@openhi/constructs 0.0.110 → 0.0.112

package/lib/index.js

@@ -194,6 +194,56 @@ var require_registry = __commonJS({
   }
 });
 
+// ../workflows/lib/detail-types/control-plane.js
+var require_control_plane = __commonJS({
+  "../workflows/lib/detail-types/control-plane.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.ControlPlaneRenameFailedV1 = exports2.ControlPlaneRenameCompleteV1 = exports2.ControlPlaneRenameV1 = exports2.RENAMABLE_ENTITY_TYPE = exports2.ControlPlaneOwningDeleteFailedV1 = exports2.ControlPlaneOwningDeleteCompleteV1 = exports2.ControlPlaneOwningDeleteV1 = exports2.OWNING_ENTITY_TYPE = void 0;
+    var sources_1 = require_sources();
+    var registry_1 = require_registry();
+    exports2.OWNING_ENTITY_TYPE = {
+      Workspace: "Workspace",
+      User: "User"
+    };
+    exports2.ControlPlaneOwningDeleteV1 = (0, registry_1.defineDetailType)({
+      detailType: "control-plane.owning-delete.v1",
+      source: sources_1.OPENHI_DATA_SOURCE,
+      dedupRequired: true
+    });
+    exports2.ControlPlaneOwningDeleteCompleteV1 = (0, registry_1.defineDetailType)({
+      detailType: "control-plane.owning-delete-complete.v1",
+      source: sources_1.OPENHI_OPS_SOURCE,
+      dedupRequired: true
+    });
+    exports2.ControlPlaneOwningDeleteFailedV1 = (0, registry_1.defineDetailType)({
+      detailType: "control-plane.owning-delete-failed.v1",
+      source: sources_1.OPENHI_OPS_SOURCE,
+      dedupRequired: true
+    });
+    exports2.RENAMABLE_ENTITY_TYPE = {
+      Tenant: "Tenant",
+      User: "User",
+      Role: "Role"
+    };
+    exports2.ControlPlaneRenameV1 = (0, registry_1.defineDetailType)({
+      detailType: "control-plane.rename.v1",
+      source: sources_1.OPENHI_DATA_SOURCE,
+      dedupRequired: true
+    });
+    exports2.ControlPlaneRenameCompleteV1 = (0, registry_1.defineDetailType)({
+      detailType: "control-plane.rename-complete.v1",
+      source: sources_1.OPENHI_OPS_SOURCE,
+      dedupRequired: true
+    });
+    exports2.ControlPlaneRenameFailedV1 = (0, registry_1.defineDetailType)({
+      detailType: "control-plane.rename-failed.v1",
+      source: sources_1.OPENHI_OPS_SOURCE,
+      dedupRequired: true
+    });
+  }
+});
+
 // ../workflows/lib/detail-types/platform.js
 var require_platform = __commonJS({
   "../workflows/lib/detail-types/platform.js"(exports2) {
@@ -236,6 +286,7 @@ var require_detail_types = __commonJS({
       for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports3, p)) __createBinding(exports3, m, p);
     };
     Object.defineProperty(exports2, "__esModule", { value: true });
+    __exportStar(require_control_plane(), exports2);
     __exportStar(require_platform(), exports2);
     __exportStar(require_registry(), exports2);
   }
@@ -587,7 +638,7 @@ var require_lib2 = __commonJS({
   "../workflows/lib/index.js"(exports2) {
     "use strict";
     Object.defineProperty(exports2, "__esModule", { value: true });
-    exports2.workflowDedupClient = exports2.recordIfAbsent = exports2.markFailed = exports2.encodeSortKey = exports2.WorkflowDedupTableNameMissingError = exports2.WorkflowDedupInvalidInputError = exports2.WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR = exports2.WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH = exports2.WORKFLOW_DEDUP_DEFAULT_TTL_SECONDS = exports2.parseWorkflowEvent = exports2.UnsupportedEnvelopeVersionError = exports2.InvalidWorkflowEventError = exports2.workflowsClient = exports2.publishWorkflowEvent = exports2.WorkflowPublishError = exports2.isWellFormedDetailType = exports2.defineDetailType = exports2.PlatformSystemDataSeededV1 = exports2.PlatformDeploymentCompletedV1 = exports2.InvalidDetailTypeRegistrationError = exports2.OPENHI_OPS_SOURCE = exports2.OPENHI_DATA_SOURCE = exports2.OPENHI_CONTROL_SOURCE = exports2.DEFAULT_BUS_NAME_BY_SOURCE = exports2.workflowUserActorFromClaims = exports2.isWorkflowUserActor = exports2.isWorkflowSystemActor = exports2.MissingActorContextError = exports2.isSupportedEnvelopeVersion = exports2.ENVELOPE_VERSION = void 0;
+    exports2.workflowDedupClient = exports2.recordIfAbsent = exports2.markFailed = exports2.encodeSortKey = exports2.WorkflowDedupTableNameMissingError = exports2.WorkflowDedupInvalidInputError = exports2.WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR = exports2.WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH = exports2.WORKFLOW_DEDUP_DEFAULT_TTL_SECONDS = exports2.parseWorkflowEvent = exports2.UnsupportedEnvelopeVersionError = exports2.InvalidWorkflowEventError = exports2.workflowsClient = exports2.publishWorkflowEvent = exports2.WorkflowPublishError = exports2.isWellFormedDetailType = exports2.defineDetailType = exports2.RENAMABLE_ENTITY_TYPE = exports2.PlatformSystemDataSeededV1 = exports2.PlatformDeploymentCompletedV1 = exports2.OWNING_ENTITY_TYPE = exports2.InvalidDetailTypeRegistrationError = exports2.ControlPlaneRenameV1 = exports2.ControlPlaneRenameFailedV1 = exports2.ControlPlaneRenameCompleteV1 = exports2.ControlPlaneOwningDeleteV1 = exports2.ControlPlaneOwningDeleteFailedV1 = exports2.ControlPlaneOwningDeleteCompleteV1 = exports2.OPENHI_OPS_SOURCE = exports2.OPENHI_DATA_SOURCE = exports2.OPENHI_CONTROL_SOURCE = exports2.DEFAULT_BUS_NAME_BY_SOURCE = exports2.workflowUserActorFromClaims = exports2.isWorkflowUserActor = exports2.isWorkflowSystemActor = exports2.MissingActorContextError = exports2.isSupportedEnvelopeVersion = exports2.ENVELOPE_VERSION = void 0;
     var envelope_version_1 = require_envelope_version();
     Object.defineProperty(exports2, "ENVELOPE_VERSION", { enumerable: true, get: function() {
       return envelope_version_1.ENVELOPE_VERSION;
@@ -622,15 +673,39 @@ var require_lib2 = __commonJS({
       return sources_1.OPENHI_OPS_SOURCE;
     } });
     var detail_types_1 = require_detail_types();
+    Object.defineProperty(exports2, "ControlPlaneOwningDeleteCompleteV1", { enumerable: true, get: function() {
+      return detail_types_1.ControlPlaneOwningDeleteCompleteV1;
+    } });
+    Object.defineProperty(exports2, "ControlPlaneOwningDeleteFailedV1", { enumerable: true, get: function() {
+      return detail_types_1.ControlPlaneOwningDeleteFailedV1;
+    } });
+    Object.defineProperty(exports2, "ControlPlaneOwningDeleteV1", { enumerable: true, get: function() {
+      return detail_types_1.ControlPlaneOwningDeleteV1;
+    } });
+    Object.defineProperty(exports2, "ControlPlaneRenameCompleteV1", { enumerable: true, get: function() {
+      return detail_types_1.ControlPlaneRenameCompleteV1;
+    } });
+    Object.defineProperty(exports2, "ControlPlaneRenameFailedV1", { enumerable: true, get: function() {
+      return detail_types_1.ControlPlaneRenameFailedV1;
+    } });
+    Object.defineProperty(exports2, "ControlPlaneRenameV1", { enumerable: true, get: function() {
+      return detail_types_1.ControlPlaneRenameV1;
+    } });
     Object.defineProperty(exports2, "InvalidDetailTypeRegistrationError", { enumerable: true, get: function() {
       return detail_types_1.InvalidDetailTypeRegistrationError;
     } });
+    Object.defineProperty(exports2, "OWNING_ENTITY_TYPE", { enumerable: true, get: function() {
+      return detail_types_1.OWNING_ENTITY_TYPE;
+    } });
     Object.defineProperty(exports2, "PlatformDeploymentCompletedV1", { enumerable: true, get: function() {
       return detail_types_1.PlatformDeploymentCompletedV1;
     } });
     Object.defineProperty(exports2, "PlatformSystemDataSeededV1", { enumerable: true, get: function() {
       return detail_types_1.PlatformSystemDataSeededV1;
     } });
+    Object.defineProperty(exports2, "RENAMABLE_ENTITY_TYPE", { enumerable: true, get: function() {
+      return detail_types_1.RENAMABLE_ENTITY_TYPE;
+    } });
     Object.defineProperty(exports2, "defineDetailType", { enumerable: true, get: function() {
       return detail_types_1.defineDetailType;
     } });
@@ -702,6 +777,12 @@ __export(src_exports, {
   CognitoUserPoolDomain: () => CognitoUserPoolDomain,
   CognitoUserPoolKmsKey: () => CognitoUserPoolKmsKey,
   ControlEventBus: () => ControlEventBus,
+  ControlPlaneOwningDeleteCompleteV1: () => import_workflows5.ControlPlaneOwningDeleteCompleteV1,
+  ControlPlaneOwningDeleteFailedV1: () => import_workflows5.ControlPlaneOwningDeleteFailedV1,
+  ControlPlaneOwningDeleteV1: () => import_workflows5.ControlPlaneOwningDeleteV1,
+  ControlPlaneRenameCompleteV1: () => import_workflows6.ControlPlaneRenameCompleteV1,
+  ControlPlaneRenameFailedV1: () => import_workflows6.ControlPlaneRenameFailedV1,
+  ControlPlaneRenameV1: () => import_workflows6.ControlPlaneRenameV1,
   DATA_STORE_CHANGE_DETAIL_MAX_UTF8_BYTES: () => DATA_STORE_CHANGE_DETAIL_MAX_UTF8_BYTES,
   DATA_STORE_CHANGE_DETAIL_TYPE: () => DATA_STORE_CHANGE_DETAIL_TYPE,
   DATA_STORE_CHANGE_EVENT_SOURCE: () => DATA_STORE_CHANGE_EVENT_SOURCE,
@@ -721,6 +802,11 @@ __export(src_exports, {
   OPENHI_TAG_SUFFIX_REPO_NAME: () => OPENHI_TAG_SUFFIX_REPO_NAME,
   OPENHI_TAG_SUFFIX_SERVICE_TYPE: () => OPENHI_TAG_SUFFIX_SERVICE_TYPE,
   OPENHI_TAG_SUFFIX_STAGE_TYPE: () => OPENHI_TAG_SUFFIX_STAGE_TYPE,
+  OWNING_DELETE_CASCADE_CONSUMER_NAME: () => OWNING_DELETE_CASCADE_CONSUMER_NAME,
+  OWNING_DELETE_CASCADE_DEFAULT_CONCURRENCY: () => OWNING_DELETE_CASCADE_DEFAULT_CONCURRENCY,
+  OWNING_DELETE_CASCADE_STUCK_THRESHOLD_MINUTES: () => OWNING_DELETE_CASCADE_STUCK_THRESHOLD_MINUTES,
+  OWNING_DELETE_OPS_EVENT_BUS_ENV_VAR: () => OWNING_DELETE_OPS_EVENT_BUS_ENV_VAR,
+  OWNING_ENTITY_TYPE: () => import_workflows5.OWNING_ENTITY_TYPE,
   OpenHiApp: () => OpenHiApp,
   OpenHiAuthService: () => OpenHiAuthService,
   OpenHiDataService: () => OpenHiDataService,
@@ -731,6 +817,8 @@ __export(src_exports, {
   OpenHiService: () => OpenHiService,
   OpenHiStage: () => OpenHiStage,
   OpsEventBus: () => OpsEventBus,
+  OwningDeleteCascadeLambdas: () => OwningDeleteCascadeLambdas,
+  OwningDeleteCascadeWorkflow: () => OwningDeleteCascadeWorkflow,
   PLACEHOLDER_TENANT_ID: () => PLACEHOLDER_TENANT_ID,
   PLACEHOLDER_WORKSPACE_ID: () => PLACEHOLDER_WORKSPACE_ID,
   PLATFORM_DEPLOY_BRIDGE_ACTOR_SYSTEM: () => PLATFORM_DEPLOY_BRIDGE_ACTOR_SYSTEM,
@@ -746,7 +834,15 @@ __export(src_exports, {
   PostConfirmationLambda: () => PostConfirmationLambda,
   PreTokenGenerationLambda: () => PreTokenGenerationLambda,
   ProvisionDefaultWorkspaceLambda: () => ProvisionDefaultWorkspaceLambda,
+  RENAMABLE_ENTITY_TYPE: () => import_workflows6.RENAMABLE_ENTITY_TYPE,
+  RENAME_CASCADE_CONSUMER_NAME: () => RENAME_CASCADE_CONSUMER_NAME,
+  RENAME_CASCADE_DEFAULT_CONCURRENCY: () => RENAME_CASCADE_DEFAULT_CONCURRENCY,
+  RENAME_CASCADE_FAILED_THRESHOLD: () => RENAME_CASCADE_FAILED_THRESHOLD,
+  RENAME_CASCADE_OPS_EVENT_BUS_ENV_VAR: () => RENAME_CASCADE_OPS_EVENT_BUS_ENV_VAR,
+  RENAME_CASCADE_SLOW_THRESHOLD_SECONDS: () => RENAME_CASCADE_SLOW_THRESHOLD_SECONDS,
   REST_API_BASE_URL_SSM_NAME: () => REST_API_BASE_URL_SSM_NAME,
+  RenameCascadeLambdas: () => RenameCascadeLambdas,
+  RenameCascadeWorkflow: () => RenameCascadeWorkflow,
   RootGraphqlApi: () => RootGraphqlApi,
   RootHostedZone: () => RootHostedZone,
   RootHttpApi: () => RootHttpApi,
@@ -2721,7 +2817,7 @@ var demoDevUserPartitionKeys = (devUsers) => {
 // src/workflows/control-plane/seed-demo-data/seed-demo-data-lambda.ts
 var import_node_fs7 = __toESM(require("fs"));
 var import_node_path7 = __toESM(require("path"));
-var import_types9 = require("@openhi/types");
+var import_types13 = require("@openhi/types");
 var import_aws_cdk_lib12 = require("aws-cdk-lib");
 var import_aws_events6 = require("aws-cdk-lib/aws-events");
 var import_aws_events_targets2 = require("aws-cdk-lib/aws-events-targets");
@@ -2734,11 +2830,11 @@ var import_constructs11 = require("constructs");
 var import_node_crypto = require("crypto");
 var import_client_cognito_identity_provider = require("@aws-sdk/client-cognito-identity-provider");
 var import_client_dynamodb2 = require("@aws-sdk/client-dynamodb");
-var import_types8 = require("@openhi/types");
+var import_types12 = require("@openhi/types");
 var import_workflows3 = __toESM(require_lib2());
 
 // src/data/dynamo/dynamo-control-service.ts
-var import_electrodb8 = require("electrodb");
+var import_electrodb14 = require("electrodb");
 
 // src/data/dynamo/dynamo-client.ts
 var import_client_dynamodb = require("@aws-sdk/client-dynamodb");
@@ -2802,6 +2898,60 @@ var gsi1skAttribute = {
     return label !== void 0 ? `${label}#${id}` : fallback;
   }
 };
+function extractRoleId(resource) {
+  const flat = resource.roleId;
+  if (typeof flat === "string" && flat.length > 0) return flat;
+  const role = resource.role;
+  if (role && typeof role === "object") {
+    const reference = role.reference;
+    if (typeof reference === "string" && reference.length > 0) {
+      const slash = reference.lastIndexOf("/");
+      const tail = slash >= 0 ? reference.slice(slash + 1) : reference;
+      if (tail.length > 0) return tail;
+    }
+  }
+  return void 0;
+}
+var roleAssignmentGsi1skAttribute = {
+  type: "string",
+  watch: ["resource", "denormalizedUserName", "lastUpdated", "id"],
+  set: (_val, item) => {
+    const id = typeof item?.id === "string" ? item.id : "";
+    const lastUpdated = typeof item?.lastUpdated === "string" ? item.lastUpdated : "";
+    const fallback = `${lastUpdated}#${id}`;
+    if (typeof item?.resource !== "string" || item.resource.length === 0) {
+      return fallback;
+    }
+    let parsed;
+    try {
+      parsed = JSON.parse(item.resource);
+    } catch {
+      return fallback;
+    }
+    if (!parsed || typeof parsed !== "object") return fallback;
+    const roleId = extractRoleId(parsed);
+    if (roleId === void 0) return fallback;
+    const denormalizedUserName = typeof item.denormalizedUserName === "string" ? item.denormalizedUserName : "";
+    const normalizedUserName = denormalizedUserName.length > 0 ? (0, import_types2.normalizeLabel)(denormalizedUserName) : "";
+    if (normalizedUserName.length === 0) return fallback;
+    return `${roleId}#${normalizedUserName}#${id}`;
+  }
+};
+var membershipGsi1skAttribute = {
+  type: "string",
+  watch: ["denormalizedUserName", "lastUpdated", "id"],
+  set: (_val, item) => {
+    const id = typeof item?.id === "string" ? item.id : "";
+    const lastUpdated = typeof item?.lastUpdated === "string" ? item.lastUpdated : "";
+    const fallback = `${lastUpdated}#${id}`;
+    const denormalizedUserName = typeof item?.denormalizedUserName === "string" ? item.denormalizedUserName : "";
+    const normalizedUserName = denormalizedUserName.length > 0 ? (0, import_types2.normalizeLabel)(denormalizedUserName) : "";
+    if (normalizedUserName.length === 0) {
+      return fallback;
+    }
+    return `${normalizedUserName}#${id}`;
+  }
+};
 
 // src/data/dynamo/entities/control/configuration-entity.ts
 var ConfigurationEntity = new import_electrodb.Entity({
@@ -2928,218 +3078,241 @@ var ConfigurationEntity = new import_electrodb.Entity({
   }
 });
 
-// src/data/dynamo/entities/control/membership-entity.ts
+// src/data/dynamo/entities/control/configuration-user-projection-entity.ts
 var import_electrodb2 = require("electrodb");
-var MembershipEntity = new import_electrodb2.Entity({
+var ConfigurationUserProjectionEntity = new import_electrodb2.Entity({
   model: {
-    entity: "membership",
+    entity: "configurationUserProjection",
     service: "control",
     version: "01"
   },
   attributes: {
-    /** Sort key sentinel. Always "CURRENT". */
-    sk: {
-      type: "string",
-      required: true,
-      default: "CURRENT"
-    },
-    /** Tenant in which the user has membership (required). */
-    tenantId: {
+    /**
+     * User partition discriminator. Renders as `USER#ID#<userId>` on the
+     * base-table PK. Always required — the projection has no meaning
+     * outside a user partition.
+     */
+    userId: {
       type: "string",
       required: true
     },
-    /** FHIR Resource.id; membership id. */
-    id: {
+    /**
+     * Pre-composed sort key — built by the operations-layer projection
+     * writer via `buildConfigurationUserProjectionSk`. The entity stores
+     * the value verbatim so the SK grammar (pattern #10 user-scope) is
+     * owned by the operations layer, not duplicated here.
+     */
+    sk: {
       type: "string",
       required: true
     },
-    /** Full Membership resource serialized as JSON string. */
-    resource: {
+    /**
+     * Configuration canonical-record id. Stored as a discriminating
+     * field so consumers can hydrate the canonical row via the
+     * Configuration get-by-id operation when the projection's `summary`
+     * is insufficient.
+     */
+    configurationId: {
       type: "string",
       required: true
     },
     /**
-     * Summary projection (key display fields as JSON string: id, displayName, status).
-     * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.
+     * Tenant the Configuration is associated with. The canonical row
+     * keys off `(tenantId, workspaceId, userId, roleId)`; the projection
+     * carries `tenantId` so consumers reconstructing the canonical PK
+     * have the tenant segment without a hop.
      */
-    summary: {
+    tenantId: {
       type: "string",
       required: true
     },
-    /** Version id (e.g. ULID). */
-    vid: {
+    /**
+     * Scope marker. Always `"user"` on this projection — recorded
+     * explicitly so future scope-bearing projections (workspace,
+     * tenant, role) can share filter semantics in a unified
+     * cross-projection list query if one ever lands.
+     */
+    scope: {
       type: "string",
-      required: true
+      required: true,
+      default: "user"
     },
-    lastUpdated: {
+    /**
+     * Configuration's `key` attribute (config category, e.g. endpoints,
+     * branding, display). Mirrored from the canonical row so consumers
+     * reading the projection get the natural display label without a
+     * BatchGet hop. Doubles as the source of `<normalizedConfigName>` in
+     * the SK.
+     */
+    displayName: {
       type: "string",
-      required: true
-    },
-    gsi1Shard: gsi1ShardAttribute,
-    /** Derived GSI1 sort key — name-based when extractable; else `<lastUpdated>#<id>`. */
-    gsi1sk: gsi1skAttribute,
-    deleted: {
-      type: "boolean",
       required: false
     },
-    bundleId: {
+    /**
+     * Summary projection (key display fields as JSON string) — mirrored
+     * from the canonical Configuration row so user-partition queries do
+     * not need a BatchGet hop.
+     */
+    summary: {
       type: "string",
-      required: false
+      required: true
     },
-    msgId: {
+    /** Version id mirrored from the canonical Configuration row. */
+    vid: {
       type: "string",
-      required: false
+      required: true
     },
-    /**
-     * Denormalized `linked-data-identity` Reference (e.g. `Practitioner/abc`).
-     * Populated from the FHIR extension on the Membership resource at write
-     * time so future GSIs can index data-plane identity lookups without
-     * deserializing the full resource JSON. See ADR 2026-03-13-02 §6.
-     */
-    linkedDataIdentityRef: {
+    /** Last-updated timestamp mirrored from the canonical Configuration row. */
+    lastUpdated: {
       type: "string",
-      required: false
+      required: true
     }
   },
   indexes: {
-    /** Base table: PK = TID#<tenantId>#MEMBERSHIP#ID#<id>, SK = CURRENT. Do not supply PK or SK from outside. */
+    /**
+     * Base table: PK = USER#ID#<userId>, SK = operation-supplied. A
+     * single `Query(PK = USER#ID#<userId>, SK begins_with
+     * 'CONFIGURATION#')` returns the user's user-scoped Configurations
+     * sorted by `<normalizedConfigName>` (then `<configurationId>` as
+     * the tiebreaker).
+     */
     record: {
       pk: {
         field: "PK",
-        composite: ["tenantId", "id"],
-        template: "TID#${tenantId}#MEMBERSHIP#ID#${id}"
+        composite: ["userId"],
+        template: "USER#ID#${userId}"
       },
       sk: {
         field: "SK",
+        casing: "none",
         composite: ["sk"],
         template: "${sk}"
       }
-    },
-    /**
-     * GSI1 — Unified Sharded List per ADR-011: list all Memberships for a tenant across the
-     * four shards. Membership is tenant-scoped only, so `WID#-` is a sentinel.
-     * SK is derived via `gsi1skAttribute` — uses the resource's natural label when
-     * extractable, else `<lastUpdated>#<id>` (DR-004). `casing: "none"` preserves the
-     * normalized label and ISO-8601 `T`/`Z`.
-     */
-    gsi1: {
-      index: "GSI1",
-      pk: {
-        field: "GSI1PK",
-        composite: ["tenantId", "gsi1Shard"],
-        template: "TID#${tenantId}#WID#-#RT#Membership#SHARD#${gsi1Shard}"
-      },
-      sk: {
-        field: "GSI1SK",
-        casing: "none",
-        composite: ["gsi1sk"],
-        template: "${gsi1sk}"
-      }
     }
   }
 });
 
-// src/data/dynamo/entities/control/role-entity.ts
+// src/data/dynamo/entities/control/configuration-workspace-projection-entity.ts
 var import_electrodb3 = require("electrodb");
-var RoleEntity = new import_electrodb3.Entity({
+var ConfigurationWorkspaceProjectionEntity = new import_electrodb3.Entity({
   model: {
-    entity: "role",
+    entity: "configurationWorkspaceProjection",
     service: "control",
     version: "01"
   },
   attributes: {
-    /** Sort key sentinel. Always "CURRENT". */
-    sk: {
-      type: "string",
-      required: true,
-      default: "CURRENT"
-    },
-    /** FHIR Resource.id; role id. */
-    id: {
+    /**
+     * Tenant the workspace belongs to. Renders as the leading segment
+     * of the base-table PK. Always required — the workspace partition
+     * is tenant-scoped per ADR-011.
+     */
+    tenantId: {
       type: "string",
       required: true
     },
-    /** Full Role resource serialized as JSON string. */
-    resource: {
+    /**
+     * Workspace partition discriminator. Renders as the trailing
+     * segment of the base-table PK
+     * (`TID#<tenantId>#WORKSPACE#ID#<workspaceId>`). Always required —
+     * the projection has no meaning outside a workspace partition.
+     */
+    workspaceId: {
       type: "string",
       required: true
     },
     /**
-     * Summary projection (key display fields as JSON string: id, displayName, status).
-     * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.
+     * Pre-composed sort key — built by the operations-layer projection
+     * writer via `buildConfigurationWorkspaceProjectionSk`. The entity
+     * stores the value verbatim so the SK grammar (pattern #10
+     * workspace-scope) is owned by the operations layer, not
+     * duplicated here.
      */
-    summary: {
+    sk: {
       type: "string",
       required: true
     },
-    /** Version id (e.g. ULID). */
-    vid: {
+    /**
+     * Configuration canonical-record id. Stored as a discriminating
+     * field so consumers can hydrate the canonical row via the
+     * Configuration get-by-id operation when the projection's `summary`
+     * is insufficient.
+     */
+    configurationId: {
       type: "string",
       required: true
     },
-    lastUpdated: {
+    /**
+     * Scope marker. Always `"workspace"` on this projection — recorded
+     * explicitly so future scope-bearing projections (user, tenant,
+     * role) can share filter semantics in a unified cross-projection
+     * list query if one ever lands.
+     */
+    scope: {
       type: "string",
-      required: true
+      required: true,
+      default: "workspace"
     },
-    gsi1Shard: gsi1ShardAttribute,
-    /** Derived GSI1 sort key — name-based when extractable; else `<lastUpdated>#<id>`. */
-    gsi1sk: gsi1skAttribute,
-    deleted: {
-      type: "boolean",
+    /**
+     * Configuration's `key` attribute (config category, e.g. endpoints,
+     * branding, display). Mirrored from the canonical row so consumers
+     * reading the projection get the natural display label without a
+     * BatchGet hop. Doubles as the source of `<normalizedConfigName>`
+     * in the SK.
+     */
+    displayName: {
+      type: "string",
       required: false
     },
-    bundleId: {
+    /**
+     * Summary projection (key display fields as JSON string) — mirrored
+     * from the canonical Configuration row so workspace-partition
+     * queries do not need a BatchGet hop.
+     */
+    summary: {
       type: "string",
-      required: false
+      required: true
     },
-    msgId: {
+    /** Version id mirrored from the canonical Configuration row. */
+    vid: {
       type: "string",
-      required: false
+      required: true
+    },
+    /** Last-updated timestamp mirrored from the canonical Configuration row. */
+    lastUpdated: {
+      type: "string",
+      required: true
     }
   },
   indexes: {
-    /** Base table: PK = ROLE#ID#<id>, SK = CURRENT. Do not supply PK or SK from outside. */
+    /**
+     * Base table: PK = TID#<tenantId>#WORKSPACE#ID#<workspaceId>,
+     * SK = operation-supplied. A single
+     * `Query(PK = TID#<tenantId>#WORKSPACE#ID#<workspaceId>, SK begins_with 'CONFIGURATION#')`
+     * returns the workspace's workspace-scoped Configurations sorted by
+     * `<normalizedConfigName>` (then `<configurationId>` as the
+     * tiebreaker).
+     */
     record: {
       pk: {
         field: "PK",
-        composite: ["id"],
-        template: "ROLE#ID#${id}"
+        composite: ["tenantId", "workspaceId"],
+        template: "TID#${tenantId}#WORKSPACE#ID#${workspaceId}"
       },
       sk: {
         field: "SK",
+        casing: "none",
         composite: ["sk"],
         template: "${sk}"
       }
-    },
-    /**
-     * GSI1 — Unified Sharded List per ADR-011: list all Roles across the four shards.
-     * Non-tenant-isolated, so `TID#-#WID#-` sentinels precede `RT#Role#SHARD#<n>`.
-     * SK is derived via `gsi1skAttribute` — uses the resource's natural label when
-     * extractable, else `<lastUpdated>#<id>` (DR-004). `casing: "none"` preserves the
-     * normalized label and ISO-8601 `T`/`Z`.
-     */
-    gsi1: {
-      index: "GSI1",
-      pk: {
-        field: "GSI1PK",
-        composite: ["gsi1Shard"],
-        template: "TID#-#WID#-#RT#Role#SHARD#${gsi1Shard}"
-      },
-      sk: {
-        field: "GSI1SK",
-        casing: "none",
-        composite: ["gsi1sk"],
-        template: "${gsi1sk}"
-      }
     }
   }
 });
 
-// src/data/dynamo/entities/control/roleassignment-entity.ts
+// src/data/dynamo/entities/control/membership-entity.ts
 var import_electrodb4 = require("electrodb");
-var RoleAssignmentEntity = new import_electrodb4.Entity({
+var MembershipEntity = new import_electrodb4.Entity({
   model: {
-    entity: "roleassignment",
+    entity: "membership",
     service: "control",
     version: "01"
   },
@@ -3150,17 +3323,17 @@ var RoleAssignmentEntity = new import_electrodb4.Entity({
       required: true,
       default: "CURRENT"
     },
-    /** Tenant in which the role assignment applies (required). */
+    /** Tenant in which the user has membership (required). */
     tenantId: {
       type: "string",
       required: true
     },
-    /** FHIR Resource.id; role assignment id. */
+    /** FHIR Resource.id; membership id. */
     id: {
       type: "string",
       required: true
     },
-    /** Full RoleAssignment resource serialized as JSON string. */
+    /** Full Membership resource serialized as JSON string. */
     resource: {
       type: "string",
       required: true
@@ -3183,8 +3356,14 @@ var RoleAssignmentEntity = new import_electrodb4.Entity({
       required: true
     },
     gsi1Shard: gsi1ShardAttribute,
-    /** Derived GSI1 sort key — name-based when extractable; else `<lastUpdated>#<id>`. */
-    gsi1sk: gsi1skAttribute,
+    /**
+     * Derived GSI1 sort key — `<normalizedUserName>#<id>` per ADR-018
+     * pattern #1 so a GSI1 query partitioned on the tenant range-scans
+     * by user-name prefix and returns memberships sorted by user name.
+     * Falls back to `<lastUpdated>#<id>` when `denormalizedUserName`
+     * is missing.
+     */
+    gsi1sk: membershipGsi1skAttribute,
     deleted: {
       type: "boolean",
       required: false
@@ -3196,49 +3375,863 @@ var RoleAssignmentEntity = new import_electrodb4.Entity({
     msgId: {
       type: "string",
       required: false
-    }
-  },
-  indexes: {
-    /** Base table: PK = TID#<tenantId>#ROLEASSIGNMENT#ID#<id>, SK = CURRENT. Do not supply PK or SK from outside. */
-    record: {
-      pk: {
-        field: "PK",
-        composite: ["tenantId", "id"],
-        template: "TID#${tenantId}#ROLEASSIGNMENT#ID#${id}"
-      },
-      sk: {
+    },
+    /**
+     * Denormalized `linked-data-identity` Reference (e.g. `Practitioner/abc`).
+     * Populated from the FHIR extension on the Membership resource at write
+     * time so future GSIs can index data-plane identity lookups without
+     * deserializing the full resource JSON. See ADR 2026-03-13-02 §6.
+     */
+    linkedDataIdentityRef: {
+      type: "string",
+      required: false
+    },
+    /**
+     * Denormalized display name of the linked Tenant, captured at row
+     * last-write time. Promoted to a top-level attribute so the ADR-018
+     * adjacency-list projection SKs (pattern #3 — `MEMBERSHIP#TENANT#<normalizedTenantName>#…`)
+     * can be composed from a top-level field instead of digging into the
+     * `resource` JSON. Optional on the schema so pre-TR-024 rows do not
+     * break; the operations-layer multi-write helper (#1010) makes the
+     * field load-bearing at write time per TR-024 rule 2 (write-time
+     * source = canonical Tenant.displayName).
+     * @see TR-024 — Denormalized display-name attributes
+     */
+    denormalizedTenantName: {
+      type: "string",
+      required: false
+    },
+    /**
+     * Denormalized display name of the linked User, captured at row
+     * last-write time. Promoted to a top-level attribute so the ADR-018
+     * adjacency-list canonical-record GSI1SK (pattern #1 —
+     * `<normalizedUserName>#<id>`) and workspace-projection SK (pattern #2)
+     * can be composed from a top-level field. Optional on the schema so
+     * pre-TR-024 rows do not break; the operations-layer multi-write helper
+     * (#1010) makes the field load-bearing at write time per TR-024 rule 2
+     * (write-time source = canonical User.displayName).
+     * @see TR-024 — Denormalized display-name attributes
+     */
+    denormalizedUserName: {
+      type: "string",
+      required: false
+    }
+  },
+  indexes: {
+    /** Base table: PK = TID#<tenantId>#MEMBERSHIP#ID#<id>, SK = CURRENT. Do not supply PK or SK from outside. */
+    record: {
+      pk: {
+        field: "PK",
+        composite: ["tenantId", "id"],
+        template: "TID#${tenantId}#MEMBERSHIP#ID#${id}"
+      },
+      sk: {
+        field: "SK",
+        composite: ["sk"],
+        template: "${sk}"
+      }
+    },
+    /**
+     * GSI1 — Unified Sharded List per ADR-011: list all Memberships for a tenant across the
+     * four shards. Membership is tenant-scoped only, so `WID#-` is a sentinel.
+     * SK is derived via `membershipGsi1skAttribute` — composes
+     * `<normalizedUserName>#<id>` per ADR-018 pattern #1 (users in a
+     * tenant, sorted by user name); falls back to `<lastUpdated>#<id>`
+     * when `denormalizedUserName` is missing. `casing: "none"` preserves
+     * the normalized label and ISO-8601 `T`/`Z`.
+     */
+    gsi1: {
+      index: "GSI1",
+      pk: {
+        field: "GSI1PK",
+        composite: ["tenantId", "gsi1Shard"],
+        template: "TID#${tenantId}#WID#-#RT#Membership#SHARD#${gsi1Shard}"
+      },
+      sk: {
+        field: "GSI1SK",
+        casing: "none",
+        composite: ["gsi1sk"],
+        template: "${gsi1sk}"
+      }
+    }
+  }
+});
+
+// src/data/dynamo/entities/control/membership-user-projection-entity.ts
+var import_electrodb5 = require("electrodb");
+var MembershipUserProjectionEntity = new import_electrodb5.Entity({
+  model: {
+    entity: "membershipUserProjection",
+    service: "control",
+    version: "01"
+  },
+  attributes: {
+    /**
+     * User partition discriminator. Renders as `USER#ID#<userId>` on the
+     * base-table PK. Always required — the projection has no meaning
+     * outside a user partition.
+     */
+    userId: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Pre-composed sort key — built by the operations-layer projection
+     * writer via `buildMembershipUserProjectionSk*` helpers. The entity
+     * stores the value verbatim so the SK grammar (patterns #3 and #4)
+     * is owned by the operations layer, not duplicated here.
+     */
+    sk: {
+      type: "string",
+      required: true
+    },
+    /** Tenant in which the membership applies. Always required. */
+    tenantId: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Workspace the membership scopes to. Present iff the projection
+     * row is a pattern-#4 workspace sub-lane row; absent for pattern-#3
+     * tenant sub-lane rows.
+     */
+    workspaceId: {
+      type: "string",
+      required: false
+    },
+    /**
+     * Membership canonical-record id. Stored as a discriminating field
+     * so consumers can hydrate the canonical row via
+     * `MembershipEntity.get({ tenantId, id: membershipId })` when the
+     * projection's `summary` is insufficient.
+     */
+    membershipId: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Summary projection (key display fields as JSON string: id,
+     * displayName, status) — mirrored from the canonical Membership row
+     * so user-partition queries do not need a BatchGet hop.
+     */
+    summary: {
+      type: "string",
+      required: true
+    },
+    /** Version id mirrored from the canonical Membership row. */
+    vid: {
+      type: "string",
+      required: true
+    },
+    /** Last-updated timestamp mirrored from the canonical Membership row. */
+    lastUpdated: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Denormalized Tenant display name — required to compose pattern-#3
+     * SK (`MEMBERSHIP#TENANT#<normalizedTenantName>#…`). Optional on the
+     * schema because pre-TR-024 rows may not carry a display name; the
+     * operations layer falls back gracefully when missing.
+     */
+    denormalizedTenantName: {
+      type: "string",
+      required: false
+    },
+    /**
+     * Denormalized User display name — mirrored from the canonical
+     * Membership row per TR-024 rule 3 (canonical-record symmetry).
+     * Carried on the projection so consumers can render the user's
+     * display name without a hop to the User record.
+     */
+    denormalizedUserName: {
+      type: "string",
+      required: false
+    },
+    /**
+     * Denormalized Workspace display name — required to compose
+     * pattern-#4 SK (`MEMBERSHIP#WORKSPACE#TID#<tenantId>#<normalizedWorkspaceName>#…`).
+     * Optional on the schema (TR-024 § Open Item #4 defers a formal
+     * Workspace-rename cascade); the operations layer falls back to a
+     * sentinel when missing so the SK still has a valid shape.
+     */
+    denormalizedWorkspaceName: {
+      type: "string",
+      required: false
+    }
+  },
+  indexes: {
+    /**
+     * Base table: PK = USER#ID#<userId>, SK = operation-supplied.
+     * Both pattern #3 and pattern #4 use this same index — the SK string
+     * encodes the lane discriminator (`MEMBERSHIP#TENANT#…` vs
+     * `MEMBERSHIP#WORKSPACE#…`) so a single `Query(PK = USER#ID#<userId>,
+     * SK begins_with 'MEMBERSHIP#')` returns both lanes interleaved.
+     */
+    record: {
+      pk: {
+        field: "PK",
+        composite: ["userId"],
+        template: "USER#ID#${userId}"
+      },
+      sk: {
+        field: "SK",
+        casing: "none",
+        composite: ["sk"],
+        template: "${sk}"
+      }
+    }
+  }
+});
+
+// src/data/dynamo/entities/control/membership-workspace-projection-entity.ts
+var import_electrodb6 = require("electrodb");
+var MembershipWorkspaceProjectionEntity = new import_electrodb6.Entity({
+  model: {
+    entity: "membershipWorkspaceProjection",
+    service: "control",
+    version: "01"
+  },
+  attributes: {
+    /**
+     * Tenant the workspace belongs to. Renders as the leading segment
+     * of the base-table PK. Always required — the workspace partition
+     * is tenant-scoped per ADR-011.
+     */
+    tenantId: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Workspace partition discriminator. Renders as the trailing
+     * segment of the base-table PK
+     * (`TID#<tenantId>#WORKSPACE#ID#<workspaceId>`). Always required —
+     * the projection has no meaning outside a workspace partition.
+     */
+    workspaceId: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Pre-composed sort key — built by the operations-layer projection
+     * writer via `buildMembershipWorkspaceProjectionSk`. The entity
+     * stores the value verbatim so the SK grammar (pattern #2) is
+     * owned by the operations layer, not duplicated here.
+     */
+    sk: {
+      type: "string",
+      required: true
+    },
+    /**
+     * User the membership links. Stored as a discriminating field so
+     * consumers can hydrate the canonical User row via
+     * `UserEntity.get({ id: userId, sk: "CURRENT" })` when the
+     * projection's `summary` is insufficient.
+     */
+    userId: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Membership canonical-record id. Stored as a discriminating field
+     * so consumers can hydrate the canonical row via
+     * `MembershipEntity.get({ tenantId, id: membershipId })` when the
+     * projection's `summary` is insufficient.
+     */
+    membershipId: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Summary projection (key display fields as JSON string: id,
+     * displayName, status) — mirrored from the canonical Membership row
+     * so workspace-partition queries do not need a BatchGet hop.
+     */
+    summary: {
+      type: "string",
+      required: true
+    },
+    /** Version id mirrored from the canonical Membership row. */
+    vid: {
+      type: "string",
+      required: true
+    },
+    /** Last-updated timestamp mirrored from the canonical Membership row. */
+    lastUpdated: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Denormalized User display name — required to compose the
+     * pattern-#2 SK (`MEMBERSHIP#<normalizedUserName>#…`). Optional on
+     * the schema because pre-TR-024 rows may not carry a display name;
+     * the operations layer falls back to a sentinel when missing so
+     * the SK still has a valid shape. The TR-023 rename-cascade
+     * pipeline rewrites the SK on a User rename.
+     */
+    denormalizedUserName: {
+      type: "string",
+      required: false
+    }
+  },
+  indexes: {
+    /**
+     * Base table: PK = TID#<tenantId>#WORKSPACE#ID#<workspaceId>,
+     * SK = operation-supplied. Pattern #2 uses this index — the SK
+     * encodes the entity-type prefix (`MEMBERSHIP#…`) so a
+     * `Query(PK = TID#<tenantId>#WORKSPACE#ID#<workspaceId>, SK begins_with 'MEMBERSHIP#')`
+     * returns every member projection for the workspace in normalized-
+     * user-name sort order.
+     */
+    record: {
+      pk: {
+        field: "PK",
+        composite: ["tenantId", "workspaceId"],
+        template: "TID#${tenantId}#WORKSPACE#ID#${workspaceId}"
+      },
+      sk: {
+        field: "SK",
+        casing: "none",
+        composite: ["sk"],
+        template: "${sk}"
+      }
+    }
+  }
+});
+
+// src/data/dynamo/entities/control/role-entity.ts
+var import_electrodb7 = require("electrodb");
+var RoleEntity = new import_electrodb7.Entity({
+  model: {
+    entity: "role",
+    service: "control",
+    version: "01"
+  },
+  attributes: {
+    /** Sort key sentinel. Always "CURRENT". */
+    sk: {
+      type: "string",
+      required: true,
+      default: "CURRENT"
+    },
+    /** FHIR Resource.id; role id. */
+    id: {
+      type: "string",
+      required: true
+    },
+    /** Full Role resource serialized as JSON string. */
+    resource: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Summary projection (key display fields as JSON string: id, displayName, status).
+     * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.
+     */
+    summary: {
+      type: "string",
+      required: true
+    },
+    /** Version id (e.g. ULID). */
+    vid: {
+      type: "string",
+      required: true
+    },
+    lastUpdated: {
+      type: "string",
+      required: true
+    },
+    gsi1Shard: gsi1ShardAttribute,
+    /** Derived GSI1 sort key — name-based when extractable; else `<lastUpdated>#<id>`. */
+    gsi1sk: gsi1skAttribute,
+    deleted: {
+      type: "boolean",
+      required: false
+    },
+    bundleId: {
+      type: "string",
+      required: false
+    },
+    msgId: {
+      type: "string",
+      required: false
+    }
+  },
+  indexes: {
+    /** Base table: PK = ROLE#ID#<id>, SK = CURRENT. Do not supply PK or SK from outside. */
+    record: {
+      pk: {
+        field: "PK",
+        composite: ["id"],
+        template: "ROLE#ID#${id}"
+      },
+      sk: {
+        field: "SK",
+        composite: ["sk"],
+        template: "${sk}"
+      }
+    },
+    /**
+     * GSI1 — Unified Sharded List per ADR-011: list all Roles across the four shards.
+     * Non-tenant-isolated, so `TID#-#WID#-` sentinels precede `RT#Role#SHARD#<n>`.
+     * SK is derived via `gsi1skAttribute` — uses the resource's natural label when
+     * extractable, else `<lastUpdated>#<id>` (DR-004). `casing: "none"` preserves the
+     * normalized label and ISO-8601 `T`/`Z`.
+     */
+    gsi1: {
+      index: "GSI1",
+      pk: {
+        field: "GSI1PK",
+        composite: ["gsi1Shard"],
+        template: "TID#-#WID#-#RT#Role#SHARD#${gsi1Shard}"
+      },
+      sk: {
+        field: "GSI1SK",
+        casing: "none",
+        composite: ["gsi1sk"],
+        template: "${gsi1sk}"
+      }
+    }
+  }
+});
+
+// src/data/dynamo/entities/control/roleassignment-entity.ts
+var import_electrodb8 = require("electrodb");
+var RoleAssignmentEntity = new import_electrodb8.Entity({
+  model: {
+    entity: "roleassignment",
+    service: "control",
+    version: "01"
+  },
+  attributes: {
+    /** Sort key sentinel. Always "CURRENT". */
+    sk: {
+      type: "string",
+      required: true,
+      default: "CURRENT"
+    },
+    /** Tenant in which the role assignment applies (required). */
+    tenantId: {
+      type: "string",
+      required: true
+    },
+    /** FHIR Resource.id; role assignment id. */
+    id: {
+      type: "string",
+      required: true
+    },
+    /** Full RoleAssignment resource serialized as JSON string. */
+    resource: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Summary projection (key display fields as JSON string: id, displayName, status).
+     * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.
+     */
+    summary: {
+      type: "string",
+      required: true
+    },
+    /** Version id (e.g. ULID). */
+    vid: {
+      type: "string",
+      required: true
+    },
+    lastUpdated: {
+      type: "string",
+      required: true
+    },
+    gsi1Shard: gsi1ShardAttribute,
+    /**
+     * Derived GSI1 sort key — discriminator-first
+     * `<roleId>#<normalizedUserName>#<id>` per ADR-018 pattern #8 so a
+     * GSI1 query partitioned on the tenant can `begins_with('<roleId>#')`
+     * to enumerate every user assigned to a given role, sorted by user
+     * name. Falls back to `<lastUpdated>#<id>` when either component is
+     * missing.
+     */
+    gsi1sk: roleAssignmentGsi1skAttribute,
+    deleted: {
+      type: "boolean",
+      required: false
+    },
+    bundleId: {
+      type: "string",
+      required: false
+    },
+    msgId: {
+      type: "string",
+      required: false
+    },
+    /**
+     * Denormalized display name of the linked Tenant, captured at row
+     * last-write time. Promoted to a top-level attribute so the ADR-018
+     * adjacency-list user-projection SK (pattern #5 —
+     * `ROLEASSIGNMENT#TENANT#<normalizedRoleName>#<roleId>#TID#<tenantId>#<id>`)
+     * can be composed from a top-level field instead of digging into the
+     * `resource` JSON. Optional on the schema so pre-TR-024 rows do not
+     * break; the operations-layer multi-write helper (#1010) makes the
+     * field load-bearing at write time per TR-024 rule 2 (write-time
+     * source = canonical Tenant.displayName).
+     * @see TR-024 — Denormalized display-name attributes
+     */
+    denormalizedTenantName: {
+      type: "string",
+      required: false
+    },
+    /**
+     * Denormalized display name of the linked User, captured at row
+     * last-write time. Promoted to a top-level attribute so the ADR-018
+     * adjacency-list canonical-record GSI1SK (pattern #8 —
+     * `<roleId>#<normalizedUserName>#<id>`) and workspace-projection SK
+     * (pattern #9) can be composed from a top-level field. Optional on
+     * the schema so pre-TR-024 rows do not break; the operations-layer
+     * multi-write helper (#1010) makes the field load-bearing at write
+     * time per TR-024 rule 2 (write-time source = canonical
+     * User.displayName).
+     * @see TR-024 — Denormalized display-name attributes
+     */
+    denormalizedUserName: {
+      type: "string",
+      required: false
+    },
+    /**
+     * Denormalized display name of the linked Role, captured at row
+     * last-write time. Promoted to a top-level attribute so the ADR-018
+     * adjacency-list user-projection SK (pattern #5 —
+     * `ROLEASSIGNMENT#TENANT#<normalizedRoleName>#…`) can be composed from
+     * a top-level field. Optional on the schema so pre-TR-024 rows do not
+     * break; the operations-layer multi-write helper (#1010) makes the
+     * field load-bearing at write time per TR-024 rule 2 (write-time
+     * source = canonical Role.displayName).
+     * @see TR-024 — Denormalized display-name attributes
+     */
+    denormalizedRoleName: {
+      type: "string",
+      required: false
+    }
+  },
+  indexes: {
+    /** Base table: PK = TID#<tenantId>#ROLEASSIGNMENT#ID#<id>, SK = CURRENT. Do not supply PK or SK from outside. */
+    record: {
+      pk: {
+        field: "PK",
+        composite: ["tenantId", "id"],
+        template: "TID#${tenantId}#ROLEASSIGNMENT#ID#${id}"
+      },
+      sk: {
+        field: "SK",
+        composite: ["sk"],
+        template: "${sk}"
+      }
+    },
+    /**
+     * GSI1 — Unified Sharded List per ADR-011: list all RoleAssignments for a tenant across the
+     * four shards. Tenant-scoped only, so `WID#-` is a sentinel.
+     * SK is derived via `roleAssignmentGsi1skAttribute` — composes the
+     * discriminator-first `<roleId>#<normalizedUserName>#<id>` shape per
+     * ADR-018 pattern #8 (users with a specific role in a tenant, sorted
+     * by user name); falls back to `<lastUpdated>#<id>` when either
+     * component is missing. `casing: "none"` preserves the normalized
+     * label and ISO-8601 `T`/`Z`.
+     */
+    gsi1: {
+      index: "GSI1",
+      pk: {
+        field: "GSI1PK",
+        composite: ["tenantId", "gsi1Shard"],
+        template: "TID#${tenantId}#WID#-#RT#RoleAssignment#SHARD#${gsi1Shard}"
+      },
+      sk: {
+        field: "GSI1SK",
+        casing: "none",
+        composite: ["gsi1sk"],
+        template: "${gsi1sk}"
+      }
+    }
+  }
+});
+
+// src/data/dynamo/entities/control/roleassignment-user-projection-entity.ts
+var import_electrodb9 = require("electrodb");
+var RoleAssignmentUserProjectionEntity = new import_electrodb9.Entity({
+  model: {
+    entity: "roleAssignmentUserProjection",
+    service: "control",
+    version: "01"
+  },
+  attributes: {
+    /**
+     * User partition discriminator. Renders as `USER#ID#<userId>` on the
+     * base-table PK. Always required — the projection has no meaning
+     * outside a user partition.
+     */
+    userId: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Pre-composed sort key — built by the operations-layer projection
+     * writer via `buildRoleAssignmentUserProjectionSk*` helpers. The
+     * entity stores the value verbatim so the SK grammar (tenant-lane
+     * vs workspace-lane) is owned by the operations layer, not
+     * duplicated here.
+     */
+    sk: {
+      type: "string",
+      required: true
+    },
+    /** Tenant in which the role assignment applies. Always required. */
+    tenantId: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Workspace the role assignment scopes to. Present iff the
+     * projection row is the workspace-level sub-lane; absent for
+     * tenant-level sub-lane rows.
+     */
+    workspaceId: {
+      type: "string",
+      required: false
+    },
+    /**
+     * Role the assignment grants. Stored as a discriminating field so
+     * `Query(PK = USER#ID#<userId>, SK begins_with 'ROLEASSIGNMENT#…')`
+     * results carry the role id without a hop to the canonical row.
+     */
+    roleId: {
+      type: "string",
+      required: true
+    },
+    /**
+     * RoleAssignment canonical-record id. Stored as a discriminating
+     * field so consumers can hydrate the canonical row via
+     * `RoleAssignmentEntity.get({ tenantId, id: roleAssignmentId })`
+     * when the projection's `summary` is insufficient.
+     */
+    roleAssignmentId: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Summary projection (key display fields as JSON string: id,
+     * displayName, status) — mirrored from the canonical RoleAssignment
+     * row so user-partition queries do not need a BatchGet hop.
+     */
+    summary: {
+      type: "string",
+      required: true
+    },
+    /** Version id mirrored from the canonical RoleAssignment row. */
+    vid: {
+      type: "string",
+      required: true
+    },
+    /** Last-updated timestamp mirrored from the canonical RoleAssignment row. */
+    lastUpdated: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Denormalized Tenant display name — mirrored from the canonical
+     * RoleAssignment row per TR-024 rule 3 (canonical-record symmetry).
+     * Optional on the schema because pre-TR-024 rows may not carry a
+     * display name; the operations layer falls back gracefully when
+     * missing.
+     */
+    denormalizedTenantName: {
+      type: "string",
+      required: false
+    },
+    /**
+     * Denormalized User display name — mirrored from the canonical
+     * RoleAssignment row per TR-024 rule 3 (canonical-record symmetry).
+     * Carried on the projection so consumers can render the user's
+     * display name without a hop to the User record.
+     */
+    denormalizedUserName: {
+      type: "string",
+      required: false
+    },
+    /**
+     * Denormalized Role display name — required to compose the SK's
+     * `<normalizedRoleName>` segment. Optional on the schema (pre-TR-024
+     * rows fall back to a sentinel) but expected to be present at write
+     * time per TR-024 rule 2 (write-time source =
+     * canonical Role.displayName).
+     */
+    denormalizedRoleName: {
+      type: "string",
+      required: false
+    }
+  },
+  indexes: {
+    /**
+     * Base table: PK = USER#ID#<userId>, SK = operation-supplied. Both
+     * sub-lanes (tenant-level and workspace-level) use this same index —
+     * the SK string encodes the lane discriminator
+     * (`ROLEASSIGNMENT#TENANT#…` vs `ROLEASSIGNMENT#WORKSPACE#…`) so a
+     * single `Query(PK = USER#ID#<userId>, SK begins_with
+     * 'ROLEASSIGNMENT#')` returns both lanes interleaved.
+     */
+    record: {
+      pk: {
+        field: "PK",
+        composite: ["userId"],
+        template: "USER#ID#${userId}"
+      },
+      sk: {
         field: "SK",
+        casing: "none",
         composite: ["sk"],
         template: "${sk}"
       }
+    }
+  }
+});
+
+// src/data/dynamo/entities/control/roleassignment-workspace-projection-entity.ts
+var import_electrodb10 = require("electrodb");
+var RoleAssignmentWorkspaceProjectionEntity = new import_electrodb10.Entity({
+  model: {
+    entity: "roleAssignmentWorkspaceProjection",
+    service: "control",
+    version: "01"
+  },
+  attributes: {
+    /**
+     * Tenant the workspace belongs to. Renders as the leading segment
+     * of the base-table PK. Always required — the workspace partition
+     * is tenant-scoped per ADR-011.
+     */
+    tenantId: {
+      type: "string",
+      required: true
     },
     /**
-     * GSI1 — Unified Sharded List per ADR-011: list all RoleAssignments for a tenant across the
-     * four shards. Tenant-scoped only, so `WID#-` is a sentinel.
-     * SK is derived via `gsi1skAttribute` — uses the resource's natural label when
-     * extractable, else `<lastUpdated>#<id>` (DR-004). `casing: "none"` preserves the
-     * normalized label and ISO-8601 `T`/`Z`.
+     * Workspace partition discriminator. Renders as the trailing
+     * segment of the base-table PK
+     * (`TID#<tenantId>#WORKSPACE#ID#<workspaceId>`). Always required —
+     * the projection has no meaning outside a workspace partition.
      */
-    gsi1: {
-      index: "GSI1",
+    workspaceId: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Pre-composed sort key — built by the operations-layer projection
+     * writer via `buildRoleAssignmentWorkspaceProjectionSk`. The entity
+     * stores the value verbatim so the SK grammar (pattern #9) is
+     * owned by the operations layer, not duplicated here.
+     */
+    sk: {
+      type: "string",
+      required: true
+    },
+    /**
+     * User the role assignment grants the role to. Stored as a
+     * discriminating field so consumers can hydrate the canonical User
+     * row via `UserEntity.get({ id: userId, sk: "CURRENT" })` when the
+     * projection's `summary` is insufficient.
+     */
+    userId: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Role the assignment grants. Stored as a discriminating field —
+     * also rendered into the SK as the discriminator-first segment so
+     * `begins_with('ROLEASSIGNMENT#<roleId>#')` filters one role.
+     */
+    roleId: {
+      type: "string",
+      required: true
+    },
+    /**
+     * RoleAssignment canonical-record id. Stored as a discriminating
+     * field so consumers can hydrate the canonical row via
+     * `RoleAssignmentEntity.get({ tenantId, id: roleAssignmentId })`
+     * when the projection's `summary` is insufficient.
+     */
+    roleAssignmentId: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Summary projection (key display fields as JSON string: id,
+     * displayName, status) — mirrored from the canonical RoleAssignment
+     * row so workspace-partition queries do not need a BatchGet hop.
+     */
+    summary: {
+      type: "string",
+      required: true
+    },
+    /** Version id mirrored from the canonical RoleAssignment row. */
+    vid: {
+      type: "string",
+      required: true
+    },
+    /** Last-updated timestamp mirrored from the canonical RoleAssignment row. */
+    lastUpdated: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Denormalized User display name — required to compose the
+     * pattern-#9 SK (`ROLEASSIGNMENT#<roleId>#<normalizedUserName>#…`).
+     * Optional on the schema because pre-TR-024 rows may not carry a
+     * display name; the operations layer falls back to a sentinel when
+     * missing so the SK still has a valid shape. The TR-023 rename-
+     * cascade pipeline rewrites the SK on a User rename.
+     */
+    denormalizedUserName: {
+      type: "string",
+      required: false
+    },
+    /**
+     * Denormalized Role display name — mirrored from the canonical
+     * RoleAssignment row per TR-024 rule 3 (canonical-record symmetry).
+     * Carried on the projection so consumers can render the role's
+     * display name without a hop to the Role record. Not part of the
+     * SK (pattern #9 sorts on `<normalizedUserName>`, not role name) —
+     * a Role rename does NOT rewrite this SK.
+     */
+    denormalizedRoleName: {
+      type: "string",
+      required: false
+    }
+  },
+  indexes: {
+    /**
+     * Base table: PK = TID#<tenantId>#WORKSPACE#ID#<workspaceId>,
+     * SK = operation-supplied. Pattern #9 uses this index — the SK
+     * encodes the entity-type prefix and discriminator-first roleId
+     * (`ROLEASSIGNMENT#<roleId>#…`) so
+     * `Query(PK = TID#<tenantId>#WORKSPACE#ID#<workspaceId>, SK begins_with 'ROLEASSIGNMENT#<roleId>#')`
+     * returns every user-assignment for that role in the workspace, sorted
+     * by normalized user name.
+     */
+    record: {
       pk: {
-        field: "GSI1PK",
-        composite: ["tenantId", "gsi1Shard"],
-        template: "TID#${tenantId}#WID#-#RT#RoleAssignment#SHARD#${gsi1Shard}"
+        field: "PK",
+        composite: ["tenantId", "workspaceId"],
+        template: "TID#${tenantId}#WORKSPACE#ID#${workspaceId}"
       },
       sk: {
-        field: "GSI1SK",
+        field: "SK",
         casing: "none",
-        composite: ["gsi1sk"],
-        template: "${gsi1sk}"
+        composite: ["sk"],
+        template: "${sk}"
       }
     }
   }
 });
 
 // src/data/dynamo/entities/control/tenant-entity.ts
-var import_electrodb5 = require("electrodb");
-var TenantEntity = new import_electrodb5.Entity({
+var import_electrodb11 = require("electrodb");
+var TenantEntity = new import_electrodb11.Entity({
   model: {
     entity: "tenant",
     service: "control",
@@ -3338,8 +4331,8 @@ var TenantEntity = new import_electrodb5.Entity({
 });
 
 // src/data/dynamo/entities/control/user-entity.ts
-var import_electrodb6 = require("electrodb");
-var UserEntity = new import_electrodb6.Entity({
+var import_electrodb12 = require("electrodb");
+var UserEntity = new import_electrodb12.Entity({
   model: {
     entity: "user",
     service: "control",
@@ -3394,6 +4387,28 @@ var UserEntity = new import_electrodb6.Entity({
       type: "boolean",
       required: false
     },
+    /**
+     * TR-022 / ADR-018 lifecycle state for the cascade pipeline.
+     *
+     * - `active` (or undefined) — normal, readable state.
+     * - `deleting` — intermediate state set synchronously by the
+     *   hard-delete API entry point. The owning-delete cascade state
+     *   machine fans out from this transition (DynamoDB stream →
+     *   `control-plane.owning-delete.v1` → Step Functions). Readers MUST
+     *   short-circuit on `deleting` so partial cascades stay invisible.
+     * - `deleted-failed` — terminal failure state set by the cascade
+     *   finalize Lambda when the cascade run fails irrecoverably.
+     *   Operators recover by re-running the cascade or by direct
+     *   intervention.
+     *
+     * The cascade finalize step deletes the canonical record conditional
+     * on `lifecycleState = "deleting"`; on replay the conditional check
+     * fails and the finalize step treats that as a no-op success.
+     */
+    lifecycleState: {
+      type: ["active", "deleting", "deleted-failed"],
+      required: false
+    },
     bundleId: {
       type: "string",
       required: false
@@ -3463,8 +4478,8 @@ var UserEntity = new import_electrodb6.Entity({
 });
 
 // src/data/dynamo/entities/control/workspace-entity.ts
-var import_electrodb7 = require("electrodb");
-var WorkspaceEntity = new import_electrodb7.Entity({
+var import_electrodb13 = require("electrodb");
+var WorkspaceEntity = new import_electrodb13.Entity({
   model: {
     entity: "workspace",
     service: "control",
@@ -3516,6 +4531,28 @@ var WorkspaceEntity = new import_electrodb7.Entity({
       type: "boolean",
       required: false
     },
+    /**
+     * TR-022 / ADR-018 lifecycle state for the cascade pipeline.
+     *
+     * - `active` (or undefined) — normal, readable state.
+     * - `deleting` — intermediate state set synchronously by the
+     *   hard-delete API entry point. The owning-delete cascade state
+     *   machine fans out from this transition (DynamoDB stream →
+     *   `control-plane.owning-delete.v1` → Step Functions). Readers MUST
+     *   short-circuit on `deleting` so partial cascades stay invisible.
+     * - `deleted-failed` — terminal failure state set by the cascade
+     *   finalize Lambda when the cascade run fails irrecoverably.
+     *   Operators recover by re-running the cascade or by direct
+     *   intervention.
+     *
+     * The cascade finalize step deletes the canonical record conditional
+     * on `lifecycleState = "deleting"`; on replay the conditional check
+     * fails and the finalize step treats that as a no-op success.
+     */
+    lifecycleState: {
+      type: ["active", "deleting", "deleted-failed"],
+      required: false
+    },
     bundleId: {
       type: "string",
       required: false
@@ -3566,38 +4603,57 @@ var WorkspaceEntity = new import_electrodb7.Entity({
 // src/data/dynamo/dynamo-control-service.ts
 var controlPlaneEntities = {
   configuration: ConfigurationEntity,
+  configurationUserProjection: ConfigurationUserProjectionEntity,
+  configurationWorkspaceProjection: ConfigurationWorkspaceProjectionEntity,
   membership: MembershipEntity,
+  membershipUserProjection: MembershipUserProjectionEntity,
+  membershipWorkspaceProjection: MembershipWorkspaceProjectionEntity,
   role: RoleEntity,
   roleAssignment: RoleAssignmentEntity,
+  roleAssignmentUserProjection: RoleAssignmentUserProjectionEntity,
+  roleAssignmentWorkspaceProjection: RoleAssignmentWorkspaceProjectionEntity,
   tenant: TenantEntity,
   user: UserEntity,
   workspace: WorkspaceEntity
 };
-var controlPlaneService = new import_electrodb8.Service(controlPlaneEntities, {
+var controlPlaneService = new import_electrodb14.Service(controlPlaneEntities, {
   table: defaultTableName,
   client: dynamoClient
 });
 var DynamoControlService = {
-  entities: controlPlaneService.entities
+  entities: controlPlaneService.entities,
+  transaction: controlPlaneService.transaction
 };
 
 // src/data/operations/control/membership/membership-create-operation.ts
+var import_types5 = require("@openhi/types");
+
+// src/data/operations/control/membership/membership-user-projection.ts
 var import_types3 = require("@openhi/types");
 
-// src/data/operations/control/roleassignment/roleassignment-create-operation.ts
+// src/data/operations/control/membership/membership-workspace-projection.ts
 var import_types4 = require("@openhi/types");
 
+// src/data/operations/control/roleassignment/roleassignment-create-operation.ts
+var import_types8 = require("@openhi/types");
+
+// src/data/operations/control/roleassignment/roleassignment-user-projection.ts
+var import_types6 = require("@openhi/types");
+
+// src/data/operations/control/roleassignment/roleassignment-workspace-projection.ts
+var import_types7 = require("@openhi/types");
+
 // src/data/operations/control/tenant/tenant-create-operation.ts
-var import_types5 = require("@openhi/types");
+var import_types9 = require("@openhi/types");
 
 // src/data/operations/control/workspace/workspace-create-operation.ts
-var import_types7 = require("@openhi/types");
+var import_types11 = require("@openhi/types");
 
 // src/data/dynamo/dynamo-data-service.ts
-var import_electrodb10 = require("electrodb");
+var import_electrodb16 = require("electrodb");
 
 // src/data/dynamo/entities/data-entity-common.ts
-var import_electrodb9 = require("electrodb");
+var import_electrodb15 = require("electrodb");
 var dataEntityAttributes = {
   /** Sort key. "CURRENT" for current version; version history in S3. */
   sk: {
@@ -3693,7 +4749,7 @@ var dataEntityAttributes = {
   }
 };
 function createDataEntity(entity, resourceTypeLabel) {
-  return new import_electrodb9.Entity({
+  return new import_electrodb15.Entity({
     model: {
       entity,
       service: "data",
@@ -4607,16 +5663,17 @@ var dataPlaneEntities = {
   visionprescription: VisionPrescriptionEntity,
   verificationresult: VerificationResultEntity
 };
-var dataPlaneService = new import_electrodb10.Service(dataPlaneEntities, {
+var dataPlaneService = new import_electrodb16.Service(dataPlaneEntities, {
   table: defaultTableName,
   client: dynamoClient
 });
 var DynamoDataService = {
-  entities: dataPlaneService.entities
+  entities: dataPlaneService.entities,
+  transaction: dataPlaneService.transaction
 };
 
 // src/data/operations/data-operations-common.ts
-var import_types6 = require("@openhi/types");
+var import_types10 = require("@openhi/types");
 
 // src/lib/compression.ts
 var import_node_zlib = require("zlib");
@@ -4646,7 +5703,7 @@ var SeedDemoDataLambda = class extends import_constructs11.Construct {
         [SEED_DEMO_DATA_USER_POOL_ID_ENV_VAR]: props.userPool.userPoolId
       }
     });
-    const roleReadKeys = Object.values(import_types9.PLATFORM_ROLE_IDS).map(rolePartitionKey);
+    const roleReadKeys = Object.values(import_types13.PLATFORM_ROLE_IDS).map(rolePartitionKey);
     this.lambda.addToRolePolicy(
       new import_aws_iam3.PolicyStatement({
         effect: import_aws_iam3.Effect.ALLOW,
@@ -4735,7 +5792,7 @@ var SEED_SYSTEM_DATA_CONTROL_BUS_ENV_VAR = "CONTROL_EVENT_BUS_NAME";
 // src/workflows/control-plane/seed-system-data/seed-system-data-lambda.ts
 var import_node_fs8 = __toESM(require("fs"));
 var import_node_path8 = __toESM(require("path"));
-var import_types10 = require("@openhi/types");
+var import_types14 = require("@openhi/types");
 var import_aws_cdk_lib13 = require("aws-cdk-lib");
 var import_aws_events7 = require("aws-cdk-lib/aws-events");
 var import_aws_events_targets3 = require("aws-cdk-lib/aws-events-targets");
@@ -4764,7 +5821,7 @@ var SeedSystemDataLambda = class extends import_constructs13.Construct {
         [SEED_SYSTEM_DATA_CONTROL_BUS_ENV_VAR]: props.controlEventBus.eventBusName
       }
     });
-    const roleArns = Object.values(import_types10.PLATFORM_ROLE_IDS).map(
+    const roleArns = Object.values(import_types14.PLATFORM_ROLE_IDS).map(
       (id) => `role#id#${id}`
     );
     this.lambda.addToRolePolicy(
@@ -5715,6 +6772,507 @@ var _OpenHiGraphqlService = class _OpenHiGraphqlService extends OpenHiService {
 };
 _OpenHiGraphqlService.SERVICE_TYPE = "graphql-api";
 var OpenHiGraphqlService = _OpenHiGraphqlService;
+
+// src/workflows/control-plane/owning-delete-cascade/events.ts
+var import_workflows5 = __toESM(require_lib2());
+var OWNING_DELETE_CASCADE_CONSUMER_NAME = "owning-delete-cascade";
+var OWNING_DELETE_CASCADE_DEFAULT_CONCURRENCY = 8;
+var OWNING_DELETE_CASCADE_STUCK_THRESHOLD_MINUTES = 15;
+var OWNING_DELETE_OPS_EVENT_BUS_ENV_VAR = "OWNING_DELETE_OPS_EVENT_BUS_NAME";
+
+// src/workflows/control-plane/owning-delete-cascade/owning-delete-cascade-lambdas.ts
+var import_node_fs12 = __toESM(require("fs"));
+var import_node_path12 = __toESM(require("path"));
+var import_aws_cdk_lib15 = require("aws-cdk-lib");
+var import_aws_iam8 = require("aws-cdk-lib/aws-iam");
+var import_aws_lambda12 = require("aws-cdk-lib/aws-lambda");
+var import_aws_lambda_nodejs12 = require("aws-cdk-lib/aws-lambda-nodejs");
+var import_constructs19 = require("constructs");
+function resolveHandlerEntry12(dirname, handlerName) {
+  const sameDir = import_node_path12.default.join(dirname, handlerName);
+  if (import_node_fs12.default.existsSync(sameDir)) {
+    return { entry: sameDir, handler: "handler" };
+  }
+  const libDir = import_node_path12.default.join(dirname, "..", "..", "..", "..", "lib", handlerName);
+  return { entry: libDir, handler: "handler" };
+}
+var OwningDeleteCascadeLambdas = class extends import_constructs19.Construct {
+  constructor(scope, props) {
+    super(scope, "owning-delete-cascade-lambdas");
+    const listResolved = resolveHandlerEntry12(
+      __dirname,
+      "list-chunks.handler.js"
+    );
+    this.listChunks = new import_aws_lambda_nodejs12.NodejsFunction(this, "list-chunks-handler", {
+      entry: listResolved.entry,
+      runtime: import_aws_lambda12.Runtime.NODEJS_LATEST,
+      memorySize: 512,
+      timeout: import_aws_cdk_lib15.Duration.minutes(1),
+      environment: {
+        DYNAMO_TABLE_NAME: props.dataStoreTable.tableName
+      }
+    });
+    props.dataStoreTable.grant(this.listChunks, "dynamodb:Query");
+    const deleteResolved = resolveHandlerEntry12(
+      __dirname,
+      "delete-chunk.handler.js"
+    );
+    this.deleteChunk = new import_aws_lambda_nodejs12.NodejsFunction(this, "delete-chunk-handler", {
+      entry: deleteResolved.entry,
+      runtime: import_aws_lambda12.Runtime.NODEJS_LATEST,
+      memorySize: 512,
+      timeout: import_aws_cdk_lib15.Duration.minutes(1),
+      environment: {
+        DYNAMO_TABLE_NAME: props.dataStoreTable.tableName
+      }
+    });
+    props.dataStoreTable.grant(
+      this.deleteChunk,
+      "dynamodb:DeleteItem",
+      "dynamodb:UpdateItem",
+      "dynamodb:PutItem"
+    );
+    const finalizeResolved = resolveHandlerEntry12(
+      __dirname,
+      "finalize.handler.js"
+    );
+    this.finalize = new import_aws_lambda_nodejs12.NodejsFunction(this, "finalize-handler", {
+      entry: finalizeResolved.entry,
+      runtime: import_aws_lambda12.Runtime.NODEJS_LATEST,
+      memorySize: 512,
+      timeout: import_aws_cdk_lib15.Duration.minutes(1),
+      environment: {
+        DYNAMO_TABLE_NAME: props.dataStoreTable.tableName,
+        [OWNING_DELETE_OPS_EVENT_BUS_ENV_VAR]: props.opsEventBus.eventBusName
+      }
+    });
+    props.dataStoreTable.grant(this.finalize, "dynamodb:DeleteItem");
+    this.finalize.addToRolePolicy(
+      new import_aws_iam8.PolicyStatement({
+        effect: import_aws_iam8.Effect.ALLOW,
+        actions: ["events:PutEvents"],
+        resources: [props.opsEventBus.eventBusArn]
+      })
+    );
+  }
+};
+
+// src/workflows/control-plane/owning-delete-cascade/owning-delete-cascade-workflow.ts
+var import_aws_cdk_lib16 = require("aws-cdk-lib");
+var import_aws_events9 = require("aws-cdk-lib/aws-events");
+var import_aws_events_targets5 = require("aws-cdk-lib/aws-events-targets");
+var import_aws_stepfunctions = require("aws-cdk-lib/aws-stepfunctions");
+var import_aws_stepfunctions_tasks = require("aws-cdk-lib/aws-stepfunctions-tasks");
+var import_constructs20 = require("constructs");
+var OwningDeleteCascadeWorkflow = class extends import_constructs20.Construct {
+  constructor(scope, props) {
+    super(scope, "owning-delete-cascade-workflow");
+    this.lambdas = new OwningDeleteCascadeLambdas(this, {
+      dataStoreTable: props.dataStoreTable,
+      opsEventBus: props.opsEventBus
+    });
+    const concurrency = props.cascadeMapConcurrency ?? OWNING_DELETE_CASCADE_DEFAULT_CONCURRENCY;
+    const initState = new import_aws_stepfunctions.Pass(this, "init-state", {
+      parameters: {
+        "ownerType.$": "$.detail.payload.ownerType",
+        "ownerId.$": "$.detail.payload.ownerId",
+        "tenantId.$": "$.detail.payload.tenantId",
+        cursors: {},
+        projectionsRemoved: 0,
+        chunkCount: 0,
+        // Used by the finalize step to compute `durationMs`.
+        "startedAt.$": "$$.Execution.StartTime",
+        // Propagate envelope identity for ADR-016 causation chaining.
+        "eventId.$": "$.detail.eventId",
+        "correlationId.$": "$.detail.correlationId",
+        "causationId.$": "$.detail.eventId"
+      }
+    });
+    const listChunks = new import_aws_stepfunctions_tasks.LambdaInvoke(this, "list-chunks", {
+      lambdaFunction: this.lambdas.listChunks,
+      resultPath: "$.listResult",
+      retryOnServiceExceptions: true
+    });
+    const updateAfterList = new import_aws_stepfunctions.Pass(this, "update-after-list", {
+      parameters: {
+        "ownerType.$": "$.ownerType",
+        "ownerId.$": "$.ownerId",
+        "tenantId.$": "$.tenantId",
+        "cursors.$": "$.listResult.Payload.cursors",
+        "projectionsRemoved.$": "$.listResult.Payload.projectionsRemoved",
+        "chunkCount.$": "$.listResult.Payload.chunkCount",
+        "exhausted.$": "$.listResult.Payload.exhausted",
+        "chunks.$": "$.listResult.Payload.chunks",
+        "startedAt.$": "$.startedAt",
+        "eventId.$": "$.eventId",
+        "correlationId.$": "$.correlationId",
+        "causationId.$": "$.causationId"
+      }
+    });
+    const rewriteChunks = new import_aws_stepfunctions.CustomState(this, "rewrite-chunks", {
+      stateJson: {
+        Type: "Map",
+        ItemsPath: "$.chunks",
+        MaxConcurrency: concurrency,
+        ResultPath: "$.rewriteResults",
+        ItemSelector: {
+          // The handler receives `CascadeChunkInput` verbatim from the
+          // `listChunks` output, no additional wrapping.
+          "ownerType.$": "$$.Map.Item.Value.ownerType",
+          "ownerId.$": "$$.Map.Item.Value.ownerId",
+          "tenantId.$": "$$.Map.Item.Value.tenantId",
+          "rows.$": "$$.Map.Item.Value.rows",
+          "chunkToken.$": "$$.Map.Item.Value.chunkToken"
+        },
+        ItemProcessor: {
+          ProcessorConfig: {
+            // Inline mode (NOT Distributed). Per TR-022 Choice 2A.
+            Mode: "INLINE"
+          },
+          StartAt: "DeleteChunk",
+          States: {
+            DeleteChunk: {
+              Type: "Task",
+              Resource: "arn:aws:states:::lambda:invoke",
+              Parameters: {
+                FunctionName: this.lambdas.deleteChunk.functionArn,
+                "Payload.$": "$"
+              },
+              Retry: [
+                {
+                  ErrorEquals: [
+                    "DynamoDB.ProvisionedThroughputExceededException",
+                    "DynamoDB.ThrottlingException",
+                    "DynamoDB.TransactionConflictException",
+                    "Lambda.ServiceException",
+                    "Lambda.AWSLambdaException",
+                    "Lambda.SdkClientException"
+                  ],
+                  IntervalSeconds: 1,
+                  MaxAttempts: 3,
+                  BackoffRate: 2,
+                  MaxDelaySeconds: 30
+                }
+              ],
+              Catch: [
+                {
+                  // Replay path: the rows in this chunk are already
+                  // gone. Treat as a no-op success so the outer loop
+                  // keeps draining the partition.
+                  ErrorEquals: ["DynamoDB.TransactionCanceledException"],
+                  Next: "ChunkAlreadyDeleted"
+                }
+              ],
+              End: true
+            },
+            ChunkAlreadyDeleted: {
+              Type: "Succeed"
+            }
+          }
+        }
+      }
+    });
+    const interPageWait = new import_aws_stepfunctions.Wait(this, "inter-page-wait", {
+      time: import_aws_stepfunctions.WaitTime.duration(import_aws_cdk_lib16.Duration.seconds(0))
+    });
+    const isExhausted = new import_aws_stepfunctions.Choice(this, "is-exhausted");
+    const finalize = new import_aws_stepfunctions_tasks.LambdaInvoke(this, "finalize", {
+      lambdaFunction: this.lambdas.finalize,
+      payload: import_aws_stepfunctions.TaskInput.fromObject({
+        "ownerType.$": "$.ownerType",
+        "ownerId.$": "$.ownerId",
+        "tenantId.$": "$.tenantId",
+        "projectionsRemoved.$": "$.projectionsRemoved",
+        "chunkCount.$": "$.chunkCount",
+        "startedAt.$": "$.startedAt",
+        "eventId.$": "$.eventId",
+        "correlationId.$": "$.correlationId",
+        "causationId.$": "$.causationId"
+      }),
+      resultPath: "$.finalizeResult",
+      retryOnServiceExceptions: true
+    });
+    const success = new import_aws_stepfunctions.Succeed(this, "success");
+    const definition = initState.next(listChunks).next(updateAfterList).next(rewriteChunks).next(interPageWait).next(
+      isExhausted.when(
+        import_aws_stepfunctions.Condition.booleanEquals("$.exhausted", true),
+        finalize.next(success)
+      ).otherwise(listChunks)
+    );
+    this.stateMachine = new import_aws_stepfunctions.StateMachine(this, "state-machine", {
+      definitionBody: import_aws_stepfunctions.DefinitionBody.fromChainable(definition),
+      // Long timeout because real-world cascades can run minutes when
+      // a workspace has thousands of members. The stuck-cascade alarm
+      // fires at 15 minutes; the state machine itself does not abort.
+      timeout: import_aws_cdk_lib16.Duration.hours(2)
+    });
+    this.rule = new import_aws_events9.Rule(this, "rule", {
+      eventBus: props.dataEventBus,
+      eventPattern: {
+        source: [import_workflows5.OPENHI_DATA_SOURCE],
+        detailType: [import_workflows5.ControlPlaneOwningDeleteV1.detailType]
+      },
+      targets: [
+        new import_aws_events_targets5.SfnStateMachine(this.stateMachine, {
+          retryAttempts: 2,
+          maxEventAge: import_aws_cdk_lib16.Duration.hours(2)
+        })
+      ]
+    });
+  }
+};
+
+// src/workflows/control-plane/rename-cascade/events.ts
+var import_workflows6 = __toESM(require_lib2());
+var RENAME_CASCADE_CONSUMER_NAME = "rename-cascade";
+var RENAME_CASCADE_DEFAULT_CONCURRENCY = 10;
+var RENAME_CASCADE_FAILED_THRESHOLD = 0;
+var RENAME_CASCADE_SLOW_THRESHOLD_SECONDS = 300;
+var RENAME_CASCADE_OPS_EVENT_BUS_ENV_VAR = "RENAME_CASCADE_OPS_EVENT_BUS_NAME";
+
+// src/workflows/control-plane/rename-cascade/rename-cascade-lambdas.ts
+var import_node_fs13 = __toESM(require("fs"));
+var import_node_path13 = __toESM(require("path"));
+var import_aws_cdk_lib17 = require("aws-cdk-lib");
+var import_aws_iam9 = require("aws-cdk-lib/aws-iam");
+var import_aws_lambda13 = require("aws-cdk-lib/aws-lambda");
+var import_aws_lambda_nodejs13 = require("aws-cdk-lib/aws-lambda-nodejs");
+var import_constructs21 = require("constructs");
+function resolveHandlerEntry13(dirname, handlerName) {
+  const sameDir = import_node_path13.default.join(dirname, handlerName);
+  if (import_node_fs13.default.existsSync(sameDir)) {
+    return { entry: sameDir, handler: "handler" };
+  }
+  const libDir = import_node_path13.default.join(dirname, "..", "..", "..", "..", "lib", handlerName);
+  return { entry: libDir, handler: "handler" };
+}
+var RenameCascadeLambdas = class extends import_constructs21.Construct {
+  constructor(scope, props) {
+    super(scope, "rename-cascade-lambdas");
+    const listResolved = resolveHandlerEntry13(
+      __dirname,
+      "rename-list-targets.handler.js"
+    );
+    this.listTargets = new import_aws_lambda_nodejs13.NodejsFunction(this, "list-targets-handler", {
+      entry: listResolved.entry,
+      runtime: import_aws_lambda13.Runtime.NODEJS_LATEST,
+      memorySize: 512,
+      timeout: import_aws_cdk_lib17.Duration.minutes(1),
+      environment: {
+        DYNAMO_TABLE_NAME: props.dataStoreTable.tableName
+      }
+    });
+    props.dataStoreTable.grant(this.listTargets, "dynamodb:Query");
+    const rewriteResolved = resolveHandlerEntry13(
+      __dirname,
+      "rename-rewrite-chunk.handler.js"
+    );
+    this.rewriteChunk = new import_aws_lambda_nodejs13.NodejsFunction(this, "rewrite-chunk-handler", {
+      entry: rewriteResolved.entry,
+      runtime: import_aws_lambda13.Runtime.NODEJS_LATEST,
+      memorySize: 512,
+      timeout: import_aws_cdk_lib17.Duration.minutes(1),
+      environment: {
+        DYNAMO_TABLE_NAME: props.dataStoreTable.tableName
+      }
+    });
+    props.dataStoreTable.grant(
+      this.rewriteChunk,
+      "dynamodb:DeleteItem",
+      "dynamodb:PutItem",
+      "dynamodb:UpdateItem"
+    );
+    const finalizeResolved = resolveHandlerEntry13(
+      __dirname,
+      "rename-finalize.handler.js"
+    );
+    this.finalize = new import_aws_lambda_nodejs13.NodejsFunction(this, "finalize-handler", {
+      entry: finalizeResolved.entry,
+      runtime: import_aws_lambda13.Runtime.NODEJS_LATEST,
+      memorySize: 512,
+      timeout: import_aws_cdk_lib17.Duration.minutes(1),
+      environment: {
+        [RENAME_CASCADE_OPS_EVENT_BUS_ENV_VAR]: props.opsEventBus.eventBusName
+      }
+    });
+    this.finalize.addToRolePolicy(
+      new import_aws_iam9.PolicyStatement({
+        effect: import_aws_iam9.Effect.ALLOW,
+        actions: ["events:PutEvents"],
+        resources: [props.opsEventBus.eventBusArn]
+      })
+    );
+  }
+};
+
+// src/workflows/control-plane/rename-cascade/rename-cascade-workflow.ts
+var import_aws_cdk_lib18 = require("aws-cdk-lib");
+var import_aws_events10 = require("aws-cdk-lib/aws-events");
+var import_aws_events_targets6 = require("aws-cdk-lib/aws-events-targets");
+var import_aws_stepfunctions2 = require("aws-cdk-lib/aws-stepfunctions");
+var import_aws_stepfunctions_tasks2 = require("aws-cdk-lib/aws-stepfunctions-tasks");
+var import_constructs22 = require("constructs");
+var RenameCascadeWorkflow = class extends import_constructs22.Construct {
+  constructor(scope, props) {
+    super(scope, "rename-cascade-workflow");
+    this.lambdas = new RenameCascadeLambdas(this, {
+      dataStoreTable: props.dataStoreTable,
+      opsEventBus: props.opsEventBus
+    });
+    const concurrency = props.cascadeMapConcurrency ?? RENAME_CASCADE_DEFAULT_CONCURRENCY;
+    const initState = new import_aws_stepfunctions2.Pass(this, "init-state", {
+      parameters: {
+        "entityType.$": "$.detail.payload.entityType",
+        "entityId.$": "$.detail.payload.entityId",
+        "tenantId.$": "$.detail.payload.tenantId",
+        "oldName.$": "$.detail.payload.oldName",
+        "newName.$": "$.detail.payload.newName",
+        "oldNormalizedName.$": "$.detail.payload.oldNormalizedName",
+        "newNormalizedName.$": "$.detail.payload.newNormalizedName",
+        cursors: {},
+        itemsRewritten: 0,
+        chunkCount: 0,
+        "startedAt.$": "$$.Execution.StartTime",
+        "eventId.$": "$.detail.eventId",
+        "correlationId.$": "$.detail.correlationId",
+        "causationId.$": "$.detail.eventId"
+      }
+    });
+    const listTargets = new import_aws_stepfunctions_tasks2.LambdaInvoke(this, "list-targets", {
+      lambdaFunction: this.lambdas.listTargets,
+      resultPath: "$.listResult",
+      retryOnServiceExceptions: true
+    });
+    const updateAfterList = new import_aws_stepfunctions2.Pass(this, "update-after-list", {
+      parameters: {
+        "entityType.$": "$.entityType",
+        "entityId.$": "$.entityId",
+        "tenantId.$": "$.tenantId",
+        "oldName.$": "$.oldName",
+        "newName.$": "$.newName",
+        "oldNormalizedName.$": "$.oldNormalizedName",
+        "newNormalizedName.$": "$.newNormalizedName",
+        "cursors.$": "$.listResult.Payload.cursors",
+        "itemsRewritten.$": "$.listResult.Payload.itemsRewritten",
+        "chunkCount.$": "$.listResult.Payload.chunkCount",
+        "exhausted.$": "$.listResult.Payload.exhausted",
+        "chunks.$": "$.listResult.Payload.chunks",
+        "startedAt.$": "$.startedAt",
+        "eventId.$": "$.eventId",
+        "correlationId.$": "$.correlationId",
+        "causationId.$": "$.causationId"
+      }
+    });
+    const rewriteChunks = new import_aws_stepfunctions2.CustomState(this, "rewrite-chunks", {
+      stateJson: {
+        Type: "Map",
+        ItemsPath: "$.chunks",
+        MaxConcurrency: concurrency,
+        ResultPath: "$.rewriteResults",
+        ItemSelector: {
+          "entityType.$": "$$.Map.Item.Value.entityType",
+          "entityId.$": "$$.Map.Item.Value.entityId",
+          "tenantId.$": "$$.Map.Item.Value.tenantId",
+          "targets.$": "$$.Map.Item.Value.targets",
+          "chunkToken.$": "$$.Map.Item.Value.chunkToken"
+        },
+        ItemProcessor: {
+          ProcessorConfig: {
+            // DISTRIBUTED mode — per TR-023 (NOT INLINE; that is
+            // TR-022's territory).
+            Mode: "DISTRIBUTED",
+            ExecutionType: "STANDARD"
+          },
+          StartAt: "RewriteChunk",
+          States: {
+            RewriteChunk: {
+              Type: "Task",
+              Resource: "arn:aws:states:::lambda:invoke",
+              Parameters: {
+                FunctionName: this.lambdas.rewriteChunk.functionArn,
+                "Payload.$": "$"
+              },
+              Retry: [
+                {
+                  ErrorEquals: [
+                    "DynamoDB.ProvisionedThroughputExceededException",
+                    "DynamoDB.ThrottlingException",
+                    "DynamoDB.TransactionConflictException",
+                    "Lambda.ServiceException",
+                    "Lambda.AWSLambdaException",
+                    "Lambda.SdkClientException"
+                  ],
+                  IntervalSeconds: 1,
+                  MaxAttempts: 5,
+                  BackoffRate: 2,
+                  MaxDelaySeconds: 30
+                }
+              ],
+              Catch: [
+                {
+                  // Replay path: the rewrite race "lost to a later
+                  // write" per TR-023 idempotency. Treat as a no-op
+                  // success so the outer loop keeps draining the page.
+                  ErrorEquals: ["DynamoDB.TransactionCanceledException"],
+                  Next: "ChunkAlreadyRewritten"
+                }
+              ],
+              End: true
+            },
+            ChunkAlreadyRewritten: {
+              Type: "Succeed"
+            }
+          }
+        }
+      }
+    });
+    const isExhausted = new import_aws_stepfunctions2.Choice(this, "is-exhausted");
+    const finalize = new import_aws_stepfunctions_tasks2.LambdaInvoke(this, "finalize", {
+      lambdaFunction: this.lambdas.finalize,
+      payload: import_aws_stepfunctions2.TaskInput.fromObject({
+        "entityType.$": "$.entityType",
+        "entityId.$": "$.entityId",
+        "tenantId.$": "$.tenantId",
+        "newName.$": "$.newName",
+        "itemsRewritten.$": "$.itemsRewritten",
+        "chunkCount.$": "$.chunkCount",
+        "startedAt.$": "$.startedAt",
+        "eventId.$": "$.eventId",
+        "correlationId.$": "$.correlationId",
+        "causationId.$": "$.causationId"
+      }),
+      resultPath: "$.finalizeResult",
+      retryOnServiceExceptions: true
+    });
+    const success = new import_aws_stepfunctions2.Succeed(this, "success");
+    const definition = initState.next(listTargets).next(updateAfterList).next(rewriteChunks).next(
+      isExhausted.when(
+        import_aws_stepfunctions2.Condition.booleanEquals("$.exhausted", true),
+        finalize.next(success)
+      ).otherwise(listTargets)
+    );
+    this.stateMachine = new import_aws_stepfunctions2.StateMachine(this, "state-machine", {
+      definitionBody: import_aws_stepfunctions2.DefinitionBody.fromChainable(definition),
+      // Long timeout — large renames may rewrite thousands of rows;
+      // the `CascadeSlow` alarm fires at 300s p99 but the state
+      // machine itself does not abort.
+      timeout: import_aws_cdk_lib18.Duration.hours(2)
+    });
+    this.rule = new import_aws_events10.Rule(this, "rule", {
+      eventBus: props.dataEventBus,
+      eventPattern: {
+        source: [import_workflows6.OPENHI_DATA_SOURCE],
+        detailType: [import_workflows6.ControlPlaneRenameV1.detailType]
+      },
+      targets: [
+        new import_aws_events_targets6.SfnStateMachine(this.stateMachine, {
+          retryAttempts: 2,
+          maxEventAge: import_aws_cdk_lib18.Duration.hours(2)
+        })
+      ]
+    });
+  }
+};
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   BRIDGED_STATUSES,
@@ -5728,6 +7286,12 @@ var OpenHiGraphqlService = _OpenHiGraphqlService;
   CognitoUserPoolDomain,
   CognitoUserPoolKmsKey,
   ControlEventBus,
+  ControlPlaneOwningDeleteCompleteV1,
+  ControlPlaneOwningDeleteFailedV1,
+  ControlPlaneOwningDeleteV1,
+  ControlPlaneRenameCompleteV1,
+  ControlPlaneRenameFailedV1,
+  ControlPlaneRenameV1,
   DATA_STORE_CHANGE_DETAIL_MAX_UTF8_BYTES,
   DATA_STORE_CHANGE_DETAIL_TYPE,
   DATA_STORE_CHANGE_EVENT_SOURCE,
@@ -5747,6 +7311,11 @@ var OpenHiGraphqlService = _OpenHiGraphqlService;
   OPENHI_TAG_SUFFIX_REPO_NAME,
   OPENHI_TAG_SUFFIX_SERVICE_TYPE,
   OPENHI_TAG_SUFFIX_STAGE_TYPE,
+  OWNING_DELETE_CASCADE_CONSUMER_NAME,
+  OWNING_DELETE_CASCADE_DEFAULT_CONCURRENCY,
+  OWNING_DELETE_CASCADE_STUCK_THRESHOLD_MINUTES,
+  OWNING_DELETE_OPS_EVENT_BUS_ENV_VAR,
+  OWNING_ENTITY_TYPE,
   OpenHiApp,
   OpenHiAuthService,
   OpenHiDataService,
@@ -5757,6 +7326,8 @@ var OpenHiGraphqlService = _OpenHiGraphqlService;
   OpenHiService,
   OpenHiStage,
   OpsEventBus,
+  OwningDeleteCascadeLambdas,
+  OwningDeleteCascadeWorkflow,
   PLACEHOLDER_TENANT_ID,
   PLACEHOLDER_WORKSPACE_ID,
   PLATFORM_DEPLOY_BRIDGE_ACTOR_SYSTEM,
@@ -5772,7 +7343,15 @@ var OpenHiGraphqlService = _OpenHiGraphqlService;
   PostConfirmationLambda,
   PreTokenGenerationLambda,
   ProvisionDefaultWorkspaceLambda,
+  RENAMABLE_ENTITY_TYPE,
+  RENAME_CASCADE_CONSUMER_NAME,
+  RENAME_CASCADE_DEFAULT_CONCURRENCY,
+  RENAME_CASCADE_FAILED_THRESHOLD,
+  RENAME_CASCADE_OPS_EVENT_BUS_ENV_VAR,
+  RENAME_CASCADE_SLOW_THRESHOLD_SECONDS,
   REST_API_BASE_URL_SSM_NAME,
+  RenameCascadeLambdas,
+  RenameCascadeWorkflow,
   RootGraphqlApi,
   RootHostedZone,
   RootHttpApi,