@openhi/constructs 0.0.106 → 0.0.108

package/lib/seed-system-data.handler.mjs

@@ -6,11 +6,11 @@ import {
 } from "./chunk-AGF3RAAZ.mjs";
 import {
   createRoleOperation
-} from "./chunk-YU2HRNUP.mjs";
+} from "./chunk-AJ3G3THO.mjs";
 import {
   require_lib
 } from "./chunk-SYBADQXI.mjs";
-import "./chunk-VYDIGFIX.mjs";
+import "./chunk-QR5JVSCF.mjs";
 import {
   __toESM
 } from "./chunk-LZOMFHX3.mjs";
@@ -20,8 +20,8 @@ var import_workflows2 = __toESM(require_lib());
 import { DynamoDBClient } from "@aws-sdk/client-dynamodb";
 import { EventBridgeClient } from "@aws-sdk/client-eventbridge";
 import {
-  CONTROL_PLANE_ROLE_CONCEPTS,
-  CONTROL_PLANE_ROLE_IDS
+  PLATFORM_ROLE_CONCEPTS,
+  PLATFORM_ROLE_IDS
 } from "@openhi/types";
 var errorMessage = (err) => {
   if (err instanceof Error) {
@@ -30,15 +30,15 @@ var errorMessage = (err) => {
   return String(err);
 };
 var idForRoleCode = (code) => {
-  for (const key of Object.keys(CONTROL_PLANE_ROLE_IDS)) {
-    if (CONTROL_PLANE_ROLE_CONCEPTS[key].code === code) {
-      return CONTROL_PLANE_ROLE_IDS[key];
+  for (const key of Object.keys(PLATFORM_ROLE_IDS)) {
+    if (PLATFORM_ROLE_CONCEPTS[key].code === code) {
+      return PLATFORM_ROLE_IDS[key];
     }
   }
   throw new Error(`No id mapping for role code "${code}".`);
 };
 var seedSystemRoles = async (context) => {
-  for (const concept of Object.values(CONTROL_PLANE_ROLE_CONCEPTS)) {
+  for (const concept of Object.values(PLATFORM_ROLE_CONCEPTS)) {
     const id = idForRoleCode(concept.code);
     await createRoleOperation({
       context,
@@ -90,7 +90,7 @@ var runSeedSystemData = async (event, deps) => {
     payload: {
       sourceEventId: parsed.envelope.eventId,
       sourceStackId: sourcePayload.stackId,
-      seededRecordCount: Object.keys(CONTROL_PLANE_ROLE_IDS).length
+      seededRecordCount: Object.keys(PLATFORM_ROLE_IDS).length
     },
     envelope: {
       correlationId: parsed.envelope.correlationId,

package/lib/seed-system-data.handler.mjs.map

@@ -1 +1 @@
-{"version":3,"sources":["../src/workflows/control-plane/seed-system-data/seed-system-data.handler.ts"],"sourcesContent":["import { DynamoDBClient } from \"@aws-sdk/client-dynamodb\";\nimport { EventBridgeClient } from \"@aws-sdk/client-eventbridge\";\nimport {\n  CONTROL_PLANE_ROLE_CONCEPTS,\n  CONTROL_PLANE_ROLE_IDS,\n  type ControlPlaneRoleCode,\n} from \"@openhi/types\";\nimport {\n  OPENHI_CONTROL_SOURCE,\n  parseWorkflowEvent,\n  publishWorkflowEvent,\n  workflowDedupClient,\n  type PlatformDeploymentCompletedV1Detail,\n  type PublishResult,\n  type WorkflowDedupClient,\n} from \"@openhi/workflows\";\nimport type { EventBridgeEvent } from \"aws-lambda\";\nimport {\n  PlatformDeploymentCompletedV1,\n  PlatformSystemDataSeededV1,\n  SEED_SYSTEM_DATA_ACTOR_SYSTEM,\n  SEED_SYSTEM_DATA_CONSUMER_NAME,\n  SEED_SYSTEM_DATA_CONTROL_BUS_ENV_VAR,\n} from \"./events\";\nimport type { OpenHiContext } from \"../../../data/openhi-context\";\nimport { createRoleOperation } from \"../../../data/operations/control/role/role-create-operation\";\n\n/**\n * @see sites/www-docs/content/packages/@openhi/constructs/workflows/control-plane/seed-system-data/seed-system-data-handler.md\n *\n * EventBridge workflow handler invoked once per platform-deploy event on\n * the control event bus. Idempotently re-asserts the platform-singleton\n * control-plane records (today: the three canonical Roles; future:\n * additional system data slotted in as sibling steps under the same\n * dedup record).\n */\n\ntype SeedSystemDataEvent = EventBridgeEvent<\n  \"platform.deployment-completed.v1\",\n  unknown\n>;\n\n/**\n * Input shape the handler passes to the completion publisher. Mirrors\n * the wire shape of `PlatformSystemDataSeededV1Detail` plus the\n * envelope-correlation fields the publisher needs to chain the new\n * event onto the originating deploy event.\n */\nexport interface PublishSeededInput {\n  /** Per-workflow payload — re-asserted record count + source event/stack ids. */\n  readonly payload: {\n    readonly sourceEventId: string;\n    readonly sourceStackId: string;\n    readonly seededRecordCount: number;\n  };\n  /**\n   * Envelope context propagated from the originating\n   * `platform.deployment-completed.v1` event so the chain is\n   * observable in logs.\n   */\n  readonly envelope: {\n    readonly correlationId: string;\n    readonly causationId: string;\n  };\n}\n\n/**\n * Dependency seam for tests. The factory mirrors the production\n * arrangement: a real DynamoDB client + the real `workflowDedupClient`\n * factory bound to the `OPENHI_WORKFLOW_DEDUP_TABLE_NAME` env var the\n * construct injects via `grantConsumer`.\n */\nexport interface SeedSystemDataDependencies {\n  readonly dedupClient: WorkflowDedupClient;\n  readonly seedRoles: (context: OpenHiContext) => Promise<void>;\n  /**\n   * Publishes the `platform.system-data-seeded.v1` completion event\n   * onto the control event bus. Called after a successful seed and\n   * before the handler returns — downstream consumers\n   * (`seed-demo-data`) subscribe to this event instead of the raw\n   * deploy-completion event so the dependency on system data is\n   * enforced by a happens-before edge.\n   */\n  readonly publishSeeded: (input: PublishSeededInput) => Promise<PublishResult>;\n}\n\nconst errorMessage = (err: unknown): string => {\n  if (err instanceof Error) {\n    return err.message;\n  }\n  return String(err);\n};\n\n/**\n * Lookup the stable record id for a given role code by walking the two\n * parallel generator-emitted constants. The `_IDS` / `_CONCEPTS` consts\n * are keyed by the same SCREAMING_SNAKE keys (the generator builds them\n * in lockstep), so a single key resolves both projections.\n */\nconst idForRoleCode = (code: ControlPlaneRoleCode): string => {\n  for (const key of Object.keys(CONTROL_PLANE_ROLE_IDS) as Array<\n    keyof typeof CONTROL_PLANE_ROLE_IDS\n  >) {\n    if (CONTROL_PLANE_ROLE_CONCEPTS[key].code === code) {\n      return CONTROL_PLANE_ROLE_IDS[key];\n    }\n  }\n  // Unreachable while `_IDS` and `_CONCEPTS` are emitted from the same\n  // CodeSystem: every code in `_CONCEPTS` has a matching id in `_IDS`.\n  throw new Error(`No id mapping for role code \"${code}\".`);\n};\n\n/**\n * Re-assert the three canonical control-plane Role records. Stable ids\n * from `CONTROL_PLANE_ROLE_IDS` make re-runs after dedup-TTL expiry\n * idempotent: every put with the same id+sk lands on the same primary\n * key and produces the same end state.\n */\nconst seedSystemRoles = async (context: OpenHiContext): Promise<void> => {\n  for (const concept of Object.values(CONTROL_PLANE_ROLE_CONCEPTS)) {\n    const id = idForRoleCode(concept.code);\n    await createRoleOperation({\n      context,\n      body: {\n        id,\n        resource: {\n          resourceType: \"Role\",\n          code: concept.code,\n          display: concept.display,\n          active: true,\n        },\n      },\n    });\n  }\n};\n\n/**\n * Test-visible orchestrator. The production `handler` calls this with\n * real dependencies; unit tests inject fakes.\n */\nexport const runSeedSystemData = async (\n  event: SeedSystemDataEvent,\n  deps: SeedSystemDataDependencies,\n): Promise<void> => {\n  const parsed = parseWorkflowEvent(event, PlatformDeploymentCompletedV1);\n\n  // Dedup is the single circuit-breaker between EventBridge's\n  // at-least-once redelivery and the DynamoDB writes below. If\n  // `recordIfAbsent` returns `recorded: false`, a prior invocation of\n  // this (eventId, attempt) tuple already ran to completion — there is\n  // nothing left to do, so we exit without re-iterating the catalog.\n  const recordResult = await deps.dedupClient.recordIfAbsent({\n    consumerName: SEED_SYSTEM_DATA_CONSUMER_NAME,\n    eventId: parsed.dedupKey.eventId,\n    attempt: parsed.dedupKey.attempt,\n  });\n  if (!recordResult.recorded) {\n    return;\n  }\n\n  // Role records are platform-wide singletons (per ADR 2026-03-13-02 §4)\n  // and live under the sentinel tenant/workspace coordinates the\n  // `role-entity` declares (`TID#-#WID#-`). We pass an internal-system\n  // context whose tenant/workspace fields are empty strings; the role\n  // create operation reads only `date` and audit metadata.\n  const lastUpdated = parsed.envelope.occurredAt;\n  const context: OpenHiContext = {\n    tenantId: \"\",\n    workspaceId: \"\",\n    date: lastUpdated,\n    actorId: \"platform-deploy-bridge\",\n    actorName: \"Platform Deploy Bridge\",\n    actorType: \"internal-system\",\n    source: \"step-function\",\n  };\n\n  try {\n    await deps.seedRoles(context);\n  } catch (err) {\n    // Mark the dedup row failed so the replay tooling (TR-016 follow-up)\n    // can re-publish the originating event with a fresh attempt. The\n    // re-throw keeps EventBridge's failure-detection path intact — the\n    // event ends up in the DLQ + the workflow Lambda's failure\n    // CloudWatch alarm fires.\n    await deps.dedupClient.markFailed({\n      consumerName: SEED_SYSTEM_DATA_CONSUMER_NAME,\n      eventId: parsed.dedupKey.eventId,\n      attempt: parsed.dedupKey.attempt,\n      reason: errorMessage(err),\n    });\n    throw err;\n  }\n\n  // Seeding succeeded — publish `platform.system-data-seeded.v1` so\n  // downstream consumers that depend on the platform-singleton\n  // records existing (today: `seed-demo-data`) are triggered by a\n  // happens-before edge rather than by EventBridge retry timing.\n  //\n  // A publish failure here does NOT roll back the seed — the records\n  // are already in the data store and idempotent on re-fire. We log\n  // and re-throw so EventBridge retries the whole event; on retry,\n  // dedup wins (no-op) and the publish path re-runs.\n  const sourcePayload = parsed.envelope\n    .payload as PlatformDeploymentCompletedV1Detail;\n  await deps.publishSeeded({\n    payload: {\n      sourceEventId: parsed.envelope.eventId,\n      sourceStackId: sourcePayload.stackId,\n      seededRecordCount: Object.keys(CONTROL_PLANE_ROLE_IDS).length,\n    },\n    envelope: {\n      correlationId: parsed.envelope.correlationId,\n      causationId: parsed.envelope.eventId,\n    },\n  });\n};\n\nconst productionDependencies = (): SeedSystemDataDependencies => {\n  const dynamodb = new DynamoDBClient({});\n  const eventBridge = new EventBridgeClient({});\n  return {\n    dedupClient: workflowDedupClient(dynamodb),\n    seedRoles: seedSystemRoles,\n    publishSeeded: async (input) => {\n      const controlBusName = process.env[SEED_SYSTEM_DATA_CONTROL_BUS_ENV_VAR];\n      if (!controlBusName) {\n        throw new Error(\n          `seed-system-data: ${SEED_SYSTEM_DATA_CONTROL_BUS_ENV_VAR} env var is required to publish system-data-seeded events.`,\n        );\n      }\n      return publishWorkflowEvent(\n        eventBridge,\n        PlatformSystemDataSeededV1,\n        input.payload,\n        {\n          actor: { system: SEED_SYSTEM_DATA_ACTOR_SYSTEM },\n          correlationId: input.envelope.correlationId,\n          causationId: input.envelope.causationId,\n        },\n        {\n          busNameByPlane: { [OPENHI_CONTROL_SOURCE]: controlBusName },\n        },\n      );\n    },\n  };\n};\n\nexport const handler = async (event: SeedSystemDataEvent): Promise<void> =>\n  runSeedSystemData(event, productionDependencies());\n"],"mappings":";;;;;;;;;;;;;;;;;;AAOA,IAAAA,oBAQO;AAfP,SAAS,sBAAsB;AAC/B,SAAS,yBAAyB;AAClC;AAAA,EACE;AAAA,EACA;AAAA,OAEK;AAgFP,IAAM,eAAe,CAAC,QAAyB;AAC7C,MAAI,eAAe,OAAO;AACxB,WAAO,IAAI;AAAA,EACb;AACA,SAAO,OAAO,GAAG;AACnB;AAQA,IAAM,gBAAgB,CAAC,SAAuC;AAC5D,aAAW,OAAO,OAAO,KAAK,sBAAsB,GAEjD;AACD,QAAI,4BAA4B,GAAG,EAAE,SAAS,MAAM;AAClD,aAAO,uBAAuB,GAAG;AAAA,IACnC;AAAA,EACF;AAGA,QAAM,IAAI,MAAM,gCAAgC,IAAI,IAAI;AAC1D;AAQA,IAAM,kBAAkB,OAAO,YAA0C;AACvE,aAAW,WAAW,OAAO,OAAO,2BAA2B,GAAG;AAChE,UAAM,KAAK,cAAc,QAAQ,IAAI;AACrC,UAAM,oBAAoB;AAAA,MACxB;AAAA,MACA,MAAM;AAAA,QACJ;AAAA,QACA,UAAU;AAAA,UACR,cAAc;AAAA,UACd,MAAM,QAAQ;AAAA,UACd,SAAS,QAAQ;AAAA,UACjB,QAAQ;AAAA,QACV;AAAA,MACF;AAAA,IACF,CAAC;AAAA,EACH;AACF;AAMO,IAAM,oBAAoB,OAC/B,OACA,SACkB;AAClB,QAAM,aAAS,sCAAmB,OAAO,8CAA6B;AAOtE,QAAM,eAAe,MAAM,KAAK,YAAY,eAAe;AAAA,IACzD,cAAc;AAAA,IACd,SAAS,OAAO,SAAS;AAAA,IACzB,SAAS,OAAO,SAAS;AAAA,EAC3B,CAAC;AACD,MAAI,CAAC,aAAa,UAAU;AAC1B;AAAA,EACF;AAOA,QAAM,cAAc,OAAO,SAAS;AACpC,QAAM,UAAyB;AAAA,IAC7B,UAAU;AAAA,IACV,aAAa;AAAA,IACb,MAAM;AAAA,IACN,SAAS;AAAA,IACT,WAAW;AAAA,IACX,WAAW;AAAA,IACX,QAAQ;AAAA,EACV;AAEA,MAAI;AACF,UAAM,KAAK,UAAU,OAAO;AAAA,EAC9B,SAAS,KAAK;AAMZ,UAAM,KAAK,YAAY,WAAW;AAAA,MAChC,cAAc;AAAA,MACd,SAAS,OAAO,SAAS;AAAA,MACzB,SAAS,OAAO,SAAS;AAAA,MACzB,QAAQ,aAAa,GAAG;AAAA,IAC1B,CAAC;AACD,UAAM;AAAA,EACR;AAWA,QAAM,gBAAgB,OAAO,SAC1B;AACH,QAAM,KAAK,cAAc;AAAA,IACvB,SAAS;AAAA,MACP,eAAe,OAAO,SAAS;AAAA,MAC/B,eAAe,cAAc;AAAA,MAC7B,mBAAmB,OAAO,KAAK,sBAAsB,EAAE;AAAA,IACzD;AAAA,IACA,UAAU;AAAA,MACR,eAAe,OAAO,SAAS;AAAA,MAC/B,aAAa,OAAO,SAAS;AAAA,IAC/B;AAAA,EACF,CAAC;AACH;AAEA,IAAM,yBAAyB,MAAkC;AAC/D,QAAM,WAAW,IAAI,eAAe,CAAC,CAAC;AACtC,QAAM,cAAc,IAAI,kBAAkB,CAAC,CAAC;AAC5C,SAAO;AAAA,IACL,iBAAa,uCAAoB,QAAQ;AAAA,IACzC,WAAW;AAAA,IACX,eAAe,OAAO,UAAU;AAC9B,YAAM,iBAAiB,QAAQ,IAAI,oCAAoC;AACvE,UAAI,CAAC,gBAAgB;AACnB,cAAM,IAAI;AAAA,UACR,qBAAqB,oCAAoC;AAAA,QAC3D;AAAA,MACF;AACA,iBAAO;AAAA,QACL;AAAA,QACA;AAAA,QACA,MAAM;AAAA,QACN;AAAA,UACE,OAAO,EAAE,QAAQ,8BAA8B;AAAA,UAC/C,eAAe,MAAM,SAAS;AAAA,UAC9B,aAAa,MAAM,SAAS;AAAA,QAC9B;AAAA,QACA;AAAA,UACE,gBAAgB,EAAE,CAAC,uCAAqB,GAAG,eAAe;AAAA,QAC5D;AAAA,MACF;AAAA,IACF;AAAA,EACF;AACF;AAEO,IAAM,UAAU,OAAO,UAC5B,kBAAkB,OAAO,uBAAuB,CAAC;","names":["import_workflows"]}
+{"version":3,"sources":["../src/workflows/control-plane/seed-system-data/seed-system-data.handler.ts"],"sourcesContent":["import { DynamoDBClient } from \"@aws-sdk/client-dynamodb\";\nimport { EventBridgeClient } from \"@aws-sdk/client-eventbridge\";\nimport {\n  PLATFORM_ROLE_CONCEPTS,\n  PLATFORM_ROLE_IDS,\n  type PlatformRoleCode,\n} from \"@openhi/types\";\nimport {\n  OPENHI_CONTROL_SOURCE,\n  parseWorkflowEvent,\n  publishWorkflowEvent,\n  workflowDedupClient,\n  type PlatformDeploymentCompletedV1Detail,\n  type PublishResult,\n  type WorkflowDedupClient,\n} from \"@openhi/workflows\";\nimport type { EventBridgeEvent } from \"aws-lambda\";\nimport {\n  PlatformDeploymentCompletedV1,\n  PlatformSystemDataSeededV1,\n  SEED_SYSTEM_DATA_ACTOR_SYSTEM,\n  SEED_SYSTEM_DATA_CONSUMER_NAME,\n  SEED_SYSTEM_DATA_CONTROL_BUS_ENV_VAR,\n} from \"./events\";\nimport type { OpenHiContext } from \"../../../data/openhi-context\";\nimport { createRoleOperation } from \"../../../data/operations/control/role/role-create-operation\";\n\n/**\n * @see sites/www-docs/content/packages/@openhi/constructs/workflows/control-plane/seed-system-data/seed-system-data-handler.md\n *\n * EventBridge workflow handler invoked once per platform-deploy event on\n * the control event bus. Idempotently re-asserts the platform-singleton\n * control-plane records (today: the three canonical Roles; future:\n * additional system data slotted in as sibling steps under the same\n * dedup record).\n */\n\ntype SeedSystemDataEvent = EventBridgeEvent<\n  \"platform.deployment-completed.v1\",\n  unknown\n>;\n\n/**\n * Input shape the handler passes to the completion publisher. Mirrors\n * the wire shape of `PlatformSystemDataSeededV1Detail` plus the\n * envelope-correlation fields the publisher needs to chain the new\n * event onto the originating deploy event.\n */\nexport interface PublishSeededInput {\n  /** Per-workflow payload — re-asserted record count + source event/stack ids. */\n  readonly payload: {\n    readonly sourceEventId: string;\n    readonly sourceStackId: string;\n    readonly seededRecordCount: number;\n  };\n  /**\n   * Envelope context propagated from the originating\n   * `platform.deployment-completed.v1` event so the chain is\n   * observable in logs.\n   */\n  readonly envelope: {\n    readonly correlationId: string;\n    readonly causationId: string;\n  };\n}\n\n/**\n * Dependency seam for tests. The factory mirrors the production\n * arrangement: a real DynamoDB client + the real `workflowDedupClient`\n * factory bound to the `OPENHI_WORKFLOW_DEDUP_TABLE_NAME` env var the\n * construct injects via `grantConsumer`.\n */\nexport interface SeedSystemDataDependencies {\n  readonly dedupClient: WorkflowDedupClient;\n  readonly seedRoles: (context: OpenHiContext) => Promise<void>;\n  /**\n   * Publishes the `platform.system-data-seeded.v1` completion event\n   * onto the control event bus. Called after a successful seed and\n   * before the handler returns — downstream consumers\n   * (`seed-demo-data`) subscribe to this event instead of the raw\n   * deploy-completion event so the dependency on system data is\n   * enforced by a happens-before edge.\n   */\n  readonly publishSeeded: (input: PublishSeededInput) => Promise<PublishResult>;\n}\n\nconst errorMessage = (err: unknown): string => {\n  if (err instanceof Error) {\n    return err.message;\n  }\n  return String(err);\n};\n\n/**\n * Lookup the stable record id for a given role code by walking the two\n * parallel generator-emitted constants. The `_IDS` / `_CONCEPTS` consts\n * are keyed by the same SCREAMING_SNAKE keys (the generator builds them\n * in lockstep), so a single key resolves both projections.\n */\nconst idForRoleCode = (code: PlatformRoleCode): string => {\n  for (const key of Object.keys(PLATFORM_ROLE_IDS) as Array<\n    keyof typeof PLATFORM_ROLE_IDS\n  >) {\n    if (PLATFORM_ROLE_CONCEPTS[key].code === code) {\n      return PLATFORM_ROLE_IDS[key];\n    }\n  }\n  // Unreachable while `_IDS` and `_CONCEPTS` are emitted from the same\n  // CodeSystem: every code in `_CONCEPTS` has a matching id in `_IDS`.\n  throw new Error(`No id mapping for role code \"${code}\".`);\n};\n\n/**\n * Re-assert the three canonical control-plane Role records. Stable ids\n * from `PLATFORM_ROLE_IDS` make re-runs after dedup-TTL expiry\n * idempotent: every put with the same id+sk lands on the same primary\n * key and produces the same end state.\n */\nconst seedSystemRoles = async (context: OpenHiContext): Promise<void> => {\n  for (const concept of Object.values(PLATFORM_ROLE_CONCEPTS)) {\n    const id = idForRoleCode(concept.code);\n    await createRoleOperation({\n      context,\n      body: {\n        id,\n        resource: {\n          resourceType: \"Role\",\n          code: concept.code,\n          display: concept.display,\n          active: true,\n        },\n      },\n    });\n  }\n};\n\n/**\n * Test-visible orchestrator. The production `handler` calls this with\n * real dependencies; unit tests inject fakes.\n */\nexport const runSeedSystemData = async (\n  event: SeedSystemDataEvent,\n  deps: SeedSystemDataDependencies,\n): Promise<void> => {\n  const parsed = parseWorkflowEvent(event, PlatformDeploymentCompletedV1);\n\n  // Dedup is the single circuit-breaker between EventBridge's\n  // at-least-once redelivery and the DynamoDB writes below. If\n  // `recordIfAbsent` returns `recorded: false`, a prior invocation of\n  // this (eventId, attempt) tuple already ran to completion — there is\n  // nothing left to do, so we exit without re-iterating the catalog.\n  const recordResult = await deps.dedupClient.recordIfAbsent({\n    consumerName: SEED_SYSTEM_DATA_CONSUMER_NAME,\n    eventId: parsed.dedupKey.eventId,\n    attempt: parsed.dedupKey.attempt,\n  });\n  if (!recordResult.recorded) {\n    return;\n  }\n\n  // Role records are platform-wide singletons (per ADR 2026-03-13-02 §4)\n  // and live under the sentinel tenant/workspace coordinates the\n  // `role-entity` declares (`TID#-#WID#-`). We pass an internal-system\n  // context whose tenant/workspace fields are empty strings; the role\n  // create operation reads only `date` and audit metadata.\n  const lastUpdated = parsed.envelope.occurredAt;\n  const context: OpenHiContext = {\n    tenantId: \"\",\n    workspaceId: \"\",\n    date: lastUpdated,\n    actorId: \"platform-deploy-bridge\",\n    actorName: \"Platform Deploy Bridge\",\n    actorType: \"internal-system\",\n    source: \"step-function\",\n  };\n\n  try {\n    await deps.seedRoles(context);\n  } catch (err) {\n    // Mark the dedup row failed so the replay tooling (TR-016 follow-up)\n    // can re-publish the originating event with a fresh attempt. The\n    // re-throw keeps EventBridge's failure-detection path intact — the\n    // event ends up in the DLQ + the workflow Lambda's failure\n    // CloudWatch alarm fires.\n    await deps.dedupClient.markFailed({\n      consumerName: SEED_SYSTEM_DATA_CONSUMER_NAME,\n      eventId: parsed.dedupKey.eventId,\n      attempt: parsed.dedupKey.attempt,\n      reason: errorMessage(err),\n    });\n    throw err;\n  }\n\n  // Seeding succeeded — publish `platform.system-data-seeded.v1` so\n  // downstream consumers that depend on the platform-singleton\n  // records existing (today: `seed-demo-data`) are triggered by a\n  // happens-before edge rather than by EventBridge retry timing.\n  //\n  // A publish failure here does NOT roll back the seed — the records\n  // are already in the data store and idempotent on re-fire. We log\n  // and re-throw so EventBridge retries the whole event; on retry,\n  // dedup wins (no-op) and the publish path re-runs.\n  const sourcePayload = parsed.envelope\n    .payload as PlatformDeploymentCompletedV1Detail;\n  await deps.publishSeeded({\n    payload: {\n      sourceEventId: parsed.envelope.eventId,\n      sourceStackId: sourcePayload.stackId,\n      seededRecordCount: Object.keys(PLATFORM_ROLE_IDS).length,\n    },\n    envelope: {\n      correlationId: parsed.envelope.correlationId,\n      causationId: parsed.envelope.eventId,\n    },\n  });\n};\n\nconst productionDependencies = (): SeedSystemDataDependencies => {\n  const dynamodb = new DynamoDBClient({});\n  const eventBridge = new EventBridgeClient({});\n  return {\n    dedupClient: workflowDedupClient(dynamodb),\n    seedRoles: seedSystemRoles,\n    publishSeeded: async (input) => {\n      const controlBusName = process.env[SEED_SYSTEM_DATA_CONTROL_BUS_ENV_VAR];\n      if (!controlBusName) {\n        throw new Error(\n          `seed-system-data: ${SEED_SYSTEM_DATA_CONTROL_BUS_ENV_VAR} env var is required to publish system-data-seeded events.`,\n        );\n      }\n      return publishWorkflowEvent(\n        eventBridge,\n        PlatformSystemDataSeededV1,\n        input.payload,\n        {\n          actor: { system: SEED_SYSTEM_DATA_ACTOR_SYSTEM },\n          correlationId: input.envelope.correlationId,\n          causationId: input.envelope.causationId,\n        },\n        {\n          busNameByPlane: { [OPENHI_CONTROL_SOURCE]: controlBusName },\n        },\n      );\n    },\n  };\n};\n\nexport const handler = async (event: SeedSystemDataEvent): Promise<void> =>\n  runSeedSystemData(event, productionDependencies());\n"],"mappings":";;;;;;;;;;;;;;;;;;AAOA,IAAAA,oBAQO;AAfP,SAAS,sBAAsB;AAC/B,SAAS,yBAAyB;AAClC;AAAA,EACE;AAAA,EACA;AAAA,OAEK;AAgFP,IAAM,eAAe,CAAC,QAAyB;AAC7C,MAAI,eAAe,OAAO;AACxB,WAAO,IAAI;AAAA,EACb;AACA,SAAO,OAAO,GAAG;AACnB;AAQA,IAAM,gBAAgB,CAAC,SAAmC;AACxD,aAAW,OAAO,OAAO,KAAK,iBAAiB,GAE5C;AACD,QAAI,uBAAuB,GAAG,EAAE,SAAS,MAAM;AAC7C,aAAO,kBAAkB,GAAG;AAAA,IAC9B;AAAA,EACF;AAGA,QAAM,IAAI,MAAM,gCAAgC,IAAI,IAAI;AAC1D;AAQA,IAAM,kBAAkB,OAAO,YAA0C;AACvE,aAAW,WAAW,OAAO,OAAO,sBAAsB,GAAG;AAC3D,UAAM,KAAK,cAAc,QAAQ,IAAI;AACrC,UAAM,oBAAoB;AAAA,MACxB;AAAA,MACA,MAAM;AAAA,QACJ;AAAA,QACA,UAAU;AAAA,UACR,cAAc;AAAA,UACd,MAAM,QAAQ;AAAA,UACd,SAAS,QAAQ;AAAA,UACjB,QAAQ;AAAA,QACV;AAAA,MACF;AAAA,IACF,CAAC;AAAA,EACH;AACF;AAMO,IAAM,oBAAoB,OAC/B,OACA,SACkB;AAClB,QAAM,aAAS,sCAAmB,OAAO,8CAA6B;AAOtE,QAAM,eAAe,MAAM,KAAK,YAAY,eAAe;AAAA,IACzD,cAAc;AAAA,IACd,SAAS,OAAO,SAAS;AAAA,IACzB,SAAS,OAAO,SAAS;AAAA,EAC3B,CAAC;AACD,MAAI,CAAC,aAAa,UAAU;AAC1B;AAAA,EACF;AAOA,QAAM,cAAc,OAAO,SAAS;AACpC,QAAM,UAAyB;AAAA,IAC7B,UAAU;AAAA,IACV,aAAa;AAAA,IACb,MAAM;AAAA,IACN,SAAS;AAAA,IACT,WAAW;AAAA,IACX,WAAW;AAAA,IACX,QAAQ;AAAA,EACV;AAEA,MAAI;AACF,UAAM,KAAK,UAAU,OAAO;AAAA,EAC9B,SAAS,KAAK;AAMZ,UAAM,KAAK,YAAY,WAAW;AAAA,MAChC,cAAc;AAAA,MACd,SAAS,OAAO,SAAS;AAAA,MACzB,SAAS,OAAO,SAAS;AAAA,MACzB,QAAQ,aAAa,GAAG;AAAA,IAC1B,CAAC;AACD,UAAM;AAAA,EACR;AAWA,QAAM,gBAAgB,OAAO,SAC1B;AACH,QAAM,KAAK,cAAc;AAAA,IACvB,SAAS;AAAA,MACP,eAAe,OAAO,SAAS;AAAA,MAC/B,eAAe,cAAc;AAAA,MAC7B,mBAAmB,OAAO,KAAK,iBAAiB,EAAE;AAAA,IACpD;AAAA,IACA,UAAU;AAAA,MACR,eAAe,OAAO,SAAS;AAAA,MAC/B,aAAa,OAAO,SAAS;AAAA,IAC/B;AAAA,EACF,CAAC;AACH;AAEA,IAAM,yBAAyB,MAAkC;AAC/D,QAAM,WAAW,IAAI,eAAe,CAAC,CAAC;AACtC,QAAM,cAAc,IAAI,kBAAkB,CAAC,CAAC;AAC5C,SAAO;AAAA,IACL,iBAAa,uCAAoB,QAAQ;AAAA,IACzC,WAAW;AAAA,IACX,eAAe,OAAO,UAAU;AAC9B,YAAM,iBAAiB,QAAQ,IAAI,oCAAoC;AACvE,UAAI,CAAC,gBAAgB;AACnB,cAAM,IAAI;AAAA,UACR,qBAAqB,oCAAoC;AAAA,QAC3D;AAAA,MACF;AACA,iBAAO;AAAA,QACL;AAAA,QACA;AAAA,QACA,MAAM;AAAA,QACN;AAAA,UACE,OAAO,EAAE,QAAQ,8BAA8B;AAAA,UAC/C,eAAe,MAAM,SAAS;AAAA,UAC9B,aAAa,MAAM,SAAS;AAAA,QAC9B;AAAA,QACA;AAAA,UACE,gBAAgB,EAAE,CAAC,uCAAqB,GAAG,eAAe;AAAA,QAC5D;AAAA,MACF;AAAA,IACF;AAAA,EACF;AACF;AAEO,IAAM,UAAU,OAAO,UAC5B,kBAAkB,OAAO,uBAAuB,CAAC;","names":["import_workflows"]}

package/package.json

@@ -71,7 +71,7 @@
   "publishConfig": {
     "access": "public"
   },
-  "version": "0.0.106",
+  "version": "0.0.108",
   "types": "lib/index.d.ts",
   "//": "~~ Generated by projen. To modify, edit .projenrc.js and run \"pnpm exec projen\".",
   "scripts": {

package/lib/chunk-AO3E22CS.mjs.map

@@ -1 +0,0 @@
-{"version":3,"sources":["../src/data/operations/control/membership/membership-create-operation.ts","../src/data/operations/control/roleassignment/roleassignment-create-operation.ts","../src/data/operations/control/tenant/tenant-create-operation.ts","../src/data/operations/control/workspace/workspace-create-operation.ts"],"sourcesContent":["import { extractSummary, type FhirResourceLike } from \"@openhi/types\";\nimport { getDynamoControlService } from \"../../../dynamo/dynamo-control-service\";\nimport { OpenHiContext } from \"../../../openhi-context\";\n\nexport interface MembershipCreateParams {\n  context: OpenHiContext;\n  body: { id?: string; resource?: Record<string, unknown> | string };\n  tableName?: string;\n}\n\nexport interface MembershipCreateResult {\n  id: string;\n  resource: { resourceType: string; id: string; [key: string]: unknown };\n  meta: { lastUpdated: string; versionId: string };\n}\n\nexport async function createMembershipOperation(\n  params: MembershipCreateParams,\n): Promise<MembershipCreateResult> {\n  const { context, body, tableName } = params;\n  const service = getDynamoControlService(tableName);\n\n  const id = body.id ?? `membership-${Date.now()}`;\n  const parsedResource =\n    typeof body.resource === \"string\"\n      ? (JSON.parse(body.resource) as Record<string, unknown>)\n      : (body.resource ?? {});\n\n  const lastUpdated = context.date ?? new Date().toISOString();\n  const vid = `1`;\n\n  const resource = { resourceType: \"Membership\", id, ...parsedResource };\n  const summary = JSON.stringify(extractSummary(resource as FhirResourceLike));\n\n  await service.entities.membership\n    .put({\n      tenantId: context.tenantId,\n      id,\n      resource: JSON.stringify(resource),\n      summary,\n      vid,\n      lastUpdated,\n    })\n    .go();\n\n  return {\n    id,\n    resource,\n    meta: { lastUpdated, versionId: vid },\n  };\n}\n","import { extractSummary, type FhirResourceLike } from \"@openhi/types\";\nimport { getDynamoControlService } from \"../../../dynamo/dynamo-control-service\";\nimport { OpenHiContext } from \"../../../openhi-context\";\n\nexport interface RoleAssignmentCreateParams {\n  context: OpenHiContext;\n  body: { id?: string; resource?: Record<string, unknown> | string };\n  tableName?: string;\n}\n\nexport interface RoleAssignmentCreateResult {\n  id: string;\n  resource: { resourceType: string; id: string; [key: string]: unknown };\n  meta: { lastUpdated: string; versionId: string };\n}\n\nexport async function createRoleAssignmentOperation(\n  params: RoleAssignmentCreateParams,\n): Promise<RoleAssignmentCreateResult> {\n  const { context, body, tableName } = params;\n  const service = getDynamoControlService(tableName);\n\n  const id = body.id ?? `roleassignment-${Date.now()}`;\n  const parsedResource =\n    typeof body.resource === \"string\"\n      ? (JSON.parse(body.resource) as Record<string, unknown>)\n      : (body.resource ?? {});\n\n  const lastUpdated = context.date ?? new Date().toISOString();\n  const vid = `1`;\n\n  const resource = { resourceType: \"RoleAssignment\", id, ...parsedResource };\n  const summary = JSON.stringify(extractSummary(resource as FhirResourceLike));\n\n  await service.entities.roleAssignment\n    .put({\n      tenantId: context.tenantId,\n      id,\n      resource: JSON.stringify(resource),\n      summary,\n      vid,\n      lastUpdated,\n    })\n    .go();\n\n  return {\n    id,\n    resource,\n    meta: { lastUpdated, versionId: vid },\n  };\n}\n","import { extractSummary, type FhirResourceLike } from \"@openhi/types\";\nimport { getDynamoControlService } from \"../../../dynamo/dynamo-control-service\";\nimport type { OpenHiContext } from \"../../../openhi-context\";\n\nexport interface CreateTenantParams {\n  context: OpenHiContext;\n  body: {\n    id?: string;\n    resource?: Record<string, unknown> | string;\n  };\n  tableName?: string;\n}\n\nexport interface CreateTenantResult {\n  id: string;\n  resource: Record<string, unknown>;\n  meta: { lastUpdated: string; versionId: string };\n}\n\n/**\n * Creates a Tenant. Generates an id if not provided.\n */\nexport async function createTenantOperation(\n  params: CreateTenantParams,\n): Promise<CreateTenantResult> {\n  const { context, body, tableName } = params;\n  const service = getDynamoControlService(tableName);\n\n  const id = body.id ?? `tenant-${Date.now()}`;\n  const lastUpdated = context.date;\n  const vid =\n    lastUpdated.replace(/[-:T.Z]/g, \"\").slice(0, 12) || Date.now().toString(36);\n\n  const parsedResource =\n    typeof body.resource === \"string\"\n      ? (JSON.parse(body.resource) as Record<string, unknown>)\n      : (body.resource ?? {});\n\n  const resource = { resourceType: \"Tenant\", id, ...parsedResource };\n  const summary = JSON.stringify(extractSummary(resource as FhirResourceLike));\n\n  await service.entities.tenant\n    .put({\n      tenantId: id,\n      id,\n      resource: JSON.stringify(resource),\n      summary,\n      vid,\n      lastUpdated,\n    })\n    .go();\n\n  return { id, resource, meta: { lastUpdated, versionId: vid } };\n}\n","import { extractSummary, type FhirResourceLike } from \"@openhi/types\";\nimport { getDynamoControlService } from \"../../../dynamo/dynamo-control-service\";\nimport type { OpenHiContext } from \"../../../openhi-context\";\n\nexport interface CreateWorkspaceParams {\n  context: OpenHiContext;\n  body: {\n    id?: string;\n    resource?: Record<string, unknown> | string;\n  };\n  tableName?: string;\n}\n\nexport interface CreateWorkspaceResult {\n  id: string;\n  resource: Record<string, unknown>;\n  meta: { lastUpdated: string; versionId: string };\n}\n\n/**\n * Creates a Workspace scoped to the context tenant. Generates an id if not provided.\n */\nexport async function createWorkspaceOperation(\n  params: CreateWorkspaceParams,\n): Promise<CreateWorkspaceResult> {\n  const { context, body, tableName } = params;\n  const { tenantId } = context;\n  const service = getDynamoControlService(tableName);\n\n  const id = body.id ?? `workspace-${Date.now()}`;\n  const lastUpdated = context.date;\n  const vid =\n    lastUpdated.replace(/[-:T.Z]/g, \"\").slice(0, 12) || Date.now().toString(36);\n\n  const parsedResource =\n    typeof body.resource === \"string\"\n      ? (JSON.parse(body.resource) as Record<string, unknown>)\n      : (body.resource ?? {});\n\n  const resource = { resourceType: \"Workspace\", id, ...parsedResource };\n  const summary = JSON.stringify(extractSummary(resource as FhirResourceLike));\n\n  await service.entities.workspace\n    .put({\n      tenantId,\n      id,\n      resource: JSON.stringify(resource),\n      summary,\n      vid,\n      lastUpdated,\n    })\n    .go();\n\n  return { id, resource, meta: { lastUpdated, versionId: vid } };\n}\n"],"mappings":";;;;;AAAA,SAAS,sBAA6C;AAgBtD,eAAsB,0BACpB,QACiC;AACjC,QAAM,EAAE,SAAS,MAAM,UAAU,IAAI;AACrC,QAAM,UAAU,wBAAwB,SAAS;AAEjD,QAAM,KAAK,KAAK,MAAM,cAAc,KAAK,IAAI,CAAC;AAC9C,QAAM,iBACJ,OAAO,KAAK,aAAa,WACpB,KAAK,MAAM,KAAK,QAAQ,IACxB,KAAK,YAAY,CAAC;AAEzB,QAAM,cAAc,QAAQ,SAAQ,oBAAI,KAAK,GAAE,YAAY;AAC3D,QAAM,MAAM;AAEZ,QAAM,WAAW,EAAE,cAAc,cAAc,IAAI,GAAG,eAAe;AACrE,QAAM,UAAU,KAAK,UAAU,eAAe,QAA4B,CAAC;AAE3E,QAAM,QAAQ,SAAS,WACpB,IAAI;AAAA,IACH,UAAU,QAAQ;AAAA,IAClB;AAAA,IACA,UAAU,KAAK,UAAU,QAAQ;AAAA,IACjC;AAAA,IACA;AAAA,IACA;AAAA,EACF,CAAC,EACA,GAAG;AAEN,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA,MAAM,EAAE,aAAa,WAAW,IAAI;AAAA,EACtC;AACF;;;AClDA,SAAS,kBAAAA,uBAA6C;AAgBtD,eAAsB,8BACpB,QACqC;AACrC,QAAM,EAAE,SAAS,MAAM,UAAU,IAAI;AACrC,QAAM,UAAU,wBAAwB,SAAS;AAEjD,QAAM,KAAK,KAAK,MAAM,kBAAkB,KAAK,IAAI,CAAC;AAClD,QAAM,iBACJ,OAAO,KAAK,aAAa,WACpB,KAAK,MAAM,KAAK,QAAQ,IACxB,KAAK,YAAY,CAAC;AAEzB,QAAM,cAAc,QAAQ,SAAQ,oBAAI,KAAK,GAAE,YAAY;AAC3D,QAAM,MAAM;AAEZ,QAAM,WAAW,EAAE,cAAc,kBAAkB,IAAI,GAAG,eAAe;AACzE,QAAM,UAAU,KAAK,UAAUC,gBAAe,QAA4B,CAAC;AAE3E,QAAM,QAAQ,SAAS,eACpB,IAAI;AAAA,IACH,UAAU,QAAQ;AAAA,IAClB;AAAA,IACA,UAAU,KAAK,UAAU,QAAQ;AAAA,IACjC;AAAA,IACA;AAAA,IACA;AAAA,EACF,CAAC,EACA,GAAG;AAEN,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA,MAAM,EAAE,aAAa,WAAW,IAAI;AAAA,EACtC;AACF;;;AClDA,SAAS,kBAAAC,uBAA6C;AAsBtD,eAAsB,sBACpB,QAC6B;AAC7B,QAAM,EAAE,SAAS,MAAM,UAAU,IAAI;AACrC,QAAM,UAAU,wBAAwB,SAAS;AAEjD,QAAM,KAAK,KAAK,MAAM,UAAU,KAAK,IAAI,CAAC;AAC1C,QAAM,cAAc,QAAQ;AAC5B,QAAM,MACJ,YAAY,QAAQ,YAAY,EAAE,EAAE,MAAM,GAAG,EAAE,KAAK,KAAK,IAAI,EAAE,SAAS,EAAE;AAE5E,QAAM,iBACJ,OAAO,KAAK,aAAa,WACpB,KAAK,MAAM,KAAK,QAAQ,IACxB,KAAK,YAAY,CAAC;AAEzB,QAAM,WAAW,EAAE,cAAc,UAAU,IAAI,GAAG,eAAe;AACjE,QAAM,UAAU,KAAK,UAAUC,gBAAe,QAA4B,CAAC;AAE3E,QAAM,QAAQ,SAAS,OACpB,IAAI;AAAA,IACH,UAAU;AAAA,IACV;AAAA,IACA,UAAU,KAAK,UAAU,QAAQ;AAAA,IACjC;AAAA,IACA;AAAA,IACA;AAAA,EACF,CAAC,EACA,GAAG;AAEN,SAAO,EAAE,IAAI,UAAU,MAAM,EAAE,aAAa,WAAW,IAAI,EAAE;AAC/D;;;ACrDA,SAAS,kBAAAC,uBAA6C;AAsBtD,eAAsB,yBACpB,QACgC;AAChC,QAAM,EAAE,SAAS,MAAM,UAAU,IAAI;AACrC,QAAM,EAAE,SAAS,IAAI;AACrB,QAAM,UAAU,wBAAwB,SAAS;AAEjD,QAAM,KAAK,KAAK,MAAM,aAAa,KAAK,IAAI,CAAC;AAC7C,QAAM,cAAc,QAAQ;AAC5B,QAAM,MACJ,YAAY,QAAQ,YAAY,EAAE,EAAE,MAAM,GAAG,EAAE,KAAK,KAAK,IAAI,EAAE,SAAS,EAAE;AAE5E,QAAM,iBACJ,OAAO,KAAK,aAAa,WACpB,KAAK,MAAM,KAAK,QAAQ,IACxB,KAAK,YAAY,CAAC;AAEzB,QAAM,WAAW,EAAE,cAAc,aAAa,IAAI,GAAG,eAAe;AACpE,QAAM,UAAU,KAAK,UAAUC,gBAAe,QAA4B,CAAC;AAE3E,QAAM,QAAQ,SAAS,UACpB,IAAI;AAAA,IACH;AAAA,IACA;AAAA,IACA,UAAU,KAAK,UAAU,QAAQ;AAAA,IACjC;AAAA,IACA;AAAA,IACA;AAAA,EACF,CAAC,EACA,GAAG;AAEN,SAAO,EAAE,IAAI,UAAU,MAAM,EAAE,aAAa,WAAW,IAAI,EAAE;AAC/D;","names":["extractSummary","extractSummary","extractSummary","extractSummary","extractSummary","extractSummary"]}

package/lib/chunk-JUNL76HF.mjs

@@ -1,428 +0,0 @@
-import {
-  NotFoundError
-} from "./chunk-YZZDUJHI.mjs";
-import {
-  SHARD_COUNT,
-  getDynamoControlService
-} from "./chunk-VYDIGFIX.mjs";
-
-// src/data/operations/control/user/user-create-operation.ts
-import { extractSummary } from "@openhi/types";
-async function createUserOperation(params) {
-  const { context, body, tableName } = params;
-  const service = getDynamoControlService(tableName);
-  const id = body.id ?? `user-${Date.now()}`;
-  const parsedResource = typeof body.resource === "string" ? JSON.parse(body.resource) : body.resource ?? {};
-  const lastUpdated = context.date ?? (/* @__PURE__ */ new Date()).toISOString();
-  const vid = `1`;
-  const resource = { resourceType: "User", id, ...parsedResource };
-  const summary = JSON.stringify(extractSummary(resource));
-  await service.entities.user.put({
-    id,
-    resource: JSON.stringify(resource),
-    summary,
-    vid,
-    lastUpdated
-  }).go();
-  return {
-    id,
-    resource,
-    meta: { lastUpdated, versionId: vid }
-  };
-}
-
-// src/data/operations/control/user/user-delete-operation.ts
-async function deleteUserOperation(params) {
-  const { id, tableName } = params;
-  const service = getDynamoControlService(tableName);
-  await service.entities.user.delete({ id, sk: "CURRENT" }).go();
-}
-
-// src/data/operations/control/user/user-get-by-id-operation.ts
-async function getUserByIdOperation(params) {
-  const { id, tableName } = params;
-  const service = getDynamoControlService(tableName);
-  const response = await service.entities.user.get({ id, sk: "CURRENT" }).go();
-  const item = response.data;
-  if (!item) {
-    throw new NotFoundError(`User not found: ${id}`);
-  }
-  const parsedResource = JSON.parse(item.resource);
-  return {
-    id,
-    resource: { resourceType: "User", id, ...parsedResource }
-  };
-}
-
-// src/data/operations/data-operations-common.ts
-import { extractSortKey, extractSummary as extractSummary2 } from "@openhi/types";
-
-// src/lib/compression.ts
-import { gzipSync, gunzipSync } from "zlib";
-var ENVELOPE_VERSION = 1;
-var COMPRESSION_ALGOS = {
-  NONE: "none",
-  GZIP: "gzip",
-  BROTLI: "brotli",
-  DEFLATE: "deflate"
-};
-function isEnvelope(obj) {
-  return typeof obj === "object" && obj !== null && "v" in obj && "algo" in obj && "payload" in obj && typeof obj.payload === "string";
-}
-function compressResource(jsonString, options) {
-  const algo = options?.algo ?? COMPRESSION_ALGOS.GZIP;
-  if (algo === COMPRESSION_ALGOS.NONE) {
-    const envelope2 = {
-      v: ENVELOPE_VERSION,
-      algo: COMPRESSION_ALGOS.NONE,
-      payload: jsonString
-    };
-    return JSON.stringify(envelope2);
-  }
-  const buf = Buffer.from(jsonString, "utf-8");
-  const payload = gzipSync(buf).toString("base64");
-  const envelope = {
-    v: ENVELOPE_VERSION,
-    algo: COMPRESSION_ALGOS.GZIP,
-    payload
-  };
-  return JSON.stringify(envelope);
-}
-function decompressResource(compressedOrRaw) {
-  try {
-    const parsed = JSON.parse(compressedOrRaw);
-    if (isEnvelope(parsed)) {
-      if (parsed.algo === COMPRESSION_ALGOS.GZIP) {
-        const buf = Buffer.from(parsed.payload, "base64");
-        return gunzipSync(buf).toString("utf-8");
-      }
-      if (parsed.algo === COMPRESSION_ALGOS.NONE) {
-        return parsed.payload;
-      }
-      return parsed.payload;
-    }
-  } catch {
-  }
-  try {
-    const buf = Buffer.from(compressedOrRaw, "base64");
-    if (buf.length >= 2 && buf[0] === 31 && buf[1] === 139) {
-      return gunzipSync(buf).toString("utf-8");
-    }
-  } catch {
-  }
-  return compressedOrRaw;
-}
-
-// src/data/audit-meta.ts
-var OPENHI_EXT = "http://openhi.org/fhir/StructureDefinition";
-function mergeAuditIntoMeta(meta, audit) {
-  const existing = meta ?? {};
-  const ext = [
-    ...Array.isArray(existing.extension) ? existing.extension : []
-  ];
-  const byUrl = new Map(ext.map((e) => [e.url, e]));
-  function set(url, value, type) {
-    if (value == null) return;
-    byUrl.set(url, { url, [type]: value });
-  }
-  set(`${OPENHI_EXT}/created-date`, audit.createdDate, "valueDateTime");
-  set(`${OPENHI_EXT}/created-by-id`, audit.createdById, "valueString");
-  set(`${OPENHI_EXT}/created-by-name`, audit.createdByName, "valueString");
-  set(`${OPENHI_EXT}/modified-date`, audit.modifiedDate, "valueDateTime");
-  set(`${OPENHI_EXT}/modified-by-id`, audit.modifiedById, "valueString");
-  set(`${OPENHI_EXT}/modified-by-name`, audit.modifiedByName, "valueString");
-  set(`${OPENHI_EXT}/deleted-date`, audit.deletedDate, "valueDateTime");
-  set(`${OPENHI_EXT}/deleted-by-id`, audit.deletedById, "valueString");
-  set(`${OPENHI_EXT}/deleted-by-name`, audit.deletedByName, "valueString");
-  return { ...existing, extension: Array.from(byUrl.values()) };
-}
-
-// src/data/operations/data-operations-common.ts
-var DATA_ENTITY_SK = "CURRENT";
-async function getDataEntityById(entity, tenantId, workspaceId, id, resourceLabel) {
-  const result = await entity.get({
-    tenantId,
-    workspaceId,
-    id,
-    sk: DATA_ENTITY_SK
-  }).go();
-  if (!result.data) {
-    throw new NotFoundError(`${resourceLabel} ${id} not found`, {
-      details: { id }
-    });
-  }
-  const parsed = JSON.parse(decompressResource(result.data.resource));
-  return {
-    id: result.data.id,
-    resource: { ...parsed, id: result.data.id }
-  };
-}
-async function deleteDataEntityById(entity, tenantId, workspaceId, id) {
-  await entity.delete({
-    tenantId,
-    workspaceId,
-    id,
-    sk: DATA_ENTITY_SK
-  }).go();
-}
-var BATCH_GET_MAX_ATTEMPTS = 3;
-var BATCH_GET_BASE_BACKOFF_MS = 50;
-async function batchGetWithRetry(entity, keys) {
-  if (keys.length === 0) return [];
-  const collected = [];
-  let pending = keys;
-  let attempt = 0;
-  while (pending.length > 0) {
-    if (attempt > 0) {
-      await new Promise(
-        (resolve) => setTimeout(resolve, BATCH_GET_BASE_BACKOFF_MS * 2 ** (attempt - 1))
-      );
-    }
-    attempt++;
-    const result = await entity.get(pending).go();
-    collected.push(...result.data);
-    const unprocessed = result.unprocessed ?? [];
-    if (unprocessed.length === 0) break;
-    if (attempt >= BATCH_GET_MAX_ATTEMPTS) {
-      throw new Error(
-        `BatchGet exhausted retries: ${unprocessed.length} key(s) still unprocessed after ${BATCH_GET_MAX_ATTEMPTS} attempt(s)`
-      );
-    }
-    pending = unprocessed;
-  }
-  return collected;
-}
-async function dispatchListMode(mode, shardResults, hooks) {
-  if (mode === "count") {
-    let total = 0;
-    for (const shardResult of shardResults) {
-      total += (shardResult.data ?? []).length;
-    }
-    return { entries: [], total };
-  }
-  if (mode === "summary") {
-    const entries2 = [];
-    for (const shardResult of shardResults) {
-      for (const item of shardResult.data ?? []) {
-        if (typeof item.summary !== "string") continue;
-        let parsed;
-        try {
-          parsed = JSON.parse(item.summary);
-        } catch {
-          continue;
-        }
-        entries2.push(hooks.buildSummaryEntry(item.id, parsed));
-      }
-    }
-    return { entries: entries2, total: entries2.length };
-  }
-  const orderedIds = [];
-  for (const shardResult of shardResults) {
-    for (const item of shardResult.data ?? []) {
-      orderedIds.push(item.id);
-    }
-  }
-  if (orderedIds.length === 0) return { entries: [], total: 0 };
-  const items = await hooks.hydrate(orderedIds);
-  const byId = new Map(items.map((item) => [hooks.getId(item), item]));
-  const entries = [];
-  for (const id of orderedIds) {
-    const item = byId.get(id);
-    if (!item) continue;
-    entries.push(hooks.buildEntry(id, item));
-  }
-  return { entries, total: entries.length };
-}
-async function listDataEntitiesByWorkspace(entity, tenantId, workspaceId, mode = "full") {
-  const shardResults = await Promise.all(
-    Array.from(
-      { length: SHARD_COUNT },
-      (_, shard) => entity.query.gsi1({ tenantId, workspaceId, gsi1Shard: String(shard) }).go()
-    )
-  );
-  return dispatchListMode(
-    mode,
-    shardResults,
-    {
-      hydrate: (orderedIds) => batchGetWithRetry(
-        entity,
-        orderedIds.map((id) => ({
-          tenantId,
-          workspaceId,
-          id,
-          sk: DATA_ENTITY_SK
-        }))
-      ),
-      getId: (item) => item.id,
-      buildEntry: (id, item) => {
-        const parsed = JSON.parse(decompressResource(item.resource));
-        return { id, resource: { ...parsed, id } };
-      },
-      buildSummaryEntry: (id, parsed) => ({
-        id,
-        resource: { ...parsed, id }
-      })
-    }
-  );
-}
-async function createDataEntityRecord(entity, tenantId, workspaceId, id, resourceWithAudit, fallbackDate) {
-  const lastUpdated = resourceWithAudit.meta?.lastUpdated ?? fallbackDate ?? (/* @__PURE__ */ new Date()).toISOString();
-  const vid = lastUpdated.replace(/[-:T.Z]/g, "").slice(0, 12) || Date.now().toString(36);
-  const resourceLike = resourceWithAudit;
-  const summary = JSON.stringify(extractSummary2(resourceLike));
-  const gsi1sk = extractSortKey(resourceLike);
-  await entity.put({
-    sk: DATA_ENTITY_SK,
-    tenantId,
-    workspaceId,
-    id,
-    resource: compressResource(JSON.stringify(resourceWithAudit)),
-    summary,
-    vid,
-    lastUpdated,
-    gsi1sk
-  }).go();
-  return {
-    id,
-    resource: resourceWithAudit
-  };
-}
-function buildUpdatedResourceWithAudit(body, id, date, actorId, actorName, existingResourceStr, resourceType) {
-  const existingMeta = JSON.parse(existingResourceStr).meta;
-  const bodyWithMeta = body;
-  const resourceWithVersion = {
-    ...body,
-    resourceType,
-    id,
-    meta: {
-      ...bodyWithMeta.meta ?? {},
-      lastUpdated: date,
-      versionId: "2"
-    }
-  };
-  const resourceWithAudit = {
-    ...resourceWithVersion,
-    meta: mergeAuditIntoMeta(resourceWithVersion.meta ?? existingMeta, {
-      modifiedDate: date,
-      modifiedById: actorId,
-      modifiedByName: actorName
-    })
-  };
-  return {
-    resource: resourceWithAudit,
-    lastUpdated: date
-  };
-}
-async function updateDataEntityById(entity, tenantId, workspaceId, id, resourceLabel, context, buildPatched) {
-  const existing = await entity.get({
-    tenantId,
-    workspaceId,
-    id,
-    sk: DATA_ENTITY_SK
-  }).go();
-  if (!existing.data) {
-    throw new NotFoundError(`${resourceLabel} ${id} not found`, {
-      details: { id }
-    });
-  }
-  const existingStr = decompressResource(existing.data.resource);
-  const { resource, lastUpdated } = buildPatched(existingStr);
-  const resourceLike = resource;
-  const summary = JSON.stringify(extractSummary2(resourceLike));
-  const gsi1sk = extractSortKey(resourceLike);
-  await entity.patch({
-    tenantId,
-    workspaceId,
-    id,
-    sk: DATA_ENTITY_SK
-  }).set({
-    resource: compressResource(JSON.stringify(resource)),
-    summary,
-    lastUpdated,
-    gsi1sk
-  }).go();
-  return {
-    id,
-    resource
-  };
-}
-
-// src/data/operations/control/user/user-list-operation.ts
-var SK = "CURRENT";
-async function listUsersOperation(params) {
-  const { tableName, mode = "full" } = params;
-  const service = getDynamoControlService(tableName);
-  const shardResults = await Promise.all(
-    Array.from(
-      { length: SHARD_COUNT },
-      (_, shard) => service.entities.user.query.gsi1({ gsi1Shard: String(shard) }).go()
-    )
-  );
-  return dispatchListMode(mode, shardResults, {
-    hydrate: (orderedIds) => batchGetWithRetry(
-      service.entities.user,
-      orderedIds.map((id) => ({ id, sk: SK }))
-    ),
-    getId: (item) => item.id,
-    buildEntry: (id, item) => ({
-      id,
-      resource: {
-        resourceType: "User",
-        id,
-        ...JSON.parse(item.resource)
-      }
-    }),
-    buildSummaryEntry: (id, parsed) => ({
-      id,
-      resource: { resourceType: "User", id, ...parsed }
-    })
-  });
-}
-
-// src/data/operations/control/user/user-update-operation.ts
-import { extractSummary as extractSummary3 } from "@openhi/types";
-async function updateUserOperation(params) {
-  const { context, id, body, tableName } = params;
-  const service = getDynamoControlService(tableName);
-  const existing = await service.entities.user.get({ id, sk: "CURRENT" }).go();
-  if (!existing.data) {
-    throw new NotFoundError(`User not found: ${id}`);
-  }
-  const parsedResource = typeof body.resource === "string" ? JSON.parse(body.resource) : body.resource ?? {};
-  const lastUpdated = context.date ?? (/* @__PURE__ */ new Date()).toISOString();
-  const vid = `${Date.now()}`;
-  const resource = { resourceType: "User", id, ...parsedResource };
-  const summary = JSON.stringify(extractSummary3(resource));
-  await service.entities.user.put({
-    id,
-    resource: JSON.stringify(resource),
-    summary,
-    vid,
-    lastUpdated
-  }).go();
-  return {
-    id,
-    resource,
-    meta: { lastUpdated, versionId: vid }
-  };
-}
-
-export {
-  compressResource,
-  decompressResource,
-  mergeAuditIntoMeta,
-  getDataEntityById,
-  deleteDataEntityById,
-  batchGetWithRetry,
-  dispatchListMode,
-  listDataEntitiesByWorkspace,
-  createDataEntityRecord,
-  buildUpdatedResourceWithAudit,
-  updateDataEntityById,
-  createUserOperation,
-  deleteUserOperation,
-  getUserByIdOperation,
-  listUsersOperation,
-  updateUserOperation
-};
-//# sourceMappingURL=chunk-JUNL76HF.mjs.map