@openhi/constructs 0.0.160 → 0.0.162

package/lib/chunk-BUAYVN3C.mjs

@@ -0,0 +1,87 @@
+import {
+  require_lib
+} from "./chunk-KMEWULMX.mjs";
+import {
+  __toESM
+} from "./chunk-LZOMFHX3.mjs";
+
+// src/data/operations/control/control-event-publisher.ts
+var import_workflows = __toESM(require_lib());
+import { EventBridgeClient } from "@aws-sdk/client-eventbridge";
+var CONTROL_EVENT_BUS_NAME_ENV_VAR = "CONTROL_EVENT_BUS_NAME";
+var cachedClient;
+function getClient() {
+  if (!cachedClient) {
+    cachedClient = new EventBridgeClient({
+      region: process.env.AWS_REGION ?? "us-east-1"
+    });
+  }
+  return cachedClient;
+}
+function actorFromContext(context) {
+  return {
+    ohi_tid: context.tenantId,
+    ohi_wid: context.workspaceId,
+    ohi_uid: context.actorId,
+    ohi_uname: context.actorName
+  };
+}
+async function publishControlEvent(entry, payload, context) {
+  const busName = process.env[CONTROL_EVENT_BUS_NAME_ENV_VAR];
+  if (!busName) {
+    return;
+  }
+  try {
+    await (0, import_workflows.publishWorkflowEvent)(
+      getClient(),
+      entry,
+      payload,
+      { actor: actorFromContext(context) },
+      { busNameByPlane: { [import_workflows.OPENHI_CONTROL_SOURCE]: busName } }
+    );
+  } catch (err) {
+    console.error(`control-event publish failed for ${entry.detailType}:`, err);
+  }
+}
+async function publishMembershipCreated(context, detail) {
+  await publishControlEvent(import_workflows.ControlPlaneMembershipCreatedV1, detail, context);
+}
+async function publishMembershipDeleted(context, detail) {
+  await publishControlEvent(import_workflows.ControlPlaneMembershipDeletedV1, detail, context);
+}
+async function publishRoleAssignmentCreated(context, detail) {
+  await publishControlEvent(
+    import_workflows.ControlPlaneRoleAssignmentCreatedV1,
+    detail,
+    context
+  );
+}
+async function publishRoleAssignmentDeleted(context, detail) {
+  await publishControlEvent(
+    import_workflows.ControlPlaneRoleAssignmentDeletedV1,
+    detail,
+    context
+  );
+}
+async function publishWorkspaceCreated(context, detail) {
+  await publishControlEvent(import_workflows.ControlPlaneWorkspaceCreatedV1, detail, context);
+}
+async function publishWorkspaceDeleted(context, detail) {
+  await publishControlEvent(import_workflows.ControlPlaneWorkspaceDeletedV1, detail, context);
+}
+function extractRoleLevel(resource) {
+  const code = resource?.code;
+  const first = code?.coding?.[0]?.code;
+  return typeof first === "string" && first.length > 0 ? first : void 0;
+}
+
+export {
+  publishMembershipCreated,
+  publishMembershipDeleted,
+  publishRoleAssignmentCreated,
+  publishRoleAssignmentDeleted,
+  publishWorkspaceCreated,
+  publishWorkspaceDeleted,
+  extractRoleLevel
+};
+//# sourceMappingURL=chunk-BUAYVN3C.mjs.map

package/lib/chunk-BUAYVN3C.mjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/data/operations/control/control-event-publisher.ts"],"sourcesContent":["import { EventBridgeClient } from \"@aws-sdk/client-eventbridge\";\nimport {\n  ControlPlaneMembershipCreatedV1,\n  ControlPlaneMembershipDeletedV1,\n  ControlPlaneRoleAssignmentCreatedV1,\n  ControlPlaneRoleAssignmentDeletedV1,\n  ControlPlaneWorkspaceCreatedV1,\n  ControlPlaneWorkspaceDeletedV1,\n  OPENHI_CONTROL_SOURCE,\n  publishWorkflowEvent,\n  type ControlPlaneMembershipChangedV1Detail,\n  type ControlPlaneRoleAssignmentChangedV1Detail,\n  type ControlPlaneWorkspaceChangedV1Detail,\n  type WorkflowActor,\n  type WorkflowDetailTypeEntry,\n} from \"@openhi/workflows\";\nimport { OpenHiContext } from \"../../openhi-context\";\n\n/**\n * Env var carrying the name of the control event bus the REST API Lambda\n * publishes control-plane domain events to. Set by\n * {@link RestApiLambda} from the deterministic `ControlEventBus` name.\n * When unset (seed / import / unit-test contexts) the publisher is a no-op,\n * so operations stay usable outside the Lambda and the counter backfill in\n * the reconciliation job (#1319) repairs any rows created without an event.\n */\nexport const CONTROL_EVENT_BUS_NAME_ENV_VAR = \"CONTROL_EVENT_BUS_NAME\";\n\nlet cachedClient: EventBridgeClient | undefined;\n\nfunction getClient(): EventBridgeClient {\n  if (!cachedClient) {\n    cachedClient = new EventBridgeClient({\n      region: process.env.AWS_REGION ?? \"us-east-1\",\n    });\n  }\n  return cachedClient;\n}\n\nfunction actorFromContext(context: OpenHiContext): WorkflowActor {\n  return {\n    ohi_tid: context.tenantId,\n    ohi_wid: context.workspaceId,\n    ohi_uid: context.actorId,\n    ohi_uname: context.actorName,\n  };\n}\n\n/**\n * Publish one control-plane domain event to the control event bus.\n *\n * Best-effort by contract (ADR-028): the canonical multi-write has already\n * committed by the time this runs, the counters it feeds are eventually\n * consistent, and the reconciliation job (#1319) is the correctness backstop.\n * A publish failure is therefore logged and swallowed so it never fails the\n * operation (which would 500 a request whose data write already succeeded).\n * When `CONTROL_EVENT_BUS_NAME` is unset the publish is skipped entirely.\n */\nasync function publishControlEvent<TDetail>(\n  entry: WorkflowDetailTypeEntry<TDetail>,\n  payload: TDetail,\n  context: OpenHiContext,\n): Promise<void> {\n  const busName = process.env[CONTROL_EVENT_BUS_NAME_ENV_VAR];\n  if (!busName) {\n    return;\n  }\n  try {\n    await publishWorkflowEvent(\n      getClient(),\n      entry,\n      payload,\n      { actor: actorFromContext(context) },\n      { busNameByPlane: { [OPENHI_CONTROL_SOURCE]: busName } },\n    );\n  } catch (err) {\n    console.error(`control-event publish failed for ${entry.detailType}:`, err);\n  }\n}\n\n/** Publish `control-plane.membership-created.v1`. */\nexport async function publishMembershipCreated(\n  context: OpenHiContext,\n  detail: ControlPlaneMembershipChangedV1Detail,\n): Promise<void> {\n  await publishControlEvent(ControlPlaneMembershipCreatedV1, detail, context);\n}\n\n/** Publish `control-plane.membership-deleted.v1`. */\nexport async function publishMembershipDeleted(\n  context: OpenHiContext,\n  detail: ControlPlaneMembershipChangedV1Detail,\n): Promise<void> {\n  await publishControlEvent(ControlPlaneMembershipDeletedV1, detail, context);\n}\n\n/** Publish `control-plane.role-assignment-created.v1`. */\nexport async function publishRoleAssignmentCreated(\n  context: OpenHiContext,\n  detail: ControlPlaneRoleAssignmentChangedV1Detail,\n): Promise<void> {\n  await publishControlEvent(\n    ControlPlaneRoleAssignmentCreatedV1,\n    detail,\n    context,\n  );\n}\n\n/** Publish `control-plane.role-assignment-deleted.v1`. */\nexport async function publishRoleAssignmentDeleted(\n  context: OpenHiContext,\n  detail: ControlPlaneRoleAssignmentChangedV1Detail,\n): Promise<void> {\n  await publishControlEvent(\n    ControlPlaneRoleAssignmentDeletedV1,\n    detail,\n    context,\n  );\n}\n\n/** Publish `control-plane.workspace-created.v1`. */\nexport async function publishWorkspaceCreated(\n  context: OpenHiContext,\n  detail: ControlPlaneWorkspaceChangedV1Detail,\n): Promise<void> {\n  await publishControlEvent(ControlPlaneWorkspaceCreatedV1, detail, context);\n}\n\n/** Publish `control-plane.workspace-deleted.v1`. */\nexport async function publishWorkspaceDeleted(\n  context: OpenHiContext,\n  detail: ControlPlaneWorkspaceChangedV1Detail,\n): Promise<void> {\n  await publishControlEvent(ControlPlaneWorkspaceDeletedV1, detail, context);\n}\n\n/**\n * Extract the ADR-019 organization-role level / type from a RoleAssignment\n * resource so the counter-maintenance consumer can classify a workspace-scoped\n * assignment as admin vs normal without re-reading the Role record. Reads the\n * slim `PractitionerRole.code` coding per ADR-019 §1.2; returns `undefined`\n * when no code is present.\n */\nexport function extractRoleLevel(\n  resource: Record<string, unknown> | undefined,\n): string | undefined {\n  const code = resource?.code as\n    | { coding?: Array<{ code?: unknown }> }\n    | undefined;\n  const first = code?.coding?.[0]?.code;\n  return typeof first === \"string\" && first.length > 0 ? first : undefined;\n}\n"],"mappings":";;;;;;;;AACA,uBAcO;AAfP,SAAS,yBAAyB;AA0B3B,IAAM,iCAAiC;AAE9C,IAAI;AAEJ,SAAS,YAA+B;AACtC,MAAI,CAAC,cAAc;AACjB,mBAAe,IAAI,kBAAkB;AAAA,MACnC,QAAQ,QAAQ,IAAI,cAAc;AAAA,IACpC,CAAC;AAAA,EACH;AACA,SAAO;AACT;AAEA,SAAS,iBAAiB,SAAuC;AAC/D,SAAO;AAAA,IACL,SAAS,QAAQ;AAAA,IACjB,SAAS,QAAQ;AAAA,IACjB,SAAS,QAAQ;AAAA,IACjB,WAAW,QAAQ;AAAA,EACrB;AACF;AAYA,eAAe,oBACb,OACA,SACA,SACe;AACf,QAAM,UAAU,QAAQ,IAAI,8BAA8B;AAC1D,MAAI,CAAC,SAAS;AACZ;AAAA,EACF;AACA,MAAI;AACF,cAAM;AAAA,MACJ,UAAU;AAAA,MACV;AAAA,MACA;AAAA,MACA,EAAE,OAAO,iBAAiB,OAAO,EAAE;AAAA,MACnC,EAAE,gBAAgB,EAAE,CAAC,sCAAqB,GAAG,QAAQ,EAAE;AAAA,IACzD;AAAA,EACF,SAAS,KAAK;AACZ,YAAQ,MAAM,oCAAoC,MAAM,UAAU,KAAK,GAAG;AAAA,EAC5E;AACF;AAGA,eAAsB,yBACpB,SACA,QACe;AACf,QAAM,oBAAoB,kDAAiC,QAAQ,OAAO;AAC5E;AAGA,eAAsB,yBACpB,SACA,QACe;AACf,QAAM,oBAAoB,kDAAiC,QAAQ,OAAO;AAC5E;AAGA,eAAsB,6BACpB,SACA,QACe;AACf,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;AAGA,eAAsB,6BACpB,SACA,QACe;AACf,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;AAGA,eAAsB,wBACpB,SACA,QACe;AACf,QAAM,oBAAoB,iDAAgC,QAAQ,OAAO;AAC3E;AAGA,eAAsB,wBACpB,SACA,QACe;AACf,QAAM,oBAAoB,iDAAgC,QAAQ,OAAO;AAC3E;AASO,SAAS,iBACd,UACoB;AACpB,QAAM,OAAO,UAAU;AAGvB,QAAM,QAAQ,MAAM,SAAS,CAAC,GAAG;AACjC,SAAO,OAAO,UAAU,YAAY,MAAM,SAAS,IAAI,QAAQ;AACjE;","names":[]}

package/lib/{chunk-23PUSHBV.mjs → chunk-D2Y6DDOC.mjs}

@@ -1,6 +1,6 @@
 import {
   require_lib
-} from "./chunk-ZM4GDHHC.mjs";
+} from "./chunk-KMEWULMX.mjs";
 import {
   __toESM
 } from "./chunk-LZOMFHX3.mjs";
@@ -21,4 +21,4 @@ export {
   RENAME_CASCADE_OPS_EVENT_BUS_ENV_VAR,
   import_workflows
 };
-//# sourceMappingURL=chunk-23PUSHBV.mjs.map
+//# sourceMappingURL=chunk-D2Y6DDOC.mjs.map

package/lib/chunk-DWSWCUZR.mjs

@@ -0,0 +1,123 @@
+import {
+  batchGetWithRetry,
+  dispatchListMode
+} from "./chunk-O5VQWB6U.mjs";
+import {
+  SHARD_COUNT,
+  getDynamoControlService
+} from "./chunk-EUIP2U5F.mjs";
+
+// src/data/operations/control/user/user-list-operation.ts
+var SK = "CURRENT";
+function counterValue(value) {
+  return typeof value === "number" && Number.isFinite(value) ? value : 0;
+}
+async function listUsersOperation(params) {
+  const { tableName, mode = "full" } = params;
+  const service = getDynamoControlService(tableName);
+  const shardResults = await Promise.all(
+    Array.from(
+      { length: SHARD_COUNT },
+      (_, shard) => service.entities.user.query.gsi1({ gsi1Shard: String(shard) }).go()
+    )
+  );
+  return dispatchListMode(mode, shardResults, {
+    hydrate: (orderedIds) => batchGetWithRetry(
+      service.entities.user,
+      orderedIds.map((id) => ({ id, sk: SK }))
+    ),
+    getId: (item) => item.id,
+    // FULL mode (admin list default): read the ADR-028 counters off the
+    // canonical record hydrated by BatchGet and expose them as
+    // `resource.counts`. Missing counters render as 0.
+    buildEntry: (id, item) => ({
+      id,
+      resource: {
+        resourceType: "User",
+        id,
+        ...JSON.parse(item.resource),
+        counts: {
+          tenantsForUser: counterValue(item.tenantsForUser),
+          workspacesForUser: counterValue(item.workspacesForUser)
+        }
+      }
+    }),
+    // SUMMARY mode reads only the GSI1 `summary` projection (no
+    // counters); surface zeros so the shape stays uniform.
+    buildSummaryEntry: (id, parsed) => ({
+      id,
+      resource: {
+        resourceType: "User",
+        id,
+        ...parsed,
+        counts: { tenantsForUser: 0, workspacesForUser: 0 }
+      }
+    })
+  });
+}
+
+// src/data/operations/control/membership/membership-list-by-user-operation.ts
+function buildSkPrefix(mode, tenantId) {
+  switch (mode) {
+    case "tenant":
+      return "MEMBERSHIP#TENANT#";
+    case "workspace":
+      return "MEMBERSHIP#WORKSPACE#";
+    case "workspaceInTenant":
+      return `MEMBERSHIP#WORKSPACE#TID#${tenantId}#`;
+    case "all":
+    default:
+      return "MEMBERSHIP#";
+  }
+}
+async function membershipListByUserOperation(params) {
+  const {
+    userId,
+    mode = "all",
+    tenantId,
+    cursor = null,
+    limit,
+    order,
+    tableName
+  } = params;
+  if (mode === "workspaceInTenant" && !tenantId) {
+    throw new Error(
+      'membershipListByUserOperation: tenantId is required when mode === "workspaceInTenant"'
+    );
+  }
+  const service = getDynamoControlService(tableName);
+  const skPrefix = buildSkPrefix(mode, tenantId);
+  const goOptions = {
+    cursor
+  };
+  if (limit !== void 0) {
+    goOptions.limit = limit;
+  }
+  if (order !== void 0) {
+    goOptions.order = order;
+  }
+  const result = await service.entities.membershipUserProjection.query.record({ userId }).begins({ sk: skPrefix }).go(goOptions);
+  const items = (result.data ?? []).map(
+    (row) => ({
+      userId: row.userId,
+      sk: row.sk,
+      tenantId: row.tenantId,
+      workspaceId: row.workspaceId,
+      membershipId: row.membershipId,
+      summary: row.summary,
+      vid: row.vid,
+      lastUpdated: row.lastUpdated,
+      denormalizedTenantName: row.denormalizedTenantName,
+      denormalizedUserName: row.denormalizedUserName,
+      denormalizedWorkspaceName: row.denormalizedWorkspaceName
+    })
+  );
+  return { items, cursor: result.cursor ?? null };
+}
+
+export {
+  buildSkPrefix,
+  membershipListByUserOperation,
+  listUsersOperation
+};
+//# sourceMappingURL=chunk-DWSWCUZR.mjs.map

package/lib/chunk-DWSWCUZR.mjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/data/operations/control/user/user-list-operation.ts","../src/data/operations/control/membership/membership-list-by-user-operation.ts"],"sourcesContent":["import { getDynamoControlService } from \"../../../dynamo/dynamo-control-service\";\nimport { SHARD_COUNT } from \"../../../dynamo/shard\";\nimport { OpenHiContext } from \"../../../openhi-context\";\nimport {\n  batchGetWithRetry,\n  dispatchListMode,\n  type ListOperationMode,\n} from \"../../data-operations-common\";\n\nconst SK = \"CURRENT\";\n\nexport interface UserListParams {\n  context: OpenHiContext;\n  tableName?: string;\n  /** #853: defaults to `\"full\"`. `\"summary\"` skips BatchGet, `\"count\"` returns total only. */\n  mode?: ListOperationMode;\n}\n\n/**\n * ADR-028 denormalized counter shape surfaced on a User list entry's\n * `resource.counts`. Missing counters render as `0`.\n */\nexport interface UserCounts {\n  tenantsForUser: number;\n  workspacesForUser: number;\n}\n\nexport interface UserListResult {\n  entries: Array<{\n    id: string;\n    resource: {\n      resourceType: string;\n      id: string;\n      counts: UserCounts;\n      [key: string]: unknown;\n    };\n  }>;\n  total: number;\n}\n\n/** Coerce a possibly-absent counter attribute to a non-negative number (default 0). */\nfunction counterValue(value: unknown): number {\n  return typeof value === \"number\" && Number.isFinite(value) ? value : 0;\n}\n\n/**\n * Lists Users via GSI1 (sharded). `mode` (default `\"full\"`) selects between BatchGet hydration,\n * summary-only (parse `summary` JSON projected on GSI1), or count-only (skip both). See\n * `dispatchListMode` in data-operations-common for the canonical mode contract.\n */\nexport async function listUsersOperation(\n  params: UserListParams,\n): Promise<UserListResult> {\n  const { tableName, mode = \"full\" } = params;\n  const service = getDynamoControlService(tableName);\n\n  const shardResults = await Promise.all(\n    Array.from({ length: SHARD_COUNT }, (_, shard) =>\n      service.entities.user.query.gsi1({ gsi1Shard: String(shard) }).go(),\n    ),\n  );\n\n  return dispatchListMode<\n    {\n      id: string;\n      resource: string;\n      tenantsForUser?: number;\n      workspacesForUser?: number;\n    },\n    UserListResult[\"entries\"][number]\n  >(mode, shardResults, {\n    hydrate: (orderedIds) =>\n      batchGetWithRetry(\n        service.entities.user,\n        orderedIds.map((id) => ({ id, sk: SK })),\n      ) as Promise<\n        Array<{\n          id: string;\n          resource: string;\n          tenantsForUser?: number;\n          workspacesForUser?: number;\n        }>\n      >,\n    getId: (item) => item.id,\n    // FULL mode (admin list default): read the ADR-028 counters off the\n    // canonical record hydrated by BatchGet and expose them as\n    // `resource.counts`. Missing counters render as 0.\n    buildEntry: (id, item) => ({\n      id,\n      resource: {\n        resourceType: \"User\",\n        id,\n        ...(JSON.parse(item.resource) as Record<string, unknown>),\n        counts: {\n          tenantsForUser: counterValue(item.tenantsForUser),\n          workspacesForUser: counterValue(item.workspacesForUser),\n        },\n      },\n    }),\n    // SUMMARY mode reads only the GSI1 `summary` projection (no\n    // counters); surface zeros so the shape stays uniform.\n    buildSummaryEntry: (id, parsed) => ({\n      id,\n      resource: {\n        resourceType: \"User\",\n        id,\n        ...parsed,\n        counts: { tenantsForUser: 0, workspacesForUser: 0 },\n      },\n    }),\n  });\n}\n","import { getDynamoControlService } from \"../../../dynamo/dynamo-control-service\";\n\n/**\n * Filter modes for {@link membershipListByUserOperation}.\n *\n * Maps directly to the ADR-018 sub-lane discriminator in the user-projection\n * SK (`MEMBERSHIP#TENANT#…` vs `MEMBERSHIP#WORKSPACE#…`):\n *\n * - `\"all\"` — `Query(PK = USER#ID#<userId>, SK begins_with 'MEMBERSHIP#')`.\n *   Returns both lanes interleaved in raw SK order.\n * - `\"tenant\"` — `SK begins_with 'MEMBERSHIP#TENANT#'`. Pattern #3 only.\n * - `\"workspace\"` — `SK begins_with 'MEMBERSHIP#WORKSPACE#'`. Pattern #4\n *   across every tenant.\n * - `\"workspaceInTenant\"` — `SK begins_with 'MEMBERSHIP#WORKSPACE#TID#<tenantId>#'`.\n *   Pattern #4 narrowed to one tenant. Requires `tenantId`.\n */\nexport type MembershipListByUserMode =\n  | \"all\"\n  | \"tenant\"\n  | \"workspace\"\n  | \"workspaceInTenant\";\n\n/** Inputs accepted by {@link membershipListByUserOperation}. */\nexport interface MembershipListByUserParams {\n  readonly userId: string;\n  /** Filter mode — see {@link MembershipListByUserMode}. Defaults to `\"all\"`. */\n  readonly mode?: MembershipListByUserMode;\n  /** Required only when `mode === \"workspaceInTenant\"`. */\n  readonly tenantId?: string;\n  /** ElectroDB cursor from a prior page. Forwarded to `.go({ cursor })`. */\n  readonly cursor?: string | null;\n  /** Per-page item limit forwarded to `.go({ limit })`. */\n  readonly limit?: number;\n  /** Sort order forwarded to `.go({ order })`. Defaults to ElectroDB's `\"asc\"`. */\n  readonly order?: \"asc\" | \"desc\";\n  /** Optional table-name override; resolved via env when omitted. */\n  readonly tableName?: string;\n}\n\n/** One projection-row payload as returned to a consumer. */\nexport interface MembershipUserProjectionEntry {\n  readonly userId: string;\n  readonly sk: string;\n  readonly tenantId: string;\n  readonly workspaceId?: string;\n  readonly membershipId: string;\n  readonly summary: string;\n  readonly vid: string;\n  readonly lastUpdated: string;\n  readonly denormalizedTenantName?: string;\n  readonly denormalizedUserName?: string;\n  readonly denormalizedWorkspaceName?: string;\n}\n\n/** Page returned by {@link membershipListByUserOperation}. */\nexport interface MembershipListByUserResult {\n  readonly items: Array<MembershipUserProjectionEntry>;\n  /** ElectroDB cursor for the next page, or `null` when exhausted. */\n  readonly cursor: string | null;\n}\n\n/**\n * Compose the SK prefix for a given filter mode. Centralizing the\n * prefix string here keeps the SK grammar (owned by\n * `membership-user-projection.ts`) the single source of truth for the\n * lane discriminators — this function reads them, it does not invent them.\n */\nexport function buildSkPrefix(\n  mode: MembershipListByUserMode,\n  tenantId: string | undefined,\n): string {\n  switch (mode) {\n    case \"tenant\":\n      return \"MEMBERSHIP#TENANT#\";\n    case \"workspace\":\n      return \"MEMBERSHIP#WORKSPACE#\";\n    case \"workspaceInTenant\":\n      // Pattern-#4 SK places `<tenantId>` directly after the\n      // `MEMBERSHIP#WORKSPACE#TID#` segment so a `begins_with` filter\n      // narrows the workspace lane to a single tenant.\n      return `MEMBERSHIP#WORKSPACE#TID#${tenantId}#`;\n    case \"all\":\n    default:\n      return \"MEMBERSHIP#\";\n  }\n}\n\n/**\n * List Memberships for a user via the ADR-018 user-partition projection\n * (no GSI hop).\n *\n * Reads `MembershipUserProjectionEntity` rows under `PK = USER#ID#<userId>`\n * with an `SK begins_with` filter selected by `mode`:\n *\n * | Mode | SK begins_with | Covers |\n * |---|---|---|\n * | `all` (default) | `MEMBERSHIP#` | patterns #3 + #4 interleaved |\n * | `tenant` | `MEMBERSHIP#TENANT#` | pattern #3 only |\n * | `workspace` | `MEMBERSHIP#WORKSPACE#` | pattern #4 only, across tenants |\n * | `workspaceInTenant` | `MEMBERSHIP#WORKSPACE#TID#<tenantId>#` | pattern #4 in one tenant |\n *\n * Returns the projection rows verbatim (`summary`, `vid`, `lastUpdated`\n * plus the projection-discriminating fields) — full canonical-resource\n * hydration is opt-in for callers via\n * `MembershipEntity.get({ tenantId, id: membershipId })`. Pagination\n * mirrors ElectroDB's native `.go({ cursor })` shape; the returned\n * `cursor` is opaque to callers.\n *\n * @see ADR-018 § Access Pattern Coverage (patterns #3 and #4)\n * @see .state/adr-018-implementation-guide.md § 1 (SK grammar)\n */\nexport async function membershipListByUserOperation(\n  params: MembershipListByUserParams,\n): Promise<MembershipListByUserResult> {\n  const {\n    userId,\n    mode = \"all\",\n    tenantId,\n    cursor = null,\n    limit,\n    order,\n    tableName,\n  } = params;\n\n  if (mode === \"workspaceInTenant\" && !tenantId) {\n    throw new Error(\n      'membershipListByUserOperation: tenantId is required when mode === \"workspaceInTenant\"',\n    );\n  }\n\n  const service = getDynamoControlService(tableName);\n  const skPrefix = buildSkPrefix(mode, tenantId);\n\n  const goOptions: {\n    cursor?: string | null;\n    limit?: number;\n    order?: \"asc\" | \"desc\";\n  } = {\n    cursor,\n  };\n  if (limit !== undefined) {\n    goOptions.limit = limit;\n  }\n  if (order !== undefined) {\n    goOptions.order = order;\n  }\n\n  const result = await service.entities.membershipUserProjection.query\n    .record({ userId })\n    .begins({ sk: skPrefix })\n    .go(goOptions);\n\n  const items: Array<MembershipUserProjectionEntry> = (result.data ?? []).map(\n    (row) => ({\n      userId: row.userId,\n      sk: row.sk,\n      tenantId: row.tenantId,\n      workspaceId: row.workspaceId,\n      membershipId: row.membershipId,\n      summary: row.summary,\n      vid: row.vid,\n      lastUpdated: row.lastUpdated,\n      denormalizedTenantName: row.denormalizedTenantName,\n      denormalizedUserName: row.denormalizedUserName,\n      denormalizedWorkspaceName: row.denormalizedWorkspaceName,\n    }),\n  );\n\n  return { items, cursor: result.cursor ?? null };\n}\n"],"mappings":";;;;;;;;;;AASA,IAAM,KAAK;AAgCX,SAAS,aAAa,OAAwB;AAC5C,SAAO,OAAO,UAAU,YAAY,OAAO,SAAS,KAAK,IAAI,QAAQ;AACvE;AAOA,eAAsB,mBACpB,QACyB;AACzB,QAAM,EAAE,WAAW,OAAO,OAAO,IAAI;AACrC,QAAM,UAAU,wBAAwB,SAAS;AAEjD,QAAM,eAAe,MAAM,QAAQ;AAAA,IACjC,MAAM;AAAA,MAAK,EAAE,QAAQ,YAAY;AAAA,MAAG,CAAC,GAAG,UACtC,QAAQ,SAAS,KAAK,MAAM,KAAK,EAAE,WAAW,OAAO,KAAK,EAAE,CAAC,EAAE,GAAG;AAAA,IACpE;AAAA,EACF;AAEA,SAAO,iBAQL,MAAM,cAAc;AAAA,IACpB,SAAS,CAAC,eACR;AAAA,MACE,QAAQ,SAAS;AAAA,MACjB,WAAW,IAAI,CAAC,QAAQ,EAAE,IAAI,IAAI,GAAG,EAAE;AAAA,IACzC;AAAA,IAQF,OAAO,CAAC,SAAS,KAAK;AAAA;AAAA;AAAA;AAAA,IAItB,YAAY,CAAC,IAAI,UAAU;AAAA,MACzB;AAAA,MACA,UAAU;AAAA,QACR,cAAc;AAAA,QACd;AAAA,QACA,GAAI,KAAK,MAAM,KAAK,QAAQ;AAAA,QAC5B,QAAQ;AAAA,UACN,gBAAgB,aAAa,KAAK,cAAc;AAAA,UAChD,mBAAmB,aAAa,KAAK,iBAAiB;AAAA,QACxD;AAAA,MACF;AAAA,IACF;AAAA;AAAA;AAAA,IAGA,mBAAmB,CAAC,IAAI,YAAY;AAAA,MAClC;AAAA,MACA,UAAU;AAAA,QACR,cAAc;AAAA,QACd;AAAA,QACA,GAAG;AAAA,QACH,QAAQ,EAAE,gBAAgB,GAAG,mBAAmB,EAAE;AAAA,MACpD;AAAA,IACF;AAAA,EACF,CAAC;AACH;;;AC5CO,SAAS,cACd,MACA,UACQ;AACR,UAAQ,MAAM;AAAA,IACZ,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AAIH,aAAO,4BAA4B,QAAQ;AAAA,IAC7C,KAAK;AAAA,IACL;AACE,aAAO;AAAA,EACX;AACF;AA0BA,eAAsB,8BACpB,QACqC;AACrC,QAAM;AAAA,IACJ;AAAA,IACA,OAAO;AAAA,IACP;AAAA,IACA,SAAS;AAAA,IACT;AAAA,IACA;AAAA,IACA;AAAA,EACF,IAAI;AAEJ,MAAI,SAAS,uBAAuB,CAAC,UAAU;AAC7C,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AAEA,QAAM,UAAU,wBAAwB,SAAS;AACjD,QAAM,WAAW,cAAc,MAAM,QAAQ;AAE7C,QAAM,YAIF;AAAA,IACF;AAAA,EACF;AACA,MAAI,UAAU,QAAW;AACvB,cAAU,QAAQ;AAAA,EACpB;AACA,MAAI,UAAU,QAAW;AACvB,cAAU,QAAQ;AAAA,EACpB;AAEA,QAAM,SAAS,MAAM,QAAQ,SAAS,yBAAyB,MAC5D,OAAO,EAAE,OAAO,CAAC,EACjB,OAAO,EAAE,IAAI,SAAS,CAAC,EACvB,GAAG,SAAS;AAEf,QAAM,SAA+C,OAAO,QAAQ,CAAC,GAAG;AAAA,IACtE,CAAC,SAAS;AAAA,MACR,QAAQ,IAAI;AAAA,MACZ,IAAI,IAAI;AAAA,MACR,UAAU,IAAI;AAAA,MACd,aAAa,IAAI;AAAA,MACjB,cAAc,IAAI;AAAA,MAClB,SAAS,IAAI;AAAA,MACb,KAAK,IAAI;AAAA,MACT,aAAa,IAAI;AAAA,MACjB,wBAAwB,IAAI;AAAA,MAC5B,sBAAsB,IAAI;AAAA,MAC1B,2BAA2B,IAAI;AAAA,IACjC;AAAA,EACF;AAEA,SAAO,EAAE,OAAO,QAAQ,OAAO,UAAU,KAAK;AAChD;","names":[]}

package/lib/{chunk-VZCPGQXA.mjs → chunk-EUIP2U5F.mjs}

@@ -1436,6 +1436,24 @@ var TenantEntity = new Entity11({
       type: "string",
       required: true
     },
+    /**
+     * ADR-028 denormalized counter — number of tenant-scoped Memberships
+     * (users) in this tenant. Maintained by the counter-maintenance
+     * consumer via atomic ADD; absent/0 until first event or reconciliation.
+     */
+    usersInTenant: {
+      type: "number",
+      required: false
+    },
+    /**
+     * ADR-028 denormalized counter — number of Workspaces in this tenant.
+     * Maintained by the counter-maintenance consumer via atomic ADD;
+     * absent/0 until first event or reconciliation.
+     */
+    workspacesInTenant: {
+      type: "number",
+      required: false
+    },
     gsi1Shard: gsi1ShardAttribute,
     /** Derived GSI1 sort key — name-based when extractable; else `<lastUpdated>#<id>`. */
     gsi1sk: gsi1skAttribute,
@@ -1540,6 +1558,26 @@ var UserEntity = new Entity12({
       type: "string",
       required: true
     },
+    /**
+     * ADR-028 denormalized counter — number of tenant-scoped Memberships
+     * (tenants) this user belongs to. Maintained by the
+     * counter-maintenance consumer via atomic ADD; absent/0 until first
+     * event or reconciliation.
+     */
+    tenantsForUser: {
+      type: "number",
+      required: false
+    },
+    /**
+     * ADR-028 denormalized counter — number of workspace-scoped
+     * Memberships (workspaces) this user belongs to. Maintained by the
+     * counter-maintenance consumer via atomic ADD; absent/0 until first
+     * event or reconciliation.
+     */
+    workspacesForUser: {
+      type: "number",
+      required: false
+    },
     gsi1Shard: gsi1ShardAttribute,
     /** Derived GSI1 sort key — name-based when extractable; else `<lastUpdated>#<id>`. */
     gsi1sk: gsi1skAttribute,
@@ -1684,6 +1722,36 @@ var WorkspaceEntity = new Entity13({
       type: "string",
       required: true
     },
+    /**
+     * ADR-028 denormalized counter — number of workspace-scoped
+     * Memberships (users) in this workspace. Maintained by the
+     * counter-maintenance consumer via atomic ADD; absent/0 until first
+     * event or reconciliation.
+     */
+    usersInWorkspace: {
+      type: "number",
+      required: false
+    },
+    /**
+     * ADR-028 denormalized counter — number of workspace-scoped
+     * RoleAssignments classified as admin-tier in this workspace.
+     * Maintained by the counter-maintenance consumer via atomic ADD;
+     * absent/0 until first event or reconciliation.
+     */
+    adminUsersInWorkspace: {
+      type: "number",
+      required: false
+    },
+    /**
+     * ADR-028 denormalized counter — number of workspace-scoped
+     * RoleAssignments classified as non-admin in this workspace.
+     * Maintained by the counter-maintenance consumer via atomic ADD;
+     * absent/0 until first event or reconciliation.
+     */
+    normalUsersInWorkspace: {
+      type: "number",
+      required: false
+    },
     gsi1Shard: gsi1ShardAttribute,
     /** Derived GSI1 sort key — name-based when extractable; else `<lastUpdated>#<id>`. */
     gsi1sk: gsi1skAttribute,
@@ -1801,4 +1869,4 @@ export {
   computeShard,
   getDynamoControlService
 };
-//# sourceMappingURL=chunk-VZCPGQXA.mjs.map
+//# sourceMappingURL=chunk-EUIP2U5F.mjs.map