@openhi/constructs 0.0.159 → 0.0.161

package/lib/rest-api-lambda.handler.js

@@ -5,6 +5,9 @@ var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
 var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __commonJS = (cb, mod) => function __require() {
+  return mod || (0, cb[__getOwnPropNames(cb)[0]])((mod = { exports: {} }).exports, mod), mod.exports;
+};
 var __export = (target, all) => {
   for (var name in all)
     __defProp(target, name, { get: all[name], enumerable: true });
@@ -27,6 +30,727 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
 ));
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
+// ../workflows/lib/envelope-version.js
+var require_envelope_version = __commonJS({
+  "../workflows/lib/envelope-version.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.ENVELOPE_VERSION = void 0;
+    exports2.isSupportedEnvelopeVersion = isSupportedEnvelopeVersion;
+    exports2.ENVELOPE_VERSION = "1.0";
+    var ENVELOPE_VERSION_PATTERN = /^\d+\.\d+$/;
+    var MIN_SUPPORTED_MAJOR = 1;
+    var MAX_SUPPORTED_MAJOR = 1;
+    function isSupportedEnvelopeVersion(version) {
+      if (!ENVELOPE_VERSION_PATTERN.test(version)) {
+        return false;
+      }
+      const major = Number.parseInt(version.split(".")[0], 10);
+      return major >= MIN_SUPPORTED_MAJOR && major <= MAX_SUPPORTED_MAJOR;
+    }
+  }
+});
+
+// ../workflows/lib/envelope.js
+var require_envelope = __commonJS({
+  "../workflows/lib/envelope.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.MissingActorContextError = void 0;
+    exports2.isWorkflowUserActor = isWorkflowUserActor;
+    exports2.isWorkflowSystemActor = isWorkflowSystemActor;
+    exports2.workflowUserActorFromClaims = workflowUserActorFromClaims;
+    function isWorkflowUserActor(actor) {
+      return actor.ohi_uid !== void 0;
+    }
+    function isWorkflowSystemActor(actor) {
+      return actor.system !== void 0;
+    }
+    function workflowUserActorFromClaims(claims) {
+      if (claims.ohi_tid === void 0 || claims.ohi_wid === void 0) {
+        throw new MissingActorContextError("workflowUserActorFromClaims: ohi_tid and ohi_wid are required on the workflow user-actor; the caller's JWT is missing one or both. Use a system-actor for pre-provisioning bootstrap workflows.");
+      }
+      return {
+        ohi_tid: claims.ohi_tid,
+        ohi_wid: claims.ohi_wid,
+        ohi_uid: claims.ohi_uid,
+        ohi_uname: claims.ohi_uname
+      };
+    }
+    var MissingActorContextError = class extends Error {
+      /** @param message - human-readable description of the missing claim. */
+      constructor(message) {
+        super(message);
+        this.name = "MissingActorContextError";
+      }
+    };
+    exports2.MissingActorContextError = MissingActorContextError;
+  }
+});
+
+// ../workflows/lib/sources.js
+var require_sources = __commonJS({
+  "../workflows/lib/sources.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.DEFAULT_BUS_NAME_BY_SOURCE = exports2.OPENHI_OPS_SOURCE = exports2.OPENHI_DATA_SOURCE = exports2.OPENHI_CONTROL_SOURCE = void 0;
+    exports2.OPENHI_CONTROL_SOURCE = "openhi.control";
+    exports2.OPENHI_DATA_SOURCE = "openhi.data";
+    exports2.OPENHI_OPS_SOURCE = "openhi.ops";
+    exports2.DEFAULT_BUS_NAME_BY_SOURCE = {
+      [exports2.OPENHI_CONTROL_SOURCE]: "openhi-control-event-bus",
+      [exports2.OPENHI_DATA_SOURCE]: "openhi-data-event-bus",
+      [exports2.OPENHI_OPS_SOURCE]: "openhi-ops-event-bus"
+    };
+  }
+});
+
+// ../workflows/lib/detail-types/registry.js
+var require_registry = __commonJS({
+  "../workflows/lib/detail-types/registry.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.InvalidDetailTypeRegistrationError = void 0;
+    exports2.defineDetailType = defineDetailType;
+    exports2.isWellFormedDetailType = isWellFormedDetailType;
+    function defineDetailType(entry) {
+      if (!isWellFormedDetailType(entry.detailType)) {
+        throw new InvalidDetailTypeRegistrationError(`Detail-type "${entry.detailType}" does not match the platform-wide format <area>.<event>.v<integer>. See TR-016 \xA7Open Items #2.`);
+      }
+      return entry;
+    }
+    var DETAIL_TYPE_PATTERN = /^[a-z0-9]+(?:-[a-z0-9]+)*\.[a-z0-9]+(?:-[a-z0-9]+)*\.v\d+$/;
+    function isWellFormedDetailType(detailType) {
+      return DETAIL_TYPE_PATTERN.test(detailType);
+    }
+    var InvalidDetailTypeRegistrationError = class extends Error {
+      /** @param message - human-readable description of the violation. */
+      constructor(message) {
+        super(message);
+        this.name = "InvalidDetailTypeRegistrationError";
+      }
+    };
+    exports2.InvalidDetailTypeRegistrationError = InvalidDetailTypeRegistrationError;
+  }
+});
+
+// ../workflows/lib/detail-types/control-plane.js
+var require_control_plane = __commonJS({
+  "../workflows/lib/detail-types/control-plane.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.ControlPlaneWorkspaceDeletedV1 = exports2.ControlPlaneWorkspaceCreatedV1 = exports2.ControlPlaneRoleAssignmentDeletedV1 = exports2.ControlPlaneRoleAssignmentCreatedV1 = exports2.ControlPlaneMembershipDeletedV1 = exports2.ControlPlaneMembershipCreatedV1 = exports2.ControlPlaneRenameFailedV1 = exports2.ControlPlaneRenameCompleteV1 = exports2.ControlPlaneRenameV1 = exports2.RENAMABLE_ENTITY_TYPE = exports2.ControlPlaneOwningDeleteFailedV1 = exports2.ControlPlaneOwningDeleteCompleteV1 = exports2.ControlPlaneOwningDeleteV1 = exports2.OWNING_ENTITY_TYPE = void 0;
+    var sources_1 = require_sources();
+    var registry_1 = require_registry();
+    exports2.OWNING_ENTITY_TYPE = {
+      Workspace: "Workspace",
+      User: "User"
+    };
+    exports2.ControlPlaneOwningDeleteV1 = (0, registry_1.defineDetailType)({
+      detailType: "control-plane.owning-delete.v1",
+      source: sources_1.OPENHI_DATA_SOURCE,
+      dedupRequired: true
+    });
+    exports2.ControlPlaneOwningDeleteCompleteV1 = (0, registry_1.defineDetailType)({
+      detailType: "control-plane.owning-delete-complete.v1",
+      source: sources_1.OPENHI_OPS_SOURCE,
+      dedupRequired: true
+    });
+    exports2.ControlPlaneOwningDeleteFailedV1 = (0, registry_1.defineDetailType)({
+      detailType: "control-plane.owning-delete-failed.v1",
+      source: sources_1.OPENHI_OPS_SOURCE,
+      dedupRequired: true
+    });
+    exports2.RENAMABLE_ENTITY_TYPE = {
+      Tenant: "Tenant",
+      User: "User",
+      Role: "Role"
+    };
+    exports2.ControlPlaneRenameV1 = (0, registry_1.defineDetailType)({
+      detailType: "control-plane.rename.v1",
+      source: sources_1.OPENHI_DATA_SOURCE,
+      dedupRequired: true
+    });
+    exports2.ControlPlaneRenameCompleteV1 = (0, registry_1.defineDetailType)({
+      detailType: "control-plane.rename-complete.v1",
+      source: sources_1.OPENHI_OPS_SOURCE,
+      dedupRequired: true
+    });
+    exports2.ControlPlaneRenameFailedV1 = (0, registry_1.defineDetailType)({
+      detailType: "control-plane.rename-failed.v1",
+      source: sources_1.OPENHI_OPS_SOURCE,
+      dedupRequired: true
+    });
+    exports2.ControlPlaneMembershipCreatedV1 = (0, registry_1.defineDetailType)({
+      detailType: "control-plane.membership-created.v1",
+      source: sources_1.OPENHI_CONTROL_SOURCE,
+      dedupRequired: true
+    });
+    exports2.ControlPlaneMembershipDeletedV1 = (0, registry_1.defineDetailType)({
+      detailType: "control-plane.membership-deleted.v1",
+      source: sources_1.OPENHI_CONTROL_SOURCE,
+      dedupRequired: true
+    });
+    exports2.ControlPlaneRoleAssignmentCreatedV1 = (0, registry_1.defineDetailType)({
+      detailType: "control-plane.role-assignment-created.v1",
+      source: sources_1.OPENHI_CONTROL_SOURCE,
+      dedupRequired: true
+    });
+    exports2.ControlPlaneRoleAssignmentDeletedV1 = (0, registry_1.defineDetailType)({
+      detailType: "control-plane.role-assignment-deleted.v1",
+      source: sources_1.OPENHI_CONTROL_SOURCE,
+      dedupRequired: true
+    });
+    exports2.ControlPlaneWorkspaceCreatedV1 = (0, registry_1.defineDetailType)({
+      detailType: "control-plane.workspace-created.v1",
+      source: sources_1.OPENHI_CONTROL_SOURCE,
+      dedupRequired: true
+    });
+    exports2.ControlPlaneWorkspaceDeletedV1 = (0, registry_1.defineDetailType)({
+      detailType: "control-plane.workspace-deleted.v1",
+      source: sources_1.OPENHI_CONTROL_SOURCE,
+      dedupRequired: true
+    });
+  }
+});
+
+// ../workflows/lib/detail-types/platform.js
+var require_platform = __commonJS({
+  "../workflows/lib/detail-types/platform.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.PlatformSystemDataSeededV1 = exports2.PlatformDeploymentCompletedV1 = void 0;
+    var sources_1 = require_sources();
+    var registry_1 = require_registry();
+    exports2.PlatformDeploymentCompletedV1 = (0, registry_1.defineDetailType)({
+      detailType: "platform.deployment-completed.v1",
+      source: sources_1.OPENHI_CONTROL_SOURCE,
+      dedupRequired: true
+    });
+    exports2.PlatformSystemDataSeededV1 = (0, registry_1.defineDetailType)({
+      detailType: "platform.system-data-seeded.v1",
+      source: sources_1.OPENHI_CONTROL_SOURCE,
+      dedupRequired: true
+    });
+  }
+});
+
+// ../workflows/lib/detail-types/index.js
+var require_detail_types = __commonJS({
+  "../workflows/lib/detail-types/index.js"(exports2) {
+    "use strict";
+    var __createBinding = exports2 && exports2.__createBinding || (Object.create ? (function(o, m, k, k2) {
+      if (k2 === void 0) k2 = k;
+      var desc = Object.getOwnPropertyDescriptor(m, k);
+      if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+        desc = { enumerable: true, get: function() {
+          return m[k];
+        } };
+      }
+      Object.defineProperty(o, k2, desc);
+    }) : (function(o, m, k, k2) {
+      if (k2 === void 0) k2 = k;
+      o[k2] = m[k];
+    }));
+    var __exportStar = exports2 && exports2.__exportStar || function(m, exports3) {
+      for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports3, p)) __createBinding(exports3, m, p);
+    };
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    __exportStar(require_control_plane(), exports2);
+    __exportStar(require_platform(), exports2);
+    __exportStar(require_registry(), exports2);
+  }
+});
+
+// ../workflows/lib/publisher.js
+var require_publisher = __commonJS({
+  "../workflows/lib/publisher.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.WorkflowPublishError = void 0;
+    exports2.workflowsClient = workflowsClient;
+    exports2.publishWorkflowEvent = publishWorkflowEvent2;
+    var node_crypto_1 = require("crypto");
+    var client_eventbridge_1 = require("@aws-sdk/client-eventbridge");
+    var envelope_version_1 = require_envelope_version();
+    var sources_1 = require_sources();
+    function workflowsClient(bridge, options = {}) {
+      return {
+        publish: (entry, payload, ctx) => publishWorkflowEvent2(bridge, entry, payload, ctx, options)
+      };
+    }
+    async function publishWorkflowEvent2(bridge, entry, payload, ctx, options = {}) {
+      const eventIdGenerator = options.eventIdGenerator ?? (() => (0, node_crypto_1.randomUUID)());
+      const correlationIdGenerator = options.correlationIdGenerator ?? (() => (0, node_crypto_1.randomUUID)());
+      const now = options.now ?? (() => /* @__PURE__ */ new Date());
+      const envelope = {
+        eventId: eventIdGenerator(),
+        attempt: 1,
+        correlationId: ctx.correlationId ?? correlationIdGenerator(),
+        causationId: ctx.causationId ?? null,
+        actor: ctx.actor,
+        occurredAt: now().toISOString(),
+        envelopeVersion: envelope_version_1.ENVELOPE_VERSION,
+        payload
+      };
+      const busName = options.busNameByPlane?.[entry.source] ?? sources_1.DEFAULT_BUS_NAME_BY_SOURCE[entry.source];
+      const result = await bridge.send(new client_eventbridge_1.PutEventsCommand({
+        Entries: [
+          {
+            EventBusName: busName,
+            Source: entry.source,
+            DetailType: entry.detailType,
+            Detail: JSON.stringify(envelope)
+          }
+        ]
+      }));
+      if ((result.FailedEntryCount ?? 0) > 0) {
+        const first = result.Entries?.[0];
+        throw new WorkflowPublishError(`EventBridge rejected ${entry.detailType} publish on bus ${busName}: ${first?.ErrorCode ?? "unknown"} \u2014 ${first?.ErrorMessage ?? "no error message"}`);
+      }
+      return { eventId: envelope.eventId };
+    }
+    var WorkflowPublishError = class extends Error {
+      /** @param message - human-readable description of the failed publish. */
+      constructor(message) {
+        super(message);
+        this.name = "WorkflowPublishError";
+      }
+    };
+    exports2.WorkflowPublishError = WorkflowPublishError;
+  }
+});
+
+// ../workflows/lib/consumer.js
+var require_consumer = __commonJS({
+  "../workflows/lib/consumer.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.UnsupportedEnvelopeVersionError = exports2.InvalidWorkflowEventError = void 0;
+    exports2.parseWorkflowEvent = parseWorkflowEvent;
+    var envelope_version_1 = require_envelope_version();
+    function parseWorkflowEvent(event, expected) {
+      if (event.source !== expected.source) {
+        throw new InvalidWorkflowEventError(`EventBridge source "${event.source}" does not match expected detail-type's source "${expected.source}".`);
+      }
+      if (event["detail-type"] !== expected.detailType) {
+        throw new InvalidWorkflowEventError(`EventBridge detail-type "${event["detail-type"]}" does not match expected "${expected.detailType}".`);
+      }
+      const candidate = asEnvelopeCandidate(event.detail);
+      if (!(0, envelope_version_1.isSupportedEnvelopeVersion)(candidate.envelopeVersion)) {
+        throw new UnsupportedEnvelopeVersionError(`Envelope version "${candidate.envelopeVersion}" is outside the SDK's supported range.`);
+      }
+      const envelope = {
+        eventId: candidate.eventId,
+        attempt: candidate.attempt,
+        correlationId: candidate.correlationId,
+        causationId: candidate.causationId,
+        actor: candidate.actor,
+        occurredAt: candidate.occurredAt,
+        envelopeVersion: candidate.envelopeVersion,
+        payload: candidate.payload
+      };
+      return {
+        envelope,
+        dedupKey: { eventId: envelope.eventId, attempt: envelope.attempt }
+      };
+    }
+    function asEnvelopeCandidate(detail) {
+      if (detail === null || typeof detail !== "object") {
+        throw new InvalidWorkflowEventError("EventBridge detail is not a non-null object.");
+      }
+      const obj = detail;
+      assertString(obj, "eventId");
+      assertPositiveInteger(obj, "attempt");
+      assertString(obj, "correlationId");
+      assertCausationId(obj);
+      assertActor(obj);
+      assertString(obj, "occurredAt");
+      assertString(obj, "envelopeVersion");
+      if (!("payload" in obj)) {
+        throw new InvalidWorkflowEventError("Envelope is missing required field: payload.");
+      }
+      return obj;
+    }
+    function assertString(obj, field) {
+      const value = obj[field];
+      if (typeof value !== "string" || value.length === 0) {
+        throw new InvalidWorkflowEventError(`Envelope field "${field}" must be a non-empty string.`);
+      }
+    }
+    function assertPositiveInteger(obj, field) {
+      const value = obj[field];
+      if (typeof value !== "number" || !Number.isInteger(value) || value < 1) {
+        throw new InvalidWorkflowEventError(`Envelope field "${field}" must be a 1-indexed integer.`);
+      }
+    }
+    function assertCausationId(obj) {
+      if (!("causationId" in obj)) {
+        throw new InvalidWorkflowEventError("Envelope is missing required field: causationId.");
+      }
+      const value = obj.causationId;
+      if (value !== null && (typeof value !== "string" || value.length === 0)) {
+        throw new InvalidWorkflowEventError('Envelope field "causationId" must be a non-empty string or null.');
+      }
+    }
+    function assertActor(obj) {
+      const actor = obj.actor;
+      if (actor === null || typeof actor !== "object") {
+        throw new InvalidWorkflowEventError('Envelope field "actor" must be an object.');
+      }
+      const actorObj = actor;
+      const isUserActor = typeof actorObj.ohi_uid === "string" && typeof actorObj.ohi_uname === "string" && typeof actorObj.ohi_tid === "string" && typeof actorObj.ohi_wid === "string";
+      const isSystemActor = typeof actorObj.system === "string";
+      if (!isUserActor && !isSystemActor) {
+        throw new InvalidWorkflowEventError('Envelope field "actor" must be either a user-actor (ohi_tid, ohi_wid, ohi_uid, ohi_uname) or a system-actor ({ system: string }).');
+      }
+    }
+    var InvalidWorkflowEventError = class extends Error {
+      /** @param message - human-readable description of the validation failure. */
+      constructor(message) {
+        super(message);
+        this.name = "InvalidWorkflowEventError";
+      }
+    };
+    exports2.InvalidWorkflowEventError = InvalidWorkflowEventError;
+    var UnsupportedEnvelopeVersionError = class extends Error {
+      /** @param message - human-readable description of the unsupported version. */
+      constructor(message) {
+        super(message);
+        this.name = "UnsupportedEnvelopeVersionError";
+      }
+    };
+    exports2.UnsupportedEnvelopeVersionError = UnsupportedEnvelopeVersionError;
+  }
+});
+
+// ../workflows/lib/dedup/env.js
+var require_env = __commonJS({
+  "../workflows/lib/dedup/env.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH = exports2.WORKFLOW_DEDUP_DEFAULT_TTL_SECONDS = exports2.WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR = void 0;
+    exports2.WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR = "OPENHI_WORKFLOW_DEDUP_TABLE_NAME";
+    exports2.WORKFLOW_DEDUP_DEFAULT_TTL_SECONDS = 14 * 24 * 60 * 60;
+    exports2.WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH = 64;
+  }
+});
+
+// ../workflows/lib/dedup/workflow-dedup-client.js
+var require_workflow_dedup_client = __commonJS({
+  "../workflows/lib/dedup/workflow-dedup-client.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.WorkflowDedupInvalidInputError = exports2.WorkflowDedupTableNameMissingError = void 0;
+    exports2.workflowDedupClient = workflowDedupClient;
+    exports2.recordIfAbsent = recordIfAbsent;
+    exports2.markFailed = markFailed;
+    exports2.encodeSortKey = encodeSortKey;
+    var client_dynamodb_1 = require("@aws-sdk/client-dynamodb");
+    var env_1 = require_env();
+    function workflowDedupClient(dynamodb, options = {}) {
+      return {
+        recordIfAbsent: (input) => recordIfAbsent(dynamodb, input, options),
+        markFailed: (input) => markFailed(dynamodb, input, options)
+      };
+    }
+    async function recordIfAbsent(dynamodb, input, options = {}) {
+      assertConsumerName(input.consumerName);
+      assertPositiveInteger(input.attempt, "attempt");
+      const ttlSeconds = input.ttlSeconds ?? options.defaultTtlSeconds ?? env_1.WORKFLOW_DEDUP_DEFAULT_TTL_SECONDS;
+      if (!Number.isInteger(ttlSeconds) || ttlSeconds <= 0) {
+        throw new WorkflowDedupInvalidInputError(`ttlSeconds must be a positive integer; got ${ttlSeconds}.`);
+      }
+      const tableName = resolveTableName(options.tableName);
+      const now = (options.now ?? defaultNow)();
+      const sk = encodeSortKey(input.eventId, input.attempt);
+      const expiresAt = Math.floor(now.getTime() / 1e3) + ttlSeconds;
+      try {
+        await dynamodb.send(new client_dynamodb_1.PutItemCommand({
+          TableName: tableName,
+          Item: {
+            consumerName: { S: input.consumerName },
+            sk: { S: sk },
+            eventId: { S: input.eventId },
+            attempt: { N: String(input.attempt) },
+            recordedAt: { S: now.toISOString() },
+            expiresAt: { N: String(expiresAt) }
+          },
+          ConditionExpression: "attribute_not_exists(consumerName) AND attribute_not_exists(sk)"
+        }));
+        return { recorded: true };
+      } catch (err) {
+        if (err instanceof client_dynamodb_1.ConditionalCheckFailedException) {
+          return { recorded: false, alreadyProcessed: true };
+        }
+        throw err;
+      }
+    }
+    async function markFailed(dynamodb, input, options = {}) {
+      assertConsumerName(input.consumerName);
+      assertPositiveInteger(input.attempt, "attempt");
+      if (input.reason.length === 0) {
+        throw new WorkflowDedupInvalidInputError("reason must be non-empty.");
+      }
+      const tableName = resolveTableName(options.tableName);
+      const now = (options.now ?? defaultNow)();
+      const sk = encodeSortKey(input.eventId, input.attempt);
+      await dynamodb.send(new client_dynamodb_1.UpdateItemCommand({
+        TableName: tableName,
+        Key: {
+          consumerName: { S: input.consumerName },
+          sk: { S: sk }
+        },
+        UpdateExpression: "SET #failed = :failed, #failureReason = :reason, #failedAt = :failedAt",
+        ExpressionAttributeNames: {
+          "#failed": "failed",
+          "#failureReason": "failureReason",
+          "#failedAt": "failedAt"
+        },
+        ExpressionAttributeValues: {
+          ":failed": { BOOL: true },
+          ":reason": { S: input.reason },
+          ":failedAt": { S: now.toISOString() }
+        }
+      }));
+    }
+    function encodeSortKey(eventId, attempt) {
+      if (eventId.length === 0) {
+        throw new WorkflowDedupInvalidInputError("eventId must be non-empty.");
+      }
+      return `${eventId}#${attempt}`;
+    }
+    function resolveTableName(explicit) {
+      const name = explicit ?? process.env[env_1.WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR];
+      if (!name) {
+        throw new WorkflowDedupTableNameMissingError(`Workflow dedup table name not set. Pass options.tableName or set ${env_1.WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR}.`);
+      }
+      return name;
+    }
+    function assertConsumerName(consumerName) {
+      if (consumerName.length === 0) {
+        throw new WorkflowDedupInvalidInputError("consumerName must be non-empty.");
+      }
+      if (consumerName.length > env_1.WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH) {
+        throw new WorkflowDedupInvalidInputError(`consumerName must be \u2264${env_1.WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH} chars; got ${consumerName.length}.`);
+      }
+      if (/\s/.test(consumerName)) {
+        throw new WorkflowDedupInvalidInputError("consumerName must not contain whitespace.");
+      }
+    }
+    function assertPositiveInteger(value, field) {
+      if (!Number.isInteger(value) || value < 1) {
+        throw new WorkflowDedupInvalidInputError(`${field} must be a 1-indexed integer; got ${value}.`);
+      }
+    }
+    function defaultNow() {
+      return /* @__PURE__ */ new Date();
+    }
+    var WorkflowDedupTableNameMissingError = class extends Error {
+      /** @param message - human-readable description. */
+      constructor(message) {
+        super(message);
+        this.name = "WorkflowDedupTableNameMissingError";
+      }
+    };
+    exports2.WorkflowDedupTableNameMissingError = WorkflowDedupTableNameMissingError;
+    var WorkflowDedupInvalidInputError = class extends Error {
+      /** @param message - human-readable description. */
+      constructor(message) {
+        super(message);
+        this.name = "WorkflowDedupInvalidInputError";
+      }
+    };
+    exports2.WorkflowDedupInvalidInputError = WorkflowDedupInvalidInputError;
+  }
+});
+
+// ../workflows/lib/dedup/index.js
+var require_dedup = __commonJS({
+  "../workflows/lib/dedup/index.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.workflowDedupClient = exports2.recordIfAbsent = exports2.markFailed = exports2.encodeSortKey = exports2.WorkflowDedupTableNameMissingError = exports2.WorkflowDedupInvalidInputError = exports2.WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR = exports2.WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH = exports2.WORKFLOW_DEDUP_DEFAULT_TTL_SECONDS = void 0;
+    var env_1 = require_env();
+    Object.defineProperty(exports2, "WORKFLOW_DEDUP_DEFAULT_TTL_SECONDS", { enumerable: true, get: function() {
+      return env_1.WORKFLOW_DEDUP_DEFAULT_TTL_SECONDS;
+    } });
+    Object.defineProperty(exports2, "WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH", { enumerable: true, get: function() {
+      return env_1.WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH;
+    } });
+    Object.defineProperty(exports2, "WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR", { enumerable: true, get: function() {
+      return env_1.WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR;
+    } });
+    var workflow_dedup_client_1 = require_workflow_dedup_client();
+    Object.defineProperty(exports2, "WorkflowDedupInvalidInputError", { enumerable: true, get: function() {
+      return workflow_dedup_client_1.WorkflowDedupInvalidInputError;
+    } });
+    Object.defineProperty(exports2, "WorkflowDedupTableNameMissingError", { enumerable: true, get: function() {
+      return workflow_dedup_client_1.WorkflowDedupTableNameMissingError;
+    } });
+    Object.defineProperty(exports2, "encodeSortKey", { enumerable: true, get: function() {
+      return workflow_dedup_client_1.encodeSortKey;
+    } });
+    Object.defineProperty(exports2, "markFailed", { enumerable: true, get: function() {
+      return workflow_dedup_client_1.markFailed;
+    } });
+    Object.defineProperty(exports2, "recordIfAbsent", { enumerable: true, get: function() {
+      return workflow_dedup_client_1.recordIfAbsent;
+    } });
+    Object.defineProperty(exports2, "workflowDedupClient", { enumerable: true, get: function() {
+      return workflow_dedup_client_1.workflowDedupClient;
+    } });
+  }
+});
+
+// ../workflows/lib/index.js
+var require_lib = __commonJS({
+  "../workflows/lib/index.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.workflowDedupClient = exports2.recordIfAbsent = exports2.markFailed = exports2.encodeSortKey = exports2.WorkflowDedupTableNameMissingError = exports2.WorkflowDedupInvalidInputError = exports2.WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR = exports2.WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH = exports2.WORKFLOW_DEDUP_DEFAULT_TTL_SECONDS = exports2.parseWorkflowEvent = exports2.UnsupportedEnvelopeVersionError = exports2.InvalidWorkflowEventError = exports2.workflowsClient = exports2.publishWorkflowEvent = exports2.WorkflowPublishError = exports2.isWellFormedDetailType = exports2.defineDetailType = exports2.RENAMABLE_ENTITY_TYPE = exports2.PlatformSystemDataSeededV1 = exports2.PlatformDeploymentCompletedV1 = exports2.OWNING_ENTITY_TYPE = exports2.InvalidDetailTypeRegistrationError = exports2.ControlPlaneWorkspaceDeletedV1 = exports2.ControlPlaneWorkspaceCreatedV1 = exports2.ControlPlaneRoleAssignmentDeletedV1 = exports2.ControlPlaneRoleAssignmentCreatedV1 = exports2.ControlPlaneRenameV1 = exports2.ControlPlaneRenameFailedV1 = exports2.ControlPlaneRenameCompleteV1 = exports2.ControlPlaneOwningDeleteV1 = exports2.ControlPlaneOwningDeleteFailedV1 = exports2.ControlPlaneOwningDeleteCompleteV1 = exports2.ControlPlaneMembershipDeletedV1 = exports2.ControlPlaneMembershipCreatedV1 = exports2.OPENHI_OPS_SOURCE = exports2.OPENHI_DATA_SOURCE = exports2.OPENHI_CONTROL_SOURCE = exports2.DEFAULT_BUS_NAME_BY_SOURCE = exports2.workflowUserActorFromClaims = exports2.isWorkflowUserActor = exports2.isWorkflowSystemActor = exports2.MissingActorContextError = exports2.isSupportedEnvelopeVersion = exports2.ENVELOPE_VERSION = void 0;
+    var envelope_version_1 = require_envelope_version();
+    Object.defineProperty(exports2, "ENVELOPE_VERSION", { enumerable: true, get: function() {
+      return envelope_version_1.ENVELOPE_VERSION;
+    } });
+    Object.defineProperty(exports2, "isSupportedEnvelopeVersion", { enumerable: true, get: function() {
+      return envelope_version_1.isSupportedEnvelopeVersion;
+    } });
+    var envelope_1 = require_envelope();
+    Object.defineProperty(exports2, "MissingActorContextError", { enumerable: true, get: function() {
+      return envelope_1.MissingActorContextError;
+    } });
+    Object.defineProperty(exports2, "isWorkflowSystemActor", { enumerable: true, get: function() {
+      return envelope_1.isWorkflowSystemActor;
+    } });
+    Object.defineProperty(exports2, "isWorkflowUserActor", { enumerable: true, get: function() {
+      return envelope_1.isWorkflowUserActor;
+    } });
+    Object.defineProperty(exports2, "workflowUserActorFromClaims", { enumerable: true, get: function() {
+      return envelope_1.workflowUserActorFromClaims;
+    } });
+    var sources_1 = require_sources();
+    Object.defineProperty(exports2, "DEFAULT_BUS_NAME_BY_SOURCE", { enumerable: true, get: function() {
+      return sources_1.DEFAULT_BUS_NAME_BY_SOURCE;
+    } });
+    Object.defineProperty(exports2, "OPENHI_CONTROL_SOURCE", { enumerable: true, get: function() {
+      return sources_1.OPENHI_CONTROL_SOURCE;
+    } });
+    Object.defineProperty(exports2, "OPENHI_DATA_SOURCE", { enumerable: true, get: function() {
+      return sources_1.OPENHI_DATA_SOURCE;
+    } });
+    Object.defineProperty(exports2, "OPENHI_OPS_SOURCE", { enumerable: true, get: function() {
+      return sources_1.OPENHI_OPS_SOURCE;
+    } });
+    var detail_types_1 = require_detail_types();
+    Object.defineProperty(exports2, "ControlPlaneMembershipCreatedV1", { enumerable: true, get: function() {
+      return detail_types_1.ControlPlaneMembershipCreatedV1;
+    } });
+    Object.defineProperty(exports2, "ControlPlaneMembershipDeletedV1", { enumerable: true, get: function() {
+      return detail_types_1.ControlPlaneMembershipDeletedV1;
+    } });
+    Object.defineProperty(exports2, "ControlPlaneOwningDeleteCompleteV1", { enumerable: true, get: function() {
+      return detail_types_1.ControlPlaneOwningDeleteCompleteV1;
+    } });
+    Object.defineProperty(exports2, "ControlPlaneOwningDeleteFailedV1", { enumerable: true, get: function() {
+      return detail_types_1.ControlPlaneOwningDeleteFailedV1;
+    } });
+    Object.defineProperty(exports2, "ControlPlaneOwningDeleteV1", { enumerable: true, get: function() {
+      return detail_types_1.ControlPlaneOwningDeleteV1;
+    } });
+    Object.defineProperty(exports2, "ControlPlaneRenameCompleteV1", { enumerable: true, get: function() {
+      return detail_types_1.ControlPlaneRenameCompleteV1;
+    } });
+    Object.defineProperty(exports2, "ControlPlaneRenameFailedV1", { enumerable: true, get: function() {
+      return detail_types_1.ControlPlaneRenameFailedV1;
+    } });
+    Object.defineProperty(exports2, "ControlPlaneRenameV1", { enumerable: true, get: function() {
+      return detail_types_1.ControlPlaneRenameV1;
+    } });
+    Object.defineProperty(exports2, "ControlPlaneRoleAssignmentCreatedV1", { enumerable: true, get: function() {
+      return detail_types_1.ControlPlaneRoleAssignmentCreatedV1;
+    } });
+    Object.defineProperty(exports2, "ControlPlaneRoleAssignmentDeletedV1", { enumerable: true, get: function() {
+      return detail_types_1.ControlPlaneRoleAssignmentDeletedV1;
+    } });
+    Object.defineProperty(exports2, "ControlPlaneWorkspaceCreatedV1", { enumerable: true, get: function() {
+      return detail_types_1.ControlPlaneWorkspaceCreatedV1;
+    } });
+    Object.defineProperty(exports2, "ControlPlaneWorkspaceDeletedV1", { enumerable: true, get: function() {
+      return detail_types_1.ControlPlaneWorkspaceDeletedV1;
+    } });
+    Object.defineProperty(exports2, "InvalidDetailTypeRegistrationError", { enumerable: true, get: function() {
+      return detail_types_1.InvalidDetailTypeRegistrationError;
+    } });
+    Object.defineProperty(exports2, "OWNING_ENTITY_TYPE", { enumerable: true, get: function() {
+      return detail_types_1.OWNING_ENTITY_TYPE;
+    } });
+    Object.defineProperty(exports2, "PlatformDeploymentCompletedV1", { enumerable: true, get: function() {
+      return detail_types_1.PlatformDeploymentCompletedV1;
+    } });
+    Object.defineProperty(exports2, "PlatformSystemDataSeededV1", { enumerable: true, get: function() {
+      return detail_types_1.PlatformSystemDataSeededV1;
+    } });
+    Object.defineProperty(exports2, "RENAMABLE_ENTITY_TYPE", { enumerable: true, get: function() {
+      return detail_types_1.RENAMABLE_ENTITY_TYPE;
+    } });
+    Object.defineProperty(exports2, "defineDetailType", { enumerable: true, get: function() {
+      return detail_types_1.defineDetailType;
+    } });
+    Object.defineProperty(exports2, "isWellFormedDetailType", { enumerable: true, get: function() {
+      return detail_types_1.isWellFormedDetailType;
+    } });
+    var publisher_1 = require_publisher();
+    Object.defineProperty(exports2, "WorkflowPublishError", { enumerable: true, get: function() {
+      return publisher_1.WorkflowPublishError;
+    } });
+    Object.defineProperty(exports2, "publishWorkflowEvent", { enumerable: true, get: function() {
+      return publisher_1.publishWorkflowEvent;
+    } });
+    Object.defineProperty(exports2, "workflowsClient", { enumerable: true, get: function() {
+      return publisher_1.workflowsClient;
+    } });
+    var consumer_1 = require_consumer();
+    Object.defineProperty(exports2, "InvalidWorkflowEventError", { enumerable: true, get: function() {
+      return consumer_1.InvalidWorkflowEventError;
+    } });
+    Object.defineProperty(exports2, "UnsupportedEnvelopeVersionError", { enumerable: true, get: function() {
+      return consumer_1.UnsupportedEnvelopeVersionError;
+    } });
+    Object.defineProperty(exports2, "parseWorkflowEvent", { enumerable: true, get: function() {
+      return consumer_1.parseWorkflowEvent;
+    } });
+    var dedup_1 = require_dedup();
+    Object.defineProperty(exports2, "WORKFLOW_DEDUP_DEFAULT_TTL_SECONDS", { enumerable: true, get: function() {
+      return dedup_1.WORKFLOW_DEDUP_DEFAULT_TTL_SECONDS;
+    } });
+    Object.defineProperty(exports2, "WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH", { enumerable: true, get: function() {
+      return dedup_1.WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH;
+    } });
+    Object.defineProperty(exports2, "WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR", { enumerable: true, get: function() {
+      return dedup_1.WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR;
+    } });
+    Object.defineProperty(exports2, "WorkflowDedupInvalidInputError", { enumerable: true, get: function() {
+      return dedup_1.WorkflowDedupInvalidInputError;
+    } });
+    Object.defineProperty(exports2, "WorkflowDedupTableNameMissingError", { enumerable: true, get: function() {
+      return dedup_1.WorkflowDedupTableNameMissingError;
+    } });
+    Object.defineProperty(exports2, "encodeSortKey", { enumerable: true, get: function() {
+      return dedup_1.encodeSortKey;
+    } });
+    Object.defineProperty(exports2, "markFailed", { enumerable: true, get: function() {
+      return dedup_1.markFailed;
+    } });
+    Object.defineProperty(exports2, "recordIfAbsent", { enumerable: true, get: function() {
+      return dedup_1.recordIfAbsent;
+    } });
+    Object.defineProperty(exports2, "workflowDedupClient", { enumerable: true, get: function() {
+      return dedup_1.workflowDedupClient;
+    } });
+  }
+});
+
 // src/data/lambda/rest-api-lambda.handler.ts
 var rest_api_lambda_handler_exports = {};
 __export(rest_api_lambda_handler_exports, {
@@ -1675,6 +2399,24 @@ var TenantEntity = new import_electrodb11.Entity({
       type: "string",
       required: true
     },
+    /**
+     * ADR-028 denormalized counter — number of tenant-scoped Memberships
+     * (users) in this tenant. Maintained by the counter-maintenance
+     * consumer via atomic ADD; absent/0 until first event or reconciliation.
+     */
+    usersInTenant: {
+      type: "number",
+      required: false
+    },
+    /**
+     * ADR-028 denormalized counter — number of Workspaces in this tenant.
+     * Maintained by the counter-maintenance consumer via atomic ADD;
+     * absent/0 until first event or reconciliation.
+     */
+    workspacesInTenant: {
+      type: "number",
+      required: false
+    },
     gsi1Shard: gsi1ShardAttribute,
     /** Derived GSI1 sort key — name-based when extractable; else `<lastUpdated>#<id>`. */
     gsi1sk: gsi1skAttribute,
@@ -1779,6 +2521,26 @@ var UserEntity = new import_electrodb12.Entity({
       type: "string",
       required: true
     },
+    /**
+     * ADR-028 denormalized counter — number of tenant-scoped Memberships
+     * (tenants) this user belongs to. Maintained by the
+     * counter-maintenance consumer via atomic ADD; absent/0 until first
+     * event or reconciliation.
+     */
+    tenantsForUser: {
+      type: "number",
+      required: false
+    },
+    /**
+     * ADR-028 denormalized counter — number of workspace-scoped
+     * Memberships (workspaces) this user belongs to. Maintained by the
+     * counter-maintenance consumer via atomic ADD; absent/0 until first
+     * event or reconciliation.
+     */
+    workspacesForUser: {
+      type: "number",
+      required: false
+    },
     gsi1Shard: gsi1ShardAttribute,
     /** Derived GSI1 sort key — name-based when extractable; else `<lastUpdated>#<id>`. */
     gsi1sk: gsi1skAttribute,
@@ -1923,6 +2685,36 @@ var WorkspaceEntity = new import_electrodb13.Entity({
       type: "string",
       required: true
     },
+    /**
+     * ADR-028 denormalized counter — number of workspace-scoped
+     * Memberships (users) in this workspace. Maintained by the
+     * counter-maintenance consumer via atomic ADD; absent/0 until first
+     * event or reconciliation.
+     */
+    usersInWorkspace: {
+      type: "number",
+      required: false
+    },
+    /**
+     * ADR-028 denormalized counter — number of workspace-scoped
+     * RoleAssignments classified as admin-tier in this workspace.
+     * Maintained by the counter-maintenance consumer via atomic ADD;
+     * absent/0 until first event or reconciliation.
+     */
+    adminUsersInWorkspace: {
+      type: "number",
+      required: false
+    },
+    /**
+     * ADR-028 denormalized counter — number of workspace-scoped
+     * RoleAssignments classified as non-admin in this workspace.
+     * Maintained by the counter-maintenance consumer via atomic ADD;
+     * absent/0 until first event or reconciliation.
+     */
+    normalUsersInWorkspace: {
+      type: "number",
+      required: false
+    },
     gsi1Shard: gsi1ShardAttribute,
     /** Derived GSI1 sort key — name-based when extractable; else `<lastUpdated>#<id>`. */
     gsi1sk: gsi1skAttribute,
@@ -3240,7 +4032,7 @@ function sendInvalidSummary400(res, diagnostics) {
 }
 async function handleListRoute(opts) {
   const { req, res, basePath, listOperation, errorLogContext } = opts;
-  const ctx = req.openhiContext;
+  const ctx = opts.context ?? req.openhiContext;
   const parsed = parseSearchSubsetting(req, res);
   if ("errorResponse" in parsed) return parsed.errorResponse;
   try {
@@ -4933,6 +5725,76 @@ function buildMembershipWorkspaceProjectionItem(input) {
   };
 }
 
+// src/data/operations/control/control-event-publisher.ts
+var import_client_eventbridge = require("@aws-sdk/client-eventbridge");
+var import_workflows = __toESM(require_lib());
+var CONTROL_EVENT_BUS_NAME_ENV_VAR = "CONTROL_EVENT_BUS_NAME";
+var cachedClient;
+function getClient() {
+  if (!cachedClient) {
+    cachedClient = new import_client_eventbridge.EventBridgeClient({
+      region: process.env.AWS_REGION ?? "us-east-1"
+    });
+  }
+  return cachedClient;
+}
+function actorFromContext(context) {
+  return {
+    ohi_tid: context.tenantId,
+    ohi_wid: context.workspaceId,
+    ohi_uid: context.actorId,
+    ohi_uname: context.actorName
+  };
+}
+async function publishControlEvent(entry, payload, context) {
+  const busName = process.env[CONTROL_EVENT_BUS_NAME_ENV_VAR];
+  if (!busName) {
+    return;
+  }
+  try {
+    await (0, import_workflows.publishWorkflowEvent)(
+      getClient(),
+      entry,
+      payload,
+      { actor: actorFromContext(context) },
+      { busNameByPlane: { [import_workflows.OPENHI_CONTROL_SOURCE]: busName } }
+    );
+  } catch (err) {
+    console.error(`control-event publish failed for ${entry.detailType}:`, err);
+  }
+}
+async function publishMembershipCreated(context, detail) {
+  await publishControlEvent(import_workflows.ControlPlaneMembershipCreatedV1, detail, context);
+}
+async function publishMembershipDeleted(context, detail) {
+  await publishControlEvent(import_workflows.ControlPlaneMembershipDeletedV1, detail, context);
+}
+async function publishRoleAssignmentCreated(context, detail) {
+  await publishControlEvent(
+    import_workflows.ControlPlaneRoleAssignmentCreatedV1,
+    detail,
+    context
+  );
+}
+async function publishRoleAssignmentDeleted(context, detail) {
+  await publishControlEvent(
+    import_workflows.ControlPlaneRoleAssignmentDeletedV1,
+    detail,
+    context
+  );
+}
+async function publishWorkspaceCreated(context, detail) {
+  await publishControlEvent(import_workflows.ControlPlaneWorkspaceCreatedV1, detail, context);
+}
+async function publishWorkspaceDeleted(context, detail) {
+  await publishControlEvent(import_workflows.ControlPlaneWorkspaceDeletedV1, detail, context);
+}
+function extractRoleLevel(resource) {
+  const code = resource?.code;
+  const first = code?.coding?.[0]?.code;
+  return typeof first === "string" && first.length > 0 ? first : void 0;
+}
+
 // src/data/operations/control/denormalized-display-names.ts
 function extractDenormalizedReferenceDisplay(resource, fieldName) {
   const field = resource[fieldName];
@@ -5060,6 +5922,14 @@ async function createMembershipOperation(params) {
     });
   }
   await executeMultiWrite({ service, triples });
+  await publishMembershipCreated(context, {
+    membershipId: id,
+    tenantId: context.tenantId,
+    ...userIdFromResource !== void 0 && { userId: userIdFromResource },
+    ...workspaceIdFromResource !== void 0 && {
+      workspaceId: workspaceIdFromResource
+    }
+  });
   return {
     id,
     resource,
@@ -5186,6 +6056,14 @@ async function deleteMembershipOperation(params) {
     });
   }
   await executeMultiWrite({ service, triples });
+  await publishMembershipDeleted(context, {
+    membershipId: id,
+    tenantId: context.tenantId,
+    ...userIdFromResource !== void 0 && { userId: userIdFromResource },
+    ...workspaceIdFromResource !== void 0 && {
+      workspaceId: workspaceIdFromResource
+    }
+  });
 }
 
 // src/data/rest-api/routes/control/membership/membership-delete-route.ts
@@ -5270,69 +6148,209 @@ async function listMembershipsOperation(params) {
   });
 }
 
-// src/data/rest-api/routes/control/membership/membership-list-route.ts
-async function listMembershipsRoute(req, res) {
-  return handleListRoute({
-    req,
-    res,
-    basePath: BASE_PATH.MEMBERSHIP,
-    listOperation: listMembershipsOperation,
-    errorLogContext: "GET /Membership list error:"
+// src/data/rest-api/routes/control/cross-cutting-route-helpers.ts
+function sendInvalidQuery400(res, diagnostics) {
+  return res.status(400).json({
+    resourceType: "OperationOutcome",
+    issue: [{ severity: "error", code: "invalid", diagnostics }]
   });
 }
-
-// src/data/operations/control/membership/membership-update-operation.ts
-var import_types9 = require("@openhi/types");
-async function updateMembershipOperation(params) {
-  const { context, id, body, tableName } = params;
-  const service = getDynamoControlService(tableName);
-  const existing = await service.entities.membership.get({ tenantId: context.tenantId, id, sk: "CURRENT" }).go();
-  if (!existing.data) {
-    throw new NotFoundError(`Membership not found: ${id}`);
+function resolveTenantScopeOverride(req, res, context) {
+  const raw = (req.query ?? {}).tenant;
+  if (raw === void 0) {
+    return { ok: true, context };
   }
-  const parsedResource = typeof body.resource === "string" ? JSON.parse(body.resource) : body.resource ?? {};
-  const lastUpdated = context.date ?? (/* @__PURE__ */ new Date()).toISOString();
-  const vid = `${Date.now()}`;
-  const resource = { resourceType: "Membership", id, ...parsedResource };
-  let linkedDataIdentityRef;
-  try {
-    const ext = (0, import_types9.assertLinkedDataIdentityCardinality)(
-      resource
-    );
-    linkedDataIdentityRef = ext?.valueReference?.reference;
-  } catch (e) {
-    if (e instanceof import_types9.LinkedDataIdentityCardinalityError) {
-      throw new ValidationError(e.message, { cause: e });
-    }
-    throw e;
+  if (typeof raw !== "string" || raw.length === 0) {
+    return {
+      ok: false,
+      response: sendInvalidQuery400(
+        res,
+        "Query parameter `tenant` must be a non-empty string."
+      )
+    };
   }
-  const resourceRecord = resource;
-  const denormalizedTenantName = extractDenormalizedReferenceDisplay(
-    resourceRecord,
-    "tenant"
-  );
-  const denormalizedUserName = extractDenormalizedReferenceDisplay(
-    resourceRecord,
-    "user"
-  );
-  const denormalizedWorkspaceName = extractDenormalizedReferenceDisplay(
-    resourceRecord,
-    "workspace"
-  );
-  const summary = JSON.stringify((0, import_types9.extractSummary)(resource));
-  const userIdFromResource = extractReferenceSlug(resourceRecord, "user");
-  const workspaceIdFromResource = extractReferenceSlug(
-    resourceRecord,
-    "workspace"
-  );
-  const userProjectionItem = userIdFromResource !== void 0 ? buildMembershipUserProjectionItem({
-    tenantId: context.tenantId,
-    userId: userIdFromResource,
-    workspaceId: workspaceIdFromResource,
-    membershipId: id,
-    summary,
-    vid,
-    lastUpdated,
+  return { ok: true, context: { ...context, tenantId: raw } };
+}
+function sendForbidden403(res, diagnostics) {
+  return res.status(403).json({
+    resourceType: "OperationOutcome",
+    issue: [{ severity: "error", code: "forbidden", diagnostics }]
+  });
+}
+var COMMON_KEYS = ["cursor", "limit", "order"];
+function parseCommonListQuery(req, res, options = {}) {
+  const q = req.query ?? {};
+  const allowedKeys = /* @__PURE__ */ new Set([
+    ...COMMON_KEYS,
+    ...options.extraKeys ?? []
+  ]);
+  const extra = Object.keys(q).filter((k) => !allowedKeys.has(k));
+  if (extra.length > 0) {
+    return {
+      ok: false,
+      response: sendInvalidQuery400(
+        res,
+        `Unsupported query parameter${extra.length === 1 ? "" : "s"}: ${extra.join(", ")}.`
+      )
+    };
+  }
+  const rawCursor = q.cursor;
+  let cursor = null;
+  if (rawCursor !== void 0) {
+    if (typeof rawCursor !== "string") {
+      return {
+        ok: false,
+        response: sendInvalidQuery400(
+          res,
+          "Query parameter `cursor` must be a string."
+        )
+      };
+    }
+    cursor = rawCursor;
+  }
+  const rawLimit = q.limit;
+  let limit;
+  if (rawLimit !== void 0) {
+    if (typeof rawLimit !== "string" || rawLimit.length === 0) {
+      return {
+        ok: false,
+        response: sendInvalidQuery400(
+          res,
+          "Query parameter `limit` must be a positive integer."
+        )
+      };
+    }
+    const parsed = Number(rawLimit);
+    if (!Number.isInteger(parsed) || parsed <= 0) {
+      return {
+        ok: false,
+        response: sendInvalidQuery400(
+          res,
+          "Query parameter `limit` must be a positive integer."
+        )
+      };
+    }
+    limit = parsed;
+  }
+  const rawOrder = q.order;
+  let order;
+  if (rawOrder !== void 0) {
+    if (rawOrder !== "asc" && rawOrder !== "desc") {
+      return {
+        ok: false,
+        response: sendInvalidQuery400(
+          res,
+          'Query parameter `order` must be one of "asc", "desc".'
+        )
+      };
+    }
+    order = rawOrder;
+  }
+  const value = order === void 0 ? limit === void 0 ? { cursor } : { cursor, limit } : limit === void 0 ? { cursor, order } : { cursor, limit, order };
+  return { ok: true, value };
+}
+function buildPaginationLinks(opts) {
+  const links = [
+    { relation: "self", url: composeUrl(opts.basePath, opts.query) }
+  ];
+  if (opts.nextCursor !== null && opts.nextCursor.length > 0) {
+    const nextQuery = { ...opts.query };
+    nextQuery.cursor = opts.nextCursor;
+    links.push({
+      relation: "next",
+      url: composeUrl(opts.basePath, nextQuery)
+    });
+  }
+  return links;
+}
+function composeUrl(basePath, query) {
+  const usp = new URLSearchParams();
+  for (const [key, value] of Object.entries(query)) {
+    if (value === void 0 || value === null) {
+      continue;
+    }
+    if (Array.isArray(value)) {
+      for (const v of value) {
+        if (v !== void 0 && v !== null) {
+          usp.append(key, String(v));
+        }
+      }
+    } else {
+      usp.append(key, String(value));
+    }
+  }
+  const qs = usp.toString();
+  return qs.length === 0 ? basePath : `${basePath}?${qs}`;
+}
+
+// src/data/rest-api/routes/control/membership/membership-list-route.ts
+async function listMembershipsRoute(req, res) {
+  const scope = resolveTenantScopeOverride(req, res, req.openhiContext);
+  if (!scope.ok) {
+    return scope.response;
+  }
+  return handleListRoute({
+    req,
+    res,
+    basePath: BASE_PATH.MEMBERSHIP,
+    listOperation: listMembershipsOperation,
+    errorLogContext: "GET /Membership list error:",
+    context: scope.context
+  });
+}
+
+// src/data/operations/control/membership/membership-update-operation.ts
+var import_types9 = require("@openhi/types");
+async function updateMembershipOperation(params) {
+  const { context, id, body, tableName } = params;
+  const service = getDynamoControlService(tableName);
+  const existing = await service.entities.membership.get({ tenantId: context.tenantId, id, sk: "CURRENT" }).go();
+  if (!existing.data) {
+    throw new NotFoundError(`Membership not found: ${id}`);
+  }
+  const parsedResource = typeof body.resource === "string" ? JSON.parse(body.resource) : body.resource ?? {};
+  const lastUpdated = context.date ?? (/* @__PURE__ */ new Date()).toISOString();
+  const vid = `${Date.now()}`;
+  const resource = { resourceType: "Membership", id, ...parsedResource };
+  let linkedDataIdentityRef;
+  try {
+    const ext = (0, import_types9.assertLinkedDataIdentityCardinality)(
+      resource
+    );
+    linkedDataIdentityRef = ext?.valueReference?.reference;
+  } catch (e) {
+    if (e instanceof import_types9.LinkedDataIdentityCardinalityError) {
+      throw new ValidationError(e.message, { cause: e });
+    }
+    throw e;
+  }
+  const resourceRecord = resource;
+  const denormalizedTenantName = extractDenormalizedReferenceDisplay(
+    resourceRecord,
+    "tenant"
+  );
+  const denormalizedUserName = extractDenormalizedReferenceDisplay(
+    resourceRecord,
+    "user"
+  );
+  const denormalizedWorkspaceName = extractDenormalizedReferenceDisplay(
+    resourceRecord,
+    "workspace"
+  );
+  const summary = JSON.stringify((0, import_types9.extractSummary)(resource));
+  const userIdFromResource = extractReferenceSlug(resourceRecord, "user");
+  const workspaceIdFromResource = extractReferenceSlug(
+    resourceRecord,
+    "workspace"
+  );
+  const userProjectionItem = userIdFromResource !== void 0 ? buildMembershipUserProjectionItem({
+    tenantId: context.tenantId,
+    userId: userIdFromResource,
+    workspaceId: workspaceIdFromResource,
+    membershipId: id,
+    summary,
+    vid,
+    lastUpdated,
     denormalizedTenantName,
     denormalizedUserName,
     denormalizedWorkspaceName
@@ -5902,6 +6920,18 @@ async function createRoleAssignmentOperation(params) {
     });
   }
   await executeMultiWrite({ service, triples });
+  await publishRoleAssignmentCreated(context, {
+    roleAssignmentId: id,
+    tenantId: context.tenantId,
+    ...userIdFromResource !== void 0 && { userId: userIdFromResource },
+    ...workspaceIdFromResource !== void 0 && {
+      workspaceId: workspaceIdFromResource
+    },
+    ...roleIdFromResource !== void 0 && { roleId: roleIdFromResource },
+    ...extractRoleLevel(resourceRecord) !== void 0 && {
+      roleLevel: extractRoleLevel(resourceRecord)
+    }
+  });
   return {
     id,
     resource,
@@ -6029,6 +7059,18 @@ async function deleteRoleAssignmentOperation(params) {
     });
   }
   await executeMultiWrite({ service, triples });
+  await publishRoleAssignmentDeleted(context, {
+    roleAssignmentId: id,
+    tenantId: context.tenantId,
+    ...userIdFromResource !== void 0 && { userId: userIdFromResource },
+    ...workspaceIdFromResource !== void 0 && {
+      workspaceId: workspaceIdFromResource
+    },
+    ...roleIdFromResource !== void 0 && { roleId: roleIdFromResource },
+    ...extractRoleLevel(parsed) !== void 0 && {
+      roleLevel: extractRoleLevel(parsed)
+    }
+  });
 }
 
 // src/data/rest-api/routes/control/roleassignment/roleassignment-delete-route.ts
@@ -6440,6 +7482,9 @@ async function getTenantByIdRoute(req, res) {
 
 // src/data/operations/control/tenant/tenant-list-operation.ts
 var SK9 = "CURRENT";
+function counterValue(value) {
+  return typeof value === "number" && Number.isFinite(value) ? value : 0;
+}
 async function listTenantsOperation(params) {
   const { tableName, mode = "full" } = params;
   const service = getDynamoControlService(tableName);
@@ -6449,40 +7494,278 @@ async function listTenantsOperation(params) {
       (_, shard) => service.entities.tenant.query.gsi1({ gsi1Shard: String(shard) }).go()
     )
   );
-  return dispatchListMode(
-    mode,
-    shardResults,
-    {
-      hydrate: (orderedIds) => batchGetWithRetry(
-        service.entities.tenant,
-        orderedIds.map((id) => ({ tenantId: id, sk: SK9 }))
-      ),
-      getId: (item) => item.id,
-      buildEntry: (id, item) => ({
+  return dispatchListMode(mode, shardResults, {
+    hydrate: (orderedIds) => batchGetWithRetry(
+      service.entities.tenant,
+      orderedIds.map((id) => ({ tenantId: id, sk: SK9 }))
+    ),
+    getId: (item) => item.id,
+    // FULL mode (admin list default): read the ADR-028 counters off the
+    // canonical record hydrated by BatchGet and expose them as
+    // `resource.counts`. Missing counters render as 0.
+    buildEntry: (id, item) => ({
+      id,
+      resource: {
+        resourceType: "Tenant",
         id,
-        resource: {
-          resourceType: "Tenant",
-          id,
-          ...JSON.parse(item.resource)
+        ...JSON.parse(item.resource),
+        counts: {
+          usersInTenant: counterValue(item.usersInTenant),
+          workspacesInTenant: counterValue(item.workspacesInTenant)
         }
-      }),
-      buildSummaryEntry: (id, parsed) => ({
+      }
+    }),
+    // SUMMARY mode reads only the GSI1 `summary` projection, which does
+    // not carry the counters; surface zeros so the shape stays uniform.
+    buildSummaryEntry: (id, parsed) => ({
+      id,
+      resource: {
+        resourceType: "Tenant",
         id,
-        resource: { resourceType: "Tenant", id, ...parsed }
-      })
+        ...parsed,
+        counts: { usersInTenant: 0, workspacesInTenant: 0 }
+      }
+    })
+  });
+}
+
+// src/data/rest-api/routes/control/tenant/tenant-list-route.ts
+async function listTenantsRoute(req, res) {
+  return handleListRoute({
+    req,
+    res,
+    basePath: BASE_PATH.TENANT,
+    listOperation: listTenantsOperation,
+    errorLogContext: "GET /Tenant list error:"
+  });
+}
+
+// src/data/operations/control/workspace/workspace-list-operation.ts
+var SK10 = "CURRENT";
+function counterValue2(value) {
+  return typeof value === "number" && Number.isFinite(value) ? value : 0;
+}
+async function listWorkspacesOperation(params) {
+  const { context, tableName, mode = "full" } = params;
+  const { tenantId } = context;
+  const service = getDynamoControlService(tableName);
+  const shardResults = await Promise.all(
+    Array.from(
+      { length: SHARD_COUNT },
+      (_, shard) => service.entities.workspace.query.gsi1({ tenantId, gsi1Shard: String(shard) }).go()
+    )
+  );
+  return dispatchListMode(mode, shardResults, {
+    hydrate: (orderedIds) => batchGetWithRetry(
+      service.entities.workspace,
+      orderedIds.map((id) => ({ tenantId, id, sk: SK10 }))
+    ),
+    getId: (item) => item.id,
+    // FULL mode (admin list default): read the ADR-028 counters off the
+    // canonical record hydrated by BatchGet and expose them as
+    // `resource.counts`. Missing counters render as 0.
+    buildEntry: (id, item) => ({
+      id,
+      resource: {
+        resourceType: "Workspace",
+        id,
+        ...JSON.parse(item.resource),
+        counts: {
+          usersInWorkspace: counterValue2(item.usersInWorkspace),
+          adminUsersInWorkspace: counterValue2(item.adminUsersInWorkspace),
+          normalUsersInWorkspace: counterValue2(item.normalUsersInWorkspace)
+        }
+      }
+    }),
+    // SUMMARY mode reads only the GSI1 `summary` projection (no
+    // counters); surface zeros so the shape stays uniform.
+    buildSummaryEntry: (id, parsed) => ({
+      id,
+      resource: {
+        resourceType: "Workspace",
+        id,
+        ...parsed,
+        counts: {
+          usersInWorkspace: 0,
+          adminUsersInWorkspace: 0,
+          normalUsersInWorkspace: 0
+        }
+      }
+    })
+  });
+}
+
+// src/data/operations/control/tenant/tenant-users-operation.ts
+var USER_SK = "CURRENT";
+function extractEmail(user) {
+  const telecom = user.telecom;
+  if (!Array.isArray(telecom)) {
+    return null;
+  }
+  for (const entry of telecom) {
+    if (entry.system === "email" && typeof entry.value === "string" && entry.value.length > 0) {
+      return entry.value;
+    }
+  }
+  return null;
+}
+function extractDisplayName(user) {
+  const name = user.name;
+  if (!Array.isArray(name) || name.length === 0) {
+    return null;
+  }
+  const first = name[0];
+  if (typeof first.text === "string" && first.text.trim().length > 0) {
+    return first.text.trim();
+  }
+  const given = Array.isArray(first.given) ? first.given.filter((g) => typeof g === "string").join(" ").trim() : "";
+  const family = typeof first.family === "string" ? first.family : "";
+  const composed = `${given} ${family}`.trim();
+  return composed.length > 0 ? composed : null;
+}
+function extractReferenceDisplay(resource, fieldName) {
+  const field = resource[fieldName];
+  if (!field || typeof field !== "object") {
+    return null;
+  }
+  const display = field.display;
+  if (typeof display !== "string") {
+    return null;
+  }
+  const trimmed = display.trim();
+  return trimmed.length > 0 ? trimmed : null;
+}
+function ensureAccumulator(byUser, userId) {
+  let acc = byUser.get(userId);
+  if (!acc) {
+    acc = { tenantRole: null, workspaces: /* @__PURE__ */ new Map() };
+    byUser.set(userId, acc);
+  }
+  return acc;
+}
+async function tenantUsersOperation(params) {
+  const { context, tableName } = params;
+  const service = getDynamoControlService(tableName);
+  const [memberships, roleAssignments, workspaces] = await Promise.all([
+    listMembershipsOperation({ context, tableName }),
+    listRoleAssignmentsOperation({ context, tableName }),
+    listWorkspacesOperation({ context, tableName })
+  ]);
+  const workspaceNames = /* @__PURE__ */ new Map();
+  for (const entry of workspaces.entries) {
+    const resource = entry.resource;
+    const name = typeof resource.name === "string" && resource.name.trim().length > 0 ? resource.name.trim() : null;
+    workspaceNames.set(entry.id, name);
+  }
+  const byUser = /* @__PURE__ */ new Map();
+  for (const entry of memberships.entries) {
+    const resource = entry.resource;
+    const userId = extractReferenceSlug(resource, "user");
+    if (userId === void 0) {
+      continue;
+    }
+    const acc = ensureAccumulator(byUser, userId);
+    const workspaceId = extractReferenceSlug(resource, "workspace");
+    if (workspaceId !== void 0 && !acc.workspaces.has(workspaceId)) {
+      acc.workspaces.set(workspaceId, { workspaceId, role: null });
+    }
+  }
+  for (const entry of roleAssignments.entries) {
+    const resource = entry.resource;
+    const userId = extractReferenceSlug(resource, "user");
+    const roleId = extractReferenceSlug(resource, "role");
+    if (userId === void 0 || roleId === void 0) {
+      continue;
     }
+    const acc = ensureAccumulator(byUser, userId);
+    const role = {
+      roleId,
+      roleName: extractReferenceDisplay(resource, "role")
+    };
+    const workspaceId = extractReferenceSlug(resource, "workspace");
+    if (workspaceId === void 0) {
+      acc.tenantRole = role;
+    } else {
+      const existing = acc.workspaces.get(workspaceId);
+      if (existing) {
+        existing.role = role;
+      } else {
+        acc.workspaces.set(workspaceId, { workspaceId, role });
+      }
+    }
+  }
+  const userIds = Array.from(byUser.keys());
+  const userRows = userIds.length === 0 ? [] : await batchGetWithRetry(
+    service.entities.user,
+    userIds.map((id) => ({ id, sk: USER_SK }))
   );
+  const usersById = /* @__PURE__ */ new Map();
+  for (const row of userRows) {
+    try {
+      usersById.set(
+        row.id,
+        JSON.parse(row.resource)
+      );
+    } catch {
+    }
+  }
+  const entries = userIds.map((userId) => {
+    const acc = byUser.get(userId);
+    const user = usersById.get(userId);
+    const workspaceEntries = Array.from(
+      acc.workspaces.values()
+    ).map((ws) => ({
+      workspaceId: ws.workspaceId,
+      workspaceName: workspaceNames.get(ws.workspaceId) ?? null,
+      role: ws.role
+    }));
+    return {
+      resourceType: "TenantUser",
+      userId,
+      displayName: user ? extractDisplayName(user) : null,
+      email: user ? extractEmail(user) : null,
+      tenantRole: acc.tenantRole,
+      workspaces: workspaceEntries
+    };
+  });
+  return { entries };
 }
 
-// src/data/rest-api/routes/control/tenant/tenant-list-route.ts
-async function listTenantsRoute(req, res) {
-  return handleListRoute({
-    req,
-    res,
-    basePath: BASE_PATH.TENANT,
-    listOperation: listTenantsOperation,
-    errorLogContext: "GET /Tenant list error:"
-  });
+// src/data/rest-api/routes/control/tenant/tenant-list-users-route.ts
+async function listTenantUsersRoute(req, res) {
+  const ctx = req.openhiContext;
+  if (!ctx) {
+    return sendForbidden403(
+      res,
+      "Missing or invalid OpenHI JWT claims (tenant, workspace, or audit context)."
+    );
+  }
+  const tenantId = String(req.params.id);
+  if (tenantId.length === 0) {
+    return sendForbidden403(res, "Tenant id is required.");
+  }
+  const parsed = parseCommonListQuery(req, res);
+  if (!parsed.ok) {
+    return parsed.response;
+  }
+  const scopedContext = { ...ctx, tenantId };
+  try {
+    const result = await tenantUsersOperation({ context: scopedContext });
+    const basePath = `${BASE_PATH.TENANT}/${tenantId}/users`;
+    const entries = result.entries.map((entry) => ({
+      fullUrl: `${BASE_PATH.USER}/${entry.userId}`,
+      resource: entry
+    }));
+    return res.json({
+      resourceType: "Bundle",
+      type: "searchset",
+      total: entries.length,
+      link: [{ relation: "self", url: basePath }],
+      entry: entries
+    });
+  } catch (err) {
+    return sendOperationOutcome500(res, err, "GET /Tenant/:id/users error:");
+  }
 }
 
 // src/data/operations/control/tenant/tenant-update-operation.ts
@@ -6552,6 +7835,7 @@ async function updateTenantRoute(req, res) {
 // src/data/rest-api/routes/control/tenant/tenant.ts
 var router6 = import_express6.default.Router();
 router6.get("/", listTenantsRoute);
+router6.get("/:id/users", listTenantUsersRoute);
 router6.get("/:id", getTenantByIdRoute);
 router6.post("/", createTenantRoute);
 router6.put("/:id", updateTenantRoute);
@@ -6747,125 +8031,6 @@ async function configurationListByWorkspaceOperation(params) {
   return { items, cursor: result.cursor ?? null };
 }
 
-// src/data/rest-api/routes/control/cross-cutting-route-helpers.ts
-function sendInvalidQuery400(res, diagnostics) {
-  return res.status(400).json({
-    resourceType: "OperationOutcome",
-    issue: [{ severity: "error", code: "invalid", diagnostics }]
-  });
-}
-function sendForbidden403(res, diagnostics) {
-  return res.status(403).json({
-    resourceType: "OperationOutcome",
-    issue: [{ severity: "error", code: "forbidden", diagnostics }]
-  });
-}
-var COMMON_KEYS = ["cursor", "limit", "order"];
-function parseCommonListQuery(req, res, options = {}) {
-  const q = req.query ?? {};
-  const allowedKeys = /* @__PURE__ */ new Set([
-    ...COMMON_KEYS,
-    ...options.extraKeys ?? []
-  ]);
-  const extra = Object.keys(q).filter((k) => !allowedKeys.has(k));
-  if (extra.length > 0) {
-    return {
-      ok: false,
-      response: sendInvalidQuery400(
-        res,
-        `Unsupported query parameter${extra.length === 1 ? "" : "s"}: ${extra.join(", ")}.`
-      )
-    };
-  }
-  const rawCursor = q.cursor;
-  let cursor = null;
-  if (rawCursor !== void 0) {
-    if (typeof rawCursor !== "string") {
-      return {
-        ok: false,
-        response: sendInvalidQuery400(
-          res,
-          "Query parameter `cursor` must be a string."
-        )
-      };
-    }
-    cursor = rawCursor;
-  }
-  const rawLimit = q.limit;
-  let limit;
-  if (rawLimit !== void 0) {
-    if (typeof rawLimit !== "string" || rawLimit.length === 0) {
-      return {
-        ok: false,
-        response: sendInvalidQuery400(
-          res,
-          "Query parameter `limit` must be a positive integer."
-        )
-      };
-    }
-    const parsed = Number(rawLimit);
-    if (!Number.isInteger(parsed) || parsed <= 0) {
-      return {
-        ok: false,
-        response: sendInvalidQuery400(
-          res,
-          "Query parameter `limit` must be a positive integer."
-        )
-      };
-    }
-    limit = parsed;
-  }
-  const rawOrder = q.order;
-  let order;
-  if (rawOrder !== void 0) {
-    if (rawOrder !== "asc" && rawOrder !== "desc") {
-      return {
-        ok: false,
-        response: sendInvalidQuery400(
-          res,
-          'Query parameter `order` must be one of "asc", "desc".'
-        )
-      };
-    }
-    order = rawOrder;
-  }
-  const value = order === void 0 ? limit === void 0 ? { cursor } : { cursor, limit } : limit === void 0 ? { cursor, order } : { cursor, limit, order };
-  return { ok: true, value };
-}
-function buildPaginationLinks(opts) {
-  const links = [
-    { relation: "self", url: composeUrl(opts.basePath, opts.query) }
-  ];
-  if (opts.nextCursor !== null && opts.nextCursor.length > 0) {
-    const nextQuery = { ...opts.query };
-    nextQuery.cursor = opts.nextCursor;
-    links.push({
-      relation: "next",
-      url: composeUrl(opts.basePath, nextQuery)
-    });
-  }
-  return links;
-}
-function composeUrl(basePath, query) {
-  const usp = new URLSearchParams();
-  for (const [key, value] of Object.entries(query)) {
-    if (value === void 0 || value === null) {
-      continue;
-    }
-    if (Array.isArray(value)) {
-      for (const v of value) {
-        if (v !== void 0 && v !== null) {
-          usp.append(key, String(v));
-        }
-      }
-    } else {
-      usp.append(key, String(value));
-    }
-  }
-  const qs = usp.toString();
-  return qs.length === 0 ? basePath : `${basePath}?${qs}`;
-}
-
 // src/data/rest-api/routes/control/projection-bundle-helpers.ts
 var EXT_BASE = "https://openhi.org/fhir/StructureDefinition";
 function parseProjectionSummary(summary) {
@@ -7181,6 +8346,20 @@ async function membershipListByUserOperation(params) {
   return { items, cursor: result.cursor ?? null };
 }
 
+// src/data/operations/control/membership/membership-count-by-user-operation.ts
+async function countMembershipsByUserOperation(params) {
+  const { userId, mode = "all", tenantId, tableName } = params;
+  if (mode === "workspaceInTenant" && !tenantId) {
+    throw new Error(
+      'countMembershipsByUserOperation: tenantId is required when mode === "workspaceInTenant"'
+    );
+  }
+  const service = getDynamoControlService(tableName);
+  const skPrefix = buildSkPrefix(mode, tenantId);
+  const result = await service.entities.membershipUserProjection.query.record({ userId }).begins({ sk: skPrefix }).go({ pages: "all", attributes: ["membershipId"] });
+  return (result.data ?? []).length;
+}
+
 // src/data/operations/control/membership/membership-list-by-workspace-operation.ts
 async function membershipListByWorkspaceOperation(params) {
   const {
@@ -7239,7 +8418,7 @@ async function listUserMembershipsRoute(req, res) {
     );
   }
   const parsed = parseCommonListQuery(req, res, {
-    extraKeys: ["mode", "tenantId"]
+    extraKeys: ["mode", "tenantId", "_summary"]
   });
   if (!parsed.ok) {
     return parsed.response;
@@ -7272,6 +8451,33 @@ async function listUserMembershipsRoute(req, res) {
       'Query parameter `tenantId` is required when `mode === "workspaceInTenant"`.'
     );
   }
+  const rawSummary = req.query._summary;
+  if (rawSummary !== void 0) {
+    if (rawSummary !== "count") {
+      return sendInvalidQuery400(
+        res,
+        'Query parameter `_summary` must be "count" on this endpoint.'
+      );
+    }
+    try {
+      const total = await countMembershipsByUserOperation({
+        userId,
+        mode,
+        tenantId
+      });
+      return res.json({
+        resourceType: "Bundle",
+        type: "searchset",
+        total
+      });
+    } catch (err) {
+      return sendOperationOutcome500(
+        res,
+        err,
+        "GET /User/:id/Membership count error:"
+      );
+    }
+  }
   try {
     const result = await membershipListByUserOperation({
       userId,
@@ -7504,7 +8710,10 @@ async function listUserRoleAssignmentsRoute(req, res) {
 }
 
 // src/data/operations/control/user/user-list-operation.ts
-var SK10 = "CURRENT";
+var SK11 = "CURRENT";
+function counterValue3(value) {
+  return typeof value === "number" && Number.isFinite(value) ? value : 0;
+}
 async function listUsersOperation(params) {
   const { tableName, mode = "full" } = params;
   const service = getDynamoControlService(tableName);
@@ -7517,20 +8726,34 @@ async function listUsersOperation(params) {
   return dispatchListMode(mode, shardResults, {
     hydrate: (orderedIds) => batchGetWithRetry(
       service.entities.user,
-      orderedIds.map((id) => ({ id, sk: SK10 }))
+      orderedIds.map((id) => ({ id, sk: SK11 }))
     ),
     getId: (item) => item.id,
+    // FULL mode (admin list default): read the ADR-028 counters off the
+    // canonical record hydrated by BatchGet and expose them as
+    // `resource.counts`. Missing counters render as 0.
     buildEntry: (id, item) => ({
       id,
       resource: {
         resourceType: "User",
         id,
-        ...JSON.parse(item.resource)
+        ...JSON.parse(item.resource),
+        counts: {
+          tenantsForUser: counterValue3(item.tenantsForUser),
+          workspacesForUser: counterValue3(item.workspacesForUser)
+        }
       }
     }),
+    // SUMMARY mode reads only the GSI1 `summary` projection (no
+    // counters); surface zeros so the shape stays uniform.
     buildSummaryEntry: (id, parsed) => ({
       id,
-      resource: { resourceType: "User", id, ...parsed }
+      resource: {
+        resourceType: "User",
+        id,
+        ...parsed,
+        counts: { tenantsForUser: 0, workspacesForUser: 0 }
+      }
     })
   });
 }
@@ -7687,7 +8910,7 @@ function idFromReference(reference, prefix) {
 }
 
 // src/data/operations/control/user/user-switch-tenant-workspace-operation.ts
-var SK11 = "CURRENT";
+var SK12 = "CURRENT";
 async function switchUserTenantWorkspaceOperation(params) {
   const { cognitoSub, tenantReference, workspaceReference, tableName } = params;
   const tenantId = idFromReference(tenantReference, "Tenant/");
@@ -7748,7 +8971,7 @@ async function switchUserTenantWorkspaceOperation(params) {
     (0, import_types20.extractSummary)(updatedResource)
   );
   const service = getDynamoControlService(tableName);
-  await service.entities.user.patch({ id: user.id, sk: SK11 }).set({
+  await service.entities.user.patch({ id: user.id, sk: SK12 }).set({
     resource: JSON.stringify(updatedResource),
     summary,
     vid,
@@ -8227,6 +9450,10 @@ async function createWorkspaceOperation(params) {
     workspaceName,
     tableName
   });
+  await publishWorkspaceCreated(context, {
+    workspaceId: id,
+    tenantId
+  });
   return { id, resource, meta: { lastUpdated, versionId: vid } };
 }
 
@@ -8275,12 +9502,20 @@ async function deleteWorkspaceOperation(params) {
   const { context, id, tableName } = params;
   const { tenantId } = context;
   const service = getDynamoControlService(tableName);
+  const existing = await service.entities.workspace.get({ tenantId, id, sk: "CURRENT" }).go();
+  const workspaceExisted = existing.data !== null;
   await service.entities.workspace.delete({ tenantId, id, sk: "CURRENT" }).go();
   await deleteOrganizationOperation({
     context: { ...context, workspaceId: id },
     id,
     tableName
   });
+  if (workspaceExisted) {
+    await publishWorkspaceDeleted(context, {
+      workspaceId: id,
+      tenantId
+    });
+  }
 }
 
 // src/data/rest-api/routes/control/workspace/workspace-delete-route.ts
@@ -8546,51 +9781,19 @@ async function listWorkspaceRoleAssignmentsRoute(req, res) {
   }
 }
 
-// src/data/operations/control/workspace/workspace-list-operation.ts
-var SK12 = "CURRENT";
-async function listWorkspacesOperation(params) {
-  const { context, tableName, mode = "full" } = params;
-  const { tenantId } = context;
-  const service = getDynamoControlService(tableName);
-  const shardResults = await Promise.all(
-    Array.from(
-      { length: SHARD_COUNT },
-      (_, shard) => service.entities.workspace.query.gsi1({ tenantId, gsi1Shard: String(shard) }).go()
-    )
-  );
-  return dispatchListMode(
-    mode,
-    shardResults,
-    {
-      hydrate: (orderedIds) => batchGetWithRetry(
-        service.entities.workspace,
-        orderedIds.map((id) => ({ tenantId, id, sk: SK12 }))
-      ),
-      getId: (item) => item.id,
-      buildEntry: (id, item) => ({
-        id,
-        resource: {
-          resourceType: "Workspace",
-          id,
-          ...JSON.parse(item.resource)
-        }
-      }),
-      buildSummaryEntry: (id, parsed) => ({
-        id,
-        resource: { resourceType: "Workspace", id, ...parsed }
-      })
-    }
-  );
-}
-
 // src/data/rest-api/routes/control/workspace/workspace-list-route.ts
 async function listWorkspacesRoute(req, res) {
+  const scope = resolveTenantScopeOverride(req, res, req.openhiContext);
+  if (!scope.ok) {
+    return scope.response;
+  }
   return handleListRoute({
     req,
     res,
     basePath: BASE_PATH.WORKSPACE,
     listOperation: listWorkspacesOperation,
-    errorLogContext: "GET /Workspace list error:"
+    errorLogContext: "GET /Workspace list error:",
+    context: scope.context
   });
 }