@openhi/constructs 0.0.114 → 0.0.116

package/lib/{chunk-NZRW7ROK.mjs → chunk-YYRWDEG4.mjs}

@@ -1,7 +1,7 @@
 import {
   batchGetWithRetry,
   dispatchListMode
-} from "./chunk-QMBJ4VHC.mjs";
+} from "./chunk-U7L7T4XU.mjs";
 import {
   ForbiddenError,
   NotFoundError,
@@ -304,4 +304,4 @@ export {
   idFromReference,
   switchUserTenantWorkspaceOperation
 };
-//# sourceMappingURL=chunk-NZRW7ROK.mjs.map
+//# sourceMappingURL=chunk-YYRWDEG4.mjs.map

package/lib/{chunk-KSFC72TT.mjs → chunk-ZHMHLK3S.mjs}

@@ -3,7 +3,7 @@ import {
   dispatchListMode,
   getDynamoDataService,
   listDataEntitiesByWorkspace
-} from "./chunk-QMBJ4VHC.mjs";
+} from "./chunk-U7L7T4XU.mjs";
 import {
   SHARD_COUNT,
   getDynamoControlService
@@ -93,4 +93,4 @@ export {
   listMembershipsOperation,
   listRoleAssignmentsOperation
 };
-//# sourceMappingURL=chunk-KSFC72TT.mjs.map
+//# sourceMappingURL=chunk-ZHMHLK3S.mjs.map

package/lib/{events-DPodvl07.d.mts → events-CMG8xanm.d.mts}

@@ -37,10 +37,9 @@ declare const DEMO_PERIOD: {
  * `"platform"` literal is a reserved value that never matches a real
  * Tenant id and signals "this RA scopes across all tenants".
  *
- * Renaming this constant is a wire-format break — the IAM grant in
- * `seed-demo-data-lambda.ts` enumerates exact-match `LeadingKeys`
- * computed from this value, and the in-band records written under it
- * become unreachable if the sentinel changes.
+ * Renaming this constant is a wire-format break — the handler emits
+ * RoleAssignment records keyed on this value, and the in-band records
+ * written under it become unreachable if the sentinel changes.
  */
 declare const PLATFORM_SCOPE_TENANT_ID = "platform";
 /** Placeholder Tenant id seeded by the workflow as the dev-user `currentTenant`. */
@@ -81,8 +80,8 @@ interface DemoWorkspaceSpec {
     readonly name: string;
     /**
      * Role suffix used in the demo URN value (`<scenario>:<roleSuffix>`).
-     * Mirrors seed-fixtures' role suffix convention: `workspace` for
-     * single-workspace tenants, `workspace-<sub>` for the mixed tenant.
+     * `workspace` for single-workspace tenants, `workspace-<sub>` for the
+     * mixed tenant.
      */
     readonly roleSuffix: string;
 }
@@ -95,8 +94,7 @@ interface DemoTenantSpec {
     /**
      * Scenario slug — `placeholder`, `demo-wound-care`, `demo-primary-care`,
      * `demo-mixed`. The placeholder tenant's slug is `placeholder`; the
-     * three demo tenants mirror seed-fixtures' `fixture-*` slugs renamed
-     * to `demo-*`.
+     * three demo tenants use `demo-*` slugs.
      */
     readonly scenario: string;
     /** Stable id (DynamoDB record id; also drives the canonical OHI URN). */
@@ -131,8 +129,6 @@ declare const demoMembershipId: (devUserId: string, tenantId: string) => string;
 declare const demoRoleAssignmentId: (devUserId: string, tenantId: string, roleCode: PlatformRoleCode) => string;
 /**
  * Demo-scenario FHIR `Identifier` entry — `urn:openhi:demo:<scenario>:<role>`.
- * Mirrors the `urn:openhi:fixture:<scenario>:<role>` pattern from
- * `@openhi/seed-fixtures/src/urn.ts`, renamed to the `demo` namespace.
  */
 declare const demoScenarioIdentifier: (scenario: string, roleSuffix: string) => {
     system: string;
@@ -161,47 +157,5 @@ declare const openhiResourceIdentifier: (params: {
  * is no per-(user, tenant) variance to drive from.
  */
 declare const demoRolesForUserInTenant: (_user: DemoDevUser, _tenantId: string) => ReadonlyArray<PlatformRoleCode>;
-/**
- * DynamoDB single-table partition-key builders. The IAM grant in
- * `seed-demo-data-lambda.ts` uses these to enumerate exact-match
- * `dynamodb:LeadingKeys` values; the entity definitions in
- * `data/dynamo/entities/control/` own the canonical key templates.
- *
- * These builders MUST emit the keys ElectroDB actually writes — not
- * the entity definition's pretty template. None of the control-plane
- * entities sets `casing: "none"` on the base-table PK template, so
- * ElectroDB applies its default lowercase casing at runtime: the
- * entity's `ROLE#ID#${id}` becomes `role#id#<id>` on the wire. A
- * builder that returns the uppercase template form produces a
- * silently-broken IAM grant (every PutItem denied with "no
- * identity-based policy allows" because the request's leading-key
- * never matches a policy value).
- */
-declare const rolePartitionKey: (roleId: string) => string;
-declare const demoTenantPartitionKey: (tenantId: string) => string;
-declare const demoWorkspacePartitionKey: (tenantId: string, workspaceId: string) => string;
-declare const demoMembershipPartitionKey: (tenantId: string, membershipId: string) => string;
-declare const demoRoleAssignmentPartitionKey: (tenantId: string, roleAssignmentId: string) => string;
-/** User entity PK template — `USER#ID#<id>` → `user#id#<id>` on the wire. */
-declare const demoUserPartitionKey: (userId: string) => string;
-/**
- * Tenant + Workspace PKs the workflow writes on every fire: the 4
- * tenant PKs (placeholder + 3 demo) plus their workspaces (1 + 1 + 1 + 2 = 5).
- */
-declare const demoBasePartitionKeys: () => ReadonlyArray<string>;
-/**
- * Membership + RoleAssignment + User PKs the workflow writes per dev
- * user. Empty when `devUsers` is empty (used by tests). The list
- * mirrors the handler's iteration order so the IAM grant covers every
- * write the handler can make.
- *
- * Per dev user the function emits:
- *   - one User PK,
- *   - per tenant in {@link DEMO_TENANT_SPECS}: one Membership PK plus
- *     one `tenant-admin` RoleAssignment PK,
- *   - one platform-scoped `system-admin` RoleAssignment PK keyed by
- *     {@link PLATFORM_SCOPE_TENANT_ID}.
- */
-declare const demoDevUserPartitionKeys: (devUsers: ReadonlyArray<DemoDevUser>) => ReadonlyArray<string>;
 
-export { DEMO_PERIOD as D, OPENHI_RESOURCE_URN_SYSTEM as O, PLACEHOLDER_TENANT_ID as P, SEED_DEMO_DATA_CONSUMER_NAME as S, DEMO_TENANT_SPECS as a, DEMO_URN_SYSTEM as b, DEV_USERS as c, type DemoDevUser as d, type DemoTenantSpec as e, type DemoWorkspaceSpec as f, PLACEHOLDER_WORKSPACE_ID as g, PLATFORM_SCOPE_TENANT_ID as h, demoBasePartitionKeys as i, demoDevUserPartitionKeys as j, demoMembershipId as k, demoMembershipPartitionKey as l, demoRoleAssignmentId as m, demoRoleAssignmentPartitionKey as n, demoRolesForUserInTenant as o, demoScenarioIdentifier as p, demoTenantPartitionKey as q, demoUserPartitionKey as r, demoWorkspacePartitionKey as s, openhiResourceIdentifier as t, rolePartitionKey as u };
+export { DEMO_PERIOD as D, OPENHI_RESOURCE_URN_SYSTEM as O, PLACEHOLDER_TENANT_ID as P, SEED_DEMO_DATA_CONSUMER_NAME as S, DEMO_TENANT_SPECS as a, DEMO_URN_SYSTEM as b, DEV_USERS as c, type DemoDevUser as d, type DemoTenantSpec as e, type DemoWorkspaceSpec as f, PLACEHOLDER_WORKSPACE_ID as g, PLATFORM_SCOPE_TENANT_ID as h, demoMembershipId as i, demoRoleAssignmentId as j, demoRolesForUserInTenant as k, demoScenarioIdentifier as l, openhiResourceIdentifier as o };

package/lib/{events-DPodvl07.d.ts → events-CMG8xanm.d.ts}

@@ -37,10 +37,9 @@ declare const DEMO_PERIOD: {
  * `"platform"` literal is a reserved value that never matches a real
  * Tenant id and signals "this RA scopes across all tenants".
  *
- * Renaming this constant is a wire-format break — the IAM grant in
- * `seed-demo-data-lambda.ts` enumerates exact-match `LeadingKeys`
- * computed from this value, and the in-band records written under it
- * become unreachable if the sentinel changes.
+ * Renaming this constant is a wire-format break — the handler emits
+ * RoleAssignment records keyed on this value, and the in-band records
+ * written under it become unreachable if the sentinel changes.
  */
 declare const PLATFORM_SCOPE_TENANT_ID = "platform";
 /** Placeholder Tenant id seeded by the workflow as the dev-user `currentTenant`. */
@@ -81,8 +80,8 @@ interface DemoWorkspaceSpec {
     readonly name: string;
     /**
      * Role suffix used in the demo URN value (`<scenario>:<roleSuffix>`).
-     * Mirrors seed-fixtures' role suffix convention: `workspace` for
-     * single-workspace tenants, `workspace-<sub>` for the mixed tenant.
+     * `workspace` for single-workspace tenants, `workspace-<sub>` for the
+     * mixed tenant.
      */
     readonly roleSuffix: string;
 }
@@ -95,8 +94,7 @@ interface DemoTenantSpec {
     /**
      * Scenario slug — `placeholder`, `demo-wound-care`, `demo-primary-care`,
      * `demo-mixed`. The placeholder tenant's slug is `placeholder`; the
-     * three demo tenants mirror seed-fixtures' `fixture-*` slugs renamed
-     * to `demo-*`.
+     * three demo tenants use `demo-*` slugs.
      */
     readonly scenario: string;
     /** Stable id (DynamoDB record id; also drives the canonical OHI URN). */
@@ -131,8 +129,6 @@ declare const demoMembershipId: (devUserId: string, tenantId: string) => string;
 declare const demoRoleAssignmentId: (devUserId: string, tenantId: string, roleCode: PlatformRoleCode) => string;
 /**
  * Demo-scenario FHIR `Identifier` entry — `urn:openhi:demo:<scenario>:<role>`.
- * Mirrors the `urn:openhi:fixture:<scenario>:<role>` pattern from
- * `@openhi/seed-fixtures/src/urn.ts`, renamed to the `demo` namespace.
  */
 declare const demoScenarioIdentifier: (scenario: string, roleSuffix: string) => {
     system: string;
@@ -161,47 +157,5 @@ declare const openhiResourceIdentifier: (params: {
  * is no per-(user, tenant) variance to drive from.
  */
 declare const demoRolesForUserInTenant: (_user: DemoDevUser, _tenantId: string) => ReadonlyArray<PlatformRoleCode>;
-/**
- * DynamoDB single-table partition-key builders. The IAM grant in
- * `seed-demo-data-lambda.ts` uses these to enumerate exact-match
- * `dynamodb:LeadingKeys` values; the entity definitions in
- * `data/dynamo/entities/control/` own the canonical key templates.
- *
- * These builders MUST emit the keys ElectroDB actually writes — not
- * the entity definition's pretty template. None of the control-plane
- * entities sets `casing: "none"` on the base-table PK template, so
- * ElectroDB applies its default lowercase casing at runtime: the
- * entity's `ROLE#ID#${id}` becomes `role#id#<id>` on the wire. A
- * builder that returns the uppercase template form produces a
- * silently-broken IAM grant (every PutItem denied with "no
- * identity-based policy allows" because the request's leading-key
- * never matches a policy value).
- */
-declare const rolePartitionKey: (roleId: string) => string;
-declare const demoTenantPartitionKey: (tenantId: string) => string;
-declare const demoWorkspacePartitionKey: (tenantId: string, workspaceId: string) => string;
-declare const demoMembershipPartitionKey: (tenantId: string, membershipId: string) => string;
-declare const demoRoleAssignmentPartitionKey: (tenantId: string, roleAssignmentId: string) => string;
-/** User entity PK template — `USER#ID#<id>` → `user#id#<id>` on the wire. */
-declare const demoUserPartitionKey: (userId: string) => string;
-/**
- * Tenant + Workspace PKs the workflow writes on every fire: the 4
- * tenant PKs (placeholder + 3 demo) plus their workspaces (1 + 1 + 1 + 2 = 5).
- */
-declare const demoBasePartitionKeys: () => ReadonlyArray<string>;
-/**
- * Membership + RoleAssignment + User PKs the workflow writes per dev
- * user. Empty when `devUsers` is empty (used by tests). The list
- * mirrors the handler's iteration order so the IAM grant covers every
- * write the handler can make.
- *
- * Per dev user the function emits:
- *   - one User PK,
- *   - per tenant in {@link DEMO_TENANT_SPECS}: one Membership PK plus
- *     one `tenant-admin` RoleAssignment PK,
- *   - one platform-scoped `system-admin` RoleAssignment PK keyed by
- *     {@link PLATFORM_SCOPE_TENANT_ID}.
- */
-declare const demoDevUserPartitionKeys: (devUsers: ReadonlyArray<DemoDevUser>) => ReadonlyArray<string>;
 
-export { DEMO_PERIOD as D, OPENHI_RESOURCE_URN_SYSTEM as O, PLACEHOLDER_TENANT_ID as P, SEED_DEMO_DATA_CONSUMER_NAME as S, DEMO_TENANT_SPECS as a, DEMO_URN_SYSTEM as b, DEV_USERS as c, type DemoDevUser as d, type DemoTenantSpec as e, type DemoWorkspaceSpec as f, PLACEHOLDER_WORKSPACE_ID as g, PLATFORM_SCOPE_TENANT_ID as h, demoBasePartitionKeys as i, demoDevUserPartitionKeys as j, demoMembershipId as k, demoMembershipPartitionKey as l, demoRoleAssignmentId as m, demoRoleAssignmentPartitionKey as n, demoRolesForUserInTenant as o, demoScenarioIdentifier as p, demoTenantPartitionKey as q, demoUserPartitionKey as r, demoWorkspacePartitionKey as s, openhiResourceIdentifier as t, rolePartitionKey as u };
+export { DEMO_PERIOD as D, OPENHI_RESOURCE_URN_SYSTEM as O, PLACEHOLDER_TENANT_ID as P, SEED_DEMO_DATA_CONSUMER_NAME as S, DEMO_TENANT_SPECS as a, DEMO_URN_SYSTEM as b, DEV_USERS as c, type DemoDevUser as d, type DemoTenantSpec as e, type DemoWorkspaceSpec as f, PLACEHOLDER_WORKSPACE_ID as g, PLATFORM_SCOPE_TENANT_ID as h, demoMembershipId as i, demoRoleAssignmentId as j, demoRolesForUserInTenant as k, demoScenarioIdentifier as l, openhiResourceIdentifier as o };