npm - @openhi/constructs - Versions diffs - 0.0.114 → 0.0.116 - Mend

@openhi/constructs 0.0.114 → 0.0.116

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (39) hide show

package/lib/chunk-AHYQFT4N.mjs +212 -0
package/lib/chunk-AHYQFT4N.mjs.map +1 -0
package/lib/{chunk-CUUKXDB2.mjs → chunk-AJQUWHFK.mjs} +460 -54
package/lib/chunk-AJQUWHFK.mjs.map +1 -0
package/lib/{chunk-GBDIGTNV.mjs → chunk-QWWLM452.mjs} +2 -2
package/lib/{chunk-QMBJ4VHC.mjs → chunk-U7L7T4XU.mjs} +25 -25
package/lib/{chunk-QMBJ4VHC.mjs.map → chunk-U7L7T4XU.mjs.map} +1 -1
package/lib/{chunk-NZRW7ROK.mjs → chunk-YYRWDEG4.mjs} +2 -2
package/lib/{chunk-KSFC72TT.mjs → chunk-ZHMHLK3S.mjs} +2 -2
package/lib/{events-DPodvl07.d.mts → events-CMG8xanm.d.mts} +7 -53
package/lib/{events-DPodvl07.d.ts → events-CMG8xanm.d.ts} +7 -53
package/lib/index.d.mts +330 -84
package/lib/index.d.ts +350 -136
package/lib/index.js +844 -301
package/lib/index.js.map +1 -1
package/lib/index.mjs +472 -304
package/lib/index.mjs.map +1 -1
package/lib/pre-token-generation.handler.mjs +3 -3
package/lib/provision-default-workspace.handler.mjs +3 -3
package/lib/rest-api-lambda.handler.mjs +282 -452
package/lib/rest-api-lambda.handler.mjs.map +1 -1
package/lib/seed-demo-data.handler.d.mts +6 -3
package/lib/seed-demo-data.handler.d.ts +6 -3
package/lib/seed-demo-data.handler.js +656 -0
package/lib/seed-demo-data.handler.js.map +1 -1
package/lib/seed-demo-data.handler.mjs +4 -4
package/lib/static-hosting.viewer-request-handler.d.mts +54 -0
package/lib/static-hosting.viewer-request-handler.d.ts +54 -0
package/lib/static-hosting.viewer-request-handler.js +79 -0
package/lib/static-hosting.viewer-request-handler.js.map +1 -0
package/lib/static-hosting.viewer-request-handler.mjs +53 -0
package/lib/static-hosting.viewer-request-handler.mjs.map +1 -0
package/package.json +2 -2
package/lib/chunk-53OHXLIL.mjs +0 -27
package/lib/chunk-53OHXLIL.mjs.map +0 -1
package/lib/chunk-CUUKXDB2.mjs.map +0 -1
/package/lib/{chunk-GBDIGTNV.mjs.map → chunk-QWWLM452.mjs.map} +0 -0
/package/lib/{chunk-NZRW7ROK.mjs.map → chunk-YYRWDEG4.mjs.map} +0 -0
/package/lib/{chunk-KSFC72TT.mjs.map → chunk-ZHMHLK3S.mjs.map} +0 -0

package/lib/index.d.mts CHANGED Viewed

@@ -4,7 +4,7 @@ import { IConstruct, Construct } from 'constructs';
 import { Certificate, CertificateProps, ICertificate } from 'aws-cdk-lib/aws-certificatemanager';
 import { HttpApiProps, HttpApi, IHttpApi, DomainName } from 'aws-cdk-lib/aws-apigatewayv2';
 import { GraphqlApi, IGraphqlApi, GraphqlApiProps } from 'aws-cdk-lib/aws-appsync';
-import { UserPoolClient, UserPoolClientProps, IUserPool, UserPool, UserPoolProps, UserPoolDomain, UserPoolDomainProps, IUserPoolClient, IUserPoolDomain } from 'aws-cdk-lib/aws-cognito';
+import { UserPool, UserPoolProps, UserPoolClient, UserPoolClientProps, UserPoolDomain, UserPoolDomainProps, IUserPool, IUserPoolClient, IUserPoolDomain } from 'aws-cdk-lib/aws-cognito';
 import { Key, KeyProps, IKey } from 'aws-cdk-lib/aws-kms';
 import { NodejsFunction } from 'aws-cdk-lib/aws-lambda-nodejs';
 import { D as DynamoDbStreamKinesisRecord } from './dynamodb-stream-record-CJtV6a1t.mjs';
@@ -20,16 +20,17 @@ import * as ec2 from 'aws-cdk-lib/aws-ec2';
 import * as rds from 'aws-cdk-lib/aws-rds';
 import { HostedZone, HostedZoneProps, IHostedZone, HostedZoneAttributes } from 'aws-cdk-lib/aws-route53';
 import { StringParameterProps, StringParameter } from 'aws-cdk-lib/aws-ssm';
-import { Distribution, DistributionProps } from 'aws-cdk-lib/aws-cloudfront';
+import { Distribution, DistributionProps, CachePolicyProps } from 'aws-cdk-lib/aws-cloudfront';
+import { HostingMode } from './static-hosting.viewer-request-handler.mjs';
 export { C as CascadeChunkInput, a as CascadeFinalizeInput, b as CascadeFinalizeOutput, c as CascadeListInput, d as CascadeListOutput, O as OWNING_DELETE_CASCADE_CONSUMER_NAME, e as OWNING_DELETE_CASCADE_DEFAULT_CONCURRENCY, f as OWNING_DELETE_CASCADE_STUCK_THRESHOLD_MINUTES, g as OWNING_DELETE_OPS_EVENT_BUS_ENV_VAR } from './events-CjS-sm0W.mjs';
 import { StateMachine } from 'aws-cdk-lib/aws-stepfunctions';
 export { B as BRIDGED_STATUSES, a as BridgedStatus, C as CLOUDFORMATION_EVENT_SOURCE, b as CLOUDFORMATION_STACK_STATUS_CHANGE_DETAIL_TYPE, c as CONTROL_EVENT_BUS_NAME_ENV_VAR, d as CloudFormationStackStatusChangeDetail, O as OPENHI_REPO_TAG_KEY_ENV_VAR, e as OPENHI_TAG_KEY_PREFIX_ENV_VAR, P as PLATFORM_DEPLOY_BRIDGE_ACTOR_SYSTEM } from './events-BfrkMoBD.mjs';
 export { R as RENAME_CASCADE_CONSUMER_NAME, a as RENAME_CASCADE_DEFAULT_CONCURRENCY, b as RENAME_CASCADE_FAILED_THRESHOLD, c as RENAME_CASCADE_OPS_EVENT_BUS_ENV_VAR, d as RENAME_CASCADE_SLOW_THRESHOLD_SECONDS, e as RenameCascadeChunkInput, f as RenameCascadeFinalizeInput, g as RenameCascadeFinalizeOutput, h as RenameCascadeListInput, i as RenameCascadeListOutput } from './events-Da_cFgtc.mjs';
-export { D as DEMO_PERIOD, a as DEMO_TENANT_SPECS, b as DEMO_URN_SYSTEM, c as DEV_USERS, d as DemoDevUser, e as DemoTenantSpec, f as DemoWorkspaceSpec, O as OPENHI_RESOURCE_URN_SYSTEM, P as PLACEHOLDER_TENANT_ID, g as PLACEHOLDER_WORKSPACE_ID, h as PLATFORM_SCOPE_TENANT_ID, S as SEED_DEMO_DATA_CONSUMER_NAME, i as demoBasePartitionKeys, j as demoDevUserPartitionKeys, k as demoMembershipId, l as demoMembershipPartitionKey, m as demoRoleAssignmentId, n as demoRoleAssignmentPartitionKey, o as demoRolesForUserInTenant, p as demoScenarioIdentifier, q as demoTenantPartitionKey, r as demoUserPartitionKey, s as demoWorkspacePartitionKey, t as openhiResourceIdentifier, u as rolePartitionKey } from './events-DPodvl07.mjs';
+import { Patient, Practitioner, Observation, Encounter, Account } from '@openhi/types';
+export { D as DEMO_PERIOD, a as DEMO_TENANT_SPECS, b as DEMO_URN_SYSTEM, c as DEV_USERS, d as DemoDevUser, e as DemoTenantSpec, f as DemoWorkspaceSpec, O as OPENHI_RESOURCE_URN_SYSTEM, P as PLACEHOLDER_TENANT_ID, g as PLACEHOLDER_WORKSPACE_ID, h as PLATFORM_SCOPE_TENANT_ID, S as SEED_DEMO_DATA_CONSUMER_NAME, i as demoMembershipId, j as demoRoleAssignmentId, k as demoRolesForUserInTenant, l as demoScenarioIdentifier, o as openhiResourceIdentifier } from './events-CMG8xanm.mjs';
 export { P as PROVISION_DEFAULT_WORKSPACE_DETAIL_TYPE, a as ProvisionDefaultWorkspaceRequestedDetail, U as USER_ONBOARDING_EVENT_SOURCE, b as buildProvisionDefaultWorkspaceRequestedDetail } from './events-CVA3_eEB.mjs';
 export { ControlPlaneOwningDeleteCompleteV1, ControlPlaneOwningDeleteCompleteV1Detail, ControlPlaneOwningDeleteFailedV1, ControlPlaneOwningDeleteFailedV1Detail, ControlPlaneOwningDeleteV1, ControlPlaneOwningDeleteV1Detail, ControlPlaneRenameCompleteV1, ControlPlaneRenameCompleteV1Detail, ControlPlaneRenameFailedV1, ControlPlaneRenameFailedV1Detail, ControlPlaneRenameV1, ControlPlaneRenameV1Detail, OPENHI_DATA_SOURCE, OPENHI_OPS_SOURCE, OWNING_ENTITY_TYPE, OwningEntityType, PlatformDeploymentCompletedV1, PlatformSystemDataSeededV1, RENAMABLE_ENTITY_TYPE, RenamableEntityType } from '@openhi/workflows';
 import '@aws-sdk/client-dynamodb';
-import '@openhi/types';
 import 'aws-lambda';
 /**
@@ -245,7 +246,7 @@ declare class OpenHiApp extends App {
  *
  * @public
  */
-type OpenHiServiceType = "auth" | "rest-api" | "data" | "global" | "graphql-api";
+type OpenHiServiceType = "auth" | "rest-api" | "data" | "global" | "graphql-api" | "website";
 /**
  * Tag-key suffixes applied by every OpenHiService stack via Tags.of().
  * Full keys are composed `${appName}:${suffix}` — see {@link openHiTagKey}.
@@ -420,47 +421,6 @@ declare class RootGraphqlApi extends GraphqlApi {
     constructor(scope: Construct, props?: Omit<RootGraphqlApiProps, "name">);
 }
-interface CognitoFixtureSeederClientProps extends Partial<Omit<UserPoolClientProps, "userPool" | "generateSecret">> {
-    readonly userPool: IUserPool;
-}
-/**
- * Dedicated Cognito app client for the OpenHI fixture-seeder CLI
- * (`@openhi/seed-fixtures`).
- *
- * Why a dedicated client (vs reusing the SPA client):
- * - Tightly scoped: only the seeder consumes tokens issued here, so an
- *   audit trail of seeder activity is cleanly separable.
- * - Decoupled from the SPA client's OAuth flows — no risk of breaking
- *   web-app sign-in by tweaking auth-flow settings here.
- * - Stage-conditional creation upstream (only provisioned in non-prod
- *   environments) means prod stacks never carry a code path that could
- *   issue a fixture-seeder token in the first place.
- *
- * Why USER_PASSWORD_AUTH (vs M2M client-credentials):
- * - Cognito's M2M tier has a per-app-client monthly fee plus per-token
- *   activity charges. For sporadic non-prod fixture runs the per-client
- *   fee dominates the bill, especially if every dev branch spins up
- *   its own auth stack.
- * - USER_PASSWORD_AUTH against a service `fixture-seeder` user keeps
- *   the cost in MAU territory (free under the 50K MAU tier).
- * - Tradeoff: passwords need rotation and the service user must be
- *   provisioned per non-prod environment (manual or scripted post-deploy).
- *
- * No client secret (`generateSecret: false`): USER_PASSWORD_AUTH
- * authenticates with the password directly; a secret would just add
- * another credential to manage without strengthening anything.
- */
-declare class CognitoFixtureSeederClient extends UserPoolClient {
-    /**
-     * SSM parameter name suffix used to publish this client's ID for
-     * cross-stack lookups. Built into a full parameter name via
-     * `buildParameterName` with `serviceType` AUTH (since the auth stack
-     * owns this resource).
-     */
-    static readonly SSM_PARAM_NAME = "COGNITO_FIXTURE_SEEDER_CLIENT";
-    constructor(scope: Construct, props: CognitoFixtureSeederClientProps);
-}
 /**
  * @see sites/www-docs/content/packages/@openhi/constructs/components/cognito/cognito-user-pool.md
  */
@@ -1007,6 +967,79 @@ declare class DiscoverableStringParameter extends StringParameter {
     constructor(scope: Construct, id: string, props: DiscoverableStringParameterProps);
 }
+/**
+ * @see sites/www-docs/content/packages/@openhi/constructs/components/static-hosting/static-content.md
+ */
+/*******************************************************************************
+ *
+ *  STATIC CONTENT UPLOADER
+ *
+ *  This construct uploads a directory of content from a local location into S3.
+ *
+ *  To support PR and branch specific builds, each S3 bucket can store content
+ *  for multiple domains and builds, using the following format:
+ *
+ *  S3-bucket/<sub-domain>.<full-domain>/*
+ *
+ *  A bucket used to store content for stage.openhi.org might have the
+ *  following directory structure (all in the same bucket):
+ *
+ *  /www.stage.openhi.org/* -> serves content to www.stage.openhi.org
+ *  /feature-7.stage.openhi.org/* -> serves content to feature-7.stage.openhi.org
+ *  /pr-123.stage.openhi.org/* -> serves content to pr-123.stage.openhi.org
+ *
+ ******************************************************************************/
+/**
+ * Props for the StaticContent construct.
+ */
+interface StaticContentProps {
+    /**
+     * Absolute path to directory containing content for the website.
+     */
+    readonly contentSourceDirectory: string;
+    /**
+     * Directory to place content into. Should start with a slash.
+     * Example: '/widget'
+     *
+     * @default "/"
+     */
+    readonly contentDestinationDirectory?: string;
+    /**
+     * The sub domain prefix (e.g. "feature-7"). Used as the per-branch folder
+     * name in the bucket so each branch deploys to its own prefix.
+     *
+     * @default the current stack's branch name (kebab-cased)
+     */
+    readonly subDomain?: string;
+    /**
+     * The full domain (e.g. "stage.openhi.org"). Used together with
+     * `subDomain` to form the destination prefix
+     * `<sub-domain>.<full-domain>`.
+     */
+    readonly fullDomain: string;
+    /**
+     * Service type used to look up the static-hosting bucket ARN via
+     * DiscoverableStringParameter.
+     *
+     * @default STATIC_HOSTING_SERVICE_TYPE ("website")
+     */
+    readonly serviceType?: string;
+}
+/**
+ * Static content uploader: deploys a local directory to the static-hosting
+ * S3 bucket under `<sub-domain>.<full-domain>/<dest>` so each branch
+ * deploys to its own prefix without clobbering siblings. The bucket ARN is
+ * looked up via DiscoverableStringParameter so the uploader can run on a
+ * feature-branch stack while the bucket itself was provisioned by the
+ * release-branch service stack.
+ */
+declare class StaticContent extends Construct {
+    constructor(scope: Construct, id: string, props: StaticContentProps);
+}
+/**
+ * @see sites/www-docs/content/packages/@openhi/constructs/components/static-hosting/static-hosting.md
+ */
 /**
  * Service type for the website service. Used in SSM parameter paths and by
  * OpenHiWebsiteService for fromConstruct() lookups.
@@ -1021,21 +1054,61 @@ interface StaticHostingProps {
      */
     readonly bucketProps?: Omit<BucketProps, "bucketName">;
     /**
-     * Optional CloudFront distribution props. Do not enable invalidation.
-     * Default TTL is 10 seconds via a custom cache policy.
+     * Optional CloudFront distribution props. Defaults wire a custom cache
+     * policy (60s/300s with gzip+brotli), `REDIRECT_TO_HTTPS`, and
+     * `ALLOW_GET_HEAD_OPTIONS` on the default behavior; overrides apply on top.
      */
     readonly distributionProps?: Omit<DistributionProps, "defaultBehavior" | "defaultRootObject">;
+    /**
+     * Optional cache policy overrides. Defaults: `defaultTtl=60s`, `maxTtl=300s`,
+     * `minTtl=0s`, gzip+brotli enabled, no headers/cookies/query strings cached.
+     */
+    readonly cachePolicyProps?: Omit<CachePolicyProps, "cachePolicyName">;
+    /**
+     * Wildcard certificate to attach to the CloudFront distribution. When
+     * supplied together with `hostedZone` and `domainNames`, CloudFront serves
+     * the listed domains and Route53 ARecords are created in the zone.
+     *
+     * @default - no custom certificate; CloudFront default domain is served
+     */
+    readonly certificate?: ICertificate;
+    /**
+     * Hosted zone to create Route53 ARecords in. Required together with
+     * `certificate` and `domainNames` to attach a custom domain.
+     */
+    readonly hostedZone?: IHostedZone;
+    /**
+     * Domain names to attach to the CloudFront distribution. Each name also
+     * gets an ARecord in `hostedZone`.
+     */
+    readonly domainNames?: ReadonlyArray<string>;
+    /**
+     * Selects how path-like URIs are rewritten by the viewer-request
+     * Lambda@Edge handler.
+     *
+     * - `spa` (default): path-like URIs rewrite to `/index.html`.
+     * - `static`: path-like URIs append `/index.html`.
+     *
+     * @default "spa"
+     */
+    readonly hostingMode?: HostingMode;
     /**
      * Service type for SSM parameter paths.
+     *
      * @default STATIC_HOSTING_SERVICE_TYPE ("website")
      */
     readonly serviceType?: string;
+    /**
+     * Optional human-readable description used in distribution comment and
+     * SSM parameter descriptions.
+     */
+    readonly description?: string;
 }
 /**
  * Static hosting: S3 bucket (private) + CloudFront distribution with Origin
- * Access Control (OAC). Stores bucket ARN and distribution ARN in SSM via
- * DiscoverableStringParameter for cross-stack lookup. No cache invalidation;
- * default TTL 10 seconds.
+ * Access Control (OAC) + Lambda@Edge viewer-request handler. Publishes
+ * bucket ARN, distribution ARN, distribution domain, and distribution ID
+ * via DiscoverableStringParameter for cross-stack lookup.
  */
 declare class StaticHosting extends Construct {
     /**
@@ -1046,8 +1119,18 @@ declare class StaticHosting extends Construct {
      * SSM parameter name for the CloudFront distribution ARN.
      */
     static readonly SSM_PARAM_NAME_DISTRIBUTION_ARN = "STATIC_HOSTING_DISTRIBUTION_ARN";
+    /**
+     * SSM parameter name for the CloudFront distribution domain
+     * (e.g. dXXXXX.cloudfront.net).
+     */
+    static readonly SSM_PARAM_NAME_DISTRIBUTION_DOMAIN = "STATIC_HOSTING_DISTRIBUTION_DOMAIN";
+    /**
+     * SSM parameter name for the CloudFront distribution ID.
+     */
+    static readonly SSM_PARAM_NAME_DISTRIBUTION_ID = "STATIC_HOSTING_DISTRIBUTION_ID";
     readonly bucket: IBucket;
     readonly distribution: Distribution;
+    readonly viewerRequestHandler: NodejsFunction;
     constructor(scope: Construct, id: string, props?: StaticHostingProps);
 }
@@ -1131,17 +1214,6 @@ declare class OpenHiAuthService extends OpenHiService {
      * Returns an IUserPoolClient by looking up the Auth stack's User Pool Client ID from SSM.
      */
     static userPoolClientFromConstruct(scope: Construct): IUserPoolClient;
-    /**
-     * Returns the dedicated fixture-seeder IUserPoolClient by looking up
-     * its ID from SSM. Only non-prod auth stacks publish this parameter
-     * (per the conditional in {@link createFixtureSeederClient}); calling
-     * this against a prod-deployed stack will fail at lookup time.
-     *
-     * Consumed by `OpenHiRestApiService` (in non-prod) so the authorizer
-     * accepts tokens issued by this client, and by the seed-fixtures CLI
-     * to drive USER_PASSWORD_AUTH against this client's ID.
-     */
-    static fixtureSeederClientFromConstruct(scope: Construct): IUserPoolClient;
     /**
      * Returns an IUserPoolDomain by looking up the Auth stack's User Pool Domain from SSM.
      */
@@ -1161,12 +1233,6 @@ declare class OpenHiAuthService extends OpenHiService {
     readonly userPool: IUserPool;
     readonly userPoolClient: IUserPoolClient;
     readonly userPoolDomain: IUserPoolDomain;
-    /**
-     * Dedicated USER_PASSWORD_AUTH client for the seed-fixtures CLI.
-     * Only created in non-prod environments (see
-     * {@link createFixtureSeederClient}). `undefined` in prod.
-     */
-    readonly fixtureSeederClient?: IUserPoolClient;
     /**
      * Cross-stack reference to the data store table. Cached so repeated
      * lookups share a single CDK construct id ("dynamo-db-data-store") in
@@ -1245,18 +1311,6 @@ declare class OpenHiAuthService extends OpenHiService {
      * Override to customize.
      */
     protected createUserPoolClient(): IUserPoolClient;
-    /**
-     * Creates the dedicated USER_PASSWORD_AUTH app client for the
-     * `@openhi/seed-fixtures` CLI, **only** in non-prod environments.
-     * Returns `undefined` when this stack is being deployed to a prod
-     * stage so the prod auth stack carries no fixture-seeder code path.
-     *
-     * Operator post-deploy: create a `fixture-seeder` Cognito user with
-     * a service password (manually via console or scripted with
-     * `aws cognito-idp admin-create-user`); the CLI consumes those creds
-     * via env vars to drive `InitiateAuth`.
-     */
-    protected createFixtureSeederClient(): IUserPoolClient | undefined;
     /**
      * Creates the User Pool Domain (Cognito hosted UI) and exports domain name to SSM.
      * Look up via {@link OpenHiAuthService.userPoolDomainFromConstruct}.
@@ -1522,12 +1576,69 @@ declare class OpenHiRestApiService extends OpenHiService {
     protected createRootHttpApi(domainName: DomainName): RootHttpApi;
 }
+/**
+ * @see sites/www-docs/content/packages/@openhi/constructs/workflows/control-plane/seed-demo-data/data-plane-fixtures.md
+ *
+ * Hand-authored FHIR data-plane fixture bodies the `seed-demo-data`
+ * workflow upserts into the data store on every non-prod deploy.
+ * Mirrors the OPS-009 v1 resource set: Patient, Practitioner,
+ * Observation, Encounter, Account.
+ *
+ * Ids are deterministic — re-fires of the workflow upsert the same
+ * records, satisfying the workflow's idempotency contract (no
+ * duplicates) and letting the IAM grant in `seed-demo-data-lambda.ts`
+ * enumerate exact-match `dynamodb:LeadingKeys` rather than a wildcard.
+ *
+ * The placeholder tenant carries no data-plane fixtures — only the
+ * three real demo tenants (wound-care, primary-care, mixed) get
+ * Patient/Practitioner/Observation/Encounter/Account records. The
+ * placeholder tenant exists solely as a routing target for the
+ * Cognito pre-token-generation fallback and never holds clinical
+ * data.
+ */
+/**
+ * Logical group of FHIR resources owned by a single (tenant, workspace)
+ * pair. The workflow walks `DEMO_DATA_PLANE_FIXTURES` and writes every
+ * entry against the matching workspace's `OpenHiContext`.
+ */
+interface DemoWorkspaceDataPlaneFixtures {
+    readonly tenantId: string;
+    readonly workspaceId: string;
+    /**
+     * Scenario slug used in the demo-URN identifier — mirrors the
+     * `DemoTenantSpec.scenario` value for the parent tenant. For the
+     * mixed tenant both workspaces share the `demo-mixed` scenario.
+     */
+    readonly scenario: string;
+    readonly patients: ReadonlyArray<Patient>;
+    readonly practitioners: ReadonlyArray<Practitioner>;
+    readonly observations: ReadonlyArray<Observation>;
+    readonly encounters: ReadonlyArray<Encounter>;
+    readonly accounts: ReadonlyArray<Account>;
+}
+/**
+ * Per-workspace fixtures the data-plane phase writes on every fire.
+ * The placeholder tenant carries no fixtures. The mixed tenant carries
+ * one fixture group per workspace; the two single-workspace tenants
+ * carry one each. Total: 4 fixture groups × ≈ 9 resources = ~36
+ * data-plane records.
+ *
+ * Ids embed the tenant + workspace slug so they remain unambiguous
+ * across the four workspaces (the FHIR resource id is the only thing
+ * that survives into the partition key, so a duplicate id across
+ * workspaces would still collide on read paths that scan-by-id).
+ */
+declare const DEMO_DATA_PLANE_FIXTURES: ReadonlyArray<DemoWorkspaceDataPlaneFixtures>;
 interface SeedDemoDataLambdaProps {
     /**
      * Data-store table the workflow upserts demo-data records into.
-     * Wired via `DYNAMO_TABLE_NAME` env var; granted scoped read on the
-     * Role PKs (pre-flight check) and scoped write on the enumerated
-     * demo Tenant / Workspace / Membership / RoleAssignment / User PKs.
+     * Wired via `DYNAMO_TABLE_NAME` env var; granted `dynamodb:GetItem`
+     * (pre-flight Role lookup) and `dynamodb:PutItem`/`dynamodb:UpdateItem`
+     * (write phase). The grants are scoped to the table ARN only; the
+     * handler itself is the scope guarantee for which records the
+     * workflow touches (see the construct body for the previous
+     * `LeadingKeys`-based grants and the reason they were dropped).
      */
     readonly dataStoreTable: ITable;
     /**
@@ -1796,6 +1907,141 @@ declare class OpenHiGraphqlService extends OpenHiService {
     protected createRootGraphqlApi(): RootGraphqlApi;
 }
+/**
+ * @see sites/www-docs/content/packages/@openhi/constructs/services/open-hi-website-service.md
+ */
+interface OpenHiWebsiteServiceProps extends OpenHiServiceProps {
+    /**
+     * Sub-domain prefix attached to the child zone (e.g. "www" -> "www.<zone>").
+     *
+     * @default "www"
+     */
+    readonly domainPrefix?: string;
+    /**
+     * Absolute path to the local directory whose contents should be uploaded
+     * to the static-hosting bucket. Required.
+     */
+    readonly contentSourceDirectory: string;
+    /**
+     * Path under the per-branch destination prefix to upload into. Should start
+     * with a slash.
+     *
+     * @default "/"
+     */
+    readonly contentDestinationDirectory?: string;
+    /**
+     * Force the `StaticHosting` infrastructure (bucket + distribution +
+     * Lambda@Edge + DNS + 4 SSM params) to be created on this branch even when
+     * it is not the release branch. Useful for one-off bootstraps and tests.
+     *
+     * When omitted, hosting infrastructure is created only on
+     * `defaultReleaseBranch`. The `StaticContent` uploader is always
+     * created so feature branches can publish their content under their own
+     * sub-domain folder against the release-branch bucket.
+     *
+     * @default - true on release branch, false otherwise
+     */
+    readonly createHostingInfrastructure?: boolean;
+}
+/**
+ * SSM parameter name suffix for the website's full domain
+ * (e.g. www.example.com).
+ */
+declare const SSM_PARAM_NAME_FULL_DOMAIN = "WEBSITE_FULL_DOMAIN";
+/**
+ * Website service stack: composes StaticHosting (only on release-branch
+ * deploys) and StaticContent (always) so feature branches can ship their
+ * content to a per-branch sub-domain folder against the release-branch
+ * bucket without provisioning duplicate infrastructure.
+ *
+ * Resources are created in protected methods; subclasses may override to
+ * customize.
+ */
+declare class OpenHiWebsiteService extends OpenHiService {
+    static readonly SERVICE_TYPE: "website";
+    /**
+     * Looks up the static-hosting bucket ARN published by the release-branch
+     * deploy of this service.
+     */
+    static bucketArnFromConstruct(scope: Construct): string;
+    /**
+     * Looks up the CloudFront distribution ARN published by the release-branch
+     * deploy of this service.
+     */
+    static distributionArnFromConstruct(scope: Construct): string;
+    /**
+     * Looks up the CloudFront distribution domain
+     * (e.g. dXXXXX.cloudfront.net) published by the release-branch deploy.
+     */
+    static distributionDomainFromConstruct(scope: Construct): string;
+    /**
+     * Looks up the CloudFront distribution ID published by the release-branch
+     * deploy of this service.
+     */
+    static distributionIdFromConstruct(scope: Construct): string;
+    /**
+     * Looks up the website's full domain (e.g. www.example.com) published by
+     * the release-branch deploy of this service.
+     */
+    static fullDomainFromConstruct(scope: Construct): string;
+    get serviceType(): string;
+    /** Override so this.props is typed with this service's options. */
+    props: OpenHiWebsiteServiceProps;
+    /**
+     * Full domain served by this website (e.g. www.example.com). Derived from
+     * `domainPrefix` and the child hosted zone name.
+     */
+    readonly fullDomain: string;
+    /**
+     * The hosting construct, only created on release-branch deploys (or when
+     * `createHostingInfrastructure` is true).
+     */
+    readonly staticHosting?: StaticHosting;
+    /**
+     * The content uploader, always created.
+     */
+    readonly staticContent: StaticContent;
+    constructor(ohEnv: OpenHiEnvironment, props: OpenHiWebsiteServiceProps);
+    /**
+     * Validates that config required for the website stack is present.
+     */
+    protected validateConfig(props: OpenHiWebsiteServiceProps): void;
+    /**
+     * Looks up the child hosted zone published by the Global service.
+     * Override to customize.
+     */
+    protected createHostedZone(): IHostedZone;
+    /**
+     * Returns the wildcard certificate looked up from the Global service.
+     * Override to customize.
+     */
+    protected createCertificate(): ICertificate;
+    /**
+     * Computes the full website domain from `domainPrefix` and the child
+     * zone name.
+     */
+    protected computeFullDomain(hostedZone: IHostedZone): string;
+    /**
+     * Creates the StaticHosting infrastructure (bucket + distribution +
+     * Lambda@Edge + 4 SSM params + DNS).
+     */
+    protected createStaticHosting(deps: {
+        certificate: ICertificate;
+        hostedZone: IHostedZone;
+    }): StaticHosting;
+    /**
+     * Creates the SSM parameter that publishes the website's full domain.
+     * Look up via {@link OpenHiWebsiteService.fullDomainFromConstruct}.
+     */
+    protected createFullDomainParameter(): void;
+    /**
+     * Creates the StaticContent uploader. Always created so feature-branch
+     * deploys can publish content to their own sub-domain folder against the
+     * release-branch bucket.
+     */
+    protected createStaticContent(): StaticContent;
+}
 interface OwningDeleteCascadeLambdasProps {
     /** Data-store table the cascade reads (Query) and writes (DeleteItem / TransactWriteItems) against. */
     readonly dataStoreTable: ITable;
@@ -1980,4 +2226,4 @@ declare class RenameCascadeWorkflow extends Construct {
     constructor(scope: Construct, props: RenameCascadeWorkflowProps);
 }
-export { type BuildParameterNameProps, ChildHostedZone, type ChildHostedZoneProps, CognitoFixtureSeederClient, type CognitoFixtureSeederClientProps, CognitoUserPool, CognitoUserPoolClient, CognitoUserPoolDomain, CognitoUserPoolKmsKey, ControlEventBus, DATA_STORE_CHANGE_DETAIL_MAX_UTF8_BYTES, DATA_STORE_CHANGE_DETAIL_TYPE, DATA_STORE_CHANGE_EVENT_SOURCE, DataEventBus, DataStoreHistoricalArchive, type DataStoreHistoricalArchiveProps, DataStorePostgresReplica, type DataStorePostgresReplicaProps, DiscoverableStringParameter, type DiscoverableStringParameterProps, DynamoDbDataStore, type DynamoDbDataStoreProps, type FhirCurrentResourceChangeDetail, type GrantConsumerOptions, OPENHI_TAG_SUFFIX_BRANCH_NAME, OPENHI_TAG_SUFFIX_REPO_NAME, OPENHI_TAG_SUFFIX_SERVICE_TYPE, OPENHI_TAG_SUFFIX_STAGE_TYPE, OpenHiApp, type OpenHiAppProps, OpenHiAuthService, type OpenHiAuthServiceProps, OpenHiDataService, type OpenHiDataServiceProps, OpenHiEnvironment, type OpenHiEnvironmentProps, OpenHiGlobalService, type OpenHiGlobalServiceProps, OpenHiGraphqlService, type OpenHiGraphqlServiceProps, OpenHiRestApiService, type OpenHiRestApiServiceProps, OpenHiService, type OpenHiServiceProps, type OpenHiServiceType, OpenHiStage, type OpenHiStageProps, OpsEventBus, OwningDeleteCascadeLambdas, type OwningDeleteCascadeLambdasProps, OwningDeleteCascadeWorkflow, type OwningDeleteCascadeWorkflowProps, POSTGRES_REPLICA_CLUSTER_ARN_SSM_NAME, POSTGRES_REPLICA_DATABASE_NAME_SSM_NAME, POSTGRES_REPLICA_SECRET_ARN_SSM_NAME, PlatformDeployBridge, PlatformDeployBridgeLambda, type PlatformDeployBridgeLambdaProps, type PlatformDeployBridgeProps, PostAuthenticationLambda, PostConfirmationLambda, type PostConfirmationLambdaProps, PreTokenGenerationLambda, type PreTokenGenerationLambdaProps, ProvisionDefaultWorkspaceLambda, type ProvisionDefaultWorkspaceLambdaProps, REST_API_BASE_URL_SSM_NAME, RenameCascadeLambdas, type RenameCascadeLambdasProps, RenameCascadeWorkflow, type RenameCascadeWorkflowProps, RootGraphqlApi, type RootGraphqlApiProps, RootHostedZone, RootHttpApi, type RootHttpApiProps, RootWildcardCertificate, SEED_SYSTEM_DATA_ACTOR_SYSTEM, SEED_SYSTEM_DATA_CONSUMER_NAME, SEED_SYSTEM_DATA_CONTROL_BUS_ENV_VAR, STATIC_HOSTING_SERVICE_TYPE, SeedDemoDataLambda, type SeedDemoDataLambdaProps, SeedDemoDataWorkflow, type SeedDemoDataWorkflowProps, SeedSystemDataLambda, type SeedSystemDataLambdaProps, SeedSystemDataWorkflow, type SeedSystemDataWorkflowProps, StaticHosting, type StaticHostingProps, UserOnboardingWorkflow, type UserOnboardingWorkflowProps, WorkflowDedupConsumerNameInvalidError, WorkflowDedupTable, WorkflowDedupTableDuplicateError, type WorkflowDedupTableProps, buildFhirCurrentResourceChangeDetail, getDynamoDbDataStoreTableName, getPostgresReplicaSchemaName, getWorkflowDedupTableName, openHiTagKey };
+export { type BuildParameterNameProps, ChildHostedZone, type ChildHostedZoneProps, CognitoUserPool, CognitoUserPoolClient, CognitoUserPoolDomain, CognitoUserPoolKmsKey, ControlEventBus, DATA_STORE_CHANGE_DETAIL_MAX_UTF8_BYTES, DATA_STORE_CHANGE_DETAIL_TYPE, DATA_STORE_CHANGE_EVENT_SOURCE, DEMO_DATA_PLANE_FIXTURES, DataEventBus, DataStoreHistoricalArchive, type DataStoreHistoricalArchiveProps, DataStorePostgresReplica, type DataStorePostgresReplicaProps, type DemoWorkspaceDataPlaneFixtures, DiscoverableStringParameter, type DiscoverableStringParameterProps, DynamoDbDataStore, type DynamoDbDataStoreProps, type FhirCurrentResourceChangeDetail, type GrantConsumerOptions, HostingMode, OPENHI_TAG_SUFFIX_BRANCH_NAME, OPENHI_TAG_SUFFIX_REPO_NAME, OPENHI_TAG_SUFFIX_SERVICE_TYPE, OPENHI_TAG_SUFFIX_STAGE_TYPE, OpenHiApp, type OpenHiAppProps, OpenHiAuthService, type OpenHiAuthServiceProps, OpenHiDataService, type OpenHiDataServiceProps, OpenHiEnvironment, type OpenHiEnvironmentProps, OpenHiGlobalService, type OpenHiGlobalServiceProps, OpenHiGraphqlService, type OpenHiGraphqlServiceProps, OpenHiRestApiService, type OpenHiRestApiServiceProps, OpenHiService, type OpenHiServiceProps, type OpenHiServiceType, OpenHiStage, type OpenHiStageProps, OpenHiWebsiteService, type OpenHiWebsiteServiceProps, OpsEventBus, OwningDeleteCascadeLambdas, type OwningDeleteCascadeLambdasProps, OwningDeleteCascadeWorkflow, type OwningDeleteCascadeWorkflowProps, POSTGRES_REPLICA_CLUSTER_ARN_SSM_NAME, POSTGRES_REPLICA_DATABASE_NAME_SSM_NAME, POSTGRES_REPLICA_SECRET_ARN_SSM_NAME, PlatformDeployBridge, PlatformDeployBridgeLambda, type PlatformDeployBridgeLambdaProps, type PlatformDeployBridgeProps, PostAuthenticationLambda, PostConfirmationLambda, type PostConfirmationLambdaProps, PreTokenGenerationLambda, type PreTokenGenerationLambdaProps, ProvisionDefaultWorkspaceLambda, type ProvisionDefaultWorkspaceLambdaProps, REST_API_BASE_URL_SSM_NAME, RenameCascadeLambdas, type RenameCascadeLambdasProps, RenameCascadeWorkflow, type RenameCascadeWorkflowProps, RootGraphqlApi, type RootGraphqlApiProps, RootHostedZone, RootHttpApi, type RootHttpApiProps, RootWildcardCertificate, SEED_SYSTEM_DATA_ACTOR_SYSTEM, SEED_SYSTEM_DATA_CONSUMER_NAME, SEED_SYSTEM_DATA_CONTROL_BUS_ENV_VAR, SSM_PARAM_NAME_FULL_DOMAIN, STATIC_HOSTING_SERVICE_TYPE, SeedDemoDataLambda, type SeedDemoDataLambdaProps, SeedDemoDataWorkflow, type SeedDemoDataWorkflowProps, SeedSystemDataLambda, type SeedSystemDataLambdaProps, SeedSystemDataWorkflow, type SeedSystemDataWorkflowProps, StaticContent, type StaticContentProps, StaticHosting, type StaticHostingProps, UserOnboardingWorkflow, type UserOnboardingWorkflowProps, WorkflowDedupConsumerNameInvalidError, WorkflowDedupTable, WorkflowDedupTableDuplicateError, type WorkflowDedupTableProps, buildFhirCurrentResourceChangeDetail, getDynamoDbDataStoreTableName, getPostgresReplicaSchemaName, getWorkflowDedupTableName, openHiTagKey };