@openhi/constructs 0.0.91 → 0.0.93

package/lib/index.mjs

@@ -699,13 +699,13 @@ var PostAuthenticationLambda = class extends Construct {
   }
 };
 
-// src/components/cognito/pre-token-generation-lambda.ts
+// src/components/cognito/post-confirmation-lambda.ts
 import fs2 from "fs";
 import path2 from "path";
 import { Runtime as Runtime2 } from "aws-cdk-lib/aws-lambda";
 import { NodejsFunction as NodejsFunction2 } from "aws-cdk-lib/aws-lambda-nodejs";
 import { Construct as Construct2 } from "constructs";
-var HANDLER_NAME2 = "pre-token-generation.handler.js";
+var HANDLER_NAME2 = "post-confirmation.handler.js";
 function resolveHandlerEntry2(dirname) {
   const sameDir = path2.join(dirname, HANDLER_NAME2);
   if (fs2.existsSync(sameDir)) {
@@ -714,35 +714,67 @@ function resolveHandlerEntry2(dirname) {
   const fromLib = path2.join(dirname, "..", "..", "..", "lib", HANDLER_NAME2);
   return fromLib;
 }
-var PreTokenGenerationLambda = class extends Construct2 {
-  constructor(scope) {
-    super(scope, "pre-token-generation-lambda");
+var PostConfirmationLambda = class extends Construct2 {
+  constructor(scope, props) {
+    super(scope, "post-confirmation-lambda");
     this.lambda = new NodejsFunction2(this, "handler", {
       entry: resolveHandlerEntry2(__dirname),
       runtime: Runtime2.NODEJS_LATEST,
-      memorySize: 1024
+      memorySize: 1024,
+      environment: {
+        DYNAMO_TABLE_NAME: props.dynamoTableName
+      }
     });
   }
 };
 
-// src/components/dynamodb/data-store-historical-archive.ts
+// src/components/cognito/pre-token-generation-lambda.ts
 import fs3 from "fs";
 import path3 from "path";
-import { Duration as Duration2, RemovalPolicy as RemovalPolicy2, Size } from "aws-cdk-lib";
-import * as kinesisfirehose from "aws-cdk-lib/aws-kinesisfirehose";
 import { Runtime as Runtime3 } from "aws-cdk-lib/aws-lambda";
 import { NodejsFunction as NodejsFunction3 } from "aws-cdk-lib/aws-lambda-nodejs";
-import * as s3 from "aws-cdk-lib/aws-s3";
 import { Construct as Construct3 } from "constructs";
-var HANDLER_NAME3 = "firehose-archive-transform.handler.js";
+var HANDLER_NAME3 = "pre-token-generation.handler.js";
 function resolveHandlerEntry3(dirname) {
   const sameDir = path3.join(dirname, HANDLER_NAME3);
   if (fs3.existsSync(sameDir)) {
     return sameDir;
   }
-  return path3.join(dirname, "..", "..", "..", "lib", HANDLER_NAME3);
+  const fromLib = path3.join(dirname, "..", "..", "..", "lib", HANDLER_NAME3);
+  return fromLib;
+}
+var PreTokenGenerationLambda = class extends Construct3 {
+  constructor(scope, props) {
+    super(scope, "pre-token-generation-lambda");
+    this.lambda = new NodejsFunction3(this, "handler", {
+      entry: resolveHandlerEntry3(__dirname),
+      runtime: Runtime3.NODEJS_LATEST,
+      memorySize: 1024,
+      environment: {
+        DYNAMO_TABLE_NAME: props.dynamoTableName
+      }
+    });
+  }
+};
+
+// src/components/dynamodb/data-store-historical-archive.ts
+import fs4 from "fs";
+import path4 from "path";
+import { Duration as Duration2, RemovalPolicy as RemovalPolicy2, Size } from "aws-cdk-lib";
+import * as kinesisfirehose from "aws-cdk-lib/aws-kinesisfirehose";
+import { Runtime as Runtime4 } from "aws-cdk-lib/aws-lambda";
+import { NodejsFunction as NodejsFunction4 } from "aws-cdk-lib/aws-lambda-nodejs";
+import * as s3 from "aws-cdk-lib/aws-s3";
+import { Construct as Construct4 } from "constructs";
+var HANDLER_NAME4 = "firehose-archive-transform.handler.js";
+function resolveHandlerEntry4(dirname) {
+  const sameDir = path4.join(dirname, HANDLER_NAME4);
+  if (fs4.existsSync(sameDir)) {
+    return sameDir;
+  }
+  return path4.join(dirname, "..", "..", "..", "lib", HANDLER_NAME4);
 }
-var DataStoreHistoricalArchive = class extends Construct3 {
+var DataStoreHistoricalArchive = class extends Construct4 {
   constructor(scope, id, props) {
     super(scope, id);
     this.archiveBucket = new s3.Bucket(this, "ArchiveBucket", {
@@ -762,9 +794,9 @@ var DataStoreHistoricalArchive = class extends Construct3 {
       versioned: false
     }) : void 0;
     this.putEventsFailureDlqBucket = putEventsFailureDlqBucket;
-    this.transformFunction = new NodejsFunction3(this, "FirehoseTransform", {
-      entry: resolveHandlerEntry3(__dirname),
-      runtime: Runtime3.NODEJS_LATEST,
+    this.transformFunction = new NodejsFunction4(this, "FirehoseTransform", {
+      entry: resolveHandlerEntry4(__dirname),
+      runtime: Runtime4.NODEJS_LATEST,
       memorySize: 512,
       timeout: Duration2.minutes(1),
       description: "Firehose transform: filter CURRENT resource rows, S3 keys, EventBridge PutEvents",
@@ -947,27 +979,27 @@ var OpsEventBus = class _OpsEventBus extends EventBus2 {
 };
 
 // src/components/postgres/data-store-postgres-replica.ts
-import fs4 from "fs";
-import path4 from "path";
+import fs5 from "fs";
+import path5 from "path";
 import { Duration as Duration3, Stack as Stack2 } from "aws-cdk-lib";
 import * as ec2 from "aws-cdk-lib/aws-ec2";
-import { Runtime as Runtime4, StartingPosition } from "aws-cdk-lib/aws-lambda";
+import { Runtime as Runtime5, StartingPosition } from "aws-cdk-lib/aws-lambda";
 import { KinesisEventSource } from "aws-cdk-lib/aws-lambda-event-sources";
-import { NodejsFunction as NodejsFunction4 } from "aws-cdk-lib/aws-lambda-nodejs";
+import { NodejsFunction as NodejsFunction5 } from "aws-cdk-lib/aws-lambda-nodejs";
 import * as rds from "aws-cdk-lib/aws-rds";
-import { Construct as Construct4 } from "constructs";
-var HANDLER_NAME4 = "data-store-postgres-replication.handler.js";
+import { Construct as Construct5 } from "constructs";
+var HANDLER_NAME5 = "data-store-postgres-replication.handler.js";
 var DEFAULT_DATABASE_NAME = "openhi";
 var SCHEMA_NAME_PATTERN = /^[a-z_][a-z0-9_]{0,62}$/;
 var POSTGRES_REPLICA_CLUSTER_ARN_SSM_NAME = "POSTGRES_REPLICA_CLUSTER_ARN";
 var POSTGRES_REPLICA_SECRET_ARN_SSM_NAME = "POSTGRES_REPLICA_SECRET_ARN";
 var POSTGRES_REPLICA_DATABASE_NAME_SSM_NAME = "POSTGRES_REPLICA_DATABASE_NAME";
-function resolveHandlerEntry4(dirname) {
-  const sameDir = path4.join(dirname, HANDLER_NAME4);
-  if (fs4.existsSync(sameDir)) {
+function resolveHandlerEntry5(dirname) {
+  const sameDir = path5.join(dirname, HANDLER_NAME5);
+  if (fs5.existsSync(sameDir)) {
     return sameDir;
   }
-  return path4.join(dirname, "..", "..", "..", "lib", HANDLER_NAME4);
+  return path5.join(dirname, "..", "..", "..", "lib", HANDLER_NAME5);
 }
 function getPostgresReplicaSchemaName(branchHash) {
   const candidate = `b_${branchHash.toLowerCase()}`;
@@ -978,7 +1010,7 @@ function getPostgresReplicaSchemaName(branchHash) {
   }
   return candidate;
 }
-var DataStorePostgresReplica = class extends Construct4 {
+var DataStorePostgresReplica = class extends Construct5 {
   /**
    * Resolve the cluster ARN published by an upstream {@link DataStorePostgresReplica}.
    * Use from any stack that needs to grant `rds-data:ExecuteStatement` against
@@ -1047,9 +1079,9 @@ var DataStorePostgresReplica = class extends Construct4 {
       enableDataApi: true
     });
     this.publishCoordinatesToSsm();
-    this.replicationFunction = new NodejsFunction4(this, "ReplicationFunction", {
-      entry: resolveHandlerEntry4(__dirname),
-      runtime: Runtime4.NODEJS_LATEST,
+    this.replicationFunction = new NodejsFunction5(this, "ReplicationFunction", {
+      entry: resolveHandlerEntry5(__dirname),
+      runtime: Runtime5.NODEJS_LATEST,
       memorySize: 512,
       timeout: Duration3.minutes(1),
       vpc: this.vpc,
@@ -1133,8 +1165,8 @@ var ChildHostedZone = class extends HostedZone {
 ChildHostedZone.SSM_PARAM_NAME = "CHILDHOSTEDZONE";
 
 // src/components/route-53/root-hosted-zone.ts
-import { Construct as Construct5 } from "constructs";
-var RootHostedZone = class extends Construct5 {
+import { Construct as Construct6 } from "constructs";
+var RootHostedZone = class extends Construct6 {
 };
 
 // src/components/static-hosting/static-hosting.ts
@@ -1145,9 +1177,9 @@ import {
 import { S3BucketOrigin } from "aws-cdk-lib/aws-cloudfront-origins";
 import { Bucket as Bucket2 } from "aws-cdk-lib/aws-s3";
 import { Duration as Duration5 } from "aws-cdk-lib/core";
-import { Construct as Construct6 } from "constructs";
+import { Construct as Construct7 } from "constructs";
 var STATIC_HOSTING_SERVICE_TYPE = "website";
-var _StaticHosting = class _StaticHosting extends Construct6 {
+var _StaticHosting = class _StaticHosting extends Construct7 {
   constructor(scope, id, props = {}) {
     super(scope, id);
     const stack = OpenHiService.of(scope);
@@ -1207,10 +1239,135 @@ import {
   UserPoolDomain as UserPoolDomain2,
   UserPoolOperation
 } from "aws-cdk-lib/aws-cognito";
-import { PolicyStatement } from "aws-cdk-lib/aws-iam";
+import { Effect, PolicyStatement } from "aws-cdk-lib/aws-iam";
 import { Key as Key2 } from "aws-cdk-lib/aws-kms";
 import { Stack as Stack3 } from "aws-cdk-lib/core";
+
+// src/services/open-hi-data-service.ts
+import { StreamViewType, Table as Table2 } from "aws-cdk-lib/aws-dynamodb";
+import { EventBus as EventBus3 } from "aws-cdk-lib/aws-events";
+import * as kinesis from "aws-cdk-lib/aws-kinesis";
+var _OpenHiDataService = class _OpenHiDataService extends OpenHiService {
+  /**
+   * Returns the data event bus by name (deterministic per branch). Use from other stacks to obtain an IEventBus reference.
+   */
+  static dataEventBusFromConstruct(scope) {
+    return EventBus3.fromEventBusName(
+      scope,
+      "data-event-bus",
+      DataEventBus.getEventBusName(scope)
+    );
+  }
+  /**
+   * Returns the ops event bus by name (deterministic per branch). Use from other stacks to obtain an IEventBus reference.
+   */
+  static opsEventBusFromConstruct(scope) {
+    return EventBus3.fromEventBusName(
+      scope,
+      "ops-event-bus",
+      OpsEventBus.getEventBusName(scope)
+    );
+  }
+  /**
+   * Returns the data store table by name. Use from other stacks (e.g. REST API Lambda) to obtain an ITable reference.
+   */
+  static dynamoDbDataStoreFromConstruct(scope, id = "dynamo-db-data-store") {
+    return Table2.fromTableName(scope, id, getDynamoDbDataStoreTableName(scope));
+  }
+  get serviceType() {
+    return _OpenHiDataService.SERVICE_TYPE;
+  }
+  constructor(ohEnv, props = {}) {
+    super(ohEnv, _OpenHiDataService.SERVICE_TYPE, props);
+    this.props = props;
+    this.dataEventBus = this.createDataEventBus();
+    this.opsEventBus = this.createOpsEventBus();
+    this.dataStoreChangeStream = new kinesis.Stream(
+      this,
+      "data-store-change-stream",
+      {
+        streamName: `openhi-dstore-cdc-${this.branchHash}`,
+        streamMode: kinesis.StreamMode.ON_DEMAND,
+        // CDK default for kinesis.Stream is RETAIN, which strands the stream
+        // when a non-prod stack is destroyed. Use the service's policy so
+        // non-prod tears down cleanly while prod retains.
+        removalPolicy: this.removalPolicy
+      }
+    );
+    this.dataStore = this.createDataStore();
+    this.dataStoreHistoricalArchive = new DataStoreHistoricalArchive(
+      this,
+      "data-store-historical-archive",
+      {
+        kinesisStream: this.dataStoreChangeStream,
+        removalPolicy: this.removalPolicy,
+        stackHash: this.stackHash,
+        dataEventBus: this.dataEventBus
+      }
+    );
+    this.dataStorePostgresReplica = new DataStorePostgresReplica(
+      this,
+      "data-store-postgres-replica",
+      {
+        kinesisStream: this.dataStoreChangeStream,
+        removalPolicy: this.removalPolicy,
+        stackHash: this.stackHash,
+        branchHash: this.branchHash
+      }
+    );
+  }
+  /**
+   * Creates the data event bus.
+   * Override to customize.
+   */
+  createDataEventBus() {
+    return new DataEventBus(this);
+  }
+  /**
+   * Creates the ops event bus.
+   * Override to customize.
+   */
+  createOpsEventBus() {
+    return new OpsEventBus(this);
+  }
+  /**
+   * Creates the single-table DynamoDB data store.
+   * Override to customize.
+   */
+  createDataStore() {
+    return new DynamoDbDataStore(this, "dynamo-db-data-store", {
+      kinesisStream: this.dataStoreChangeStream,
+      stream: StreamViewType.NEW_AND_OLD_IMAGES
+    });
+  }
+};
+_OpenHiDataService.SERVICE_TYPE = "data";
+var OpenHiDataService = _OpenHiDataService;
+
+// src/services/open-hi-auth-service.ts
 var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
+  constructor(ohEnv, props = {}) {
+    super(ohEnv, _OpenHiAuthService.SERVICE_TYPE, props);
+    /**
+     * Cross-stack reference to the data store table. Cached so repeated
+     * lookups share a single CDK construct id ("dynamo-db-data-store") in
+     * this stack — a second `Table.fromTableName` call under the same scope
+     * would collide.
+     */
+    this._dataStoreTable = null;
+    this.props = props;
+    this.userPoolKmsKey = this.createUserPoolKmsKey();
+    this.preTokenGenerationLambda = this.createPreTokenGenerationLambda();
+    this.postAuthenticationLambda = this.createPostAuthenticationLambda();
+    this.postConfirmationLambda = this.createPostConfirmationLambda();
+    this.userPool = this.createUserPool();
+    this.grantPreTokenGenerationPermissions();
+    this.grantPostAuthenticationPermissions();
+    this.grantPostConfirmationPermissions();
+    this.userPoolClient = this.createUserPoolClient();
+    this.userPoolDomain = this.createUserPoolDomain();
+    this.fixtureSeederClient = this.createFixtureSeederClient();
+  }
   /**
    * Returns an IUserPool by looking up the Auth stack's User Pool ID from SSM.
    */
@@ -1282,18 +1439,6 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
   get serviceType() {
     return _OpenHiAuthService.SERVICE_TYPE;
   }
-  constructor(ohEnv, props = {}) {
-    super(ohEnv, _OpenHiAuthService.SERVICE_TYPE, props);
-    this.props = props;
-    this.userPoolKmsKey = this.createUserPoolKmsKey();
-    this.preTokenGenerationLambda = this.createPreTokenGenerationLambda();
-    this.postAuthenticationLambda = this.createPostAuthenticationLambda();
-    this.userPool = this.createUserPool();
-    this.grantPostAuthenticationPermissions();
-    this.userPoolClient = this.createUserPoolClient();
-    this.userPoolDomain = this.createUserPoolDomain();
-    this.fixtureSeederClient = this.createFixtureSeederClient();
-  }
   /**
    * Creates the KMS key for the Cognito User Pool and exports its ARN to SSM.
    * Look up via {@link OpenHiAuthService.userPoolKmsKeyFromConstruct}.
@@ -1309,11 +1454,15 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
     return key;
   }
   /**
-   * Creates the Pre Token Generation Lambda (Cognito trigger). Phase 2 will add
-   * openhi_* claims to the access token only; trigger version V2_0 may be required.
+   * Creates the Pre Token Generation Lambda (Cognito trigger). On every
+   * sign-in and token refresh the Lambda resolves the User by Cognito `sub`
+   * (GSI2) and injects `ohi_tid`, `ohi_wid`, `ohi_uid`, `ohi_uname` into
+   * both the ID token and the access token (ADR 2026-03-17-01).
    */
   createPreTokenGenerationLambda() {
-    const construct = new PreTokenGenerationLambda(this);
+    const construct = new PreTokenGenerationLambda(this, {
+      dynamoTableName: this.dataStoreTable().tableName
+    });
     return construct.lambda;
   }
   /**
@@ -1325,6 +1474,25 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
     const construct = new PostAuthenticationLambda(this);
     return construct.lambda;
   }
+  /**
+   * Creates the Post Confirmation Lambda (Cognito trigger). On sign-up
+   * confirmation, writes the new user's default Tenant, Workspace,
+   * Memberships, and `tenant-user` RoleAssignment, plus a User record
+   * carrying the Cognito `sub` and current tenant/workspace pointers
+   * (ADR 2026-03-17-01 invariants).
+   */
+  createPostConfirmationLambda() {
+    const construct = new PostConfirmationLambda(this, {
+      dynamoTableName: this.dataStoreTable().tableName
+    });
+    return construct.lambda;
+  }
+  dataStoreTable() {
+    if (this._dataStoreTable === null) {
+      this._dataStoreTable = OpenHiDataService.dynamoDbDataStoreFromConstruct(this);
+    }
+    return this._dataStoreTable;
+  }
   /**
    * Creates the Cognito User Pool and exports its ID to SSM.
    * Look up via {@link OpenHiAuthService.userPoolFromConstruct}.
@@ -1344,6 +1512,10 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
       UserPoolOperation.POST_AUTHENTICATION,
       this.postAuthenticationLambda
     );
+    userPool.addTrigger(
+      UserPoolOperation.POST_CONFIRMATION,
+      this.postConfirmationLambda
+    );
     new DiscoverableStringParameter(this, "user-pool-param", {
       ssmParamName: CognitoUserPool.SSM_PARAM_NAME,
       stringValue: userPool.userPoolId,
@@ -1351,6 +1523,27 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
     });
     return userPool;
   }
+  /**
+   * Grants the Pre Token Generation Lambda read-only access on the data
+   * store table and its GSIs. The Lambda only needs:
+   * - `Query` on GSI2 to resolve a User by Cognito `sub`
+   * - `GetItem` on the base table for direct User reads
+   *
+   * No write or scan access: a User missing `currentTenant`/`currentWorkspace`
+   * falls into the absent-claims path; repair belongs in a separate backfill.
+   */
+  grantPreTokenGenerationPermissions() {
+    const dataStoreTable = this.dataStoreTable();
+    const dynamoActions = ["dynamodb:GetItem", "dynamodb:Query"];
+    dataStoreTable.grant(this.preTokenGenerationLambda, ...dynamoActions);
+    this.preTokenGenerationLambda.addToRolePolicy(
+      new PolicyStatement({
+        effect: Effect.ALLOW,
+        actions: [...dynamoActions],
+        resources: [`${dataStoreTable.tableArn}/index/*`]
+      })
+    );
+  }
   /**
    * Grants the Post Authentication Lambda permission to call
    * `cognito-idp:AdminUserGlobalSignOut`.
@@ -1378,6 +1571,28 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
       })
     );
   }
+  /**
+   * Grants the Post Confirmation Lambda write access to the data store
+   * table (and its GSIs) so it can seed the new user's Tenant, Workspace,
+   * Memberships, RoleAssignment, and User records on sign-up confirmation.
+   */
+  grantPostConfirmationPermissions() {
+    const dataStoreTable = this.dataStoreTable();
+    const dynamoActions = [
+      "dynamodb:PutItem",
+      "dynamodb:UpdateItem",
+      "dynamodb:BatchWriteItem",
+      "dynamodb:DescribeTable"
+    ];
+    dataStoreTable.grant(this.postConfirmationLambda, ...dynamoActions);
+    this.postConfirmationLambda.addToRolePolicy(
+      new PolicyStatement({
+        effect: Effect.ALLOW,
+        actions: [...dynamoActions],
+        resources: [`${dataStoreTable.tableArn}/index/*`]
+      })
+    );
+  }
   /**
    * Creates the User Pool Client and exports its ID to SSM (AUTH service type).
    * Look up via {@link OpenHiAuthService.userPoolClientFromConstruct}.
@@ -1562,7 +1777,7 @@ import {
 } from "aws-cdk-lib/aws-apigatewayv2";
 import { HttpUserPoolAuthorizer } from "aws-cdk-lib/aws-apigatewayv2-authorizers";
 import { HttpLambdaIntegration } from "aws-cdk-lib/aws-apigatewayv2-integrations";
-import { Effect, PolicyStatement as PolicyStatement2 } from "aws-cdk-lib/aws-iam";
+import { Effect as Effect2, PolicyStatement as PolicyStatement2 } from "aws-cdk-lib/aws-iam";
 import {
   ARecord,
   HostedZone as HostedZone3,
@@ -1571,154 +1786,53 @@ import {
 import { ApiGatewayv2DomainProperties } from "aws-cdk-lib/aws-route53-targets";
 import { Duration as Duration6 } from "aws-cdk-lib/core";
 
-// src/services/open-hi-data-service.ts
-import { StreamViewType, Table as Table2 } from "aws-cdk-lib/aws-dynamodb";
-import { EventBus as EventBus3 } from "aws-cdk-lib/aws-events";
-import * as kinesis from "aws-cdk-lib/aws-kinesis";
-var _OpenHiDataService = class _OpenHiDataService extends OpenHiService {
-  /**
-   * Returns the data event bus by name (deterministic per branch). Use from other stacks to obtain an IEventBus reference.
-   */
-  static dataEventBusFromConstruct(scope) {
-    return EventBus3.fromEventBusName(
-      scope,
-      "data-event-bus",
-      DataEventBus.getEventBusName(scope)
-    );
-  }
-  /**
-   * Returns the ops event bus by name (deterministic per branch). Use from other stacks to obtain an IEventBus reference.
-   */
-  static opsEventBusFromConstruct(scope) {
-    return EventBus3.fromEventBusName(
-      scope,
-      "ops-event-bus",
-      OpsEventBus.getEventBusName(scope)
-    );
-  }
-  /**
-   * Returns the data store table by name. Use from other stacks (e.g. REST API Lambda) to obtain an ITable reference.
-   */
-  static dynamoDbDataStoreFromConstruct(scope, id = "dynamo-db-data-store") {
-    return Table2.fromTableName(scope, id, getDynamoDbDataStoreTableName(scope));
-  }
-  get serviceType() {
-    return _OpenHiDataService.SERVICE_TYPE;
-  }
-  constructor(ohEnv, props = {}) {
-    super(ohEnv, _OpenHiDataService.SERVICE_TYPE, props);
-    this.props = props;
-    this.dataEventBus = this.createDataEventBus();
-    this.opsEventBus = this.createOpsEventBus();
-    this.dataStoreChangeStream = new kinesis.Stream(
-      this,
-      "data-store-change-stream",
-      {
-        streamName: `openhi-dstore-cdc-${this.branchHash}`,
-        streamMode: kinesis.StreamMode.ON_DEMAND,
-        // CDK default for kinesis.Stream is RETAIN, which strands the stream
-        // when a non-prod stack is destroyed. Use the service's policy so
-        // non-prod tears down cleanly while prod retains.
-        removalPolicy: this.removalPolicy
-      }
-    );
-    this.dataStore = this.createDataStore();
-    this.dataStoreHistoricalArchive = new DataStoreHistoricalArchive(
-      this,
-      "data-store-historical-archive",
-      {
-        kinesisStream: this.dataStoreChangeStream,
-        removalPolicy: this.removalPolicy,
-        stackHash: this.stackHash,
-        dataEventBus: this.dataEventBus
-      }
-    );
-    this.dataStorePostgresReplica = new DataStorePostgresReplica(
-      this,
-      "data-store-postgres-replica",
-      {
-        kinesisStream: this.dataStoreChangeStream,
-        removalPolicy: this.removalPolicy,
-        stackHash: this.stackHash,
-        branchHash: this.branchHash
-      }
-    );
-  }
-  /**
-   * Creates the data event bus.
-   * Override to customize.
-   */
-  createDataEventBus() {
-    return new DataEventBus(this);
-  }
-  /**
-   * Creates the ops event bus.
-   * Override to customize.
-   */
-  createOpsEventBus() {
-    return new OpsEventBus(this);
-  }
-  /**
-   * Creates the single-table DynamoDB data store.
-   * Override to customize.
-   */
-  createDataStore() {
-    return new DynamoDbDataStore(this, "dynamo-db-data-store", {
-      kinesisStream: this.dataStoreChangeStream,
-      stream: StreamViewType.NEW_AND_OLD_IMAGES
-    });
-  }
-};
-_OpenHiDataService.SERVICE_TYPE = "data";
-var OpenHiDataService = _OpenHiDataService;
-
 // src/data/lambda/cors-options-lambda.ts
-import fs5 from "fs";
-import path5 from "path";
-import { Runtime as Runtime5 } from "aws-cdk-lib/aws-lambda";
-import { NodejsFunction as NodejsFunction5 } from "aws-cdk-lib/aws-lambda-nodejs";
-import { Construct as Construct7 } from "constructs";
-var HANDLER_NAME5 = "cors-options-lambda.handler.js";
-function resolveHandlerEntry5(dirname) {
-  const sameDir = path5.join(dirname, HANDLER_NAME5);
-  if (fs5.existsSync(sameDir)) {
+import fs6 from "fs";
+import path6 from "path";
+import { Runtime as Runtime6 } from "aws-cdk-lib/aws-lambda";
+import { NodejsFunction as NodejsFunction6 } from "aws-cdk-lib/aws-lambda-nodejs";
+import { Construct as Construct8 } from "constructs";
+var HANDLER_NAME6 = "cors-options-lambda.handler.js";
+function resolveHandlerEntry6(dirname) {
+  const sameDir = path6.join(dirname, HANDLER_NAME6);
+  if (fs6.existsSync(sameDir)) {
     return sameDir;
   }
-  const fromLib = path5.join(dirname, "..", "..", "..", "lib", HANDLER_NAME5);
+  const fromLib = path6.join(dirname, "..", "..", "..", "lib", HANDLER_NAME6);
   return fromLib;
 }
-var CorsOptionsLambda = class extends Construct7 {
+var CorsOptionsLambda = class extends Construct8 {
   constructor(scope, id = "cors-options-lambda") {
     super(scope, id);
-    this.lambda = new NodejsFunction5(this, "handler", {
-      entry: resolveHandlerEntry5(__dirname),
-      runtime: Runtime5.NODEJS_LATEST,
+    this.lambda = new NodejsFunction6(this, "handler", {
+      entry: resolveHandlerEntry6(__dirname),
+      runtime: Runtime6.NODEJS_LATEST,
       memorySize: 128
     });
   }
 };
 
 // src/data/lambda/rest-api-lambda.ts
-import fs6 from "fs";
-import path6 from "path";
-import { Runtime as Runtime6 } from "aws-cdk-lib/aws-lambda";
-import { NodejsFunction as NodejsFunction6 } from "aws-cdk-lib/aws-lambda-nodejs";
-import { Construct as Construct8 } from "constructs";
-var HANDLER_NAME6 = "rest-api-lambda.handler.js";
-function resolveHandlerEntry6(dirname) {
-  const sameDir = path6.join(dirname, HANDLER_NAME6);
-  if (fs6.existsSync(sameDir)) {
+import fs7 from "fs";
+import path7 from "path";
+import { Runtime as Runtime7 } from "aws-cdk-lib/aws-lambda";
+import { NodejsFunction as NodejsFunction7 } from "aws-cdk-lib/aws-lambda-nodejs";
+import { Construct as Construct9 } from "constructs";
+var HANDLER_NAME7 = "rest-api-lambda.handler.js";
+function resolveHandlerEntry7(dirname) {
+  const sameDir = path7.join(dirname, HANDLER_NAME7);
+  if (fs7.existsSync(sameDir)) {
     return sameDir;
   }
-  const fromLib = path6.join(dirname, "..", "..", "..", "lib", HANDLER_NAME6);
+  const fromLib = path7.join(dirname, "..", "..", "..", "lib", HANDLER_NAME7);
   return fromLib;
 }
-var RestApiLambda = class extends Construct8 {
+var RestApiLambda = class extends Construct9 {
   constructor(scope, props) {
     super(scope, "rest-api-lambda");
-    this.lambda = new NodejsFunction6(this, "handler", {
-      entry: resolveHandlerEntry6(__dirname),
-      runtime: Runtime6.NODEJS_LATEST,
+    this.lambda = new NodejsFunction7(this, "handler", {
+      entry: resolveHandlerEntry7(__dirname),
+      runtime: Runtime7.NODEJS_LATEST,
       memorySize: 1024,
       environment: {
         DYNAMO_TABLE_NAME: props.dynamoTableName,
@@ -1861,7 +1975,7 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
     });
     lambda.addToRolePolicy(
       new PolicyStatement2({
-        effect: Effect.ALLOW,
+        effect: Effect2.ALLOW,
         actions: [
           "rds-data:ExecuteStatement",
           "rds-data:BatchExecuteStatement"
@@ -1871,7 +1985,7 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
     );
     lambda.addToRolePolicy(
       new PolicyStatement2({
-        effect: Effect.ALLOW,
+        effect: Effect2.ALLOW,
         actions: ["secretsmanager:GetSecretValue"],
         resources: [postgresSecretArn]
       })
@@ -1890,14 +2004,14 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
     dataStoreTable.grant(lambda, ...dynamoActions);
     lambda.addToRolePolicy(
       new PolicyStatement2({
-        effect: Effect.ALLOW,
+        effect: Effect2.ALLOW,
         actions: [...dynamoActions],
         resources: [`${dataStoreTable.tableArn}/index/*`]
       })
     );
     lambda.addToRolePolicy(
       new PolicyStatement2({
-        effect: Effect.ALLOW,
+        effect: Effect2.ALLOW,
         actions: [
           "ssm:GetParameter",
           "ssm:GetParameters",
@@ -2076,6 +2190,7 @@ export {
   POSTGRES_REPLICA_DATABASE_NAME_SSM_NAME,
   POSTGRES_REPLICA_SECRET_ARN_SSM_NAME,
   PostAuthenticationLambda,
+  PostConfirmationLambda,
   PreTokenGenerationLambda,
   REST_API_BASE_URL_SSM_NAME,
   RootGraphqlApi,