@openhi/constructs 0.0.137 → 0.0.138

package/lib/index.js

@@ -798,6 +798,8 @@ __export(src_exports, {
   DataStorePostgresReplica: () => DataStorePostgresReplica,
   DiscoverableStringParameter: () => DiscoverableStringParameter,
   DynamoDbDataStore: () => DynamoDbDataStore,
+  LOCALHOST_OAUTH_CALLBACK_URLS: () => LOCALHOST_OAUTH_CALLBACK_URLS,
+  LOCALHOST_OAUTH_LOGOUT_URLS: () => LOCALHOST_OAUTH_LOGOUT_URLS,
   OPENHI_REPO_TAG_KEY_ENV_VAR: () => OPENHI_REPO_TAG_KEY_ENV_VAR,
   OPENHI_RESOURCE_URN_SYSTEM: () => OPENHI_RESOURCE_URN_SYSTEM,
   OPENHI_TAG_KEY_PREFIX_ENV_VAR: () => OPENHI_TAG_KEY_PREFIX_ENV_VAR,
@@ -1473,23 +1475,10 @@ var import_aws_cognito2 = require("aws-cdk-lib/aws-cognito");
 var CognitoUserPoolClient = class extends import_aws_cognito2.UserPoolClient {
   constructor(scope, props) {
     super(scope, "user-pool-client", {
-      /**
-       * Defaults
-       */
+      // Default: SPA client (no secret). OAuth flow + callback/logout URL
+      // composition is the owning service's responsibility — pass via
+      // `props.oAuth` (see `OpenHiAuthService.resolveOAuthRedirectUrls`).
       generateSecret: false,
-      oAuth: {
-        flows: {
-          authorizationCodeGrant: true,
-          implicitCodeGrant: true
-        },
-        callbackUrls: [
-          `http://localhost:3000/oauth/callback`,
-          `https://localhost:3000/oauth/callback`
-        ]
-      },
-      /**
-       * Overrideable props
-       */
       ...props
     });
   }
@@ -2816,10 +2805,11 @@ var StaticContent = class extends import_constructs10.Construct {
 };
 
 // src/services/open-hi-auth-service.ts
+var import_config7 = __toESM(require_lib());
 var import_aws_cognito4 = require("aws-cdk-lib/aws-cognito");
-var import_aws_iam6 = require("aws-cdk-lib/aws-iam");
+var import_aws_iam7 = require("aws-cdk-lib/aws-iam");
 var import_aws_kms2 = require("aws-cdk-lib/aws-kms");
-var import_core = require("aws-cdk-lib/core");
+var import_core2 = require("aws-cdk-lib/core");
 
 // src/services/open-hi-data-service.ts
 var import_config4 = __toESM(require_lib());
@@ -6792,620 +6782,247 @@ var _OpenHiDataService = class _OpenHiDataService extends OpenHiService {
 _OpenHiDataService.SERVICE_TYPE = "data";
 var OpenHiDataService = _OpenHiDataService;
 
-// src/workflows/control-plane/user-onboarding/events.ts
-var USER_ONBOARDING_EVENT_SOURCE = "openhi.control.user-onboarding";
-var PROVISION_DEFAULT_WORKSPACE_DETAIL_TYPE = "ProvisionDefaultWorkspaceRequested";
-var buildProvisionDefaultWorkspaceRequestedDetail = (event) => {
-  const attrs = event.request?.userAttributes ?? {};
-  const cognitoSub = attrs.sub?.trim();
-  if (!cognitoSub) {
-    return void 0;
-  }
-  const email = attrs.email?.trim();
-  const displayName = email || event.userName || cognitoSub;
-  return {
-    cognitoSub,
-    ...email ? { email } : {},
-    displayName,
-    trigger: {
-      source: "cognito.post-confirmation",
-      triggerSource: event.triggerSource,
-      userPoolId: event.userPoolId,
-      userName: event.userName,
-      clientId: event.callerContext?.clientId
-    }
-  };
-};
+// src/services/open-hi-website-service.ts
+var import_config6 = __toESM(require_lib());
+var import_aws_s32 = require("aws-cdk-lib/aws-s3");
 
-// src/workflows/control-plane/user-onboarding/provision-default-workspace-lambda.ts
+// src/services/open-hi-rest-api-service.ts
+var import_config5 = __toESM(require_lib());
+var import_aws_apigatewayv22 = require("aws-cdk-lib/aws-apigatewayv2");
+var import_aws_apigatewayv2_authorizers = require("aws-cdk-lib/aws-apigatewayv2-authorizers");
+var import_aws_apigatewayv2_integrations = require("aws-cdk-lib/aws-apigatewayv2-integrations");
+var import_aws_iam5 = require("aws-cdk-lib/aws-iam");
+var import_aws_route535 = require("aws-cdk-lib/aws-route53");
+var import_aws_route53_targets3 = require("aws-cdk-lib/aws-route53-targets");
+var import_core = require("aws-cdk-lib/core");
+var import_constructs19 = require("constructs");
+
+// src/data/lambda/cors-options-lambda.ts
 var import_node_fs9 = __toESM(require("fs"));
 var import_node_path9 = __toESM(require("path"));
-var import_aws_cdk_lib15 = require("aws-cdk-lib");
-var import_aws_events8 = require("aws-cdk-lib/aws-events");
-var import_aws_events_targets4 = require("aws-cdk-lib/aws-events-targets");
-var import_aws_iam5 = require("aws-cdk-lib/aws-iam");
 var import_aws_lambda10 = require("aws-cdk-lib/aws-lambda");
 var import_aws_lambda_nodejs10 = require("aws-cdk-lib/aws-lambda-nodejs");
 var import_constructs17 = require("constructs");
-var HANDLER_NAME9 = "provision-default-workspace.handler.js";
+var HANDLER_NAME9 = "cors-options-lambda.handler.js";
 function resolveHandlerEntry9(dirname) {
   const sameDir = import_node_path9.default.join(dirname, HANDLER_NAME9);
   if (import_node_fs9.default.existsSync(sameDir)) {
     return sameDir;
   }
-  return import_node_path9.default.join(dirname, "..", "..", "..", "..", "lib", HANDLER_NAME9);
+  const fromLib = import_node_path9.default.join(dirname, "..", "..", "..", "lib", HANDLER_NAME9);
+  return fromLib;
 }
-var ProvisionDefaultWorkspaceLambda = class extends import_constructs17.Construct {
-  constructor(scope, props) {
-    super(scope, "provision-default-workspace-lambda");
+var CorsOptionsLambda = class extends import_constructs17.Construct {
+  constructor(scope, id = "cors-options-lambda") {
+    super(scope, id);
     this.lambda = new import_aws_lambda_nodejs10.NodejsFunction(this, "handler", {
       entry: resolveHandlerEntry9(__dirname),
       runtime: import_aws_lambda10.Runtime.NODEJS_LATEST,
-      memorySize: 1024,
-      environment: {
-        DYNAMO_TABLE_NAME: props.dataStoreTable.tableName
-      }
-    });
-    props.dataStoreTable.grant(
-      this.lambda,
-      "dynamodb:PutItem",
-      "dynamodb:UpdateItem"
-    );
-    this.lambda.addToRolePolicy(
-      new import_aws_iam5.PolicyStatement({
-        effect: import_aws_iam5.Effect.ALLOW,
-        actions: ["dynamodb:Query"],
-        resources: [`${props.dataStoreTable.tableArn}/index/*`]
-      })
-    );
-    this.rule = new import_aws_events8.Rule(this, "rule", {
-      eventBus: props.controlEventBus,
-      eventPattern: {
-        source: [USER_ONBOARDING_EVENT_SOURCE],
-        detailType: [PROVISION_DEFAULT_WORKSPACE_DETAIL_TYPE]
-      },
-      targets: [
-        new import_aws_events_targets4.LambdaFunction(this.lambda, {
-          retryAttempts: 2,
-          maxEventAge: import_aws_cdk_lib15.Duration.hours(2)
-        })
-      ]
+      memorySize: 128
     });
   }
 };
 
-// src/workflows/control-plane/user-onboarding/user-onboarding-workflow.ts
+// src/data/lambda/rest-api-lambda.ts
+var import_node_fs10 = __toESM(require("fs"));
+var import_node_path10 = __toESM(require("path"));
+var import_aws_lambda11 = require("aws-cdk-lib/aws-lambda");
+var import_aws_lambda_nodejs11 = require("aws-cdk-lib/aws-lambda-nodejs");
 var import_constructs18 = require("constructs");
-var UserOnboardingWorkflow = class extends import_constructs18.Construct {
+var HANDLER_NAME10 = "rest-api-lambda.handler.js";
+function resolveHandlerEntry10(dirname) {
+  const sameDir = import_node_path10.default.join(dirname, HANDLER_NAME10);
+  if (import_node_fs10.default.existsSync(sameDir)) {
+    return sameDir;
+  }
+  const fromLib = import_node_path10.default.join(dirname, "..", "..", "..", "lib", HANDLER_NAME10);
+  return fromLib;
+}
+var RestApiLambda = class extends import_constructs18.Construct {
   constructor(scope, props) {
-    super(scope, "user-onboarding-workflow");
-    this.provisionDefaultWorkspace = new ProvisionDefaultWorkspaceLambda(this, {
-      dataStoreTable: props.dataStoreTable,
-      controlEventBus: props.controlEventBus
+    super(scope, "rest-api-lambda");
+    this.lambda = new import_aws_lambda_nodejs11.NodejsFunction(this, "handler", {
+      entry: resolveHandlerEntry10(__dirname),
+      runtime: import_aws_lambda11.Runtime.NODEJS_LATEST,
+      memorySize: 1024,
+      environment: {
+        DYNAMO_TABLE_NAME: props.dynamoTableName,
+        BRANCH_TAG_VALUE: props.branchTagValue,
+        HTTP_API_TAG_VALUE: props.httpApiTagValue,
+        OPENHI_PG_CLUSTER_ARN: props.postgresClusterArn,
+        OPENHI_PG_SECRET_ARN: props.postgresSecretArn,
+        OPENHI_PG_DATABASE: props.postgresDatabase,
+        OPENHI_PG_SCHEMA: props.postgresSchema,
+        ...props.extraEnvironment
+      },
+      bundling: {
+        minify: true,
+        sourceMap: false
+      }
     });
   }
 };
 
-// src/services/open-hi-auth-service.ts
-var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
-  constructor(ohEnv, props = {}) {
-    super(ohEnv, _OpenHiAuthService.SERVICE_TYPE, props);
-    /**
-     * Cross-stack reference to the data store table. Cached so repeated
-     * lookups share a single CDK construct id ("dynamo-db-data-store") in
-     * this stack — a second `Table.fromTableName` call under the same scope
-     * would collide.
-     */
-    this._dataStoreTable = null;
-    this._controlEventBus = null;
-    this.props = props;
-    this.userPoolKmsKey = this.createUserPoolKmsKey();
-    this.preTokenGenerationLambda = this.createPreTokenGenerationLambda();
-    this.postAuthenticationLambda = this.createPostAuthenticationLambda();
-    this.postConfirmationLambda = this.createPostConfirmationLambda();
-    this.userOnboardingWorkflow = this.createUserOnboardingWorkflow();
-    this.userPool = this.createUserPool();
-    this.grantPreTokenGenerationPermissions();
-    this.grantPostAuthenticationPermissions();
-    this.grantPostConfirmationPermissions();
-    this.userPoolClient = this.createUserPoolClient();
-    this.userPoolDomain = this.createUserPoolDomain();
-  }
+// src/services/open-hi-rest-api-service.ts
+var REST_API_BASE_URL_SSM_NAME = "REST_API_BASE_URL";
+var REST_API_DOMAIN_NAME_SSM_NAME = "REST_API_DOMAIN_NAME";
+var DEV_CORS_ALLOW_ORIGINS = [
+  "http://localhost:3000",
+  "https://localhost:3000",
+  "http://localhost:5173",
+  "https://localhost:5173",
+  "http://127.0.0.1:3000",
+  "https://127.0.0.1:3000",
+  "http://127.0.0.1:5173",
+  "https://127.0.0.1:5173"
+];
+var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
   /**
-   * Returns an IUserPool by looking up the Auth stack's User Pool ID from SSM.
+   * Compose the REST API's full per-deploy domain. Thin wrapper over
+   * {@link OpenHiService.composeServiceDomain} that pins `domainPrefix`
+   * to {@link API_DOMAIN_PREFIX}.
+   *
+   * Use from sibling stacks that need to predict the API's hostname
+   * before the REST API stack is synthesised.
    */
-  static userPoolFromConstruct(scope) {
-    const userPoolId = DiscoverableStringParameter.valueForLookupName(scope, {
-      ssmParamName: CognitoUserPool.SSM_PARAM_NAME,
-      serviceType: _OpenHiAuthService.SERVICE_TYPE
+  static composeFullDomain(opts) {
+    return OpenHiService.composeServiceDomain({
+      ...opts,
+      domainPrefix: _OpenHiRestApiService.API_DOMAIN_PREFIX
     });
-    return import_aws_cognito4.UserPool.fromUserPoolId(scope, "user-pool", userPoolId);
-  }
-  /**
-   * Returns an IUserPoolClient by looking up the Auth stack's User Pool Client ID from SSM.
-   */
-  static userPoolClientFromConstruct(scope) {
-    const userPoolClientId = DiscoverableStringParameter.valueForLookupName(
-      scope,
-      {
-        ssmParamName: CognitoUserPoolClient.SSM_PARAM_NAME,
-        serviceType: _OpenHiAuthService.SERVICE_TYPE
-      }
-    );
-    return import_aws_cognito4.UserPoolClient.fromUserPoolClientId(
-      scope,
-      "user-pool-client",
-      userPoolClientId
-    );
   }
   /**
-   * Returns an IUserPoolDomain by looking up the Auth stack's User Pool Domain from SSM.
+   * Returns an IHttpApi by looking up the REST API stack's HTTP API ID from SSM.
    */
-  static userPoolDomainFromConstruct(scope) {
-    const domainName = DiscoverableStringParameter.valueForLookupName(scope, {
-      ssmParamName: CognitoUserPoolDomain.SSM_PARAM_NAME,
-      serviceType: _OpenHiAuthService.SERVICE_TYPE
+  static rootHttpApiFromConstruct(scope) {
+    const httpApiId = DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: RootHttpApi.SSM_PARAM_NAME,
+      serviceType: _OpenHiRestApiService.SERVICE_TYPE
     });
-    return import_aws_cognito4.UserPoolDomain.fromDomainName(scope, "user-pool-domain", domainName);
+    return import_aws_apigatewayv22.HttpApi.fromHttpApiAttributes(scope, "http-api", { httpApiId });
   }
   /**
-   * Returns the full Cognito Hosted UI base URL (e.g.
-   * `https://auth-abc.auth.us-east-2.amazoncognito.com`) by looking up
-   * the Auth stack's User Pool Domain from SSM and composing it with the
-   * calling stack's region.
-   *
-   * Equivalent to `UserPoolDomain.baseUrl()` on the concrete construct,
-   * but works across stacks where the looked-up `IUserPoolDomain` is an
-   * `Import` and does not carry the `baseUrl()` method. Assumes the
-   * domain was created as a Cognito-managed prefix domain (the only
-   * variant `OpenHiAuthService.createUserPoolDomain` produces).
+   * Returns the REST API base URL (e.g. https://api.example.com) by looking it up from SSM.
+   * Use in other stacks for E2E, scripts, or config.
    */
-  static userPoolDomainBaseUrlFromConstruct(scope) {
-    const domainName = DiscoverableStringParameter.valueForLookupName(scope, {
-      ssmParamName: CognitoUserPoolDomain.SSM_PARAM_NAME,
-      serviceType: _OpenHiAuthService.SERVICE_TYPE
+  static restApiBaseUrlFromConstruct(scope) {
+    return DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: REST_API_BASE_URL_SSM_NAME,
+      serviceType: _OpenHiRestApiService.SERVICE_TYPE
     });
-    const region = import_core.Stack.of(scope).region;
-    return `https://${domainName}.auth.${region}.amazoncognito.com`;
   }
   /**
-   * Returns an IKey (KMS) by looking up the Auth stack's User Pool KMS Key ARN from SSM.
+   * Returns the REST API's custom domain name (bare hostname, no scheme — e.g.
+   * `api.example.com`) by looking it up from SSM. Use as the host for a
+   * CloudFront `HttpOrigin` so the website's distribution can proxy `/api/*`
+   * to this stack's API Gateway without per-branch DNS knowledge.
    */
-  static userPoolKmsKeyFromConstruct(scope) {
-    const keyArn = DiscoverableStringParameter.valueForLookupName(scope, {
-      ssmParamName: CognitoUserPoolKmsKey.SSM_PARAM_NAME,
-      serviceType: _OpenHiAuthService.SERVICE_TYPE
+  static restApiDomainNameFromConstruct(scope) {
+    return DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: REST_API_DOMAIN_NAME_SSM_NAME,
+      serviceType: _OpenHiRestApiService.SERVICE_TYPE
     });
-    return import_aws_kms2.Key.fromKeyArn(scope, "kms-key", keyArn);
   }
   get serviceType() {
-    return _OpenHiAuthService.SERVICE_TYPE;
+    return _OpenHiRestApiService.SERVICE_TYPE;
   }
-  /**
-   * Creates the KMS key for the Cognito User Pool and exports its ARN to SSM.
-   * Look up via {@link OpenHiAuthService.userPoolKmsKeyFromConstruct}.
-   * Override to customize.
-   */
-  createUserPoolKmsKey() {
-    const key = new CognitoUserPoolKmsKey(this);
-    new DiscoverableStringParameter(this, "kms-key-param", {
-      ssmParamName: CognitoUserPoolKmsKey.SSM_PARAM_NAME,
-      stringValue: key.keyArn,
-      description: "KMS key ARN for Cognito User Pool (e.g. custom sender); cross-stack reference"
-    });
-    return key;
-  }
-  /**
-   * Creates the Pre Token Generation Lambda (Cognito trigger). On every
-   * sign-in and token refresh the Lambda resolves the User by Cognito `sub`
-   * (GSI2) and injects `ohi_tid`, `ohi_wid`, `ohi_uid`, `ohi_uname` into
-   * both the ID token and the access token (ADR 2026-03-17-01).
-   */
-  createPreTokenGenerationLambda() {
-    const construct = new PreTokenGenerationLambda(this, {
-      dynamoTableName: this.dataStoreTable().tableName
-    });
-    return construct.lambda;
-  }
-  /**
-   * Creates the Post Authentication Lambda (Cognito trigger). Calls
-   * AdminUserGlobalSignOut on every sign-in to enforce single-device-per-user
-   * sessions per ADR 2026-03-17-01.
-   */
-  createPostAuthenticationLambda() {
-    const construct = new PostAuthenticationLambda(this);
-    return construct.lambda;
+  constructor(ohEnv, props = {}) {
+    super(ohEnv, _OpenHiRestApiService.SERVICE_TYPE, props);
+    this.props = props;
+    this.validateConfig(props);
+    const hostedZone = this.createHostedZone();
+    const certificate = this.createCertificate();
+    this.apiDomainName = this.createApiDomainNameString(hostedZone);
+    this.createRestApiBaseUrlParameter(this.apiDomainName);
+    this.createRestApiDomainNameParameter(this.apiDomainName);
+    const domainName = this.createDomainName(hostedZone, certificate);
+    this.rootHttpApi = this.createRootHttpApi(domainName);
+    this.createRestApiLambdaAndRoutes(hostedZone, domainName);
   }
   /**
-   * Creates the Post Confirmation Lambda (Cognito trigger). On sign-up
-   * confirmation, publishes a control-plane workflow event; provisioning lives
-   * behind EventBridge.
+   * Validates that config required for the REST API stack is present.
    */
-  createPostConfirmationLambda() {
-    const construct = new PostConfirmationLambda(this, {
-      controlEventBusName: this.controlEventBus().eventBusName
-    });
-    return construct.lambda;
-  }
-  createUserOnboardingWorkflow() {
-    return new UserOnboardingWorkflow(this, {
-      controlEventBus: this.controlEventBus(),
-      dataStoreTable: this.dataStoreTable()
-    });
-  }
-  dataStoreTable() {
-    if (this._dataStoreTable === null) {
-      this._dataStoreTable = OpenHiDataService.dynamoDbDataStoreFromConstruct(this);
+  validateConfig(props) {
+    const { config } = props;
+    if (!config) {
+      throw new Error("Config is required");
     }
-    return this._dataStoreTable;
-  }
-  controlEventBus() {
-    if (this._controlEventBus === null) {
-      this._controlEventBus = OpenHiGlobalService.controlEventBusFromConstruct(this);
+    if (!config.hostedZoneId) {
+      throw new Error("Hosted zone ID is required");
+    }
+    if (!config.zoneName) {
+      throw new Error("Zone name is required");
     }
-    return this._controlEventBus;
   }
   /**
-   * Creates the Cognito User Pool and exports its ID to SSM.
-   * Look up via {@link OpenHiAuthService.userPoolFromConstruct}.
+   * Creates the hosted zone reference (imported from config).
    * Override to customize.
    */
-  createUserPool() {
-    const userPool = new CognitoUserPool(this, {
-      ...this.props.userPoolProps,
-      customSenderKmsKey: this.userPoolKmsKey
-    });
-    userPool.addTrigger(
-      import_aws_cognito4.UserPoolOperation.PRE_TOKEN_GENERATION_CONFIG,
-      this.preTokenGenerationLambda,
-      import_aws_cognito4.LambdaVersion.V2_0
-    );
-    userPool.addTrigger(
-      import_aws_cognito4.UserPoolOperation.POST_AUTHENTICATION,
-      this.postAuthenticationLambda
-    );
-    userPool.addTrigger(
-      import_aws_cognito4.UserPoolOperation.POST_CONFIRMATION,
-      this.postConfirmationLambda
-    );
-    new DiscoverableStringParameter(this, "user-pool-param", {
-      ssmParamName: CognitoUserPool.SSM_PARAM_NAME,
-      stringValue: userPool.userPoolId,
-      description: "Cognito User Pool ID for this Auth stack; cross-stack reference"
+  createHostedZone() {
+    const { config } = this.props;
+    return import_aws_route535.HostedZone.fromHostedZoneAttributes(this, "root-zone", {
+      hostedZoneId: config.hostedZoneId,
+      zoneName: config.zoneName
     });
-    return userPool;
   }
   /**
-   * Grants the Pre Token Generation Lambda read-only access on the data
-   * store table and its GSIs. The Lambda only needs:
-   * - `Query` on GSI2 to resolve a User by Cognito `sub`
-   * - `GetItem` on the base table for direct User reads
-   *
-   * No write or scan access: a User missing `currentTenant`/`currentWorkspace`
-   * falls into the absent-claims path; repair belongs in a separate backfill.
+   * Creates the wildcard certificate (imported from Global stack via SSM).
+   * Override to customize.
    */
-  grantPreTokenGenerationPermissions() {
-    const dataStoreTable = this.dataStoreTable();
-    const dynamoActions = ["dynamodb:GetItem", "dynamodb:Query"];
-    dataStoreTable.grant(this.preTokenGenerationLambda, ...dynamoActions);
-    this.preTokenGenerationLambda.addToRolePolicy(
-      new import_aws_iam6.PolicyStatement({
-        effect: import_aws_iam6.Effect.ALLOW,
-        actions: [...dynamoActions],
-        resources: [`${dataStoreTable.tableArn}/index/*`]
-      })
-    );
+  createCertificate() {
+    return OpenHiGlobalService.rootWildcardCertificateFromConstruct(this);
   }
   /**
-   * Grants the Post Authentication Lambda permission to call
-   * `cognito-idp:AdminUserGlobalSignOut`.
-   *
-   * Scoped via `Stack.of(this).formatArn` rather than `userPool.userPoolArn`
-   * because the User Pool registers this Lambda as a Post Authentication
-   * trigger, creating the cycle:
-   *   userPool → lambda (trigger ARN) → role policy → userPool ARN.
-   * Using `formatArn` avoids referencing the User Pool resource directly
-   * while still scoping to user pools in this account+region. The Lambda
-   * is invoked only by Cognito with a Cognito-provided `event.userPoolId`,
-   * so the runtime target is constrained by the trigger contract.
+   * Returns the API domain name string (e.g. api.example.com or api-\{prefix\}.example.com).
+   * Delegates to {@link OpenHiRestApiService.composeFullDomain} so the
+   * release-vs-feature composition stays in one place; picks up
+   * `this.defaultReleaseBranch` (not a hard-coded `"main"`).
+   * Override to customize.
    */
-  grantPostAuthenticationPermissions() {
-    this.postAuthenticationLambda.addToRolePolicy(
-      new import_aws_iam6.PolicyStatement({
-        actions: ["cognito-idp:AdminUserGlobalSignOut"],
-        resources: [
-          import_core.Stack.of(this).formatArn({
-            service: "cognito-idp",
-            resource: "userpool",
-            resourceName: "*"
-          })
-        ]
-      })
-    );
+  createApiDomainNameString(hostedZone) {
+    return _OpenHiRestApiService.composeFullDomain({
+      branchName: this.branchName,
+      defaultReleaseBranch: this.defaultReleaseBranch,
+      childZonePrefix: this.childZonePrefix,
+      zoneName: hostedZone.zoneName
+    });
   }
   /**
-   * Grants the Post Confirmation Lambda publish-only access to the
-   * control-plane event bus. Workflow Lambdas own DynamoDB writes.
+   * Creates the SSM parameter for the REST API base URL.
+   * Look up via {@link OpenHiRestApiService.restApiBaseUrlFromConstruct}.
+   * Override to customize.
    */
-  grantPostConfirmationPermissions() {
-    this.controlEventBus().grantPutEventsTo(this.postConfirmationLambda);
+  createRestApiBaseUrlParameter(apiDomainName) {
+    const restApiBaseUrl = `https://${apiDomainName}`;
+    new DiscoverableStringParameter(this, "rest-api-base-url-param", {
+      ssmParamName: REST_API_BASE_URL_SSM_NAME,
+      stringValue: restApiBaseUrl,
+      description: "REST API base URL for this deployment (E2E, scripts)"
+    });
   }
   /**
-   * Creates the User Pool Client and exports its ID to SSM (AUTH service type).
-   * Look up via {@link OpenHiAuthService.userPoolClientFromConstruct}.
+   * Creates the SSM parameter exposing the REST API's custom domain (bare
+   * hostname, no scheme). Consumed by the website service as the CloudFront
+   * `/api/*` origin host.
+   * Look up via {@link OpenHiRestApiService.restApiDomainNameFromConstruct}.
    * Override to customize.
    */
-  createUserPoolClient() {
-    const client = new CognitoUserPoolClient(this, {
-      userPool: this.userPool
-    });
-    new DiscoverableStringParameter(this, "user-pool-client-param", {
-      ssmParamName: CognitoUserPoolClient.SSM_PARAM_NAME,
-      stringValue: client.userPoolClientId,
-      description: "Cognito User Pool Client ID for this Auth stack; cross-stack reference"
+  createRestApiDomainNameParameter(apiDomainName) {
+    new DiscoverableStringParameter(this, "rest-api-domain-name-param", {
+      ssmParamName: REST_API_DOMAIN_NAME_SSM_NAME,
+      stringValue: apiDomainName,
+      description: "REST API custom domain name (bare hostname) for cross-stack CloudFront origin lookup"
     });
-    return client;
   }
   /**
-   * Creates the User Pool Domain (Cognito hosted UI) and exports domain name to SSM.
-   * Look up via {@link OpenHiAuthService.userPoolDomainFromConstruct}.
+   * Creates the API Gateway custom domain name resource.
    * Override to customize.
    */
-  createUserPoolDomain() {
-    const domain = new CognitoUserPoolDomain(this, {
-      userPool: this.userPool,
-      cognitoDomain: {
-        domainPrefix: `auth-${this.branchHash}`
-      }
-    });
-    new DiscoverableStringParameter(this, "user-pool-domain-param", {
-      ssmParamName: CognitoUserPoolDomain.SSM_PARAM_NAME,
-      stringValue: domain.domainName,
-      description: "Cognito User Pool Domain (hosted UI) for this Auth stack; cross-stack reference"
-    });
-    return domain;
-  }
-};
-_OpenHiAuthService.SERVICE_TYPE = "auth";
-var OpenHiAuthService = _OpenHiAuthService;
-
-// src/services/open-hi-rest-api-service.ts
-var import_config5 = __toESM(require_lib());
-var import_aws_apigatewayv22 = require("aws-cdk-lib/aws-apigatewayv2");
-var import_aws_apigatewayv2_authorizers = require("aws-cdk-lib/aws-apigatewayv2-authorizers");
-var import_aws_apigatewayv2_integrations = require("aws-cdk-lib/aws-apigatewayv2-integrations");
-var import_aws_iam7 = require("aws-cdk-lib/aws-iam");
-var import_aws_route535 = require("aws-cdk-lib/aws-route53");
-var import_aws_route53_targets3 = require("aws-cdk-lib/aws-route53-targets");
-var import_core2 = require("aws-cdk-lib/core");
-var import_constructs21 = require("constructs");
-
-// src/data/lambda/cors-options-lambda.ts
-var import_node_fs10 = __toESM(require("fs"));
-var import_node_path10 = __toESM(require("path"));
-var import_aws_lambda11 = require("aws-cdk-lib/aws-lambda");
-var import_aws_lambda_nodejs11 = require("aws-cdk-lib/aws-lambda-nodejs");
-var import_constructs19 = require("constructs");
-var HANDLER_NAME10 = "cors-options-lambda.handler.js";
-function resolveHandlerEntry10(dirname) {
-  const sameDir = import_node_path10.default.join(dirname, HANDLER_NAME10);
-  if (import_node_fs10.default.existsSync(sameDir)) {
-    return sameDir;
-  }
-  const fromLib = import_node_path10.default.join(dirname, "..", "..", "..", "lib", HANDLER_NAME10);
-  return fromLib;
-}
-var CorsOptionsLambda = class extends import_constructs19.Construct {
-  constructor(scope, id = "cors-options-lambda") {
-    super(scope, id);
-    this.lambda = new import_aws_lambda_nodejs11.NodejsFunction(this, "handler", {
-      entry: resolveHandlerEntry10(__dirname),
-      runtime: import_aws_lambda11.Runtime.NODEJS_LATEST,
-      memorySize: 128
-    });
-  }
-};
-
-// src/data/lambda/rest-api-lambda.ts
-var import_node_fs11 = __toESM(require("fs"));
-var import_node_path11 = __toESM(require("path"));
-var import_aws_lambda12 = require("aws-cdk-lib/aws-lambda");
-var import_aws_lambda_nodejs12 = require("aws-cdk-lib/aws-lambda-nodejs");
-var import_constructs20 = require("constructs");
-var HANDLER_NAME11 = "rest-api-lambda.handler.js";
-function resolveHandlerEntry11(dirname) {
-  const sameDir = import_node_path11.default.join(dirname, HANDLER_NAME11);
-  if (import_node_fs11.default.existsSync(sameDir)) {
-    return sameDir;
-  }
-  const fromLib = import_node_path11.default.join(dirname, "..", "..", "..", "lib", HANDLER_NAME11);
-  return fromLib;
-}
-var RestApiLambda = class extends import_constructs20.Construct {
-  constructor(scope, props) {
-    super(scope, "rest-api-lambda");
-    this.lambda = new import_aws_lambda_nodejs12.NodejsFunction(this, "handler", {
-      entry: resolveHandlerEntry11(__dirname),
-      runtime: import_aws_lambda12.Runtime.NODEJS_LATEST,
-      memorySize: 1024,
-      environment: {
-        DYNAMO_TABLE_NAME: props.dynamoTableName,
-        BRANCH_TAG_VALUE: props.branchTagValue,
-        HTTP_API_TAG_VALUE: props.httpApiTagValue,
-        OPENHI_PG_CLUSTER_ARN: props.postgresClusterArn,
-        OPENHI_PG_SECRET_ARN: props.postgresSecretArn,
-        OPENHI_PG_DATABASE: props.postgresDatabase,
-        OPENHI_PG_SCHEMA: props.postgresSchema,
-        ...props.extraEnvironment
-      },
-      bundling: {
-        minify: true,
-        sourceMap: false
-      }
-    });
-  }
-};
-
-// src/services/open-hi-rest-api-service.ts
-var REST_API_BASE_URL_SSM_NAME = "REST_API_BASE_URL";
-var REST_API_DOMAIN_NAME_SSM_NAME = "REST_API_DOMAIN_NAME";
-var DEV_CORS_ALLOW_ORIGINS = [
-  "http://localhost:3000",
-  "https://localhost:3000",
-  "http://localhost:5173",
-  "https://localhost:5173",
-  "http://127.0.0.1:3000",
-  "https://127.0.0.1:3000",
-  "http://127.0.0.1:5173",
-  "https://127.0.0.1:5173"
-];
-var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
-  /**
-   * Compose the REST API's full per-deploy domain. Thin wrapper over
-   * {@link OpenHiService.composeServiceDomain} that pins `domainPrefix`
-   * to {@link API_DOMAIN_PREFIX}.
-   *
-   * Use from sibling stacks that need to predict the API's hostname
-   * before the REST API stack is synthesised.
-   */
-  static composeFullDomain(opts) {
-    return OpenHiService.composeServiceDomain({
-      ...opts,
-      domainPrefix: _OpenHiRestApiService.API_DOMAIN_PREFIX
-    });
-  }
-  /**
-   * Returns an IHttpApi by looking up the REST API stack's HTTP API ID from SSM.
-   */
-  static rootHttpApiFromConstruct(scope) {
-    const httpApiId = DiscoverableStringParameter.valueForLookupName(scope, {
-      ssmParamName: RootHttpApi.SSM_PARAM_NAME,
-      serviceType: _OpenHiRestApiService.SERVICE_TYPE
-    });
-    return import_aws_apigatewayv22.HttpApi.fromHttpApiAttributes(scope, "http-api", { httpApiId });
-  }
-  /**
-   * Returns the REST API base URL (e.g. https://api.example.com) by looking it up from SSM.
-   * Use in other stacks for E2E, scripts, or config.
-   */
-  static restApiBaseUrlFromConstruct(scope) {
-    return DiscoverableStringParameter.valueForLookupName(scope, {
-      ssmParamName: REST_API_BASE_URL_SSM_NAME,
-      serviceType: _OpenHiRestApiService.SERVICE_TYPE
-    });
-  }
-  /**
-   * Returns the REST API's custom domain name (bare hostname, no scheme — e.g.
-   * `api.example.com`) by looking it up from SSM. Use as the host for a
-   * CloudFront `HttpOrigin` so the website's distribution can proxy `/api/*`
-   * to this stack's API Gateway without per-branch DNS knowledge.
-   */
-  static restApiDomainNameFromConstruct(scope) {
-    return DiscoverableStringParameter.valueForLookupName(scope, {
-      ssmParamName: REST_API_DOMAIN_NAME_SSM_NAME,
-      serviceType: _OpenHiRestApiService.SERVICE_TYPE
-    });
-  }
-  get serviceType() {
-    return _OpenHiRestApiService.SERVICE_TYPE;
-  }
-  constructor(ohEnv, props = {}) {
-    super(ohEnv, _OpenHiRestApiService.SERVICE_TYPE, props);
-    this.props = props;
-    this.validateConfig(props);
-    const hostedZone = this.createHostedZone();
-    const certificate = this.createCertificate();
-    this.apiDomainName = this.createApiDomainNameString(hostedZone);
-    this.createRestApiBaseUrlParameter(this.apiDomainName);
-    this.createRestApiDomainNameParameter(this.apiDomainName);
-    const domainName = this.createDomainName(hostedZone, certificate);
-    this.rootHttpApi = this.createRootHttpApi(domainName);
-    this.createRestApiLambdaAndRoutes(hostedZone, domainName);
-  }
-  /**
-   * Validates that config required for the REST API stack is present.
-   */
-  validateConfig(props) {
-    const { config } = props;
-    if (!config) {
-      throw new Error("Config is required");
-    }
-    if (!config.hostedZoneId) {
-      throw new Error("Hosted zone ID is required");
-    }
-    if (!config.zoneName) {
-      throw new Error("Zone name is required");
-    }
-  }
-  /**
-   * Creates the hosted zone reference (imported from config).
-   * Override to customize.
-   */
-  createHostedZone() {
-    const { config } = this.props;
-    return import_aws_route535.HostedZone.fromHostedZoneAttributes(this, "root-zone", {
-      hostedZoneId: config.hostedZoneId,
-      zoneName: config.zoneName
-    });
-  }
-  /**
-   * Creates the wildcard certificate (imported from Global stack via SSM).
-   * Override to customize.
-   */
-  createCertificate() {
-    return OpenHiGlobalService.rootWildcardCertificateFromConstruct(this);
-  }
-  /**
-   * Returns the API domain name string (e.g. api.example.com or api-\{prefix\}.example.com).
-   * Delegates to {@link OpenHiRestApiService.composeFullDomain} so the
-   * release-vs-feature composition stays in one place; picks up
-   * `this.defaultReleaseBranch` (not a hard-coded `"main"`).
-   * Override to customize.
-   */
-  createApiDomainNameString(hostedZone) {
-    return _OpenHiRestApiService.composeFullDomain({
-      branchName: this.branchName,
-      defaultReleaseBranch: this.defaultReleaseBranch,
-      childZonePrefix: this.childZonePrefix,
-      zoneName: hostedZone.zoneName
-    });
-  }
-  /**
-   * Creates the SSM parameter for the REST API base URL.
-   * Look up via {@link OpenHiRestApiService.restApiBaseUrlFromConstruct}.
-   * Override to customize.
-   */
-  createRestApiBaseUrlParameter(apiDomainName) {
-    const restApiBaseUrl = `https://${apiDomainName}`;
-    new DiscoverableStringParameter(this, "rest-api-base-url-param", {
-      ssmParamName: REST_API_BASE_URL_SSM_NAME,
-      stringValue: restApiBaseUrl,
-      description: "REST API base URL for this deployment (E2E, scripts)"
-    });
-  }
-  /**
-   * Creates the SSM parameter exposing the REST API's custom domain (bare
-   * hostname, no scheme). Consumed by the website service as the CloudFront
-   * `/api/*` origin host.
-   * Look up via {@link OpenHiRestApiService.restApiDomainNameFromConstruct}.
-   * Override to customize.
-   */
-  createRestApiDomainNameParameter(apiDomainName) {
-    new DiscoverableStringParameter(this, "rest-api-domain-name-param", {
-      ssmParamName: REST_API_DOMAIN_NAME_SSM_NAME,
-      stringValue: apiDomainName,
-      description: "REST API custom domain name (bare hostname) for cross-stack CloudFront origin lookup"
-    });
-  }
-  /**
-   * Creates the API Gateway custom domain name resource.
-   * Override to customize.
-   */
-  createDomainName(_hostedZone, certificate) {
-    const apiDomainName = this.createApiDomainNameString(_hostedZone);
-    return new import_aws_apigatewayv22.DomainName(this, "domain", {
-      domainName: apiDomainName,
-      certificate
+  createDomainName(_hostedZone, certificate) {
+    const apiDomainName = this.createApiDomainNameString(_hostedZone);
+    return new import_aws_apigatewayv22.DomainName(this, "domain", {
+      domainName: apiDomainName,
+      certificate
     });
   }
   /**
@@ -7430,8 +7047,8 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
       extraEnvironment
     });
     lambda.addToRolePolicy(
-      new import_aws_iam7.PolicyStatement({
-        effect: import_aws_iam7.Effect.ALLOW,
+      new import_aws_iam5.PolicyStatement({
+        effect: import_aws_iam5.Effect.ALLOW,
         actions: [
           "rds-data:ExecuteStatement",
           "rds-data:BatchExecuteStatement"
@@ -7440,8 +7057,8 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
       })
     );
     lambda.addToRolePolicy(
-      new import_aws_iam7.PolicyStatement({
-        effect: import_aws_iam7.Effect.ALLOW,
+      new import_aws_iam5.PolicyStatement({
+        effect: import_aws_iam5.Effect.ALLOW,
         actions: ["secretsmanager:GetSecretValue"],
         resources: [postgresSecretArn]
       })
@@ -7459,15 +7076,15 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
     ];
     dataStoreTable.grant(lambda, ...dynamoActions);
     lambda.addToRolePolicy(
-      new import_aws_iam7.PolicyStatement({
-        effect: import_aws_iam7.Effect.ALLOW,
+      new import_aws_iam5.PolicyStatement({
+        effect: import_aws_iam5.Effect.ALLOW,
         actions: [...dynamoActions],
         resources: [`${dataStoreTable.tableArn}/index/*`]
       })
     );
     lambda.addToRolePolicy(
-      new import_aws_iam7.PolicyStatement({
-        effect: import_aws_iam7.Effect.ALLOW,
+      new import_aws_iam5.PolicyStatement({
+        effect: import_aws_iam5.Effect.ALLOW,
         actions: [
           "ssm:GetParameter",
           "ssm:GetParameters",
@@ -7548,11 +7165,18 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
     const { corsPreflight: cors, ...restRootHttpApiProps } = this.props.rootHttpApiProps ?? {};
     const isNonProd = this.ohEnv.ohStage.stageType !== import_config5.OPEN_HI_STAGE.PROD;
     const callerOrigins = cors?.allowOrigins ?? [];
-    const mergedOrigins = isNonProd ? Array.from(/* @__PURE__ */ new Set([...callerOrigins, ...DEV_CORS_ALLOW_ORIGINS])) : callerOrigins;
-    const corsPreflight = cors !== void 0 || isNonProd ? this.buildCorsPreflightOptions(mergedOrigins, cors) : void 0;
+    const autoOrigins = this.resolveAutoInjectedCorsOrigins();
+    const mergedOrigins = Array.from(
+      /* @__PURE__ */ new Set([
+        ...callerOrigins,
+        ...autoOrigins,
+        ...isNonProd ? DEV_CORS_ALLOW_ORIGINS : []
+      ])
+    );
+    const corsPreflight = this.buildCorsPreflightOptions(mergedOrigins, cors);
     const rootHttpApi = new RootHttpApi(this, {
       ...restRootHttpApiProps,
-      ...corsPreflight !== void 0 && { corsPreflight },
+      corsPreflight,
       defaultDomainMapping: {
         domainName,
         mappingKey: void 0
@@ -7566,6 +7190,33 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
     });
     return rootHttpApi;
   }
+  /**
+   * Returns the admin-console and marketing-website origins this REST API
+   * stack should accept by default, composed from the same branch context
+   * the website service will see at synth time. Both hostnames are
+   * `https://`-only — they always resolve to real DNS records.
+   *
+   * Auto-injected on every stage (no `isNonProd` gate) so the admin SPA can
+   * call the API cross-origin without the caller having to predict the
+   * per-deploy hostname. Override to customize the auto-injected set.
+   */
+  resolveAutoInjectedCorsOrigins() {
+    const zoneName = this.props.config.zoneName;
+    const adminHost = OpenHiWebsiteService.composeFullDomain({
+      domainPrefix: ADMIN_DOMAIN_PREFIX,
+      branchName: this.branchName,
+      defaultReleaseBranch: this.defaultReleaseBranch,
+      childZonePrefix: this.childZonePrefix,
+      zoneName
+    });
+    const websiteHost = OpenHiWebsiteService.composeFullDomain({
+      branchName: this.branchName,
+      defaultReleaseBranch: this.defaultReleaseBranch,
+      childZonePrefix: this.childZonePrefix,
+      zoneName
+    });
+    return [`https://${adminHost}`, `https://${websiteHost}`];
+  }
   /**
    * Builds the full `CorsPreflightOptions` from a merged origins array,
    * filling defaults for `allowMethods`/`allowHeaders`/`allowCredentials`/
@@ -7585,7 +7236,7 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
       ],
       allowHeaders: cors?.allowHeaders ?? ["Content-Type", "Authorization"],
       allowCredentials: cors?.allowCredentials ?? true,
-      maxAge: cors?.maxAge ?? import_core2.Duration.days(1),
+      maxAge: cors?.maxAge ?? import_core.Duration.days(1),
       ...cors?.exposeHeaders !== void 0 && {
         exposeHeaders: cors.exposeHeaders
       }
@@ -7603,7 +7254,7 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
    * client-side from `window.location.origin`.
    */
   resolveRuntimeConfigEnvVars() {
-    const cognitoScope = new import_constructs21.Construct(this, "runtime-config");
+    const cognitoScope = new import_constructs19.Construct(this, "runtime-config");
     const userPool = OpenHiAuthService.userPoolFromConstruct(cognitoScope);
     const userPoolClient = OpenHiAuthService.userPoolClientFromConstruct(cognitoScope);
     const cognitoDomainUrl = OpenHiAuthService.userPoolDomainBaseUrlFromConstruct(cognitoScope);
@@ -7623,330 +7274,774 @@ _OpenHiRestApiService.SERVICE_TYPE = "rest-api";
 _OpenHiRestApiService.API_DOMAIN_PREFIX = "api";
 var OpenHiRestApiService = _OpenHiRestApiService;
 
-// src/services/open-hi-graphql-service.ts
-var import_aws_appsync2 = require("aws-cdk-lib/aws-appsync");
-var _OpenHiGraphqlService = class _OpenHiGraphqlService extends OpenHiService {
+// src/services/open-hi-website-service.ts
+var SSM_PARAM_NAME_FULL_DOMAIN = "WEBSITE_FULL_DOMAIN";
+var ADMIN_DOMAIN_PREFIX = "admin";
+var _OpenHiWebsiteService = class _OpenHiWebsiteService extends OpenHiService {
   /**
-   * Returns the GraphQL API by looking up the GraphQL stack's API ID from SSM.
-   * Use from other stacks to obtain an IGraphqlApi reference.
+   * Compose the website's full per-deploy domain. Thin wrapper over
+   * {@link OpenHiService.composeServiceDomain} that fills in
+   * {@link DEFAULT_DOMAIN_PREFIX} when `domainPrefix` is omitted.
+   *
+   * Use from sibling stacks that need to predict the website's hostname
+   * before the website stack is synthesised — e.g. the REST API stack
+   * computing its CORS `allowOrigins` for the admin-console.
    */
-  static graphqlApiFromConstruct(scope) {
-    return RootGraphqlApi.fromConstruct(scope);
+  static composeFullDomain(opts) {
+    return OpenHiService.composeServiceDomain({
+      ...opts,
+      domainPrefix: opts.domainPrefix ?? _OpenHiWebsiteService.DEFAULT_DOMAIN_PREFIX
+    });
   }
-  get serviceType() {
-    return _OpenHiGraphqlService.SERVICE_TYPE;
+  /**
+   * Looks up the static-hosting bucket ARN published by the release-branch
+   * deploy of this service.
+   */
+  static bucketArnFromConstruct(scope) {
+    return DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: StaticHosting.SSM_PARAM_NAME_BUCKET_ARN,
+      serviceType: _OpenHiWebsiteService.SERVICE_TYPE
+    });
+  }
+  /**
+   * Looks up the CloudFront distribution ARN published by the release-branch
+   * deploy of this service.
+   */
+  static distributionArnFromConstruct(scope) {
+    return DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: StaticHosting.SSM_PARAM_NAME_DISTRIBUTION_ARN,
+      serviceType: _OpenHiWebsiteService.SERVICE_TYPE
+    });
+  }
+  /**
+   * Looks up the CloudFront distribution domain
+   * (e.g. dXXXXX.cloudfront.net) published by the release-branch deploy.
+   */
+  static distributionDomainFromConstruct(scope) {
+    return DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: StaticHosting.SSM_PARAM_NAME_DISTRIBUTION_DOMAIN,
+      serviceType: _OpenHiWebsiteService.SERVICE_TYPE
+    });
+  }
+  /**
+   * Looks up the CloudFront distribution ID published by the release-branch
+   * deploy of this service.
+   */
+  static distributionIdFromConstruct(scope) {
+    return DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: StaticHosting.SSM_PARAM_NAME_DISTRIBUTION_ID,
+      serviceType: _OpenHiWebsiteService.SERVICE_TYPE
+    });
+  }
+  /**
+   * Looks up the website's full domain (e.g. www.example.com) published by
+   * the release-branch deploy of this service.
+   */
+  static fullDomainFromConstruct(scope) {
+    return DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: SSM_PARAM_NAME_FULL_DOMAIN,
+      serviceType: _OpenHiWebsiteService.SERVICE_TYPE
+    });
+  }
+  get serviceType() {
+    return _OpenHiWebsiteService.SERVICE_TYPE;
+  }
+  constructor(ohEnv, props) {
+    super(ohEnv, _OpenHiWebsiteService.SERVICE_TYPE, props);
+    this.props = props;
+    this.validateConfig(props);
+    const isReleaseBranch = this.branchName === this.defaultReleaseBranch;
+    const hostedZone = this.createHostedZone();
+    this.fullDomain = this.computeFullDomain(hostedZone);
+    const shouldCreateHostingInfra = props.createHostingInfrastructure ?? isReleaseBranch;
+    if (shouldCreateHostingInfra) {
+      const certificate = this.createCertificate();
+      this.staticHosting = this.createStaticHosting({
+        certificate,
+        hostedZone
+      });
+      this.createFullDomainParameter();
+    } else if (!isReleaseBranch) {
+      this.perBranchHostname = this.createPerBranchHostname(hostedZone);
+    }
+    if (props.createStaticContent !== false) {
+      const bucket = this.resolveStaticHostingBucket();
+      this.staticContent = this.createStaticContent(bucket);
+    }
+  }
+  /**
+   * Validates that config required for the website stack is present.
+   */
+  validateConfig(props) {
+    const { config } = props;
+    if (!config) {
+      throw new Error("Config is required");
+    }
+    if (!config.zoneName) {
+      throw new Error("Zone name is required");
+    }
+    if (!config.hostedZoneId) {
+      throw new Error("Hosted zone ID is required to import the website zone");
+    }
+  }
+  /**
+   * Imports the website's hosted zone from config attributes (no SSM lookup).
+   * The website attaches DNS records here on the release-branch deploy and
+   * the same zone is imported on feature-branch deploys for any sub-domain
+   * routing.
+   * Override to customize.
+   */
+  createHostedZone() {
+    return OpenHiGlobalService.rootHostedZoneFromConstruct(this, {
+      zoneName: this.config.zoneName,
+      hostedZoneId: this.config.hostedZoneId
+    });
+  }
+  /**
+   * Returns the wildcard certificate looked up from the Global service.
+   * Override to customize.
+   */
+  createCertificate() {
+    return OpenHiGlobalService.rootWildcardCertificateFromConstruct(this);
+  }
+  /**
+   * Computes the full website domain from `domainPrefix`,
+   * `childZonePrefix`, and the child zone name. Release-branch deploys
+   * serve at `\<domainPrefix\>.\<zone\>` (e.g. `admin.dev.openhi.org`);
+   * every other deploy serves a per-PR preview at
+   * `\<domainPrefix\>-\<childZonePrefix\>.\<zone\>`
+   * (e.g. `admin-feat-1093-patient-migration.dev.openhi.org`).
+   *
+   * Delegates to {@link OpenHiWebsiteService.composeFullDomain} so the
+   * release-vs-feature composition stays in one place.
+   */
+  computeFullDomain(hostedZone) {
+    return _OpenHiWebsiteService.composeFullDomain({
+      domainPrefix: this.props.domainPrefix,
+      branchName: this.branchName,
+      defaultReleaseBranch: this.defaultReleaseBranch,
+      childZonePrefix: this.childZonePrefix,
+      zoneName: hostedZone.zoneName
+    });
+  }
+  /**
+   * Returns the sub-domain label (left of the zone) for the current
+   * deploy. Used for the per-branch S3 key prefix passed to
+   * {@link StaticContent} so the upload prefix always matches the
+   * served hostname.
+   *
+   * Non-release deploys compose the per-PR slug as
+   * `\<domainPrefix\>-\<childZonePrefix\>`, mirroring the REST API's
+   * `api-\<childZonePrefix\>` convention. When `domainPrefix` is `admin`
+   * (the only consumer today), the resulting sub-domain starts with
+   * {@link PER_BRANCH_PREVIEW_PREFIX}, so the per-PR S3 key prefix
+   * matches what `StaticHosting`'s lifecycle rule expires.
+   */
+  computeSubDomain() {
+    const isReleaseBranch = this.branchName === this.defaultReleaseBranch;
+    const domainPrefix = this.props.domainPrefix ?? _OpenHiWebsiteService.DEFAULT_DOMAIN_PREFIX;
+    if (isReleaseBranch) {
+      return domainPrefix;
+    }
+    return `${domainPrefix}-${this.childZonePrefix}`;
+  }
+  /**
+   * Creates the StaticHosting infrastructure (bucket + distribution +
+   * Lambda@Edge + 4 SSM params + DNS). The release-branch distribution
+   * adds `*.\<zone\>` as a wildcard alt-name on top of the canonical
+   * hostname so per-PR previews resolve via the same distribution.
+   *
+   * The bucket carries an S3 lifecycle rule that expires per-PR
+   * preview content (keys under {@link PER_BRANCH_PREVIEW_PREFIX})
+   * on non-production stages. PROD never gets the rule — see
+   * `enablePreviewLifecycle`.
+   */
+  createStaticHosting(deps) {
+    const restApi = this.props.restApi === true ? this.resolveRestApi() : void 0;
+    const wildcardSan = `*.${deps.hostedZone.zoneName}`;
+    return new StaticHosting(this, "static-hosting", {
+      serviceType: _OpenHiWebsiteService.SERVICE_TYPE,
+      certificate: deps.certificate,
+      hostedZone: deps.hostedZone,
+      domainNames: [this.fullDomain, wildcardSan],
+      description: `OpenHI website (${this.fullDomain})`,
+      prefixPattern: PER_BRANCH_PREVIEW_PREFIX,
+      enablePreviewLifecycle: this.ohEnv.ohStage.stageType !== import_config6.OPEN_HI_STAGE.PROD,
+      ...restApi !== void 0 && { restApi }
+    });
+  }
+  /**
+   * Resolves the REST API custom-domain hostname from the rest-api stack's
+   * `REST_API_DOMAIN_NAME` SSM parameter. Wrapped in a private method so
+   * it can be overridden / stubbed in subclasses and tests.
+   */
+  resolveRestApi() {
+    return {
+      domainName: OpenHiRestApiService.restApiDomainNameFromConstruct(this)
+    };
+  }
+  /**
+   * Creates the SSM parameter that publishes the website's full domain.
+   * Look up via {@link OpenHiWebsiteService.fullDomainFromConstruct}.
+   */
+  createFullDomainParameter() {
+    new DiscoverableStringParameter(this, "full-domain-param", {
+      ssmParamName: SSM_PARAM_NAME_FULL_DOMAIN,
+      serviceType: _OpenHiWebsiteService.SERVICE_TYPE,
+      stringValue: this.fullDomain,
+      description: "Full website domain (e.g. www.example.com)"
+    });
+  }
+  /**
+   * Creates the StaticContent uploader. Receives the resolved static-hosting
+   * bucket from the constructor — on the release-branch deploy this is the
+   * just-created {@link staticHosting} bucket (no SSM round-trip within a
+   * single stack); on every other deploy it is imported from the bucket ARN
+   * the release-branch deploy publishes to SSM, addressed against
+   * {@link OpenHiService.releaseBranchHash}. See
+   * {@link resolveStaticHostingBucket}.
+   *
+   * The S3 key prefix is `\<sub-domain\>.\<zone\>/\<contentDest\>` so the
+   * upload location matches the Host-header-derived folder the Lambda@Edge
+   * viewer-request handler prepends. Passing the zone name (rather than
+   * `this.fullDomain`) for the `fullDomain` prop keeps the prefix flat —
+   * `admin-feat-foo.dev.openhi.org/`, not
+   * `admin-feat-foo.admin.dev.openhi.org/`.
+   */
+  createStaticContent(bucket) {
+    const { contentSourceDirectory, contentDestinationDirectory } = this.props;
+    return new StaticContent(this, "static-content", {
+      bucket,
+      contentSourceDirectory,
+      contentDestinationDirectory,
+      subDomain: this.computeSubDomain(),
+      fullDomain: this.config.zoneName
+    });
+  }
+  /**
+   * Creates the per-PR `PerBranchHostname` alias record on non-release
+   * branch deploys. The record points
+   * `\<domainPrefix\>-\<childZonePrefix\>.\<zone\>` at the release-branch
+   * CloudFront distribution (resolved from SSM against
+   * {@link OpenHiService.releaseBranchHash}).
+   */
+  createPerBranchHostname(hostedZone) {
+    return new PerBranchHostname(this, "per-branch-hostname", {
+      hostname: this.fullDomain,
+      hostedZone,
+      serviceType: _OpenHiWebsiteService.SERVICE_TYPE
+    });
+  }
+  /**
+   * Returns an {@link IBucket} pointing at the static-hosting bucket the
+   * uploaders write to. On the release-branch deploy this is the bucket
+   * just provisioned by {@link staticHosting}; on every other deploy it's
+   * imported from the bucket ARN the release-branch deploy publishes to
+   * SSM, addressed against {@link OpenHiService.releaseBranchHash}.
+   */
+  resolveStaticHostingBucket() {
+    if (this.staticHosting) {
+      return this.staticHosting.bucket;
+    }
+    const bucketArn = DiscoverableStringParameter.valueForLookupName(this, {
+      ssmParamName: StaticHosting.SSM_PARAM_NAME_BUCKET_ARN,
+      serviceType: _OpenHiWebsiteService.SERVICE_TYPE,
+      branchHash: this.releaseBranchHash
+    });
+    return import_aws_s32.Bucket.fromBucketArn(this, "shared-bucket", bucketArn);
+  }
+};
+_OpenHiWebsiteService.SERVICE_TYPE = "website";
+/**
+ * Default `domainPrefix` for this service when none is supplied.
+ * Release-branch hostname is `www.<zone>`; per-PR preview hostname is
+ * `www-<childZonePrefix>.<zone>`.
+ */
+_OpenHiWebsiteService.DEFAULT_DOMAIN_PREFIX = "www";
+var OpenHiWebsiteService = _OpenHiWebsiteService;
+
+// src/workflows/control-plane/user-onboarding/events.ts
+var USER_ONBOARDING_EVENT_SOURCE = "openhi.control.user-onboarding";
+var PROVISION_DEFAULT_WORKSPACE_DETAIL_TYPE = "ProvisionDefaultWorkspaceRequested";
+var buildProvisionDefaultWorkspaceRequestedDetail = (event) => {
+  const attrs = event.request?.userAttributes ?? {};
+  const cognitoSub = attrs.sub?.trim();
+  if (!cognitoSub) {
+    return void 0;
+  }
+  const email = attrs.email?.trim();
+  const displayName = email || event.userName || cognitoSub;
+  return {
+    cognitoSub,
+    ...email ? { email } : {},
+    displayName,
+    trigger: {
+      source: "cognito.post-confirmation",
+      triggerSource: event.triggerSource,
+      userPoolId: event.userPoolId,
+      userName: event.userName,
+      clientId: event.callerContext?.clientId
+    }
+  };
+};
+
+// src/workflows/control-plane/user-onboarding/provision-default-workspace-lambda.ts
+var import_node_fs11 = __toESM(require("fs"));
+var import_node_path11 = __toESM(require("path"));
+var import_aws_cdk_lib15 = require("aws-cdk-lib");
+var import_aws_events8 = require("aws-cdk-lib/aws-events");
+var import_aws_events_targets4 = require("aws-cdk-lib/aws-events-targets");
+var import_aws_iam6 = require("aws-cdk-lib/aws-iam");
+var import_aws_lambda12 = require("aws-cdk-lib/aws-lambda");
+var import_aws_lambda_nodejs12 = require("aws-cdk-lib/aws-lambda-nodejs");
+var import_constructs20 = require("constructs");
+var HANDLER_NAME11 = "provision-default-workspace.handler.js";
+function resolveHandlerEntry11(dirname) {
+  const sameDir = import_node_path11.default.join(dirname, HANDLER_NAME11);
+  if (import_node_fs11.default.existsSync(sameDir)) {
+    return sameDir;
+  }
+  return import_node_path11.default.join(dirname, "..", "..", "..", "..", "lib", HANDLER_NAME11);
+}
+var ProvisionDefaultWorkspaceLambda = class extends import_constructs20.Construct {
+  constructor(scope, props) {
+    super(scope, "provision-default-workspace-lambda");
+    this.lambda = new import_aws_lambda_nodejs12.NodejsFunction(this, "handler", {
+      entry: resolveHandlerEntry11(__dirname),
+      runtime: import_aws_lambda12.Runtime.NODEJS_LATEST,
+      memorySize: 1024,
+      environment: {
+        DYNAMO_TABLE_NAME: props.dataStoreTable.tableName
+      }
+    });
+    props.dataStoreTable.grant(
+      this.lambda,
+      "dynamodb:PutItem",
+      "dynamodb:UpdateItem"
+    );
+    this.lambda.addToRolePolicy(
+      new import_aws_iam6.PolicyStatement({
+        effect: import_aws_iam6.Effect.ALLOW,
+        actions: ["dynamodb:Query"],
+        resources: [`${props.dataStoreTable.tableArn}/index/*`]
+      })
+    );
+    this.rule = new import_aws_events8.Rule(this, "rule", {
+      eventBus: props.controlEventBus,
+      eventPattern: {
+        source: [USER_ONBOARDING_EVENT_SOURCE],
+        detailType: [PROVISION_DEFAULT_WORKSPACE_DETAIL_TYPE]
+      },
+      targets: [
+        new import_aws_events_targets4.LambdaFunction(this.lambda, {
+          retryAttempts: 2,
+          maxEventAge: import_aws_cdk_lib15.Duration.hours(2)
+        })
+      ]
+    });
+  }
+};
+
+// src/workflows/control-plane/user-onboarding/user-onboarding-workflow.ts
+var import_constructs21 = require("constructs");
+var UserOnboardingWorkflow = class extends import_constructs21.Construct {
+  constructor(scope, props) {
+    super(scope, "user-onboarding-workflow");
+    this.provisionDefaultWorkspace = new ProvisionDefaultWorkspaceLambda(this, {
+      dataStoreTable: props.dataStoreTable,
+      controlEventBus: props.controlEventBus
+    });
   }
+};
+
+// src/services/open-hi-auth-service.ts
+var LOCALHOST_OAUTH_CALLBACK_URLS = [
+  "http://localhost:3000/oauth/callback",
+  "https://localhost:3000/oauth/callback"
+];
+var LOCALHOST_OAUTH_LOGOUT_URLS = [
+  "http://localhost:3000/oauth/logout",
+  "https://localhost:3000/oauth/logout"
+];
+var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
   constructor(ohEnv, props = {}) {
-    super(ohEnv, _OpenHiGraphqlService.SERVICE_TYPE, props);
+    super(ohEnv, _OpenHiAuthService.SERVICE_TYPE, props);
+    /**
+     * Cross-stack reference to the data store table. Cached so repeated
+     * lookups share a single CDK construct id ("dynamo-db-data-store") in
+     * this stack — a second `Table.fromTableName` call under the same scope
+     * would collide.
+     */
+    this._dataStoreTable = null;
+    this._controlEventBus = null;
     this.props = props;
-    this.rootGraphqlApi = this.createRootGraphqlApi();
+    this.userPoolKmsKey = this.createUserPoolKmsKey();
+    this.preTokenGenerationLambda = this.createPreTokenGenerationLambda();
+    this.postAuthenticationLambda = this.createPostAuthenticationLambda();
+    this.postConfirmationLambda = this.createPostConfirmationLambda();
+    this.userOnboardingWorkflow = this.createUserOnboardingWorkflow();
+    this.userPool = this.createUserPool();
+    this.grantPreTokenGenerationPermissions();
+    this.grantPostAuthenticationPermissions();
+    this.grantPostConfirmationPermissions();
+    this.userPoolClient = this.createUserPoolClient();
+    this.userPoolDomain = this.createUserPoolDomain();
   }
-  /** Creates the root GraphQL API with Cognito user pool. */
-  createRootGraphqlApi() {
-    const userPool = OpenHiAuthService.userPoolFromConstruct(this);
-    return new RootGraphqlApi(this, {
-      authorizationConfig: {
-        defaultAuthorization: {
-          authorizationType: import_aws_appsync2.AuthorizationType.USER_POOL,
-          userPoolConfig: {
-            userPool,
-            defaultAction: import_aws_appsync2.UserPoolDefaultAction.ALLOW
-          }
-        }
+  /**
+   * Returns an IUserPool by looking up the Auth stack's User Pool ID from SSM.
+   */
+  static userPoolFromConstruct(scope) {
+    const userPoolId = DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: CognitoUserPool.SSM_PARAM_NAME,
+      serviceType: _OpenHiAuthService.SERVICE_TYPE
+    });
+    return import_aws_cognito4.UserPool.fromUserPoolId(scope, "user-pool", userPoolId);
+  }
+  /**
+   * Returns an IUserPoolClient by looking up the Auth stack's User Pool Client ID from SSM.
+   */
+  static userPoolClientFromConstruct(scope) {
+    const userPoolClientId = DiscoverableStringParameter.valueForLookupName(
+      scope,
+      {
+        ssmParamName: CognitoUserPoolClient.SSM_PARAM_NAME,
+        serviceType: _OpenHiAuthService.SERVICE_TYPE
       }
+    );
+    return import_aws_cognito4.UserPoolClient.fromUserPoolClientId(
+      scope,
+      "user-pool-client",
+      userPoolClientId
+    );
+  }
+  /**
+   * Returns an IUserPoolDomain by looking up the Auth stack's User Pool Domain from SSM.
+   */
+  static userPoolDomainFromConstruct(scope) {
+    const domainName = DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: CognitoUserPoolDomain.SSM_PARAM_NAME,
+      serviceType: _OpenHiAuthService.SERVICE_TYPE
     });
+    return import_aws_cognito4.UserPoolDomain.fromDomainName(scope, "user-pool-domain", domainName);
   }
-};
-_OpenHiGraphqlService.SERVICE_TYPE = "graphql-api";
-var OpenHiGraphqlService = _OpenHiGraphqlService;
-
-// src/services/open-hi-website-service.ts
-var import_config6 = __toESM(require_lib());
-var import_aws_s32 = require("aws-cdk-lib/aws-s3");
-var SSM_PARAM_NAME_FULL_DOMAIN = "WEBSITE_FULL_DOMAIN";
-var ADMIN_DOMAIN_PREFIX = "admin";
-var _OpenHiWebsiteService = class _OpenHiWebsiteService extends OpenHiService {
   /**
-   * Compose the website's full per-deploy domain. Thin wrapper over
-   * {@link OpenHiService.composeServiceDomain} that fills in
-   * {@link DEFAULT_DOMAIN_PREFIX} when `domainPrefix` is omitted.
+   * Returns the full Cognito Hosted UI base URL (e.g.
+   * `https://auth-abc.auth.us-east-2.amazoncognito.com`) by looking up
+   * the Auth stack's User Pool Domain from SSM and composing it with the
+   * calling stack's region.
    *
-   * Use from sibling stacks that need to predict the website's hostname
-   * before the website stack is synthesised — e.g. the REST API stack
-   * computing its CORS `allowOrigins` for the admin-console.
+   * Equivalent to `UserPoolDomain.baseUrl()` on the concrete construct,
+   * but works across stacks where the looked-up `IUserPoolDomain` is an
+   * `Import` and does not carry the `baseUrl()` method. Assumes the
+   * domain was created as a Cognito-managed prefix domain (the only
+   * variant `OpenHiAuthService.createUserPoolDomain` produces).
    */
-  static composeFullDomain(opts) {
-    return OpenHiService.composeServiceDomain({
-      ...opts,
-      domainPrefix: opts.domainPrefix ?? _OpenHiWebsiteService.DEFAULT_DOMAIN_PREFIX
+  static userPoolDomainBaseUrlFromConstruct(scope) {
+    const domainName = DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: CognitoUserPoolDomain.SSM_PARAM_NAME,
+      serviceType: _OpenHiAuthService.SERVICE_TYPE
     });
+    const region = import_core2.Stack.of(scope).region;
+    return `https://${domainName}.auth.${region}.amazoncognito.com`;
   }
   /**
-   * Looks up the static-hosting bucket ARN published by the release-branch
-   * deploy of this service.
+   * Returns an IKey (KMS) by looking up the Auth stack's User Pool KMS Key ARN from SSM.
    */
-  static bucketArnFromConstruct(scope) {
-    return DiscoverableStringParameter.valueForLookupName(scope, {
-      ssmParamName: StaticHosting.SSM_PARAM_NAME_BUCKET_ARN,
-      serviceType: _OpenHiWebsiteService.SERVICE_TYPE
+  static userPoolKmsKeyFromConstruct(scope) {
+    const keyArn = DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: CognitoUserPoolKmsKey.SSM_PARAM_NAME,
+      serviceType: _OpenHiAuthService.SERVICE_TYPE
     });
+    return import_aws_kms2.Key.fromKeyArn(scope, "kms-key", keyArn);
+  }
+  get serviceType() {
+    return _OpenHiAuthService.SERVICE_TYPE;
   }
   /**
-   * Looks up the CloudFront distribution ARN published by the release-branch
-   * deploy of this service.
+   * Creates the KMS key for the Cognito User Pool and exports its ARN to SSM.
+   * Look up via {@link OpenHiAuthService.userPoolKmsKeyFromConstruct}.
+   * Override to customize.
    */
-  static distributionArnFromConstruct(scope) {
-    return DiscoverableStringParameter.valueForLookupName(scope, {
-      ssmParamName: StaticHosting.SSM_PARAM_NAME_DISTRIBUTION_ARN,
-      serviceType: _OpenHiWebsiteService.SERVICE_TYPE
+  createUserPoolKmsKey() {
+    const key = new CognitoUserPoolKmsKey(this);
+    new DiscoverableStringParameter(this, "kms-key-param", {
+      ssmParamName: CognitoUserPoolKmsKey.SSM_PARAM_NAME,
+      stringValue: key.keyArn,
+      description: "KMS key ARN for Cognito User Pool (e.g. custom sender); cross-stack reference"
     });
+    return key;
   }
   /**
-   * Looks up the CloudFront distribution domain
-   * (e.g. dXXXXX.cloudfront.net) published by the release-branch deploy.
+   * Creates the Pre Token Generation Lambda (Cognito trigger). On every
+   * sign-in and token refresh the Lambda resolves the User by Cognito `sub`
+   * (GSI2) and injects `ohi_tid`, `ohi_wid`, `ohi_uid`, `ohi_uname` into
+   * both the ID token and the access token (ADR 2026-03-17-01).
    */
-  static distributionDomainFromConstruct(scope) {
-    return DiscoverableStringParameter.valueForLookupName(scope, {
-      ssmParamName: StaticHosting.SSM_PARAM_NAME_DISTRIBUTION_DOMAIN,
-      serviceType: _OpenHiWebsiteService.SERVICE_TYPE
+  createPreTokenGenerationLambda() {
+    const construct = new PreTokenGenerationLambda(this, {
+      dynamoTableName: this.dataStoreTable().tableName
     });
+    return construct.lambda;
   }
   /**
-   * Looks up the CloudFront distribution ID published by the release-branch
-   * deploy of this service.
+   * Creates the Post Authentication Lambda (Cognito trigger). Calls
+   * AdminUserGlobalSignOut on every sign-in to enforce single-device-per-user
+   * sessions per ADR 2026-03-17-01.
    */
-  static distributionIdFromConstruct(scope) {
-    return DiscoverableStringParameter.valueForLookupName(scope, {
-      ssmParamName: StaticHosting.SSM_PARAM_NAME_DISTRIBUTION_ID,
-      serviceType: _OpenHiWebsiteService.SERVICE_TYPE
-    });
+  createPostAuthenticationLambda() {
+    const construct = new PostAuthenticationLambda(this);
+    return construct.lambda;
   }
   /**
-   * Looks up the website's full domain (e.g. www.example.com) published by
-   * the release-branch deploy of this service.
+   * Creates the Post Confirmation Lambda (Cognito trigger). On sign-up
+   * confirmation, publishes a control-plane workflow event; provisioning lives
+   * behind EventBridge.
    */
-  static fullDomainFromConstruct(scope) {
-    return DiscoverableStringParameter.valueForLookupName(scope, {
-      ssmParamName: SSM_PARAM_NAME_FULL_DOMAIN,
-      serviceType: _OpenHiWebsiteService.SERVICE_TYPE
+  createPostConfirmationLambda() {
+    const construct = new PostConfirmationLambda(this, {
+      controlEventBusName: this.controlEventBus().eventBusName
     });
+    return construct.lambda;
   }
-  get serviceType() {
-    return _OpenHiWebsiteService.SERVICE_TYPE;
+  createUserOnboardingWorkflow() {
+    return new UserOnboardingWorkflow(this, {
+      controlEventBus: this.controlEventBus(),
+      dataStoreTable: this.dataStoreTable()
+    });
   }
-  constructor(ohEnv, props) {
-    super(ohEnv, _OpenHiWebsiteService.SERVICE_TYPE, props);
-    this.props = props;
-    this.validateConfig(props);
-    const isReleaseBranch = this.branchName === this.defaultReleaseBranch;
-    const hostedZone = this.createHostedZone();
-    this.fullDomain = this.computeFullDomain(hostedZone);
-    const shouldCreateHostingInfra = props.createHostingInfrastructure ?? isReleaseBranch;
-    if (shouldCreateHostingInfra) {
-      const certificate = this.createCertificate();
-      this.staticHosting = this.createStaticHosting({
-        certificate,
-        hostedZone
-      });
-      this.createFullDomainParameter();
-    } else if (!isReleaseBranch) {
-      this.perBranchHostname = this.createPerBranchHostname(hostedZone);
-    }
-    if (props.createStaticContent !== false) {
-      const bucket = this.resolveStaticHostingBucket();
-      this.staticContent = this.createStaticContent(bucket);
+  dataStoreTable() {
+    if (this._dataStoreTable === null) {
+      this._dataStoreTable = OpenHiDataService.dynamoDbDataStoreFromConstruct(this);
     }
+    return this._dataStoreTable;
   }
-  /**
-   * Validates that config required for the website stack is present.
-   */
-  validateConfig(props) {
-    const { config } = props;
-    if (!config) {
-      throw new Error("Config is required");
-    }
-    if (!config.zoneName) {
-      throw new Error("Zone name is required");
-    }
-    if (!config.hostedZoneId) {
-      throw new Error("Hosted zone ID is required to import the website zone");
+  controlEventBus() {
+    if (this._controlEventBus === null) {
+      this._controlEventBus = OpenHiGlobalService.controlEventBusFromConstruct(this);
     }
+    return this._controlEventBus;
   }
   /**
-   * Imports the website's hosted zone from config attributes (no SSM lookup).
-   * The website attaches DNS records here on the release-branch deploy and
-   * the same zone is imported on feature-branch deploys for any sub-domain
-   * routing.
+   * Creates the Cognito User Pool and exports its ID to SSM.
+   * Look up via {@link OpenHiAuthService.userPoolFromConstruct}.
    * Override to customize.
    */
-  createHostedZone() {
-    return OpenHiGlobalService.rootHostedZoneFromConstruct(this, {
-      zoneName: this.config.zoneName,
-      hostedZoneId: this.config.hostedZoneId
+  createUserPool() {
+    const userPool = new CognitoUserPool(this, {
+      ...this.props.userPoolProps,
+      customSenderKmsKey: this.userPoolKmsKey
+    });
+    userPool.addTrigger(
+      import_aws_cognito4.UserPoolOperation.PRE_TOKEN_GENERATION_CONFIG,
+      this.preTokenGenerationLambda,
+      import_aws_cognito4.LambdaVersion.V2_0
+    );
+    userPool.addTrigger(
+      import_aws_cognito4.UserPoolOperation.POST_AUTHENTICATION,
+      this.postAuthenticationLambda
+    );
+    userPool.addTrigger(
+      import_aws_cognito4.UserPoolOperation.POST_CONFIRMATION,
+      this.postConfirmationLambda
+    );
+    new DiscoverableStringParameter(this, "user-pool-param", {
+      ssmParamName: CognitoUserPool.SSM_PARAM_NAME,
+      stringValue: userPool.userPoolId,
+      description: "Cognito User Pool ID for this Auth stack; cross-stack reference"
     });
+    return userPool;
   }
   /**
-   * Returns the wildcard certificate looked up from the Global service.
-   * Override to customize.
+   * Grants the Pre Token Generation Lambda read-only access on the data
+   * store table and its GSIs. The Lambda only needs:
+   * - `Query` on GSI2 to resolve a User by Cognito `sub`
+   * - `GetItem` on the base table for direct User reads
+   *
+   * No write or scan access: a User missing `currentTenant`/`currentWorkspace`
+   * falls into the absent-claims path; repair belongs in a separate backfill.
    */
-  createCertificate() {
-    return OpenHiGlobalService.rootWildcardCertificateFromConstruct(this);
+  grantPreTokenGenerationPermissions() {
+    const dataStoreTable = this.dataStoreTable();
+    const dynamoActions = ["dynamodb:GetItem", "dynamodb:Query"];
+    dataStoreTable.grant(this.preTokenGenerationLambda, ...dynamoActions);
+    this.preTokenGenerationLambda.addToRolePolicy(
+      new import_aws_iam7.PolicyStatement({
+        effect: import_aws_iam7.Effect.ALLOW,
+        actions: [...dynamoActions],
+        resources: [`${dataStoreTable.tableArn}/index/*`]
+      })
+    );
   }
   /**
-   * Computes the full website domain from `domainPrefix`,
-   * `childZonePrefix`, and the child zone name. Release-branch deploys
-   * serve at `\<domainPrefix\>.\<zone\>` (e.g. `admin.dev.openhi.org`);
-   * every other deploy serves a per-PR preview at
-   * `\<domainPrefix\>-\<childZonePrefix\>.\<zone\>`
-   * (e.g. `admin-feat-1093-patient-migration.dev.openhi.org`).
+   * Grants the Post Authentication Lambda permission to call
+   * `cognito-idp:AdminUserGlobalSignOut`.
    *
-   * Delegates to {@link OpenHiWebsiteService.composeFullDomain} so the
-   * release-vs-feature composition stays in one place.
+   * Scoped via `Stack.of(this).formatArn` rather than `userPool.userPoolArn`
+   * because the User Pool registers this Lambda as a Post Authentication
+   * trigger, creating the cycle:
+   *   userPool → lambda (trigger ARN) → role policy → userPool ARN.
+   * Using `formatArn` avoids referencing the User Pool resource directly
+   * while still scoping to user pools in this account+region. The Lambda
+   * is invoked only by Cognito with a Cognito-provided `event.userPoolId`,
+   * so the runtime target is constrained by the trigger contract.
    */
-  computeFullDomain(hostedZone) {
-    return _OpenHiWebsiteService.composeFullDomain({
-      domainPrefix: this.props.domainPrefix,
-      branchName: this.branchName,
-      defaultReleaseBranch: this.defaultReleaseBranch,
-      childZonePrefix: this.childZonePrefix,
-      zoneName: hostedZone.zoneName
-    });
+  grantPostAuthenticationPermissions() {
+    this.postAuthenticationLambda.addToRolePolicy(
+      new import_aws_iam7.PolicyStatement({
+        actions: ["cognito-idp:AdminUserGlobalSignOut"],
+        resources: [
+          import_core2.Stack.of(this).formatArn({
+            service: "cognito-idp",
+            resource: "userpool",
+            resourceName: "*"
+          })
+        ]
+      })
+    );
   }
   /**
-   * Returns the sub-domain label (left of the zone) for the current
-   * deploy. Used for the per-branch S3 key prefix passed to
-   * {@link StaticContent} so the upload prefix always matches the
-   * served hostname.
-   *
-   * Non-release deploys compose the per-PR slug as
-   * `\<domainPrefix\>-\<childZonePrefix\>`, mirroring the REST API's
-   * `api-\<childZonePrefix\>` convention. When `domainPrefix` is `admin`
-   * (the only consumer today), the resulting sub-domain starts with
-   * {@link PER_BRANCH_PREVIEW_PREFIX}, so the per-PR S3 key prefix
-   * matches what `StaticHosting`'s lifecycle rule expires.
+   * Grants the Post Confirmation Lambda publish-only access to the
+   * control-plane event bus. Workflow Lambdas own DynamoDB writes.
    */
-  computeSubDomain() {
-    const isReleaseBranch = this.branchName === this.defaultReleaseBranch;
-    const domainPrefix = this.props.domainPrefix ?? _OpenHiWebsiteService.DEFAULT_DOMAIN_PREFIX;
-    if (isReleaseBranch) {
-      return domainPrefix;
-    }
-    return `${domainPrefix}-${this.childZonePrefix}`;
+  grantPostConfirmationPermissions() {
+    this.controlEventBus().grantPutEventsTo(this.postConfirmationLambda);
   }
   /**
-   * Creates the StaticHosting infrastructure (bucket + distribution +
-   * Lambda@Edge + 4 SSM params + DNS). The release-branch distribution
-   * adds `*.\<zone\>` as a wildcard alt-name on top of the canonical
-   * hostname so per-PR previews resolve via the same distribution.
-   *
-   * The bucket carries an S3 lifecycle rule that expires per-PR
-   * preview content (keys under {@link PER_BRANCH_PREVIEW_PREFIX})
-   * on non-production stages. PROD never gets the rule — see
-   * `enablePreviewLifecycle`.
+   * Creates the User Pool Client and exports its ID to SSM (AUTH service type).
+   * OAuth flows are enabled with auto-injected callback/logout URLs derived
+   * from this stack's branch context (see {@link resolveOAuthRedirectUrls}).
+   * Look up via {@link OpenHiAuthService.userPoolClientFromConstruct}.
+   * Override to customize.
    */
-  createStaticHosting(deps) {
-    const restApi = this.props.restApi === true ? this.resolveRestApi() : void 0;
-    const wildcardSan = `*.${deps.hostedZone.zoneName}`;
-    return new StaticHosting(this, "static-hosting", {
-      serviceType: _OpenHiWebsiteService.SERVICE_TYPE,
-      certificate: deps.certificate,
-      hostedZone: deps.hostedZone,
-      domainNames: [this.fullDomain, wildcardSan],
-      description: `OpenHI website (${this.fullDomain})`,
-      prefixPattern: PER_BRANCH_PREVIEW_PREFIX,
-      enablePreviewLifecycle: this.ohEnv.ohStage.stageType !== import_config6.OPEN_HI_STAGE.PROD,
-      ...restApi !== void 0 && { restApi }
+  createUserPoolClient() {
+    const { callbackUrls, logoutUrls } = this.resolveOAuthRedirectUrls();
+    const client = new CognitoUserPoolClient(this, {
+      userPool: this.userPool,
+      oAuth: {
+        flows: {
+          authorizationCodeGrant: true,
+          implicitCodeGrant: true
+        },
+        callbackUrls,
+        logoutUrls
+      }
+    });
+    new DiscoverableStringParameter(this, "user-pool-client-param", {
+      ssmParamName: CognitoUserPoolClient.SSM_PARAM_NAME,
+      stringValue: client.userPoolClientId,
+      description: "Cognito User Pool Client ID for this Auth stack; cross-stack reference"
     });
+    return client;
   }
   /**
-   * Resolves the REST API custom-domain hostname from the rest-api stack's
-   * `REST_API_DOMAIN_NAME` SSM parameter. Wrapped in a private method so
-   * it can be overridden / stubbed in subclasses and tests.
+   * Returns the OAuth `callbackUrls` and `logoutUrls` the Cognito User Pool
+   * Client should accept. Composed from the same branch context the website
+   * service will see at synth time:
+   *
+   * - `https://admin{,-<childZonePrefix>}.<zone>/oauth/{callback,logout}`
+   * - `https://www{,-<childZonePrefix>}.<zone>/oauth/{callback,logout}`
+   *
+   * Both deployed-host pairs are auto-injected on every stage. On non-prod
+   * stages the localhost dev URLs from {@link LOCALHOST_OAUTH_CALLBACK_URLS}
+   * / {@link LOCALHOST_OAUTH_LOGOUT_URLS} join the merge; on prod they are
+   * deliberately excluded.
+   *
+   * If `zoneName` is absent (no-DNS test configurations), the deployed-host
+   * pairs are skipped — only the localhost set survives, and only on
+   * non-prod. Override to customize.
    */
-  resolveRestApi() {
+  resolveOAuthRedirectUrls() {
+    const isNonProd = this.ohEnv.ohStage.stageType !== import_config7.OPEN_HI_STAGE.PROD;
+    const zoneName = this.props.config?.zoneName;
+    const deployedOrigins = [];
+    if (zoneName !== void 0) {
+      const adminHost = OpenHiWebsiteService.composeFullDomain({
+        domainPrefix: ADMIN_DOMAIN_PREFIX,
+        branchName: this.branchName,
+        defaultReleaseBranch: this.defaultReleaseBranch,
+        childZonePrefix: this.childZonePrefix,
+        zoneName
+      });
+      const websiteHost = OpenHiWebsiteService.composeFullDomain({
+        branchName: this.branchName,
+        defaultReleaseBranch: this.defaultReleaseBranch,
+        childZonePrefix: this.childZonePrefix,
+        zoneName
+      });
+      deployedOrigins.push(`https://${adminHost}`, `https://${websiteHost}`);
+    }
+    const localhostCallbacks = isNonProd ? LOCALHOST_OAUTH_CALLBACK_URLS : [];
+    const localhostLogouts = isNonProd ? LOCALHOST_OAUTH_LOGOUT_URLS : [];
     return {
-      domainName: OpenHiRestApiService.restApiDomainNameFromConstruct(this)
+      callbackUrls: [
+        ...deployedOrigins.map((o) => `${o}/oauth/callback`),
+        ...localhostCallbacks
+      ],
+      logoutUrls: [
+        ...deployedOrigins.map((o) => `${o}/oauth/logout`),
+        ...localhostLogouts
+      ]
     };
   }
   /**
-   * Creates the SSM parameter that publishes the website's full domain.
-   * Look up via {@link OpenHiWebsiteService.fullDomainFromConstruct}.
+   * Creates the User Pool Domain (Cognito hosted UI) and exports domain name to SSM.
+   * Look up via {@link OpenHiAuthService.userPoolDomainFromConstruct}.
+   * Override to customize.
    */
-  createFullDomainParameter() {
-    new DiscoverableStringParameter(this, "full-domain-param", {
-      ssmParamName: SSM_PARAM_NAME_FULL_DOMAIN,
-      serviceType: _OpenHiWebsiteService.SERVICE_TYPE,
-      stringValue: this.fullDomain,
-      description: "Full website domain (e.g. www.example.com)"
+  createUserPoolDomain() {
+    const domain = new CognitoUserPoolDomain(this, {
+      userPool: this.userPool,
+      cognitoDomain: {
+        domainPrefix: `auth-${this.branchHash}`
+      }
     });
-  }
-  /**
-   * Creates the StaticContent uploader. Receives the resolved static-hosting
-   * bucket from the constructor — on the release-branch deploy this is the
-   * just-created {@link staticHosting} bucket (no SSM round-trip within a
-   * single stack); on every other deploy it is imported from the bucket ARN
-   * the release-branch deploy publishes to SSM, addressed against
-   * {@link OpenHiService.releaseBranchHash}. See
-   * {@link resolveStaticHostingBucket}.
-   *
-   * The S3 key prefix is `\<sub-domain\>.\<zone\>/\<contentDest\>` so the
-   * upload location matches the Host-header-derived folder the Lambda@Edge
-   * viewer-request handler prepends. Passing the zone name (rather than
-   * `this.fullDomain`) for the `fullDomain` prop keeps the prefix flat —
-   * `admin-feat-foo.dev.openhi.org/`, not
-   * `admin-feat-foo.admin.dev.openhi.org/`.
-   */
-  createStaticContent(bucket) {
-    const { contentSourceDirectory, contentDestinationDirectory } = this.props;
-    return new StaticContent(this, "static-content", {
-      bucket,
-      contentSourceDirectory,
-      contentDestinationDirectory,
-      subDomain: this.computeSubDomain(),
-      fullDomain: this.config.zoneName
+    new DiscoverableStringParameter(this, "user-pool-domain-param", {
+      ssmParamName: CognitoUserPoolDomain.SSM_PARAM_NAME,
+      stringValue: domain.domainName,
+      description: "Cognito User Pool Domain (hosted UI) for this Auth stack; cross-stack reference"
     });
+    return domain;
   }
+};
+_OpenHiAuthService.SERVICE_TYPE = "auth";
+var OpenHiAuthService = _OpenHiAuthService;
+
+// src/services/open-hi-graphql-service.ts
+var import_aws_appsync2 = require("aws-cdk-lib/aws-appsync");
+var _OpenHiGraphqlService = class _OpenHiGraphqlService extends OpenHiService {
   /**
-   * Creates the per-PR `PerBranchHostname` alias record on non-release
-   * branch deploys. The record points
-   * `\<domainPrefix\>-\<childZonePrefix\>.\<zone\>` at the release-branch
-   * CloudFront distribution (resolved from SSM against
-   * {@link OpenHiService.releaseBranchHash}).
+   * Returns the GraphQL API by looking up the GraphQL stack's API ID from SSM.
+   * Use from other stacks to obtain an IGraphqlApi reference.
    */
-  createPerBranchHostname(hostedZone) {
-    return new PerBranchHostname(this, "per-branch-hostname", {
-      hostname: this.fullDomain,
-      hostedZone,
-      serviceType: _OpenHiWebsiteService.SERVICE_TYPE
-    });
+  static graphqlApiFromConstruct(scope) {
+    return RootGraphqlApi.fromConstruct(scope);
   }
-  /**
-   * Returns an {@link IBucket} pointing at the static-hosting bucket the
-   * uploaders write to. On the release-branch deploy this is the bucket
-   * just provisioned by {@link staticHosting}; on every other deploy it's
-   * imported from the bucket ARN the release-branch deploy publishes to
-   * SSM, addressed against {@link OpenHiService.releaseBranchHash}.
-   */
-  resolveStaticHostingBucket() {
-    if (this.staticHosting) {
-      return this.staticHosting.bucket;
-    }
-    const bucketArn = DiscoverableStringParameter.valueForLookupName(this, {
-      ssmParamName: StaticHosting.SSM_PARAM_NAME_BUCKET_ARN,
-      serviceType: _OpenHiWebsiteService.SERVICE_TYPE,
-      branchHash: this.releaseBranchHash
+  get serviceType() {
+    return _OpenHiGraphqlService.SERVICE_TYPE;
+  }
+  constructor(ohEnv, props = {}) {
+    super(ohEnv, _OpenHiGraphqlService.SERVICE_TYPE, props);
+    this.props = props;
+    this.rootGraphqlApi = this.createRootGraphqlApi();
+  }
+  /** Creates the root GraphQL API with Cognito user pool. */
+  createRootGraphqlApi() {
+    const userPool = OpenHiAuthService.userPoolFromConstruct(this);
+    return new RootGraphqlApi(this, {
+      authorizationConfig: {
+        defaultAuthorization: {
+          authorizationType: import_aws_appsync2.AuthorizationType.USER_POOL,
+          userPoolConfig: {
+            userPool,
+            defaultAction: import_aws_appsync2.UserPoolDefaultAction.ALLOW
+          }
+        }
+      }
     });
-    return import_aws_s32.Bucket.fromBucketArn(this, "shared-bucket", bucketArn);
   }
 };
-_OpenHiWebsiteService.SERVICE_TYPE = "website";
-/**
- * Default `domainPrefix` for this service when none is supplied.
- * Release-branch hostname is `www.<zone>`; per-PR preview hostname is
- * `www-<childZonePrefix>.<zone>`.
- */
-_OpenHiWebsiteService.DEFAULT_DOMAIN_PREFIX = "www";
-var OpenHiWebsiteService = _OpenHiWebsiteService;
+_OpenHiGraphqlService.SERVICE_TYPE = "graphql-api";
+var OpenHiGraphqlService = _OpenHiGraphqlService;
 
 // src/workflows/control-plane/owning-delete-cascade/events.ts
 var import_workflows5 = __toESM(require_lib2());
@@ -8482,6 +8577,8 @@ var RenameCascadeWorkflow = class extends import_constructs25.Construct {
   DataStorePostgresReplica,
   DiscoverableStringParameter,
   DynamoDbDataStore,
+  LOCALHOST_OAUTH_CALLBACK_URLS,
+  LOCALHOST_OAUTH_LOGOUT_URLS,
   OPENHI_REPO_TAG_KEY_ENV_VAR,
   OPENHI_RESOURCE_URN_SYSTEM,
   OPENHI_TAG_KEY_PREFIX_ENV_VAR,