@openhi/constructs 0.0.104 → 0.0.105

package/lib/post-confirmation.handler.js

@@ -23,920 +23,66 @@ __export(post_confirmation_handler_exports, {
   handler: () => handler
 });
 module.exports = __toCommonJS(post_confirmation_handler_exports);
-var import_types = require("@openhi/types");
-var import_ulid = require("ulid");
+var import_client_eventbridge = require("@aws-sdk/client-eventbridge");
 
-// src/data/dynamo/dynamo-control-service.ts
-var import_electrodb8 = require("electrodb");
-
-// src/data/dynamo/dynamo-client.ts
-var import_client_dynamodb = require("@aws-sdk/client-dynamodb");
-var defaultTableName = process.env.DYNAMO_TABLE_NAME ?? "jesttesttable";
-var dynamoClient = new import_client_dynamodb.DynamoDBClient({
-  ...process.env.MOCK_DYNAMODB_ENDPOINT && {
-    endpoint: process.env.MOCK_DYNAMODB_ENDPOINT,
-    sslEnabled: false,
-    region: "local"
-  }
-});
-
-// src/data/dynamo/entities/control/configuration-entity.ts
-var import_electrodb = require("electrodb");
-
-// src/data/dynamo/shard.ts
-var SHARD_COUNT = 4;
-function computeShard(id) {
-  let hash = 2166136261;
-  for (let i = 0; i < id.length; i++) {
-    hash ^= id.charCodeAt(i);
-    hash = Math.imul(hash, 16777619);
-  }
-  return (hash >>> 0) % SHARD_COUNT;
-}
-
-// src/data/dynamo/entities/control/control-entity-common.ts
-var gsi1ShardAttribute = {
-  type: "string",
-  watch: ["id"],
-  set: (_val, item) => {
-    if (typeof item?.id !== "string" || item.id.length === 0) {
-      return void 0;
-    }
-    return String(computeShard(item.id));
+// src/workflows/control-plane/user-onboarding/events.ts
+var USER_ONBOARDING_EVENT_SOURCE = "openhi.control.user-onboarding";
+var PROVISION_DEFAULT_WORKSPACE_DETAIL_TYPE = "ProvisionDefaultWorkspaceRequested";
+var buildProvisionDefaultWorkspaceRequestedDetail = (event) => {
+  const attrs = event.request?.userAttributes ?? {};
+  const cognitoSub = attrs.sub?.trim();
+  if (!cognitoSub) {
+    return void 0;
   }
-};
-
-// src/data/dynamo/entities/control/configuration-entity.ts
-var ConfigurationEntity = new import_electrodb.Entity({
-  model: {
-    entity: "configuration",
-    service: "control",
-    version: "01"
-  },
-  attributes: {
-    /** Sort key. "CURRENT" for current version; version history in S3. */
-    sk: {
-      type: "string",
-      required: true,
-      default: "CURRENT"
-    },
-    /** Tenant scope. Use "BASELINE" when the config is baseline default (no tenant). */
-    tenantId: {
-      type: "string",
-      required: true,
-      default: "BASELINE"
-    },
-    /** Workspace scope. Use "-" when absent. */
-    workspaceId: {
-      type: "string",
-      required: true,
-      default: "-"
-    },
-    /** User scope. Use "-" when absent. */
-    userId: {
-      type: "string",
-      required: true,
-      default: "-"
-    },
-    /** Role scope. Use "-" when absent. */
-    roleId: {
-      type: "string",
-      required: true,
-      default: "-"
-    },
-    /** Config type (category), e.g. endpoints, branding, display. */
-    key: {
-      type: "string",
-      required: true
-    },
-    /** FHIR Resource.id; logical id in URL and for the Configuration resource. */
-    id: {
-      type: "string",
-      required: true
-    },
-    /** Payload as JSON string. JSON.stringify(resource) on write; JSON.parse(item.resource) on read. */
-    resource: {
-      type: "string",
-      required: true
-    },
-    /**
-     * Summary projection (key display fields as JSON string: id, key, status).
-     * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.
-     */
-    summary: {
-      type: "string",
-      required: true
-    },
-    /** Version id (e.g. ULID). Tracks current version; S3 history key. */
-    vid: {
-      type: "string",
-      required: true
-    },
-    lastUpdated: {
-      type: "string",
-      required: true
-    },
-    gsi1Shard: gsi1ShardAttribute,
-    deleted: {
-      type: "boolean",
-      required: false
-    },
-    bundleId: {
-      type: "string",
-      required: false
-    },
-    msgId: {
-      type: "string",
-      required: false
-    }
-  },
-  indexes: {
-    /** Base table: PK, SK (data store key names). PK is built from tenantId, workspaceId, userId, roleId; SK is built from key and sk. Do not supply PK or SK from outside. */
-    record: {
-      pk: {
-        field: "PK",
-        composite: ["tenantId", "workspaceId", "userId", "roleId"],
-        template: "CONFIG#TID#${tenantId}#WID#${workspaceId}#UID#${userId}#RID#${roleId}"
-      },
-      sk: {
-        field: "SK",
-        composite: ["key", "sk"],
-        template: "KEY#${key}#SK#${sk}"
-      }
-    },
-    /**
-     * GSI1 — Unified Sharded List per ADR-011: list all Configuration entries for a
-     * (tenant, workspace) across the four shards. Use for "list configs scoped to this tenant"
-     * (workspaceId = "-") or "list configs scoped to this workspace". Does not support
-     * hierarchical resolution in one query; use base table GetItem in fallback order
-     * (user → workspace → tenant → baseline) for that.
-     * SK is `<ISO-8601 lastUpdated>#<id>` (control-plane unlabeled per DR-004).
-     * `casing: "none"` on the SK preserves ISO-8601 `T`/`Z`.
-     */
-    gsi1: {
-      index: "GSI1",
-      pk: {
-        field: "GSI1PK",
-        composite: ["tenantId", "workspaceId", "gsi1Shard"],
-        template: "TID#${tenantId}#WID#${workspaceId}#RT#Configuration#SHARD#${gsi1Shard}"
-      },
-      sk: {
-        field: "GSI1SK",
-        casing: "none",
-        composite: ["lastUpdated", "id"],
-        template: "${lastUpdated}#${id}"
-      }
-    }
-  }
-});
-
-// src/data/dynamo/entities/control/membership-entity.ts
-var import_electrodb2 = require("electrodb");
-var MembershipEntity = new import_electrodb2.Entity({
-  model: {
-    entity: "membership",
-    service: "control",
-    version: "01"
-  },
-  attributes: {
-    /** Sort key sentinel. Always "CURRENT". */
-    sk: {
-      type: "string",
-      required: true,
-      default: "CURRENT"
-    },
-    /** Tenant in which the user has membership (required). */
-    tenantId: {
-      type: "string",
-      required: true
-    },
-    /** FHIR Resource.id; membership id. */
-    id: {
-      type: "string",
-      required: true
-    },
-    /** Full Membership resource serialized as JSON string. */
-    resource: {
-      type: "string",
-      required: true
-    },
-    /**
-     * Summary projection (key display fields as JSON string: id, displayName, status).
-     * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.
-     */
-    summary: {
-      type: "string",
-      required: true
-    },
-    /** Version id (e.g. ULID). */
-    vid: {
-      type: "string",
-      required: true
-    },
-    lastUpdated: {
-      type: "string",
-      required: true
-    },
-    gsi1Shard: gsi1ShardAttribute,
-    deleted: {
-      type: "boolean",
-      required: false
-    },
-    bundleId: {
-      type: "string",
-      required: false
-    },
-    msgId: {
-      type: "string",
-      required: false
-    }
-  },
-  indexes: {
-    /** Base table: PK = TID#<tenantId>#MEMBERSHIP#ID#<id>, SK = CURRENT. Do not supply PK or SK from outside. */
-    record: {
-      pk: {
-        field: "PK",
-        composite: ["tenantId", "id"],
-        template: "TID#${tenantId}#MEMBERSHIP#ID#${id}"
-      },
-      sk: {
-        field: "SK",
-        composite: ["sk"],
-        template: "${sk}"
-      }
-    },
-    /**
-     * GSI1 — Unified Sharded List per ADR-011: list all Memberships for a tenant across the
-     * four shards. Membership is tenant-scoped only, so `WID#-` is a sentinel.
-     * SK is `<ISO-8601 lastUpdated>#<id>` (control-plane unlabeled per DR-004).
-     * `casing: "none"` on the SK preserves ISO-8601 `T`/`Z`.
-     */
-    gsi1: {
-      index: "GSI1",
-      pk: {
-        field: "GSI1PK",
-        composite: ["tenantId", "gsi1Shard"],
-        template: "TID#${tenantId}#WID#-#RT#Membership#SHARD#${gsi1Shard}"
-      },
-      sk: {
-        field: "GSI1SK",
-        casing: "none",
-        composite: ["lastUpdated", "id"],
-        template: "${lastUpdated}#${id}"
-      }
-    }
-  }
-});
-
-// src/data/dynamo/entities/control/role-entity.ts
-var import_electrodb3 = require("electrodb");
-var RoleEntity = new import_electrodb3.Entity({
-  model: {
-    entity: "role",
-    service: "control",
-    version: "01"
-  },
-  attributes: {
-    /** Sort key sentinel. Always "CURRENT". */
-    sk: {
-      type: "string",
-      required: true,
-      default: "CURRENT"
-    },
-    /** FHIR Resource.id; role id. */
-    id: {
-      type: "string",
-      required: true
-    },
-    /** Full Role resource serialized as JSON string. */
-    resource: {
-      type: "string",
-      required: true
-    },
-    /**
-     * Summary projection (key display fields as JSON string: id, displayName, status).
-     * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.
-     */
-    summary: {
-      type: "string",
-      required: true
-    },
-    /** Version id (e.g. ULID). */
-    vid: {
-      type: "string",
-      required: true
-    },
-    lastUpdated: {
-      type: "string",
-      required: true
-    },
-    gsi1Shard: gsi1ShardAttribute,
-    deleted: {
-      type: "boolean",
-      required: false
-    },
-    bundleId: {
-      type: "string",
-      required: false
-    },
-    msgId: {
-      type: "string",
-      required: false
-    }
-  },
-  indexes: {
-    /** Base table: PK = ROLE#ID#<id>, SK = CURRENT. Do not supply PK or SK from outside. */
-    record: {
-      pk: {
-        field: "PK",
-        composite: ["id"],
-        template: "ROLE#ID#${id}"
-      },
-      sk: {
-        field: "SK",
-        composite: ["sk"],
-        template: "${sk}"
-      }
-    },
-    /**
-     * GSI1 — Unified Sharded List per ADR-011: list all Roles across the four shards.
-     * Non-tenant-isolated, so `TID#-#WID#-` sentinels precede `RT#Role#SHARD#<n>`.
-     * SK is `<ISO-8601 lastUpdated>#<id>` (control-plane unlabeled per DR-004).
-     * `casing: "none"` on the SK preserves ISO-8601 `T`/`Z`.
-     */
-    gsi1: {
-      index: "GSI1",
-      pk: {
-        field: "GSI1PK",
-        composite: ["gsi1Shard"],
-        template: "TID#-#WID#-#RT#Role#SHARD#${gsi1Shard}"
-      },
-      sk: {
-        field: "GSI1SK",
-        casing: "none",
-        composite: ["lastUpdated", "id"],
-        template: "${lastUpdated}#${id}"
-      }
-    }
-  }
-});
-
-// src/data/dynamo/entities/control/roleassignment-entity.ts
-var import_electrodb4 = require("electrodb");
-var RoleAssignmentEntity = new import_electrodb4.Entity({
-  model: {
-    entity: "roleassignment",
-    service: "control",
-    version: "01"
-  },
-  attributes: {
-    /** Sort key sentinel. Always "CURRENT". */
-    sk: {
-      type: "string",
-      required: true,
-      default: "CURRENT"
-    },
-    /** Tenant in which the role assignment applies (required). */
-    tenantId: {
-      type: "string",
-      required: true
-    },
-    /** FHIR Resource.id; role assignment id. */
-    id: {
-      type: "string",
-      required: true
-    },
-    /** Full RoleAssignment resource serialized as JSON string. */
-    resource: {
-      type: "string",
-      required: true
-    },
-    /**
-     * Summary projection (key display fields as JSON string: id, displayName, status).
-     * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.
-     */
-    summary: {
-      type: "string",
-      required: true
-    },
-    /** Version id (e.g. ULID). */
-    vid: {
-      type: "string",
-      required: true
-    },
-    lastUpdated: {
-      type: "string",
-      required: true
-    },
-    gsi1Shard: gsi1ShardAttribute,
-    deleted: {
-      type: "boolean",
-      required: false
-    },
-    bundleId: {
-      type: "string",
-      required: false
-    },
-    msgId: {
-      type: "string",
-      required: false
-    }
-  },
-  indexes: {
-    /** Base table: PK = TID#<tenantId>#ROLEASSIGNMENT#ID#<id>, SK = CURRENT. Do not supply PK or SK from outside. */
-    record: {
-      pk: {
-        field: "PK",
-        composite: ["tenantId", "id"],
-        template: "TID#${tenantId}#ROLEASSIGNMENT#ID#${id}"
-      },
-      sk: {
-        field: "SK",
-        composite: ["sk"],
-        template: "${sk}"
-      }
-    },
-    /**
-     * GSI1 — Unified Sharded List per ADR-011: list all RoleAssignments for a tenant across the
-     * four shards. Tenant-scoped only, so `WID#-` is a sentinel.
-     * SK is `<ISO-8601 lastUpdated>#<id>` (control-plane unlabeled per DR-004).
-     * `casing: "none"` on the SK preserves ISO-8601 `T`/`Z`.
-     */
-    gsi1: {
-      index: "GSI1",
-      pk: {
-        field: "GSI1PK",
-        composite: ["tenantId", "gsi1Shard"],
-        template: "TID#${tenantId}#WID#-#RT#RoleAssignment#SHARD#${gsi1Shard}"
-      },
-      sk: {
-        field: "GSI1SK",
-        casing: "none",
-        composite: ["lastUpdated", "id"],
-        template: "${lastUpdated}#${id}"
-      }
-    }
-  }
-});
-
-// src/data/dynamo/entities/control/tenant-entity.ts
-var import_electrodb5 = require("electrodb");
-var TenantEntity = new import_electrodb5.Entity({
-  model: {
-    entity: "tenant",
-    service: "control",
-    version: "01"
-  },
-  attributes: {
-    /** Sort key sentinel. Always "CURRENT". */
-    sk: {
-      type: "string",
-      required: true,
-      default: "CURRENT"
-    },
-    /** The tenant's own id (= resource id). Drives the partition key. */
-    tenantId: {
-      type: "string",
-      required: true
-    },
-    /** FHIR Resource.id; logical id in URL. Equals tenantId. */
-    id: {
-      type: "string",
-      required: true
-    },
-    /** Full Tenant resource serialized as JSON string. */
-    resource: {
-      type: "string",
-      required: true
-    },
-    /**
-     * Summary projection (key display fields as JSON string: id, displayName, status).
-     * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.
-     */
-    summary: {
-      type: "string",
-      required: true
-    },
-    /** Version id (e.g. ULID). */
-    vid: {
-      type: "string",
-      required: true
-    },
-    lastUpdated: {
-      type: "string",
-      required: true
-    },
-    gsi1Shard: gsi1ShardAttribute,
-    deleted: {
-      type: "boolean",
-      required: false
-    },
-    bundleId: {
-      type: "string",
-      required: false
-    },
-    msgId: {
-      type: "string",
-      required: false
-    }
-  },
-  indexes: {
-    /** Base table: PK = TENANT#ID#<tenantId>, SK = CURRENT. Do not supply PK or SK from outside. */
-    record: {
-      pk: {
-        field: "PK",
-        composite: ["tenantId"],
-        template: "TENANT#ID#${tenantId}"
-      },
-      sk: {
-        field: "SK",
-        composite: ["sk"],
-        template: "${sk}"
-      }
-    },
-    /**
-     * GSI1 — Unified Sharded List per ADR-011: list all Tenants across the four shards.
-     * Tenant lives at the platform tier (no parent tenant or workspace), so `TID#-#WID#-`
-     * sentinels precede `RT#Tenant#SHARD#<n>`. SK is `<ISO-8601 lastUpdated>#<id>` (control-plane
-     * unlabeled per DR-004). `casing: "none"` on the SK preserves ISO-8601 `T`/`Z`.
-     */
-    gsi1: {
-      index: "GSI1",
-      pk: {
-        field: "GSI1PK",
-        composite: ["gsi1Shard"],
-        template: "TID#-#WID#-#RT#Tenant#SHARD#${gsi1Shard}"
-      },
-      sk: {
-        field: "GSI1SK",
-        casing: "none",
-        composite: ["lastUpdated", "id"],
-        template: "${lastUpdated}#${id}"
-      }
-    }
-  }
-});
-
-// src/data/dynamo/entities/control/user-entity.ts
-var import_electrodb6 = require("electrodb");
-var UserEntity = new import_electrodb6.Entity({
-  model: {
-    entity: "user",
-    service: "control",
-    version: "01"
-  },
-  attributes: {
-    /** Sort key sentinel. Always "CURRENT". */
-    sk: {
-      type: "string",
-      required: true,
-      default: "CURRENT"
-    },
-    /** FHIR Resource.id; platform user id (ohi_uid). */
-    id: {
-      type: "string",
-      required: true
-    },
-    /** Full User resource serialized as JSON string. */
-    resource: {
-      type: "string",
-      required: true
-    },
-    /**
-     * Summary projection (key display fields as JSON string: id, displayName, status).
-     * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.
-     */
-    summary: {
-      type: "string",
-      required: true
-    },
-    /**
-     * Immutable Cognito-issued `sub` claim. Drives GSI2 (sub-lookup). Optional until the
-     * Post Confirmation Lambda (#770) lands; required thereafter.
-     */
-    cognitoSub: {
-      type: "string",
-      required: false
-    },
-    /** Version id (e.g. ULID). */
-    vid: {
-      type: "string",
-      required: true
-    },
-    lastUpdated: {
-      type: "string",
-      required: true
-    },
-    gsi1Shard: gsi1ShardAttribute,
-    deleted: {
-      type: "boolean",
-      required: false
-    },
-    bundleId: {
-      type: "string",
-      required: false
-    },
-    msgId: {
-      type: "string",
-      required: false
-    }
-  },
-  indexes: {
-    /** Base table: PK = USER#ID#<id>, SK = CURRENT. Do not supply PK or SK from outside. */
-    record: {
-      pk: {
-        field: "PK",
-        composite: ["id"],
-        template: "USER#ID#${id}"
-      },
-      sk: {
-        field: "SK",
-        composite: ["sk"],
-        template: "${sk}"
-      }
-    },
-    /**
-     * GSI1 — Unified Sharded List per ADR-011: list all Users across the four shards.
-     * Non-tenant-isolated, so `TID#-#WID#-` sentinels precede `RT#User#SHARD#<n>`.
-     * SK is `<ISO-8601 lastUpdated>#<id>` (control-plane unlabeled per DR-004).
-     * `casing: "none"` on the SK preserves ISO-8601 `T`/`Z` characters.
-     */
-    gsi1: {
-      index: "GSI1",
-      pk: {
-        field: "GSI1PK",
-        composite: ["gsi1Shard"],
-        template: "TID#-#WID#-#RT#User#SHARD#${gsi1Shard}"
-      },
-      sk: {
-        field: "GSI1SK",
-        casing: "none",
-        composite: ["lastUpdated", "id"],
-        template: "${lastUpdated}#${id}"
-      }
-    },
-    /**
-     * GSI2 — Cognito sub-lookup per ADR-011: resolves the UserEntity from a Cognito `sub` claim.
-     * `condition` skips the index when `cognitoSub` is missing so legacy items without a sub are
-     * not indexed.
-     */
-    gsi2: {
-      index: "GSI2",
-      condition: (attrs) => typeof attrs.cognitoSub === "string" && attrs.cognitoSub.length > 0,
-      pk: {
-        field: "GSI2PK",
-        casing: "none",
-        composite: ["cognitoSub"],
-        template: "USER#SUB#${cognitoSub}"
-      },
-      sk: {
-        field: "GSI2SK",
-        casing: "none",
-        composite: [],
-        template: "CURRENT"
-      }
-    }
-  }
-});
-
-// src/data/dynamo/entities/control/workspace-entity.ts
-var import_electrodb7 = require("electrodb");
-var WorkspaceEntity = new import_electrodb7.Entity({
-  model: {
-    entity: "workspace",
-    service: "control",
-    version: "01"
-  },
-  attributes: {
-    /** Sort key sentinel. Always "CURRENT". */
-    sk: {
-      type: "string",
-      required: true,
-      default: "CURRENT"
-    },
-    /** Tenant that contains this workspace (required). */
-    tenantId: {
-      type: "string",
-      required: true
-    },
-    /** FHIR Resource.id; logical id in URL. */
-    id: {
-      type: "string",
-      required: true
-    },
-    /** Full Workspace resource serialized as JSON string. */
-    resource: {
-      type: "string",
-      required: true
-    },
-    /**
-     * Summary projection (key display fields as JSON string: id, displayName, status).
-     * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.
-     */
-    summary: {
-      type: "string",
-      required: true
-    },
-    /** Version id (e.g. ULID). */
-    vid: {
-      type: "string",
-      required: true
-    },
-    lastUpdated: {
-      type: "string",
-      required: true
-    },
-    gsi1Shard: gsi1ShardAttribute,
-    deleted: {
-      type: "boolean",
-      required: false
-    },
-    bundleId: {
-      type: "string",
-      required: false
-    },
-    msgId: {
-      type: "string",
-      required: false
-    }
-  },
-  indexes: {
-    /** Base table: PK = TID#<tenantId>#WORKSPACE#ID#<id>, SK = CURRENT. Do not supply PK or SK from outside. */
-    record: {
-      pk: {
-        field: "PK",
-        composite: ["tenantId", "id"],
-        template: "TID#${tenantId}#WORKSPACE#ID#${id}"
-      },
-      sk: {
-        field: "SK",
-        composite: ["sk"],
-        template: "${sk}"
-      }
-    },
-    /**
-     * GSI1 — Unified Sharded List per ADR-011: list all Workspaces for a tenant across the
-     * four shards. Workspace is itself the workspace identity, so `WID#-` is a sentinel.
-     * SK is `<ISO-8601 lastUpdated>#<id>` (control-plane unlabeled per DR-004).
-     * `casing: "none"` on the SK preserves ISO-8601 `T`/`Z`.
-     */
-    gsi1: {
-      index: "GSI1",
-      pk: {
-        field: "GSI1PK",
-        composite: ["tenantId", "gsi1Shard"],
-        template: "TID#${tenantId}#WID#-#RT#Workspace#SHARD#${gsi1Shard}"
-      },
-      sk: {
-        field: "GSI1SK",
-        casing: "none",
-        composite: ["lastUpdated", "id"],
-        template: "${lastUpdated}#${id}"
-      }
-    }
-  }
-});
-
-// src/data/dynamo/dynamo-control-service.ts
-var controlPlaneEntities = {
-  configuration: ConfigurationEntity,
-  membership: MembershipEntity,
-  role: RoleEntity,
-  roleAssignment: RoleAssignmentEntity,
-  tenant: TenantEntity,
-  user: UserEntity,
-  workspace: WorkspaceEntity
-};
-var controlPlaneService = new import_electrodb8.Service(controlPlaneEntities, {
-  table: defaultTableName,
-  client: dynamoClient
-});
-var DynamoControlService = {
-  entities: controlPlaneService.entities
-};
-function getDynamoControlService(tableName) {
-  const resolved = tableName ?? defaultTableName;
-  const service = new import_electrodb8.Service(controlPlaneEntities, {
-    table: resolved,
-    client: dynamoClient
-  });
+  const email = attrs.email?.trim();
+  const displayName = email || event.userName || cognitoSub;
   return {
-    entities: service.entities
+    cognitoSub,
+    ...email ? { email } : {},
+    displayName,
+    trigger: {
+      source: "cognito.post-confirmation",
+      triggerSource: event.triggerSource,
+      userPoolId: event.userPoolId,
+      userName: event.userName,
+      clientId: event.callerContext?.clientId
+    }
   };
-}
+};
 
 // src/components/cognito/post-confirmation.handler.ts
-function summaryFor(resource) {
-  return JSON.stringify((0, import_types.extractSummary)(resource));
-}
+var eventBridgeClient = new import_client_eventbridge.EventBridgeClient({});
 var handler = async (event, _context) => {
   try {
-    const { sub, email } = event.request.userAttributes;
-    const displayName = email ?? event.userName ?? sub;
-    const userId = (0, import_ulid.ulid)();
-    const tenantId = (0, import_ulid.ulid)();
-    const workspaceId = (0, import_ulid.ulid)();
-    const userTenantMembershipId = (0, import_ulid.ulid)();
-    const userWorkspaceMembershipId = (0, import_ulid.ulid)();
-    const roleAssignmentId = (0, import_ulid.ulid)();
-    const lastUpdated = (/* @__PURE__ */ new Date()).toISOString();
-    const vid = "1";
-    const service = getDynamoControlService();
-    const tenantResource = {
-      resourceType: "Tenant",
-      id: tenantId,
-      displayName: `${displayName}'s Practice`,
-      status: "active"
-    };
-    const workspaceResource = {
-      resourceType: "Workspace",
-      id: workspaceId,
-      displayName: "Default Workspace",
-      status: "active",
-      tenant: { reference: `Tenant/${tenantId}` }
-    };
-    const userResource = {
-      resourceType: "User",
-      id: userId,
-      displayName,
-      status: "active",
-      currentTenant: { reference: `Tenant/${tenantId}` },
-      currentWorkspace: { reference: `Workspace/${workspaceId}` }
-    };
-    const userTenantMembershipResource = {
-      resourceType: "Membership",
-      id: userTenantMembershipId,
-      status: "active",
-      user: { reference: `User/${userId}` },
-      tenant: { reference: `Tenant/${tenantId}` }
-    };
-    const userWorkspaceMembershipResource = {
-      resourceType: "Membership",
-      id: userWorkspaceMembershipId,
-      status: "active",
-      user: { reference: `User/${userId}` },
-      tenant: { reference: `Tenant/${tenantId}` },
-      workspace: { reference: `Workspace/${workspaceId}` }
-    };
-    const roleAssignmentResource = {
-      resourceType: "RoleAssignment",
-      id: roleAssignmentId,
-      status: "active",
-      user: { reference: `User/${userId}` },
-      tenant: { reference: `Tenant/${tenantId}` },
-      role: "tenant-user"
-    };
-    await service.entities.tenant.put({
-      tenantId,
-      id: tenantId,
-      resource: JSON.stringify(tenantResource),
-      summary: summaryFor(tenantResource),
-      vid,
-      lastUpdated
-    }).go();
-    await service.entities.workspace.put({
-      tenantId,
-      id: workspaceId,
-      resource: JSON.stringify(workspaceResource),
-      summary: summaryFor(workspaceResource),
-      vid,
-      lastUpdated
-    }).go();
-    await service.entities.user.put({
-      id: userId,
-      cognitoSub: sub,
-      resource: JSON.stringify(userResource),
-      summary: summaryFor(userResource),
-      vid,
-      lastUpdated
-    }).go();
-    await service.entities.membership.put({
-      tenantId,
-      id: userTenantMembershipId,
-      resource: JSON.stringify(userTenantMembershipResource),
-      summary: summaryFor(userTenantMembershipResource),
-      vid,
-      lastUpdated
-    }).go();
-    await service.entities.membership.put({
-      tenantId,
-      id: userWorkspaceMembershipId,
-      resource: JSON.stringify(userWorkspaceMembershipResource),
-      summary: summaryFor(userWorkspaceMembershipResource),
-      vid,
-      lastUpdated
-    }).go();
-    await service.entities.roleAssignment.put({
-      tenantId,
-      id: roleAssignmentId,
-      resource: JSON.stringify(roleAssignmentResource),
-      summary: summaryFor(roleAssignmentResource),
-      vid,
-      lastUpdated
-    }).go();
+    const busName = process.env.CONTROL_EVENT_BUS_NAME?.trim();
+    const detail = buildProvisionDefaultWorkspaceRequestedDetail(event);
+    if (!busName || !detail) {
+      console.warn(
+        "PostConfirmation onboarding event not published; missing event bus or cognitoSub"
+      );
+      return event;
+    }
+    const result = await eventBridgeClient.send(
+      new import_client_eventbridge.PutEventsCommand({
+        Entries: [
+          {
+            EventBusName: busName,
+            Source: USER_ONBOARDING_EVENT_SOURCE,
+            DetailType: PROVISION_DEFAULT_WORKSPACE_DETAIL_TYPE,
+            Detail: JSON.stringify(detail)
+          }
+        ]
+      })
+    );
+    if ((result.FailedEntryCount ?? 0) > 0) {
+      console.warn(
+        "PostConfirmation onboarding event publication failed",
+        result.Entries
+      );
+    }
   } catch (err) {
     console.warn(
-      "PostConfirmation onboarding failed; returning event unchanged",
+      "PostConfirmation onboarding event publication failed; returning event unchanged",
       err
     );
   }