@openhi/constructs 0.0.114 → 0.0.116

package/lib/index.d.ts

@@ -3,7 +3,7 @@ import { Construct, IConstruct } from 'constructs';
 import { ICertificate, Certificate, CertificateProps } from 'aws-cdk-lib/aws-certificatemanager';
 import { IHttpApi, HttpApiProps, HttpApi, DomainName } from 'aws-cdk-lib/aws-apigatewayv2';
 import { IGraphqlApi, GraphqlApi, GraphqlApiProps } from 'aws-cdk-lib/aws-appsync';
-import { UserPoolClient, UserPoolClientProps, IUserPool, UserPool, UserPoolProps, UserPoolDomain, UserPoolDomainProps, IUserPoolClient, IUserPoolDomain } from 'aws-cdk-lib/aws-cognito';
+import { UserPool, UserPoolProps, UserPoolClient, UserPoolClientProps, UserPoolDomain, UserPoolDomainProps, IUserPool, IUserPoolClient, IUserPoolDomain } from 'aws-cdk-lib/aws-cognito';
 import { Key, KeyProps, IKey } from 'aws-cdk-lib/aws-kms';
 import { NodejsFunction } from 'aws-cdk-lib/aws-lambda-nodejs';
 import { AttributeValue } from '@aws-sdk/client-dynamodb';
@@ -19,11 +19,11 @@ import * as ec2 from 'aws-cdk-lib/aws-ec2';
 import * as rds from 'aws-cdk-lib/aws-rds';
 import { HostedZone, HostedZoneProps, IHostedZone, HostedZoneAttributes } from 'aws-cdk-lib/aws-route53';
 import { StringParameterProps, StringParameter } from 'aws-cdk-lib/aws-ssm';
-import { Distribution, DistributionProps } from 'aws-cdk-lib/aws-cloudfront';
+import { Distribution, DistributionProps, CachePolicyProps } from 'aws-cdk-lib/aws-cloudfront';
 import { StateMachine } from 'aws-cdk-lib/aws-stepfunctions';
 import { RenamableEntityType } from '@openhi/workflows';
 export { ControlPlaneOwningDeleteCompleteV1, ControlPlaneOwningDeleteCompleteV1Detail, ControlPlaneOwningDeleteFailedV1, ControlPlaneOwningDeleteFailedV1Detail, ControlPlaneOwningDeleteV1, ControlPlaneOwningDeleteV1Detail, ControlPlaneRenameCompleteV1, ControlPlaneRenameCompleteV1Detail, ControlPlaneRenameFailedV1, ControlPlaneRenameFailedV1Detail, ControlPlaneRenameV1, ControlPlaneRenameV1Detail, OPENHI_DATA_SOURCE, OPENHI_OPS_SOURCE, OWNING_ENTITY_TYPE, OwningEntityType, PlatformDeploymentCompletedV1, PlatformSystemDataSeededV1, RENAMABLE_ENTITY_TYPE, RenamableEntityType } from '@openhi/workflows';
-import { PlatformRoleCode } from '@openhi/types';
+import { PlatformRoleCode, Patient, Practitioner, Observation, Encounter, Account } from '@openhi/types';
 import { PostConfirmationTriggerEvent } from 'aws-lambda';
 
 /*******************************************************************************
@@ -123,6 +123,21 @@ interface DynamoDbStreamKinesisRecord {
     };
 }
 
+/**
+ * @see sites/www-docs/content/packages/@openhi/constructs/components/static-hosting/static-hosting.viewer-request-handler.md
+ */
+/**
+ * Hosting mode controls how path-like URIs get a default document.
+ *
+ * - `spa`: path-like URIs (e.g. `/dashboard`, `/patients/123`) rewrite to
+ *   `/index.html` so the single-page app's root index is served and the
+ *   client-side router handles the path.
+ * - `static`: path-like URIs append `/index.html` (e.g. `/docs` becomes
+ *   `/docs/index.html`) so multi-page static sites can serve distinct
+ *   HTML per path.
+ */
+type HostingMode = "spa" | "static";
+
 /**
  * @see sites/www-docs/content/packages/@openhi/constructs/workflows/control-plane/owning-delete-cascade/events.md
  *
@@ -514,10 +529,9 @@ declare const DEMO_PERIOD: {
  * `"platform"` literal is a reserved value that never matches a real
  * Tenant id and signals "this RA scopes across all tenants".
  *
- * Renaming this constant is a wire-format break — the IAM grant in
- * `seed-demo-data-lambda.ts` enumerates exact-match `LeadingKeys`
- * computed from this value, and the in-band records written under it
- * become unreachable if the sentinel changes.
+ * Renaming this constant is a wire-format break — the handler emits
+ * RoleAssignment records keyed on this value, and the in-band records
+ * written under it become unreachable if the sentinel changes.
  */
 declare const PLATFORM_SCOPE_TENANT_ID = "platform";
 /** Placeholder Tenant id seeded by the workflow as the dev-user `currentTenant`. */
@@ -558,8 +572,8 @@ interface DemoWorkspaceSpec {
     readonly name: string;
     /**
      * Role suffix used in the demo URN value (`<scenario>:<roleSuffix>`).
-     * Mirrors seed-fixtures' role suffix convention: `workspace` for
-     * single-workspace tenants, `workspace-<sub>` for the mixed tenant.
+     * `workspace` for single-workspace tenants, `workspace-<sub>` for the
+     * mixed tenant.
      */
     readonly roleSuffix: string;
 }
@@ -572,8 +586,7 @@ interface DemoTenantSpec {
     /**
      * Scenario slug — `placeholder`, `demo-wound-care`, `demo-primary-care`,
      * `demo-mixed`. The placeholder tenant's slug is `placeholder`; the
-     * three demo tenants mirror seed-fixtures' `fixture-*` slugs renamed
-     * to `demo-*`.
+     * three demo tenants use `demo-*` slugs.
      */
     readonly scenario: string;
     /** Stable id (DynamoDB record id; also drives the canonical OHI URN). */
@@ -608,8 +621,6 @@ declare const demoMembershipId: (devUserId: string, tenantId: string) => string;
 declare const demoRoleAssignmentId: (devUserId: string, tenantId: string, roleCode: PlatformRoleCode) => string;
 /**
  * Demo-scenario FHIR `Identifier` entry — `urn:openhi:demo:<scenario>:<role>`.
- * Mirrors the `urn:openhi:fixture:<scenario>:<role>` pattern from
- * `@openhi/seed-fixtures/src/urn.ts`, renamed to the `demo` namespace.
  */
 declare const demoScenarioIdentifier: (scenario: string, roleSuffix: string) => {
     system: string;
@@ -638,48 +649,6 @@ declare const openhiResourceIdentifier: (params: {
  * is no per-(user, tenant) variance to drive from.
  */
 declare const demoRolesForUserInTenant: (_user: DemoDevUser, _tenantId: string) => ReadonlyArray<PlatformRoleCode>;
-/**
- * DynamoDB single-table partition-key builders. The IAM grant in
- * `seed-demo-data-lambda.ts` uses these to enumerate exact-match
- * `dynamodb:LeadingKeys` values; the entity definitions in
- * `data/dynamo/entities/control/` own the canonical key templates.
- *
- * These builders MUST emit the keys ElectroDB actually writes — not
- * the entity definition's pretty template. None of the control-plane
- * entities sets `casing: "none"` on the base-table PK template, so
- * ElectroDB applies its default lowercase casing at runtime: the
- * entity's `ROLE#ID#${id}` becomes `role#id#<id>` on the wire. A
- * builder that returns the uppercase template form produces a
- * silently-broken IAM grant (every PutItem denied with "no
- * identity-based policy allows" because the request's leading-key
- * never matches a policy value).
- */
-declare const rolePartitionKey: (roleId: string) => string;
-declare const demoTenantPartitionKey: (tenantId: string) => string;
-declare const demoWorkspacePartitionKey: (tenantId: string, workspaceId: string) => string;
-declare const demoMembershipPartitionKey: (tenantId: string, membershipId: string) => string;
-declare const demoRoleAssignmentPartitionKey: (tenantId: string, roleAssignmentId: string) => string;
-/** User entity PK template — `USER#ID#<id>` → `user#id#<id>` on the wire. */
-declare const demoUserPartitionKey: (userId: string) => string;
-/**
- * Tenant + Workspace PKs the workflow writes on every fire: the 4
- * tenant PKs (placeholder + 3 demo) plus their workspaces (1 + 1 + 1 + 2 = 5).
- */
-declare const demoBasePartitionKeys: () => ReadonlyArray<string>;
-/**
- * Membership + RoleAssignment + User PKs the workflow writes per dev
- * user. Empty when `devUsers` is empty (used by tests). The list
- * mirrors the handler's iteration order so the IAM grant covers every
- * write the handler can make.
- *
- * Per dev user the function emits:
- *   - one User PK,
- *   - per tenant in {@link DEMO_TENANT_SPECS}: one Membership PK plus
- *     one `tenant-admin` RoleAssignment PK,
- *   - one platform-scoped `system-admin` RoleAssignment PK keyed by
- *     {@link PLATFORM_SCOPE_TENANT_ID}.
- */
-declare const demoDevUserPartitionKeys: (devUsers: ReadonlyArray<DemoDevUser>) => ReadonlyArray<string>;
 
 /**
  * @see sites/www-docs/content/packages/@openhi/constructs/workflows/control-plane/user-onboarding/events.md
@@ -914,7 +883,7 @@ declare class OpenHiApp extends App {
  *
  * @public
  */
-type OpenHiServiceType = "auth" | "rest-api" | "data" | "global" | "graphql-api";
+type OpenHiServiceType = "auth" | "rest-api" | "data" | "global" | "graphql-api" | "website";
 /**
  * Tag-key suffixes applied by every OpenHiService stack via Tags.of().
  * Full keys are composed `${appName}:${suffix}` — see {@link openHiTagKey}.
@@ -1089,47 +1058,6 @@ declare class RootGraphqlApi extends GraphqlApi {
     constructor(scope: Construct, props?: Omit<RootGraphqlApiProps, "name">);
 }
 
-interface CognitoFixtureSeederClientProps extends Partial<Omit<UserPoolClientProps, "userPool" | "generateSecret">> {
-    readonly userPool: IUserPool;
-}
-/**
- * Dedicated Cognito app client for the OpenHI fixture-seeder CLI
- * (`@openhi/seed-fixtures`).
- *
- * Why a dedicated client (vs reusing the SPA client):
- * - Tightly scoped: only the seeder consumes tokens issued here, so an
- *   audit trail of seeder activity is cleanly separable.
- * - Decoupled from the SPA client's OAuth flows — no risk of breaking
- *   web-app sign-in by tweaking auth-flow settings here.
- * - Stage-conditional creation upstream (only provisioned in non-prod
- *   environments) means prod stacks never carry a code path that could
- *   issue a fixture-seeder token in the first place.
- *
- * Why USER_PASSWORD_AUTH (vs M2M client-credentials):
- * - Cognito's M2M tier has a per-app-client monthly fee plus per-token
- *   activity charges. For sporadic non-prod fixture runs the per-client
- *   fee dominates the bill, especially if every dev branch spins up
- *   its own auth stack.
- * - USER_PASSWORD_AUTH against a service `fixture-seeder` user keeps
- *   the cost in MAU territory (free under the 50K MAU tier).
- * - Tradeoff: passwords need rotation and the service user must be
- *   provisioned per non-prod environment (manual or scripted post-deploy).
- *
- * No client secret (`generateSecret: false`): USER_PASSWORD_AUTH
- * authenticates with the password directly; a secret would just add
- * another credential to manage without strengthening anything.
- */
-declare class CognitoFixtureSeederClient extends UserPoolClient {
-    /**
-     * SSM parameter name suffix used to publish this client's ID for
-     * cross-stack lookups. Built into a full parameter name via
-     * `buildParameterName` with `serviceType` AUTH (since the auth stack
-     * owns this resource).
-     */
-    static readonly SSM_PARAM_NAME = "COGNITO_FIXTURE_SEEDER_CLIENT";
-    constructor(scope: Construct, props: CognitoFixtureSeederClientProps);
-}
-
 /**
  * @see sites/www-docs/content/packages/@openhi/constructs/components/cognito/cognito-user-pool.md
  */
@@ -1676,6 +1604,79 @@ declare class DiscoverableStringParameter extends StringParameter {
     constructor(scope: Construct, id: string, props: DiscoverableStringParameterProps);
 }
 
+/**
+ * @see sites/www-docs/content/packages/@openhi/constructs/components/static-hosting/static-content.md
+ */
+/*******************************************************************************
+ *
+ *  STATIC CONTENT UPLOADER
+ *
+ *  This construct uploads a directory of content from a local location into S3.
+ *
+ *  To support PR and branch specific builds, each S3 bucket can store content
+ *  for multiple domains and builds, using the following format:
+ *
+ *  S3-bucket/<sub-domain>.<full-domain>/*
+ *
+ *  A bucket used to store content for stage.openhi.org might have the
+ *  following directory structure (all in the same bucket):
+ *
+ *  /www.stage.openhi.org/* -> serves content to www.stage.openhi.org
+ *  /feature-7.stage.openhi.org/* -> serves content to feature-7.stage.openhi.org
+ *  /pr-123.stage.openhi.org/* -> serves content to pr-123.stage.openhi.org
+ *
+ ******************************************************************************/
+/**
+ * Props for the StaticContent construct.
+ */
+interface StaticContentProps {
+    /**
+     * Absolute path to directory containing content for the website.
+     */
+    readonly contentSourceDirectory: string;
+    /**
+     * Directory to place content into. Should start with a slash.
+     * Example: '/widget'
+     *
+     * @default "/"
+     */
+    readonly contentDestinationDirectory?: string;
+    /**
+     * The sub domain prefix (e.g. "feature-7"). Used as the per-branch folder
+     * name in the bucket so each branch deploys to its own prefix.
+     *
+     * @default the current stack's branch name (kebab-cased)
+     */
+    readonly subDomain?: string;
+    /**
+     * The full domain (e.g. "stage.openhi.org"). Used together with
+     * `subDomain` to form the destination prefix
+     * `<sub-domain>.<full-domain>`.
+     */
+    readonly fullDomain: string;
+    /**
+     * Service type used to look up the static-hosting bucket ARN via
+     * DiscoverableStringParameter.
+     *
+     * @default STATIC_HOSTING_SERVICE_TYPE ("website")
+     */
+    readonly serviceType?: string;
+}
+/**
+ * Static content uploader: deploys a local directory to the static-hosting
+ * S3 bucket under `<sub-domain>.<full-domain>/<dest>` so each branch
+ * deploys to its own prefix without clobbering siblings. The bucket ARN is
+ * looked up via DiscoverableStringParameter so the uploader can run on a
+ * feature-branch stack while the bucket itself was provisioned by the
+ * release-branch service stack.
+ */
+declare class StaticContent extends Construct {
+    constructor(scope: Construct, id: string, props: StaticContentProps);
+}
+
+/**
+ * @see sites/www-docs/content/packages/@openhi/constructs/components/static-hosting/static-hosting.md
+ */
 /**
  * Service type for the website service. Used in SSM parameter paths and by
  * OpenHiWebsiteService for fromConstruct() lookups.
@@ -1690,21 +1691,61 @@ interface StaticHostingProps {
      */
     readonly bucketProps?: Omit<BucketProps, "bucketName">;
     /**
-     * Optional CloudFront distribution props. Do not enable invalidation.
-     * Default TTL is 10 seconds via a custom cache policy.
+     * Optional CloudFront distribution props. Defaults wire a custom cache
+     * policy (60s/300s with gzip+brotli), `REDIRECT_TO_HTTPS`, and
+     * `ALLOW_GET_HEAD_OPTIONS` on the default behavior; overrides apply on top.
      */
     readonly distributionProps?: Omit<DistributionProps, "defaultBehavior" | "defaultRootObject">;
+    /**
+     * Optional cache policy overrides. Defaults: `defaultTtl=60s`, `maxTtl=300s`,
+     * `minTtl=0s`, gzip+brotli enabled, no headers/cookies/query strings cached.
+     */
+    readonly cachePolicyProps?: Omit<CachePolicyProps, "cachePolicyName">;
+    /**
+     * Wildcard certificate to attach to the CloudFront distribution. When
+     * supplied together with `hostedZone` and `domainNames`, CloudFront serves
+     * the listed domains and Route53 ARecords are created in the zone.
+     *
+     * @default - no custom certificate; CloudFront default domain is served
+     */
+    readonly certificate?: ICertificate;
+    /**
+     * Hosted zone to create Route53 ARecords in. Required together with
+     * `certificate` and `domainNames` to attach a custom domain.
+     */
+    readonly hostedZone?: IHostedZone;
+    /**
+     * Domain names to attach to the CloudFront distribution. Each name also
+     * gets an ARecord in `hostedZone`.
+     */
+    readonly domainNames?: ReadonlyArray<string>;
+    /**
+     * Selects how path-like URIs are rewritten by the viewer-request
+     * Lambda@Edge handler.
+     *
+     * - `spa` (default): path-like URIs rewrite to `/index.html`.
+     * - `static`: path-like URIs append `/index.html`.
+     *
+     * @default "spa"
+     */
+    readonly hostingMode?: HostingMode;
     /**
      * Service type for SSM parameter paths.
+     *
      * @default STATIC_HOSTING_SERVICE_TYPE ("website")
      */
     readonly serviceType?: string;
+    /**
+     * Optional human-readable description used in distribution comment and
+     * SSM parameter descriptions.
+     */
+    readonly description?: string;
 }
 /**
  * Static hosting: S3 bucket (private) + CloudFront distribution with Origin
- * Access Control (OAC). Stores bucket ARN and distribution ARN in SSM via
- * DiscoverableStringParameter for cross-stack lookup. No cache invalidation;
- * default TTL 10 seconds.
+ * Access Control (OAC) + Lambda@Edge viewer-request handler. Publishes
+ * bucket ARN, distribution ARN, distribution domain, and distribution ID
+ * via DiscoverableStringParameter for cross-stack lookup.
  */
 declare class StaticHosting extends Construct {
     /**
@@ -1715,8 +1756,18 @@ declare class StaticHosting extends Construct {
      * SSM parameter name for the CloudFront distribution ARN.
      */
     static readonly SSM_PARAM_NAME_DISTRIBUTION_ARN = "STATIC_HOSTING_DISTRIBUTION_ARN";
+    /**
+     * SSM parameter name for the CloudFront distribution domain
+     * (e.g. dXXXXX.cloudfront.net).
+     */
+    static readonly SSM_PARAM_NAME_DISTRIBUTION_DOMAIN = "STATIC_HOSTING_DISTRIBUTION_DOMAIN";
+    /**
+     * SSM parameter name for the CloudFront distribution ID.
+     */
+    static readonly SSM_PARAM_NAME_DISTRIBUTION_ID = "STATIC_HOSTING_DISTRIBUTION_ID";
     readonly bucket: IBucket;
     readonly distribution: Distribution;
+    readonly viewerRequestHandler: NodejsFunction;
     constructor(scope: Construct, id: string, props?: StaticHostingProps);
 }
 
@@ -1800,17 +1851,6 @@ declare class OpenHiAuthService extends OpenHiService {
      * Returns an IUserPoolClient by looking up the Auth stack's User Pool Client ID from SSM.
      */
     static userPoolClientFromConstruct(scope: Construct): IUserPoolClient;
-    /**
-     * Returns the dedicated fixture-seeder IUserPoolClient by looking up
-     * its ID from SSM. Only non-prod auth stacks publish this parameter
-     * (per the conditional in {@link createFixtureSeederClient}); calling
-     * this against a prod-deployed stack will fail at lookup time.
-     *
-     * Consumed by `OpenHiRestApiService` (in non-prod) so the authorizer
-     * accepts tokens issued by this client, and by the seed-fixtures CLI
-     * to drive USER_PASSWORD_AUTH against this client's ID.
-     */
-    static fixtureSeederClientFromConstruct(scope: Construct): IUserPoolClient;
     /**
      * Returns an IUserPoolDomain by looking up the Auth stack's User Pool Domain from SSM.
      */
@@ -1830,12 +1870,6 @@ declare class OpenHiAuthService extends OpenHiService {
     readonly userPool: IUserPool;
     readonly userPoolClient: IUserPoolClient;
     readonly userPoolDomain: IUserPoolDomain;
-    /**
-     * Dedicated USER_PASSWORD_AUTH client for the seed-fixtures CLI.
-     * Only created in non-prod environments (see
-     * {@link createFixtureSeederClient}). `undefined` in prod.
-     */
-    readonly fixtureSeederClient?: IUserPoolClient;
     /**
      * Cross-stack reference to the data store table. Cached so repeated
      * lookups share a single CDK construct id ("dynamo-db-data-store") in
@@ -1914,18 +1948,6 @@ declare class OpenHiAuthService extends OpenHiService {
      * Override to customize.
      */
     protected createUserPoolClient(): IUserPoolClient;
-    /**
-     * Creates the dedicated USER_PASSWORD_AUTH app client for the
-     * `@openhi/seed-fixtures` CLI, **only** in non-prod environments.
-     * Returns `undefined` when this stack is being deployed to a prod
-     * stage so the prod auth stack carries no fixture-seeder code path.
-     *
-     * Operator post-deploy: create a `fixture-seeder` Cognito user with
-     * a service password (manually via console or scripted with
-     * `aws cognito-idp admin-create-user`); the CLI consumes those creds
-     * via env vars to drive `InitiateAuth`.
-     */
-    protected createFixtureSeederClient(): IUserPoolClient | undefined;
     /**
      * Creates the User Pool Domain (Cognito hosted UI) and exports domain name to SSM.
      * Look up via {@link OpenHiAuthService.userPoolDomainFromConstruct}.
@@ -2191,12 +2213,69 @@ declare class OpenHiRestApiService extends OpenHiService {
     protected createRootHttpApi(domainName: DomainName): RootHttpApi;
 }
 
+/**
+ * @see sites/www-docs/content/packages/@openhi/constructs/workflows/control-plane/seed-demo-data/data-plane-fixtures.md
+ *
+ * Hand-authored FHIR data-plane fixture bodies the `seed-demo-data`
+ * workflow upserts into the data store on every non-prod deploy.
+ * Mirrors the OPS-009 v1 resource set: Patient, Practitioner,
+ * Observation, Encounter, Account.
+ *
+ * Ids are deterministic — re-fires of the workflow upsert the same
+ * records, satisfying the workflow's idempotency contract (no
+ * duplicates) and letting the IAM grant in `seed-demo-data-lambda.ts`
+ * enumerate exact-match `dynamodb:LeadingKeys` rather than a wildcard.
+ *
+ * The placeholder tenant carries no data-plane fixtures — only the
+ * three real demo tenants (wound-care, primary-care, mixed) get
+ * Patient/Practitioner/Observation/Encounter/Account records. The
+ * placeholder tenant exists solely as a routing target for the
+ * Cognito pre-token-generation fallback and never holds clinical
+ * data.
+ */
+/**
+ * Logical group of FHIR resources owned by a single (tenant, workspace)
+ * pair. The workflow walks `DEMO_DATA_PLANE_FIXTURES` and writes every
+ * entry against the matching workspace's `OpenHiContext`.
+ */
+interface DemoWorkspaceDataPlaneFixtures {
+    readonly tenantId: string;
+    readonly workspaceId: string;
+    /**
+     * Scenario slug used in the demo-URN identifier — mirrors the
+     * `DemoTenantSpec.scenario` value for the parent tenant. For the
+     * mixed tenant both workspaces share the `demo-mixed` scenario.
+     */
+    readonly scenario: string;
+    readonly patients: ReadonlyArray<Patient>;
+    readonly practitioners: ReadonlyArray<Practitioner>;
+    readonly observations: ReadonlyArray<Observation>;
+    readonly encounters: ReadonlyArray<Encounter>;
+    readonly accounts: ReadonlyArray<Account>;
+}
+/**
+ * Per-workspace fixtures the data-plane phase writes on every fire.
+ * The placeholder tenant carries no fixtures. The mixed tenant carries
+ * one fixture group per workspace; the two single-workspace tenants
+ * carry one each. Total: 4 fixture groups × ≈ 9 resources = ~36
+ * data-plane records.
+ *
+ * Ids embed the tenant + workspace slug so they remain unambiguous
+ * across the four workspaces (the FHIR resource id is the only thing
+ * that survives into the partition key, so a duplicate id across
+ * workspaces would still collide on read paths that scan-by-id).
+ */
+declare const DEMO_DATA_PLANE_FIXTURES: ReadonlyArray<DemoWorkspaceDataPlaneFixtures>;
+
 interface SeedDemoDataLambdaProps {
     /**
      * Data-store table the workflow upserts demo-data records into.
-     * Wired via `DYNAMO_TABLE_NAME` env var; granted scoped read on the
-     * Role PKs (pre-flight check) and scoped write on the enumerated
-     * demo Tenant / Workspace / Membership / RoleAssignment / User PKs.
+     * Wired via `DYNAMO_TABLE_NAME` env var; granted `dynamodb:GetItem`
+     * (pre-flight Role lookup) and `dynamodb:PutItem`/`dynamodb:UpdateItem`
+     * (write phase). The grants are scoped to the table ARN only; the
+     * handler itself is the scope guarantee for which records the
+     * workflow touches (see the construct body for the previous
+     * `LeadingKeys`-based grants and the reason they were dropped).
      */
     readonly dataStoreTable: ITable;
     /**
@@ -2465,6 +2544,141 @@ declare class OpenHiGraphqlService extends OpenHiService {
     protected createRootGraphqlApi(): RootGraphqlApi;
 }
 
+/**
+ * @see sites/www-docs/content/packages/@openhi/constructs/services/open-hi-website-service.md
+ */
+interface OpenHiWebsiteServiceProps extends OpenHiServiceProps {
+    /**
+     * Sub-domain prefix attached to the child zone (e.g. "www" -> "www.<zone>").
+     *
+     * @default "www"
+     */
+    readonly domainPrefix?: string;
+    /**
+     * Absolute path to the local directory whose contents should be uploaded
+     * to the static-hosting bucket. Required.
+     */
+    readonly contentSourceDirectory: string;
+    /**
+     * Path under the per-branch destination prefix to upload into. Should start
+     * with a slash.
+     *
+     * @default "/"
+     */
+    readonly contentDestinationDirectory?: string;
+    /**
+     * Force the `StaticHosting` infrastructure (bucket + distribution +
+     * Lambda@Edge + DNS + 4 SSM params) to be created on this branch even when
+     * it is not the release branch. Useful for one-off bootstraps and tests.
+     *
+     * When omitted, hosting infrastructure is created only on
+     * `defaultReleaseBranch`. The `StaticContent` uploader is always
+     * created so feature branches can publish their content under their own
+     * sub-domain folder against the release-branch bucket.
+     *
+     * @default - true on release branch, false otherwise
+     */
+    readonly createHostingInfrastructure?: boolean;
+}
+/**
+ * SSM parameter name suffix for the website's full domain
+ * (e.g. www.example.com).
+ */
+declare const SSM_PARAM_NAME_FULL_DOMAIN = "WEBSITE_FULL_DOMAIN";
+/**
+ * Website service stack: composes StaticHosting (only on release-branch
+ * deploys) and StaticContent (always) so feature branches can ship their
+ * content to a per-branch sub-domain folder against the release-branch
+ * bucket without provisioning duplicate infrastructure.
+ *
+ * Resources are created in protected methods; subclasses may override to
+ * customize.
+ */
+declare class OpenHiWebsiteService extends OpenHiService {
+    static readonly SERVICE_TYPE: "website";
+    /**
+     * Looks up the static-hosting bucket ARN published by the release-branch
+     * deploy of this service.
+     */
+    static bucketArnFromConstruct(scope: Construct): string;
+    /**
+     * Looks up the CloudFront distribution ARN published by the release-branch
+     * deploy of this service.
+     */
+    static distributionArnFromConstruct(scope: Construct): string;
+    /**
+     * Looks up the CloudFront distribution domain
+     * (e.g. dXXXXX.cloudfront.net) published by the release-branch deploy.
+     */
+    static distributionDomainFromConstruct(scope: Construct): string;
+    /**
+     * Looks up the CloudFront distribution ID published by the release-branch
+     * deploy of this service.
+     */
+    static distributionIdFromConstruct(scope: Construct): string;
+    /**
+     * Looks up the website's full domain (e.g. www.example.com) published by
+     * the release-branch deploy of this service.
+     */
+    static fullDomainFromConstruct(scope: Construct): string;
+    get serviceType(): string;
+    /** Override so this.props is typed with this service's options. */
+    props: OpenHiWebsiteServiceProps;
+    /**
+     * Full domain served by this website (e.g. www.example.com). Derived from
+     * `domainPrefix` and the child hosted zone name.
+     */
+    readonly fullDomain: string;
+    /**
+     * The hosting construct, only created on release-branch deploys (or when
+     * `createHostingInfrastructure` is true).
+     */
+    readonly staticHosting?: StaticHosting;
+    /**
+     * The content uploader, always created.
+     */
+    readonly staticContent: StaticContent;
+    constructor(ohEnv: OpenHiEnvironment, props: OpenHiWebsiteServiceProps);
+    /**
+     * Validates that config required for the website stack is present.
+     */
+    protected validateConfig(props: OpenHiWebsiteServiceProps): void;
+    /**
+     * Looks up the child hosted zone published by the Global service.
+     * Override to customize.
+     */
+    protected createHostedZone(): IHostedZone;
+    /**
+     * Returns the wildcard certificate looked up from the Global service.
+     * Override to customize.
+     */
+    protected createCertificate(): ICertificate;
+    /**
+     * Computes the full website domain from `domainPrefix` and the child
+     * zone name.
+     */
+    protected computeFullDomain(hostedZone: IHostedZone): string;
+    /**
+     * Creates the StaticHosting infrastructure (bucket + distribution +
+     * Lambda@Edge + 4 SSM params + DNS).
+     */
+    protected createStaticHosting(deps: {
+        certificate: ICertificate;
+        hostedZone: IHostedZone;
+    }): StaticHosting;
+    /**
+     * Creates the SSM parameter that publishes the website's full domain.
+     * Look up via {@link OpenHiWebsiteService.fullDomainFromConstruct}.
+     */
+    protected createFullDomainParameter(): void;
+    /**
+     * Creates the StaticContent uploader. Always created so feature-branch
+     * deploys can publish content to their own sub-domain folder against the
+     * release-branch bucket.
+     */
+    protected createStaticContent(): StaticContent;
+}
+
 interface OwningDeleteCascadeLambdasProps {
     /** Data-store table the cascade reads (Query) and writes (DeleteItem / TransactWriteItems) against. */
     readonly dataStoreTable: ITable;
@@ -2649,5 +2863,5 @@ declare class RenameCascadeWorkflow extends Construct {
     constructor(scope: Construct, props: RenameCascadeWorkflowProps);
 }
 
-export { BRIDGED_STATUSES, CLOUDFORMATION_EVENT_SOURCE, CLOUDFORMATION_STACK_STATUS_CHANGE_DETAIL_TYPE, CONTROL_EVENT_BUS_NAME_ENV_VAR, ChildHostedZone, CognitoFixtureSeederClient, CognitoUserPool, CognitoUserPoolClient, CognitoUserPoolDomain, CognitoUserPoolKmsKey, ControlEventBus, DATA_STORE_CHANGE_DETAIL_MAX_UTF8_BYTES, DATA_STORE_CHANGE_DETAIL_TYPE, DATA_STORE_CHANGE_EVENT_SOURCE, DEMO_PERIOD, DEMO_TENANT_SPECS, DEMO_URN_SYSTEM, DEV_USERS, DataEventBus, DataStoreHistoricalArchive, DataStorePostgresReplica, DiscoverableStringParameter, DynamoDbDataStore, OPENHI_REPO_TAG_KEY_ENV_VAR, OPENHI_RESOURCE_URN_SYSTEM, OPENHI_TAG_KEY_PREFIX_ENV_VAR, OPENHI_TAG_SUFFIX_BRANCH_NAME, OPENHI_TAG_SUFFIX_REPO_NAME, OPENHI_TAG_SUFFIX_SERVICE_TYPE, OPENHI_TAG_SUFFIX_STAGE_TYPE, OWNING_DELETE_CASCADE_CONSUMER_NAME, OWNING_DELETE_CASCADE_DEFAULT_CONCURRENCY, OWNING_DELETE_CASCADE_STUCK_THRESHOLD_MINUTES, OWNING_DELETE_OPS_EVENT_BUS_ENV_VAR, OpenHiApp, OpenHiAuthService, OpenHiDataService, OpenHiEnvironment, OpenHiGlobalService, OpenHiGraphqlService, OpenHiRestApiService, OpenHiService, OpenHiStage, OpsEventBus, OwningDeleteCascadeLambdas, OwningDeleteCascadeWorkflow, PLACEHOLDER_TENANT_ID, PLACEHOLDER_WORKSPACE_ID, PLATFORM_DEPLOY_BRIDGE_ACTOR_SYSTEM, PLATFORM_SCOPE_TENANT_ID, POSTGRES_REPLICA_CLUSTER_ARN_SSM_NAME, POSTGRES_REPLICA_DATABASE_NAME_SSM_NAME, POSTGRES_REPLICA_SECRET_ARN_SSM_NAME, PROVISION_DEFAULT_WORKSPACE_DETAIL_TYPE, PlatformDeployBridge, PlatformDeployBridgeLambda, PostAuthenticationLambda, PostConfirmationLambda, PreTokenGenerationLambda, ProvisionDefaultWorkspaceLambda, RENAME_CASCADE_CONSUMER_NAME, RENAME_CASCADE_DEFAULT_CONCURRENCY, RENAME_CASCADE_FAILED_THRESHOLD, RENAME_CASCADE_OPS_EVENT_BUS_ENV_VAR, RENAME_CASCADE_SLOW_THRESHOLD_SECONDS, REST_API_BASE_URL_SSM_NAME, RenameCascadeLambdas, RenameCascadeWorkflow, RootGraphqlApi, RootHostedZone, RootHttpApi, RootWildcardCertificate, SEED_DEMO_DATA_CONSUMER_NAME, SEED_SYSTEM_DATA_ACTOR_SYSTEM, SEED_SYSTEM_DATA_CONSUMER_NAME, SEED_SYSTEM_DATA_CONTROL_BUS_ENV_VAR, STATIC_HOSTING_SERVICE_TYPE, SeedDemoDataLambda, SeedDemoDataWorkflow, SeedSystemDataLambda, SeedSystemDataWorkflow, StaticHosting, USER_ONBOARDING_EVENT_SOURCE, UserOnboardingWorkflow, WorkflowDedupConsumerNameInvalidError, WorkflowDedupTable, WorkflowDedupTableDuplicateError, buildFhirCurrentResourceChangeDetail, buildProvisionDefaultWorkspaceRequestedDetail, demoBasePartitionKeys, demoDevUserPartitionKeys, demoMembershipId, demoMembershipPartitionKey, demoRoleAssignmentId, demoRoleAssignmentPartitionKey, demoRolesForUserInTenant, demoScenarioIdentifier, demoTenantPartitionKey, demoUserPartitionKey, demoWorkspacePartitionKey, getDynamoDbDataStoreTableName, getPostgresReplicaSchemaName, getWorkflowDedupTableName, openHiTagKey, openhiResourceIdentifier, rolePartitionKey };
-export type { BridgedStatus, BuildParameterNameProps, CascadeChunkInput, CascadeFinalizeInput, CascadeFinalizeOutput, CascadeListInput, CascadeListOutput, ChildHostedZoneProps, CloudFormationStackStatusChangeDetail, CognitoFixtureSeederClientProps, DataStoreHistoricalArchiveProps, DataStorePostgresReplicaProps, DemoDevUser, DemoTenantSpec, DemoWorkspaceSpec, DiscoverableStringParameterProps, DynamoDbDataStoreProps, FhirCurrentResourceChangeDetail, GrantConsumerOptions, OpenHiAppProps, OpenHiAuthServiceProps, OpenHiDataServiceProps, OpenHiEnvironmentProps, OpenHiGlobalServiceProps, OpenHiGraphqlServiceProps, OpenHiRestApiServiceProps, OpenHiServiceProps, OpenHiServiceType, OpenHiStageProps, OwningDeleteCascadeLambdasProps, OwningDeleteCascadeWorkflowProps, PlatformDeployBridgeLambdaProps, PlatformDeployBridgeProps, PostConfirmationLambdaProps, PreTokenGenerationLambdaProps, ProvisionDefaultWorkspaceLambdaProps, ProvisionDefaultWorkspaceRequestedDetail, RenameCascadeChunkInput, RenameCascadeFinalizeInput, RenameCascadeFinalizeOutput, RenameCascadeLambdasProps, RenameCascadeListInput, RenameCascadeListOutput, RenameCascadeWorkflowProps, RootGraphqlApiProps, RootHttpApiProps, SeedDemoDataLambdaProps, SeedDemoDataWorkflowProps, SeedSystemDataLambdaProps, SeedSystemDataWorkflowProps, StaticHostingProps, UserOnboardingWorkflowProps, WorkflowDedupTableProps };
+export { BRIDGED_STATUSES, CLOUDFORMATION_EVENT_SOURCE, CLOUDFORMATION_STACK_STATUS_CHANGE_DETAIL_TYPE, CONTROL_EVENT_BUS_NAME_ENV_VAR, ChildHostedZone, CognitoUserPool, CognitoUserPoolClient, CognitoUserPoolDomain, CognitoUserPoolKmsKey, ControlEventBus, DATA_STORE_CHANGE_DETAIL_MAX_UTF8_BYTES, DATA_STORE_CHANGE_DETAIL_TYPE, DATA_STORE_CHANGE_EVENT_SOURCE, DEMO_DATA_PLANE_FIXTURES, DEMO_PERIOD, DEMO_TENANT_SPECS, DEMO_URN_SYSTEM, DEV_USERS, DataEventBus, DataStoreHistoricalArchive, DataStorePostgresReplica, DiscoverableStringParameter, DynamoDbDataStore, OPENHI_REPO_TAG_KEY_ENV_VAR, OPENHI_RESOURCE_URN_SYSTEM, OPENHI_TAG_KEY_PREFIX_ENV_VAR, OPENHI_TAG_SUFFIX_BRANCH_NAME, OPENHI_TAG_SUFFIX_REPO_NAME, OPENHI_TAG_SUFFIX_SERVICE_TYPE, OPENHI_TAG_SUFFIX_STAGE_TYPE, OWNING_DELETE_CASCADE_CONSUMER_NAME, OWNING_DELETE_CASCADE_DEFAULT_CONCURRENCY, OWNING_DELETE_CASCADE_STUCK_THRESHOLD_MINUTES, OWNING_DELETE_OPS_EVENT_BUS_ENV_VAR, OpenHiApp, OpenHiAuthService, OpenHiDataService, OpenHiEnvironment, OpenHiGlobalService, OpenHiGraphqlService, OpenHiRestApiService, OpenHiService, OpenHiStage, OpenHiWebsiteService, OpsEventBus, OwningDeleteCascadeLambdas, OwningDeleteCascadeWorkflow, PLACEHOLDER_TENANT_ID, PLACEHOLDER_WORKSPACE_ID, PLATFORM_DEPLOY_BRIDGE_ACTOR_SYSTEM, PLATFORM_SCOPE_TENANT_ID, POSTGRES_REPLICA_CLUSTER_ARN_SSM_NAME, POSTGRES_REPLICA_DATABASE_NAME_SSM_NAME, POSTGRES_REPLICA_SECRET_ARN_SSM_NAME, PROVISION_DEFAULT_WORKSPACE_DETAIL_TYPE, PlatformDeployBridge, PlatformDeployBridgeLambda, PostAuthenticationLambda, PostConfirmationLambda, PreTokenGenerationLambda, ProvisionDefaultWorkspaceLambda, RENAME_CASCADE_CONSUMER_NAME, RENAME_CASCADE_DEFAULT_CONCURRENCY, RENAME_CASCADE_FAILED_THRESHOLD, RENAME_CASCADE_OPS_EVENT_BUS_ENV_VAR, RENAME_CASCADE_SLOW_THRESHOLD_SECONDS, REST_API_BASE_URL_SSM_NAME, RenameCascadeLambdas, RenameCascadeWorkflow, RootGraphqlApi, RootHostedZone, RootHttpApi, RootWildcardCertificate, SEED_DEMO_DATA_CONSUMER_NAME, SEED_SYSTEM_DATA_ACTOR_SYSTEM, SEED_SYSTEM_DATA_CONSUMER_NAME, SEED_SYSTEM_DATA_CONTROL_BUS_ENV_VAR, SSM_PARAM_NAME_FULL_DOMAIN, STATIC_HOSTING_SERVICE_TYPE, SeedDemoDataLambda, SeedDemoDataWorkflow, SeedSystemDataLambda, SeedSystemDataWorkflow, StaticContent, StaticHosting, USER_ONBOARDING_EVENT_SOURCE, UserOnboardingWorkflow, WorkflowDedupConsumerNameInvalidError, WorkflowDedupTable, WorkflowDedupTableDuplicateError, buildFhirCurrentResourceChangeDetail, buildProvisionDefaultWorkspaceRequestedDetail, demoMembershipId, demoRoleAssignmentId, demoRolesForUserInTenant, demoScenarioIdentifier, getDynamoDbDataStoreTableName, getPostgresReplicaSchemaName, getWorkflowDedupTableName, openHiTagKey, openhiResourceIdentifier };
+export type { BridgedStatus, BuildParameterNameProps, CascadeChunkInput, CascadeFinalizeInput, CascadeFinalizeOutput, CascadeListInput, CascadeListOutput, ChildHostedZoneProps, CloudFormationStackStatusChangeDetail, DataStoreHistoricalArchiveProps, DataStorePostgresReplicaProps, DemoDevUser, DemoTenantSpec, DemoWorkspaceDataPlaneFixtures, DemoWorkspaceSpec, DiscoverableStringParameterProps, DynamoDbDataStoreProps, FhirCurrentResourceChangeDetail, GrantConsumerOptions, HostingMode, OpenHiAppProps, OpenHiAuthServiceProps, OpenHiDataServiceProps, OpenHiEnvironmentProps, OpenHiGlobalServiceProps, OpenHiGraphqlServiceProps, OpenHiRestApiServiceProps, OpenHiServiceProps, OpenHiServiceType, OpenHiStageProps, OpenHiWebsiteServiceProps, OwningDeleteCascadeLambdasProps, OwningDeleteCascadeWorkflowProps, PlatformDeployBridgeLambdaProps, PlatformDeployBridgeProps, PostConfirmationLambdaProps, PreTokenGenerationLambdaProps, ProvisionDefaultWorkspaceLambdaProps, ProvisionDefaultWorkspaceRequestedDetail, RenameCascadeChunkInput, RenameCascadeFinalizeInput, RenameCascadeFinalizeOutput, RenameCascadeLambdasProps, RenameCascadeListInput, RenameCascadeListOutput, RenameCascadeWorkflowProps, RootGraphqlApiProps, RootHttpApiProps, SeedDemoDataLambdaProps, SeedDemoDataWorkflowProps, SeedSystemDataLambdaProps, SeedSystemDataWorkflowProps, StaticContentProps, StaticHostingProps, UserOnboardingWorkflowProps, WorkflowDedupTableProps };