@openhi/constructs 0.0.104 → 0.0.106

package/lib/provision-default-workspace.handler.js

@@ -0,0 +1,1172 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/workflows/control-plane/user-onboarding/provision-default-workspace.handler.ts
+var provision_default_workspace_handler_exports = {};
+__export(provision_default_workspace_handler_exports, {
+  handler: () => handler
+});
+module.exports = __toCommonJS(provision_default_workspace_handler_exports);
+var import_node_crypto = require("crypto");
+var import_types9 = require("@openhi/types");
+
+// src/data/dynamo/dynamo-control-service.ts
+var import_electrodb8 = require("electrodb");
+
+// src/data/dynamo/dynamo-client.ts
+var import_client_dynamodb = require("@aws-sdk/client-dynamodb");
+var defaultTableName = process.env.DYNAMO_TABLE_NAME ?? "jesttesttable";
+var dynamoClient = new import_client_dynamodb.DynamoDBClient({
+  ...process.env.MOCK_DYNAMODB_ENDPOINT && {
+    endpoint: process.env.MOCK_DYNAMODB_ENDPOINT,
+    sslEnabled: false,
+    region: "local"
+  }
+});
+
+// src/data/dynamo/entities/control/configuration-entity.ts
+var import_electrodb = require("electrodb");
+
+// src/data/dynamo/entities/control/control-entity-common.ts
+var import_types = require("@openhi/types");
+
+// src/data/dynamo/shard.ts
+var SHARD_COUNT = 4;
+function computeShard(id) {
+  let hash = 2166136261;
+  for (let i = 0; i < id.length; i++) {
+    hash ^= id.charCodeAt(i);
+    hash = Math.imul(hash, 16777619);
+  }
+  return (hash >>> 0) % SHARD_COUNT;
+}
+
+// src/data/dynamo/entities/control/control-entity-common.ts
+var gsi1ShardAttribute = {
+  type: "string",
+  watch: ["id"],
+  set: (_val, item) => {
+    if (typeof item?.id !== "string" || item.id.length === 0) {
+      return void 0;
+    }
+    return String(computeShard(item.id));
+  }
+};
+var gsi1skAttribute = {
+  type: "string",
+  watch: ["resource", "lastUpdated", "id"],
+  set: (_val, item) => {
+    const id = typeof item?.id === "string" ? item.id : "";
+    const lastUpdated = typeof item?.lastUpdated === "string" ? item.lastUpdated : "";
+    const fallback = `${lastUpdated}#${id}`;
+    if (typeof item?.resource !== "string" || item.resource.length === 0) {
+      return fallback;
+    }
+    let parsed;
+    try {
+      parsed = JSON.parse(item.resource);
+    } catch {
+      return fallback;
+    }
+    if (!parsed || typeof parsed !== "object") return fallback;
+    const resourceType = parsed.resourceType;
+    if (typeof resourceType !== "string") return fallback;
+    const label = (0, import_types.extractLabel)(parsed);
+    return label !== void 0 ? `${label}#${id}` : fallback;
+  }
+};
+
+// src/data/dynamo/entities/control/configuration-entity.ts
+var ConfigurationEntity = new import_electrodb.Entity({
+  model: {
+    entity: "configuration",
+    service: "control",
+    version: "01"
+  },
+  attributes: {
+    /** Sort key. "CURRENT" for current version; version history in S3. */
+    sk: {
+      type: "string",
+      required: true,
+      default: "CURRENT"
+    },
+    /** Tenant scope. Use "BASELINE" when the config is baseline default (no tenant). */
+    tenantId: {
+      type: "string",
+      required: true,
+      default: "BASELINE"
+    },
+    /** Workspace scope. Use "-" when absent. */
+    workspaceId: {
+      type: "string",
+      required: true,
+      default: "-"
+    },
+    /** User scope. Use "-" when absent. */
+    userId: {
+      type: "string",
+      required: true,
+      default: "-"
+    },
+    /** Role scope. Use "-" when absent. */
+    roleId: {
+      type: "string",
+      required: true,
+      default: "-"
+    },
+    /** Config type (category), e.g. endpoints, branding, display. */
+    key: {
+      type: "string",
+      required: true
+    },
+    /** FHIR Resource.id; logical id in URL and for the Configuration resource. */
+    id: {
+      type: "string",
+      required: true
+    },
+    /** Payload as JSON string. JSON.stringify(resource) on write; JSON.parse(item.resource) on read. */
+    resource: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Summary projection (key display fields as JSON string: id, key, status).
+     * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.
+     */
+    summary: {
+      type: "string",
+      required: true
+    },
+    /** Version id (e.g. ULID). Tracks current version; S3 history key. */
+    vid: {
+      type: "string",
+      required: true
+    },
+    lastUpdated: {
+      type: "string",
+      required: true
+    },
+    gsi1Shard: gsi1ShardAttribute,
+    deleted: {
+      type: "boolean",
+      required: false
+    },
+    bundleId: {
+      type: "string",
+      required: false
+    },
+    msgId: {
+      type: "string",
+      required: false
+    }
+  },
+  indexes: {
+    /** Base table: PK, SK (data store key names). PK is built from tenantId, workspaceId, userId, roleId; SK is built from key and sk. Do not supply PK or SK from outside. */
+    record: {
+      pk: {
+        field: "PK",
+        composite: ["tenantId", "workspaceId", "userId", "roleId"],
+        template: "CONFIG#TID#${tenantId}#WID#${workspaceId}#UID#${userId}#RID#${roleId}"
+      },
+      sk: {
+        field: "SK",
+        composite: ["key", "sk"],
+        template: "KEY#${key}#SK#${sk}"
+      }
+    },
+    /**
+     * GSI1 — Unified Sharded List per ADR-011: list all Configuration entries for a
+     * (tenant, workspace) across the four shards. Use for "list configs scoped to this tenant"
+     * (workspaceId = "-") or "list configs scoped to this workspace". Does not support
+     * hierarchical resolution in one query; use base table GetItem in fallback order
+     * (user → workspace → tenant → baseline) for that.
+     * SK is `<key>#<id>` — Configuration's `key` is a required entity attribute (the
+     * config category: endpoints, branding, display, …) and the natural sort/lookup
+     * dimension. `casing: "none"` preserves the literal key value.
+     */
+    gsi1: {
+      index: "GSI1",
+      pk: {
+        field: "GSI1PK",
+        composite: ["tenantId", "workspaceId", "gsi1Shard"],
+        template: "TID#${tenantId}#WID#${workspaceId}#RT#Configuration#SHARD#${gsi1Shard}"
+      },
+      sk: {
+        field: "GSI1SK",
+        casing: "none",
+        composite: ["key", "id"],
+        template: "${key}#${id}"
+      }
+    }
+  }
+});
+
+// src/data/dynamo/entities/control/membership-entity.ts
+var import_electrodb2 = require("electrodb");
+var MembershipEntity = new import_electrodb2.Entity({
+  model: {
+    entity: "membership",
+    service: "control",
+    version: "01"
+  },
+  attributes: {
+    /** Sort key sentinel. Always "CURRENT". */
+    sk: {
+      type: "string",
+      required: true,
+      default: "CURRENT"
+    },
+    /** Tenant in which the user has membership (required). */
+    tenantId: {
+      type: "string",
+      required: true
+    },
+    /** FHIR Resource.id; membership id. */
+    id: {
+      type: "string",
+      required: true
+    },
+    /** Full Membership resource serialized as JSON string. */
+    resource: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Summary projection (key display fields as JSON string: id, displayName, status).
+     * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.
+     */
+    summary: {
+      type: "string",
+      required: true
+    },
+    /** Version id (e.g. ULID). */
+    vid: {
+      type: "string",
+      required: true
+    },
+    lastUpdated: {
+      type: "string",
+      required: true
+    },
+    gsi1Shard: gsi1ShardAttribute,
+    /** Derived GSI1 sort key — name-based when extractable; else `<lastUpdated>#<id>`. */
+    gsi1sk: gsi1skAttribute,
+    deleted: {
+      type: "boolean",
+      required: false
+    },
+    bundleId: {
+      type: "string",
+      required: false
+    },
+    msgId: {
+      type: "string",
+      required: false
+    }
+  },
+  indexes: {
+    /** Base table: PK = TID#<tenantId>#MEMBERSHIP#ID#<id>, SK = CURRENT. Do not supply PK or SK from outside. */
+    record: {
+      pk: {
+        field: "PK",
+        composite: ["tenantId", "id"],
+        template: "TID#${tenantId}#MEMBERSHIP#ID#${id}"
+      },
+      sk: {
+        field: "SK",
+        composite: ["sk"],
+        template: "${sk}"
+      }
+    },
+    /**
+     * GSI1 — Unified Sharded List per ADR-011: list all Memberships for a tenant across the
+     * four shards. Membership is tenant-scoped only, so `WID#-` is a sentinel.
+     * SK is derived via `gsi1skAttribute` — uses the resource's natural label when
+     * extractable, else `<lastUpdated>#<id>` (DR-004). `casing: "none"` preserves the
+     * normalized label and ISO-8601 `T`/`Z`.
+     */
+    gsi1: {
+      index: "GSI1",
+      pk: {
+        field: "GSI1PK",
+        composite: ["tenantId", "gsi1Shard"],
+        template: "TID#${tenantId}#WID#-#RT#Membership#SHARD#${gsi1Shard}"
+      },
+      sk: {
+        field: "GSI1SK",
+        casing: "none",
+        composite: ["gsi1sk"],
+        template: "${gsi1sk}"
+      }
+    }
+  }
+});
+
+// src/data/dynamo/entities/control/role-entity.ts
+var import_electrodb3 = require("electrodb");
+var RoleEntity = new import_electrodb3.Entity({
+  model: {
+    entity: "role",
+    service: "control",
+    version: "01"
+  },
+  attributes: {
+    /** Sort key sentinel. Always "CURRENT". */
+    sk: {
+      type: "string",
+      required: true,
+      default: "CURRENT"
+    },
+    /** FHIR Resource.id; role id. */
+    id: {
+      type: "string",
+      required: true
+    },
+    /** Full Role resource serialized as JSON string. */
+    resource: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Summary projection (key display fields as JSON string: id, displayName, status).
+     * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.
+     */
+    summary: {
+      type: "string",
+      required: true
+    },
+    /** Version id (e.g. ULID). */
+    vid: {
+      type: "string",
+      required: true
+    },
+    lastUpdated: {
+      type: "string",
+      required: true
+    },
+    gsi1Shard: gsi1ShardAttribute,
+    /** Derived GSI1 sort key — name-based when extractable; else `<lastUpdated>#<id>`. */
+    gsi1sk: gsi1skAttribute,
+    deleted: {
+      type: "boolean",
+      required: false
+    },
+    bundleId: {
+      type: "string",
+      required: false
+    },
+    msgId: {
+      type: "string",
+      required: false
+    }
+  },
+  indexes: {
+    /** Base table: PK = ROLE#ID#<id>, SK = CURRENT. Do not supply PK or SK from outside. */
+    record: {
+      pk: {
+        field: "PK",
+        composite: ["id"],
+        template: "ROLE#ID#${id}"
+      },
+      sk: {
+        field: "SK",
+        composite: ["sk"],
+        template: "${sk}"
+      }
+    },
+    /**
+     * GSI1 — Unified Sharded List per ADR-011: list all Roles across the four shards.
+     * Non-tenant-isolated, so `TID#-#WID#-` sentinels precede `RT#Role#SHARD#<n>`.
+     * SK is derived via `gsi1skAttribute` — uses the resource's natural label when
+     * extractable, else `<lastUpdated>#<id>` (DR-004). `casing: "none"` preserves the
+     * normalized label and ISO-8601 `T`/`Z`.
+     */
+    gsi1: {
+      index: "GSI1",
+      pk: {
+        field: "GSI1PK",
+        composite: ["gsi1Shard"],
+        template: "TID#-#WID#-#RT#Role#SHARD#${gsi1Shard}"
+      },
+      sk: {
+        field: "GSI1SK",
+        casing: "none",
+        composite: ["gsi1sk"],
+        template: "${gsi1sk}"
+      }
+    }
+  }
+});
+
+// src/data/dynamo/entities/control/roleassignment-entity.ts
+var import_electrodb4 = require("electrodb");
+var RoleAssignmentEntity = new import_electrodb4.Entity({
+  model: {
+    entity: "roleassignment",
+    service: "control",
+    version: "01"
+  },
+  attributes: {
+    /** Sort key sentinel. Always "CURRENT". */
+    sk: {
+      type: "string",
+      required: true,
+      default: "CURRENT"
+    },
+    /** Tenant in which the role assignment applies (required). */
+    tenantId: {
+      type: "string",
+      required: true
+    },
+    /** FHIR Resource.id; role assignment id. */
+    id: {
+      type: "string",
+      required: true
+    },
+    /** Full RoleAssignment resource serialized as JSON string. */
+    resource: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Summary projection (key display fields as JSON string: id, displayName, status).
+     * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.
+     */
+    summary: {
+      type: "string",
+      required: true
+    },
+    /** Version id (e.g. ULID). */
+    vid: {
+      type: "string",
+      required: true
+    },
+    lastUpdated: {
+      type: "string",
+      required: true
+    },
+    gsi1Shard: gsi1ShardAttribute,
+    /** Derived GSI1 sort key — name-based when extractable; else `<lastUpdated>#<id>`. */
+    gsi1sk: gsi1skAttribute,
+    deleted: {
+      type: "boolean",
+      required: false
+    },
+    bundleId: {
+      type: "string",
+      required: false
+    },
+    msgId: {
+      type: "string",
+      required: false
+    }
+  },
+  indexes: {
+    /** Base table: PK = TID#<tenantId>#ROLEASSIGNMENT#ID#<id>, SK = CURRENT. Do not supply PK or SK from outside. */
+    record: {
+      pk: {
+        field: "PK",
+        composite: ["tenantId", "id"],
+        template: "TID#${tenantId}#ROLEASSIGNMENT#ID#${id}"
+      },
+      sk: {
+        field: "SK",
+        composite: ["sk"],
+        template: "${sk}"
+      }
+    },
+    /**
+     * GSI1 — Unified Sharded List per ADR-011: list all RoleAssignments for a tenant across the
+     * four shards. Tenant-scoped only, so `WID#-` is a sentinel.
+     * SK is derived via `gsi1skAttribute` — uses the resource's natural label when
+     * extractable, else `<lastUpdated>#<id>` (DR-004). `casing: "none"` preserves the
+     * normalized label and ISO-8601 `T`/`Z`.
+     */
+    gsi1: {
+      index: "GSI1",
+      pk: {
+        field: "GSI1PK",
+        composite: ["tenantId", "gsi1Shard"],
+        template: "TID#${tenantId}#WID#-#RT#RoleAssignment#SHARD#${gsi1Shard}"
+      },
+      sk: {
+        field: "GSI1SK",
+        casing: "none",
+        composite: ["gsi1sk"],
+        template: "${gsi1sk}"
+      }
+    }
+  }
+});
+
+// src/data/dynamo/entities/control/tenant-entity.ts
+var import_electrodb5 = require("electrodb");
+var TenantEntity = new import_electrodb5.Entity({
+  model: {
+    entity: "tenant",
+    service: "control",
+    version: "01"
+  },
+  attributes: {
+    /** Sort key sentinel. Always "CURRENT". */
+    sk: {
+      type: "string",
+      required: true,
+      default: "CURRENT"
+    },
+    /** The tenant's own id (= resource id). Drives the partition key. */
+    tenantId: {
+      type: "string",
+      required: true
+    },
+    /** FHIR Resource.id; logical id in URL. Equals tenantId. */
+    id: {
+      type: "string",
+      required: true
+    },
+    /** Full Tenant resource serialized as JSON string. */
+    resource: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Summary projection (key display fields as JSON string: id, displayName, status).
+     * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.
+     */
+    summary: {
+      type: "string",
+      required: true
+    },
+    /** Version id (e.g. ULID). */
+    vid: {
+      type: "string",
+      required: true
+    },
+    lastUpdated: {
+      type: "string",
+      required: true
+    },
+    gsi1Shard: gsi1ShardAttribute,
+    /** Derived GSI1 sort key — name-based when extractable; else `<lastUpdated>#<id>`. */
+    gsi1sk: gsi1skAttribute,
+    deleted: {
+      type: "boolean",
+      required: false
+    },
+    bundleId: {
+      type: "string",
+      required: false
+    },
+    msgId: {
+      type: "string",
+      required: false
+    }
+  },
+  indexes: {
+    /** Base table: PK = TENANT#ID#<tenantId>, SK = CURRENT. Do not supply PK or SK from outside. */
+    record: {
+      pk: {
+        field: "PK",
+        composite: ["tenantId"],
+        template: "TENANT#ID#${tenantId}"
+      },
+      sk: {
+        field: "SK",
+        composite: ["sk"],
+        template: "${sk}"
+      }
+    },
+    /**
+     * GSI1 — Unified Sharded List per ADR-011: list all Tenants across the four shards.
+     * Tenant lives at the platform tier (no parent tenant or workspace), so `TID#-#WID#-`
+     * sentinels precede `RT#Tenant#SHARD#<n>`. SK is derived via `gsi1skAttribute` —
+     * `<normalizedName>#<id>` when the resource carries a `name`, else `<lastUpdated>#<id>`
+     * (DR-004). `casing: "none"` preserves the normalized label and ISO-8601 `T`/`Z`.
+     */
+    gsi1: {
+      index: "GSI1",
+      pk: {
+        field: "GSI1PK",
+        composite: ["gsi1Shard"],
+        template: "TID#-#WID#-#RT#Tenant#SHARD#${gsi1Shard}"
+      },
+      sk: {
+        field: "GSI1SK",
+        casing: "none",
+        composite: ["gsi1sk"],
+        template: "${gsi1sk}"
+      }
+    }
+  }
+});
+
+// src/data/dynamo/entities/control/user-entity.ts
+var import_electrodb6 = require("electrodb");
+var UserEntity = new import_electrodb6.Entity({
+  model: {
+    entity: "user",
+    service: "control",
+    version: "01"
+  },
+  attributes: {
+    /** Sort key sentinel. Always "CURRENT". */
+    sk: {
+      type: "string",
+      required: true,
+      default: "CURRENT"
+    },
+    /** FHIR Resource.id; platform user id (ohi_uid). */
+    id: {
+      type: "string",
+      required: true
+    },
+    /** Full User resource serialized as JSON string. */
+    resource: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Summary projection (key display fields as JSON string: id, displayName, status).
+     * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.
+     */
+    summary: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Immutable Cognito-issued `sub` claim. Drives GSI2 (sub-lookup). Optional until the
+     * Post Confirmation Lambda (#770) lands; required thereafter.
+     */
+    cognitoSub: {
+      type: "string",
+      required: false
+    },
+    /** Version id (e.g. ULID). */
+    vid: {
+      type: "string",
+      required: true
+    },
+    lastUpdated: {
+      type: "string",
+      required: true
+    },
+    gsi1Shard: gsi1ShardAttribute,
+    /** Derived GSI1 sort key — name-based when extractable; else `<lastUpdated>#<id>`. */
+    gsi1sk: gsi1skAttribute,
+    deleted: {
+      type: "boolean",
+      required: false
+    },
+    bundleId: {
+      type: "string",
+      required: false
+    },
+    msgId: {
+      type: "string",
+      required: false
+    }
+  },
+  indexes: {
+    /** Base table: PK = USER#ID#<id>, SK = CURRENT. Do not supply PK or SK from outside. */
+    record: {
+      pk: {
+        field: "PK",
+        composite: ["id"],
+        template: "USER#ID#${id}"
+      },
+      sk: {
+        field: "SK",
+        composite: ["sk"],
+        template: "${sk}"
+      }
+    },
+    /**
+     * GSI1 — Unified Sharded List per ADR-011: list all Users across the four shards.
+     * Non-tenant-isolated, so `TID#-#WID#-` sentinels precede `RT#User#SHARD#<n>`.
+     * SK is derived via `gsi1skAttribute` — uses the resource's natural label when
+     * extractable (string `name`/`title` via introspection), else `<lastUpdated>#<id>`
+     * (DR-004). `casing: "none"` preserves the normalized label and ISO-8601 `T`/`Z`.
+     */
+    gsi1: {
+      index: "GSI1",
+      pk: {
+        field: "GSI1PK",
+        composite: ["gsi1Shard"],
+        template: "TID#-#WID#-#RT#User#SHARD#${gsi1Shard}"
+      },
+      sk: {
+        field: "GSI1SK",
+        casing: "none",
+        composite: ["gsi1sk"],
+        template: "${gsi1sk}"
+      }
+    },
+    /**
+     * GSI2 — Cognito sub-lookup per ADR-011: resolves the UserEntity from a Cognito `sub` claim.
+     * `condition` skips the index when `cognitoSub` is missing so legacy items without a sub are
+     * not indexed.
+     */
+    gsi2: {
+      index: "GSI2",
+      condition: (attrs) => typeof attrs.cognitoSub === "string" && attrs.cognitoSub.length > 0,
+      pk: {
+        field: "GSI2PK",
+        casing: "none",
+        composite: ["cognitoSub"],
+        template: "USER#SUB#${cognitoSub}"
+      },
+      sk: {
+        field: "GSI2SK",
+        casing: "none",
+        composite: [],
+        template: "CURRENT"
+      }
+    }
+  }
+});
+
+// src/data/dynamo/entities/control/workspace-entity.ts
+var import_electrodb7 = require("electrodb");
+var WorkspaceEntity = new import_electrodb7.Entity({
+  model: {
+    entity: "workspace",
+    service: "control",
+    version: "01"
+  },
+  attributes: {
+    /** Sort key sentinel. Always "CURRENT". */
+    sk: {
+      type: "string",
+      required: true,
+      default: "CURRENT"
+    },
+    /** Tenant that contains this workspace (required). */
+    tenantId: {
+      type: "string",
+      required: true
+    },
+    /** FHIR Resource.id; logical id in URL. */
+    id: {
+      type: "string",
+      required: true
+    },
+    /** Full Workspace resource serialized as JSON string. */
+    resource: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Summary projection (key display fields as JSON string: id, displayName, status).
+     * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.
+     */
+    summary: {
+      type: "string",
+      required: true
+    },
+    /** Version id (e.g. ULID). */
+    vid: {
+      type: "string",
+      required: true
+    },
+    lastUpdated: {
+      type: "string",
+      required: true
+    },
+    gsi1Shard: gsi1ShardAttribute,
+    /** Derived GSI1 sort key — name-based when extractable; else `<lastUpdated>#<id>`. */
+    gsi1sk: gsi1skAttribute,
+    deleted: {
+      type: "boolean",
+      required: false
+    },
+    bundleId: {
+      type: "string",
+      required: false
+    },
+    msgId: {
+      type: "string",
+      required: false
+    }
+  },
+  indexes: {
+    /** Base table: PK = TID#<tenantId>#WORKSPACE#ID#<id>, SK = CURRENT. Do not supply PK or SK from outside. */
+    record: {
+      pk: {
+        field: "PK",
+        composite: ["tenantId", "id"],
+        template: "TID#${tenantId}#WORKSPACE#ID#${id}"
+      },
+      sk: {
+        field: "SK",
+        composite: ["sk"],
+        template: "${sk}"
+      }
+    },
+    /**
+     * GSI1 — Unified Sharded List per ADR-011: list all Workspaces for a tenant across the
+     * four shards. Workspace is itself the workspace identity, so `WID#-` is a sentinel.
+     * SK is derived via `gsi1skAttribute` — `<normalizedName>#<id>` when the resource
+     * carries a `name`, else `<lastUpdated>#<id>` (DR-004). `casing: "none"` preserves
+     * the normalized label and ISO-8601 `T`/`Z`.
+     */
+    gsi1: {
+      index: "GSI1",
+      pk: {
+        field: "GSI1PK",
+        composite: ["tenantId", "gsi1Shard"],
+        template: "TID#${tenantId}#WID#-#RT#Workspace#SHARD#${gsi1Shard}"
+      },
+      sk: {
+        field: "GSI1SK",
+        casing: "none",
+        composite: ["gsi1sk"],
+        template: "${gsi1sk}"
+      }
+    }
+  }
+});
+
+// src/data/dynamo/dynamo-control-service.ts
+var controlPlaneEntities = {
+  configuration: ConfigurationEntity,
+  membership: MembershipEntity,
+  role: RoleEntity,
+  roleAssignment: RoleAssignmentEntity,
+  tenant: TenantEntity,
+  user: UserEntity,
+  workspace: WorkspaceEntity
+};
+var controlPlaneService = new import_electrodb8.Service(controlPlaneEntities, {
+  table: defaultTableName,
+  client: dynamoClient
+});
+var DynamoControlService = {
+  entities: controlPlaneService.entities
+};
+function getDynamoControlService(tableName) {
+  const resolved = tableName ?? defaultTableName;
+  const service = new import_electrodb8.Service(controlPlaneEntities, {
+    table: resolved,
+    client: dynamoClient
+  });
+  return {
+    entities: service.entities
+  };
+}
+
+// src/data/operations/control/membership/membership-create-operation.ts
+var import_types2 = require("@openhi/types");
+async function createMembershipOperation(params) {
+  const { context, body, tableName } = params;
+  const service = getDynamoControlService(tableName);
+  const id = body.id ?? `membership-${Date.now()}`;
+  const parsedResource = typeof body.resource === "string" ? JSON.parse(body.resource) : body.resource ?? {};
+  const lastUpdated = context.date ?? (/* @__PURE__ */ new Date()).toISOString();
+  const vid = `1`;
+  const resource = { resourceType: "Membership", id, ...parsedResource };
+  const summary = JSON.stringify((0, import_types2.extractSummary)(resource));
+  await service.entities.membership.put({
+    tenantId: context.tenantId,
+    id,
+    resource: JSON.stringify(resource),
+    summary,
+    vid,
+    lastUpdated
+  }).go();
+  return {
+    id,
+    resource,
+    meta: { lastUpdated, versionId: vid }
+  };
+}
+
+// src/data/operations/control/roleassignment/roleassignment-create-operation.ts
+var import_types3 = require("@openhi/types");
+async function createRoleAssignmentOperation(params) {
+  const { context, body, tableName } = params;
+  const service = getDynamoControlService(tableName);
+  const id = body.id ?? `roleassignment-${Date.now()}`;
+  const parsedResource = typeof body.resource === "string" ? JSON.parse(body.resource) : body.resource ?? {};
+  const lastUpdated = context.date ?? (/* @__PURE__ */ new Date()).toISOString();
+  const vid = `1`;
+  const resource = { resourceType: "RoleAssignment", id, ...parsedResource };
+  const summary = JSON.stringify((0, import_types3.extractSummary)(resource));
+  await service.entities.roleAssignment.put({
+    tenantId: context.tenantId,
+    id,
+    resource: JSON.stringify(resource),
+    summary,
+    vid,
+    lastUpdated
+  }).go();
+  return {
+    id,
+    resource,
+    meta: { lastUpdated, versionId: vid }
+  };
+}
+
+// src/data/operations/control/tenant/tenant-create-operation.ts
+var import_types4 = require("@openhi/types");
+async function createTenantOperation(params) {
+  const { context, body, tableName } = params;
+  const service = getDynamoControlService(tableName);
+  const id = body.id ?? `tenant-${Date.now()}`;
+  const lastUpdated = context.date;
+  const vid = lastUpdated.replace(/[-:T.Z]/g, "").slice(0, 12) || Date.now().toString(36);
+  const parsedResource = typeof body.resource === "string" ? JSON.parse(body.resource) : body.resource ?? {};
+  const resource = { resourceType: "Tenant", id, ...parsedResource };
+  const summary = JSON.stringify((0, import_types4.extractSummary)(resource));
+  await service.entities.tenant.put({
+    tenantId: id,
+    id,
+    resource: JSON.stringify(resource),
+    summary,
+    vid,
+    lastUpdated
+  }).go();
+  return { id, resource, meta: { lastUpdated, versionId: vid } };
+}
+
+// src/data/operations/control/user/user-create-operation.ts
+var import_types5 = require("@openhi/types");
+
+// src/data/operations/control/user/user-find-by-sub-operation.ts
+async function findUserBySubOperation(params) {
+  const { cognitoSub, tableName } = params;
+  const service = getDynamoControlService(tableName);
+  const result = await service.entities.user.query.gsi2({ cognitoSub }).go({ limit: 1 });
+  const item = result.data?.[0];
+  if (!item) {
+    return void 0;
+  }
+  return {
+    id: item.id,
+    cognitoSub: item.cognitoSub,
+    resource: item.resource,
+    vid: item.vid
+  };
+}
+
+// src/data/operations/data-operations-common.ts
+var import_types6 = require("@openhi/types");
+
+// src/lib/compression.ts
+var import_node_zlib = require("zlib");
+
+// src/data/operations/control/user/user-update-operation.ts
+var import_types7 = require("@openhi/types");
+
+// src/data/operations/control/user/user-resource-helpers.ts
+function parseUserResource(resource) {
+  try {
+    return JSON.parse(resource);
+  } catch {
+    return void 0;
+  }
+}
+
+// src/data/operations/control/workspace/workspace-create-operation.ts
+var import_types8 = require("@openhi/types");
+async function createWorkspaceOperation(params) {
+  const { context, body, tableName } = params;
+  const { tenantId } = context;
+  const service = getDynamoControlService(tableName);
+  const id = body.id ?? `workspace-${Date.now()}`;
+  const lastUpdated = context.date;
+  const vid = lastUpdated.replace(/[-:T.Z]/g, "").slice(0, 12) || Date.now().toString(36);
+  const parsedResource = typeof body.resource === "string" ? JSON.parse(body.resource) : body.resource ?? {};
+  const resource = { resourceType: "Workspace", id, ...parsedResource };
+  const summary = JSON.stringify((0, import_types8.extractSummary)(resource));
+  await service.entities.workspace.put({
+    tenantId,
+    id,
+    resource: JSON.stringify(resource),
+    summary,
+    vid,
+    lastUpdated
+  }).go();
+  return { id, resource, meta: { lastUpdated, versionId: vid } };
+}
+
+// src/data/operations/fhir-reference.ts
+function idFromReference(reference, prefix) {
+  if (!reference || !reference.startsWith(prefix)) {
+    return void 0;
+  }
+  const id = reference.slice(prefix.length);
+  return id.length > 0 ? id : void 0;
+}
+
+// src/workflows/control-plane/user-onboarding/provision-default-workspace.handler.ts
+var CURRENT_SK = "CURRENT";
+var VID = "1";
+var summaryFor = (resource) => {
+  return JSON.stringify((0, import_types9.extractSummary)(resource));
+};
+var stableOnboardingId = (kind, cognitoSub) => {
+  return (0, import_node_crypto.createHash)("sha256").update(kind).update("\0").update(cognitoSub).digest("hex").slice(0, 26).toUpperCase();
+};
+var handler = async (event) => {
+  const detail = event.detail;
+  if (!detail?.cognitoSub) {
+    console.warn(
+      "ProvisionDefaultWorkspace: event missing cognitoSub; skipping"
+    );
+    return;
+  }
+  const service = getDynamoControlService();
+  const existingUser = await findUserBySubOperation({
+    context: {
+      tenantId: "",
+      workspaceId: "",
+      date: "",
+      actorId: "",
+      actorName: "",
+      actorType: "internal-system"
+    },
+    cognitoSub: detail.cognitoSub
+  });
+  const existingResource = existingUser ? parseUserResource(existingUser.resource) : void 0;
+  const existingTenantId = idFromReference(
+    existingResource?.currentTenant?.reference,
+    "Tenant/"
+  );
+  const existingWorkspaceId = idFromReference(
+    existingResource?.currentWorkspace?.reference,
+    "Workspace/"
+  );
+  if (existingUser && existingTenantId && existingWorkspaceId) {
+    return;
+  }
+  const displayName = detail.displayName || detail.email || event.resources?.[0] || detail.cognitoSub;
+  const userId = existingUser?.id ?? detail.userId ?? stableOnboardingId("user", detail.cognitoSub);
+  const tenantId = stableOnboardingId("tenant", detail.cognitoSub);
+  const workspaceId = stableOnboardingId("workspace", detail.cognitoSub);
+  const userTenantMembershipId = stableOnboardingId(
+    "tenant-membership",
+    detail.cognitoSub
+  );
+  const userWorkspaceMembershipId = stableOnboardingId(
+    "workspace-membership",
+    detail.cognitoSub
+  );
+  const roleAssignmentId = stableOnboardingId(
+    "tenant-user-role-assignment",
+    detail.cognitoSub
+  );
+  const lastUpdated = (/* @__PURE__ */ new Date()).toISOString();
+  const context = {
+    tenantId,
+    workspaceId,
+    date: lastUpdated,
+    actorId: userId,
+    actorName: displayName,
+    actorType: "internal-system"
+  };
+  const tenantResource = {
+    id: tenantId,
+    displayName: `${displayName}'s Practice`,
+    status: "active"
+  };
+  const workspaceResource = {
+    id: workspaceId,
+    displayName: "Default Workspace",
+    status: "active",
+    tenant: { reference: `Tenant/${tenantId}` }
+  };
+  const userResource = {
+    ...existingResource ?? {},
+    resourceType: "User",
+    id: userId,
+    name: existingResource?.name ?? [{ text: displayName }],
+    status: "active",
+    currentTenant: { reference: `Tenant/${tenantId}` },
+    currentWorkspace: { reference: `Workspace/${workspaceId}` }
+  };
+  const userTenantMembershipResource = {
+    id: userTenantMembershipId,
+    status: "active",
+    user: { reference: `User/${userId}` },
+    tenant: { reference: `Tenant/${tenantId}` }
+  };
+  const userWorkspaceMembershipResource = {
+    id: userWorkspaceMembershipId,
+    status: "active",
+    user: { reference: `User/${userId}` },
+    tenant: { reference: `Tenant/${tenantId}` },
+    workspace: { reference: `Workspace/${workspaceId}` }
+  };
+  const roleAssignmentResource = {
+    id: roleAssignmentId,
+    status: "active",
+    user: { reference: `User/${userId}` },
+    tenant: { reference: `Tenant/${tenantId}` },
+    role: "tenant-user"
+  };
+  await createTenantOperation({
+    context,
+    body: { id: tenantId, resource: tenantResource }
+  });
+  await createWorkspaceOperation({
+    context,
+    body: { id: workspaceId, resource: workspaceResource }
+  });
+  if (existingUser) {
+    await service.entities.user.patch({ id: userId, sk: CURRENT_SK }).set({
+      resource: JSON.stringify(userResource),
+      summary: summaryFor(userResource),
+      cognitoSub: detail.cognitoSub,
+      vid: VID,
+      lastUpdated
+    }).go();
+  } else {
+    await service.entities.user.put({
+      id: userId,
+      cognitoSub: detail.cognitoSub,
+      resource: JSON.stringify(userResource),
+      summary: summaryFor(userResource),
+      vid: VID,
+      lastUpdated
+    }).go();
+  }
+  await createMembershipOperation({
+    context,
+    body: {
+      id: userTenantMembershipId,
+      resource: userTenantMembershipResource
+    }
+  });
+  await createMembershipOperation({
+    context,
+    body: {
+      id: userWorkspaceMembershipId,
+      resource: userWorkspaceMembershipResource
+    }
+  });
+  await createRoleAssignmentOperation({
+    context,
+    body: { id: roleAssignmentId, resource: roleAssignmentResource }
+  });
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  handler
+});
+//# sourceMappingURL=provision-default-workspace.handler.js.map