@openhi/constructs 0.0.91 → 0.0.93

package/lib/index.js

@@ -121,6 +121,7 @@ __export(src_exports, {
   POSTGRES_REPLICA_DATABASE_NAME_SSM_NAME: () => POSTGRES_REPLICA_DATABASE_NAME_SSM_NAME,
   POSTGRES_REPLICA_SECRET_ARN_SSM_NAME: () => POSTGRES_REPLICA_SECRET_ARN_SSM_NAME,
   PostAuthenticationLambda: () => PostAuthenticationLambda,
+  PostConfirmationLambda: () => PostConfirmationLambda,
   PreTokenGenerationLambda: () => PreTokenGenerationLambda,
   REST_API_BASE_URL_SSM_NAME: () => REST_API_BASE_URL_SSM_NAME,
   RootGraphqlApi: () => RootGraphqlApi,
@@ -749,13 +750,13 @@ var PostAuthenticationLambda = class extends import_constructs.Construct {
   }
 };
 
-// src/components/cognito/pre-token-generation-lambda.ts
+// src/components/cognito/post-confirmation-lambda.ts
 var import_node_fs2 = __toESM(require("fs"));
 var import_node_path2 = __toESM(require("path"));
 var import_aws_lambda2 = require("aws-cdk-lib/aws-lambda");
 var import_aws_lambda_nodejs2 = require("aws-cdk-lib/aws-lambda-nodejs");
 var import_constructs2 = require("constructs");
-var HANDLER_NAME2 = "pre-token-generation.handler.js";
+var HANDLER_NAME2 = "post-confirmation.handler.js";
 function resolveHandlerEntry2(dirname) {
   const sameDir = import_node_path2.default.join(dirname, HANDLER_NAME2);
   if (import_node_fs2.default.existsSync(sameDir)) {
@@ -764,13 +765,45 @@ function resolveHandlerEntry2(dirname) {
   const fromLib = import_node_path2.default.join(dirname, "..", "..", "..", "lib", HANDLER_NAME2);
   return fromLib;
 }
-var PreTokenGenerationLambda = class extends import_constructs2.Construct {
-  constructor(scope) {
-    super(scope, "pre-token-generation-lambda");
+var PostConfirmationLambda = class extends import_constructs2.Construct {
+  constructor(scope, props) {
+    super(scope, "post-confirmation-lambda");
     this.lambda = new import_aws_lambda_nodejs2.NodejsFunction(this, "handler", {
       entry: resolveHandlerEntry2(__dirname),
       runtime: import_aws_lambda2.Runtime.NODEJS_LATEST,
-      memorySize: 1024
+      memorySize: 1024,
+      environment: {
+        DYNAMO_TABLE_NAME: props.dynamoTableName
+      }
+    });
+  }
+};
+
+// src/components/cognito/pre-token-generation-lambda.ts
+var import_node_fs3 = __toESM(require("fs"));
+var import_node_path3 = __toESM(require("path"));
+var import_aws_lambda3 = require("aws-cdk-lib/aws-lambda");
+var import_aws_lambda_nodejs3 = require("aws-cdk-lib/aws-lambda-nodejs");
+var import_constructs3 = require("constructs");
+var HANDLER_NAME3 = "pre-token-generation.handler.js";
+function resolveHandlerEntry3(dirname) {
+  const sameDir = import_node_path3.default.join(dirname, HANDLER_NAME3);
+  if (import_node_fs3.default.existsSync(sameDir)) {
+    return sameDir;
+  }
+  const fromLib = import_node_path3.default.join(dirname, "..", "..", "..", "lib", HANDLER_NAME3);
+  return fromLib;
+}
+var PreTokenGenerationLambda = class extends import_constructs3.Construct {
+  constructor(scope, props) {
+    super(scope, "pre-token-generation-lambda");
+    this.lambda = new import_aws_lambda_nodejs3.NodejsFunction(this, "handler", {
+      entry: resolveHandlerEntry3(__dirname),
+      runtime: import_aws_lambda3.Runtime.NODEJS_LATEST,
+      memorySize: 1024,
+      environment: {
+        DYNAMO_TABLE_NAME: props.dynamoTableName
+      }
     });
   }
 };
@@ -897,23 +930,23 @@ function buildFhirCurrentResourceChangeDetail(record, keys) {
 }
 
 // src/components/dynamodb/data-store-historical-archive.ts
-var import_node_fs3 = __toESM(require("fs"));
-var import_node_path3 = __toESM(require("path"));
+var import_node_fs4 = __toESM(require("fs"));
+var import_node_path4 = __toESM(require("path"));
 var import_aws_cdk_lib7 = require("aws-cdk-lib");
 var kinesisfirehose = __toESM(require("aws-cdk-lib/aws-kinesisfirehose"));
-var import_aws_lambda3 = require("aws-cdk-lib/aws-lambda");
-var import_aws_lambda_nodejs3 = require("aws-cdk-lib/aws-lambda-nodejs");
+var import_aws_lambda4 = require("aws-cdk-lib/aws-lambda");
+var import_aws_lambda_nodejs4 = require("aws-cdk-lib/aws-lambda-nodejs");
 var s3 = __toESM(require("aws-cdk-lib/aws-s3"));
-var import_constructs3 = require("constructs");
-var HANDLER_NAME3 = "firehose-archive-transform.handler.js";
-function resolveHandlerEntry3(dirname) {
-  const sameDir = import_node_path3.default.join(dirname, HANDLER_NAME3);
-  if (import_node_fs3.default.existsSync(sameDir)) {
+var import_constructs4 = require("constructs");
+var HANDLER_NAME4 = "firehose-archive-transform.handler.js";
+function resolveHandlerEntry4(dirname) {
+  const sameDir = import_node_path4.default.join(dirname, HANDLER_NAME4);
+  if (import_node_fs4.default.existsSync(sameDir)) {
     return sameDir;
   }
-  return import_node_path3.default.join(dirname, "..", "..", "..", "lib", HANDLER_NAME3);
+  return import_node_path4.default.join(dirname, "..", "..", "..", "lib", HANDLER_NAME4);
 }
-var DataStoreHistoricalArchive = class extends import_constructs3.Construct {
+var DataStoreHistoricalArchive = class extends import_constructs4.Construct {
   constructor(scope, id, props) {
     super(scope, id);
     this.archiveBucket = new s3.Bucket(this, "ArchiveBucket", {
@@ -933,9 +966,9 @@ var DataStoreHistoricalArchive = class extends import_constructs3.Construct {
       versioned: false
     }) : void 0;
     this.putEventsFailureDlqBucket = putEventsFailureDlqBucket;
-    this.transformFunction = new import_aws_lambda_nodejs3.NodejsFunction(this, "FirehoseTransform", {
-      entry: resolveHandlerEntry3(__dirname),
-      runtime: import_aws_lambda3.Runtime.NODEJS_LATEST,
+    this.transformFunction = new import_aws_lambda_nodejs4.NodejsFunction(this, "FirehoseTransform", {
+      entry: resolveHandlerEntry4(__dirname),
+      runtime: import_aws_lambda4.Runtime.NODEJS_LATEST,
       memorySize: 512,
       timeout: import_aws_cdk_lib7.Duration.minutes(1),
       description: "Firehose transform: filter CURRENT resource rows, S3 keys, EventBridge PutEvents",
@@ -1113,27 +1146,27 @@ var OpsEventBus = class _OpsEventBus extends import_aws_events2.EventBus {
 };
 
 // src/components/postgres/data-store-postgres-replica.ts
-var import_node_fs4 = __toESM(require("fs"));
-var import_node_path4 = __toESM(require("path"));
+var import_node_fs5 = __toESM(require("fs"));
+var import_node_path5 = __toESM(require("path"));
 var import_aws_cdk_lib8 = require("aws-cdk-lib");
 var ec2 = __toESM(require("aws-cdk-lib/aws-ec2"));
-var import_aws_lambda4 = require("aws-cdk-lib/aws-lambda");
+var import_aws_lambda5 = require("aws-cdk-lib/aws-lambda");
 var import_aws_lambda_event_sources = require("aws-cdk-lib/aws-lambda-event-sources");
-var import_aws_lambda_nodejs4 = require("aws-cdk-lib/aws-lambda-nodejs");
+var import_aws_lambda_nodejs5 = require("aws-cdk-lib/aws-lambda-nodejs");
 var rds = __toESM(require("aws-cdk-lib/aws-rds"));
-var import_constructs4 = require("constructs");
-var HANDLER_NAME4 = "data-store-postgres-replication.handler.js";
+var import_constructs5 = require("constructs");
+var HANDLER_NAME5 = "data-store-postgres-replication.handler.js";
 var DEFAULT_DATABASE_NAME = "openhi";
 var SCHEMA_NAME_PATTERN = /^[a-z_][a-z0-9_]{0,62}$/;
 var POSTGRES_REPLICA_CLUSTER_ARN_SSM_NAME = "POSTGRES_REPLICA_CLUSTER_ARN";
 var POSTGRES_REPLICA_SECRET_ARN_SSM_NAME = "POSTGRES_REPLICA_SECRET_ARN";
 var POSTGRES_REPLICA_DATABASE_NAME_SSM_NAME = "POSTGRES_REPLICA_DATABASE_NAME";
-function resolveHandlerEntry4(dirname) {
-  const sameDir = import_node_path4.default.join(dirname, HANDLER_NAME4);
-  if (import_node_fs4.default.existsSync(sameDir)) {
+function resolveHandlerEntry5(dirname) {
+  const sameDir = import_node_path5.default.join(dirname, HANDLER_NAME5);
+  if (import_node_fs5.default.existsSync(sameDir)) {
     return sameDir;
   }
-  return import_node_path4.default.join(dirname, "..", "..", "..", "lib", HANDLER_NAME4);
+  return import_node_path5.default.join(dirname, "..", "..", "..", "lib", HANDLER_NAME5);
 }
 function getPostgresReplicaSchemaName(branchHash) {
   const candidate = `b_${branchHash.toLowerCase()}`;
@@ -1144,7 +1177,7 @@ function getPostgresReplicaSchemaName(branchHash) {
   }
   return candidate;
 }
-var DataStorePostgresReplica = class extends import_constructs4.Construct {
+var DataStorePostgresReplica = class extends import_constructs5.Construct {
   /**
    * Resolve the cluster ARN published by an upstream {@link DataStorePostgresReplica}.
    * Use from any stack that needs to grant `rds-data:ExecuteStatement` against
@@ -1213,9 +1246,9 @@ var DataStorePostgresReplica = class extends import_constructs4.Construct {
       enableDataApi: true
     });
     this.publishCoordinatesToSsm();
-    this.replicationFunction = new import_aws_lambda_nodejs4.NodejsFunction(this, "ReplicationFunction", {
-      entry: resolveHandlerEntry4(__dirname),
-      runtime: import_aws_lambda4.Runtime.NODEJS_LATEST,
+    this.replicationFunction = new import_aws_lambda_nodejs5.NodejsFunction(this, "ReplicationFunction", {
+      entry: resolveHandlerEntry5(__dirname),
+      runtime: import_aws_lambda5.Runtime.NODEJS_LATEST,
       memorySize: 512,
       timeout: import_aws_cdk_lib8.Duration.minutes(1),
       vpc: this.vpc,
@@ -1242,7 +1275,7 @@ var DataStorePostgresReplica = class extends import_constructs4.Construct {
     this.cluster.connections.allowDefaultPortFrom(this.replicationFunction);
     this.replicationFunction.addEventSource(
       new import_aws_lambda_event_sources.KinesisEventSource(props.kinesisStream, {
-        startingPosition: import_aws_lambda4.StartingPosition.LATEST,
+        startingPosition: import_aws_lambda5.StartingPosition.LATEST,
         batchSize: 100,
         maxBatchingWindow: import_aws_cdk_lib8.Duration.seconds(5),
         retryAttempts: 10,
@@ -1296,8 +1329,8 @@ var ChildHostedZone = class extends import_aws_route53.HostedZone {
 ChildHostedZone.SSM_PARAM_NAME = "CHILDHOSTEDZONE";
 
 // src/components/route-53/root-hosted-zone.ts
-var import_constructs5 = require("constructs");
-var RootHostedZone = class extends import_constructs5.Construct {
+var import_constructs6 = require("constructs");
+var RootHostedZone = class extends import_constructs6.Construct {
 };
 
 // src/components/static-hosting/static-hosting.ts
@@ -1305,9 +1338,9 @@ var import_aws_cloudfront = require("aws-cdk-lib/aws-cloudfront");
 var import_aws_cloudfront_origins = require("aws-cdk-lib/aws-cloudfront-origins");
 var import_aws_s3 = require("aws-cdk-lib/aws-s3");
 var import_core = require("aws-cdk-lib/core");
-var import_constructs6 = require("constructs");
+var import_constructs7 = require("constructs");
 var STATIC_HOSTING_SERVICE_TYPE = "website";
-var _StaticHosting = class _StaticHosting extends import_constructs6.Construct {
+var _StaticHosting = class _StaticHosting extends import_constructs7.Construct {
   constructor(scope, id, props = {}) {
     super(scope, id);
     const stack = OpenHiService.of(scope);
@@ -1364,7 +1397,132 @@ var import_aws_cognito5 = require("aws-cdk-lib/aws-cognito");
 var import_aws_iam = require("aws-cdk-lib/aws-iam");
 var import_aws_kms2 = require("aws-cdk-lib/aws-kms");
 var import_core2 = require("aws-cdk-lib/core");
+
+// src/services/open-hi-data-service.ts
+var import_aws_dynamodb2 = require("aws-cdk-lib/aws-dynamodb");
+var import_aws_events3 = require("aws-cdk-lib/aws-events");
+var kinesis = __toESM(require("aws-cdk-lib/aws-kinesis"));
+var _OpenHiDataService = class _OpenHiDataService extends OpenHiService {
+  /**
+   * Returns the data event bus by name (deterministic per branch). Use from other stacks to obtain an IEventBus reference.
+   */
+  static dataEventBusFromConstruct(scope) {
+    return import_aws_events3.EventBus.fromEventBusName(
+      scope,
+      "data-event-bus",
+      DataEventBus.getEventBusName(scope)
+    );
+  }
+  /**
+   * Returns the ops event bus by name (deterministic per branch). Use from other stacks to obtain an IEventBus reference.
+   */
+  static opsEventBusFromConstruct(scope) {
+    return import_aws_events3.EventBus.fromEventBusName(
+      scope,
+      "ops-event-bus",
+      OpsEventBus.getEventBusName(scope)
+    );
+  }
+  /**
+   * Returns the data store table by name. Use from other stacks (e.g. REST API Lambda) to obtain an ITable reference.
+   */
+  static dynamoDbDataStoreFromConstruct(scope, id = "dynamo-db-data-store") {
+    return import_aws_dynamodb2.Table.fromTableName(scope, id, getDynamoDbDataStoreTableName(scope));
+  }
+  get serviceType() {
+    return _OpenHiDataService.SERVICE_TYPE;
+  }
+  constructor(ohEnv, props = {}) {
+    super(ohEnv, _OpenHiDataService.SERVICE_TYPE, props);
+    this.props = props;
+    this.dataEventBus = this.createDataEventBus();
+    this.opsEventBus = this.createOpsEventBus();
+    this.dataStoreChangeStream = new kinesis.Stream(
+      this,
+      "data-store-change-stream",
+      {
+        streamName: `openhi-dstore-cdc-${this.branchHash}`,
+        streamMode: kinesis.StreamMode.ON_DEMAND,
+        // CDK default for kinesis.Stream is RETAIN, which strands the stream
+        // when a non-prod stack is destroyed. Use the service's policy so
+        // non-prod tears down cleanly while prod retains.
+        removalPolicy: this.removalPolicy
+      }
+    );
+    this.dataStore = this.createDataStore();
+    this.dataStoreHistoricalArchive = new DataStoreHistoricalArchive(
+      this,
+      "data-store-historical-archive",
+      {
+        kinesisStream: this.dataStoreChangeStream,
+        removalPolicy: this.removalPolicy,
+        stackHash: this.stackHash,
+        dataEventBus: this.dataEventBus
+      }
+    );
+    this.dataStorePostgresReplica = new DataStorePostgresReplica(
+      this,
+      "data-store-postgres-replica",
+      {
+        kinesisStream: this.dataStoreChangeStream,
+        removalPolicy: this.removalPolicy,
+        stackHash: this.stackHash,
+        branchHash: this.branchHash
+      }
+    );
+  }
+  /**
+   * Creates the data event bus.
+   * Override to customize.
+   */
+  createDataEventBus() {
+    return new DataEventBus(this);
+  }
+  /**
+   * Creates the ops event bus.
+   * Override to customize.
+   */
+  createOpsEventBus() {
+    return new OpsEventBus(this);
+  }
+  /**
+   * Creates the single-table DynamoDB data store.
+   * Override to customize.
+   */
+  createDataStore() {
+    return new DynamoDbDataStore(this, "dynamo-db-data-store", {
+      kinesisStream: this.dataStoreChangeStream,
+      stream: import_aws_dynamodb2.StreamViewType.NEW_AND_OLD_IMAGES
+    });
+  }
+};
+_OpenHiDataService.SERVICE_TYPE = "data";
+var OpenHiDataService = _OpenHiDataService;
+
+// src/services/open-hi-auth-service.ts
 var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
+  constructor(ohEnv, props = {}) {
+    super(ohEnv, _OpenHiAuthService.SERVICE_TYPE, props);
+    /**
+     * Cross-stack reference to the data store table. Cached so repeated
+     * lookups share a single CDK construct id ("dynamo-db-data-store") in
+     * this stack — a second `Table.fromTableName` call under the same scope
+     * would collide.
+     */
+    this._dataStoreTable = null;
+    this.props = props;
+    this.userPoolKmsKey = this.createUserPoolKmsKey();
+    this.preTokenGenerationLambda = this.createPreTokenGenerationLambda();
+    this.postAuthenticationLambda = this.createPostAuthenticationLambda();
+    this.postConfirmationLambda = this.createPostConfirmationLambda();
+    this.userPool = this.createUserPool();
+    this.grantPreTokenGenerationPermissions();
+    this.grantPostAuthenticationPermissions();
+    this.grantPostConfirmationPermissions();
+    this.userPoolClient = this.createUserPoolClient();
+    this.userPoolDomain = this.createUserPoolDomain();
+    this.fixtureSeederClient = this.createFixtureSeederClient();
+  }
   /**
    * Returns an IUserPool by looking up the Auth stack's User Pool ID from SSM.
    */
@@ -1436,18 +1594,6 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
   get serviceType() {
     return _OpenHiAuthService.SERVICE_TYPE;
   }
-  constructor(ohEnv, props = {}) {
-    super(ohEnv, _OpenHiAuthService.SERVICE_TYPE, props);
-    this.props = props;
-    this.userPoolKmsKey = this.createUserPoolKmsKey();
-    this.preTokenGenerationLambda = this.createPreTokenGenerationLambda();
-    this.postAuthenticationLambda = this.createPostAuthenticationLambda();
-    this.userPool = this.createUserPool();
-    this.grantPostAuthenticationPermissions();
-    this.userPoolClient = this.createUserPoolClient();
-    this.userPoolDomain = this.createUserPoolDomain();
-    this.fixtureSeederClient = this.createFixtureSeederClient();
-  }
   /**
    * Creates the KMS key for the Cognito User Pool and exports its ARN to SSM.
    * Look up via {@link OpenHiAuthService.userPoolKmsKeyFromConstruct}.
@@ -1463,11 +1609,15 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
     return key;
   }
   /**
-   * Creates the Pre Token Generation Lambda (Cognito trigger). Phase 2 will add
-   * openhi_* claims to the access token only; trigger version V2_0 may be required.
+   * Creates the Pre Token Generation Lambda (Cognito trigger). On every
+   * sign-in and token refresh the Lambda resolves the User by Cognito `sub`
+   * (GSI2) and injects `ohi_tid`, `ohi_wid`, `ohi_uid`, `ohi_uname` into
+   * both the ID token and the access token (ADR 2026-03-17-01).
    */
   createPreTokenGenerationLambda() {
-    const construct = new PreTokenGenerationLambda(this);
+    const construct = new PreTokenGenerationLambda(this, {
+      dynamoTableName: this.dataStoreTable().tableName
+    });
     return construct.lambda;
   }
   /**
@@ -1479,6 +1629,25 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
     const construct = new PostAuthenticationLambda(this);
     return construct.lambda;
   }
+  /**
+   * Creates the Post Confirmation Lambda (Cognito trigger). On sign-up
+   * confirmation, writes the new user's default Tenant, Workspace,
+   * Memberships, and `tenant-user` RoleAssignment, plus a User record
+   * carrying the Cognito `sub` and current tenant/workspace pointers
+   * (ADR 2026-03-17-01 invariants).
+   */
+  createPostConfirmationLambda() {
+    const construct = new PostConfirmationLambda(this, {
+      dynamoTableName: this.dataStoreTable().tableName
+    });
+    return construct.lambda;
+  }
+  dataStoreTable() {
+    if (this._dataStoreTable === null) {
+      this._dataStoreTable = OpenHiDataService.dynamoDbDataStoreFromConstruct(this);
+    }
+    return this._dataStoreTable;
+  }
   /**
    * Creates the Cognito User Pool and exports its ID to SSM.
    * Look up via {@link OpenHiAuthService.userPoolFromConstruct}.
@@ -1498,6 +1667,10 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
       import_aws_cognito5.UserPoolOperation.POST_AUTHENTICATION,
       this.postAuthenticationLambda
     );
+    userPool.addTrigger(
+      import_aws_cognito5.UserPoolOperation.POST_CONFIRMATION,
+      this.postConfirmationLambda
+    );
     new DiscoverableStringParameter(this, "user-pool-param", {
       ssmParamName: CognitoUserPool.SSM_PARAM_NAME,
       stringValue: userPool.userPoolId,
@@ -1505,6 +1678,27 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
     });
     return userPool;
   }
+  /**
+   * Grants the Pre Token Generation Lambda read-only access on the data
+   * store table and its GSIs. The Lambda only needs:
+   * - `Query` on GSI2 to resolve a User by Cognito `sub`
+   * - `GetItem` on the base table for direct User reads
+   *
+   * No write or scan access: a User missing `currentTenant`/`currentWorkspace`
+   * falls into the absent-claims path; repair belongs in a separate backfill.
+   */
+  grantPreTokenGenerationPermissions() {
+    const dataStoreTable = this.dataStoreTable();
+    const dynamoActions = ["dynamodb:GetItem", "dynamodb:Query"];
+    dataStoreTable.grant(this.preTokenGenerationLambda, ...dynamoActions);
+    this.preTokenGenerationLambda.addToRolePolicy(
+      new import_aws_iam.PolicyStatement({
+        effect: import_aws_iam.Effect.ALLOW,
+        actions: [...dynamoActions],
+        resources: [`${dataStoreTable.tableArn}/index/*`]
+      })
+    );
+  }
   /**
    * Grants the Post Authentication Lambda permission to call
    * `cognito-idp:AdminUserGlobalSignOut`.
@@ -1532,6 +1726,28 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
       })
     );
   }
+  /**
+   * Grants the Post Confirmation Lambda write access to the data store
+   * table (and its GSIs) so it can seed the new user's Tenant, Workspace,
+   * Memberships, RoleAssignment, and User records on sign-up confirmation.
+   */
+  grantPostConfirmationPermissions() {
+    const dataStoreTable = this.dataStoreTable();
+    const dynamoActions = [
+      "dynamodb:PutItem",
+      "dynamodb:UpdateItem",
+      "dynamodb:BatchWriteItem",
+      "dynamodb:DescribeTable"
+    ];
+    dataStoreTable.grant(this.postConfirmationLambda, ...dynamoActions);
+    this.postConfirmationLambda.addToRolePolicy(
+      new import_aws_iam.PolicyStatement({
+        effect: import_aws_iam.Effect.ALLOW,
+        actions: [...dynamoActions],
+        resources: [`${dataStoreTable.tableArn}/index/*`]
+      })
+    );
+  }
   /**
    * Creates the User Pool Client and exports its ID to SSM (AUTH service type).
    * Look up via {@link OpenHiAuthService.userPoolClientFromConstruct}.
@@ -1708,154 +1924,53 @@ var import_aws_route533 = require("aws-cdk-lib/aws-route53");
 var import_aws_route53_targets = require("aws-cdk-lib/aws-route53-targets");
 var import_core3 = require("aws-cdk-lib/core");
 
-// src/services/open-hi-data-service.ts
-var import_aws_dynamodb2 = require("aws-cdk-lib/aws-dynamodb");
-var import_aws_events3 = require("aws-cdk-lib/aws-events");
-var kinesis = __toESM(require("aws-cdk-lib/aws-kinesis"));
-var _OpenHiDataService = class _OpenHiDataService extends OpenHiService {
-  /**
-   * Returns the data event bus by name (deterministic per branch). Use from other stacks to obtain an IEventBus reference.
-   */
-  static dataEventBusFromConstruct(scope) {
-    return import_aws_events3.EventBus.fromEventBusName(
-      scope,
-      "data-event-bus",
-      DataEventBus.getEventBusName(scope)
-    );
-  }
-  /**
-   * Returns the ops event bus by name (deterministic per branch). Use from other stacks to obtain an IEventBus reference.
-   */
-  static opsEventBusFromConstruct(scope) {
-    return import_aws_events3.EventBus.fromEventBusName(
-      scope,
-      "ops-event-bus",
-      OpsEventBus.getEventBusName(scope)
-    );
-  }
-  /**
-   * Returns the data store table by name. Use from other stacks (e.g. REST API Lambda) to obtain an ITable reference.
-   */
-  static dynamoDbDataStoreFromConstruct(scope, id = "dynamo-db-data-store") {
-    return import_aws_dynamodb2.Table.fromTableName(scope, id, getDynamoDbDataStoreTableName(scope));
-  }
-  get serviceType() {
-    return _OpenHiDataService.SERVICE_TYPE;
-  }
-  constructor(ohEnv, props = {}) {
-    super(ohEnv, _OpenHiDataService.SERVICE_TYPE, props);
-    this.props = props;
-    this.dataEventBus = this.createDataEventBus();
-    this.opsEventBus = this.createOpsEventBus();
-    this.dataStoreChangeStream = new kinesis.Stream(
-      this,
-      "data-store-change-stream",
-      {
-        streamName: `openhi-dstore-cdc-${this.branchHash}`,
-        streamMode: kinesis.StreamMode.ON_DEMAND,
-        // CDK default for kinesis.Stream is RETAIN, which strands the stream
-        // when a non-prod stack is destroyed. Use the service's policy so
-        // non-prod tears down cleanly while prod retains.
-        removalPolicy: this.removalPolicy
-      }
-    );
-    this.dataStore = this.createDataStore();
-    this.dataStoreHistoricalArchive = new DataStoreHistoricalArchive(
-      this,
-      "data-store-historical-archive",
-      {
-        kinesisStream: this.dataStoreChangeStream,
-        removalPolicy: this.removalPolicy,
-        stackHash: this.stackHash,
-        dataEventBus: this.dataEventBus
-      }
-    );
-    this.dataStorePostgresReplica = new DataStorePostgresReplica(
-      this,
-      "data-store-postgres-replica",
-      {
-        kinesisStream: this.dataStoreChangeStream,
-        removalPolicy: this.removalPolicy,
-        stackHash: this.stackHash,
-        branchHash: this.branchHash
-      }
-    );
-  }
-  /**
-   * Creates the data event bus.
-   * Override to customize.
-   */
-  createDataEventBus() {
-    return new DataEventBus(this);
-  }
-  /**
-   * Creates the ops event bus.
-   * Override to customize.
-   */
-  createOpsEventBus() {
-    return new OpsEventBus(this);
-  }
-  /**
-   * Creates the single-table DynamoDB data store.
-   * Override to customize.
-   */
-  createDataStore() {
-    return new DynamoDbDataStore(this, "dynamo-db-data-store", {
-      kinesisStream: this.dataStoreChangeStream,
-      stream: import_aws_dynamodb2.StreamViewType.NEW_AND_OLD_IMAGES
-    });
-  }
-};
-_OpenHiDataService.SERVICE_TYPE = "data";
-var OpenHiDataService = _OpenHiDataService;
-
 // src/data/lambda/cors-options-lambda.ts
-var import_node_fs5 = __toESM(require("fs"));
-var import_node_path5 = __toESM(require("path"));
-var import_aws_lambda5 = require("aws-cdk-lib/aws-lambda");
-var import_aws_lambda_nodejs5 = require("aws-cdk-lib/aws-lambda-nodejs");
-var import_constructs7 = require("constructs");
-var HANDLER_NAME5 = "cors-options-lambda.handler.js";
-function resolveHandlerEntry5(dirname) {
-  const sameDir = import_node_path5.default.join(dirname, HANDLER_NAME5);
-  if (import_node_fs5.default.existsSync(sameDir)) {
+var import_node_fs6 = __toESM(require("fs"));
+var import_node_path6 = __toESM(require("path"));
+var import_aws_lambda6 = require("aws-cdk-lib/aws-lambda");
+var import_aws_lambda_nodejs6 = require("aws-cdk-lib/aws-lambda-nodejs");
+var import_constructs8 = require("constructs");
+var HANDLER_NAME6 = "cors-options-lambda.handler.js";
+function resolveHandlerEntry6(dirname) {
+  const sameDir = import_node_path6.default.join(dirname, HANDLER_NAME6);
+  if (import_node_fs6.default.existsSync(sameDir)) {
     return sameDir;
   }
-  const fromLib = import_node_path5.default.join(dirname, "..", "..", "..", "lib", HANDLER_NAME5);
+  const fromLib = import_node_path6.default.join(dirname, "..", "..", "..", "lib", HANDLER_NAME6);
   return fromLib;
 }
-var CorsOptionsLambda = class extends import_constructs7.Construct {
+var CorsOptionsLambda = class extends import_constructs8.Construct {
   constructor(scope, id = "cors-options-lambda") {
     super(scope, id);
-    this.lambda = new import_aws_lambda_nodejs5.NodejsFunction(this, "handler", {
-      entry: resolveHandlerEntry5(__dirname),
-      runtime: import_aws_lambda5.Runtime.NODEJS_LATEST,
+    this.lambda = new import_aws_lambda_nodejs6.NodejsFunction(this, "handler", {
+      entry: resolveHandlerEntry6(__dirname),
+      runtime: import_aws_lambda6.Runtime.NODEJS_LATEST,
       memorySize: 128
     });
   }
 };
 
 // src/data/lambda/rest-api-lambda.ts
-var import_node_fs6 = __toESM(require("fs"));
-var import_node_path6 = __toESM(require("path"));
-var import_aws_lambda6 = require("aws-cdk-lib/aws-lambda");
-var import_aws_lambda_nodejs6 = require("aws-cdk-lib/aws-lambda-nodejs");
-var import_constructs8 = require("constructs");
-var HANDLER_NAME6 = "rest-api-lambda.handler.js";
-function resolveHandlerEntry6(dirname) {
-  const sameDir = import_node_path6.default.join(dirname, HANDLER_NAME6);
-  if (import_node_fs6.default.existsSync(sameDir)) {
+var import_node_fs7 = __toESM(require("fs"));
+var import_node_path7 = __toESM(require("path"));
+var import_aws_lambda7 = require("aws-cdk-lib/aws-lambda");
+var import_aws_lambda_nodejs7 = require("aws-cdk-lib/aws-lambda-nodejs");
+var import_constructs9 = require("constructs");
+var HANDLER_NAME7 = "rest-api-lambda.handler.js";
+function resolveHandlerEntry7(dirname) {
+  const sameDir = import_node_path7.default.join(dirname, HANDLER_NAME7);
+  if (import_node_fs7.default.existsSync(sameDir)) {
     return sameDir;
   }
-  const fromLib = import_node_path6.default.join(dirname, "..", "..", "..", "lib", HANDLER_NAME6);
+  const fromLib = import_node_path7.default.join(dirname, "..", "..", "..", "lib", HANDLER_NAME7);
   return fromLib;
 }
-var RestApiLambda = class extends import_constructs8.Construct {
+var RestApiLambda = class extends import_constructs9.Construct {
   constructor(scope, props) {
     super(scope, "rest-api-lambda");
-    this.lambda = new import_aws_lambda_nodejs6.NodejsFunction(this, "handler", {
-      entry: resolveHandlerEntry6(__dirname),
-      runtime: import_aws_lambda6.Runtime.NODEJS_LATEST,
+    this.lambda = new import_aws_lambda_nodejs7.NodejsFunction(this, "handler", {
+      entry: resolveHandlerEntry7(__dirname),
+      runtime: import_aws_lambda7.Runtime.NODEJS_LATEST,
       memorySize: 1024,
       environment: {
         DYNAMO_TABLE_NAME: props.dynamoTableName,
@@ -2211,6 +2326,7 @@ var OpenHiGraphqlService = _OpenHiGraphqlService;
   POSTGRES_REPLICA_DATABASE_NAME_SSM_NAME,
   POSTGRES_REPLICA_SECRET_ARN_SSM_NAME,
   PostAuthenticationLambda,
+  PostConfirmationLambda,
   PreTokenGenerationLambda,
   REST_API_BASE_URL_SSM_NAME,
   RootGraphqlApi,