@openhi/constructs 0.0.110 → 0.0.112

package/lib/rest-api-lambda.handler.mjs

@@ -1,33 +1,46 @@
+import {
+  buildSchemaBootstrapStatements
+} from "./chunk-2O3CXY2C.mjs";
 import {
   createRoleOperation
-} from "./chunk-AJ3G3THO.mjs";
+} from "./chunk-KO64HPWQ.mjs";
 import {
   getRoleByIdOperation
-} from "./chunk-7FUAMZOF.mjs";
+} from "./chunk-53OHXLIL.mjs";
 import {
   listMembershipsOperation,
   listPractitionerRolesOperation,
   listRoleAssignmentsOperation
-} from "./chunk-BB5MK4L3.mjs";
+} from "./chunk-KSFC72TT.mjs";
 import {
   createMembershipOperation,
   createRoleAssignmentOperation,
   createTenantOperation,
-  createWorkspaceOperation
-} from "./chunk-MULKGFIJ.mjs";
+  createWorkspaceOperation,
+  extractDenormalizedReferenceDisplay
+} from "./chunk-GBDIGTNV.mjs";
+import {
+  buildMembershipUserProjectionItem,
+  buildMembershipWorkspaceProjectionItem,
+  buildRoleAssignmentUserProjectionItem,
+  buildRoleAssignmentWorkspaceProjectionItem,
+  extractReferenceSlug,
+  extractReferenceSlug2
+} from "./chunk-HQ67J7BP.mjs";
+import {
+  executeMultiWrite
+} from "./chunk-QJDHVMKT.mjs";
 import {
   createUserOperation,
   deleteUserOperation,
   findUserBySubOperation,
   getUserByIdOperation,
   listUsersOperation,
+  membershipListByUserOperation,
   switchUserTenantWorkspaceOperation,
   updateUserOperation
-} from "./chunk-2TPJ6HOF.mjs";
+} from "./chunk-NZRW7ROK.mjs";
 import {
-  ForbiddenError,
-  NotFoundError,
-  ValidationError,
   batchGetWithRetry,
   buildUpdatedResourceWithAudit,
   compressResource,
@@ -35,17 +48,23 @@ import {
   decompressResource,
   deleteDataEntityById,
   dispatchListMode,
-  domainErrorToHttpStatus,
   getDataEntityById,
   getDynamoDataService,
   listDataEntitiesByWorkspace,
   mergeAuditIntoMeta,
   updateDataEntityById
-} from "./chunk-IS4VQRI4.mjs";
+} from "./chunk-QMBJ4VHC.mjs";
+import {
+  ForbiddenError,
+  NotFoundError,
+  ValidationError,
+  domainErrorToHttpStatus
+} from "./chunk-FYHBHHWK.mjs";
 import {
   SHARD_COUNT,
   getDynamoControlService
-} from "./chunk-QR5JVSCF.mjs";
+} from "./chunk-6NBGYGFL.mjs";
+import "./chunk-TRY7JGWO.mjs";
 import "./chunk-LZOMFHX3.mjs";
 
 // src/data/lambda/rest-api-lambda.handler.ts
@@ -116,6 +135,81 @@ function openHiContextMiddleware(req, res, next) {
 // src/data/rest-api/routes/control/configuration/configuration.ts
 import express from "express";
 
+// src/data/operations/control/configuration/configuration-user-projection.ts
+import { normalizeLabel } from "@openhi/types";
+var MISSING_NAME_SENTINEL = "-";
+var ABSENT_USER_SENTINEL = "-";
+function buildConfigurationUserProjectionSk(params) {
+  const normalizedConfigName = typeof params.key === "string" && params.key.length > 0 ? normalizeLabel(params.key) : MISSING_NAME_SENTINEL;
+  const safeNormalized = normalizedConfigName.length > 0 ? normalizedConfigName : MISSING_NAME_SENTINEL;
+  return `CONFIGURATION#${safeNormalized}#${params.configurationId}`;
+}
+function buildConfigurationUserProjectionItem(input) {
+  if (!input.userId || input.userId.length === 0 || input.userId === ABSENT_USER_SENTINEL) {
+    return void 0;
+  }
+  if (!input.configurationId || input.configurationId.length === 0) {
+    return void 0;
+  }
+  const sk = buildConfigurationUserProjectionSk({
+    key: input.key,
+    configurationId: input.configurationId
+  });
+  return {
+    userId: input.userId,
+    sk,
+    tenantId: input.tenantId,
+    configurationId: input.configurationId,
+    scope: "user",
+    displayName: input.key,
+    summary: input.summary,
+    vid: input.vid,
+    lastUpdated: input.lastUpdated
+  };
+}
+function isUserScopedConfiguration(userId) {
+  return typeof userId === "string" && userId.length > 0 && userId !== ABSENT_USER_SENTINEL;
+}
+
+// src/data/operations/control/configuration/configuration-workspace-projection.ts
+import { normalizeLabel as normalizeLabel2 } from "@openhi/types";
+var MISSING_NAME_SENTINEL2 = "-";
+var ABSENT_WORKSPACE_SENTINEL = "-";
+var ABSENT_USER_SENTINEL2 = "-";
+function buildConfigurationWorkspaceProjectionSk(params) {
+  const normalizedConfigName = typeof params.key === "string" && params.key.length > 0 ? normalizeLabel2(params.key) : MISSING_NAME_SENTINEL2;
+  const safeNormalized = normalizedConfigName.length > 0 ? normalizedConfigName : MISSING_NAME_SENTINEL2;
+  return `CONFIGURATION#${safeNormalized}#${params.configurationId}`;
+}
+function buildConfigurationWorkspaceProjectionItem(input) {
+  if (!input.workspaceId || input.workspaceId.length === 0 || input.workspaceId === ABSENT_WORKSPACE_SENTINEL) {
+    return void 0;
+  }
+  if (!input.configurationId || input.configurationId.length === 0) {
+    return void 0;
+  }
+  const sk = buildConfigurationWorkspaceProjectionSk({
+    key: input.key,
+    configurationId: input.configurationId
+  });
+  return {
+    tenantId: input.tenantId,
+    workspaceId: input.workspaceId,
+    sk,
+    configurationId: input.configurationId,
+    scope: "workspace",
+    displayName: input.key,
+    summary: input.summary,
+    vid: input.vid,
+    lastUpdated: input.lastUpdated
+  };
+}
+function isWorkspaceScopedConfiguration(params) {
+  const workspaceIsReal = typeof params.workspaceId === "string" && params.workspaceId.length > 0 && params.workspaceId !== ABSENT_WORKSPACE_SENTINEL;
+  const userIsAbsent = typeof params.userId !== "string" || params.userId.length === 0 || params.userId === ABSENT_USER_SENTINEL2;
+  return workspaceIsReal && userIsAbsent;
+}
+
 // src/data/operations/control/configuration/configuration-create-operation.ts
 var SK = "CURRENT";
 async function createConfigurationOperation(params) {
@@ -144,7 +238,28 @@ async function createConfigurationOperation(params) {
     roleId
   });
   const service = getDynamoControlService(tableName);
-  await service.entities.configuration.put({
+  const userProjectionItem = isUserScopedConfiguration(userId) ? buildConfigurationUserProjectionItem({
+    tenantId,
+    userId,
+    configurationId: id,
+    key,
+    summary,
+    vid,
+    lastUpdated
+  }) : void 0;
+  const workspaceProjectionItem = isWorkspaceScopedConfiguration({
+    workspaceId,
+    userId
+  }) ? buildConfigurationWorkspaceProjectionItem({
+    tenantId,
+    workspaceId,
+    configurationId: id,
+    key,
+    summary,
+    vid,
+    lastUpdated
+  }) : void 0;
+  const canonicalItem = {
     tenantId,
     workspaceId,
     userId,
@@ -156,7 +271,25 @@ async function createConfigurationOperation(params) {
     vid,
     lastUpdated,
     sk: SK
-  }).go();
+  };
+  const triples = [
+    { entity: "configuration", action: "put", item: canonicalItem }
+  ];
+  if (userProjectionItem) {
+    triples.push({
+      entity: "configurationUserProjection",
+      action: "put",
+      item: userProjectionItem
+    });
+  }
+  if (workspaceProjectionItem) {
+    triples.push({
+      entity: "configurationWorkspaceProjection",
+      action: "put",
+      item: workspaceProjectionItem
+    });
+  }
+  await executeMultiWrite({ service, triples });
   const resource = typeof resourcePayload === "object" ? resourcePayload : JSON.parse(resourceStr);
   return {
     id,
@@ -461,7 +594,7 @@ async function deleteConfigurationOperation(params) {
   const { tenantId, workspaceId, actorId, roleId: ctxRoleId } = context;
   const roleId = ctxRoleId ?? "-";
   const service = getDynamoControlService(tableName);
-  await service.entities.configuration.delete({
+  const existing = await service.entities.configuration.get({
     tenantId,
     workspaceId,
     userId: actorId,
@@ -469,6 +602,81 @@ async function deleteConfigurationOperation(params) {
     key: id,
     sk: SK2
   }).go();
+  if (!existing.data) {
+    return;
+  }
+  const canonicalUserId = existing.data.userId;
+  const canonicalWorkspaceId = existing.data.workspaceId;
+  const canonicalKey = existing.data.key;
+  const canonicalId = existing.data.id;
+  const userProjectionItem = isUserScopedConfiguration(canonicalUserId) ? buildConfigurationUserProjectionItem({
+    tenantId: existing.data.tenantId,
+    userId: canonicalUserId,
+    configurationId: canonicalId,
+    key: canonicalKey,
+    // The placeholder summary / vid / lastUpdated values are
+    // unused by the delete path — ElectroDB only needs the
+    // composite key fields (`userId` + `sk`) to issue the
+    // DeleteItem. Supplying them keeps the entity-validation
+    // pass happy on a `put`-shaped item if the helper ever
+    // rejects a sparse delete payload.
+    summary: "",
+    vid: "",
+    lastUpdated: ""
+  }) : void 0;
+  const workspaceProjectionItem = isWorkspaceScopedConfiguration({
+    workspaceId: canonicalWorkspaceId,
+    userId: canonicalUserId
+  }) ? buildConfigurationWorkspaceProjectionItem({
+    tenantId: existing.data.tenantId,
+    workspaceId: canonicalWorkspaceId,
+    configurationId: canonicalId,
+    key: canonicalKey,
+    // The placeholder summary / vid / lastUpdated values are
+    // unused by the delete path — ElectroDB only needs the
+    // composite key fields (`tenantId` + `workspaceId` + `sk`) to
+    // issue the DeleteItem. Supplying them keeps entity-validation
+    // happy if the helper ever rejects a sparse delete payload.
+    summary: "",
+    vid: "",
+    lastUpdated: ""
+  }) : void 0;
+  const triples = [
+    {
+      entity: "configuration",
+      action: "delete",
+      item: {
+        tenantId,
+        workspaceId,
+        userId: actorId,
+        roleId,
+        key: id,
+        sk: SK2
+      }
+    }
+  ];
+  if (userProjectionItem) {
+    triples.push({
+      entity: "configurationUserProjection",
+      action: "delete",
+      item: {
+        userId: userProjectionItem.userId,
+        sk: userProjectionItem.sk
+      }
+    });
+  }
+  if (workspaceProjectionItem) {
+    triples.push({
+      entity: "configurationWorkspaceProjection",
+      action: "delete",
+      item: {
+        tenantId: workspaceProjectionItem.tenantId,
+        workspaceId: workspaceProjectionItem.workspaceId,
+        sk: workspaceProjectionItem.sk
+      }
+    });
+  }
+  await executeMultiWrite({ service, triples });
 }
 
 // src/data/rest-api/routes/control/configuration/configuration-delete-route.ts
@@ -947,6 +1155,47 @@ async function updateConfigurationOperation(params) {
     lastUpdated,
     vid: nextVid
   }).go();
+  const canonicalUserId = existing.data.userId;
+  const canonicalWorkspaceId = existing.data.workspaceId;
+  const userProjectionItem = isUserScopedConfiguration(canonicalUserId) ? buildConfigurationUserProjectionItem({
+    tenantId,
+    userId: canonicalUserId,
+    configurationId: existing.data.id,
+    key: existing.data.key,
+    summary,
+    vid: nextVid,
+    lastUpdated
+  }) : void 0;
+  const workspaceProjectionItem = isWorkspaceScopedConfiguration({
+    workspaceId: canonicalWorkspaceId,
+    userId: canonicalUserId
+  }) ? buildConfigurationWorkspaceProjectionItem({
+    tenantId,
+    workspaceId: canonicalWorkspaceId,
+    configurationId: existing.data.id,
+    key: existing.data.key,
+    summary,
+    vid: nextVid,
+    lastUpdated
+  }) : void 0;
+  const refreshTriples = [];
+  if (userProjectionItem) {
+    refreshTriples.push({
+      entity: "configurationUserProjection",
+      action: "put",
+      item: userProjectionItem
+    });
+  }
+  if (workspaceProjectionItem) {
+    refreshTriples.push({
+      entity: "configurationWorkspaceProjection",
+      action: "put",
+      item: workspaceProjectionItem
+    });
+  }
+  if (refreshTriples.length > 0) {
+    await executeMultiWrite({ service, triples: refreshTriples });
+  }
   const parsedResource = typeof resourcePayload === "object" ? resourcePayload : JSON.parse(resourceStr);
   return {
     id: existing.data.id,
@@ -1381,7 +1630,78 @@ async function createMembershipRoute(req, res) {
 async function deleteMembershipOperation(params) {
   const { context, id, tableName } = params;
   const service = getDynamoControlService(tableName);
-  await service.entities.membership.delete({ tenantId: context.tenantId, id, sk: "CURRENT" }).go();
+  const existing = await service.entities.membership.get({ tenantId: context.tenantId, id, sk: "CURRENT" }).go();
+  if (!existing.data) {
+    return;
+  }
+  let parsed;
+  try {
+    parsed = typeof existing.data.resource === "string" ? JSON.parse(existing.data.resource) : void 0;
+  } catch {
+    parsed = void 0;
+  }
+  const userIdFromResource = parsed !== void 0 ? extractReferenceSlug(parsed, "user") : void 0;
+  const workspaceIdFromResource = parsed !== void 0 ? extractReferenceSlug(parsed, "workspace") : void 0;
+  const userProjectionItem = userIdFromResource !== void 0 ? buildMembershipUserProjectionItem({
+    tenantId: context.tenantId,
+    userId: userIdFromResource,
+    workspaceId: workspaceIdFromResource,
+    membershipId: id,
+    // The placeholder summary / vid / lastUpdated values are
+    // unused by the delete path — ElectroDB only needs the
+    // composite key fields (`userId` + `sk`) to issue the
+    // DeleteItem. Supplying them keeps the entity-validation
+    // pass happy on a `put`-shaped item if the helper ever
+    // rejects a sparse delete payload.
+    summary: "",
+    vid: "",
+    lastUpdated: "",
+    denormalizedTenantName: existing.data.denormalizedTenantName,
+    denormalizedUserName: existing.data.denormalizedUserName,
+    // The canonical row does not carry a workspace display name
+    // (TR-024 § Open Item #4); the SK builder falls back to the
+    // missing-name sentinel for the workspace-lane shape.
+    denormalizedWorkspaceName: void 0
+  }) : void 0;
+  const workspaceProjectionItem = userIdFromResource !== void 0 && workspaceIdFromResource !== void 0 ? buildMembershipWorkspaceProjectionItem({
+    tenantId: context.tenantId,
+    workspaceId: workspaceIdFromResource,
+    userId: userIdFromResource,
+    membershipId: id,
+    summary: "",
+    vid: "",
+    lastUpdated: "",
+    denormalizedUserName: existing.data.denormalizedUserName
+  }) : void 0;
+  const triples = [
+    {
+      entity: "membership",
+      action: "delete",
+      item: { tenantId: context.tenantId, id, sk: "CURRENT" }
+    }
+  ];
+  if (userProjectionItem) {
+    triples.push({
+      entity: "membershipUserProjection",
+      action: "delete",
+      item: {
+        userId: userProjectionItem.userId,
+        sk: userProjectionItem.sk
+      }
+    });
+  }
+  if (workspaceProjectionItem) {
+    triples.push({
+      entity: "membershipWorkspaceProjection",
+      action: "delete",
+      item: {
+        tenantId: workspaceProjectionItem.tenantId,
+        workspaceId: workspaceProjectionItem.workspaceId,
+        sk: workspaceProjectionItem.sk
+      }
+    });
+  }
+  await executeMultiWrite({ service, triples });
 }
 
 // src/data/rest-api/routes/control/membership/membership-delete-route.ts
@@ -1473,16 +1793,76 @@ async function updateMembershipOperation(params) {
     }
     throw e;
   }
+  const resourceRecord = resource;
+  const denormalizedTenantName = extractDenormalizedReferenceDisplay(
+    resourceRecord,
+    "tenant"
+  );
+  const denormalizedUserName = extractDenormalizedReferenceDisplay(
+    resourceRecord,
+    "user"
+  );
+  const denormalizedWorkspaceName = extractDenormalizedReferenceDisplay(
+    resourceRecord,
+    "workspace"
+  );
   const summary = JSON.stringify(extractSummary(resource));
-  await service.entities.membership.put({
+  const userIdFromResource = extractReferenceSlug(resourceRecord, "user");
+  const workspaceIdFromResource = extractReferenceSlug(
+    resourceRecord,
+    "workspace"
+  );
+  const userProjectionItem = userIdFromResource !== void 0 ? buildMembershipUserProjectionItem({
+    tenantId: context.tenantId,
+    userId: userIdFromResource,
+    workspaceId: workspaceIdFromResource,
+    membershipId: id,
+    summary,
+    vid,
+    lastUpdated,
+    denormalizedTenantName,
+    denormalizedUserName,
+    denormalizedWorkspaceName
+  }) : void 0;
+  const workspaceProjectionItem = userIdFromResource !== void 0 && workspaceIdFromResource !== void 0 ? buildMembershipWorkspaceProjectionItem({
+    tenantId: context.tenantId,
+    workspaceId: workspaceIdFromResource,
+    userId: userIdFromResource,
+    membershipId: id,
+    summary,
+    vid,
+    lastUpdated,
+    denormalizedUserName
+  }) : void 0;
+  const canonicalItem = {
     tenantId: context.tenantId,
     id,
     resource: JSON.stringify(resource),
     summary,
     vid,
     lastUpdated,
-    linkedDataIdentityRef
-  }).go();
+    linkedDataIdentityRef,
+    denormalizedTenantName,
+    denormalizedUserName
+  };
+  const triples = [
+    { entity: "membership", action: "put", item: canonicalItem }
+  ];
+  if (userProjectionItem) {
+    triples.push({
+      entity: "membershipUserProjection",
+      action: "put",
+      item: userProjectionItem
+    });
+  }
+  if (workspaceProjectionItem) {
+    triples.push({
+      entity: "membershipWorkspaceProjection",
+      action: "put",
+      item: workspaceProjectionItem
+    });
+  }
+  await executeMultiWrite({ service, triples });
   return {
     id,
     resource,
@@ -1778,7 +2158,79 @@ async function createRoleAssignmentRoute(req, res) {
 async function deleteRoleAssignmentOperation(params) {
   const { context, id, tableName } = params;
   const service = getDynamoControlService(tableName);
-  await service.entities.roleAssignment.delete({ tenantId: context.tenantId, id, sk: "CURRENT" }).go();
+  const existing = await service.entities.roleAssignment.get({ tenantId: context.tenantId, id, sk: "CURRENT" }).go();
+  if (!existing.data) {
+    return;
+  }
+  let parsed;
+  try {
+    parsed = typeof existing.data.resource === "string" ? JSON.parse(existing.data.resource) : void 0;
+  } catch {
+    parsed = void 0;
+  }
+  const userIdFromResource = parsed !== void 0 ? extractReferenceSlug2(parsed, "user") : void 0;
+  const roleIdFromResource = parsed !== void 0 ? extractReferenceSlug2(parsed, "role") : void 0;
+  const workspaceIdFromResource = parsed !== void 0 ? extractReferenceSlug2(parsed, "workspace") : void 0;
+  const userProjectionItem = userIdFromResource !== void 0 && roleIdFromResource !== void 0 ? buildRoleAssignmentUserProjectionItem({
+    tenantId: context.tenantId,
+    userId: userIdFromResource,
+    workspaceId: workspaceIdFromResource,
+    roleId: roleIdFromResource,
+    roleAssignmentId: id,
+    // The placeholder summary / vid / lastUpdated values are
+    // unused by the delete path — ElectroDB only needs the
+    // composite key fields (`userId` + `sk`) to issue the
+    // DeleteItem. Supplying them keeps the entity-validation
+    // pass happy on a `put`-shaped item if the helper ever
+    // rejects a sparse delete payload.
+    summary: "",
+    vid: "",
+    lastUpdated: "",
+    denormalizedTenantName: existing.data.denormalizedTenantName,
+    denormalizedUserName: existing.data.denormalizedUserName,
+    denormalizedRoleName: existing.data.denormalizedRoleName
+  }) : void 0;
+  const workspaceProjectionItem = userIdFromResource !== void 0 && roleIdFromResource !== void 0 && workspaceIdFromResource !== void 0 ? buildRoleAssignmentWorkspaceProjectionItem({
+    tenantId: context.tenantId,
+    workspaceId: workspaceIdFromResource,
+    userId: userIdFromResource,
+    roleId: roleIdFromResource,
+    roleAssignmentId: id,
+    summary: "",
+    vid: "",
+    lastUpdated: "",
+    denormalizedUserName: existing.data.denormalizedUserName,
+    denormalizedRoleName: existing.data.denormalizedRoleName
+  }) : void 0;
+  const triples = [
+    {
+      entity: "roleAssignment",
+      action: "delete",
+      item: { tenantId: context.tenantId, id, sk: "CURRENT" }
+    }
+  ];
+  if (userProjectionItem) {
+    triples.push({
+      entity: "roleAssignmentUserProjection",
+      action: "delete",
+      item: {
+        userId: userProjectionItem.userId,
+        sk: userProjectionItem.sk
+      }
+    });
+  }
+  if (workspaceProjectionItem) {
+    triples.push({
+      entity: "roleAssignmentWorkspaceProjection",
+      action: "delete",
+      item: {
+        tenantId: workspaceProjectionItem.tenantId,
+        workspaceId: workspaceProjectionItem.workspaceId,
+        sk: workspaceProjectionItem.sk
+      }
+    });
+  }
+  await executeMultiWrite({ service, triples });
 }
 
 // src/data/rest-api/routes/control/roleassignment/roleassignment-delete-route.ts
@@ -1870,15 +2322,80 @@ async function updateRoleAssignmentOperation(params) {
   const lastUpdated = context.date ?? (/* @__PURE__ */ new Date()).toISOString();
   const vid = `${Date.now()}`;
   const resource = { resourceType: "RoleAssignment", id, ...parsedResource };
+  const resourceRecord = resource;
+  const denormalizedTenantName = extractDenormalizedReferenceDisplay(
+    resourceRecord,
+    "tenant"
+  );
+  const denormalizedUserName = extractDenormalizedReferenceDisplay(
+    resourceRecord,
+    "user"
+  );
+  const denormalizedRoleName = extractDenormalizedReferenceDisplay(
+    resourceRecord,
+    "role"
+  );
   const summary = JSON.stringify(extractSummary3(resource));
-  await service.entities.roleAssignment.put({
+  const userIdFromResource = extractReferenceSlug2(resourceRecord, "user");
+  const roleIdFromResource = extractReferenceSlug2(resourceRecord, "role");
+  const workspaceIdFromResource = extractReferenceSlug2(
+    resourceRecord,
+    "workspace"
+  );
+  const userProjectionItem = userIdFromResource !== void 0 && roleIdFromResource !== void 0 ? buildRoleAssignmentUserProjectionItem({
+    tenantId: context.tenantId,
+    userId: userIdFromResource,
+    workspaceId: workspaceIdFromResource,
+    roleId: roleIdFromResource,
+    roleAssignmentId: id,
+    summary,
+    vid,
+    lastUpdated,
+    denormalizedTenantName,
+    denormalizedUserName,
+    denormalizedRoleName
+  }) : void 0;
+  const workspaceProjectionItem = userIdFromResource !== void 0 && roleIdFromResource !== void 0 && workspaceIdFromResource !== void 0 ? buildRoleAssignmentWorkspaceProjectionItem({
+    tenantId: context.tenantId,
+    workspaceId: workspaceIdFromResource,
+    userId: userIdFromResource,
+    roleId: roleIdFromResource,
+    roleAssignmentId: id,
+    summary,
+    vid,
+    lastUpdated,
+    denormalizedUserName,
+    denormalizedRoleName
+  }) : void 0;
+  const canonicalItem = {
     tenantId: context.tenantId,
     id,
     resource: JSON.stringify(resource),
     summary,
     vid,
-    lastUpdated
-  }).go();
+    lastUpdated,
+    denormalizedTenantName,
+    denormalizedUserName,
+    denormalizedRoleName
+  };
+  const triples = [
+    { entity: "roleAssignment", action: "put", item: canonicalItem }
+  ];
+  if (userProjectionItem) {
+    triples.push({
+      entity: "roleAssignmentUserProjection",
+      action: "put",
+      item: userProjectionItem
+    });
+  }
+  if (workspaceProjectionItem) {
+    triples.push({
+      entity: "roleAssignmentWorkspaceProjection",
+      action: "put",
+      item: workspaceProjectionItem
+    });
+  }
+  await executeMultiWrite({ service, triples });
   return {
     id,
     resource,
@@ -2233,67 +2750,830 @@ async function getUserByIdRoute(req, res) {
   }
 }
 
-// src/data/rest-api/routes/control/user/user-list-route.ts
-async function listUsersRoute(req, res) {
-  return handleListRoute({
-    req,
-    res,
-    basePath: BASE_PATH.USER,
-    listOperation: listUsersOperation,
-    errorLogContext: "GET /User list error:"
-  });
+// src/data/operations/control/configuration/configuration-list-by-user-operation.ts
+async function configurationListByUserOperation(params) {
+  const { userId, cursor = null, limit, order, tableName } = params;
+  const service = getDynamoControlService(tableName);
+  const goOptions = {
+    cursor
+  };
+  if (limit !== void 0) {
+    goOptions.limit = limit;
+  }
+  if (order !== void 0) {
+    goOptions.order = order;
+  }
+  const result = await service.entities.configurationUserProjection.query.record({ userId }).begins({ sk: "CONFIGURATION#" }).go(goOptions);
+  const items = (result.data ?? []).map((row) => ({
+    userId: row.userId,
+    sk: row.sk,
+    tenantId: row.tenantId,
+    configurationId: row.configurationId,
+    scope: "user",
+    displayName: row.displayName,
+    summary: row.summary,
+    vid: row.vid,
+    lastUpdated: row.lastUpdated
+  }));
+  return { items, cursor: result.cursor ?? null };
 }
 
-// src/data/rest-api/routes/control/user/user-update-route.ts
-async function updateUserRoute(req, res) {
-  const bodyResult = requireJsonBody(req, res);
-  if ("errorResponse" in bodyResult) return bodyResult.errorResponse;
-  const id = String(req.params.id);
-  const ctx = req.openhiContext;
-  const body = bodyResult.body;
-  try {
-    const result = await updateUserOperation({
-      context: ctx,
-      id,
-      body: {
-        resource: body?.resource
-      }
-    });
-    return res.json({ ...result.resource, meta: result.meta });
-  } catch (err) {
-    const status = domainErrorToHttpStatus(err);
-    if (status === 404) {
-      return res.status(404).json({
-        resourceType: "OperationOutcome",
-        issue: [
-          {
-            severity: "error",
-            code: "not-found",
-            diagnostics: err instanceof NotFoundError ? err.message : `User ${id} not found`
-          }
-        ]
-      });
+// src/data/operations/control/configuration/configuration-list-by-workspace-operation.ts
+async function configurationListByWorkspaceOperation(params) {
+  const {
+    tenantId,
+    workspaceId,
+    cursor = null,
+    limit,
+    order,
+    tableName
+  } = params;
+  const service = getDynamoControlService(tableName);
+  const goOptions = {
+    cursor
+  };
+  if (limit !== void 0) {
+    goOptions.limit = limit;
+  }
+  if (order !== void 0) {
+    goOptions.order = order;
+  }
+  const result = await service.entities.configurationWorkspaceProjection.query.record({ tenantId, workspaceId }).begins({ sk: "CONFIGURATION#" }).go(goOptions);
+  const items = (result.data ?? []).map((row) => ({
+    tenantId: row.tenantId,
+    workspaceId: row.workspaceId,
+    sk: row.sk,
+    configurationId: row.configurationId,
+    scope: "workspace",
+    displayName: row.displayName,
+    summary: row.summary,
+    vid: row.vid,
+    lastUpdated: row.lastUpdated
+  }));
+  return { items, cursor: result.cursor ?? null };
+}
+
+// src/data/rest-api/routes/control/cross-cutting-route-helpers.ts
+function sendInvalidQuery400(res, diagnostics) {
+  return res.status(400).json({
+    resourceType: "OperationOutcome",
+    issue: [{ severity: "error", code: "invalid", diagnostics }]
+  });
+}
+function sendForbidden403(res, diagnostics) {
+  return res.status(403).json({
+    resourceType: "OperationOutcome",
+    issue: [{ severity: "error", code: "forbidden", diagnostics }]
+  });
+}
+var COMMON_KEYS = ["cursor", "limit", "order"];
+function parseCommonListQuery(req, res, options = {}) {
+  const q = req.query ?? {};
+  const allowedKeys = /* @__PURE__ */ new Set([
+    ...COMMON_KEYS,
+    ...options.extraKeys ?? []
+  ]);
+  const extra = Object.keys(q).filter((k) => !allowedKeys.has(k));
+  if (extra.length > 0) {
+    return {
+      ok: false,
+      response: sendInvalidQuery400(
+        res,
+        `Unsupported query parameter${extra.length === 1 ? "" : "s"}: ${extra.join(", ")}.`
+      )
+    };
+  }
+  const rawCursor = q.cursor;
+  let cursor = null;
+  if (rawCursor !== void 0) {
+    if (typeof rawCursor !== "string") {
+      return {
+        ok: false,
+        response: sendInvalidQuery400(
+          res,
+          "Query parameter `cursor` must be a string."
+        )
+      };
     }
-    console.error("PUT User error:", err);
-    return res.status(500).json({
-      resourceType: "OperationOutcome",
-      issue: [
-        { severity: "error", code: "exception", diagnostics: String(err) }
-      ]
+    cursor = rawCursor;
+  }
+  const rawLimit = q.limit;
+  let limit;
+  if (rawLimit !== void 0) {
+    if (typeof rawLimit !== "string" || rawLimit.length === 0) {
+      return {
+        ok: false,
+        response: sendInvalidQuery400(
+          res,
+          "Query parameter `limit` must be a positive integer."
+        )
+      };
+    }
+    const parsed = Number(rawLimit);
+    if (!Number.isInteger(parsed) || parsed <= 0) {
+      return {
+        ok: false,
+        response: sendInvalidQuery400(
+          res,
+          "Query parameter `limit` must be a positive integer."
+        )
+      };
+    }
+    limit = parsed;
+  }
+  const rawOrder = q.order;
+  let order;
+  if (rawOrder !== void 0) {
+    if (rawOrder !== "asc" && rawOrder !== "desc") {
+      return {
+        ok: false,
+        response: sendInvalidQuery400(
+          res,
+          'Query parameter `order` must be one of "asc", "desc".'
+        )
+      };
+    }
+    order = rawOrder;
+  }
+  const value = order === void 0 ? limit === void 0 ? { cursor } : { cursor, limit } : limit === void 0 ? { cursor, order } : { cursor, limit, order };
+  return { ok: true, value };
+}
+function buildPaginationLinks(opts) {
+  const links = [
+    { relation: "self", url: composeUrl(opts.basePath, opts.query) }
+  ];
+  if (opts.nextCursor !== null && opts.nextCursor.length > 0) {
+    const nextQuery = { ...opts.query };
+    nextQuery.cursor = opts.nextCursor;
+    links.push({
+      relation: "next",
+      url: composeUrl(opts.basePath, nextQuery)
     });
   }
+  return links;
+}
+function composeUrl(basePath, query) {
+  const usp = new URLSearchParams();
+  for (const [key, value] of Object.entries(query)) {
+    if (value === void 0 || value === null) {
+      continue;
+    }
+    if (Array.isArray(value)) {
+      for (const v of value) {
+        if (v !== void 0 && v !== null) {
+          usp.append(key, String(v));
+        }
+      }
+    } else {
+      usp.append(key, String(value));
+    }
+  }
+  const qs = usp.toString();
+  return qs.length === 0 ? basePath : `${basePath}?${qs}`;
 }
 
-// src/data/rest-api/routes/control/user/user.ts
-var router6 = express6.Router();
-router6.get("/", listUsersRoute);
-router6.get("/:id", getUserByIdRoute);
-router6.post("/", createUserRoute);
-router6.put("/:id", updateUserRoute);
-router6.delete("/:id", deleteUserRoute);
-
-// src/data/rest-api/routes/control/user/user-operations.ts
-import express7 from "express";
+// src/data/rest-api/routes/control/projection-bundle-helpers.ts
+var EXT_BASE = "https://openhi.org/fhir/StructureDefinition";
+function parseProjectionSummary(summary) {
+  if (typeof summary !== "string" || summary.length === 0) {
+    return {};
+  }
+  try {
+    const parsed = JSON.parse(summary);
+    if (parsed && typeof parsed === "object" && !Array.isArray(parsed)) {
+      return parsed;
+    }
+  } catch {
+  }
+  return {};
+}
+function maybeStringExt(url, value) {
+  if (typeof value !== "string" || value.length === 0) {
+    return void 0;
+  }
+  return { url, valueString: value };
+}
+function buildMembershipUserProjectionEntryResource(row) {
+  const extensions = [
+    { url: `${EXT_BASE}/projection-tenant-id`, valueString: row.tenantId }
+  ];
+  const workspaceExt = maybeStringExt(
+    `${EXT_BASE}/projection-workspace-id`,
+    row.workspaceId
+  );
+  if (workspaceExt) {
+    extensions.push(workspaceExt);
+  }
+  const tenantNameExt = maybeStringExt(
+    `${EXT_BASE}/projection-denormalized-tenant-name`,
+    row.denormalizedTenantName
+  );
+  if (tenantNameExt) {
+    extensions.push(tenantNameExt);
+  }
+  const userNameExt = maybeStringExt(
+    `${EXT_BASE}/projection-denormalized-user-name`,
+    row.denormalizedUserName
+  );
+  if (userNameExt) {
+    extensions.push(userNameExt);
+  }
+  const workspaceNameExt = maybeStringExt(
+    `${EXT_BASE}/projection-denormalized-workspace-name`,
+    row.denormalizedWorkspaceName
+  );
+  if (workspaceNameExt) {
+    extensions.push(workspaceNameExt);
+  }
+  return {
+    resourceType: "Membership",
+    id: row.membershipId,
+    ...parseProjectionSummary(row.summary),
+    meta: { versionId: row.vid, lastUpdated: row.lastUpdated },
+    extension: extensions
+  };
+}
+function buildMembershipWorkspaceProjectionEntryResource(row) {
+  const extensions = [
+    { url: `${EXT_BASE}/projection-tenant-id`, valueString: row.tenantId },
+    {
+      url: `${EXT_BASE}/projection-workspace-id`,
+      valueString: row.workspaceId
+    }
+  ];
+  const userNameExt = maybeStringExt(
+    `${EXT_BASE}/projection-denormalized-user-name`,
+    row.denormalizedUserName
+  );
+  if (userNameExt) {
+    extensions.push(userNameExt);
+  }
+  return {
+    resourceType: "Membership",
+    id: row.membershipId,
+    ...parseProjectionSummary(row.summary),
+    meta: { versionId: row.vid, lastUpdated: row.lastUpdated },
+    extension: extensions
+  };
+}
+function buildRoleAssignmentUserProjectionEntryResource(row) {
+  const extensions = [
+    { url: `${EXT_BASE}/projection-tenant-id`, valueString: row.tenantId }
+  ];
+  const workspaceExt = maybeStringExt(
+    `${EXT_BASE}/projection-workspace-id`,
+    row.workspaceId
+  );
+  if (workspaceExt) {
+    extensions.push(workspaceExt);
+  }
+  extensions.push({
+    url: `${EXT_BASE}/projection-role-id`,
+    valueString: row.roleId
+  });
+  const tenantNameExt = maybeStringExt(
+    `${EXT_BASE}/projection-denormalized-tenant-name`,
+    row.denormalizedTenantName
+  );
+  if (tenantNameExt) {
+    extensions.push(tenantNameExt);
+  }
+  const userNameExt = maybeStringExt(
+    `${EXT_BASE}/projection-denormalized-user-name`,
+    row.denormalizedUserName
+  );
+  if (userNameExt) {
+    extensions.push(userNameExt);
+  }
+  const roleNameExt = maybeStringExt(
+    `${EXT_BASE}/projection-denormalized-role-name`,
+    row.denormalizedRoleName
+  );
+  if (roleNameExt) {
+    extensions.push(roleNameExt);
+  }
+  return {
+    resourceType: "RoleAssignment",
+    id: row.roleAssignmentId,
+    ...parseProjectionSummary(row.summary),
+    meta: { versionId: row.vid, lastUpdated: row.lastUpdated },
+    extension: extensions
+  };
+}
+function buildRoleAssignmentWorkspaceProjectionEntryResource(row) {
+  const extensions = [
+    { url: `${EXT_BASE}/projection-tenant-id`, valueString: row.tenantId },
+    {
+      url: `${EXT_BASE}/projection-workspace-id`,
+      valueString: row.workspaceId
+    },
+    { url: `${EXT_BASE}/projection-role-id`, valueString: row.roleId }
+  ];
+  const userNameExt = maybeStringExt(
+    `${EXT_BASE}/projection-denormalized-user-name`,
+    row.denormalizedUserName
+  );
+  if (userNameExt) {
+    extensions.push(userNameExt);
+  }
+  const roleNameExt = maybeStringExt(
+    `${EXT_BASE}/projection-denormalized-role-name`,
+    row.denormalizedRoleName
+  );
+  if (roleNameExt) {
+    extensions.push(roleNameExt);
+  }
+  return {
+    resourceType: "RoleAssignment",
+    id: row.roleAssignmentId,
+    ...parseProjectionSummary(row.summary),
+    meta: { versionId: row.vid, lastUpdated: row.lastUpdated },
+    extension: extensions
+  };
+}
+function buildConfigurationUserProjectionEntryResource(row) {
+  const extensions = [
+    { url: `${EXT_BASE}/projection-tenant-id`, valueString: row.tenantId },
+    { url: `${EXT_BASE}/projection-scope`, valueString: row.scope }
+  ];
+  const displayNameExt = maybeStringExt(
+    `${EXT_BASE}/projection-display-name`,
+    row.displayName
+  );
+  if (displayNameExt) {
+    extensions.push(displayNameExt);
+  }
+  return {
+    resourceType: "Configuration",
+    id: row.configurationId,
+    ...parseProjectionSummary(row.summary),
+    meta: { versionId: row.vid, lastUpdated: row.lastUpdated },
+    extension: extensions
+  };
+}
+function buildConfigurationWorkspaceProjectionEntryResource(row) {
+  const extensions = [
+    { url: `${EXT_BASE}/projection-tenant-id`, valueString: row.tenantId },
+    {
+      url: `${EXT_BASE}/projection-workspace-id`,
+      valueString: row.workspaceId
+    },
+    { url: `${EXT_BASE}/projection-scope`, valueString: row.scope }
+  ];
+  const displayNameExt = maybeStringExt(
+    `${EXT_BASE}/projection-display-name`,
+    row.displayName
+  );
+  if (displayNameExt) {
+    extensions.push(displayNameExt);
+  }
+  return {
+    resourceType: "Configuration",
+    id: row.configurationId,
+    ...parseProjectionSummary(row.summary),
+    meta: { versionId: row.vid, lastUpdated: row.lastUpdated },
+    extension: extensions
+  };
+}
+
+// src/data/rest-api/routes/control/user/user-list-configurations-route.ts
+async function listUserConfigurationsRoute(req, res) {
+  const ctx = req.openhiContext;
+  if (!ctx) {
+    return sendForbidden403(
+      res,
+      "Missing or invalid OpenHI JWT claims (tenant, workspace, or audit context)."
+    );
+  }
+  const userId = String(req.params.id);
+  if (userId !== ctx.actorId) {
+    return sendForbidden403(
+      res,
+      "Caller is not authorized to read Configurations for another User."
+    );
+  }
+  const parsed = parseCommonListQuery(req, res);
+  if (!parsed.ok) {
+    return parsed.response;
+  }
+  try {
+    const result = await configurationListByUserOperation({
+      userId,
+      cursor: parsed.value.cursor,
+      ...parsed.value.limit !== void 0 && { limit: parsed.value.limit },
+      ...parsed.value.order !== void 0 && { order: parsed.value.order }
+    });
+    const basePath = `${BASE_PATH.USER}/${userId}/Configuration`;
+    const entries = result.items.map((row) => ({
+      fullUrl: `${BASE_PATH.CONFIGURATION}/${row.configurationId}`,
+      resource: buildConfigurationUserProjectionEntryResource(row)
+    }));
+    return res.json({
+      resourceType: "Bundle",
+      type: "searchset",
+      total: entries.length,
+      link: buildPaginationLinks({
+        basePath,
+        query: req.query,
+        nextCursor: result.cursor
+      }),
+      entry: entries
+    });
+  } catch (err) {
+    return sendOperationOutcome500(
+      res,
+      err,
+      "GET /User/:id/Configuration error:"
+    );
+  }
+}
+
+// src/data/operations/control/membership/membership-list-by-workspace-operation.ts
+async function membershipListByWorkspaceOperation(params) {
+  const {
+    tenantId,
+    workspaceId,
+    cursor = null,
+    limit,
+    order,
+    tableName
+  } = params;
+  const service = getDynamoControlService(tableName);
+  const goOptions = {
+    cursor
+  };
+  if (limit !== void 0) {
+    goOptions.limit = limit;
+  }
+  if (order !== void 0) {
+    goOptions.order = order;
+  }
+  const result = await service.entities.membershipWorkspaceProjection.query.record({ tenantId, workspaceId }).begins({ sk: "MEMBERSHIP#" }).go(goOptions);
+  const items = (result.data ?? []).map((row) => ({
+    tenantId: row.tenantId,
+    workspaceId: row.workspaceId,
+    sk: row.sk,
+    userId: row.userId,
+    membershipId: row.membershipId,
+    summary: row.summary,
+    vid: row.vid,
+    lastUpdated: row.lastUpdated,
+    denormalizedUserName: row.denormalizedUserName
+  }));
+  return { items, cursor: result.cursor ?? null };
+}
+
+// src/data/rest-api/routes/control/user/user-list-memberships-route.ts
+var ALLOWED_MODES = [
+  "all",
+  "tenant",
+  "workspace",
+  "workspaceInTenant"
+];
+async function listUserMembershipsRoute(req, res) {
+  const ctx = req.openhiContext;
+  if (!ctx) {
+    return sendForbidden403(
+      res,
+      "Missing or invalid OpenHI JWT claims (tenant, workspace, or audit context)."
+    );
+  }
+  const userId = String(req.params.id);
+  if (userId !== ctx.actorId) {
+    return sendForbidden403(
+      res,
+      "Caller is not authorized to read Memberships for another User."
+    );
+  }
+  const parsed = parseCommonListQuery(req, res, {
+    extraKeys: ["mode", "tenantId"]
+  });
+  if (!parsed.ok) {
+    return parsed.response;
+  }
+  const rawMode = req.query.mode;
+  let mode = "all";
+  if (rawMode !== void 0) {
+    if (typeof rawMode !== "string" || !ALLOWED_MODES.includes(rawMode)) {
+      return sendInvalidQuery400(
+        res,
+        `Query parameter \`mode\` must be one of: ${ALLOWED_MODES.join(", ")}.`
+      );
+    }
+    mode = rawMode;
+  }
+  const rawTenantId = req.query.tenantId;
+  let tenantId;
+  if (rawTenantId !== void 0) {
+    if (typeof rawTenantId !== "string" || rawTenantId.length === 0) {
+      return sendInvalidQuery400(
+        res,
+        "Query parameter `tenantId` must be a non-empty string."
+      );
+    }
+    tenantId = rawTenantId;
+  }
+  if (mode === "workspaceInTenant" && !tenantId) {
+    return sendInvalidQuery400(
+      res,
+      'Query parameter `tenantId` is required when `mode === "workspaceInTenant"`.'
+    );
+  }
+  try {
+    const result = await membershipListByUserOperation({
+      userId,
+      mode,
+      tenantId,
+      cursor: parsed.value.cursor,
+      ...parsed.value.limit !== void 0 && { limit: parsed.value.limit },
+      ...parsed.value.order !== void 0 && { order: parsed.value.order }
+    });
+    const basePath = `${BASE_PATH.USER}/${userId}/Membership`;
+    const entries = result.items.map((row) => ({
+      fullUrl: `${BASE_PATH.MEMBERSHIP}/${row.membershipId}`,
+      resource: buildMembershipUserProjectionEntryResource(row)
+    }));
+    return res.json({
+      resourceType: "Bundle",
+      type: "searchset",
+      total: entries.length,
+      link: buildPaginationLinks({
+        basePath,
+        query: req.query,
+        nextCursor: result.cursor
+      }),
+      entry: entries
+    });
+  } catch (err) {
+    return sendOperationOutcome500(res, err, "GET /User/:id/Membership error:");
+  }
+}
+
+// src/data/operations/control/roleassignment/roleassignment-list-by-user-operation.ts
+function buildSkPrefix(mode) {
+  switch (mode) {
+    case "tenant":
+      return "ROLEASSIGNMENT#TENANT#";
+    case "workspace":
+    case "workspaceInTenant":
+      return "ROLEASSIGNMENT#WORKSPACE#";
+    case "all":
+    default:
+      return "ROLEASSIGNMENT#";
+  }
+}
+async function roleAssignmentListByUserOperation(params) {
+  const {
+    userId,
+    mode = "all",
+    tenantId,
+    workspaceId,
+    cursor = null,
+    limit,
+    order,
+    tableName
+  } = params;
+  if (mode === "workspaceInTenant" && !tenantId) {
+    throw new Error(
+      'roleAssignmentListByUserOperation: tenantId is required when mode === "workspaceInTenant"'
+    );
+  }
+  const service = getDynamoControlService(tableName);
+  const skPrefix = buildSkPrefix(mode);
+  const goOptions = {
+    cursor
+  };
+  if (limit !== void 0) {
+    goOptions.limit = limit;
+  }
+  if (order !== void 0) {
+    goOptions.order = order;
+  }
+  const baseQuery = service.entities.roleAssignmentUserProjection.query.record({ userId }).begins({ sk: skPrefix });
+  const filteredQuery = mode === "workspaceInTenant" ? baseQuery.where((attr, op) => {
+    const tenantClause = op.eq(attr.tenantId, tenantId);
+    if (workspaceId === void 0 || workspaceId.length === 0) {
+      return tenantClause;
+    }
+    return `${tenantClause} AND ${op.eq(attr.workspaceId, workspaceId)}`;
+  }) : baseQuery;
+  const result = await filteredQuery.go(goOptions);
+  const items = (result.data ?? []).map((row) => ({
+    userId: row.userId,
+    sk: row.sk,
+    tenantId: row.tenantId,
+    workspaceId: row.workspaceId,
+    roleId: row.roleId,
+    roleAssignmentId: row.roleAssignmentId,
+    summary: row.summary,
+    vid: row.vid,
+    lastUpdated: row.lastUpdated,
+    denormalizedTenantName: row.denormalizedTenantName,
+    denormalizedUserName: row.denormalizedUserName,
+    denormalizedRoleName: row.denormalizedRoleName
+  }));
+  return { items, cursor: result.cursor ?? null };
+}
+
+// src/data/operations/control/roleassignment/roleassignment-list-by-workspace-operation.ts
+function buildSkPrefix2(roleId) {
+  if (roleId === void 0 || roleId.length === 0) {
+    return "ROLEASSIGNMENT#";
+  }
+  return `ROLEASSIGNMENT#${roleId}#`;
+}
+async function roleAssignmentListByWorkspaceOperation(params) {
+  const {
+    tenantId,
+    workspaceId,
+    roleId,
+    cursor = null,
+    limit,
+    order,
+    tableName
+  } = params;
+  const service = getDynamoControlService(tableName);
+  const skPrefix = buildSkPrefix2(roleId);
+  const goOptions = {
+    cursor
+  };
+  if (limit !== void 0) {
+    goOptions.limit = limit;
+  }
+  if (order !== void 0) {
+    goOptions.order = order;
+  }
+  const result = await service.entities.roleAssignmentWorkspaceProjection.query.record({ tenantId, workspaceId }).begins({ sk: skPrefix }).go(goOptions);
+  const items = (result.data ?? []).map((row) => ({
+    tenantId: row.tenantId,
+    workspaceId: row.workspaceId,
+    sk: row.sk,
+    userId: row.userId,
+    roleId: row.roleId,
+    roleAssignmentId: row.roleAssignmentId,
+    summary: row.summary,
+    vid: row.vid,
+    lastUpdated: row.lastUpdated,
+    denormalizedUserName: row.denormalizedUserName,
+    denormalizedRoleName: row.denormalizedRoleName
+  }));
+  return { items, cursor: result.cursor ?? null };
+}
+
+// src/data/rest-api/routes/control/user/user-list-role-assignments-route.ts
+var ALLOWED_MODES2 = [
+  "all",
+  "tenant",
+  "workspace",
+  "workspaceInTenant"
+];
+async function listUserRoleAssignmentsRoute(req, res) {
+  const ctx = req.openhiContext;
+  if (!ctx) {
+    return sendForbidden403(
+      res,
+      "Missing or invalid OpenHI JWT claims (tenant, workspace, or audit context)."
+    );
+  }
+  const userId = String(req.params.id);
+  if (userId !== ctx.actorId) {
+    return sendForbidden403(
+      res,
+      "Caller is not authorized to read RoleAssignments for another User."
+    );
+  }
+  const parsed = parseCommonListQuery(req, res, {
+    extraKeys: ["mode", "tenantId"]
+  });
+  if (!parsed.ok) {
+    return parsed.response;
+  }
+  const rawMode = req.query.mode;
+  let mode = "all";
+  if (rawMode !== void 0) {
+    if (typeof rawMode !== "string" || !ALLOWED_MODES2.includes(rawMode)) {
+      return sendInvalidQuery400(
+        res,
+        `Query parameter \`mode\` must be one of: ${ALLOWED_MODES2.join(", ")}.`
+      );
+    }
+    mode = rawMode;
+  }
+  const rawTenantId = req.query.tenantId;
+  let tenantId;
+  if (rawTenantId !== void 0) {
+    if (typeof rawTenantId !== "string" || rawTenantId.length === 0) {
+      return sendInvalidQuery400(
+        res,
+        "Query parameter `tenantId` must be a non-empty string."
+      );
+    }
+    tenantId = rawTenantId;
+  }
+  if (mode === "workspaceInTenant" && !tenantId) {
+    return sendInvalidQuery400(
+      res,
+      'Query parameter `tenantId` is required when `mode === "workspaceInTenant"`.'
+    );
+  }
+  try {
+    const result = await roleAssignmentListByUserOperation({
+      userId,
+      mode,
+      tenantId,
+      cursor: parsed.value.cursor,
+      ...parsed.value.limit !== void 0 && { limit: parsed.value.limit },
+      ...parsed.value.order !== void 0 && { order: parsed.value.order }
+    });
+    const basePath = `${BASE_PATH.USER}/${userId}/RoleAssignment`;
+    const entries = result.items.map((row) => ({
+      fullUrl: `${BASE_PATH.ROLEASSIGNMENT}/${row.roleAssignmentId}`,
+      resource: buildRoleAssignmentUserProjectionEntryResource(row)
+    }));
+    return res.json({
+      resourceType: "Bundle",
+      type: "searchset",
+      total: entries.length,
+      link: buildPaginationLinks({
+        basePath,
+        query: req.query,
+        nextCursor: result.cursor
+      }),
+      entry: entries
+    });
+  } catch (err) {
+    return sendOperationOutcome500(
+      res,
+      err,
+      "GET /User/:id/RoleAssignment error:"
+    );
+  }
+}
+
+// src/data/rest-api/routes/control/user/user-list-route.ts
+async function listUsersRoute(req, res) {
+  return handleListRoute({
+    req,
+    res,
+    basePath: BASE_PATH.USER,
+    listOperation: listUsersOperation,
+    errorLogContext: "GET /User list error:"
+  });
+}
+
+// src/data/rest-api/routes/control/user/user-update-route.ts
+async function updateUserRoute(req, res) {
+  const bodyResult = requireJsonBody(req, res);
+  if ("errorResponse" in bodyResult) return bodyResult.errorResponse;
+  const id = String(req.params.id);
+  const ctx = req.openhiContext;
+  const body = bodyResult.body;
+  try {
+    const result = await updateUserOperation({
+      context: ctx,
+      id,
+      body: {
+        resource: body?.resource
+      }
+    });
+    return res.json({ ...result.resource, meta: result.meta });
+  } catch (err) {
+    const status = domainErrorToHttpStatus(err);
+    if (status === 404) {
+      return res.status(404).json({
+        resourceType: "OperationOutcome",
+        issue: [
+          {
+            severity: "error",
+            code: "not-found",
+            diagnostics: err instanceof NotFoundError ? err.message : `User ${id} not found`
+          }
+        ]
+      });
+    }
+    console.error("PUT User error:", err);
+    return res.status(500).json({
+      resourceType: "OperationOutcome",
+      issue: [
+        { severity: "error", code: "exception", diagnostics: String(err) }
+      ]
+    });
+  }
+}
+
+// src/data/rest-api/routes/control/user/user.ts
+var router6 = express6.Router();
+router6.get("/", listUsersRoute);
+router6.get("/:id", getUserByIdRoute);
+router6.post("/", createUserRoute);
+router6.put("/:id", updateUserRoute);
+router6.delete("/:id", deleteUserRoute);
+router6.get("/:id/Membership", listUserMembershipsRoute);
+router6.get("/:id/RoleAssignment", listUserRoleAssignmentsRoute);
+router6.get("/:id/Configuration", listUserConfigurationsRoute);
+
+// src/data/rest-api/routes/control/user/user-operations.ts
+import express7 from "express";
 
 // src/data/rest-api/routes/control/user/user-operation-helpers.ts
 import { getCurrentInvoke as getCurrentInvoke2 } from "@codegenie/serverless-express";
@@ -2309,15 +3589,22 @@ function getCognitoSubFromRequest(req) {
 }
 
 // src/data/rest-api/routes/control/user/user-current-route.ts
+var INCLUDE_TOKENS = [
+  "memberships",
+  "roleassignments",
+  "configurations"
+];
+var BOOTSTRAP_PROJECTION_PAGE_CAP = 100;
 async function userCurrentRoute(req, res) {
-  if (Object.keys(req.query ?? {}).length > 0) {
+  const includeResult = parseIncludeParam(req.query);
+  if (!includeResult.ok) {
     return res.status(400).json({
       resourceType: "OperationOutcome",
       issue: [
         {
           severity: "error",
           code: "invalid",
-          diagnostics: "GET /User/$current does not accept query parameters."
+          diagnostics: includeResult.diagnostics
         }
       ]
     });
@@ -2373,16 +3660,237 @@ async function userCurrentRoute(req, res) {
       });
     }
     const parsedResource = JSON.parse(found.resource);
-    res.setHeader("Cache-Control", "no-store");
-    return res.json({
+    const userResource = {
       resourceType: "User",
       id: found.id,
       ...parsedResource
+    };
+    res.setHeader("Cache-Control", "no-store");
+    const include = includeResult.include;
+    if (!include) {
+      return res.json(userResource);
+    }
+    const [memberships, roleAssignments, configurations] = await Promise.all([
+      include.memberships ? membershipListByUserOperation({
+        userId: found.id,
+        limit: BOOTSTRAP_PROJECTION_PAGE_CAP
+      }) : Promise.resolve({ items: [], cursor: null }),
+      include.roleAssignments ? roleAssignmentListByUserOperation({
+        userId: found.id,
+        limit: BOOTSTRAP_PROJECTION_PAGE_CAP
+      }) : Promise.resolve({ items: [], cursor: null }),
+      include.configurations ? configurationListByUserOperation({
+        userId: found.id,
+        limit: BOOTSTRAP_PROJECTION_PAGE_CAP
+      }) : Promise.resolve({ items: [], cursor: null })
+    ]);
+    const basePath = `${BASE_PATH.USER}/$current`;
+    const entries = [];
+    entries.push({
+      fullUrl: `${BASE_PATH.USER}/${found.id}`,
+      resource: userResource
+    });
+    for (const row of memberships.items) {
+      entries.push({
+        fullUrl: `${BASE_PATH.MEMBERSHIP}/${row.membershipId}`,
+        resource: buildMembershipEntryResource(row)
+      });
+    }
+    for (const row of roleAssignments.items) {
+      entries.push({
+        fullUrl: `${BASE_PATH.ROLEASSIGNMENT}/${row.roleAssignmentId}`,
+        resource: buildRoleAssignmentEntryResource(row)
+      });
+    }
+    for (const row of configurations.items) {
+      entries.push({
+        fullUrl: `${BASE_PATH.CONFIGURATION}/${row.configurationId}`,
+        resource: buildConfigurationEntryResource(row)
+      });
+    }
+    return res.json({
+      resourceType: "Bundle",
+      type: "searchset",
+      total: entries.length,
+      link: [{ relation: "self", url: basePath }],
+      entry: entries
     });
   } catch (err) {
     return sendOperationOutcome500(res, err, "GET /User/$current error:");
   }
 }
+function parseIncludeParam(query) {
+  const q = query ?? {};
+  const keys = Object.keys(q);
+  const extra = keys.filter((k) => k !== "include");
+  if (extra.length > 0) {
+    return {
+      ok: false,
+      diagnostics: "GET /User/$current only accepts the optional `?include=` query parameter."
+    };
+  }
+  if (keys.length === 0) {
+    return { ok: true, include: void 0 };
+  }
+  const raw = q.include;
+  if (typeof raw !== "string") {
+    return {
+      ok: false,
+      diagnostics: "GET /User/$current: `include` query parameter must be a comma-separated string."
+    };
+  }
+  const trimmed = raw.trim();
+  if (trimmed.length === 0) {
+    return {
+      ok: false,
+      diagnostics: "GET /User/$current: `include` query parameter must not be empty."
+    };
+  }
+  const tokens = trimmed.split(",").map((t) => t.trim().toLowerCase()).filter((t) => t.length > 0);
+  const include = {
+    memberships: false,
+    roleAssignments: false,
+    configurations: false
+  };
+  const allowed = INCLUDE_TOKENS;
+  const mutable = {
+    ...include
+  };
+  for (const token of tokens) {
+    if (!allowed.includes(token)) {
+      return {
+        ok: false,
+        diagnostics: `GET /User/$current: unknown \`include\` token \`${token}\`. Allowed: ${INCLUDE_TOKENS.join(", ")}.`
+      };
+    }
+    const t = token;
+    if (t === "memberships") {
+      mutable.memberships = true;
+    } else if (t === "roleassignments") {
+      mutable.roleAssignments = true;
+    } else if (t === "configurations") {
+      mutable.configurations = true;
+    }
+  }
+  return { ok: true, include: mutable };
+}
+function parseSummary(summary) {
+  if (typeof summary !== "string" || summary.length === 0) {
+    return {};
+  }
+  try {
+    const parsed = JSON.parse(summary);
+    if (parsed && typeof parsed === "object" && !Array.isArray(parsed)) {
+      return parsed;
+    }
+  } catch {
+  }
+  return {};
+}
+function buildMembershipEntryResource(row) {
+  return {
+    resourceType: "Membership",
+    id: row.membershipId,
+    ...parseSummary(row.summary),
+    meta: { versionId: row.vid, lastUpdated: row.lastUpdated },
+    extension: [
+      {
+        url: "https://openhi.org/fhir/StructureDefinition/projection-tenant-id",
+        valueString: row.tenantId
+      },
+      ...row.workspaceId ? [
+        {
+          url: "https://openhi.org/fhir/StructureDefinition/projection-workspace-id",
+          valueString: row.workspaceId
+        }
+      ] : [],
+      ...row.denormalizedTenantName ? [
+        {
+          url: "https://openhi.org/fhir/StructureDefinition/projection-denormalized-tenant-name",
+          valueString: row.denormalizedTenantName
+        }
+      ] : [],
+      ...row.denormalizedUserName ? [
+        {
+          url: "https://openhi.org/fhir/StructureDefinition/projection-denormalized-user-name",
+          valueString: row.denormalizedUserName
+        }
+      ] : [],
+      ...row.denormalizedWorkspaceName ? [
+        {
+          url: "https://openhi.org/fhir/StructureDefinition/projection-denormalized-workspace-name",
+          valueString: row.denormalizedWorkspaceName
+        }
+      ] : []
+    ]
+  };
+}
+function buildRoleAssignmentEntryResource(row) {
+  return {
+    resourceType: "RoleAssignment",
+    id: row.roleAssignmentId,
+    ...parseSummary(row.summary),
+    meta: { versionId: row.vid, lastUpdated: row.lastUpdated },
+    extension: [
+      {
+        url: "https://openhi.org/fhir/StructureDefinition/projection-tenant-id",
+        valueString: row.tenantId
+      },
+      ...row.workspaceId ? [
+        {
+          url: "https://openhi.org/fhir/StructureDefinition/projection-workspace-id",
+          valueString: row.workspaceId
+        }
+      ] : [],
+      {
+        url: "https://openhi.org/fhir/StructureDefinition/projection-role-id",
+        valueString: row.roleId
+      },
+      ...row.denormalizedTenantName ? [
+        {
+          url: "https://openhi.org/fhir/StructureDefinition/projection-denormalized-tenant-name",
+          valueString: row.denormalizedTenantName
+        }
+      ] : [],
+      ...row.denormalizedUserName ? [
+        {
+          url: "https://openhi.org/fhir/StructureDefinition/projection-denormalized-user-name",
+          valueString: row.denormalizedUserName
+        }
+      ] : [],
+      ...row.denormalizedRoleName ? [
+        {
+          url: "https://openhi.org/fhir/StructureDefinition/projection-denormalized-role-name",
+          valueString: row.denormalizedRoleName
+        }
+      ] : []
+    ]
+  };
+}
+function buildConfigurationEntryResource(row) {
+  return {
+    resourceType: "Configuration",
+    id: row.configurationId,
+    ...parseSummary(row.summary),
+    meta: { versionId: row.vid, lastUpdated: row.lastUpdated },
+    extension: [
+      {
+        url: "https://openhi.org/fhir/StructureDefinition/projection-tenant-id",
+        valueString: row.tenantId
+      },
+      {
+        url: "https://openhi.org/fhir/StructureDefinition/projection-scope",
+        valueString: row.scope
+      },
+      ...row.displayName ? [
+        {
+          url: "https://openhi.org/fhir/StructureDefinition/projection-display-name",
+          valueString: row.displayName
+        }
+      ] : []
+    ]
+  };
+}
 function hasNonEmptyBody(body) {
   if (body == null) {
     return false;
@@ -2597,6 +4105,204 @@ async function getWorkspaceByIdRoute(req, res) {
   }
 }
 
+// src/data/rest-api/routes/control/workspace/workspace-list-configurations-route.ts
+async function listWorkspaceConfigurationsRoute(req, res) {
+  const ctx = req.openhiContext;
+  if (!ctx) {
+    return sendForbidden403(
+      res,
+      "Missing or invalid OpenHI JWT claims (tenant, workspace, or audit context)."
+    );
+  }
+  const workspaceId = String(req.params.id);
+  const tenantId = ctx.tenantId;
+  const parsed = parseCommonListQuery(req, res);
+  if (!parsed.ok) {
+    return parsed.response;
+  }
+  try {
+    const memberCheck = await membershipListByUserOperation({
+      userId: ctx.actorId,
+      mode: "workspaceInTenant",
+      tenantId
+    });
+    const hasMembership = memberCheck.items.some(
+      (row) => row.workspaceId === workspaceId
+    );
+    if (!hasMembership) {
+      return sendForbidden403(
+        res,
+        `Caller is not a member of Workspace/${workspaceId} in Tenant/${tenantId}.`
+      );
+    }
+    const result = await configurationListByWorkspaceOperation({
+      tenantId,
+      workspaceId,
+      cursor: parsed.value.cursor,
+      ...parsed.value.limit !== void 0 && { limit: parsed.value.limit },
+      ...parsed.value.order !== void 0 && { order: parsed.value.order }
+    });
+    const basePath = `${BASE_PATH.WORKSPACE}/${workspaceId}/Configuration`;
+    const entries = result.items.map((row) => ({
+      fullUrl: `${BASE_PATH.CONFIGURATION}/${row.configurationId}`,
+      resource: buildConfigurationWorkspaceProjectionEntryResource(row)
+    }));
+    return res.json({
+      resourceType: "Bundle",
+      type: "searchset",
+      total: entries.length,
+      link: buildPaginationLinks({
+        basePath,
+        query: req.query,
+        nextCursor: result.cursor
+      }),
+      entry: entries
+    });
+  } catch (err) {
+    return sendOperationOutcome500(
+      res,
+      err,
+      "GET /Workspace/:id/Configuration error:"
+    );
+  }
+}
+
+// src/data/rest-api/routes/control/workspace/workspace-list-memberships-route.ts
+async function listWorkspaceMembershipsRoute(req, res) {
+  const ctx = req.openhiContext;
+  if (!ctx) {
+    return sendForbidden403(
+      res,
+      "Missing or invalid OpenHI JWT claims (tenant, workspace, or audit context)."
+    );
+  }
+  const workspaceId = String(req.params.id);
+  const tenantId = ctx.tenantId;
+  const parsed = parseCommonListQuery(req, res);
+  if (!parsed.ok) {
+    return parsed.response;
+  }
+  try {
+    const memberCheck = await membershipListByUserOperation({
+      userId: ctx.actorId,
+      mode: "workspaceInTenant",
+      tenantId
+    });
+    const hasMembership = memberCheck.items.some(
+      (row) => row.workspaceId === workspaceId
+    );
+    if (!hasMembership) {
+      return sendForbidden403(
+        res,
+        `Caller is not a member of Workspace/${workspaceId} in Tenant/${tenantId}.`
+      );
+    }
+    const result = await membershipListByWorkspaceOperation({
+      tenantId,
+      workspaceId,
+      cursor: parsed.value.cursor,
+      ...parsed.value.limit !== void 0 && { limit: parsed.value.limit },
+      ...parsed.value.order !== void 0 && { order: parsed.value.order }
+    });
+    const basePath = `${BASE_PATH.WORKSPACE}/${workspaceId}/Membership`;
+    const entries = result.items.map((row) => ({
+      fullUrl: `${BASE_PATH.MEMBERSHIP}/${row.membershipId}`,
+      resource: buildMembershipWorkspaceProjectionEntryResource(row)
+    }));
+    return res.json({
+      resourceType: "Bundle",
+      type: "searchset",
+      total: entries.length,
+      link: buildPaginationLinks({
+        basePath,
+        query: req.query,
+        nextCursor: result.cursor
+      }),
+      entry: entries
+    });
+  } catch (err) {
+    return sendOperationOutcome500(
+      res,
+      err,
+      "GET /Workspace/:id/Membership error:"
+    );
+  }
+}
+
+// src/data/rest-api/routes/control/workspace/workspace-list-role-assignments-route.ts
+async function listWorkspaceRoleAssignmentsRoute(req, res) {
+  const ctx = req.openhiContext;
+  if (!ctx) {
+    return sendForbidden403(
+      res,
+      "Missing or invalid OpenHI JWT claims (tenant, workspace, or audit context)."
+    );
+  }
+  const workspaceId = String(req.params.id);
+  const tenantId = ctx.tenantId;
+  const parsed = parseCommonListQuery(req, res, { extraKeys: ["roleId"] });
+  if (!parsed.ok) {
+    return parsed.response;
+  }
+  const rawRoleId = req.query.roleId;
+  let roleId;
+  if (rawRoleId !== void 0) {
+    if (typeof rawRoleId !== "string" || rawRoleId.length === 0) {
+      return sendInvalidQuery400(
+        res,
+        "Query parameter `roleId` must be a non-empty string."
+      );
+    }
+    roleId = rawRoleId;
+  }
+  try {
+    const memberCheck = await membershipListByUserOperation({
+      userId: ctx.actorId,
+      mode: "workspaceInTenant",
+      tenantId
+    });
+    const hasMembership = memberCheck.items.some(
+      (row) => row.workspaceId === workspaceId
+    );
+    if (!hasMembership) {
+      return sendForbidden403(
+        res,
+        `Caller is not a member of Workspace/${workspaceId} in Tenant/${tenantId}.`
+      );
+    }
+    const result = await roleAssignmentListByWorkspaceOperation({
+      tenantId,
+      workspaceId,
+      roleId,
+      cursor: parsed.value.cursor,
+      ...parsed.value.limit !== void 0 && { limit: parsed.value.limit },
+      ...parsed.value.order !== void 0 && { order: parsed.value.order }
+    });
+    const basePath = `${BASE_PATH.WORKSPACE}/${workspaceId}/RoleAssignment`;
+    const entries = result.items.map((row) => ({
+      fullUrl: `${BASE_PATH.ROLEASSIGNMENT}/${row.roleAssignmentId}`,
+      resource: buildRoleAssignmentWorkspaceProjectionEntryResource(row)
+    }));
+    return res.json({
+      resourceType: "Bundle",
+      type: "searchset",
+      total: entries.length,
+      link: buildPaginationLinks({
+        basePath,
+        query: req.query,
+        nextCursor: result.cursor
+      }),
+      entry: entries
+    });
+  } catch (err) {
+    return sendOperationOutcome500(
+      res,
+      err,
+      "GET /Workspace/:id/RoleAssignment error:"
+    );
+  }
+}
+
 // src/data/operations/control/workspace/workspace-list-operation.ts
 var SK8 = "CURRENT";
 async function listWorkspacesOperation(params) {
@@ -2717,6 +4423,9 @@ router8.get("/:id", getWorkspaceByIdRoute);
 router8.post("/", createWorkspaceRoute);
 router8.put("/:id", updateWorkspaceRoute);
 router8.delete("/:id", deleteWorkspaceRoute);
+router8.get("/:id/Membership", listWorkspaceMembershipsRoute);
+router8.get("/:id/RoleAssignment", listWorkspaceRoleAssignmentsRoute);
+router8.get("/:id/Configuration", listWorkspaceConfigurationsRoute);
 
 // src/data/rest-api/routes/data/account/account.ts
 import express9 from "express";
@@ -3727,6 +5436,7 @@ var DataApiPostgresQueryRunner = class {
     this.schema = options.schema;
   }
   async query(sql, params) {
+    await this.ensureSchemaBootstrapped();
     const out = await this.client.send(
       new ExecuteStatementCommand({
         resourceArn: this.clusterArn,
@@ -3752,6 +5462,42 @@ var DataApiPostgresQueryRunner = class {
     }
     return JSON.parse(out.formattedRecords);
   }
+  /**
+   * Run `CREATE SCHEMA / CREATE TABLE / CREATE INDEX` idempotent DDL once per
+   * runner instance. The replication Lambda's cold start does the same thing
+   * (data-store-postgres-replication.handler) but in a fresh environment with
+   * no DynamoDB writes yet the read path can be the first thing that touches
+   * the cluster — without this, every search returns
+   * `relation "<schema>.resources" does not exist` until something has been
+   * written. Memoized so subsequent queries on a warm container don't pay the
+   * DDL cost; resets the promise on failure so the next call retries.
+   *
+   * Data API's `ExecuteStatement` accepts only a single SQL statement per
+   * call, so each DDL statement from `buildSchemaBootstrapStatements` is
+   * issued individually. `IF NOT EXISTS` on every statement makes this safe
+   * to race across concurrent containers.
+   */
+  async ensureSchemaBootstrapped() {
+    if (!this.bootstrapPromise) {
+      this.bootstrapPromise = this.runBootstrap().catch((err) => {
+        this.bootstrapPromise = void 0;
+        throw err;
+      });
+    }
+    return this.bootstrapPromise;
+  }
+  async runBootstrap() {
+    for (const statement of buildSchemaBootstrapStatements(this.schema)) {
+      await this.client.send(
+        new ExecuteStatementCommand({
+          resourceArn: this.clusterArn,
+          secretArn: this.secretArn,
+          database: this.database,
+          sql: statement
+        })
+      );
+    }
+  }
 };
 function qualifyResourcesTable(sql, schema) {
   return sql.replace(