@openhi/constructs 0.0.103 → 0.0.105

package/lib/chunk-36YCDLLA.mjs

@@ -0,0 +1,1258 @@
+// src/data/dynamo/dynamo-control-service.ts
+import { Service } from "electrodb";
+
+// src/data/dynamo/dynamo-client.ts
+import { DynamoDBClient } from "@aws-sdk/client-dynamodb";
+var defaultTableName = process.env.DYNAMO_TABLE_NAME ?? "jesttesttable";
+var dynamoClient = new DynamoDBClient({
+  ...process.env.MOCK_DYNAMODB_ENDPOINT && {
+    endpoint: process.env.MOCK_DYNAMODB_ENDPOINT,
+    sslEnabled: false,
+    region: "local"
+  }
+});
+
+// src/data/dynamo/entities/control/configuration-entity.ts
+import { Entity } from "electrodb";
+
+// src/data/dynamo/shard.ts
+var SHARD_COUNT = 4;
+function computeShard(id) {
+  let hash = 2166136261;
+  for (let i = 0; i < id.length; i++) {
+    hash ^= id.charCodeAt(i);
+    hash = Math.imul(hash, 16777619);
+  }
+  return (hash >>> 0) % SHARD_COUNT;
+}
+
+// src/data/dynamo/entities/control/control-entity-common.ts
+var gsi1ShardAttribute = {
+  type: "string",
+  watch: ["id"],
+  set: (_val, item) => {
+    if (typeof item?.id !== "string" || item.id.length === 0) {
+      return void 0;
+    }
+    return String(computeShard(item.id));
+  }
+};
+
+// src/data/dynamo/entities/control/configuration-entity.ts
+var ConfigurationEntity = new Entity({
+  model: {
+    entity: "configuration",
+    service: "control",
+    version: "01"
+  },
+  attributes: {
+    /** Sort key. "CURRENT" for current version; version history in S3. */
+    sk: {
+      type: "string",
+      required: true,
+      default: "CURRENT"
+    },
+    /** Tenant scope. Use "BASELINE" when the config is baseline default (no tenant). */
+    tenantId: {
+      type: "string",
+      required: true,
+      default: "BASELINE"
+    },
+    /** Workspace scope. Use "-" when absent. */
+    workspaceId: {
+      type: "string",
+      required: true,
+      default: "-"
+    },
+    /** User scope. Use "-" when absent. */
+    userId: {
+      type: "string",
+      required: true,
+      default: "-"
+    },
+    /** Role scope. Use "-" when absent. */
+    roleId: {
+      type: "string",
+      required: true,
+      default: "-"
+    },
+    /** Config type (category), e.g. endpoints, branding, display. */
+    key: {
+      type: "string",
+      required: true
+    },
+    /** FHIR Resource.id; logical id in URL and for the Configuration resource. */
+    id: {
+      type: "string",
+      required: true
+    },
+    /** Payload as JSON string. JSON.stringify(resource) on write; JSON.parse(item.resource) on read. */
+    resource: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Summary projection (key display fields as JSON string: id, key, status).
+     * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.
+     */
+    summary: {
+      type: "string",
+      required: true
+    },
+    /** Version id (e.g. ULID). Tracks current version; S3 history key. */
+    vid: {
+      type: "string",
+      required: true
+    },
+    lastUpdated: {
+      type: "string",
+      required: true
+    },
+    gsi1Shard: gsi1ShardAttribute,
+    deleted: {
+      type: "boolean",
+      required: false
+    },
+    bundleId: {
+      type: "string",
+      required: false
+    },
+    msgId: {
+      type: "string",
+      required: false
+    }
+  },
+  indexes: {
+    /** Base table: PK, SK (data store key names). PK is built from tenantId, workspaceId, userId, roleId; SK is built from key and sk. Do not supply PK or SK from outside. */
+    record: {
+      pk: {
+        field: "PK",
+        composite: ["tenantId", "workspaceId", "userId", "roleId"],
+        template: "CONFIG#TID#${tenantId}#WID#${workspaceId}#UID#${userId}#RID#${roleId}"
+      },
+      sk: {
+        field: "SK",
+        composite: ["key", "sk"],
+        template: "KEY#${key}#SK#${sk}"
+      }
+    },
+    /**
+     * GSI1 — Unified Sharded List per ADR-011: list all Configuration entries for a
+     * (tenant, workspace) across the four shards. Use for "list configs scoped to this tenant"
+     * (workspaceId = "-") or "list configs scoped to this workspace". Does not support
+     * hierarchical resolution in one query; use base table GetItem in fallback order
+     * (user → workspace → tenant → baseline) for that.
+     * SK is `<ISO-8601 lastUpdated>#<id>` (control-plane unlabeled per DR-004).
+     * `casing: "none"` on the SK preserves ISO-8601 `T`/`Z`.
+     */
+    gsi1: {
+      index: "GSI1",
+      pk: {
+        field: "GSI1PK",
+        composite: ["tenantId", "workspaceId", "gsi1Shard"],
+        template: "TID#${tenantId}#WID#${workspaceId}#RT#Configuration#SHARD#${gsi1Shard}"
+      },
+      sk: {
+        field: "GSI1SK",
+        casing: "none",
+        composite: ["lastUpdated", "id"],
+        template: "${lastUpdated}#${id}"
+      }
+    }
+  }
+});
+
+// src/data/dynamo/entities/control/membership-entity.ts
+import { Entity as Entity2 } from "electrodb";
+var MembershipEntity = new Entity2({
+  model: {
+    entity: "membership",
+    service: "control",
+    version: "01"
+  },
+  attributes: {
+    /** Sort key sentinel. Always "CURRENT". */
+    sk: {
+      type: "string",
+      required: true,
+      default: "CURRENT"
+    },
+    /** Tenant in which the user has membership (required). */
+    tenantId: {
+      type: "string",
+      required: true
+    },
+    /** FHIR Resource.id; membership id. */
+    id: {
+      type: "string",
+      required: true
+    },
+    /** Full Membership resource serialized as JSON string. */
+    resource: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Summary projection (key display fields as JSON string: id, displayName, status).
+     * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.
+     */
+    summary: {
+      type: "string",
+      required: true
+    },
+    /** Version id (e.g. ULID). */
+    vid: {
+      type: "string",
+      required: true
+    },
+    lastUpdated: {
+      type: "string",
+      required: true
+    },
+    gsi1Shard: gsi1ShardAttribute,
+    deleted: {
+      type: "boolean",
+      required: false
+    },
+    bundleId: {
+      type: "string",
+      required: false
+    },
+    msgId: {
+      type: "string",
+      required: false
+    }
+  },
+  indexes: {
+    /** Base table: PK = TID#<tenantId>#MEMBERSHIP#ID#<id>, SK = CURRENT. Do not supply PK or SK from outside. */
+    record: {
+      pk: {
+        field: "PK",
+        composite: ["tenantId", "id"],
+        template: "TID#${tenantId}#MEMBERSHIP#ID#${id}"
+      },
+      sk: {
+        field: "SK",
+        composite: ["sk"],
+        template: "${sk}"
+      }
+    },
+    /**
+     * GSI1 — Unified Sharded List per ADR-011: list all Memberships for a tenant across the
+     * four shards. Membership is tenant-scoped only, so `WID#-` is a sentinel.
+     * SK is `<ISO-8601 lastUpdated>#<id>` (control-plane unlabeled per DR-004).
+     * `casing: "none"` on the SK preserves ISO-8601 `T`/`Z`.
+     */
+    gsi1: {
+      index: "GSI1",
+      pk: {
+        field: "GSI1PK",
+        composite: ["tenantId", "gsi1Shard"],
+        template: "TID#${tenantId}#WID#-#RT#Membership#SHARD#${gsi1Shard}"
+      },
+      sk: {
+        field: "GSI1SK",
+        casing: "none",
+        composite: ["lastUpdated", "id"],
+        template: "${lastUpdated}#${id}"
+      }
+    }
+  }
+});
+
+// src/data/dynamo/entities/control/role-entity.ts
+import { Entity as Entity3 } from "electrodb";
+var RoleEntity = new Entity3({
+  model: {
+    entity: "role",
+    service: "control",
+    version: "01"
+  },
+  attributes: {
+    /** Sort key sentinel. Always "CURRENT". */
+    sk: {
+      type: "string",
+      required: true,
+      default: "CURRENT"
+    },
+    /** FHIR Resource.id; role id. */
+    id: {
+      type: "string",
+      required: true
+    },
+    /** Full Role resource serialized as JSON string. */
+    resource: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Summary projection (key display fields as JSON string: id, displayName, status).
+     * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.
+     */
+    summary: {
+      type: "string",
+      required: true
+    },
+    /** Version id (e.g. ULID). */
+    vid: {
+      type: "string",
+      required: true
+    },
+    lastUpdated: {
+      type: "string",
+      required: true
+    },
+    gsi1Shard: gsi1ShardAttribute,
+    deleted: {
+      type: "boolean",
+      required: false
+    },
+    bundleId: {
+      type: "string",
+      required: false
+    },
+    msgId: {
+      type: "string",
+      required: false
+    }
+  },
+  indexes: {
+    /** Base table: PK = ROLE#ID#<id>, SK = CURRENT. Do not supply PK or SK from outside. */
+    record: {
+      pk: {
+        field: "PK",
+        composite: ["id"],
+        template: "ROLE#ID#${id}"
+      },
+      sk: {
+        field: "SK",
+        composite: ["sk"],
+        template: "${sk}"
+      }
+    },
+    /**
+     * GSI1 — Unified Sharded List per ADR-011: list all Roles across the four shards.
+     * Non-tenant-isolated, so `TID#-#WID#-` sentinels precede `RT#Role#SHARD#<n>`.
+     * SK is `<ISO-8601 lastUpdated>#<id>` (control-plane unlabeled per DR-004).
+     * `casing: "none"` on the SK preserves ISO-8601 `T`/`Z`.
+     */
+    gsi1: {
+      index: "GSI1",
+      pk: {
+        field: "GSI1PK",
+        composite: ["gsi1Shard"],
+        template: "TID#-#WID#-#RT#Role#SHARD#${gsi1Shard}"
+      },
+      sk: {
+        field: "GSI1SK",
+        casing: "none",
+        composite: ["lastUpdated", "id"],
+        template: "${lastUpdated}#${id}"
+      }
+    }
+  }
+});
+
+// src/data/dynamo/entities/control/roleassignment-entity.ts
+import { Entity as Entity4 } from "electrodb";
+var RoleAssignmentEntity = new Entity4({
+  model: {
+    entity: "roleassignment",
+    service: "control",
+    version: "01"
+  },
+  attributes: {
+    /** Sort key sentinel. Always "CURRENT". */
+    sk: {
+      type: "string",
+      required: true,
+      default: "CURRENT"
+    },
+    /** Tenant in which the role assignment applies (required). */
+    tenantId: {
+      type: "string",
+      required: true
+    },
+    /** FHIR Resource.id; role assignment id. */
+    id: {
+      type: "string",
+      required: true
+    },
+    /** Full RoleAssignment resource serialized as JSON string. */
+    resource: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Summary projection (key display fields as JSON string: id, displayName, status).
+     * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.
+     */
+    summary: {
+      type: "string",
+      required: true
+    },
+    /** Version id (e.g. ULID). */
+    vid: {
+      type: "string",
+      required: true
+    },
+    lastUpdated: {
+      type: "string",
+      required: true
+    },
+    gsi1Shard: gsi1ShardAttribute,
+    deleted: {
+      type: "boolean",
+      required: false
+    },
+    bundleId: {
+      type: "string",
+      required: false
+    },
+    msgId: {
+      type: "string",
+      required: false
+    }
+  },
+  indexes: {
+    /** Base table: PK = TID#<tenantId>#ROLEASSIGNMENT#ID#<id>, SK = CURRENT. Do not supply PK or SK from outside. */
+    record: {
+      pk: {
+        field: "PK",
+        composite: ["tenantId", "id"],
+        template: "TID#${tenantId}#ROLEASSIGNMENT#ID#${id}"
+      },
+      sk: {
+        field: "SK",
+        composite: ["sk"],
+        template: "${sk}"
+      }
+    },
+    /**
+     * GSI1 — Unified Sharded List per ADR-011: list all RoleAssignments for a tenant across the
+     * four shards. Tenant-scoped only, so `WID#-` is a sentinel.
+     * SK is `<ISO-8601 lastUpdated>#<id>` (control-plane unlabeled per DR-004).
+     * `casing: "none"` on the SK preserves ISO-8601 `T`/`Z`.
+     */
+    gsi1: {
+      index: "GSI1",
+      pk: {
+        field: "GSI1PK",
+        composite: ["tenantId", "gsi1Shard"],
+        template: "TID#${tenantId}#WID#-#RT#RoleAssignment#SHARD#${gsi1Shard}"
+      },
+      sk: {
+        field: "GSI1SK",
+        casing: "none",
+        composite: ["lastUpdated", "id"],
+        template: "${lastUpdated}#${id}"
+      }
+    }
+  }
+});
+
+// src/data/dynamo/entities/control/tenant-entity.ts
+import { Entity as Entity5 } from "electrodb";
+var TenantEntity = new Entity5({
+  model: {
+    entity: "tenant",
+    service: "control",
+    version: "01"
+  },
+  attributes: {
+    /** Sort key sentinel. Always "CURRENT". */
+    sk: {
+      type: "string",
+      required: true,
+      default: "CURRENT"
+    },
+    /** The tenant's own id (= resource id). Drives the partition key. */
+    tenantId: {
+      type: "string",
+      required: true
+    },
+    /** FHIR Resource.id; logical id in URL. Equals tenantId. */
+    id: {
+      type: "string",
+      required: true
+    },
+    /** Full Tenant resource serialized as JSON string. */
+    resource: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Summary projection (key display fields as JSON string: id, displayName, status).
+     * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.
+     */
+    summary: {
+      type: "string",
+      required: true
+    },
+    /** Version id (e.g. ULID). */
+    vid: {
+      type: "string",
+      required: true
+    },
+    lastUpdated: {
+      type: "string",
+      required: true
+    },
+    gsi1Shard: gsi1ShardAttribute,
+    deleted: {
+      type: "boolean",
+      required: false
+    },
+    bundleId: {
+      type: "string",
+      required: false
+    },
+    msgId: {
+      type: "string",
+      required: false
+    }
+  },
+  indexes: {
+    /** Base table: PK = TENANT#ID#<tenantId>, SK = CURRENT. Do not supply PK or SK from outside. */
+    record: {
+      pk: {
+        field: "PK",
+        composite: ["tenantId"],
+        template: "TENANT#ID#${tenantId}"
+      },
+      sk: {
+        field: "SK",
+        composite: ["sk"],
+        template: "${sk}"
+      }
+    },
+    /**
+     * GSI1 — Unified Sharded List per ADR-011: list all Tenants across the four shards.
+     * Tenant lives at the platform tier (no parent tenant or workspace), so `TID#-#WID#-`
+     * sentinels precede `RT#Tenant#SHARD#<n>`. SK is `<ISO-8601 lastUpdated>#<id>` (control-plane
+     * unlabeled per DR-004). `casing: "none"` on the SK preserves ISO-8601 `T`/`Z`.
+     */
+    gsi1: {
+      index: "GSI1",
+      pk: {
+        field: "GSI1PK",
+        composite: ["gsi1Shard"],
+        template: "TID#-#WID#-#RT#Tenant#SHARD#${gsi1Shard}"
+      },
+      sk: {
+        field: "GSI1SK",
+        casing: "none",
+        composite: ["lastUpdated", "id"],
+        template: "${lastUpdated}#${id}"
+      }
+    }
+  }
+});
+
+// src/data/dynamo/entities/control/user-entity.ts
+import { Entity as Entity6 } from "electrodb";
+var UserEntity = new Entity6({
+  model: {
+    entity: "user",
+    service: "control",
+    version: "01"
+  },
+  attributes: {
+    /** Sort key sentinel. Always "CURRENT". */
+    sk: {
+      type: "string",
+      required: true,
+      default: "CURRENT"
+    },
+    /** FHIR Resource.id; platform user id (ohi_uid). */
+    id: {
+      type: "string",
+      required: true
+    },
+    /** Full User resource serialized as JSON string. */
+    resource: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Summary projection (key display fields as JSON string: id, displayName, status).
+     * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.
+     */
+    summary: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Immutable Cognito-issued `sub` claim. Drives GSI2 (sub-lookup). Optional until the
+     * Post Confirmation Lambda (#770) lands; required thereafter.
+     */
+    cognitoSub: {
+      type: "string",
+      required: false
+    },
+    /** Version id (e.g. ULID). */
+    vid: {
+      type: "string",
+      required: true
+    },
+    lastUpdated: {
+      type: "string",
+      required: true
+    },
+    gsi1Shard: gsi1ShardAttribute,
+    deleted: {
+      type: "boolean",
+      required: false
+    },
+    bundleId: {
+      type: "string",
+      required: false
+    },
+    msgId: {
+      type: "string",
+      required: false
+    }
+  },
+  indexes: {
+    /** Base table: PK = USER#ID#<id>, SK = CURRENT. Do not supply PK or SK from outside. */
+    record: {
+      pk: {
+        field: "PK",
+        composite: ["id"],
+        template: "USER#ID#${id}"
+      },
+      sk: {
+        field: "SK",
+        composite: ["sk"],
+        template: "${sk}"
+      }
+    },
+    /**
+     * GSI1 — Unified Sharded List per ADR-011: list all Users across the four shards.
+     * Non-tenant-isolated, so `TID#-#WID#-` sentinels precede `RT#User#SHARD#<n>`.
+     * SK is `<ISO-8601 lastUpdated>#<id>` (control-plane unlabeled per DR-004).
+     * `casing: "none"` on the SK preserves ISO-8601 `T`/`Z` characters.
+     */
+    gsi1: {
+      index: "GSI1",
+      pk: {
+        field: "GSI1PK",
+        composite: ["gsi1Shard"],
+        template: "TID#-#WID#-#RT#User#SHARD#${gsi1Shard}"
+      },
+      sk: {
+        field: "GSI1SK",
+        casing: "none",
+        composite: ["lastUpdated", "id"],
+        template: "${lastUpdated}#${id}"
+      }
+    },
+    /**
+     * GSI2 — Cognito sub-lookup per ADR-011: resolves the UserEntity from a Cognito `sub` claim.
+     * `condition` skips the index when `cognitoSub` is missing so legacy items without a sub are
+     * not indexed.
+     */
+    gsi2: {
+      index: "GSI2",
+      condition: (attrs) => typeof attrs.cognitoSub === "string" && attrs.cognitoSub.length > 0,
+      pk: {
+        field: "GSI2PK",
+        casing: "none",
+        composite: ["cognitoSub"],
+        template: "USER#SUB#${cognitoSub}"
+      },
+      sk: {
+        field: "GSI2SK",
+        casing: "none",
+        composite: [],
+        template: "CURRENT"
+      }
+    }
+  }
+});
+
+// src/data/dynamo/entities/control/workspace-entity.ts
+import { Entity as Entity7 } from "electrodb";
+var WorkspaceEntity = new Entity7({
+  model: {
+    entity: "workspace",
+    service: "control",
+    version: "01"
+  },
+  attributes: {
+    /** Sort key sentinel. Always "CURRENT". */
+    sk: {
+      type: "string",
+      required: true,
+      default: "CURRENT"
+    },
+    /** Tenant that contains this workspace (required). */
+    tenantId: {
+      type: "string",
+      required: true
+    },
+    /** FHIR Resource.id; logical id in URL. */
+    id: {
+      type: "string",
+      required: true
+    },
+    /** Full Workspace resource serialized as JSON string. */
+    resource: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Summary projection (key display fields as JSON string: id, displayName, status).
+     * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.
+     */
+    summary: {
+      type: "string",
+      required: true
+    },
+    /** Version id (e.g. ULID). */
+    vid: {
+      type: "string",
+      required: true
+    },
+    lastUpdated: {
+      type: "string",
+      required: true
+    },
+    gsi1Shard: gsi1ShardAttribute,
+    deleted: {
+      type: "boolean",
+      required: false
+    },
+    bundleId: {
+      type: "string",
+      required: false
+    },
+    msgId: {
+      type: "string",
+      required: false
+    }
+  },
+  indexes: {
+    /** Base table: PK = TID#<tenantId>#WORKSPACE#ID#<id>, SK = CURRENT. Do not supply PK or SK from outside. */
+    record: {
+      pk: {
+        field: "PK",
+        composite: ["tenantId", "id"],
+        template: "TID#${tenantId}#WORKSPACE#ID#${id}"
+      },
+      sk: {
+        field: "SK",
+        composite: ["sk"],
+        template: "${sk}"
+      }
+    },
+    /**
+     * GSI1 — Unified Sharded List per ADR-011: list all Workspaces for a tenant across the
+     * four shards. Workspace is itself the workspace identity, so `WID#-` is a sentinel.
+     * SK is `<ISO-8601 lastUpdated>#<id>` (control-plane unlabeled per DR-004).
+     * `casing: "none"` on the SK preserves ISO-8601 `T`/`Z`.
+     */
+    gsi1: {
+      index: "GSI1",
+      pk: {
+        field: "GSI1PK",
+        composite: ["tenantId", "gsi1Shard"],
+        template: "TID#${tenantId}#WID#-#RT#Workspace#SHARD#${gsi1Shard}"
+      },
+      sk: {
+        field: "GSI1SK",
+        casing: "none",
+        composite: ["lastUpdated", "id"],
+        template: "${lastUpdated}#${id}"
+      }
+    }
+  }
+});
+
+// src/data/dynamo/dynamo-control-service.ts
+var controlPlaneEntities = {
+  configuration: ConfigurationEntity,
+  membership: MembershipEntity,
+  role: RoleEntity,
+  roleAssignment: RoleAssignmentEntity,
+  tenant: TenantEntity,
+  user: UserEntity,
+  workspace: WorkspaceEntity
+};
+var controlPlaneService = new Service(controlPlaneEntities, {
+  table: defaultTableName,
+  client: dynamoClient
+});
+var DynamoControlService = {
+  entities: controlPlaneService.entities
+};
+function getDynamoControlService(tableName) {
+  const resolved = tableName ?? defaultTableName;
+  const service = new Service(controlPlaneEntities, {
+    table: resolved,
+    client: dynamoClient
+  });
+  return {
+    entities: service.entities
+  };
+}
+
+// src/data/operations/control/user/user-create-operation.ts
+import { extractSummary } from "@openhi/types";
+async function createUserOperation(params) {
+  const { context, body, tableName } = params;
+  const service = getDynamoControlService(tableName);
+  const id = body.id ?? `user-${Date.now()}`;
+  const parsedResource = typeof body.resource === "string" ? JSON.parse(body.resource) : body.resource ?? {};
+  const lastUpdated = context.date ?? (/* @__PURE__ */ new Date()).toISOString();
+  const vid = `1`;
+  const resource = { resourceType: "User", id, ...parsedResource };
+  const summary = JSON.stringify(extractSummary(resource));
+  await service.entities.user.put({
+    id,
+    resource: JSON.stringify(resource),
+    summary,
+    vid,
+    lastUpdated
+  }).go();
+  return {
+    id,
+    resource,
+    meta: { lastUpdated, versionId: vid }
+  };
+}
+
+// src/data/operations/control/user/user-delete-operation.ts
+async function deleteUserOperation(params) {
+  const { id, tableName } = params;
+  const service = getDynamoControlService(tableName);
+  await service.entities.user.delete({ id, sk: "CURRENT" }).go();
+}
+
+// src/data/errors/domain-errors.ts
+var DomainError = class extends Error {
+  constructor(message, code, options) {
+    super(message, options);
+    this.name = this.constructor.name;
+    this.code = code;
+    this.details = options?.details;
+    Object.setPrototypeOf(this, new.target.prototype);
+  }
+};
+var NotFoundError = class extends DomainError {
+  constructor(message, options) {
+    super(message, "NOT_FOUND", options);
+  }
+};
+var ValidationError = class extends DomainError {
+  constructor(message, options) {
+    super(message, "VALIDATION", options);
+  }
+};
+var ConflictError = class extends DomainError {
+  constructor(message, options) {
+    super(message, "CONFLICT", options);
+  }
+};
+function domainErrorToHttpStatus(err) {
+  if (err instanceof NotFoundError) return 404;
+  if (err instanceof ValidationError) return 400;
+  if (err instanceof ConflictError) return 409;
+  return null;
+}
+
+// src/data/operations/control/user/user-get-by-id-operation.ts
+async function getUserByIdOperation(params) {
+  const { id, tableName } = params;
+  const service = getDynamoControlService(tableName);
+  const response = await service.entities.user.get({ id, sk: "CURRENT" }).go();
+  const item = response.data;
+  if (!item) {
+    throw new NotFoundError(`User not found: ${id}`);
+  }
+  const parsedResource = JSON.parse(item.resource);
+  return {
+    id,
+    resource: { resourceType: "User", id, ...parsedResource }
+  };
+}
+
+// src/data/operations/data-operations-common.ts
+import { extractSortKey, extractSummary as extractSummary2 } from "@openhi/types";
+
+// src/lib/compression.ts
+import { gzipSync, gunzipSync } from "zlib";
+var ENVELOPE_VERSION = 1;
+var COMPRESSION_ALGOS = {
+  NONE: "none",
+  GZIP: "gzip",
+  BROTLI: "brotli",
+  DEFLATE: "deflate"
+};
+function isEnvelope(obj) {
+  return typeof obj === "object" && obj !== null && "v" in obj && "algo" in obj && "payload" in obj && typeof obj.payload === "string";
+}
+function compressResource(jsonString, options) {
+  const algo = options?.algo ?? COMPRESSION_ALGOS.GZIP;
+  if (algo === COMPRESSION_ALGOS.NONE) {
+    const envelope2 = {
+      v: ENVELOPE_VERSION,
+      algo: COMPRESSION_ALGOS.NONE,
+      payload: jsonString
+    };
+    return JSON.stringify(envelope2);
+  }
+  const buf = Buffer.from(jsonString, "utf-8");
+  const payload = gzipSync(buf).toString("base64");
+  const envelope = {
+    v: ENVELOPE_VERSION,
+    algo: COMPRESSION_ALGOS.GZIP,
+    payload
+  };
+  return JSON.stringify(envelope);
+}
+function decompressResource(compressedOrRaw) {
+  try {
+    const parsed = JSON.parse(compressedOrRaw);
+    if (isEnvelope(parsed)) {
+      if (parsed.algo === COMPRESSION_ALGOS.GZIP) {
+        const buf = Buffer.from(parsed.payload, "base64");
+        return gunzipSync(buf).toString("utf-8");
+      }
+      if (parsed.algo === COMPRESSION_ALGOS.NONE) {
+        return parsed.payload;
+      }
+      return parsed.payload;
+    }
+  } catch {
+  }
+  try {
+    const buf = Buffer.from(compressedOrRaw, "base64");
+    if (buf.length >= 2 && buf[0] === 31 && buf[1] === 139) {
+      return gunzipSync(buf).toString("utf-8");
+    }
+  } catch {
+  }
+  return compressedOrRaw;
+}
+
+// src/data/audit-meta.ts
+var OPENHI_EXT = "http://openhi.org/fhir/StructureDefinition";
+function mergeAuditIntoMeta(meta, audit) {
+  const existing = meta ?? {};
+  const ext = [
+    ...Array.isArray(existing.extension) ? existing.extension : []
+  ];
+  const byUrl = new Map(ext.map((e) => [e.url, e]));
+  function set(url, value, type) {
+    if (value == null) return;
+    byUrl.set(url, { url, [type]: value });
+  }
+  set(`${OPENHI_EXT}/created-date`, audit.createdDate, "valueDateTime");
+  set(`${OPENHI_EXT}/created-by-id`, audit.createdById, "valueString");
+  set(`${OPENHI_EXT}/created-by-name`, audit.createdByName, "valueString");
+  set(`${OPENHI_EXT}/modified-date`, audit.modifiedDate, "valueDateTime");
+  set(`${OPENHI_EXT}/modified-by-id`, audit.modifiedById, "valueString");
+  set(`${OPENHI_EXT}/modified-by-name`, audit.modifiedByName, "valueString");
+  set(`${OPENHI_EXT}/deleted-date`, audit.deletedDate, "valueDateTime");
+  set(`${OPENHI_EXT}/deleted-by-id`, audit.deletedById, "valueString");
+  set(`${OPENHI_EXT}/deleted-by-name`, audit.deletedByName, "valueString");
+  return { ...existing, extension: Array.from(byUrl.values()) };
+}
+
+// src/data/operations/data-operations-common.ts
+var DATA_ENTITY_SK = "CURRENT";
+async function getDataEntityById(entity, tenantId, workspaceId, id, resourceLabel) {
+  const result = await entity.get({
+    tenantId,
+    workspaceId,
+    id,
+    sk: DATA_ENTITY_SK
+  }).go();
+  if (!result.data) {
+    throw new NotFoundError(`${resourceLabel} ${id} not found`, {
+      details: { id }
+    });
+  }
+  const parsed = JSON.parse(decompressResource(result.data.resource));
+  return {
+    id: result.data.id,
+    resource: { ...parsed, id: result.data.id }
+  };
+}
+async function deleteDataEntityById(entity, tenantId, workspaceId, id) {
+  await entity.delete({
+    tenantId,
+    workspaceId,
+    id,
+    sk: DATA_ENTITY_SK
+  }).go();
+}
+var BATCH_GET_MAX_ATTEMPTS = 3;
+var BATCH_GET_BASE_BACKOFF_MS = 50;
+async function batchGetWithRetry(entity, keys) {
+  if (keys.length === 0) return [];
+  const collected = [];
+  let pending = keys;
+  let attempt = 0;
+  while (pending.length > 0) {
+    if (attempt > 0) {
+      await new Promise(
+        (resolve) => setTimeout(resolve, BATCH_GET_BASE_BACKOFF_MS * 2 ** (attempt - 1))
+      );
+    }
+    attempt++;
+    const result = await entity.get(pending).go();
+    collected.push(...result.data);
+    const unprocessed = result.unprocessed ?? [];
+    if (unprocessed.length === 0) break;
+    if (attempt >= BATCH_GET_MAX_ATTEMPTS) {
+      throw new Error(
+        `BatchGet exhausted retries: ${unprocessed.length} key(s) still unprocessed after ${BATCH_GET_MAX_ATTEMPTS} attempt(s)`
+      );
+    }
+    pending = unprocessed;
+  }
+  return collected;
+}
+async function dispatchListMode(mode, shardResults, hooks) {
+  if (mode === "count") {
+    let total = 0;
+    for (const shardResult of shardResults) {
+      total += (shardResult.data ?? []).length;
+    }
+    return { entries: [], total };
+  }
+  if (mode === "summary") {
+    const entries2 = [];
+    for (const shardResult of shardResults) {
+      for (const item of shardResult.data ?? []) {
+        if (typeof item.summary !== "string") continue;
+        let parsed;
+        try {
+          parsed = JSON.parse(item.summary);
+        } catch {
+          continue;
+        }
+        entries2.push(hooks.buildSummaryEntry(item.id, parsed));
+      }
+    }
+    return { entries: entries2, total: entries2.length };
+  }
+  const orderedIds = [];
+  for (const shardResult of shardResults) {
+    for (const item of shardResult.data ?? []) {
+      orderedIds.push(item.id);
+    }
+  }
+  if (orderedIds.length === 0) return { entries: [], total: 0 };
+  const items = await hooks.hydrate(orderedIds);
+  const byId = new Map(items.map((item) => [hooks.getId(item), item]));
+  const entries = [];
+  for (const id of orderedIds) {
+    const item = byId.get(id);
+    if (!item) continue;
+    entries.push(hooks.buildEntry(id, item));
+  }
+  return { entries, total: entries.length };
+}
+async function listDataEntitiesByWorkspace(entity, tenantId, workspaceId, mode = "full") {
+  const shardResults = await Promise.all(
+    Array.from(
+      { length: SHARD_COUNT },
+      (_, shard) => entity.query.gsi1({ tenantId, workspaceId, gsi1Shard: String(shard) }).go()
+    )
+  );
+  return dispatchListMode(
+    mode,
+    shardResults,
+    {
+      hydrate: (orderedIds) => batchGetWithRetry(
+        entity,
+        orderedIds.map((id) => ({
+          tenantId,
+          workspaceId,
+          id,
+          sk: DATA_ENTITY_SK
+        }))
+      ),
+      getId: (item) => item.id,
+      buildEntry: (id, item) => {
+        const parsed = JSON.parse(decompressResource(item.resource));
+        return { id, resource: { ...parsed, id } };
+      },
+      buildSummaryEntry: (id, parsed) => ({
+        id,
+        resource: { ...parsed, id }
+      })
+    }
+  );
+}
+async function createDataEntityRecord(entity, tenantId, workspaceId, id, resourceWithAudit, fallbackDate) {
+  const lastUpdated = resourceWithAudit.meta?.lastUpdated ?? fallbackDate ?? (/* @__PURE__ */ new Date()).toISOString();
+  const vid = lastUpdated.replace(/[-:T.Z]/g, "").slice(0, 12) || Date.now().toString(36);
+  const resourceLike = resourceWithAudit;
+  const summary = JSON.stringify(extractSummary2(resourceLike));
+  const gsi1sk = extractSortKey(resourceLike);
+  await entity.put({
+    sk: DATA_ENTITY_SK,
+    tenantId,
+    workspaceId,
+    id,
+    resource: compressResource(JSON.stringify(resourceWithAudit)),
+    summary,
+    vid,
+    lastUpdated,
+    gsi1sk
+  }).go();
+  return {
+    id,
+    resource: resourceWithAudit
+  };
+}
+function buildUpdatedResourceWithAudit(body, id, date, actorId, actorName, existingResourceStr, resourceType) {
+  const existingMeta = JSON.parse(existingResourceStr).meta;
+  const bodyWithMeta = body;
+  const resourceWithVersion = {
+    ...body,
+    resourceType,
+    id,
+    meta: {
+      ...bodyWithMeta.meta ?? {},
+      lastUpdated: date,
+      versionId: "2"
+    }
+  };
+  const resourceWithAudit = {
+    ...resourceWithVersion,
+    meta: mergeAuditIntoMeta(resourceWithVersion.meta ?? existingMeta, {
+      modifiedDate: date,
+      modifiedById: actorId,
+      modifiedByName: actorName
+    })
+  };
+  return {
+    resource: resourceWithAudit,
+    lastUpdated: date
+  };
+}
+async function updateDataEntityById(entity, tenantId, workspaceId, id, resourceLabel, context, buildPatched) {
+  const existing = await entity.get({
+    tenantId,
+    workspaceId,
+    id,
+    sk: DATA_ENTITY_SK
+  }).go();
+  if (!existing.data) {
+    throw new NotFoundError(`${resourceLabel} ${id} not found`, {
+      details: { id }
+    });
+  }
+  const existingStr = decompressResource(existing.data.resource);
+  const { resource, lastUpdated } = buildPatched(existingStr);
+  const resourceLike = resource;
+  const summary = JSON.stringify(extractSummary2(resourceLike));
+  const gsi1sk = extractSortKey(resourceLike);
+  await entity.patch({
+    tenantId,
+    workspaceId,
+    id,
+    sk: DATA_ENTITY_SK
+  }).set({
+    resource: compressResource(JSON.stringify(resource)),
+    summary,
+    lastUpdated,
+    gsi1sk
+  }).go();
+  return {
+    id,
+    resource
+  };
+}
+
+// src/data/operations/control/user/user-list-operation.ts
+var SK = "CURRENT";
+async function listUsersOperation(params) {
+  const { tableName, mode = "full" } = params;
+  const service = getDynamoControlService(tableName);
+  const shardResults = await Promise.all(
+    Array.from(
+      { length: SHARD_COUNT },
+      (_, shard) => service.entities.user.query.gsi1({ gsi1Shard: String(shard) }).go()
+    )
+  );
+  return dispatchListMode(mode, shardResults, {
+    hydrate: (orderedIds) => batchGetWithRetry(
+      service.entities.user,
+      orderedIds.map((id) => ({ id, sk: SK }))
+    ),
+    getId: (item) => item.id,
+    buildEntry: (id, item) => ({
+      id,
+      resource: {
+        resourceType: "User",
+        id,
+        ...JSON.parse(item.resource)
+      }
+    }),
+    buildSummaryEntry: (id, parsed) => ({
+      id,
+      resource: { resourceType: "User", id, ...parsed }
+    })
+  });
+}
+
+// src/data/operations/control/user/user-update-operation.ts
+import { extractSummary as extractSummary3 } from "@openhi/types";
+async function updateUserOperation(params) {
+  const { context, id, body, tableName } = params;
+  const service = getDynamoControlService(tableName);
+  const existing = await service.entities.user.get({ id, sk: "CURRENT" }).go();
+  if (!existing.data) {
+    throw new NotFoundError(`User not found: ${id}`);
+  }
+  const parsedResource = typeof body.resource === "string" ? JSON.parse(body.resource) : body.resource ?? {};
+  const lastUpdated = context.date ?? (/* @__PURE__ */ new Date()).toISOString();
+  const vid = `${Date.now()}`;
+  const resource = { resourceType: "User", id, ...parsedResource };
+  const summary = JSON.stringify(extractSummary3(resource));
+  await service.entities.user.put({
+    id,
+    resource: JSON.stringify(resource),
+    summary,
+    vid,
+    lastUpdated
+  }).go();
+  return {
+    id,
+    resource,
+    meta: { lastUpdated, versionId: vid }
+  };
+}
+
+export {
+  compressResource,
+  decompressResource,
+  defaultTableName,
+  dynamoClient,
+  SHARD_COUNT,
+  computeShard,
+  getDynamoControlService,
+  NotFoundError,
+  domainErrorToHttpStatus,
+  mergeAuditIntoMeta,
+  getDataEntityById,
+  deleteDataEntityById,
+  batchGetWithRetry,
+  dispatchListMode,
+  listDataEntitiesByWorkspace,
+  createDataEntityRecord,
+  buildUpdatedResourceWithAudit,
+  updateDataEntityById,
+  createUserOperation,
+  deleteUserOperation,
+  getUserByIdOperation,
+  listUsersOperation,
+  updateUserOperation
+};
+//# sourceMappingURL=chunk-36YCDLLA.mjs.map