@openhi/constructs 0.0.151 → 0.0.152

package/lib/rest-api-lambda.handler.mjs

@@ -23,7 +23,7 @@ import {
   createTenantOperation,
   createWorkspaceOperation,
   extractDenormalizedReferenceDisplay
-} from "./chunk-AWYZJFPL.mjs";
+} from "./chunk-CFJDATDK.mjs";
 import {
   buildMembershipUserProjectionItem,
   buildMembershipWorkspaceProjectionItem,

package/lib/seed-demo-data.handler.d.mts

@@ -1,6 +1,6 @@
 import { WorkflowDedupClient } from '@openhi/workflows';
 import { EventBridgeEvent } from 'aws-lambda';
-import { d as DemoDevUser } from './events-CMG8xanm.mjs';
+import { d as DemoDevUser } from './events-DTgo2dcW.mjs';
 import { O as OpenHiContext } from './openhi-context-CaBH8SFo.mjs';
 import '@openhi/types';
 
@@ -68,6 +68,19 @@ interface SeedDemoDataDependencies {
  * put is keyed by a deterministic stable id so re-runs after
  * dedup-TTL expiry upsert the same records.
  *
+ * Self-healing-on-every-deploy contract: every individual upsert
+ * across all three phases is wrapped via {@link tryRun}. A single
+ * item's failure (transient AWS error, write-time constraint
+ * violation, etc.) is collected into a per-call accumulator and
+ * does not skip the remaining items in its phase. After all phases
+ * run, collected failures are aggregate-thrown as a single error so
+ * EventBridge still routes the workflow into its failure-detection
+ * path (DLQ + CloudWatch alarm) and the outer `runSeedDemoData`
+ * records `markFailed` on the dedup row. Because every put is keyed
+ * by a deterministic stable id, the next deploy re-attempts every
+ * item — failed items eventually heal, successful items overwrite
+ * themselves with the same body.
+ *
  * Exported so the seeder test file can exercise it directly against
  * a mocked DynamoControlService; the production handler reaches it
  * through {@link SeedDemoDataDependencies.seedDemoGraph}.

package/lib/seed-demo-data.handler.d.ts

@@ -1,6 +1,6 @@
 import { WorkflowDedupClient } from '@openhi/workflows';
 import { EventBridgeEvent } from 'aws-lambda';
-import { d as DemoDevUser } from './events-CMG8xanm.js';
+import { d as DemoDevUser } from './events-DTgo2dcW.js';
 import { O as OpenHiContext } from './openhi-context-CaBH8SFo.js';
 import '@openhi/types';
 
@@ -68,6 +68,19 @@ interface SeedDemoDataDependencies {
  * put is keyed by a deterministic stable id so re-runs after
  * dedup-TTL expiry upsert the same records.
  *
+ * Self-healing-on-every-deploy contract: every individual upsert
+ * across all three phases is wrapped via {@link tryRun}. A single
+ * item's failure (transient AWS error, write-time constraint
+ * violation, etc.) is collected into a per-call accumulator and
+ * does not skip the remaining items in its phase. After all phases
+ * run, collected failures are aggregate-thrown as a single error so
+ * EventBridge still routes the workflow into its failure-detection
+ * path (DLQ + CloudWatch alarm) and the outer `runSeedDemoData`
+ * records `markFailed` on the dedup row. Because every put is keyed
+ * by a deterministic stable id, the next deploy re-attempts every
+ * item — failed items eventually heal, successful items overwrite
+ * themselves with the same body.
+ *
  * Exported so the seeder test file can exercise it directly against
  * a mocked DynamoControlService; the production handler reaches it
  * through {@link SeedDemoDataDependencies.seedDemoGraph}.

package/lib/seed-demo-data.handler.js

@@ -723,11 +723,15 @@ var import_workflows2 = __toESM(require_lib());
 // src/workflows/control-plane/seed-demo-data/events.ts
 var import_types = require("@openhi/types");
 var import_workflows = __toESM(require_lib());
+
+// src/data/operations/control/membership-constraints/platform-scope-tenant-id.ts
+var PLATFORM_SCOPE_TENANT_ID = "platform";
+
+// src/workflows/control-plane/seed-demo-data/events.ts
 var SEED_DEMO_DATA_CONSUMER_NAME = "seed-demo-data";
 var DEMO_URN_SYSTEM = "urn:openhi:demo";
 var OPENHI_RESOURCE_URN_SYSTEM = "http://openhi.org/";
 var DEMO_PERIOD = { start: "2026-01-01T00:00:00Z" };
-var PLATFORM_SCOPE_TENANT_ID = "platform";
 var PLACEHOLDER_TENANT_ID = "placeholder-tenant-id";
 var PLACEHOLDER_WORKSPACE_ID = "placeholder-workspace-id";
 var DEV_USERS = [
@@ -3510,6 +3514,9 @@ function buildRoleAssignmentWorkspaceProjectionItem(input) {
 var TENANT_LANE_SK_PREFIX = "MEMBERSHIP#TENANT#";
 async function assertUserHasTenantMembershipOperation(params) {
   const { userId, tenantId, tableName } = params;
+  if (tenantId === PLATFORM_SCOPE_TENANT_ID) {
+    return;
+  }
   const service = getDynamoControlService(tableName);
   const result = await service.entities.membershipUserProjection.query.record({ userId }).begins({ sk: TENANT_LANE_SK_PREFIX }).go();
   const matched = (result.data ?? []).some((row) => row.tenantId === tenantId);
@@ -5017,6 +5024,25 @@ var errorMessage = (err) => {
   }
   return String(err);
 };
+var tryRun = async (failures, phase, scope, resourceType, resourceId, fn) => {
+  try {
+    await fn();
+    return true;
+  } catch (err) {
+    failures.push({ phase, scope, resourceType, resourceId, error: err });
+    return false;
+  }
+};
+var aggregateFailureError = (failures) => {
+  const summary = failures.map(
+    (f) => `${f.phase} ${f.scope}/${f.resourceType}/${f.resourceId}: ${errorMessage(
+      f.error
+    )}`
+  ).join("; ");
+  return new Error(
+    `seed-demo-data: ${failures.length} item(s) failed across phases: ${summary}`
+  );
+};
 var idForRoleCode = (code) => {
   for (const key of Object.keys(import_types12.PLATFORM_ROLE_IDS)) {
     if (import_types12.PLATFORM_ROLE_CONCEPTS[key].code === code) {
@@ -5126,95 +5152,180 @@ var upsertUser = async (context, user, cognitoSub) => {
     lastUpdated: context.date ?? (/* @__PURE__ */ new Date()).toISOString()
   }).go();
 };
-var seedWorkspaceDataPlane = async (baseContext, group) => {
+var seedWorkspaceDataPlane = async (baseContext, group, failures) => {
   const workspaceContext = {
     ...baseContext,
     tenantId: group.tenantId,
     workspaceId: group.workspaceId
   };
+  const scope = `${group.tenantId}/${group.workspaceId}`;
   for (const patient of group.patients) {
-    await createPatientOperation({
-      context: workspaceContext,
-      body: patient
-    });
+    await tryRun(
+      failures,
+      "phase-3",
+      scope,
+      "Patient",
+      patient.id ?? "",
+      () => createPatientOperation({
+        context: workspaceContext,
+        body: patient
+      })
+    );
   }
   for (const practitioner of group.practitioners) {
-    await createPractitionerOperation({
-      context: workspaceContext,
-      body: practitioner
-    });
+    await tryRun(
+      failures,
+      "phase-3",
+      scope,
+      "Practitioner",
+      practitioner.id ?? "",
+      () => createPractitionerOperation({
+        context: workspaceContext,
+        body: practitioner
+      })
+    );
   }
   for (const observation of group.observations) {
-    await createObservationOperation({
-      context: workspaceContext,
-      body: observation
-    });
+    await tryRun(
+      failures,
+      "phase-3",
+      scope,
+      "Observation",
+      observation.id ?? "",
+      () => createObservationOperation({
+        context: workspaceContext,
+        body: observation
+      })
+    );
   }
   for (const encounter of group.encounters) {
-    await createEncounterOperation({
-      context: workspaceContext,
-      body: encounter
-    });
+    await tryRun(
+      failures,
+      "phase-3",
+      scope,
+      "Encounter",
+      encounter.id ?? "",
+      () => createEncounterOperation({
+        context: workspaceContext,
+        body: encounter
+      })
+    );
   }
   for (const account of group.accounts) {
-    await createAccountOperation({
-      context: workspaceContext,
-      body: account
-    });
+    await tryRun(
+      failures,
+      "phase-3",
+      scope,
+      "Account",
+      account.id ?? "",
+      () => createAccountOperation({
+        context: workspaceContext,
+        body: account
+      })
+    );
   }
 };
 var seedDemoGraph = async (params) => {
   const { baseContext, devUsers, cognito } = params;
+  const failures = [];
   for (const spec of DEMO_TENANT_SPECS) {
     const tenantContext = {
       ...baseContext,
       tenantId: spec.tenantId
     };
-    await createTenantOperation({
-      context: tenantContext,
-      body: { id: spec.tenantId, resource: tenantResourceBody(spec) }
-    });
-    for (const workspace of spec.workspaces) {
-      await createWorkspaceOperation({
+    await tryRun(
+      failures,
+      "phase-1",
+      spec.tenantId,
+      "Tenant",
+      spec.tenantId,
+      () => createTenantOperation({
         context: tenantContext,
-        body: {
-          id: workspace.id,
-          resource: workspaceResourceBody(spec, workspace)
-        }
-      });
+        body: { id: spec.tenantId, resource: tenantResourceBody(spec) }
+      })
+    );
+    for (const workspace of spec.workspaces) {
+      await tryRun(
+        failures,
+        "phase-1",
+        spec.tenantId,
+        "Workspace",
+        workspace.id,
+        () => createWorkspaceOperation({
+          context: tenantContext,
+          body: {
+            id: workspace.id,
+            resource: workspaceResourceBody(spec, workspace)
+          }
+        })
+      );
     }
   }
   for (const user of devUsers) {
-    const cognitoSub = await cognito.ensureUser(user.email);
-    await upsertUser(baseContext, user, cognitoSub);
+    let cognitoSub;
+    try {
+      cognitoSub = await cognito.ensureUser(user.email);
+    } catch (err) {
+      failures.push({
+        phase: "phase-2",
+        scope: user.id,
+        resourceType: "CognitoUser",
+        resourceId: user.email,
+        error: err
+      });
+      continue;
+    }
+    await tryRun(
+      failures,
+      "phase-2",
+      user.id,
+      "User",
+      user.id,
+      () => upsertUser(baseContext, user, cognitoSub)
+    );
     for (const spec of DEMO_TENANT_SPECS) {
       const tenantContext = {
         ...baseContext,
         tenantId: spec.tenantId
       };
+      const userScope = `${user.id}@${spec.tenantId}`;
       const membershipId = demoMembershipId(user.id, spec.tenantId);
-      await createMembershipOperation({
-        context: tenantContext,
-        body: {
-          id: membershipId,
-          resource: membershipResourceBody(spec, user, membershipId)
-        }
-      });
-      for (const roleCode of demoRolesForUserInTenant(user, spec.tenantId)) {
-        const raId = demoRoleAssignmentId(user.id, spec.tenantId, roleCode);
-        await createRoleAssignmentOperation({
+      await tryRun(
+        failures,
+        "phase-2",
+        userScope,
+        "Membership",
+        membershipId,
+        () => createMembershipOperation({
           context: tenantContext,
           body: {
-            id: raId,
-            resource: roleAssignmentResourceBody(
-              spec.scenario,
-              spec.tenantId,
-              user,
-              roleCode,
-              raId
-            )
+            id: membershipId,
+            resource: membershipResourceBody(spec, user, membershipId)
           }
-        });
+        })
+      );
+      for (const roleCode of demoRolesForUserInTenant(user, spec.tenantId)) {
+        const raId = demoRoleAssignmentId(user.id, spec.tenantId, roleCode);
+        await tryRun(
+          failures,
+          "phase-2",
+          userScope,
+          "RoleAssignment",
+          raId,
+          () => createRoleAssignmentOperation({
+            context: tenantContext,
+            body: {
+              id: raId,
+              resource: roleAssignmentResourceBody(
+                spec.scenario,
+                spec.tenantId,
+                user,
+                roleCode,
+                raId
+              )
+            }
+          })
+        );
       }
     }
     const platformContext = {
@@ -5227,22 +5338,42 @@ var seedDemoGraph = async (params) => {
       PLATFORM_SCOPE_TENANT_ID,
       platformRoleCode
     );
-    await createRoleAssignmentOperation({
-      context: platformContext,
-      body: {
-        id: platformRaId,
-        resource: roleAssignmentResourceBody(
-          "platform",
-          PLATFORM_SCOPE_TENANT_ID,
-          user,
-          platformRoleCode,
-          platformRaId
-        )
-      }
-    });
+    await tryRun(
+      failures,
+      "phase-2",
+      `${user.id}@${PLATFORM_SCOPE_TENANT_ID}`,
+      "RoleAssignment",
+      platformRaId,
+      () => createRoleAssignmentOperation({
+        context: platformContext,
+        body: {
+          id: platformRaId,
+          resource: roleAssignmentResourceBody(
+            "platform",
+            PLATFORM_SCOPE_TENANT_ID,
+            user,
+            platformRoleCode,
+            platformRaId
+          )
+        }
+      })
+    );
   }
   for (const group of DEMO_DATA_PLANE_FIXTURES) {
-    await seedWorkspaceDataPlane(baseContext, group);
+    try {
+      await seedWorkspaceDataPlane(baseContext, group, failures);
+    } catch (err) {
+      failures.push({
+        phase: "phase-3",
+        scope: `${group.tenantId}/${group.workspaceId}`,
+        resourceType: "Workspace",
+        resourceId: group.workspaceId,
+        error: err
+      });
+    }
+  }
+  if (failures.length > 0) {
+    throw aggregateFailureError(failures);
   }
 };
 var runSeedDemoData = async (event, deps, devUsers) => {