npm - @openhi/constructs - Versions diffs - 0.0.136 → 0.0.138 - Mend

@openhi/constructs 0.0.136 → 0.0.138

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/lib/index.mjs CHANGED Viewed

@@ -736,23 +736,10 @@ import { UserPoolClient } from "aws-cdk-lib/aws-cognito";
 var CognitoUserPoolClient = class extends UserPoolClient {
   constructor(scope, props) {
     super(scope, "user-pool-client", {
-      /**
-       * Defaults
-       */
+      // Default: SPA client (no secret). OAuth flow + callback/logout URL
+      // composition is the owning service's responsibility — pass via
+      // `props.oAuth` (see `OpenHiAuthService.resolveOAuthRedirectUrls`).
       generateSecret: false,
-      oAuth: {
-        flows: {
-          authorizationCodeGrant: true,
-          implicitCodeGrant: true
-        },
-        callbackUrls: [
-          `http://localhost:3000/oauth/callback`,
-          `https://localhost:3000/oauth/callback`
-        ]
-      },
-      /**
-       * Overrideable props
-       */
       ...props
     });
   }
@@ -1469,10 +1456,11 @@ var DataStorePostgresReplica = class extends Construct6 {
       bundling: {
         minify: true,
         sourceMap: false,
-        // pg has conditional/optional deps (pg-native, pg-cloudflare) that
-        // historically misbehave when bundled by esbuild; keep it as a real
-        // node_module in the Lambda zip instead.
-        nodeModules: ["pg"]
+        // pg's conditional optional deps (pg-native, pg-cloudflare) are
+        // marked external so esbuild does not try to resolve them — pg's
+        // runtime code wraps the requires in try/catch and falls back to
+        // the pure-JS client when they are not present.
+        externalModules: ["pg-native", "pg-cloudflare"]
       }
     });
     this.cluster.secret.grantRead(this.replicationFunction);
@@ -1988,6 +1976,7 @@ var StaticContent = class extends Construct10 {
 };
 // src/services/open-hi-auth-service.ts
+var import_config7 = __toESM(require_lib2());
 import {
   LambdaVersion,
   UserPool as UserPool2,
@@ -1995,7 +1984,7 @@ import {
   UserPoolDomain as UserPoolDomain2,
   UserPoolOperation
 } from "aws-cdk-lib/aws-cognito";
-import { Effect as Effect6, PolicyStatement as PolicyStatement6 } from "aws-cdk-lib/aws-iam";
+import { Effect as Effect7, PolicyStatement as PolicyStatement7 } from "aws-cdk-lib/aws-iam";
 import { Key as Key2 } from "aws-cdk-lib/aws-kms";
 import { Stack as Stack7 } from "aws-cdk-lib/core";
@@ -2577,633 +2566,285 @@ var _OpenHiDataService = class _OpenHiDataService extends OpenHiService {
 _OpenHiDataService.SERVICE_TYPE = "data";
 var OpenHiDataService = _OpenHiDataService;
-// src/workflows/control-plane/user-onboarding/provision-default-workspace-lambda.ts
+// src/services/open-hi-website-service.ts
+var import_config6 = __toESM(require_lib2());
+import { Bucket as Bucket3 } from "aws-cdk-lib/aws-s3";
+// src/services/open-hi-rest-api-service.ts
+var import_config5 = __toESM(require_lib2());
+import {
+  CorsHttpMethod,
+  DomainName,
+  HttpApi as HttpApi2,
+  HttpMethod,
+  HttpNoneAuthorizer,
+  HttpRoute,
+  HttpRouteKey
+} from "aws-cdk-lib/aws-apigatewayv2";
+import { HttpUserPoolAuthorizer } from "aws-cdk-lib/aws-apigatewayv2-authorizers";
+import { HttpLambdaIntegration } from "aws-cdk-lib/aws-apigatewayv2-integrations";
+import { Effect as Effect5, PolicyStatement as PolicyStatement5 } from "aws-cdk-lib/aws-iam";
+import {
+  ARecord as ARecord3,
+  HostedZone as HostedZone3,
+  RecordTarget as RecordTarget3
+} from "aws-cdk-lib/aws-route53";
+import { ApiGatewayv2DomainProperties } from "aws-cdk-lib/aws-route53-targets";
+import { Duration as Duration9 } from "aws-cdk-lib/core";
+import { Construct as Construct19 } from "constructs";
+// src/data/lambda/cors-options-lambda.ts
 import fs10 from "fs";
 import path10 from "path";
-import { Duration as Duration9 } from "aws-cdk-lib";
-import { Rule as Rule4 } from "aws-cdk-lib/aws-events";
-import { LambdaFunction as LambdaFunction4 } from "aws-cdk-lib/aws-events-targets";
-import { Effect as Effect5, PolicyStatement as PolicyStatement5 } from "aws-cdk-lib/aws-iam";
 import { Runtime as Runtime10 } from "aws-cdk-lib/aws-lambda";
 import { NodejsFunction as NodejsFunction10 } from "aws-cdk-lib/aws-lambda-nodejs";
 import { Construct as Construct17 } from "constructs";
-var HANDLER_NAME9 = "provision-default-workspace.handler.js";
+var HANDLER_NAME9 = "cors-options-lambda.handler.js";
 function resolveHandlerEntry9(dirname) {
   const sameDir = path10.join(dirname, HANDLER_NAME9);
   if (fs10.existsSync(sameDir)) {
     return sameDir;
   }
-  return path10.join(dirname, "..", "..", "..", "..", "lib", HANDLER_NAME9);
+  const fromLib = path10.join(dirname, "..", "..", "..", "lib", HANDLER_NAME9);
+  return fromLib;
 }
-var ProvisionDefaultWorkspaceLambda = class extends Construct17 {
-  constructor(scope, props) {
-    super(scope, "provision-default-workspace-lambda");
+var CorsOptionsLambda = class extends Construct17 {
+  constructor(scope, id = "cors-options-lambda") {
+    super(scope, id);
     this.lambda = new NodejsFunction10(this, "handler", {
       entry: resolveHandlerEntry9(__dirname),
       runtime: Runtime10.NODEJS_LATEST,
-      memorySize: 1024,
-      environment: {
-        DYNAMO_TABLE_NAME: props.dataStoreTable.tableName
-      }
-    });
-    props.dataStoreTable.grant(
-      this.lambda,
-      "dynamodb:PutItem",
-      "dynamodb:UpdateItem"
-    );
-    this.lambda.addToRolePolicy(
-      new PolicyStatement5({
-        effect: Effect5.ALLOW,
-        actions: ["dynamodb:Query"],
-        resources: [`${props.dataStoreTable.tableArn}/index/*`]
-      })
-    );
-    this.rule = new Rule4(this, "rule", {
-      eventBus: props.controlEventBus,
-      eventPattern: {
-        source: [USER_ONBOARDING_EVENT_SOURCE],
-        detailType: [PROVISION_DEFAULT_WORKSPACE_DETAIL_TYPE]
-      },
-      targets: [
-        new LambdaFunction4(this.lambda, {
-          retryAttempts: 2,
-          maxEventAge: Duration9.hours(2)
-        })
-      ]
+      memorySize: 128
     });
   }
 };
-// src/workflows/control-plane/user-onboarding/user-onboarding-workflow.ts
+// src/data/lambda/rest-api-lambda.ts
+import fs11 from "fs";
+import path11 from "path";
+import { Runtime as Runtime11 } from "aws-cdk-lib/aws-lambda";
+import { NodejsFunction as NodejsFunction11 } from "aws-cdk-lib/aws-lambda-nodejs";
 import { Construct as Construct18 } from "constructs";
-var UserOnboardingWorkflow = class extends Construct18 {
+var HANDLER_NAME10 = "rest-api-lambda.handler.js";
+function resolveHandlerEntry10(dirname) {
+  const sameDir = path11.join(dirname, HANDLER_NAME10);
+  if (fs11.existsSync(sameDir)) {
+    return sameDir;
+  }
+  const fromLib = path11.join(dirname, "..", "..", "..", "lib", HANDLER_NAME10);
+  return fromLib;
+}
+var RestApiLambda = class extends Construct18 {
   constructor(scope, props) {
-    super(scope, "user-onboarding-workflow");
-    this.provisionDefaultWorkspace = new ProvisionDefaultWorkspaceLambda(this, {
-      dataStoreTable: props.dataStoreTable,
-      controlEventBus: props.controlEventBus
+    super(scope, "rest-api-lambda");
+    this.lambda = new NodejsFunction11(this, "handler", {
+      entry: resolveHandlerEntry10(__dirname),
+      runtime: Runtime11.NODEJS_LATEST,
+      memorySize: 1024,
+      environment: {
+        DYNAMO_TABLE_NAME: props.dynamoTableName,
+        BRANCH_TAG_VALUE: props.branchTagValue,
+        HTTP_API_TAG_VALUE: props.httpApiTagValue,
+        OPENHI_PG_CLUSTER_ARN: props.postgresClusterArn,
+        OPENHI_PG_SECRET_ARN: props.postgresSecretArn,
+        OPENHI_PG_DATABASE: props.postgresDatabase,
+        OPENHI_PG_SCHEMA: props.postgresSchema,
+        ...props.extraEnvironment
+      },
+      bundling: {
+        minify: true,
+        sourceMap: false
+      }
     });
   }
 };
-// src/services/open-hi-auth-service.ts
-var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
-  constructor(ohEnv, props = {}) {
-    super(ohEnv, _OpenHiAuthService.SERVICE_TYPE, props);
-    /**
-     * Cross-stack reference to the data store table. Cached so repeated
-     * lookups share a single CDK construct id ("dynamo-db-data-store") in
-     * this stack — a second `Table.fromTableName` call under the same scope
-     * would collide.
-     */
-    this._dataStoreTable = null;
-    this._controlEventBus = null;
-    this.props = props;
-    this.userPoolKmsKey = this.createUserPoolKmsKey();
-    this.preTokenGenerationLambda = this.createPreTokenGenerationLambda();
-    this.postAuthenticationLambda = this.createPostAuthenticationLambda();
-    this.postConfirmationLambda = this.createPostConfirmationLambda();
-    this.userOnboardingWorkflow = this.createUserOnboardingWorkflow();
-    this.userPool = this.createUserPool();
-    this.grantPreTokenGenerationPermissions();
-    this.grantPostAuthenticationPermissions();
-    this.grantPostConfirmationPermissions();
-    this.userPoolClient = this.createUserPoolClient();
-    this.userPoolDomain = this.createUserPoolDomain();
-  }
+// src/services/open-hi-rest-api-service.ts
+var REST_API_BASE_URL_SSM_NAME = "REST_API_BASE_URL";
+var REST_API_DOMAIN_NAME_SSM_NAME = "REST_API_DOMAIN_NAME";
+var DEV_CORS_ALLOW_ORIGINS = [
+  "http://localhost:3000",
+  "https://localhost:3000",
+  "http://localhost:5173",
+  "https://localhost:5173",
+  "http://127.0.0.1:3000",
+  "https://127.0.0.1:3000",
+  "http://127.0.0.1:5173",
+  "https://127.0.0.1:5173"
+];
+var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
   /**
-   * Returns an IUserPool by looking up the Auth stack's User Pool ID from SSM.
+   * Compose the REST API's full per-deploy domain. Thin wrapper over
+   * {@link OpenHiService.composeServiceDomain} that pins `domainPrefix`
+   * to {@link API_DOMAIN_PREFIX}.
+   *
+   * Use from sibling stacks that need to predict the API's hostname
+   * before the REST API stack is synthesised.
    */
-  static userPoolFromConstruct(scope) {
-    const userPoolId = DiscoverableStringParameter.valueForLookupName(scope, {
-      ssmParamName: CognitoUserPool.SSM_PARAM_NAME,
-      serviceType: _OpenHiAuthService.SERVICE_TYPE
+  static composeFullDomain(opts) {
+    return OpenHiService.composeServiceDomain({
+      ...opts,
+      domainPrefix: _OpenHiRestApiService.API_DOMAIN_PREFIX
     });
-    return UserPool2.fromUserPoolId(scope, "user-pool", userPoolId);
-  }
-  /**
-   * Returns an IUserPoolClient by looking up the Auth stack's User Pool Client ID from SSM.
-   */
-  static userPoolClientFromConstruct(scope) {
-    const userPoolClientId = DiscoverableStringParameter.valueForLookupName(
-      scope,
-      {
-        ssmParamName: CognitoUserPoolClient.SSM_PARAM_NAME,
-        serviceType: _OpenHiAuthService.SERVICE_TYPE
-      }
-    );
-    return UserPoolClient2.fromUserPoolClientId(
-      scope,
-      "user-pool-client",
-      userPoolClientId
-    );
   }
   /**
-   * Returns an IUserPoolDomain by looking up the Auth stack's User Pool Domain from SSM.
+   * Returns an IHttpApi by looking up the REST API stack's HTTP API ID from SSM.
    */
-  static userPoolDomainFromConstruct(scope) {
-    const domainName = DiscoverableStringParameter.valueForLookupName(scope, {
-      ssmParamName: CognitoUserPoolDomain.SSM_PARAM_NAME,
-      serviceType: _OpenHiAuthService.SERVICE_TYPE
+  static rootHttpApiFromConstruct(scope) {
+    const httpApiId = DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: RootHttpApi.SSM_PARAM_NAME,
+      serviceType: _OpenHiRestApiService.SERVICE_TYPE
     });
-    return UserPoolDomain2.fromDomainName(scope, "user-pool-domain", domainName);
+    return HttpApi2.fromHttpApiAttributes(scope, "http-api", { httpApiId });
   }
   /**
-   * Returns the full Cognito Hosted UI base URL (e.g.
-   * `https://auth-abc.auth.us-east-2.amazoncognito.com`) by looking up
-   * the Auth stack's User Pool Domain from SSM and composing it with the
-   * calling stack's region.
-   *
-   * Equivalent to `UserPoolDomain.baseUrl()` on the concrete construct,
-   * but works across stacks where the looked-up `IUserPoolDomain` is an
-   * `Import` and does not carry the `baseUrl()` method. Assumes the
-   * domain was created as a Cognito-managed prefix domain (the only
-   * variant `OpenHiAuthService.createUserPoolDomain` produces).
+   * Returns the REST API base URL (e.g. https://api.example.com) by looking it up from SSM.
+   * Use in other stacks for E2E, scripts, or config.
    */
-  static userPoolDomainBaseUrlFromConstruct(scope) {
-    const domainName = DiscoverableStringParameter.valueForLookupName(scope, {
-      ssmParamName: CognitoUserPoolDomain.SSM_PARAM_NAME,
-      serviceType: _OpenHiAuthService.SERVICE_TYPE
+  static restApiBaseUrlFromConstruct(scope) {
+    return DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: REST_API_BASE_URL_SSM_NAME,
+      serviceType: _OpenHiRestApiService.SERVICE_TYPE
     });
-    const region = Stack7.of(scope).region;
-    return `https://${domainName}.auth.${region}.amazoncognito.com`;
   }
   /**
-   * Returns an IKey (KMS) by looking up the Auth stack's User Pool KMS Key ARN from SSM.
+   * Returns the REST API's custom domain name (bare hostname, no scheme — e.g.
+   * `api.example.com`) by looking it up from SSM. Use as the host for a
+   * CloudFront `HttpOrigin` so the website's distribution can proxy `/api/*`
+   * to this stack's API Gateway without per-branch DNS knowledge.
    */
-  static userPoolKmsKeyFromConstruct(scope) {
-    const keyArn = DiscoverableStringParameter.valueForLookupName(scope, {
-      ssmParamName: CognitoUserPoolKmsKey.SSM_PARAM_NAME,
-      serviceType: _OpenHiAuthService.SERVICE_TYPE
+  static restApiDomainNameFromConstruct(scope) {
+    return DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: REST_API_DOMAIN_NAME_SSM_NAME,
+      serviceType: _OpenHiRestApiService.SERVICE_TYPE
     });
-    return Key2.fromKeyArn(scope, "kms-key", keyArn);
   }
   get serviceType() {
-    return _OpenHiAuthService.SERVICE_TYPE;
+    return _OpenHiRestApiService.SERVICE_TYPE;
+  }
+  constructor(ohEnv, props = {}) {
+    super(ohEnv, _OpenHiRestApiService.SERVICE_TYPE, props);
+    this.props = props;
+    this.validateConfig(props);
+    const hostedZone = this.createHostedZone();
+    const certificate = this.createCertificate();
+    this.apiDomainName = this.createApiDomainNameString(hostedZone);
+    this.createRestApiBaseUrlParameter(this.apiDomainName);
+    this.createRestApiDomainNameParameter(this.apiDomainName);
+    const domainName = this.createDomainName(hostedZone, certificate);
+    this.rootHttpApi = this.createRootHttpApi(domainName);
+    this.createRestApiLambdaAndRoutes(hostedZone, domainName);
   }
   /**
-   * Creates the KMS key for the Cognito User Pool and exports its ARN to SSM.
-   * Look up via {@link OpenHiAuthService.userPoolKmsKeyFromConstruct}.
-   * Override to customize.
+   * Validates that config required for the REST API stack is present.
    */
-  createUserPoolKmsKey() {
-    const key = new CognitoUserPoolKmsKey(this);
-    new DiscoverableStringParameter(this, "kms-key-param", {
-      ssmParamName: CognitoUserPoolKmsKey.SSM_PARAM_NAME,
-      stringValue: key.keyArn,
-      description: "KMS key ARN for Cognito User Pool (e.g. custom sender); cross-stack reference"
-    });
-    return key;
+  validateConfig(props) {
+    const { config } = props;
+    if (!config) {
+      throw new Error("Config is required");
+    }
+    if (!config.hostedZoneId) {
+      throw new Error("Hosted zone ID is required");
+    }
+    if (!config.zoneName) {
+      throw new Error("Zone name is required");
+    }
   }
   /**
-   * Creates the Pre Token Generation Lambda (Cognito trigger). On every
-   * sign-in and token refresh the Lambda resolves the User by Cognito `sub`
-   * (GSI2) and injects `ohi_tid`, `ohi_wid`, `ohi_uid`, `ohi_uname` into
-   * both the ID token and the access token (ADR 2026-03-17-01).
+   * Creates the hosted zone reference (imported from config).
+   * Override to customize.
    */
-  createPreTokenGenerationLambda() {
-    const construct = new PreTokenGenerationLambda(this, {
-      dynamoTableName: this.dataStoreTable().tableName
+  createHostedZone() {
+    const { config } = this.props;
+    return HostedZone3.fromHostedZoneAttributes(this, "root-zone", {
+      hostedZoneId: config.hostedZoneId,
+      zoneName: config.zoneName
     });
-    return construct.lambda;
   }
   /**
-   * Creates the Post Authentication Lambda (Cognito trigger). Calls
-   * AdminUserGlobalSignOut on every sign-in to enforce single-device-per-user
-   * sessions per ADR 2026-03-17-01.
+   * Creates the wildcard certificate (imported from Global stack via SSM).
+   * Override to customize.
    */
-  createPostAuthenticationLambda() {
-    const construct = new PostAuthenticationLambda(this);
-    return construct.lambda;
+  createCertificate() {
+    return OpenHiGlobalService.rootWildcardCertificateFromConstruct(this);
   }
   /**
-   * Creates the Post Confirmation Lambda (Cognito trigger). On sign-up
-   * confirmation, publishes a control-plane workflow event; provisioning lives
-   * behind EventBridge.
+   * Returns the API domain name string (e.g. api.example.com or api-\{prefix\}.example.com).
+   * Delegates to {@link OpenHiRestApiService.composeFullDomain} so the
+   * release-vs-feature composition stays in one place; picks up
+   * `this.defaultReleaseBranch` (not a hard-coded `"main"`).
+   * Override to customize.
    */
-  createPostConfirmationLambda() {
-    const construct = new PostConfirmationLambda(this, {
-      controlEventBusName: this.controlEventBus().eventBusName
-    });
-    return construct.lambda;
-  }
-  createUserOnboardingWorkflow() {
-    return new UserOnboardingWorkflow(this, {
-      controlEventBus: this.controlEventBus(),
-      dataStoreTable: this.dataStoreTable()
+  createApiDomainNameString(hostedZone) {
+    return _OpenHiRestApiService.composeFullDomain({
+      branchName: this.branchName,
+      defaultReleaseBranch: this.defaultReleaseBranch,
+      childZonePrefix: this.childZonePrefix,
+      zoneName: hostedZone.zoneName
     });
   }
-  dataStoreTable() {
-    if (this._dataStoreTable === null) {
-      this._dataStoreTable = OpenHiDataService.dynamoDbDataStoreFromConstruct(this);
-    }
-    return this._dataStoreTable;
-  }
-  controlEventBus() {
-    if (this._controlEventBus === null) {
-      this._controlEventBus = OpenHiGlobalService.controlEventBusFromConstruct(this);
-    }
-    return this._controlEventBus;
-  }
   /**
-   * Creates the Cognito User Pool and exports its ID to SSM.
-   * Look up via {@link OpenHiAuthService.userPoolFromConstruct}.
+   * Creates the SSM parameter for the REST API base URL.
+   * Look up via {@link OpenHiRestApiService.restApiBaseUrlFromConstruct}.
    * Override to customize.
    */
-  createUserPool() {
-    const userPool = new CognitoUserPool(this, {
-      ...this.props.userPoolProps,
-      customSenderKmsKey: this.userPoolKmsKey
-    });
-    userPool.addTrigger(
-      UserPoolOperation.PRE_TOKEN_GENERATION_CONFIG,
-      this.preTokenGenerationLambda,
-      LambdaVersion.V2_0
-    );
-    userPool.addTrigger(
-      UserPoolOperation.POST_AUTHENTICATION,
-      this.postAuthenticationLambda
-    );
-    userPool.addTrigger(
-      UserPoolOperation.POST_CONFIRMATION,
-      this.postConfirmationLambda
-    );
-    new DiscoverableStringParameter(this, "user-pool-param", {
-      ssmParamName: CognitoUserPool.SSM_PARAM_NAME,
-      stringValue: userPool.userPoolId,
-      description: "Cognito User Pool ID for this Auth stack; cross-stack reference"
+  createRestApiBaseUrlParameter(apiDomainName) {
+    const restApiBaseUrl = `https://${apiDomainName}`;
+    new DiscoverableStringParameter(this, "rest-api-base-url-param", {
+      ssmParamName: REST_API_BASE_URL_SSM_NAME,
+      stringValue: restApiBaseUrl,
+      description: "REST API base URL for this deployment (E2E, scripts)"
     });
-    return userPool;
-  }
-  /**
-   * Grants the Pre Token Generation Lambda read-only access on the data
-   * store table and its GSIs. The Lambda only needs:
-   * - `Query` on GSI2 to resolve a User by Cognito `sub`
-   * - `GetItem` on the base table for direct User reads
-   *
-   * No write or scan access: a User missing `currentTenant`/`currentWorkspace`
-   * falls into the absent-claims path; repair belongs in a separate backfill.
-   */
-  grantPreTokenGenerationPermissions() {
-    const dataStoreTable = this.dataStoreTable();
-    const dynamoActions = ["dynamodb:GetItem", "dynamodb:Query"];
-    dataStoreTable.grant(this.preTokenGenerationLambda, ...dynamoActions);
-    this.preTokenGenerationLambda.addToRolePolicy(
-      new PolicyStatement6({
-        effect: Effect6.ALLOW,
-        actions: [...dynamoActions],
-        resources: [`${dataStoreTable.tableArn}/index/*`]
-      })
-    );
-  }
-  /**
-   * Grants the Post Authentication Lambda permission to call
-   * `cognito-idp:AdminUserGlobalSignOut`.
-   *
-   * Scoped via `Stack.of(this).formatArn` rather than `userPool.userPoolArn`
-   * because the User Pool registers this Lambda as a Post Authentication
-   * trigger, creating the cycle:
-   *   userPool → lambda (trigger ARN) → role policy → userPool ARN.
-   * Using `formatArn` avoids referencing the User Pool resource directly
-   * while still scoping to user pools in this account+region. The Lambda
-   * is invoked only by Cognito with a Cognito-provided `event.userPoolId`,
-   * so the runtime target is constrained by the trigger contract.
-   */
-  grantPostAuthenticationPermissions() {
-    this.postAuthenticationLambda.addToRolePolicy(
-      new PolicyStatement6({
-        actions: ["cognito-idp:AdminUserGlobalSignOut"],
-        resources: [
-          Stack7.of(this).formatArn({
-            service: "cognito-idp",
-            resource: "userpool",
-            resourceName: "*"
-          })
-        ]
-      })
-    );
   }
   /**
-   * Grants the Post Confirmation Lambda publish-only access to the
-   * control-plane event bus. Workflow Lambdas own DynamoDB writes.
+   * Creates the SSM parameter exposing the REST API's custom domain (bare
+   * hostname, no scheme). Consumed by the website service as the CloudFront
+   * `/api/*` origin host.
+   * Look up via {@link OpenHiRestApiService.restApiDomainNameFromConstruct}.
+   * Override to customize.
    */
-  grantPostConfirmationPermissions() {
-    this.controlEventBus().grantPutEventsTo(this.postConfirmationLambda);
+  createRestApiDomainNameParameter(apiDomainName) {
+    new DiscoverableStringParameter(this, "rest-api-domain-name-param", {
+      ssmParamName: REST_API_DOMAIN_NAME_SSM_NAME,
+      stringValue: apiDomainName,
+      description: "REST API custom domain name (bare hostname) for cross-stack CloudFront origin lookup"
+    });
   }
   /**
-   * Creates the User Pool Client and exports its ID to SSM (AUTH service type).
-   * Look up via {@link OpenHiAuthService.userPoolClientFromConstruct}.
+   * Creates the API Gateway custom domain name resource.
    * Override to customize.
    */
-  createUserPoolClient() {
-    const client = new CognitoUserPoolClient(this, {
-      userPool: this.userPool
-    });
-    new DiscoverableStringParameter(this, "user-pool-client-param", {
-      ssmParamName: CognitoUserPoolClient.SSM_PARAM_NAME,
-      stringValue: client.userPoolClientId,
-      description: "Cognito User Pool Client ID for this Auth stack; cross-stack reference"
+  createDomainName(_hostedZone, certificate) {
+    const apiDomainName = this.createApiDomainNameString(_hostedZone);
+    return new DomainName(this, "domain", {
+      domainName: apiDomainName,
+      certificate
     });
-    return client;
   }
   /**
-   * Creates the User Pool Domain (Cognito hosted UI) and exports domain name to SSM.
-   * Look up via {@link OpenHiAuthService.userPoolDomainFromConstruct}.
-   * Override to customize.
+   * Creates the Lambda integration, HTTP routes, and API DNS record.
+   * Override to customize. Uses {@link rootHttpApi} set by the constructor.
    */
-  createUserPoolDomain() {
-    const domain = new CognitoUserPoolDomain(this, {
-      userPool: this.userPool,
-      cognitoDomain: {
-        domainPrefix: `auth-${this.branchHash}`
-      }
-    });
-    new DiscoverableStringParameter(this, "user-pool-domain-param", {
-      ssmParamName: CognitoUserPoolDomain.SSM_PARAM_NAME,
-      stringValue: domain.domainName,
-      description: "Cognito User Pool Domain (hosted UI) for this Auth stack; cross-stack reference"
-    });
-    return domain;
-  }
-};
-_OpenHiAuthService.SERVICE_TYPE = "auth";
-var OpenHiAuthService = _OpenHiAuthService;
-// src/services/open-hi-rest-api-service.ts
-var import_config5 = __toESM(require_lib2());
-import {
-  CorsHttpMethod,
-  DomainName,
-  HttpApi as HttpApi2,
-  HttpMethod,
-  HttpNoneAuthorizer,
-  HttpRoute,
-  HttpRouteKey
-} from "aws-cdk-lib/aws-apigatewayv2";
-import { HttpUserPoolAuthorizer } from "aws-cdk-lib/aws-apigatewayv2-authorizers";
-import { HttpLambdaIntegration } from "aws-cdk-lib/aws-apigatewayv2-integrations";
-import { Effect as Effect7, PolicyStatement as PolicyStatement7 } from "aws-cdk-lib/aws-iam";
-import {
-  ARecord as ARecord3,
-  HostedZone as HostedZone3,
-  RecordTarget as RecordTarget3
-} from "aws-cdk-lib/aws-route53";
-import { ApiGatewayv2DomainProperties } from "aws-cdk-lib/aws-route53-targets";
-import { Duration as Duration10 } from "aws-cdk-lib/core";
-import { Construct as Construct21 } from "constructs";
-// src/data/lambda/cors-options-lambda.ts
-import fs11 from "fs";
-import path11 from "path";
-import { Runtime as Runtime11 } from "aws-cdk-lib/aws-lambda";
-import { NodejsFunction as NodejsFunction11 } from "aws-cdk-lib/aws-lambda-nodejs";
-import { Construct as Construct19 } from "constructs";
-var HANDLER_NAME10 = "cors-options-lambda.handler.js";
-function resolveHandlerEntry10(dirname) {
-  const sameDir = path11.join(dirname, HANDLER_NAME10);
-  if (fs11.existsSync(sameDir)) {
-    return sameDir;
-  }
-  const fromLib = path11.join(dirname, "..", "..", "..", "lib", HANDLER_NAME10);
-  return fromLib;
-}
-var CorsOptionsLambda = class extends Construct19 {
-  constructor(scope, id = "cors-options-lambda") {
-    super(scope, id);
-    this.lambda = new NodejsFunction11(this, "handler", {
-      entry: resolveHandlerEntry10(__dirname),
-      runtime: Runtime11.NODEJS_LATEST,
-      memorySize: 128
-    });
-  }
-};
-// src/data/lambda/rest-api-lambda.ts
-import fs12 from "fs";
-import path12 from "path";
-import { Runtime as Runtime12 } from "aws-cdk-lib/aws-lambda";
-import { NodejsFunction as NodejsFunction12 } from "aws-cdk-lib/aws-lambda-nodejs";
-import { Construct as Construct20 } from "constructs";
-var HANDLER_NAME11 = "rest-api-lambda.handler.js";
-function resolveHandlerEntry11(dirname) {
-  const sameDir = path12.join(dirname, HANDLER_NAME11);
-  if (fs12.existsSync(sameDir)) {
-    return sameDir;
-  }
-  const fromLib = path12.join(dirname, "..", "..", "..", "lib", HANDLER_NAME11);
-  return fromLib;
-}
-var RestApiLambda = class extends Construct20 {
-  constructor(scope, props) {
-    super(scope, "rest-api-lambda");
-    this.lambda = new NodejsFunction12(this, "handler", {
-      entry: resolveHandlerEntry11(__dirname),
-      runtime: Runtime12.NODEJS_LATEST,
-      memorySize: 1024,
-      environment: {
-        DYNAMO_TABLE_NAME: props.dynamoTableName,
-        BRANCH_TAG_VALUE: props.branchTagValue,
-        HTTP_API_TAG_VALUE: props.httpApiTagValue,
-        OPENHI_PG_CLUSTER_ARN: props.postgresClusterArn,
-        OPENHI_PG_SECRET_ARN: props.postgresSecretArn,
-        OPENHI_PG_DATABASE: props.postgresDatabase,
-        OPENHI_PG_SCHEMA: props.postgresSchema,
-        ...props.extraEnvironment
-      },
-      bundling: {
-        minify: true,
-        sourceMap: false
-      }
-    });
-  }
-};
-// src/services/open-hi-rest-api-service.ts
-var REST_API_BASE_URL_SSM_NAME = "REST_API_BASE_URL";
-var REST_API_DOMAIN_NAME_SSM_NAME = "REST_API_DOMAIN_NAME";
-var DEV_CORS_ALLOW_ORIGINS = [
-  "http://localhost:3000",
-  "https://localhost:3000",
-  "http://localhost:5173",
-  "https://localhost:5173",
-  "http://127.0.0.1:3000",
-  "https://127.0.0.1:3000",
-  "http://127.0.0.1:5173",
-  "https://127.0.0.1:5173"
-];
-var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
-  /**
-   * Compose the REST API's full per-deploy domain. Thin wrapper over
-   * {@link OpenHiService.composeServiceDomain} that pins `domainPrefix`
-   * to {@link API_DOMAIN_PREFIX}.
-   *
-   * Use from sibling stacks that need to predict the API's hostname
-   * before the REST API stack is synthesised.
-   */
-  static composeFullDomain(opts) {
-    return OpenHiService.composeServiceDomain({
-      ...opts,
-      domainPrefix: _OpenHiRestApiService.API_DOMAIN_PREFIX
-    });
-  }
-  /**
-   * Returns an IHttpApi by looking up the REST API stack's HTTP API ID from SSM.
-   */
-  static rootHttpApiFromConstruct(scope) {
-    const httpApiId = DiscoverableStringParameter.valueForLookupName(scope, {
-      ssmParamName: RootHttpApi.SSM_PARAM_NAME,
-      serviceType: _OpenHiRestApiService.SERVICE_TYPE
-    });
-    return HttpApi2.fromHttpApiAttributes(scope, "http-api", { httpApiId });
-  }
-  /**
-   * Returns the REST API base URL (e.g. https://api.example.com) by looking it up from SSM.
-   * Use in other stacks for E2E, scripts, or config.
-   */
-  static restApiBaseUrlFromConstruct(scope) {
-    return DiscoverableStringParameter.valueForLookupName(scope, {
-      ssmParamName: REST_API_BASE_URL_SSM_NAME,
-      serviceType: _OpenHiRestApiService.SERVICE_TYPE
-    });
-  }
-  /**
-   * Returns the REST API's custom domain name (bare hostname, no scheme — e.g.
-   * `api.example.com`) by looking it up from SSM. Use as the host for a
-   * CloudFront `HttpOrigin` so the website's distribution can proxy `/api/*`
-   * to this stack's API Gateway without per-branch DNS knowledge.
-   */
-  static restApiDomainNameFromConstruct(scope) {
-    return DiscoverableStringParameter.valueForLookupName(scope, {
-      ssmParamName: REST_API_DOMAIN_NAME_SSM_NAME,
-      serviceType: _OpenHiRestApiService.SERVICE_TYPE
-    });
-  }
-  get serviceType() {
-    return _OpenHiRestApiService.SERVICE_TYPE;
-  }
-  constructor(ohEnv, props = {}) {
-    super(ohEnv, _OpenHiRestApiService.SERVICE_TYPE, props);
-    this.props = props;
-    this.validateConfig(props);
-    const hostedZone = this.createHostedZone();
-    const certificate = this.createCertificate();
-    this.apiDomainName = this.createApiDomainNameString(hostedZone);
-    this.createRestApiBaseUrlParameter(this.apiDomainName);
-    this.createRestApiDomainNameParameter(this.apiDomainName);
-    const domainName = this.createDomainName(hostedZone, certificate);
-    this.rootHttpApi = this.createRootHttpApi(domainName);
-    this.createRestApiLambdaAndRoutes(hostedZone, domainName);
-  }
-  /**
-   * Validates that config required for the REST API stack is present.
-   */
-  validateConfig(props) {
-    const { config } = props;
-    if (!config) {
-      throw new Error("Config is required");
-    }
-    if (!config.hostedZoneId) {
-      throw new Error("Hosted zone ID is required");
-    }
-    if (!config.zoneName) {
-      throw new Error("Zone name is required");
-    }
-  }
-  /**
-   * Creates the hosted zone reference (imported from config).
-   * Override to customize.
-   */
-  createHostedZone() {
-    const { config } = this.props;
-    return HostedZone3.fromHostedZoneAttributes(this, "root-zone", {
-      hostedZoneId: config.hostedZoneId,
-      zoneName: config.zoneName
-    });
-  }
-  /**
-   * Creates the wildcard certificate (imported from Global stack via SSM).
-   * Override to customize.
-   */
-  createCertificate() {
-    return OpenHiGlobalService.rootWildcardCertificateFromConstruct(this);
-  }
-  /**
-   * Returns the API domain name string (e.g. api.example.com or api-\{prefix\}.example.com).
-   * Delegates to {@link OpenHiRestApiService.composeFullDomain} so the
-   * release-vs-feature composition stays in one place; picks up
-   * `this.defaultReleaseBranch` (not a hard-coded `"main"`).
-   * Override to customize.
-   */
-  createApiDomainNameString(hostedZone) {
-    return _OpenHiRestApiService.composeFullDomain({
-      branchName: this.branchName,
-      defaultReleaseBranch: this.defaultReleaseBranch,
-      childZonePrefix: this.childZonePrefix,
-      zoneName: hostedZone.zoneName
-    });
-  }
-  /**
-   * Creates the SSM parameter for the REST API base URL.
-   * Look up via {@link OpenHiRestApiService.restApiBaseUrlFromConstruct}.
-   * Override to customize.
-   */
-  createRestApiBaseUrlParameter(apiDomainName) {
-    const restApiBaseUrl = `https://${apiDomainName}`;
-    new DiscoverableStringParameter(this, "rest-api-base-url-param", {
-      ssmParamName: REST_API_BASE_URL_SSM_NAME,
-      stringValue: restApiBaseUrl,
-      description: "REST API base URL for this deployment (E2E, scripts)"
-    });
-  }
-  /**
-   * Creates the SSM parameter exposing the REST API's custom domain (bare
-   * hostname, no scheme). Consumed by the website service as the CloudFront
-   * `/api/*` origin host.
-   * Look up via {@link OpenHiRestApiService.restApiDomainNameFromConstruct}.
-   * Override to customize.
-   */
-  createRestApiDomainNameParameter(apiDomainName) {
-    new DiscoverableStringParameter(this, "rest-api-domain-name-param", {
-      ssmParamName: REST_API_DOMAIN_NAME_SSM_NAME,
-      stringValue: apiDomainName,
-      description: "REST API custom domain name (bare hostname) for cross-stack CloudFront origin lookup"
-    });
-  }
-  /**
-   * Creates the API Gateway custom domain name resource.
-   * Override to customize.
-   */
-  createDomainName(_hostedZone, certificate) {
-    const apiDomainName = this.createApiDomainNameString(_hostedZone);
-    return new DomainName(this, "domain", {
-      domainName: apiDomainName,
-      certificate
-    });
-  }
-  /**
-   * Creates the Lambda integration, HTTP routes, and API DNS record.
-   * Override to customize. Uses {@link rootHttpApi} set by the constructor.
-   */
-  createRestApiLambdaAndRoutes(hostedZone, domainName) {
-    const dataStoreTable = OpenHiDataService.dynamoDbDataStoreFromConstruct(this);
-    const postgresClusterArn = DataStorePostgresReplica.clusterArnFromConstruct(this);
-    const postgresSecretArn = DataStorePostgresReplica.secretArnFromConstruct(this);
-    const postgresDatabase = DataStorePostgresReplica.databaseNameFromConstruct(this);
-    const postgresSchema = getPostgresReplicaSchemaName(this.branchHash);
-    const extraEnvironment = this.resolveRuntimeConfigEnvVars();
-    const { lambda } = new RestApiLambda(this, {
-      dynamoTableName: dataStoreTable.tableName,
-      branchTagValue: this.branchName,
-      httpApiTagValue: RootHttpApi.SSM_PARAM_NAME,
-      postgresClusterArn,
-      postgresSecretArn,
-      postgresDatabase,
-      postgresSchema,
-      extraEnvironment
+  createRestApiLambdaAndRoutes(hostedZone, domainName) {
+    const dataStoreTable = OpenHiDataService.dynamoDbDataStoreFromConstruct(this);
+    const postgresClusterArn = DataStorePostgresReplica.clusterArnFromConstruct(this);
+    const postgresSecretArn = DataStorePostgresReplica.secretArnFromConstruct(this);
+    const postgresDatabase = DataStorePostgresReplica.databaseNameFromConstruct(this);
+    const postgresSchema = getPostgresReplicaSchemaName(this.branchHash);
+    const extraEnvironment = this.resolveRuntimeConfigEnvVars();
+    const { lambda } = new RestApiLambda(this, {
+      dynamoTableName: dataStoreTable.tableName,
+      branchTagValue: this.branchName,
+      httpApiTagValue: RootHttpApi.SSM_PARAM_NAME,
+      postgresClusterArn,
+      postgresSecretArn,
+      postgresDatabase,
+      postgresSchema,
+      extraEnvironment
     });
     lambda.addToRolePolicy(
-      new PolicyStatement7({
-        effect: Effect7.ALLOW,
+      new PolicyStatement5({
+        effect: Effect5.ALLOW,
         actions: [
           "rds-data:ExecuteStatement",
           "rds-data:BatchExecuteStatement"
@@ -3212,8 +2853,8 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
       })
     );
     lambda.addToRolePolicy(
-      new PolicyStatement7({
-        effect: Effect7.ALLOW,
+      new PolicyStatement5({
+        effect: Effect5.ALLOW,
         actions: ["secretsmanager:GetSecretValue"],
         resources: [postgresSecretArn]
       })
@@ -3231,15 +2872,15 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
     ];
     dataStoreTable.grant(lambda, ...dynamoActions);
     lambda.addToRolePolicy(
-      new PolicyStatement7({
-        effect: Effect7.ALLOW,
+      new PolicyStatement5({
+        effect: Effect5.ALLOW,
         actions: [...dynamoActions],
         resources: [`${dataStoreTable.tableArn}/index/*`]
       })
     );
     lambda.addToRolePolicy(
-      new PolicyStatement7({
-        effect: Effect7.ALLOW,
+      new PolicyStatement5({
+        effect: Effect5.ALLOW,
         actions: [
           "ssm:GetParameter",
           "ssm:GetParameters",
@@ -3320,11 +2961,18 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
     const { corsPreflight: cors, ...restRootHttpApiProps } = this.props.rootHttpApiProps ?? {};
     const isNonProd = this.ohEnv.ohStage.stageType !== import_config5.OPEN_HI_STAGE.PROD;
     const callerOrigins = cors?.allowOrigins ?? [];
-    const mergedOrigins = isNonProd ? Array.from(/* @__PURE__ */ new Set([...callerOrigins, ...DEV_CORS_ALLOW_ORIGINS])) : callerOrigins;
-    const corsPreflight = cors !== void 0 || isNonProd ? this.buildCorsPreflightOptions(mergedOrigins, cors) : void 0;
+    const autoOrigins = this.resolveAutoInjectedCorsOrigins();
+    const mergedOrigins = Array.from(
+      /* @__PURE__ */ new Set([
+        ...callerOrigins,
+        ...autoOrigins,
+        ...isNonProd ? DEV_CORS_ALLOW_ORIGINS : []
+      ])
+    );
+    const corsPreflight = this.buildCorsPreflightOptions(mergedOrigins, cors);
     const rootHttpApi = new RootHttpApi(this, {
       ...restRootHttpApiProps,
-      ...corsPreflight !== void 0 && { corsPreflight },
+      corsPreflight,
       defaultDomainMapping: {
         domainName,
         mappingKey: void 0
@@ -3338,6 +2986,33 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
     });
     return rootHttpApi;
   }
+  /**
+   * Returns the admin-console and marketing-website origins this REST API
+   * stack should accept by default, composed from the same branch context
+   * the website service will see at synth time. Both hostnames are
+   * `https://`-only — they always resolve to real DNS records.
+   *
+   * Auto-injected on every stage (no `isNonProd` gate) so the admin SPA can
+   * call the API cross-origin without the caller having to predict the
+   * per-deploy hostname. Override to customize the auto-injected set.
+   */
+  resolveAutoInjectedCorsOrigins() {
+    const zoneName = this.props.config.zoneName;
+    const adminHost = OpenHiWebsiteService.composeFullDomain({
+      domainPrefix: ADMIN_DOMAIN_PREFIX,
+      branchName: this.branchName,
+      defaultReleaseBranch: this.defaultReleaseBranch,
+      childZonePrefix: this.childZonePrefix,
+      zoneName
+    });
+    const websiteHost = OpenHiWebsiteService.composeFullDomain({
+      branchName: this.branchName,
+      defaultReleaseBranch: this.defaultReleaseBranch,
+      childZonePrefix: this.childZonePrefix,
+      zoneName
+    });
+    return [`https://${adminHost}`, `https://${websiteHost}`];
+  }
   /**
    * Builds the full `CorsPreflightOptions` from a merged origins array,
    * filling defaults for `allowMethods`/`allowHeaders`/`allowCredentials`/
@@ -3357,7 +3032,7 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
       ],
       allowHeaders: cors?.allowHeaders ?? ["Content-Type", "Authorization"],
       allowCredentials: cors?.allowCredentials ?? true,
-      maxAge: cors?.maxAge ?? Duration10.days(1),
+      maxAge: cors?.maxAge ?? Duration9.days(1),
       ...cors?.exposeHeaders !== void 0 && {
         exposeHeaders: cors.exposeHeaders
       }
@@ -3375,7 +3050,7 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
    * client-side from `window.location.origin`.
    */
   resolveRuntimeConfigEnvVars() {
-    const cognitoScope = new Construct21(this, "runtime-config");
+    const cognitoScope = new Construct19(this, "runtime-config");
     const userPool = OpenHiAuthService.userPoolFromConstruct(cognitoScope);
     const userPoolClient = OpenHiAuthService.userPoolClientFromConstruct(cognitoScope);
     const cognitoDomainUrl = OpenHiAuthService.userPoolDomainBaseUrlFromConstruct(cognitoScope);
@@ -3386,342 +3061,761 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
       OPENHI_RUNTIME_CONFIG_API_BASE_URL: `https://${this.apiDomainName}`
     };
   }
-};
-_OpenHiRestApiService.SERVICE_TYPE = "rest-api";
-/**
- * Sub-domain prefix used by the REST API. Release-branch hostname is
- * `api.<zone>`; per-PR preview hostname is `api-<childZonePrefix>.<zone>`.
- */
-_OpenHiRestApiService.API_DOMAIN_PREFIX = "api";
-var OpenHiRestApiService = _OpenHiRestApiService;
-// src/services/open-hi-graphql-service.ts
-import {
-  AuthorizationType,
-  UserPoolDefaultAction
-} from "aws-cdk-lib/aws-appsync";
-var _OpenHiGraphqlService = class _OpenHiGraphqlService extends OpenHiService {
+};
+_OpenHiRestApiService.SERVICE_TYPE = "rest-api";
+/**
+ * Sub-domain prefix used by the REST API. Release-branch hostname is
+ * `api.<zone>`; per-PR preview hostname is `api-<childZonePrefix>.<zone>`.
+ */
+_OpenHiRestApiService.API_DOMAIN_PREFIX = "api";
+var OpenHiRestApiService = _OpenHiRestApiService;
+// src/services/open-hi-website-service.ts
+var SSM_PARAM_NAME_FULL_DOMAIN = "WEBSITE_FULL_DOMAIN";
+var ADMIN_DOMAIN_PREFIX = "admin";
+var _OpenHiWebsiteService = class _OpenHiWebsiteService extends OpenHiService {
+  /**
+   * Compose the website's full per-deploy domain. Thin wrapper over
+   * {@link OpenHiService.composeServiceDomain} that fills in
+   * {@link DEFAULT_DOMAIN_PREFIX} when `domainPrefix` is omitted.
+   *
+   * Use from sibling stacks that need to predict the website's hostname
+   * before the website stack is synthesised — e.g. the REST API stack
+   * computing its CORS `allowOrigins` for the admin-console.
+   */
+  static composeFullDomain(opts) {
+    return OpenHiService.composeServiceDomain({
+      ...opts,
+      domainPrefix: opts.domainPrefix ?? _OpenHiWebsiteService.DEFAULT_DOMAIN_PREFIX
+    });
+  }
+  /**
+   * Looks up the static-hosting bucket ARN published by the release-branch
+   * deploy of this service.
+   */
+  static bucketArnFromConstruct(scope) {
+    return DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: StaticHosting.SSM_PARAM_NAME_BUCKET_ARN,
+      serviceType: _OpenHiWebsiteService.SERVICE_TYPE
+    });
+  }
+  /**
+   * Looks up the CloudFront distribution ARN published by the release-branch
+   * deploy of this service.
+   */
+  static distributionArnFromConstruct(scope) {
+    return DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: StaticHosting.SSM_PARAM_NAME_DISTRIBUTION_ARN,
+      serviceType: _OpenHiWebsiteService.SERVICE_TYPE
+    });
+  }
+  /**
+   * Looks up the CloudFront distribution domain
+   * (e.g. dXXXXX.cloudfront.net) published by the release-branch deploy.
+   */
+  static distributionDomainFromConstruct(scope) {
+    return DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: StaticHosting.SSM_PARAM_NAME_DISTRIBUTION_DOMAIN,
+      serviceType: _OpenHiWebsiteService.SERVICE_TYPE
+    });
+  }
+  /**
+   * Looks up the CloudFront distribution ID published by the release-branch
+   * deploy of this service.
+   */
+  static distributionIdFromConstruct(scope) {
+    return DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: StaticHosting.SSM_PARAM_NAME_DISTRIBUTION_ID,
+      serviceType: _OpenHiWebsiteService.SERVICE_TYPE
+    });
+  }
+  /**
+   * Looks up the website's full domain (e.g. www.example.com) published by
+   * the release-branch deploy of this service.
+   */
+  static fullDomainFromConstruct(scope) {
+    return DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: SSM_PARAM_NAME_FULL_DOMAIN,
+      serviceType: _OpenHiWebsiteService.SERVICE_TYPE
+    });
+  }
+  get serviceType() {
+    return _OpenHiWebsiteService.SERVICE_TYPE;
+  }
+  constructor(ohEnv, props) {
+    super(ohEnv, _OpenHiWebsiteService.SERVICE_TYPE, props);
+    this.props = props;
+    this.validateConfig(props);
+    const isReleaseBranch = this.branchName === this.defaultReleaseBranch;
+    const hostedZone = this.createHostedZone();
+    this.fullDomain = this.computeFullDomain(hostedZone);
+    const shouldCreateHostingInfra = props.createHostingInfrastructure ?? isReleaseBranch;
+    if (shouldCreateHostingInfra) {
+      const certificate = this.createCertificate();
+      this.staticHosting = this.createStaticHosting({
+        certificate,
+        hostedZone
+      });
+      this.createFullDomainParameter();
+    } else if (!isReleaseBranch) {
+      this.perBranchHostname = this.createPerBranchHostname(hostedZone);
+    }
+    if (props.createStaticContent !== false) {
+      const bucket = this.resolveStaticHostingBucket();
+      this.staticContent = this.createStaticContent(bucket);
+    }
+  }
+  /**
+   * Validates that config required for the website stack is present.
+   */
+  validateConfig(props) {
+    const { config } = props;
+    if (!config) {
+      throw new Error("Config is required");
+    }
+    if (!config.zoneName) {
+      throw new Error("Zone name is required");
+    }
+    if (!config.hostedZoneId) {
+      throw new Error("Hosted zone ID is required to import the website zone");
+    }
+  }
+  /**
+   * Imports the website's hosted zone from config attributes (no SSM lookup).
+   * The website attaches DNS records here on the release-branch deploy and
+   * the same zone is imported on feature-branch deploys for any sub-domain
+   * routing.
+   * Override to customize.
+   */
+  createHostedZone() {
+    return OpenHiGlobalService.rootHostedZoneFromConstruct(this, {
+      zoneName: this.config.zoneName,
+      hostedZoneId: this.config.hostedZoneId
+    });
+  }
+  /**
+   * Returns the wildcard certificate looked up from the Global service.
+   * Override to customize.
+   */
+  createCertificate() {
+    return OpenHiGlobalService.rootWildcardCertificateFromConstruct(this);
+  }
+  /**
+   * Computes the full website domain from `domainPrefix`,
+   * `childZonePrefix`, and the child zone name. Release-branch deploys
+   * serve at `\<domainPrefix\>.\<zone\>` (e.g. `admin.dev.openhi.org`);
+   * every other deploy serves a per-PR preview at
+   * `\<domainPrefix\>-\<childZonePrefix\>.\<zone\>`
+   * (e.g. `admin-feat-1093-patient-migration.dev.openhi.org`).
+   *
+   * Delegates to {@link OpenHiWebsiteService.composeFullDomain} so the
+   * release-vs-feature composition stays in one place.
+   */
+  computeFullDomain(hostedZone) {
+    return _OpenHiWebsiteService.composeFullDomain({
+      domainPrefix: this.props.domainPrefix,
+      branchName: this.branchName,
+      defaultReleaseBranch: this.defaultReleaseBranch,
+      childZonePrefix: this.childZonePrefix,
+      zoneName: hostedZone.zoneName
+    });
+  }
+  /**
+   * Returns the sub-domain label (left of the zone) for the current
+   * deploy. Used for the per-branch S3 key prefix passed to
+   * {@link StaticContent} so the upload prefix always matches the
+   * served hostname.
+   *
+   * Non-release deploys compose the per-PR slug as
+   * `\<domainPrefix\>-\<childZonePrefix\>`, mirroring the REST API's
+   * `api-\<childZonePrefix\>` convention. When `domainPrefix` is `admin`
+   * (the only consumer today), the resulting sub-domain starts with
+   * {@link PER_BRANCH_PREVIEW_PREFIX}, so the per-PR S3 key prefix
+   * matches what `StaticHosting`'s lifecycle rule expires.
+   */
+  computeSubDomain() {
+    const isReleaseBranch = this.branchName === this.defaultReleaseBranch;
+    const domainPrefix = this.props.domainPrefix ?? _OpenHiWebsiteService.DEFAULT_DOMAIN_PREFIX;
+    if (isReleaseBranch) {
+      return domainPrefix;
+    }
+    return `${domainPrefix}-${this.childZonePrefix}`;
+  }
+  /**
+   * Creates the StaticHosting infrastructure (bucket + distribution +
+   * Lambda@Edge + 4 SSM params + DNS). The release-branch distribution
+   * adds `*.\<zone\>` as a wildcard alt-name on top of the canonical
+   * hostname so per-PR previews resolve via the same distribution.
+   *
+   * The bucket carries an S3 lifecycle rule that expires per-PR
+   * preview content (keys under {@link PER_BRANCH_PREVIEW_PREFIX})
+   * on non-production stages. PROD never gets the rule — see
+   * `enablePreviewLifecycle`.
+   */
+  createStaticHosting(deps) {
+    const restApi = this.props.restApi === true ? this.resolveRestApi() : void 0;
+    const wildcardSan = `*.${deps.hostedZone.zoneName}`;
+    return new StaticHosting(this, "static-hosting", {
+      serviceType: _OpenHiWebsiteService.SERVICE_TYPE,
+      certificate: deps.certificate,
+      hostedZone: deps.hostedZone,
+      domainNames: [this.fullDomain, wildcardSan],
+      description: `OpenHI website (${this.fullDomain})`,
+      prefixPattern: PER_BRANCH_PREVIEW_PREFIX,
+      enablePreviewLifecycle: this.ohEnv.ohStage.stageType !== import_config6.OPEN_HI_STAGE.PROD,
+      ...restApi !== void 0 && { restApi }
+    });
+  }
+  /**
+   * Resolves the REST API custom-domain hostname from the rest-api stack's
+   * `REST_API_DOMAIN_NAME` SSM parameter. Wrapped in a private method so
+   * it can be overridden / stubbed in subclasses and tests.
+   */
+  resolveRestApi() {
+    return {
+      domainName: OpenHiRestApiService.restApiDomainNameFromConstruct(this)
+    };
+  }
+  /**
+   * Creates the SSM parameter that publishes the website's full domain.
+   * Look up via {@link OpenHiWebsiteService.fullDomainFromConstruct}.
+   */
+  createFullDomainParameter() {
+    new DiscoverableStringParameter(this, "full-domain-param", {
+      ssmParamName: SSM_PARAM_NAME_FULL_DOMAIN,
+      serviceType: _OpenHiWebsiteService.SERVICE_TYPE,
+      stringValue: this.fullDomain,
+      description: "Full website domain (e.g. www.example.com)"
+    });
+  }
+  /**
+   * Creates the StaticContent uploader. Receives the resolved static-hosting
+   * bucket from the constructor — on the release-branch deploy this is the
+   * just-created {@link staticHosting} bucket (no SSM round-trip within a
+   * single stack); on every other deploy it is imported from the bucket ARN
+   * the release-branch deploy publishes to SSM, addressed against
+   * {@link OpenHiService.releaseBranchHash}. See
+   * {@link resolveStaticHostingBucket}.
+   *
+   * The S3 key prefix is `\<sub-domain\>.\<zone\>/\<contentDest\>` so the
+   * upload location matches the Host-header-derived folder the Lambda@Edge
+   * viewer-request handler prepends. Passing the zone name (rather than
+   * `this.fullDomain`) for the `fullDomain` prop keeps the prefix flat —
+   * `admin-feat-foo.dev.openhi.org/`, not
+   * `admin-feat-foo.admin.dev.openhi.org/`.
+   */
+  createStaticContent(bucket) {
+    const { contentSourceDirectory, contentDestinationDirectory } = this.props;
+    return new StaticContent(this, "static-content", {
+      bucket,
+      contentSourceDirectory,
+      contentDestinationDirectory,
+      subDomain: this.computeSubDomain(),
+      fullDomain: this.config.zoneName
+    });
+  }
+  /**
+   * Creates the per-PR `PerBranchHostname` alias record on non-release
+   * branch deploys. The record points
+   * `\<domainPrefix\>-\<childZonePrefix\>.\<zone\>` at the release-branch
+   * CloudFront distribution (resolved from SSM against
+   * {@link OpenHiService.releaseBranchHash}).
+   */
+  createPerBranchHostname(hostedZone) {
+    return new PerBranchHostname(this, "per-branch-hostname", {
+      hostname: this.fullDomain,
+      hostedZone,
+      serviceType: _OpenHiWebsiteService.SERVICE_TYPE
+    });
+  }
+  /**
+   * Returns an {@link IBucket} pointing at the static-hosting bucket the
+   * uploaders write to. On the release-branch deploy this is the bucket
+   * just provisioned by {@link staticHosting}; on every other deploy it's
+   * imported from the bucket ARN the release-branch deploy publishes to
+   * SSM, addressed against {@link OpenHiService.releaseBranchHash}.
+   */
+  resolveStaticHostingBucket() {
+    if (this.staticHosting) {
+      return this.staticHosting.bucket;
+    }
+    const bucketArn = DiscoverableStringParameter.valueForLookupName(this, {
+      ssmParamName: StaticHosting.SSM_PARAM_NAME_BUCKET_ARN,
+      serviceType: _OpenHiWebsiteService.SERVICE_TYPE,
+      branchHash: this.releaseBranchHash
+    });
+    return Bucket3.fromBucketArn(this, "shared-bucket", bucketArn);
+  }
+};
+_OpenHiWebsiteService.SERVICE_TYPE = "website";
+/**
+ * Default `domainPrefix` for this service when none is supplied.
+ * Release-branch hostname is `www.<zone>`; per-PR preview hostname is
+ * `www-<childZonePrefix>.<zone>`.
+ */
+_OpenHiWebsiteService.DEFAULT_DOMAIN_PREFIX = "www";
+var OpenHiWebsiteService = _OpenHiWebsiteService;
+// src/workflows/control-plane/user-onboarding/provision-default-workspace-lambda.ts
+import fs12 from "fs";
+import path12 from "path";
+import { Duration as Duration10 } from "aws-cdk-lib";
+import { Rule as Rule4 } from "aws-cdk-lib/aws-events";
+import { LambdaFunction as LambdaFunction4 } from "aws-cdk-lib/aws-events-targets";
+import { Effect as Effect6, PolicyStatement as PolicyStatement6 } from "aws-cdk-lib/aws-iam";
+import { Runtime as Runtime12 } from "aws-cdk-lib/aws-lambda";
+import { NodejsFunction as NodejsFunction12 } from "aws-cdk-lib/aws-lambda-nodejs";
+import { Construct as Construct20 } from "constructs";
+var HANDLER_NAME11 = "provision-default-workspace.handler.js";
+function resolveHandlerEntry11(dirname) {
+  const sameDir = path12.join(dirname, HANDLER_NAME11);
+  if (fs12.existsSync(sameDir)) {
+    return sameDir;
+  }
+  return path12.join(dirname, "..", "..", "..", "..", "lib", HANDLER_NAME11);
+}
+var ProvisionDefaultWorkspaceLambda = class extends Construct20 {
+  constructor(scope, props) {
+    super(scope, "provision-default-workspace-lambda");
+    this.lambda = new NodejsFunction12(this, "handler", {
+      entry: resolveHandlerEntry11(__dirname),
+      runtime: Runtime12.NODEJS_LATEST,
+      memorySize: 1024,
+      environment: {
+        DYNAMO_TABLE_NAME: props.dataStoreTable.tableName
+      }
+    });
+    props.dataStoreTable.grant(
+      this.lambda,
+      "dynamodb:PutItem",
+      "dynamodb:UpdateItem"
+    );
+    this.lambda.addToRolePolicy(
+      new PolicyStatement6({
+        effect: Effect6.ALLOW,
+        actions: ["dynamodb:Query"],
+        resources: [`${props.dataStoreTable.tableArn}/index/*`]
+      })
+    );
+    this.rule = new Rule4(this, "rule", {
+      eventBus: props.controlEventBus,
+      eventPattern: {
+        source: [USER_ONBOARDING_EVENT_SOURCE],
+        detailType: [PROVISION_DEFAULT_WORKSPACE_DETAIL_TYPE]
+      },
+      targets: [
+        new LambdaFunction4(this.lambda, {
+          retryAttempts: 2,
+          maxEventAge: Duration10.hours(2)
+        })
+      ]
+    });
+  }
+};
+// src/workflows/control-plane/user-onboarding/user-onboarding-workflow.ts
+import { Construct as Construct21 } from "constructs";
+var UserOnboardingWorkflow = class extends Construct21 {
+  constructor(scope, props) {
+    super(scope, "user-onboarding-workflow");
+    this.provisionDefaultWorkspace = new ProvisionDefaultWorkspaceLambda(this, {
+      dataStoreTable: props.dataStoreTable,
+      controlEventBus: props.controlEventBus
+    });
+  }
+};
+// src/services/open-hi-auth-service.ts
+var LOCALHOST_OAUTH_CALLBACK_URLS = [
+  "http://localhost:3000/oauth/callback",
+  "https://localhost:3000/oauth/callback"
+];
+var LOCALHOST_OAUTH_LOGOUT_URLS = [
+  "http://localhost:3000/oauth/logout",
+  "https://localhost:3000/oauth/logout"
+];
+var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
+  constructor(ohEnv, props = {}) {
+    super(ohEnv, _OpenHiAuthService.SERVICE_TYPE, props);
+    /**
+     * Cross-stack reference to the data store table. Cached so repeated
+     * lookups share a single CDK construct id ("dynamo-db-data-store") in
+     * this stack — a second `Table.fromTableName` call under the same scope
+     * would collide.
+     */
+    this._dataStoreTable = null;
+    this._controlEventBus = null;
+    this.props = props;
+    this.userPoolKmsKey = this.createUserPoolKmsKey();
+    this.preTokenGenerationLambda = this.createPreTokenGenerationLambda();
+    this.postAuthenticationLambda = this.createPostAuthenticationLambda();
+    this.postConfirmationLambda = this.createPostConfirmationLambda();
+    this.userOnboardingWorkflow = this.createUserOnboardingWorkflow();
+    this.userPool = this.createUserPool();
+    this.grantPreTokenGenerationPermissions();
+    this.grantPostAuthenticationPermissions();
+    this.grantPostConfirmationPermissions();
+    this.userPoolClient = this.createUserPoolClient();
+    this.userPoolDomain = this.createUserPoolDomain();
+  }
   /**
-   * Returns the GraphQL API by looking up the GraphQL stack's API ID from SSM.
-   * Use from other stacks to obtain an IGraphqlApi reference.
+   * Returns an IUserPool by looking up the Auth stack's User Pool ID from SSM.
    */
-  static graphqlApiFromConstruct(scope) {
-    return RootGraphqlApi.fromConstruct(scope);
-  }
-  get serviceType() {
-    return _OpenHiGraphqlService.SERVICE_TYPE;
-  }
-  constructor(ohEnv, props = {}) {
-    super(ohEnv, _OpenHiGraphqlService.SERVICE_TYPE, props);
-    this.props = props;
-    this.rootGraphqlApi = this.createRootGraphqlApi();
+  static userPoolFromConstruct(scope) {
+    const userPoolId = DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: CognitoUserPool.SSM_PARAM_NAME,
+      serviceType: _OpenHiAuthService.SERVICE_TYPE
+    });
+    return UserPool2.fromUserPoolId(scope, "user-pool", userPoolId);
   }
-  /** Creates the root GraphQL API with Cognito user pool. */
-  createRootGraphqlApi() {
-    const userPool = OpenHiAuthService.userPoolFromConstruct(this);
-    return new RootGraphqlApi(this, {
-      authorizationConfig: {
-        defaultAuthorization: {
-          authorizationType: AuthorizationType.USER_POOL,
-          userPoolConfig: {
-            userPool,
-            defaultAction: UserPoolDefaultAction.ALLOW
-          }
-        }
+  /**
+   * Returns an IUserPoolClient by looking up the Auth stack's User Pool Client ID from SSM.
+   */
+  static userPoolClientFromConstruct(scope) {
+    const userPoolClientId = DiscoverableStringParameter.valueForLookupName(
+      scope,
+      {
+        ssmParamName: CognitoUserPoolClient.SSM_PARAM_NAME,
+        serviceType: _OpenHiAuthService.SERVICE_TYPE
       }
+    );
+    return UserPoolClient2.fromUserPoolClientId(
+      scope,
+      "user-pool-client",
+      userPoolClientId
+    );
+  }
+  /**
+   * Returns an IUserPoolDomain by looking up the Auth stack's User Pool Domain from SSM.
+   */
+  static userPoolDomainFromConstruct(scope) {
+    const domainName = DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: CognitoUserPoolDomain.SSM_PARAM_NAME,
+      serviceType: _OpenHiAuthService.SERVICE_TYPE
     });
+    return UserPoolDomain2.fromDomainName(scope, "user-pool-domain", domainName);
   }
-};
-_OpenHiGraphqlService.SERVICE_TYPE = "graphql-api";
-var OpenHiGraphqlService = _OpenHiGraphqlService;
-// src/services/open-hi-website-service.ts
-var import_config6 = __toESM(require_lib2());
-import { Bucket as Bucket3 } from "aws-cdk-lib/aws-s3";
-var SSM_PARAM_NAME_FULL_DOMAIN = "WEBSITE_FULL_DOMAIN";
-var ADMIN_DOMAIN_PREFIX = "admin";
-var _OpenHiWebsiteService = class _OpenHiWebsiteService extends OpenHiService {
   /**
-   * Compose the website's full per-deploy domain. Thin wrapper over
-   * {@link OpenHiService.composeServiceDomain} that fills in
-   * {@link DEFAULT_DOMAIN_PREFIX} when `domainPrefix` is omitted.
+   * Returns the full Cognito Hosted UI base URL (e.g.
+   * `https://auth-abc.auth.us-east-2.amazoncognito.com`) by looking up
+   * the Auth stack's User Pool Domain from SSM and composing it with the
+   * calling stack's region.
    *
-   * Use from sibling stacks that need to predict the website's hostname
-   * before the website stack is synthesised — e.g. the REST API stack
-   * computing its CORS `allowOrigins` for the admin-console.
+   * Equivalent to `UserPoolDomain.baseUrl()` on the concrete construct,
+   * but works across stacks where the looked-up `IUserPoolDomain` is an
+   * `Import` and does not carry the `baseUrl()` method. Assumes the
+   * domain was created as a Cognito-managed prefix domain (the only
+   * variant `OpenHiAuthService.createUserPoolDomain` produces).
    */
-  static composeFullDomain(opts) {
-    return OpenHiService.composeServiceDomain({
-      ...opts,
-      domainPrefix: opts.domainPrefix ?? _OpenHiWebsiteService.DEFAULT_DOMAIN_PREFIX
+  static userPoolDomainBaseUrlFromConstruct(scope) {
+    const domainName = DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: CognitoUserPoolDomain.SSM_PARAM_NAME,
+      serviceType: _OpenHiAuthService.SERVICE_TYPE
     });
+    const region = Stack7.of(scope).region;
+    return `https://${domainName}.auth.${region}.amazoncognito.com`;
   }
   /**
-   * Looks up the static-hosting bucket ARN published by the release-branch
-   * deploy of this service.
+   * Returns an IKey (KMS) by looking up the Auth stack's User Pool KMS Key ARN from SSM.
    */
-  static bucketArnFromConstruct(scope) {
-    return DiscoverableStringParameter.valueForLookupName(scope, {
-      ssmParamName: StaticHosting.SSM_PARAM_NAME_BUCKET_ARN,
-      serviceType: _OpenHiWebsiteService.SERVICE_TYPE
+  static userPoolKmsKeyFromConstruct(scope) {
+    const keyArn = DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: CognitoUserPoolKmsKey.SSM_PARAM_NAME,
+      serviceType: _OpenHiAuthService.SERVICE_TYPE
     });
+    return Key2.fromKeyArn(scope, "kms-key", keyArn);
+  }
+  get serviceType() {
+    return _OpenHiAuthService.SERVICE_TYPE;
   }
   /**
-   * Looks up the CloudFront distribution ARN published by the release-branch
-   * deploy of this service.
+   * Creates the KMS key for the Cognito User Pool and exports its ARN to SSM.
+   * Look up via {@link OpenHiAuthService.userPoolKmsKeyFromConstruct}.
+   * Override to customize.
    */
-  static distributionArnFromConstruct(scope) {
-    return DiscoverableStringParameter.valueForLookupName(scope, {
-      ssmParamName: StaticHosting.SSM_PARAM_NAME_DISTRIBUTION_ARN,
-      serviceType: _OpenHiWebsiteService.SERVICE_TYPE
+  createUserPoolKmsKey() {
+    const key = new CognitoUserPoolKmsKey(this);
+    new DiscoverableStringParameter(this, "kms-key-param", {
+      ssmParamName: CognitoUserPoolKmsKey.SSM_PARAM_NAME,
+      stringValue: key.keyArn,
+      description: "KMS key ARN for Cognito User Pool (e.g. custom sender); cross-stack reference"
     });
+    return key;
   }
   /**
-   * Looks up the CloudFront distribution domain
-   * (e.g. dXXXXX.cloudfront.net) published by the release-branch deploy.
+   * Creates the Pre Token Generation Lambda (Cognito trigger). On every
+   * sign-in and token refresh the Lambda resolves the User by Cognito `sub`
+   * (GSI2) and injects `ohi_tid`, `ohi_wid`, `ohi_uid`, `ohi_uname` into
+   * both the ID token and the access token (ADR 2026-03-17-01).
    */
-  static distributionDomainFromConstruct(scope) {
-    return DiscoverableStringParameter.valueForLookupName(scope, {
-      ssmParamName: StaticHosting.SSM_PARAM_NAME_DISTRIBUTION_DOMAIN,
-      serviceType: _OpenHiWebsiteService.SERVICE_TYPE
+  createPreTokenGenerationLambda() {
+    const construct = new PreTokenGenerationLambda(this, {
+      dynamoTableName: this.dataStoreTable().tableName
     });
+    return construct.lambda;
   }
   /**
-   * Looks up the CloudFront distribution ID published by the release-branch
-   * deploy of this service.
+   * Creates the Post Authentication Lambda (Cognito trigger). Calls
+   * AdminUserGlobalSignOut on every sign-in to enforce single-device-per-user
+   * sessions per ADR 2026-03-17-01.
    */
-  static distributionIdFromConstruct(scope) {
-    return DiscoverableStringParameter.valueForLookupName(scope, {
-      ssmParamName: StaticHosting.SSM_PARAM_NAME_DISTRIBUTION_ID,
-      serviceType: _OpenHiWebsiteService.SERVICE_TYPE
-    });
+  createPostAuthenticationLambda() {
+    const construct = new PostAuthenticationLambda(this);
+    return construct.lambda;
   }
   /**
-   * Looks up the website's full domain (e.g. www.example.com) published by
-   * the release-branch deploy of this service.
+   * Creates the Post Confirmation Lambda (Cognito trigger). On sign-up
+   * confirmation, publishes a control-plane workflow event; provisioning lives
+   * behind EventBridge.
    */
-  static fullDomainFromConstruct(scope) {
-    return DiscoverableStringParameter.valueForLookupName(scope, {
-      ssmParamName: SSM_PARAM_NAME_FULL_DOMAIN,
-      serviceType: _OpenHiWebsiteService.SERVICE_TYPE
+  createPostConfirmationLambda() {
+    const construct = new PostConfirmationLambda(this, {
+      controlEventBusName: this.controlEventBus().eventBusName
     });
+    return construct.lambda;
   }
-  get serviceType() {
-    return _OpenHiWebsiteService.SERVICE_TYPE;
+  createUserOnboardingWorkflow() {
+    return new UserOnboardingWorkflow(this, {
+      controlEventBus: this.controlEventBus(),
+      dataStoreTable: this.dataStoreTable()
+    });
   }
-  constructor(ohEnv, props) {
-    super(ohEnv, _OpenHiWebsiteService.SERVICE_TYPE, props);
-    this.props = props;
-    this.validateConfig(props);
-    const isReleaseBranch = this.branchName === this.defaultReleaseBranch;
-    const hostedZone = this.createHostedZone();
-    this.fullDomain = this.computeFullDomain(hostedZone);
-    const shouldCreateHostingInfra = props.createHostingInfrastructure ?? isReleaseBranch;
-    if (shouldCreateHostingInfra) {
-      const certificate = this.createCertificate();
-      this.staticHosting = this.createStaticHosting({
-        certificate,
-        hostedZone
-      });
-      this.createFullDomainParameter();
-    } else if (!isReleaseBranch) {
-      this.perBranchHostname = this.createPerBranchHostname(hostedZone);
-    }
-    if (props.createStaticContent !== false) {
-      const bucket = this.resolveStaticHostingBucket();
-      this.staticContent = this.createStaticContent(bucket);
+  dataStoreTable() {
+    if (this._dataStoreTable === null) {
+      this._dataStoreTable = OpenHiDataService.dynamoDbDataStoreFromConstruct(this);
     }
+    return this._dataStoreTable;
   }
-  /**
-   * Validates that config required for the website stack is present.
-   */
-  validateConfig(props) {
-    const { config } = props;
-    if (!config) {
-      throw new Error("Config is required");
-    }
-    if (!config.zoneName) {
-      throw new Error("Zone name is required");
-    }
-    if (!config.hostedZoneId) {
-      throw new Error("Hosted zone ID is required to import the website zone");
+  controlEventBus() {
+    if (this._controlEventBus === null) {
+      this._controlEventBus = OpenHiGlobalService.controlEventBusFromConstruct(this);
     }
+    return this._controlEventBus;
   }
   /**
-   * Imports the website's hosted zone from config attributes (no SSM lookup).
-   * The website attaches DNS records here on the release-branch deploy and
-   * the same zone is imported on feature-branch deploys for any sub-domain
-   * routing.
+   * Creates the Cognito User Pool and exports its ID to SSM.
+   * Look up via {@link OpenHiAuthService.userPoolFromConstruct}.
    * Override to customize.
    */
-  createHostedZone() {
-    return OpenHiGlobalService.rootHostedZoneFromConstruct(this, {
-      zoneName: this.config.zoneName,
-      hostedZoneId: this.config.hostedZoneId
+  createUserPool() {
+    const userPool = new CognitoUserPool(this, {
+      ...this.props.userPoolProps,
+      customSenderKmsKey: this.userPoolKmsKey
+    });
+    userPool.addTrigger(
+      UserPoolOperation.PRE_TOKEN_GENERATION_CONFIG,
+      this.preTokenGenerationLambda,
+      LambdaVersion.V2_0
+    );
+    userPool.addTrigger(
+      UserPoolOperation.POST_AUTHENTICATION,
+      this.postAuthenticationLambda
+    );
+    userPool.addTrigger(
+      UserPoolOperation.POST_CONFIRMATION,
+      this.postConfirmationLambda
+    );
+    new DiscoverableStringParameter(this, "user-pool-param", {
+      ssmParamName: CognitoUserPool.SSM_PARAM_NAME,
+      stringValue: userPool.userPoolId,
+      description: "Cognito User Pool ID for this Auth stack; cross-stack reference"
     });
+    return userPool;
   }
   /**
-   * Returns the wildcard certificate looked up from the Global service.
-   * Override to customize.
+   * Grants the Pre Token Generation Lambda read-only access on the data
+   * store table and its GSIs. The Lambda only needs:
+   * - `Query` on GSI2 to resolve a User by Cognito `sub`
+   * - `GetItem` on the base table for direct User reads
+   *
+   * No write or scan access: a User missing `currentTenant`/`currentWorkspace`
+   * falls into the absent-claims path; repair belongs in a separate backfill.
    */
-  createCertificate() {
-    return OpenHiGlobalService.rootWildcardCertificateFromConstruct(this);
+  grantPreTokenGenerationPermissions() {
+    const dataStoreTable = this.dataStoreTable();
+    const dynamoActions = ["dynamodb:GetItem", "dynamodb:Query"];
+    dataStoreTable.grant(this.preTokenGenerationLambda, ...dynamoActions);
+    this.preTokenGenerationLambda.addToRolePolicy(
+      new PolicyStatement7({
+        effect: Effect7.ALLOW,
+        actions: [...dynamoActions],
+        resources: [`${dataStoreTable.tableArn}/index/*`]
+      })
+    );
   }
   /**
-   * Computes the full website domain from `domainPrefix`,
-   * `childZonePrefix`, and the child zone name. Release-branch deploys
-   * serve at `\<domainPrefix\>.\<zone\>` (e.g. `admin.dev.openhi.org`);
-   * every other deploy serves a per-PR preview at
-   * `\<domainPrefix\>-\<childZonePrefix\>.\<zone\>`
-   * (e.g. `admin-feat-1093-patient-migration.dev.openhi.org`).
+   * Grants the Post Authentication Lambda permission to call
+   * `cognito-idp:AdminUserGlobalSignOut`.
    *
-   * Delegates to {@link OpenHiWebsiteService.composeFullDomain} so the
-   * release-vs-feature composition stays in one place.
+   * Scoped via `Stack.of(this).formatArn` rather than `userPool.userPoolArn`
+   * because the User Pool registers this Lambda as a Post Authentication
+   * trigger, creating the cycle:
+   *   userPool → lambda (trigger ARN) → role policy → userPool ARN.
+   * Using `formatArn` avoids referencing the User Pool resource directly
+   * while still scoping to user pools in this account+region. The Lambda
+   * is invoked only by Cognito with a Cognito-provided `event.userPoolId`,
+   * so the runtime target is constrained by the trigger contract.
    */
-  computeFullDomain(hostedZone) {
-    return _OpenHiWebsiteService.composeFullDomain({
-      domainPrefix: this.props.domainPrefix,
-      branchName: this.branchName,
-      defaultReleaseBranch: this.defaultReleaseBranch,
-      childZonePrefix: this.childZonePrefix,
-      zoneName: hostedZone.zoneName
-    });
+  grantPostAuthenticationPermissions() {
+    this.postAuthenticationLambda.addToRolePolicy(
+      new PolicyStatement7({
+        actions: ["cognito-idp:AdminUserGlobalSignOut"],
+        resources: [
+          Stack7.of(this).formatArn({
+            service: "cognito-idp",
+            resource: "userpool",
+            resourceName: "*"
+          })
+        ]
+      })
+    );
   }
   /**
-   * Returns the sub-domain label (left of the zone) for the current
-   * deploy. Used for the per-branch S3 key prefix passed to
-   * {@link StaticContent} so the upload prefix always matches the
-   * served hostname.
-   *
-   * Non-release deploys compose the per-PR slug as
-   * `\<domainPrefix\>-\<childZonePrefix\>`, mirroring the REST API's
-   * `api-\<childZonePrefix\>` convention. When `domainPrefix` is `admin`
-   * (the only consumer today), the resulting sub-domain starts with
-   * {@link PER_BRANCH_PREVIEW_PREFIX}, so the per-PR S3 key prefix
-   * matches what `StaticHosting`'s lifecycle rule expires.
+   * Grants the Post Confirmation Lambda publish-only access to the
+   * control-plane event bus. Workflow Lambdas own DynamoDB writes.
    */
-  computeSubDomain() {
-    const isReleaseBranch = this.branchName === this.defaultReleaseBranch;
-    const domainPrefix = this.props.domainPrefix ?? _OpenHiWebsiteService.DEFAULT_DOMAIN_PREFIX;
-    if (isReleaseBranch) {
-      return domainPrefix;
-    }
-    return `${domainPrefix}-${this.childZonePrefix}`;
+  grantPostConfirmationPermissions() {
+    this.controlEventBus().grantPutEventsTo(this.postConfirmationLambda);
   }
   /**
-   * Creates the StaticHosting infrastructure (bucket + distribution +
-   * Lambda@Edge + 4 SSM params + DNS). The release-branch distribution
-   * adds `*.\<zone\>` as a wildcard alt-name on top of the canonical
-   * hostname so per-PR previews resolve via the same distribution.
-   *
-   * The bucket carries an S3 lifecycle rule that expires per-PR
-   * preview content (keys under {@link PER_BRANCH_PREVIEW_PREFIX})
-   * on non-production stages. PROD never gets the rule — see
-   * `enablePreviewLifecycle`.
+   * Creates the User Pool Client and exports its ID to SSM (AUTH service type).
+   * OAuth flows are enabled with auto-injected callback/logout URLs derived
+   * from this stack's branch context (see {@link resolveOAuthRedirectUrls}).
+   * Look up via {@link OpenHiAuthService.userPoolClientFromConstruct}.
+   * Override to customize.
    */
-  createStaticHosting(deps) {
-    const restApi = this.props.restApi === true ? this.resolveRestApi() : void 0;
-    const wildcardSan = `*.${deps.hostedZone.zoneName}`;
-    return new StaticHosting(this, "static-hosting", {
-      serviceType: _OpenHiWebsiteService.SERVICE_TYPE,
-      certificate: deps.certificate,
-      hostedZone: deps.hostedZone,
-      domainNames: [this.fullDomain, wildcardSan],
-      description: `OpenHI website (${this.fullDomain})`,
-      prefixPattern: PER_BRANCH_PREVIEW_PREFIX,
-      enablePreviewLifecycle: this.ohEnv.ohStage.stageType !== import_config6.OPEN_HI_STAGE.PROD,
-      ...restApi !== void 0 && { restApi }
+  createUserPoolClient() {
+    const { callbackUrls, logoutUrls } = this.resolveOAuthRedirectUrls();
+    const client = new CognitoUserPoolClient(this, {
+      userPool: this.userPool,
+      oAuth: {
+        flows: {
+          authorizationCodeGrant: true,
+          implicitCodeGrant: true
+        },
+        callbackUrls,
+        logoutUrls
+      }
+    });
+    new DiscoverableStringParameter(this, "user-pool-client-param", {
+      ssmParamName: CognitoUserPoolClient.SSM_PARAM_NAME,
+      stringValue: client.userPoolClientId,
+      description: "Cognito User Pool Client ID for this Auth stack; cross-stack reference"
     });
+    return client;
   }
   /**
-   * Resolves the REST API custom-domain hostname from the rest-api stack's
-   * `REST_API_DOMAIN_NAME` SSM parameter. Wrapped in a private method so
-   * it can be overridden / stubbed in subclasses and tests.
+   * Returns the OAuth `callbackUrls` and `logoutUrls` the Cognito User Pool
+   * Client should accept. Composed from the same branch context the website
+   * service will see at synth time:
+   *
+   * - `https://admin{,-<childZonePrefix>}.<zone>/oauth/{callback,logout}`
+   * - `https://www{,-<childZonePrefix>}.<zone>/oauth/{callback,logout}`
+   *
+   * Both deployed-host pairs are auto-injected on every stage. On non-prod
+   * stages the localhost dev URLs from {@link LOCALHOST_OAUTH_CALLBACK_URLS}
+   * / {@link LOCALHOST_OAUTH_LOGOUT_URLS} join the merge; on prod they are
+   * deliberately excluded.
+   *
+   * If `zoneName` is absent (no-DNS test configurations), the deployed-host
+   * pairs are skipped — only the localhost set survives, and only on
+   * non-prod. Override to customize.
    */
-  resolveRestApi() {
+  resolveOAuthRedirectUrls() {
+    const isNonProd = this.ohEnv.ohStage.stageType !== import_config7.OPEN_HI_STAGE.PROD;
+    const zoneName = this.props.config?.zoneName;
+    const deployedOrigins = [];
+    if (zoneName !== void 0) {
+      const adminHost = OpenHiWebsiteService.composeFullDomain({
+        domainPrefix: ADMIN_DOMAIN_PREFIX,
+        branchName: this.branchName,
+        defaultReleaseBranch: this.defaultReleaseBranch,
+        childZonePrefix: this.childZonePrefix,
+        zoneName
+      });
+      const websiteHost = OpenHiWebsiteService.composeFullDomain({
+        branchName: this.branchName,
+        defaultReleaseBranch: this.defaultReleaseBranch,
+        childZonePrefix: this.childZonePrefix,
+        zoneName
+      });
+      deployedOrigins.push(`https://${adminHost}`, `https://${websiteHost}`);
+    }
+    const localhostCallbacks = isNonProd ? LOCALHOST_OAUTH_CALLBACK_URLS : [];
+    const localhostLogouts = isNonProd ? LOCALHOST_OAUTH_LOGOUT_URLS : [];
     return {
-      domainName: OpenHiRestApiService.restApiDomainNameFromConstruct(this)
+      callbackUrls: [
+        ...deployedOrigins.map((o) => `${o}/oauth/callback`),
+        ...localhostCallbacks
+      ],
+      logoutUrls: [
+        ...deployedOrigins.map((o) => `${o}/oauth/logout`),
+        ...localhostLogouts
+      ]
     };
   }
   /**
-   * Creates the SSM parameter that publishes the website's full domain.
-   * Look up via {@link OpenHiWebsiteService.fullDomainFromConstruct}.
+   * Creates the User Pool Domain (Cognito hosted UI) and exports domain name to SSM.
+   * Look up via {@link OpenHiAuthService.userPoolDomainFromConstruct}.
+   * Override to customize.
    */
-  createFullDomainParameter() {
-    new DiscoverableStringParameter(this, "full-domain-param", {
-      ssmParamName: SSM_PARAM_NAME_FULL_DOMAIN,
-      serviceType: _OpenHiWebsiteService.SERVICE_TYPE,
-      stringValue: this.fullDomain,
-      description: "Full website domain (e.g. www.example.com)"
+  createUserPoolDomain() {
+    const domain = new CognitoUserPoolDomain(this, {
+      userPool: this.userPool,
+      cognitoDomain: {
+        domainPrefix: `auth-${this.branchHash}`
+      }
     });
-  }
-  /**
-   * Creates the StaticContent uploader. Receives the resolved static-hosting
-   * bucket from the constructor — on the release-branch deploy this is the
-   * just-created {@link staticHosting} bucket (no SSM round-trip within a
-   * single stack); on every other deploy it is imported from the bucket ARN
-   * the release-branch deploy publishes to SSM, addressed against
-   * {@link OpenHiService.releaseBranchHash}. See
-   * {@link resolveStaticHostingBucket}.
-   *
-   * The S3 key prefix is `\<sub-domain\>.\<zone\>/\<contentDest\>` so the
-   * upload location matches the Host-header-derived folder the Lambda@Edge
-   * viewer-request handler prepends. Passing the zone name (rather than
-   * `this.fullDomain`) for the `fullDomain` prop keeps the prefix flat —
-   * `admin-feat-foo.dev.openhi.org/`, not
-   * `admin-feat-foo.admin.dev.openhi.org/`.
-   */
-  createStaticContent(bucket) {
-    const { contentSourceDirectory, contentDestinationDirectory } = this.props;
-    return new StaticContent(this, "static-content", {
-      bucket,
-      contentSourceDirectory,
-      contentDestinationDirectory,
-      subDomain: this.computeSubDomain(),
-      fullDomain: this.config.zoneName
+    new DiscoverableStringParameter(this, "user-pool-domain-param", {
+      ssmParamName: CognitoUserPoolDomain.SSM_PARAM_NAME,
+      stringValue: domain.domainName,
+      description: "Cognito User Pool Domain (hosted UI) for this Auth stack; cross-stack reference"
     });
+    return domain;
   }
+};
+_OpenHiAuthService.SERVICE_TYPE = "auth";
+var OpenHiAuthService = _OpenHiAuthService;
+// src/services/open-hi-graphql-service.ts
+import {
+  AuthorizationType,
+  UserPoolDefaultAction
+} from "aws-cdk-lib/aws-appsync";
+var _OpenHiGraphqlService = class _OpenHiGraphqlService extends OpenHiService {
   /**
-   * Creates the per-PR `PerBranchHostname` alias record on non-release
-   * branch deploys. The record points
-   * `\<domainPrefix\>-\<childZonePrefix\>.\<zone\>` at the release-branch
-   * CloudFront distribution (resolved from SSM against
-   * {@link OpenHiService.releaseBranchHash}).
+   * Returns the GraphQL API by looking up the GraphQL stack's API ID from SSM.
+   * Use from other stacks to obtain an IGraphqlApi reference.
    */
-  createPerBranchHostname(hostedZone) {
-    return new PerBranchHostname(this, "per-branch-hostname", {
-      hostname: this.fullDomain,
-      hostedZone,
-      serviceType: _OpenHiWebsiteService.SERVICE_TYPE
-    });
+  static graphqlApiFromConstruct(scope) {
+    return RootGraphqlApi.fromConstruct(scope);
   }
-  /**
-   * Returns an {@link IBucket} pointing at the static-hosting bucket the
-   * uploaders write to. On the release-branch deploy this is the bucket
-   * just provisioned by {@link staticHosting}; on every other deploy it's
-   * imported from the bucket ARN the release-branch deploy publishes to
-   * SSM, addressed against {@link OpenHiService.releaseBranchHash}.
-   */
-  resolveStaticHostingBucket() {
-    if (this.staticHosting) {
-      return this.staticHosting.bucket;
-    }
-    const bucketArn = DiscoverableStringParameter.valueForLookupName(this, {
-      ssmParamName: StaticHosting.SSM_PARAM_NAME_BUCKET_ARN,
-      serviceType: _OpenHiWebsiteService.SERVICE_TYPE,
-      branchHash: this.releaseBranchHash
+  get serviceType() {
+    return _OpenHiGraphqlService.SERVICE_TYPE;
+  }
+  constructor(ohEnv, props = {}) {
+    super(ohEnv, _OpenHiGraphqlService.SERVICE_TYPE, props);
+    this.props = props;
+    this.rootGraphqlApi = this.createRootGraphqlApi();
+  }
+  /** Creates the root GraphQL API with Cognito user pool. */
+  createRootGraphqlApi() {
+    const userPool = OpenHiAuthService.userPoolFromConstruct(this);
+    return new RootGraphqlApi(this, {
+      authorizationConfig: {
+        defaultAuthorization: {
+          authorizationType: AuthorizationType.USER_POOL,
+          userPoolConfig: {
+            userPool,
+            defaultAction: UserPoolDefaultAction.ALLOW
+          }
+        }
+      }
     });
-    return Bucket3.fromBucketArn(this, "shared-bucket", bucketArn);
   }
 };
-_OpenHiWebsiteService.SERVICE_TYPE = "website";
-/**
- * Default `domainPrefix` for this service when none is supplied.
- * Release-branch hostname is `www.<zone>`; per-PR preview hostname is
- * `www-<childZonePrefix>.<zone>`.
- */
-_OpenHiWebsiteService.DEFAULT_DOMAIN_PREFIX = "www";
-var OpenHiWebsiteService = _OpenHiWebsiteService;
+_OpenHiGraphqlService.SERVICE_TYPE = "graphql-api";
+var OpenHiGraphqlService = _OpenHiGraphqlService;
 // src/workflows/control-plane/owning-delete-cascade/owning-delete-cascade-lambdas.ts
 import fs13 from "fs";
@@ -4270,6 +4364,8 @@ export {
   DataStorePostgresReplica,
   DiscoverableStringParameter,
   DynamoDbDataStore,
+  LOCALHOST_OAUTH_CALLBACK_URLS,
+  LOCALHOST_OAUTH_LOGOUT_URLS,
   OPENHI_REPO_TAG_KEY_ENV_VAR,
   OPENHI_RESOURCE_URN_SYSTEM,
   OPENHI_TAG_KEY_PREFIX_ENV_VAR,