@openhi/constructs 0.0.146 → 0.0.148

package/lib/index.d.mts

@@ -1645,9 +1645,14 @@ declare class OpenHiAuthService extends OpenHiService {
     protected createUserPool(): IUserPool;
     /**
      * Grants the Pre Token Generation Lambda read-only access on the data
-     * store table and its GSIs. The Lambda only needs:
+     * store table and its GSIs. The Lambda needs:
      * - `Query` on GSI2 to resolve a User by Cognito `sub`
-     * - `GetItem` on the base table for direct User reads
+     * - `GetItem` on the base table for direct User reads (canonical row hydration
+     *   after the GSI2 hit, per #1175)
+     * - `BatchGetItem` on the base table for ElectroDB `batchGetWithRetry`
+     *   hydration used by `listMembershipsOperation` and
+     *   `listRoleAssignmentsOperation` when resolving the
+     *   `ohi_organization_roles` / `ohi_platform_roles` claims
      *
      * No write or scan access: a User missing `currentTenant`/`currentWorkspace`
      * falls into the absent-claims path; repair belongs in a separate backfill.

package/lib/index.d.ts

@@ -2311,9 +2311,14 @@ declare class OpenHiAuthService extends OpenHiService {
     protected createUserPool(): IUserPool;
     /**
      * Grants the Pre Token Generation Lambda read-only access on the data
-     * store table and its GSIs. The Lambda only needs:
+     * store table and its GSIs. The Lambda needs:
      * - `Query` on GSI2 to resolve a User by Cognito `sub`
-     * - `GetItem` on the base table for direct User reads
+     * - `GetItem` on the base table for direct User reads (canonical row hydration
+     *   after the GSI2 hit, per #1175)
+     * - `BatchGetItem` on the base table for ElectroDB `batchGetWithRetry`
+     *   hydration used by `listMembershipsOperation` and
+     *   `listRoleAssignmentsOperation` when resolving the
+     *   `ohi_organization_roles` / `ohi_platform_roles` claims
      *
      * No write or scan access: a User missing `currentTenant`/`currentWorkspace`
      * falls into the absent-claims path; repair belongs in a separate backfill.

package/lib/index.js

@@ -7860,16 +7860,25 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
   }
   /**
    * Grants the Pre Token Generation Lambda read-only access on the data
-   * store table and its GSIs. The Lambda only needs:
+   * store table and its GSIs. The Lambda needs:
    * - `Query` on GSI2 to resolve a User by Cognito `sub`
-   * - `GetItem` on the base table for direct User reads
+   * - `GetItem` on the base table for direct User reads (canonical row hydration
+   *   after the GSI2 hit, per #1175)
+   * - `BatchGetItem` on the base table for ElectroDB `batchGetWithRetry`
+   *   hydration used by `listMembershipsOperation` and
+   *   `listRoleAssignmentsOperation` when resolving the
+   *   `ohi_organization_roles` / `ohi_platform_roles` claims
    *
    * No write or scan access: a User missing `currentTenant`/`currentWorkspace`
    * falls into the absent-claims path; repair belongs in a separate backfill.
    */
   grantPreTokenGenerationPermissions() {
     const dataStoreTable = this.dataStoreTable();
-    const dynamoActions = ["dynamodb:GetItem", "dynamodb:Query"];
+    const dynamoActions = [
+      "dynamodb:GetItem",
+      "dynamodb:Query",
+      "dynamodb:BatchGetItem"
+    ];
     dataStoreTable.grant(this.preTokenGenerationLambda, ...dynamoActions);
     this.preTokenGenerationLambda.addToRolePolicy(
       new import_aws_iam7.PolicyStatement({