@openhi/constructs 0.0.117 → 0.0.119

package/lib/{chunk-QWWLM452.mjs → chunk-7WDX6GPO.mjs}

@@ -15,6 +15,7 @@ import {
   getDynamoDataService
 } from "./chunk-U7L7T4XU.mjs";
 import {
+  ConflictError,
   ValidationError
 } from "./chunk-FYHBHHWK.mjs";
 import {
@@ -42,6 +43,19 @@ function extractDenormalizedReferenceDisplay(resource, fieldName) {
   return trimmed.length > 0 ? trimmed : void 0;
 }
 
+// src/data/operations/control/membership-constraints/assert-workspace-in-tenant-operation.ts
+async function assertWorkspaceInTenantOperation(params) {
+  const { tenantId, workspaceId, tableName } = params;
+  const service = getDynamoControlService(tableName);
+  const { data: item } = await service.entities.workspace.get({ tenantId, id: workspaceId, sk: "CURRENT" }).go();
+  if (!item) {
+    throw new ConflictError(
+      `Workspace ${workspaceId} does not belong to tenant ${tenantId}; the workspace must be created in the referenced tenant before this resource can reference it.`,
+      { details: { tenantId, workspaceId } }
+    );
+  }
+}
+
 // src/data/operations/control/membership/membership-create-operation.ts
 async function createMembershipOperation(params) {
   const { context, body, tableName } = params;
@@ -82,6 +96,15 @@ async function createMembershipOperation(params) {
     resourceRecord,
     "workspace"
   );
+  if (workspaceIdFromResource !== void 0) {
+    const tenantIdFromResource = extractReferenceSlug(resourceRecord, "tenant");
+    const referencedTenantId = tenantIdFromResource ?? context.tenantId;
+    await assertWorkspaceInTenantOperation({
+      tenantId: referencedTenantId,
+      workspaceId: workspaceIdFromResource,
+      tableName
+    });
+  }
   const userProjectionItem = userIdFromResource !== void 0 ? buildMembershipUserProjectionItem({
     tenantId: context.tenantId,
     userId: userIdFromResource,
@@ -142,6 +165,23 @@ async function createMembershipOperation(params) {
 
 // src/data/operations/control/roleassignment/roleassignment-create-operation.ts
 import { extractSummary as extractSummary2 } from "@openhi/types";
+
+// src/data/operations/control/membership-constraints/assert-user-has-tenant-membership-operation.ts
+var TENANT_LANE_SK_PREFIX = "MEMBERSHIP#TENANT#";
+async function assertUserHasTenantMembershipOperation(params) {
+  const { userId, tenantId, tableName } = params;
+  const service = getDynamoControlService(tableName);
+  const result = await service.entities.membershipUserProjection.query.record({ userId }).begins({ sk: TENANT_LANE_SK_PREFIX }).go();
+  const matched = (result.data ?? []).some((row) => row.tenantId === tenantId);
+  if (!matched) {
+    throw new ConflictError(
+      `User ${userId} has no tenant-level Membership in tenant ${tenantId}; a Membership must exist before a RoleAssignment can be created.`,
+      { details: { userId, tenantId } }
+    );
+  }
+}
+
+// src/data/operations/control/roleassignment/roleassignment-create-operation.ts
 async function createRoleAssignmentOperation(params) {
   const { context, body, tableName } = params;
   const service = getDynamoControlService(tableName);
@@ -170,6 +210,22 @@ async function createRoleAssignmentOperation(params) {
     resourceRecord,
     "workspace"
   );
+  if (userIdFromResource !== void 0) {
+    const tenantIdFromResource = extractReferenceSlug2(resourceRecord, "tenant");
+    const referencedTenantId = tenantIdFromResource ?? context.tenantId;
+    await assertUserHasTenantMembershipOperation({
+      userId: userIdFromResource,
+      tenantId: referencedTenantId,
+      tableName
+    });
+    if (workspaceIdFromResource !== void 0) {
+      await assertWorkspaceInTenantOperation({
+        tenantId: referencedTenantId,
+        workspaceId: workspaceIdFromResource,
+        tableName
+      });
+    }
+  }
   const userProjectionItem = userIdFromResource !== void 0 && roleIdFromResource !== void 0 ? buildRoleAssignmentUserProjectionItem({
     tenantId: context.tenantId,
     userId: userIdFromResource,
@@ -330,4 +386,4 @@ export {
   createTenantOperation,
   createWorkspaceOperation
 };
-//# sourceMappingURL=chunk-QWWLM452.mjs.map
+//# sourceMappingURL=chunk-7WDX6GPO.mjs.map

package/lib/chunk-7WDX6GPO.mjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/data/operations/control/membership/membership-create-operation.ts","../src/data/operations/control/denormalized-display-names.ts","../src/data/operations/control/membership-constraints/assert-workspace-in-tenant-operation.ts","../src/data/operations/control/roleassignment/roleassignment-create-operation.ts","../src/data/operations/control/membership-constraints/assert-user-has-tenant-membership-operation.ts","../src/data/operations/control/tenant/tenant-create-operation.ts","../src/data/operations/control/workspace/workspace-create-operation.ts","../src/data/operations/data/organization/organization-provision-for-workspace-operation.ts"],"sourcesContent":["import {\n  assertLinkedDataIdentityCardinality,\n  extractSummary,\n  type Extension,\n  type FhirResourceLike,\n  LinkedDataIdentityCardinalityError,\n} from \"@openhi/types\";\nimport {\n  buildMembershipUserProjectionItem,\n  extractReferenceSlug,\n} from \"./membership-user-projection\";\nimport { buildMembershipWorkspaceProjectionItem } from \"./membership-workspace-projection\";\nimport { getDynamoControlService } from \"../../../dynamo/dynamo-control-service\";\nimport { ValidationError } from \"../../../errors\";\nimport { OpenHiContext } from \"../../../openhi-context\";\nimport { extractDenormalizedReferenceDisplay } from \"../denormalized-display-names\";\nimport { assertWorkspaceInTenantOperation } from \"../membership-constraints/assert-workspace-in-tenant-operation\";\nimport {\n  executeMultiWrite,\n  type MultiWriteTriple,\n} from \"../multi-write-operation\";\n\nexport interface MembershipCreateParams {\n  context: OpenHiContext;\n  body: { id?: string; resource?: Record<string, unknown> | string };\n  tableName?: string;\n}\n\nexport interface MembershipCreateResult {\n  id: string;\n  resource: { resourceType: string; id: string; [key: string]: unknown };\n  meta: { lastUpdated: string; versionId: string };\n}\n\nexport async function createMembershipOperation(\n  params: MembershipCreateParams,\n): Promise<MembershipCreateResult> {\n  const { context, body, tableName } = params;\n  const service = getDynamoControlService(tableName);\n\n  const id = body.id ?? `membership-${Date.now()}`;\n  const parsedResource =\n    typeof body.resource === \"string\"\n      ? (JSON.parse(body.resource) as Record<string, unknown>)\n      : (body.resource ?? {});\n\n  const lastUpdated = context.date ?? new Date().toISOString();\n  const vid = `1`;\n\n  const resource = { resourceType: \"Membership\", id, ...parsedResource };\n\n  let linkedDataIdentityRef: string | undefined;\n  try {\n    const ext = assertLinkedDataIdentityCardinality(\n      resource as { extension?: Array<Extension> },\n    );\n    linkedDataIdentityRef = ext?.valueReference?.reference;\n  } catch (e) {\n    if (e instanceof LinkedDataIdentityCardinalityError) {\n      throw new ValidationError(e.message, { cause: e });\n    }\n    throw e;\n  }\n\n  // TR-024 denormalized display-name attributes. The authoritative\n  // write-time source per TR-024 rule 2 is the canonical Tenant / User\n  // record's `displayName`. Until the carrier-record-lookup pass lands\n  // (#1010 follow-up), the foundational fallback (#1009) reads the\n  // FHIR Reference.display values supplied on the resource so the\n  // adjacency-list projection writer here can compose SKs from\n  // top-level attributes.\n  const resourceRecord = resource as Record<string, unknown>;\n  const denormalizedTenantName = extractDenormalizedReferenceDisplay(\n    resourceRecord,\n    \"tenant\",\n  );\n  const denormalizedUserName = extractDenormalizedReferenceDisplay(\n    resourceRecord,\n    \"user\",\n  );\n  const denormalizedWorkspaceName = extractDenormalizedReferenceDisplay(\n    resourceRecord,\n    \"workspace\",\n  );\n\n  const summary = JSON.stringify(extractSummary(resource as FhirResourceLike));\n\n  // ADR-018 patterns #2 / #3 / #4 — user- and workspace-partition\n  // projection rows. The projection's discriminating fields come from\n  // the same FHIR Reference shape the canonical row reads, so the\n  // canonical and projection writes always agree on the underlying\n  // user / workspace identifiers. Missing identifiers (no user\n  // reference at all) skip the user-projection; tenant-scoped\n  // Memberships (no workspaceId) skip the workspace-projection — the\n  // canonical row still lands either way.\n  const userIdFromResource = extractReferenceSlug(resourceRecord, \"user\");\n  const workspaceIdFromResource = extractReferenceSlug(\n    resourceRecord,\n    \"workspace\",\n  );\n\n  // ADR 2026-03-13-02 § 2 Consequences/Negative — when the resource\n  // names a workspace, that workspace must belong to the referenced\n  // tenant. Prefer the resource's `tenant.reference` (the issue's\n  // \"referenced tenant\" wording) and fall back to the context tenant\n  // when the body omits the reference. The check fires before any\n  // write so the constraint is enforced atomically with respect to\n  // the canonical row.\n  if (workspaceIdFromResource !== undefined) {\n    const tenantIdFromResource = extractReferenceSlug(resourceRecord, \"tenant\");\n    const referencedTenantId = tenantIdFromResource ?? context.tenantId;\n    await assertWorkspaceInTenantOperation({\n      tenantId: referencedTenantId,\n      workspaceId: workspaceIdFromResource,\n      tableName,\n    });\n  }\n\n  const userProjectionItem =\n    userIdFromResource !== undefined\n      ? buildMembershipUserProjectionItem({\n          tenantId: context.tenantId,\n          userId: userIdFromResource,\n          workspaceId: workspaceIdFromResource,\n          membershipId: id,\n          summary,\n          vid,\n          lastUpdated,\n          denormalizedTenantName,\n          denormalizedUserName,\n          denormalizedWorkspaceName,\n        })\n      : undefined;\n\n  const workspaceProjectionItem =\n    userIdFromResource !== undefined && workspaceIdFromResource !== undefined\n      ? buildMembershipWorkspaceProjectionItem({\n          tenantId: context.tenantId,\n          workspaceId: workspaceIdFromResource,\n          userId: userIdFromResource,\n          membershipId: id,\n          summary,\n          vid,\n          lastUpdated,\n          denormalizedUserName,\n        })\n      : undefined;\n\n  const canonicalItem = {\n    tenantId: context.tenantId,\n    id,\n    resource: JSON.stringify(resource),\n    summary,\n    vid,\n    lastUpdated,\n    linkedDataIdentityRef,\n    denormalizedTenantName,\n    denormalizedUserName,\n  };\n\n  const triples: Array<MultiWriteTriple> = [\n    { entity: \"membership\", action: \"put\", item: canonicalItem },\n  ];\n  if (userProjectionItem) {\n    triples.push({\n      entity: \"membershipUserProjection\",\n      action: \"put\",\n      item: userProjectionItem as unknown as Record<string, unknown>,\n    });\n  }\n  if (workspaceProjectionItem) {\n    triples.push({\n      entity: \"membershipWorkspaceProjection\",\n      action: \"put\",\n      item: workspaceProjectionItem as unknown as Record<string, unknown>,\n    });\n  }\n\n  await executeMultiWrite({ service, triples });\n\n  return {\n    id,\n    resource,\n    meta: { lastUpdated, versionId: vid },\n  };\n}\n","/**\n * Helpers that capture denormalized display-name attributes from an\n * incoming FHIR Reference on Membership and RoleAssignment resources.\n *\n * **Foundational implementation for TR-024.** ADR-018 § Implementation\n * Notes and TR-024 § Recommendation pin the authoritative write-time\n * source as the carrier entity's canonical `displayName` — i.e. the\n * operations layer reads the canonical Tenant / User / Role record\n * by id and copies its display name into the relationship's\n * `denormalized<CarrierEntity>Name` field on the same\n * `TransactWriteItems`. That contract is owned by the operations-layer\n * multi-write helper filed as #1010.\n *\n * This module is the **foundational fallback** that issue #1009 uses\n * before #1010 lands: it reads the display string a client already\n * supplies on the resource's `Reference.display` field. The fallback\n * keeps Membership / RoleAssignment write paths populating the new\n * top-level attributes today (so adjacency-list projection writers\n * downstream can rely on them) while letting #1010 own the canonical-\n * row lookup without re-plumbing the write paths.\n *\n * @see TR-024 — Denormalized display-name attributes\n * @see ADR-018 § Implementation Notes\n */\n\n/**\n * Returns the trimmed display string from `resource[fieldName].display`\n * when present and non-empty; otherwise returns `undefined`. Used by the\n * Membership and RoleAssignment create / update operations to populate\n * top-level `denormalized<CarrierEntity>Name` attributes from incoming\n * FHIR Reference fields.\n *\n * Field name maps to the FHIR field on the resource:\n * - `Membership.tenant` → `\"tenant\"`\n * - `Membership.user` → `\"user\"`\n * - `RoleAssignment.tenant` → `\"tenant\"`\n * - `RoleAssignment.user` → `\"user\"`\n * - `RoleAssignment.role` → `\"role\"`\n *\n * Guards against malformed payloads (non-object `field`, non-string\n * `display`, empty strings after trim) so a single bad write never\n * blocks an entity put — matching the same defensive posture\n * `gsi1skAttribute` takes for the `resource` JSON parse.\n */\nexport function extractDenormalizedReferenceDisplay(\n  resource: Record<string, unknown>,\n  fieldName: string,\n): string | undefined {\n  const field = resource[fieldName];\n  if (!field || typeof field !== \"object\") {\n    return undefined;\n  }\n  const display = (field as { display?: unknown }).display;\n  if (typeof display !== \"string\") {\n    return undefined;\n  }\n  const trimmed = display.trim();\n  return trimmed.length > 0 ? trimmed : undefined;\n}\n","import { getDynamoControlService } from \"../../../dynamo/dynamo-control-service\";\nimport { ConflictError } from \"../../../errors\";\n\n/** Inputs to {@link assertWorkspaceInTenantOperation}. */\nexport interface AssertWorkspaceInTenantParams {\n  /** Tenant the workspace must belong to. */\n  readonly tenantId: string;\n  /** Workspace id that must exist under `tenantId`. */\n  readonly workspaceId: string;\n  /** Optional table-name override; resolved via env when omitted. */\n  readonly tableName?: string;\n}\n\n/**\n * Throws {@link ConflictError} when no `Workspace` with id `workspaceId`\n * exists under `tenantId`.\n *\n * Implementation: a single base-table `get` against the Workspace entity\n * (`PK = TID#<tenantId>#WORKSPACE#ID#<workspaceId>, SK = CURRENT`). The\n * workspace's tenant is encoded into the PK by construction, so a hit\n * *is* the constraint check — there is no separate `managingOrganization`\n * comparison required.\n *\n * @see ADR 2026-03-13-02 § 2 — Consequences/Negative\n */\nexport async function assertWorkspaceInTenantOperation(\n  params: AssertWorkspaceInTenantParams,\n): Promise<void> {\n  const { tenantId, workspaceId, tableName } = params;\n  const service = getDynamoControlService(tableName);\n\n  const { data: item } = await service.entities.workspace\n    .get({ tenantId, id: workspaceId, sk: \"CURRENT\" })\n    .go();\n\n  if (!item) {\n    throw new ConflictError(\n      `Workspace ${workspaceId} does not belong to tenant ${tenantId}; the workspace must be created in the referenced tenant before this resource can reference it.`,\n      { details: { tenantId, workspaceId } },\n    );\n  }\n}\n","import { extractSummary, type FhirResourceLike } from \"@openhi/types\";\nimport {\n  buildRoleAssignmentUserProjectionItem,\n  extractReferenceSlug,\n} from \"./roleassignment-user-projection\";\nimport { buildRoleAssignmentWorkspaceProjectionItem } from \"./roleassignment-workspace-projection\";\nimport { getDynamoControlService } from \"../../../dynamo/dynamo-control-service\";\nimport { OpenHiContext } from \"../../../openhi-context\";\nimport { extractDenormalizedReferenceDisplay } from \"../denormalized-display-names\";\nimport { assertUserHasTenantMembershipOperation } from \"../membership-constraints/assert-user-has-tenant-membership-operation\";\nimport { assertWorkspaceInTenantOperation } from \"../membership-constraints/assert-workspace-in-tenant-operation\";\nimport {\n  executeMultiWrite,\n  type MultiWriteTriple,\n} from \"../multi-write-operation\";\n\nexport interface RoleAssignmentCreateParams {\n  context: OpenHiContext;\n  body: { id?: string; resource?: Record<string, unknown> | string };\n  tableName?: string;\n}\n\nexport interface RoleAssignmentCreateResult {\n  id: string;\n  resource: { resourceType: string; id: string; [key: string]: unknown };\n  meta: { lastUpdated: string; versionId: string };\n}\n\nexport async function createRoleAssignmentOperation(\n  params: RoleAssignmentCreateParams,\n): Promise<RoleAssignmentCreateResult> {\n  const { context, body, tableName } = params;\n  const service = getDynamoControlService(tableName);\n\n  const id = body.id ?? `roleassignment-${Date.now()}`;\n  const parsedResource =\n    typeof body.resource === \"string\"\n      ? (JSON.parse(body.resource) as Record<string, unknown>)\n      : (body.resource ?? {});\n\n  const lastUpdated = context.date ?? new Date().toISOString();\n  const vid = `1`;\n\n  const resource = { resourceType: \"RoleAssignment\", id, ...parsedResource };\n\n  // TR-024 denormalized display-name attributes. The authoritative\n  // write-time source per TR-024 rule 2 is the canonical Tenant / User /\n  // Role record's `displayName`. Until the carrier-record-lookup pass\n  // lands (#1010 follow-up), the foundational fallback (#1009) reads\n  // the FHIR Reference.display values supplied on the resource so the\n  // adjacency-list projection writer here can compose SKs from\n  // top-level attributes.\n  const resourceRecord = resource as Record<string, unknown>;\n  const denormalizedTenantName = extractDenormalizedReferenceDisplay(\n    resourceRecord,\n    \"tenant\",\n  );\n  const denormalizedUserName = extractDenormalizedReferenceDisplay(\n    resourceRecord,\n    \"user\",\n  );\n  const denormalizedRoleName = extractDenormalizedReferenceDisplay(\n    resourceRecord,\n    \"role\",\n  );\n\n  const summary = JSON.stringify(extractSummary(resource as FhirResourceLike));\n\n  // ADR-018 patterns #5 / #9 — user- and workspace-partition projection\n  // rows. The projection's discriminating fields come from the same\n  // FHIR Reference shape the canonical row reads, so the canonical and\n  // projection writes always agree on the underlying user / role /\n  // workspace identifiers. Missing user or role references skip the\n  // user-projection; tenant-scoped RoleAssignments (no workspaceId)\n  // skip the workspace-projection — the canonical row still lands\n  // either way.\n  const userIdFromResource = extractReferenceSlug(resourceRecord, \"user\");\n  const roleIdFromResource = extractReferenceSlug(resourceRecord, \"role\");\n  const workspaceIdFromResource = extractReferenceSlug(\n    resourceRecord,\n    \"workspace\",\n  );\n\n  // ADR 2026-03-13-02 § 2 Consequences/Negative — a RoleAssignment may\n  // only be created when the referenced user already holds a\n  // tenant-level Membership in the referenced tenant, and (when\n  // workspace-scoped) that workspace must belong to the same tenant.\n  // Prefer the resource's `tenant.reference` (the issue's \"referenced\n  // tenant\" wording) and fall back to the context tenant when the\n  // body omits the reference. Constraints fire before any write so\n  // the rejection is atomic with respect to the canonical row.\n  if (userIdFromResource !== undefined) {\n    const tenantIdFromResource = extractReferenceSlug(resourceRecord, \"tenant\");\n    const referencedTenantId = tenantIdFromResource ?? context.tenantId;\n    await assertUserHasTenantMembershipOperation({\n      userId: userIdFromResource,\n      tenantId: referencedTenantId,\n      tableName,\n    });\n    if (workspaceIdFromResource !== undefined) {\n      await assertWorkspaceInTenantOperation({\n        tenantId: referencedTenantId,\n        workspaceId: workspaceIdFromResource,\n        tableName,\n      });\n    }\n  }\n\n  const userProjectionItem =\n    userIdFromResource !== undefined && roleIdFromResource !== undefined\n      ? buildRoleAssignmentUserProjectionItem({\n          tenantId: context.tenantId,\n          userId: userIdFromResource,\n          workspaceId: workspaceIdFromResource,\n          roleId: roleIdFromResource,\n          roleAssignmentId: id,\n          summary,\n          vid,\n          lastUpdated,\n          denormalizedTenantName,\n          denormalizedUserName,\n          denormalizedRoleName,\n        })\n      : undefined;\n\n  const workspaceProjectionItem =\n    userIdFromResource !== undefined &&\n    roleIdFromResource !== undefined &&\n    workspaceIdFromResource !== undefined\n      ? buildRoleAssignmentWorkspaceProjectionItem({\n          tenantId: context.tenantId,\n          workspaceId: workspaceIdFromResource,\n          userId: userIdFromResource,\n          roleId: roleIdFromResource,\n          roleAssignmentId: id,\n          summary,\n          vid,\n          lastUpdated,\n          denormalizedUserName,\n          denormalizedRoleName,\n        })\n      : undefined;\n\n  const canonicalItem = {\n    tenantId: context.tenantId,\n    id,\n    resource: JSON.stringify(resource),\n    summary,\n    vid,\n    lastUpdated,\n    denormalizedTenantName,\n    denormalizedUserName,\n    denormalizedRoleName,\n  };\n\n  const triples: Array<MultiWriteTriple> = [\n    { entity: \"roleAssignment\", action: \"put\", item: canonicalItem },\n  ];\n  if (userProjectionItem) {\n    triples.push({\n      entity: \"roleAssignmentUserProjection\",\n      action: \"put\",\n      item: userProjectionItem as unknown as Record<string, unknown>,\n    });\n  }\n  if (workspaceProjectionItem) {\n    triples.push({\n      entity: \"roleAssignmentWorkspaceProjection\",\n      action: \"put\",\n      item: workspaceProjectionItem as unknown as Record<string, unknown>,\n    });\n  }\n\n  await executeMultiWrite({ service, triples });\n\n  return {\n    id,\n    resource,\n    meta: { lastUpdated, versionId: vid },\n  };\n}\n","import { getDynamoControlService } from \"../../../dynamo/dynamo-control-service\";\nimport { ConflictError } from \"../../../errors\";\n\n/**\n * SK prefix for the tenant-level Membership sub-lane (ADR-018 pattern #3).\n *\n * Tenant-level Memberships project under the user partition with\n * `SK = MEMBERSHIP#TENANT#<normalizedTenantName>#TID#<tenantId>#<membershipId>`.\n * Because the `<tenantId>` segment appears *after* `<normalizedTenantName>`,\n * a `begins_with` filter cannot narrow to a single tenant — we read every\n * tenant-lane row for the user and filter on the projection-row's\n * `tenantId` attribute in memory.\n */\nconst TENANT_LANE_SK_PREFIX = \"MEMBERSHIP#TENANT#\";\n\n/** Inputs to {@link assertUserHasTenantMembershipOperation}. */\nexport interface AssertUserHasTenantMembershipParams {\n  /** The user that must already be a member of `tenantId`. */\n  readonly userId: string;\n  /** The tenant the user must hold a tenant-level Membership in. */\n  readonly tenantId: string;\n  /** Optional table-name override; resolved via env when omitted. */\n  readonly tableName?: string;\n}\n\n/**\n * Throws {@link ConflictError} when `userId` has no tenant-level\n * `Membership` in `tenantId`.\n *\n * Implementation: queries the ADR-018 user-partition projection\n * (`MembershipUserProjectionEntity`) under\n * `PK = USER#ID#<userId>, SK begins_with 'MEMBERSHIP#TENANT#'` — a single\n * strongly-consistent base-table query with no GSI hop — and filters the\n * returned rows for `tenantId` in memory.\n *\n * The filter cannot be expressed as an additional `begins_with` because\n * the projection SK encodes `<normalizedTenantName>` *before* `<tenantId>`\n * (`MEMBERSHIP#TENANT#<normalizedTenantName>#TID#<tenantId>#<id>`). The\n * scan cost is bounded by the user's tenant-membership fan-out, which is\n * small by construction.\n *\n * @see ADR 2026-03-13-02 § 2 — Consequences/Negative\n * @see ADR-018 § Access Pattern Coverage (pattern #3)\n */\nexport async function assertUserHasTenantMembershipOperation(\n  params: AssertUserHasTenantMembershipParams,\n): Promise<void> {\n  const { userId, tenantId, tableName } = params;\n  const service = getDynamoControlService(tableName);\n\n  const result = await service.entities.membershipUserProjection.query\n    .record({ userId })\n    .begins({ sk: TENANT_LANE_SK_PREFIX })\n    .go();\n\n  const matched = (result.data ?? []).some((row) => row.tenantId === tenantId);\n  if (!matched) {\n    throw new ConflictError(\n      `User ${userId} has no tenant-level Membership in tenant ${tenantId}; a Membership must exist before a RoleAssignment can be created.`,\n      { details: { userId, tenantId } },\n    );\n  }\n}\n","import { extractSummary, type FhirResourceLike } from \"@openhi/types\";\nimport { getDynamoControlService } from \"../../../dynamo/dynamo-control-service\";\nimport type { OpenHiContext } from \"../../../openhi-context\";\n\nexport interface CreateTenantParams {\n  context: OpenHiContext;\n  body: {\n    id?: string;\n    resource?: Record<string, unknown> | string;\n  };\n  tableName?: string;\n}\n\nexport interface CreateTenantResult {\n  id: string;\n  resource: Record<string, unknown>;\n  meta: { lastUpdated: string; versionId: string };\n}\n\n/**\n * Creates a Tenant. Generates an id if not provided.\n */\nexport async function createTenantOperation(\n  params: CreateTenantParams,\n): Promise<CreateTenantResult> {\n  const { context, body, tableName } = params;\n  const service = getDynamoControlService(tableName);\n\n  const id = body.id ?? `tenant-${Date.now()}`;\n  const lastUpdated = context.date;\n  const vid =\n    lastUpdated.replace(/[-:T.Z]/g, \"\").slice(0, 12) || Date.now().toString(36);\n\n  const parsedResource =\n    typeof body.resource === \"string\"\n      ? (JSON.parse(body.resource) as Record<string, unknown>)\n      : (body.resource ?? {});\n\n  const resource = { resourceType: \"Tenant\", id, ...parsedResource };\n  const summary = JSON.stringify(extractSummary(resource as FhirResourceLike));\n\n  await service.entities.tenant\n    .put({\n      tenantId: id,\n      id,\n      resource: JSON.stringify(resource),\n      summary,\n      vid,\n      lastUpdated,\n    })\n    .go();\n\n  return { id, resource, meta: { lastUpdated, versionId: vid } };\n}\n","import { extractSummary, type FhirResourceLike } from \"@openhi/types\";\nimport { getDynamoControlService } from \"../../../dynamo/dynamo-control-service\";\nimport type { OpenHiContext } from \"../../../openhi-context\";\nimport { provisionOrganizationForWorkspaceOperation } from \"../../data/organization/organization-provision-for-workspace-operation\";\n\nexport interface CreateWorkspaceParams {\n  context: OpenHiContext;\n  body: {\n    id?: string;\n    resource?: Record<string, unknown> | string;\n  };\n  tableName?: string;\n}\n\nexport interface CreateWorkspaceResult {\n  id: string;\n  resource: Record<string, unknown>;\n  meta: { lastUpdated: string; versionId: string };\n}\n\n/**\n * Creates a Workspace scoped to the context tenant. Generates an id if not provided.\n */\nexport async function createWorkspaceOperation(\n  params: CreateWorkspaceParams,\n): Promise<CreateWorkspaceResult> {\n  const { context, body, tableName } = params;\n  const { tenantId } = context;\n  const service = getDynamoControlService(tableName);\n\n  const id = body.id ?? `workspace-${Date.now()}`;\n  const lastUpdated = context.date;\n  const vid =\n    lastUpdated.replace(/[-:T.Z]/g, \"\").slice(0, 12) || Date.now().toString(36);\n\n  const parsedResource =\n    typeof body.resource === \"string\"\n      ? (JSON.parse(body.resource) as Record<string, unknown>)\n      : (body.resource ?? {});\n\n  const resource = { resourceType: \"Workspace\", id, ...parsedResource };\n  const summary = JSON.stringify(extractSummary(resource as FhirResourceLike));\n\n  await service.entities.workspace\n    .put({\n      tenantId,\n      id,\n      resource: JSON.stringify(resource),\n      summary,\n      vid,\n      lastUpdated,\n    })\n    .go();\n\n  const workspaceName =\n    typeof parsedResource.name === \"string\" ? parsedResource.name : undefined;\n  await provisionOrganizationForWorkspaceOperation({\n    context,\n    workspaceId: id,\n    workspaceName,\n    tableName,\n  });\n\n  return { id, resource, meta: { lastUpdated, versionId: vid } };\n}\n","import type { Organization, Reference } from \"@openhi/types\";\nimport { getDynamoDataService } from \"../../../dynamo/dynamo-data-service\";\nimport type { OpenHiContext } from \"../../../openhi-context\";\nimport {\n  createDataEntityRecord,\n  DATA_ENTITY_SK,\n  type SingleResourceResult,\n} from \"../../data-operations-common\";\n\n/**\n * Provision the slim, id-share Organization that represents a Workspace on the data plane.\n *\n * - `Organization.id === workspaceId` (id-share with the Workspace).\n * - `name` is populated from the Workspace's name when provided.\n * - `partOf` is populated when the Workspace's Tenant has an Organization (id-share at the\n *   tenant level: `Tenant.id === TenantOrganization.id`). Tenant-level provisioning is out of\n *   scope for #1001 — the lookup returns `undefined` until Tenant Organizations exist.\n *\n * Idempotent: re-running with the same params overwrites the same PK with the same payload.\n *\n * @see https://github.com/codedrifters/openhi/issues/1001\n */\nexport interface ProvisionOrganizationForWorkspaceParams {\n  context: OpenHiContext;\n  /** Workspace id; the provisioned Organization's id equals this value. */\n  workspaceId: string;\n  /** Name to record on the Organization. Derived from the Workspace's `name` by the caller. */\n  workspaceName?: string;\n  /** Optional table name override; resolved by data service from DYNAMO_TABLE_NAME when omitted. */\n  tableName?: string;\n}\n\nexport type ProvisionOrganizationForWorkspaceResult =\n  SingleResourceResult<Organization>;\n\nexport async function provisionOrganizationForWorkspaceOperation(\n  params: ProvisionOrganizationForWorkspaceParams,\n): Promise<ProvisionOrganizationForWorkspaceResult> {\n  const { context, workspaceId, workspaceName, tableName } = params;\n  const { tenantId, date } = context;\n  const service = getDynamoDataService(tableName);\n\n  const partOf = await resolveTenantOrganizationReference(service, tenantId);\n\n  const resource: Organization = {\n    resourceType: \"Organization\",\n    id: workspaceId,\n    ...(workspaceName !== undefined && workspaceName !== \"\"\n      ? { name: workspaceName }\n      : {}),\n    ...(partOf !== undefined ? { partOf } : {}),\n    meta: {\n      lastUpdated: date,\n      versionId: \"1\",\n    },\n  };\n\n  return createDataEntityRecord<Organization>(\n    service.entities.organization as Parameters<\n      typeof createDataEntityRecord\n    >[0],\n    tenantId,\n    workspaceId,\n    workspaceId,\n    resource,\n    date,\n  );\n}\n\n/**\n * Resolve the Tenant's Organization reference for `Organization.partOf`. Returns `undefined`\n * when the Tenant has no Organization yet (the default until Tenant Organization provisioning\n * is wired up in a follow-up).\n *\n * Lookup convention: the Tenant's Organization is stored at\n * `(tenantId, workspaceId=tenantId, id=tenantId)` — a self-scope key that mirrors the\n * Workspace id-share pattern one level up. This scoping convention will be ratified by the\n * Tenant Organization provisioning issue; the OrganizationEntity comment notes strict\n * isolation requires both `tenantId` and `workspaceId`, so the self-scope is the\n * simplest deterministic location.\n */\nasync function resolveTenantOrganizationReference(\n  service: ReturnType<typeof getDynamoDataService>,\n  tenantId: string,\n): Promise<Reference | undefined> {\n  const result = await (\n    service.entities.organization as {\n      get(params: {\n        tenantId: string;\n        workspaceId: string;\n        id: string;\n        sk: string;\n      }): { go(): Promise<{ data: unknown }> };\n    }\n  )\n    .get({\n      tenantId,\n      workspaceId: tenantId,\n      id: tenantId,\n      sk: DATA_ENTITY_SK,\n    })\n    .go();\n\n  if (result.data === null || result.data === undefined) {\n    return undefined;\n  }\n\n  return { reference: `Organization/${tenantId}` };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA,EACE;AAAA,EACA;AAAA,EAGA;AAAA,OACK;;;ACsCA,SAAS,oCACd,UACA,WACoB;AACpB,QAAM,QAAQ,SAAS,SAAS;AAChC,MAAI,CAAC,SAAS,OAAO,UAAU,UAAU;AACvC,WAAO;AAAA,EACT;AACA,QAAM,UAAW,MAAgC;AACjD,MAAI,OAAO,YAAY,UAAU;AAC/B,WAAO;AAAA,EACT;AACA,QAAM,UAAU,QAAQ,KAAK;AAC7B,SAAO,QAAQ,SAAS,IAAI,UAAU;AACxC;;;ACjCA,eAAsB,iCACpB,QACe;AACf,QAAM,EAAE,UAAU,aAAa,UAAU,IAAI;AAC7C,QAAM,UAAU,wBAAwB,SAAS;AAEjD,QAAM,EAAE,MAAM,KAAK,IAAI,MAAM,QAAQ,SAAS,UAC3C,IAAI,EAAE,UAAU,IAAI,aAAa,IAAI,UAAU,CAAC,EAChD,GAAG;AAEN,MAAI,CAAC,MAAM;AACT,UAAM,IAAI;AAAA,MACR,aAAa,WAAW,8BAA8B,QAAQ;AAAA,MAC9D,EAAE,SAAS,EAAE,UAAU,YAAY,EAAE;AAAA,IACvC;AAAA,EACF;AACF;;;AFPA,eAAsB,0BACpB,QACiC;AACjC,QAAM,EAAE,SAAS,MAAM,UAAU,IAAI;AACrC,QAAM,UAAU,wBAAwB,SAAS;AAEjD,QAAM,KAAK,KAAK,MAAM,cAAc,KAAK,IAAI,CAAC;AAC9C,QAAM,iBACJ,OAAO,KAAK,aAAa,WACpB,KAAK,MAAM,KAAK,QAAQ,IACxB,KAAK,YAAY,CAAC;AAEzB,QAAM,cAAc,QAAQ,SAAQ,oBAAI,KAAK,GAAE,YAAY;AAC3D,QAAM,MAAM;AAEZ,QAAM,WAAW,EAAE,cAAc,cAAc,IAAI,GAAG,eAAe;AAErE,MAAI;AACJ,MAAI;AACF,UAAM,MAAM;AAAA,MACV;AAAA,IACF;AACA,4BAAwB,KAAK,gBAAgB;AAAA,EAC/C,SAAS,GAAG;AACV,QAAI,aAAa,oCAAoC;AACnD,YAAM,IAAI,gBAAgB,EAAE,SAAS,EAAE,OAAO,EAAE,CAAC;AAAA,IACnD;AACA,UAAM;AAAA,EACR;AASA,QAAM,iBAAiB;AACvB,QAAM,yBAAyB;AAAA,IAC7B;AAAA,IACA;AAAA,EACF;AACA,QAAM,uBAAuB;AAAA,IAC3B;AAAA,IACA;AAAA,EACF;AACA,QAAM,4BAA4B;AAAA,IAChC;AAAA,IACA;AAAA,EACF;AAEA,QAAM,UAAU,KAAK,UAAU,eAAe,QAA4B,CAAC;AAU3E,QAAM,qBAAqB,qBAAqB,gBAAgB,MAAM;AACtE,QAAM,0BAA0B;AAAA,IAC9B;AAAA,IACA;AAAA,EACF;AASA,MAAI,4BAA4B,QAAW;AACzC,UAAM,uBAAuB,qBAAqB,gBAAgB,QAAQ;AAC1E,UAAM,qBAAqB,wBAAwB,QAAQ;AAC3D,UAAM,iCAAiC;AAAA,MACrC,UAAU;AAAA,MACV,aAAa;AAAA,MACb;AAAA,IACF,CAAC;AAAA,EACH;AAEA,QAAM,qBACJ,uBAAuB,SACnB,kCAAkC;AAAA,IAChC,UAAU,QAAQ;AAAA,IAClB,QAAQ;AAAA,IACR,aAAa;AAAA,IACb,cAAc;AAAA,IACd;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF,CAAC,IACD;AAEN,QAAM,0BACJ,uBAAuB,UAAa,4BAA4B,SAC5D,uCAAuC;AAAA,IACrC,UAAU,QAAQ;AAAA,IAClB,aAAa;AAAA,IACb,QAAQ;AAAA,IACR,cAAc;AAAA,IACd;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF,CAAC,IACD;AAEN,QAAM,gBAAgB;AAAA,IACpB,UAAU,QAAQ;AAAA,IAClB;AAAA,IACA,UAAU,KAAK,UAAU,QAAQ;AAAA,IACjC;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAEA,QAAM,UAAmC;AAAA,IACvC,EAAE,QAAQ,cAAc,QAAQ,OAAO,MAAM,cAAc;AAAA,EAC7D;AACA,MAAI,oBAAoB;AACtB,YAAQ,KAAK;AAAA,MACX,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR,MAAM;AAAA,IACR,CAAC;AAAA,EACH;AACA,MAAI,yBAAyB;AAC3B,YAAQ,KAAK;AAAA,MACX,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR,MAAM;AAAA,IACR,CAAC;AAAA,EACH;AAEA,QAAM,kBAAkB,EAAE,SAAS,QAAQ,CAAC;AAE5C,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA,MAAM,EAAE,aAAa,WAAW,IAAI;AAAA,EACtC;AACF;;;AGzLA,SAAS,kBAAAA,uBAA6C;;;ACatD,IAAM,wBAAwB;AA+B9B,eAAsB,uCACpB,QACe;AACf,QAAM,EAAE,QAAQ,UAAU,UAAU,IAAI;AACxC,QAAM,UAAU,wBAAwB,SAAS;AAEjD,QAAM,SAAS,MAAM,QAAQ,SAAS,yBAAyB,MAC5D,OAAO,EAAE,OAAO,CAAC,EACjB,OAAO,EAAE,IAAI,sBAAsB,CAAC,EACpC,GAAG;AAEN,QAAM,WAAW,OAAO,QAAQ,CAAC,GAAG,KAAK,CAAC,QAAQ,IAAI,aAAa,QAAQ;AAC3E,MAAI,CAAC,SAAS;AACZ,UAAM,IAAI;AAAA,MACR,QAAQ,MAAM,6CAA6C,QAAQ;AAAA,MACnE,EAAE,SAAS,EAAE,QAAQ,SAAS,EAAE;AAAA,IAClC;AAAA,EACF;AACF;;;ADlCA,eAAsB,8BACpB,QACqC;AACrC,QAAM,EAAE,SAAS,MAAM,UAAU,IAAI;AACrC,QAAM,UAAU,wBAAwB,SAAS;AAEjD,QAAM,KAAK,KAAK,MAAM,kBAAkB,KAAK,IAAI,CAAC;AAClD,QAAM,iBACJ,OAAO,KAAK,aAAa,WACpB,KAAK,MAAM,KAAK,QAAQ,IACxB,KAAK,YAAY,CAAC;AAEzB,QAAM,cAAc,QAAQ,SAAQ,oBAAI,KAAK,GAAE,YAAY;AAC3D,QAAM,MAAM;AAEZ,QAAM,WAAW,EAAE,cAAc,kBAAkB,IAAI,GAAG,eAAe;AASzE,QAAM,iBAAiB;AACvB,QAAM,yBAAyB;AAAA,IAC7B;AAAA,IACA;AAAA,EACF;AACA,QAAM,uBAAuB;AAAA,IAC3B;AAAA,IACA;AAAA,EACF;AACA,QAAM,uBAAuB;AAAA,IAC3B;AAAA,IACA;AAAA,EACF;AAEA,QAAM,UAAU,KAAK,UAAUC,gBAAe,QAA4B,CAAC;AAU3E,QAAM,qBAAqBC,sBAAqB,gBAAgB,MAAM;AACtE,QAAM,qBAAqBA,sBAAqB,gBAAgB,MAAM;AACtE,QAAM,0BAA0BA;AAAA,IAC9B;AAAA,IACA;AAAA,EACF;AAUA,MAAI,uBAAuB,QAAW;AACpC,UAAM,uBAAuBA,sBAAqB,gBAAgB,QAAQ;AAC1E,UAAM,qBAAqB,wBAAwB,QAAQ;AAC3D,UAAM,uCAAuC;AAAA,MAC3C,QAAQ;AAAA,MACR,UAAU;AAAA,MACV;AAAA,IACF,CAAC;AACD,QAAI,4BAA4B,QAAW;AACzC,YAAM,iCAAiC;AAAA,QACrC,UAAU;AAAA,QACV,aAAa;AAAA,QACb;AAAA,MACF,CAAC;AAAA,IACH;AAAA,EACF;AAEA,QAAM,qBACJ,uBAAuB,UAAa,uBAAuB,SACvD,sCAAsC;AAAA,IACpC,UAAU,QAAQ;AAAA,IAClB,QAAQ;AAAA,IACR,aAAa;AAAA,IACb,QAAQ;AAAA,IACR,kBAAkB;AAAA,IAClB;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF,CAAC,IACD;AAEN,QAAM,0BACJ,uBAAuB,UACvB,uBAAuB,UACvB,4BAA4B,SACxB,2CAA2C;AAAA,IACzC,UAAU,QAAQ;AAAA,IAClB,aAAa;AAAA,IACb,QAAQ;AAAA,IACR,QAAQ;AAAA,IACR,kBAAkB;AAAA,IAClB;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF,CAAC,IACD;AAEN,QAAM,gBAAgB;AAAA,IACpB,UAAU,QAAQ;AAAA,IAClB;AAAA,IACA,UAAU,KAAK,UAAU,QAAQ;AAAA,IACjC;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAEA,QAAM,UAAmC;AAAA,IACvC,EAAE,QAAQ,kBAAkB,QAAQ,OAAO,MAAM,cAAc;AAAA,EACjE;AACA,MAAI,oBAAoB;AACtB,YAAQ,KAAK;AAAA,MACX,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR,MAAM;AAAA,IACR,CAAC;AAAA,EACH;AACA,MAAI,yBAAyB;AAC3B,YAAQ,KAAK;AAAA,MACX,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR,MAAM;AAAA,IACR,CAAC;AAAA,EACH;AAEA,QAAM,kBAAkB,EAAE,SAAS,QAAQ,CAAC;AAE5C,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA,MAAM,EAAE,aAAa,WAAW,IAAI;AAAA,EACtC;AACF;;;AEpLA,SAAS,kBAAAC,uBAA6C;AAsBtD,eAAsB,sBACpB,QAC6B;AAC7B,QAAM,EAAE,SAAS,MAAM,UAAU,IAAI;AACrC,QAAM,UAAU,wBAAwB,SAAS;AAEjD,QAAM,KAAK,KAAK,MAAM,UAAU,KAAK,IAAI,CAAC;AAC1C,QAAM,cAAc,QAAQ;AAC5B,QAAM,MACJ,YAAY,QAAQ,YAAY,EAAE,EAAE,MAAM,GAAG,EAAE,KAAK,KAAK,IAAI,EAAE,SAAS,EAAE;AAE5E,QAAM,iBACJ,OAAO,KAAK,aAAa,WACpB,KAAK,MAAM,KAAK,QAAQ,IACxB,KAAK,YAAY,CAAC;AAEzB,QAAM,WAAW,EAAE,cAAc,UAAU,IAAI,GAAG,eAAe;AACjE,QAAM,UAAU,KAAK,UAAUC,gBAAe,QAA4B,CAAC;AAE3E,QAAM,QAAQ,SAAS,OACpB,IAAI;AAAA,IACH,UAAU;AAAA,IACV;AAAA,IACA,UAAU,KAAK,UAAU,QAAQ;AAAA,IACjC;AAAA,IACA;AAAA,IACA;AAAA,EACF,CAAC,EACA,GAAG;AAEN,SAAO,EAAE,IAAI,UAAU,MAAM,EAAE,aAAa,WAAW,IAAI,EAAE;AAC/D;;;ACrDA,SAAS,kBAAAC,uBAA6C;;;ACmCtD,eAAsB,2CACpB,QACkD;AAClD,QAAM,EAAE,SAAS,aAAa,eAAe,UAAU,IAAI;AAC3D,QAAM,EAAE,UAAU,KAAK,IAAI;AAC3B,QAAM,UAAU,qBAAqB,SAAS;AAE9C,QAAM,SAAS,MAAM,mCAAmC,SAAS,QAAQ;AAEzE,QAAM,WAAyB;AAAA,IAC7B,cAAc;AAAA,IACd,IAAI;AAAA,IACJ,GAAI,kBAAkB,UAAa,kBAAkB,KACjD,EAAE,MAAM,cAAc,IACtB,CAAC;AAAA,IACL,GAAI,WAAW,SAAY,EAAE,OAAO,IAAI,CAAC;AAAA,IACzC,MAAM;AAAA,MACJ,aAAa;AAAA,MACb,WAAW;AAAA,IACb;AAAA,EACF;AAEA,SAAO;AAAA,IACL,QAAQ,SAAS;AAAA,IAGjB;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;AAcA,eAAe,mCACb,SACA,UACgC;AAChC,QAAM,SAAS,MACb,QAAQ,SAAS,aAShB,IAAI;AAAA,IACH;AAAA,IACA,aAAa;AAAA,IACb,IAAI;AAAA,IACJ,IAAI;AAAA,EACN,CAAC,EACA,GAAG;AAEN,MAAI,OAAO,SAAS,QAAQ,OAAO,SAAS,QAAW;AACrD,WAAO;AAAA,EACT;AAEA,SAAO,EAAE,WAAW,gBAAgB,QAAQ,GAAG;AACjD;;;ADrFA,eAAsB,yBACpB,QACgC;AAChC,QAAM,EAAE,SAAS,MAAM,UAAU,IAAI;AACrC,QAAM,EAAE,SAAS,IAAI;AACrB,QAAM,UAAU,wBAAwB,SAAS;AAEjD,QAAM,KAAK,KAAK,MAAM,aAAa,KAAK,IAAI,CAAC;AAC7C,QAAM,cAAc,QAAQ;AAC5B,QAAM,MACJ,YAAY,QAAQ,YAAY,EAAE,EAAE,MAAM,GAAG,EAAE,KAAK,KAAK,IAAI,EAAE,SAAS,EAAE;AAE5E,QAAM,iBACJ,OAAO,KAAK,aAAa,WACpB,KAAK,MAAM,KAAK,QAAQ,IACxB,KAAK,YAAY,CAAC;AAEzB,QAAM,WAAW,EAAE,cAAc,aAAa,IAAI,GAAG,eAAe;AACpE,QAAM,UAAU,KAAK,UAAUC,gBAAe,QAA4B,CAAC;AAE3E,QAAM,QAAQ,SAAS,UACpB,IAAI;AAAA,IACH;AAAA,IACA;AAAA,IACA,UAAU,KAAK,UAAU,QAAQ;AAAA,IACjC;AAAA,IACA;AAAA,IACA;AAAA,EACF,CAAC,EACA,GAAG;AAEN,QAAM,gBACJ,OAAO,eAAe,SAAS,WAAW,eAAe,OAAO;AAClE,QAAM,2CAA2C;AAAA,IAC/C;AAAA,IACA,aAAa;AAAA,IACb;AAAA,IACA;AAAA,EACF,CAAC;AAED,SAAO,EAAE,IAAI,UAAU,MAAM,EAAE,aAAa,WAAW,IAAI,EAAE;AAC/D;","names":["extractSummary","extractSummary","extractReferenceSlug","extractSummary","extractSummary","extractSummary","extractSummary"]}

package/lib/{chunk-AJQUWHFK.mjs → chunk-WXS3PUHR.mjs}

@@ -14,7 +14,7 @@ import {
   createRoleAssignmentOperation,
   createTenantOperation,
   createWorkspaceOperation
-} from "./chunk-QWWLM452.mjs";
+} from "./chunk-7WDX6GPO.mjs";
 import {
   NotFoundError
 } from "./chunk-FYHBHHWK.mjs";
@@ -932,4 +932,4 @@ export {
   productionCognitoProvisioner,
   handler
 };
-//# sourceMappingURL=chunk-AJQUWHFK.mjs.map
+//# sourceMappingURL=chunk-WXS3PUHR.mjs.map

package/lib/index.d.mts

@@ -343,6 +343,15 @@ declare abstract class OpenHiService extends Stack {
      * Short hash unique to the environment and branch combination.
      */
     readonly branchHash: string;
+    /**
+     * Branch hash computed against {@link defaultReleaseBranch} rather than
+     * {@link branchName}. On the release branch this equals {@link branchHash};
+     * on every other branch it identifies the namespace the release-branch
+     * deploy of this service writes to. Use when looking up SSM parameters
+     * that only the release-branch stack publishes (e.g. shared static-hosting
+     * bucket ARN).
+     */
+    readonly releaseBranchHash: string;
     /**
      * Short hash unique to the specific stack/service.
      */
@@ -1007,6 +1016,12 @@ declare class DiscoverableStringParameter extends StringParameter {
  * Props for the StaticContent construct.
  */
 interface StaticContentProps {
+    /**
+     * Destination bucket the content is uploaded to. Callers resolve this
+     * reference themselves so the construct doesn't need to know whether the
+     * bucket was created in the same stack or imported across branches.
+     */
+    readonly bucket: IBucket;
     /**
      * Absolute path to directory containing content for the website.
      */
@@ -1031,21 +1046,14 @@ interface StaticContentProps {
      * `<sub-domain>.<full-domain>`.
      */
     readonly fullDomain: string;
-    /**
-     * Service type used to look up the static-hosting bucket ARN via
-     * DiscoverableStringParameter.
-     *
-     * @default STATIC_HOSTING_SERVICE_TYPE ("website")
-     */
-    readonly serviceType?: string;
 }
 /**
- * Static content uploader: deploys a local directory to the static-hosting
+ * Static content uploader: deploys a local directory to a static-hosting
  * S3 bucket under `<sub-domain>.<full-domain>/<dest>` so each branch
- * deploys to its own prefix without clobbering siblings. The bucket ARN is
- * looked up via DiscoverableStringParameter so the uploader can run on a
- * feature-branch stack while the bucket itself was provisioned by the
- * release-branch service stack.
+ * deploys to its own prefix without clobbering siblings. The destination
+ * bucket is supplied by the caller, which lets the same construct run in
+ * both same-stack (release-branch) and cross-stack/cross-branch
+ * (feature-branch) contexts.
  */
 declare class StaticContent extends Construct {
     constructor(scope: Construct, id: string, props: StaticContentProps);
@@ -1956,6 +1964,17 @@ interface OpenHiWebsiteServiceProps extends OpenHiServiceProps {
      * @default - true on release branch, false otherwise
      */
     readonly createHostingInfrastructure?: boolean;
+    /**
+     * Whether to create the `StaticContent` uploader. Set to `false` to skip
+     * it entirely on every branch — used as a one-shot bootstrap toggle while
+     * the release-branch deploy of this service first creates the static-hosting
+     * bucket and writes `STATIC_HOSTING_BUCKET_ARN` to SSM. Once that
+     * parameter exists, flip back to `true` so feature-branch deploys can read
+     * it and upload content under their per-branch sub-domain folder.
+     *
+     * @default true
+     */
+    readonly createStaticContent?: boolean;
 }
 /**
  * SSM parameter name suffix for the website's full domain
@@ -2012,16 +2031,23 @@ declare class OpenHiWebsiteService extends OpenHiService {
      */
     readonly staticHosting?: StaticHosting;
     /**
-     * The content uploader, always created.
+     * The content uploader. Created on every deploy unless
+     * {@link OpenHiWebsiteServiceProps.createStaticContent} is `false`, in
+     * which case the property is `undefined` and the stack ships no
+     * `BucketDeployment`. Used during release-branch bootstrap, before the
+     * shared static-hosting bucket has been written to SSM for the first time.
      */
-    readonly staticContent: StaticContent;
+    readonly staticContent?: StaticContent;
     constructor(ohEnv: OpenHiEnvironment, props: OpenHiWebsiteServiceProps);
     /**
      * Validates that config required for the website stack is present.
      */
     protected validateConfig(props: OpenHiWebsiteServiceProps): void;
     /**
-     * Looks up the child hosted zone published by the Global service.
+     * Imports the website's hosted zone from config attributes (no SSM lookup).
+     * The website attaches DNS records here on the release-branch deploy and
+     * the same zone is imported on feature-branch deploys for any sub-domain
+     * routing.
      * Override to customize.
      */
     protected createHostedZone(): IHostedZone;
@@ -2052,8 +2078,23 @@ declare class OpenHiWebsiteService extends OpenHiService {
      * Creates the StaticContent uploader. Always created so feature-branch
      * deploys can publish content to their own sub-domain folder against the
      * release-branch bucket.
+     *
+     * The destination bucket is resolved here so the construct never has to
+     * branch on release-vs-feature: on the release branch we pass the
+     * just-created {@link staticHosting} bucket directly (no SSM round-trip
+     * within a single stack); on every other branch we look up the bucket
+     * ARN published by the release-branch deploy, addressed against
+     * {@link OpenHiService.releaseBranchHash}.
      */
     protected createStaticContent(): StaticContent;
+    /**
+     * Returns an {@link IBucket} pointing at the static-hosting bucket the
+     * uploader writes to. On the release-branch deploy this is the bucket
+     * just provisioned by {@link staticHosting}; on every other deploy it's
+     * imported from the bucket ARN the release-branch deploy publishes to
+     * SSM, addressed against {@link OpenHiService.releaseBranchHash}.
+     */
+    protected resolveStaticHostingBucket(): IBucket;
 }
 
 interface OwningDeleteCascadeLambdasProps {

package/lib/index.d.ts

@@ -980,6 +980,15 @@ declare abstract class OpenHiService extends Stack {
      * Short hash unique to the environment and branch combination.
      */
     readonly branchHash: string;
+    /**
+     * Branch hash computed against {@link defaultReleaseBranch} rather than
+     * {@link branchName}. On the release branch this equals {@link branchHash};
+     * on every other branch it identifies the namespace the release-branch
+     * deploy of this service writes to. Use when looking up SSM parameters
+     * that only the release-branch stack publishes (e.g. shared static-hosting
+     * bucket ARN).
+     */
+    readonly releaseBranchHash: string;
     /**
      * Short hash unique to the specific stack/service.
      */
@@ -1644,6 +1653,12 @@ declare class DiscoverableStringParameter extends StringParameter {
  * Props for the StaticContent construct.
  */
 interface StaticContentProps {
+    /**
+     * Destination bucket the content is uploaded to. Callers resolve this
+     * reference themselves so the construct doesn't need to know whether the
+     * bucket was created in the same stack or imported across branches.
+     */
+    readonly bucket: IBucket;
     /**
      * Absolute path to directory containing content for the website.
      */
@@ -1668,21 +1683,14 @@ interface StaticContentProps {
      * `<sub-domain>.<full-domain>`.
      */
     readonly fullDomain: string;
-    /**
-     * Service type used to look up the static-hosting bucket ARN via
-     * DiscoverableStringParameter.
-     *
-     * @default STATIC_HOSTING_SERVICE_TYPE ("website")
-     */
-    readonly serviceType?: string;
 }
 /**
- * Static content uploader: deploys a local directory to the static-hosting
+ * Static content uploader: deploys a local directory to a static-hosting
  * S3 bucket under `<sub-domain>.<full-domain>/<dest>` so each branch
- * deploys to its own prefix without clobbering siblings. The bucket ARN is
- * looked up via DiscoverableStringParameter so the uploader can run on a
- * feature-branch stack while the bucket itself was provisioned by the
- * release-branch service stack.
+ * deploys to its own prefix without clobbering siblings. The destination
+ * bucket is supplied by the caller, which lets the same construct run in
+ * both same-stack (release-branch) and cross-stack/cross-branch
+ * (feature-branch) contexts.
  */
 declare class StaticContent extends Construct {
     constructor(scope: Construct, id: string, props: StaticContentProps);
@@ -2593,6 +2601,17 @@ interface OpenHiWebsiteServiceProps extends OpenHiServiceProps {
      * @default - true on release branch, false otherwise
      */
     readonly createHostingInfrastructure?: boolean;
+    /**
+     * Whether to create the `StaticContent` uploader. Set to `false` to skip
+     * it entirely on every branch — used as a one-shot bootstrap toggle while
+     * the release-branch deploy of this service first creates the static-hosting
+     * bucket and writes `STATIC_HOSTING_BUCKET_ARN` to SSM. Once that
+     * parameter exists, flip back to `true` so feature-branch deploys can read
+     * it and upload content under their per-branch sub-domain folder.
+     *
+     * @default true
+     */
+    readonly createStaticContent?: boolean;
 }
 /**
  * SSM parameter name suffix for the website's full domain
@@ -2649,16 +2668,23 @@ declare class OpenHiWebsiteService extends OpenHiService {
      */
     readonly staticHosting?: StaticHosting;
     /**
-     * The content uploader, always created.
+     * The content uploader. Created on every deploy unless
+     * {@link OpenHiWebsiteServiceProps.createStaticContent} is `false`, in
+     * which case the property is `undefined` and the stack ships no
+     * `BucketDeployment`. Used during release-branch bootstrap, before the
+     * shared static-hosting bucket has been written to SSM for the first time.
      */
-    readonly staticContent: StaticContent;
+    readonly staticContent?: StaticContent;
     constructor(ohEnv: OpenHiEnvironment, props: OpenHiWebsiteServiceProps);
     /**
      * Validates that config required for the website stack is present.
      */
     protected validateConfig(props: OpenHiWebsiteServiceProps): void;
     /**
-     * Looks up the child hosted zone published by the Global service.
+     * Imports the website's hosted zone from config attributes (no SSM lookup).
+     * The website attaches DNS records here on the release-branch deploy and
+     * the same zone is imported on feature-branch deploys for any sub-domain
+     * routing.
      * Override to customize.
      */
     protected createHostedZone(): IHostedZone;
@@ -2689,8 +2715,23 @@ declare class OpenHiWebsiteService extends OpenHiService {
      * Creates the StaticContent uploader. Always created so feature-branch
      * deploys can publish content to their own sub-domain folder against the
      * release-branch bucket.
+     *
+     * The destination bucket is resolved here so the construct never has to
+     * branch on release-vs-feature: on the release branch we pass the
+     * just-created {@link staticHosting} bucket directly (no SSM round-trip
+     * within a single stack); on every other branch we look up the bucket
+     * ARN published by the release-branch deploy, addressed against
+     * {@link OpenHiService.releaseBranchHash}.
      */
     protected createStaticContent(): StaticContent;
+    /**
+     * Returns an {@link IBucket} pointing at the static-hosting bucket the
+     * uploader writes to. On the release-branch deploy this is the bucket
+     * just provisioned by {@link staticHosting}; on every other deploy it's
+     * imported from the bucket ARN the release-branch deploy publishes to
+     * SSM, addressed against {@link OpenHiService.releaseBranchHash}.
+     */
+    protected resolveStaticHostingBucket(): IBucket;
 }
 
 interface OwningDeleteCascadeLambdasProps {

package/lib/index.js

@@ -1127,6 +1127,16 @@ var OpenHiService = class extends import_aws_cdk_lib4.Stack {
       ),
       6
     );
+    const releaseBranchHash = (0, import_utils.hashString)(
+      [
+        appName,
+        ohEnv.deploymentTargetRole,
+        account,
+        region,
+        defaultReleaseBranch
+      ].join("-"),
+      6
+    );
     const stackHash = (0, import_utils.hashString)(
       [
         appName,
@@ -1157,6 +1167,7 @@ var OpenHiService = class extends import_aws_cdk_lib4.Stack {
     this.branchName = branchName;
     this.environmentHash = environmentHash;
     this.branchHash = branchHash;
+    this.releaseBranchHash = releaseBranchHash;
     this.stackHash = stackHash;
     this.node.setContext(
       `availability-zones:account=${account}:region=${region}`,
@@ -2286,10 +2297,31 @@ var RootHostedZone = class extends import_constructs7.Construct {
 };
 
 // src/components/static-hosting/static-content.ts
-var import_aws_s32 = require("aws-cdk-lib/aws-s3");
 var import_aws_s3_deployment = require("aws-cdk-lib/aws-s3-deployment");
 var import_change_case2 = require("change-case");
-var import_constructs9 = require("constructs");
+var import_constructs8 = require("constructs");
+var StaticContent = class extends import_constructs8.Construct {
+  constructor(scope, id, props) {
+    super(scope, id);
+    const stack = OpenHiService.of(scope);
+    const {
+      bucket,
+      contentSourceDirectory,
+      contentDestinationDirectory = "/",
+      subDomain = stack.branchName,
+      fullDomain
+    } = props;
+    const keyPrefix = [(0, import_change_case2.paramCase)(subDomain), fullDomain].join(".");
+    const isTestEnv = process.env.JEST_WORKER_ID !== void 0;
+    const sources = isTestEnv ? [] : [import_aws_s3_deployment.Source.asset(contentSourceDirectory)];
+    new import_aws_s3_deployment.BucketDeployment(this, "deploy", {
+      sources,
+      destinationBucket: bucket,
+      retainOnDelete: false,
+      destinationKeyPrefix: `${keyPrefix}${contentDestinationDirectory}`
+    });
+  }
+};
 
 // src/components/static-hosting/static-hosting.ts
 var fs6 = __toESM(require("fs"));
@@ -2303,9 +2335,9 @@ var import_aws_logs = require("aws-cdk-lib/aws-logs");
 var import_aws_route532 = require("aws-cdk-lib/aws-route53");
 var import_aws_route53_targets = require("aws-cdk-lib/aws-route53-targets");
 var import_aws_s3 = require("aws-cdk-lib/aws-s3");
-var import_constructs8 = require("constructs");
+var import_constructs9 = require("constructs");
 var STATIC_HOSTING_SERVICE_TYPE = "website";
-var _StaticHosting = class _StaticHosting extends import_constructs8.Construct {
+var _StaticHosting = class _StaticHosting extends import_constructs9.Construct {
   constructor(scope, id, props = {}) {
     super(scope, id);
     const stack = OpenHiService.of(scope);
@@ -2441,35 +2473,6 @@ _StaticHosting.SSM_PARAM_NAME_DISTRIBUTION_DOMAIN = "STATIC_HOSTING_DISTRIBUTION
 _StaticHosting.SSM_PARAM_NAME_DISTRIBUTION_ID = "STATIC_HOSTING_DISTRIBUTION_ID";
 var StaticHosting = _StaticHosting;
 
-// src/components/static-hosting/static-content.ts
-var StaticContent = class extends import_constructs9.Construct {
-  constructor(scope, id, props) {
-    super(scope, id);
-    const stack = OpenHiService.of(scope);
-    const {
-      contentSourceDirectory,
-      contentDestinationDirectory = "/",
-      subDomain = stack.branchName,
-      fullDomain,
-      serviceType = STATIC_HOSTING_SERVICE_TYPE
-    } = props;
-    const keyPrefix = [(0, import_change_case2.paramCase)(subDomain), fullDomain].join(".");
-    const bucketArn = DiscoverableStringParameter.valueForLookupName(this, {
-      ssmParamName: StaticHosting.SSM_PARAM_NAME_BUCKET_ARN,
-      serviceType
-    });
-    const bucket = import_aws_s32.Bucket.fromBucketArn(this, "bucket", bucketArn);
-    const isTestEnv = process.env.JEST_WORKER_ID !== void 0;
-    const sources = isTestEnv ? [] : [import_aws_s3_deployment.Source.asset(contentSourceDirectory)];
-    new import_aws_s3_deployment.BucketDeployment(this, "deploy", {
-      sources,
-      destinationBucket: bucket,
-      retainOnDelete: false,
-      destinationKeyPrefix: `${keyPrefix}${contentDestinationDirectory}`
-    });
-  }
-};
-
 // src/services/open-hi-auth-service.ts
 var import_aws_cognito4 = require("aws-cdk-lib/aws-cognito");
 var import_aws_iam6 = require("aws-cdk-lib/aws-iam");
@@ -7180,6 +7183,7 @@ _OpenHiGraphqlService.SERVICE_TYPE = "graphql-api";
 var OpenHiGraphqlService = _OpenHiGraphqlService;
 
 // src/services/open-hi-website-service.ts
+var import_aws_s32 = require("aws-cdk-lib/aws-s3");
 var SSM_PARAM_NAME_FULL_DOMAIN = "WEBSITE_FULL_DOMAIN";
 var _OpenHiWebsiteService = class _OpenHiWebsiteService extends OpenHiService {
   /**
@@ -7250,7 +7254,9 @@ var _OpenHiWebsiteService = class _OpenHiWebsiteService extends OpenHiService {
       });
       this.createFullDomainParameter();
     }
-    this.staticContent = this.createStaticContent();
+    if (props.createStaticContent !== false) {
+      this.staticContent = this.createStaticContent();
+    }
   }
   /**
    * Validates that config required for the website stack is present.
@@ -7263,14 +7269,21 @@ var _OpenHiWebsiteService = class _OpenHiWebsiteService extends OpenHiService {
     if (!config.zoneName) {
       throw new Error("Zone name is required");
     }
+    if (!config.hostedZoneId) {
+      throw new Error("Hosted zone ID is required to import the website zone");
+    }
   }
   /**
-   * Looks up the child hosted zone published by the Global service.
+   * Imports the website's hosted zone from config attributes (no SSM lookup).
+   * The website attaches DNS records here on the release-branch deploy and
+   * the same zone is imported on feature-branch deploys for any sub-domain
+   * routing.
    * Override to customize.
    */
   createHostedZone() {
-    return OpenHiGlobalService.childHostedZoneFromConstruct(this, {
-      zoneName: this.config.zoneName
+    return OpenHiGlobalService.rootHostedZoneFromConstruct(this, {
+      zoneName: this.config.zoneName,
+      hostedZoneId: this.config.hostedZoneId
     });
   }
   /**
@@ -7317,15 +7330,40 @@ var _OpenHiWebsiteService = class _OpenHiWebsiteService extends OpenHiService {
    * Creates the StaticContent uploader. Always created so feature-branch
    * deploys can publish content to their own sub-domain folder against the
    * release-branch bucket.
+   *
+   * The destination bucket is resolved here so the construct never has to
+   * branch on release-vs-feature: on the release branch we pass the
+   * just-created {@link staticHosting} bucket directly (no SSM round-trip
+   * within a single stack); on every other branch we look up the bucket
+   * ARN published by the release-branch deploy, addressed against
+   * {@link OpenHiService.releaseBranchHash}.
    */
   createStaticContent() {
     const { contentSourceDirectory, contentDestinationDirectory } = this.props;
     return new StaticContent(this, "static-content", {
+      bucket: this.resolveStaticHostingBucket(),
       contentSourceDirectory,
       contentDestinationDirectory,
-      fullDomain: this.fullDomain,
-      serviceType: _OpenHiWebsiteService.SERVICE_TYPE
+      fullDomain: this.fullDomain
+    });
+  }
+  /**
+   * Returns an {@link IBucket} pointing at the static-hosting bucket the
+   * uploader writes to. On the release-branch deploy this is the bucket
+   * just provisioned by {@link staticHosting}; on every other deploy it's
+   * imported from the bucket ARN the release-branch deploy publishes to
+   * SSM, addressed against {@link OpenHiService.releaseBranchHash}.
+   */
+  resolveStaticHostingBucket() {
+    if (this.staticHosting) {
+      return this.staticHosting.bucket;
+    }
+    const bucketArn = DiscoverableStringParameter.valueForLookupName(this, {
+      ssmParamName: StaticHosting.SSM_PARAM_NAME_BUCKET_ARN,
+      serviceType: _OpenHiWebsiteService.SERVICE_TYPE,
+      branchHash: this.releaseBranchHash
     });
+    return import_aws_s32.Bucket.fromBucketArn(this, "shared-bucket", bucketArn);
   }
 };
 _OpenHiWebsiteService.SERVICE_TYPE = "website";