@openhi/constructs 0.0.116 → 0.0.118

package/lib/firehose-archive-transform.handler.mjs

@@ -2,7 +2,7 @@ import {
   handler,
   parseCurrentResourceKeys,
   shouldDropAsGlobalTableReplicationRecord
-} from "./chunk-X5MHU7DA.mjs";
+} from "./chunk-I7IIPV5X.mjs";
 import "./chunk-CEOAGPYY.mjs";
 import "./chunk-LZOMFHX3.mjs";
 export {

package/lib/index.d.mts

@@ -1,5 +1,5 @@
 import { OPEN_HI_STAGE, OPEN_HI_DEPLOYMENT_TARGET_ROLE, OpenHiEnvironmentConfig, OpenHiConfig } from '@openhi/config';
-import { Stage, StageProps, App, AppProps, Stack, StackProps, RemovalPolicy } from 'aws-cdk-lib';
+import { Stage, StageProps, App, AppProps, Stack, StackProps, RemovalPolicy, Duration } from 'aws-cdk-lib';
 import { IConstruct, Construct } from 'constructs';
 import { Certificate, CertificateProps, ICertificate } from 'aws-cdk-lib/aws-certificatemanager';
 import { HttpApiProps, HttpApi, IHttpApi, DomainName } from 'aws-cdk-lib/aws-apigatewayv2';
@@ -9,7 +9,7 @@ import { Key, KeyProps, IKey } from 'aws-cdk-lib/aws-kms';
 import { NodejsFunction } from 'aws-cdk-lib/aws-lambda-nodejs';
 import { D as DynamoDbStreamKinesisRecord } from './dynamodb-stream-record-CJtV6a1t.mjs';
 import * as events from 'aws-cdk-lib/aws-events';
-import { EventBus, EventBusProps, Rule, IEventBus } from 'aws-cdk-lib/aws-events';
+import { EventBus, Archive, EventBusProps, Rule, IEventBus } from 'aws-cdk-lib/aws-events';
 import * as kinesis from 'aws-cdk-lib/aws-kinesis';
 import * as kinesisfirehose from 'aws-cdk-lib/aws-kinesisfirehose';
 import * as s3 from 'aws-cdk-lib/aws-s3';
@@ -343,6 +343,15 @@ declare abstract class OpenHiService extends Stack {
      * Short hash unique to the environment and branch combination.
      */
     readonly branchHash: string;
+    /**
+     * Branch hash computed against {@link defaultReleaseBranch} rather than
+     * {@link branchName}. On the release branch this equals {@link branchHash};
+     * on every other branch it identifies the namespace the release-branch
+     * deploy of this service writes to. Use when looking up SSM parameters
+     * that only the release-branch stack publishes (e.g. shared static-hosting
+     * bucket ARN).
+     */
+    readonly releaseBranchHash: string;
     /**
      * Short hash unique to the specific stack/service.
      */
@@ -722,9 +731,14 @@ declare class WorkflowDedupConsumerNameInvalidError extends Error {
     constructor(message: string);
 }
 
-/**
- * @see sites/www-docs/content/packages/@openhi/constructs/components/event-bridge/data-event-bus.md
- */
+interface DataEventBusOptions {
+    /**
+     * Retention for the bus's event archive. Defaults to 7 days. Pass
+     * `Duration.days(0)` (or omit and override the archive in a subclass)
+     * to disable archiving entirely.
+     */
+    readonly archiveRetention?: Duration;
+}
 declare class DataEventBus extends EventBus {
     /*****************************************************************************
      *
@@ -734,7 +748,16 @@ declare class DataEventBus extends EventBus {
      *
      ****************************************************************************/
     static getEventBusName(scope: Construct): string;
-    constructor(scope: Construct, props?: EventBusProps);
+    /**
+     * Replay archive of every event written to this bus, retained for the
+     * configured TTL (default 7 days). Enables EventBridge `StartReplay`
+     * for incident response and ad-hoc backfill.
+     *
+     * Named `replayArchive` rather than `archive` to avoid shadowing the
+     * inherited `EventBus.archive(id, options)` instance method.
+     */
+    readonly replayArchive: Archive;
+    constructor(scope: Construct, props?: (EventBusProps & DataEventBusOptions) | undefined);
 }
 
 /**
@@ -993,6 +1016,12 @@ declare class DiscoverableStringParameter extends StringParameter {
  * Props for the StaticContent construct.
  */
 interface StaticContentProps {
+    /**
+     * Destination bucket the content is uploaded to. Callers resolve this
+     * reference themselves so the construct doesn't need to know whether the
+     * bucket was created in the same stack or imported across branches.
+     */
+    readonly bucket: IBucket;
     /**
      * Absolute path to directory containing content for the website.
      */
@@ -1017,21 +1046,14 @@ interface StaticContentProps {
      * `<sub-domain>.<full-domain>`.
      */
     readonly fullDomain: string;
-    /**
-     * Service type used to look up the static-hosting bucket ARN via
-     * DiscoverableStringParameter.
-     *
-     * @default STATIC_HOSTING_SERVICE_TYPE ("website")
-     */
-    readonly serviceType?: string;
 }
 /**
- * Static content uploader: deploys a local directory to the static-hosting
+ * Static content uploader: deploys a local directory to a static-hosting
  * S3 bucket under `<sub-domain>.<full-domain>/<dest>` so each branch
- * deploys to its own prefix without clobbering siblings. The bucket ARN is
- * looked up via DiscoverableStringParameter so the uploader can run on a
- * feature-branch stack while the bucket itself was provisioned by the
- * release-branch service stack.
+ * deploys to its own prefix without clobbering siblings. The destination
+ * bucket is supplied by the caller, which lets the same construct run in
+ * both same-stack (release-branch) and cross-stack/cross-branch
+ * (feature-branch) contexts.
  */
 declare class StaticContent extends Construct {
     constructor(scope: Construct, id: string, props: StaticContentProps);
@@ -1942,6 +1964,17 @@ interface OpenHiWebsiteServiceProps extends OpenHiServiceProps {
      * @default - true on release branch, false otherwise
      */
     readonly createHostingInfrastructure?: boolean;
+    /**
+     * Whether to create the `StaticContent` uploader. Set to `false` to skip
+     * it entirely on every branch — used as a one-shot bootstrap toggle while
+     * the release-branch deploy of this service first creates the static-hosting
+     * bucket and writes `STATIC_HOSTING_BUCKET_ARN` to SSM. Once that
+     * parameter exists, flip back to `true` so feature-branch deploys can read
+     * it and upload content under their per-branch sub-domain folder.
+     *
+     * @default true
+     */
+    readonly createStaticContent?: boolean;
 }
 /**
  * SSM parameter name suffix for the website's full domain
@@ -1998,16 +2031,23 @@ declare class OpenHiWebsiteService extends OpenHiService {
      */
     readonly staticHosting?: StaticHosting;
     /**
-     * The content uploader, always created.
+     * The content uploader. Created on every deploy unless
+     * {@link OpenHiWebsiteServiceProps.createStaticContent} is `false`, in
+     * which case the property is `undefined` and the stack ships no
+     * `BucketDeployment`. Used during release-branch bootstrap, before the
+     * shared static-hosting bucket has been written to SSM for the first time.
      */
-    readonly staticContent: StaticContent;
+    readonly staticContent?: StaticContent;
     constructor(ohEnv: OpenHiEnvironment, props: OpenHiWebsiteServiceProps);
     /**
      * Validates that config required for the website stack is present.
      */
     protected validateConfig(props: OpenHiWebsiteServiceProps): void;
     /**
-     * Looks up the child hosted zone published by the Global service.
+     * Imports the website's hosted zone from config attributes (no SSM lookup).
+     * The website attaches DNS records here on the release-branch deploy and
+     * the same zone is imported on feature-branch deploys for any sub-domain
+     * routing.
      * Override to customize.
      */
     protected createHostedZone(): IHostedZone;
@@ -2038,8 +2078,23 @@ declare class OpenHiWebsiteService extends OpenHiService {
      * Creates the StaticContent uploader. Always created so feature-branch
      * deploys can publish content to their own sub-domain folder against the
      * release-branch bucket.
+     *
+     * The destination bucket is resolved here so the construct never has to
+     * branch on release-vs-feature: on the release branch we pass the
+     * just-created {@link staticHosting} bucket directly (no SSM round-trip
+     * within a single stack); on every other branch we look up the bucket
+     * ARN published by the release-branch deploy, addressed against
+     * {@link OpenHiService.releaseBranchHash}.
      */
     protected createStaticContent(): StaticContent;
+    /**
+     * Returns an {@link IBucket} pointing at the static-hosting bucket the
+     * uploader writes to. On the release-branch deploy this is the bucket
+     * just provisioned by {@link staticHosting}; on every other deploy it's
+     * imported from the bucket ARN the release-branch deploy publishes to
+     * SSM, addressed against {@link OpenHiService.releaseBranchHash}.
+     */
+    protected resolveStaticHostingBucket(): IBucket;
 }
 
 interface OwningDeleteCascadeLambdasProps {
@@ -2226,4 +2281,4 @@ declare class RenameCascadeWorkflow extends Construct {
     constructor(scope: Construct, props: RenameCascadeWorkflowProps);
 }
 
-export { type BuildParameterNameProps, ChildHostedZone, type ChildHostedZoneProps, CognitoUserPool, CognitoUserPoolClient, CognitoUserPoolDomain, CognitoUserPoolKmsKey, ControlEventBus, DATA_STORE_CHANGE_DETAIL_MAX_UTF8_BYTES, DATA_STORE_CHANGE_DETAIL_TYPE, DATA_STORE_CHANGE_EVENT_SOURCE, DEMO_DATA_PLANE_FIXTURES, DataEventBus, DataStoreHistoricalArchive, type DataStoreHistoricalArchiveProps, DataStorePostgresReplica, type DataStorePostgresReplicaProps, type DemoWorkspaceDataPlaneFixtures, DiscoverableStringParameter, type DiscoverableStringParameterProps, DynamoDbDataStore, type DynamoDbDataStoreProps, type FhirCurrentResourceChangeDetail, type GrantConsumerOptions, HostingMode, OPENHI_TAG_SUFFIX_BRANCH_NAME, OPENHI_TAG_SUFFIX_REPO_NAME, OPENHI_TAG_SUFFIX_SERVICE_TYPE, OPENHI_TAG_SUFFIX_STAGE_TYPE, OpenHiApp, type OpenHiAppProps, OpenHiAuthService, type OpenHiAuthServiceProps, OpenHiDataService, type OpenHiDataServiceProps, OpenHiEnvironment, type OpenHiEnvironmentProps, OpenHiGlobalService, type OpenHiGlobalServiceProps, OpenHiGraphqlService, type OpenHiGraphqlServiceProps, OpenHiRestApiService, type OpenHiRestApiServiceProps, OpenHiService, type OpenHiServiceProps, type OpenHiServiceType, OpenHiStage, type OpenHiStageProps, OpenHiWebsiteService, type OpenHiWebsiteServiceProps, OpsEventBus, OwningDeleteCascadeLambdas, type OwningDeleteCascadeLambdasProps, OwningDeleteCascadeWorkflow, type OwningDeleteCascadeWorkflowProps, POSTGRES_REPLICA_CLUSTER_ARN_SSM_NAME, POSTGRES_REPLICA_DATABASE_NAME_SSM_NAME, POSTGRES_REPLICA_SECRET_ARN_SSM_NAME, PlatformDeployBridge, PlatformDeployBridgeLambda, type PlatformDeployBridgeLambdaProps, type PlatformDeployBridgeProps, PostAuthenticationLambda, PostConfirmationLambda, type PostConfirmationLambdaProps, PreTokenGenerationLambda, type PreTokenGenerationLambdaProps, ProvisionDefaultWorkspaceLambda, type ProvisionDefaultWorkspaceLambdaProps, REST_API_BASE_URL_SSM_NAME, RenameCascadeLambdas, type RenameCascadeLambdasProps, RenameCascadeWorkflow, type RenameCascadeWorkflowProps, RootGraphqlApi, type RootGraphqlApiProps, RootHostedZone, RootHttpApi, type RootHttpApiProps, RootWildcardCertificate, SEED_SYSTEM_DATA_ACTOR_SYSTEM, SEED_SYSTEM_DATA_CONSUMER_NAME, SEED_SYSTEM_DATA_CONTROL_BUS_ENV_VAR, SSM_PARAM_NAME_FULL_DOMAIN, STATIC_HOSTING_SERVICE_TYPE, SeedDemoDataLambda, type SeedDemoDataLambdaProps, SeedDemoDataWorkflow, type SeedDemoDataWorkflowProps, SeedSystemDataLambda, type SeedSystemDataLambdaProps, SeedSystemDataWorkflow, type SeedSystemDataWorkflowProps, StaticContent, type StaticContentProps, StaticHosting, type StaticHostingProps, UserOnboardingWorkflow, type UserOnboardingWorkflowProps, WorkflowDedupConsumerNameInvalidError, WorkflowDedupTable, WorkflowDedupTableDuplicateError, type WorkflowDedupTableProps, buildFhirCurrentResourceChangeDetail, getDynamoDbDataStoreTableName, getPostgresReplicaSchemaName, getWorkflowDedupTableName, openHiTagKey };
+export { type BuildParameterNameProps, ChildHostedZone, type ChildHostedZoneProps, CognitoUserPool, CognitoUserPoolClient, CognitoUserPoolDomain, CognitoUserPoolKmsKey, ControlEventBus, DATA_STORE_CHANGE_DETAIL_MAX_UTF8_BYTES, DATA_STORE_CHANGE_DETAIL_TYPE, DATA_STORE_CHANGE_EVENT_SOURCE, DEMO_DATA_PLANE_FIXTURES, DataEventBus, type DataEventBusOptions, DataStoreHistoricalArchive, type DataStoreHistoricalArchiveProps, DataStorePostgresReplica, type DataStorePostgresReplicaProps, type DemoWorkspaceDataPlaneFixtures, DiscoverableStringParameter, type DiscoverableStringParameterProps, DynamoDbDataStore, type DynamoDbDataStoreProps, type FhirCurrentResourceChangeDetail, type GrantConsumerOptions, HostingMode, OPENHI_TAG_SUFFIX_BRANCH_NAME, OPENHI_TAG_SUFFIX_REPO_NAME, OPENHI_TAG_SUFFIX_SERVICE_TYPE, OPENHI_TAG_SUFFIX_STAGE_TYPE, OpenHiApp, type OpenHiAppProps, OpenHiAuthService, type OpenHiAuthServiceProps, OpenHiDataService, type OpenHiDataServiceProps, OpenHiEnvironment, type OpenHiEnvironmentProps, OpenHiGlobalService, type OpenHiGlobalServiceProps, OpenHiGraphqlService, type OpenHiGraphqlServiceProps, OpenHiRestApiService, type OpenHiRestApiServiceProps, OpenHiService, type OpenHiServiceProps, type OpenHiServiceType, OpenHiStage, type OpenHiStageProps, OpenHiWebsiteService, type OpenHiWebsiteServiceProps, OpsEventBus, OwningDeleteCascadeLambdas, type OwningDeleteCascadeLambdasProps, OwningDeleteCascadeWorkflow, type OwningDeleteCascadeWorkflowProps, POSTGRES_REPLICA_CLUSTER_ARN_SSM_NAME, POSTGRES_REPLICA_DATABASE_NAME_SSM_NAME, POSTGRES_REPLICA_SECRET_ARN_SSM_NAME, PlatformDeployBridge, PlatformDeployBridgeLambda, type PlatformDeployBridgeLambdaProps, type PlatformDeployBridgeProps, PostAuthenticationLambda, PostConfirmationLambda, type PostConfirmationLambdaProps, PreTokenGenerationLambda, type PreTokenGenerationLambdaProps, ProvisionDefaultWorkspaceLambda, type ProvisionDefaultWorkspaceLambdaProps, REST_API_BASE_URL_SSM_NAME, RenameCascadeLambdas, type RenameCascadeLambdasProps, RenameCascadeWorkflow, type RenameCascadeWorkflowProps, RootGraphqlApi, type RootGraphqlApiProps, RootHostedZone, RootHttpApi, type RootHttpApiProps, RootWildcardCertificate, SEED_SYSTEM_DATA_ACTOR_SYSTEM, SEED_SYSTEM_DATA_CONSUMER_NAME, SEED_SYSTEM_DATA_CONTROL_BUS_ENV_VAR, SSM_PARAM_NAME_FULL_DOMAIN, STATIC_HOSTING_SERVICE_TYPE, SeedDemoDataLambda, type SeedDemoDataLambdaProps, SeedDemoDataWorkflow, type SeedDemoDataWorkflowProps, SeedSystemDataLambda, type SeedSystemDataLambdaProps, SeedSystemDataWorkflow, type SeedSystemDataWorkflowProps, StaticContent, type StaticContentProps, StaticHosting, type StaticHostingProps, UserOnboardingWorkflow, type UserOnboardingWorkflowProps, WorkflowDedupConsumerNameInvalidError, WorkflowDedupTable, WorkflowDedupTableDuplicateError, type WorkflowDedupTableProps, buildFhirCurrentResourceChangeDetail, getDynamoDbDataStoreTableName, getPostgresReplicaSchemaName, getWorkflowDedupTableName, openHiTagKey };

package/lib/index.d.ts

@@ -1,4 +1,4 @@
-import { RemovalPolicy, App, AppProps, Stage, StageProps, Stack, StackProps } from 'aws-cdk-lib';
+import { Duration, RemovalPolicy, App, AppProps, Stage, StageProps, Stack, StackProps } from 'aws-cdk-lib';
 import { Construct, IConstruct } from 'constructs';
 import { ICertificate, Certificate, CertificateProps } from 'aws-cdk-lib/aws-certificatemanager';
 import { IHttpApi, HttpApiProps, HttpApi, DomainName } from 'aws-cdk-lib/aws-apigatewayv2';
@@ -8,7 +8,7 @@ import { Key, KeyProps, IKey } from 'aws-cdk-lib/aws-kms';
 import { NodejsFunction } from 'aws-cdk-lib/aws-lambda-nodejs';
 import { AttributeValue } from '@aws-sdk/client-dynamodb';
 import * as events from 'aws-cdk-lib/aws-events';
-import { EventBus, EventBusProps, Rule, IEventBus } from 'aws-cdk-lib/aws-events';
+import { EventBus, EventBusProps, Archive, Rule, IEventBus } from 'aws-cdk-lib/aws-events';
 import * as kinesis from 'aws-cdk-lib/aws-kinesis';
 import * as kinesisfirehose from 'aws-cdk-lib/aws-kinesisfirehose';
 import * as s3 from 'aws-cdk-lib/aws-s3';
@@ -980,6 +980,15 @@ declare abstract class OpenHiService extends Stack {
      * Short hash unique to the environment and branch combination.
      */
     readonly branchHash: string;
+    /**
+     * Branch hash computed against {@link defaultReleaseBranch} rather than
+     * {@link branchName}. On the release branch this equals {@link branchHash};
+     * on every other branch it identifies the namespace the release-branch
+     * deploy of this service writes to. Use when looking up SSM parameters
+     * that only the release-branch stack publishes (e.g. shared static-hosting
+     * bucket ARN).
+     */
+    readonly releaseBranchHash: string;
     /**
      * Short hash unique to the specific stack/service.
      */
@@ -1359,9 +1368,14 @@ declare class WorkflowDedupConsumerNameInvalidError extends Error {
     constructor(message: string);
 }
 
-/**
- * @see sites/www-docs/content/packages/@openhi/constructs/components/event-bridge/data-event-bus.md
- */
+interface DataEventBusOptions {
+    /**
+     * Retention for the bus's event archive. Defaults to 7 days. Pass
+     * `Duration.days(0)` (or omit and override the archive in a subclass)
+     * to disable archiving entirely.
+     */
+    readonly archiveRetention?: Duration;
+}
 declare class DataEventBus extends EventBus {
     /*****************************************************************************
      *
@@ -1371,7 +1385,16 @@ declare class DataEventBus extends EventBus {
      *
      ****************************************************************************/
     static getEventBusName(scope: Construct): string;
-    constructor(scope: Construct, props?: EventBusProps);
+    /**
+     * Replay archive of every event written to this bus, retained for the
+     * configured TTL (default 7 days). Enables EventBridge `StartReplay`
+     * for incident response and ad-hoc backfill.
+     *
+     * Named `replayArchive` rather than `archive` to avoid shadowing the
+     * inherited `EventBus.archive(id, options)` instance method.
+     */
+    readonly replayArchive: Archive;
+    constructor(scope: Construct, props?: (EventBusProps & DataEventBusOptions) | undefined);
 }
 
 /**
@@ -1630,6 +1653,12 @@ declare class DiscoverableStringParameter extends StringParameter {
  * Props for the StaticContent construct.
  */
 interface StaticContentProps {
+    /**
+     * Destination bucket the content is uploaded to. Callers resolve this
+     * reference themselves so the construct doesn't need to know whether the
+     * bucket was created in the same stack or imported across branches.
+     */
+    readonly bucket: IBucket;
     /**
      * Absolute path to directory containing content for the website.
      */
@@ -1654,21 +1683,14 @@ interface StaticContentProps {
      * `<sub-domain>.<full-domain>`.
      */
     readonly fullDomain: string;
-    /**
-     * Service type used to look up the static-hosting bucket ARN via
-     * DiscoverableStringParameter.
-     *
-     * @default STATIC_HOSTING_SERVICE_TYPE ("website")
-     */
-    readonly serviceType?: string;
 }
 /**
- * Static content uploader: deploys a local directory to the static-hosting
+ * Static content uploader: deploys a local directory to a static-hosting
  * S3 bucket under `<sub-domain>.<full-domain>/<dest>` so each branch
- * deploys to its own prefix without clobbering siblings. The bucket ARN is
- * looked up via DiscoverableStringParameter so the uploader can run on a
- * feature-branch stack while the bucket itself was provisioned by the
- * release-branch service stack.
+ * deploys to its own prefix without clobbering siblings. The destination
+ * bucket is supplied by the caller, which lets the same construct run in
+ * both same-stack (release-branch) and cross-stack/cross-branch
+ * (feature-branch) contexts.
  */
 declare class StaticContent extends Construct {
     constructor(scope: Construct, id: string, props: StaticContentProps);
@@ -2579,6 +2601,17 @@ interface OpenHiWebsiteServiceProps extends OpenHiServiceProps {
      * @default - true on release branch, false otherwise
      */
     readonly createHostingInfrastructure?: boolean;
+    /**
+     * Whether to create the `StaticContent` uploader. Set to `false` to skip
+     * it entirely on every branch — used as a one-shot bootstrap toggle while
+     * the release-branch deploy of this service first creates the static-hosting
+     * bucket and writes `STATIC_HOSTING_BUCKET_ARN` to SSM. Once that
+     * parameter exists, flip back to `true` so feature-branch deploys can read
+     * it and upload content under their per-branch sub-domain folder.
+     *
+     * @default true
+     */
+    readonly createStaticContent?: boolean;
 }
 /**
  * SSM parameter name suffix for the website's full domain
@@ -2635,16 +2668,23 @@ declare class OpenHiWebsiteService extends OpenHiService {
      */
     readonly staticHosting?: StaticHosting;
     /**
-     * The content uploader, always created.
+     * The content uploader. Created on every deploy unless
+     * {@link OpenHiWebsiteServiceProps.createStaticContent} is `false`, in
+     * which case the property is `undefined` and the stack ships no
+     * `BucketDeployment`. Used during release-branch bootstrap, before the
+     * shared static-hosting bucket has been written to SSM for the first time.
      */
-    readonly staticContent: StaticContent;
+    readonly staticContent?: StaticContent;
     constructor(ohEnv: OpenHiEnvironment, props: OpenHiWebsiteServiceProps);
     /**
      * Validates that config required for the website stack is present.
      */
     protected validateConfig(props: OpenHiWebsiteServiceProps): void;
     /**
-     * Looks up the child hosted zone published by the Global service.
+     * Imports the website's hosted zone from config attributes (no SSM lookup).
+     * The website attaches DNS records here on the release-branch deploy and
+     * the same zone is imported on feature-branch deploys for any sub-domain
+     * routing.
      * Override to customize.
      */
     protected createHostedZone(): IHostedZone;
@@ -2675,8 +2715,23 @@ declare class OpenHiWebsiteService extends OpenHiService {
      * Creates the StaticContent uploader. Always created so feature-branch
      * deploys can publish content to their own sub-domain folder against the
      * release-branch bucket.
+     *
+     * The destination bucket is resolved here so the construct never has to
+     * branch on release-vs-feature: on the release branch we pass the
+     * just-created {@link staticHosting} bucket directly (no SSM round-trip
+     * within a single stack); on every other branch we look up the bucket
+     * ARN published by the release-branch deploy, addressed against
+     * {@link OpenHiService.releaseBranchHash}.
      */
     protected createStaticContent(): StaticContent;
+    /**
+     * Returns an {@link IBucket} pointing at the static-hosting bucket the
+     * uploader writes to. On the release-branch deploy this is the bucket
+     * just provisioned by {@link staticHosting}; on every other deploy it's
+     * imported from the bucket ARN the release-branch deploy publishes to
+     * SSM, addressed against {@link OpenHiService.releaseBranchHash}.
+     */
+    protected resolveStaticHostingBucket(): IBucket;
 }
 
 interface OwningDeleteCascadeLambdasProps {
@@ -2864,4 +2919,4 @@ declare class RenameCascadeWorkflow extends Construct {
 }
 
 export { BRIDGED_STATUSES, CLOUDFORMATION_EVENT_SOURCE, CLOUDFORMATION_STACK_STATUS_CHANGE_DETAIL_TYPE, CONTROL_EVENT_BUS_NAME_ENV_VAR, ChildHostedZone, CognitoUserPool, CognitoUserPoolClient, CognitoUserPoolDomain, CognitoUserPoolKmsKey, ControlEventBus, DATA_STORE_CHANGE_DETAIL_MAX_UTF8_BYTES, DATA_STORE_CHANGE_DETAIL_TYPE, DATA_STORE_CHANGE_EVENT_SOURCE, DEMO_DATA_PLANE_FIXTURES, DEMO_PERIOD, DEMO_TENANT_SPECS, DEMO_URN_SYSTEM, DEV_USERS, DataEventBus, DataStoreHistoricalArchive, DataStorePostgresReplica, DiscoverableStringParameter, DynamoDbDataStore, OPENHI_REPO_TAG_KEY_ENV_VAR, OPENHI_RESOURCE_URN_SYSTEM, OPENHI_TAG_KEY_PREFIX_ENV_VAR, OPENHI_TAG_SUFFIX_BRANCH_NAME, OPENHI_TAG_SUFFIX_REPO_NAME, OPENHI_TAG_SUFFIX_SERVICE_TYPE, OPENHI_TAG_SUFFIX_STAGE_TYPE, OWNING_DELETE_CASCADE_CONSUMER_NAME, OWNING_DELETE_CASCADE_DEFAULT_CONCURRENCY, OWNING_DELETE_CASCADE_STUCK_THRESHOLD_MINUTES, OWNING_DELETE_OPS_EVENT_BUS_ENV_VAR, OpenHiApp, OpenHiAuthService, OpenHiDataService, OpenHiEnvironment, OpenHiGlobalService, OpenHiGraphqlService, OpenHiRestApiService, OpenHiService, OpenHiStage, OpenHiWebsiteService, OpsEventBus, OwningDeleteCascadeLambdas, OwningDeleteCascadeWorkflow, PLACEHOLDER_TENANT_ID, PLACEHOLDER_WORKSPACE_ID, PLATFORM_DEPLOY_BRIDGE_ACTOR_SYSTEM, PLATFORM_SCOPE_TENANT_ID, POSTGRES_REPLICA_CLUSTER_ARN_SSM_NAME, POSTGRES_REPLICA_DATABASE_NAME_SSM_NAME, POSTGRES_REPLICA_SECRET_ARN_SSM_NAME, PROVISION_DEFAULT_WORKSPACE_DETAIL_TYPE, PlatformDeployBridge, PlatformDeployBridgeLambda, PostAuthenticationLambda, PostConfirmationLambda, PreTokenGenerationLambda, ProvisionDefaultWorkspaceLambda, RENAME_CASCADE_CONSUMER_NAME, RENAME_CASCADE_DEFAULT_CONCURRENCY, RENAME_CASCADE_FAILED_THRESHOLD, RENAME_CASCADE_OPS_EVENT_BUS_ENV_VAR, RENAME_CASCADE_SLOW_THRESHOLD_SECONDS, REST_API_BASE_URL_SSM_NAME, RenameCascadeLambdas, RenameCascadeWorkflow, RootGraphqlApi, RootHostedZone, RootHttpApi, RootWildcardCertificate, SEED_DEMO_DATA_CONSUMER_NAME, SEED_SYSTEM_DATA_ACTOR_SYSTEM, SEED_SYSTEM_DATA_CONSUMER_NAME, SEED_SYSTEM_DATA_CONTROL_BUS_ENV_VAR, SSM_PARAM_NAME_FULL_DOMAIN, STATIC_HOSTING_SERVICE_TYPE, SeedDemoDataLambda, SeedDemoDataWorkflow, SeedSystemDataLambda, SeedSystemDataWorkflow, StaticContent, StaticHosting, USER_ONBOARDING_EVENT_SOURCE, UserOnboardingWorkflow, WorkflowDedupConsumerNameInvalidError, WorkflowDedupTable, WorkflowDedupTableDuplicateError, buildFhirCurrentResourceChangeDetail, buildProvisionDefaultWorkspaceRequestedDetail, demoMembershipId, demoRoleAssignmentId, demoRolesForUserInTenant, demoScenarioIdentifier, getDynamoDbDataStoreTableName, getPostgresReplicaSchemaName, getWorkflowDedupTableName, openHiTagKey, openhiResourceIdentifier };
-export type { BridgedStatus, BuildParameterNameProps, CascadeChunkInput, CascadeFinalizeInput, CascadeFinalizeOutput, CascadeListInput, CascadeListOutput, ChildHostedZoneProps, CloudFormationStackStatusChangeDetail, DataStoreHistoricalArchiveProps, DataStorePostgresReplicaProps, DemoDevUser, DemoTenantSpec, DemoWorkspaceDataPlaneFixtures, DemoWorkspaceSpec, DiscoverableStringParameterProps, DynamoDbDataStoreProps, FhirCurrentResourceChangeDetail, GrantConsumerOptions, HostingMode, OpenHiAppProps, OpenHiAuthServiceProps, OpenHiDataServiceProps, OpenHiEnvironmentProps, OpenHiGlobalServiceProps, OpenHiGraphqlServiceProps, OpenHiRestApiServiceProps, OpenHiServiceProps, OpenHiServiceType, OpenHiStageProps, OpenHiWebsiteServiceProps, OwningDeleteCascadeLambdasProps, OwningDeleteCascadeWorkflowProps, PlatformDeployBridgeLambdaProps, PlatformDeployBridgeProps, PostConfirmationLambdaProps, PreTokenGenerationLambdaProps, ProvisionDefaultWorkspaceLambdaProps, ProvisionDefaultWorkspaceRequestedDetail, RenameCascadeChunkInput, RenameCascadeFinalizeInput, RenameCascadeFinalizeOutput, RenameCascadeLambdasProps, RenameCascadeListInput, RenameCascadeListOutput, RenameCascadeWorkflowProps, RootGraphqlApiProps, RootHttpApiProps, SeedDemoDataLambdaProps, SeedDemoDataWorkflowProps, SeedSystemDataLambdaProps, SeedSystemDataWorkflowProps, StaticContentProps, StaticHostingProps, UserOnboardingWorkflowProps, WorkflowDedupTableProps };
+export type { BridgedStatus, BuildParameterNameProps, CascadeChunkInput, CascadeFinalizeInput, CascadeFinalizeOutput, CascadeListInput, CascadeListOutput, ChildHostedZoneProps, CloudFormationStackStatusChangeDetail, DataEventBusOptions, DataStoreHistoricalArchiveProps, DataStorePostgresReplicaProps, DemoDevUser, DemoTenantSpec, DemoWorkspaceDataPlaneFixtures, DemoWorkspaceSpec, DiscoverableStringParameterProps, DynamoDbDataStoreProps, FhirCurrentResourceChangeDetail, GrantConsumerOptions, HostingMode, OpenHiAppProps, OpenHiAuthServiceProps, OpenHiDataServiceProps, OpenHiEnvironmentProps, OpenHiGlobalServiceProps, OpenHiGraphqlServiceProps, OpenHiRestApiServiceProps, OpenHiServiceProps, OpenHiServiceType, OpenHiStageProps, OpenHiWebsiteServiceProps, OwningDeleteCascadeLambdasProps, OwningDeleteCascadeWorkflowProps, PlatformDeployBridgeLambdaProps, PlatformDeployBridgeProps, PostConfirmationLambdaProps, PreTokenGenerationLambdaProps, ProvisionDefaultWorkspaceLambdaProps, ProvisionDefaultWorkspaceRequestedDetail, RenameCascadeChunkInput, RenameCascadeFinalizeInput, RenameCascadeFinalizeOutput, RenameCascadeLambdasProps, RenameCascadeListInput, RenameCascadeListOutput, RenameCascadeWorkflowProps, RootGraphqlApiProps, RootHttpApiProps, SeedDemoDataLambdaProps, SeedDemoDataWorkflowProps, SeedSystemDataLambdaProps, SeedSystemDataWorkflowProps, StaticContentProps, StaticHostingProps, UserOnboardingWorkflowProps, WorkflowDedupTableProps };