npm - @openhi/constructs - Versions diffs - 0.0.105 → 0.0.107 - Mend

@openhi/constructs 0.0.105 → 0.0.107

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (73) hide show

package/lib/chunk-36UPY7YQ.mjs +529 -0
package/lib/chunk-36UPY7YQ.mjs.map +1 -0
package/lib/chunk-AGF3RAAZ.mjs +20 -0
package/lib/chunk-AGF3RAAZ.mjs.map +1 -0
package/lib/{chunk-BXEG7IOZ.mjs → chunk-AO3E22CS.mjs} +2 -2
package/lib/{chunk-WNUH2WDZ.mjs → chunk-CHPEQRXU.mjs} +2 -2
package/lib/chunk-JUNL76HF.mjs +428 -0
package/lib/chunk-JUNL76HF.mjs.map +1 -0
package/lib/chunk-L6UAP4KP.mjs +27 -0
package/lib/chunk-L6UAP4KP.mjs.map +1 -0
package/lib/{chunk-3QS3WKRC.mjs → chunk-LZOMFHX3.mjs} +9 -2
package/lib/chunk-SYBADQXI.mjs +607 -0
package/lib/chunk-SYBADQXI.mjs.map +1 -0
package/lib/chunk-VXX4I3EF.mjs +19 -0
package/lib/chunk-VXX4I3EF.mjs.map +1 -0
package/lib/{chunk-36YCDLLA.mjs → chunk-VYDIGFIX.mjs} +75 -481
package/lib/chunk-VYDIGFIX.mjs.map +1 -0
package/lib/chunk-YU2HRNUP.mjs +33 -0
package/lib/chunk-YU2HRNUP.mjs.map +1 -0
package/lib/chunk-YZZDUJHI.mjs +37 -0
package/lib/chunk-YZZDUJHI.mjs.map +1 -0
package/lib/cors-options-lambda.handler.mjs +1 -1
package/lib/data-store-postgres-replication.handler.mjs +1 -1
package/lib/events-BfrkMoBD.d.mts +44 -0
package/lib/events-BfrkMoBD.d.ts +44 -0
package/lib/events-DPodvl07.d.mts +207 -0
package/lib/events-DPodvl07.d.ts +207 -0
package/lib/firehose-archive-transform.handler.mjs +1 -1
package/lib/index.d.mts +417 -9
package/lib/index.d.ts +663 -10
package/lib/index.js +2398 -111
package/lib/index.js.map +1 -1
package/lib/index.mjs +779 -104
package/lib/index.mjs.map +1 -1
package/lib/openhi-context-CaBH8SFo.d.mts +39 -0
package/lib/openhi-context-CaBH8SFo.d.ts +39 -0
package/lib/platform-deploy-bridge.handler.d.mts +14 -0
package/lib/platform-deploy-bridge.handler.d.ts +14 -0
package/lib/platform-deploy-bridge.handler.js +762 -0
package/lib/platform-deploy-bridge.handler.js.map +1 -0
package/lib/platform-deploy-bridge.handler.mjs +134 -0
package/lib/platform-deploy-bridge.handler.mjs.map +1 -0
package/lib/post-authentication.handler.mjs +1 -1
package/lib/post-confirmation.handler.mjs +1 -1
package/lib/pre-token-generation.handler.js +76 -31
package/lib/pre-token-generation.handler.js.map +1 -1
package/lib/pre-token-generation.handler.mjs +5 -3
package/lib/pre-token-generation.handler.mjs.map +1 -1
package/lib/provision-default-workspace.handler.js +86 -41
package/lib/provision-default-workspace.handler.js.map +1 -1
package/lib/provision-default-workspace.handler.mjs +6 -4
package/lib/provision-default-workspace.handler.mjs.map +1 -1
package/lib/rest-api-lambda.handler.js +114 -59
package/lib/rest-api-lambda.handler.js.map +1 -1
package/lib/rest-api-lambda.handler.mjs +40 -61
package/lib/rest-api-lambda.handler.mjs.map +1 -1
package/lib/seed-demo-data.handler.d.mts +107 -0
package/lib/seed-demo-data.handler.d.ts +107 -0
package/lib/seed-demo-data.handler.js +2037 -0
package/lib/seed-demo-data.handler.js.map +1 -0
package/lib/seed-demo-data.handler.mjs +23 -0
package/lib/seed-demo-data.handler.mjs.map +1 -0
package/lib/seed-system-data.handler.d.mts +64 -0
package/lib/seed-system-data.handler.d.ts +64 -0
package/lib/seed-system-data.handler.js +1631 -0
package/lib/seed-system-data.handler.js.map +1 -0
package/lib/seed-system-data.handler.mjs +135 -0
package/lib/seed-system-data.handler.mjs.map +1 -0
package/package.json +4 -2
package/lib/chunk-36YCDLLA.mjs.map +0 -1
/package/lib/{chunk-BXEG7IOZ.mjs.map → chunk-AO3E22CS.mjs.map} +0 -0
/package/lib/{chunk-WNUH2WDZ.mjs.map → chunk-CHPEQRXU.mjs.map} +0 -0
/package/lib/{chunk-3QS3WKRC.mjs.map → chunk-LZOMFHX3.mjs.map} +0 -0

package/lib/seed-system-data.handler.js ADDED Viewed

@@ -0,0 +1,1631 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __commonJS = (cb, mod) => function __require() {
+  return mod || (0, cb[__getOwnPropNames(cb)[0]])((mod = { exports: {} }).exports, mod), mod.exports;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+// ../workflows/lib/envelope-version.js
+var require_envelope_version = __commonJS({
+  "../workflows/lib/envelope-version.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.ENVELOPE_VERSION = void 0;
+    exports2.isSupportedEnvelopeVersion = isSupportedEnvelopeVersion;
+    exports2.ENVELOPE_VERSION = "1.0";
+    var ENVELOPE_VERSION_PATTERN = /^\d+\.\d+$/;
+    var MIN_SUPPORTED_MAJOR = 1;
+    var MAX_SUPPORTED_MAJOR = 1;
+    function isSupportedEnvelopeVersion(version) {
+      if (!ENVELOPE_VERSION_PATTERN.test(version)) {
+        return false;
+      }
+      const major = Number.parseInt(version.split(".")[0], 10);
+      return major >= MIN_SUPPORTED_MAJOR && major <= MAX_SUPPORTED_MAJOR;
+    }
+  }
+});
+// ../workflows/lib/envelope.js
+var require_envelope = __commonJS({
+  "../workflows/lib/envelope.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.MissingActorContextError = void 0;
+    exports2.isWorkflowUserActor = isWorkflowUserActor;
+    exports2.isWorkflowSystemActor = isWorkflowSystemActor;
+    exports2.workflowUserActorFromClaims = workflowUserActorFromClaims;
+    function isWorkflowUserActor(actor) {
+      return actor.ohi_uid !== void 0;
+    }
+    function isWorkflowSystemActor(actor) {
+      return actor.system !== void 0;
+    }
+    function workflowUserActorFromClaims(claims) {
+      if (claims.ohi_tid === void 0 || claims.ohi_wid === void 0) {
+        throw new MissingActorContextError("workflowUserActorFromClaims: ohi_tid and ohi_wid are required on the workflow user-actor; the caller's JWT is missing one or both. Use a system-actor for pre-provisioning bootstrap workflows.");
+      }
+      return {
+        ohi_tid: claims.ohi_tid,
+        ohi_wid: claims.ohi_wid,
+        ohi_uid: claims.ohi_uid,
+        ohi_uname: claims.ohi_uname
+      };
+    }
+    var MissingActorContextError = class extends Error {
+      /** @param message - human-readable description of the missing claim. */
+      constructor(message) {
+        super(message);
+        this.name = "MissingActorContextError";
+      }
+    };
+    exports2.MissingActorContextError = MissingActorContextError;
+  }
+});
+// ../workflows/lib/sources.js
+var require_sources = __commonJS({
+  "../workflows/lib/sources.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.DEFAULT_BUS_NAME_BY_SOURCE = exports2.OPENHI_OPS_SOURCE = exports2.OPENHI_DATA_SOURCE = exports2.OPENHI_CONTROL_SOURCE = void 0;
+    exports2.OPENHI_CONTROL_SOURCE = "openhi.control";
+    exports2.OPENHI_DATA_SOURCE = "openhi.data";
+    exports2.OPENHI_OPS_SOURCE = "openhi.ops";
+    exports2.DEFAULT_BUS_NAME_BY_SOURCE = {
+      [exports2.OPENHI_CONTROL_SOURCE]: "openhi-control-event-bus",
+      [exports2.OPENHI_DATA_SOURCE]: "openhi-data-event-bus",
+      [exports2.OPENHI_OPS_SOURCE]: "openhi-ops-event-bus"
+    };
+  }
+});
+// ../workflows/lib/detail-types/registry.js
+var require_registry = __commonJS({
+  "../workflows/lib/detail-types/registry.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.InvalidDetailTypeRegistrationError = void 0;
+    exports2.defineDetailType = defineDetailType;
+    exports2.isWellFormedDetailType = isWellFormedDetailType;
+    function defineDetailType(entry) {
+      if (!isWellFormedDetailType(entry.detailType)) {
+        throw new InvalidDetailTypeRegistrationError(`Detail-type "${entry.detailType}" does not match the platform-wide format <area>.<event>.v<integer>. See TR-016 \xA7Open Items #2.`);
+      }
+      return entry;
+    }
+    var DETAIL_TYPE_PATTERN = /^[a-z0-9]+(?:-[a-z0-9]+)*\.[a-z0-9]+(?:-[a-z0-9]+)*\.v\d+$/;
+    function isWellFormedDetailType(detailType) {
+      return DETAIL_TYPE_PATTERN.test(detailType);
+    }
+    var InvalidDetailTypeRegistrationError = class extends Error {
+      /** @param message - human-readable description of the violation. */
+      constructor(message) {
+        super(message);
+        this.name = "InvalidDetailTypeRegistrationError";
+      }
+    };
+    exports2.InvalidDetailTypeRegistrationError = InvalidDetailTypeRegistrationError;
+  }
+});
+// ../workflows/lib/detail-types/platform.js
+var require_platform = __commonJS({
+  "../workflows/lib/detail-types/platform.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.PlatformSystemDataSeededV1 = exports2.PlatformDeploymentCompletedV1 = void 0;
+    var sources_1 = require_sources();
+    var registry_1 = require_registry();
+    exports2.PlatformDeploymentCompletedV1 = (0, registry_1.defineDetailType)({
+      detailType: "platform.deployment-completed.v1",
+      source: sources_1.OPENHI_CONTROL_SOURCE,
+      dedupRequired: true
+    });
+    exports2.PlatformSystemDataSeededV1 = (0, registry_1.defineDetailType)({
+      detailType: "platform.system-data-seeded.v1",
+      source: sources_1.OPENHI_CONTROL_SOURCE,
+      dedupRequired: true
+    });
+  }
+});
+// ../workflows/lib/detail-types/index.js
+var require_detail_types = __commonJS({
+  "../workflows/lib/detail-types/index.js"(exports2) {
+    "use strict";
+    var __createBinding = exports2 && exports2.__createBinding || (Object.create ? (function(o, m, k, k2) {
+      if (k2 === void 0) k2 = k;
+      var desc = Object.getOwnPropertyDescriptor(m, k);
+      if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+        desc = { enumerable: true, get: function() {
+          return m[k];
+        } };
+      }
+      Object.defineProperty(o, k2, desc);
+    }) : (function(o, m, k, k2) {
+      if (k2 === void 0) k2 = k;
+      o[k2] = m[k];
+    }));
+    var __exportStar = exports2 && exports2.__exportStar || function(m, exports3) {
+      for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports3, p)) __createBinding(exports3, m, p);
+    };
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    __exportStar(require_platform(), exports2);
+    __exportStar(require_registry(), exports2);
+  }
+});
+// ../workflows/lib/publisher.js
+var require_publisher = __commonJS({
+  "../workflows/lib/publisher.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.WorkflowPublishError = void 0;
+    exports2.workflowsClient = workflowsClient;
+    exports2.publishWorkflowEvent = publishWorkflowEvent2;
+    var node_crypto_1 = require("crypto");
+    var client_eventbridge_1 = require("@aws-sdk/client-eventbridge");
+    var envelope_version_1 = require_envelope_version();
+    var sources_1 = require_sources();
+    function workflowsClient(bridge, options = {}) {
+      return {
+        publish: (entry, payload, ctx) => publishWorkflowEvent2(bridge, entry, payload, ctx, options)
+      };
+    }
+    async function publishWorkflowEvent2(bridge, entry, payload, ctx, options = {}) {
+      const eventIdGenerator = options.eventIdGenerator ?? (() => (0, node_crypto_1.randomUUID)());
+      const correlationIdGenerator = options.correlationIdGenerator ?? (() => (0, node_crypto_1.randomUUID)());
+      const now = options.now ?? (() => /* @__PURE__ */ new Date());
+      const envelope = {
+        eventId: eventIdGenerator(),
+        attempt: 1,
+        correlationId: ctx.correlationId ?? correlationIdGenerator(),
+        causationId: ctx.causationId ?? null,
+        actor: ctx.actor,
+        occurredAt: now().toISOString(),
+        envelopeVersion: envelope_version_1.ENVELOPE_VERSION,
+        payload
+      };
+      const busName = options.busNameByPlane?.[entry.source] ?? sources_1.DEFAULT_BUS_NAME_BY_SOURCE[entry.source];
+      const result = await bridge.send(new client_eventbridge_1.PutEventsCommand({
+        Entries: [
+          {
+            EventBusName: busName,
+            Source: entry.source,
+            DetailType: entry.detailType,
+            Detail: JSON.stringify(envelope)
+          }
+        ]
+      }));
+      if ((result.FailedEntryCount ?? 0) > 0) {
+        const first = result.Entries?.[0];
+        throw new WorkflowPublishError(`EventBridge rejected ${entry.detailType} publish on bus ${busName}: ${first?.ErrorCode ?? "unknown"} \u2014 ${first?.ErrorMessage ?? "no error message"}`);
+      }
+      return { eventId: envelope.eventId };
+    }
+    var WorkflowPublishError = class extends Error {
+      /** @param message - human-readable description of the failed publish. */
+      constructor(message) {
+        super(message);
+        this.name = "WorkflowPublishError";
+      }
+    };
+    exports2.WorkflowPublishError = WorkflowPublishError;
+  }
+});
+// ../workflows/lib/consumer.js
+var require_consumer = __commonJS({
+  "../workflows/lib/consumer.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.UnsupportedEnvelopeVersionError = exports2.InvalidWorkflowEventError = void 0;
+    exports2.parseWorkflowEvent = parseWorkflowEvent2;
+    var envelope_version_1 = require_envelope_version();
+    function parseWorkflowEvent2(event, expected) {
+      if (event.source !== expected.source) {
+        throw new InvalidWorkflowEventError(`EventBridge source "${event.source}" does not match expected detail-type's source "${expected.source}".`);
+      }
+      if (event["detail-type"] !== expected.detailType) {
+        throw new InvalidWorkflowEventError(`EventBridge detail-type "${event["detail-type"]}" does not match expected "${expected.detailType}".`);
+      }
+      const candidate = asEnvelopeCandidate(event.detail);
+      if (!(0, envelope_version_1.isSupportedEnvelopeVersion)(candidate.envelopeVersion)) {
+        throw new UnsupportedEnvelopeVersionError(`Envelope version "${candidate.envelopeVersion}" is outside the SDK's supported range.`);
+      }
+      const envelope = {
+        eventId: candidate.eventId,
+        attempt: candidate.attempt,
+        correlationId: candidate.correlationId,
+        causationId: candidate.causationId,
+        actor: candidate.actor,
+        occurredAt: candidate.occurredAt,
+        envelopeVersion: candidate.envelopeVersion,
+        payload: candidate.payload
+      };
+      return {
+        envelope,
+        dedupKey: { eventId: envelope.eventId, attempt: envelope.attempt }
+      };
+    }
+    function asEnvelopeCandidate(detail) {
+      if (detail === null || typeof detail !== "object") {
+        throw new InvalidWorkflowEventError("EventBridge detail is not a non-null object.");
+      }
+      const obj = detail;
+      assertString(obj, "eventId");
+      assertPositiveInteger(obj, "attempt");
+      assertString(obj, "correlationId");
+      assertCausationId(obj);
+      assertActor(obj);
+      assertString(obj, "occurredAt");
+      assertString(obj, "envelopeVersion");
+      if (!("payload" in obj)) {
+        throw new InvalidWorkflowEventError("Envelope is missing required field: payload.");
+      }
+      return obj;
+    }
+    function assertString(obj, field) {
+      const value = obj[field];
+      if (typeof value !== "string" || value.length === 0) {
+        throw new InvalidWorkflowEventError(`Envelope field "${field}" must be a non-empty string.`);
+      }
+    }
+    function assertPositiveInteger(obj, field) {
+      const value = obj[field];
+      if (typeof value !== "number" || !Number.isInteger(value) || value < 1) {
+        throw new InvalidWorkflowEventError(`Envelope field "${field}" must be a 1-indexed integer.`);
+      }
+    }
+    function assertCausationId(obj) {
+      if (!("causationId" in obj)) {
+        throw new InvalidWorkflowEventError("Envelope is missing required field: causationId.");
+      }
+      const value = obj.causationId;
+      if (value !== null && (typeof value !== "string" || value.length === 0)) {
+        throw new InvalidWorkflowEventError('Envelope field "causationId" must be a non-empty string or null.');
+      }
+    }
+    function assertActor(obj) {
+      const actor = obj.actor;
+      if (actor === null || typeof actor !== "object") {
+        throw new InvalidWorkflowEventError('Envelope field "actor" must be an object.');
+      }
+      const actorObj = actor;
+      const isUserActor = typeof actorObj.ohi_uid === "string" && typeof actorObj.ohi_uname === "string" && typeof actorObj.ohi_tid === "string" && typeof actorObj.ohi_wid === "string";
+      const isSystemActor = typeof actorObj.system === "string";
+      if (!isUserActor && !isSystemActor) {
+        throw new InvalidWorkflowEventError('Envelope field "actor" must be either a user-actor (ohi_tid, ohi_wid, ohi_uid, ohi_uname) or a system-actor ({ system: string }).');
+      }
+    }
+    var InvalidWorkflowEventError = class extends Error {
+      /** @param message - human-readable description of the validation failure. */
+      constructor(message) {
+        super(message);
+        this.name = "InvalidWorkflowEventError";
+      }
+    };
+    exports2.InvalidWorkflowEventError = InvalidWorkflowEventError;
+    var UnsupportedEnvelopeVersionError = class extends Error {
+      /** @param message - human-readable description of the unsupported version. */
+      constructor(message) {
+        super(message);
+        this.name = "UnsupportedEnvelopeVersionError";
+      }
+    };
+    exports2.UnsupportedEnvelopeVersionError = UnsupportedEnvelopeVersionError;
+  }
+});
+// ../workflows/lib/dedup/env.js
+var require_env = __commonJS({
+  "../workflows/lib/dedup/env.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH = exports2.WORKFLOW_DEDUP_DEFAULT_TTL_SECONDS = exports2.WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR = void 0;
+    exports2.WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR = "OPENHI_WORKFLOW_DEDUP_TABLE_NAME";
+    exports2.WORKFLOW_DEDUP_DEFAULT_TTL_SECONDS = 14 * 24 * 60 * 60;
+    exports2.WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH = 64;
+  }
+});
+// ../workflows/lib/dedup/workflow-dedup-client.js
+var require_workflow_dedup_client = __commonJS({
+  "../workflows/lib/dedup/workflow-dedup-client.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.WorkflowDedupInvalidInputError = exports2.WorkflowDedupTableNameMissingError = void 0;
+    exports2.workflowDedupClient = workflowDedupClient2;
+    exports2.recordIfAbsent = recordIfAbsent;
+    exports2.markFailed = markFailed;
+    exports2.encodeSortKey = encodeSortKey;
+    var client_dynamodb_1 = require("@aws-sdk/client-dynamodb");
+    var env_1 = require_env();
+    function workflowDedupClient2(dynamodb, options = {}) {
+      return {
+        recordIfAbsent: (input) => recordIfAbsent(dynamodb, input, options),
+        markFailed: (input) => markFailed(dynamodb, input, options)
+      };
+    }
+    async function recordIfAbsent(dynamodb, input, options = {}) {
+      assertConsumerName(input.consumerName);
+      assertPositiveInteger(input.attempt, "attempt");
+      const ttlSeconds = input.ttlSeconds ?? options.defaultTtlSeconds ?? env_1.WORKFLOW_DEDUP_DEFAULT_TTL_SECONDS;
+      if (!Number.isInteger(ttlSeconds) || ttlSeconds <= 0) {
+        throw new WorkflowDedupInvalidInputError(`ttlSeconds must be a positive integer; got ${ttlSeconds}.`);
+      }
+      const tableName = resolveTableName(options.tableName);
+      const now = (options.now ?? defaultNow)();
+      const sk = encodeSortKey(input.eventId, input.attempt);
+      const expiresAt = Math.floor(now.getTime() / 1e3) + ttlSeconds;
+      try {
+        await dynamodb.send(new client_dynamodb_1.PutItemCommand({
+          TableName: tableName,
+          Item: {
+            consumerName: { S: input.consumerName },
+            sk: { S: sk },
+            eventId: { S: input.eventId },
+            attempt: { N: String(input.attempt) },
+            recordedAt: { S: now.toISOString() },
+            expiresAt: { N: String(expiresAt) }
+          },
+          ConditionExpression: "attribute_not_exists(consumerName) AND attribute_not_exists(sk)"
+        }));
+        return { recorded: true };
+      } catch (err) {
+        if (err instanceof client_dynamodb_1.ConditionalCheckFailedException) {
+          return { recorded: false, alreadyProcessed: true };
+        }
+        throw err;
+      }
+    }
+    async function markFailed(dynamodb, input, options = {}) {
+      assertConsumerName(input.consumerName);
+      assertPositiveInteger(input.attempt, "attempt");
+      if (input.reason.length === 0) {
+        throw new WorkflowDedupInvalidInputError("reason must be non-empty.");
+      }
+      const tableName = resolveTableName(options.tableName);
+      const now = (options.now ?? defaultNow)();
+      const sk = encodeSortKey(input.eventId, input.attempt);
+      await dynamodb.send(new client_dynamodb_1.UpdateItemCommand({
+        TableName: tableName,
+        Key: {
+          consumerName: { S: input.consumerName },
+          sk: { S: sk }
+        },
+        UpdateExpression: "SET #failed = :failed, #failureReason = :reason, #failedAt = :failedAt",
+        ExpressionAttributeNames: {
+          "#failed": "failed",
+          "#failureReason": "failureReason",
+          "#failedAt": "failedAt"
+        },
+        ExpressionAttributeValues: {
+          ":failed": { BOOL: true },
+          ":reason": { S: input.reason },
+          ":failedAt": { S: now.toISOString() }
+        }
+      }));
+    }
+    function encodeSortKey(eventId, attempt) {
+      if (eventId.length === 0) {
+        throw new WorkflowDedupInvalidInputError("eventId must be non-empty.");
+      }
+      return `${eventId}#${attempt}`;
+    }
+    function resolveTableName(explicit) {
+      const name = explicit ?? process.env[env_1.WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR];
+      if (!name) {
+        throw new WorkflowDedupTableNameMissingError(`Workflow dedup table name not set. Pass options.tableName or set ${env_1.WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR}.`);
+      }
+      return name;
+    }
+    function assertConsumerName(consumerName) {
+      if (consumerName.length === 0) {
+        throw new WorkflowDedupInvalidInputError("consumerName must be non-empty.");
+      }
+      if (consumerName.length > env_1.WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH) {
+        throw new WorkflowDedupInvalidInputError(`consumerName must be \u2264${env_1.WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH} chars; got ${consumerName.length}.`);
+      }
+      if (/\s/.test(consumerName)) {
+        throw new WorkflowDedupInvalidInputError("consumerName must not contain whitespace.");
+      }
+    }
+    function assertPositiveInteger(value, field) {
+      if (!Number.isInteger(value) || value < 1) {
+        throw new WorkflowDedupInvalidInputError(`${field} must be a 1-indexed integer; got ${value}.`);
+      }
+    }
+    function defaultNow() {
+      return /* @__PURE__ */ new Date();
+    }
+    var WorkflowDedupTableNameMissingError = class extends Error {
+      /** @param message - human-readable description. */
+      constructor(message) {
+        super(message);
+        this.name = "WorkflowDedupTableNameMissingError";
+      }
+    };
+    exports2.WorkflowDedupTableNameMissingError = WorkflowDedupTableNameMissingError;
+    var WorkflowDedupInvalidInputError = class extends Error {
+      /** @param message - human-readable description. */
+      constructor(message) {
+        super(message);
+        this.name = "WorkflowDedupInvalidInputError";
+      }
+    };
+    exports2.WorkflowDedupInvalidInputError = WorkflowDedupInvalidInputError;
+  }
+});
+// ../workflows/lib/dedup/index.js
+var require_dedup = __commonJS({
+  "../workflows/lib/dedup/index.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.workflowDedupClient = exports2.recordIfAbsent = exports2.markFailed = exports2.encodeSortKey = exports2.WorkflowDedupTableNameMissingError = exports2.WorkflowDedupInvalidInputError = exports2.WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR = exports2.WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH = exports2.WORKFLOW_DEDUP_DEFAULT_TTL_SECONDS = void 0;
+    var env_1 = require_env();
+    Object.defineProperty(exports2, "WORKFLOW_DEDUP_DEFAULT_TTL_SECONDS", { enumerable: true, get: function() {
+      return env_1.WORKFLOW_DEDUP_DEFAULT_TTL_SECONDS;
+    } });
+    Object.defineProperty(exports2, "WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH", { enumerable: true, get: function() {
+      return env_1.WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH;
+    } });
+    Object.defineProperty(exports2, "WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR", { enumerable: true, get: function() {
+      return env_1.WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR;
+    } });
+    var workflow_dedup_client_1 = require_workflow_dedup_client();
+    Object.defineProperty(exports2, "WorkflowDedupInvalidInputError", { enumerable: true, get: function() {
+      return workflow_dedup_client_1.WorkflowDedupInvalidInputError;
+    } });
+    Object.defineProperty(exports2, "WorkflowDedupTableNameMissingError", { enumerable: true, get: function() {
+      return workflow_dedup_client_1.WorkflowDedupTableNameMissingError;
+    } });
+    Object.defineProperty(exports2, "encodeSortKey", { enumerable: true, get: function() {
+      return workflow_dedup_client_1.encodeSortKey;
+    } });
+    Object.defineProperty(exports2, "markFailed", { enumerable: true, get: function() {
+      return workflow_dedup_client_1.markFailed;
+    } });
+    Object.defineProperty(exports2, "recordIfAbsent", { enumerable: true, get: function() {
+      return workflow_dedup_client_1.recordIfAbsent;
+    } });
+    Object.defineProperty(exports2, "workflowDedupClient", { enumerable: true, get: function() {
+      return workflow_dedup_client_1.workflowDedupClient;
+    } });
+  }
+});
+// ../workflows/lib/index.js
+var require_lib = __commonJS({
+  "../workflows/lib/index.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.workflowDedupClient = exports2.recordIfAbsent = exports2.markFailed = exports2.encodeSortKey = exports2.WorkflowDedupTableNameMissingError = exports2.WorkflowDedupInvalidInputError = exports2.WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR = exports2.WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH = exports2.WORKFLOW_DEDUP_DEFAULT_TTL_SECONDS = exports2.parseWorkflowEvent = exports2.UnsupportedEnvelopeVersionError = exports2.InvalidWorkflowEventError = exports2.workflowsClient = exports2.publishWorkflowEvent = exports2.WorkflowPublishError = exports2.isWellFormedDetailType = exports2.defineDetailType = exports2.PlatformSystemDataSeededV1 = exports2.PlatformDeploymentCompletedV1 = exports2.InvalidDetailTypeRegistrationError = exports2.OPENHI_OPS_SOURCE = exports2.OPENHI_DATA_SOURCE = exports2.OPENHI_CONTROL_SOURCE = exports2.DEFAULT_BUS_NAME_BY_SOURCE = exports2.workflowUserActorFromClaims = exports2.isWorkflowUserActor = exports2.isWorkflowSystemActor = exports2.MissingActorContextError = exports2.isSupportedEnvelopeVersion = exports2.ENVELOPE_VERSION = void 0;
+    var envelope_version_1 = require_envelope_version();
+    Object.defineProperty(exports2, "ENVELOPE_VERSION", { enumerable: true, get: function() {
+      return envelope_version_1.ENVELOPE_VERSION;
+    } });
+    Object.defineProperty(exports2, "isSupportedEnvelopeVersion", { enumerable: true, get: function() {
+      return envelope_version_1.isSupportedEnvelopeVersion;
+    } });
+    var envelope_1 = require_envelope();
+    Object.defineProperty(exports2, "MissingActorContextError", { enumerable: true, get: function() {
+      return envelope_1.MissingActorContextError;
+    } });
+    Object.defineProperty(exports2, "isWorkflowSystemActor", { enumerable: true, get: function() {
+      return envelope_1.isWorkflowSystemActor;
+    } });
+    Object.defineProperty(exports2, "isWorkflowUserActor", { enumerable: true, get: function() {
+      return envelope_1.isWorkflowUserActor;
+    } });
+    Object.defineProperty(exports2, "workflowUserActorFromClaims", { enumerable: true, get: function() {
+      return envelope_1.workflowUserActorFromClaims;
+    } });
+    var sources_1 = require_sources();
+    Object.defineProperty(exports2, "DEFAULT_BUS_NAME_BY_SOURCE", { enumerable: true, get: function() {
+      return sources_1.DEFAULT_BUS_NAME_BY_SOURCE;
+    } });
+    Object.defineProperty(exports2, "OPENHI_CONTROL_SOURCE", { enumerable: true, get: function() {
+      return sources_1.OPENHI_CONTROL_SOURCE;
+    } });
+    Object.defineProperty(exports2, "OPENHI_DATA_SOURCE", { enumerable: true, get: function() {
+      return sources_1.OPENHI_DATA_SOURCE;
+    } });
+    Object.defineProperty(exports2, "OPENHI_OPS_SOURCE", { enumerable: true, get: function() {
+      return sources_1.OPENHI_OPS_SOURCE;
+    } });
+    var detail_types_1 = require_detail_types();
+    Object.defineProperty(exports2, "InvalidDetailTypeRegistrationError", { enumerable: true, get: function() {
+      return detail_types_1.InvalidDetailTypeRegistrationError;
+    } });
+    Object.defineProperty(exports2, "PlatformDeploymentCompletedV1", { enumerable: true, get: function() {
+      return detail_types_1.PlatformDeploymentCompletedV1;
+    } });
+    Object.defineProperty(exports2, "PlatformSystemDataSeededV1", { enumerable: true, get: function() {
+      return detail_types_1.PlatformSystemDataSeededV1;
+    } });
+    Object.defineProperty(exports2, "defineDetailType", { enumerable: true, get: function() {
+      return detail_types_1.defineDetailType;
+    } });
+    Object.defineProperty(exports2, "isWellFormedDetailType", { enumerable: true, get: function() {
+      return detail_types_1.isWellFormedDetailType;
+    } });
+    var publisher_1 = require_publisher();
+    Object.defineProperty(exports2, "WorkflowPublishError", { enumerable: true, get: function() {
+      return publisher_1.WorkflowPublishError;
+    } });
+    Object.defineProperty(exports2, "publishWorkflowEvent", { enumerable: true, get: function() {
+      return publisher_1.publishWorkflowEvent;
+    } });
+    Object.defineProperty(exports2, "workflowsClient", { enumerable: true, get: function() {
+      return publisher_1.workflowsClient;
+    } });
+    var consumer_1 = require_consumer();
+    Object.defineProperty(exports2, "InvalidWorkflowEventError", { enumerable: true, get: function() {
+      return consumer_1.InvalidWorkflowEventError;
+    } });
+    Object.defineProperty(exports2, "UnsupportedEnvelopeVersionError", { enumerable: true, get: function() {
+      return consumer_1.UnsupportedEnvelopeVersionError;
+    } });
+    Object.defineProperty(exports2, "parseWorkflowEvent", { enumerable: true, get: function() {
+      return consumer_1.parseWorkflowEvent;
+    } });
+    var dedup_1 = require_dedup();
+    Object.defineProperty(exports2, "WORKFLOW_DEDUP_DEFAULT_TTL_SECONDS", { enumerable: true, get: function() {
+      return dedup_1.WORKFLOW_DEDUP_DEFAULT_TTL_SECONDS;
+    } });
+    Object.defineProperty(exports2, "WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH", { enumerable: true, get: function() {
+      return dedup_1.WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH;
+    } });
+    Object.defineProperty(exports2, "WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR", { enumerable: true, get: function() {
+      return dedup_1.WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR;
+    } });
+    Object.defineProperty(exports2, "WorkflowDedupInvalidInputError", { enumerable: true, get: function() {
+      return dedup_1.WorkflowDedupInvalidInputError;
+    } });
+    Object.defineProperty(exports2, "WorkflowDedupTableNameMissingError", { enumerable: true, get: function() {
+      return dedup_1.WorkflowDedupTableNameMissingError;
+    } });
+    Object.defineProperty(exports2, "encodeSortKey", { enumerable: true, get: function() {
+      return dedup_1.encodeSortKey;
+    } });
+    Object.defineProperty(exports2, "markFailed", { enumerable: true, get: function() {
+      return dedup_1.markFailed;
+    } });
+    Object.defineProperty(exports2, "recordIfAbsent", { enumerable: true, get: function() {
+      return dedup_1.recordIfAbsent;
+    } });
+    Object.defineProperty(exports2, "workflowDedupClient", { enumerable: true, get: function() {
+      return dedup_1.workflowDedupClient;
+    } });
+  }
+});
+// src/workflows/control-plane/seed-system-data/seed-system-data.handler.ts
+var seed_system_data_handler_exports = {};
+__export(seed_system_data_handler_exports, {
+  handler: () => handler,
+  runSeedSystemData: () => runSeedSystemData
+});
+module.exports = __toCommonJS(seed_system_data_handler_exports);
+var import_client_dynamodb2 = require("@aws-sdk/client-dynamodb");
+var import_client_eventbridge = require("@aws-sdk/client-eventbridge");
+var import_types3 = require("@openhi/types");
+var import_workflows2 = __toESM(require_lib());
+// src/workflows/control-plane/seed-system-data/events.ts
+var import_workflows = __toESM(require_lib());
+var SEED_SYSTEM_DATA_CONSUMER_NAME = "seed-system-data";
+var SEED_SYSTEM_DATA_ACTOR_SYSTEM = "seed-system-data";
+var SEED_SYSTEM_DATA_CONTROL_BUS_ENV_VAR = "CONTROL_EVENT_BUS_NAME";
+// src/data/operations/control/role/role-create-operation.ts
+var import_types2 = require("@openhi/types");
+// src/data/dynamo/dynamo-control-service.ts
+var import_electrodb8 = require("electrodb");
+// src/data/dynamo/dynamo-client.ts
+var import_client_dynamodb = require("@aws-sdk/client-dynamodb");
+var defaultTableName = process.env.DYNAMO_TABLE_NAME ?? "jesttesttable";
+var dynamoClient = new import_client_dynamodb.DynamoDBClient({
+  ...process.env.MOCK_DYNAMODB_ENDPOINT && {
+    endpoint: process.env.MOCK_DYNAMODB_ENDPOINT,
+    sslEnabled: false,
+    region: "local"
+  }
+});
+// src/data/dynamo/entities/control/configuration-entity.ts
+var import_electrodb = require("electrodb");
+// src/data/dynamo/entities/control/control-entity-common.ts
+var import_types = require("@openhi/types");
+// src/data/dynamo/shard.ts
+var SHARD_COUNT = 4;
+function computeShard(id) {
+  let hash = 2166136261;
+  for (let i = 0; i < id.length; i++) {
+    hash ^= id.charCodeAt(i);
+    hash = Math.imul(hash, 16777619);
+  }
+  return (hash >>> 0) % SHARD_COUNT;
+}
+// src/data/dynamo/entities/control/control-entity-common.ts
+var gsi1ShardAttribute = {
+  type: "string",
+  watch: ["id"],
+  set: (_val, item) => {
+    if (typeof item?.id !== "string" || item.id.length === 0) {
+      return void 0;
+    }
+    return String(computeShard(item.id));
+  }
+};
+var gsi1skAttribute = {
+  type: "string",
+  watch: ["resource", "lastUpdated", "id"],
+  set: (_val, item) => {
+    const id = typeof item?.id === "string" ? item.id : "";
+    const lastUpdated = typeof item?.lastUpdated === "string" ? item.lastUpdated : "";
+    const fallback = `${lastUpdated}#${id}`;
+    if (typeof item?.resource !== "string" || item.resource.length === 0) {
+      return fallback;
+    }
+    let parsed;
+    try {
+      parsed = JSON.parse(item.resource);
+    } catch {
+      return fallback;
+    }
+    if (!parsed || typeof parsed !== "object") return fallback;
+    const resourceType = parsed.resourceType;
+    if (typeof resourceType !== "string") return fallback;
+    const label = (0, import_types.extractLabel)(parsed);
+    return label !== void 0 ? `${label}#${id}` : fallback;
+  }
+};
+// src/data/dynamo/entities/control/configuration-entity.ts
+var ConfigurationEntity = new import_electrodb.Entity({
+  model: {
+    entity: "configuration",
+    service: "control",
+    version: "01"
+  },
+  attributes: {
+    /** Sort key. "CURRENT" for current version; version history in S3. */
+    sk: {
+      type: "string",
+      required: true,
+      default: "CURRENT"
+    },
+    /** Tenant scope. Use "BASELINE" when the config is baseline default (no tenant). */
+    tenantId: {
+      type: "string",
+      required: true,
+      default: "BASELINE"
+    },
+    /** Workspace scope. Use "-" when absent. */
+    workspaceId: {
+      type: "string",
+      required: true,
+      default: "-"
+    },
+    /** User scope. Use "-" when absent. */
+    userId: {
+      type: "string",
+      required: true,
+      default: "-"
+    },
+    /** Role scope. Use "-" when absent. */
+    roleId: {
+      type: "string",
+      required: true,
+      default: "-"
+    },
+    /** Config type (category), e.g. endpoints, branding, display. */
+    key: {
+      type: "string",
+      required: true
+    },
+    /** FHIR Resource.id; logical id in URL and for the Configuration resource. */
+    id: {
+      type: "string",
+      required: true
+    },
+    /** Payload as JSON string. JSON.stringify(resource) on write; JSON.parse(item.resource) on read. */
+    resource: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Summary projection (key display fields as JSON string: id, key, status).
+     * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.
+     */
+    summary: {
+      type: "string",
+      required: true
+    },
+    /** Version id (e.g. ULID). Tracks current version; S3 history key. */
+    vid: {
+      type: "string",
+      required: true
+    },
+    lastUpdated: {
+      type: "string",
+      required: true
+    },
+    gsi1Shard: gsi1ShardAttribute,
+    deleted: {
+      type: "boolean",
+      required: false
+    },
+    bundleId: {
+      type: "string",
+      required: false
+    },
+    msgId: {
+      type: "string",
+      required: false
+    }
+  },
+  indexes: {
+    /** Base table: PK, SK (data store key names). PK is built from tenantId, workspaceId, userId, roleId; SK is built from key and sk. Do not supply PK or SK from outside. */
+    record: {
+      pk: {
+        field: "PK",
+        composite: ["tenantId", "workspaceId", "userId", "roleId"],
+        template: "CONFIG#TID#${tenantId}#WID#${workspaceId}#UID#${userId}#RID#${roleId}"
+      },
+      sk: {
+        field: "SK",
+        composite: ["key", "sk"],
+        template: "KEY#${key}#SK#${sk}"
+      }
+    },
+    /**
+     * GSI1 — Unified Sharded List per ADR-011: list all Configuration entries for a
+     * (tenant, workspace) across the four shards. Use for "list configs scoped to this tenant"
+     * (workspaceId = "-") or "list configs scoped to this workspace". Does not support
+     * hierarchical resolution in one query; use base table GetItem in fallback order
+     * (user → workspace → tenant → baseline) for that.
+     * SK is `<key>#<id>` — Configuration's `key` is a required entity attribute (the
+     * config category: endpoints, branding, display, …) and the natural sort/lookup
+     * dimension. `casing: "none"` preserves the literal key value.
+     */
+    gsi1: {
+      index: "GSI1",
+      pk: {
+        field: "GSI1PK",
+        composite: ["tenantId", "workspaceId", "gsi1Shard"],
+        template: "TID#${tenantId}#WID#${workspaceId}#RT#Configuration#SHARD#${gsi1Shard}"
+      },
+      sk: {
+        field: "GSI1SK",
+        casing: "none",
+        composite: ["key", "id"],
+        template: "${key}#${id}"
+      }
+    }
+  }
+});
+// src/data/dynamo/entities/control/membership-entity.ts
+var import_electrodb2 = require("electrodb");
+var MembershipEntity = new import_electrodb2.Entity({
+  model: {
+    entity: "membership",
+    service: "control",
+    version: "01"
+  },
+  attributes: {
+    /** Sort key sentinel. Always "CURRENT". */
+    sk: {
+      type: "string",
+      required: true,
+      default: "CURRENT"
+    },
+    /** Tenant in which the user has membership (required). */
+    tenantId: {
+      type: "string",
+      required: true
+    },
+    /** FHIR Resource.id; membership id. */
+    id: {
+      type: "string",
+      required: true
+    },
+    /** Full Membership resource serialized as JSON string. */
+    resource: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Summary projection (key display fields as JSON string: id, displayName, status).
+     * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.
+     */
+    summary: {
+      type: "string",
+      required: true
+    },
+    /** Version id (e.g. ULID). */
+    vid: {
+      type: "string",
+      required: true
+    },
+    lastUpdated: {
+      type: "string",
+      required: true
+    },
+    gsi1Shard: gsi1ShardAttribute,
+    /** Derived GSI1 sort key — name-based when extractable; else `<lastUpdated>#<id>`. */
+    gsi1sk: gsi1skAttribute,
+    deleted: {
+      type: "boolean",
+      required: false
+    },
+    bundleId: {
+      type: "string",
+      required: false
+    },
+    msgId: {
+      type: "string",
+      required: false
+    }
+  },
+  indexes: {
+    /** Base table: PK = TID#<tenantId>#MEMBERSHIP#ID#<id>, SK = CURRENT. Do not supply PK or SK from outside. */
+    record: {
+      pk: {
+        field: "PK",
+        composite: ["tenantId", "id"],
+        template: "TID#${tenantId}#MEMBERSHIP#ID#${id}"
+      },
+      sk: {
+        field: "SK",
+        composite: ["sk"],
+        template: "${sk}"
+      }
+    },
+    /**
+     * GSI1 — Unified Sharded List per ADR-011: list all Memberships for a tenant across the
+     * four shards. Membership is tenant-scoped only, so `WID#-` is a sentinel.
+     * SK is derived via `gsi1skAttribute` — uses the resource's natural label when
+     * extractable, else `<lastUpdated>#<id>` (DR-004). `casing: "none"` preserves the
+     * normalized label and ISO-8601 `T`/`Z`.
+     */
+    gsi1: {
+      index: "GSI1",
+      pk: {
+        field: "GSI1PK",
+        composite: ["tenantId", "gsi1Shard"],
+        template: "TID#${tenantId}#WID#-#RT#Membership#SHARD#${gsi1Shard}"
+      },
+      sk: {
+        field: "GSI1SK",
+        casing: "none",
+        composite: ["gsi1sk"],
+        template: "${gsi1sk}"
+      }
+    }
+  }
+});
+// src/data/dynamo/entities/control/role-entity.ts
+var import_electrodb3 = require("electrodb");
+var RoleEntity = new import_electrodb3.Entity({
+  model: {
+    entity: "role",
+    service: "control",
+    version: "01"
+  },
+  attributes: {
+    /** Sort key sentinel. Always "CURRENT". */
+    sk: {
+      type: "string",
+      required: true,
+      default: "CURRENT"
+    },
+    /** FHIR Resource.id; role id. */
+    id: {
+      type: "string",
+      required: true
+    },
+    /** Full Role resource serialized as JSON string. */
+    resource: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Summary projection (key display fields as JSON string: id, displayName, status).
+     * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.
+     */
+    summary: {
+      type: "string",
+      required: true
+    },
+    /** Version id (e.g. ULID). */
+    vid: {
+      type: "string",
+      required: true
+    },
+    lastUpdated: {
+      type: "string",
+      required: true
+    },
+    gsi1Shard: gsi1ShardAttribute,
+    /** Derived GSI1 sort key — name-based when extractable; else `<lastUpdated>#<id>`. */
+    gsi1sk: gsi1skAttribute,
+    deleted: {
+      type: "boolean",
+      required: false
+    },
+    bundleId: {
+      type: "string",
+      required: false
+    },
+    msgId: {
+      type: "string",
+      required: false
+    }
+  },
+  indexes: {
+    /** Base table: PK = ROLE#ID#<id>, SK = CURRENT. Do not supply PK or SK from outside. */
+    record: {
+      pk: {
+        field: "PK",
+        composite: ["id"],
+        template: "ROLE#ID#${id}"
+      },
+      sk: {
+        field: "SK",
+        composite: ["sk"],
+        template: "${sk}"
+      }
+    },
+    /**
+     * GSI1 — Unified Sharded List per ADR-011: list all Roles across the four shards.
+     * Non-tenant-isolated, so `TID#-#WID#-` sentinels precede `RT#Role#SHARD#<n>`.
+     * SK is derived via `gsi1skAttribute` — uses the resource's natural label when
+     * extractable, else `<lastUpdated>#<id>` (DR-004). `casing: "none"` preserves the
+     * normalized label and ISO-8601 `T`/`Z`.
+     */
+    gsi1: {
+      index: "GSI1",
+      pk: {
+        field: "GSI1PK",
+        composite: ["gsi1Shard"],
+        template: "TID#-#WID#-#RT#Role#SHARD#${gsi1Shard}"
+      },
+      sk: {
+        field: "GSI1SK",
+        casing: "none",
+        composite: ["gsi1sk"],
+        template: "${gsi1sk}"
+      }
+    }
+  }
+});
+// src/data/dynamo/entities/control/roleassignment-entity.ts
+var import_electrodb4 = require("electrodb");
+var RoleAssignmentEntity = new import_electrodb4.Entity({
+  model: {
+    entity: "roleassignment",
+    service: "control",
+    version: "01"
+  },
+  attributes: {
+    /** Sort key sentinel. Always "CURRENT". */
+    sk: {
+      type: "string",
+      required: true,
+      default: "CURRENT"
+    },
+    /** Tenant in which the role assignment applies (required). */
+    tenantId: {
+      type: "string",
+      required: true
+    },
+    /** FHIR Resource.id; role assignment id. */
+    id: {
+      type: "string",
+      required: true
+    },
+    /** Full RoleAssignment resource serialized as JSON string. */
+    resource: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Summary projection (key display fields as JSON string: id, displayName, status).
+     * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.
+     */
+    summary: {
+      type: "string",
+      required: true
+    },
+    /** Version id (e.g. ULID). */
+    vid: {
+      type: "string",
+      required: true
+    },
+    lastUpdated: {
+      type: "string",
+      required: true
+    },
+    gsi1Shard: gsi1ShardAttribute,
+    /** Derived GSI1 sort key — name-based when extractable; else `<lastUpdated>#<id>`. */
+    gsi1sk: gsi1skAttribute,
+    deleted: {
+      type: "boolean",
+      required: false
+    },
+    bundleId: {
+      type: "string",
+      required: false
+    },
+    msgId: {
+      type: "string",
+      required: false
+    }
+  },
+  indexes: {
+    /** Base table: PK = TID#<tenantId>#ROLEASSIGNMENT#ID#<id>, SK = CURRENT. Do not supply PK or SK from outside. */
+    record: {
+      pk: {
+        field: "PK",
+        composite: ["tenantId", "id"],
+        template: "TID#${tenantId}#ROLEASSIGNMENT#ID#${id}"
+      },
+      sk: {
+        field: "SK",
+        composite: ["sk"],
+        template: "${sk}"
+      }
+    },
+    /**
+     * GSI1 — Unified Sharded List per ADR-011: list all RoleAssignments for a tenant across the
+     * four shards. Tenant-scoped only, so `WID#-` is a sentinel.
+     * SK is derived via `gsi1skAttribute` — uses the resource's natural label when
+     * extractable, else `<lastUpdated>#<id>` (DR-004). `casing: "none"` preserves the
+     * normalized label and ISO-8601 `T`/`Z`.
+     */
+    gsi1: {
+      index: "GSI1",
+      pk: {
+        field: "GSI1PK",
+        composite: ["tenantId", "gsi1Shard"],
+        template: "TID#${tenantId}#WID#-#RT#RoleAssignment#SHARD#${gsi1Shard}"
+      },
+      sk: {
+        field: "GSI1SK",
+        casing: "none",
+        composite: ["gsi1sk"],
+        template: "${gsi1sk}"
+      }
+    }
+  }
+});
+// src/data/dynamo/entities/control/tenant-entity.ts
+var import_electrodb5 = require("electrodb");
+var TenantEntity = new import_electrodb5.Entity({
+  model: {
+    entity: "tenant",
+    service: "control",
+    version: "01"
+  },
+  attributes: {
+    /** Sort key sentinel. Always "CURRENT". */
+    sk: {
+      type: "string",
+      required: true,
+      default: "CURRENT"
+    },
+    /** The tenant's own id (= resource id). Drives the partition key. */
+    tenantId: {
+      type: "string",
+      required: true
+    },
+    /** FHIR Resource.id; logical id in URL. Equals tenantId. */
+    id: {
+      type: "string",
+      required: true
+    },
+    /** Full Tenant resource serialized as JSON string. */
+    resource: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Summary projection (key display fields as JSON string: id, displayName, status).
+     * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.
+     */
+    summary: {
+      type: "string",
+      required: true
+    },
+    /** Version id (e.g. ULID). */
+    vid: {
+      type: "string",
+      required: true
+    },
+    lastUpdated: {
+      type: "string",
+      required: true
+    },
+    gsi1Shard: gsi1ShardAttribute,
+    /** Derived GSI1 sort key — name-based when extractable; else `<lastUpdated>#<id>`. */
+    gsi1sk: gsi1skAttribute,
+    deleted: {
+      type: "boolean",
+      required: false
+    },
+    bundleId: {
+      type: "string",
+      required: false
+    },
+    msgId: {
+      type: "string",
+      required: false
+    }
+  },
+  indexes: {
+    /** Base table: PK = TENANT#ID#<tenantId>, SK = CURRENT. Do not supply PK or SK from outside. */
+    record: {
+      pk: {
+        field: "PK",
+        composite: ["tenantId"],
+        template: "TENANT#ID#${tenantId}"
+      },
+      sk: {
+        field: "SK",
+        composite: ["sk"],
+        template: "${sk}"
+      }
+    },
+    /**
+     * GSI1 — Unified Sharded List per ADR-011: list all Tenants across the four shards.
+     * Tenant lives at the platform tier (no parent tenant or workspace), so `TID#-#WID#-`
+     * sentinels precede `RT#Tenant#SHARD#<n>`. SK is derived via `gsi1skAttribute` —
+     * `<normalizedName>#<id>` when the resource carries a `name`, else `<lastUpdated>#<id>`
+     * (DR-004). `casing: "none"` preserves the normalized label and ISO-8601 `T`/`Z`.
+     */
+    gsi1: {
+      index: "GSI1",
+      pk: {
+        field: "GSI1PK",
+        composite: ["gsi1Shard"],
+        template: "TID#-#WID#-#RT#Tenant#SHARD#${gsi1Shard}"
+      },
+      sk: {
+        field: "GSI1SK",
+        casing: "none",
+        composite: ["gsi1sk"],
+        template: "${gsi1sk}"
+      }
+    }
+  }
+});
+// src/data/dynamo/entities/control/user-entity.ts
+var import_electrodb6 = require("electrodb");
+var UserEntity = new import_electrodb6.Entity({
+  model: {
+    entity: "user",
+    service: "control",
+    version: "01"
+  },
+  attributes: {
+    /** Sort key sentinel. Always "CURRENT". */
+    sk: {
+      type: "string",
+      required: true,
+      default: "CURRENT"
+    },
+    /** FHIR Resource.id; platform user id (ohi_uid). */
+    id: {
+      type: "string",
+      required: true
+    },
+    /** Full User resource serialized as JSON string. */
+    resource: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Summary projection (key display fields as JSON string: id, displayName, status).
+     * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.
+     */
+    summary: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Immutable Cognito-issued `sub` claim. Drives GSI2 (sub-lookup). Optional until the
+     * Post Confirmation Lambda (#770) lands; required thereafter.
+     */
+    cognitoSub: {
+      type: "string",
+      required: false
+    },
+    /** Version id (e.g. ULID). */
+    vid: {
+      type: "string",
+      required: true
+    },
+    lastUpdated: {
+      type: "string",
+      required: true
+    },
+    gsi1Shard: gsi1ShardAttribute,
+    /** Derived GSI1 sort key — name-based when extractable; else `<lastUpdated>#<id>`. */
+    gsi1sk: gsi1skAttribute,
+    deleted: {
+      type: "boolean",
+      required: false
+    },
+    bundleId: {
+      type: "string",
+      required: false
+    },
+    msgId: {
+      type: "string",
+      required: false
+    }
+  },
+  indexes: {
+    /** Base table: PK = USER#ID#<id>, SK = CURRENT. Do not supply PK or SK from outside. */
+    record: {
+      pk: {
+        field: "PK",
+        composite: ["id"],
+        template: "USER#ID#${id}"
+      },
+      sk: {
+        field: "SK",
+        composite: ["sk"],
+        template: "${sk}"
+      }
+    },
+    /**
+     * GSI1 — Unified Sharded List per ADR-011: list all Users across the four shards.
+     * Non-tenant-isolated, so `TID#-#WID#-` sentinels precede `RT#User#SHARD#<n>`.
+     * SK is derived via `gsi1skAttribute` — uses the resource's natural label when
+     * extractable (string `name`/`title` via introspection), else `<lastUpdated>#<id>`
+     * (DR-004). `casing: "none"` preserves the normalized label and ISO-8601 `T`/`Z`.
+     */
+    gsi1: {
+      index: "GSI1",
+      pk: {
+        field: "GSI1PK",
+        composite: ["gsi1Shard"],
+        template: "TID#-#WID#-#RT#User#SHARD#${gsi1Shard}"
+      },
+      sk: {
+        field: "GSI1SK",
+        casing: "none",
+        composite: ["gsi1sk"],
+        template: "${gsi1sk}"
+      }
+    },
+    /**
+     * GSI2 — Cognito sub-lookup per ADR-011: resolves the UserEntity from a Cognito `sub` claim.
+     * `condition` skips the index when `cognitoSub` is missing so legacy items without a sub are
+     * not indexed.
+     */
+    gsi2: {
+      index: "GSI2",
+      condition: (attrs) => typeof attrs.cognitoSub === "string" && attrs.cognitoSub.length > 0,
+      pk: {
+        field: "GSI2PK",
+        casing: "none",
+        composite: ["cognitoSub"],
+        template: "USER#SUB#${cognitoSub}"
+      },
+      sk: {
+        field: "GSI2SK",
+        casing: "none",
+        composite: [],
+        template: "CURRENT"
+      }
+    }
+  }
+});
+// src/data/dynamo/entities/control/workspace-entity.ts
+var import_electrodb7 = require("electrodb");
+var WorkspaceEntity = new import_electrodb7.Entity({
+  model: {
+    entity: "workspace",
+    service: "control",
+    version: "01"
+  },
+  attributes: {
+    /** Sort key sentinel. Always "CURRENT". */
+    sk: {
+      type: "string",
+      required: true,
+      default: "CURRENT"
+    },
+    /** Tenant that contains this workspace (required). */
+    tenantId: {
+      type: "string",
+      required: true
+    },
+    /** FHIR Resource.id; logical id in URL. */
+    id: {
+      type: "string",
+      required: true
+    },
+    /** Full Workspace resource serialized as JSON string. */
+    resource: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Summary projection (key display fields as JSON string: id, displayName, status).
+     * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.
+     */
+    summary: {
+      type: "string",
+      required: true
+    },
+    /** Version id (e.g. ULID). */
+    vid: {
+      type: "string",
+      required: true
+    },
+    lastUpdated: {
+      type: "string",
+      required: true
+    },
+    gsi1Shard: gsi1ShardAttribute,
+    /** Derived GSI1 sort key — name-based when extractable; else `<lastUpdated>#<id>`. */
+    gsi1sk: gsi1skAttribute,
+    deleted: {
+      type: "boolean",
+      required: false
+    },
+    bundleId: {
+      type: "string",
+      required: false
+    },
+    msgId: {
+      type: "string",
+      required: false
+    }
+  },
+  indexes: {
+    /** Base table: PK = TID#<tenantId>#WORKSPACE#ID#<id>, SK = CURRENT. Do not supply PK or SK from outside. */
+    record: {
+      pk: {
+        field: "PK",
+        composite: ["tenantId", "id"],
+        template: "TID#${tenantId}#WORKSPACE#ID#${id}"
+      },
+      sk: {
+        field: "SK",
+        composite: ["sk"],
+        template: "${sk}"
+      }
+    },
+    /**
+     * GSI1 — Unified Sharded List per ADR-011: list all Workspaces for a tenant across the
+     * four shards. Workspace is itself the workspace identity, so `WID#-` is a sentinel.
+     * SK is derived via `gsi1skAttribute` — `<normalizedName>#<id>` when the resource
+     * carries a `name`, else `<lastUpdated>#<id>` (DR-004). `casing: "none"` preserves
+     * the normalized label and ISO-8601 `T`/`Z`.
+     */
+    gsi1: {
+      index: "GSI1",
+      pk: {
+        field: "GSI1PK",
+        composite: ["tenantId", "gsi1Shard"],
+        template: "TID#${tenantId}#WID#-#RT#Workspace#SHARD#${gsi1Shard}"
+      },
+      sk: {
+        field: "GSI1SK",
+        casing: "none",
+        composite: ["gsi1sk"],
+        template: "${gsi1sk}"
+      }
+    }
+  }
+});
+// src/data/dynamo/dynamo-control-service.ts
+var controlPlaneEntities = {
+  configuration: ConfigurationEntity,
+  membership: MembershipEntity,
+  role: RoleEntity,
+  roleAssignment: RoleAssignmentEntity,
+  tenant: TenantEntity,
+  user: UserEntity,
+  workspace: WorkspaceEntity
+};
+var controlPlaneService = new import_electrodb8.Service(controlPlaneEntities, {
+  table: defaultTableName,
+  client: dynamoClient
+});
+var DynamoControlService = {
+  entities: controlPlaneService.entities
+};
+function getDynamoControlService(tableName) {
+  const resolved = tableName ?? defaultTableName;
+  const service = new import_electrodb8.Service(controlPlaneEntities, {
+    table: resolved,
+    client: dynamoClient
+  });
+  return {
+    entities: service.entities
+  };
+}
+// src/data/operations/control/role/role-create-operation.ts
+async function createRoleOperation(params) {
+  const { context, body, tableName } = params;
+  const service = getDynamoControlService(tableName);
+  const id = body.id ?? `role-${Date.now()}`;
+  const parsedResource = typeof body.resource === "string" ? JSON.parse(body.resource) : body.resource ?? {};
+  const lastUpdated = context.date ?? (/* @__PURE__ */ new Date()).toISOString();
+  const vid = `1`;
+  const resource = { resourceType: "Role", id, ...parsedResource };
+  const summary = JSON.stringify((0, import_types2.extractSummary)(resource));
+  await service.entities.role.put({
+    id,
+    resource: JSON.stringify(resource),
+    summary,
+    vid,
+    lastUpdated
+  }).go();
+  return {
+    id,
+    resource,
+    meta: { lastUpdated, versionId: vid }
+  };
+}
+// src/workflows/control-plane/seed-system-data/seed-system-data.handler.ts
+var errorMessage = (err) => {
+  if (err instanceof Error) {
+    return err.message;
+  }
+  return String(err);
+};
+var idForRoleCode = (code) => {
+  for (const key of Object.keys(import_types3.PLATFORM_ROLE_IDS)) {
+    if (import_types3.PLATFORM_ROLE_CONCEPTS[key].code === code) {
+      return import_types3.PLATFORM_ROLE_IDS[key];
+    }
+  }
+  throw new Error(`No id mapping for role code "${code}".`);
+};
+var seedSystemRoles = async (context) => {
+  for (const concept of Object.values(import_types3.PLATFORM_ROLE_CONCEPTS)) {
+    const id = idForRoleCode(concept.code);
+    await createRoleOperation({
+      context,
+      body: {
+        id,
+        resource: {
+          resourceType: "Role",
+          code: concept.code,
+          display: concept.display,
+          active: true
+        }
+      }
+    });
+  }
+};
+var runSeedSystemData = async (event, deps) => {
+  const parsed = (0, import_workflows2.parseWorkflowEvent)(event, import_workflows.PlatformDeploymentCompletedV1);
+  const recordResult = await deps.dedupClient.recordIfAbsent({
+    consumerName: SEED_SYSTEM_DATA_CONSUMER_NAME,
+    eventId: parsed.dedupKey.eventId,
+    attempt: parsed.dedupKey.attempt
+  });
+  if (!recordResult.recorded) {
+    return;
+  }
+  const lastUpdated = parsed.envelope.occurredAt;
+  const context = {
+    tenantId: "",
+    workspaceId: "",
+    date: lastUpdated,
+    actorId: "platform-deploy-bridge",
+    actorName: "Platform Deploy Bridge",
+    actorType: "internal-system",
+    source: "step-function"
+  };
+  try {
+    await deps.seedRoles(context);
+  } catch (err) {
+    await deps.dedupClient.markFailed({
+      consumerName: SEED_SYSTEM_DATA_CONSUMER_NAME,
+      eventId: parsed.dedupKey.eventId,
+      attempt: parsed.dedupKey.attempt,
+      reason: errorMessage(err)
+    });
+    throw err;
+  }
+  const sourcePayload = parsed.envelope.payload;
+  await deps.publishSeeded({
+    payload: {
+      sourceEventId: parsed.envelope.eventId,
+      sourceStackId: sourcePayload.stackId,
+      seededRecordCount: Object.keys(import_types3.PLATFORM_ROLE_IDS).length
+    },
+    envelope: {
+      correlationId: parsed.envelope.correlationId,
+      causationId: parsed.envelope.eventId
+    }
+  });
+};
+var productionDependencies = () => {
+  const dynamodb = new import_client_dynamodb2.DynamoDBClient({});
+  const eventBridge = new import_client_eventbridge.EventBridgeClient({});
+  return {
+    dedupClient: (0, import_workflows2.workflowDedupClient)(dynamodb),
+    seedRoles: seedSystemRoles,
+    publishSeeded: async (input) => {
+      const controlBusName = process.env[SEED_SYSTEM_DATA_CONTROL_BUS_ENV_VAR];
+      if (!controlBusName) {
+        throw new Error(
+          `seed-system-data: ${SEED_SYSTEM_DATA_CONTROL_BUS_ENV_VAR} env var is required to publish system-data-seeded events.`
+        );
+      }
+      return (0, import_workflows2.publishWorkflowEvent)(
+        eventBridge,
+        import_workflows.PlatformSystemDataSeededV1,
+        input.payload,
+        {
+          actor: { system: SEED_SYSTEM_DATA_ACTOR_SYSTEM },
+          correlationId: input.envelope.correlationId,
+          causationId: input.envelope.causationId
+        },
+        {
+          busNameByPlane: { [import_workflows2.OPENHI_CONTROL_SOURCE]: controlBusName }
+        }
+      );
+    }
+  };
+};
+var handler = async (event) => runSeedSystemData(event, productionDependencies());
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  handler,
+  runSeedSystemData
+});
+//# sourceMappingURL=seed-system-data.handler.js.map