@openhi/constructs 0.0.86 → 0.0.87

package/lib/index.d.mts

@@ -474,6 +474,14 @@ declare class CognitoUserPoolKmsKey extends Key {
     constructor(scope: Construct, props?: KeyProps);
 }
 
+/**
+ * Lambda used as Cognito Post Authentication trigger.
+ */
+declare class PostAuthenticationLambda extends Construct {
+    readonly lambda: NodejsFunction;
+    constructor(scope: Construct);
+}
+
 /**
  * Lambda used as Cognito Pre Token Generation trigger.
  */
@@ -931,6 +939,7 @@ declare class OpenHiAuthService extends OpenHiService {
     props: OpenHiAuthServiceProps;
     readonly userPoolKmsKey: IKey;
     readonly preTokenGenerationLambda: IFunction;
+    readonly postAuthenticationLambda: IFunction;
     readonly userPool: IUserPool;
     readonly userPoolClient: IUserPoolClient;
     readonly userPoolDomain: IUserPoolDomain;
@@ -952,12 +961,32 @@ declare class OpenHiAuthService extends OpenHiService {
      * openhi_* claims to the access token only; trigger version V2_0 may be required.
      */
     protected createPreTokenGenerationLambda(): IFunction;
+    /**
+     * Creates the Post Authentication Lambda (Cognito trigger). Calls
+     * AdminUserGlobalSignOut on every sign-in to enforce single-device-per-user
+     * sessions per ADR 2026-03-17-01.
+     */
+    protected createPostAuthenticationLambda(): IFunction;
     /**
      * Creates the Cognito User Pool and exports its ID to SSM.
      * Look up via {@link OpenHiAuthService.userPoolFromConstruct}.
      * Override to customize.
      */
     protected createUserPool(): IUserPool;
+    /**
+     * Grants the Post Authentication Lambda permission to call
+     * `cognito-idp:AdminUserGlobalSignOut`.
+     *
+     * Scoped via `Stack.of(this).formatArn` rather than `userPool.userPoolArn`
+     * because the User Pool registers this Lambda as a Post Authentication
+     * trigger, creating the cycle:
+     *   userPool → lambda (trigger ARN) → role policy → userPool ARN.
+     * Using `formatArn` avoids referencing the User Pool resource directly
+     * while still scoping to user pools in this account+region. The Lambda
+     * is invoked only by Cognito with a Cognito-provided `event.userPoolId`,
+     * so the runtime target is constrained by the trigger contract.
+     */
+    protected grantPostAuthenticationPermissions(): void;
     /**
      * Creates the User Pool Client and exports its ID to SSM (AUTH service type).
      * Look up via {@link OpenHiAuthService.userPoolClientFromConstruct}.
@@ -1219,4 +1248,4 @@ declare class OpenHiGraphqlService extends OpenHiService {
     protected createRootGraphqlApi(): RootGraphqlApi;
 }
 
-export { type BuildParameterNameProps, ChildHostedZone, type ChildHostedZoneProps, CognitoFixtureSeederClient, type CognitoFixtureSeederClientProps, CognitoUserPool, CognitoUserPoolClient, CognitoUserPoolDomain, CognitoUserPoolKmsKey, DATA_STORE_CHANGE_DETAIL_MAX_UTF8_BYTES, DATA_STORE_CHANGE_DETAIL_TYPE, DATA_STORE_CHANGE_EVENT_SOURCE, DataEventBus, DataStoreHistoricalArchive, type DataStoreHistoricalArchiveProps, DataStorePostgresReplica, type DataStorePostgresReplicaProps, DiscoverableStringParameter, type DiscoverableStringParameterProps, DynamoDbDataStore, type DynamoDbDataStoreProps, type FhirCurrentResourceChangeDetail, OpenHiApp, type OpenHiAppProps, OpenHiAuthService, type OpenHiAuthServiceProps, OpenHiDataService, type OpenHiDataServiceProps, OpenHiEnvironment, type OpenHiEnvironmentProps, OpenHiGlobalService, type OpenHiGlobalServiceProps, OpenHiGraphqlService, type OpenHiGraphqlServiceProps, OpenHiRestApiService, type OpenHiRestApiServiceProps, OpenHiService, type OpenHiServiceProps, type OpenHiServiceType, OpenHiStage, type OpenHiStageProps, OpsEventBus, POSTGRES_REPLICA_CLUSTER_ARN_SSM_NAME, POSTGRES_REPLICA_DATABASE_NAME_SSM_NAME, POSTGRES_REPLICA_SECRET_ARN_SSM_NAME, PreTokenGenerationLambda, REST_API_BASE_URL_SSM_NAME, RootGraphqlApi, type RootGraphqlApiProps, RootHostedZone, RootHttpApi, type RootHttpApiProps, RootWildcardCertificate, STATIC_HOSTING_SERVICE_TYPE, StaticHosting, type StaticHostingProps, buildFhirCurrentResourceChangeDetail, getDynamoDbDataStoreTableName, getPostgresReplicaSchemaName };
+export { type BuildParameterNameProps, ChildHostedZone, type ChildHostedZoneProps, CognitoFixtureSeederClient, type CognitoFixtureSeederClientProps, CognitoUserPool, CognitoUserPoolClient, CognitoUserPoolDomain, CognitoUserPoolKmsKey, DATA_STORE_CHANGE_DETAIL_MAX_UTF8_BYTES, DATA_STORE_CHANGE_DETAIL_TYPE, DATA_STORE_CHANGE_EVENT_SOURCE, DataEventBus, DataStoreHistoricalArchive, type DataStoreHistoricalArchiveProps, DataStorePostgresReplica, type DataStorePostgresReplicaProps, DiscoverableStringParameter, type DiscoverableStringParameterProps, DynamoDbDataStore, type DynamoDbDataStoreProps, type FhirCurrentResourceChangeDetail, OpenHiApp, type OpenHiAppProps, OpenHiAuthService, type OpenHiAuthServiceProps, OpenHiDataService, type OpenHiDataServiceProps, OpenHiEnvironment, type OpenHiEnvironmentProps, OpenHiGlobalService, type OpenHiGlobalServiceProps, OpenHiGraphqlService, type OpenHiGraphqlServiceProps, OpenHiRestApiService, type OpenHiRestApiServiceProps, OpenHiService, type OpenHiServiceProps, type OpenHiServiceType, OpenHiStage, type OpenHiStageProps, OpsEventBus, POSTGRES_REPLICA_CLUSTER_ARN_SSM_NAME, POSTGRES_REPLICA_DATABASE_NAME_SSM_NAME, POSTGRES_REPLICA_SECRET_ARN_SSM_NAME, PostAuthenticationLambda, PreTokenGenerationLambda, REST_API_BASE_URL_SSM_NAME, RootGraphqlApi, type RootGraphqlApiProps, RootHostedZone, RootHttpApi, type RootHttpApiProps, RootWildcardCertificate, STATIC_HOSTING_SERVICE_TYPE, StaticHosting, type StaticHostingProps, buildFhirCurrentResourceChangeDetail, getDynamoDbDataStoreTableName, getPostgresReplicaSchemaName };

package/lib/index.d.ts

@@ -569,6 +569,14 @@ declare class CognitoUserPoolKmsKey extends Key {
     constructor(scope: Construct, props?: KeyProps);
 }
 
+/**
+ * Lambda used as Cognito Post Authentication trigger.
+ */
+declare class PostAuthenticationLambda extends Construct {
+    readonly lambda: NodejsFunction;
+    constructor(scope: Construct);
+}
+
 /**
  * Lambda used as Cognito Pre Token Generation trigger.
  */
@@ -1026,6 +1034,7 @@ declare class OpenHiAuthService extends OpenHiService {
     props: OpenHiAuthServiceProps;
     readonly userPoolKmsKey: IKey;
     readonly preTokenGenerationLambda: IFunction;
+    readonly postAuthenticationLambda: IFunction;
     readonly userPool: IUserPool;
     readonly userPoolClient: IUserPoolClient;
     readonly userPoolDomain: IUserPoolDomain;
@@ -1047,12 +1056,32 @@ declare class OpenHiAuthService extends OpenHiService {
      * openhi_* claims to the access token only; trigger version V2_0 may be required.
      */
     protected createPreTokenGenerationLambda(): IFunction;
+    /**
+     * Creates the Post Authentication Lambda (Cognito trigger). Calls
+     * AdminUserGlobalSignOut on every sign-in to enforce single-device-per-user
+     * sessions per ADR 2026-03-17-01.
+     */
+    protected createPostAuthenticationLambda(): IFunction;
     /**
      * Creates the Cognito User Pool and exports its ID to SSM.
      * Look up via {@link OpenHiAuthService.userPoolFromConstruct}.
      * Override to customize.
      */
     protected createUserPool(): IUserPool;
+    /**
+     * Grants the Post Authentication Lambda permission to call
+     * `cognito-idp:AdminUserGlobalSignOut`.
+     *
+     * Scoped via `Stack.of(this).formatArn` rather than `userPool.userPoolArn`
+     * because the User Pool registers this Lambda as a Post Authentication
+     * trigger, creating the cycle:
+     *   userPool → lambda (trigger ARN) → role policy → userPool ARN.
+     * Using `formatArn` avoids referencing the User Pool resource directly
+     * while still scoping to user pools in this account+region. The Lambda
+     * is invoked only by Cognito with a Cognito-provided `event.userPoolId`,
+     * so the runtime target is constrained by the trigger contract.
+     */
+    protected grantPostAuthenticationPermissions(): void;
     /**
      * Creates the User Pool Client and exports its ID to SSM (AUTH service type).
      * Look up via {@link OpenHiAuthService.userPoolClientFromConstruct}.
@@ -1314,5 +1343,5 @@ declare class OpenHiGraphqlService extends OpenHiService {
     protected createRootGraphqlApi(): RootGraphqlApi;
 }
 
-export { ChildHostedZone, CognitoFixtureSeederClient, CognitoUserPool, CognitoUserPoolClient, CognitoUserPoolDomain, CognitoUserPoolKmsKey, DATA_STORE_CHANGE_DETAIL_MAX_UTF8_BYTES, DATA_STORE_CHANGE_DETAIL_TYPE, DATA_STORE_CHANGE_EVENT_SOURCE, DataEventBus, DataStoreHistoricalArchive, DataStorePostgresReplica, DiscoverableStringParameter, DynamoDbDataStore, OpenHiApp, OpenHiAuthService, OpenHiDataService, OpenHiEnvironment, OpenHiGlobalService, OpenHiGraphqlService, OpenHiRestApiService, OpenHiService, OpenHiStage, OpsEventBus, POSTGRES_REPLICA_CLUSTER_ARN_SSM_NAME, POSTGRES_REPLICA_DATABASE_NAME_SSM_NAME, POSTGRES_REPLICA_SECRET_ARN_SSM_NAME, PreTokenGenerationLambda, REST_API_BASE_URL_SSM_NAME, RootGraphqlApi, RootHostedZone, RootHttpApi, RootWildcardCertificate, STATIC_HOSTING_SERVICE_TYPE, StaticHosting, buildFhirCurrentResourceChangeDetail, getDynamoDbDataStoreTableName, getPostgresReplicaSchemaName };
+export { ChildHostedZone, CognitoFixtureSeederClient, CognitoUserPool, CognitoUserPoolClient, CognitoUserPoolDomain, CognitoUserPoolKmsKey, DATA_STORE_CHANGE_DETAIL_MAX_UTF8_BYTES, DATA_STORE_CHANGE_DETAIL_TYPE, DATA_STORE_CHANGE_EVENT_SOURCE, DataEventBus, DataStoreHistoricalArchive, DataStorePostgresReplica, DiscoverableStringParameter, DynamoDbDataStore, OpenHiApp, OpenHiAuthService, OpenHiDataService, OpenHiEnvironment, OpenHiGlobalService, OpenHiGraphqlService, OpenHiRestApiService, OpenHiService, OpenHiStage, OpsEventBus, POSTGRES_REPLICA_CLUSTER_ARN_SSM_NAME, POSTGRES_REPLICA_DATABASE_NAME_SSM_NAME, POSTGRES_REPLICA_SECRET_ARN_SSM_NAME, PostAuthenticationLambda, PreTokenGenerationLambda, REST_API_BASE_URL_SSM_NAME, RootGraphqlApi, RootHostedZone, RootHttpApi, RootWildcardCertificate, STATIC_HOSTING_SERVICE_TYPE, StaticHosting, buildFhirCurrentResourceChangeDetail, getDynamoDbDataStoreTableName, getPostgresReplicaSchemaName };
 export type { BuildParameterNameProps, ChildHostedZoneProps, CognitoFixtureSeederClientProps, DataStoreHistoricalArchiveProps, DataStorePostgresReplicaProps, DiscoverableStringParameterProps, DynamoDbDataStoreProps, FhirCurrentResourceChangeDetail, OpenHiAppProps, OpenHiAuthServiceProps, OpenHiDataServiceProps, OpenHiEnvironmentProps, OpenHiGlobalServiceProps, OpenHiGraphqlServiceProps, OpenHiRestApiServiceProps, OpenHiServiceProps, OpenHiServiceType, OpenHiStageProps, RootGraphqlApiProps, RootHttpApiProps, StaticHostingProps };

package/lib/index.js

@@ -120,6 +120,7 @@ __export(src_exports, {
   POSTGRES_REPLICA_CLUSTER_ARN_SSM_NAME: () => POSTGRES_REPLICA_CLUSTER_ARN_SSM_NAME,
   POSTGRES_REPLICA_DATABASE_NAME_SSM_NAME: () => POSTGRES_REPLICA_DATABASE_NAME_SSM_NAME,
   POSTGRES_REPLICA_SECRET_ARN_SSM_NAME: () => POSTGRES_REPLICA_SECRET_ARN_SSM_NAME,
+  PostAuthenticationLambda: () => PostAuthenticationLambda,
   PreTokenGenerationLambda: () => PreTokenGenerationLambda,
   REST_API_BASE_URL_SSM_NAME: () => REST_API_BASE_URL_SSM_NAME,
   RootGraphqlApi: () => RootGraphqlApi,
@@ -722,13 +723,13 @@ var CognitoUserPoolKmsKey = class extends import_aws_kms.Key {
  */
 CognitoUserPoolKmsKey.SSM_PARAM_NAME = "COGNITO_USER_POOL_KMS_KEY";
 
-// src/components/cognito/pre-token-generation-lambda.ts
+// src/components/cognito/post-authentication-lambda.ts
 var import_node_fs = __toESM(require("fs"));
 var import_node_path = __toESM(require("path"));
 var import_aws_lambda = require("aws-cdk-lib/aws-lambda");
 var import_aws_lambda_nodejs = require("aws-cdk-lib/aws-lambda-nodejs");
 var import_constructs = require("constructs");
-var HANDLER_NAME = "pre-token-generation.handler.js";
+var HANDLER_NAME = "post-authentication.handler.js";
 function resolveHandlerEntry(dirname) {
   const sameDir = import_node_path.default.join(dirname, HANDLER_NAME);
   if (import_node_fs.default.existsSync(sameDir)) {
@@ -737,9 +738,9 @@ function resolveHandlerEntry(dirname) {
   const fromLib = import_node_path.default.join(dirname, "..", "..", "..", "lib", HANDLER_NAME);
   return fromLib;
 }
-var PreTokenGenerationLambda = class extends import_constructs.Construct {
+var PostAuthenticationLambda = class extends import_constructs.Construct {
   constructor(scope) {
-    super(scope, "pre-token-generation-lambda");
+    super(scope, "post-authentication-lambda");
     this.lambda = new import_aws_lambda_nodejs.NodejsFunction(this, "handler", {
       entry: resolveHandlerEntry(__dirname),
       runtime: import_aws_lambda.Runtime.NODEJS_LATEST,
@@ -748,6 +749,32 @@ var PreTokenGenerationLambda = class extends import_constructs.Construct {
   }
 };
 
+// src/components/cognito/pre-token-generation-lambda.ts
+var import_node_fs2 = __toESM(require("fs"));
+var import_node_path2 = __toESM(require("path"));
+var import_aws_lambda2 = require("aws-cdk-lib/aws-lambda");
+var import_aws_lambda_nodejs2 = require("aws-cdk-lib/aws-lambda-nodejs");
+var import_constructs2 = require("constructs");
+var HANDLER_NAME2 = "pre-token-generation.handler.js";
+function resolveHandlerEntry2(dirname) {
+  const sameDir = import_node_path2.default.join(dirname, HANDLER_NAME2);
+  if (import_node_fs2.default.existsSync(sameDir)) {
+    return sameDir;
+  }
+  const fromLib = import_node_path2.default.join(dirname, "..", "..", "..", "lib", HANDLER_NAME2);
+  return fromLib;
+}
+var PreTokenGenerationLambda = class extends import_constructs2.Construct {
+  constructor(scope) {
+    super(scope, "pre-token-generation-lambda");
+    this.lambda = new import_aws_lambda_nodejs2.NodejsFunction(this, "handler", {
+      entry: resolveHandlerEntry2(__dirname),
+      runtime: import_aws_lambda2.Runtime.NODEJS_LATEST,
+      memorySize: 1024
+    });
+  }
+};
+
 // src/components/dynamodb/dynamodb-stream-record.ts
 function dynamodbValueToJs(av) {
   if (av.S !== void 0) {
@@ -870,23 +897,23 @@ function buildFhirCurrentResourceChangeDetail(record, keys) {
 }
 
 // src/components/dynamodb/data-store-historical-archive.ts
-var import_node_fs2 = __toESM(require("fs"));
-var import_node_path2 = __toESM(require("path"));
+var import_node_fs3 = __toESM(require("fs"));
+var import_node_path3 = __toESM(require("path"));
 var import_aws_cdk_lib7 = require("aws-cdk-lib");
 var kinesisfirehose = __toESM(require("aws-cdk-lib/aws-kinesisfirehose"));
-var import_aws_lambda2 = require("aws-cdk-lib/aws-lambda");
-var import_aws_lambda_nodejs2 = require("aws-cdk-lib/aws-lambda-nodejs");
+var import_aws_lambda3 = require("aws-cdk-lib/aws-lambda");
+var import_aws_lambda_nodejs3 = require("aws-cdk-lib/aws-lambda-nodejs");
 var s3 = __toESM(require("aws-cdk-lib/aws-s3"));
-var import_constructs2 = require("constructs");
-var HANDLER_NAME2 = "firehose-archive-transform.handler.js";
-function resolveHandlerEntry2(dirname) {
-  const sameDir = import_node_path2.default.join(dirname, HANDLER_NAME2);
-  if (import_node_fs2.default.existsSync(sameDir)) {
+var import_constructs3 = require("constructs");
+var HANDLER_NAME3 = "firehose-archive-transform.handler.js";
+function resolveHandlerEntry3(dirname) {
+  const sameDir = import_node_path3.default.join(dirname, HANDLER_NAME3);
+  if (import_node_fs3.default.existsSync(sameDir)) {
     return sameDir;
   }
-  return import_node_path2.default.join(dirname, "..", "..", "..", "lib", HANDLER_NAME2);
+  return import_node_path3.default.join(dirname, "..", "..", "..", "lib", HANDLER_NAME3);
 }
-var DataStoreHistoricalArchive = class extends import_constructs2.Construct {
+var DataStoreHistoricalArchive = class extends import_constructs3.Construct {
   constructor(scope, id, props) {
     super(scope, id);
     this.archiveBucket = new s3.Bucket(this, "ArchiveBucket", {
@@ -906,9 +933,9 @@ var DataStoreHistoricalArchive = class extends import_constructs2.Construct {
       versioned: false
     }) : void 0;
     this.putEventsFailureDlqBucket = putEventsFailureDlqBucket;
-    this.transformFunction = new import_aws_lambda_nodejs2.NodejsFunction(this, "FirehoseTransform", {
-      entry: resolveHandlerEntry2(__dirname),
-      runtime: import_aws_lambda2.Runtime.NODEJS_LATEST,
+    this.transformFunction = new import_aws_lambda_nodejs3.NodejsFunction(this, "FirehoseTransform", {
+      entry: resolveHandlerEntry3(__dirname),
+      runtime: import_aws_lambda3.Runtime.NODEJS_LATEST,
       memorySize: 512,
       timeout: import_aws_cdk_lib7.Duration.minutes(1),
       description: "Firehose transform: filter CURRENT resource rows, S3 keys, EventBridge PutEvents",
@@ -1074,27 +1101,27 @@ var OpsEventBus = class _OpsEventBus extends import_aws_events2.EventBus {
 };
 
 // src/components/postgres/data-store-postgres-replica.ts
-var import_node_fs3 = __toESM(require("fs"));
-var import_node_path3 = __toESM(require("path"));
+var import_node_fs4 = __toESM(require("fs"));
+var import_node_path4 = __toESM(require("path"));
 var import_aws_cdk_lib8 = require("aws-cdk-lib");
 var ec2 = __toESM(require("aws-cdk-lib/aws-ec2"));
-var import_aws_lambda3 = require("aws-cdk-lib/aws-lambda");
+var import_aws_lambda4 = require("aws-cdk-lib/aws-lambda");
 var import_aws_lambda_event_sources = require("aws-cdk-lib/aws-lambda-event-sources");
-var import_aws_lambda_nodejs3 = require("aws-cdk-lib/aws-lambda-nodejs");
+var import_aws_lambda_nodejs4 = require("aws-cdk-lib/aws-lambda-nodejs");
 var rds = __toESM(require("aws-cdk-lib/aws-rds"));
-var import_constructs3 = require("constructs");
-var HANDLER_NAME3 = "data-store-postgres-replication.handler.js";
+var import_constructs4 = require("constructs");
+var HANDLER_NAME4 = "data-store-postgres-replication.handler.js";
 var DEFAULT_DATABASE_NAME = "openhi";
 var SCHEMA_NAME_PATTERN = /^[a-z_][a-z0-9_]{0,62}$/;
 var POSTGRES_REPLICA_CLUSTER_ARN_SSM_NAME = "POSTGRES_REPLICA_CLUSTER_ARN";
 var POSTGRES_REPLICA_SECRET_ARN_SSM_NAME = "POSTGRES_REPLICA_SECRET_ARN";
 var POSTGRES_REPLICA_DATABASE_NAME_SSM_NAME = "POSTGRES_REPLICA_DATABASE_NAME";
-function resolveHandlerEntry3(dirname) {
-  const sameDir = import_node_path3.default.join(dirname, HANDLER_NAME3);
-  if (import_node_fs3.default.existsSync(sameDir)) {
+function resolveHandlerEntry4(dirname) {
+  const sameDir = import_node_path4.default.join(dirname, HANDLER_NAME4);
+  if (import_node_fs4.default.existsSync(sameDir)) {
     return sameDir;
   }
-  return import_node_path3.default.join(dirname, "..", "..", "..", "lib", HANDLER_NAME3);
+  return import_node_path4.default.join(dirname, "..", "..", "..", "lib", HANDLER_NAME4);
 }
 function getPostgresReplicaSchemaName(branchHash) {
   const candidate = `b_${branchHash.toLowerCase()}`;
@@ -1105,7 +1132,7 @@ function getPostgresReplicaSchemaName(branchHash) {
   }
   return candidate;
 }
-var DataStorePostgresReplica = class extends import_constructs3.Construct {
+var DataStorePostgresReplica = class extends import_constructs4.Construct {
   /**
    * Resolve the cluster ARN published by an upstream {@link DataStorePostgresReplica}.
    * Use from any stack that needs to grant `rds-data:ExecuteStatement` against
@@ -1174,9 +1201,9 @@ var DataStorePostgresReplica = class extends import_constructs3.Construct {
       enableDataApi: true
     });
     this.publishCoordinatesToSsm();
-    this.replicationFunction = new import_aws_lambda_nodejs3.NodejsFunction(this, "ReplicationFunction", {
-      entry: resolveHandlerEntry3(__dirname),
-      runtime: import_aws_lambda3.Runtime.NODEJS_LATEST,
+    this.replicationFunction = new import_aws_lambda_nodejs4.NodejsFunction(this, "ReplicationFunction", {
+      entry: resolveHandlerEntry4(__dirname),
+      runtime: import_aws_lambda4.Runtime.NODEJS_LATEST,
       memorySize: 512,
       timeout: import_aws_cdk_lib8.Duration.minutes(1),
       vpc: this.vpc,
@@ -1203,7 +1230,7 @@ var DataStorePostgresReplica = class extends import_constructs3.Construct {
     this.cluster.connections.allowDefaultPortFrom(this.replicationFunction);
     this.replicationFunction.addEventSource(
       new import_aws_lambda_event_sources.KinesisEventSource(props.kinesisStream, {
-        startingPosition: import_aws_lambda3.StartingPosition.LATEST,
+        startingPosition: import_aws_lambda4.StartingPosition.LATEST,
         batchSize: 100,
         maxBatchingWindow: import_aws_cdk_lib8.Duration.seconds(5),
         retryAttempts: 10,
@@ -1257,8 +1284,8 @@ var ChildHostedZone = class extends import_aws_route53.HostedZone {
 ChildHostedZone.SSM_PARAM_NAME = "CHILDHOSTEDZONE";
 
 // src/components/route-53/root-hosted-zone.ts
-var import_constructs4 = require("constructs");
-var RootHostedZone = class extends import_constructs4.Construct {
+var import_constructs5 = require("constructs");
+var RootHostedZone = class extends import_constructs5.Construct {
 };
 
 // src/components/static-hosting/static-hosting.ts
@@ -1266,9 +1293,9 @@ var import_aws_cloudfront = require("aws-cdk-lib/aws-cloudfront");
 var import_aws_cloudfront_origins = require("aws-cdk-lib/aws-cloudfront-origins");
 var import_aws_s3 = require("aws-cdk-lib/aws-s3");
 var import_core = require("aws-cdk-lib/core");
-var import_constructs5 = require("constructs");
+var import_constructs6 = require("constructs");
 var STATIC_HOSTING_SERVICE_TYPE = "website";
-var _StaticHosting = class _StaticHosting extends import_constructs5.Construct {
+var _StaticHosting = class _StaticHosting extends import_constructs6.Construct {
   constructor(scope, id, props = {}) {
     super(scope, id);
     const stack = OpenHiService.of(scope);
@@ -1322,7 +1349,9 @@ var StaticHosting = _StaticHosting;
 // src/services/open-hi-auth-service.ts
 var import_config4 = __toESM(require_lib());
 var import_aws_cognito5 = require("aws-cdk-lib/aws-cognito");
+var import_aws_iam = require("aws-cdk-lib/aws-iam");
 var import_aws_kms2 = require("aws-cdk-lib/aws-kms");
+var import_core2 = require("aws-cdk-lib/core");
 var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
   /**
    * Returns an IUserPool by looking up the Auth stack's User Pool ID from SSM.
@@ -1400,7 +1429,9 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
     this.props = props;
     this.userPoolKmsKey = this.createUserPoolKmsKey();
     this.preTokenGenerationLambda = this.createPreTokenGenerationLambda();
+    this.postAuthenticationLambda = this.createPostAuthenticationLambda();
     this.userPool = this.createUserPool();
+    this.grantPostAuthenticationPermissions();
     this.userPoolClient = this.createUserPoolClient();
     this.userPoolDomain = this.createUserPoolDomain();
     this.fixtureSeederClient = this.createFixtureSeederClient();
@@ -1427,6 +1458,15 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
     const construct = new PreTokenGenerationLambda(this);
     return construct.lambda;
   }
+  /**
+   * Creates the Post Authentication Lambda (Cognito trigger). Calls
+   * AdminUserGlobalSignOut on every sign-in to enforce single-device-per-user
+   * sessions per ADR 2026-03-17-01.
+   */
+  createPostAuthenticationLambda() {
+    const construct = new PostAuthenticationLambda(this);
+    return construct.lambda;
+  }
   /**
    * Creates the Cognito User Pool and exports its ID to SSM.
    * Look up via {@link OpenHiAuthService.userPoolFromConstruct}.
@@ -1442,6 +1482,10 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
       this.preTokenGenerationLambda,
       import_aws_cognito5.LambdaVersion.V2_0
     );
+    userPool.addTrigger(
+      import_aws_cognito5.UserPoolOperation.POST_AUTHENTICATION,
+      this.postAuthenticationLambda
+    );
     new DiscoverableStringParameter(this, "user-pool-param", {
       ssmParamName: CognitoUserPool.SSM_PARAM_NAME,
       stringValue: userPool.userPoolId,
@@ -1449,6 +1493,33 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
     });
     return userPool;
   }
+  /**
+   * Grants the Post Authentication Lambda permission to call
+   * `cognito-idp:AdminUserGlobalSignOut`.
+   *
+   * Scoped via `Stack.of(this).formatArn` rather than `userPool.userPoolArn`
+   * because the User Pool registers this Lambda as a Post Authentication
+   * trigger, creating the cycle:
+   *   userPool → lambda (trigger ARN) → role policy → userPool ARN.
+   * Using `formatArn` avoids referencing the User Pool resource directly
+   * while still scoping to user pools in this account+region. The Lambda
+   * is invoked only by Cognito with a Cognito-provided `event.userPoolId`,
+   * so the runtime target is constrained by the trigger contract.
+   */
+  grantPostAuthenticationPermissions() {
+    this.postAuthenticationLambda.addToRolePolicy(
+      new import_aws_iam.PolicyStatement({
+        actions: ["cognito-idp:AdminUserGlobalSignOut"],
+        resources: [
+          import_core2.Stack.of(this).formatArn({
+            service: "cognito-idp",
+            resource: "userpool",
+            resourceName: "*"
+          })
+        ]
+      })
+    );
+  }
   /**
    * Creates the User Pool Client and exports its ID to SSM (AUTH service type).
    * Look up via {@link OpenHiAuthService.userPoolClientFromConstruct}.
@@ -1620,10 +1691,10 @@ var import_config5 = __toESM(require_lib());
 var import_aws_apigatewayv22 = require("aws-cdk-lib/aws-apigatewayv2");
 var import_aws_apigatewayv2_authorizers = require("aws-cdk-lib/aws-apigatewayv2-authorizers");
 var import_aws_apigatewayv2_integrations = require("aws-cdk-lib/aws-apigatewayv2-integrations");
-var import_aws_iam = require("aws-cdk-lib/aws-iam");
+var import_aws_iam2 = require("aws-cdk-lib/aws-iam");
 var import_aws_route533 = require("aws-cdk-lib/aws-route53");
 var import_aws_route53_targets = require("aws-cdk-lib/aws-route53-targets");
-var import_core2 = require("aws-cdk-lib/core");
+var import_core3 = require("aws-cdk-lib/core");
 
 // src/services/open-hi-data-service.ts
 var import_aws_dynamodb2 = require("aws-cdk-lib/aws-dynamodb");
@@ -1727,52 +1798,52 @@ _OpenHiDataService.SERVICE_TYPE = "data";
 var OpenHiDataService = _OpenHiDataService;
 
 // src/data/lambda/cors-options-lambda.ts
-var import_node_fs4 = __toESM(require("fs"));
-var import_node_path4 = __toESM(require("path"));
-var import_aws_lambda4 = require("aws-cdk-lib/aws-lambda");
-var import_aws_lambda_nodejs4 = require("aws-cdk-lib/aws-lambda-nodejs");
-var import_constructs6 = require("constructs");
-var HANDLER_NAME4 = "cors-options-lambda.handler.js";
-function resolveHandlerEntry4(dirname) {
-  const sameDir = import_node_path4.default.join(dirname, HANDLER_NAME4);
-  if (import_node_fs4.default.existsSync(sameDir)) {
+var import_node_fs5 = __toESM(require("fs"));
+var import_node_path5 = __toESM(require("path"));
+var import_aws_lambda5 = require("aws-cdk-lib/aws-lambda");
+var import_aws_lambda_nodejs5 = require("aws-cdk-lib/aws-lambda-nodejs");
+var import_constructs7 = require("constructs");
+var HANDLER_NAME5 = "cors-options-lambda.handler.js";
+function resolveHandlerEntry5(dirname) {
+  const sameDir = import_node_path5.default.join(dirname, HANDLER_NAME5);
+  if (import_node_fs5.default.existsSync(sameDir)) {
     return sameDir;
   }
-  const fromLib = import_node_path4.default.join(dirname, "..", "..", "..", "lib", HANDLER_NAME4);
+  const fromLib = import_node_path5.default.join(dirname, "..", "..", "..", "lib", HANDLER_NAME5);
   return fromLib;
 }
-var CorsOptionsLambda = class extends import_constructs6.Construct {
+var CorsOptionsLambda = class extends import_constructs7.Construct {
   constructor(scope, id = "cors-options-lambda") {
     super(scope, id);
-    this.lambda = new import_aws_lambda_nodejs4.NodejsFunction(this, "handler", {
-      entry: resolveHandlerEntry4(__dirname),
-      runtime: import_aws_lambda4.Runtime.NODEJS_LATEST,
+    this.lambda = new import_aws_lambda_nodejs5.NodejsFunction(this, "handler", {
+      entry: resolveHandlerEntry5(__dirname),
+      runtime: import_aws_lambda5.Runtime.NODEJS_LATEST,
       memorySize: 128
     });
   }
 };
 
 // src/data/lambda/rest-api-lambda.ts
-var import_node_fs5 = __toESM(require("fs"));
-var import_node_path5 = __toESM(require("path"));
-var import_aws_lambda5 = require("aws-cdk-lib/aws-lambda");
-var import_aws_lambda_nodejs5 = require("aws-cdk-lib/aws-lambda-nodejs");
-var import_constructs7 = require("constructs");
-var HANDLER_NAME5 = "rest-api-lambda.handler.js";
-function resolveHandlerEntry5(dirname) {
-  const sameDir = import_node_path5.default.join(dirname, HANDLER_NAME5);
-  if (import_node_fs5.default.existsSync(sameDir)) {
+var import_node_fs6 = __toESM(require("fs"));
+var import_node_path6 = __toESM(require("path"));
+var import_aws_lambda6 = require("aws-cdk-lib/aws-lambda");
+var import_aws_lambda_nodejs6 = require("aws-cdk-lib/aws-lambda-nodejs");
+var import_constructs8 = require("constructs");
+var HANDLER_NAME6 = "rest-api-lambda.handler.js";
+function resolveHandlerEntry6(dirname) {
+  const sameDir = import_node_path6.default.join(dirname, HANDLER_NAME6);
+  if (import_node_fs6.default.existsSync(sameDir)) {
     return sameDir;
   }
-  const fromLib = import_node_path5.default.join(dirname, "..", "..", "..", "lib", HANDLER_NAME5);
+  const fromLib = import_node_path6.default.join(dirname, "..", "..", "..", "lib", HANDLER_NAME6);
   return fromLib;
 }
-var RestApiLambda = class extends import_constructs7.Construct {
+var RestApiLambda = class extends import_constructs8.Construct {
   constructor(scope, props) {
     super(scope, "rest-api-lambda");
-    this.lambda = new import_aws_lambda_nodejs5.NodejsFunction(this, "handler", {
-      entry: resolveHandlerEntry5(__dirname),
-      runtime: import_aws_lambda5.Runtime.NODEJS_LATEST,
+    this.lambda = new import_aws_lambda_nodejs6.NodejsFunction(this, "handler", {
+      entry: resolveHandlerEntry6(__dirname),
+      runtime: import_aws_lambda6.Runtime.NODEJS_LATEST,
       memorySize: 1024,
       environment: {
         DYNAMO_TABLE_NAME: props.dynamoTableName,
@@ -1914,8 +1985,8 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
       postgresSchema
     });
     lambda.addToRolePolicy(
-      new import_aws_iam.PolicyStatement({
-        effect: import_aws_iam.Effect.ALLOW,
+      new import_aws_iam2.PolicyStatement({
+        effect: import_aws_iam2.Effect.ALLOW,
         actions: [
           "rds-data:ExecuteStatement",
           "rds-data:BatchExecuteStatement"
@@ -1924,8 +1995,8 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
       })
     );
     lambda.addToRolePolicy(
-      new import_aws_iam.PolicyStatement({
-        effect: import_aws_iam.Effect.ALLOW,
+      new import_aws_iam2.PolicyStatement({
+        effect: import_aws_iam2.Effect.ALLOW,
         actions: ["secretsmanager:GetSecretValue"],
         resources: [postgresSecretArn]
       })
@@ -1943,15 +2014,15 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
     ];
     dataStoreTable.grant(lambda, ...dynamoActions);
     lambda.addToRolePolicy(
-      new import_aws_iam.PolicyStatement({
-        effect: import_aws_iam.Effect.ALLOW,
+      new import_aws_iam2.PolicyStatement({
+        effect: import_aws_iam2.Effect.ALLOW,
         actions: [...dynamoActions],
         resources: [`${dataStoreTable.tableArn}/index/*`]
       })
     );
     lambda.addToRolePolicy(
-      new import_aws_iam.PolicyStatement({
-        effect: import_aws_iam.Effect.ALLOW,
+      new import_aws_iam2.PolicyStatement({
+        effect: import_aws_iam2.Effect.ALLOW,
         actions: [
           "ssm:GetParameter",
           "ssm:GetParameters",
@@ -2037,7 +2108,7 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
         "Authorization"
       ],
       allowCredentials: cors.allowCredentials ?? true,
-      maxAge: cors.maxAge ?? import_core2.Duration.days(1),
+      maxAge: cors.maxAge ?? import_core3.Duration.days(1),
       ...cors.exposeHeaders !== void 0 && {
         exposeHeaders: cors.exposeHeaders
       }
@@ -2127,6 +2198,7 @@ var OpenHiGraphqlService = _OpenHiGraphqlService;
   POSTGRES_REPLICA_CLUSTER_ARN_SSM_NAME,
   POSTGRES_REPLICA_DATABASE_NAME_SSM_NAME,
   POSTGRES_REPLICA_SECRET_ARN_SSM_NAME,
+  PostAuthenticationLambda,
   PreTokenGenerationLambda,
   REST_API_BASE_URL_SSM_NAME,
   RootGraphqlApi,