@openhi/constructs 0.0.146 → 0.0.147

package/lib/index.mjs

@@ -3631,16 +3631,25 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
   }
   /**
    * Grants the Pre Token Generation Lambda read-only access on the data
-   * store table and its GSIs. The Lambda only needs:
+   * store table and its GSIs. The Lambda needs:
    * - `Query` on GSI2 to resolve a User by Cognito `sub`
-   * - `GetItem` on the base table for direct User reads
+   * - `GetItem` on the base table for direct User reads (canonical row hydration
+   *   after the GSI2 hit, per #1175)
+   * - `BatchGetItem` on the base table for ElectroDB `batchGetWithRetry`
+   *   hydration used by `listMembershipsOperation` and
+   *   `listRoleAssignmentsOperation` when resolving the
+   *   `ohi_organization_roles` / `ohi_platform_roles` claims
    *
    * No write or scan access: a User missing `currentTenant`/`currentWorkspace`
    * falls into the absent-claims path; repair belongs in a separate backfill.
    */
   grantPreTokenGenerationPermissions() {
     const dataStoreTable = this.dataStoreTable();
-    const dynamoActions = ["dynamodb:GetItem", "dynamodb:Query"];
+    const dynamoActions = [
+      "dynamodb:GetItem",
+      "dynamodb:Query",
+      "dynamodb:BatchGetItem"
+    ];
     dataStoreTable.grant(this.preTokenGenerationLambda, ...dynamoActions);
     this.preTokenGenerationLambda.addToRolePolicy(
       new PolicyStatement7({