@openhi/constructs 0.0.160 → 0.0.161

package/lib/rest-api-lambda.handler.mjs

@@ -3,7 +3,14 @@ import {
 } from "./chunk-2O3CXY2C.mjs";
 import {
   createRoleOperation
-} from "./chunk-ZWSGM6PZ.mjs";
+} from "./chunk-SD7J3N3C.mjs";
+import {
+  countMembershipsByUserOperation,
+  listTenantsOperation,
+  listWorkspacesOperation,
+  membershipListByWorkspaceOperation,
+  roleAssignmentListByWorkspaceOperation
+} from "./chunk-Q64MOYJ7.mjs";
 import {
   createAccountOperation,
   createAppointmentOperation,
@@ -19,27 +26,37 @@ import {
   createPractitionerOperation,
   createProcedureOperation,
   getRoleByIdOperation
-} from "./chunk-EFB5OFM7.mjs";
+} from "./chunk-P3NFCKTZ.mjs";
 import {
-  listMembershipsOperation,
   listPractitionerRolesOperation,
   listRoleAssignmentsOperation
-} from "./chunk-7BQHLC7U.mjs";
+} from "./chunk-P3CTZWC2.mjs";
+import {
+  listMembershipsOperation
+} from "./chunk-GJTPXJKD.mjs";
 import {
   createMembershipOperation,
   createRoleAssignmentOperation,
   createTenantOperation,
   createWorkspaceOperation,
   extractDenormalizedReferenceDisplay
-} from "./chunk-CFJDATDK.mjs";
+} from "./chunk-MLFMW5IF.mjs";
+import {
+  extractRoleLevel,
+  publishMembershipDeleted,
+  publishRoleAssignmentDeleted,
+  publishWorkspaceDeleted
+} from "./chunk-BUAYVN3C.mjs";
 import {
-  buildMembershipUserProjectionItem,
   buildMembershipWorkspaceProjectionItem,
   buildRoleAssignmentUserProjectionItem,
   buildRoleAssignmentWorkspaceProjectionItem,
-  extractReferenceSlug,
-  extractReferenceSlug2
-} from "./chunk-HQ67J7BP.mjs";
+  extractReferenceSlug as extractReferenceSlug2
+} from "./chunk-5S6VFBLT.mjs";
+import {
+  buildMembershipUserProjectionItem,
+  extractReferenceSlug
+} from "./chunk-I6LUPJUY.mjs";
 import {
   executeMultiWrite
 } from "./chunk-QJDHVMKT.mjs";
@@ -48,11 +65,16 @@ import {
   deleteUserOperation,
   findUserBySubOperation,
   getUserByIdOperation,
-  listUsersOperation,
-  membershipListByUserOperation,
   switchUserTenantWorkspaceOperation,
   updateUserOperation
-} from "./chunk-AOSEKL7U.mjs";
+} from "./chunk-WOTU36P3.mjs";
+import {
+  listUsersOperation,
+  membershipListByUserOperation
+} from "./chunk-DWSWCUZR.mjs";
+import {
+  getDynamoDataService
+} from "./chunk-6BB4CRSS.mjs";
 import {
   batchGetWithRetry,
   buildUpdatedResourceWithAudit,
@@ -62,11 +84,10 @@ import {
   deleteDataEntityById,
   dispatchListMode,
   getDataEntityById,
-  getDynamoDataService,
   listDataEntitiesByWorkspace,
   mergeAuditIntoMeta,
   updateDataEntityById
-} from "./chunk-MVQWAIMC.mjs";
+} from "./chunk-O5VQWB6U.mjs";
 import {
   ConflictError,
   ForbiddenError,
@@ -77,8 +98,9 @@ import {
 import {
   SHARD_COUNT,
   getDynamoControlService
-} from "./chunk-VZCPGQXA.mjs";
+} from "./chunk-EUIP2U5F.mjs";
 import "./chunk-TRY7JGWO.mjs";
+import "./chunk-KMEWULMX.mjs";
 import "./chunk-LZOMFHX3.mjs";
 
 // src/data/lambda/rest-api-lambda.handler.ts
@@ -1052,7 +1074,7 @@ function sendInvalidSummary400(res, diagnostics) {
 }
 async function handleListRoute(opts) {
   const { req, res, basePath, listOperation, errorLogContext } = opts;
-  const ctx = req.openhiContext;
+  const ctx = opts.context ?? req.openhiContext;
   const parsed = parseSearchSubsetting(req, res);
   if ("errorResponse" in parsed) return parsed.errorResponse;
   try {
@@ -1732,6 +1754,14 @@ async function deleteMembershipOperation(params) {
     });
   }
   await executeMultiWrite({ service, triples });
+  await publishMembershipDeleted(context, {
+    membershipId: id,
+    tenantId: context.tenantId,
+    ...userIdFromResource !== void 0 && { userId: userIdFromResource },
+    ...workspaceIdFromResource !== void 0 && {
+      workspaceId: workspaceIdFromResource
+    }
+  });
 }
 
 // src/data/rest-api/routes/control/membership/membership-delete-route.ts
@@ -1783,14 +1813,154 @@ async function getMembershipByIdRoute(req, res) {
   }
 }
 
+// src/data/rest-api/routes/control/cross-cutting-route-helpers.ts
+function sendInvalidQuery400(res, diagnostics) {
+  return res.status(400).json({
+    resourceType: "OperationOutcome",
+    issue: [{ severity: "error", code: "invalid", diagnostics }]
+  });
+}
+function resolveTenantScopeOverride(req, res, context) {
+  const raw = (req.query ?? {}).tenant;
+  if (raw === void 0) {
+    return { ok: true, context };
+  }
+  if (typeof raw !== "string" || raw.length === 0) {
+    return {
+      ok: false,
+      response: sendInvalidQuery400(
+        res,
+        "Query parameter `tenant` must be a non-empty string."
+      )
+    };
+  }
+  return { ok: true, context: { ...context, tenantId: raw } };
+}
+function sendForbidden403(res, diagnostics) {
+  return res.status(403).json({
+    resourceType: "OperationOutcome",
+    issue: [{ severity: "error", code: "forbidden", diagnostics }]
+  });
+}
+var COMMON_KEYS = ["cursor", "limit", "order"];
+function parseCommonListQuery(req, res, options = {}) {
+  const q = req.query ?? {};
+  const allowedKeys = /* @__PURE__ */ new Set([
+    ...COMMON_KEYS,
+    ...options.extraKeys ?? []
+  ]);
+  const extra = Object.keys(q).filter((k) => !allowedKeys.has(k));
+  if (extra.length > 0) {
+    return {
+      ok: false,
+      response: sendInvalidQuery400(
+        res,
+        `Unsupported query parameter${extra.length === 1 ? "" : "s"}: ${extra.join(", ")}.`
+      )
+    };
+  }
+  const rawCursor = q.cursor;
+  let cursor = null;
+  if (rawCursor !== void 0) {
+    if (typeof rawCursor !== "string") {
+      return {
+        ok: false,
+        response: sendInvalidQuery400(
+          res,
+          "Query parameter `cursor` must be a string."
+        )
+      };
+    }
+    cursor = rawCursor;
+  }
+  const rawLimit = q.limit;
+  let limit;
+  if (rawLimit !== void 0) {
+    if (typeof rawLimit !== "string" || rawLimit.length === 0) {
+      return {
+        ok: false,
+        response: sendInvalidQuery400(
+          res,
+          "Query parameter `limit` must be a positive integer."
+        )
+      };
+    }
+    const parsed = Number(rawLimit);
+    if (!Number.isInteger(parsed) || parsed <= 0) {
+      return {
+        ok: false,
+        response: sendInvalidQuery400(
+          res,
+          "Query parameter `limit` must be a positive integer."
+        )
+      };
+    }
+    limit = parsed;
+  }
+  const rawOrder = q.order;
+  let order;
+  if (rawOrder !== void 0) {
+    if (rawOrder !== "asc" && rawOrder !== "desc") {
+      return {
+        ok: false,
+        response: sendInvalidQuery400(
+          res,
+          'Query parameter `order` must be one of "asc", "desc".'
+        )
+      };
+    }
+    order = rawOrder;
+  }
+  const value = order === void 0 ? limit === void 0 ? { cursor } : { cursor, limit } : limit === void 0 ? { cursor, order } : { cursor, limit, order };
+  return { ok: true, value };
+}
+function buildPaginationLinks(opts) {
+  const links = [
+    { relation: "self", url: composeUrl(opts.basePath, opts.query) }
+  ];
+  if (opts.nextCursor !== null && opts.nextCursor.length > 0) {
+    const nextQuery = { ...opts.query };
+    nextQuery.cursor = opts.nextCursor;
+    links.push({
+      relation: "next",
+      url: composeUrl(opts.basePath, nextQuery)
+    });
+  }
+  return links;
+}
+function composeUrl(basePath, query) {
+  const usp = new URLSearchParams();
+  for (const [key, value] of Object.entries(query)) {
+    if (value === void 0 || value === null) {
+      continue;
+    }
+    if (Array.isArray(value)) {
+      for (const v of value) {
+        if (v !== void 0 && v !== null) {
+          usp.append(key, String(v));
+        }
+      }
+    } else {
+      usp.append(key, String(value));
+    }
+  }
+  const qs = usp.toString();
+  return qs.length === 0 ? basePath : `${basePath}?${qs}`;
+}
+
 // src/data/rest-api/routes/control/membership/membership-list-route.ts
 async function listMembershipsRoute(req, res) {
+  const scope = resolveTenantScopeOverride(req, res, req.openhiContext);
+  if (!scope.ok) {
+    return scope.response;
+  }
   return handleListRoute({
     req,
     res,
     basePath: BASE_PATH.MEMBERSHIP,
     listOperation: listMembershipsOperation,
-    errorLogContext: "GET /Membership list error:"
+    errorLogContext: "GET /Membership list error:",
+    context: scope.context
   });
 }
 
@@ -2277,6 +2447,18 @@ async function deleteRoleAssignmentOperation(params) {
     });
   }
   await executeMultiWrite({ service, triples });
+  await publishRoleAssignmentDeleted(context, {
+    roleAssignmentId: id,
+    tenantId: context.tenantId,
+    ...userIdFromResource !== void 0 && { userId: userIdFromResource },
+    ...workspaceIdFromResource !== void 0 && {
+      workspaceId: workspaceIdFromResource
+    },
+    ...roleIdFromResource !== void 0 && { roleId: roleIdFromResource },
+    ...extractRoleLevel(parsed) !== void 0 && {
+      roleLevel: extractRoleLevel(parsed)
+    }
+  });
 }
 
 // src/data/rest-api/routes/control/roleassignment/roleassignment-delete-route.ts
@@ -2631,42 +2813,6 @@ async function getTenantByIdRoute(req, res) {
   }
 }
 
-// src/data/operations/control/tenant/tenant-list-operation.ts
-var SK7 = "CURRENT";
-async function listTenantsOperation(params) {
-  const { tableName, mode = "full" } = params;
-  const service = getDynamoControlService(tableName);
-  const shardResults = await Promise.all(
-    Array.from(
-      { length: SHARD_COUNT },
-      (_, shard) => service.entities.tenant.query.gsi1({ gsi1Shard: String(shard) }).go()
-    )
-  );
-  return dispatchListMode(
-    mode,
-    shardResults,
-    {
-      hydrate: (orderedIds) => batchGetWithRetry(
-        service.entities.tenant,
-        orderedIds.map((id) => ({ tenantId: id, sk: SK7 }))
-      ),
-      getId: (item) => item.id,
-      buildEntry: (id, item) => ({
-        id,
-        resource: {
-          resourceType: "Tenant",
-          id,
-          ...JSON.parse(item.resource)
-        }
-      }),
-      buildSummaryEntry: (id, parsed) => ({
-        id,
-        resource: { resourceType: "Tenant", id, ...parsed }
-      })
-    }
-  );
-}
-
 // src/data/rest-api/routes/control/tenant/tenant-list-route.ts
 async function listTenantsRoute(req, res) {
   return handleListRoute({
@@ -2678,6 +2824,179 @@ async function listTenantsRoute(req, res) {
   });
 }
 
+// src/data/operations/control/tenant/tenant-users-operation.ts
+var USER_SK = "CURRENT";
+function extractEmail(user) {
+  const telecom = user.telecom;
+  if (!Array.isArray(telecom)) {
+    return null;
+  }
+  for (const entry of telecom) {
+    if (entry.system === "email" && typeof entry.value === "string" && entry.value.length > 0) {
+      return entry.value;
+    }
+  }
+  return null;
+}
+function extractDisplayName(user) {
+  const name = user.name;
+  if (!Array.isArray(name) || name.length === 0) {
+    return null;
+  }
+  const first = name[0];
+  if (typeof first.text === "string" && first.text.trim().length > 0) {
+    return first.text.trim();
+  }
+  const given = Array.isArray(first.given) ? first.given.filter((g) => typeof g === "string").join(" ").trim() : "";
+  const family = typeof first.family === "string" ? first.family : "";
+  const composed = `${given} ${family}`.trim();
+  return composed.length > 0 ? composed : null;
+}
+function extractReferenceDisplay(resource, fieldName) {
+  const field = resource[fieldName];
+  if (!field || typeof field !== "object") {
+    return null;
+  }
+  const display = field.display;
+  if (typeof display !== "string") {
+    return null;
+  }
+  const trimmed = display.trim();
+  return trimmed.length > 0 ? trimmed : null;
+}
+function ensureAccumulator(byUser, userId) {
+  let acc = byUser.get(userId);
+  if (!acc) {
+    acc = { tenantRole: null, workspaces: /* @__PURE__ */ new Map() };
+    byUser.set(userId, acc);
+  }
+  return acc;
+}
+async function tenantUsersOperation(params) {
+  const { context, tableName } = params;
+  const service = getDynamoControlService(tableName);
+  const [memberships, roleAssignments, workspaces] = await Promise.all([
+    listMembershipsOperation({ context, tableName }),
+    listRoleAssignmentsOperation({ context, tableName }),
+    listWorkspacesOperation({ context, tableName })
+  ]);
+  const workspaceNames = /* @__PURE__ */ new Map();
+  for (const entry of workspaces.entries) {
+    const resource = entry.resource;
+    const name = typeof resource.name === "string" && resource.name.trim().length > 0 ? resource.name.trim() : null;
+    workspaceNames.set(entry.id, name);
+  }
+  const byUser = /* @__PURE__ */ new Map();
+  for (const entry of memberships.entries) {
+    const resource = entry.resource;
+    const userId = extractReferenceSlug(resource, "user");
+    if (userId === void 0) {
+      continue;
+    }
+    const acc = ensureAccumulator(byUser, userId);
+    const workspaceId = extractReferenceSlug(resource, "workspace");
+    if (workspaceId !== void 0 && !acc.workspaces.has(workspaceId)) {
+      acc.workspaces.set(workspaceId, { workspaceId, role: null });
+    }
+  }
+  for (const entry of roleAssignments.entries) {
+    const resource = entry.resource;
+    const userId = extractReferenceSlug(resource, "user");
+    const roleId = extractReferenceSlug(resource, "role");
+    if (userId === void 0 || roleId === void 0) {
+      continue;
+    }
+    const acc = ensureAccumulator(byUser, userId);
+    const role = {
+      roleId,
+      roleName: extractReferenceDisplay(resource, "role")
+    };
+    const workspaceId = extractReferenceSlug(resource, "workspace");
+    if (workspaceId === void 0) {
+      acc.tenantRole = role;
+    } else {
+      const existing = acc.workspaces.get(workspaceId);
+      if (existing) {
+        existing.role = role;
+      } else {
+        acc.workspaces.set(workspaceId, { workspaceId, role });
+      }
+    }
+  }
+  const userIds = Array.from(byUser.keys());
+  const userRows = userIds.length === 0 ? [] : await batchGetWithRetry(
+    service.entities.user,
+    userIds.map((id) => ({ id, sk: USER_SK }))
+  );
+  const usersById = /* @__PURE__ */ new Map();
+  for (const row of userRows) {
+    try {
+      usersById.set(
+        row.id,
+        JSON.parse(row.resource)
+      );
+    } catch {
+    }
+  }
+  const entries = userIds.map((userId) => {
+    const acc = byUser.get(userId);
+    const user = usersById.get(userId);
+    const workspaceEntries = Array.from(
+      acc.workspaces.values()
+    ).map((ws) => ({
+      workspaceId: ws.workspaceId,
+      workspaceName: workspaceNames.get(ws.workspaceId) ?? null,
+      role: ws.role
+    }));
+    return {
+      resourceType: "TenantUser",
+      userId,
+      displayName: user ? extractDisplayName(user) : null,
+      email: user ? extractEmail(user) : null,
+      tenantRole: acc.tenantRole,
+      workspaces: workspaceEntries
+    };
+  });
+  return { entries };
+}
+
+// src/data/rest-api/routes/control/tenant/tenant-list-users-route.ts
+async function listTenantUsersRoute(req, res) {
+  const ctx = req.openhiContext;
+  if (!ctx) {
+    return sendForbidden403(
+      res,
+      "Missing or invalid OpenHI JWT claims (tenant, workspace, or audit context)."
+    );
+  }
+  const tenantId = String(req.params.id);
+  if (tenantId.length === 0) {
+    return sendForbidden403(res, "Tenant id is required.");
+  }
+  const parsed = parseCommonListQuery(req, res);
+  if (!parsed.ok) {
+    return parsed.response;
+  }
+  const scopedContext = { ...ctx, tenantId };
+  try {
+    const result = await tenantUsersOperation({ context: scopedContext });
+    const basePath = `${BASE_PATH.TENANT}/${tenantId}/users`;
+    const entries = result.entries.map((entry) => ({
+      fullUrl: `${BASE_PATH.USER}/${entry.userId}`,
+      resource: entry
+    }));
+    return res.json({
+      resourceType: "Bundle",
+      type: "searchset",
+      total: entries.length,
+      link: [{ relation: "self", url: basePath }],
+      entry: entries
+    });
+  } catch (err) {
+    return sendOperationOutcome500(res, err, "GET /Tenant/:id/users error:");
+  }
+}
+
 // src/data/operations/control/tenant/tenant-update-operation.ts
 import { extractSummary as extractSummary4 } from "@openhi/types";
 async function updateTenantOperation(params) {
@@ -2745,6 +3064,7 @@ async function updateTenantRoute(req, res) {
 // src/data/rest-api/routes/control/tenant/tenant.ts
 var router6 = express6.Router();
 router6.get("/", listTenantsRoute);
+router6.get("/:id/users", listTenantUsersRoute);
 router6.get("/:id", getTenantByIdRoute);
 router6.post("/", createTenantRoute);
 router6.put("/:id", updateTenantRoute);
@@ -2892,125 +3212,6 @@ async function configurationListByWorkspaceOperation(params) {
   return { items, cursor: result.cursor ?? null };
 }
 
-// src/data/rest-api/routes/control/cross-cutting-route-helpers.ts
-function sendInvalidQuery400(res, diagnostics) {
-  return res.status(400).json({
-    resourceType: "OperationOutcome",
-    issue: [{ severity: "error", code: "invalid", diagnostics }]
-  });
-}
-function sendForbidden403(res, diagnostics) {
-  return res.status(403).json({
-    resourceType: "OperationOutcome",
-    issue: [{ severity: "error", code: "forbidden", diagnostics }]
-  });
-}
-var COMMON_KEYS = ["cursor", "limit", "order"];
-function parseCommonListQuery(req, res, options = {}) {
-  const q = req.query ?? {};
-  const allowedKeys = /* @__PURE__ */ new Set([
-    ...COMMON_KEYS,
-    ...options.extraKeys ?? []
-  ]);
-  const extra = Object.keys(q).filter((k) => !allowedKeys.has(k));
-  if (extra.length > 0) {
-    return {
-      ok: false,
-      response: sendInvalidQuery400(
-        res,
-        `Unsupported query parameter${extra.length === 1 ? "" : "s"}: ${extra.join(", ")}.`
-      )
-    };
-  }
-  const rawCursor = q.cursor;
-  let cursor = null;
-  if (rawCursor !== void 0) {
-    if (typeof rawCursor !== "string") {
-      return {
-        ok: false,
-        response: sendInvalidQuery400(
-          res,
-          "Query parameter `cursor` must be a string."
-        )
-      };
-    }
-    cursor = rawCursor;
-  }
-  const rawLimit = q.limit;
-  let limit;
-  if (rawLimit !== void 0) {
-    if (typeof rawLimit !== "string" || rawLimit.length === 0) {
-      return {
-        ok: false,
-        response: sendInvalidQuery400(
-          res,
-          "Query parameter `limit` must be a positive integer."
-        )
-      };
-    }
-    const parsed = Number(rawLimit);
-    if (!Number.isInteger(parsed) || parsed <= 0) {
-      return {
-        ok: false,
-        response: sendInvalidQuery400(
-          res,
-          "Query parameter `limit` must be a positive integer."
-        )
-      };
-    }
-    limit = parsed;
-  }
-  const rawOrder = q.order;
-  let order;
-  if (rawOrder !== void 0) {
-    if (rawOrder !== "asc" && rawOrder !== "desc") {
-      return {
-        ok: false,
-        response: sendInvalidQuery400(
-          res,
-          'Query parameter `order` must be one of "asc", "desc".'
-        )
-      };
-    }
-    order = rawOrder;
-  }
-  const value = order === void 0 ? limit === void 0 ? { cursor } : { cursor, limit } : limit === void 0 ? { cursor, order } : { cursor, limit, order };
-  return { ok: true, value };
-}
-function buildPaginationLinks(opts) {
-  const links = [
-    { relation: "self", url: composeUrl(opts.basePath, opts.query) }
-  ];
-  if (opts.nextCursor !== null && opts.nextCursor.length > 0) {
-    const nextQuery = { ...opts.query };
-    nextQuery.cursor = opts.nextCursor;
-    links.push({
-      relation: "next",
-      url: composeUrl(opts.basePath, nextQuery)
-    });
-  }
-  return links;
-}
-function composeUrl(basePath, query) {
-  const usp = new URLSearchParams();
-  for (const [key, value] of Object.entries(query)) {
-    if (value === void 0 || value === null) {
-      continue;
-    }
-    if (Array.isArray(value)) {
-      for (const v of value) {
-        if (v !== void 0 && v !== null) {
-          usp.append(key, String(v));
-        }
-      }
-    } else {
-      usp.append(key, String(value));
-    }
-  }
-  const qs = usp.toString();
-  return qs.length === 0 ? basePath : `${basePath}?${qs}`;
-}
-
 // src/data/rest-api/routes/control/projection-bundle-helpers.ts
 var EXT_BASE = "https://openhi.org/fhir/StructureDefinition";
 function parseProjectionSummary(summary) {
@@ -3267,41 +3468,6 @@ async function listUserConfigurationsRoute(req, res) {
   }
 }
 
-// src/data/operations/control/membership/membership-list-by-workspace-operation.ts
-async function membershipListByWorkspaceOperation(params) {
-  const {
-    tenantId,
-    workspaceId,
-    cursor = null,
-    limit,
-    order,
-    tableName
-  } = params;
-  const service = getDynamoControlService(tableName);
-  const goOptions = {
-    cursor
-  };
-  if (limit !== void 0) {
-    goOptions.limit = limit;
-  }
-  if (order !== void 0) {
-    goOptions.order = order;
-  }
-  const result = await service.entities.membershipWorkspaceProjection.query.record({ tenantId, workspaceId }).begins({ sk: "MEMBERSHIP#" }).go(goOptions);
-  const items = (result.data ?? []).map((row) => ({
-    tenantId: row.tenantId,
-    workspaceId: row.workspaceId,
-    sk: row.sk,
-    userId: row.userId,
-    membershipId: row.membershipId,
-    summary: row.summary,
-    vid: row.vid,
-    lastUpdated: row.lastUpdated,
-    denormalizedUserName: row.denormalizedUserName
-  }));
-  return { items, cursor: result.cursor ?? null };
-}
-
 // src/data/rest-api/routes/control/user/user-list-memberships-route.ts
 var ALLOWED_MODES = [
   "all",
@@ -3325,7 +3491,7 @@ async function listUserMembershipsRoute(req, res) {
     );
   }
   const parsed = parseCommonListQuery(req, res, {
-    extraKeys: ["mode", "tenantId"]
+    extraKeys: ["mode", "tenantId", "_summary"]
   });
   if (!parsed.ok) {
     return parsed.response;
@@ -3358,6 +3524,33 @@ async function listUserMembershipsRoute(req, res) {
       'Query parameter `tenantId` is required when `mode === "workspaceInTenant"`.'
     );
   }
+  const rawSummary = req.query._summary;
+  if (rawSummary !== void 0) {
+    if (rawSummary !== "count") {
+      return sendInvalidQuery400(
+        res,
+        'Query parameter `_summary` must be "count" on this endpoint.'
+      );
+    }
+    try {
+      const total = await countMembershipsByUserOperation({
+        userId,
+        mode,
+        tenantId
+      });
+      return res.json({
+        resourceType: "Bundle",
+        type: "searchset",
+        total
+      });
+    } catch (err) {
+      return sendOperationOutcome500(
+        res,
+        err,
+        "GET /User/:id/Membership count error:"
+      );
+    }
+  }
   try {
     const result = await membershipListByUserOperation({
       userId,
@@ -3454,51 +3647,6 @@ async function roleAssignmentListByUserOperation(params) {
   return { items, cursor: result.cursor ?? null };
 }
 
-// src/data/operations/control/roleassignment/roleassignment-list-by-workspace-operation.ts
-function buildSkPrefix2(roleId) {
-  if (roleId === void 0 || roleId.length === 0) {
-    return "ROLEASSIGNMENT#";
-  }
-  return `ROLEASSIGNMENT#${roleId}#`;
-}
-async function roleAssignmentListByWorkspaceOperation(params) {
-  const {
-    tenantId,
-    workspaceId,
-    roleId,
-    cursor = null,
-    limit,
-    order,
-    tableName
-  } = params;
-  const service = getDynamoControlService(tableName);
-  const skPrefix = buildSkPrefix2(roleId);
-  const goOptions = {
-    cursor
-  };
-  if (limit !== void 0) {
-    goOptions.limit = limit;
-  }
-  if (order !== void 0) {
-    goOptions.order = order;
-  }
-  const result = await service.entities.roleAssignmentWorkspaceProjection.query.record({ tenantId, workspaceId }).begins({ sk: skPrefix }).go(goOptions);
-  const items = (result.data ?? []).map((row) => ({
-    tenantId: row.tenantId,
-    workspaceId: row.workspaceId,
-    sk: row.sk,
-    userId: row.userId,
-    roleId: row.roleId,
-    roleAssignmentId: row.roleAssignmentId,
-    summary: row.summary,
-    vid: row.vid,
-    lastUpdated: row.lastUpdated,
-    denormalizedUserName: row.denormalizedUserName,
-    denormalizedRoleName: row.denormalizedRoleName
-  }));
-  return { items, cursor: result.cursor ?? null };
-}
-
 // src/data/rest-api/routes/control/user/user-list-role-assignments-route.ts
 var ALLOWED_MODES2 = [
   "all",
@@ -4111,12 +4259,20 @@ async function deleteWorkspaceOperation(params) {
   const { context, id, tableName } = params;
   const { tenantId } = context;
   const service = getDynamoControlService(tableName);
+  const existing = await service.entities.workspace.get({ tenantId, id, sk: "CURRENT" }).go();
+  const workspaceExisted = existing.data !== null;
   await service.entities.workspace.delete({ tenantId, id, sk: "CURRENT" }).go();
   await deleteOrganizationOperation({
     context: { ...context, workspaceId: id },
     id,
     tableName
   });
+  if (workspaceExisted) {
+    await publishWorkspaceDeleted(context, {
+      workspaceId: id,
+      tenantId
+    });
+  }
 }
 
 // src/data/rest-api/routes/control/workspace/workspace-delete-route.ts
@@ -4382,51 +4538,19 @@ async function listWorkspaceRoleAssignmentsRoute(req, res) {
   }
 }
 
-// src/data/operations/control/workspace/workspace-list-operation.ts
-var SK8 = "CURRENT";
-async function listWorkspacesOperation(params) {
-  const { context, tableName, mode = "full" } = params;
-  const { tenantId } = context;
-  const service = getDynamoControlService(tableName);
-  const shardResults = await Promise.all(
-    Array.from(
-      { length: SHARD_COUNT },
-      (_, shard) => service.entities.workspace.query.gsi1({ tenantId, gsi1Shard: String(shard) }).go()
-    )
-  );
-  return dispatchListMode(
-    mode,
-    shardResults,
-    {
-      hydrate: (orderedIds) => batchGetWithRetry(
-        service.entities.workspace,
-        orderedIds.map((id) => ({ tenantId, id, sk: SK8 }))
-      ),
-      getId: (item) => item.id,
-      buildEntry: (id, item) => ({
-        id,
-        resource: {
-          resourceType: "Workspace",
-          id,
-          ...JSON.parse(item.resource)
-        }
-      }),
-      buildSummaryEntry: (id, parsed) => ({
-        id,
-        resource: { resourceType: "Workspace", id, ...parsed }
-      })
-    }
-  );
-}
-
 // src/data/rest-api/routes/control/workspace/workspace-list-route.ts
 async function listWorkspacesRoute(req, res) {
+  const scope = resolveTenantScopeOverride(req, res, req.openhiContext);
+  if (!scope.ok) {
+    return scope.response;
+  }
   return handleListRoute({
     req,
     res,
     basePath: BASE_PATH.WORKSPACE,
     listOperation: listWorkspacesOperation,
-    errorLogContext: "GET /Workspace list error:"
+    errorLogContext: "GET /Workspace list error:",
+    context: scope.context
   });
 }