@openhi/constructs 0.0.152 → 0.0.154

package/lib/seed-demo-data.handler.d.mts

@@ -97,13 +97,40 @@ declare const seedDemoGraph: (params: {
  */
 declare const runSeedDemoData: (event: SeedDemoDataEvent, deps: SeedDemoDataDependencies, devUsers: ReadonlyArray<DemoDevUser>) => Promise<void>;
 /**
- * Deterministic password derived from the user's email. Re-running
- * the algorithm with the same email reproduces the password, so devs
- * can recover their own credentials from the docs page without the
- * workflow ever surfacing them. The shape satisfies the default
- * Cognito password policy (≥8 chars, upper + lower + number + symbol).
+ * SSM parameter-path prefix that hosts every seeded dev user's
+ * password. The full path for a single user is
+ * `${SEED_USER_PASSWORD_PARAMETER_PREFIX}<email_safe>/password`
+ * where `<email_safe>` is `<user>_at_<domain>` (see
+ * {@link emailToSsmPath}). The trailing `/password` segment leaves
+ * room for additional per-user parameters under the same email
+ * prefix in future phases without renaming the existing entries.
  */
-declare const devPasswordForEmail: (email: string) => string;
+declare const SEED_USER_PASSWORD_PARAMETER_PREFIX = "/openhi/seed/users/";
+/**
+ * Map an email address to its canonical SSM parameter path. The
+ * `@` separator is replaced with the literal sentinel `_at_` so
+ * the resulting path is a single SSM-legal name. Throws when the
+ * email is empty, missing exactly one `@`, or contains characters
+ * that would produce an invalid SSM path.
+ *
+ * Example: `alice@codedrifters.com` →
+ * `/openhi/seed/users/alice_at_codedrifters.com/password`.
+ */
+declare const emailToSsmPath: (email: string) => string;
+/**
+ * Test seam: reset the module-scoped SSM client cache. Unit tests
+ * that swap in different mocks across `it` blocks call this in
+ * `beforeEach` so each test gets a fresh client instance.
+ */
+declare const __resetSsmClientForTests: () => void;
+/**
+ * Read a seeded dev user's password from SSM Parameter Store. The
+ * parameter is expected to be a `SecureString` provisioned out of
+ * band by an operator (see the runbook in phase 3 of #1249). On
+ * `ParameterNotFound`, the error message includes the exact
+ * expected path so the operator can copy-paste-fix.
+ */
+declare const fetchSeedUserPassword: (email: string) => Promise<string>;
 /**
  * Production Cognito provisioner backed by the AWS SDK. Reads the
  * user-pool id from the env var the lambda construct injects.
@@ -111,13 +138,21 @@ declare const devPasswordForEmail: (email: string) => string;
  * Idempotency contract:
  *   - On first invocation, calls `AdminCreateUser` (with
  *     `MessageAction: SUPPRESS` so no invitation email fires) then
- *     `AdminSetUserPassword` (permanent). Returns the new user's sub.
+ *     `AdminSetUserPassword` (permanent, from the SSM-sourced
+ *     value). Returns the new user's sub.
  *   - On subsequent invocations, `AdminCreateUser` throws
  *     `UsernameExistsException`; the provisioner catches it, calls
- *     `AdminGetUser` to read the existing user's sub, and returns
- *     **without** touching the password or any attribute.
+ *     `AdminGetUser` to read the existing user's sub, and **also
+ *     re-applies the current SSM-sourced password** via
+ *     `AdminSetUserPassword`. This is the rotation seam: operators
+ *     update the SSM SecureString value and re-publish the seed
+ *     event to push a fresh password down to Cognito.
+ *
+ * The SSM password is fetched once per email up-front so the new-
+ * user and rotation branches share the same value and at most one
+ * `GetParameter` call lands per `ensureUser` invocation.
  */
 declare const productionCognitoProvisioner: () => CognitoProvisioner;
 declare const handler: (event: SeedDemoDataEvent) => Promise<void>;
 
-export { type CognitoProvisioner, SEED_DEMO_DATA_USER_POOL_ID_ENV_VAR, type SeedDemoDataDependencies, devPasswordForEmail, handler, productionCognitoProvisioner, runSeedDemoData, seedDemoGraph };
+export { type CognitoProvisioner, SEED_DEMO_DATA_USER_POOL_ID_ENV_VAR, SEED_USER_PASSWORD_PARAMETER_PREFIX, type SeedDemoDataDependencies, __resetSsmClientForTests, emailToSsmPath, fetchSeedUserPassword, handler, productionCognitoProvisioner, runSeedDemoData, seedDemoGraph };

package/lib/seed-demo-data.handler.d.ts

@@ -97,13 +97,40 @@ declare const seedDemoGraph: (params: {
  */
 declare const runSeedDemoData: (event: SeedDemoDataEvent, deps: SeedDemoDataDependencies, devUsers: ReadonlyArray<DemoDevUser>) => Promise<void>;
 /**
- * Deterministic password derived from the user's email. Re-running
- * the algorithm with the same email reproduces the password, so devs
- * can recover their own credentials from the docs page without the
- * workflow ever surfacing them. The shape satisfies the default
- * Cognito password policy (≥8 chars, upper + lower + number + symbol).
+ * SSM parameter-path prefix that hosts every seeded dev user's
+ * password. The full path for a single user is
+ * `${SEED_USER_PASSWORD_PARAMETER_PREFIX}<email_safe>/password`
+ * where `<email_safe>` is `<user>_at_<domain>` (see
+ * {@link emailToSsmPath}). The trailing `/password` segment leaves
+ * room for additional per-user parameters under the same email
+ * prefix in future phases without renaming the existing entries.
  */
-declare const devPasswordForEmail: (email: string) => string;
+declare const SEED_USER_PASSWORD_PARAMETER_PREFIX = "/openhi/seed/users/";
+/**
+ * Map an email address to its canonical SSM parameter path. The
+ * `@` separator is replaced with the literal sentinel `_at_` so
+ * the resulting path is a single SSM-legal name. Throws when the
+ * email is empty, missing exactly one `@`, or contains characters
+ * that would produce an invalid SSM path.
+ *
+ * Example: `alice@codedrifters.com` →
+ * `/openhi/seed/users/alice_at_codedrifters.com/password`.
+ */
+declare const emailToSsmPath: (email: string) => string;
+/**
+ * Test seam: reset the module-scoped SSM client cache. Unit tests
+ * that swap in different mocks across `it` blocks call this in
+ * `beforeEach` so each test gets a fresh client instance.
+ */
+declare const __resetSsmClientForTests: () => void;
+/**
+ * Read a seeded dev user's password from SSM Parameter Store. The
+ * parameter is expected to be a `SecureString` provisioned out of
+ * band by an operator (see the runbook in phase 3 of #1249). On
+ * `ParameterNotFound`, the error message includes the exact
+ * expected path so the operator can copy-paste-fix.
+ */
+declare const fetchSeedUserPassword: (email: string) => Promise<string>;
 /**
  * Production Cognito provisioner backed by the AWS SDK. Reads the
  * user-pool id from the env var the lambda construct injects.
@@ -111,13 +138,21 @@ declare const devPasswordForEmail: (email: string) => string;
  * Idempotency contract:
  *   - On first invocation, calls `AdminCreateUser` (with
  *     `MessageAction: SUPPRESS` so no invitation email fires) then
- *     `AdminSetUserPassword` (permanent). Returns the new user's sub.
+ *     `AdminSetUserPassword` (permanent, from the SSM-sourced
+ *     value). Returns the new user's sub.
  *   - On subsequent invocations, `AdminCreateUser` throws
  *     `UsernameExistsException`; the provisioner catches it, calls
- *     `AdminGetUser` to read the existing user's sub, and returns
- *     **without** touching the password or any attribute.
+ *     `AdminGetUser` to read the existing user's sub, and **also
+ *     re-applies the current SSM-sourced password** via
+ *     `AdminSetUserPassword`. This is the rotation seam: operators
+ *     update the SSM SecureString value and re-publish the seed
+ *     event to push a fresh password down to Cognito.
+ *
+ * The SSM password is fetched once per email up-front so the new-
+ * user and rotation branches share the same value and at most one
+ * `GetParameter` call lands per `ensureUser` invocation.
  */
 declare const productionCognitoProvisioner: () => CognitoProvisioner;
 declare const handler: (event: SeedDemoDataEvent) => Promise<void>;
 
-export { type CognitoProvisioner, SEED_DEMO_DATA_USER_POOL_ID_ENV_VAR, type SeedDemoDataDependencies, devPasswordForEmail, handler, productionCognitoProvisioner, runSeedDemoData, seedDemoGraph };
+export { type CognitoProvisioner, SEED_DEMO_DATA_USER_POOL_ID_ENV_VAR, SEED_USER_PASSWORD_PARAMETER_PREFIX, type SeedDemoDataDependencies, __resetSsmClientForTests, emailToSsmPath, fetchSeedUserPassword, handler, productionCognitoProvisioner, runSeedDemoData, seedDemoGraph };

package/lib/seed-demo-data.handler.js

@@ -707,16 +707,19 @@ var require_lib = __commonJS({
 var seed_demo_data_handler_exports = {};
 __export(seed_demo_data_handler_exports, {
   SEED_DEMO_DATA_USER_POOL_ID_ENV_VAR: () => SEED_DEMO_DATA_USER_POOL_ID_ENV_VAR,
-  devPasswordForEmail: () => devPasswordForEmail,
+  SEED_USER_PASSWORD_PARAMETER_PREFIX: () => SEED_USER_PASSWORD_PARAMETER_PREFIX,
+  __resetSsmClientForTests: () => __resetSsmClientForTests,
+  emailToSsmPath: () => emailToSsmPath,
+  fetchSeedUserPassword: () => fetchSeedUserPassword,
   handler: () => handler,
   productionCognitoProvisioner: () => productionCognitoProvisioner,
   runSeedDemoData: () => runSeedDemoData,
   seedDemoGraph: () => seedDemoGraph
 });
 module.exports = __toCommonJS(seed_demo_data_handler_exports);
-var import_node_crypto = require("crypto");
 var import_client_cognito_identity_provider = require("@aws-sdk/client-cognito-identity-provider");
 var import_client_dynamodb2 = require("@aws-sdk/client-dynamodb");
+var import_client_ssm = require("@aws-sdk/client-ssm");
 var import_types12 = require("@openhi/types");
 var import_workflows2 = __toESM(require_lib());
 
@@ -5412,10 +5415,66 @@ var runSeedDemoData = async (event, deps, devUsers) => {
     throw err;
   }
 };
-var devPasswordForEmail = (email) => {
-  const digest = (0, import_node_crypto.createHash)("sha256").update(email).digest();
-  const base64url = digest.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
-  return `Dev-${base64url.slice(0, 20)}!1`;
+var SEED_USER_PASSWORD_PARAMETER_PREFIX = "/openhi/seed/users/";
+var SSM_PATH_SEGMENT = /^[A-Za-z0-9_.-]+$/;
+var emailToSsmPath = (email) => {
+  if (typeof email !== "string" || email.length === 0) {
+    throw new Error(
+      `emailToSsmPath: email must be a non-empty string (received "${String(email)}").`
+    );
+  }
+  const atIdx = email.indexOf("@");
+  if (atIdx === -1 || atIdx !== email.lastIndexOf("@")) {
+    throw new Error(
+      `emailToSsmPath: email "${email}" must contain exactly one "@" character.`
+    );
+  }
+  const localPart = email.slice(0, atIdx);
+  const domainPart = email.slice(atIdx + 1);
+  if (localPart.length === 0 || domainPart.length === 0) {
+    throw new Error(
+      `emailToSsmPath: email "${email}" must have a non-empty local-part and domain.`
+    );
+  }
+  if (!SSM_PATH_SEGMENT.test(localPart) || !SSM_PATH_SEGMENT.test(domainPart)) {
+    throw new Error(
+      `emailToSsmPath: email "${email}" contains characters that would produce an invalid SSM parameter path (only A-Z, a-z, 0-9, '.', '-', and '_' are allowed).`
+    );
+  }
+  return `${SEED_USER_PASSWORD_PARAMETER_PREFIX}${localPart}_at_${domainPart}/password`;
+};
+var cachedSsmClient;
+var getSsmClient = () => {
+  if (!cachedSsmClient) {
+    cachedSsmClient = new import_client_ssm.SSMClient({});
+  }
+  return cachedSsmClient;
+};
+var __resetSsmClientForTests = () => {
+  cachedSsmClient = void 0;
+};
+var fetchSeedUserPassword = async (email) => {
+  const path = emailToSsmPath(email);
+  const client = getSsmClient();
+  try {
+    const result = await client.send(
+      new import_client_ssm.GetParameterCommand({ Name: path, WithDecryption: true })
+    );
+    const value = result.Parameter?.Value;
+    if (typeof value !== "string" || value.length === 0) {
+      throw new Error(
+        `fetchSeedUserPassword: SSM parameter "${path}" returned an empty value.`
+      );
+    }
+    return value;
+  } catch (err) {
+    if (err instanceof import_client_ssm.ParameterNotFound) {
+      throw new Error(
+        `fetchSeedUserPassword: SSM parameter "${path}" not found. Provision a SecureString at "${path}" with the dev user's password before re-running seed-demo-data.`
+      );
+    }
+    throw err;
+  }
 };
 var productionCognitoProvisioner = () => {
   const client = new import_client_cognito_identity_provider.CognitoIdentityProviderClient({});
@@ -5433,8 +5492,19 @@ var productionCognitoProvisioner = () => {
     }
     return void 0;
   };
+  const setPassword = async (email, password) => {
+    await client.send(
+      new import_client_cognito_identity_provider.AdminSetUserPasswordCommand({
+        UserPoolId: userPoolId,
+        Username: email,
+        Password: password,
+        Permanent: true
+      })
+    );
+  };
   return {
     ensureUser: async (email) => {
+      const password = await fetchSeedUserPassword(email);
       try {
         const created = await client.send(
           new import_client_cognito_identity_provider.AdminCreateUserCommand({
@@ -5447,14 +5517,7 @@ var productionCognitoProvisioner = () => {
             ]
           })
         );
-        await client.send(
-          new import_client_cognito_identity_provider.AdminSetUserPasswordCommand({
-            UserPoolId: userPoolId,
-            Username: email,
-            Password: devPasswordForEmail(email),
-            Permanent: true
-          })
-        );
+        await setPassword(email, password);
         const sub = subFromAttributes(created.User?.Attributes);
         if (!sub) {
           throw new Error(
@@ -5464,6 +5527,7 @@ var productionCognitoProvisioner = () => {
         return sub;
       } catch (err) {
         if (err instanceof import_client_cognito_identity_provider.UsernameExistsException) {
+          await setPassword(email, password);
           const got = await client.send(
             new import_client_cognito_identity_provider.AdminGetUserCommand({
               UserPoolId: userPoolId,
@@ -5497,7 +5561,10 @@ var handler = async (event) => runSeedDemoData(event, productionDependencies(),
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   SEED_DEMO_DATA_USER_POOL_ID_ENV_VAR,
-  devPasswordForEmail,
+  SEED_USER_PASSWORD_PARAMETER_PREFIX,
+  __resetSsmClientForTests,
+  emailToSsmPath,
+  fetchSeedUserPassword,
   handler,
   productionCognitoProvisioner,
   runSeedDemoData,