@openhi/constructs 0.0.169 → 0.0.171

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (56) hide show
  1. package/lib/{chunk-DWSWCUZR.mjs → chunk-6HGSR3TG.mjs} +2 -2
  2. package/lib/chunk-APVVG7BO.mjs +61 -0
  3. package/lib/chunk-APVVG7BO.mjs.map +1 -0
  4. package/lib/{chunk-KA3OMP3X.mjs → chunk-AWAWCRWW.mjs} +10 -4
  5. package/lib/chunk-AWAWCRWW.mjs.map +1 -0
  6. package/lib/{chunk-ZODGX37H.mjs → chunk-E2OWEBBH.mjs} +3 -3
  7. package/lib/{chunk-GJTPXJKD.mjs → chunk-EBB4RNUG.mjs} +2 -2
  8. package/lib/{chunk-O5VQWB6U.mjs → chunk-FDBBTNCI.mjs} +5 -61
  9. package/lib/chunk-FDBBTNCI.mjs.map +1 -0
  10. package/lib/{chunk-P3CTZWC2.mjs → chunk-GG2WD6TA.mjs} +2 -2
  11. package/lib/{chunk-Q64MOYJ7.mjs → chunk-JUSVETWK.mjs} +3 -3
  12. package/lib/{chunk-ZXPA6W3G.mjs → chunk-RC7HHZR6.mjs} +3 -3
  13. package/lib/chunk-RC7HHZR6.mjs.map +1 -0
  14. package/lib/{chunk-2O3CXY2C.mjs → chunk-XJ5SRUGN.mjs} +2 -2
  15. package/lib/{chunk-2O3CXY2C.mjs.map → chunk-XJ5SRUGN.mjs.map} +1 -1
  16. package/lib/{chunk-P3NFCKTZ.mjs → chunk-XNUCKVSE.mjs} +2 -2
  17. package/lib/{chunk-WFTDH2NM.mjs → chunk-Y4RGUAM2.mjs} +2 -2
  18. package/lib/{chunk-XHG4SODS.mjs → chunk-Z4PZSLYY.mjs} +2 -2
  19. package/lib/counter-reconciliation.handler.mjs +5 -4
  20. package/lib/counter-reconciliation.handler.mjs.map +1 -1
  21. package/lib/data-store-postgres-replication.handler.js +48 -10
  22. package/lib/data-store-postgres-replication.handler.js.map +1 -1
  23. package/lib/data-store-postgres-replication.handler.mjs +16 -11
  24. package/lib/data-store-postgres-replication.handler.mjs.map +1 -1
  25. package/lib/firehose-archive-transform.handler.d.mts +2 -1
  26. package/lib/firehose-archive-transform.handler.d.ts +2 -1
  27. package/lib/firehose-archive-transform.handler.js +44 -4
  28. package/lib/firehose-archive-transform.handler.js.map +1 -1
  29. package/lib/firehose-archive-transform.handler.mjs +5 -2
  30. package/lib/index.d.mts +6 -2
  31. package/lib/index.d.ts +6 -2
  32. package/lib/index.js +23 -4
  33. package/lib/index.js.map +1 -1
  34. package/lib/index.mjs +27 -7
  35. package/lib/index.mjs.map +1 -1
  36. package/lib/pre-token-generation.handler.mjs +6 -5
  37. package/lib/pre-token-generation.handler.mjs.map +1 -1
  38. package/lib/provision-default-workspace.handler.mjs +5 -4
  39. package/lib/provision-default-workspace.handler.mjs.map +1 -1
  40. package/lib/rest-api-lambda.handler.js +1 -1
  41. package/lib/rest-api-lambda.handler.js.map +1 -1
  42. package/lib/rest-api-lambda.handler.mjs +14 -12
  43. package/lib/rest-api-lambda.handler.mjs.map +1 -1
  44. package/lib/seed-demo-data.handler.mjs +5 -4
  45. package/package.json +1 -1
  46. package/lib/chunk-KA3OMP3X.mjs.map +0 -1
  47. package/lib/chunk-O5VQWB6U.mjs.map +0 -1
  48. package/lib/chunk-ZXPA6W3G.mjs.map +0 -1
  49. /package/lib/{chunk-DWSWCUZR.mjs.map → chunk-6HGSR3TG.mjs.map} +0 -0
  50. /package/lib/{chunk-ZODGX37H.mjs.map → chunk-E2OWEBBH.mjs.map} +0 -0
  51. /package/lib/{chunk-GJTPXJKD.mjs.map → chunk-EBB4RNUG.mjs.map} +0 -0
  52. /package/lib/{chunk-P3CTZWC2.mjs.map → chunk-GG2WD6TA.mjs.map} +0 -0
  53. /package/lib/{chunk-Q64MOYJ7.mjs.map → chunk-JUSVETWK.mjs.map} +0 -0
  54. /package/lib/{chunk-P3NFCKTZ.mjs.map → chunk-XNUCKVSE.mjs.map} +0 -0
  55. /package/lib/{chunk-WFTDH2NM.mjs.map → chunk-Y4RGUAM2.mjs.map} +0 -0
  56. /package/lib/{chunk-XHG4SODS.mjs.map → chunk-Z4PZSLYY.mjs.map} +0 -0
package/lib/data-store-postgres-replication.handler.mjs CHANGED
@@ -1,15 +1,18 @@
1
1
  import {
2
2
  parseCurrentResourceKeys,
3
3
  shouldDropAsGlobalTableReplicationRecord
4
- } from "./chunk-KA3OMP3X.mjs";
4
+ } from "./chunk-AWAWCRWW.mjs";
5
5
  import {
6
6
  dynamodbImageToPlain
7
- } from "./chunk-ZXPA6W3G.mjs";
7
+ } from "./chunk-RC7HHZR6.mjs";
8
8
  import {
9
9
  buildResourceSoftDeleteSql,
10
10
  buildResourceUpsertSql,
11
11
  ensureSchemaBootstrap
12
- } from "./chunk-2O3CXY2C.mjs";
12
+ } from "./chunk-XJ5SRUGN.mjs";
13
+ import {
14
+ decompressResource
15
+ } from "./chunk-APVVG7BO.mjs";
13
16
  import "./chunk-KMEWULMX.mjs";
14
17
  import "./chunk-LZOMFHX3.mjs";
15
18
 
@@ -124,7 +127,7 @@ function decodeKinesisRecord(record) {
124
127
  const json = Buffer.from(record.kinesis.data, "base64").toString("utf8");
125
128
  return JSON.parse(json);
126
129
  }
127
- function deriveLastUpdated(resource, approximateCreationEpochSec) {
130
+ function deriveLastUpdated(resource, approximateCreationEpochMs) {
128
131
  if (resource && typeof resource === "object") {
129
132
  const meta = resource.meta;
130
133
  const lu = meta?.lastUpdated;
@@ -135,8 +138,8 @@ function deriveLastUpdated(resource, approximateCreationEpochSec) {
135
138
  }
136
139
  }
137
140
  }
138
- if (typeof approximateCreationEpochSec === "number" && Number.isFinite(approximateCreationEpochSec)) {
139
- return new Date(approximateCreationEpochSec * 1e3);
141
+ if (typeof approximateCreationEpochMs === "number" && Number.isFinite(approximateCreationEpochMs)) {
142
+ return new Date(approximateCreationEpochMs);
140
143
  }
141
144
  return /* @__PURE__ */ new Date();
142
145
  }
@@ -154,7 +157,7 @@ function buildWriteIntent(change, awsRegion) {
154
157
  return { kind: "drop" };
155
158
  }
156
159
  const plain = dynamodbImageToPlain(image);
157
- const approxEpochSec = change.dynamodb?.ApproximateCreationDateTime;
160
+ const approxEpochMs = change.dynamodb?.ApproximateCreationDateTime;
158
161
  if (isRemove) {
159
162
  return {
160
163
  kind: "delete",
@@ -164,16 +167,18 @@ function buildWriteIntent(change, awsRegion) {
164
167
  resourceType: keys.resourceType,
165
168
  resourceId: keys.resourceId,
166
169
  version: keys.version,
167
- deletedAt: deriveLastUpdated(void 0, approxEpochSec)
170
+ deletedAt: deriveLastUpdated(void 0, approxEpochMs)
168
171
  }
169
172
  };
170
173
  }
171
174
  if (typeof plain.resource !== "string") {
172
175
  return { kind: "drop" };
173
176
  }
177
+ let resourceJson;
174
178
  let resourceObj;
175
179
  try {
176
- resourceObj = JSON.parse(plain.resource);
180
+ resourceJson = decompressResource(plain.resource);
181
+ resourceObj = JSON.parse(resourceJson);
177
182
  } catch {
178
183
  return { kind: "drop" };
179
184
  }
@@ -185,8 +190,8 @@ function buildWriteIntent(change, awsRegion) {
185
190
  resourceType: keys.resourceType,
186
191
  resourceId: keys.resourceId,
187
192
  version: keys.version,
188
- lastUpdated: deriveLastUpdated(resourceObj, approxEpochSec),
189
- resourceJson: plain.resource
193
+ lastUpdated: deriveLastUpdated(resourceObj, approxEpochMs),
194
+ resourceJson
190
195
  }
191
196
  };
192
197
  }
package/lib/data-store-postgres-replication.handler.mjs.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/components/postgres/data-store-postgres-replication.handler.ts"],"sourcesContent":["import {\n GetSecretValueCommand,\n SecretsManagerClient,\n} from \"@aws-sdk/client-secrets-manager\";\nimport type {\n KinesisStreamBatchResponse,\n KinesisStreamEvent,\n KinesisStreamRecord,\n} from \"aws-lambda\";\nimport { Pool } from \"pg\";\nimport {\n buildResourceSoftDeleteSql,\n buildResourceUpsertSql,\n ensureSchemaBootstrap,\n} from \"./data-store-postgres-schema\";\nimport {\n type DynamoDbStreamKinesisRecord,\n dynamodbImageToPlain,\n} from \"../dynamodb/dynamodb-stream-record\";\nimport {\n parseCurrentResourceKeys,\n shouldDropAsGlobalTableReplicationRecord,\n} from \"../dynamodb/firehose-archive-transform.handler\";\n\n/**\n * Postgres replication consumer for the data store change Kinesis stream\n * (ADR 2026-04-17-01, phase 1). Reads the same stream that feeds the\n * Firehose-to-S3 archive and projects each current FHIR resource into the\n * `resources` JSONB table on the Aurora Serverless v2 cluster provisioned by\n * {@link DataStorePostgresReplica}. This phase implements replication only;\n * no read-side query routing is wired up here.\n */\n\nconst REQUIRED_ENV_VARS = [\n \"OPENHI_PG_HOST\",\n \"OPENHI_PG_PORT\",\n \"OPENHI_PG_DATABASE\",\n \"OPENHI_PG_SCHEMA\",\n] as const;\n\ntype RequiredEnvVar = (typeof REQUIRED_ENV_VARS)[number];\n\ninterface PostgresConnectionConfig {\n host: string;\n port: number;\n database: string;\n schema: string;\n user: string;\n password: string;\n ssl: boolean;\n}\n\ninterface SecretsManagerCredentials {\n username: string;\n password: string;\n}\n\nlet cachedConfig: PostgresConnectionConfig | undefined;\nlet pool: Pool | undefined;\nlet bootstrapPromise: Promise<void> | undefined;\nlet secretsClient: SecretsManagerClient | undefined;\n\nfunction readEnv(name: RequiredEnvVar): string {\n const v = process.env[name]?.trim();\n if (!v) {\n throw new Error(\n `Missing required environment variable for postgres replication: ${name}`,\n );\n }\n return v;\n}\n\nasync function loadConfig(): Promise<PostgresConnectionConfig> {\n if (cachedConfig) {\n return cachedConfig;\n }\n const host = readEnv(\"OPENHI_PG_HOST\");\n const port = Number.parseInt(readEnv(\"OPENHI_PG_PORT\"), 10);\n const database = readEnv(\"OPENHI_PG_DATABASE\");\n const schema = readEnv(\"OPENHI_PG_SCHEMA\");\n\n // Test/integration setups can supply user/password directly via env to skip\n // the Secrets Manager round-trip. Production always goes through the secret.\n const directUser = process.env.OPENHI_PG_USER?.trim();\n const directPassword = process.env.OPENHI_PG_PASSWORD;\n if (directUser && directPassword !== undefined) {\n cachedConfig = {\n host,\n port,\n database,\n schema,\n user: directUser,\n password: directPassword,\n ssl: process.env.OPENHI_PG_SSL?.trim() === \"true\",\n };\n return cachedConfig;\n }\n\n const secretArn = process.env.OPENHI_PG_SECRET_ARN?.trim();\n if (!secretArn) {\n throw new Error(\n \"Either OPENHI_PG_SECRET_ARN or both OPENHI_PG_USER and OPENHI_PG_PASSWORD must be set\",\n );\n }\n if (!secretsClient) {\n secretsClient = new SecretsManagerClient({});\n }\n const out = await secretsClient.send(\n new GetSecretValueCommand({ SecretId: secretArn }),\n );\n if (!out.SecretString) {\n throw new Error(\n `Secret ${secretArn} returned no SecretString; binary secrets are not supported`,\n );\n }\n const parsed = JSON.parse(out.SecretString) as SecretsManagerCredentials;\n cachedConfig = {\n host,\n port,\n database,\n schema,\n user: parsed.username,\n password: parsed.password,\n ssl: true,\n };\n return cachedConfig;\n}\n\nasync function getPool(): Promise<Pool> {\n if (pool) {\n return pool;\n }\n const cfg = await loadConfig();\n pool = new Pool({\n host: cfg.host,\n port: cfg.port,\n database: cfg.database,\n user: cfg.user,\n password: cfg.password,\n ssl: cfg.ssl ? { rejectUnauthorized: false } : false,\n max: 2,\n idleTimeoutMillis: 60_000,\n connectionTimeoutMillis: 10_000,\n });\n return pool;\n}\n\nasync function ensureBootstrapped(): Promise<void> {\n if (!bootstrapPromise) {\n bootstrapPromise = (async () => {\n const cfg = await loadConfig();\n const p = await getPool();\n await ensureSchemaBootstrap(p, cfg.schema);\n })().catch((err) => {\n // Reset so a subsequent invocation retries the bootstrap on a fresh\n // container; otherwise a transient failure during cold start would\n // poison every record forever.\n bootstrapPromise = undefined;\n throw err;\n });\n }\n return bootstrapPromise;\n}\n\n/**\n * Reset module-scoped caches. Test-only helper; do not invoke from production\n * code paths. Exposed so unit and integration tests can run multiple\n * scenarios within a single Jest worker without leaking state across cases.\n */\nexport function __resetReplicationModuleStateForTests(): void {\n cachedConfig = undefined;\n pool = undefined;\n bootstrapPromise = undefined;\n secretsClient = undefined;\n}\n\nfunction decodeKinesisRecord(\n record: KinesisStreamRecord,\n): DynamoDbStreamKinesisRecord {\n const json = Buffer.from(record.kinesis.data, \"base64\").toString(\"utf8\");\n return JSON.parse(json) as DynamoDbStreamKinesisRecord;\n}\n\nfunction deriveLastUpdated(\n resource: unknown,\n approximateCreationEpochSec: number | undefined,\n): Date {\n if (resource && typeof resource === \"object\") {\n const meta = (resource as { meta?: { lastUpdated?: unknown } }).meta;\n const lu = meta?.lastUpdated;\n if (typeof lu === \"string\") {\n const parsed = new Date(lu);\n if (!Number.isNaN(parsed.getTime())) {\n return parsed;\n }\n }\n }\n if (\n typeof approximateCreationEpochSec === \"number\" &&\n Number.isFinite(approximateCreationEpochSec)\n ) {\n return new Date(approximateCreationEpochSec * 1000);\n }\n return new Date();\n}\n\ninterface UpsertParams {\n tenantId: string;\n workspaceId: string;\n resourceType: string;\n resourceId: string;\n version: string;\n lastUpdated: Date;\n resourceJson: string;\n}\n\ninterface SoftDeleteParams {\n tenantId: string;\n workspaceId: string;\n resourceType: string;\n resourceId: string;\n version: string;\n deletedAt: Date;\n}\n\ntype WriteIntent =\n | { kind: \"upsert\"; params: UpsertParams }\n | { kind: \"delete\"; params: SoftDeleteParams }\n | { kind: \"drop\" };\n\n/**\n * Translate a single Kinesis-wrapped DynamoDB stream record into a write\n * intent against the `resources` table. Returns `drop` for replica-side\n * global-table records, non-CURRENT items, and any record whose resource\n * payload cannot be decoded as JSON.\n */\nexport function buildWriteIntent(\n change: DynamoDbStreamKinesisRecord,\n awsRegion: string,\n): WriteIntent {\n if (shouldDropAsGlobalTableReplicationRecord(change, awsRegion)) {\n return { kind: \"drop\" };\n }\n const keys = parseCurrentResourceKeys(change);\n if (!keys) {\n return { kind: \"drop\" };\n }\n\n const isRemove = change.eventName === \"REMOVE\";\n const image = isRemove\n ? change.dynamodb?.OldImage\n : change.dynamodb?.NewImage;\n if (!image) {\n return { kind: \"drop\" };\n }\n\n const plain = dynamodbImageToPlain(image);\n const approxEpochSec = change.dynamodb?.ApproximateCreationDateTime;\n\n if (isRemove) {\n return {\n kind: \"delete\",\n params: {\n tenantId: keys.tenantId,\n workspaceId: keys.workspaceId,\n resourceType: keys.resourceType,\n resourceId: keys.resourceId,\n version: keys.version,\n deletedAt: deriveLastUpdated(undefined, approxEpochSec),\n },\n };\n }\n\n if (typeof plain.resource !== \"string\") {\n return { kind: \"drop\" };\n }\n let resourceObj: unknown;\n try {\n resourceObj = JSON.parse(plain.resource);\n } catch {\n return { kind: \"drop\" };\n }\n\n return {\n kind: \"upsert\",\n params: {\n tenantId: keys.tenantId,\n workspaceId: keys.workspaceId,\n resourceType: keys.resourceType,\n resourceId: keys.resourceId,\n version: keys.version,\n lastUpdated: deriveLastUpdated(resourceObj, approxEpochSec),\n resourceJson: plain.resource,\n },\n };\n}\n\ninterface PgQueryable {\n query: (\n text: string,\n values?: ReadonlyArray<unknown>,\n ) => Promise<unknown> | unknown;\n}\n\n/**\n * Execute a write intent against an open Postgres connection or pool. Pure\n * SQL dispatch — extracted from the handler so unit tests can drive it with a\n * mock client and integration tests can drive it with a real pool.\n */\nexport async function applyWriteIntent(\n client: PgQueryable,\n schemaName: string,\n intent: WriteIntent,\n): Promise<void> {\n if (intent.kind === \"drop\") {\n return;\n }\n if (intent.kind === \"upsert\") {\n const p = intent.params;\n await Promise.resolve(\n client.query(buildResourceUpsertSql(schemaName), [\n p.tenantId,\n p.workspaceId,\n p.resourceType,\n p.resourceId,\n p.version,\n p.lastUpdated,\n p.resourceJson,\n ]),\n );\n return;\n }\n const p = intent.params;\n await Promise.resolve(\n client.query(buildResourceSoftDeleteSql(schemaName), [\n p.tenantId,\n p.workspaceId,\n p.resourceType,\n p.resourceId,\n p.version,\n p.deletedAt,\n ]),\n );\n}\n\nexport async function handler(\n event: KinesisStreamEvent,\n): Promise<KinesisStreamBatchResponse> {\n const awsRegion = process.env.AWS_REGION ?? \"\";\n const batchItemFailures: Array<{ itemIdentifier: string }> = [];\n\n await ensureBootstrapped();\n const cfg = await loadConfig();\n const p = await getPool();\n\n for (const record of event.Records) {\n try {\n const change = decodeKinesisRecord(record);\n const intent = buildWriteIntent(change, awsRegion);\n await applyWriteIntent(p, cfg.schema, intent);\n } catch (err) {\n // eslint-disable-next-line no-console\n console.error(\n \"postgres replication record failed\",\n record.kinesis.sequenceNumber,\n err,\n );\n batchItemFailures.push({\n itemIdentifier: record.kinesis.sequenceNumber,\n });\n }\n }\n\n return { batchItemFailures };\n}\n"],"mappings":";;;;;;;;;;;;;;;;AAAA;AAAA,EACE;AAAA,EACA;AAAA,OACK;AAMP,SAAS,YAAY;AAgDrB,IAAI;AACJ,IAAI;AACJ,IAAI;AACJ,IAAI;AAEJ,SAAS,QAAQ,MAA8B;AAC7C,QAAM,IAAI,QAAQ,IAAI,IAAI,GAAG,KAAK;AAClC,MAAI,CAAC,GAAG;AACN,UAAM,IAAI;AAAA,MACR,mEAAmE,IAAI;AAAA,IACzE;AAAA,EACF;AACA,SAAO;AACT;AAEA,eAAe,aAAgD;AAC7D,MAAI,cAAc;AAChB,WAAO;AAAA,EACT;AACA,QAAM,OAAO,QAAQ,gBAAgB;AACrC,QAAM,OAAO,OAAO,SAAS,QAAQ,gBAAgB,GAAG,EAAE;AAC1D,QAAM,WAAW,QAAQ,oBAAoB;AAC7C,QAAM,SAAS,QAAQ,kBAAkB;AAIzC,QAAM,aAAa,QAAQ,IAAI,gBAAgB,KAAK;AACpD,QAAM,iBAAiB,QAAQ,IAAI;AACnC,MAAI,cAAc,mBAAmB,QAAW;AAC9C,mBAAe;AAAA,MACb;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA,MAAM;AAAA,MACN,UAAU;AAAA,MACV,KAAK,QAAQ,IAAI,eAAe,KAAK,MAAM;AAAA,IAC7C;AACA,WAAO;AAAA,EACT;AAEA,QAAM,YAAY,QAAQ,IAAI,sBAAsB,KAAK;AACzD,MAAI,CAAC,WAAW;AACd,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACA,MAAI,CAAC,eAAe;AAClB,oBAAgB,IAAI,qBAAqB,CAAC,CAAC;AAAA,EAC7C;AACA,QAAM,MAAM,MAAM,cAAc;AAAA,IAC9B,IAAI,sBAAsB,EAAE,UAAU,UAAU,CAAC;AAAA,EACnD;AACA,MAAI,CAAC,IAAI,cAAc;AACrB,UAAM,IAAI;AAAA,MACR,UAAU,SAAS;AAAA,IACrB;AAAA,EACF;AACA,QAAM,SAAS,KAAK,MAAM,IAAI,YAAY;AAC1C,iBAAe;AAAA,IACb;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,MAAM,OAAO;AAAA,IACb,UAAU,OAAO;AAAA,IACjB,KAAK;AAAA,EACP;AACA,SAAO;AACT;AAEA,eAAe,UAAyB;AACtC,MAAI,MAAM;AACR,WAAO;AAAA,EACT;AACA,QAAM,MAAM,MAAM,WAAW;AAC7B,SAAO,IAAI,KAAK;AAAA,IACd,MAAM,IAAI;AAAA,IACV,MAAM,IAAI;AAAA,IACV,UAAU,IAAI;AAAA,IACd,MAAM,IAAI;AAAA,IACV,UAAU,IAAI;AAAA,IACd,KAAK,IAAI,MAAM,EAAE,oBAAoB,MAAM,IAAI;AAAA,IAC/C,KAAK;AAAA,IACL,mBAAmB;AAAA,IACnB,yBAAyB;AAAA,EAC3B,CAAC;AACD,SAAO;AACT;AAEA,eAAe,qBAAoC;AACjD,MAAI,CAAC,kBAAkB;AACrB,wBAAoB,YAAY;AAC9B,YAAM,MAAM,MAAM,WAAW;AAC7B,YAAM,IAAI,MAAM,QAAQ;AACxB,YAAM,sBAAsB,GAAG,IAAI,MAAM;AAAA,IAC3C,GAAG,EAAE,MAAM,CAAC,QAAQ;AAIlB,yBAAmB;AACnB,YAAM;AAAA,IACR,CAAC;AAAA,EACH;AACA,SAAO;AACT;AAOO,SAAS,wCAA8C;AAC5D,iBAAe;AACf,SAAO;AACP,qBAAmB;AACnB,kBAAgB;AAClB;AAEA,SAAS,oBACP,QAC6B;AAC7B,QAAM,OAAO,OAAO,KAAK,OAAO,QAAQ,MAAM,QAAQ,EAAE,SAAS,MAAM;AACvE,SAAO,KAAK,MAAM,IAAI;AACxB;AAEA,SAAS,kBACP,UACA,6BACM;AACN,MAAI,YAAY,OAAO,aAAa,UAAU;AAC5C,UAAM,OAAQ,SAAkD;AAChE,UAAM,KAAK,MAAM;AACjB,QAAI,OAAO,OAAO,UAAU;AAC1B,YAAM,SAAS,IAAI,KAAK,EAAE;AAC1B,UAAI,CAAC,OAAO,MAAM,OAAO,QAAQ,CAAC,GAAG;AACnC,eAAO;AAAA,MACT;AAAA,IACF;AAAA,EACF;AACA,MACE,OAAO,gCAAgC,YACvC,OAAO,SAAS,2BAA2B,GAC3C;AACA,WAAO,IAAI,KAAK,8BAA8B,GAAI;AAAA,EACpD;AACA,SAAO,oBAAI,KAAK;AAClB;AAgCO,SAAS,iBACd,QACA,WACa;AACb,MAAI,yCAAyC,QAAQ,SAAS,GAAG;AAC/D,WAAO,EAAE,MAAM,OAAO;AAAA,EACxB;AACA,QAAM,OAAO,yBAAyB,MAAM;AAC5C,MAAI,CAAC,MAAM;AACT,WAAO,EAAE,MAAM,OAAO;AAAA,EACxB;AAEA,QAAM,WAAW,OAAO,cAAc;AACtC,QAAM,QAAQ,WACV,OAAO,UAAU,WACjB,OAAO,UAAU;AACrB,MAAI,CAAC,OAAO;AACV,WAAO,EAAE,MAAM,OAAO;AAAA,EACxB;AAEA,QAAM,QAAQ,qBAAqB,KAAK;AACxC,QAAM,iBAAiB,OAAO,UAAU;AAExC,MAAI,UAAU;AACZ,WAAO;AAAA,MACL,MAAM;AAAA,MACN,QAAQ;AAAA,QACN,UAAU,KAAK;AAAA,QACf,aAAa,KAAK;AAAA,QAClB,cAAc,KAAK;AAAA,QACnB,YAAY,KAAK;AAAA,QACjB,SAAS,KAAK;AAAA,QACd,WAAW,kBAAkB,QAAW,cAAc;AAAA,MACxD;AAAA,IACF;AAAA,EACF;AAEA,MAAI,OAAO,MAAM,aAAa,UAAU;AACtC,WAAO,EAAE,MAAM,OAAO;AAAA,EACxB;AACA,MAAI;AACJ,MAAI;AACF,kBAAc,KAAK,MAAM,MAAM,QAAQ;AAAA,EACzC,QAAQ;AACN,WAAO,EAAE,MAAM,OAAO;AAAA,EACxB;AAEA,SAAO;AAAA,IACL,MAAM;AAAA,IACN,QAAQ;AAAA,MACN,UAAU,KAAK;AAAA,MACf,aAAa,KAAK;AAAA,MAClB,cAAc,KAAK;AAAA,MACnB,YAAY,KAAK;AAAA,MACjB,SAAS,KAAK;AAAA,MACd,aAAa,kBAAkB,aAAa,cAAc;AAAA,MAC1D,cAAc,MAAM;AAAA,IACtB;AAAA,EACF;AACF;AAcA,eAAsB,iBACpB,QACA,YACA,QACe;AACf,MAAI,OAAO,SAAS,QAAQ;AAC1B;AAAA,EACF;AACA,MAAI,OAAO,SAAS,UAAU;AAC5B,UAAMA,KAAI,OAAO;AACjB,UAAM,QAAQ;AAAA,MACZ,OAAO,MAAM,uBAAuB,UAAU,GAAG;AAAA,QAC/CA,GAAE;AAAA,QACFA,GAAE;AAAA,QACFA,GAAE;AAAA,QACFA,GAAE;AAAA,QACFA,GAAE;AAAA,QACFA,GAAE;AAAA,QACFA,GAAE;AAAA,MACJ,CAAC;AAAA,IACH;AACA;AAAA,EACF;AACA,QAAM,IAAI,OAAO;AACjB,QAAM,QAAQ;AAAA,IACZ,OAAO,MAAM,2BAA2B,UAAU,GAAG;AAAA,MACnD,EAAE;AAAA,MACF,EAAE;AAAA,MACF,EAAE;AAAA,MACF,EAAE;AAAA,MACF,EAAE;AAAA,MACF,EAAE;AAAA,IACJ,CAAC;AAAA,EACH;AACF;AAEA,eAAsB,QACpB,OACqC;AACrC,QAAM,YAAY,QAAQ,IAAI,cAAc;AAC5C,QAAM,oBAAuD,CAAC;AAE9D,QAAM,mBAAmB;AACzB,QAAM,MAAM,MAAM,WAAW;AAC7B,QAAM,IAAI,MAAM,QAAQ;AAExB,aAAW,UAAU,MAAM,SAAS;AAClC,QAAI;AACF,YAAM,SAAS,oBAAoB,MAAM;AACzC,YAAM,SAAS,iBAAiB,QAAQ,SAAS;AACjD,YAAM,iBAAiB,GAAG,IAAI,QAAQ,MAAM;AAAA,IAC9C,SAAS,KAAK;AAEZ,cAAQ;AAAA,QACN;AAAA,QACA,OAAO,QAAQ;AAAA,QACf;AAAA,MACF;AACA,wBAAkB,KAAK;AAAA,QACrB,gBAAgB,OAAO,QAAQ;AAAA,MACjC,CAAC;AAAA,IACH;AAAA,EACF;AAEA,SAAO,EAAE,kBAAkB;AAC7B;","names":["p"]}
1
+ {"version":3,"sources":["../src/components/postgres/data-store-postgres-replication.handler.ts"],"sourcesContent":["import {\n GetSecretValueCommand,\n SecretsManagerClient,\n} from \"@aws-sdk/client-secrets-manager\";\nimport type {\n KinesisStreamBatchResponse,\n KinesisStreamEvent,\n KinesisStreamRecord,\n} from \"aws-lambda\";\nimport { Pool } from \"pg\";\nimport {\n buildResourceSoftDeleteSql,\n buildResourceUpsertSql,\n ensureSchemaBootstrap,\n} from \"./data-store-postgres-schema\";\nimport { decompressResource } from \"../../lib/compression\";\nimport {\n type DynamoDbStreamKinesisRecord,\n dynamodbImageToPlain,\n} from \"../dynamodb/dynamodb-stream-record\";\nimport {\n parseCurrentResourceKeys,\n shouldDropAsGlobalTableReplicationRecord,\n} from \"../dynamodb/firehose-archive-transform.handler\";\n\n/**\n * Postgres replication consumer for the data store change Kinesis stream\n * (ADR 2026-04-17-01, phase 1). Reads the same stream that feeds the\n * Firehose-to-S3 archive and projects each current FHIR resource into the\n * `resources` JSONB table on the Aurora Serverless v2 cluster provisioned by\n * {@link DataStorePostgresReplica}. This phase implements replication only;\n * no read-side query routing is wired up here.\n */\n\nconst REQUIRED_ENV_VARS = [\n \"OPENHI_PG_HOST\",\n \"OPENHI_PG_PORT\",\n \"OPENHI_PG_DATABASE\",\n \"OPENHI_PG_SCHEMA\",\n] as const;\n\ntype RequiredEnvVar = (typeof REQUIRED_ENV_VARS)[number];\n\ninterface PostgresConnectionConfig {\n host: string;\n port: number;\n database: string;\n schema: string;\n user: string;\n password: string;\n ssl: boolean;\n}\n\ninterface SecretsManagerCredentials {\n username: string;\n password: string;\n}\n\nlet cachedConfig: PostgresConnectionConfig | undefined;\nlet pool: Pool | undefined;\nlet bootstrapPromise: Promise<void> | undefined;\nlet secretsClient: SecretsManagerClient | undefined;\n\nfunction readEnv(name: RequiredEnvVar): string {\n const v = process.env[name]?.trim();\n if (!v) {\n throw new Error(\n `Missing required environment variable for postgres replication: ${name}`,\n );\n }\n return v;\n}\n\nasync function loadConfig(): Promise<PostgresConnectionConfig> {\n if (cachedConfig) {\n return cachedConfig;\n }\n const host = readEnv(\"OPENHI_PG_HOST\");\n const port = Number.parseInt(readEnv(\"OPENHI_PG_PORT\"), 10);\n const database = readEnv(\"OPENHI_PG_DATABASE\");\n const schema = readEnv(\"OPENHI_PG_SCHEMA\");\n\n // Test/integration setups can supply user/password directly via env to skip\n // the Secrets Manager round-trip. Production always goes through the secret.\n const directUser = process.env.OPENHI_PG_USER?.trim();\n const directPassword = process.env.OPENHI_PG_PASSWORD;\n if (directUser && directPassword !== undefined) {\n cachedConfig = {\n host,\n port,\n database,\n schema,\n user: directUser,\n password: directPassword,\n ssl: process.env.OPENHI_PG_SSL?.trim() === \"true\",\n };\n return cachedConfig;\n }\n\n const secretArn = process.env.OPENHI_PG_SECRET_ARN?.trim();\n if (!secretArn) {\n throw new Error(\n \"Either OPENHI_PG_SECRET_ARN or both OPENHI_PG_USER and OPENHI_PG_PASSWORD must be set\",\n );\n }\n if (!secretsClient) {\n secretsClient = new SecretsManagerClient({});\n }\n const out = await secretsClient.send(\n new GetSecretValueCommand({ SecretId: secretArn }),\n );\n if (!out.SecretString) {\n throw new Error(\n `Secret ${secretArn} returned no SecretString; binary secrets are not supported`,\n );\n }\n const parsed = JSON.parse(out.SecretString) as SecretsManagerCredentials;\n cachedConfig = {\n host,\n port,\n database,\n schema,\n user: parsed.username,\n password: parsed.password,\n ssl: true,\n };\n return cachedConfig;\n}\n\nasync function getPool(): Promise<Pool> {\n if (pool) {\n return pool;\n }\n const cfg = await loadConfig();\n pool = new Pool({\n host: cfg.host,\n port: cfg.port,\n database: cfg.database,\n user: cfg.user,\n password: cfg.password,\n ssl: cfg.ssl ? { rejectUnauthorized: false } : false,\n max: 2,\n idleTimeoutMillis: 60_000,\n connectionTimeoutMillis: 10_000,\n });\n return pool;\n}\n\nasync function ensureBootstrapped(): Promise<void> {\n if (!bootstrapPromise) {\n bootstrapPromise = (async () => {\n const cfg = await loadConfig();\n const p = await getPool();\n await ensureSchemaBootstrap(p, cfg.schema);\n })().catch((err) => {\n // Reset so a subsequent invocation retries the bootstrap on a fresh\n // container; otherwise a transient failure during cold start would\n // poison every record forever.\n bootstrapPromise = undefined;\n throw err;\n });\n }\n return bootstrapPromise;\n}\n\n/**\n * Reset module-scoped caches. Test-only helper; do not invoke from production\n * code paths. Exposed so unit and integration tests can run multiple\n * scenarios within a single Jest worker without leaking state across cases.\n */\nexport function __resetReplicationModuleStateForTests(): void {\n cachedConfig = undefined;\n pool = undefined;\n bootstrapPromise = undefined;\n secretsClient = undefined;\n}\n\nfunction decodeKinesisRecord(\n record: KinesisStreamRecord,\n): DynamoDbStreamKinesisRecord {\n const json = Buffer.from(record.kinesis.data, \"base64\").toString(\"utf8\");\n return JSON.parse(json) as DynamoDbStreamKinesisRecord;\n}\n\nfunction deriveLastUpdated(\n resource: unknown,\n approximateCreationEpochMs: number | undefined,\n): Date {\n if (resource && typeof resource === \"object\") {\n const meta = (resource as { meta?: { lastUpdated?: unknown } }).meta;\n const lu = meta?.lastUpdated;\n if (typeof lu === \"string\") {\n const parsed = new Date(lu);\n if (!Number.isNaN(parsed.getTime())) {\n return parsed;\n }\n }\n }\n if (\n typeof approximateCreationEpochMs === \"number\" &&\n Number.isFinite(approximateCreationEpochMs)\n ) {\n // The Kinesis Data Streams for DynamoDB pipe emits\n // `ApproximateCreationDateTime` in **milliseconds** — NOT seconds\n // (despite the DynamoDB Streams API of the same name being in\n // seconds). Pass the value directly to `Date`; multiplying by 1000\n // overshoots into the year-58000+ range.\n return new Date(approximateCreationEpochMs);\n }\n return new Date();\n}\n\ninterface UpsertParams {\n tenantId: string;\n workspaceId: string;\n resourceType: string;\n resourceId: string;\n version: string;\n lastUpdated: Date;\n resourceJson: string;\n}\n\ninterface SoftDeleteParams {\n tenantId: string;\n workspaceId: string;\n resourceType: string;\n resourceId: string;\n version: string;\n deletedAt: Date;\n}\n\ntype WriteIntent =\n | { kind: \"upsert\"; params: UpsertParams }\n | { kind: \"delete\"; params: SoftDeleteParams }\n | { kind: \"drop\" };\n\n/**\n * Translate a single Kinesis-wrapped DynamoDB stream record into a write\n * intent against the `resources` table. Returns `drop` for replica-side\n * global-table records, non-CURRENT items, and any record whose resource\n * payload cannot be decoded as JSON.\n */\nexport function buildWriteIntent(\n change: DynamoDbStreamKinesisRecord,\n awsRegion: string,\n): WriteIntent {\n if (shouldDropAsGlobalTableReplicationRecord(change, awsRegion)) {\n return { kind: \"drop\" };\n }\n const keys = parseCurrentResourceKeys(change);\n if (!keys) {\n return { kind: \"drop\" };\n }\n\n const isRemove = change.eventName === \"REMOVE\";\n const image = isRemove\n ? change.dynamodb?.OldImage\n : change.dynamodb?.NewImage;\n if (!image) {\n return { kind: \"drop\" };\n }\n\n const plain = dynamodbImageToPlain(image);\n const approxEpochMs = change.dynamodb?.ApproximateCreationDateTime;\n\n if (isRemove) {\n return {\n kind: \"delete\",\n params: {\n tenantId: keys.tenantId,\n workspaceId: keys.workspaceId,\n resourceType: keys.resourceType,\n resourceId: keys.resourceId,\n version: keys.version,\n deletedAt: deriveLastUpdated(undefined, approxEpochMs),\n },\n };\n }\n\n if (typeof plain.resource !== \"string\") {\n return { kind: \"drop\" };\n }\n // The DynamoDB `resource` attribute carries a gzip envelope\n // (`{ v, algo, payload }`) when the write went through the data-operations\n // layer. Decompress before parsing so the JSONB column holds the raw FHIR\n // resource — otherwise JSONB path queries (`resource->>'resourceType'`,\n // GIN-anchored search params) see envelope keys (`v`, `algo`, `payload`)\n // instead of FHIR fields. `decompressResource` accepts uncompressed JSON\n // as a pass-through, so this is safe for legacy/raw inputs too.\n let resourceJson: string;\n let resourceObj: unknown;\n try {\n resourceJson = decompressResource(plain.resource);\n resourceObj = JSON.parse(resourceJson);\n } catch {\n return { kind: \"drop\" };\n }\n\n return {\n kind: \"upsert\",\n params: {\n tenantId: keys.tenantId,\n workspaceId: keys.workspaceId,\n resourceType: keys.resourceType,\n resourceId: keys.resourceId,\n version: keys.version,\n lastUpdated: deriveLastUpdated(resourceObj, approxEpochMs),\n resourceJson,\n },\n };\n}\n\ninterface PgQueryable {\n query: (\n text: string,\n values?: ReadonlyArray<unknown>,\n ) => Promise<unknown> | unknown;\n}\n\n/**\n * Execute a write intent against an open Postgres connection or pool. Pure\n * SQL dispatch — extracted from the handler so unit tests can drive it with a\n * mock client and integration tests can drive it with a real pool.\n */\nexport async function applyWriteIntent(\n client: PgQueryable,\n schemaName: string,\n intent: WriteIntent,\n): Promise<void> {\n if (intent.kind === \"drop\") {\n return;\n }\n if (intent.kind === \"upsert\") {\n const p = intent.params;\n await Promise.resolve(\n client.query(buildResourceUpsertSql(schemaName), [\n p.tenantId,\n p.workspaceId,\n p.resourceType,\n p.resourceId,\n p.version,\n p.lastUpdated,\n p.resourceJson,\n ]),\n );\n return;\n }\n const p = intent.params;\n await Promise.resolve(\n client.query(buildResourceSoftDeleteSql(schemaName), [\n p.tenantId,\n p.workspaceId,\n p.resourceType,\n p.resourceId,\n p.version,\n p.deletedAt,\n ]),\n );\n}\n\nexport async function handler(\n event: KinesisStreamEvent,\n): Promise<KinesisStreamBatchResponse> {\n const awsRegion = process.env.AWS_REGION ?? \"\";\n const batchItemFailures: Array<{ itemIdentifier: string }> = [];\n\n await ensureBootstrapped();\n const cfg = await loadConfig();\n const p = await getPool();\n\n for (const record of event.Records) {\n try {\n const change = decodeKinesisRecord(record);\n const intent = buildWriteIntent(change, awsRegion);\n await applyWriteIntent(p, cfg.schema, intent);\n } catch (err) {\n // eslint-disable-next-line no-console\n console.error(\n \"postgres replication record failed\",\n record.kinesis.sequenceNumber,\n err,\n );\n batchItemFailures.push({\n itemIdentifier: record.kinesis.sequenceNumber,\n });\n }\n }\n\n return { batchItemFailures };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;AAAA;AAAA,EACE;AAAA,EACA;AAAA,OACK;AAMP,SAAS,YAAY;AAiDrB,IAAI;AACJ,IAAI;AACJ,IAAI;AACJ,IAAI;AAEJ,SAAS,QAAQ,MAA8B;AAC7C,QAAM,IAAI,QAAQ,IAAI,IAAI,GAAG,KAAK;AAClC,MAAI,CAAC,GAAG;AACN,UAAM,IAAI;AAAA,MACR,mEAAmE,IAAI;AAAA,IACzE;AAAA,EACF;AACA,SAAO;AACT;AAEA,eAAe,aAAgD;AAC7D,MAAI,cAAc;AAChB,WAAO;AAAA,EACT;AACA,QAAM,OAAO,QAAQ,gBAAgB;AACrC,QAAM,OAAO,OAAO,SAAS,QAAQ,gBAAgB,GAAG,EAAE;AAC1D,QAAM,WAAW,QAAQ,oBAAoB;AAC7C,QAAM,SAAS,QAAQ,kBAAkB;AAIzC,QAAM,aAAa,QAAQ,IAAI,gBAAgB,KAAK;AACpD,QAAM,iBAAiB,QAAQ,IAAI;AACnC,MAAI,cAAc,mBAAmB,QAAW;AAC9C,mBAAe;AAAA,MACb;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA,MAAM;AAAA,MACN,UAAU;AAAA,MACV,KAAK,QAAQ,IAAI,eAAe,KAAK,MAAM;AAAA,IAC7C;AACA,WAAO;AAAA,EACT;AAEA,QAAM,YAAY,QAAQ,IAAI,sBAAsB,KAAK;AACzD,MAAI,CAAC,WAAW;AACd,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACA,MAAI,CAAC,eAAe;AAClB,oBAAgB,IAAI,qBAAqB,CAAC,CAAC;AAAA,EAC7C;AACA,QAAM,MAAM,MAAM,cAAc;AAAA,IAC9B,IAAI,sBAAsB,EAAE,UAAU,UAAU,CAAC;AAAA,EACnD;AACA,MAAI,CAAC,IAAI,cAAc;AACrB,UAAM,IAAI;AAAA,MACR,UAAU,SAAS;AAAA,IACrB;AAAA,EACF;AACA,QAAM,SAAS,KAAK,MAAM,IAAI,YAAY;AAC1C,iBAAe;AAAA,IACb;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,MAAM,OAAO;AAAA,IACb,UAAU,OAAO;AAAA,IACjB,KAAK;AAAA,EACP;AACA,SAAO;AACT;AAEA,eAAe,UAAyB;AACtC,MAAI,MAAM;AACR,WAAO;AAAA,EACT;AACA,QAAM,MAAM,MAAM,WAAW;AAC7B,SAAO,IAAI,KAAK;AAAA,IACd,MAAM,IAAI;AAAA,IACV,MAAM,IAAI;AAAA,IACV,UAAU,IAAI;AAAA,IACd,MAAM,IAAI;AAAA,IACV,UAAU,IAAI;AAAA,IACd,KAAK,IAAI,MAAM,EAAE,oBAAoB,MAAM,IAAI;AAAA,IAC/C,KAAK;AAAA,IACL,mBAAmB;AAAA,IACnB,yBAAyB;AAAA,EAC3B,CAAC;AACD,SAAO;AACT;AAEA,eAAe,qBAAoC;AACjD,MAAI,CAAC,kBAAkB;AACrB,wBAAoB,YAAY;AAC9B,YAAM,MAAM,MAAM,WAAW;AAC7B,YAAM,IAAI,MAAM,QAAQ;AACxB,YAAM,sBAAsB,GAAG,IAAI,MAAM;AAAA,IAC3C,GAAG,EAAE,MAAM,CAAC,QAAQ;AAIlB,yBAAmB;AACnB,YAAM;AAAA,IACR,CAAC;AAAA,EACH;AACA,SAAO;AACT;AAOO,SAAS,wCAA8C;AAC5D,iBAAe;AACf,SAAO;AACP,qBAAmB;AACnB,kBAAgB;AAClB;AAEA,SAAS,oBACP,QAC6B;AAC7B,QAAM,OAAO,OAAO,KAAK,OAAO,QAAQ,MAAM,QAAQ,EAAE,SAAS,MAAM;AACvE,SAAO,KAAK,MAAM,IAAI;AACxB;AAEA,SAAS,kBACP,UACA,4BACM;AACN,MAAI,YAAY,OAAO,aAAa,UAAU;AAC5C,UAAM,OAAQ,SAAkD;AAChE,UAAM,KAAK,MAAM;AACjB,QAAI,OAAO,OAAO,UAAU;AAC1B,YAAM,SAAS,IAAI,KAAK,EAAE;AAC1B,UAAI,CAAC,OAAO,MAAM,OAAO,QAAQ,CAAC,GAAG;AACnC,eAAO;AAAA,MACT;AAAA,IACF;AAAA,EACF;AACA,MACE,OAAO,+BAA+B,YACtC,OAAO,SAAS,0BAA0B,GAC1C;AAMA,WAAO,IAAI,KAAK,0BAA0B;AAAA,EAC5C;AACA,SAAO,oBAAI,KAAK;AAClB;AAgCO,SAAS,iBACd,QACA,WACa;AACb,MAAI,yCAAyC,QAAQ,SAAS,GAAG;AAC/D,WAAO,EAAE,MAAM,OAAO;AAAA,EACxB;AACA,QAAM,OAAO,yBAAyB,MAAM;AAC5C,MAAI,CAAC,MAAM;AACT,WAAO,EAAE,MAAM,OAAO;AAAA,EACxB;AAEA,QAAM,WAAW,OAAO,cAAc;AACtC,QAAM,QAAQ,WACV,OAAO,UAAU,WACjB,OAAO,UAAU;AACrB,MAAI,CAAC,OAAO;AACV,WAAO,EAAE,MAAM,OAAO;AAAA,EACxB;AAEA,QAAM,QAAQ,qBAAqB,KAAK;AACxC,QAAM,gBAAgB,OAAO,UAAU;AAEvC,MAAI,UAAU;AACZ,WAAO;AAAA,MACL,MAAM;AAAA,MACN,QAAQ;AAAA,QACN,UAAU,KAAK;AAAA,QACf,aAAa,KAAK;AAAA,QAClB,cAAc,KAAK;AAAA,QACnB,YAAY,KAAK;AAAA,QACjB,SAAS,KAAK;AAAA,QACd,WAAW,kBAAkB,QAAW,aAAa;AAAA,MACvD;AAAA,IACF;AAAA,EACF;AAEA,MAAI,OAAO,MAAM,aAAa,UAAU;AACtC,WAAO,EAAE,MAAM,OAAO;AAAA,EACxB;AAQA,MAAI;AACJ,MAAI;AACJ,MAAI;AACF,mBAAe,mBAAmB,MAAM,QAAQ;AAChD,kBAAc,KAAK,MAAM,YAAY;AAAA,EACvC,QAAQ;AACN,WAAO,EAAE,MAAM,OAAO;AAAA,EACxB;AAEA,SAAO;AAAA,IACL,MAAM;AAAA,IACN,QAAQ;AAAA,MACN,UAAU,KAAK;AAAA,MACf,aAAa,KAAK;AAAA,MAClB,cAAc,KAAK;AAAA,MACnB,YAAY,KAAK;AAAA,MACjB,SAAS,KAAK;AAAA,MACd,aAAa,kBAAkB,aAAa,aAAa;AAAA,MACzD;AAAA,IACF;AAAA,EACF;AACF;AAcA,eAAsB,iBACpB,QACA,YACA,QACe;AACf,MAAI,OAAO,SAAS,QAAQ;AAC1B;AAAA,EACF;AACA,MAAI,OAAO,SAAS,UAAU;AAC5B,UAAMA,KAAI,OAAO;AACjB,UAAM,QAAQ;AAAA,MACZ,OAAO,MAAM,uBAAuB,UAAU,GAAG;AAAA,QAC/CA,GAAE;AAAA,QACFA,GAAE;AAAA,QACFA,GAAE;AAAA,QACFA,GAAE;AAAA,QACFA,GAAE;AAAA,QACFA,GAAE;AAAA,QACFA,GAAE;AAAA,MACJ,CAAC;AAAA,IACH;AACA;AAAA,EACF;AACA,QAAM,IAAI,OAAO;AACjB,QAAM,QAAQ;AAAA,IACZ,OAAO,MAAM,2BAA2B,UAAU,GAAG;AAAA,MACnD,EAAE;AAAA,MACF,EAAE;AAAA,MACF,EAAE;AAAA,MACF,EAAE;AAAA,MACF,EAAE;AAAA,MACF,EAAE;AAAA,IACJ,CAAC;AAAA,EACH;AACF;AAEA,eAAsB,QACpB,OACqC;AACrC,QAAM,YAAY,QAAQ,IAAI,cAAc;AAC5C,QAAM,oBAAuD,CAAC;AAE9D,QAAM,mBAAmB;AACzB,QAAM,MAAM,MAAM,WAAW;AAC7B,QAAM,IAAI,MAAM,QAAQ;AAExB,aAAW,UAAU,MAAM,SAAS;AAClC,QAAI;AACF,YAAM,SAAS,oBAAoB,MAAM;AACzC,YAAM,SAAS,iBAAiB,QAAQ,SAAS;AACjD,YAAM,iBAAiB,GAAG,IAAI,QAAQ,MAAM;AAAA,IAC9C,SAAS,KAAK;AAEZ,cAAQ;AAAA,QACN;AAAA,QACA,OAAO,QAAQ;AAAA,QACf;AAAA,MACF;AACA,wBAAkB,KAAK;AAAA,QACrB,gBAAgB,OAAO,QAAQ;AAAA,MACjC,CAAC;AAAA,IACH;AAAA,EACF;AAEA,SAAO,EAAE,kBAAkB;AAC7B;","names":["p"]}
package/lib/firehose-archive-transform.handler.d.mts CHANGED
@@ -29,6 +29,7 @@ declare function parseCurrentResourceKeys(record: DynamoDbStreamKinesisRecord):
29
29
  resourceId: string;
30
30
  version: string;
31
31
  } | null;
32
+ declare function buildArchivePayload(record: DynamoDbStreamKinesisRecord, keys: ReturnType<typeof parseCurrentResourceKeys>): Record<string, unknown>;
32
33
  declare function handler(event: FirehoseTransformationEvent): Promise<FirehoseTransformationResult>;
33
34
 
34
- export { DynamoDbStreamKinesisRecord, handler, parseCurrentResourceKeys, shouldDropAsGlobalTableReplicationRecord };
35
+ export { DynamoDbStreamKinesisRecord, buildArchivePayload, handler, parseCurrentResourceKeys, shouldDropAsGlobalTableReplicationRecord };
package/lib/firehose-archive-transform.handler.d.ts CHANGED
@@ -29,6 +29,7 @@ declare function parseCurrentResourceKeys(record: DynamoDbStreamKinesisRecord):
29
29
  resourceId: string;
30
30
  version: string;
31
31
  } | null;
32
+ declare function buildArchivePayload(record: DynamoDbStreamKinesisRecord, keys: ReturnType<typeof parseCurrentResourceKeys>): Record<string, unknown>;
32
33
  declare function handler(event: FirehoseTransformationEvent): Promise<FirehoseTransformationResult>;
33
34
 
34
- export { DynamoDbStreamKinesisRecord, handler, parseCurrentResourceKeys, shouldDropAsGlobalTableReplicationRecord };
35
+ export { DynamoDbStreamKinesisRecord, buildArchivePayload, handler, parseCurrentResourceKeys, shouldDropAsGlobalTableReplicationRecord };
package/lib/firehose-archive-transform.handler.js CHANGED
@@ -754,6 +754,7 @@ var require_lib = __commonJS({
754
754
  // src/components/dynamodb/firehose-archive-transform.handler.ts
755
755
  var firehose_archive_transform_handler_exports = {};
756
756
  __export(firehose_archive_transform_handler_exports, {
757
+ buildArchivePayload: () => buildArchivePayload,
757
758
  handler: () => handler,
758
759
  parseCurrentResourceKeys: () => parseCurrentResourceKeys,
759
760
  shouldDropAsGlobalTableReplicationRecord: () => shouldDropAsGlobalTableReplicationRecord
@@ -853,7 +854,7 @@ function buildFhirCurrentResourceChangeDetail(record, keys) {
853
854
  const rawName = record.eventName;
854
855
  const changeType = rawName === "INSERT" || rawName === "MODIFY" || rawName === "REMOVE" ? rawName : "MODIFY";
855
856
  const seq = record.dynamodb?.SequenceNumber;
856
- const approxEpochSec = record.dynamodb?.ApproximateCreationDateTime;
857
+ const approxEpochMs = record.dynamodb?.ApproximateCreationDateTime;
857
858
  const newPlain = plainImage(
858
859
  record.dynamodb?.NewImage
859
860
  );
@@ -879,11 +880,47 @@ function buildFhirCurrentResourceChangeDetail(record, keys) {
879
880
  resourceId: keys.resourceId,
880
881
  resourceVersion: keys.version,
881
882
  ...typeof seq === "string" && seq.length > 0 ? { streamSequenceNumber: seq } : {},
882
- ...typeof approxEpochSec === "number" && Number.isFinite(approxEpochSec) ? { approximateCreationEpochSec: approxEpochSec } : {},
883
+ ...typeof approxEpochMs === "number" && Number.isFinite(approxEpochMs) ? { approximateCreationEpochMs: approxEpochMs } : {},
883
884
  ...changedAttributeNames ? { changedAttributeNames } : {}
884
885
  };
885
886
  }
886
887
 
888
+ // src/lib/compression.ts
889
+ var import_node_zlib = require("zlib");
890
+ var COMPRESSION_ALGOS = {
891
+ NONE: "none",
892
+ GZIP: "gzip",
893
+ BROTLI: "brotli",
894
+ DEFLATE: "deflate"
895
+ };
896
+ function isEnvelope(obj) {
897
+ return typeof obj === "object" && obj !== null && "v" in obj && "algo" in obj && "payload" in obj && typeof obj.payload === "string";
898
+ }
899
+ function decompressResource(compressedOrRaw) {
900
+ try {
901
+ const parsed = JSON.parse(compressedOrRaw);
902
+ if (isEnvelope(parsed)) {
903
+ if (parsed.algo === COMPRESSION_ALGOS.GZIP) {
904
+ const buf = Buffer.from(parsed.payload, "base64");
905
+ return (0, import_node_zlib.gunzipSync)(buf).toString("utf-8");
906
+ }
907
+ if (parsed.algo === COMPRESSION_ALGOS.NONE) {
908
+ return parsed.payload;
909
+ }
910
+ return parsed.payload;
911
+ }
912
+ } catch {
913
+ }
914
+ try {
915
+ const buf = Buffer.from(compressedOrRaw, "base64");
916
+ if (buf.length >= 2 && buf[0] === 31 && buf[1] === 139) {
917
+ return (0, import_node_zlib.gunzipSync)(buf).toString("utf-8");
918
+ }
919
+ } catch {
920
+ }
921
+ return compressedOrRaw;
922
+ }
923
+
887
924
  // src/components/dynamodb/firehose-archive-transform.handler.ts
888
925
  var PK_PATTERN = /^TID#(?<tenantId>[^#]+)#WID#(?<workspaceId>[^#]+)#RT#(?<resourceType>[^#]+)#ID#(?<resourceId>.+)$/i;
889
926
  var CURRENT_SK_PATTERN = /^(CURRENT|\$[A-Za-z0-9_-]+_[0-9]+#sk_current)$/i;
@@ -968,7 +1005,7 @@ function extractFhirResourceTypeFromImage(plain) {
968
1005
  return void 0;
969
1006
  }
970
1007
  try {
971
- const parsed = JSON.parse(resourceStr);
1008
+ const parsed = JSON.parse(decompressResource(resourceStr));
972
1009
  if (typeof parsed.resourceType === "string" && parsed.resourceType !== "") {
973
1010
  return parsed.resourceType;
974
1011
  }
@@ -989,7 +1026,9 @@ function buildArchivePayload(record, keys) {
989
1026
  const resourcePlain = resourceImage ? dynamodbImageToPlain(resourceImage) : {};
990
1027
  if (typeof resourcePlain.resource === "string") {
991
1028
  try {
992
- resourcePlain.resource = JSON.parse(resourcePlain.resource);
1029
+ resourcePlain.resource = JSON.parse(
1030
+ decompressResource(resourcePlain.resource)
1031
+ );
993
1032
  } catch {
994
1033
  }
995
1034
  }
@@ -1183,6 +1222,7 @@ async function handler(event) {
1183
1222
  }
1184
1223
  // Annotate the CommonJS export names for ESM import in node:
1185
1224
  0 && (module.exports = {
1225
+ buildArchivePayload,
1186
1226
  handler,
1187
1227
  parseCurrentResourceKeys,
1188
1228
  shouldDropAsGlobalTableReplicationRecord