@openhi/constructs 0.0.107 → 0.0.109

package/lib/chunk-2TPJ6HOF.mjs

@@ -0,0 +1,289 @@
+import {
+  ForbiddenError,
+  NotFoundError,
+  ValidationError,
+  batchGetWithRetry,
+  dispatchListMode
+} from "./chunk-IS4VQRI4.mjs";
+import {
+  SHARD_COUNT,
+  getDynamoControlService
+} from "./chunk-QR5JVSCF.mjs";
+
+// src/data/operations/control/user/user-find-by-sub-operation.ts
+async function findUserBySubOperation(params) {
+  const { cognitoSub, tableName } = params;
+  const service = getDynamoControlService(tableName);
+  const result = await service.entities.user.query.gsi2({ cognitoSub }).go({ limit: 1 });
+  const item = result.data?.[0];
+  if (!item) {
+    return void 0;
+  }
+  return {
+    id: item.id,
+    cognitoSub: item.cognitoSub,
+    resource: item.resource,
+    vid: item.vid
+  };
+}
+
+// src/data/operations/control/user/user-resource-helpers.ts
+function parseUserResource(resource) {
+  try {
+    return JSON.parse(resource);
+  } catch {
+    return void 0;
+  }
+}
+
+// src/data/operations/fhir-reference.ts
+function idFromReference(reference, prefix) {
+  if (!reference || !reference.startsWith(prefix)) {
+    return void 0;
+  }
+  const id = reference.slice(prefix.length);
+  return id.length > 0 ? id : void 0;
+}
+
+// src/data/operations/control/user/user-create-operation.ts
+import { extractSummary } from "@openhi/types";
+async function createUserOperation(params) {
+  const { context, body, tableName } = params;
+  const service = getDynamoControlService(tableName);
+  const id = body.id ?? `user-${Date.now()}`;
+  const parsedResource = typeof body.resource === "string" ? JSON.parse(body.resource) : body.resource ?? {};
+  const lastUpdated = context.date ?? (/* @__PURE__ */ new Date()).toISOString();
+  const vid = `1`;
+  const resource = { resourceType: "User", id, ...parsedResource };
+  const summary = JSON.stringify(extractSummary(resource));
+  await service.entities.user.put({
+    id,
+    resource: JSON.stringify(resource),
+    summary,
+    vid,
+    lastUpdated
+  }).go();
+  return {
+    id,
+    resource,
+    meta: { lastUpdated, versionId: vid }
+  };
+}
+
+// src/data/operations/control/user/user-get-by-id-operation.ts
+async function getUserByIdOperation(params) {
+  const { id, tableName } = params;
+  const service = getDynamoControlService(tableName);
+  const response = await service.entities.user.get({ id, sk: "CURRENT" }).go();
+  const item = response.data;
+  if (!item) {
+    throw new NotFoundError(`User not found: ${id}`);
+  }
+  const parsedResource = JSON.parse(item.resource);
+  return {
+    id,
+    resource: { resourceType: "User", id, ...parsedResource }
+  };
+}
+
+// src/data/operations/control/user/user-list-operation.ts
+var SK = "CURRENT";
+async function listUsersOperation(params) {
+  const { tableName, mode = "full" } = params;
+  const service = getDynamoControlService(tableName);
+  const shardResults = await Promise.all(
+    Array.from(
+      { length: SHARD_COUNT },
+      (_, shard) => service.entities.user.query.gsi1({ gsi1Shard: String(shard) }).go()
+    )
+  );
+  return dispatchListMode(mode, shardResults, {
+    hydrate: (orderedIds) => batchGetWithRetry(
+      service.entities.user,
+      orderedIds.map((id) => ({ id, sk: SK }))
+    ),
+    getId: (item) => item.id,
+    buildEntry: (id, item) => ({
+      id,
+      resource: {
+        resourceType: "User",
+        id,
+        ...JSON.parse(item.resource)
+      }
+    }),
+    buildSummaryEntry: (id, parsed) => ({
+      id,
+      resource: { resourceType: "User", id, ...parsed }
+    })
+  });
+}
+
+// src/data/operations/control/user/user-switch-tenant-workspace-operation.ts
+import { extractSummary as extractSummary2 } from "@openhi/types";
+
+// src/data/operations/control/membership/membership-find-for-user-in-tenant-operation.ts
+var SK2 = "CURRENT";
+async function findMembershipsForUserInTenantOperation(params) {
+  const { tenantId, userId, tableName } = params;
+  const service = getDynamoControlService(tableName);
+  const shardResults = await Promise.all(
+    Array.from(
+      { length: SHARD_COUNT },
+      (_, shard) => service.entities.membership.query.gsi1({ tenantId, gsi1Shard: String(shard) }).go()
+    )
+  );
+  const expectedUserRef = `User/${userId}`;
+  const memberships = [];
+  for (const shard of shardResults) {
+    for (const item of shard.data ?? []) {
+      if (item.sk !== SK2) {
+        continue;
+      }
+      let parsed;
+      try {
+        parsed = JSON.parse(item.resource);
+      } catch {
+        continue;
+      }
+      const userRef = parsed.user?.reference;
+      if (userRef !== expectedUserRef) {
+        continue;
+      }
+      memberships.push({ id: item.id, resource: parsed });
+    }
+  }
+  return { memberships };
+}
+function pickTenantMembership(memberships) {
+  return memberships.find(
+    (m) => m.resource.workspace == null
+  );
+}
+function pickWorkspaceMembership(memberships, workspaceId) {
+  const expectedWorkspaceRef = `Workspace/${workspaceId}`;
+  return memberships.find(
+    (m) => m.resource.workspace?.reference === expectedWorkspaceRef
+  );
+}
+
+// src/data/operations/control/user/user-switch-tenant-workspace-operation.ts
+var SK3 = "CURRENT";
+async function switchUserTenantWorkspaceOperation(params) {
+  const { cognitoSub, tenantReference, workspaceReference, tableName } = params;
+  const tenantId = idFromReference(tenantReference, "Tenant/");
+  if (!tenantId) {
+    throw new ValidationError(
+      "tenant.reference must be a 'Tenant/<id>' reference."
+    );
+  }
+  const workspaceId = idFromReference(workspaceReference, "Workspace/");
+  if (!workspaceId) {
+    throw new ValidationError(
+      "workspace.reference must be a 'Workspace/<id>' reference."
+    );
+  }
+  const user = await findUserBySubOperation({
+    // findUserBySubOperation does not read context fields; pass a stub.
+    context: {
+      tenantId: "",
+      workspaceId: "",
+      date: "",
+      actorId: "",
+      actorName: "",
+      actorType: "internal-system"
+    },
+    cognitoSub,
+    tableName
+  });
+  if (!user) {
+    throw new NotFoundError(
+      "User not yet provisioned for the authenticated Cognito subject."
+    );
+  }
+  const { memberships } = await findMembershipsForUserInTenantOperation({
+    tenantId,
+    userId: user.id,
+    tableName
+  });
+  if (!pickTenantMembership(memberships)) {
+    throw new ForbiddenError(`User is not a member of Tenant/${tenantId}.`);
+  }
+  if (!pickWorkspaceMembership(memberships, workspaceId)) {
+    throw new ForbiddenError(
+      `User is not a member of Workspace/${workspaceId} in Tenant/${tenantId}.`
+    );
+  }
+  const existingResource = parseUserResource(user.resource) ?? {};
+  const updatedResource = {
+    ...existingResource,
+    resourceType: "User",
+    id: user.id,
+    currentTenant: { reference: `Tenant/${tenantId}` },
+    currentWorkspace: { reference: `Workspace/${workspaceId}` }
+  };
+  const lastUpdated = (params.now ? params.now() : /* @__PURE__ */ new Date()).toISOString();
+  const vid = `${Date.now()}`;
+  const summary = JSON.stringify(
+    extractSummary2(updatedResource)
+  );
+  const service = getDynamoControlService(tableName);
+  await service.entities.user.patch({ id: user.id, sk: SK3 }).set({
+    resource: JSON.stringify(updatedResource),
+    summary,
+    vid,
+    lastUpdated
+  }).go();
+  return {
+    id: user.id,
+    resource: updatedResource,
+    meta: { lastUpdated, versionId: vid }
+  };
+}
+
+// src/data/operations/control/user/user-update-operation.ts
+import { extractSummary as extractSummary3 } from "@openhi/types";
+async function updateUserOperation(params) {
+  const { context, id, body, tableName } = params;
+  const service = getDynamoControlService(tableName);
+  const existing = await service.entities.user.get({ id, sk: "CURRENT" }).go();
+  if (!existing.data) {
+    throw new NotFoundError(`User not found: ${id}`);
+  }
+  const parsedResource = typeof body.resource === "string" ? JSON.parse(body.resource) : body.resource ?? {};
+  const lastUpdated = context.date ?? (/* @__PURE__ */ new Date()).toISOString();
+  const vid = `${Date.now()}`;
+  const resource = { resourceType: "User", id, ...parsedResource };
+  const summary = JSON.stringify(extractSummary3(resource));
+  await service.entities.user.put({
+    id,
+    resource: JSON.stringify(resource),
+    summary,
+    vid,
+    lastUpdated
+  }).go();
+  return {
+    id,
+    resource,
+    meta: { lastUpdated, versionId: vid }
+  };
+}
+
+// src/data/operations/control/user/user-delete-operation.ts
+async function deleteUserOperation(params) {
+  const { id, tableName } = params;
+  const service = getDynamoControlService(tableName);
+  await service.entities.user.delete({ id, sk: "CURRENT" }).go();
+}
+
+export {
+  createUserOperation,
+  deleteUserOperation,
+  getUserByIdOperation,
+  listUsersOperation,
+  updateUserOperation,
+  findUserBySubOperation,
+  parseUserResource,
+  idFromReference,
+  switchUserTenantWorkspaceOperation
+};
+//# sourceMappingURL=chunk-2TPJ6HOF.mjs.map

package/lib/chunk-2TPJ6HOF.mjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/data/operations/control/user/user-find-by-sub-operation.ts","../src/data/operations/control/user/user-resource-helpers.ts","../src/data/operations/fhir-reference.ts","../src/data/operations/control/user/user-create-operation.ts","../src/data/operations/control/user/user-get-by-id-operation.ts","../src/data/operations/control/user/user-list-operation.ts","../src/data/operations/control/user/user-switch-tenant-workspace-operation.ts","../src/data/operations/control/membership/membership-find-for-user-in-tenant-operation.ts","../src/data/operations/control/user/user-update-operation.ts","../src/data/operations/control/user/user-delete-operation.ts"],"sourcesContent":["import { getDynamoControlService } from \"../../../dynamo/dynamo-control-service\";\nimport { OpenHiContext } from \"../../../openhi-context\";\n\nexport interface FindUserBySubParams {\n  context: OpenHiContext;\n  cognitoSub: string;\n  tableName?: string;\n}\n\nexport interface FindUserBySubResult {\n  id: string;\n  cognitoSub?: string;\n  resource: string;\n  vid: string;\n}\n\n/**\n * Look up a User by Cognito sub via GSI2, projecting the row to a stable\n * result shape. Returns `undefined` when no row matches.\n */\nexport async function findUserBySubOperation(\n  params: FindUserBySubParams,\n): Promise<FindUserBySubResult | undefined> {\n  const { cognitoSub, tableName } = params;\n  const service = getDynamoControlService(tableName);\n\n  const result = await service.entities.user.query\n    .gsi2({ cognitoSub })\n    .go({ limit: 1 });\n  const item = result.data?.[0];\n  if (!item) {\n    return undefined;\n  }\n  return {\n    id: item.id,\n    cognitoSub: item.cognitoSub,\n    resource: item.resource,\n    vid: item.vid,\n  };\n}\n","import type { User } from \"@openhi/types\";\n\n/**\n * Helpers for working with persisted OpenHI User resources. Co-located with\n * the User operations because both the Cognito triggers and the onboarding\n * workflow consume these alongside `findUserBySubOperation`.\n */\n\n// Defensive parse — JSON.parse may yield any shape, so every field is optional.\nexport type UserResource = Partial<User>;\n\n/**\n * Existing User resources are stored as JSON strings in the data store; parse\n * defensively so a malformed payload returns `undefined` rather than throwing.\n */\nexport function parseUserResource(resource: string): UserResource | undefined {\n  try {\n    return JSON.parse(resource) as UserResource;\n  } catch {\n    return undefined;\n  }\n}\n","/**\n * Pure helpers for working with FHIR Reference fields. Shared across data-plane\n * and control-plane operations and the handlers that wrap them.\n */\n\n/**\n * Extract the id portion from a FHIR-style reference such as `Patient/<id>` or\n * `Tenant/<id>`. Returns `undefined` if the reference is missing, does not\n * match the prefix, or has an empty id after the prefix.\n */\nexport function idFromReference(\n  reference: string | undefined,\n  prefix: string,\n): string | undefined {\n  if (!reference || !reference.startsWith(prefix)) {\n    return undefined;\n  }\n  const id = reference.slice(prefix.length);\n  return id.length > 0 ? id : undefined;\n}\n","import { extractSummary, type FhirResourceLike } from \"@openhi/types\";\nimport { getDynamoControlService } from \"../../../dynamo/dynamo-control-service\";\nimport { OpenHiContext } from \"../../../openhi-context\";\n\nexport interface UserCreateParams {\n  context: OpenHiContext;\n  body: { id?: string; resource?: Record<string, unknown> | string };\n  tableName?: string;\n}\n\nexport interface UserCreateResult {\n  id: string;\n  resource: { resourceType: string; id: string; [key: string]: unknown };\n  meta: { lastUpdated: string; versionId: string };\n}\n\nexport async function createUserOperation(\n  params: UserCreateParams,\n): Promise<UserCreateResult> {\n  const { context, body, tableName } = params;\n  const service = getDynamoControlService(tableName);\n\n  const id = body.id ?? `user-${Date.now()}`;\n  const parsedResource =\n    typeof body.resource === \"string\"\n      ? (JSON.parse(body.resource) as Record<string, unknown>)\n      : (body.resource ?? {});\n\n  const lastUpdated = context.date ?? new Date().toISOString();\n  const vid = `1`;\n\n  const resource = { resourceType: \"User\", id, ...parsedResource };\n  const summary = JSON.stringify(extractSummary(resource as FhirResourceLike));\n\n  await service.entities.user\n    .put({\n      id,\n      resource: JSON.stringify(resource),\n      summary,\n      vid,\n      lastUpdated,\n    })\n    .go();\n\n  return {\n    id,\n    resource,\n    meta: { lastUpdated, versionId: vid },\n  };\n}\n","import { getDynamoControlService } from \"../../../dynamo/dynamo-control-service\";\nimport { NotFoundError } from \"../../../errors\";\nimport { OpenHiContext } from \"../../../openhi-context\";\n\nexport interface UserGetByIdParams {\n  context: OpenHiContext;\n  id: string;\n  tableName?: string;\n}\n\nexport interface UserGetByIdResult {\n  id: string;\n  resource: { resourceType: string; id: string; [key: string]: unknown };\n}\n\nexport async function getUserByIdOperation(\n  params: UserGetByIdParams,\n): Promise<UserGetByIdResult> {\n  const { id, tableName } = params;\n  const service = getDynamoControlService(tableName);\n\n  const response = await service.entities.user.get({ id, sk: \"CURRENT\" }).go();\n\n  const item = response.data;\n  if (!item) {\n    throw new NotFoundError(`User not found: ${id}`);\n  }\n\n  const parsedResource = JSON.parse(item.resource) as Record<string, unknown>;\n\n  return {\n    id,\n    resource: { resourceType: \"User\", id, ...parsedResource },\n  };\n}\n","import { getDynamoControlService } from \"../../../dynamo/dynamo-control-service\";\nimport { SHARD_COUNT } from \"../../../dynamo/shard\";\nimport { OpenHiContext } from \"../../../openhi-context\";\nimport {\n  batchGetWithRetry,\n  dispatchListMode,\n  type ListOperationMode,\n} from \"../../data-operations-common\";\n\nconst SK = \"CURRENT\";\n\nexport interface UserListParams {\n  context: OpenHiContext;\n  tableName?: string;\n  /** #853: defaults to `\"full\"`. `\"summary\"` skips BatchGet, `\"count\"` returns total only. */\n  mode?: ListOperationMode;\n}\n\nexport interface UserListResult {\n  entries: Array<{\n    id: string;\n    resource: { resourceType: string; id: string; [key: string]: unknown };\n  }>;\n  total: number;\n}\n\n/**\n * Lists Users via GSI1 (sharded). `mode` (default `\"full\"`) selects between BatchGet hydration,\n * summary-only (parse `summary` JSON projected on GSI1), or count-only (skip both). See\n * `dispatchListMode` in data-operations-common for the canonical mode contract.\n */\nexport async function listUsersOperation(\n  params: UserListParams,\n): Promise<UserListResult> {\n  const { tableName, mode = \"full\" } = params;\n  const service = getDynamoControlService(tableName);\n\n  const shardResults = await Promise.all(\n    Array.from({ length: SHARD_COUNT }, (_, shard) =>\n      service.entities.user.query.gsi1({ gsi1Shard: String(shard) }).go(),\n    ),\n  );\n\n  return dispatchListMode<\n    { id: string; resource: string },\n    UserListResult[\"entries\"][number]\n  >(mode, shardResults, {\n    hydrate: (orderedIds) =>\n      batchGetWithRetry(\n        service.entities.user,\n        orderedIds.map((id) => ({ id, sk: SK })),\n      ) as Promise<Array<{ id: string; resource: string }>>,\n    getId: (item) => item.id,\n    buildEntry: (id, item) => ({\n      id,\n      resource: {\n        resourceType: \"User\",\n        id,\n        ...(JSON.parse(item.resource) as Record<string, unknown>),\n      },\n    }),\n    buildSummaryEntry: (id, parsed) => ({\n      id,\n      resource: { resourceType: \"User\", id, ...parsed },\n    }),\n  });\n}\n","import { extractSummary, type FhirResourceLike } from \"@openhi/types\";\nimport { findUserBySubOperation } from \"./user-find-by-sub-operation\";\nimport { parseUserResource } from \"./user-resource-helpers\";\nimport { getDynamoControlService } from \"../../../dynamo/dynamo-control-service\";\nimport {\n  ForbiddenError,\n  NotFoundError,\n  ValidationError,\n} from \"../../../errors\";\nimport { idFromReference } from \"../../fhir-reference\";\nimport {\n  findMembershipsForUserInTenantOperation,\n  pickTenantMembership,\n  pickWorkspaceMembership,\n} from \"../membership/membership-find-for-user-in-tenant-operation\";\n\nconst SK = \"CURRENT\";\n\nexport interface UserSwitchTenantWorkspaceParams {\n  cognitoSub: string;\n  tenantReference: string;\n  workspaceReference: string;\n  tableName?: string;\n  /** Override the clock — used by tests for deterministic `lastUpdated`. */\n  now?: () => Date;\n}\n\nexport interface UserSwitchTenantWorkspaceResult {\n  id: string;\n  resource: Record<string, unknown>;\n  meta: { lastUpdated: string; versionId: string };\n}\n\n/**\n * Update `currentTenant` and `currentWorkspace` on the User resource for the\n * caller authenticated by the given Cognito `sub`. All other fields on the\n * User are preserved.\n *\n * Throws:\n * - `ValidationError` when either reference is missing or malformed\n * - `NotFoundError` when no User matches the Cognito subject\n * - `ForbiddenError` when the caller lacks a tenant-level OR workspace-level\n *   Membership in the requested tenant / workspace\n *\n * @see https://github.com/codedrifters/openhi/issues/769\n */\nexport async function switchUserTenantWorkspaceOperation(\n  params: UserSwitchTenantWorkspaceParams,\n): Promise<UserSwitchTenantWorkspaceResult> {\n  const { cognitoSub, tenantReference, workspaceReference, tableName } = params;\n\n  const tenantId = idFromReference(tenantReference, \"Tenant/\");\n  if (!tenantId) {\n    throw new ValidationError(\n      \"tenant.reference must be a 'Tenant/<id>' reference.\",\n    );\n  }\n  const workspaceId = idFromReference(workspaceReference, \"Workspace/\");\n  if (!workspaceId) {\n    throw new ValidationError(\n      \"workspace.reference must be a 'Workspace/<id>' reference.\",\n    );\n  }\n\n  const user = await findUserBySubOperation({\n    // findUserBySubOperation does not read context fields; pass a stub.\n    context: {\n      tenantId: \"\",\n      workspaceId: \"\",\n      date: \"\",\n      actorId: \"\",\n      actorName: \"\",\n      actorType: \"internal-system\",\n    },\n    cognitoSub,\n    tableName,\n  });\n  if (!user) {\n    throw new NotFoundError(\n      \"User not yet provisioned for the authenticated Cognito subject.\",\n    );\n  }\n\n  const { memberships } = await findMembershipsForUserInTenantOperation({\n    tenantId,\n    userId: user.id,\n    tableName,\n  });\n  if (!pickTenantMembership(memberships)) {\n    throw new ForbiddenError(`User is not a member of Tenant/${tenantId}.`);\n  }\n  if (!pickWorkspaceMembership(memberships, workspaceId)) {\n    throw new ForbiddenError(\n      `User is not a member of Workspace/${workspaceId} in Tenant/${tenantId}.`,\n    );\n  }\n\n  const existingResource = parseUserResource(user.resource) ?? {};\n  const updatedResource: Record<string, unknown> = {\n    ...existingResource,\n    resourceType: \"User\",\n    id: user.id,\n    currentTenant: { reference: `Tenant/${tenantId}` },\n    currentWorkspace: { reference: `Workspace/${workspaceId}` },\n  };\n\n  const lastUpdated = (params.now ? params.now() : new Date()).toISOString();\n  const vid = `${Date.now()}`;\n  const summary = JSON.stringify(\n    extractSummary(updatedResource as FhirResourceLike),\n  );\n\n  const service = getDynamoControlService(tableName);\n  await service.entities.user\n    .patch({ id: user.id, sk: SK })\n    .set({\n      resource: JSON.stringify(updatedResource),\n      summary,\n      vid,\n      lastUpdated,\n    })\n    .go();\n\n  return {\n    id: user.id,\n    resource: updatedResource,\n    meta: { lastUpdated, versionId: vid },\n  };\n}\n","import { getDynamoControlService } from \"../../../dynamo/dynamo-control-service\";\nimport { SHARD_COUNT } from \"../../../dynamo/shard\";\n\nconst SK = \"CURRENT\";\n\nexport interface MembershipFindForUserInTenantParams {\n  tenantId: string;\n  userId: string;\n  tableName?: string;\n}\n\nexport interface MembershipMatch {\n  id: string;\n  resource: Record<string, unknown>;\n}\n\nexport interface MembershipFindForUserInTenantResult {\n  memberships: Array<MembershipMatch>;\n}\n\n/**\n * Return every Membership in `tenantId` whose `resource.user.reference`\n * equals `User/<userId>` — including both the tenant-level membership\n * (no `workspace` reference) and any workspace-level memberships.\n *\n * Implementation: fan-out GSI1 query across all four shards for the\n * tenant, parse the resource JSON, and filter by `user.reference`.\n *\n * Interim implementation — to be replaced by the adjacency-list\n * `USER#ID#<userId>` projection in #977 (ADR-018) once it lands. The\n * scan cost is bounded by the size of the target tenant; that's fine\n * for `POST /User/$switch` membership validation in v1 and avoids\n * pulling forward a partially-landed GSI.\n */\nexport async function findMembershipsForUserInTenantOperation(\n  params: MembershipFindForUserInTenantParams,\n): Promise<MembershipFindForUserInTenantResult> {\n  const { tenantId, userId, tableName } = params;\n  const service = getDynamoControlService(tableName);\n\n  const shardResults = await Promise.all(\n    Array.from({ length: SHARD_COUNT }, (_, shard) =>\n      service.entities.membership.query\n        .gsi1({ tenantId, gsi1Shard: String(shard) })\n        .go(),\n    ),\n  );\n\n  const expectedUserRef = `User/${userId}`;\n  const memberships: Array<MembershipMatch> = [];\n\n  for (const shard of shardResults) {\n    for (const item of shard.data ?? []) {\n      if (item.sk !== SK) {\n        continue;\n      }\n      let parsed: Record<string, unknown>;\n      try {\n        parsed = JSON.parse(item.resource) as Record<string, unknown>;\n      } catch {\n        continue;\n      }\n      const userRef = (parsed.user as { reference?: unknown } | undefined)\n        ?.reference;\n      if (userRef !== expectedUserRef) {\n        continue;\n      }\n      memberships.push({ id: item.id, resource: parsed });\n    }\n  }\n\n  return { memberships };\n}\n\n/**\n * Tenant-level Membership: caller is a member of the tenant but not\n * scoped to a specific Workspace (no `workspace.reference`).\n */\nexport function pickTenantMembership(\n  memberships: ReadonlyArray<MembershipMatch>,\n): MembershipMatch | undefined {\n  return memberships.find(\n    (m) =>\n      (m.resource.workspace as { reference?: unknown } | undefined) == null,\n  );\n}\n\n/**\n * Workspace-level Membership for the given workspace id, if the caller\n * is a member.\n */\nexport function pickWorkspaceMembership(\n  memberships: ReadonlyArray<MembershipMatch>,\n  workspaceId: string,\n): MembershipMatch | undefined {\n  const expectedWorkspaceRef = `Workspace/${workspaceId}`;\n  return memberships.find(\n    (m) =>\n      (m.resource.workspace as { reference?: unknown } | undefined)\n        ?.reference === expectedWorkspaceRef,\n  );\n}\n","import { extractSummary, type FhirResourceLike } from \"@openhi/types\";\nimport { getDynamoControlService } from \"../../../dynamo/dynamo-control-service\";\nimport { NotFoundError } from \"../../../errors\";\nimport { OpenHiContext } from \"../../../openhi-context\";\n\nexport interface UserUpdateParams {\n  context: OpenHiContext;\n  id: string;\n  body: { resource?: Record<string, unknown> | string };\n  tableName?: string;\n}\n\nexport interface UserUpdateResult {\n  id: string;\n  resource: { resourceType: string; id: string; [key: string]: unknown };\n  meta: { lastUpdated: string; versionId: string };\n}\n\nexport async function updateUserOperation(\n  params: UserUpdateParams,\n): Promise<UserUpdateResult> {\n  const { context, id, body, tableName } = params;\n  const service = getDynamoControlService(tableName);\n\n  const existing = await service.entities.user.get({ id, sk: \"CURRENT\" }).go();\n  if (!existing.data) {\n    throw new NotFoundError(`User not found: ${id}`);\n  }\n\n  const parsedResource =\n    typeof body.resource === \"string\"\n      ? (JSON.parse(body.resource) as Record<string, unknown>)\n      : (body.resource ?? {});\n\n  const lastUpdated = context.date ?? new Date().toISOString();\n  const vid = `${Date.now()}`;\n\n  const resource = { resourceType: \"User\", id, ...parsedResource };\n  const summary = JSON.stringify(extractSummary(resource as FhirResourceLike));\n\n  await service.entities.user\n    .put({\n      id,\n      resource: JSON.stringify(resource),\n      summary,\n      vid,\n      lastUpdated,\n    })\n    .go();\n\n  return {\n    id,\n    resource,\n    meta: { lastUpdated, versionId: vid },\n  };\n}\n","import { getDynamoControlService } from \"../../../dynamo/dynamo-control-service\";\nimport { OpenHiContext } from \"../../../openhi-context\";\n\nexport interface UserDeleteParams {\n  context: OpenHiContext;\n  id: string;\n  tableName?: string;\n}\n\nexport async function deleteUserOperation(\n  params: UserDeleteParams,\n): Promise<void> {\n  const { id, tableName } = params;\n  const service = getDynamoControlService(tableName);\n\n  await service.entities.user.delete({ id, sk: \"CURRENT\" }).go();\n}\n"],"mappings":";;;;;;;;;;;;;AAoBA,eAAsB,uBACpB,QAC0C;AAC1C,QAAM,EAAE,YAAY,UAAU,IAAI;AAClC,QAAM,UAAU,wBAAwB,SAAS;AAEjD,QAAM,SAAS,MAAM,QAAQ,SAAS,KAAK,MACxC,KAAK,EAAE,WAAW,CAAC,EACnB,GAAG,EAAE,OAAO,EAAE,CAAC;AAClB,QAAM,OAAO,OAAO,OAAO,CAAC;AAC5B,MAAI,CAAC,MAAM;AACT,WAAO;AAAA,EACT;AACA,SAAO;AAAA,IACL,IAAI,KAAK;AAAA,IACT,YAAY,KAAK;AAAA,IACjB,UAAU,KAAK;AAAA,IACf,KAAK,KAAK;AAAA,EACZ;AACF;;;ACxBO,SAAS,kBAAkB,UAA4C;AAC5E,MAAI;AACF,WAAO,KAAK,MAAM,QAAQ;AAAA,EAC5B,QAAQ;AACN,WAAO;AAAA,EACT;AACF;;;ACXO,SAAS,gBACd,WACA,QACoB;AACpB,MAAI,CAAC,aAAa,CAAC,UAAU,WAAW,MAAM,GAAG;AAC/C,WAAO;AAAA,EACT;AACA,QAAM,KAAK,UAAU,MAAM,OAAO,MAAM;AACxC,SAAO,GAAG,SAAS,IAAI,KAAK;AAC9B;;;ACnBA,SAAS,sBAA6C;AAgBtD,eAAsB,oBACpB,QAC2B;AAC3B,QAAM,EAAE,SAAS,MAAM,UAAU,IAAI;AACrC,QAAM,UAAU,wBAAwB,SAAS;AAEjD,QAAM,KAAK,KAAK,MAAM,QAAQ,KAAK,IAAI,CAAC;AACxC,QAAM,iBACJ,OAAO,KAAK,aAAa,WACpB,KAAK,MAAM,KAAK,QAAQ,IACxB,KAAK,YAAY,CAAC;AAEzB,QAAM,cAAc,QAAQ,SAAQ,oBAAI,KAAK,GAAE,YAAY;AAC3D,QAAM,MAAM;AAEZ,QAAM,WAAW,EAAE,cAAc,QAAQ,IAAI,GAAG,eAAe;AAC/D,QAAM,UAAU,KAAK,UAAU,eAAe,QAA4B,CAAC;AAE3E,QAAM,QAAQ,SAAS,KACpB,IAAI;AAAA,IACH;AAAA,IACA,UAAU,KAAK,UAAU,QAAQ;AAAA,IACjC;AAAA,IACA;AAAA,IACA;AAAA,EACF,CAAC,EACA,GAAG;AAEN,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA,MAAM,EAAE,aAAa,WAAW,IAAI;AAAA,EACtC;AACF;;;AClCA,eAAsB,qBACpB,QAC4B;AAC5B,QAAM,EAAE,IAAI,UAAU,IAAI;AAC1B,QAAM,UAAU,wBAAwB,SAAS;AAEjD,QAAM,WAAW,MAAM,QAAQ,SAAS,KAAK,IAAI,EAAE,IAAI,IAAI,UAAU,CAAC,EAAE,GAAG;AAE3E,QAAM,OAAO,SAAS;AACtB,MAAI,CAAC,MAAM;AACT,UAAM,IAAI,cAAc,mBAAmB,EAAE,EAAE;AAAA,EACjD;AAEA,QAAM,iBAAiB,KAAK,MAAM,KAAK,QAAQ;AAE/C,SAAO;AAAA,IACL;AAAA,IACA,UAAU,EAAE,cAAc,QAAQ,IAAI,GAAG,eAAe;AAAA,EAC1D;AACF;;;ACzBA,IAAM,KAAK;AAsBX,eAAsB,mBACpB,QACyB;AACzB,QAAM,EAAE,WAAW,OAAO,OAAO,IAAI;AACrC,QAAM,UAAU,wBAAwB,SAAS;AAEjD,QAAM,eAAe,MAAM,QAAQ;AAAA,IACjC,MAAM;AAAA,MAAK,EAAE,QAAQ,YAAY;AAAA,MAAG,CAAC,GAAG,UACtC,QAAQ,SAAS,KAAK,MAAM,KAAK,EAAE,WAAW,OAAO,KAAK,EAAE,CAAC,EAAE,GAAG;AAAA,IACpE;AAAA,EACF;AAEA,SAAO,iBAGL,MAAM,cAAc;AAAA,IACpB,SAAS,CAAC,eACR;AAAA,MACE,QAAQ,SAAS;AAAA,MACjB,WAAW,IAAI,CAAC,QAAQ,EAAE,IAAI,IAAI,GAAG,EAAE;AAAA,IACzC;AAAA,IACF,OAAO,CAAC,SAAS,KAAK;AAAA,IACtB,YAAY,CAAC,IAAI,UAAU;AAAA,MACzB;AAAA,MACA,UAAU;AAAA,QACR,cAAc;AAAA,QACd;AAAA,QACA,GAAI,KAAK,MAAM,KAAK,QAAQ;AAAA,MAC9B;AAAA,IACF;AAAA,IACA,mBAAmB,CAAC,IAAI,YAAY;AAAA,MAClC;AAAA,MACA,UAAU,EAAE,cAAc,QAAQ,IAAI,GAAG,OAAO;AAAA,IAClD;AAAA,EACF,CAAC;AACH;;;AClEA,SAAS,kBAAAA,uBAA6C;;;ACGtD,IAAMC,MAAK;AA+BX,eAAsB,wCACpB,QAC8C;AAC9C,QAAM,EAAE,UAAU,QAAQ,UAAU,IAAI;AACxC,QAAM,UAAU,wBAAwB,SAAS;AAEjD,QAAM,eAAe,MAAM,QAAQ;AAAA,IACjC,MAAM;AAAA,MAAK,EAAE,QAAQ,YAAY;AAAA,MAAG,CAAC,GAAG,UACtC,QAAQ,SAAS,WAAW,MACzB,KAAK,EAAE,UAAU,WAAW,OAAO,KAAK,EAAE,CAAC,EAC3C,GAAG;AAAA,IACR;AAAA,EACF;AAEA,QAAM,kBAAkB,QAAQ,MAAM;AACtC,QAAM,cAAsC,CAAC;AAE7C,aAAW,SAAS,cAAc;AAChC,eAAW,QAAQ,MAAM,QAAQ,CAAC,GAAG;AACnC,UAAI,KAAK,OAAOA,KAAI;AAClB;AAAA,MACF;AACA,UAAI;AACJ,UAAI;AACF,iBAAS,KAAK,MAAM,KAAK,QAAQ;AAAA,MACnC,QAAQ;AACN;AAAA,MACF;AACA,YAAM,UAAW,OAAO,MACpB;AACJ,UAAI,YAAY,iBAAiB;AAC/B;AAAA,MACF;AACA,kBAAY,KAAK,EAAE,IAAI,KAAK,IAAI,UAAU,OAAO,CAAC;AAAA,IACpD;AAAA,EACF;AAEA,SAAO,EAAE,YAAY;AACvB;AAMO,SAAS,qBACd,aAC6B;AAC7B,SAAO,YAAY;AAAA,IACjB,CAAC,MACE,EAAE,SAAS,aAAqD;AAAA,EACrE;AACF;AAMO,SAAS,wBACd,aACA,aAC6B;AAC7B,QAAM,uBAAuB,aAAa,WAAW;AACrD,SAAO,YAAY;AAAA,IACjB,CAAC,MACE,EAAE,SAAS,WACR,cAAc;AAAA,EACtB;AACF;;;ADrFA,IAAMC,MAAK;AA8BX,eAAsB,mCACpB,QAC0C;AAC1C,QAAM,EAAE,YAAY,iBAAiB,oBAAoB,UAAU,IAAI;AAEvE,QAAM,WAAW,gBAAgB,iBAAiB,SAAS;AAC3D,MAAI,CAAC,UAAU;AACb,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACA,QAAM,cAAc,gBAAgB,oBAAoB,YAAY;AACpE,MAAI,CAAC,aAAa;AAChB,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AAEA,QAAM,OAAO,MAAM,uBAAuB;AAAA;AAAA,IAExC,SAAS;AAAA,MACP,UAAU;AAAA,MACV,aAAa;AAAA,MACb,MAAM;AAAA,MACN,SAAS;AAAA,MACT,WAAW;AAAA,MACX,WAAW;AAAA,IACb;AAAA,IACA;AAAA,IACA;AAAA,EACF,CAAC;AACD,MAAI,CAAC,MAAM;AACT,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AAEA,QAAM,EAAE,YAAY,IAAI,MAAM,wCAAwC;AAAA,IACpE;AAAA,IACA,QAAQ,KAAK;AAAA,IACb;AAAA,EACF,CAAC;AACD,MAAI,CAAC,qBAAqB,WAAW,GAAG;AACtC,UAAM,IAAI,eAAe,kCAAkC,QAAQ,GAAG;AAAA,EACxE;AACA,MAAI,CAAC,wBAAwB,aAAa,WAAW,GAAG;AACtD,UAAM,IAAI;AAAA,MACR,qCAAqC,WAAW,cAAc,QAAQ;AAAA,IACxE;AAAA,EACF;AAEA,QAAM,mBAAmB,kBAAkB,KAAK,QAAQ,KAAK,CAAC;AAC9D,QAAM,kBAA2C;AAAA,IAC/C,GAAG;AAAA,IACH,cAAc;AAAA,IACd,IAAI,KAAK;AAAA,IACT,eAAe,EAAE,WAAW,UAAU,QAAQ,GAAG;AAAA,IACjD,kBAAkB,EAAE,WAAW,aAAa,WAAW,GAAG;AAAA,EAC5D;AAEA,QAAM,eAAe,OAAO,MAAM,OAAO,IAAI,IAAI,oBAAI,KAAK,GAAG,YAAY;AACzE,QAAM,MAAM,GAAG,KAAK,IAAI,CAAC;AACzB,QAAM,UAAU,KAAK;AAAA,IACnBC,gBAAe,eAAmC;AAAA,EACpD;AAEA,QAAM,UAAU,wBAAwB,SAAS;AACjD,QAAM,QAAQ,SAAS,KACpB,MAAM,EAAE,IAAI,KAAK,IAAI,IAAID,IAAG,CAAC,EAC7B,IAAI;AAAA,IACH,UAAU,KAAK,UAAU,eAAe;AAAA,IACxC;AAAA,IACA;AAAA,IACA;AAAA,EACF,CAAC,EACA,GAAG;AAEN,SAAO;AAAA,IACL,IAAI,KAAK;AAAA,IACT,UAAU;AAAA,IACV,MAAM,EAAE,aAAa,WAAW,IAAI;AAAA,EACtC;AACF;;;AEhIA,SAAS,kBAAAE,uBAA6C;AAkBtD,eAAsB,oBACpB,QAC2B;AAC3B,QAAM,EAAE,SAAS,IAAI,MAAM,UAAU,IAAI;AACzC,QAAM,UAAU,wBAAwB,SAAS;AAEjD,QAAM,WAAW,MAAM,QAAQ,SAAS,KAAK,IAAI,EAAE,IAAI,IAAI,UAAU,CAAC,EAAE,GAAG;AAC3E,MAAI,CAAC,SAAS,MAAM;AAClB,UAAM,IAAI,cAAc,mBAAmB,EAAE,EAAE;AAAA,EACjD;AAEA,QAAM,iBACJ,OAAO,KAAK,aAAa,WACpB,KAAK,MAAM,KAAK,QAAQ,IACxB,KAAK,YAAY,CAAC;AAEzB,QAAM,cAAc,QAAQ,SAAQ,oBAAI,KAAK,GAAE,YAAY;AAC3D,QAAM,MAAM,GAAG,KAAK,IAAI,CAAC;AAEzB,QAAM,WAAW,EAAE,cAAc,QAAQ,IAAI,GAAG,eAAe;AAC/D,QAAM,UAAU,KAAK,UAAUC,gBAAe,QAA4B,CAAC;AAE3E,QAAM,QAAQ,SAAS,KACpB,IAAI;AAAA,IACH;AAAA,IACA,UAAU,KAAK,UAAU,QAAQ;AAAA,IACjC;AAAA,IACA;AAAA,IACA;AAAA,EACF,CAAC,EACA,GAAG;AAEN,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA,MAAM,EAAE,aAAa,WAAW,IAAI;AAAA,EACtC;AACF;;;AC9CA,eAAsB,oBACpB,QACe;AACf,QAAM,EAAE,IAAI,UAAU,IAAI;AAC1B,QAAM,UAAU,wBAAwB,SAAS;AAEjD,QAAM,QAAQ,SAAS,KAAK,OAAO,EAAE,IAAI,IAAI,UAAU,CAAC,EAAE,GAAG;AAC/D;","names":["extractSummary","SK","SK","extractSummary","extractSummary","extractSummary"]}

package/lib/{chunk-L6UAP4KP.mjs → chunk-7FUAMZOF.mjs}

@@ -1,9 +1,9 @@
 import {
   NotFoundError
-} from "./chunk-YZZDUJHI.mjs";
+} from "./chunk-IS4VQRI4.mjs";
 import {
   getDynamoControlService
-} from "./chunk-VYDIGFIX.mjs";
+} from "./chunk-QR5JVSCF.mjs";
 
 // src/data/operations/control/role/role-get-by-id-operation.ts
 async function getRoleByIdOperation(params) {
@@ -24,4 +24,4 @@ async function getRoleByIdOperation(params) {
 export {
   getRoleByIdOperation
 };
-//# sourceMappingURL=chunk-L6UAP4KP.mjs.map
+//# sourceMappingURL=chunk-7FUAMZOF.mjs.map

package/lib/{chunk-36UPY7YQ.mjs → chunk-7Q2IJ2J5.mjs}

@@ -1,6 +1,6 @@
 import {
   getRoleByIdOperation
-} from "./chunk-L6UAP4KP.mjs";
+} from "./chunk-7FUAMZOF.mjs";
 import {
   require_lib
 } from "./chunk-SYBADQXI.mjs";
@@ -9,13 +9,13 @@ import {
   createRoleAssignmentOperation,
   createTenantOperation,
   createWorkspaceOperation
-} from "./chunk-AO3E22CS.mjs";
+} from "./chunk-MULKGFIJ.mjs";
 import {
   NotFoundError
-} from "./chunk-YZZDUJHI.mjs";
+} from "./chunk-IS4VQRI4.mjs";
 import {
   getDynamoControlService
-} from "./chunk-VYDIGFIX.mjs";
+} from "./chunk-QR5JVSCF.mjs";
 import {
   __toESM
 } from "./chunk-LZOMFHX3.mjs";
@@ -526,4 +526,4 @@ export {
   productionCognitoProvisioner,
   handler
 };
-//# sourceMappingURL=chunk-36UPY7YQ.mjs.map
+//# sourceMappingURL=chunk-7Q2IJ2J5.mjs.map

package/lib/{chunk-YU2HRNUP.mjs → chunk-AJ3G3THO.mjs}

@@ -1,6 +1,6 @@
 import {
   getDynamoControlService
-} from "./chunk-VYDIGFIX.mjs";
+} from "./chunk-QR5JVSCF.mjs";
 
 // src/data/operations/control/role/role-create-operation.ts
 import { extractSummary } from "@openhi/types";
@@ -30,4 +30,4 @@ async function createRoleOperation(params) {
 export {
   createRoleOperation
 };
-//# sourceMappingURL=chunk-YU2HRNUP.mjs.map
+//# sourceMappingURL=chunk-AJ3G3THO.mjs.map

package/lib/chunk-BB5MK4L3.mjs

@@ -0,0 +1,96 @@
+import {
+  batchGetWithRetry,
+  dispatchListMode,
+  getDynamoDataService,
+  listDataEntitiesByWorkspace
+} from "./chunk-IS4VQRI4.mjs";
+import {
+  SHARD_COUNT,
+  getDynamoControlService
+} from "./chunk-QR5JVSCF.mjs";
+
+// src/data/operations/data/practitionerrole/practitionerrole-list-operation.ts
+async function listPractitionerRolesOperation(params) {
+  const { context, tableName, mode } = params;
+  const { tenantId, workspaceId } = context;
+  const service = getDynamoDataService(tableName);
+  return listDataEntitiesByWorkspace(
+    service.entities.practitionerrole,
+    tenantId,
+    workspaceId,
+    mode
+  );
+}
+
+// src/data/operations/control/membership/membership-list-operation.ts
+var SK = "CURRENT";
+async function listMembershipsOperation(params) {
+  const { context, tableName, mode = "full" } = params;
+  const tenantId = context.tenantId;
+  const service = getDynamoControlService(tableName);
+  const shardResults = await Promise.all(
+    Array.from(
+      { length: SHARD_COUNT },
+      (_, shard) => service.entities.membership.query.gsi1({ tenantId, gsi1Shard: String(shard) }).go()
+    )
+  );
+  return dispatchListMode(mode, shardResults, {
+    hydrate: (orderedIds) => batchGetWithRetry(
+      service.entities.membership,
+      orderedIds.map((id) => ({ tenantId, id, sk: SK }))
+    ),
+    getId: (item) => item.id,
+    buildEntry: (id, item) => ({
+      id,
+      resource: {
+        resourceType: "Membership",
+        id,
+        ...JSON.parse(item.resource)
+      }
+    }),
+    buildSummaryEntry: (id, parsed) => ({
+      id,
+      resource: { resourceType: "Membership", id, ...parsed }
+    })
+  });
+}
+
+// src/data/operations/control/roleassignment/roleassignment-list-operation.ts
+var SK2 = "CURRENT";
+async function listRoleAssignmentsOperation(params) {
+  const { context, tableName, mode = "full" } = params;
+  const tenantId = context.tenantId;
+  const service = getDynamoControlService(tableName);
+  const shardResults = await Promise.all(
+    Array.from(
+      { length: SHARD_COUNT },
+      (_, shard) => service.entities.roleAssignment.query.gsi1({ tenantId, gsi1Shard: String(shard) }).go()
+    )
+  );
+  return dispatchListMode(mode, shardResults, {
+    hydrate: (orderedIds) => batchGetWithRetry(
+      service.entities.roleAssignment,
+      orderedIds.map((id) => ({ tenantId, id, sk: SK2 }))
+    ),
+    getId: (item) => item.id,
+    buildEntry: (id, item) => ({
+      id,
+      resource: {
+        resourceType: "RoleAssignment",
+        id,
+        ...JSON.parse(item.resource)
+      }
+    }),
+    buildSummaryEntry: (id, parsed) => ({
+      id,
+      resource: { resourceType: "RoleAssignment", id, ...parsed }
+    })
+  });
+}
+
+export {
+  listPractitionerRolesOperation,
+  listMembershipsOperation,
+  listRoleAssignmentsOperation
+};
+//# sourceMappingURL=chunk-BB5MK4L3.mjs.map

package/lib/chunk-BB5MK4L3.mjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/data/operations/data/practitionerrole/practitionerrole-list-operation.ts","../src/data/operations/control/membership/membership-list-operation.ts","../src/data/operations/control/roleassignment/roleassignment-list-operation.ts"],"sourcesContent":["import type { PractitionerRole } from \"@openhi/types\";\nimport { getDynamoDataService } from \"../../../dynamo/dynamo-data-service\";\nimport {\n  type ListParams,\n  listDataEntitiesByWorkspace,\n  type ListResult,\n  type ListEntry,\n} from \"../../data-operations-common\";\n\n/**\n * List PractitionerRoles in a workspace (GSI1, sharded). Returns domain result for adapters to map to FHIR Bundle or other formats.\n *\n * @see sites/www-docs/content/packages/@openhi/constructs/data/shared-data-layer-layout.md\n */\nexport type ListPractitionerRolesParams = ListParams;\n\nexport type PractitionerRoleListEntry = ListEntry<PractitionerRole>;\n\nexport type ListPractitionerRolesResult = ListResult<PractitionerRole>;\n\n/**\n * Lists all PractitionerRoles in the workspace. Uses GSI1 (Unified Sharded List per ADR-011).\n * Throws on service errors; adapters map to HTTP/GraphQL/Step Function.\n */\nexport async function listPractitionerRolesOperation(\n  params: ListPractitionerRolesParams,\n): Promise<ListPractitionerRolesResult> {\n  const { context, tableName, mode } = params;\n  const { tenantId, workspaceId } = context;\n  const service = getDynamoDataService(tableName);\n  return listDataEntitiesByWorkspace<PractitionerRole>(\n    service.entities.practitionerrole as Parameters<\n      typeof listDataEntitiesByWorkspace\n    >[0],\n    tenantId,\n    workspaceId,\n    mode,\n  );\n}\n","import { getDynamoControlService } from \"../../../dynamo/dynamo-control-service\";\nimport { SHARD_COUNT } from \"../../../dynamo/shard\";\nimport { OpenHiContext } from \"../../../openhi-context\";\nimport {\n  batchGetWithRetry,\n  dispatchListMode,\n  type ListOperationMode,\n} from \"../../data-operations-common\";\n\nconst SK = \"CURRENT\";\n\nexport interface MembershipListParams {\n  context: OpenHiContext;\n  tableName?: string;\n  /** #853: defaults to `\"full\"`. `\"summary\"` skips BatchGet, `\"count\"` returns total only. */\n  mode?: ListOperationMode;\n}\n\nexport interface MembershipListResult {\n  entries: Array<{\n    id: string;\n    resource: { resourceType: string; id: string; [key: string]: unknown };\n  }>;\n  total: number;\n}\n\n/**\n * Lists Memberships for the context tenant via GSI1 (sharded). See `dispatchListMode` for\n * the mode contract (#853).\n */\nexport async function listMembershipsOperation(\n  params: MembershipListParams,\n): Promise<MembershipListResult> {\n  const { context, tableName, mode = \"full\" } = params;\n  const tenantId = context.tenantId;\n  const service = getDynamoControlService(tableName);\n\n  const shardResults = await Promise.all(\n    Array.from({ length: SHARD_COUNT }, (_, shard) =>\n      service.entities.membership.query\n        .gsi1({ tenantId, gsi1Shard: String(shard) })\n        .go(),\n    ),\n  );\n\n  return dispatchListMode<\n    { id: string; resource: string },\n    MembershipListResult[\"entries\"][number]\n  >(mode, shardResults, {\n    hydrate: (orderedIds) =>\n      batchGetWithRetry(\n        service.entities.membership,\n        orderedIds.map((id) => ({ tenantId, id, sk: SK })),\n      ) as Promise<Array<{ id: string; resource: string }>>,\n    getId: (item) => item.id,\n    buildEntry: (id, item) => ({\n      id,\n      resource: {\n        resourceType: \"Membership\",\n        id,\n        ...(JSON.parse(item.resource) as Record<string, unknown>),\n      },\n    }),\n    buildSummaryEntry: (id, parsed) => ({\n      id,\n      resource: { resourceType: \"Membership\", id, ...parsed },\n    }),\n  });\n}\n","import { getDynamoControlService } from \"../../../dynamo/dynamo-control-service\";\nimport { SHARD_COUNT } from \"../../../dynamo/shard\";\nimport { OpenHiContext } from \"../../../openhi-context\";\nimport {\n  batchGetWithRetry,\n  dispatchListMode,\n  type ListOperationMode,\n} from \"../../data-operations-common\";\n\nconst SK = \"CURRENT\";\n\nexport interface RoleAssignmentListParams {\n  context: OpenHiContext;\n  tableName?: string;\n  /** #853: defaults to `\"full\"`. `\"summary\"` skips BatchGet, `\"count\"` returns total only. */\n  mode?: ListOperationMode;\n}\n\nexport interface RoleAssignmentListResult {\n  entries: Array<{\n    id: string;\n    resource: { resourceType: string; id: string; [key: string]: unknown };\n  }>;\n  total: number;\n}\n\n/**\n * Lists RoleAssignments for the context tenant via GSI1 (sharded). See `dispatchListMode` for\n * the mode contract (#853).\n */\nexport async function listRoleAssignmentsOperation(\n  params: RoleAssignmentListParams,\n): Promise<RoleAssignmentListResult> {\n  const { context, tableName, mode = \"full\" } = params;\n  const tenantId = context.tenantId;\n  const service = getDynamoControlService(tableName);\n\n  const shardResults = await Promise.all(\n    Array.from({ length: SHARD_COUNT }, (_, shard) =>\n      service.entities.roleAssignment.query\n        .gsi1({ tenantId, gsi1Shard: String(shard) })\n        .go(),\n    ),\n  );\n\n  return dispatchListMode<\n    { id: string; resource: string },\n    RoleAssignmentListResult[\"entries\"][number]\n  >(mode, shardResults, {\n    hydrate: (orderedIds) =>\n      batchGetWithRetry(\n        service.entities.roleAssignment,\n        orderedIds.map((id) => ({ tenantId, id, sk: SK })),\n      ) as Promise<Array<{ id: string; resource: string }>>,\n    getId: (item) => item.id,\n    buildEntry: (id, item) => ({\n      id,\n      resource: {\n        resourceType: \"RoleAssignment\",\n        id,\n        ...(JSON.parse(item.resource) as Record<string, unknown>),\n      },\n    }),\n    buildSummaryEntry: (id, parsed) => ({\n      id,\n      resource: { resourceType: \"RoleAssignment\", id, ...parsed },\n    }),\n  });\n}\n"],"mappings":";;;;;;;;;;;;AAwBA,eAAsB,+BACpB,QACsC;AACtC,QAAM,EAAE,SAAS,WAAW,KAAK,IAAI;AACrC,QAAM,EAAE,UAAU,YAAY,IAAI;AAClC,QAAM,UAAU,qBAAqB,SAAS;AAC9C,SAAO;AAAA,IACL,QAAQ,SAAS;AAAA,IAGjB;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;;;AC7BA,IAAM,KAAK;AAqBX,eAAsB,yBACpB,QAC+B;AAC/B,QAAM,EAAE,SAAS,WAAW,OAAO,OAAO,IAAI;AAC9C,QAAM,WAAW,QAAQ;AACzB,QAAM,UAAU,wBAAwB,SAAS;AAEjD,QAAM,eAAe,MAAM,QAAQ;AAAA,IACjC,MAAM;AAAA,MAAK,EAAE,QAAQ,YAAY;AAAA,MAAG,CAAC,GAAG,UACtC,QAAQ,SAAS,WAAW,MACzB,KAAK,EAAE,UAAU,WAAW,OAAO,KAAK,EAAE,CAAC,EAC3C,GAAG;AAAA,IACR;AAAA,EACF;AAEA,SAAO,iBAGL,MAAM,cAAc;AAAA,IACpB,SAAS,CAAC,eACR;AAAA,MACE,QAAQ,SAAS;AAAA,MACjB,WAAW,IAAI,CAAC,QAAQ,EAAE,UAAU,IAAI,IAAI,GAAG,EAAE;AAAA,IACnD;AAAA,IACF,OAAO,CAAC,SAAS,KAAK;AAAA,IACtB,YAAY,CAAC,IAAI,UAAU;AAAA,MACzB;AAAA,MACA,UAAU;AAAA,QACR,cAAc;AAAA,QACd;AAAA,QACA,GAAI,KAAK,MAAM,KAAK,QAAQ;AAAA,MAC9B;AAAA,IACF;AAAA,IACA,mBAAmB,CAAC,IAAI,YAAY;AAAA,MAClC;AAAA,MACA,UAAU,EAAE,cAAc,cAAc,IAAI,GAAG,OAAO;AAAA,IACxD;AAAA,EACF,CAAC;AACH;;;AC3DA,IAAMA,MAAK;AAqBX,eAAsB,6BACpB,QACmC;AACnC,QAAM,EAAE,SAAS,WAAW,OAAO,OAAO,IAAI;AAC9C,QAAM,WAAW,QAAQ;AACzB,QAAM,UAAU,wBAAwB,SAAS;AAEjD,QAAM,eAAe,MAAM,QAAQ;AAAA,IACjC,MAAM;AAAA,MAAK,EAAE,QAAQ,YAAY;AAAA,MAAG,CAAC,GAAG,UACtC,QAAQ,SAAS,eAAe,MAC7B,KAAK,EAAE,UAAU,WAAW,OAAO,KAAK,EAAE,CAAC,EAC3C,GAAG;AAAA,IACR;AAAA,EACF;AAEA,SAAO,iBAGL,MAAM,cAAc;AAAA,IACpB,SAAS,CAAC,eACR;AAAA,MACE,QAAQ,SAAS;AAAA,MACjB,WAAW,IAAI,CAAC,QAAQ,EAAE,UAAU,IAAI,IAAIA,IAAG,EAAE;AAAA,IACnD;AAAA,IACF,OAAO,CAAC,SAAS,KAAK;AAAA,IACtB,YAAY,CAAC,IAAI,UAAU;AAAA,MACzB;AAAA,MACA,UAAU;AAAA,QACR,cAAc;AAAA,QACd;AAAA,QACA,GAAI,KAAK,MAAM,KAAK,QAAQ;AAAA,MAC9B;AAAA,IACF;AAAA,IACA,mBAAmB,CAAC,IAAI,YAAY;AAAA,MAClC;AAAA,MACA,UAAU,EAAE,cAAc,kBAAkB,IAAI,GAAG,OAAO;AAAA,IAC5D;AAAA,EACF,CAAC;AACH;","names":["SK"]}