(),
+      cookieBehavior: CacheCookieBehavior.none(),
+      enableAcceptEncodingGzip: true,
+      enableAcceptEncodingBrotli: true,
+      ...props.cachePolicyProps
+    });
+    const oac = new S3OriginAccessControl(this, "origin-access-control", {
+      signing: Signing.SIGV4_NO_OVERRIDE
+    });
+    const origin = S3BucketOrigin.withOriginAccessControl(this.bucket, {
+      originAccessControl: oac,
+      originAccessLevels: [AccessLevel.READ]
+    });
+    const hasCustomDomain = props.certificate !== void 0 && props.hostedZone !== void 0 && props.domainNames !== void 0 && props.domainNames.length > 0;
     this.distribution = new Distribution(this, "distribution", {
+      comment: `Static hosting distribution for ${props.description ?? id}`,
+      ...hasCustomDomain ? {
+        certificate: props.certificate,
+        domainNames: [...props.domainNames]
+      } : {},
+      defaultRootObject: "index.html",
       defaultBehavior: {
         origin,
-        cachePolicy
+        viewerProtocolPolicy: ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
+        cachePolicy,
+        allowedMethods: AllowedMethods.ALLOW_GET_HEAD_OPTIONS,
+        edgeLambdas: [
+          {
+            functionVersion: this.viewerRequestHandler.currentVersion,
+            eventType: LambdaEdgeEventType.VIEWER_REQUEST,
+            includeBody: false
+          }
+        ]
       },
       ...props.distributionProps
     });
+    if (hasCustomDomain) {
+      props.domainNames.forEach((domainName, index) => {
+        new ARecord(this, `dns-record-${index}`, {
+          zone: props.hostedZone,
+          recordName: domainName,
+          target: RecordTarget.fromAlias(
+            new CloudFrontTarget(this.distribution)
+          )
+        });
+      });
+    }
     new DiscoverableStringParameter(this, "bucket-arn-param", {
       ssmParamName: _StaticHosting.SSM_PARAM_NAME_BUCKET_ARN,
       serviceType,
-      stringValue: this.bucket.bucketArn
+      stringValue: this.bucket.bucketArn,
+      description: `Static hosting bucket ARN (${props.description ?? id})`
     });
     new DiscoverableStringParameter(this, "distribution-arn-param", {
       ssmParamName: _StaticHosting.SSM_PARAM_NAME_DISTRIBUTION_ARN,
       serviceType,
-      stringValue: this.distribution.distributionArn
+      stringValue: this.distribution.distributionArn,
+      description: `Static hosting distribution ARN (${props.description ?? id})`
+    });
+    new DiscoverableStringParameter(this, "distribution-domain-param", {
+      ssmParamName: _StaticHosting.SSM_PARAM_NAME_DISTRIBUTION_DOMAIN,
+      serviceType,
+      stringValue: this.distribution.domainName,
+      description: `Static hosting distribution domain (${props.description ?? id})`
+    });
+    new DiscoverableStringParameter(this, "distribution-id-param", {
+      ssmParamName: _StaticHosting.SSM_PARAM_NAME_DISTRIBUTION_ID,
+      serviceType,
+      stringValue: this.distribution.distributionId,
+      description: `Static hosting distribution ID (${props.description ?? id})`
     });
   }
 };
@@ -1538,14 +1592,51 @@ _StaticHosting.SSM_PARAM_NAME_BUCKET_ARN = "STATIC_HOSTING_BUCKET_ARN";
  * SSM parameter name for the CloudFront distribution ARN.
  */
 _StaticHosting.SSM_PARAM_NAME_DISTRIBUTION_ARN = "STATIC_HOSTING_DISTRIBUTION_ARN";
+/**
+ * SSM parameter name for the CloudFront distribution domain
+ * (e.g. dXXXXX.cloudfront.net).
+ */
+_StaticHosting.SSM_PARAM_NAME_DISTRIBUTION_DOMAIN = "STATIC_HOSTING_DISTRIBUTION_DOMAIN";
+/**
+ * SSM parameter name for the CloudFront distribution ID.
+ */
+_StaticHosting.SSM_PARAM_NAME_DISTRIBUTION_ID = "STATIC_HOSTING_DISTRIBUTION_ID";
 var StaticHosting = _StaticHosting;
 
+// src/components/static-hosting/static-content.ts
+var StaticContent = class extends Construct9 {
+  constructor(scope, id, props) {
+    super(scope, id);
+    const stack = OpenHiService.of(scope);
+    const {
+      contentSourceDirectory,
+      contentDestinationDirectory = "/",
+      subDomain = stack.branchName,
+      fullDomain,
+      serviceType = STATIC_HOSTING_SERVICE_TYPE
+    } = props;
+    const keyPrefix = [paramCase2(subDomain), fullDomain].join(".");
+    const bucketArn = DiscoverableStringParameter.valueForLookupName(this, {
+      ssmParamName: StaticHosting.SSM_PARAM_NAME_BUCKET_ARN,
+      serviceType
+    });
+    const bucket = Bucket3.fromBucketArn(this, "bucket", bucketArn);
+    const isTestEnv = process.env.JEST_WORKER_ID !== void 0;
+    const sources = isTestEnv ? [] : [Source.asset(contentSourceDirectory)];
+    new BucketDeployment(this, "deploy", {
+      sources,
+      destinationBucket: bucket,
+      retainOnDelete: false,
+      destinationKeyPrefix: `${keyPrefix}${contentDestinationDirectory}`
+    });
+  }
+};
+
 // src/services/open-hi-auth-service.ts
-var import_config5 = __toESM(require_lib2());
 import {
   LambdaVersion,
   UserPool as UserPool2,
-  UserPoolClient as UserPoolClient3,
+  UserPoolClient as UserPoolClient2,
   UserPoolDomain as UserPoolDomain2,
   UserPoolOperation
 } from "aws-cdk-lib/aws-cognito";
@@ -1570,27 +1661,27 @@ import {
 import { StringParameter as StringParameter3 } from "aws-cdk-lib/aws-ssm";
 
 // src/workflows/control-plane/platform-deploy-bridge/platform-deploy-bridge.ts
-import { Construct as Construct10 } from "constructs";
+import { Construct as Construct11 } from "constructs";
 
 // src/workflows/control-plane/platform-deploy-bridge/platform-deploy-bridge-lambda.ts
-import fs6 from "fs";
-import path6 from "path";
-import { Duration as Duration6, Stack as Stack3 } from "aws-cdk-lib";
+import fs7 from "fs";
+import path7 from "path";
+import { Duration as Duration5, Stack as Stack3 } from "aws-cdk-lib";
 import { Rule } from "aws-cdk-lib/aws-events";
 import { LambdaFunction } from "aws-cdk-lib/aws-events-targets";
 import { Effect as Effect2, PolicyStatement as PolicyStatement2 } from "aws-cdk-lib/aws-iam";
-import { Runtime as Runtime6 } from "aws-cdk-lib/aws-lambda";
-import { NodejsFunction as NodejsFunction6 } from "aws-cdk-lib/aws-lambda-nodejs";
-import { Construct as Construct9 } from "constructs";
+import { Runtime as Runtime7 } from "aws-cdk-lib/aws-lambda";
+import { NodejsFunction as NodejsFunction7 } from "aws-cdk-lib/aws-lambda-nodejs";
+import { Construct as Construct10 } from "constructs";
 var HANDLER_NAME6 = "platform-deploy-bridge.handler.js";
 function resolveHandlerEntry6(dirname) {
-  const sameDir = path6.join(dirname, HANDLER_NAME6);
-  if (fs6.existsSync(sameDir)) {
+  const sameDir = path7.join(dirname, HANDLER_NAME6);
+  if (fs7.existsSync(sameDir)) {
     return sameDir;
   }
-  return path6.join(dirname, "..", "..", "..", "..", "lib", HANDLER_NAME6);
+  return path7.join(dirname, "..", "..", "..", "..", "lib", HANDLER_NAME6);
 }
-var PlatformDeployBridgeLambda = class extends Construct9 {
+var PlatformDeployBridgeLambda = class extends Construct10 {
   constructor(scope, props) {
     super(scope, "platform-deploy-bridge-lambda");
     const service = OpenHiService.of(this);
@@ -1603,11 +1694,11 @@ var PlatformDeployBridgeLambda = class extends Construct9 {
     const ownSuffix = `-${service.serviceId}-${Stack3.of(this).account}-${Stack3.of(this).region}`;
     const sharedPrefix = ownStackName.endsWith(ownSuffix) ? ownStackName.slice(0, -ownSuffix.length) : service.branchHash;
     const stackIdPrefix = `arn:aws:cloudformation:${Stack3.of(this).region}:${Stack3.of(this).account}:stack/${sharedPrefix}-`;
-    this.lambda = new NodejsFunction6(this, "handler", {
+    this.lambda = new NodejsFunction7(this, "handler", {
       entry: resolveHandlerEntry6(__dirname),
-      runtime: Runtime6.NODEJS_LATEST,
+      runtime: Runtime7.NODEJS_LATEST,
       memorySize: 256,
-      timeout: Duration6.seconds(30),
+      timeout: Duration5.seconds(30),
       environment: {
         [CONTROL_EVENT_BUS_NAME_ENV_VAR]: props.controlEventBus.eventBusName,
         [OPENHI_REPO_TAG_KEY_ENV_VAR]: repoTagKey,
@@ -1638,7 +1729,7 @@ var PlatformDeployBridgeLambda = class extends Construct9 {
       targets: [
         new LambdaFunction(this.lambda, {
           retryAttempts: 2,
-          maxEventAge: Duration6.hours(2)
+          maxEventAge: Duration5.hours(2)
         })
       ]
     });
@@ -1646,7 +1737,7 @@ var PlatformDeployBridgeLambda = class extends Construct9 {
 };
 
 // src/workflows/control-plane/platform-deploy-bridge/platform-deploy-bridge.ts
-var PlatformDeployBridge = class extends Construct10 {
+var PlatformDeployBridge = class extends Construct11 {
   constructor(scope, props) {
     super(scope, "platform-deploy-bridge");
     this.bridgeLambda = new PlatformDeployBridgeLambda(this, {
@@ -1839,64 +1930,48 @@ _OpenHiGlobalService.SERVICE_TYPE = "global";
 var OpenHiGlobalService = _OpenHiGlobalService;
 
 // src/workflows/control-plane/seed-demo-data/seed-demo-data-lambda.ts
-import fs7 from "fs";
-import path7 from "path";
-import { PLATFORM_ROLE_IDS } from "@openhi/types";
-import { Duration as Duration7, Stack as Stack4 } from "aws-cdk-lib";
+import fs8 from "fs";
+import path8 from "path";
+import { Duration as Duration6, Stack as Stack4 } from "aws-cdk-lib";
 import { Rule as Rule2 } from "aws-cdk-lib/aws-events";
 import { LambdaFunction as LambdaFunction2 } from "aws-cdk-lib/aws-events-targets";
 import { Effect as Effect3, PolicyStatement as PolicyStatement3 } from "aws-cdk-lib/aws-iam";
-import { Runtime as Runtime7 } from "aws-cdk-lib/aws-lambda";
-import { NodejsFunction as NodejsFunction7 } from "aws-cdk-lib/aws-lambda-nodejs";
-import { Construct as Construct11 } from "constructs";
+import { Runtime as Runtime8 } from "aws-cdk-lib/aws-lambda";
+import { NodejsFunction as NodejsFunction8 } from "aws-cdk-lib/aws-lambda-nodejs";
+import { Construct as Construct12 } from "constructs";
 var HANDLER_NAME7 = "seed-demo-data.handler.js";
 function resolveHandlerEntry7(dirname) {
-  const sameDir = path7.join(dirname, HANDLER_NAME7);
-  if (fs7.existsSync(sameDir)) {
+  const sameDir = path8.join(dirname, HANDLER_NAME7);
+  if (fs8.existsSync(sameDir)) {
     return sameDir;
   }
-  return path7.join(dirname, "..", "..", "..", "..", "lib", HANDLER_NAME7);
+  return path8.join(dirname, "..", "..", "..", "..", "lib", HANDLER_NAME7);
 }
-var SeedDemoDataLambda = class extends Construct11 {
+var SeedDemoDataLambda = class extends Construct12 {
   constructor(scope, props) {
     super(scope, "seed-demo-data-lambda");
-    this.lambda = new NodejsFunction7(this, "handler", {
+    this.lambda = new NodejsFunction8(this, "handler", {
       entry: resolveHandlerEntry7(__dirname),
-      runtime: Runtime7.NODEJS_LATEST,
+      runtime: Runtime8.NODEJS_LATEST,
       memorySize: 512,
-      timeout: Duration7.minutes(2),
+      timeout: Duration6.minutes(2),
       environment: {
         DYNAMO_TABLE_NAME: props.dataStoreTable.tableName,
         [SEED_DEMO_DATA_USER_POOL_ID_ENV_VAR]: props.userPool.userPoolId
       }
     });
-    const roleReadKeys = Object.values(PLATFORM_ROLE_IDS).map(rolePartitionKey);
     this.lambda.addToRolePolicy(
       new PolicyStatement3({
         effect: Effect3.ALLOW,
         actions: ["dynamodb:GetItem"],
-        resources: [props.dataStoreTable.tableArn],
-        conditions: {
-          "ForAllValues:StringEquals": {
-            "dynamodb:LeadingKeys": roleReadKeys
-          }
-        }
+        resources: [props.dataStoreTable.tableArn]
       })
     );
-    const writeKeys = [
-      ...demoBasePartitionKeys(),
-      ...demoDevUserPartitionKeys(DEV_USERS)
-    ];
     this.lambda.addToRolePolicy(
       new PolicyStatement3({
         effect: Effect3.ALLOW,
         actions: ["dynamodb:PutItem", "dynamodb:UpdateItem"],
-        resources: [props.dataStoreTable.tableArn],
-        conditions: {
-          "ForAllValues:StringEquals": {
-            "dynamodb:LeadingKeys": writeKeys
-          }
-        }
+        resources: [props.dataStoreTable.tableArn]
       })
     );
     this.lambda.addToRolePolicy(
@@ -1925,7 +2000,7 @@ var SeedDemoDataLambda = class extends Construct11 {
       targets: [
         new LambdaFunction2(this.lambda, {
           retryAttempts: 2,
-          maxEventAge: Duration7.hours(2)
+          maxEventAge: Duration6.hours(2)
         })
       ]
     });
@@ -1933,8 +2008,8 @@ var SeedDemoDataLambda = class extends Construct11 {
 };
 
 // src/workflows/control-plane/seed-demo-data/seed-demo-data-workflow.ts
-import { Construct as Construct12 } from "constructs";
-var SeedDemoDataWorkflow = class extends Construct12 {
+import { Construct as Construct13 } from "constructs";
+var SeedDemoDataWorkflow = class extends Construct13 {
   constructor(scope, props) {
     super(scope, "seed-demo-data-workflow");
     this.seedDemoData = new SeedDemoDataLambda(this, {
@@ -1951,38 +2026,38 @@ var SeedDemoDataWorkflow = class extends Construct12 {
 };
 
 // src/workflows/control-plane/seed-system-data/seed-system-data-lambda.ts
-import fs8 from "fs";
-import path8 from "path";
-import { PLATFORM_ROLE_IDS as PLATFORM_ROLE_IDS2 } from "@openhi/types";
-import { Duration as Duration8, Stack as Stack5 } from "aws-cdk-lib";
+import fs9 from "fs";
+import path9 from "path";
+import { PLATFORM_ROLE_IDS } from "@openhi/types";
+import { Duration as Duration7, Stack as Stack5 } from "aws-cdk-lib";
 import { Rule as Rule3 } from "aws-cdk-lib/aws-events";
 import { LambdaFunction as LambdaFunction3 } from "aws-cdk-lib/aws-events-targets";
 import { Effect as Effect4, PolicyStatement as PolicyStatement4 } from "aws-cdk-lib/aws-iam";
-import { Runtime as Runtime8 } from "aws-cdk-lib/aws-lambda";
-import { NodejsFunction as NodejsFunction8 } from "aws-cdk-lib/aws-lambda-nodejs";
-import { Construct as Construct13 } from "constructs";
+import { Runtime as Runtime9 } from "aws-cdk-lib/aws-lambda";
+import { NodejsFunction as NodejsFunction9 } from "aws-cdk-lib/aws-lambda-nodejs";
+import { Construct as Construct14 } from "constructs";
 var HANDLER_NAME8 = "seed-system-data.handler.js";
 function resolveHandlerEntry8(dirname) {
-  const sameDir = path8.join(dirname, HANDLER_NAME8);
-  if (fs8.existsSync(sameDir)) {
+  const sameDir = path9.join(dirname, HANDLER_NAME8);
+  if (fs9.existsSync(sameDir)) {
     return sameDir;
   }
-  return path8.join(dirname, "..", "..", "..", "..", "lib", HANDLER_NAME8);
+  return path9.join(dirname, "..", "..", "..", "..", "lib", HANDLER_NAME8);
 }
-var SeedSystemDataLambda = class extends Construct13 {
+var SeedSystemDataLambda = class extends Construct14 {
   constructor(scope, props) {
     super(scope, "seed-system-data-lambda");
-    this.lambda = new NodejsFunction8(this, "handler", {
+    this.lambda = new NodejsFunction9(this, "handler", {
       entry: resolveHandlerEntry8(__dirname),
-      runtime: Runtime8.NODEJS_LATEST,
+      runtime: Runtime9.NODEJS_LATEST,
       memorySize: 512,
-      timeout: Duration8.minutes(1),
+      timeout: Duration7.minutes(1),
       environment: {
         DYNAMO_TABLE_NAME: props.dataStoreTable.tableName,
         [SEED_SYSTEM_DATA_CONTROL_BUS_ENV_VAR]: props.controlEventBus.eventBusName
       }
     });
-    const roleArns = Object.values(PLATFORM_ROLE_IDS2).map(
+    const roleArns = Object.values(PLATFORM_ROLE_IDS).map(
       (id) => `role#id#${id}`
     );
     this.lambda.addToRolePolicy(
@@ -2013,7 +2088,7 @@ var SeedSystemDataLambda = class extends Construct13 {
       targets: [
         new LambdaFunction3(this.lambda, {
           retryAttempts: 2,
-          maxEventAge: Duration8.hours(2)
+          maxEventAge: Duration7.hours(2)
         })
       ]
     });
@@ -2021,8 +2096,8 @@ var SeedSystemDataLambda = class extends Construct13 {
 };
 
 // src/workflows/control-plane/seed-system-data/seed-system-data-workflow.ts
-import { Construct as Construct14 } from "constructs";
-var SeedSystemDataWorkflow = class extends Construct14 {
+import { Construct as Construct15 } from "constructs";
+var SeedSystemDataWorkflow = class extends Construct15 {
   constructor(scope, props) {
     super(scope, "seed-system-data-workflow");
     this.seedSystemData = new SeedSystemDataLambda(this, {
@@ -2148,29 +2223,29 @@ _OpenHiDataService.SERVICE_TYPE = "data";
 var OpenHiDataService = _OpenHiDataService;
 
 // src/workflows/control-plane/user-onboarding/provision-default-workspace-lambda.ts
-import fs9 from "fs";
-import path9 from "path";
-import { Duration as Duration9 } from "aws-cdk-lib";
+import fs10 from "fs";
+import path10 from "path";
+import { Duration as Duration8 } from "aws-cdk-lib";
 import { Rule as Rule4 } from "aws-cdk-lib/aws-events";
 import { LambdaFunction as LambdaFunction4 } from "aws-cdk-lib/aws-events-targets";
 import { Effect as Effect5, PolicyStatement as PolicyStatement5 } from "aws-cdk-lib/aws-iam";
-import { Runtime as Runtime9 } from "aws-cdk-lib/aws-lambda";
-import { NodejsFunction as NodejsFunction9 } from "aws-cdk-lib/aws-lambda-nodejs";
-import { Construct as Construct15 } from "constructs";
+import { Runtime as Runtime10 } from "aws-cdk-lib/aws-lambda";
+import { NodejsFunction as NodejsFunction10 } from "aws-cdk-lib/aws-lambda-nodejs";
+import { Construct as Construct16 } from "constructs";
 var HANDLER_NAME9 = "provision-default-workspace.handler.js";
 function resolveHandlerEntry9(dirname) {
-  const sameDir = path9.join(dirname, HANDLER_NAME9);
-  if (fs9.existsSync(sameDir)) {
+  const sameDir = path10.join(dirname, HANDLER_NAME9);
+  if (fs10.existsSync(sameDir)) {
     return sameDir;
   }
-  return path9.join(dirname, "..", "..", "..", "..", "lib", HANDLER_NAME9);
+  return path10.join(dirname, "..", "..", "..", "..", "lib", HANDLER_NAME9);
 }
-var ProvisionDefaultWorkspaceLambda = class extends Construct15 {
+var ProvisionDefaultWorkspaceLambda = class extends Construct16 {
   constructor(scope, props) {
     super(scope, "provision-default-workspace-lambda");
-    this.lambda = new NodejsFunction9(this, "handler", {
+    this.lambda = new NodejsFunction10(this, "handler", {
       entry: resolveHandlerEntry9(__dirname),
-      runtime: Runtime9.NODEJS_LATEST,
+      runtime: Runtime10.NODEJS_LATEST,
       memorySize: 1024,
       environment: {
         DYNAMO_TABLE_NAME: props.dataStoreTable.tableName
@@ -2197,7 +2272,7 @@ var ProvisionDefaultWorkspaceLambda = class extends Construct15 {
       targets: [
         new LambdaFunction4(this.lambda, {
           retryAttempts: 2,
-          maxEventAge: Duration9.hours(2)
+          maxEventAge: Duration8.hours(2)
         })
       ]
     });
@@ -2205,8 +2280,8 @@ var ProvisionDefaultWorkspaceLambda = class extends Construct15 {
 };
 
 // src/workflows/control-plane/user-onboarding/user-onboarding-workflow.ts
-import { Construct as Construct16 } from "constructs";
-var UserOnboardingWorkflow = class extends Construct16 {
+import { Construct as Construct17 } from "constructs";
+var UserOnboardingWorkflow = class extends Construct17 {
   constructor(scope, props) {
     super(scope, "user-onboarding-workflow");
     this.provisionDefaultWorkspace = new ProvisionDefaultWorkspaceLambda(this, {
@@ -2240,7 +2315,6 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
     this.grantPostConfirmationPermissions();
     this.userPoolClient = this.createUserPoolClient();
     this.userPoolDomain = this.createUserPoolDomain();
-    this.fixtureSeederClient = this.createFixtureSeederClient();
   }
   /**
    * Returns an IUserPool by looking up the Auth stack's User Pool ID from SSM.
@@ -2263,33 +2337,12 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
         serviceType: _OpenHiAuthService.SERVICE_TYPE
       }
     );
-    return UserPoolClient3.fromUserPoolClientId(
+    return UserPoolClient2.fromUserPoolClientId(
       scope,
       "user-pool-client",
       userPoolClientId
     );
   }
-  /**
-   * Returns the dedicated fixture-seeder IUserPoolClient by looking up
-   * its ID from SSM. Only non-prod auth stacks publish this parameter
-   * (per the conditional in {@link createFixtureSeederClient}); calling
-   * this against a prod-deployed stack will fail at lookup time.
-   *
-   * Consumed by `OpenHiRestApiService` (in non-prod) so the authorizer
-   * accepts tokens issued by this client, and by the seed-fixtures CLI
-   * to drive USER_PASSWORD_AUTH against this client's ID.
-   */
-  static fixtureSeederClientFromConstruct(scope) {
-    const clientId = DiscoverableStringParameter.valueForLookupName(scope, {
-      ssmParamName: CognitoFixtureSeederClient.SSM_PARAM_NAME,
-      serviceType: _OpenHiAuthService.SERVICE_TYPE
-    });
-    return UserPoolClient3.fromUserPoolClientId(
-      scope,
-      "fixture-seeder-client",
-      clientId
-    );
-  }
   /**
    * Returns an IUserPoolDomain by looking up the Auth stack's User Pool Domain from SSM.
    */
@@ -2478,31 +2531,6 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
     });
     return client;
   }
-  /**
-   * Creates the dedicated USER_PASSWORD_AUTH app client for the
-   * `@openhi/seed-fixtures` CLI, **only** in non-prod environments.
-   * Returns `undefined` when this stack is being deployed to a prod
-   * stage so the prod auth stack carries no fixture-seeder code path.
-   *
-   * Operator post-deploy: create a `fixture-seeder` Cognito user with
-   * a service password (manually via console or scripted with
-   * `aws cognito-idp admin-create-user`); the CLI consumes those creds
-   * via env vars to drive `InitiateAuth`.
-   */
-  createFixtureSeederClient() {
-    if (this.ohEnv.ohStage.stageType === import_config5.OPEN_HI_STAGE.PROD) {
-      return void 0;
-    }
-    const client = new CognitoFixtureSeederClient(this, {
-      userPool: this.userPool
-    });
-    new DiscoverableStringParameter(this, "fixture-seeder-client-param", {
-      ssmParamName: CognitoFixtureSeederClient.SSM_PARAM_NAME,
-      stringValue: client.userPoolClientId,
-      description: "Cognito User Pool Client ID for the OpenHI fixture-seeder CLI (USER_PASSWORD_AUTH; non-prod only); cross-stack reference"
-    });
-    return client;
-  }
   /**
    * Creates the User Pool Domain (Cognito hosted UI) and exports domain name to SSM.
    * Look up via {@link OpenHiAuthService.userPoolDomainFromConstruct}.
@@ -2527,7 +2555,6 @@ _OpenHiAuthService.SERVICE_TYPE = "auth";
 var OpenHiAuthService = _OpenHiAuthService;
 
 // src/services/open-hi-rest-api-service.ts
-var import_config6 = __toESM(require_lib2());
 import {
   CorsHttpMethod,
   DomainName,
@@ -2541,60 +2568,60 @@ import { HttpUserPoolAuthorizer } from "aws-cdk-lib/aws-apigatewayv2-authorizers
 import { HttpLambdaIntegration } from "aws-cdk-lib/aws-apigatewayv2-integrations";
 import { Effect as Effect7, PolicyStatement as PolicyStatement7 } from "aws-cdk-lib/aws-iam";
 import {
-  ARecord,
+  ARecord as ARecord2,
   HostedZone as HostedZone3,
-  RecordTarget
+  RecordTarget as RecordTarget2
 } from "aws-cdk-lib/aws-route53";
 import { ApiGatewayv2DomainProperties } from "aws-cdk-lib/aws-route53-targets";
-import { Duration as Duration10 } from "aws-cdk-lib/core";
+import { Duration as Duration9 } from "aws-cdk-lib/core";
 
 // src/data/lambda/cors-options-lambda.ts
-import fs10 from "fs";
-import path10 from "path";
-import { Runtime as Runtime10 } from "aws-cdk-lib/aws-lambda";
-import { NodejsFunction as NodejsFunction10 } from "aws-cdk-lib/aws-lambda-nodejs";
-import { Construct as Construct17 } from "constructs";
+import fs11 from "fs";
+import path11 from "path";
+import { Runtime as Runtime11 } from "aws-cdk-lib/aws-lambda";
+import { NodejsFunction as NodejsFunction11 } from "aws-cdk-lib/aws-lambda-nodejs";
+import { Construct as Construct18 } from "constructs";
 var HANDLER_NAME10 = "cors-options-lambda.handler.js";
 function resolveHandlerEntry10(dirname) {
-  const sameDir = path10.join(dirname, HANDLER_NAME10);
-  if (fs10.existsSync(sameDir)) {
+  const sameDir = path11.join(dirname, HANDLER_NAME10);
+  if (fs11.existsSync(sameDir)) {
     return sameDir;
   }
-  const fromLib = path10.join(dirname, "..", "..", "..", "lib", HANDLER_NAME10);
+  const fromLib = path11.join(dirname, "..", "..", "..", "lib", HANDLER_NAME10);
   return fromLib;
 }
-var CorsOptionsLambda = class extends Construct17 {
+var CorsOptionsLambda = class extends Construct18 {
   constructor(scope, id = "cors-options-lambda") {
     super(scope, id);
-    this.lambda = new NodejsFunction10(this, "handler", {
+    this.lambda = new NodejsFunction11(this, "handler", {
       entry: resolveHandlerEntry10(__dirname),
-      runtime: Runtime10.NODEJS_LATEST,
+      runtime: Runtime11.NODEJS_LATEST,
       memorySize: 128
     });
   }
 };
 
 // src/data/lambda/rest-api-lambda.ts
-import fs11 from "fs";
-import path11 from "path";
-import { Runtime as Runtime11 } from "aws-cdk-lib/aws-lambda";
-import { NodejsFunction as NodejsFunction11 } from "aws-cdk-lib/aws-lambda-nodejs";
-import { Construct as Construct18 } from "constructs";
+import fs12 from "fs";
+import path12 from "path";
+import { Runtime as Runtime12 } from "aws-cdk-lib/aws-lambda";
+import { NodejsFunction as NodejsFunction12 } from "aws-cdk-lib/aws-lambda-nodejs";
+import { Construct as Construct19 } from "constructs";
 var HANDLER_NAME11 = "rest-api-lambda.handler.js";
 function resolveHandlerEntry11(dirname) {
-  const sameDir = path11.join(dirname, HANDLER_NAME11);
-  if (fs11.existsSync(sameDir)) {
+  const sameDir = path12.join(dirname, HANDLER_NAME11);
+  if (fs12.existsSync(sameDir)) {
     return sameDir;
   }
-  const fromLib = path11.join(dirname, "..", "..", "..", "lib", HANDLER_NAME11);
+  const fromLib = path12.join(dirname, "..", "..", "..", "lib", HANDLER_NAME11);
   return fromLib;
 }
-var RestApiLambda = class extends Construct18 {
+var RestApiLambda = class extends Construct19 {
   constructor(scope, props) {
     super(scope, "rest-api-lambda");
-    this.lambda = new NodejsFunction11(this, "handler", {
+    this.lambda = new NodejsFunction12(this, "handler", {
       entry: resolveHandlerEntry11(__dirname),
-      runtime: Runtime11.NODEJS_LATEST,
+      runtime: Runtime12.NODEJS_LATEST,
       memorySize: 1024,
       environment: {
         DYNAMO_TABLE_NAME: props.dynamoTableName,
@@ -2812,10 +2839,10 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
       integration
     });
     const apiPrefix = this.branchName === "main" ? `api` : `api-${this.childZonePrefix}`;
-    new ARecord(this, "api-a-record", {
+    new ARecord2(this, "api-a-record", {
       zone: hostedZone,
       recordName: apiPrefix,
-      target: RecordTarget.fromAlias(
+      target: RecordTarget2.fromAlias(
         new ApiGatewayv2DomainProperties(
           domainName.regionalDomainName,
           domainName.regionalHostedZoneId
@@ -2831,16 +2858,10 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
   createRootHttpApi(domainName) {
     const userPool = OpenHiAuthService.userPoolFromConstruct(this);
     const userPoolClient = OpenHiAuthService.userPoolClientFromConstruct(this);
-    const userPoolClients = [userPoolClient];
-    if (this.ohEnv.ohStage.stageType !== import_config6.OPEN_HI_STAGE.PROD) {
-      userPoolClients.push(
-        OpenHiAuthService.fixtureSeederClientFromConstruct(this)
-      );
-    }
     const cognitoAuthorizer = new HttpUserPoolAuthorizer(
       "cognito-authorizer",
       userPool,
-      { userPoolClients }
+      { userPoolClients: [userPoolClient] }
     );
     const { corsPreflight: cors, ...restRootHttpApiProps } = this.props.rootHttpApiProps ?? {};
     const corsPreflight = cors !== void 0 ? {
@@ -2859,7 +2880,7 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
         "Authorization"
       ],
       allowCredentials: cors.allowCredentials ?? true,
-      maxAge: cors.maxAge ?? Duration10.days(1),
+      maxAge: cors.maxAge ?? Duration9.days(1),
       ...cors.exposeHeaders !== void 0 && {
         exposeHeaders: cors.exposeHeaders
       }
@@ -2924,34 +2945,186 @@ var _OpenHiGraphqlService = class _OpenHiGraphqlService extends OpenHiService {
 _OpenHiGraphqlService.SERVICE_TYPE = "graphql-api";
 var OpenHiGraphqlService = _OpenHiGraphqlService;
 
+// src/services/open-hi-website-service.ts
+var SSM_PARAM_NAME_FULL_DOMAIN = "WEBSITE_FULL_DOMAIN";
+var _OpenHiWebsiteService = class _OpenHiWebsiteService extends OpenHiService {
+  /**
+   * Looks up the static-hosting bucket ARN published by the release-branch
+   * deploy of this service.
+   */
+  static bucketArnFromConstruct(scope) {
+    return DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: StaticHosting.SSM_PARAM_NAME_BUCKET_ARN,
+      serviceType: _OpenHiWebsiteService.SERVICE_TYPE
+    });
+  }
+  /**
+   * Looks up the CloudFront distribution ARN published by the release-branch
+   * deploy of this service.
+   */
+  static distributionArnFromConstruct(scope) {
+    return DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: StaticHosting.SSM_PARAM_NAME_DISTRIBUTION_ARN,
+      serviceType: _OpenHiWebsiteService.SERVICE_TYPE
+    });
+  }
+  /**
+   * Looks up the CloudFront distribution domain
+   * (e.g. dXXXXX.cloudfront.net) published by the release-branch deploy.
+   */
+  static distributionDomainFromConstruct(scope) {
+    return DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: StaticHosting.SSM_PARAM_NAME_DISTRIBUTION_DOMAIN,
+      serviceType: _OpenHiWebsiteService.SERVICE_TYPE
+    });
+  }
+  /**
+   * Looks up the CloudFront distribution ID published by the release-branch
+   * deploy of this service.
+   */
+  static distributionIdFromConstruct(scope) {
+    return DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: StaticHosting.SSM_PARAM_NAME_DISTRIBUTION_ID,
+      serviceType: _OpenHiWebsiteService.SERVICE_TYPE
+    });
+  }
+  /**
+   * Looks up the website's full domain (e.g. www.example.com) published by
+   * the release-branch deploy of this service.
+   */
+  static fullDomainFromConstruct(scope) {
+    return DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: SSM_PARAM_NAME_FULL_DOMAIN,
+      serviceType: _OpenHiWebsiteService.SERVICE_TYPE
+    });
+  }
+  get serviceType() {
+    return _OpenHiWebsiteService.SERVICE_TYPE;
+  }
+  constructor(ohEnv, props) {
+    super(ohEnv, _OpenHiWebsiteService.SERVICE_TYPE, props);
+    this.props = props;
+    this.validateConfig(props);
+    const hostedZone = this.createHostedZone();
+    this.fullDomain = this.computeFullDomain(hostedZone);
+    const shouldCreateHostingInfra = props.createHostingInfrastructure ?? this.branchName === this.defaultReleaseBranch;
+    if (shouldCreateHostingInfra) {
+      const certificate = this.createCertificate();
+      this.staticHosting = this.createStaticHosting({
+        certificate,
+        hostedZone
+      });
+      this.createFullDomainParameter();
+    }
+    this.staticContent = this.createStaticContent();
+  }
+  /**
+   * Validates that config required for the website stack is present.
+   */
+  validateConfig(props) {
+    const { config } = props;
+    if (!config) {
+      throw new Error("Config is required");
+    }
+    if (!config.zoneName) {
+      throw new Error("Zone name is required");
+    }
+  }
+  /**
+   * Looks up the child hosted zone published by the Global service.
+   * Override to customize.
+   */
+  createHostedZone() {
+    return OpenHiGlobalService.childHostedZoneFromConstruct(this, {
+      zoneName: this.config.zoneName
+    });
+  }
+  /**
+   * Returns the wildcard certificate looked up from the Global service.
+   * Override to customize.
+   */
+  createCertificate() {
+    return OpenHiGlobalService.rootWildcardCertificateFromConstruct(this);
+  }
+  /**
+   * Computes the full website domain from `domainPrefix` and the child
+   * zone name.
+   */
+  computeFullDomain(hostedZone) {
+    const prefix = this.props.domainPrefix ?? "www";
+    return [prefix, hostedZone.zoneName].join(".");
+  }
+  /**
+   * Creates the StaticHosting infrastructure (bucket + distribution +
+   * Lambda@Edge + 4 SSM params + DNS).
+   */
+  createStaticHosting(deps) {
+    return new StaticHosting(this, "static-hosting", {
+      serviceType: _OpenHiWebsiteService.SERVICE_TYPE,
+      certificate: deps.certificate,
+      hostedZone: deps.hostedZone,
+      domainNames: [this.fullDomain],
+      description: `OpenHI website (${this.fullDomain})`
+    });
+  }
+  /**
+   * Creates the SSM parameter that publishes the website's full domain.
+   * Look up via {@link OpenHiWebsiteService.fullDomainFromConstruct}.
+   */
+  createFullDomainParameter() {
+    new DiscoverableStringParameter(this, "full-domain-param", {
+      ssmParamName: SSM_PARAM_NAME_FULL_DOMAIN,
+      serviceType: _OpenHiWebsiteService.SERVICE_TYPE,
+      stringValue: this.fullDomain,
+      description: "Full website domain (e.g. www.example.com)"
+    });
+  }
+  /**
+   * Creates the StaticContent uploader. Always created so feature-branch
+   * deploys can publish content to their own sub-domain folder against the
+   * release-branch bucket.
+   */
+  createStaticContent() {
+    const { contentSourceDirectory, contentDestinationDirectory } = this.props;
+    return new StaticContent(this, "static-content", {
+      contentSourceDirectory,
+      contentDestinationDirectory,
+      fullDomain: this.fullDomain,
+      serviceType: _OpenHiWebsiteService.SERVICE_TYPE
+    });
+  }
+};
+_OpenHiWebsiteService.SERVICE_TYPE = "website";
+var OpenHiWebsiteService = _OpenHiWebsiteService;
+
 // src/workflows/control-plane/owning-delete-cascade/owning-delete-cascade-lambdas.ts
-import fs12 from "fs";
-import path12 from "path";
-import { Duration as Duration11 } from "aws-cdk-lib";
+import fs13 from "fs";
+import path13 from "path";
+import { Duration as Duration10 } from "aws-cdk-lib";
 import { Effect as Effect8, PolicyStatement as PolicyStatement8 } from "aws-cdk-lib/aws-iam";
-import { Runtime as Runtime12 } from "aws-cdk-lib/aws-lambda";
-import { NodejsFunction as NodejsFunction12 } from "aws-cdk-lib/aws-lambda-nodejs";
-import { Construct as Construct19 } from "constructs";
+import { Runtime as Runtime13 } from "aws-cdk-lib/aws-lambda";
+import { NodejsFunction as NodejsFunction13 } from "aws-cdk-lib/aws-lambda-nodejs";
+import { Construct as Construct20 } from "constructs";
 function resolveHandlerEntry12(dirname, handlerName) {
-  const sameDir = path12.join(dirname, handlerName);
-  if (fs12.existsSync(sameDir)) {
+  const sameDir = path13.join(dirname, handlerName);
+  if (fs13.existsSync(sameDir)) {
     return { entry: sameDir, handler: "handler" };
   }
-  const libDir = path12.join(dirname, "..", "..", "..", "..", "lib", handlerName);
+  const libDir = path13.join(dirname, "..", "..", "..", "..", "lib", handlerName);
   return { entry: libDir, handler: "handler" };
 }
-var OwningDeleteCascadeLambdas = class extends Construct19 {
+var OwningDeleteCascadeLambdas = class extends Construct20 {
   constructor(scope, props) {
     super(scope, "owning-delete-cascade-lambdas");
     const listResolved = resolveHandlerEntry12(
       __dirname,
       "list-chunks.handler.js"
     );
-    this.listChunks = new NodejsFunction12(this, "list-chunks-handler", {
+    this.listChunks = new NodejsFunction13(this, "list-chunks-handler", {
       entry: listResolved.entry,
-      runtime: Runtime12.NODEJS_LATEST,
+      runtime: Runtime13.NODEJS_LATEST,
       memorySize: 512,
-      timeout: Duration11.minutes(1),
+      timeout: Duration10.minutes(1),
       environment: {
         DYNAMO_TABLE_NAME: props.dataStoreTable.tableName
       }
@@ -2961,11 +3134,11 @@ var OwningDeleteCascadeLambdas = class extends Construct19 {
       __dirname,
       "delete-chunk.handler.js"
     );
-    this.deleteChunk = new NodejsFunction12(this, "delete-chunk-handler", {
+    this.deleteChunk = new NodejsFunction13(this, "delete-chunk-handler", {
       entry: deleteResolved.entry,
-      runtime: Runtime12.NODEJS_LATEST,
+      runtime: Runtime13.NODEJS_LATEST,
       memorySize: 512,
-      timeout: Duration11.minutes(1),
+      timeout: Duration10.minutes(1),
       environment: {
         DYNAMO_TABLE_NAME: props.dataStoreTable.tableName
       }
@@ -2980,11 +3153,11 @@ var OwningDeleteCascadeLambdas = class extends Construct19 {
       __dirname,
       "finalize.handler.js"
     );
-    this.finalize = new NodejsFunction12(this, "finalize-handler", {
+    this.finalize = new NodejsFunction13(this, "finalize-handler", {
       entry: finalizeResolved.entry,
-      runtime: Runtime12.NODEJS_LATEST,
+      runtime: Runtime13.NODEJS_LATEST,
       memorySize: 512,
-      timeout: Duration11.minutes(1),
+      timeout: Duration10.minutes(1),
       environment: {
         DYNAMO_TABLE_NAME: props.dataStoreTable.tableName,
         [OWNING_DELETE_OPS_EVENT_BUS_ENV_VAR]: props.opsEventBus.eventBusName
@@ -3002,7 +3175,7 @@ var OwningDeleteCascadeLambdas = class extends Construct19 {
 };
 
 // src/workflows/control-plane/owning-delete-cascade/owning-delete-cascade-workflow.ts
-import { Duration as Duration12 } from "aws-cdk-lib";
+import { Duration as Duration11 } from "aws-cdk-lib";
 import { Rule as Rule5 } from "aws-cdk-lib/aws-events";
 import { SfnStateMachine } from "aws-cdk-lib/aws-events-targets";
 import {
@@ -3018,8 +3191,8 @@ import {
   WaitTime
 } from "aws-cdk-lib/aws-stepfunctions";
 import { LambdaInvoke } from "aws-cdk-lib/aws-stepfunctions-tasks";
-import { Construct as Construct20 } from "constructs";
-var OwningDeleteCascadeWorkflow = class extends Construct20 {
+import { Construct as Construct21 } from "constructs";
+var OwningDeleteCascadeWorkflow = class extends Construct21 {
   constructor(scope, props) {
     super(scope, "owning-delete-cascade-workflow");
     this.lambdas = new OwningDeleteCascadeLambdas(this, {
@@ -3128,7 +3301,7 @@ var OwningDeleteCascadeWorkflow = class extends Construct20 {
       }
     });
     const interPageWait = new Wait(this, "inter-page-wait", {
-      time: WaitTime.duration(Duration12.seconds(0))
+      time: WaitTime.duration(Duration11.seconds(0))
     });
     const isExhausted = new Choice(this, "is-exhausted");
     const finalize = new LambdaInvoke(this, "finalize", {
@@ -3159,7 +3332,7 @@ var OwningDeleteCascadeWorkflow = class extends Construct20 {
       // Long timeout because real-world cascades can run minutes when
       // a workspace has thousands of members. The stuck-cascade alarm
       // fires at 15 minutes; the state machine itself does not abort.
-      timeout: Duration12.hours(2)
+      timeout: Duration11.hours(2)
     });
     this.rule = new Rule5(this, "rule", {
       eventBus: props.dataEventBus,
@@ -3170,7 +3343,7 @@ var OwningDeleteCascadeWorkflow = class extends Construct20 {
       targets: [
         new SfnStateMachine(this.stateMachine, {
           retryAttempts: 2,
-          maxEventAge: Duration12.hours(2)
+          maxEventAge: Duration11.hours(2)
         })
       ]
     });
@@ -3178,33 +3351,33 @@ var OwningDeleteCascadeWorkflow = class extends Construct20 {
 };
 
 // src/workflows/control-plane/rename-cascade/rename-cascade-lambdas.ts
-import fs13 from "fs";
-import path13 from "path";
-import { Duration as Duration13 } from "aws-cdk-lib";
+import fs14 from "fs";
+import path14 from "path";
+import { Duration as Duration12 } from "aws-cdk-lib";
 import { Effect as Effect9, PolicyStatement as PolicyStatement9 } from "aws-cdk-lib/aws-iam";
-import { Runtime as Runtime13 } from "aws-cdk-lib/aws-lambda";
-import { NodejsFunction as NodejsFunction13 } from "aws-cdk-lib/aws-lambda-nodejs";
-import { Construct as Construct21 } from "constructs";
+import { Runtime as Runtime14 } from "aws-cdk-lib/aws-lambda";
+import { NodejsFunction as NodejsFunction14 } from "aws-cdk-lib/aws-lambda-nodejs";
+import { Construct as Construct22 } from "constructs";
 function resolveHandlerEntry13(dirname, handlerName) {
-  const sameDir = path13.join(dirname, handlerName);
-  if (fs13.existsSync(sameDir)) {
+  const sameDir = path14.join(dirname, handlerName);
+  if (fs14.existsSync(sameDir)) {
     return { entry: sameDir, handler: "handler" };
   }
-  const libDir = path13.join(dirname, "..", "..", "..", "..", "lib", handlerName);
+  const libDir = path14.join(dirname, "..", "..", "..", "..", "lib", handlerName);
   return { entry: libDir, handler: "handler" };
 }
-var RenameCascadeLambdas = class extends Construct21 {
+var RenameCascadeLambdas = class extends Construct22 {
   constructor(scope, props) {
     super(scope, "rename-cascade-lambdas");
     const listResolved = resolveHandlerEntry13(
       __dirname,
       "rename-list-targets.handler.js"
     );
-    this.listTargets = new NodejsFunction13(this, "list-targets-handler", {
+    this.listTargets = new NodejsFunction14(this, "list-targets-handler", {
       entry: listResolved.entry,
-      runtime: Runtime13.NODEJS_LATEST,
+      runtime: Runtime14.NODEJS_LATEST,
       memorySize: 512,
-      timeout: Duration13.minutes(1),
+      timeout: Duration12.minutes(1),
       environment: {
         DYNAMO_TABLE_NAME: props.dataStoreTable.tableName
       }
@@ -3214,11 +3387,11 @@ var RenameCascadeLambdas = class extends Construct21 {
       __dirname,
       "rename-rewrite-chunk.handler.js"
     );
-    this.rewriteChunk = new NodejsFunction13(this, "rewrite-chunk-handler", {
+    this.rewriteChunk = new NodejsFunction14(this, "rewrite-chunk-handler", {
       entry: rewriteResolved.entry,
-      runtime: Runtime13.NODEJS_LATEST,
+      runtime: Runtime14.NODEJS_LATEST,
       memorySize: 512,
-      timeout: Duration13.minutes(1),
+      timeout: Duration12.minutes(1),
       environment: {
         DYNAMO_TABLE_NAME: props.dataStoreTable.tableName
       }
@@ -3233,11 +3406,11 @@ var RenameCascadeLambdas = class extends Construct21 {
       __dirname,
       "rename-finalize.handler.js"
     );
-    this.finalize = new NodejsFunction13(this, "finalize-handler", {
+    this.finalize = new NodejsFunction14(this, "finalize-handler", {
       entry: finalizeResolved.entry,
-      runtime: Runtime13.NODEJS_LATEST,
+      runtime: Runtime14.NODEJS_LATEST,
       memorySize: 512,
-      timeout: Duration13.minutes(1),
+      timeout: Duration12.minutes(1),
       environment: {
         [RENAME_CASCADE_OPS_EVENT_BUS_ENV_VAR]: props.opsEventBus.eventBusName
       }
@@ -3253,7 +3426,7 @@ var RenameCascadeLambdas = class extends Construct21 {
 };
 
 // src/workflows/control-plane/rename-cascade/rename-cascade-workflow.ts
-import { Duration as Duration14 } from "aws-cdk-lib";
+import { Duration as Duration13 } from "aws-cdk-lib";
 import { Rule as Rule6 } from "aws-cdk-lib/aws-events";
 import { SfnStateMachine as SfnStateMachine2 } from "aws-cdk-lib/aws-events-targets";
 import {
@@ -3267,8 +3440,8 @@ import {
   TaskInput as TaskInput2
 } from "aws-cdk-lib/aws-stepfunctions";
 import { LambdaInvoke as LambdaInvoke2 } from "aws-cdk-lib/aws-stepfunctions-tasks";
-import { Construct as Construct22 } from "constructs";
-var RenameCascadeWorkflow = class extends Construct22 {
+import { Construct as Construct23 } from "constructs";
+var RenameCascadeWorkflow = class extends Construct23 {
   constructor(scope, props) {
     super(scope, "rename-cascade-workflow");
     this.lambdas = new RenameCascadeLambdas(this, {
@@ -3412,7 +3585,7 @@ var RenameCascadeWorkflow = class extends Construct22 {
       // Long timeout — large renames may rewrite thousands of rows;
       // the `CascadeSlow` alarm fires at 300s p99 but the state
       // machine itself does not abort.
-      timeout: Duration14.hours(2)
+      timeout: Duration13.hours(2)
     });
     this.rule = new Rule6(this, "rule", {
       eventBus: props.dataEventBus,
@@ -3423,7 +3596,7 @@ var RenameCascadeWorkflow = class extends Construct22 {
       targets: [
         new SfnStateMachine2(this.stateMachine, {
           retryAttempts: 2,
-          maxEventAge: Duration14.hours(2)
+          maxEventAge: Duration13.hours(2)
         })
       ]
     });
@@ -3444,7 +3617,6 @@ export {
   CLOUDFORMATION_STACK_STATUS_CHANGE_DETAIL_TYPE,
   CONTROL_EVENT_BUS_NAME_ENV_VAR,
   ChildHostedZone,
-  CognitoFixtureSeederClient,
   CognitoUserPool,
   CognitoUserPoolClient,
   CognitoUserPoolDomain,
@@ -3459,6 +3631,7 @@ export {
   DATA_STORE_CHANGE_DETAIL_MAX_UTF8_BYTES,
   DATA_STORE_CHANGE_DETAIL_TYPE,
   DATA_STORE_CHANGE_EVENT_SOURCE,
+  DEMO_DATA_PLANE_FIXTURES,
   DEMO_PERIOD,
   DEMO_TENANT_SPECS,
   DEMO_URN_SYSTEM,
@@ -3489,6 +3662,7 @@ export {
   OpenHiRestApiService,
   OpenHiService,
   OpenHiStage,
+  OpenHiWebsiteService,
   OpsEventBus,
   OwningDeleteCascadeLambdas,
   OwningDeleteCascadeWorkflow,
@@ -3524,11 +3698,13 @@ export {
   SEED_SYSTEM_DATA_ACTOR_SYSTEM,
   SEED_SYSTEM_DATA_CONSUMER_NAME,
   SEED_SYSTEM_DATA_CONTROL_BUS_ENV_VAR,
+  SSM_PARAM_NAME_FULL_DOMAIN,
   STATIC_HOSTING_SERVICE_TYPE,
   SeedDemoDataLambda,
   SeedDemoDataWorkflow,
   SeedSystemDataLambda,
   SeedSystemDataWorkflow,
+  StaticContent,
   StaticHosting,
   USER_ONBOARDING_EVENT_SOURCE,
   UserOnboardingWorkflow,
@@ -3537,22 +3713,14 @@ export {
   WorkflowDedupTableDuplicateError,
   buildFhirCurrentResourceChangeDetail,
   buildProvisionDefaultWorkspaceRequestedDetail,
-  demoBasePartitionKeys,
-  demoDevUserPartitionKeys,
   demoMembershipId,
-  demoMembershipPartitionKey,
   demoRoleAssignmentId,
-  demoRoleAssignmentPartitionKey,
   demoRolesForUserInTenant,
   demoScenarioIdentifier,
-  demoTenantPartitionKey,
-  demoUserPartitionKey,
-  demoWorkspacePartitionKey,
   getDynamoDbDataStoreTableName,
   getPostgresReplicaSchemaName,
   getWorkflowDedupTableName,
   openHiTagKey,
-  openhiResourceIdentifier,
-  rolePartitionKey
+  openhiResourceIdentifier
 };
 //# sourceMappingURL=index.mjs.map