@openhi/constructs 0.0.86 → 0.0.87

package/lib/index.mjs

@@ -673,13 +673,13 @@ var CognitoUserPoolKmsKey = class extends Key {
  */
 CognitoUserPoolKmsKey.SSM_PARAM_NAME = "COGNITO_USER_POOL_KMS_KEY";
 
-// src/components/cognito/pre-token-generation-lambda.ts
+// src/components/cognito/post-authentication-lambda.ts
 import fs from "fs";
 import path from "path";
 import { Runtime } from "aws-cdk-lib/aws-lambda";
 import { NodejsFunction } from "aws-cdk-lib/aws-lambda-nodejs";
 import { Construct } from "constructs";
-var HANDLER_NAME = "pre-token-generation.handler.js";
+var HANDLER_NAME = "post-authentication.handler.js";
 function resolveHandlerEntry(dirname) {
   const sameDir = path.join(dirname, HANDLER_NAME);
   if (fs.existsSync(sameDir)) {
@@ -688,9 +688,9 @@ function resolveHandlerEntry(dirname) {
   const fromLib = path.join(dirname, "..", "..", "..", "lib", HANDLER_NAME);
   return fromLib;
 }
-var PreTokenGenerationLambda = class extends Construct {
+var PostAuthenticationLambda = class extends Construct {
   constructor(scope) {
-    super(scope, "pre-token-generation-lambda");
+    super(scope, "post-authentication-lambda");
     this.lambda = new NodejsFunction(this, "handler", {
       entry: resolveHandlerEntry(__dirname),
       runtime: Runtime.NODEJS_LATEST,
@@ -699,24 +699,50 @@ var PreTokenGenerationLambda = class extends Construct {
   }
 };
 
-// src/components/dynamodb/data-store-historical-archive.ts
+// src/components/cognito/pre-token-generation-lambda.ts
 import fs2 from "fs";
 import path2 from "path";
-import { Duration as Duration2, RemovalPolicy as RemovalPolicy2, Size } from "aws-cdk-lib";
-import * as kinesisfirehose from "aws-cdk-lib/aws-kinesisfirehose";
 import { Runtime as Runtime2 } from "aws-cdk-lib/aws-lambda";
 import { NodejsFunction as NodejsFunction2 } from "aws-cdk-lib/aws-lambda-nodejs";
-import * as s3 from "aws-cdk-lib/aws-s3";
 import { Construct as Construct2 } from "constructs";
-var HANDLER_NAME2 = "firehose-archive-transform.handler.js";
+var HANDLER_NAME2 = "pre-token-generation.handler.js";
 function resolveHandlerEntry2(dirname) {
   const sameDir = path2.join(dirname, HANDLER_NAME2);
   if (fs2.existsSync(sameDir)) {
     return sameDir;
   }
-  return path2.join(dirname, "..", "..", "..", "lib", HANDLER_NAME2);
+  const fromLib = path2.join(dirname, "..", "..", "..", "lib", HANDLER_NAME2);
+  return fromLib;
 }
-var DataStoreHistoricalArchive = class extends Construct2 {
+var PreTokenGenerationLambda = class extends Construct2 {
+  constructor(scope) {
+    super(scope, "pre-token-generation-lambda");
+    this.lambda = new NodejsFunction2(this, "handler", {
+      entry: resolveHandlerEntry2(__dirname),
+      runtime: Runtime2.NODEJS_LATEST,
+      memorySize: 1024
+    });
+  }
+};
+
+// src/components/dynamodb/data-store-historical-archive.ts
+import fs3 from "fs";
+import path3 from "path";
+import { Duration as Duration2, RemovalPolicy as RemovalPolicy2, Size } from "aws-cdk-lib";
+import * as kinesisfirehose from "aws-cdk-lib/aws-kinesisfirehose";
+import { Runtime as Runtime3 } from "aws-cdk-lib/aws-lambda";
+import { NodejsFunction as NodejsFunction3 } from "aws-cdk-lib/aws-lambda-nodejs";
+import * as s3 from "aws-cdk-lib/aws-s3";
+import { Construct as Construct3 } from "constructs";
+var HANDLER_NAME3 = "firehose-archive-transform.handler.js";
+function resolveHandlerEntry3(dirname) {
+  const sameDir = path3.join(dirname, HANDLER_NAME3);
+  if (fs3.existsSync(sameDir)) {
+    return sameDir;
+  }
+  return path3.join(dirname, "..", "..", "..", "lib", HANDLER_NAME3);
+}
+var DataStoreHistoricalArchive = class extends Construct3 {
   constructor(scope, id, props) {
     super(scope, id);
     this.archiveBucket = new s3.Bucket(this, "ArchiveBucket", {
@@ -736,9 +762,9 @@ var DataStoreHistoricalArchive = class extends Construct2 {
       versioned: false
     }) : void 0;
     this.putEventsFailureDlqBucket = putEventsFailureDlqBucket;
-    this.transformFunction = new NodejsFunction2(this, "FirehoseTransform", {
-      entry: resolveHandlerEntry2(__dirname),
-      runtime: Runtime2.NODEJS_LATEST,
+    this.transformFunction = new NodejsFunction3(this, "FirehoseTransform", {
+      entry: resolveHandlerEntry3(__dirname),
+      runtime: Runtime3.NODEJS_LATEST,
       memorySize: 512,
       timeout: Duration2.minutes(1),
       description: "Firehose transform: filter CURRENT resource rows, S3 keys, EventBridge PutEvents",
@@ -909,27 +935,27 @@ var OpsEventBus = class _OpsEventBus extends EventBus2 {
 };
 
 // src/components/postgres/data-store-postgres-replica.ts
-import fs3 from "fs";
-import path3 from "path";
+import fs4 from "fs";
+import path4 from "path";
 import { Duration as Duration3, Stack as Stack2 } from "aws-cdk-lib";
 import * as ec2 from "aws-cdk-lib/aws-ec2";
-import { Runtime as Runtime3, StartingPosition } from "aws-cdk-lib/aws-lambda";
+import { Runtime as Runtime4, StartingPosition } from "aws-cdk-lib/aws-lambda";
 import { KinesisEventSource } from "aws-cdk-lib/aws-lambda-event-sources";
-import { NodejsFunction as NodejsFunction3 } from "aws-cdk-lib/aws-lambda-nodejs";
+import { NodejsFunction as NodejsFunction4 } from "aws-cdk-lib/aws-lambda-nodejs";
 import * as rds from "aws-cdk-lib/aws-rds";
-import { Construct as Construct3 } from "constructs";
-var HANDLER_NAME3 = "data-store-postgres-replication.handler.js";
+import { Construct as Construct4 } from "constructs";
+var HANDLER_NAME4 = "data-store-postgres-replication.handler.js";
 var DEFAULT_DATABASE_NAME = "openhi";
 var SCHEMA_NAME_PATTERN = /^[a-z_][a-z0-9_]{0,62}$/;
 var POSTGRES_REPLICA_CLUSTER_ARN_SSM_NAME = "POSTGRES_REPLICA_CLUSTER_ARN";
 var POSTGRES_REPLICA_SECRET_ARN_SSM_NAME = "POSTGRES_REPLICA_SECRET_ARN";
 var POSTGRES_REPLICA_DATABASE_NAME_SSM_NAME = "POSTGRES_REPLICA_DATABASE_NAME";
-function resolveHandlerEntry3(dirname) {
-  const sameDir = path3.join(dirname, HANDLER_NAME3);
-  if (fs3.existsSync(sameDir)) {
+function resolveHandlerEntry4(dirname) {
+  const sameDir = path4.join(dirname, HANDLER_NAME4);
+  if (fs4.existsSync(sameDir)) {
     return sameDir;
   }
-  return path3.join(dirname, "..", "..", "..", "lib", HANDLER_NAME3);
+  return path4.join(dirname, "..", "..", "..", "lib", HANDLER_NAME4);
 }
 function getPostgresReplicaSchemaName(branchHash) {
   const candidate = `b_${branchHash.toLowerCase()}`;
@@ -940,7 +966,7 @@ function getPostgresReplicaSchemaName(branchHash) {
   }
   return candidate;
 }
-var DataStorePostgresReplica = class extends Construct3 {
+var DataStorePostgresReplica = class extends Construct4 {
   /**
    * Resolve the cluster ARN published by an upstream {@link DataStorePostgresReplica}.
    * Use from any stack that needs to grant `rds-data:ExecuteStatement` against
@@ -1009,9 +1035,9 @@ var DataStorePostgresReplica = class extends Construct3 {
       enableDataApi: true
     });
     this.publishCoordinatesToSsm();
-    this.replicationFunction = new NodejsFunction3(this, "ReplicationFunction", {
-      entry: resolveHandlerEntry3(__dirname),
-      runtime: Runtime3.NODEJS_LATEST,
+    this.replicationFunction = new NodejsFunction4(this, "ReplicationFunction", {
+      entry: resolveHandlerEntry4(__dirname),
+      runtime: Runtime4.NODEJS_LATEST,
       memorySize: 512,
       timeout: Duration3.minutes(1),
       vpc: this.vpc,
@@ -1095,8 +1121,8 @@ var ChildHostedZone = class extends HostedZone {
 ChildHostedZone.SSM_PARAM_NAME = "CHILDHOSTEDZONE";
 
 // src/components/route-53/root-hosted-zone.ts
-import { Construct as Construct4 } from "constructs";
-var RootHostedZone = class extends Construct4 {
+import { Construct as Construct5 } from "constructs";
+var RootHostedZone = class extends Construct5 {
 };
 
 // src/components/static-hosting/static-hosting.ts
@@ -1107,9 +1133,9 @@ import {
 import { S3BucketOrigin } from "aws-cdk-lib/aws-cloudfront-origins";
 import { Bucket as Bucket2 } from "aws-cdk-lib/aws-s3";
 import { Duration as Duration5 } from "aws-cdk-lib/core";
-import { Construct as Construct5 } from "constructs";
+import { Construct as Construct6 } from "constructs";
 var STATIC_HOSTING_SERVICE_TYPE = "website";
-var _StaticHosting = class _StaticHosting extends Construct5 {
+var _StaticHosting = class _StaticHosting extends Construct6 {
   constructor(scope, id, props = {}) {
     super(scope, id);
     const stack = OpenHiService.of(scope);
@@ -1169,7 +1195,9 @@ import {
   UserPoolDomain as UserPoolDomain2,
   UserPoolOperation
 } from "aws-cdk-lib/aws-cognito";
+import { PolicyStatement } from "aws-cdk-lib/aws-iam";
 import { Key as Key2 } from "aws-cdk-lib/aws-kms";
+import { Stack as Stack3 } from "aws-cdk-lib/core";
 var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
   /**
    * Returns an IUserPool by looking up the Auth stack's User Pool ID from SSM.
@@ -1247,7 +1275,9 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
     this.props = props;
     this.userPoolKmsKey = this.createUserPoolKmsKey();
     this.preTokenGenerationLambda = this.createPreTokenGenerationLambda();
+    this.postAuthenticationLambda = this.createPostAuthenticationLambda();
     this.userPool = this.createUserPool();
+    this.grantPostAuthenticationPermissions();
     this.userPoolClient = this.createUserPoolClient();
     this.userPoolDomain = this.createUserPoolDomain();
     this.fixtureSeederClient = this.createFixtureSeederClient();
@@ -1274,6 +1304,15 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
     const construct = new PreTokenGenerationLambda(this);
     return construct.lambda;
   }
+  /**
+   * Creates the Post Authentication Lambda (Cognito trigger). Calls
+   * AdminUserGlobalSignOut on every sign-in to enforce single-device-per-user
+   * sessions per ADR 2026-03-17-01.
+   */
+  createPostAuthenticationLambda() {
+    const construct = new PostAuthenticationLambda(this);
+    return construct.lambda;
+  }
   /**
    * Creates the Cognito User Pool and exports its ID to SSM.
    * Look up via {@link OpenHiAuthService.userPoolFromConstruct}.
@@ -1289,6 +1328,10 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
       this.preTokenGenerationLambda,
       LambdaVersion.V2_0
     );
+    userPool.addTrigger(
+      UserPoolOperation.POST_AUTHENTICATION,
+      this.postAuthenticationLambda
+    );
     new DiscoverableStringParameter(this, "user-pool-param", {
       ssmParamName: CognitoUserPool.SSM_PARAM_NAME,
       stringValue: userPool.userPoolId,
@@ -1296,6 +1339,33 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
     });
     return userPool;
   }
+  /**
+   * Grants the Post Authentication Lambda permission to call
+   * `cognito-idp:AdminUserGlobalSignOut`.
+   *
+   * Scoped via `Stack.of(this).formatArn` rather than `userPool.userPoolArn`
+   * because the User Pool registers this Lambda as a Post Authentication
+   * trigger, creating the cycle:
+   *   userPool → lambda (trigger ARN) → role policy → userPool ARN.
+   * Using `formatArn` avoids referencing the User Pool resource directly
+   * while still scoping to user pools in this account+region. The Lambda
+   * is invoked only by Cognito with a Cognito-provided `event.userPoolId`,
+   * so the runtime target is constrained by the trigger contract.
+   */
+  grantPostAuthenticationPermissions() {
+    this.postAuthenticationLambda.addToRolePolicy(
+      new PolicyStatement({
+        actions: ["cognito-idp:AdminUserGlobalSignOut"],
+        resources: [
+          Stack3.of(this).formatArn({
+            service: "cognito-idp",
+            resource: "userpool",
+            resourceName: "*"
+          })
+        ]
+      })
+    );
+  }
   /**
    * Creates the User Pool Client and exports its ID to SSM (AUTH service type).
    * Look up via {@link OpenHiAuthService.userPoolClientFromConstruct}.
@@ -1480,7 +1550,7 @@ import {
 } from "aws-cdk-lib/aws-apigatewayv2";
 import { HttpUserPoolAuthorizer } from "aws-cdk-lib/aws-apigatewayv2-authorizers";
 import { HttpLambdaIntegration } from "aws-cdk-lib/aws-apigatewayv2-integrations";
-import { Effect, PolicyStatement } from "aws-cdk-lib/aws-iam";
+import { Effect, PolicyStatement as PolicyStatement2 } from "aws-cdk-lib/aws-iam";
 import {
   ARecord,
   HostedZone as HostedZone3,
@@ -1591,52 +1661,52 @@ _OpenHiDataService.SERVICE_TYPE = "data";
 var OpenHiDataService = _OpenHiDataService;
 
 // src/data/lambda/cors-options-lambda.ts
-import fs4 from "fs";
-import path4 from "path";
-import { Runtime as Runtime4 } from "aws-cdk-lib/aws-lambda";
-import { NodejsFunction as NodejsFunction4 } from "aws-cdk-lib/aws-lambda-nodejs";
-import { Construct as Construct6 } from "constructs";
-var HANDLER_NAME4 = "cors-options-lambda.handler.js";
-function resolveHandlerEntry4(dirname) {
-  const sameDir = path4.join(dirname, HANDLER_NAME4);
-  if (fs4.existsSync(sameDir)) {
+import fs5 from "fs";
+import path5 from "path";
+import { Runtime as Runtime5 } from "aws-cdk-lib/aws-lambda";
+import { NodejsFunction as NodejsFunction5 } from "aws-cdk-lib/aws-lambda-nodejs";
+import { Construct as Construct7 } from "constructs";
+var HANDLER_NAME5 = "cors-options-lambda.handler.js";
+function resolveHandlerEntry5(dirname) {
+  const sameDir = path5.join(dirname, HANDLER_NAME5);
+  if (fs5.existsSync(sameDir)) {
     return sameDir;
   }
-  const fromLib = path4.join(dirname, "..", "..", "..", "lib", HANDLER_NAME4);
+  const fromLib = path5.join(dirname, "..", "..", "..", "lib", HANDLER_NAME5);
   return fromLib;
 }
-var CorsOptionsLambda = class extends Construct6 {
+var CorsOptionsLambda = class extends Construct7 {
   constructor(scope, id = "cors-options-lambda") {
     super(scope, id);
-    this.lambda = new NodejsFunction4(this, "handler", {
-      entry: resolveHandlerEntry4(__dirname),
-      runtime: Runtime4.NODEJS_LATEST,
+    this.lambda = new NodejsFunction5(this, "handler", {
+      entry: resolveHandlerEntry5(__dirname),
+      runtime: Runtime5.NODEJS_LATEST,
       memorySize: 128
     });
   }
 };
 
 // src/data/lambda/rest-api-lambda.ts
-import fs5 from "fs";
-import path5 from "path";
-import { Runtime as Runtime5 } from "aws-cdk-lib/aws-lambda";
-import { NodejsFunction as NodejsFunction5 } from "aws-cdk-lib/aws-lambda-nodejs";
-import { Construct as Construct7 } from "constructs";
-var HANDLER_NAME5 = "rest-api-lambda.handler.js";
-function resolveHandlerEntry5(dirname) {
-  const sameDir = path5.join(dirname, HANDLER_NAME5);
-  if (fs5.existsSync(sameDir)) {
+import fs6 from "fs";
+import path6 from "path";
+import { Runtime as Runtime6 } from "aws-cdk-lib/aws-lambda";
+import { NodejsFunction as NodejsFunction6 } from "aws-cdk-lib/aws-lambda-nodejs";
+import { Construct as Construct8 } from "constructs";
+var HANDLER_NAME6 = "rest-api-lambda.handler.js";
+function resolveHandlerEntry6(dirname) {
+  const sameDir = path6.join(dirname, HANDLER_NAME6);
+  if (fs6.existsSync(sameDir)) {
     return sameDir;
   }
-  const fromLib = path5.join(dirname, "..", "..", "..", "lib", HANDLER_NAME5);
+  const fromLib = path6.join(dirname, "..", "..", "..", "lib", HANDLER_NAME6);
   return fromLib;
 }
-var RestApiLambda = class extends Construct7 {
+var RestApiLambda = class extends Construct8 {
   constructor(scope, props) {
     super(scope, "rest-api-lambda");
-    this.lambda = new NodejsFunction5(this, "handler", {
-      entry: resolveHandlerEntry5(__dirname),
-      runtime: Runtime5.NODEJS_LATEST,
+    this.lambda = new NodejsFunction6(this, "handler", {
+      entry: resolveHandlerEntry6(__dirname),
+      runtime: Runtime6.NODEJS_LATEST,
       memorySize: 1024,
       environment: {
         DYNAMO_TABLE_NAME: props.dynamoTableName,
@@ -1778,7 +1848,7 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
       postgresSchema
     });
     lambda.addToRolePolicy(
-      new PolicyStatement({
+      new PolicyStatement2({
         effect: Effect.ALLOW,
         actions: [
           "rds-data:ExecuteStatement",
@@ -1788,7 +1858,7 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
       })
     );
     lambda.addToRolePolicy(
-      new PolicyStatement({
+      new PolicyStatement2({
         effect: Effect.ALLOW,
         actions: ["secretsmanager:GetSecretValue"],
         resources: [postgresSecretArn]
@@ -1807,14 +1877,14 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
     ];
     dataStoreTable.grant(lambda, ...dynamoActions);
     lambda.addToRolePolicy(
-      new PolicyStatement({
+      new PolicyStatement2({
         effect: Effect.ALLOW,
         actions: [...dynamoActions],
         resources: [`${dataStoreTable.tableArn}/index/*`]
       })
     );
     lambda.addToRolePolicy(
-      new PolicyStatement({
+      new PolicyStatement2({
         effect: Effect.ALLOW,
         actions: [
           "ssm:GetParameter",
@@ -1993,6 +2063,7 @@ export {
   POSTGRES_REPLICA_CLUSTER_ARN_SSM_NAME,
   POSTGRES_REPLICA_DATABASE_NAME_SSM_NAME,
   POSTGRES_REPLICA_SECRET_ARN_SSM_NAME,
+  PostAuthenticationLambda,
   PreTokenGenerationLambda,
   REST_API_BASE_URL_SSM_NAME,
   RootGraphqlApi,