@openhi/constructs 0.0.85 → 0.0.86

package/lib/index.js

@@ -94,6 +94,7 @@ var require_lib = __commonJS({
 var src_exports = {};
 __export(src_exports, {
   ChildHostedZone: () => ChildHostedZone,
+  CognitoFixtureSeederClient: () => CognitoFixtureSeederClient,
   CognitoUserPool: () => CognitoUserPool,
   CognitoUserPoolClient: () => CognitoUserPoolClient,
   CognitoUserPoolDomain: () => CognitoUserPoolDomain,
@@ -103,6 +104,7 @@ __export(src_exports, {
   DATA_STORE_CHANGE_EVENT_SOURCE: () => DATA_STORE_CHANGE_EVENT_SOURCE,
   DataEventBus: () => DataEventBus,
   DataStoreHistoricalArchive: () => DataStoreHistoricalArchive,
+  DataStorePostgresReplica: () => DataStorePostgresReplica,
   DiscoverableStringParameter: () => DiscoverableStringParameter,
   DynamoDbDataStore: () => DynamoDbDataStore,
   OpenHiApp: () => OpenHiApp,
@@ -115,6 +117,9 @@ __export(src_exports, {
   OpenHiService: () => OpenHiService,
   OpenHiStage: () => OpenHiStage,
   OpsEventBus: () => OpsEventBus,
+  POSTGRES_REPLICA_CLUSTER_ARN_SSM_NAME: () => POSTGRES_REPLICA_CLUSTER_ARN_SSM_NAME,
+  POSTGRES_REPLICA_DATABASE_NAME_SSM_NAME: () => POSTGRES_REPLICA_DATABASE_NAME_SSM_NAME,
+  POSTGRES_REPLICA_SECRET_ARN_SSM_NAME: () => POSTGRES_REPLICA_SECRET_ARN_SSM_NAME,
   PreTokenGenerationLambda: () => PreTokenGenerationLambda,
   REST_API_BASE_URL_SSM_NAME: () => REST_API_BASE_URL_SSM_NAME,
   RootGraphqlApi: () => RootGraphqlApi,
@@ -124,7 +129,8 @@ __export(src_exports, {
   STATIC_HOSTING_SERVICE_TYPE: () => STATIC_HOSTING_SERVICE_TYPE,
   StaticHosting: () => StaticHosting,
   buildFhirCurrentResourceChangeDetail: () => buildFhirCurrentResourceChangeDetail,
-  getDynamoDbDataStoreTableName: () => getDynamoDbDataStoreTableName
+  getDynamoDbDataStoreTableName: () => getDynamoDbDataStoreTableName,
+  getPostgresReplicaSchemaName: () => getPostgresReplicaSchemaName
 });
 module.exports = __toCommonJS(src_exports);
 
@@ -402,6 +408,10 @@ var OpenHiService = class extends import_aws_cdk_lib4.Stack {
     this.environmentHash = environmentHash;
     this.branchHash = branchHash;
     this.stackHash = stackHash;
+    this.node.setContext(
+      `availability-zones:account=${account}:region=${region}`,
+      [`${region}a`, `${region}b`, `${region}c`]
+    );
     import_aws_cdk_lib4.Tags.of(this).add(`${appName}:repo-name`, repoName.slice(0, 255));
     import_aws_cdk_lib4.Tags.of(this).add(`${appName}:branch-name`, branchName.slice(0, 255));
     import_aws_cdk_lib4.Tags.of(this).add(`${appName}:service-type`, id.slice(0, 255));
@@ -578,9 +588,47 @@ var _RootGraphqlApi = class _RootGraphqlApi extends import_aws_appsync.GraphqlAp
 _RootGraphqlApi.SSM_PARAM_NAME = "ROOT_GRAPHQL_API";
 var RootGraphqlApi = _RootGraphqlApi;
 
-// src/components/cognito/cognito-user-pool.ts
+// src/components/cognito/cognito-fixture-seeder-client.ts
+var import_aws_cdk_lib6 = require("aws-cdk-lib");
 var import_aws_cognito = require("aws-cdk-lib/aws-cognito");
-var CognitoUserPool = class extends import_aws_cognito.UserPool {
+var CognitoFixtureSeederClient = class extends import_aws_cognito.UserPoolClient {
+  constructor(scope, props) {
+    const { userPool, ...rest } = props;
+    super(scope, "fixture-seeder-client", {
+      userPool,
+      generateSecret: false,
+      authFlows: {
+        userPassword: true
+      },
+      // No OAuth flows — the seeder calls Cognito's `InitiateAuth`
+      // directly with USER_PASSWORD_AUTH, not through the hosted-UI
+      // OAuth grant flows the SPA client uses. `disableOAuth: true`
+      // causes CDK to omit `AllowedOAuthFlowsUserPoolClient` entirely;
+      // passing an empty `oAuth` block instead still flips that flag on
+      // and Cognito rejects the create call for missing flows/scopes.
+      disableOAuth: true,
+      // Short-lived tokens: a seeder run takes seconds, not hours.
+      // 1h access-token validity is the minimum Cognito permits and is
+      // plenty for a fixture run.
+      accessTokenValidity: import_aws_cdk_lib6.Duration.hours(1),
+      idTokenValidity: import_aws_cdk_lib6.Duration.hours(1),
+      refreshTokenValidity: import_aws_cdk_lib6.Duration.days(1),
+      preventUserExistenceErrors: true,
+      ...rest
+    });
+  }
+};
+/**
+ * SSM parameter name suffix used to publish this client's ID for
+ * cross-stack lookups. Built into a full parameter name via
+ * `buildParameterName` with `serviceType` AUTH (since the auth stack
+ * owns this resource).
+ */
+CognitoFixtureSeederClient.SSM_PARAM_NAME = "COGNITO_FIXTURE_SEEDER_CLIENT";
+
+// src/components/cognito/cognito-user-pool.ts
+var import_aws_cognito2 = require("aws-cdk-lib/aws-cognito");
+var CognitoUserPool = class extends import_aws_cognito2.UserPool {
   constructor(scope, props = {}) {
     const service = OpenHiService.of(scope);
     super(scope, "user-pool", {
@@ -594,7 +642,7 @@ var CognitoUserPool = class extends import_aws_cognito.UserPool {
       userVerification: {
         emailSubject: "Verify your email!",
         emailBody: "Your verification code is {####}.",
-        emailStyle: import_aws_cognito.VerificationEmailStyle.CODE
+        emailStyle: import_aws_cognito2.VerificationEmailStyle.CODE
       },
       removalPolicy: props.removalPolicy ?? service.removalPolicy,
       /**
@@ -614,8 +662,8 @@ var CognitoUserPool = class extends import_aws_cognito.UserPool {
 CognitoUserPool.SSM_PARAM_NAME = "COGNITO_USER_POOL";
 
 // src/components/cognito/cognito-user-pool-client.ts
-var import_aws_cognito2 = require("aws-cdk-lib/aws-cognito");
-var CognitoUserPoolClient = class extends import_aws_cognito2.UserPoolClient {
+var import_aws_cognito3 = require("aws-cdk-lib/aws-cognito");
+var CognitoUserPoolClient = class extends import_aws_cognito3.UserPoolClient {
   constructor(scope, props) {
     super(scope, "user-pool-client", {
       /**
@@ -642,8 +690,8 @@ var CognitoUserPoolClient = class extends import_aws_cognito2.UserPoolClient {
 CognitoUserPoolClient.SSM_PARAM_NAME = "COGNITO_USER_POOL_CLIENT";
 
 // src/components/cognito/cognito-user-pool-domain.ts
-var import_aws_cognito3 = require("aws-cdk-lib/aws-cognito");
-var CognitoUserPoolDomain = class extends import_aws_cognito3.UserPoolDomain {
+var import_aws_cognito4 = require("aws-cdk-lib/aws-cognito");
+var CognitoUserPoolDomain = class extends import_aws_cognito4.UserPoolDomain {
   constructor(scope, props) {
     const id = props.cognitoDomain?.domainPrefix ? "cognito-domain" : "custom-domain";
     super(scope, id, {
@@ -749,10 +797,6 @@ var EXCLUDED_CHANGE_DETAIL_KEYS = /* @__PURE__ */ new Set([
   "GSI1SK",
   "GSI2PK",
   "GSI2SK",
-  "GSI3PK",
-  "GSI3SK",
-  "GSI4PK",
-  "GSI4SK",
   /** Full FHIR JSON may contain PII; never list or ship in the bus payload. */
   "resource"
 ]);
@@ -828,7 +872,7 @@ function buildFhirCurrentResourceChangeDetail(record, keys) {
 // src/components/dynamodb/data-store-historical-archive.ts
 var import_node_fs2 = __toESM(require("fs"));
 var import_node_path2 = __toESM(require("path"));
-var import_aws_cdk_lib6 = require("aws-cdk-lib");
+var import_aws_cdk_lib7 = require("aws-cdk-lib");
 var kinesisfirehose = __toESM(require("aws-cdk-lib/aws-kinesisfirehose"));
 var import_aws_lambda2 = require("aws-cdk-lib/aws-lambda");
 var import_aws_lambda_nodejs2 = require("aws-cdk-lib/aws-lambda-nodejs");
@@ -850,7 +894,7 @@ var DataStoreHistoricalArchive = class extends import_constructs2.Construct {
       encryption: s3.BucketEncryption.S3_MANAGED,
       enforceSSL: true,
       removalPolicy: props.removalPolicy,
-      autoDeleteObjects: props.removalPolicy === import_aws_cdk_lib6.RemovalPolicy.DESTROY,
+      autoDeleteObjects: props.removalPolicy === import_aws_cdk_lib7.RemovalPolicy.DESTROY,
       versioned: true
     });
     const putEventsFailureDlqBucket = props.dataEventBus ? new s3.Bucket(this, "PutEventsFailureDlq", {
@@ -858,7 +902,7 @@ var DataStoreHistoricalArchive = class extends import_constructs2.Construct {
       encryption: s3.BucketEncryption.S3_MANAGED,
       enforceSSL: true,
       removalPolicy: props.removalPolicy,
-      autoDeleteObjects: props.removalPolicy === import_aws_cdk_lib6.RemovalPolicy.DESTROY,
+      autoDeleteObjects: props.removalPolicy === import_aws_cdk_lib7.RemovalPolicy.DESTROY,
       versioned: false
     }) : void 0;
     this.putEventsFailureDlqBucket = putEventsFailureDlqBucket;
@@ -866,7 +910,7 @@ var DataStoreHistoricalArchive = class extends import_constructs2.Construct {
       entry: resolveHandlerEntry2(__dirname),
       runtime: import_aws_lambda2.Runtime.NODEJS_LATEST,
       memorySize: 512,
-      timeout: import_aws_cdk_lib6.Duration.minutes(1),
+      timeout: import_aws_cdk_lib7.Duration.minutes(1),
       description: "Firehose transform: filter CURRENT resource rows, S3 keys, EventBridge PutEvents",
       environment: props.dataEventBus && putEventsFailureDlqBucket ? {
         DATA_EVENT_BUS_NAME: props.dataEventBus.eventBusName,
@@ -882,16 +926,16 @@ var DataStoreHistoricalArchive = class extends import_constructs2.Construct {
     const processor = new kinesisfirehose.LambdaFunctionProcessor(
       this.transformFunction,
       {
-        bufferInterval: import_aws_cdk_lib6.Duration.seconds(60),
-        bufferSize: import_aws_cdk_lib6.Size.mebibytes(3),
+        bufferInterval: import_aws_cdk_lib7.Duration.seconds(60),
+        bufferSize: import_aws_cdk_lib7.Size.mebibytes(3),
         retries: 3
       }
     );
     const destination = new kinesisfirehose.S3Bucket(this.archiveBucket, {
       compression: kinesisfirehose.Compression.GZIP,
-      bufferingInterval: import_aws_cdk_lib6.Duration.seconds(300),
+      bufferingInterval: import_aws_cdk_lib7.Duration.seconds(300),
       // Firehose requires SizeInMBs ≥ 64 when dynamic partitioning is enabled.
-      bufferingSize: import_aws_cdk_lib6.Size.mebibytes(64),
+      bufferingSize: import_aws_cdk_lib7.Size.mebibytes(64),
       processors: [processor],
       errorOutputPrefix: "errors/!{firehose:error-output-type}/!{timestamp:yyyy/MM/dd/HH}/",
       loggingConfig: new kinesisfirehose.EnableLogging()
@@ -954,7 +998,15 @@ var DynamoDbDataStore = class extends import_aws_dynamodb.Table {
         type: import_aws_dynamodb.AttributeType.STRING
       },
       projectionType: import_aws_dynamodb.ProjectionType.INCLUDE,
-      nonKeyAttributes: ["srcType", "srcId", "path", "srcPk", "srcSk", "ts"]
+      nonKeyAttributes: [
+        "summary",
+        "vid",
+        "lastUpdated",
+        "createdDate",
+        "modifiedDate",
+        "createdById",
+        "modifiedById"
+      ]
     });
     this.addGlobalSecondaryIndex({
       indexName: "GSI2",
@@ -967,32 +1019,12 @@ var DynamoDbDataStore = class extends import_aws_dynamodb.Table {
         type: import_aws_dynamodb.AttributeType.STRING
       },
       projectionType: import_aws_dynamodb.ProjectionType.INCLUDE,
-      nonKeyAttributes: ["resourcePk", "resourceSk", "display", "status"]
-    });
-    this.addGlobalSecondaryIndex({
-      indexName: "GSI3",
-      partitionKey: {
-        name: "GSI3PK",
-        type: import_aws_dynamodb.AttributeType.STRING
-      },
-      sortKey: {
-        name: "GSI3SK",
-        type: import_aws_dynamodb.AttributeType.STRING
-      },
-      projectionType: import_aws_dynamodb.ProjectionType.INCLUDE,
-      nonKeyAttributes: ["resourcePk", "resourceSk"]
-    });
-    this.addGlobalSecondaryIndex({
-      indexName: "GSI4",
-      partitionKey: {
-        name: "GSI4PK",
-        type: import_aws_dynamodb.AttributeType.STRING
-      },
-      sortKey: {
-        name: "GSI4SK",
-        type: import_aws_dynamodb.AttributeType.STRING
-      },
-      projectionType: import_aws_dynamodb.ProjectionType.ALL
+      nonKeyAttributes: [
+        "id",
+        "currentTenant",
+        "currentWorkspace",
+        "displayName"
+      ]
     });
   }
 };
@@ -1041,8 +1073,172 @@ var OpsEventBus = class _OpsEventBus extends import_aws_events2.EventBus {
   }
 };
 
+// src/components/postgres/data-store-postgres-replica.ts
+var import_node_fs3 = __toESM(require("fs"));
+var import_node_path3 = __toESM(require("path"));
+var import_aws_cdk_lib8 = require("aws-cdk-lib");
+var ec2 = __toESM(require("aws-cdk-lib/aws-ec2"));
+var import_aws_lambda3 = require("aws-cdk-lib/aws-lambda");
+var import_aws_lambda_event_sources = require("aws-cdk-lib/aws-lambda-event-sources");
+var import_aws_lambda_nodejs3 = require("aws-cdk-lib/aws-lambda-nodejs");
+var rds = __toESM(require("aws-cdk-lib/aws-rds"));
+var import_constructs3 = require("constructs");
+var HANDLER_NAME3 = "data-store-postgres-replication.handler.js";
+var DEFAULT_DATABASE_NAME = "openhi";
+var SCHEMA_NAME_PATTERN = /^[a-z_][a-z0-9_]{0,62}$/;
+var POSTGRES_REPLICA_CLUSTER_ARN_SSM_NAME = "POSTGRES_REPLICA_CLUSTER_ARN";
+var POSTGRES_REPLICA_SECRET_ARN_SSM_NAME = "POSTGRES_REPLICA_SECRET_ARN";
+var POSTGRES_REPLICA_DATABASE_NAME_SSM_NAME = "POSTGRES_REPLICA_DATABASE_NAME";
+function resolveHandlerEntry3(dirname) {
+  const sameDir = import_node_path3.default.join(dirname, HANDLER_NAME3);
+  if (import_node_fs3.default.existsSync(sameDir)) {
+    return sameDir;
+  }
+  return import_node_path3.default.join(dirname, "..", "..", "..", "lib", HANDLER_NAME3);
+}
+function getPostgresReplicaSchemaName(branchHash) {
+  const candidate = `b_${branchHash.toLowerCase()}`;
+  if (!SCHEMA_NAME_PATTERN.test(candidate)) {
+    throw new Error(
+      `Branch hash ${JSON.stringify(branchHash)} produces an invalid Postgres schema name ${JSON.stringify(candidate)}; expected /[a-z_][a-z0-9_]{0,62}/.`
+    );
+  }
+  return candidate;
+}
+var DataStorePostgresReplica = class extends import_constructs3.Construct {
+  /**
+   * Resolve the cluster ARN published by an upstream {@link DataStorePostgresReplica}.
+   * Use from any stack that needs to grant `rds-data:ExecuteStatement` against
+   * the cluster.
+   */
+  static clusterArnFromConstruct(scope) {
+    return DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: POSTGRES_REPLICA_CLUSTER_ARN_SSM_NAME,
+      serviceType: "data"
+    });
+  }
+  /**
+   * Resolve the credentials secret ARN published by an upstream
+   * {@link DataStorePostgresReplica}. Use from any stack that needs to grant
+   * `secretsmanager:GetSecretValue` against the secret.
+   */
+  static secretArnFromConstruct(scope) {
+    return DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: POSTGRES_REPLICA_SECRET_ARN_SSM_NAME,
+      serviceType: "data"
+    });
+  }
+  /**
+   * Resolve the database name published by an upstream
+   * {@link DataStorePostgresReplica}.
+   */
+  static databaseNameFromConstruct(scope) {
+    return DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: POSTGRES_REPLICA_DATABASE_NAME_SSM_NAME,
+      serviceType: "data"
+    });
+  }
+  constructor(scope, id, props) {
+    super(scope, id);
+    this.databaseName = props.databaseName ?? DEFAULT_DATABASE_NAME;
+    this.schemaName = getPostgresReplicaSchemaName(props.branchHash);
+    const region = import_aws_cdk_lib8.Stack.of(this).region;
+    this.vpc = props.vpc ?? new ec2.Vpc(this, "Vpc", {
+      availabilityZones: [`${region}a`, `${region}b`],
+      natGateways: 0,
+      subnetConfiguration: [
+        {
+          name: "isolated",
+          subnetType: ec2.SubnetType.PRIVATE_ISOLATED,
+          cidrMask: 24
+        }
+      ]
+    });
+    this.cluster = new rds.DatabaseCluster(this, "Cluster", {
+      clusterIdentifier: `openhi-dstore-pg-${props.stackHash}`,
+      engine: rds.DatabaseClusterEngine.auroraPostgres({
+        version: rds.AuroraPostgresEngineVersion.VER_16_4
+      }),
+      vpc: this.vpc,
+      vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE_ISOLATED },
+      writer: rds.ClusterInstance.serverlessV2("writer"),
+      serverlessV2MinCapacity: props.minCapacity ?? 1,
+      serverlessV2MaxCapacity: props.maxCapacity ?? 2,
+      defaultDatabaseName: this.databaseName,
+      credentials: rds.Credentials.fromGeneratedSecret("openhi_admin"),
+      storageEncrypted: true,
+      removalPolicy: props.removalPolicy,
+      // Phase 2 of ADR 2026-04-17-01: the REST API Lambda queries Postgres
+      // via the RDS Data API (HTTPS) so it can stay out of the cluster's VPC.
+      // Direct `pg` from the replication Lambda continues to work in parallel.
+      enableDataApi: true
+    });
+    this.publishCoordinatesToSsm();
+    this.replicationFunction = new import_aws_lambda_nodejs3.NodejsFunction(this, "ReplicationFunction", {
+      entry: resolveHandlerEntry3(__dirname),
+      runtime: import_aws_lambda3.Runtime.NODEJS_LATEST,
+      memorySize: 512,
+      timeout: import_aws_cdk_lib8.Duration.minutes(1),
+      vpc: this.vpc,
+      vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE_ISOLATED },
+      description: "Replicates DynamoDB current-resource changes into the Postgres `resources` JSONB table (ADR 2026-04-17-01).",
+      environment: {
+        OPENHI_PG_HOST: this.cluster.clusterEndpoint.hostname,
+        OPENHI_PG_PORT: this.cluster.clusterEndpoint.port.toString(),
+        OPENHI_PG_DATABASE: this.databaseName,
+        OPENHI_PG_SCHEMA: this.schemaName,
+        OPENHI_PG_SECRET_ARN: this.cluster.secret.secretArn,
+        OPENHI_PG_SSL: "true"
+      },
+      bundling: {
+        minify: true,
+        sourceMap: false,
+        // pg has conditional/optional deps (pg-native, pg-cloudflare) that
+        // historically misbehave when bundled by esbuild; keep it as a real
+        // node_module in the Lambda zip instead.
+        nodeModules: ["pg"]
+      }
+    });
+    this.cluster.secret.grantRead(this.replicationFunction);
+    this.cluster.connections.allowDefaultPortFrom(this.replicationFunction);
+    this.replicationFunction.addEventSource(
+      new import_aws_lambda_event_sources.KinesisEventSource(props.kinesisStream, {
+        startingPosition: import_aws_lambda3.StartingPosition.LATEST,
+        batchSize: 100,
+        maxBatchingWindow: import_aws_cdk_lib8.Duration.seconds(5),
+        retryAttempts: 10,
+        bisectBatchOnError: true,
+        parallelizationFactor: 2,
+        reportBatchItemFailures: true
+      })
+    );
+  }
+  /**
+   * Publishes the cluster ARN, secret ARN, and database name as discoverable
+   * SSM parameters so the REST API stack (and any future read-side consumer)
+   * can wire RDS Data API access without a direct CDK cross-stack reference.
+   */
+  publishCoordinatesToSsm() {
+    new DiscoverableStringParameter(this, "cluster-arn-param", {
+      ssmParamName: POSTGRES_REPLICA_CLUSTER_ARN_SSM_NAME,
+      stringValue: this.cluster.clusterArn,
+      description: "ARN of the Aurora Serverless v2 cluster backing the Postgres replication tier (ADR 2026-04-17-01)."
+    });
+    new DiscoverableStringParameter(this, "secret-arn-param", {
+      ssmParamName: POSTGRES_REPLICA_SECRET_ARN_SSM_NAME,
+      stringValue: this.cluster.secret.secretArn,
+      description: "ARN of the Secrets Manager secret with credentials for the Postgres replication tier."
+    });
+    new DiscoverableStringParameter(this, "database-name-param", {
+      ssmParamName: POSTGRES_REPLICA_DATABASE_NAME_SSM_NAME,
+      stringValue: this.databaseName,
+      description: "Database name within the Postgres replication cluster."
+    });
+  }
+};
+
 // src/components/route-53/child-hosted-zone.ts
-var import_aws_cdk_lib7 = require("aws-cdk-lib");
+var import_aws_cdk_lib9 = require("aws-cdk-lib");
 var import_aws_route53 = require("aws-cdk-lib/aws-route53");
 var ChildHostedZone = class extends import_aws_route53.HostedZone {
   constructor(scope, id, props) {
@@ -1051,7 +1247,7 @@ var ChildHostedZone = class extends import_aws_route53.HostedZone {
       zone: props.parentHostedZone,
       recordName: this.zoneName,
       values: this.hostedZoneNameServers || [],
-      ttl: import_aws_cdk_lib7.Duration.minutes(5)
+      ttl: import_aws_cdk_lib9.Duration.minutes(5)
     });
   }
 };
@@ -1061,8 +1257,8 @@ var ChildHostedZone = class extends import_aws_route53.HostedZone {
 ChildHostedZone.SSM_PARAM_NAME = "CHILDHOSTEDZONE";
 
 // src/components/route-53/root-hosted-zone.ts
-var import_constructs3 = require("constructs");
-var RootHostedZone = class extends import_constructs3.Construct {
+var import_constructs4 = require("constructs");
+var RootHostedZone = class extends import_constructs4.Construct {
 };
 
 // src/components/static-hosting/static-hosting.ts
@@ -1070,9 +1266,9 @@ var import_aws_cloudfront = require("aws-cdk-lib/aws-cloudfront");
 var import_aws_cloudfront_origins = require("aws-cdk-lib/aws-cloudfront-origins");
 var import_aws_s3 = require("aws-cdk-lib/aws-s3");
 var import_core = require("aws-cdk-lib/core");
-var import_constructs4 = require("constructs");
+var import_constructs5 = require("constructs");
 var STATIC_HOSTING_SERVICE_TYPE = "website";
-var _StaticHosting = class _StaticHosting extends import_constructs4.Construct {
+var _StaticHosting = class _StaticHosting extends import_constructs5.Construct {
   constructor(scope, id, props = {}) {
     super(scope, id);
     const stack = OpenHiService.of(scope);
@@ -1124,7 +1320,8 @@ _StaticHosting.SSM_PARAM_NAME_DISTRIBUTION_ARN = "STATIC_HOSTING_DISTRIBUTION_AR
 var StaticHosting = _StaticHosting;
 
 // src/services/open-hi-auth-service.ts
-var import_aws_cognito4 = require("aws-cdk-lib/aws-cognito");
+var import_config4 = __toESM(require_lib());
+var import_aws_cognito5 = require("aws-cdk-lib/aws-cognito");
 var import_aws_kms2 = require("aws-cdk-lib/aws-kms");
 var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
   /**
@@ -1135,7 +1332,7 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
       ssmParamName: CognitoUserPool.SSM_PARAM_NAME,
       serviceType: _OpenHiAuthService.SERVICE_TYPE
     });
-    return import_aws_cognito4.UserPool.fromUserPoolId(scope, "user-pool", userPoolId);
+    return import_aws_cognito5.UserPool.fromUserPoolId(scope, "user-pool", userPoolId);
   }
   /**
    * Returns an IUserPoolClient by looking up the Auth stack's User Pool Client ID from SSM.
@@ -1148,12 +1345,33 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
         serviceType: _OpenHiAuthService.SERVICE_TYPE
       }
     );
-    return import_aws_cognito4.UserPoolClient.fromUserPoolClientId(
+    return import_aws_cognito5.UserPoolClient.fromUserPoolClientId(
       scope,
       "user-pool-client",
       userPoolClientId
     );
   }
+  /**
+   * Returns the dedicated fixture-seeder IUserPoolClient by looking up
+   * its ID from SSM. Only non-prod auth stacks publish this parameter
+   * (per the conditional in {@link createFixtureSeederClient}); calling
+   * this against a prod-deployed stack will fail at lookup time.
+   *
+   * Consumed by `OpenHiRestApiService` (in non-prod) so the authorizer
+   * accepts tokens issued by this client, and by the seed-fixtures CLI
+   * to drive USER_PASSWORD_AUTH against this client's ID.
+   */
+  static fixtureSeederClientFromConstruct(scope) {
+    const clientId = DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: CognitoFixtureSeederClient.SSM_PARAM_NAME,
+      serviceType: _OpenHiAuthService.SERVICE_TYPE
+    });
+    return import_aws_cognito5.UserPoolClient.fromUserPoolClientId(
+      scope,
+      "fixture-seeder-client",
+      clientId
+    );
+  }
   /**
    * Returns an IUserPoolDomain by looking up the Auth stack's User Pool Domain from SSM.
    */
@@ -1162,7 +1380,7 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
       ssmParamName: CognitoUserPoolDomain.SSM_PARAM_NAME,
       serviceType: _OpenHiAuthService.SERVICE_TYPE
     });
-    return import_aws_cognito4.UserPoolDomain.fromDomainName(scope, "user-pool-domain", domainName);
+    return import_aws_cognito5.UserPoolDomain.fromDomainName(scope, "user-pool-domain", domainName);
   }
   /**
    * Returns an IKey (KMS) by looking up the Auth stack's User Pool KMS Key ARN from SSM.
@@ -1185,6 +1403,7 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
     this.userPool = this.createUserPool();
     this.userPoolClient = this.createUserPoolClient();
     this.userPoolDomain = this.createUserPoolDomain();
+    this.fixtureSeederClient = this.createFixtureSeederClient();
   }
   /**
    * Creates the KMS key for the Cognito User Pool and exports its ARN to SSM.
@@ -1219,9 +1438,9 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
       customSenderKmsKey: this.userPoolKmsKey
     });
     userPool.addTrigger(
-      import_aws_cognito4.UserPoolOperation.PRE_TOKEN_GENERATION_CONFIG,
+      import_aws_cognito5.UserPoolOperation.PRE_TOKEN_GENERATION_CONFIG,
       this.preTokenGenerationLambda,
-      import_aws_cognito4.LambdaVersion.V2_0
+      import_aws_cognito5.LambdaVersion.V2_0
     );
     new DiscoverableStringParameter(this, "user-pool-param", {
       ssmParamName: CognitoUserPool.SSM_PARAM_NAME,
@@ -1246,6 +1465,31 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
     });
     return client;
   }
+  /**
+   * Creates the dedicated USER_PASSWORD_AUTH app client for the
+   * `@openhi/seed-fixtures` CLI, **only** in non-prod environments.
+   * Returns `undefined` when this stack is being deployed to a prod
+   * stage so the prod auth stack carries no fixture-seeder code path.
+   *
+   * Operator post-deploy: create a `fixture-seeder` Cognito user with
+   * a service password (manually via console or scripted with
+   * `aws cognito-idp admin-create-user`); the CLI consumes those creds
+   * via env vars to drive `InitiateAuth`.
+   */
+  createFixtureSeederClient() {
+    if (this.ohEnv.ohStage.stageType === import_config4.OPEN_HI_STAGE.PROD) {
+      return void 0;
+    }
+    const client = new CognitoFixtureSeederClient(this, {
+      userPool: this.userPool
+    });
+    new DiscoverableStringParameter(this, "fixture-seeder-client-param", {
+      ssmParamName: CognitoFixtureSeederClient.SSM_PARAM_NAME,
+      stringValue: client.userPoolClientId,
+      description: "Cognito User Pool Client ID for the OpenHI fixture-seeder CLI (USER_PASSWORD_AUTH; non-prod only); cross-stack reference"
+    });
+    return client;
+  }
   /**
    * Creates the User Pool Domain (Cognito hosted UI) and exports domain name to SSM.
    * Look up via {@link OpenHiAuthService.userPoolDomainFromConstruct}.
@@ -1372,6 +1616,7 @@ _OpenHiGlobalService.SERVICE_TYPE = "global";
 var OpenHiGlobalService = _OpenHiGlobalService;
 
 // src/services/open-hi-rest-api-service.ts
+var import_config5 = __toESM(require_lib());
 var import_aws_apigatewayv22 = require("aws-cdk-lib/aws-apigatewayv2");
 var import_aws_apigatewayv2_authorizers = require("aws-cdk-lib/aws-apigatewayv2-authorizers");
 var import_aws_apigatewayv2_integrations = require("aws-cdk-lib/aws-apigatewayv2-integrations");
@@ -1424,7 +1669,11 @@ var _OpenHiDataService = class _OpenHiDataService extends OpenHiService {
       "data-store-change-stream",
       {
         streamName: `openhi-dstore-cdc-${this.branchHash}`,
-        streamMode: kinesis.StreamMode.ON_DEMAND
+        streamMode: kinesis.StreamMode.ON_DEMAND,
+        // CDK default for kinesis.Stream is RETAIN, which strands the stream
+        // when a non-prod stack is destroyed. Use the service's policy so
+        // non-prod tears down cleanly while prod retains.
+        removalPolicy: this.removalPolicy
       }
     );
     this.dataStore = this.createDataStore();
@@ -1438,6 +1687,16 @@ var _OpenHiDataService = class _OpenHiDataService extends OpenHiService {
         dataEventBus: this.dataEventBus
       }
     );
+    this.dataStorePostgresReplica = new DataStorePostgresReplica(
+      this,
+      "data-store-postgres-replica",
+      {
+        kinesisStream: this.dataStoreChangeStream,
+        removalPolicy: this.removalPolicy,
+        stackHash: this.stackHash,
+        branchHash: this.branchHash
+      }
+    );
   }
   /**
    * Creates the data event bus.
@@ -1468,57 +1727,61 @@ _OpenHiDataService.SERVICE_TYPE = "data";
 var OpenHiDataService = _OpenHiDataService;
 
 // src/data/lambda/cors-options-lambda.ts
-var import_node_fs3 = __toESM(require("fs"));
-var import_node_path3 = __toESM(require("path"));
-var import_aws_lambda3 = require("aws-cdk-lib/aws-lambda");
-var import_aws_lambda_nodejs3 = require("aws-cdk-lib/aws-lambda-nodejs");
-var import_constructs5 = require("constructs");
-var HANDLER_NAME3 = "cors-options-lambda.handler.js";
-function resolveHandlerEntry3(dirname) {
-  const sameDir = import_node_path3.default.join(dirname, HANDLER_NAME3);
-  if (import_node_fs3.default.existsSync(sameDir)) {
+var import_node_fs4 = __toESM(require("fs"));
+var import_node_path4 = __toESM(require("path"));
+var import_aws_lambda4 = require("aws-cdk-lib/aws-lambda");
+var import_aws_lambda_nodejs4 = require("aws-cdk-lib/aws-lambda-nodejs");
+var import_constructs6 = require("constructs");
+var HANDLER_NAME4 = "cors-options-lambda.handler.js";
+function resolveHandlerEntry4(dirname) {
+  const sameDir = import_node_path4.default.join(dirname, HANDLER_NAME4);
+  if (import_node_fs4.default.existsSync(sameDir)) {
     return sameDir;
   }
-  const fromLib = import_node_path3.default.join(dirname, "..", "..", "..", "lib", HANDLER_NAME3);
+  const fromLib = import_node_path4.default.join(dirname, "..", "..", "..", "lib", HANDLER_NAME4);
   return fromLib;
 }
-var CorsOptionsLambda = class extends import_constructs5.Construct {
+var CorsOptionsLambda = class extends import_constructs6.Construct {
   constructor(scope, id = "cors-options-lambda") {
     super(scope, id);
-    this.lambda = new import_aws_lambda_nodejs3.NodejsFunction(this, "handler", {
-      entry: resolveHandlerEntry3(__dirname),
-      runtime: import_aws_lambda3.Runtime.NODEJS_LATEST,
+    this.lambda = new import_aws_lambda_nodejs4.NodejsFunction(this, "handler", {
+      entry: resolveHandlerEntry4(__dirname),
+      runtime: import_aws_lambda4.Runtime.NODEJS_LATEST,
       memorySize: 128
     });
   }
 };
 
 // src/data/lambda/rest-api-lambda.ts
-var import_node_fs4 = __toESM(require("fs"));
-var import_node_path4 = __toESM(require("path"));
-var import_aws_lambda4 = require("aws-cdk-lib/aws-lambda");
-var import_aws_lambda_nodejs4 = require("aws-cdk-lib/aws-lambda-nodejs");
-var import_constructs6 = require("constructs");
-var HANDLER_NAME4 = "rest-api-lambda.handler.js";
-function resolveHandlerEntry4(dirname) {
-  const sameDir = import_node_path4.default.join(dirname, HANDLER_NAME4);
-  if (import_node_fs4.default.existsSync(sameDir)) {
+var import_node_fs5 = __toESM(require("fs"));
+var import_node_path5 = __toESM(require("path"));
+var import_aws_lambda5 = require("aws-cdk-lib/aws-lambda");
+var import_aws_lambda_nodejs5 = require("aws-cdk-lib/aws-lambda-nodejs");
+var import_constructs7 = require("constructs");
+var HANDLER_NAME5 = "rest-api-lambda.handler.js";
+function resolveHandlerEntry5(dirname) {
+  const sameDir = import_node_path5.default.join(dirname, HANDLER_NAME5);
+  if (import_node_fs5.default.existsSync(sameDir)) {
     return sameDir;
   }
-  const fromLib = import_node_path4.default.join(dirname, "..", "..", "..", "lib", HANDLER_NAME4);
+  const fromLib = import_node_path5.default.join(dirname, "..", "..", "..", "lib", HANDLER_NAME5);
   return fromLib;
 }
-var RestApiLambda = class extends import_constructs6.Construct {
+var RestApiLambda = class extends import_constructs7.Construct {
   constructor(scope, props) {
     super(scope, "rest-api-lambda");
-    this.lambda = new import_aws_lambda_nodejs4.NodejsFunction(this, "handler", {
-      entry: resolveHandlerEntry4(__dirname),
-      runtime: import_aws_lambda4.Runtime.NODEJS_LATEST,
+    this.lambda = new import_aws_lambda_nodejs5.NodejsFunction(this, "handler", {
+      entry: resolveHandlerEntry5(__dirname),
+      runtime: import_aws_lambda5.Runtime.NODEJS_LATEST,
       memorySize: 1024,
       environment: {
         DYNAMO_TABLE_NAME: props.dynamoTableName,
         BRANCH_TAG_VALUE: props.branchTagValue,
-        HTTP_API_TAG_VALUE: props.httpApiTagValue
+        HTTP_API_TAG_VALUE: props.httpApiTagValue,
+        OPENHI_PG_CLUSTER_ARN: props.postgresClusterArn,
+        OPENHI_PG_SECRET_ARN: props.postgresSecretArn,
+        OPENHI_PG_DATABASE: props.postgresDatabase,
+        OPENHI_PG_SCHEMA: props.postgresSchema
       },
       bundling: {
         minify: true,
@@ -1637,11 +1900,36 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
    */
   createRestApiLambdaAndRoutes(hostedZone, domainName) {
     const dataStoreTable = OpenHiDataService.dynamoDbDataStoreFromConstruct(this);
+    const postgresClusterArn = DataStorePostgresReplica.clusterArnFromConstruct(this);
+    const postgresSecretArn = DataStorePostgresReplica.secretArnFromConstruct(this);
+    const postgresDatabase = DataStorePostgresReplica.databaseNameFromConstruct(this);
+    const postgresSchema = getPostgresReplicaSchemaName(this.branchHash);
     const { lambda } = new RestApiLambda(this, {
       dynamoTableName: dataStoreTable.tableName,
       branchTagValue: this.branchName,
-      httpApiTagValue: RootHttpApi.SSM_PARAM_NAME
+      httpApiTagValue: RootHttpApi.SSM_PARAM_NAME,
+      postgresClusterArn,
+      postgresSecretArn,
+      postgresDatabase,
+      postgresSchema
     });
+    lambda.addToRolePolicy(
+      new import_aws_iam.PolicyStatement({
+        effect: import_aws_iam.Effect.ALLOW,
+        actions: [
+          "rds-data:ExecuteStatement",
+          "rds-data:BatchExecuteStatement"
+        ],
+        resources: [postgresClusterArn]
+      })
+    );
+    lambda.addToRolePolicy(
+      new import_aws_iam.PolicyStatement({
+        effect: import_aws_iam.Effect.ALLOW,
+        actions: ["secretsmanager:GetSecretValue"],
+        resources: [postgresSecretArn]
+      })
+    );
     const dynamoActions = [
       "dynamodb:GetItem",
       "dynamodb:Query",
@@ -1721,10 +2009,16 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
   createRootHttpApi(domainName) {
     const userPool = OpenHiAuthService.userPoolFromConstruct(this);
     const userPoolClient = OpenHiAuthService.userPoolClientFromConstruct(this);
+    const userPoolClients = [userPoolClient];
+    if (this.ohEnv.ohStage.stageType !== import_config5.OPEN_HI_STAGE.PROD) {
+      userPoolClients.push(
+        OpenHiAuthService.fixtureSeederClientFromConstruct(this)
+      );
+    }
     const cognitoAuthorizer = new import_aws_apigatewayv2_authorizers.HttpUserPoolAuthorizer(
       "cognito-authorizer",
       userPool,
-      { userPoolClients: [userPoolClient] }
+      { userPoolClients }
     );
     const { corsPreflight: cors, ...restRootHttpApiProps } = this.props.rootHttpApiProps ?? {};
     const corsPreflight = cors !== void 0 ? {
@@ -1807,6 +2101,7 @@ var OpenHiGraphqlService = _OpenHiGraphqlService;
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   ChildHostedZone,
+  CognitoFixtureSeederClient,
   CognitoUserPool,
   CognitoUserPoolClient,
   CognitoUserPoolDomain,
@@ -1816,6 +2111,7 @@ var OpenHiGraphqlService = _OpenHiGraphqlService;
   DATA_STORE_CHANGE_EVENT_SOURCE,
   DataEventBus,
   DataStoreHistoricalArchive,
+  DataStorePostgresReplica,
   DiscoverableStringParameter,
   DynamoDbDataStore,
   OpenHiApp,
@@ -1828,6 +2124,9 @@ var OpenHiGraphqlService = _OpenHiGraphqlService;
   OpenHiService,
   OpenHiStage,
   OpsEventBus,
+  POSTGRES_REPLICA_CLUSTER_ARN_SSM_NAME,
+  POSTGRES_REPLICA_DATABASE_NAME_SSM_NAME,
+  POSTGRES_REPLICA_SECRET_ARN_SSM_NAME,
   PreTokenGenerationLambda,
   REST_API_BASE_URL_SSM_NAME,
   RootGraphqlApi,
@@ -1837,6 +2136,7 @@ var OpenHiGraphqlService = _OpenHiGraphqlService;
   STATIC_HOSTING_SERVICE_TYPE,
   StaticHosting,
   buildFhirCurrentResourceChangeDetail,
-  getDynamoDbDataStoreTableName
+  getDynamoDbDataStoreTableName,
+  getPostgresReplicaSchemaName
 });
 //# sourceMappingURL=index.js.map