@openhi/constructs 0.0.127 → 0.0.129

package/lib/delete-chunk.handler.mjs

@@ -1,11 +1,11 @@
 import {
   OWNING_DELETE_PROJECTION_ENTITY,
   deleteOwningChildChunkOperation
-} from "./chunk-W4KR4CSL.mjs";
+} from "./chunk-M7Y3BOQW.mjs";
 import "./chunk-ZM4GDHHC.mjs";
 import "./chunk-QJDHVMKT.mjs";
 import "./chunk-FYHBHHWK.mjs";
-import "./chunk-6NBGYGFL.mjs";
+import "./chunk-VZCPGQXA.mjs";
 import "./chunk-TRY7JGWO.mjs";
 import "./chunk-LZOMFHX3.mjs";
 

package/lib/delete-chunk.handler.mjs.map

@@ -1 +1 @@
-{"version":3,"sources":["../src/workflows/control-plane/owning-delete-cascade/delete-chunk.handler.ts"],"sourcesContent":["/**\n * @see sites/www-docs/content/packages/@openhi/constructs/workflows/control-plane/owning-delete-cascade/delete-chunk-handler.md\n *\n * Cascade Step Functions Map-iteration handler. Receives one chunk of\n * <=100 projection rows from the list-and-chunk step and issues a\n * single `TransactWriteItems` via `executeMultiWrite` (#1010).\n *\n * Idempotency: ElectroDB / DynamoDB SDK forwards the `chunkToken` as\n * the `ClientRequestToken` for the transaction, so a Map iteration\n * replayed by Step Functions retry lands on the same transaction id.\n * The state machine's `Catch` block also absorbs\n * `TransactionCanceledException` as a no-op success — common when a\n * prior replay already removed the rows.\n *\n * The handler never touches the canonical owning record; the finalize\n * step owns the canonical delete.\n */\n\nimport type { CascadeChunkInput } from \"./events\";\nimport { deleteOwningChildChunkOperation } from \"../../../data/operations/control/owning-delete/owning-delete-batch-delete-operation\";\nimport {\n  type OwningDeleteProjectionEntity,\n  OWNING_DELETE_PROJECTION_ENTITY,\n} from \"../../../data/operations/control/owning-delete/owning-delete-list-child-projections-operation\";\n\nexport interface DeleteChunkOutput {\n  readonly ownerType: string;\n  readonly ownerId: string;\n  readonly tenantId?: string;\n  readonly rowsDeleted: number;\n}\n\nfunction isKnownEntity(value: string): value is OwningDeleteProjectionEntity {\n  for (const known of Object.values(OWNING_DELETE_PROJECTION_ENTITY)) {\n    if (known === value) {\n      return true;\n    }\n  }\n  return false;\n}\n\nexport const handler = async (\n  input: CascadeChunkInput,\n): Promise<DeleteChunkOutput> => {\n  const rows = input.rows.map((row) => {\n    if (!isKnownEntity(row.entity)) {\n      throw new Error(\n        `owning-delete cascade delete-chunk: unknown projection entity '${row.entity}'`,\n      );\n    }\n    return {\n      entity: row.entity,\n      key: { ...row.key },\n    };\n  });\n\n  const result = await deleteOwningChildChunkOperation({\n    rows,\n    token: input.chunkToken,\n  });\n\n  return {\n    ownerType: input.ownerType,\n    ownerId: input.ownerId,\n    tenantId: input.tenantId,\n    rowsDeleted: result.rowsDeleted,\n  };\n};\n"],"mappings":";;;;;;;;;;;;AAgCA,SAAS,cAAc,OAAsD;AAC3E,aAAW,SAAS,OAAO,OAAO,+BAA+B,GAAG;AAClE,QAAI,UAAU,OAAO;AACnB,aAAO;AAAA,IACT;AAAA,EACF;AACA,SAAO;AACT;AAEO,IAAM,UAAU,OACrB,UAC+B;AAC/B,QAAM,OAAO,MAAM,KAAK,IAAI,CAAC,QAAQ;AACnC,QAAI,CAAC,cAAc,IAAI,MAAM,GAAG;AAC9B,YAAM,IAAI;AAAA,QACR,kEAAkE,IAAI,MAAM;AAAA,MAC9E;AAAA,IACF;AACA,WAAO;AAAA,MACL,QAAQ,IAAI;AAAA,MACZ,KAAK,EAAE,GAAG,IAAI,IAAI;AAAA,IACpB;AAAA,EACF,CAAC;AAED,QAAM,SAAS,MAAM,gCAAgC;AAAA,IACnD;AAAA,IACA,OAAO,MAAM;AAAA,EACf,CAAC;AAED,SAAO;AAAA,IACL,WAAW,MAAM;AAAA,IACjB,SAAS,MAAM;AAAA,IACf,UAAU,MAAM;AAAA,IAChB,aAAa,OAAO;AAAA,EACtB;AACF;","names":[]}
+{"version":3,"sources":["../src/workflows/control-plane/owning-delete-cascade/delete-chunk.handler.ts"],"sourcesContent":["/**\n * @see sites/www-docs/content/packages/@openhi/constructs/workflows/control-plane/owning-delete-cascade/delete-chunk-handler.md\n *\n * Cascade Step Functions Map-iteration handler. Receives one chunk of\n * \\<=100 projection rows from the list-and-chunk step and issues a\n * single `TransactWriteItems` via `executeMultiWrite` (#1010).\n *\n * Idempotency: ElectroDB / DynamoDB SDK forwards the `chunkToken` as\n * the `ClientRequestToken` for the transaction, so a Map iteration\n * replayed by Step Functions retry lands on the same transaction id.\n * The state machine's `Catch` block also absorbs\n * `TransactionCanceledException` as a no-op success — common when a\n * prior replay already removed the rows.\n *\n * The handler never touches the canonical owning record; the finalize\n * step owns the canonical delete.\n */\n\nimport type { CascadeChunkInput } from \"./events\";\nimport { deleteOwningChildChunkOperation } from \"../../../data/operations/control/owning-delete/owning-delete-batch-delete-operation\";\nimport {\n  type OwningDeleteProjectionEntity,\n  OWNING_DELETE_PROJECTION_ENTITY,\n} from \"../../../data/operations/control/owning-delete/owning-delete-list-child-projections-operation\";\n\nexport interface DeleteChunkOutput {\n  readonly ownerType: string;\n  readonly ownerId: string;\n  readonly tenantId?: string;\n  readonly rowsDeleted: number;\n}\n\nfunction isKnownEntity(value: string): value is OwningDeleteProjectionEntity {\n  for (const known of Object.values(OWNING_DELETE_PROJECTION_ENTITY)) {\n    if (known === value) {\n      return true;\n    }\n  }\n  return false;\n}\n\nexport const handler = async (\n  input: CascadeChunkInput,\n): Promise<DeleteChunkOutput> => {\n  const rows = input.rows.map((row) => {\n    if (!isKnownEntity(row.entity)) {\n      throw new Error(\n        `owning-delete cascade delete-chunk: unknown projection entity '${row.entity}'`,\n      );\n    }\n    return {\n      entity: row.entity,\n      key: { ...row.key },\n    };\n  });\n\n  const result = await deleteOwningChildChunkOperation({\n    rows,\n    token: input.chunkToken,\n  });\n\n  return {\n    ownerType: input.ownerType,\n    ownerId: input.ownerId,\n    tenantId: input.tenantId,\n    rowsDeleted: result.rowsDeleted,\n  };\n};\n"],"mappings":";;;;;;;;;;;;AAgCA,SAAS,cAAc,OAAsD;AAC3E,aAAW,SAAS,OAAO,OAAO,+BAA+B,GAAG;AAClE,QAAI,UAAU,OAAO;AACnB,aAAO;AAAA,IACT;AAAA,EACF;AACA,SAAO;AACT;AAEO,IAAM,UAAU,OACrB,UAC+B;AAC/B,QAAM,OAAO,MAAM,KAAK,IAAI,CAAC,QAAQ;AACnC,QAAI,CAAC,cAAc,IAAI,MAAM,GAAG;AAC9B,YAAM,IAAI;AAAA,QACR,kEAAkE,IAAI,MAAM;AAAA,MAC9E;AAAA,IACF;AACA,WAAO;AAAA,MACL,QAAQ,IAAI;AAAA,MACZ,KAAK,EAAE,GAAG,IAAI,IAAI;AAAA,IACpB;AAAA,EACF,CAAC;AAED,QAAM,SAAS,MAAM,gCAAgC;AAAA,IACnD;AAAA,IACA,OAAO,MAAM;AAAA,EACf,CAAC;AAED,SAAO;AAAA,IACL,WAAW,MAAM;AAAA,IACjB,SAAS,MAAM;AAAA,IACf,UAAU,MAAM;AAAA,IAChB,aAAa,OAAO;AAAA,EACtB;AACF;","names":[]}

package/lib/{events-BfrkMoBD.d.mts → events-COI0BuMM.d.mts}

@@ -27,7 +27,7 @@ declare const PLATFORM_DEPLOY_BRIDGE_ACTOR_SYSTEM = "platform-deploy-bridge";
 /**
  * Subset of the CloudFormation Stack Status Change `detail` field the
  * bridge handler reads. AWS-side schema lives at
- * <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/monitoring-cloudformation.html>.
+ * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/monitoring-cloudformation.html .
  */
 interface CloudFormationStackStatusChangeDetail {
     readonly "stack-id": string;

package/lib/{events-BfrkMoBD.d.ts → events-COI0BuMM.d.ts}

@@ -27,7 +27,7 @@ declare const PLATFORM_DEPLOY_BRIDGE_ACTOR_SYSTEM = "platform-deploy-bridge";
 /**
  * Subset of the CloudFormation Stack Status Change `detail` field the
  * bridge handler reads. AWS-side schema lives at
- * <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/monitoring-cloudformation.html>.
+ * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/monitoring-cloudformation.html .
  */
 interface CloudFormationStackStatusChangeDetail {
     readonly "stack-id": string;

package/lib/index.d.mts

@@ -24,7 +24,7 @@ import { Distribution, DistributionProps, CachePolicyProps, BehaviorOptions } fr
 import { HostingMode } from './static-hosting.viewer-request-handler.mjs';
 export { C as CascadeChunkInput, a as CascadeFinalizeInput, b as CascadeFinalizeOutput, c as CascadeListInput, d as CascadeListOutput, O as OWNING_DELETE_CASCADE_CONSUMER_NAME, e as OWNING_DELETE_CASCADE_DEFAULT_CONCURRENCY, f as OWNING_DELETE_CASCADE_STUCK_THRESHOLD_MINUTES, g as OWNING_DELETE_OPS_EVENT_BUS_ENV_VAR } from './events-CjS-sm0W.mjs';
 import { StateMachine } from 'aws-cdk-lib/aws-stepfunctions';
-export { B as BRIDGED_STATUSES, a as BridgedStatus, C as CLOUDFORMATION_EVENT_SOURCE, b as CLOUDFORMATION_STACK_STATUS_CHANGE_DETAIL_TYPE, c as CONTROL_EVENT_BUS_NAME_ENV_VAR, d as CloudFormationStackStatusChangeDetail, O as OPENHI_REPO_TAG_KEY_ENV_VAR, e as OPENHI_TAG_KEY_PREFIX_ENV_VAR, P as PLATFORM_DEPLOY_BRIDGE_ACTOR_SYSTEM } from './events-BfrkMoBD.mjs';
+export { B as BRIDGED_STATUSES, a as BridgedStatus, C as CLOUDFORMATION_EVENT_SOURCE, b as CLOUDFORMATION_STACK_STATUS_CHANGE_DETAIL_TYPE, c as CONTROL_EVENT_BUS_NAME_ENV_VAR, d as CloudFormationStackStatusChangeDetail, O as OPENHI_REPO_TAG_KEY_ENV_VAR, e as OPENHI_TAG_KEY_PREFIX_ENV_VAR, P as PLATFORM_DEPLOY_BRIDGE_ACTOR_SYSTEM } from './events-COI0BuMM.mjs';
 export { R as RENAME_CASCADE_CONSUMER_NAME, a as RENAME_CASCADE_DEFAULT_CONCURRENCY, b as RENAME_CASCADE_FAILED_THRESHOLD, c as RENAME_CASCADE_OPS_EVENT_BUS_ENV_VAR, d as RENAME_CASCADE_SLOW_THRESHOLD_SECONDS, e as RenameCascadeChunkInput, f as RenameCascadeFinalizeInput, g as RenameCascadeFinalizeOutput, h as RenameCascadeListInput, i as RenameCascadeListOutput } from './events-Da_cFgtc.mjs';
 import { Patient, Practitioner, Observation, Encounter, Account } from '@openhi/types';
 export { D as DEMO_PERIOD, a as DEMO_TENANT_SPECS, b as DEMO_URN_SYSTEM, c as DEV_USERS, d as DemoDevUser, e as DemoTenantSpec, f as DemoWorkspaceSpec, O as OPENHI_RESOURCE_URN_SYSTEM, P as PLACEHOLDER_TENANT_ID, g as PLACEHOLDER_WORKSPACE_ID, h as PLATFORM_SCOPE_TENANT_ID, S as SEED_DEMO_DATA_CONSUMER_NAME, i as demoMembershipId, j as demoRoleAssignmentId, k as demoRolesForUserInTenant, l as demoScenarioIdentifier, o as openhiResourceIdentifier } from './events-CMG8xanm.mjs';
@@ -159,7 +159,6 @@ declare class OpenHiEnvironment extends Stage {
     props: OpenHiEnvironmentProps;
     /**
      * Finds the OpenHiEnvironment that contains the given construct.
-     * ```
      */
     static of(construct: IConstruct): OpenHiEnvironment | undefined;
     /**
@@ -194,7 +193,6 @@ declare class OpenHiEnvironment extends Stage {
 interface OpenHiAppProps extends AppProps {
     /**
      * Optional name for the application.
-     * ```
      */
     readonly appName?: string;
     /**
@@ -409,7 +407,7 @@ declare abstract class OpenHiService extends Stack {
      * @param id - Unique identifier for this service stack (e.g., "user-service")
      * @param props - Optional properties for configuring the service
      *
-     * @throws {Error} If account and region are not defined in props or environment
+     * @throws \{Error\} If account and region are not defined in props or environment
      *
      */
     constructor(ohEnv: OpenHiEnvironment, id: string, props?: OpenHiServiceProps);
@@ -1084,9 +1082,9 @@ declare class PerBranchHostname extends Construct {
  *  A bucket used to store content for stage.openhi.org might have the
  *  following directory structure (all in the same bucket):
  *
- *  /www.stage.openhi.org/* -> serves content to www.stage.openhi.org
- *  /feature-7.stage.openhi.org/* -> serves content to feature-7.stage.openhi.org
- *  /pr-123.stage.openhi.org/* -> serves content to pr-123.stage.openhi.org
+ *  /www.stage.openhi.org/* -\> serves content to www.stage.openhi.org
+ *  /feature-7.stage.openhi.org/* -\> serves content to feature-7.stage.openhi.org
+ *  /pr-123.stage.openhi.org/* -\> serves content to pr-123.stage.openhi.org
  *
  ******************************************************************************/
 /**
@@ -1367,6 +1365,19 @@ declare class OpenHiAuthService extends OpenHiService {
      * Returns an IUserPoolDomain by looking up the Auth stack's User Pool Domain from SSM.
      */
     static userPoolDomainFromConstruct(scope: Construct): IUserPoolDomain;
+    /**
+     * Returns the full Cognito Hosted UI base URL (e.g.
+     * `https://auth-abc.auth.us-east-2.amazoncognito.com`) by looking up
+     * the Auth stack's User Pool Domain from SSM and composing it with the
+     * calling stack's region.
+     *
+     * Equivalent to `UserPoolDomain.baseUrl()` on the concrete construct,
+     * but works across stacks where the looked-up `IUserPoolDomain` is an
+     * `Import` and does not carry the `baseUrl()` method. Assumes the
+     * domain was created as a Cognito-managed prefix domain (the only
+     * variant `OpenHiAuthService.createUserPoolDomain` produces).
+     */
+    static userPoolDomainBaseUrlFromConstruct(scope: Construct): string;
     /**
      * Returns an IKey (KMS) by looking up the Auth stack's User Pool KMS Key ARN from SSM.
      */
@@ -1736,7 +1747,7 @@ declare class OpenHiRestApiService extends OpenHiService {
      */
     protected createCertificate(): ICertificate;
     /**
-     * Returns the API domain name string (e.g. api.example.com or api-{prefix}.example.com).
+     * Returns the API domain name string (e.g. api.example.com or api-\{prefix\}.example.com).
      * Override to customize.
      */
     protected createApiDomainNameString(hostedZone: IHostedZone): string;
@@ -2119,7 +2130,7 @@ declare class OpenHiGraphqlService extends OpenHiService {
  */
 interface OpenHiWebsiteServiceProps extends OpenHiServiceProps {
     /**
-     * Sub-domain prefix attached to the child zone (e.g. "www" -> "www.<zone>").
+     * Sub-domain prefix attached to the child zone (e.g. "www" -\> "www.\<zone\>").
      *
      * @default "www"
      */
@@ -2320,7 +2331,7 @@ interface OwningDeleteCascadeLambdasProps {
  * grant pattern.
  *
  * - `listChunks` — pages through the owner's adjacency-list partition
- *   via ElectroDB Query, splits the page into <=100-item chunks for
+ *   via ElectroDB Query, splits the page into \<=100-item chunks for
  *   the inline Map state.
  * - `deleteChunk` — Map-iteration handler; submits one chunk as a
  *   single `TransactWriteItems` via `executeMultiWrite`. The state

package/lib/index.d.ts

@@ -273,7 +273,7 @@ declare const PLATFORM_DEPLOY_BRIDGE_ACTOR_SYSTEM = "platform-deploy-bridge";
 /**
  * Subset of the CloudFormation Stack Status Change `detail` field the
  * bridge handler reads. AWS-side schema lives at
- * <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/monitoring-cloudformation.html>.
+ * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/monitoring-cloudformation.html .
  */
 interface CloudFormationStackStatusChangeDetail {
     readonly "stack-id": string;
@@ -796,7 +796,6 @@ declare class OpenHiEnvironment extends Stage {
     props: OpenHiEnvironmentProps;
     /**
      * Finds the OpenHiEnvironment that contains the given construct.
-     * ```
      */
     static of(construct: IConstruct): OpenHiEnvironment | undefined;
     /**
@@ -831,7 +830,6 @@ declare class OpenHiEnvironment extends Stage {
 interface OpenHiAppProps extends AppProps {
     /**
      * Optional name for the application.
-     * ```
      */
     readonly appName?: string;
     /**
@@ -1046,7 +1044,7 @@ declare abstract class OpenHiService extends Stack {
      * @param id - Unique identifier for this service stack (e.g., "user-service")
      * @param props - Optional properties for configuring the service
      *
-     * @throws {Error} If account and region are not defined in props or environment
+     * @throws \{Error\} If account and region are not defined in props or environment
      *
      */
     constructor(ohEnv: OpenHiEnvironment, id: string, props?: OpenHiServiceProps);
@@ -1721,9 +1719,9 @@ declare class PerBranchHostname extends Construct {
  *  A bucket used to store content for stage.openhi.org might have the
  *  following directory structure (all in the same bucket):
  *
- *  /www.stage.openhi.org/* -> serves content to www.stage.openhi.org
- *  /feature-7.stage.openhi.org/* -> serves content to feature-7.stage.openhi.org
- *  /pr-123.stage.openhi.org/* -> serves content to pr-123.stage.openhi.org
+ *  /www.stage.openhi.org/* -\> serves content to www.stage.openhi.org
+ *  /feature-7.stage.openhi.org/* -\> serves content to feature-7.stage.openhi.org
+ *  /pr-123.stage.openhi.org/* -\> serves content to pr-123.stage.openhi.org
  *
  ******************************************************************************/
 /**
@@ -2004,6 +2002,19 @@ declare class OpenHiAuthService extends OpenHiService {
      * Returns an IUserPoolDomain by looking up the Auth stack's User Pool Domain from SSM.
      */
     static userPoolDomainFromConstruct(scope: Construct): IUserPoolDomain;
+    /**
+     * Returns the full Cognito Hosted UI base URL (e.g.
+     * `https://auth-abc.auth.us-east-2.amazoncognito.com`) by looking up
+     * the Auth stack's User Pool Domain from SSM and composing it with the
+     * calling stack's region.
+     *
+     * Equivalent to `UserPoolDomain.baseUrl()` on the concrete construct,
+     * but works across stacks where the looked-up `IUserPoolDomain` is an
+     * `Import` and does not carry the `baseUrl()` method. Assumes the
+     * domain was created as a Cognito-managed prefix domain (the only
+     * variant `OpenHiAuthService.createUserPoolDomain` produces).
+     */
+    static userPoolDomainBaseUrlFromConstruct(scope: Construct): string;
     /**
      * Returns an IKey (KMS) by looking up the Auth stack's User Pool KMS Key ARN from SSM.
      */
@@ -2373,7 +2384,7 @@ declare class OpenHiRestApiService extends OpenHiService {
      */
     protected createCertificate(): ICertificate;
     /**
-     * Returns the API domain name string (e.g. api.example.com or api-{prefix}.example.com).
+     * Returns the API domain name string (e.g. api.example.com or api-\{prefix\}.example.com).
      * Override to customize.
      */
     protected createApiDomainNameString(hostedZone: IHostedZone): string;
@@ -2756,7 +2767,7 @@ declare class OpenHiGraphqlService extends OpenHiService {
  */
 interface OpenHiWebsiteServiceProps extends OpenHiServiceProps {
     /**
-     * Sub-domain prefix attached to the child zone (e.g. "www" -> "www.<zone>").
+     * Sub-domain prefix attached to the child zone (e.g. "www" -\> "www.\<zone\>").
      *
      * @default "www"
      */
@@ -2957,7 +2968,7 @@ interface OwningDeleteCascadeLambdasProps {
  * grant pattern.
  *
  * - `listChunks` — pages through the owner's adjacency-list partition
- *   via ElectroDB Query, splits the page into <=100-item chunks for
+ *   via ElectroDB Query, splits the page into \<=100-item chunks for
  *   the inline Map state.
  * - `deleteChunk` — Map-iteration handler; submits one chunk as a
  *   single `TransactWriteItems` via `executeMultiWrite`. The state

package/lib/index.js

@@ -929,7 +929,6 @@ var OpenHiEnvironment = class _OpenHiEnvironment extends import_aws_cdk_lib.Stag
   }
   /**
    * Finds the OpenHiEnvironment that contains the given construct.
-   * ```
    */
   static of(construct) {
     return construct.node.scopes.reverse().find(_OpenHiEnvironment.isOpenHiEnvironment);
@@ -1116,7 +1115,7 @@ var OpenHiService = class extends import_aws_cdk_lib4.Stack {
    * @param id - Unique identifier for this service stack (e.g., "user-service")
    * @param props - Optional properties for configuring the service
    *
-   * @throws {Error} If account and region are not defined in props or environment
+   * @throws \{Error\} If account and region are not defined in props or environment
    *
    */
   constructor(ohEnv, id, props = {}) {
@@ -3775,11 +3774,11 @@ var ConfigurationUserProjectionEntity = new import_electrodb2.Entity({
   },
   indexes: {
     /**
-     * Base table: PK = USER#ID#<userId>, SK = operation-supplied. A
-     * single `Query(PK = USER#ID#<userId>, SK begins_with
-     * 'CONFIGURATION#')` returns the user's user-scoped Configurations
-     * sorted by `<normalizedConfigName>` (then `<configurationId>` as
-     * the tiebreaker).
+     * Base table: PK = USER#ID#\<userId\>, SK = operation-supplied. A
+     * single `Query(PK = USER#ID#<userId>, SK begins_with 'CONFIGURATION#')`
+     * returns the user's user-scoped Configurations sorted by
+     * `<normalizedConfigName>` (then `<configurationId>` as the
+     * tiebreaker).
      */
     record: {
       pk: {
@@ -4167,11 +4166,12 @@ var MembershipUserProjectionEntity = new import_electrodb5.Entity({
   },
   indexes: {
     /**
-     * Base table: PK = USER#ID#<userId>, SK = operation-supplied.
+     * Base table: PK = USER#ID#\<userId\>, SK = operation-supplied.
      * Both pattern #3 and pattern #4 use this same index — the SK string
      * encodes the lane discriminator (`MEMBERSHIP#TENANT#…` vs
-     * `MEMBERSHIP#WORKSPACE#…`) so a single `Query(PK = USER#ID#<userId>,
-     * SK begins_with 'MEMBERSHIP#')` returns both lanes interleaved.
+     * `MEMBERSHIP#WORKSPACE#…`) so a single
+     * `Query(PK = USER#ID#<userId>, SK begins_with 'MEMBERSHIP#')`
+     * returns both lanes interleaved.
      */
     record: {
       pk: {
@@ -4674,12 +4674,12 @@ var RoleAssignmentUserProjectionEntity = new import_electrodb9.Entity({
   },
   indexes: {
     /**
-     * Base table: PK = USER#ID#<userId>, SK = operation-supplied. Both
+     * Base table: PK = USER#ID#\<userId\>, SK = operation-supplied. Both
      * sub-lanes (tenant-level and workspace-level) use this same index —
      * the SK string encodes the lane discriminator
      * (`ROLEASSIGNMENT#TENANT#…` vs `ROLEASSIGNMENT#WORKSPACE#…`) so a
-     * single `Query(PK = USER#ID#<userId>, SK begins_with
-     * 'ROLEASSIGNMENT#')` returns both lanes interleaved.
+     * single `Query(PK = USER#ID#<userId>, SK begins_with 'ROLEASSIGNMENT#')`
+     * returns both lanes interleaved.
      */
     record: {
       pk: {
@@ -6747,6 +6747,26 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
     });
     return import_aws_cognito4.UserPoolDomain.fromDomainName(scope, "user-pool-domain", domainName);
   }
+  /**
+   * Returns the full Cognito Hosted UI base URL (e.g.
+   * `https://auth-abc.auth.us-east-2.amazoncognito.com`) by looking up
+   * the Auth stack's User Pool Domain from SSM and composing it with the
+   * calling stack's region.
+   *
+   * Equivalent to `UserPoolDomain.baseUrl()` on the concrete construct,
+   * but works across stacks where the looked-up `IUserPoolDomain` is an
+   * `Import` and does not carry the `baseUrl()` method. Assumes the
+   * domain was created as a Cognito-managed prefix domain (the only
+   * variant `OpenHiAuthService.createUserPoolDomain` produces).
+   */
+  static userPoolDomainBaseUrlFromConstruct(scope) {
+    const domainName = DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: CognitoUserPoolDomain.SSM_PARAM_NAME,
+      serviceType: _OpenHiAuthService.SERVICE_TYPE
+    });
+    const region = import_core.Stack.of(scope).region;
+    return `https://${domainName}.auth.${region}.amazoncognito.com`;
+  }
   /**
    * Returns an IKey (KMS) by looking up the Auth stack's User Pool KMS Key ARN from SSM.
    */
@@ -7110,7 +7130,7 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
     return OpenHiGlobalService.rootWildcardCertificateFromConstruct(this);
   }
   /**
-   * Returns the API domain name string (e.g. api.example.com or api-{prefix}.example.com).
+   * Returns the API domain name string (e.g. api.example.com or api-\{prefix\}.example.com).
    * Override to customize.
    */
   createApiDomainNameString(hostedZone) {
@@ -7344,11 +7364,11 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
     const cognitoScope = new import_constructs21.Construct(this, "runtime-config");
     const userPool = OpenHiAuthService.userPoolFromConstruct(cognitoScope);
     const userPoolClient = OpenHiAuthService.userPoolClientFromConstruct(cognitoScope);
-    const userPoolDomain = OpenHiAuthService.userPoolDomainFromConstruct(cognitoScope);
+    const cognitoDomainUrl = OpenHiAuthService.userPoolDomainBaseUrlFromConstruct(cognitoScope);
     return {
       OPENHI_RUNTIME_CONFIG_COGNITO_USER_POOL_ID: userPool.userPoolId,
       OPENHI_RUNTIME_CONFIG_COGNITO_USER_POOL_CLIENT_ID: userPoolClient.userPoolClientId,
-      OPENHI_RUNTIME_CONFIG_COGNITO_DOMAIN: userPoolDomain.domainName,
+      OPENHI_RUNTIME_CONFIG_COGNITO_DOMAIN_URL: cognitoDomainUrl,
       OPENHI_RUNTIME_CONFIG_COGNITO_REDIRECT_URI: this.props.runtimeConfig.cognitoRedirectUri,
       OPENHI_RUNTIME_CONFIG_API_BASE_URL: this.props.runtimeConfig.apiBaseUrl
     };