@openhi/constructs 0.0.117 → 0.0.119

package/lib/seed-demo-data.handler.js

@@ -3162,6 +3162,19 @@ function extractDenormalizedReferenceDisplay(resource, fieldName) {
   return trimmed.length > 0 ? trimmed : void 0;
 }
 
+// src/data/operations/control/membership-constraints/assert-workspace-in-tenant-operation.ts
+async function assertWorkspaceInTenantOperation(params) {
+  const { tenantId, workspaceId, tableName } = params;
+  const service = getDynamoControlService(tableName);
+  const { data: item } = await service.entities.workspace.get({ tenantId, id: workspaceId, sk: "CURRENT" }).go();
+  if (!item) {
+    throw new ConflictError(
+      `Workspace ${workspaceId} does not belong to tenant ${tenantId}; the workspace must be created in the referenced tenant before this resource can reference it.`,
+      { details: { tenantId, workspaceId } }
+    );
+  }
+}
+
 // src/data/operations/control/multi-write-operation.ts
 var TRANSACT_WRITE_ITEM_LIMIT = 100;
 async function executeMultiWrite(params) {
@@ -3308,6 +3321,15 @@ async function createMembershipOperation(params) {
     resourceRecord,
     "workspace"
   );
+  if (workspaceIdFromResource !== void 0) {
+    const tenantIdFromResource = extractReferenceSlug(resourceRecord, "tenant");
+    const referencedTenantId = tenantIdFromResource ?? context.tenantId;
+    await assertWorkspaceInTenantOperation({
+      tenantId: referencedTenantId,
+      workspaceId: workspaceIdFromResource,
+      tableName
+    });
+  }
   const userProjectionItem = userIdFromResource !== void 0 ? buildMembershipUserProjectionItem({
     tenantId: context.tenantId,
     userId: userIdFromResource,
@@ -3483,6 +3505,21 @@ function buildRoleAssignmentWorkspaceProjectionItem(input) {
   };
 }
 
+// src/data/operations/control/membership-constraints/assert-user-has-tenant-membership-operation.ts
+var TENANT_LANE_SK_PREFIX = "MEMBERSHIP#TENANT#";
+async function assertUserHasTenantMembershipOperation(params) {
+  const { userId, tenantId, tableName } = params;
+  const service = getDynamoControlService(tableName);
+  const result = await service.entities.membershipUserProjection.query.record({ userId }).begins({ sk: TENANT_LANE_SK_PREFIX }).go();
+  const matched = (result.data ?? []).some((row) => row.tenantId === tenantId);
+  if (!matched) {
+    throw new ConflictError(
+      `User ${userId} has no tenant-level Membership in tenant ${tenantId}; a Membership must exist before a RoleAssignment can be created.`,
+      { details: { userId, tenantId } }
+    );
+  }
+}
+
 // src/data/operations/control/roleassignment/roleassignment-create-operation.ts
 async function createRoleAssignmentOperation(params) {
   const { context, body, tableName } = params;
@@ -3512,6 +3549,22 @@ async function createRoleAssignmentOperation(params) {
     resourceRecord,
     "workspace"
   );
+  if (userIdFromResource !== void 0) {
+    const tenantIdFromResource = extractReferenceSlug2(resourceRecord, "tenant");
+    const referencedTenantId = tenantIdFromResource ?? context.tenantId;
+    await assertUserHasTenantMembershipOperation({
+      userId: userIdFromResource,
+      tenantId: referencedTenantId,
+      tableName
+    });
+    if (workspaceIdFromResource !== void 0) {
+      await assertWorkspaceInTenantOperation({
+        tenantId: referencedTenantId,
+        workspaceId: workspaceIdFromResource,
+        tableName
+      });
+    }
+  }
   const userProjectionItem = userIdFromResource !== void 0 && roleIdFromResource !== void 0 ? buildRoleAssignmentUserProjectionItem({
     tenantId: context.tenantId,
     userId: userIdFromResource,