npm - @openhi/constructs - Versions diffs - 0.0.136 → 0.0.138 - Mend

@openhi/constructs 0.0.136 → 0.0.138

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/lib/index.js CHANGED Viewed

@@ -798,6 +798,8 @@ __export(src_exports, {
   DataStorePostgresReplica: () => DataStorePostgresReplica,
   DiscoverableStringParameter: () => DiscoverableStringParameter,
   DynamoDbDataStore: () => DynamoDbDataStore,
+  LOCALHOST_OAUTH_CALLBACK_URLS: () => LOCALHOST_OAUTH_CALLBACK_URLS,
+  LOCALHOST_OAUTH_LOGOUT_URLS: () => LOCALHOST_OAUTH_LOGOUT_URLS,
   OPENHI_REPO_TAG_KEY_ENV_VAR: () => OPENHI_REPO_TAG_KEY_ENV_VAR,
   OPENHI_RESOURCE_URN_SYSTEM: () => OPENHI_RESOURCE_URN_SYSTEM,
   OPENHI_TAG_KEY_PREFIX_ENV_VAR: () => OPENHI_TAG_KEY_PREFIX_ENV_VAR,
@@ -1473,23 +1475,10 @@ var import_aws_cognito2 = require("aws-cdk-lib/aws-cognito");
 var CognitoUserPoolClient = class extends import_aws_cognito2.UserPoolClient {
   constructor(scope, props) {
     super(scope, "user-pool-client", {
-      /**
-       * Defaults
-       */
+      // Default: SPA client (no secret). OAuth flow + callback/logout URL
+      // composition is the owning service's responsibility — pass via
+      // `props.oAuth` (see `OpenHiAuthService.resolveOAuthRedirectUrls`).
       generateSecret: false,
-      oAuth: {
-        flows: {
-          authorizationCodeGrant: true,
-          implicitCodeGrant: true
-        },
-        callbackUrls: [
-          `http://localhost:3000/oauth/callback`,
-          `https://localhost:3000/oauth/callback`
-        ]
-      },
-      /**
-       * Overrideable props
-       */
       ...props
     });
   }
@@ -2322,10 +2311,11 @@ var DataStorePostgresReplica = class extends import_constructs6.Construct {
       bundling: {
         minify: true,
         sourceMap: false,
-        // pg has conditional/optional deps (pg-native, pg-cloudflare) that
-        // historically misbehave when bundled by esbuild; keep it as a real
-        // node_module in the Lambda zip instead.
-        nodeModules: ["pg"]
+        // pg's conditional optional deps (pg-native, pg-cloudflare) are
+        // marked external so esbuild does not try to resolve them — pg's
+        // runtime code wraps the requires in try/catch and falls back to
+        // the pure-JS client when they are not present.
+        externalModules: ["pg-native", "pg-cloudflare"]
       }
     });
     this.cluster.secret.grantRead(this.replicationFunction);
@@ -2815,10 +2805,11 @@ var StaticContent = class extends import_constructs10.Construct {
 };
 // src/services/open-hi-auth-service.ts
+var import_config7 = __toESM(require_lib());
 var import_aws_cognito4 = require("aws-cdk-lib/aws-cognito");
-var import_aws_iam6 = require("aws-cdk-lib/aws-iam");
+var import_aws_iam7 = require("aws-cdk-lib/aws-iam");
 var import_aws_kms2 = require("aws-cdk-lib/aws-kms");
-var import_core = require("aws-cdk-lib/core");
+var import_core2 = require("aws-cdk-lib/core");
 // src/services/open-hi-data-service.ts
 var import_config4 = __toESM(require_lib());
@@ -6791,620 +6782,247 @@ var _OpenHiDataService = class _OpenHiDataService extends OpenHiService {
 _OpenHiDataService.SERVICE_TYPE = "data";
 var OpenHiDataService = _OpenHiDataService;
-// src/workflows/control-plane/user-onboarding/events.ts
-var USER_ONBOARDING_EVENT_SOURCE = "openhi.control.user-onboarding";
-var PROVISION_DEFAULT_WORKSPACE_DETAIL_TYPE = "ProvisionDefaultWorkspaceRequested";
-var buildProvisionDefaultWorkspaceRequestedDetail = (event) => {
-  const attrs = event.request?.userAttributes ?? {};
-  const cognitoSub = attrs.sub?.trim();
-  if (!cognitoSub) {
-    return void 0;
-  }
-  const email = attrs.email?.trim();
-  const displayName = email || event.userName || cognitoSub;
-  return {
-    cognitoSub,
-    ...email ? { email } : {},
-    displayName,
-    trigger: {
-      source: "cognito.post-confirmation",
-      triggerSource: event.triggerSource,
-      userPoolId: event.userPoolId,
-      userName: event.userName,
-      clientId: event.callerContext?.clientId
-    }
-  };
-};
+// src/services/open-hi-website-service.ts
+var import_config6 = __toESM(require_lib());
+var import_aws_s32 = require("aws-cdk-lib/aws-s3");
-// src/workflows/control-plane/user-onboarding/provision-default-workspace-lambda.ts
+// src/services/open-hi-rest-api-service.ts
+var import_config5 = __toESM(require_lib());
+var import_aws_apigatewayv22 = require("aws-cdk-lib/aws-apigatewayv2");
+var import_aws_apigatewayv2_authorizers = require("aws-cdk-lib/aws-apigatewayv2-authorizers");
+var import_aws_apigatewayv2_integrations = require("aws-cdk-lib/aws-apigatewayv2-integrations");
+var import_aws_iam5 = require("aws-cdk-lib/aws-iam");
+var import_aws_route535 = require("aws-cdk-lib/aws-route53");
+var import_aws_route53_targets3 = require("aws-cdk-lib/aws-route53-targets");
+var import_core = require("aws-cdk-lib/core");
+var import_constructs19 = require("constructs");
+// src/data/lambda/cors-options-lambda.ts
 var import_node_fs9 = __toESM(require("fs"));
 var import_node_path9 = __toESM(require("path"));
-var import_aws_cdk_lib15 = require("aws-cdk-lib");
-var import_aws_events8 = require("aws-cdk-lib/aws-events");
-var import_aws_events_targets4 = require("aws-cdk-lib/aws-events-targets");
-var import_aws_iam5 = require("aws-cdk-lib/aws-iam");
 var import_aws_lambda10 = require("aws-cdk-lib/aws-lambda");
 var import_aws_lambda_nodejs10 = require("aws-cdk-lib/aws-lambda-nodejs");
 var import_constructs17 = require("constructs");
-var HANDLER_NAME9 = "provision-default-workspace.handler.js";
+var HANDLER_NAME9 = "cors-options-lambda.handler.js";
 function resolveHandlerEntry9(dirname) {
   const sameDir = import_node_path9.default.join(dirname, HANDLER_NAME9);
   if (import_node_fs9.default.existsSync(sameDir)) {
     return sameDir;
   }
-  return import_node_path9.default.join(dirname, "..", "..", "..", "..", "lib", HANDLER_NAME9);
+  const fromLib = import_node_path9.default.join(dirname, "..", "..", "..", "lib", HANDLER_NAME9);
+  return fromLib;
 }
-var ProvisionDefaultWorkspaceLambda = class extends import_constructs17.Construct {
-  constructor(scope, props) {
-    super(scope, "provision-default-workspace-lambda");
+var CorsOptionsLambda = class extends import_constructs17.Construct {
+  constructor(scope, id = "cors-options-lambda") {
+    super(scope, id);
     this.lambda = new import_aws_lambda_nodejs10.NodejsFunction(this, "handler", {
       entry: resolveHandlerEntry9(__dirname),
       runtime: import_aws_lambda10.Runtime.NODEJS_LATEST,
-      memorySize: 1024,
-      environment: {
-        DYNAMO_TABLE_NAME: props.dataStoreTable.tableName
-      }
-    });
-    props.dataStoreTable.grant(
-      this.lambda,
-      "dynamodb:PutItem",
-      "dynamodb:UpdateItem"
-    );
-    this.lambda.addToRolePolicy(
-      new import_aws_iam5.PolicyStatement({
-        effect: import_aws_iam5.Effect.ALLOW,
-        actions: ["dynamodb:Query"],
-        resources: [`${props.dataStoreTable.tableArn}/index/*`]
-      })
-    );
-    this.rule = new import_aws_events8.Rule(this, "rule", {
-      eventBus: props.controlEventBus,
-      eventPattern: {
-        source: [USER_ONBOARDING_EVENT_SOURCE],
-        detailType: [PROVISION_DEFAULT_WORKSPACE_DETAIL_TYPE]
-      },
-      targets: [
-        new import_aws_events_targets4.LambdaFunction(this.lambda, {
-          retryAttempts: 2,
-          maxEventAge: import_aws_cdk_lib15.Duration.hours(2)
-        })
-      ]
+      memorySize: 128
     });
   }
 };
-// src/workflows/control-plane/user-onboarding/user-onboarding-workflow.ts
+// src/data/lambda/rest-api-lambda.ts
+var import_node_fs10 = __toESM(require("fs"));
+var import_node_path10 = __toESM(require("path"));
+var import_aws_lambda11 = require("aws-cdk-lib/aws-lambda");
+var import_aws_lambda_nodejs11 = require("aws-cdk-lib/aws-lambda-nodejs");
 var import_constructs18 = require("constructs");
-var UserOnboardingWorkflow = class extends import_constructs18.Construct {
+var HANDLER_NAME10 = "rest-api-lambda.handler.js";
+function resolveHandlerEntry10(dirname) {
+  const sameDir = import_node_path10.default.join(dirname, HANDLER_NAME10);
+  if (import_node_fs10.default.existsSync(sameDir)) {
+    return sameDir;
+  }
+  const fromLib = import_node_path10.default.join(dirname, "..", "..", "..", "lib", HANDLER_NAME10);
+  return fromLib;
+}
+var RestApiLambda = class extends import_constructs18.Construct {
   constructor(scope, props) {
-    super(scope, "user-onboarding-workflow");
-    this.provisionDefaultWorkspace = new ProvisionDefaultWorkspaceLambda(this, {
-      dataStoreTable: props.dataStoreTable,
-      controlEventBus: props.controlEventBus
+    super(scope, "rest-api-lambda");
+    this.lambda = new import_aws_lambda_nodejs11.NodejsFunction(this, "handler", {
+      entry: resolveHandlerEntry10(__dirname),
+      runtime: import_aws_lambda11.Runtime.NODEJS_LATEST,
+      memorySize: 1024,
+      environment: {
+        DYNAMO_TABLE_NAME: props.dynamoTableName,
+        BRANCH_TAG_VALUE: props.branchTagValue,
+        HTTP_API_TAG_VALUE: props.httpApiTagValue,
+        OPENHI_PG_CLUSTER_ARN: props.postgresClusterArn,
+        OPENHI_PG_SECRET_ARN: props.postgresSecretArn,
+        OPENHI_PG_DATABASE: props.postgresDatabase,
+        OPENHI_PG_SCHEMA: props.postgresSchema,
+        ...props.extraEnvironment
+      },
+      bundling: {
+        minify: true,
+        sourceMap: false
+      }
     });
   }
 };
-// src/services/open-hi-auth-service.ts
-var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
-  constructor(ohEnv, props = {}) {
-    super(ohEnv, _OpenHiAuthService.SERVICE_TYPE, props);
-    /**
-     * Cross-stack reference to the data store table. Cached so repeated
-     * lookups share a single CDK construct id ("dynamo-db-data-store") in
-     * this stack — a second `Table.fromTableName` call under the same scope
-     * would collide.
-     */
-    this._dataStoreTable = null;
-    this._controlEventBus = null;
-    this.props = props;
-    this.userPoolKmsKey = this.createUserPoolKmsKey();
-    this.preTokenGenerationLambda = this.createPreTokenGenerationLambda();
-    this.postAuthenticationLambda = this.createPostAuthenticationLambda();
-    this.postConfirmationLambda = this.createPostConfirmationLambda();
-    this.userOnboardingWorkflow = this.createUserOnboardingWorkflow();
-    this.userPool = this.createUserPool();
-    this.grantPreTokenGenerationPermissions();
-    this.grantPostAuthenticationPermissions();
-    this.grantPostConfirmationPermissions();
-    this.userPoolClient = this.createUserPoolClient();
-    this.userPoolDomain = this.createUserPoolDomain();
-  }
+// src/services/open-hi-rest-api-service.ts
+var REST_API_BASE_URL_SSM_NAME = "REST_API_BASE_URL";
+var REST_API_DOMAIN_NAME_SSM_NAME = "REST_API_DOMAIN_NAME";
+var DEV_CORS_ALLOW_ORIGINS = [
+  "http://localhost:3000",
+  "https://localhost:3000",
+  "http://localhost:5173",
+  "https://localhost:5173",
+  "http://127.0.0.1:3000",
+  "https://127.0.0.1:3000",
+  "http://127.0.0.1:5173",
+  "https://127.0.0.1:5173"
+];
+var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
   /**
-   * Returns an IUserPool by looking up the Auth stack's User Pool ID from SSM.
+   * Compose the REST API's full per-deploy domain. Thin wrapper over
+   * {@link OpenHiService.composeServiceDomain} that pins `domainPrefix`
+   * to {@link API_DOMAIN_PREFIX}.
+   *
+   * Use from sibling stacks that need to predict the API's hostname
+   * before the REST API stack is synthesised.
    */
-  static userPoolFromConstruct(scope) {
-    const userPoolId = DiscoverableStringParameter.valueForLookupName(scope, {
-      ssmParamName: CognitoUserPool.SSM_PARAM_NAME,
-      serviceType: _OpenHiAuthService.SERVICE_TYPE
+  static composeFullDomain(opts) {
+    return OpenHiService.composeServiceDomain({
+      ...opts,
+      domainPrefix: _OpenHiRestApiService.API_DOMAIN_PREFIX
     });
-    return import_aws_cognito4.UserPool.fromUserPoolId(scope, "user-pool", userPoolId);
-  }
-  /**
-   * Returns an IUserPoolClient by looking up the Auth stack's User Pool Client ID from SSM.
-   */
-  static userPoolClientFromConstruct(scope) {
-    const userPoolClientId = DiscoverableStringParameter.valueForLookupName(
-      scope,
-      {
-        ssmParamName: CognitoUserPoolClient.SSM_PARAM_NAME,
-        serviceType: _OpenHiAuthService.SERVICE_TYPE
-      }
-    );
-    return import_aws_cognito4.UserPoolClient.fromUserPoolClientId(
-      scope,
-      "user-pool-client",
-      userPoolClientId
-    );
   }
   /**
-   * Returns an IUserPoolDomain by looking up the Auth stack's User Pool Domain from SSM.
+   * Returns an IHttpApi by looking up the REST API stack's HTTP API ID from SSM.
    */
-  static userPoolDomainFromConstruct(scope) {
-    const domainName = DiscoverableStringParameter.valueForLookupName(scope, {
-      ssmParamName: CognitoUserPoolDomain.SSM_PARAM_NAME,
-      serviceType: _OpenHiAuthService.SERVICE_TYPE
+  static rootHttpApiFromConstruct(scope) {
+    const httpApiId = DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: RootHttpApi.SSM_PARAM_NAME,
+      serviceType: _OpenHiRestApiService.SERVICE_TYPE
     });
-    return import_aws_cognito4.UserPoolDomain.fromDomainName(scope, "user-pool-domain", domainName);
+    return import_aws_apigatewayv22.HttpApi.fromHttpApiAttributes(scope, "http-api", { httpApiId });
   }
   /**
-   * Returns the full Cognito Hosted UI base URL (e.g.
-   * `https://auth-abc.auth.us-east-2.amazoncognito.com`) by looking up
-   * the Auth stack's User Pool Domain from SSM and composing it with the
-   * calling stack's region.
-   *
-   * Equivalent to `UserPoolDomain.baseUrl()` on the concrete construct,
-   * but works across stacks where the looked-up `IUserPoolDomain` is an
-   * `Import` and does not carry the `baseUrl()` method. Assumes the
-   * domain was created as a Cognito-managed prefix domain (the only
-   * variant `OpenHiAuthService.createUserPoolDomain` produces).
+   * Returns the REST API base URL (e.g. https://api.example.com) by looking it up from SSM.
+   * Use in other stacks for E2E, scripts, or config.
    */
-  static userPoolDomainBaseUrlFromConstruct(scope) {
-    const domainName = DiscoverableStringParameter.valueForLookupName(scope, {
-      ssmParamName: CognitoUserPoolDomain.SSM_PARAM_NAME,
-      serviceType: _OpenHiAuthService.SERVICE_TYPE
+  static restApiBaseUrlFromConstruct(scope) {
+    return DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: REST_API_BASE_URL_SSM_NAME,
+      serviceType: _OpenHiRestApiService.SERVICE_TYPE
     });
-    const region = import_core.Stack.of(scope).region;
-    return `https://${domainName}.auth.${region}.amazoncognito.com`;
   }
   /**
-   * Returns an IKey (KMS) by looking up the Auth stack's User Pool KMS Key ARN from SSM.
+   * Returns the REST API's custom domain name (bare hostname, no scheme — e.g.
+   * `api.example.com`) by looking it up from SSM. Use as the host for a
+   * CloudFront `HttpOrigin` so the website's distribution can proxy `/api/*`
+   * to this stack's API Gateway without per-branch DNS knowledge.
    */
-  static userPoolKmsKeyFromConstruct(scope) {
-    const keyArn = DiscoverableStringParameter.valueForLookupName(scope, {
-      ssmParamName: CognitoUserPoolKmsKey.SSM_PARAM_NAME,
-      serviceType: _OpenHiAuthService.SERVICE_TYPE
+  static restApiDomainNameFromConstruct(scope) {
+    return DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: REST_API_DOMAIN_NAME_SSM_NAME,
+      serviceType: _OpenHiRestApiService.SERVICE_TYPE
     });
-    return import_aws_kms2.Key.fromKeyArn(scope, "kms-key", keyArn);
   }
   get serviceType() {
-    return _OpenHiAuthService.SERVICE_TYPE;
+    return _OpenHiRestApiService.SERVICE_TYPE;
   }
-  /**
-   * Creates the KMS key for the Cognito User Pool and exports its ARN to SSM.
-   * Look up via {@link OpenHiAuthService.userPoolKmsKeyFromConstruct}.
-   * Override to customize.
-   */
-  createUserPoolKmsKey() {
-    const key = new CognitoUserPoolKmsKey(this);
-    new DiscoverableStringParameter(this, "kms-key-param", {
-      ssmParamName: CognitoUserPoolKmsKey.SSM_PARAM_NAME,
-      stringValue: key.keyArn,
-      description: "KMS key ARN for Cognito User Pool (e.g. custom sender); cross-stack reference"
-    });
-    return key;
-  }
-  /**
-   * Creates the Pre Token Generation Lambda (Cognito trigger). On every
-   * sign-in and token refresh the Lambda resolves the User by Cognito `sub`
-   * (GSI2) and injects `ohi_tid`, `ohi_wid`, `ohi_uid`, `ohi_uname` into
-   * both the ID token and the access token (ADR 2026-03-17-01).
-   */
-  createPreTokenGenerationLambda() {
-    const construct = new PreTokenGenerationLambda(this, {
-      dynamoTableName: this.dataStoreTable().tableName
-    });
-    return construct.lambda;
-  }
-  /**
-   * Creates the Post Authentication Lambda (Cognito trigger). Calls
-   * AdminUserGlobalSignOut on every sign-in to enforce single-device-per-user
-   * sessions per ADR 2026-03-17-01.
-   */
-  createPostAuthenticationLambda() {
-    const construct = new PostAuthenticationLambda(this);
-    return construct.lambda;
+  constructor(ohEnv, props = {}) {
+    super(ohEnv, _OpenHiRestApiService.SERVICE_TYPE, props);
+    this.props = props;
+    this.validateConfig(props);
+    const hostedZone = this.createHostedZone();
+    const certificate = this.createCertificate();
+    this.apiDomainName = this.createApiDomainNameString(hostedZone);
+    this.createRestApiBaseUrlParameter(this.apiDomainName);
+    this.createRestApiDomainNameParameter(this.apiDomainName);
+    const domainName = this.createDomainName(hostedZone, certificate);
+    this.rootHttpApi = this.createRootHttpApi(domainName);
+    this.createRestApiLambdaAndRoutes(hostedZone, domainName);
   }
   /**
-   * Creates the Post Confirmation Lambda (Cognito trigger). On sign-up
-   * confirmation, publishes a control-plane workflow event; provisioning lives
-   * behind EventBridge.
+   * Validates that config required for the REST API stack is present.
    */
-  createPostConfirmationLambda() {
-    const construct = new PostConfirmationLambda(this, {
-      controlEventBusName: this.controlEventBus().eventBusName
-    });
-    return construct.lambda;
-  }
-  createUserOnboardingWorkflow() {
-    return new UserOnboardingWorkflow(this, {
-      controlEventBus: this.controlEventBus(),
-      dataStoreTable: this.dataStoreTable()
-    });
-  }
-  dataStoreTable() {
-    if (this._dataStoreTable === null) {
-      this._dataStoreTable = OpenHiDataService.dynamoDbDataStoreFromConstruct(this);
+  validateConfig(props) {
+    const { config } = props;
+    if (!config) {
+      throw new Error("Config is required");
     }
-    return this._dataStoreTable;
-  }
-  controlEventBus() {
-    if (this._controlEventBus === null) {
-      this._controlEventBus = OpenHiGlobalService.controlEventBusFromConstruct(this);
+    if (!config.hostedZoneId) {
+      throw new Error("Hosted zone ID is required");
+    }
+    if (!config.zoneName) {
+      throw new Error("Zone name is required");
     }
-    return this._controlEventBus;
   }
   /**
-   * Creates the Cognito User Pool and exports its ID to SSM.
-   * Look up via {@link OpenHiAuthService.userPoolFromConstruct}.
+   * Creates the hosted zone reference (imported from config).
    * Override to customize.
    */
-  createUserPool() {
-    const userPool = new CognitoUserPool(this, {
-      ...this.props.userPoolProps,
-      customSenderKmsKey: this.userPoolKmsKey
-    });
-    userPool.addTrigger(
-      import_aws_cognito4.UserPoolOperation.PRE_TOKEN_GENERATION_CONFIG,
-      this.preTokenGenerationLambda,
-      import_aws_cognito4.LambdaVersion.V2_0
-    );
-    userPool.addTrigger(
-      import_aws_cognito4.UserPoolOperation.POST_AUTHENTICATION,
-      this.postAuthenticationLambda
-    );
-    userPool.addTrigger(
-      import_aws_cognito4.UserPoolOperation.POST_CONFIRMATION,
-      this.postConfirmationLambda
-    );
-    new DiscoverableStringParameter(this, "user-pool-param", {
-      ssmParamName: CognitoUserPool.SSM_PARAM_NAME,
-      stringValue: userPool.userPoolId,
-      description: "Cognito User Pool ID for this Auth stack; cross-stack reference"
+  createHostedZone() {
+    const { config } = this.props;
+    return import_aws_route535.HostedZone.fromHostedZoneAttributes(this, "root-zone", {
+      hostedZoneId: config.hostedZoneId,
+      zoneName: config.zoneName
     });
-    return userPool;
   }
   /**
-   * Grants the Pre Token Generation Lambda read-only access on the data
-   * store table and its GSIs. The Lambda only needs:
-   * - `Query` on GSI2 to resolve a User by Cognito `sub`
-   * - `GetItem` on the base table for direct User reads
-   *
-   * No write or scan access: a User missing `currentTenant`/`currentWorkspace`
-   * falls into the absent-claims path; repair belongs in a separate backfill.
+   * Creates the wildcard certificate (imported from Global stack via SSM).
+   * Override to customize.
    */
-  grantPreTokenGenerationPermissions() {
-    const dataStoreTable = this.dataStoreTable();
-    const dynamoActions = ["dynamodb:GetItem", "dynamodb:Query"];
-    dataStoreTable.grant(this.preTokenGenerationLambda, ...dynamoActions);
-    this.preTokenGenerationLambda.addToRolePolicy(
-      new import_aws_iam6.PolicyStatement({
-        effect: import_aws_iam6.Effect.ALLOW,
-        actions: [...dynamoActions],
-        resources: [`${dataStoreTable.tableArn}/index/*`]
-      })
-    );
+  createCertificate() {
+    return OpenHiGlobalService.rootWildcardCertificateFromConstruct(this);
   }
   /**
-   * Grants the Post Authentication Lambda permission to call
-   * `cognito-idp:AdminUserGlobalSignOut`.
-   *
-   * Scoped via `Stack.of(this).formatArn` rather than `userPool.userPoolArn`
-   * because the User Pool registers this Lambda as a Post Authentication
-   * trigger, creating the cycle:
-   *   userPool → lambda (trigger ARN) → role policy → userPool ARN.
-   * Using `formatArn` avoids referencing the User Pool resource directly
-   * while still scoping to user pools in this account+region. The Lambda
-   * is invoked only by Cognito with a Cognito-provided `event.userPoolId`,
-   * so the runtime target is constrained by the trigger contract.
+   * Returns the API domain name string (e.g. api.example.com or api-\{prefix\}.example.com).
+   * Delegates to {@link OpenHiRestApiService.composeFullDomain} so the
+   * release-vs-feature composition stays in one place; picks up
+   * `this.defaultReleaseBranch` (not a hard-coded `"main"`).
+   * Override to customize.
    */
-  grantPostAuthenticationPermissions() {
-    this.postAuthenticationLambda.addToRolePolicy(
-      new import_aws_iam6.PolicyStatement({
-        actions: ["cognito-idp:AdminUserGlobalSignOut"],
-        resources: [
-          import_core.Stack.of(this).formatArn({
-            service: "cognito-idp",
-            resource: "userpool",
-            resourceName: "*"
-          })
-        ]
-      })
-    );
+  createApiDomainNameString(hostedZone) {
+    return _OpenHiRestApiService.composeFullDomain({
+      branchName: this.branchName,
+      defaultReleaseBranch: this.defaultReleaseBranch,
+      childZonePrefix: this.childZonePrefix,
+      zoneName: hostedZone.zoneName
+    });
   }
   /**
-   * Grants the Post Confirmation Lambda publish-only access to the
-   * control-plane event bus. Workflow Lambdas own DynamoDB writes.
+   * Creates the SSM parameter for the REST API base URL.
+   * Look up via {@link OpenHiRestApiService.restApiBaseUrlFromConstruct}.
+   * Override to customize.
    */
-  grantPostConfirmationPermissions() {
-    this.controlEventBus().grantPutEventsTo(this.postConfirmationLambda);
+  createRestApiBaseUrlParameter(apiDomainName) {
+    const restApiBaseUrl = `https://${apiDomainName}`;
+    new DiscoverableStringParameter(this, "rest-api-base-url-param", {
+      ssmParamName: REST_API_BASE_URL_SSM_NAME,
+      stringValue: restApiBaseUrl,
+      description: "REST API base URL for this deployment (E2E, scripts)"
+    });
   }
   /**
-   * Creates the User Pool Client and exports its ID to SSM (AUTH service type).
-   * Look up via {@link OpenHiAuthService.userPoolClientFromConstruct}.
+   * Creates the SSM parameter exposing the REST API's custom domain (bare
+   * hostname, no scheme). Consumed by the website service as the CloudFront
+   * `/api/*` origin host.
+   * Look up via {@link OpenHiRestApiService.restApiDomainNameFromConstruct}.
    * Override to customize.
    */
-  createUserPoolClient() {
-    const client = new CognitoUserPoolClient(this, {
-      userPool: this.userPool
-    });
-    new DiscoverableStringParameter(this, "user-pool-client-param", {
-      ssmParamName: CognitoUserPoolClient.SSM_PARAM_NAME,
-      stringValue: client.userPoolClientId,
-      description: "Cognito User Pool Client ID for this Auth stack; cross-stack reference"
+  createRestApiDomainNameParameter(apiDomainName) {
+    new DiscoverableStringParameter(this, "rest-api-domain-name-param", {
+      ssmParamName: REST_API_DOMAIN_NAME_SSM_NAME,
+      stringValue: apiDomainName,
+      description: "REST API custom domain name (bare hostname) for cross-stack CloudFront origin lookup"
     });
-    return client;
   }
   /**
-   * Creates the User Pool Domain (Cognito hosted UI) and exports domain name to SSM.
-   * Look up via {@link OpenHiAuthService.userPoolDomainFromConstruct}.
+   * Creates the API Gateway custom domain name resource.
    * Override to customize.
    */
-  createUserPoolDomain() {
-    const domain = new CognitoUserPoolDomain(this, {
-      userPool: this.userPool,
-      cognitoDomain: {
-        domainPrefix: `auth-${this.branchHash}`
-      }
-    });
-    new DiscoverableStringParameter(this, "user-pool-domain-param", {
-      ssmParamName: CognitoUserPoolDomain.SSM_PARAM_NAME,
-      stringValue: domain.domainName,
-      description: "Cognito User Pool Domain (hosted UI) for this Auth stack; cross-stack reference"
-    });
-    return domain;
-  }
-};
-_OpenHiAuthService.SERVICE_TYPE = "auth";
-var OpenHiAuthService = _OpenHiAuthService;
-// src/services/open-hi-rest-api-service.ts
-var import_config5 = __toESM(require_lib());
-var import_aws_apigatewayv22 = require("aws-cdk-lib/aws-apigatewayv2");
-var import_aws_apigatewayv2_authorizers = require("aws-cdk-lib/aws-apigatewayv2-authorizers");
-var import_aws_apigatewayv2_integrations = require("aws-cdk-lib/aws-apigatewayv2-integrations");
-var import_aws_iam7 = require("aws-cdk-lib/aws-iam");
-var import_aws_route535 = require("aws-cdk-lib/aws-route53");
-var import_aws_route53_targets3 = require("aws-cdk-lib/aws-route53-targets");
-var import_core2 = require("aws-cdk-lib/core");
-var import_constructs21 = require("constructs");
-// src/data/lambda/cors-options-lambda.ts
-var import_node_fs10 = __toESM(require("fs"));
-var import_node_path10 = __toESM(require("path"));
-var import_aws_lambda11 = require("aws-cdk-lib/aws-lambda");
-var import_aws_lambda_nodejs11 = require("aws-cdk-lib/aws-lambda-nodejs");
-var import_constructs19 = require("constructs");
-var HANDLER_NAME10 = "cors-options-lambda.handler.js";
-function resolveHandlerEntry10(dirname) {
-  const sameDir = import_node_path10.default.join(dirname, HANDLER_NAME10);
-  if (import_node_fs10.default.existsSync(sameDir)) {
-    return sameDir;
-  }
-  const fromLib = import_node_path10.default.join(dirname, "..", "..", "..", "lib", HANDLER_NAME10);
-  return fromLib;
-}
-var CorsOptionsLambda = class extends import_constructs19.Construct {
-  constructor(scope, id = "cors-options-lambda") {
-    super(scope, id);
-    this.lambda = new import_aws_lambda_nodejs11.NodejsFunction(this, "handler", {
-      entry: resolveHandlerEntry10(__dirname),
-      runtime: import_aws_lambda11.Runtime.NODEJS_LATEST,
-      memorySize: 128
-    });
-  }
-};
-// src/data/lambda/rest-api-lambda.ts
-var import_node_fs11 = __toESM(require("fs"));
-var import_node_path11 = __toESM(require("path"));
-var import_aws_lambda12 = require("aws-cdk-lib/aws-lambda");
-var import_aws_lambda_nodejs12 = require("aws-cdk-lib/aws-lambda-nodejs");
-var import_constructs20 = require("constructs");
-var HANDLER_NAME11 = "rest-api-lambda.handler.js";
-function resolveHandlerEntry11(dirname) {
-  const sameDir = import_node_path11.default.join(dirname, HANDLER_NAME11);
-  if (import_node_fs11.default.existsSync(sameDir)) {
-    return sameDir;
-  }
-  const fromLib = import_node_path11.default.join(dirname, "..", "..", "..", "lib", HANDLER_NAME11);
-  return fromLib;
-}
-var RestApiLambda = class extends import_constructs20.Construct {
-  constructor(scope, props) {
-    super(scope, "rest-api-lambda");
-    this.lambda = new import_aws_lambda_nodejs12.NodejsFunction(this, "handler", {
-      entry: resolveHandlerEntry11(__dirname),
-      runtime: import_aws_lambda12.Runtime.NODEJS_LATEST,
-      memorySize: 1024,
-      environment: {
-        DYNAMO_TABLE_NAME: props.dynamoTableName,
-        BRANCH_TAG_VALUE: props.branchTagValue,
-        HTTP_API_TAG_VALUE: props.httpApiTagValue,
-        OPENHI_PG_CLUSTER_ARN: props.postgresClusterArn,
-        OPENHI_PG_SECRET_ARN: props.postgresSecretArn,
-        OPENHI_PG_DATABASE: props.postgresDatabase,
-        OPENHI_PG_SCHEMA: props.postgresSchema,
-        ...props.extraEnvironment
-      },
-      bundling: {
-        minify: true,
-        sourceMap: false
-      }
-    });
-  }
-};
-// src/services/open-hi-rest-api-service.ts
-var REST_API_BASE_URL_SSM_NAME = "REST_API_BASE_URL";
-var REST_API_DOMAIN_NAME_SSM_NAME = "REST_API_DOMAIN_NAME";
-var DEV_CORS_ALLOW_ORIGINS = [
-  "http://localhost:3000",
-  "https://localhost:3000",
-  "http://localhost:5173",
-  "https://localhost:5173",
-  "http://127.0.0.1:3000",
-  "https://127.0.0.1:3000",
-  "http://127.0.0.1:5173",
-  "https://127.0.0.1:5173"
-];
-var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
-  /**
-   * Compose the REST API's full per-deploy domain. Thin wrapper over
-   * {@link OpenHiService.composeServiceDomain} that pins `domainPrefix`
-   * to {@link API_DOMAIN_PREFIX}.
-   *
-   * Use from sibling stacks that need to predict the API's hostname
-   * before the REST API stack is synthesised.
-   */
-  static composeFullDomain(opts) {
-    return OpenHiService.composeServiceDomain({
-      ...opts,
-      domainPrefix: _OpenHiRestApiService.API_DOMAIN_PREFIX
-    });
-  }
-  /**
-   * Returns an IHttpApi by looking up the REST API stack's HTTP API ID from SSM.
-   */
-  static rootHttpApiFromConstruct(scope) {
-    const httpApiId = DiscoverableStringParameter.valueForLookupName(scope, {
-      ssmParamName: RootHttpApi.SSM_PARAM_NAME,
-      serviceType: _OpenHiRestApiService.SERVICE_TYPE
-    });
-    return import_aws_apigatewayv22.HttpApi.fromHttpApiAttributes(scope, "http-api", { httpApiId });
-  }
-  /**
-   * Returns the REST API base URL (e.g. https://api.example.com) by looking it up from SSM.
-   * Use in other stacks for E2E, scripts, or config.
-   */
-  static restApiBaseUrlFromConstruct(scope) {
-    return DiscoverableStringParameter.valueForLookupName(scope, {
-      ssmParamName: REST_API_BASE_URL_SSM_NAME,
-      serviceType: _OpenHiRestApiService.SERVICE_TYPE
-    });
-  }
-  /**
-   * Returns the REST API's custom domain name (bare hostname, no scheme — e.g.
-   * `api.example.com`) by looking it up from SSM. Use as the host for a
-   * CloudFront `HttpOrigin` so the website's distribution can proxy `/api/*`
-   * to this stack's API Gateway without per-branch DNS knowledge.
-   */
-  static restApiDomainNameFromConstruct(scope) {
-    return DiscoverableStringParameter.valueForLookupName(scope, {
-      ssmParamName: REST_API_DOMAIN_NAME_SSM_NAME,
-      serviceType: _OpenHiRestApiService.SERVICE_TYPE
-    });
-  }
-  get serviceType() {
-    return _OpenHiRestApiService.SERVICE_TYPE;
-  }
-  constructor(ohEnv, props = {}) {
-    super(ohEnv, _OpenHiRestApiService.SERVICE_TYPE, props);
-    this.props = props;
-    this.validateConfig(props);
-    const hostedZone = this.createHostedZone();
-    const certificate = this.createCertificate();
-    this.apiDomainName = this.createApiDomainNameString(hostedZone);
-    this.createRestApiBaseUrlParameter(this.apiDomainName);
-    this.createRestApiDomainNameParameter(this.apiDomainName);
-    const domainName = this.createDomainName(hostedZone, certificate);
-    this.rootHttpApi = this.createRootHttpApi(domainName);
-    this.createRestApiLambdaAndRoutes(hostedZone, domainName);
-  }
-  /**
-   * Validates that config required for the REST API stack is present.
-   */
-  validateConfig(props) {
-    const { config } = props;
-    if (!config) {
-      throw new Error("Config is required");
-    }
-    if (!config.hostedZoneId) {
-      throw new Error("Hosted zone ID is required");
-    }
-    if (!config.zoneName) {
-      throw new Error("Zone name is required");
-    }
-  }
-  /**
-   * Creates the hosted zone reference (imported from config).
-   * Override to customize.
-   */
-  createHostedZone() {
-    const { config } = this.props;
-    return import_aws_route535.HostedZone.fromHostedZoneAttributes(this, "root-zone", {
-      hostedZoneId: config.hostedZoneId,
-      zoneName: config.zoneName
-    });
-  }
-  /**
-   * Creates the wildcard certificate (imported from Global stack via SSM).
-   * Override to customize.
-   */
-  createCertificate() {
-    return OpenHiGlobalService.rootWildcardCertificateFromConstruct(this);
-  }
-  /**
-   * Returns the API domain name string (e.g. api.example.com or api-\{prefix\}.example.com).
-   * Delegates to {@link OpenHiRestApiService.composeFullDomain} so the
-   * release-vs-feature composition stays in one place; picks up
-   * `this.defaultReleaseBranch` (not a hard-coded `"main"`).
-   * Override to customize.
-   */
-  createApiDomainNameString(hostedZone) {
-    return _OpenHiRestApiService.composeFullDomain({
-      branchName: this.branchName,
-      defaultReleaseBranch: this.defaultReleaseBranch,
-      childZonePrefix: this.childZonePrefix,
-      zoneName: hostedZone.zoneName
-    });
-  }
-  /**
-   * Creates the SSM parameter for the REST API base URL.
-   * Look up via {@link OpenHiRestApiService.restApiBaseUrlFromConstruct}.
-   * Override to customize.
-   */
-  createRestApiBaseUrlParameter(apiDomainName) {
-    const restApiBaseUrl = `https://${apiDomainName}`;
-    new DiscoverableStringParameter(this, "rest-api-base-url-param", {
-      ssmParamName: REST_API_BASE_URL_SSM_NAME,
-      stringValue: restApiBaseUrl,
-      description: "REST API base URL for this deployment (E2E, scripts)"
-    });
-  }
-  /**
-   * Creates the SSM parameter exposing the REST API's custom domain (bare
-   * hostname, no scheme). Consumed by the website service as the CloudFront
-   * `/api/*` origin host.
-   * Look up via {@link OpenHiRestApiService.restApiDomainNameFromConstruct}.
-   * Override to customize.
-   */
-  createRestApiDomainNameParameter(apiDomainName) {
-    new DiscoverableStringParameter(this, "rest-api-domain-name-param", {
-      ssmParamName: REST_API_DOMAIN_NAME_SSM_NAME,
-      stringValue: apiDomainName,
-      description: "REST API custom domain name (bare hostname) for cross-stack CloudFront origin lookup"
-    });
-  }
-  /**
-   * Creates the API Gateway custom domain name resource.
-   * Override to customize.
-   */
-  createDomainName(_hostedZone, certificate) {
-    const apiDomainName = this.createApiDomainNameString(_hostedZone);
-    return new import_aws_apigatewayv22.DomainName(this, "domain", {
-      domainName: apiDomainName,
-      certificate
+  createDomainName(_hostedZone, certificate) {
+    const apiDomainName = this.createApiDomainNameString(_hostedZone);
+    return new import_aws_apigatewayv22.DomainName(this, "domain", {
+      domainName: apiDomainName,
+      certificate
     });
   }
   /**
@@ -7429,8 +7047,8 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
       extraEnvironment
     });
     lambda.addToRolePolicy(
-      new import_aws_iam7.PolicyStatement({
-        effect: import_aws_iam7.Effect.ALLOW,
+      new import_aws_iam5.PolicyStatement({
+        effect: import_aws_iam5.Effect.ALLOW,
         actions: [
           "rds-data:ExecuteStatement",
           "rds-data:BatchExecuteStatement"
@@ -7439,8 +7057,8 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
       })
     );
     lambda.addToRolePolicy(
-      new import_aws_iam7.PolicyStatement({
-        effect: import_aws_iam7.Effect.ALLOW,
+      new import_aws_iam5.PolicyStatement({
+        effect: import_aws_iam5.Effect.ALLOW,
         actions: ["secretsmanager:GetSecretValue"],
         resources: [postgresSecretArn]
       })
@@ -7458,15 +7076,15 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
     ];
     dataStoreTable.grant(lambda, ...dynamoActions);
     lambda.addToRolePolicy(
-      new import_aws_iam7.PolicyStatement({
-        effect: import_aws_iam7.Effect.ALLOW,
+      new import_aws_iam5.PolicyStatement({
+        effect: import_aws_iam5.Effect.ALLOW,
         actions: [...dynamoActions],
         resources: [`${dataStoreTable.tableArn}/index/*`]
       })
     );
     lambda.addToRolePolicy(
-      new import_aws_iam7.PolicyStatement({
-        effect: import_aws_iam7.Effect.ALLOW,
+      new import_aws_iam5.PolicyStatement({
+        effect: import_aws_iam5.Effect.ALLOW,
         actions: [
           "ssm:GetParameter",
           "ssm:GetParameters",
@@ -7547,11 +7165,18 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
     const { corsPreflight: cors, ...restRootHttpApiProps } = this.props.rootHttpApiProps ?? {};
     const isNonProd = this.ohEnv.ohStage.stageType !== import_config5.OPEN_HI_STAGE.PROD;
     const callerOrigins = cors?.allowOrigins ?? [];
-    const mergedOrigins = isNonProd ? Array.from(/* @__PURE__ */ new Set([...callerOrigins, ...DEV_CORS_ALLOW_ORIGINS])) : callerOrigins;
-    const corsPreflight = cors !== void 0 || isNonProd ? this.buildCorsPreflightOptions(mergedOrigins, cors) : void 0;
+    const autoOrigins = this.resolveAutoInjectedCorsOrigins();
+    const mergedOrigins = Array.from(
+      /* @__PURE__ */ new Set([
+        ...callerOrigins,
+        ...autoOrigins,
+        ...isNonProd ? DEV_CORS_ALLOW_ORIGINS : []
+      ])
+    );
+    const corsPreflight = this.buildCorsPreflightOptions(mergedOrigins, cors);
     const rootHttpApi = new RootHttpApi(this, {
       ...restRootHttpApiProps,
-      ...corsPreflight !== void 0 && { corsPreflight },
+      corsPreflight,
       defaultDomainMapping: {
         domainName,
         mappingKey: void 0
@@ -7565,6 +7190,33 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
     });
     return rootHttpApi;
   }
+  /**
+   * Returns the admin-console and marketing-website origins this REST API
+   * stack should accept by default, composed from the same branch context
+   * the website service will see at synth time. Both hostnames are
+   * `https://`-only — they always resolve to real DNS records.
+   *
+   * Auto-injected on every stage (no `isNonProd` gate) so the admin SPA can
+   * call the API cross-origin without the caller having to predict the
+   * per-deploy hostname. Override to customize the auto-injected set.
+   */
+  resolveAutoInjectedCorsOrigins() {
+    const zoneName = this.props.config.zoneName;
+    const adminHost = OpenHiWebsiteService.composeFullDomain({
+      domainPrefix: ADMIN_DOMAIN_PREFIX,
+      branchName: this.branchName,
+      defaultReleaseBranch: this.defaultReleaseBranch,
+      childZonePrefix: this.childZonePrefix,
+      zoneName
+    });
+    const websiteHost = OpenHiWebsiteService.composeFullDomain({
+      branchName: this.branchName,
+      defaultReleaseBranch: this.defaultReleaseBranch,
+      childZonePrefix: this.childZonePrefix,
+      zoneName
+    });
+    return [`https://${adminHost}`, `https://${websiteHost}`];
+  }
   /**
    * Builds the full `CorsPreflightOptions` from a merged origins array,
    * filling defaults for `allowMethods`/`allowHeaders`/`allowCredentials`/
@@ -7584,7 +7236,7 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
       ],
       allowHeaders: cors?.allowHeaders ?? ["Content-Type", "Authorization"],
       allowCredentials: cors?.allowCredentials ?? true,
-      maxAge: cors?.maxAge ?? import_core2.Duration.days(1),
+      maxAge: cors?.maxAge ?? import_core.Duration.days(1),
       ...cors?.exposeHeaders !== void 0 && {
         exposeHeaders: cors.exposeHeaders
       }
@@ -7602,7 +7254,7 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
    * client-side from `window.location.origin`.
    */
   resolveRuntimeConfigEnvVars() {
-    const cognitoScope = new import_constructs21.Construct(this, "runtime-config");
+    const cognitoScope = new import_constructs19.Construct(this, "runtime-config");
     const userPool = OpenHiAuthService.userPoolFromConstruct(cognitoScope);
     const userPoolClient = OpenHiAuthService.userPoolClientFromConstruct(cognitoScope);
     const cognitoDomainUrl = OpenHiAuthService.userPoolDomainBaseUrlFromConstruct(cognitoScope);
@@ -7622,330 +7274,774 @@ _OpenHiRestApiService.SERVICE_TYPE = "rest-api";
 _OpenHiRestApiService.API_DOMAIN_PREFIX = "api";
 var OpenHiRestApiService = _OpenHiRestApiService;
-// src/services/open-hi-graphql-service.ts
-var import_aws_appsync2 = require("aws-cdk-lib/aws-appsync");
-var _OpenHiGraphqlService = class _OpenHiGraphqlService extends OpenHiService {
+// src/services/open-hi-website-service.ts
+var SSM_PARAM_NAME_FULL_DOMAIN = "WEBSITE_FULL_DOMAIN";
+var ADMIN_DOMAIN_PREFIX = "admin";
+var _OpenHiWebsiteService = class _OpenHiWebsiteService extends OpenHiService {
   /**
-   * Returns the GraphQL API by looking up the GraphQL stack's API ID from SSM.
-   * Use from other stacks to obtain an IGraphqlApi reference.
+   * Compose the website's full per-deploy domain. Thin wrapper over
+   * {@link OpenHiService.composeServiceDomain} that fills in
+   * {@link DEFAULT_DOMAIN_PREFIX} when `domainPrefix` is omitted.
+   *
+   * Use from sibling stacks that need to predict the website's hostname
+   * before the website stack is synthesised — e.g. the REST API stack
+   * computing its CORS `allowOrigins` for the admin-console.
    */
-  static graphqlApiFromConstruct(scope) {
-    return RootGraphqlApi.fromConstruct(scope);
+  static composeFullDomain(opts) {
+    return OpenHiService.composeServiceDomain({
+      ...opts,
+      domainPrefix: opts.domainPrefix ?? _OpenHiWebsiteService.DEFAULT_DOMAIN_PREFIX
+    });
   }
-  get serviceType() {
-    return _OpenHiGraphqlService.SERVICE_TYPE;
+  /**
+   * Looks up the static-hosting bucket ARN published by the release-branch
+   * deploy of this service.
+   */
+  static bucketArnFromConstruct(scope) {
+    return DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: StaticHosting.SSM_PARAM_NAME_BUCKET_ARN,
+      serviceType: _OpenHiWebsiteService.SERVICE_TYPE
+    });
+  }
+  /**
+   * Looks up the CloudFront distribution ARN published by the release-branch
+   * deploy of this service.
+   */
+  static distributionArnFromConstruct(scope) {
+    return DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: StaticHosting.SSM_PARAM_NAME_DISTRIBUTION_ARN,
+      serviceType: _OpenHiWebsiteService.SERVICE_TYPE
+    });
+  }
+  /**
+   * Looks up the CloudFront distribution domain
+   * (e.g. dXXXXX.cloudfront.net) published by the release-branch deploy.
+   */
+  static distributionDomainFromConstruct(scope) {
+    return DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: StaticHosting.SSM_PARAM_NAME_DISTRIBUTION_DOMAIN,
+      serviceType: _OpenHiWebsiteService.SERVICE_TYPE
+    });
+  }
+  /**
+   * Looks up the CloudFront distribution ID published by the release-branch
+   * deploy of this service.
+   */
+  static distributionIdFromConstruct(scope) {
+    return DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: StaticHosting.SSM_PARAM_NAME_DISTRIBUTION_ID,
+      serviceType: _OpenHiWebsiteService.SERVICE_TYPE
+    });
+  }
+  /**
+   * Looks up the website's full domain (e.g. www.example.com) published by
+   * the release-branch deploy of this service.
+   */
+  static fullDomainFromConstruct(scope) {
+    return DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: SSM_PARAM_NAME_FULL_DOMAIN,
+      serviceType: _OpenHiWebsiteService.SERVICE_TYPE
+    });
+  }
+  get serviceType() {
+    return _OpenHiWebsiteService.SERVICE_TYPE;
+  }
+  constructor(ohEnv, props) {
+    super(ohEnv, _OpenHiWebsiteService.SERVICE_TYPE, props);
+    this.props = props;
+    this.validateConfig(props);
+    const isReleaseBranch = this.branchName === this.defaultReleaseBranch;
+    const hostedZone = this.createHostedZone();
+    this.fullDomain = this.computeFullDomain(hostedZone);
+    const shouldCreateHostingInfra = props.createHostingInfrastructure ?? isReleaseBranch;
+    if (shouldCreateHostingInfra) {
+      const certificate = this.createCertificate();
+      this.staticHosting = this.createStaticHosting({
+        certificate,
+        hostedZone
+      });
+      this.createFullDomainParameter();
+    } else if (!isReleaseBranch) {
+      this.perBranchHostname = this.createPerBranchHostname(hostedZone);
+    }
+    if (props.createStaticContent !== false) {
+      const bucket = this.resolveStaticHostingBucket();
+      this.staticContent = this.createStaticContent(bucket);
+    }
+  }
+  /**
+   * Validates that config required for the website stack is present.
+   */
+  validateConfig(props) {
+    const { config } = props;
+    if (!config) {
+      throw new Error("Config is required");
+    }
+    if (!config.zoneName) {
+      throw new Error("Zone name is required");
+    }
+    if (!config.hostedZoneId) {
+      throw new Error("Hosted zone ID is required to import the website zone");
+    }
+  }
+  /**
+   * Imports the website's hosted zone from config attributes (no SSM lookup).
+   * The website attaches DNS records here on the release-branch deploy and
+   * the same zone is imported on feature-branch deploys for any sub-domain
+   * routing.
+   * Override to customize.
+   */
+  createHostedZone() {
+    return OpenHiGlobalService.rootHostedZoneFromConstruct(this, {
+      zoneName: this.config.zoneName,
+      hostedZoneId: this.config.hostedZoneId
+    });
+  }
+  /**
+   * Returns the wildcard certificate looked up from the Global service.
+   * Override to customize.
+   */
+  createCertificate() {
+    return OpenHiGlobalService.rootWildcardCertificateFromConstruct(this);
+  }
+  /**
+   * Computes the full website domain from `domainPrefix`,
+   * `childZonePrefix`, and the child zone name. Release-branch deploys
+   * serve at `\<domainPrefix\>.\<zone\>` (e.g. `admin.dev.openhi.org`);
+   * every other deploy serves a per-PR preview at
+   * `\<domainPrefix\>-\<childZonePrefix\>.\<zone\>`
+   * (e.g. `admin-feat-1093-patient-migration.dev.openhi.org`).
+   *
+   * Delegates to {@link OpenHiWebsiteService.composeFullDomain} so the
+   * release-vs-feature composition stays in one place.
+   */
+  computeFullDomain(hostedZone) {
+    return _OpenHiWebsiteService.composeFullDomain({
+      domainPrefix: this.props.domainPrefix,
+      branchName: this.branchName,
+      defaultReleaseBranch: this.defaultReleaseBranch,
+      childZonePrefix: this.childZonePrefix,
+      zoneName: hostedZone.zoneName
+    });
+  }
+  /**
+   * Returns the sub-domain label (left of the zone) for the current
+   * deploy. Used for the per-branch S3 key prefix passed to
+   * {@link StaticContent} so the upload prefix always matches the
+   * served hostname.
+   *
+   * Non-release deploys compose the per-PR slug as
+   * `\<domainPrefix\>-\<childZonePrefix\>`, mirroring the REST API's
+   * `api-\<childZonePrefix\>` convention. When `domainPrefix` is `admin`
+   * (the only consumer today), the resulting sub-domain starts with
+   * {@link PER_BRANCH_PREVIEW_PREFIX}, so the per-PR S3 key prefix
+   * matches what `StaticHosting`'s lifecycle rule expires.
+   */
+  computeSubDomain() {
+    const isReleaseBranch = this.branchName === this.defaultReleaseBranch;
+    const domainPrefix = this.props.domainPrefix ?? _OpenHiWebsiteService.DEFAULT_DOMAIN_PREFIX;
+    if (isReleaseBranch) {
+      return domainPrefix;
+    }
+    return `${domainPrefix}-${this.childZonePrefix}`;
+  }
+  /**
+   * Creates the StaticHosting infrastructure (bucket + distribution +
+   * Lambda@Edge + 4 SSM params + DNS). The release-branch distribution
+   * adds `*.\<zone\>` as a wildcard alt-name on top of the canonical
+   * hostname so per-PR previews resolve via the same distribution.
+   *
+   * The bucket carries an S3 lifecycle rule that expires per-PR
+   * preview content (keys under {@link PER_BRANCH_PREVIEW_PREFIX})
+   * on non-production stages. PROD never gets the rule — see
+   * `enablePreviewLifecycle`.
+   */
+  createStaticHosting(deps) {
+    const restApi = this.props.restApi === true ? this.resolveRestApi() : void 0;
+    const wildcardSan = `*.${deps.hostedZone.zoneName}`;
+    return new StaticHosting(this, "static-hosting", {
+      serviceType: _OpenHiWebsiteService.SERVICE_TYPE,
+      certificate: deps.certificate,
+      hostedZone: deps.hostedZone,
+      domainNames: [this.fullDomain, wildcardSan],
+      description: `OpenHI website (${this.fullDomain})`,
+      prefixPattern: PER_BRANCH_PREVIEW_PREFIX,
+      enablePreviewLifecycle: this.ohEnv.ohStage.stageType !== import_config6.OPEN_HI_STAGE.PROD,
+      ...restApi !== void 0 && { restApi }
+    });
+  }
+  /**
+   * Resolves the REST API custom-domain hostname from the rest-api stack's
+   * `REST_API_DOMAIN_NAME` SSM parameter. Wrapped in a private method so
+   * it can be overridden / stubbed in subclasses and tests.
+   */
+  resolveRestApi() {
+    return {
+      domainName: OpenHiRestApiService.restApiDomainNameFromConstruct(this)
+    };
+  }
+  /**
+   * Creates the SSM parameter that publishes the website's full domain.
+   * Look up via {@link OpenHiWebsiteService.fullDomainFromConstruct}.
+   */
+  createFullDomainParameter() {
+    new DiscoverableStringParameter(this, "full-domain-param", {
+      ssmParamName: SSM_PARAM_NAME_FULL_DOMAIN,
+      serviceType: _OpenHiWebsiteService.SERVICE_TYPE,
+      stringValue: this.fullDomain,
+      description: "Full website domain (e.g. www.example.com)"
+    });
+  }
+  /**
+   * Creates the StaticContent uploader. Receives the resolved static-hosting
+   * bucket from the constructor — on the release-branch deploy this is the
+   * just-created {@link staticHosting} bucket (no SSM round-trip within a
+   * single stack); on every other deploy it is imported from the bucket ARN
+   * the release-branch deploy publishes to SSM, addressed against
+   * {@link OpenHiService.releaseBranchHash}. See
+   * {@link resolveStaticHostingBucket}.
+   *
+   * The S3 key prefix is `\<sub-domain\>.\<zone\>/\<contentDest\>` so the
+   * upload location matches the Host-header-derived folder the Lambda@Edge
+   * viewer-request handler prepends. Passing the zone name (rather than
+   * `this.fullDomain`) for the `fullDomain` prop keeps the prefix flat —
+   * `admin-feat-foo.dev.openhi.org/`, not
+   * `admin-feat-foo.admin.dev.openhi.org/`.
+   */
+  createStaticContent(bucket) {
+    const { contentSourceDirectory, contentDestinationDirectory } = this.props;
+    return new StaticContent(this, "static-content", {
+      bucket,
+      contentSourceDirectory,
+      contentDestinationDirectory,
+      subDomain: this.computeSubDomain(),
+      fullDomain: this.config.zoneName
+    });
+  }
+  /**
+   * Creates the per-PR `PerBranchHostname` alias record on non-release
+   * branch deploys. The record points
+   * `\<domainPrefix\>-\<childZonePrefix\>.\<zone\>` at the release-branch
+   * CloudFront distribution (resolved from SSM against
+   * {@link OpenHiService.releaseBranchHash}).
+   */
+  createPerBranchHostname(hostedZone) {
+    return new PerBranchHostname(this, "per-branch-hostname", {
+      hostname: this.fullDomain,
+      hostedZone,
+      serviceType: _OpenHiWebsiteService.SERVICE_TYPE
+    });
+  }
+  /**
+   * Returns an {@link IBucket} pointing at the static-hosting bucket the
+   * uploaders write to. On the release-branch deploy this is the bucket
+   * just provisioned by {@link staticHosting}; on every other deploy it's
+   * imported from the bucket ARN the release-branch deploy publishes to
+   * SSM, addressed against {@link OpenHiService.releaseBranchHash}.
+   */
+  resolveStaticHostingBucket() {
+    if (this.staticHosting) {
+      return this.staticHosting.bucket;
+    }
+    const bucketArn = DiscoverableStringParameter.valueForLookupName(this, {
+      ssmParamName: StaticHosting.SSM_PARAM_NAME_BUCKET_ARN,
+      serviceType: _OpenHiWebsiteService.SERVICE_TYPE,
+      branchHash: this.releaseBranchHash
+    });
+    return import_aws_s32.Bucket.fromBucketArn(this, "shared-bucket", bucketArn);
+  }
+};
+_OpenHiWebsiteService.SERVICE_TYPE = "website";
+/**
+ * Default `domainPrefix` for this service when none is supplied.
+ * Release-branch hostname is `www.<zone>`; per-PR preview hostname is
+ * `www-<childZonePrefix>.<zone>`.
+ */
+_OpenHiWebsiteService.DEFAULT_DOMAIN_PREFIX = "www";
+var OpenHiWebsiteService = _OpenHiWebsiteService;
+// src/workflows/control-plane/user-onboarding/events.ts
+var USER_ONBOARDING_EVENT_SOURCE = "openhi.control.user-onboarding";
+var PROVISION_DEFAULT_WORKSPACE_DETAIL_TYPE = "ProvisionDefaultWorkspaceRequested";
+var buildProvisionDefaultWorkspaceRequestedDetail = (event) => {
+  const attrs = event.request?.userAttributes ?? {};
+  const cognitoSub = attrs.sub?.trim();
+  if (!cognitoSub) {
+    return void 0;
+  }
+  const email = attrs.email?.trim();
+  const displayName = email || event.userName || cognitoSub;
+  return {
+    cognitoSub,
+    ...email ? { email } : {},
+    displayName,
+    trigger: {
+      source: "cognito.post-confirmation",
+      triggerSource: event.triggerSource,
+      userPoolId: event.userPoolId,
+      userName: event.userName,
+      clientId: event.callerContext?.clientId
+    }
+  };
+};
+// src/workflows/control-plane/user-onboarding/provision-default-workspace-lambda.ts
+var import_node_fs11 = __toESM(require("fs"));
+var import_node_path11 = __toESM(require("path"));
+var import_aws_cdk_lib15 = require("aws-cdk-lib");
+var import_aws_events8 = require("aws-cdk-lib/aws-events");
+var import_aws_events_targets4 = require("aws-cdk-lib/aws-events-targets");
+var import_aws_iam6 = require("aws-cdk-lib/aws-iam");
+var import_aws_lambda12 = require("aws-cdk-lib/aws-lambda");
+var import_aws_lambda_nodejs12 = require("aws-cdk-lib/aws-lambda-nodejs");
+var import_constructs20 = require("constructs");
+var HANDLER_NAME11 = "provision-default-workspace.handler.js";
+function resolveHandlerEntry11(dirname) {
+  const sameDir = import_node_path11.default.join(dirname, HANDLER_NAME11);
+  if (import_node_fs11.default.existsSync(sameDir)) {
+    return sameDir;
+  }
+  return import_node_path11.default.join(dirname, "..", "..", "..", "..", "lib", HANDLER_NAME11);
+}
+var ProvisionDefaultWorkspaceLambda = class extends import_constructs20.Construct {
+  constructor(scope, props) {
+    super(scope, "provision-default-workspace-lambda");
+    this.lambda = new import_aws_lambda_nodejs12.NodejsFunction(this, "handler", {
+      entry: resolveHandlerEntry11(__dirname),
+      runtime: import_aws_lambda12.Runtime.NODEJS_LATEST,
+      memorySize: 1024,
+      environment: {
+        DYNAMO_TABLE_NAME: props.dataStoreTable.tableName
+      }
+    });
+    props.dataStoreTable.grant(
+      this.lambda,
+      "dynamodb:PutItem",
+      "dynamodb:UpdateItem"
+    );
+    this.lambda.addToRolePolicy(
+      new import_aws_iam6.PolicyStatement({
+        effect: import_aws_iam6.Effect.ALLOW,
+        actions: ["dynamodb:Query"],
+        resources: [`${props.dataStoreTable.tableArn}/index/*`]
+      })
+    );
+    this.rule = new import_aws_events8.Rule(this, "rule", {
+      eventBus: props.controlEventBus,
+      eventPattern: {
+        source: [USER_ONBOARDING_EVENT_SOURCE],
+        detailType: [PROVISION_DEFAULT_WORKSPACE_DETAIL_TYPE]
+      },
+      targets: [
+        new import_aws_events_targets4.LambdaFunction(this.lambda, {
+          retryAttempts: 2,
+          maxEventAge: import_aws_cdk_lib15.Duration.hours(2)
+        })
+      ]
+    });
+  }
+};
+// src/workflows/control-plane/user-onboarding/user-onboarding-workflow.ts
+var import_constructs21 = require("constructs");
+var UserOnboardingWorkflow = class extends import_constructs21.Construct {
+  constructor(scope, props) {
+    super(scope, "user-onboarding-workflow");
+    this.provisionDefaultWorkspace = new ProvisionDefaultWorkspaceLambda(this, {
+      dataStoreTable: props.dataStoreTable,
+      controlEventBus: props.controlEventBus
+    });
   }
+};
+// src/services/open-hi-auth-service.ts
+var LOCALHOST_OAUTH_CALLBACK_URLS = [
+  "http://localhost:3000/oauth/callback",
+  "https://localhost:3000/oauth/callback"
+];
+var LOCALHOST_OAUTH_LOGOUT_URLS = [
+  "http://localhost:3000/oauth/logout",
+  "https://localhost:3000/oauth/logout"
+];
+var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
   constructor(ohEnv, props = {}) {
-    super(ohEnv, _OpenHiGraphqlService.SERVICE_TYPE, props);
+    super(ohEnv, _OpenHiAuthService.SERVICE_TYPE, props);
+    /**
+     * Cross-stack reference to the data store table. Cached so repeated
+     * lookups share a single CDK construct id ("dynamo-db-data-store") in
+     * this stack — a second `Table.fromTableName` call under the same scope
+     * would collide.
+     */
+    this._dataStoreTable = null;
+    this._controlEventBus = null;
     this.props = props;
-    this.rootGraphqlApi = this.createRootGraphqlApi();
+    this.userPoolKmsKey = this.createUserPoolKmsKey();
+    this.preTokenGenerationLambda = this.createPreTokenGenerationLambda();
+    this.postAuthenticationLambda = this.createPostAuthenticationLambda();
+    this.postConfirmationLambda = this.createPostConfirmationLambda();
+    this.userOnboardingWorkflow = this.createUserOnboardingWorkflow();
+    this.userPool = this.createUserPool();
+    this.grantPreTokenGenerationPermissions();
+    this.grantPostAuthenticationPermissions();
+    this.grantPostConfirmationPermissions();
+    this.userPoolClient = this.createUserPoolClient();
+    this.userPoolDomain = this.createUserPoolDomain();
   }
-  /** Creates the root GraphQL API with Cognito user pool. */
-  createRootGraphqlApi() {
-    const userPool = OpenHiAuthService.userPoolFromConstruct(this);
-    return new RootGraphqlApi(this, {
-      authorizationConfig: {
-        defaultAuthorization: {
-          authorizationType: import_aws_appsync2.AuthorizationType.USER_POOL,
-          userPoolConfig: {
-            userPool,
-            defaultAction: import_aws_appsync2.UserPoolDefaultAction.ALLOW
-          }
-        }
+  /**
+   * Returns an IUserPool by looking up the Auth stack's User Pool ID from SSM.
+   */
+  static userPoolFromConstruct(scope) {
+    const userPoolId = DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: CognitoUserPool.SSM_PARAM_NAME,
+      serviceType: _OpenHiAuthService.SERVICE_TYPE
+    });
+    return import_aws_cognito4.UserPool.fromUserPoolId(scope, "user-pool", userPoolId);
+  }
+  /**
+   * Returns an IUserPoolClient by looking up the Auth stack's User Pool Client ID from SSM.
+   */
+  static userPoolClientFromConstruct(scope) {
+    const userPoolClientId = DiscoverableStringParameter.valueForLookupName(
+      scope,
+      {
+        ssmParamName: CognitoUserPoolClient.SSM_PARAM_NAME,
+        serviceType: _OpenHiAuthService.SERVICE_TYPE
       }
+    );
+    return import_aws_cognito4.UserPoolClient.fromUserPoolClientId(
+      scope,
+      "user-pool-client",
+      userPoolClientId
+    );
+  }
+  /**
+   * Returns an IUserPoolDomain by looking up the Auth stack's User Pool Domain from SSM.
+   */
+  static userPoolDomainFromConstruct(scope) {
+    const domainName = DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: CognitoUserPoolDomain.SSM_PARAM_NAME,
+      serviceType: _OpenHiAuthService.SERVICE_TYPE
     });
+    return import_aws_cognito4.UserPoolDomain.fromDomainName(scope, "user-pool-domain", domainName);
   }
-};
-_OpenHiGraphqlService.SERVICE_TYPE = "graphql-api";
-var OpenHiGraphqlService = _OpenHiGraphqlService;
-// src/services/open-hi-website-service.ts
-var import_config6 = __toESM(require_lib());
-var import_aws_s32 = require("aws-cdk-lib/aws-s3");
-var SSM_PARAM_NAME_FULL_DOMAIN = "WEBSITE_FULL_DOMAIN";
-var ADMIN_DOMAIN_PREFIX = "admin";
-var _OpenHiWebsiteService = class _OpenHiWebsiteService extends OpenHiService {
   /**
-   * Compose the website's full per-deploy domain. Thin wrapper over
-   * {@link OpenHiService.composeServiceDomain} that fills in
-   * {@link DEFAULT_DOMAIN_PREFIX} when `domainPrefix` is omitted.
+   * Returns the full Cognito Hosted UI base URL (e.g.
+   * `https://auth-abc.auth.us-east-2.amazoncognito.com`) by looking up
+   * the Auth stack's User Pool Domain from SSM and composing it with the
+   * calling stack's region.
    *
-   * Use from sibling stacks that need to predict the website's hostname
-   * before the website stack is synthesised — e.g. the REST API stack
-   * computing its CORS `allowOrigins` for the admin-console.
+   * Equivalent to `UserPoolDomain.baseUrl()` on the concrete construct,
+   * but works across stacks where the looked-up `IUserPoolDomain` is an
+   * `Import` and does not carry the `baseUrl()` method. Assumes the
+   * domain was created as a Cognito-managed prefix domain (the only
+   * variant `OpenHiAuthService.createUserPoolDomain` produces).
    */
-  static composeFullDomain(opts) {
-    return OpenHiService.composeServiceDomain({
-      ...opts,
-      domainPrefix: opts.domainPrefix ?? _OpenHiWebsiteService.DEFAULT_DOMAIN_PREFIX
+  static userPoolDomainBaseUrlFromConstruct(scope) {
+    const domainName = DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: CognitoUserPoolDomain.SSM_PARAM_NAME,
+      serviceType: _OpenHiAuthService.SERVICE_TYPE
     });
+    const region = import_core2.Stack.of(scope).region;
+    return `https://${domainName}.auth.${region}.amazoncognito.com`;
   }
   /**
-   * Looks up the static-hosting bucket ARN published by the release-branch
-   * deploy of this service.
+   * Returns an IKey (KMS) by looking up the Auth stack's User Pool KMS Key ARN from SSM.
    */
-  static bucketArnFromConstruct(scope) {
-    return DiscoverableStringParameter.valueForLookupName(scope, {
-      ssmParamName: StaticHosting.SSM_PARAM_NAME_BUCKET_ARN,
-      serviceType: _OpenHiWebsiteService.SERVICE_TYPE
+  static userPoolKmsKeyFromConstruct(scope) {
+    const keyArn = DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: CognitoUserPoolKmsKey.SSM_PARAM_NAME,
+      serviceType: _OpenHiAuthService.SERVICE_TYPE
     });
+    return import_aws_kms2.Key.fromKeyArn(scope, "kms-key", keyArn);
+  }
+  get serviceType() {
+    return _OpenHiAuthService.SERVICE_TYPE;
   }
   /**
-   * Looks up the CloudFront distribution ARN published by the release-branch
-   * deploy of this service.
+   * Creates the KMS key for the Cognito User Pool and exports its ARN to SSM.
+   * Look up via {@link OpenHiAuthService.userPoolKmsKeyFromConstruct}.
+   * Override to customize.
    */
-  static distributionArnFromConstruct(scope) {
-    return DiscoverableStringParameter.valueForLookupName(scope, {
-      ssmParamName: StaticHosting.SSM_PARAM_NAME_DISTRIBUTION_ARN,
-      serviceType: _OpenHiWebsiteService.SERVICE_TYPE
+  createUserPoolKmsKey() {
+    const key = new CognitoUserPoolKmsKey(this);
+    new DiscoverableStringParameter(this, "kms-key-param", {
+      ssmParamName: CognitoUserPoolKmsKey.SSM_PARAM_NAME,
+      stringValue: key.keyArn,
+      description: "KMS key ARN for Cognito User Pool (e.g. custom sender); cross-stack reference"
     });
+    return key;
   }
   /**
-   * Looks up the CloudFront distribution domain
-   * (e.g. dXXXXX.cloudfront.net) published by the release-branch deploy.
+   * Creates the Pre Token Generation Lambda (Cognito trigger). On every
+   * sign-in and token refresh the Lambda resolves the User by Cognito `sub`
+   * (GSI2) and injects `ohi_tid`, `ohi_wid`, `ohi_uid`, `ohi_uname` into
+   * both the ID token and the access token (ADR 2026-03-17-01).
    */
-  static distributionDomainFromConstruct(scope) {
-    return DiscoverableStringParameter.valueForLookupName(scope, {
-      ssmParamName: StaticHosting.SSM_PARAM_NAME_DISTRIBUTION_DOMAIN,
-      serviceType: _OpenHiWebsiteService.SERVICE_TYPE
+  createPreTokenGenerationLambda() {
+    const construct = new PreTokenGenerationLambda(this, {
+      dynamoTableName: this.dataStoreTable().tableName
     });
+    return construct.lambda;
   }
   /**
-   * Looks up the CloudFront distribution ID published by the release-branch
-   * deploy of this service.
+   * Creates the Post Authentication Lambda (Cognito trigger). Calls
+   * AdminUserGlobalSignOut on every sign-in to enforce single-device-per-user
+   * sessions per ADR 2026-03-17-01.
    */
-  static distributionIdFromConstruct(scope) {
-    return DiscoverableStringParameter.valueForLookupName(scope, {
-      ssmParamName: StaticHosting.SSM_PARAM_NAME_DISTRIBUTION_ID,
-      serviceType: _OpenHiWebsiteService.SERVICE_TYPE
-    });
+  createPostAuthenticationLambda() {
+    const construct = new PostAuthenticationLambda(this);
+    return construct.lambda;
   }
   /**
-   * Looks up the website's full domain (e.g. www.example.com) published by
-   * the release-branch deploy of this service.
+   * Creates the Post Confirmation Lambda (Cognito trigger). On sign-up
+   * confirmation, publishes a control-plane workflow event; provisioning lives
+   * behind EventBridge.
    */
-  static fullDomainFromConstruct(scope) {
-    return DiscoverableStringParameter.valueForLookupName(scope, {
-      ssmParamName: SSM_PARAM_NAME_FULL_DOMAIN,
-      serviceType: _OpenHiWebsiteService.SERVICE_TYPE
+  createPostConfirmationLambda() {
+    const construct = new PostConfirmationLambda(this, {
+      controlEventBusName: this.controlEventBus().eventBusName
     });
+    return construct.lambda;
   }
-  get serviceType() {
-    return _OpenHiWebsiteService.SERVICE_TYPE;
+  createUserOnboardingWorkflow() {
+    return new UserOnboardingWorkflow(this, {
+      controlEventBus: this.controlEventBus(),
+      dataStoreTable: this.dataStoreTable()
+    });
   }
-  constructor(ohEnv, props) {
-    super(ohEnv, _OpenHiWebsiteService.SERVICE_TYPE, props);
-    this.props = props;
-    this.validateConfig(props);
-    const isReleaseBranch = this.branchName === this.defaultReleaseBranch;
-    const hostedZone = this.createHostedZone();
-    this.fullDomain = this.computeFullDomain(hostedZone);
-    const shouldCreateHostingInfra = props.createHostingInfrastructure ?? isReleaseBranch;
-    if (shouldCreateHostingInfra) {
-      const certificate = this.createCertificate();
-      this.staticHosting = this.createStaticHosting({
-        certificate,
-        hostedZone
-      });
-      this.createFullDomainParameter();
-    } else if (!isReleaseBranch) {
-      this.perBranchHostname = this.createPerBranchHostname(hostedZone);
-    }
-    if (props.createStaticContent !== false) {
-      const bucket = this.resolveStaticHostingBucket();
-      this.staticContent = this.createStaticContent(bucket);
+  dataStoreTable() {
+    if (this._dataStoreTable === null) {
+      this._dataStoreTable = OpenHiDataService.dynamoDbDataStoreFromConstruct(this);
     }
+    return this._dataStoreTable;
   }
-  /**
-   * Validates that config required for the website stack is present.
-   */
-  validateConfig(props) {
-    const { config } = props;
-    if (!config) {
-      throw new Error("Config is required");
-    }
-    if (!config.zoneName) {
-      throw new Error("Zone name is required");
-    }
-    if (!config.hostedZoneId) {
-      throw new Error("Hosted zone ID is required to import the website zone");
+  controlEventBus() {
+    if (this._controlEventBus === null) {
+      this._controlEventBus = OpenHiGlobalService.controlEventBusFromConstruct(this);
     }
+    return this._controlEventBus;
   }
   /**
-   * Imports the website's hosted zone from config attributes (no SSM lookup).
-   * The website attaches DNS records here on the release-branch deploy and
-   * the same zone is imported on feature-branch deploys for any sub-domain
-   * routing.
+   * Creates the Cognito User Pool and exports its ID to SSM.
+   * Look up via {@link OpenHiAuthService.userPoolFromConstruct}.
    * Override to customize.
    */
-  createHostedZone() {
-    return OpenHiGlobalService.rootHostedZoneFromConstruct(this, {
-      zoneName: this.config.zoneName,
-      hostedZoneId: this.config.hostedZoneId
+  createUserPool() {
+    const userPool = new CognitoUserPool(this, {
+      ...this.props.userPoolProps,
+      customSenderKmsKey: this.userPoolKmsKey
+    });
+    userPool.addTrigger(
+      import_aws_cognito4.UserPoolOperation.PRE_TOKEN_GENERATION_CONFIG,
+      this.preTokenGenerationLambda,
+      import_aws_cognito4.LambdaVersion.V2_0
+    );
+    userPool.addTrigger(
+      import_aws_cognito4.UserPoolOperation.POST_AUTHENTICATION,
+      this.postAuthenticationLambda
+    );
+    userPool.addTrigger(
+      import_aws_cognito4.UserPoolOperation.POST_CONFIRMATION,
+      this.postConfirmationLambda
+    );
+    new DiscoverableStringParameter(this, "user-pool-param", {
+      ssmParamName: CognitoUserPool.SSM_PARAM_NAME,
+      stringValue: userPool.userPoolId,
+      description: "Cognito User Pool ID for this Auth stack; cross-stack reference"
     });
+    return userPool;
   }
   /**
-   * Returns the wildcard certificate looked up from the Global service.
-   * Override to customize.
+   * Grants the Pre Token Generation Lambda read-only access on the data
+   * store table and its GSIs. The Lambda only needs:
+   * - `Query` on GSI2 to resolve a User by Cognito `sub`
+   * - `GetItem` on the base table for direct User reads
+   *
+   * No write or scan access: a User missing `currentTenant`/`currentWorkspace`
+   * falls into the absent-claims path; repair belongs in a separate backfill.
    */
-  createCertificate() {
-    return OpenHiGlobalService.rootWildcardCertificateFromConstruct(this);
+  grantPreTokenGenerationPermissions() {
+    const dataStoreTable = this.dataStoreTable();
+    const dynamoActions = ["dynamodb:GetItem", "dynamodb:Query"];
+    dataStoreTable.grant(this.preTokenGenerationLambda, ...dynamoActions);
+    this.preTokenGenerationLambda.addToRolePolicy(
+      new import_aws_iam7.PolicyStatement({
+        effect: import_aws_iam7.Effect.ALLOW,
+        actions: [...dynamoActions],
+        resources: [`${dataStoreTable.tableArn}/index/*`]
+      })
+    );
   }
   /**
-   * Computes the full website domain from `domainPrefix`,
-   * `childZonePrefix`, and the child zone name. Release-branch deploys
-   * serve at `\<domainPrefix\>.\<zone\>` (e.g. `admin.dev.openhi.org`);
-   * every other deploy serves a per-PR preview at
-   * `\<domainPrefix\>-\<childZonePrefix\>.\<zone\>`
-   * (e.g. `admin-feat-1093-patient-migration.dev.openhi.org`).
+   * Grants the Post Authentication Lambda permission to call
+   * `cognito-idp:AdminUserGlobalSignOut`.
    *
-   * Delegates to {@link OpenHiWebsiteService.composeFullDomain} so the
-   * release-vs-feature composition stays in one place.
+   * Scoped via `Stack.of(this).formatArn` rather than `userPool.userPoolArn`
+   * because the User Pool registers this Lambda as a Post Authentication
+   * trigger, creating the cycle:
+   *   userPool → lambda (trigger ARN) → role policy → userPool ARN.
+   * Using `formatArn` avoids referencing the User Pool resource directly
+   * while still scoping to user pools in this account+region. The Lambda
+   * is invoked only by Cognito with a Cognito-provided `event.userPoolId`,
+   * so the runtime target is constrained by the trigger contract.
    */
-  computeFullDomain(hostedZone) {
-    return _OpenHiWebsiteService.composeFullDomain({
-      domainPrefix: this.props.domainPrefix,
-      branchName: this.branchName,
-      defaultReleaseBranch: this.defaultReleaseBranch,
-      childZonePrefix: this.childZonePrefix,
-      zoneName: hostedZone.zoneName
-    });
+  grantPostAuthenticationPermissions() {
+    this.postAuthenticationLambda.addToRolePolicy(
+      new import_aws_iam7.PolicyStatement({
+        actions: ["cognito-idp:AdminUserGlobalSignOut"],
+        resources: [
+          import_core2.Stack.of(this).formatArn({
+            service: "cognito-idp",
+            resource: "userpool",
+            resourceName: "*"
+          })
+        ]
+      })
+    );
   }
   /**
-   * Returns the sub-domain label (left of the zone) for the current
-   * deploy. Used for the per-branch S3 key prefix passed to
-   * {@link StaticContent} so the upload prefix always matches the
-   * served hostname.
-   *
-   * Non-release deploys compose the per-PR slug as
-   * `\<domainPrefix\>-\<childZonePrefix\>`, mirroring the REST API's
-   * `api-\<childZonePrefix\>` convention. When `domainPrefix` is `admin`
-   * (the only consumer today), the resulting sub-domain starts with
-   * {@link PER_BRANCH_PREVIEW_PREFIX}, so the per-PR S3 key prefix
-   * matches what `StaticHosting`'s lifecycle rule expires.
+   * Grants the Post Confirmation Lambda publish-only access to the
+   * control-plane event bus. Workflow Lambdas own DynamoDB writes.
    */
-  computeSubDomain() {
-    const isReleaseBranch = this.branchName === this.defaultReleaseBranch;
-    const domainPrefix = this.props.domainPrefix ?? _OpenHiWebsiteService.DEFAULT_DOMAIN_PREFIX;
-    if (isReleaseBranch) {
-      return domainPrefix;
-    }
-    return `${domainPrefix}-${this.childZonePrefix}`;
+  grantPostConfirmationPermissions() {
+    this.controlEventBus().grantPutEventsTo(this.postConfirmationLambda);
   }
   /**
-   * Creates the StaticHosting infrastructure (bucket + distribution +
-   * Lambda@Edge + 4 SSM params + DNS). The release-branch distribution
-   * adds `*.\<zone\>` as a wildcard alt-name on top of the canonical
-   * hostname so per-PR previews resolve via the same distribution.
-   *
-   * The bucket carries an S3 lifecycle rule that expires per-PR
-   * preview content (keys under {@link PER_BRANCH_PREVIEW_PREFIX})
-   * on non-production stages. PROD never gets the rule — see
-   * `enablePreviewLifecycle`.
+   * Creates the User Pool Client and exports its ID to SSM (AUTH service type).
+   * OAuth flows are enabled with auto-injected callback/logout URLs derived
+   * from this stack's branch context (see {@link resolveOAuthRedirectUrls}).
+   * Look up via {@link OpenHiAuthService.userPoolClientFromConstruct}.
+   * Override to customize.
    */
-  createStaticHosting(deps) {
-    const restApi = this.props.restApi === true ? this.resolveRestApi() : void 0;
-    const wildcardSan = `*.${deps.hostedZone.zoneName}`;
-    return new StaticHosting(this, "static-hosting", {
-      serviceType: _OpenHiWebsiteService.SERVICE_TYPE,
-      certificate: deps.certificate,
-      hostedZone: deps.hostedZone,
-      domainNames: [this.fullDomain, wildcardSan],
-      description: `OpenHI website (${this.fullDomain})`,
-      prefixPattern: PER_BRANCH_PREVIEW_PREFIX,
-      enablePreviewLifecycle: this.ohEnv.ohStage.stageType !== import_config6.OPEN_HI_STAGE.PROD,
-      ...restApi !== void 0 && { restApi }
+  createUserPoolClient() {
+    const { callbackUrls, logoutUrls } = this.resolveOAuthRedirectUrls();
+    const client = new CognitoUserPoolClient(this, {
+      userPool: this.userPool,
+      oAuth: {
+        flows: {
+          authorizationCodeGrant: true,
+          implicitCodeGrant: true
+        },
+        callbackUrls,
+        logoutUrls
+      }
+    });
+    new DiscoverableStringParameter(this, "user-pool-client-param", {
+      ssmParamName: CognitoUserPoolClient.SSM_PARAM_NAME,
+      stringValue: client.userPoolClientId,
+      description: "Cognito User Pool Client ID for this Auth stack; cross-stack reference"
     });
+    return client;
   }
   /**
-   * Resolves the REST API custom-domain hostname from the rest-api stack's
-   * `REST_API_DOMAIN_NAME` SSM parameter. Wrapped in a private method so
-   * it can be overridden / stubbed in subclasses and tests.
+   * Returns the OAuth `callbackUrls` and `logoutUrls` the Cognito User Pool
+   * Client should accept. Composed from the same branch context the website
+   * service will see at synth time:
+   *
+   * - `https://admin{,-<childZonePrefix>}.<zone>/oauth/{callback,logout}`
+   * - `https://www{,-<childZonePrefix>}.<zone>/oauth/{callback,logout}`
+   *
+   * Both deployed-host pairs are auto-injected on every stage. On non-prod
+   * stages the localhost dev URLs from {@link LOCALHOST_OAUTH_CALLBACK_URLS}
+   * / {@link LOCALHOST_OAUTH_LOGOUT_URLS} join the merge; on prod they are
+   * deliberately excluded.
+   *
+   * If `zoneName` is absent (no-DNS test configurations), the deployed-host
+   * pairs are skipped — only the localhost set survives, and only on
+   * non-prod. Override to customize.
    */
-  resolveRestApi() {
+  resolveOAuthRedirectUrls() {
+    const isNonProd = this.ohEnv.ohStage.stageType !== import_config7.OPEN_HI_STAGE.PROD;
+    const zoneName = this.props.config?.zoneName;
+    const deployedOrigins = [];
+    if (zoneName !== void 0) {
+      const adminHost = OpenHiWebsiteService.composeFullDomain({
+        domainPrefix: ADMIN_DOMAIN_PREFIX,
+        branchName: this.branchName,
+        defaultReleaseBranch: this.defaultReleaseBranch,
+        childZonePrefix: this.childZonePrefix,
+        zoneName
+      });
+      const websiteHost = OpenHiWebsiteService.composeFullDomain({
+        branchName: this.branchName,
+        defaultReleaseBranch: this.defaultReleaseBranch,
+        childZonePrefix: this.childZonePrefix,
+        zoneName
+      });
+      deployedOrigins.push(`https://${adminHost}`, `https://${websiteHost}`);
+    }
+    const localhostCallbacks = isNonProd ? LOCALHOST_OAUTH_CALLBACK_URLS : [];
+    const localhostLogouts = isNonProd ? LOCALHOST_OAUTH_LOGOUT_URLS : [];
     return {
-      domainName: OpenHiRestApiService.restApiDomainNameFromConstruct(this)
+      callbackUrls: [
+        ...deployedOrigins.map((o) => `${o}/oauth/callback`),
+        ...localhostCallbacks
+      ],
+      logoutUrls: [
+        ...deployedOrigins.map((o) => `${o}/oauth/logout`),
+        ...localhostLogouts
+      ]
     };
   }
   /**
-   * Creates the SSM parameter that publishes the website's full domain.
-   * Look up via {@link OpenHiWebsiteService.fullDomainFromConstruct}.
+   * Creates the User Pool Domain (Cognito hosted UI) and exports domain name to SSM.
+   * Look up via {@link OpenHiAuthService.userPoolDomainFromConstruct}.
+   * Override to customize.
    */
-  createFullDomainParameter() {
-    new DiscoverableStringParameter(this, "full-domain-param", {
-      ssmParamName: SSM_PARAM_NAME_FULL_DOMAIN,
-      serviceType: _OpenHiWebsiteService.SERVICE_TYPE,
-      stringValue: this.fullDomain,
-      description: "Full website domain (e.g. www.example.com)"
+  createUserPoolDomain() {
+    const domain = new CognitoUserPoolDomain(this, {
+      userPool: this.userPool,
+      cognitoDomain: {
+        domainPrefix: `auth-${this.branchHash}`
+      }
     });
-  }
-  /**
-   * Creates the StaticContent uploader. Receives the resolved static-hosting
-   * bucket from the constructor — on the release-branch deploy this is the
-   * just-created {@link staticHosting} bucket (no SSM round-trip within a
-   * single stack); on every other deploy it is imported from the bucket ARN
-   * the release-branch deploy publishes to SSM, addressed against
-   * {@link OpenHiService.releaseBranchHash}. See
-   * {@link resolveStaticHostingBucket}.
-   *
-   * The S3 key prefix is `\<sub-domain\>.\<zone\>/\<contentDest\>` so the
-   * upload location matches the Host-header-derived folder the Lambda@Edge
-   * viewer-request handler prepends. Passing the zone name (rather than
-   * `this.fullDomain`) for the `fullDomain` prop keeps the prefix flat —
-   * `admin-feat-foo.dev.openhi.org/`, not
-   * `admin-feat-foo.admin.dev.openhi.org/`.
-   */
-  createStaticContent(bucket) {
-    const { contentSourceDirectory, contentDestinationDirectory } = this.props;
-    return new StaticContent(this, "static-content", {
-      bucket,
-      contentSourceDirectory,
-      contentDestinationDirectory,
-      subDomain: this.computeSubDomain(),
-      fullDomain: this.config.zoneName
+    new DiscoverableStringParameter(this, "user-pool-domain-param", {
+      ssmParamName: CognitoUserPoolDomain.SSM_PARAM_NAME,
+      stringValue: domain.domainName,
+      description: "Cognito User Pool Domain (hosted UI) for this Auth stack; cross-stack reference"
     });
+    return domain;
   }
+};
+_OpenHiAuthService.SERVICE_TYPE = "auth";
+var OpenHiAuthService = _OpenHiAuthService;
+// src/services/open-hi-graphql-service.ts
+var import_aws_appsync2 = require("aws-cdk-lib/aws-appsync");
+var _OpenHiGraphqlService = class _OpenHiGraphqlService extends OpenHiService {
   /**
-   * Creates the per-PR `PerBranchHostname` alias record on non-release
-   * branch deploys. The record points
-   * `\<domainPrefix\>-\<childZonePrefix\>.\<zone\>` at the release-branch
-   * CloudFront distribution (resolved from SSM against
-   * {@link OpenHiService.releaseBranchHash}).
+   * Returns the GraphQL API by looking up the GraphQL stack's API ID from SSM.
+   * Use from other stacks to obtain an IGraphqlApi reference.
    */
-  createPerBranchHostname(hostedZone) {
-    return new PerBranchHostname(this, "per-branch-hostname", {
-      hostname: this.fullDomain,
-      hostedZone,
-      serviceType: _OpenHiWebsiteService.SERVICE_TYPE
-    });
+  static graphqlApiFromConstruct(scope) {
+    return RootGraphqlApi.fromConstruct(scope);
   }
-  /**
-   * Returns an {@link IBucket} pointing at the static-hosting bucket the
-   * uploaders write to. On the release-branch deploy this is the bucket
-   * just provisioned by {@link staticHosting}; on every other deploy it's
-   * imported from the bucket ARN the release-branch deploy publishes to
-   * SSM, addressed against {@link OpenHiService.releaseBranchHash}.
-   */
-  resolveStaticHostingBucket() {
-    if (this.staticHosting) {
-      return this.staticHosting.bucket;
-    }
-    const bucketArn = DiscoverableStringParameter.valueForLookupName(this, {
-      ssmParamName: StaticHosting.SSM_PARAM_NAME_BUCKET_ARN,
-      serviceType: _OpenHiWebsiteService.SERVICE_TYPE,
-      branchHash: this.releaseBranchHash
+  get serviceType() {
+    return _OpenHiGraphqlService.SERVICE_TYPE;
+  }
+  constructor(ohEnv, props = {}) {
+    super(ohEnv, _OpenHiGraphqlService.SERVICE_TYPE, props);
+    this.props = props;
+    this.rootGraphqlApi = this.createRootGraphqlApi();
+  }
+  /** Creates the root GraphQL API with Cognito user pool. */
+  createRootGraphqlApi() {
+    const userPool = OpenHiAuthService.userPoolFromConstruct(this);
+    return new RootGraphqlApi(this, {
+      authorizationConfig: {
+        defaultAuthorization: {
+          authorizationType: import_aws_appsync2.AuthorizationType.USER_POOL,
+          userPoolConfig: {
+            userPool,
+            defaultAction: import_aws_appsync2.UserPoolDefaultAction.ALLOW
+          }
+        }
+      }
     });
-    return import_aws_s32.Bucket.fromBucketArn(this, "shared-bucket", bucketArn);
   }
 };
-_OpenHiWebsiteService.SERVICE_TYPE = "website";
-/**
- * Default `domainPrefix` for this service when none is supplied.
- * Release-branch hostname is `www.<zone>`; per-PR preview hostname is
- * `www-<childZonePrefix>.<zone>`.
- */
-_OpenHiWebsiteService.DEFAULT_DOMAIN_PREFIX = "www";
-var OpenHiWebsiteService = _OpenHiWebsiteService;
+_OpenHiGraphqlService.SERVICE_TYPE = "graphql-api";
+var OpenHiGraphqlService = _OpenHiGraphqlService;
 // src/workflows/control-plane/owning-delete-cascade/events.ts
 var import_workflows5 = __toESM(require_lib2());
@@ -8481,6 +8577,8 @@ var RenameCascadeWorkflow = class extends import_constructs25.Construct {
   DataStorePostgresReplica,
   DiscoverableStringParameter,
   DynamoDbDataStore,
+  LOCALHOST_OAUTH_CALLBACK_URLS,
+  LOCALHOST_OAUTH_LOGOUT_URLS,
   OPENHI_REPO_TAG_KEY_ENV_VAR,
   OPENHI_RESOURCE_URN_SYSTEM,
   OPENHI_TAG_KEY_PREFIX_ENV_VAR,