@openhi/constructs 0.0.160 → 0.0.161

package/lib/seed-demo-data.handler.js

@@ -139,7 +139,7 @@ var require_control_plane = __commonJS({
   "../workflows/lib/detail-types/control-plane.js"(exports2) {
     "use strict";
     Object.defineProperty(exports2, "__esModule", { value: true });
-    exports2.ControlPlaneRenameFailedV1 = exports2.ControlPlaneRenameCompleteV1 = exports2.ControlPlaneRenameV1 = exports2.RENAMABLE_ENTITY_TYPE = exports2.ControlPlaneOwningDeleteFailedV1 = exports2.ControlPlaneOwningDeleteCompleteV1 = exports2.ControlPlaneOwningDeleteV1 = exports2.OWNING_ENTITY_TYPE = void 0;
+    exports2.ControlPlaneWorkspaceDeletedV1 = exports2.ControlPlaneWorkspaceCreatedV1 = exports2.ControlPlaneRoleAssignmentDeletedV1 = exports2.ControlPlaneRoleAssignmentCreatedV1 = exports2.ControlPlaneMembershipDeletedV1 = exports2.ControlPlaneMembershipCreatedV1 = exports2.ControlPlaneRenameFailedV1 = exports2.ControlPlaneRenameCompleteV1 = exports2.ControlPlaneRenameV1 = exports2.RENAMABLE_ENTITY_TYPE = exports2.ControlPlaneOwningDeleteFailedV1 = exports2.ControlPlaneOwningDeleteCompleteV1 = exports2.ControlPlaneOwningDeleteV1 = exports2.OWNING_ENTITY_TYPE = void 0;
     var sources_1 = require_sources();
     var registry_1 = require_registry();
     exports2.OWNING_ENTITY_TYPE = {
@@ -181,6 +181,36 @@ var require_control_plane = __commonJS({
       source: sources_1.OPENHI_OPS_SOURCE,
       dedupRequired: true
     });
+    exports2.ControlPlaneMembershipCreatedV1 = (0, registry_1.defineDetailType)({
+      detailType: "control-plane.membership-created.v1",
+      source: sources_1.OPENHI_CONTROL_SOURCE,
+      dedupRequired: true
+    });
+    exports2.ControlPlaneMembershipDeletedV1 = (0, registry_1.defineDetailType)({
+      detailType: "control-plane.membership-deleted.v1",
+      source: sources_1.OPENHI_CONTROL_SOURCE,
+      dedupRequired: true
+    });
+    exports2.ControlPlaneRoleAssignmentCreatedV1 = (0, registry_1.defineDetailType)({
+      detailType: "control-plane.role-assignment-created.v1",
+      source: sources_1.OPENHI_CONTROL_SOURCE,
+      dedupRequired: true
+    });
+    exports2.ControlPlaneRoleAssignmentDeletedV1 = (0, registry_1.defineDetailType)({
+      detailType: "control-plane.role-assignment-deleted.v1",
+      source: sources_1.OPENHI_CONTROL_SOURCE,
+      dedupRequired: true
+    });
+    exports2.ControlPlaneWorkspaceCreatedV1 = (0, registry_1.defineDetailType)({
+      detailType: "control-plane.workspace-created.v1",
+      source: sources_1.OPENHI_CONTROL_SOURCE,
+      dedupRequired: true
+    });
+    exports2.ControlPlaneWorkspaceDeletedV1 = (0, registry_1.defineDetailType)({
+      detailType: "control-plane.workspace-deleted.v1",
+      source: sources_1.OPENHI_CONTROL_SOURCE,
+      dedupRequired: true
+    });
   }
 });
 
@@ -239,17 +269,17 @@ var require_publisher = __commonJS({
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2.WorkflowPublishError = void 0;
     exports2.workflowsClient = workflowsClient;
-    exports2.publishWorkflowEvent = publishWorkflowEvent;
+    exports2.publishWorkflowEvent = publishWorkflowEvent2;
     var node_crypto_1 = require("crypto");
     var client_eventbridge_1 = require("@aws-sdk/client-eventbridge");
     var envelope_version_1 = require_envelope_version();
     var sources_1 = require_sources();
     function workflowsClient(bridge, options = {}) {
       return {
-        publish: (entry, payload, ctx) => publishWorkflowEvent(bridge, entry, payload, ctx, options)
+        publish: (entry, payload, ctx) => publishWorkflowEvent2(bridge, entry, payload, ctx, options)
       };
     }
-    async function publishWorkflowEvent(bridge, entry, payload, ctx, options = {}) {
+    async function publishWorkflowEvent2(bridge, entry, payload, ctx, options = {}) {
       const eventIdGenerator = options.eventIdGenerator ?? (() => (0, node_crypto_1.randomUUID)());
       const correlationIdGenerator = options.correlationIdGenerator ?? (() => (0, node_crypto_1.randomUUID)());
       const now = options.now ?? (() => /* @__PURE__ */ new Date());
@@ -578,7 +608,7 @@ var require_lib = __commonJS({
   "../workflows/lib/index.js"(exports2) {
     "use strict";
     Object.defineProperty(exports2, "__esModule", { value: true });
-    exports2.workflowDedupClient = exports2.recordIfAbsent = exports2.markFailed = exports2.encodeSortKey = exports2.WorkflowDedupTableNameMissingError = exports2.WorkflowDedupInvalidInputError = exports2.WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR = exports2.WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH = exports2.WORKFLOW_DEDUP_DEFAULT_TTL_SECONDS = exports2.parseWorkflowEvent = exports2.UnsupportedEnvelopeVersionError = exports2.InvalidWorkflowEventError = exports2.workflowsClient = exports2.publishWorkflowEvent = exports2.WorkflowPublishError = exports2.isWellFormedDetailType = exports2.defineDetailType = exports2.RENAMABLE_ENTITY_TYPE = exports2.PlatformSystemDataSeededV1 = exports2.PlatformDeploymentCompletedV1 = exports2.OWNING_ENTITY_TYPE = exports2.InvalidDetailTypeRegistrationError = exports2.ControlPlaneRenameV1 = exports2.ControlPlaneRenameFailedV1 = exports2.ControlPlaneRenameCompleteV1 = exports2.ControlPlaneOwningDeleteV1 = exports2.ControlPlaneOwningDeleteFailedV1 = exports2.ControlPlaneOwningDeleteCompleteV1 = exports2.OPENHI_OPS_SOURCE = exports2.OPENHI_DATA_SOURCE = exports2.OPENHI_CONTROL_SOURCE = exports2.DEFAULT_BUS_NAME_BY_SOURCE = exports2.workflowUserActorFromClaims = exports2.isWorkflowUserActor = exports2.isWorkflowSystemActor = exports2.MissingActorContextError = exports2.isSupportedEnvelopeVersion = exports2.ENVELOPE_VERSION = void 0;
+    exports2.workflowDedupClient = exports2.recordIfAbsent = exports2.markFailed = exports2.encodeSortKey = exports2.WorkflowDedupTableNameMissingError = exports2.WorkflowDedupInvalidInputError = exports2.WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR = exports2.WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH = exports2.WORKFLOW_DEDUP_DEFAULT_TTL_SECONDS = exports2.parseWorkflowEvent = exports2.UnsupportedEnvelopeVersionError = exports2.InvalidWorkflowEventError = exports2.workflowsClient = exports2.publishWorkflowEvent = exports2.WorkflowPublishError = exports2.isWellFormedDetailType = exports2.defineDetailType = exports2.RENAMABLE_ENTITY_TYPE = exports2.PlatformSystemDataSeededV1 = exports2.PlatformDeploymentCompletedV1 = exports2.OWNING_ENTITY_TYPE = exports2.InvalidDetailTypeRegistrationError = exports2.ControlPlaneWorkspaceDeletedV1 = exports2.ControlPlaneWorkspaceCreatedV1 = exports2.ControlPlaneRoleAssignmentDeletedV1 = exports2.ControlPlaneRoleAssignmentCreatedV1 = exports2.ControlPlaneRenameV1 = exports2.ControlPlaneRenameFailedV1 = exports2.ControlPlaneRenameCompleteV1 = exports2.ControlPlaneOwningDeleteV1 = exports2.ControlPlaneOwningDeleteFailedV1 = exports2.ControlPlaneOwningDeleteCompleteV1 = exports2.ControlPlaneMembershipDeletedV1 = exports2.ControlPlaneMembershipCreatedV1 = exports2.OPENHI_OPS_SOURCE = exports2.OPENHI_DATA_SOURCE = exports2.OPENHI_CONTROL_SOURCE = exports2.DEFAULT_BUS_NAME_BY_SOURCE = exports2.workflowUserActorFromClaims = exports2.isWorkflowUserActor = exports2.isWorkflowSystemActor = exports2.MissingActorContextError = exports2.isSupportedEnvelopeVersion = exports2.ENVELOPE_VERSION = void 0;
     var envelope_version_1 = require_envelope_version();
     Object.defineProperty(exports2, "ENVELOPE_VERSION", { enumerable: true, get: function() {
       return envelope_version_1.ENVELOPE_VERSION;
@@ -613,6 +643,12 @@ var require_lib = __commonJS({
       return sources_1.OPENHI_OPS_SOURCE;
     } });
     var detail_types_1 = require_detail_types();
+    Object.defineProperty(exports2, "ControlPlaneMembershipCreatedV1", { enumerable: true, get: function() {
+      return detail_types_1.ControlPlaneMembershipCreatedV1;
+    } });
+    Object.defineProperty(exports2, "ControlPlaneMembershipDeletedV1", { enumerable: true, get: function() {
+      return detail_types_1.ControlPlaneMembershipDeletedV1;
+    } });
     Object.defineProperty(exports2, "ControlPlaneOwningDeleteCompleteV1", { enumerable: true, get: function() {
       return detail_types_1.ControlPlaneOwningDeleteCompleteV1;
     } });
@@ -631,6 +667,18 @@ var require_lib = __commonJS({
     Object.defineProperty(exports2, "ControlPlaneRenameV1", { enumerable: true, get: function() {
       return detail_types_1.ControlPlaneRenameV1;
     } });
+    Object.defineProperty(exports2, "ControlPlaneRoleAssignmentCreatedV1", { enumerable: true, get: function() {
+      return detail_types_1.ControlPlaneRoleAssignmentCreatedV1;
+    } });
+    Object.defineProperty(exports2, "ControlPlaneRoleAssignmentDeletedV1", { enumerable: true, get: function() {
+      return detail_types_1.ControlPlaneRoleAssignmentDeletedV1;
+    } });
+    Object.defineProperty(exports2, "ControlPlaneWorkspaceCreatedV1", { enumerable: true, get: function() {
+      return detail_types_1.ControlPlaneWorkspaceCreatedV1;
+    } });
+    Object.defineProperty(exports2, "ControlPlaneWorkspaceDeletedV1", { enumerable: true, get: function() {
+      return detail_types_1.ControlPlaneWorkspaceDeletedV1;
+    } });
     Object.defineProperty(exports2, "InvalidDetailTypeRegistrationError", { enumerable: true, get: function() {
       return detail_types_1.InvalidDetailTypeRegistrationError;
     } });
@@ -721,7 +769,7 @@ var import_client_cognito_identity_provider = require("@aws-sdk/client-cognito-i
 var import_client_dynamodb2 = require("@aws-sdk/client-dynamodb");
 var import_client_ssm = require("@aws-sdk/client-ssm");
 var import_types12 = require("@openhi/types");
-var import_workflows2 = __toESM(require_lib());
+var import_workflows3 = __toESM(require_lib());
 
 // src/workflows/control-plane/seed-demo-data/events.ts
 var import_types = require("@openhi/types");
@@ -5897,6 +5945,24 @@ var TenantEntity = new import_electrodb11.Entity({
       type: "string",
       required: true
     },
+    /**
+     * ADR-028 denormalized counter — number of tenant-scoped Memberships
+     * (users) in this tenant. Maintained by the counter-maintenance
+     * consumer via atomic ADD; absent/0 until first event or reconciliation.
+     */
+    usersInTenant: {
+      type: "number",
+      required: false
+    },
+    /**
+     * ADR-028 denormalized counter — number of Workspaces in this tenant.
+     * Maintained by the counter-maintenance consumer via atomic ADD;
+     * absent/0 until first event or reconciliation.
+     */
+    workspacesInTenant: {
+      type: "number",
+      required: false
+    },
     gsi1Shard: gsi1ShardAttribute,
     /** Derived GSI1 sort key — name-based when extractable; else `<lastUpdated>#<id>`. */
     gsi1sk: gsi1skAttribute,
@@ -6001,6 +6067,26 @@ var UserEntity = new import_electrodb12.Entity({
       type: "string",
       required: true
     },
+    /**
+     * ADR-028 denormalized counter — number of tenant-scoped Memberships
+     * (tenants) this user belongs to. Maintained by the
+     * counter-maintenance consumer via atomic ADD; absent/0 until first
+     * event or reconciliation.
+     */
+    tenantsForUser: {
+      type: "number",
+      required: false
+    },
+    /**
+     * ADR-028 denormalized counter — number of workspace-scoped
+     * Memberships (workspaces) this user belongs to. Maintained by the
+     * counter-maintenance consumer via atomic ADD; absent/0 until first
+     * event or reconciliation.
+     */
+    workspacesForUser: {
+      type: "number",
+      required: false
+    },
     gsi1Shard: gsi1ShardAttribute,
     /** Derived GSI1 sort key — name-based when extractable; else `<lastUpdated>#<id>`. */
     gsi1sk: gsi1skAttribute,
@@ -6145,6 +6231,36 @@ var WorkspaceEntity = new import_electrodb13.Entity({
       type: "string",
       required: true
     },
+    /**
+     * ADR-028 denormalized counter — number of workspace-scoped
+     * Memberships (users) in this workspace. Maintained by the
+     * counter-maintenance consumer via atomic ADD; absent/0 until first
+     * event or reconciliation.
+     */
+    usersInWorkspace: {
+      type: "number",
+      required: false
+    },
+    /**
+     * ADR-028 denormalized counter — number of workspace-scoped
+     * RoleAssignments classified as admin-tier in this workspace.
+     * Maintained by the counter-maintenance consumer via atomic ADD;
+     * absent/0 until first event or reconciliation.
+     */
+    adminUsersInWorkspace: {
+      type: "number",
+      required: false
+    },
+    /**
+     * ADR-028 denormalized counter — number of workspace-scoped
+     * RoleAssignments classified as non-admin in this workspace.
+     * Maintained by the counter-maintenance consumer via atomic ADD;
+     * absent/0 until first event or reconciliation.
+     */
+    normalUsersInWorkspace: {
+      type: "number",
+      required: false
+    },
     gsi1Shard: gsi1ShardAttribute,
     /** Derived GSI1 sort key — name-based when extractable; else `<lastUpdated>#<id>`. */
     gsi1sk: gsi1skAttribute,
@@ -6372,6 +6488,63 @@ function buildMembershipWorkspaceProjectionItem(input) {
   };
 }
 
+// src/data/operations/control/control-event-publisher.ts
+var import_client_eventbridge = require("@aws-sdk/client-eventbridge");
+var import_workflows2 = __toESM(require_lib());
+var CONTROL_EVENT_BUS_NAME_ENV_VAR = "CONTROL_EVENT_BUS_NAME";
+var cachedClient;
+function getClient() {
+  if (!cachedClient) {
+    cachedClient = new import_client_eventbridge.EventBridgeClient({
+      region: process.env.AWS_REGION ?? "us-east-1"
+    });
+  }
+  return cachedClient;
+}
+function actorFromContext(context) {
+  return {
+    ohi_tid: context.tenantId,
+    ohi_wid: context.workspaceId,
+    ohi_uid: context.actorId,
+    ohi_uname: context.actorName
+  };
+}
+async function publishControlEvent(entry, payload, context) {
+  const busName = process.env[CONTROL_EVENT_BUS_NAME_ENV_VAR];
+  if (!busName) {
+    return;
+  }
+  try {
+    await (0, import_workflows2.publishWorkflowEvent)(
+      getClient(),
+      entry,
+      payload,
+      { actor: actorFromContext(context) },
+      { busNameByPlane: { [import_workflows2.OPENHI_CONTROL_SOURCE]: busName } }
+    );
+  } catch (err) {
+    console.error(`control-event publish failed for ${entry.detailType}:`, err);
+  }
+}
+async function publishMembershipCreated(context, detail) {
+  await publishControlEvent(import_workflows2.ControlPlaneMembershipCreatedV1, detail, context);
+}
+async function publishRoleAssignmentCreated(context, detail) {
+  await publishControlEvent(
+    import_workflows2.ControlPlaneRoleAssignmentCreatedV1,
+    detail,
+    context
+  );
+}
+async function publishWorkspaceCreated(context, detail) {
+  await publishControlEvent(import_workflows2.ControlPlaneWorkspaceCreatedV1, detail, context);
+}
+function extractRoleLevel(resource) {
+  const code = resource?.code;
+  const first = code?.coding?.[0]?.code;
+  return typeof first === "string" && first.length > 0 ? first : void 0;
+}
+
 // src/data/operations/control/denormalized-display-names.ts
 function extractDenormalizedReferenceDisplay(resource, fieldName) {
   const field = resource[fieldName];
@@ -6605,6 +6778,14 @@ async function createMembershipOperation(params) {
     });
   }
   await executeMultiWrite({ service, triples });
+  await publishMembershipCreated(context, {
+    membershipId: id,
+    tenantId: context.tenantId,
+    ...userIdFromResource !== void 0 && { userId: userIdFromResource },
+    ...workspaceIdFromResource !== void 0 && {
+      workspaceId: workspaceIdFromResource
+    }
+  });
   return {
     id,
     resource,
@@ -6846,6 +7027,18 @@ async function createRoleAssignmentOperation(params) {
     });
   }
   await executeMultiWrite({ service, triples });
+  await publishRoleAssignmentCreated(context, {
+    roleAssignmentId: id,
+    tenantId: context.tenantId,
+    ...userIdFromResource !== void 0 && { userId: userIdFromResource },
+    ...workspaceIdFromResource !== void 0 && {
+      workspaceId: workspaceIdFromResource
+    },
+    ...roleIdFromResource !== void 0 && { roleId: roleIdFromResource },
+    ...extractRoleLevel(resourceRecord) !== void 0 && {
+      roleLevel: extractRoleLevel(resourceRecord)
+    }
+  });
   return {
     id,
     resource,
@@ -8057,6 +8250,10 @@ async function createWorkspaceOperation(params) {
     workspaceName,
     tableName
   });
+  await publishWorkspaceCreated(context, {
+    workspaceId: id,
+    tenantId
+  });
   return { id, resource, meta: { lastUpdated, versionId: vid } };
 }
 
@@ -8996,7 +9193,7 @@ var seedDemoGraph = async (params) => {
   }
 };
 var runSeedDemoData = async (event, deps, devUsers) => {
-  const parsed = (0, import_workflows2.parseWorkflowEvent)(event, import_workflows.PlatformSystemDataSeededV1);
+  const parsed = (0, import_workflows3.parseWorkflowEvent)(event, import_workflows.PlatformSystemDataSeededV1);
   const recordResult = await deps.dedupClient.recordIfAbsent({
     consumerName: SEED_DEMO_DATA_CONSUMER_NAME,
     eventId: parsed.dedupKey.eventId,
@@ -9167,7 +9364,7 @@ var productionDependencies = () => {
   const dynamodb = new import_client_dynamodb2.DynamoDBClient({});
   const cognito = productionCognitoProvisioner();
   return {
-    dedupClient: (0, import_workflows2.workflowDedupClient)(dynamodb),
+    dedupClient: (0, import_workflows3.workflowDedupClient)(dynamodb),
     verifyRoles: verifySystemRolesExist,
     seedDemoGraph,
     cognito