@openhi/constructs 0.0.158 → 0.0.160

package/lib/chunk-BQMJSDOD.mjs

@@ -1,1136 +0,0 @@
-import {
-  createAccountOperation,
-  createEncounterOperation,
-  createObservationOperation,
-  createPatientOperation,
-  createPractitionerOperation,
-  getRoleByIdOperation
-} from "./chunk-E6MCKJVS.mjs";
-import {
-  require_lib
-} from "./chunk-ZM4GDHHC.mjs";
-import {
-  PLATFORM_SCOPE_TENANT_ID,
-  createMembershipOperation,
-  createRoleAssignmentOperation,
-  createTenantOperation,
-  createWorkspaceOperation
-} from "./chunk-CFJDATDK.mjs";
-import {
-  NotFoundError
-} from "./chunk-FYHBHHWK.mjs";
-import {
-  getDynamoControlService
-} from "./chunk-VZCPGQXA.mjs";
-import {
-  __toESM
-} from "./chunk-LZOMFHX3.mjs";
-
-// src/workflows/control-plane/seed-demo-data/seed-demo-data.handler.ts
-var import_workflows2 = __toESM(require_lib());
-import {
-  AdminCreateUserCommand,
-  AdminGetUserCommand,
-  AdminSetUserPasswordCommand,
-  CognitoIdentityProviderClient,
-  UsernameExistsException
-} from "@aws-sdk/client-cognito-identity-provider";
-import { DynamoDBClient } from "@aws-sdk/client-dynamodb";
-import {
-  GetParameterCommand,
-  ParameterNotFound,
-  SSMClient
-} from "@aws-sdk/client-ssm";
-import {
-  PLATFORM_ROLE_CODE as PLATFORM_ROLE_CODE2,
-  PLATFORM_ROLE_CONCEPTS,
-  PLATFORM_ROLE_IDS,
-  extractSummary
-} from "@openhi/types";
-
-// src/workflows/control-plane/seed-demo-data/events.ts
-var import_workflows = __toESM(require_lib());
-import { PLATFORM_ROLE_CODE } from "@openhi/types";
-var SEED_DEMO_DATA_CONSUMER_NAME = "seed-demo-data";
-var DEMO_URN_SYSTEM = "urn:openhi:demo";
-var OPENHI_RESOURCE_URN_SYSTEM = "http://openhi.org/";
-var DEMO_PERIOD = { start: "2026-01-01T00:00:00Z" };
-var PLACEHOLDER_TENANT_ID = "placeholder-tenant-id";
-var PLACEHOLDER_WORKSPACE_ID = "placeholder-workspace-id";
-var DEV_USERS = [
-  { id: "dev-russell", email: "russell@codedrifters.com" },
-  { id: "dev-cameron", email: "cameron@codedrifters.com" },
-  { id: "dev-neelima", email: "neelima@codedrifters.com" },
-  { id: "dev-garon", email: "garon@codedrifters.com" },
-  { id: "dev-dave", email: "dave@codedrifters.com" },
-  { id: "dev-drew", email: "drew@codedrifters.com" },
-  { id: "dev-jessica", email: "jessica@codedrifters.com" },
-  { id: "dev-jared", email: "jared@codedrifters.com" },
-  { id: "dev-goddess", email: "goddess@codedrifters.com" },
-  // Dedicated end-to-end test principal for admin-console Playwright
-  // specs (issue #1275). Reuses the standard DEV_USERS plumbing
-  // (Cognito user + DynamoDB User + per-tenant Memberships +
-  // tenant-admin RAs + platform-scoped system-admin RA) and the
-  // existing SSM-sourced password convention from #1249 — the
-  // operator provisions the SecureString at
-  // /openhi/seed/users/e2e-admin-console_at_codedrifters.com/password
-  // out of band, and the seeded Cognito user picks it up via
-  // AdminSetUserPassword on every seed run.
-  { id: "dev-e2e-admin-console", email: "e2e-admin-console@codedrifters.com" }
-];
-var DEMO_TENANT_SPECS = [
-  {
-    scenario: "placeholder",
-    tenantId: PLACEHOLDER_TENANT_ID,
-    tenantName: "OpenHI Placeholder Tenant",
-    workspaces: [
-      {
-        id: PLACEHOLDER_WORKSPACE_ID,
-        name: "OpenHI Placeholder Workspace",
-        roleSuffix: "workspace"
-      }
-    ]
-  },
-  {
-    scenario: "demo-wound-care",
-    tenantId: "demo-wound-care-tenant",
-    tenantName: "Cedarbrook Wound Healing Institute",
-    workspaces: [
-      {
-        id: "demo-wound-care-workspace",
-        name: "Cedarbrook Outpatient Wound Clinic",
-        roleSuffix: "workspace"
-      }
-    ]
-  },
-  {
-    scenario: "demo-primary-care",
-    tenantId: "demo-primary-care-tenant",
-    tenantName: "Maple Ridge Family Medicine",
-    workspaces: [
-      {
-        id: "demo-primary-care-workspace",
-        name: "Maple Ridge Main Street Office",
-        roleSuffix: "workspace"
-      }
-    ]
-  },
-  {
-    scenario: "demo-mixed",
-    tenantId: "demo-mixed-tenant",
-    tenantName: "Northbridge Health Network",
-    workspaces: [
-      {
-        id: "demo-mixed-workspace-wound-care",
-        name: "Northbridge Wound Care Center",
-        roleSuffix: "workspace-wound-care"
-      },
-      {
-        id: "demo-mixed-workspace-primary-care",
-        name: "Northbridge Family Practice",
-        roleSuffix: "workspace-primary-care"
-      }
-    ]
-  }
-];
-var demoMembershipId = (devUserId, tenantId) => `demo-membership-${devUserId}-${tenantId}`;
-var demoRoleAssignmentId = (devUserId, tenantId, roleCode) => `demo-roleassignment-${devUserId}-${tenantId}-${roleCode}`;
-var demoScenarioIdentifier = (scenario, roleSuffix) => ({
-  system: DEMO_URN_SYSTEM,
-  value: `${scenario}:${roleSuffix}`
-});
-var openhiResourceIdentifier = (params) => ({
-  use: "unversioned",
-  system: OPENHI_RESOURCE_URN_SYSTEM,
-  value: `urn:ohi:${params.tenantId}:${params.workspaceId}:${params.resourceType}:${params.id}`
-});
-var demoRolesForUserInTenant = (_user, _tenantId) => {
-  void _user;
-  void _tenantId;
-  return [PLATFORM_ROLE_CODE.TENANT_ADMIN];
-};
-
-// src/workflows/control-plane/seed-demo-data/data-plane-fixtures.ts
-var fixtureIdentifiers = (scenario, tenantId, workspaceId, resourceType, id, roleSuffix) => [
-  demoScenarioIdentifier(scenario, roleSuffix),
-  openhiResourceIdentifier({
-    tenantId,
-    workspaceId,
-    resourceType,
-    id
-  })
-];
-var buildWoundCareFixtures = (scenario, tenantId, workspaceId, idPrefix) => ({
-  tenantId,
-  workspaceId,
-  scenario,
-  patients: [
-    {
-      resourceType: "Patient",
-      id: `${idPrefix}-patient-1`,
-      identifier: fixtureIdentifiers(
-        scenario,
-        tenantId,
-        workspaceId,
-        "Patient",
-        `${idPrefix}-patient-1`,
-        `patient-1`
-      ),
-      active: true,
-      name: [{ family: "Carter", given: ["Eleanor"], use: "official" }],
-      gender: "female",
-      birthDate: "1952-04-18"
-    },
-    {
-      resourceType: "Patient",
-      id: `${idPrefix}-patient-2`,
-      identifier: fixtureIdentifiers(
-        scenario,
-        tenantId,
-        workspaceId,
-        "Patient",
-        `${idPrefix}-patient-2`,
-        `patient-2`
-      ),
-      active: true,
-      name: [{ family: "Nguyen", given: ["Hao"], use: "official" }],
-      gender: "male",
-      birthDate: "1968-11-02"
-    }
-  ],
-  practitioners: [
-    {
-      resourceType: "Practitioner",
-      id: `${idPrefix}-practitioner-1`,
-      identifier: fixtureIdentifiers(
-        scenario,
-        tenantId,
-        workspaceId,
-        "Practitioner",
-        `${idPrefix}-practitioner-1`,
-        `practitioner-1`
-      ),
-      active: true,
-      name: [{ family: "Reyes", given: ["Maria"], prefix: ["Dr."] }],
-      gender: "female"
-    },
-    {
-      resourceType: "Practitioner",
-      id: `${idPrefix}-practitioner-2`,
-      identifier: fixtureIdentifiers(
-        scenario,
-        tenantId,
-        workspaceId,
-        "Practitioner",
-        `${idPrefix}-practitioner-2`,
-        `practitioner-2`
-      ),
-      active: true,
-      name: [{ family: "Okafor", given: ["Chinedu"], prefix: ["Dr."] }],
-      gender: "male"
-    }
-  ],
-  observations: [
-    {
-      resourceType: "Observation",
-      id: `${idPrefix}-observation-1`,
-      identifier: fixtureIdentifiers(
-        scenario,
-        tenantId,
-        workspaceId,
-        "Observation",
-        `${idPrefix}-observation-1`,
-        `observation-1`
-      ),
-      status: "final",
-      code: {
-        coding: [
-          {
-            system: "http://loinc.org",
-            code: "39135-9",
-            display: "Wound size"
-          }
-        ]
-      },
-      subject: { reference: `Patient/${idPrefix}-patient-1` },
-      valueString: "3.2cm x 2.1cm"
-    },
-    {
-      resourceType: "Observation",
-      id: `${idPrefix}-observation-2`,
-      identifier: fixtureIdentifiers(
-        scenario,
-        tenantId,
-        workspaceId,
-        "Observation",
-        `${idPrefix}-observation-2`,
-        `observation-2`
-      ),
-      status: "final",
-      code: {
-        coding: [
-          {
-            system: "http://loinc.org",
-            code: "72287-2",
-            display: "Wound exudate amount"
-          }
-        ]
-      },
-      subject: { reference: `Patient/${idPrefix}-patient-2` },
-      valueString: "moderate"
-    }
-  ],
-  encounters: [
-    {
-      resourceType: "Encounter",
-      id: `${idPrefix}-encounter-1`,
-      identifier: fixtureIdentifiers(
-        scenario,
-        tenantId,
-        workspaceId,
-        "Encounter",
-        `${idPrefix}-encounter-1`,
-        `encounter-1`
-      ),
-      status: "finished",
-      class: {
-        system: "http://terminology.hl7.org/CodeSystem/v3-ActCode",
-        code: "AMB",
-        display: "ambulatory"
-      },
-      subject: { reference: `Patient/${idPrefix}-patient-1` }
-    },
-    {
-      resourceType: "Encounter",
-      id: `${idPrefix}-encounter-2`,
-      identifier: fixtureIdentifiers(
-        scenario,
-        tenantId,
-        workspaceId,
-        "Encounter",
-        `${idPrefix}-encounter-2`,
-        `encounter-2`
-      ),
-      status: "finished",
-      class: {
-        system: "http://terminology.hl7.org/CodeSystem/v3-ActCode",
-        code: "AMB",
-        display: "ambulatory"
-      },
-      subject: { reference: `Patient/${idPrefix}-patient-2` }
-    }
-  ],
-  accounts: [
-    {
-      resourceType: "Account",
-      id: `${idPrefix}-account-1`,
-      identifier: fixtureIdentifiers(
-        scenario,
-        tenantId,
-        workspaceId,
-        "Account",
-        `${idPrefix}-account-1`,
-        `account-1`
-      ),
-      status: "active",
-      name: "Wound-care self-pay account",
-      subject: [{ reference: `Patient/${idPrefix}-patient-1` }]
-    }
-  ]
-});
-var buildPrimaryCareFixtures = (scenario, tenantId, workspaceId, idPrefix) => ({
-  tenantId,
-  workspaceId,
-  scenario,
-  patients: [
-    {
-      resourceType: "Patient",
-      id: `${idPrefix}-patient-1`,
-      identifier: fixtureIdentifiers(
-        scenario,
-        tenantId,
-        workspaceId,
-        "Patient",
-        `${idPrefix}-patient-1`,
-        `patient-1`
-      ),
-      active: true,
-      name: [{ family: "Bennett", given: ["Sophia"], use: "official" }],
-      gender: "female",
-      birthDate: "1985-06-09"
-    },
-    {
-      resourceType: "Patient",
-      id: `${idPrefix}-patient-2`,
-      identifier: fixtureIdentifiers(
-        scenario,
-        tenantId,
-        workspaceId,
-        "Patient",
-        `${idPrefix}-patient-2`,
-        `patient-2`
-      ),
-      active: true,
-      name: [{ family: "Patel", given: ["Arjun"], use: "official" }],
-      gender: "male",
-      birthDate: "1979-02-21"
-    }
-  ],
-  practitioners: [
-    {
-      resourceType: "Practitioner",
-      id: `${idPrefix}-practitioner-1`,
-      identifier: fixtureIdentifiers(
-        scenario,
-        tenantId,
-        workspaceId,
-        "Practitioner",
-        `${idPrefix}-practitioner-1`,
-        `practitioner-1`
-      ),
-      active: true,
-      name: [{ family: "Lin", given: ["Wei"], prefix: ["Dr."] }],
-      gender: "female"
-    },
-    {
-      resourceType: "Practitioner",
-      id: `${idPrefix}-practitioner-2`,
-      identifier: fixtureIdentifiers(
-        scenario,
-        tenantId,
-        workspaceId,
-        "Practitioner",
-        `${idPrefix}-practitioner-2`,
-        `practitioner-2`
-      ),
-      active: true,
-      name: [{ family: "Kowalski", given: ["Piotr"], prefix: ["Dr."] }],
-      gender: "male"
-    }
-  ],
-  observations: [
-    {
-      resourceType: "Observation",
-      id: `${idPrefix}-observation-1`,
-      identifier: fixtureIdentifiers(
-        scenario,
-        tenantId,
-        workspaceId,
-        "Observation",
-        `${idPrefix}-observation-1`,
-        `observation-1`
-      ),
-      status: "final",
-      code: {
-        coding: [
-          {
-            system: "http://loinc.org",
-            code: "8480-6",
-            display: "Systolic blood pressure"
-          }
-        ]
-      },
-      subject: { reference: `Patient/${idPrefix}-patient-1` },
-      valueQuantity: { value: 122, unit: "mm[Hg]" }
-    },
-    {
-      resourceType: "Observation",
-      id: `${idPrefix}-observation-2`,
-      identifier: fixtureIdentifiers(
-        scenario,
-        tenantId,
-        workspaceId,
-        "Observation",
-        `${idPrefix}-observation-2`,
-        `observation-2`
-      ),
-      status: "final",
-      code: {
-        coding: [
-          {
-            system: "http://loinc.org",
-            code: "8462-4",
-            display: "Diastolic blood pressure"
-          }
-        ]
-      },
-      subject: { reference: `Patient/${idPrefix}-patient-2` },
-      valueQuantity: { value: 78, unit: "mm[Hg]" }
-    }
-  ],
-  encounters: [
-    {
-      resourceType: "Encounter",
-      id: `${idPrefix}-encounter-1`,
-      identifier: fixtureIdentifiers(
-        scenario,
-        tenantId,
-        workspaceId,
-        "Encounter",
-        `${idPrefix}-encounter-1`,
-        `encounter-1`
-      ),
-      status: "finished",
-      class: {
-        system: "http://terminology.hl7.org/CodeSystem/v3-ActCode",
-        code: "AMB",
-        display: "ambulatory"
-      },
-      subject: { reference: `Patient/${idPrefix}-patient-1` }
-    },
-    {
-      resourceType: "Encounter",
-      id: `${idPrefix}-encounter-2`,
-      identifier: fixtureIdentifiers(
-        scenario,
-        tenantId,
-        workspaceId,
-        "Encounter",
-        `${idPrefix}-encounter-2`,
-        `encounter-2`
-      ),
-      status: "in-progress",
-      class: {
-        system: "http://terminology.hl7.org/CodeSystem/v3-ActCode",
-        code: "AMB",
-        display: "ambulatory"
-      },
-      subject: { reference: `Patient/${idPrefix}-patient-2` }
-    }
-  ],
-  accounts: [
-    {
-      resourceType: "Account",
-      id: `${idPrefix}-account-1`,
-      identifier: fixtureIdentifiers(
-        scenario,
-        tenantId,
-        workspaceId,
-        "Account",
-        `${idPrefix}-account-1`,
-        `account-1`
-      ),
-      status: "active",
-      name: "Primary-care insurance account",
-      subject: [{ reference: `Patient/${idPrefix}-patient-1` }]
-    }
-  ]
-});
-var DEMO_DATA_PLANE_FIXTURES = [
-  buildWoundCareFixtures(
-    "demo-wound-care",
-    "demo-wound-care-tenant",
-    "demo-wound-care-workspace",
-    "demo-wound-care"
-  ),
-  buildPrimaryCareFixtures(
-    "demo-primary-care",
-    "demo-primary-care-tenant",
-    "demo-primary-care-workspace",
-    "demo-primary-care"
-  ),
-  buildWoundCareFixtures(
-    "demo-mixed",
-    "demo-mixed-tenant",
-    "demo-mixed-workspace-wound-care",
-    "demo-mixed-wound-care"
-  ),
-  buildPrimaryCareFixtures(
-    "demo-mixed",
-    "demo-mixed-tenant",
-    "demo-mixed-workspace-primary-care",
-    "demo-mixed-primary-care"
-  )
-];
-var _validateFixturesAgainstTenantSpecs = () => {
-  for (const group of DEMO_DATA_PLANE_FIXTURES) {
-    if (group.tenantId === PLACEHOLDER_TENANT_ID) {
-      throw new Error(
-        "The placeholder tenant must not carry data-plane fixtures."
-      );
-    }
-    const tenant = DEMO_TENANT_SPECS.find((s) => s.tenantId === group.tenantId);
-    if (!tenant) {
-      throw new Error(
-        `Fixture references unknown tenantId "${group.tenantId}". Add a matching entry to DEMO_TENANT_SPECS first.`
-      );
-    }
-    const workspace = tenant.workspaces.find(
-      (ws) => ws.id === group.workspaceId
-    );
-    if (!workspace) {
-      throw new Error(
-        `Fixture references unknown workspaceId "${group.workspaceId}" for tenant "${group.tenantId}".`
-      );
-    }
-  }
-};
-_validateFixturesAgainstTenantSpecs();
-
-// src/workflows/control-plane/seed-demo-data/seed-demo-data.handler.ts
-var SEED_DEMO_DATA_USER_POOL_ID_ENV_VAR = "SEED_DEMO_DATA_USER_POOL_ID";
-var errorMessage = (err) => {
-  if (err instanceof Error) {
-    return err.message;
-  }
-  return String(err);
-};
-var tryRun = async (failures, phase, scope, resourceType, resourceId, fn) => {
-  try {
-    await fn();
-    return true;
-  } catch (err) {
-    failures.push({ phase, scope, resourceType, resourceId, error: err });
-    return false;
-  }
-};
-var aggregateFailureError = (failures) => {
-  const summary = failures.map(
-    (f) => `${f.phase} ${f.scope}/${f.resourceType}/${f.resourceId}: ${errorMessage(
-      f.error
-    )}`
-  ).join("; ");
-  return new Error(
-    `seed-demo-data: ${failures.length} item(s) failed across phases: ${summary}`
-  );
-};
-var idForRoleCode = (code) => {
-  for (const key of Object.keys(PLATFORM_ROLE_IDS)) {
-    if (PLATFORM_ROLE_CONCEPTS[key].code === code) {
-      return PLATFORM_ROLE_IDS[key];
-    }
-  }
-  throw new Error(`No id mapping for role code "${code}".`);
-};
-var verifySystemRolesExist = async () => {
-  const probeContext = {
-    tenantId: "",
-    workspaceId: "",
-    date: (/* @__PURE__ */ new Date(0)).toISOString(),
-    actorId: "platform-deploy-bridge",
-    actorName: "Platform Deploy Bridge",
-    actorType: "internal-system",
-    source: "step-function"
-  };
-  for (const id of Object.values(PLATFORM_ROLE_IDS)) {
-    try {
-      await getRoleByIdOperation({ context: probeContext, id });
-    } catch (err) {
-      if (err instanceof NotFoundError) {
-        throw new Error(
-          `seed-demo-data pre-flight: control-plane Role "${id}" is missing. Ensure seed-system-data has run on this environment before retrying.`
-        );
-      }
-      throw err;
-    }
-  }
-};
-var tenantResourceBody = (spec) => ({
-  name: spec.tenantName,
-  active: true,
-  identifier: [
-    demoScenarioIdentifier(spec.scenario, "tenant"),
-    openhiResourceIdentifier({
-      tenantId: spec.tenantId,
-      workspaceId: "",
-      resourceType: "Tenant",
-      id: spec.tenantId
-    })
-  ]
-});
-var workspaceResourceBody = (spec, workspace) => ({
-  name: workspace.name,
-  active: true,
-  identifier: [
-    demoScenarioIdentifier(spec.scenario, workspace.roleSuffix),
-    openhiResourceIdentifier({
-      tenantId: spec.tenantId,
-      workspaceId: "",
-      resourceType: "Workspace",
-      id: workspace.id
-    })
-  ],
-  tenant: { reference: `Tenant/${spec.tenantId}`, type: "Tenant" }
-});
-var membershipResourceBody = (spec, user, membershipId) => ({
-  identifier: [
-    demoScenarioIdentifier(spec.scenario, `membership-${user.id}`),
-    openhiResourceIdentifier({
-      tenantId: spec.tenantId,
-      workspaceId: "",
-      resourceType: "Membership",
-      id: membershipId
-    })
-  ],
-  user: { reference: `User/${user.id}`, type: "User" },
-  tenant: { reference: `Tenant/${spec.tenantId}`, type: "Tenant" },
-  period: DEMO_PERIOD
-});
-var roleAssignmentResourceBody = (scenario, tenantId, user, roleCode, roleAssignmentId) => ({
-  identifier: [
-    demoScenarioIdentifier(scenario, `roleassignment-${user.id}-${roleCode}`),
-    openhiResourceIdentifier({
-      tenantId,
-      workspaceId: "",
-      resourceType: "RoleAssignment",
-      id: roleAssignmentId
-    })
-  ],
-  user: { reference: `User/${user.id}`, type: "User" },
-  role: { reference: `Role/${idForRoleCode(roleCode)}`, type: "Role" },
-  tenant: { reference: `Tenant/${tenantId}`, type: "Tenant" },
-  period: DEMO_PERIOD
-});
-var userResourceBody = (user, cognitoSub) => ({
-  resourceType: "User",
-  id: user.id,
-  name: [{ text: user.email }],
-  status: "active",
-  cognitoSub,
-  currentTenant: { reference: `Tenant/${PLACEHOLDER_TENANT_ID}` },
-  currentWorkspace: { reference: `Workspace/${PLACEHOLDER_WORKSPACE_ID}` }
-});
-var upsertUser = async (context, user, cognitoSub) => {
-  const service = getDynamoControlService();
-  const resource = userResourceBody(user, cognitoSub);
-  const summary = JSON.stringify(extractSummary(resource));
-  await service.entities.user.put({
-    id: user.id,
-    cognitoSub,
-    resource: JSON.stringify(resource),
-    summary,
-    vid: "1",
-    lastUpdated: context.date ?? (/* @__PURE__ */ new Date()).toISOString()
-  }).go();
-};
-var seedWorkspaceDataPlane = async (baseContext, group, failures) => {
-  const workspaceContext = {
-    ...baseContext,
-    tenantId: group.tenantId,
-    workspaceId: group.workspaceId
-  };
-  const scope = `${group.tenantId}/${group.workspaceId}`;
-  for (const patient of group.patients) {
-    await tryRun(
-      failures,
-      "phase-3",
-      scope,
-      "Patient",
-      patient.id ?? "",
-      () => createPatientOperation({
-        context: workspaceContext,
-        body: patient
-      })
-    );
-  }
-  for (const practitioner of group.practitioners) {
-    await tryRun(
-      failures,
-      "phase-3",
-      scope,
-      "Practitioner",
-      practitioner.id ?? "",
-      () => createPractitionerOperation({
-        context: workspaceContext,
-        body: practitioner
-      })
-    );
-  }
-  for (const observation of group.observations) {
-    await tryRun(
-      failures,
-      "phase-3",
-      scope,
-      "Observation",
-      observation.id ?? "",
-      () => createObservationOperation({
-        context: workspaceContext,
-        body: observation
-      })
-    );
-  }
-  for (const encounter of group.encounters) {
-    await tryRun(
-      failures,
-      "phase-3",
-      scope,
-      "Encounter",
-      encounter.id ?? "",
-      () => createEncounterOperation({
-        context: workspaceContext,
-        body: encounter
-      })
-    );
-  }
-  for (const account of group.accounts) {
-    await tryRun(
-      failures,
-      "phase-3",
-      scope,
-      "Account",
-      account.id ?? "",
-      () => createAccountOperation({
-        context: workspaceContext,
-        body: account
-      })
-    );
-  }
-};
-var seedDemoGraph = async (params) => {
-  const { baseContext, devUsers, cognito } = params;
-  const failures = [];
-  for (const spec of DEMO_TENANT_SPECS) {
-    const tenantContext = {
-      ...baseContext,
-      tenantId: spec.tenantId
-    };
-    await tryRun(
-      failures,
-      "phase-1",
-      spec.tenantId,
-      "Tenant",
-      spec.tenantId,
-      () => createTenantOperation({
-        context: tenantContext,
-        body: { id: spec.tenantId, resource: tenantResourceBody(spec) }
-      })
-    );
-    for (const workspace of spec.workspaces) {
-      await tryRun(
-        failures,
-        "phase-1",
-        spec.tenantId,
-        "Workspace",
-        workspace.id,
-        () => createWorkspaceOperation({
-          context: tenantContext,
-          body: {
-            id: workspace.id,
-            resource: workspaceResourceBody(spec, workspace)
-          }
-        })
-      );
-    }
-  }
-  for (const user of devUsers) {
-    let cognitoSub;
-    try {
-      cognitoSub = await cognito.ensureUser(user.email);
-    } catch (err) {
-      failures.push({
-        phase: "phase-2",
-        scope: user.id,
-        resourceType: "CognitoUser",
-        resourceId: user.email,
-        error: err
-      });
-      continue;
-    }
-    await tryRun(
-      failures,
-      "phase-2",
-      user.id,
-      "User",
-      user.id,
-      () => upsertUser(baseContext, user, cognitoSub)
-    );
-    for (const spec of DEMO_TENANT_SPECS) {
-      const tenantContext = {
-        ...baseContext,
-        tenantId: spec.tenantId
-      };
-      const userScope = `${user.id}@${spec.tenantId}`;
-      const membershipId = demoMembershipId(user.id, spec.tenantId);
-      await tryRun(
-        failures,
-        "phase-2",
-        userScope,
-        "Membership",
-        membershipId,
-        () => createMembershipOperation({
-          context: tenantContext,
-          body: {
-            id: membershipId,
-            resource: membershipResourceBody(spec, user, membershipId)
-          }
-        })
-      );
-      for (const roleCode of demoRolesForUserInTenant(user, spec.tenantId)) {
-        const raId = demoRoleAssignmentId(user.id, spec.tenantId, roleCode);
-        await tryRun(
-          failures,
-          "phase-2",
-          userScope,
-          "RoleAssignment",
-          raId,
-          () => createRoleAssignmentOperation({
-            context: tenantContext,
-            body: {
-              id: raId,
-              resource: roleAssignmentResourceBody(
-                spec.scenario,
-                spec.tenantId,
-                user,
-                roleCode,
-                raId
-              )
-            }
-          })
-        );
-      }
-    }
-    const platformContext = {
-      ...baseContext,
-      tenantId: PLATFORM_SCOPE_TENANT_ID
-    };
-    const platformRoleCode = PLATFORM_ROLE_CODE2.SYSTEM_ADMIN;
-    const platformRaId = demoRoleAssignmentId(
-      user.id,
-      PLATFORM_SCOPE_TENANT_ID,
-      platformRoleCode
-    );
-    await tryRun(
-      failures,
-      "phase-2",
-      `${user.id}@${PLATFORM_SCOPE_TENANT_ID}`,
-      "RoleAssignment",
-      platformRaId,
-      () => createRoleAssignmentOperation({
-        context: platformContext,
-        body: {
-          id: platformRaId,
-          resource: roleAssignmentResourceBody(
-            "platform",
-            PLATFORM_SCOPE_TENANT_ID,
-            user,
-            platformRoleCode,
-            platformRaId
-          )
-        }
-      })
-    );
-  }
-  for (const group of DEMO_DATA_PLANE_FIXTURES) {
-    try {
-      await seedWorkspaceDataPlane(baseContext, group, failures);
-    } catch (err) {
-      failures.push({
-        phase: "phase-3",
-        scope: `${group.tenantId}/${group.workspaceId}`,
-        resourceType: "Workspace",
-        resourceId: group.workspaceId,
-        error: err
-      });
-    }
-  }
-  if (failures.length > 0) {
-    throw aggregateFailureError(failures);
-  }
-};
-var runSeedDemoData = async (event, deps, devUsers) => {
-  const parsed = (0, import_workflows2.parseWorkflowEvent)(event, import_workflows.PlatformSystemDataSeededV1);
-  const recordResult = await deps.dedupClient.recordIfAbsent({
-    consumerName: SEED_DEMO_DATA_CONSUMER_NAME,
-    eventId: parsed.dedupKey.eventId,
-    attempt: parsed.dedupKey.attempt
-  });
-  if (!recordResult.recorded) {
-    return;
-  }
-  const baseContext = {
-    tenantId: "",
-    workspaceId: "",
-    date: parsed.envelope.occurredAt,
-    actorId: "platform-deploy-bridge",
-    actorName: "Platform Deploy Bridge",
-    actorType: "internal-system",
-    source: "step-function"
-  };
-  try {
-    await deps.verifyRoles();
-    await deps.seedDemoGraph({
-      baseContext,
-      devUsers,
-      cognito: deps.cognito
-    });
-  } catch (err) {
-    await deps.dedupClient.markFailed({
-      consumerName: SEED_DEMO_DATA_CONSUMER_NAME,
-      eventId: parsed.dedupKey.eventId,
-      attempt: parsed.dedupKey.attempt,
-      reason: errorMessage(err)
-    });
-    throw err;
-  }
-};
-var SEED_USER_PASSWORD_PARAMETER_PREFIX = "/openhi/seed/users/";
-var SSM_PATH_SEGMENT = /^[A-Za-z0-9_.-]+$/;
-var emailToSsmPath = (email) => {
-  if (typeof email !== "string" || email.length === 0) {
-    throw new Error(
-      `emailToSsmPath: email must be a non-empty string (received "${String(email)}").`
-    );
-  }
-  const atIdx = email.indexOf("@");
-  if (atIdx === -1 || atIdx !== email.lastIndexOf("@")) {
-    throw new Error(
-      `emailToSsmPath: email "${email}" must contain exactly one "@" character.`
-    );
-  }
-  const localPart = email.slice(0, atIdx);
-  const domainPart = email.slice(atIdx + 1);
-  if (localPart.length === 0 || domainPart.length === 0) {
-    throw new Error(
-      `emailToSsmPath: email "${email}" must have a non-empty local-part and domain.`
-    );
-  }
-  if (!SSM_PATH_SEGMENT.test(localPart) || !SSM_PATH_SEGMENT.test(domainPart)) {
-    throw new Error(
-      `emailToSsmPath: email "${email}" contains characters that would produce an invalid SSM parameter path (only A-Z, a-z, 0-9, '.', '-', and '_' are allowed).`
-    );
-  }
-  return `${SEED_USER_PASSWORD_PARAMETER_PREFIX}${localPart}_at_${domainPart}/password`;
-};
-var cachedSsmClient;
-var getSsmClient = () => {
-  if (!cachedSsmClient) {
-    cachedSsmClient = new SSMClient({});
-  }
-  return cachedSsmClient;
-};
-var __resetSsmClientForTests = () => {
-  cachedSsmClient = void 0;
-};
-var fetchSeedUserPassword = async (email) => {
-  const path = emailToSsmPath(email);
-  const client = getSsmClient();
-  try {
-    const result = await client.send(
-      new GetParameterCommand({ Name: path, WithDecryption: true })
-    );
-    const value = result.Parameter?.Value;
-    if (typeof value !== "string" || value.length === 0) {
-      throw new Error(
-        `fetchSeedUserPassword: SSM parameter "${path}" returned an empty value.`
-      );
-    }
-    return value;
-  } catch (err) {
-    if (err instanceof ParameterNotFound) {
-      throw new Error(
-        `fetchSeedUserPassword: SSM parameter "${path}" not found. Provision a SecureString at "${path}" with the dev user's password before re-running seed-demo-data.`
-      );
-    }
-    throw err;
-  }
-};
-var productionCognitoProvisioner = () => {
-  const client = new CognitoIdentityProviderClient({});
-  const userPoolId = process.env[SEED_DEMO_DATA_USER_POOL_ID_ENV_VAR];
-  if (!userPoolId || userPoolId.trim() === "") {
-    throw new Error(
-      `${SEED_DEMO_DATA_USER_POOL_ID_ENV_VAR} is not set; the seed-demo-data Lambda cannot provision Cognito users without a user-pool id.`
-    );
-  }
-  const subFromAttributes = (attrs) => {
-    for (const attr of attrs ?? []) {
-      if (attr.Name === "sub" && typeof attr.Value === "string") {
-        return attr.Value;
-      }
-    }
-    return void 0;
-  };
-  const setPassword = async (email, password) => {
-    await client.send(
-      new AdminSetUserPasswordCommand({
-        UserPoolId: userPoolId,
-        Username: email,
-        Password: password,
-        Permanent: true
-      })
-    );
-  };
-  return {
-    ensureUser: async (email) => {
-      const password = await fetchSeedUserPassword(email);
-      try {
-        const created = await client.send(
-          new AdminCreateUserCommand({
-            UserPoolId: userPoolId,
-            Username: email,
-            MessageAction: "SUPPRESS",
-            UserAttributes: [
-              { Name: "email", Value: email },
-              { Name: "email_verified", Value: "true" }
-            ]
-          })
-        );
-        await setPassword(email, password);
-        const sub = subFromAttributes(created.User?.Attributes);
-        if (!sub) {
-          throw new Error(
-            `AdminCreateUser response for "${email}" did not carry a sub attribute.`
-          );
-        }
-        return sub;
-      } catch (err) {
-        if (err instanceof UsernameExistsException) {
-          await setPassword(email, password);
-          const got = await client.send(
-            new AdminGetUserCommand({
-              UserPoolId: userPoolId,
-              Username: email
-            })
-          );
-          const sub = subFromAttributes(got.UserAttributes);
-          if (!sub) {
-            throw new Error(
-              `AdminGetUser response for "${email}" did not carry a sub attribute.`
-            );
-          }
-          return sub;
-        }
-        throw err;
-      }
-    }
-  };
-};
-var productionDependencies = () => {
-  const dynamodb = new DynamoDBClient({});
-  const cognito = productionCognitoProvisioner();
-  return {
-    dedupClient: (0, import_workflows2.workflowDedupClient)(dynamodb),
-    verifyRoles: verifySystemRolesExist,
-    seedDemoGraph,
-    cognito
-  };
-};
-var handler = async (event) => runSeedDemoData(event, productionDependencies(), DEV_USERS);
-
-export {
-  import_workflows,
-  SEED_DEMO_DATA_CONSUMER_NAME,
-  DEMO_URN_SYSTEM,
-  OPENHI_RESOURCE_URN_SYSTEM,
-  DEMO_PERIOD,
-  PLACEHOLDER_TENANT_ID,
-  PLACEHOLDER_WORKSPACE_ID,
-  DEV_USERS,
-  DEMO_TENANT_SPECS,
-  demoMembershipId,
-  demoRoleAssignmentId,
-  demoScenarioIdentifier,
-  openhiResourceIdentifier,
-  demoRolesForUserInTenant,
-  DEMO_DATA_PLANE_FIXTURES,
-  SEED_DEMO_DATA_USER_POOL_ID_ENV_VAR,
-  seedDemoGraph,
-  runSeedDemoData,
-  SEED_USER_PASSWORD_PARAMETER_PREFIX,
-  emailToSsmPath,
-  __resetSsmClientForTests,
-  fetchSeedUserPassword,
-  productionCognitoProvisioner,
-  handler
-};
-//# sourceMappingURL=chunk-BQMJSDOD.mjs.map