@openhi/constructs 0.0.85 → 0.0.87

package/lib/index.mjs

@@ -3,7 +3,7 @@ import {
   DATA_STORE_CHANGE_DETAIL_TYPE,
   DATA_STORE_CHANGE_EVENT_SOURCE,
   buildFhirCurrentResourceChangeDetail
-} from "./chunk-SWSN6GDD.mjs";
+} from "./chunk-CEOAGPYY.mjs";
 import {
   __commonJS,
   __toESM
@@ -347,6 +347,10 @@ var OpenHiService = class extends Stack {
     this.environmentHash = environmentHash;
     this.branchHash = branchHash;
     this.stackHash = stackHash;
+    this.node.setContext(
+      `availability-zones:account=${account}:region=${region}`,
+      [`${region}a`, `${region}b`, `${region}c`]
+    );
     Tags.of(this).add(`${appName}:repo-name`, repoName.slice(0, 255));
     Tags.of(this).add(`${appName}:branch-name`, branchName.slice(0, 255));
     Tags.of(this).add(`${appName}:service-type`, id.slice(0, 255));
@@ -530,6 +534,46 @@ var _RootGraphqlApi = class _RootGraphqlApi extends GraphqlApi {
 _RootGraphqlApi.SSM_PARAM_NAME = "ROOT_GRAPHQL_API";
 var RootGraphqlApi = _RootGraphqlApi;
 
+// src/components/cognito/cognito-fixture-seeder-client.ts
+import { Duration } from "aws-cdk-lib";
+import {
+  UserPoolClient
+} from "aws-cdk-lib/aws-cognito";
+var CognitoFixtureSeederClient = class extends UserPoolClient {
+  constructor(scope, props) {
+    const { userPool, ...rest } = props;
+    super(scope, "fixture-seeder-client", {
+      userPool,
+      generateSecret: false,
+      authFlows: {
+        userPassword: true
+      },
+      // No OAuth flows — the seeder calls Cognito's `InitiateAuth`
+      // directly with USER_PASSWORD_AUTH, not through the hosted-UI
+      // OAuth grant flows the SPA client uses. `disableOAuth: true`
+      // causes CDK to omit `AllowedOAuthFlowsUserPoolClient` entirely;
+      // passing an empty `oAuth` block instead still flips that flag on
+      // and Cognito rejects the create call for missing flows/scopes.
+      disableOAuth: true,
+      // Short-lived tokens: a seeder run takes seconds, not hours.
+      // 1h access-token validity is the minimum Cognito permits and is
+      // plenty for a fixture run.
+      accessTokenValidity: Duration.hours(1),
+      idTokenValidity: Duration.hours(1),
+      refreshTokenValidity: Duration.days(1),
+      preventUserExistenceErrors: true,
+      ...rest
+    });
+  }
+};
+/**
+ * SSM parameter name suffix used to publish this client's ID for
+ * cross-stack lookups. Built into a full parameter name via
+ * `buildParameterName` with `serviceType` AUTH (since the auth stack
+ * owns this resource).
+ */
+CognitoFixtureSeederClient.SSM_PARAM_NAME = "COGNITO_FIXTURE_SEEDER_CLIENT";
+
 // src/components/cognito/cognito-user-pool.ts
 import {
   UserPool,
@@ -569,8 +613,8 @@ var CognitoUserPool = class extends UserPool {
 CognitoUserPool.SSM_PARAM_NAME = "COGNITO_USER_POOL";
 
 // src/components/cognito/cognito-user-pool-client.ts
-import { UserPoolClient } from "aws-cdk-lib/aws-cognito";
-var CognitoUserPoolClient = class extends UserPoolClient {
+import { UserPoolClient as UserPoolClient2 } from "aws-cdk-lib/aws-cognito";
+var CognitoUserPoolClient = class extends UserPoolClient2 {
   constructor(scope, props) {
     super(scope, "user-pool-client", {
       /**
@@ -629,13 +673,13 @@ var CognitoUserPoolKmsKey = class extends Key {
  */
 CognitoUserPoolKmsKey.SSM_PARAM_NAME = "COGNITO_USER_POOL_KMS_KEY";
 
-// src/components/cognito/pre-token-generation-lambda.ts
+// src/components/cognito/post-authentication-lambda.ts
 import fs from "fs";
 import path from "path";
 import { Runtime } from "aws-cdk-lib/aws-lambda";
 import { NodejsFunction } from "aws-cdk-lib/aws-lambda-nodejs";
 import { Construct } from "constructs";
-var HANDLER_NAME = "pre-token-generation.handler.js";
+var HANDLER_NAME = "post-authentication.handler.js";
 function resolveHandlerEntry(dirname) {
   const sameDir = path.join(dirname, HANDLER_NAME);
   if (fs.existsSync(sameDir)) {
@@ -644,9 +688,9 @@ function resolveHandlerEntry(dirname) {
   const fromLib = path.join(dirname, "..", "..", "..", "lib", HANDLER_NAME);
   return fromLib;
 }
-var PreTokenGenerationLambda = class extends Construct {
+var PostAuthenticationLambda = class extends Construct {
   constructor(scope) {
-    super(scope, "pre-token-generation-lambda");
+    super(scope, "post-authentication-lambda");
     this.lambda = new NodejsFunction(this, "handler", {
       entry: resolveHandlerEntry(__dirname),
       runtime: Runtime.NODEJS_LATEST,
@@ -655,24 +699,50 @@ var PreTokenGenerationLambda = class extends Construct {
   }
 };
 
-// src/components/dynamodb/data-store-historical-archive.ts
+// src/components/cognito/pre-token-generation-lambda.ts
 import fs2 from "fs";
 import path2 from "path";
-import { Duration, RemovalPolicy as RemovalPolicy2, Size } from "aws-cdk-lib";
-import * as kinesisfirehose from "aws-cdk-lib/aws-kinesisfirehose";
 import { Runtime as Runtime2 } from "aws-cdk-lib/aws-lambda";
 import { NodejsFunction as NodejsFunction2 } from "aws-cdk-lib/aws-lambda-nodejs";
-import * as s3 from "aws-cdk-lib/aws-s3";
 import { Construct as Construct2 } from "constructs";
-var HANDLER_NAME2 = "firehose-archive-transform.handler.js";
+var HANDLER_NAME2 = "pre-token-generation.handler.js";
 function resolveHandlerEntry2(dirname) {
   const sameDir = path2.join(dirname, HANDLER_NAME2);
   if (fs2.existsSync(sameDir)) {
     return sameDir;
   }
-  return path2.join(dirname, "..", "..", "..", "lib", HANDLER_NAME2);
+  const fromLib = path2.join(dirname, "..", "..", "..", "lib", HANDLER_NAME2);
+  return fromLib;
 }
-var DataStoreHistoricalArchive = class extends Construct2 {
+var PreTokenGenerationLambda = class extends Construct2 {
+  constructor(scope) {
+    super(scope, "pre-token-generation-lambda");
+    this.lambda = new NodejsFunction2(this, "handler", {
+      entry: resolveHandlerEntry2(__dirname),
+      runtime: Runtime2.NODEJS_LATEST,
+      memorySize: 1024
+    });
+  }
+};
+
+// src/components/dynamodb/data-store-historical-archive.ts
+import fs3 from "fs";
+import path3 from "path";
+import { Duration as Duration2, RemovalPolicy as RemovalPolicy2, Size } from "aws-cdk-lib";
+import * as kinesisfirehose from "aws-cdk-lib/aws-kinesisfirehose";
+import { Runtime as Runtime3 } from "aws-cdk-lib/aws-lambda";
+import { NodejsFunction as NodejsFunction3 } from "aws-cdk-lib/aws-lambda-nodejs";
+import * as s3 from "aws-cdk-lib/aws-s3";
+import { Construct as Construct3 } from "constructs";
+var HANDLER_NAME3 = "firehose-archive-transform.handler.js";
+function resolveHandlerEntry3(dirname) {
+  const sameDir = path3.join(dirname, HANDLER_NAME3);
+  if (fs3.existsSync(sameDir)) {
+    return sameDir;
+  }
+  return path3.join(dirname, "..", "..", "..", "lib", HANDLER_NAME3);
+}
+var DataStoreHistoricalArchive = class extends Construct3 {
   constructor(scope, id, props) {
     super(scope, id);
     this.archiveBucket = new s3.Bucket(this, "ArchiveBucket", {
@@ -692,11 +762,11 @@ var DataStoreHistoricalArchive = class extends Construct2 {
       versioned: false
     }) : void 0;
     this.putEventsFailureDlqBucket = putEventsFailureDlqBucket;
-    this.transformFunction = new NodejsFunction2(this, "FirehoseTransform", {
-      entry: resolveHandlerEntry2(__dirname),
-      runtime: Runtime2.NODEJS_LATEST,
+    this.transformFunction = new NodejsFunction3(this, "FirehoseTransform", {
+      entry: resolveHandlerEntry3(__dirname),
+      runtime: Runtime3.NODEJS_LATEST,
       memorySize: 512,
-      timeout: Duration.minutes(1),
+      timeout: Duration2.minutes(1),
       description: "Firehose transform: filter CURRENT resource rows, S3 keys, EventBridge PutEvents",
       environment: props.dataEventBus && putEventsFailureDlqBucket ? {
         DATA_EVENT_BUS_NAME: props.dataEventBus.eventBusName,
@@ -712,14 +782,14 @@ var DataStoreHistoricalArchive = class extends Construct2 {
     const processor = new kinesisfirehose.LambdaFunctionProcessor(
       this.transformFunction,
       {
-        bufferInterval: Duration.seconds(60),
+        bufferInterval: Duration2.seconds(60),
         bufferSize: Size.mebibytes(3),
         retries: 3
       }
     );
     const destination = new kinesisfirehose.S3Bucket(this.archiveBucket, {
       compression: kinesisfirehose.Compression.GZIP,
-      bufferingInterval: Duration.seconds(300),
+      bufferingInterval: Duration2.seconds(300),
       // Firehose requires SizeInMBs ≥ 64 when dynamic partitioning is enabled.
       bufferingSize: Size.mebibytes(64),
       processors: [processor],
@@ -789,7 +859,15 @@ var DynamoDbDataStore = class extends Table {
         type: AttributeType.STRING
       },
       projectionType: ProjectionType.INCLUDE,
-      nonKeyAttributes: ["srcType", "srcId", "path", "srcPk", "srcSk", "ts"]
+      nonKeyAttributes: [
+        "summary",
+        "vid",
+        "lastUpdated",
+        "createdDate",
+        "modifiedDate",
+        "createdById",
+        "modifiedById"
+      ]
     });
     this.addGlobalSecondaryIndex({
       indexName: "GSI2",
@@ -802,32 +880,12 @@ var DynamoDbDataStore = class extends Table {
         type: AttributeType.STRING
       },
       projectionType: ProjectionType.INCLUDE,
-      nonKeyAttributes: ["resourcePk", "resourceSk", "display", "status"]
-    });
-    this.addGlobalSecondaryIndex({
-      indexName: "GSI3",
-      partitionKey: {
-        name: "GSI3PK",
-        type: AttributeType.STRING
-      },
-      sortKey: {
-        name: "GSI3SK",
-        type: AttributeType.STRING
-      },
-      projectionType: ProjectionType.INCLUDE,
-      nonKeyAttributes: ["resourcePk", "resourceSk"]
-    });
-    this.addGlobalSecondaryIndex({
-      indexName: "GSI4",
-      partitionKey: {
-        name: "GSI4PK",
-        type: AttributeType.STRING
-      },
-      sortKey: {
-        name: "GSI4SK",
-        type: AttributeType.STRING
-      },
-      projectionType: ProjectionType.ALL
+      nonKeyAttributes: [
+        "id",
+        "currentTenant",
+        "currentWorkspace",
+        "displayName"
+      ]
     });
   }
 };
@@ -876,8 +934,172 @@ var OpsEventBus = class _OpsEventBus extends EventBus2 {
   }
 };
 
+// src/components/postgres/data-store-postgres-replica.ts
+import fs4 from "fs";
+import path4 from "path";
+import { Duration as Duration3, Stack as Stack2 } from "aws-cdk-lib";
+import * as ec2 from "aws-cdk-lib/aws-ec2";
+import { Runtime as Runtime4, StartingPosition } from "aws-cdk-lib/aws-lambda";
+import { KinesisEventSource } from "aws-cdk-lib/aws-lambda-event-sources";
+import { NodejsFunction as NodejsFunction4 } from "aws-cdk-lib/aws-lambda-nodejs";
+import * as rds from "aws-cdk-lib/aws-rds";
+import { Construct as Construct4 } from "constructs";
+var HANDLER_NAME4 = "data-store-postgres-replication.handler.js";
+var DEFAULT_DATABASE_NAME = "openhi";
+var SCHEMA_NAME_PATTERN = /^[a-z_][a-z0-9_]{0,62}$/;
+var POSTGRES_REPLICA_CLUSTER_ARN_SSM_NAME = "POSTGRES_REPLICA_CLUSTER_ARN";
+var POSTGRES_REPLICA_SECRET_ARN_SSM_NAME = "POSTGRES_REPLICA_SECRET_ARN";
+var POSTGRES_REPLICA_DATABASE_NAME_SSM_NAME = "POSTGRES_REPLICA_DATABASE_NAME";
+function resolveHandlerEntry4(dirname) {
+  const sameDir = path4.join(dirname, HANDLER_NAME4);
+  if (fs4.existsSync(sameDir)) {
+    return sameDir;
+  }
+  return path4.join(dirname, "..", "..", "..", "lib", HANDLER_NAME4);
+}
+function getPostgresReplicaSchemaName(branchHash) {
+  const candidate = `b_${branchHash.toLowerCase()}`;
+  if (!SCHEMA_NAME_PATTERN.test(candidate)) {
+    throw new Error(
+      `Branch hash ${JSON.stringify(branchHash)} produces an invalid Postgres schema name ${JSON.stringify(candidate)}; expected /[a-z_][a-z0-9_]{0,62}/.`
+    );
+  }
+  return candidate;
+}
+var DataStorePostgresReplica = class extends Construct4 {
+  /**
+   * Resolve the cluster ARN published by an upstream {@link DataStorePostgresReplica}.
+   * Use from any stack that needs to grant `rds-data:ExecuteStatement` against
+   * the cluster.
+   */
+  static clusterArnFromConstruct(scope) {
+    return DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: POSTGRES_REPLICA_CLUSTER_ARN_SSM_NAME,
+      serviceType: "data"
+    });
+  }
+  /**
+   * Resolve the credentials secret ARN published by an upstream
+   * {@link DataStorePostgresReplica}. Use from any stack that needs to grant
+   * `secretsmanager:GetSecretValue` against the secret.
+   */
+  static secretArnFromConstruct(scope) {
+    return DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: POSTGRES_REPLICA_SECRET_ARN_SSM_NAME,
+      serviceType: "data"
+    });
+  }
+  /**
+   * Resolve the database name published by an upstream
+   * {@link DataStorePostgresReplica}.
+   */
+  static databaseNameFromConstruct(scope) {
+    return DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: POSTGRES_REPLICA_DATABASE_NAME_SSM_NAME,
+      serviceType: "data"
+    });
+  }
+  constructor(scope, id, props) {
+    super(scope, id);
+    this.databaseName = props.databaseName ?? DEFAULT_DATABASE_NAME;
+    this.schemaName = getPostgresReplicaSchemaName(props.branchHash);
+    const region = Stack2.of(this).region;
+    this.vpc = props.vpc ?? new ec2.Vpc(this, "Vpc", {
+      availabilityZones: [`${region}a`, `${region}b`],
+      natGateways: 0,
+      subnetConfiguration: [
+        {
+          name: "isolated",
+          subnetType: ec2.SubnetType.PRIVATE_ISOLATED,
+          cidrMask: 24
+        }
+      ]
+    });
+    this.cluster = new rds.DatabaseCluster(this, "Cluster", {
+      clusterIdentifier: `openhi-dstore-pg-${props.stackHash}`,
+      engine: rds.DatabaseClusterEngine.auroraPostgres({
+        version: rds.AuroraPostgresEngineVersion.VER_16_4
+      }),
+      vpc: this.vpc,
+      vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE_ISOLATED },
+      writer: rds.ClusterInstance.serverlessV2("writer"),
+      serverlessV2MinCapacity: props.minCapacity ?? 1,
+      serverlessV2MaxCapacity: props.maxCapacity ?? 2,
+      defaultDatabaseName: this.databaseName,
+      credentials: rds.Credentials.fromGeneratedSecret("openhi_admin"),
+      storageEncrypted: true,
+      removalPolicy: props.removalPolicy,
+      // Phase 2 of ADR 2026-04-17-01: the REST API Lambda queries Postgres
+      // via the RDS Data API (HTTPS) so it can stay out of the cluster's VPC.
+      // Direct `pg` from the replication Lambda continues to work in parallel.
+      enableDataApi: true
+    });
+    this.publishCoordinatesToSsm();
+    this.replicationFunction = new NodejsFunction4(this, "ReplicationFunction", {
+      entry: resolveHandlerEntry4(__dirname),
+      runtime: Runtime4.NODEJS_LATEST,
+      memorySize: 512,
+      timeout: Duration3.minutes(1),
+      vpc: this.vpc,
+      vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE_ISOLATED },
+      description: "Replicates DynamoDB current-resource changes into the Postgres `resources` JSONB table (ADR 2026-04-17-01).",
+      environment: {
+        OPENHI_PG_HOST: this.cluster.clusterEndpoint.hostname,
+        OPENHI_PG_PORT: this.cluster.clusterEndpoint.port.toString(),
+        OPENHI_PG_DATABASE: this.databaseName,
+        OPENHI_PG_SCHEMA: this.schemaName,
+        OPENHI_PG_SECRET_ARN: this.cluster.secret.secretArn,
+        OPENHI_PG_SSL: "true"
+      },
+      bundling: {
+        minify: true,
+        sourceMap: false,
+        // pg has conditional/optional deps (pg-native, pg-cloudflare) that
+        // historically misbehave when bundled by esbuild; keep it as a real
+        // node_module in the Lambda zip instead.
+        nodeModules: ["pg"]
+      }
+    });
+    this.cluster.secret.grantRead(this.replicationFunction);
+    this.cluster.connections.allowDefaultPortFrom(this.replicationFunction);
+    this.replicationFunction.addEventSource(
+      new KinesisEventSource(props.kinesisStream, {
+        startingPosition: StartingPosition.LATEST,
+        batchSize: 100,
+        maxBatchingWindow: Duration3.seconds(5),
+        retryAttempts: 10,
+        bisectBatchOnError: true,
+        parallelizationFactor: 2,
+        reportBatchItemFailures: true
+      })
+    );
+  }
+  /**
+   * Publishes the cluster ARN, secret ARN, and database name as discoverable
+   * SSM parameters so the REST API stack (and any future read-side consumer)
+   * can wire RDS Data API access without a direct CDK cross-stack reference.
+   */
+  publishCoordinatesToSsm() {
+    new DiscoverableStringParameter(this, "cluster-arn-param", {
+      ssmParamName: POSTGRES_REPLICA_CLUSTER_ARN_SSM_NAME,
+      stringValue: this.cluster.clusterArn,
+      description: "ARN of the Aurora Serverless v2 cluster backing the Postgres replication tier (ADR 2026-04-17-01)."
+    });
+    new DiscoverableStringParameter(this, "secret-arn-param", {
+      ssmParamName: POSTGRES_REPLICA_SECRET_ARN_SSM_NAME,
+      stringValue: this.cluster.secret.secretArn,
+      description: "ARN of the Secrets Manager secret with credentials for the Postgres replication tier."
+    });
+    new DiscoverableStringParameter(this, "database-name-param", {
+      ssmParamName: POSTGRES_REPLICA_DATABASE_NAME_SSM_NAME,
+      stringValue: this.databaseName,
+      description: "Database name within the Postgres replication cluster."
+    });
+  }
+};
+
 // src/components/route-53/child-hosted-zone.ts
-import { Duration as Duration2 } from "aws-cdk-lib";
+import { Duration as Duration4 } from "aws-cdk-lib";
 import {
   HostedZone,
   NsRecord
@@ -889,7 +1111,7 @@ var ChildHostedZone = class extends HostedZone {
       zone: props.parentHostedZone,
       recordName: this.zoneName,
       values: this.hostedZoneNameServers || [],
-      ttl: Duration2.minutes(5)
+      ttl: Duration4.minutes(5)
     });
   }
 };
@@ -899,8 +1121,8 @@ var ChildHostedZone = class extends HostedZone {
 ChildHostedZone.SSM_PARAM_NAME = "CHILDHOSTEDZONE";
 
 // src/components/route-53/root-hosted-zone.ts
-import { Construct as Construct3 } from "constructs";
-var RootHostedZone = class extends Construct3 {
+import { Construct as Construct5 } from "constructs";
+var RootHostedZone = class extends Construct5 {
 };
 
 // src/components/static-hosting/static-hosting.ts
@@ -910,10 +1132,10 @@ import {
 } from "aws-cdk-lib/aws-cloudfront";
 import { S3BucketOrigin } from "aws-cdk-lib/aws-cloudfront-origins";
 import { Bucket as Bucket2 } from "aws-cdk-lib/aws-s3";
-import { Duration as Duration3 } from "aws-cdk-lib/core";
-import { Construct as Construct4 } from "constructs";
+import { Duration as Duration5 } from "aws-cdk-lib/core";
+import { Construct as Construct6 } from "constructs";
 var STATIC_HOSTING_SERVICE_TYPE = "website";
-var _StaticHosting = class _StaticHosting extends Construct4 {
+var _StaticHosting = class _StaticHosting extends Construct6 {
   constructor(scope, id, props = {}) {
     super(scope, id);
     const stack = OpenHiService.of(scope);
@@ -931,9 +1153,9 @@ var _StaticHosting = class _StaticHosting extends Construct4 {
     const cachePolicy = new CachePolicy(this, "cache-policy", {
       cachePolicyName: `static-hosting-10s-${stack.branchHash}`,
       comment: "Low TTL (10s) for static hosting; no invalidation",
-      defaultTtl: Duration3.seconds(10),
-      minTtl: Duration3.seconds(0),
-      maxTtl: Duration3.seconds(10)
+      defaultTtl: Duration5.seconds(10),
+      minTtl: Duration5.seconds(0),
+      maxTtl: Duration5.seconds(10)
     });
     this.distribution = new Distribution(this, "distribution", {
       defaultBehavior: {
@@ -965,14 +1187,17 @@ _StaticHosting.SSM_PARAM_NAME_DISTRIBUTION_ARN = "STATIC_HOSTING_DISTRIBUTION_AR
 var StaticHosting = _StaticHosting;
 
 // src/services/open-hi-auth-service.ts
+var import_config4 = __toESM(require_lib());
 import {
   LambdaVersion,
   UserPool as UserPool2,
-  UserPoolClient as UserPoolClient2,
+  UserPoolClient as UserPoolClient3,
   UserPoolDomain as UserPoolDomain2,
   UserPoolOperation
 } from "aws-cdk-lib/aws-cognito";
+import { PolicyStatement } from "aws-cdk-lib/aws-iam";
 import { Key as Key2 } from "aws-cdk-lib/aws-kms";
+import { Stack as Stack3 } from "aws-cdk-lib/core";
 var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
   /**
    * Returns an IUserPool by looking up the Auth stack's User Pool ID from SSM.
@@ -995,12 +1220,33 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
         serviceType: _OpenHiAuthService.SERVICE_TYPE
       }
     );
-    return UserPoolClient2.fromUserPoolClientId(
+    return UserPoolClient3.fromUserPoolClientId(
       scope,
       "user-pool-client",
       userPoolClientId
     );
   }
+  /**
+   * Returns the dedicated fixture-seeder IUserPoolClient by looking up
+   * its ID from SSM. Only non-prod auth stacks publish this parameter
+   * (per the conditional in {@link createFixtureSeederClient}); calling
+   * this against a prod-deployed stack will fail at lookup time.
+   *
+   * Consumed by `OpenHiRestApiService` (in non-prod) so the authorizer
+   * accepts tokens issued by this client, and by the seed-fixtures CLI
+   * to drive USER_PASSWORD_AUTH against this client's ID.
+   */
+  static fixtureSeederClientFromConstruct(scope) {
+    const clientId = DiscoverableStringParameter.valueForLookupName(scope, {
+      ssmParamName: CognitoFixtureSeederClient.SSM_PARAM_NAME,
+      serviceType: _OpenHiAuthService.SERVICE_TYPE
+    });
+    return UserPoolClient3.fromUserPoolClientId(
+      scope,
+      "fixture-seeder-client",
+      clientId
+    );
+  }
   /**
    * Returns an IUserPoolDomain by looking up the Auth stack's User Pool Domain from SSM.
    */
@@ -1029,9 +1275,12 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
     this.props = props;
     this.userPoolKmsKey = this.createUserPoolKmsKey();
     this.preTokenGenerationLambda = this.createPreTokenGenerationLambda();
+    this.postAuthenticationLambda = this.createPostAuthenticationLambda();
     this.userPool = this.createUserPool();
+    this.grantPostAuthenticationPermissions();
     this.userPoolClient = this.createUserPoolClient();
     this.userPoolDomain = this.createUserPoolDomain();
+    this.fixtureSeederClient = this.createFixtureSeederClient();
   }
   /**
    * Creates the KMS key for the Cognito User Pool and exports its ARN to SSM.
@@ -1055,6 +1304,15 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
     const construct = new PreTokenGenerationLambda(this);
     return construct.lambda;
   }
+  /**
+   * Creates the Post Authentication Lambda (Cognito trigger). Calls
+   * AdminUserGlobalSignOut on every sign-in to enforce single-device-per-user
+   * sessions per ADR 2026-03-17-01.
+   */
+  createPostAuthenticationLambda() {
+    const construct = new PostAuthenticationLambda(this);
+    return construct.lambda;
+  }
   /**
    * Creates the Cognito User Pool and exports its ID to SSM.
    * Look up via {@link OpenHiAuthService.userPoolFromConstruct}.
@@ -1070,6 +1328,10 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
       this.preTokenGenerationLambda,
       LambdaVersion.V2_0
     );
+    userPool.addTrigger(
+      UserPoolOperation.POST_AUTHENTICATION,
+      this.postAuthenticationLambda
+    );
     new DiscoverableStringParameter(this, "user-pool-param", {
       ssmParamName: CognitoUserPool.SSM_PARAM_NAME,
       stringValue: userPool.userPoolId,
@@ -1077,6 +1339,33 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
     });
     return userPool;
   }
+  /**
+   * Grants the Post Authentication Lambda permission to call
+   * `cognito-idp:AdminUserGlobalSignOut`.
+   *
+   * Scoped via `Stack.of(this).formatArn` rather than `userPool.userPoolArn`
+   * because the User Pool registers this Lambda as a Post Authentication
+   * trigger, creating the cycle:
+   *   userPool → lambda (trigger ARN) → role policy → userPool ARN.
+   * Using `formatArn` avoids referencing the User Pool resource directly
+   * while still scoping to user pools in this account+region. The Lambda
+   * is invoked only by Cognito with a Cognito-provided `event.userPoolId`,
+   * so the runtime target is constrained by the trigger contract.
+   */
+  grantPostAuthenticationPermissions() {
+    this.postAuthenticationLambda.addToRolePolicy(
+      new PolicyStatement({
+        actions: ["cognito-idp:AdminUserGlobalSignOut"],
+        resources: [
+          Stack3.of(this).formatArn({
+            service: "cognito-idp",
+            resource: "userpool",
+            resourceName: "*"
+          })
+        ]
+      })
+    );
+  }
   /**
    * Creates the User Pool Client and exports its ID to SSM (AUTH service type).
    * Look up via {@link OpenHiAuthService.userPoolClientFromConstruct}.
@@ -1093,6 +1382,31 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
     });
     return client;
   }
+  /**
+   * Creates the dedicated USER_PASSWORD_AUTH app client for the
+   * `@openhi/seed-fixtures` CLI, **only** in non-prod environments.
+   * Returns `undefined` when this stack is being deployed to a prod
+   * stage so the prod auth stack carries no fixture-seeder code path.
+   *
+   * Operator post-deploy: create a `fixture-seeder` Cognito user with
+   * a service password (manually via console or scripted with
+   * `aws cognito-idp admin-create-user`); the CLI consumes those creds
+   * via env vars to drive `InitiateAuth`.
+   */
+  createFixtureSeederClient() {
+    if (this.ohEnv.ohStage.stageType === import_config4.OPEN_HI_STAGE.PROD) {
+      return void 0;
+    }
+    const client = new CognitoFixtureSeederClient(this, {
+      userPool: this.userPool
+    });
+    new DiscoverableStringParameter(this, "fixture-seeder-client-param", {
+      ssmParamName: CognitoFixtureSeederClient.SSM_PARAM_NAME,
+      stringValue: client.userPoolClientId,
+      description: "Cognito User Pool Client ID for the OpenHI fixture-seeder CLI (USER_PASSWORD_AUTH; non-prod only); cross-stack reference"
+    });
+    return client;
+  }
   /**
    * Creates the User Pool Domain (Cognito hosted UI) and exports domain name to SSM.
    * Look up via {@link OpenHiAuthService.userPoolDomainFromConstruct}.
@@ -1224,6 +1538,7 @@ _OpenHiGlobalService.SERVICE_TYPE = "global";
 var OpenHiGlobalService = _OpenHiGlobalService;
 
 // src/services/open-hi-rest-api-service.ts
+var import_config5 = __toESM(require_lib());
 import {
   CorsHttpMethod,
   DomainName,
@@ -1235,14 +1550,14 @@ import {
 } from "aws-cdk-lib/aws-apigatewayv2";
 import { HttpUserPoolAuthorizer } from "aws-cdk-lib/aws-apigatewayv2-authorizers";
 import { HttpLambdaIntegration } from "aws-cdk-lib/aws-apigatewayv2-integrations";
-import { Effect, PolicyStatement } from "aws-cdk-lib/aws-iam";
+import { Effect, PolicyStatement as PolicyStatement2 } from "aws-cdk-lib/aws-iam";
 import {
   ARecord,
   HostedZone as HostedZone3,
   RecordTarget
 } from "aws-cdk-lib/aws-route53";
 import { ApiGatewayv2DomainProperties } from "aws-cdk-lib/aws-route53-targets";
-import { Duration as Duration4 } from "aws-cdk-lib/core";
+import { Duration as Duration6 } from "aws-cdk-lib/core";
 
 // src/services/open-hi-data-service.ts
 import { StreamViewType, Table as Table2 } from "aws-cdk-lib/aws-dynamodb";
@@ -1288,7 +1603,11 @@ var _OpenHiDataService = class _OpenHiDataService extends OpenHiService {
       "data-store-change-stream",
       {
         streamName: `openhi-dstore-cdc-${this.branchHash}`,
-        streamMode: kinesis.StreamMode.ON_DEMAND
+        streamMode: kinesis.StreamMode.ON_DEMAND,
+        // CDK default for kinesis.Stream is RETAIN, which strands the stream
+        // when a non-prod stack is destroyed. Use the service's policy so
+        // non-prod tears down cleanly while prod retains.
+        removalPolicy: this.removalPolicy
       }
     );
     this.dataStore = this.createDataStore();
@@ -1302,6 +1621,16 @@ var _OpenHiDataService = class _OpenHiDataService extends OpenHiService {
         dataEventBus: this.dataEventBus
       }
     );
+    this.dataStorePostgresReplica = new DataStorePostgresReplica(
+      this,
+      "data-store-postgres-replica",
+      {
+        kinesisStream: this.dataStoreChangeStream,
+        removalPolicy: this.removalPolicy,
+        stackHash: this.stackHash,
+        branchHash: this.branchHash
+      }
+    );
   }
   /**
    * Creates the data event bus.
@@ -1332,57 +1661,61 @@ _OpenHiDataService.SERVICE_TYPE = "data";
 var OpenHiDataService = _OpenHiDataService;
 
 // src/data/lambda/cors-options-lambda.ts
-import fs3 from "fs";
-import path3 from "path";
-import { Runtime as Runtime3 } from "aws-cdk-lib/aws-lambda";
-import { NodejsFunction as NodejsFunction3 } from "aws-cdk-lib/aws-lambda-nodejs";
-import { Construct as Construct5 } from "constructs";
-var HANDLER_NAME3 = "cors-options-lambda.handler.js";
-function resolveHandlerEntry3(dirname) {
-  const sameDir = path3.join(dirname, HANDLER_NAME3);
-  if (fs3.existsSync(sameDir)) {
+import fs5 from "fs";
+import path5 from "path";
+import { Runtime as Runtime5 } from "aws-cdk-lib/aws-lambda";
+import { NodejsFunction as NodejsFunction5 } from "aws-cdk-lib/aws-lambda-nodejs";
+import { Construct as Construct7 } from "constructs";
+var HANDLER_NAME5 = "cors-options-lambda.handler.js";
+function resolveHandlerEntry5(dirname) {
+  const sameDir = path5.join(dirname, HANDLER_NAME5);
+  if (fs5.existsSync(sameDir)) {
     return sameDir;
   }
-  const fromLib = path3.join(dirname, "..", "..", "..", "lib", HANDLER_NAME3);
+  const fromLib = path5.join(dirname, "..", "..", "..", "lib", HANDLER_NAME5);
   return fromLib;
 }
-var CorsOptionsLambda = class extends Construct5 {
+var CorsOptionsLambda = class extends Construct7 {
   constructor(scope, id = "cors-options-lambda") {
     super(scope, id);
-    this.lambda = new NodejsFunction3(this, "handler", {
-      entry: resolveHandlerEntry3(__dirname),
-      runtime: Runtime3.NODEJS_LATEST,
+    this.lambda = new NodejsFunction5(this, "handler", {
+      entry: resolveHandlerEntry5(__dirname),
+      runtime: Runtime5.NODEJS_LATEST,
       memorySize: 128
     });
   }
 };
 
 // src/data/lambda/rest-api-lambda.ts
-import fs4 from "fs";
-import path4 from "path";
-import { Runtime as Runtime4 } from "aws-cdk-lib/aws-lambda";
-import { NodejsFunction as NodejsFunction4 } from "aws-cdk-lib/aws-lambda-nodejs";
-import { Construct as Construct6 } from "constructs";
-var HANDLER_NAME4 = "rest-api-lambda.handler.js";
-function resolveHandlerEntry4(dirname) {
-  const sameDir = path4.join(dirname, HANDLER_NAME4);
-  if (fs4.existsSync(sameDir)) {
+import fs6 from "fs";
+import path6 from "path";
+import { Runtime as Runtime6 } from "aws-cdk-lib/aws-lambda";
+import { NodejsFunction as NodejsFunction6 } from "aws-cdk-lib/aws-lambda-nodejs";
+import { Construct as Construct8 } from "constructs";
+var HANDLER_NAME6 = "rest-api-lambda.handler.js";
+function resolveHandlerEntry6(dirname) {
+  const sameDir = path6.join(dirname, HANDLER_NAME6);
+  if (fs6.existsSync(sameDir)) {
     return sameDir;
   }
-  const fromLib = path4.join(dirname, "..", "..", "..", "lib", HANDLER_NAME4);
+  const fromLib = path6.join(dirname, "..", "..", "..", "lib", HANDLER_NAME6);
   return fromLib;
 }
-var RestApiLambda = class extends Construct6 {
+var RestApiLambda = class extends Construct8 {
   constructor(scope, props) {
     super(scope, "rest-api-lambda");
-    this.lambda = new NodejsFunction4(this, "handler", {
-      entry: resolveHandlerEntry4(__dirname),
-      runtime: Runtime4.NODEJS_LATEST,
+    this.lambda = new NodejsFunction6(this, "handler", {
+      entry: resolveHandlerEntry6(__dirname),
+      runtime: Runtime6.NODEJS_LATEST,
       memorySize: 1024,
       environment: {
         DYNAMO_TABLE_NAME: props.dynamoTableName,
         BRANCH_TAG_VALUE: props.branchTagValue,
-        HTTP_API_TAG_VALUE: props.httpApiTagValue
+        HTTP_API_TAG_VALUE: props.httpApiTagValue,
+        OPENHI_PG_CLUSTER_ARN: props.postgresClusterArn,
+        OPENHI_PG_SECRET_ARN: props.postgresSecretArn,
+        OPENHI_PG_DATABASE: props.postgresDatabase,
+        OPENHI_PG_SCHEMA: props.postgresSchema
       },
       bundling: {
         minify: true,
@@ -1501,11 +1834,36 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
    */
   createRestApiLambdaAndRoutes(hostedZone, domainName) {
     const dataStoreTable = OpenHiDataService.dynamoDbDataStoreFromConstruct(this);
+    const postgresClusterArn = DataStorePostgresReplica.clusterArnFromConstruct(this);
+    const postgresSecretArn = DataStorePostgresReplica.secretArnFromConstruct(this);
+    const postgresDatabase = DataStorePostgresReplica.databaseNameFromConstruct(this);
+    const postgresSchema = getPostgresReplicaSchemaName(this.branchHash);
     const { lambda } = new RestApiLambda(this, {
       dynamoTableName: dataStoreTable.tableName,
       branchTagValue: this.branchName,
-      httpApiTagValue: RootHttpApi.SSM_PARAM_NAME
+      httpApiTagValue: RootHttpApi.SSM_PARAM_NAME,
+      postgresClusterArn,
+      postgresSecretArn,
+      postgresDatabase,
+      postgresSchema
     });
+    lambda.addToRolePolicy(
+      new PolicyStatement2({
+        effect: Effect.ALLOW,
+        actions: [
+          "rds-data:ExecuteStatement",
+          "rds-data:BatchExecuteStatement"
+        ],
+        resources: [postgresClusterArn]
+      })
+    );
+    lambda.addToRolePolicy(
+      new PolicyStatement2({
+        effect: Effect.ALLOW,
+        actions: ["secretsmanager:GetSecretValue"],
+        resources: [postgresSecretArn]
+      })
+    );
     const dynamoActions = [
       "dynamodb:GetItem",
       "dynamodb:Query",
@@ -1519,14 +1877,14 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
     ];
     dataStoreTable.grant(lambda, ...dynamoActions);
     lambda.addToRolePolicy(
-      new PolicyStatement({
+      new PolicyStatement2({
         effect: Effect.ALLOW,
         actions: [...dynamoActions],
         resources: [`${dataStoreTable.tableArn}/index/*`]
       })
     );
     lambda.addToRolePolicy(
-      new PolicyStatement({
+      new PolicyStatement2({
         effect: Effect.ALLOW,
         actions: [
           "ssm:GetParameter",
@@ -1585,10 +1943,16 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
   createRootHttpApi(domainName) {
     const userPool = OpenHiAuthService.userPoolFromConstruct(this);
     const userPoolClient = OpenHiAuthService.userPoolClientFromConstruct(this);
+    const userPoolClients = [userPoolClient];
+    if (this.ohEnv.ohStage.stageType !== import_config5.OPEN_HI_STAGE.PROD) {
+      userPoolClients.push(
+        OpenHiAuthService.fixtureSeederClientFromConstruct(this)
+      );
+    }
     const cognitoAuthorizer = new HttpUserPoolAuthorizer(
       "cognito-authorizer",
       userPool,
-      { userPoolClients: [userPoolClient] }
+      { userPoolClients }
     );
     const { corsPreflight: cors, ...restRootHttpApiProps } = this.props.rootHttpApiProps ?? {};
     const corsPreflight = cors !== void 0 ? {
@@ -1607,7 +1971,7 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
         "Authorization"
       ],
       allowCredentials: cors.allowCredentials ?? true,
-      maxAge: cors.maxAge ?? Duration4.days(1),
+      maxAge: cors.maxAge ?? Duration6.days(1),
       ...cors.exposeHeaders !== void 0 && {
         exposeHeaders: cors.exposeHeaders
       }
@@ -1673,6 +2037,7 @@ _OpenHiGraphqlService.SERVICE_TYPE = "graphql-api";
 var OpenHiGraphqlService = _OpenHiGraphqlService;
 export {
   ChildHostedZone,
+  CognitoFixtureSeederClient,
   CognitoUserPool,
   CognitoUserPoolClient,
   CognitoUserPoolDomain,
@@ -1682,6 +2047,7 @@ export {
   DATA_STORE_CHANGE_EVENT_SOURCE,
   DataEventBus,
   DataStoreHistoricalArchive,
+  DataStorePostgresReplica,
   DiscoverableStringParameter,
   DynamoDbDataStore,
   OpenHiApp,
@@ -1694,6 +2060,10 @@ export {
   OpenHiService,
   OpenHiStage,
   OpsEventBus,
+  POSTGRES_REPLICA_CLUSTER_ARN_SSM_NAME,
+  POSTGRES_REPLICA_DATABASE_NAME_SSM_NAME,
+  POSTGRES_REPLICA_SECRET_ARN_SSM_NAME,
+  PostAuthenticationLambda,
   PreTokenGenerationLambda,
   REST_API_BASE_URL_SSM_NAME,
   RootGraphqlApi,
@@ -1703,6 +2073,7 @@ export {
   STATIC_HOSTING_SERVICE_TYPE,
   StaticHosting,
   buildFhirCurrentResourceChangeDetail,
-  getDynamoDbDataStoreTableName
+  getDynamoDbDataStoreTableName,
+  getPostgresReplicaSchemaName
 };
 //# sourceMappingURL=index.mjs.map