@openhi/constructs 0.0.177 → 0.0.179

package/lib/rest-api-lambda.handler.js

@@ -3578,7 +3578,7 @@ async function deleteDataEntityById(entity, tenantId, workspaceId, id) {
 }
 var BATCH_GET_MAX_ATTEMPTS = 3;
 var BATCH_GET_BASE_BACKOFF_MS = 50;
-async function batchGetWithRetry(entity, keys) {
+async function batchGetWithRetry(entity, keys, options) {
   if (keys.length === 0) return [];
   const collected = [];
   let pending = keys;
@@ -3590,7 +3590,7 @@ async function batchGetWithRetry(entity, keys) {
       );
     }
     attempt++;
-    const result = await entity.get(pending).go();
+    const result = await entity.get(pending).go(options?.consistent ? { consistent: true } : void 0);
     collected.push(...result.data);
     const unprocessed = result.unprocessed ?? [];
     if (unprocessed.length === 0) break;
@@ -7153,9 +7153,15 @@ async function listRoleAssignmentsOperation(params) {
     )
   );
   return dispatchListMode(mode, shardResults, {
+    // Strongly-consistent BatchGet on the base table so a role change is
+    // reflected immediately by the read-back the admin-console dropdowns
+    // issue right after their PUT/POST. Without it the eventually-consistent
+    // hydration can return the *previous* role, making the dropdown appear
+    // to revert (#1347).
     hydrate: (orderedIds) => batchGetWithRetry(
       service.entities.roleAssignment,
-      orderedIds.map((id) => ({ tenantId, id, sk: SK8 }))
+      orderedIds.map((id) => ({ tenantId, id, sk: SK8 })),
+      { consistent: true }
     ),
     getId: (item) => item.id,
     buildEntry: (id, item) => ({
@@ -7543,6 +7549,76 @@ async function listTenantsRoute(req, res) {
   });
 }
 
+// src/data/operations/control/roleassignment/roleassignment-list-by-user-operation.ts
+function buildSkPrefix(mode) {
+  switch (mode) {
+    case "tenant":
+      return "ROLEASSIGNMENT#TENANT#";
+    case "workspace":
+    case "workspaceInTenant":
+      return "ROLEASSIGNMENT#WORKSPACE#";
+    case "all":
+    default:
+      return "ROLEASSIGNMENT#";
+  }
+}
+async function roleAssignmentListByUserOperation(params) {
+  const {
+    userId,
+    mode = "all",
+    tenantId,
+    workspaceId,
+    cursor = null,
+    limit,
+    order,
+    consistent,
+    tableName
+  } = params;
+  if (mode === "workspaceInTenant" && !tenantId) {
+    throw new Error(
+      'roleAssignmentListByUserOperation: tenantId is required when mode === "workspaceInTenant"'
+    );
+  }
+  const service = getDynamoControlService(tableName);
+  const skPrefix = buildSkPrefix(mode);
+  const goOptions = {
+    cursor
+  };
+  if (limit !== void 0) {
+    goOptions.limit = limit;
+  }
+  if (order !== void 0) {
+    goOptions.order = order;
+  }
+  if (consistent) {
+    goOptions.consistent = true;
+  }
+  const baseQuery = service.entities.roleAssignmentUserProjection.query.record({ userId }).begins({ sk: skPrefix });
+  const filteredQuery = mode === "workspaceInTenant" ? baseQuery.where((attr, op) => {
+    const tenantClause = op.eq(attr.tenantId, tenantId);
+    if (workspaceId === void 0 || workspaceId.length === 0) {
+      return tenantClause;
+    }
+    return `${tenantClause} AND ${op.eq(attr.workspaceId, workspaceId)}`;
+  }) : baseQuery;
+  const result = await filteredQuery.go(goOptions);
+  const items = (result.data ?? []).map((row) => ({
+    userId: row.userId,
+    sk: row.sk,
+    tenantId: row.tenantId,
+    workspaceId: row.workspaceId,
+    roleId: row.roleId,
+    roleAssignmentId: row.roleAssignmentId,
+    summary: row.summary,
+    vid: row.vid,
+    lastUpdated: row.lastUpdated,
+    denormalizedTenantName: row.denormalizedTenantName,
+    denormalizedUserName: row.denormalizedUserName,
+    denormalizedRoleName: row.denormalizedRoleName
+  }));
+  return { items, cursor: result.cursor ?? null };
+}
+
 // src/data/operations/control/workspace/workspace-list-operation.ts
 var SK10 = "CURRENT";
 function counterValue2(value) {
@@ -7626,18 +7702,6 @@ function extractDisplayName(user) {
   const composed = `${given} ${family}`.trim();
   return composed.length > 0 ? composed : null;
 }
-function extractReferenceDisplay(resource, fieldName) {
-  const field = resource[fieldName];
-  if (!field || typeof field !== "object") {
-    return null;
-  }
-  const display = field.display;
-  if (typeof display !== "string") {
-    return null;
-  }
-  const trimmed = display.trim();
-  return trimmed.length > 0 ? trimmed : null;
-}
 function ensureAccumulator(byUser, userId) {
   let acc = byUser.get(userId);
   if (!acc) {
@@ -7649,9 +7713,8 @@ function ensureAccumulator(byUser, userId) {
 async function tenantUsersOperation(params) {
   const { context, tableName } = params;
   const service = getDynamoControlService(tableName);
-  const [memberships, roleAssignments, workspaces] = await Promise.all([
+  const [memberships, workspaces] = await Promise.all([
     listMembershipsOperation({ context, tableName }),
-    listRoleAssignmentsOperation({ context, tableName }),
     listWorkspacesOperation({ context, tableName })
   ]);
   const workspaceNames = /* @__PURE__ */ new Map();
@@ -7673,34 +7736,46 @@ async function tenantUsersOperation(params) {
       acc.workspaces.set(workspaceId, { workspaceId, role: null });
     }
   }
-  for (const entry of roleAssignments.entries) {
-    const resource = entry.resource;
-    const userId = extractReferenceSlug(resource, "user");
-    const roleId = extractReferenceSlug(resource, "role");
-    if (userId === void 0 || roleId === void 0) {
-      continue;
-    }
+  const membershipUserIds = Array.from(byUser.keys());
+  const projectionPages = await Promise.all(
+    membershipUserIds.map(
+      (userId) => roleAssignmentListByUserOperation({
+        userId,
+        mode: "all",
+        consistent: true,
+        tableName
+      })
+    )
+  );
+  projectionPages.forEach((page, index) => {
+    const userId = membershipUserIds[index];
     const acc = ensureAccumulator(byUser, userId);
-    const role = {
-      roleId,
-      roleName: extractReferenceDisplay(resource, "role")
-    };
-    const workspaceId = extractReferenceSlug(resource, "workspace");
-    if (workspaceId === void 0) {
-      acc.tenantRole = role;
-    } else {
-      const existing = acc.workspaces.get(workspaceId);
-      if (existing) {
-        existing.role = role;
+    for (const row of page.items) {
+      if (row.tenantId !== context.tenantId) {
+        continue;
+      }
+      const role = {
+        roleId: row.roleId,
+        roleName: row.denormalizedRoleName ?? null
+      };
+      const workspaceId = row.workspaceId;
+      if (workspaceId === void 0 || workspaceId.length === 0) {
+        acc.tenantRole = role;
       } else {
-        acc.workspaces.set(workspaceId, { workspaceId, role });
+        const existing = acc.workspaces.get(workspaceId);
+        if (existing) {
+          existing.role = role;
+        } else {
+          acc.workspaces.set(workspaceId, { workspaceId, role });
+        }
       }
     }
-  }
+  });
   const userIds = Array.from(byUser.keys());
   const userRows = userIds.length === 0 ? [] : await batchGetWithRetry(
     service.entities.user,
-    userIds.map((id) => ({ id, sk: USER_SK }))
+    userIds.map((id) => ({ id, sk: USER_SK })),
+    { consistent: true }
   );
   const usersById = /* @__PURE__ */ new Map();
   for (const row of userRows) {
@@ -7847,8 +7922,240 @@ router6.delete("/:id", deleteTenantRoute);
 // src/data/rest-api/routes/control/user/user.ts
 var import_express7 = __toESM(require("express"));
 
-// src/data/operations/control/user/user-create-operation.ts
+// src/data/operations/control/user/user-admin-set-context-operation.ts
 var import_types18 = require("@openhi/types");
+
+// src/data/operations/control/user/user-get-by-id-operation.ts
+async function getUserByIdOperation(params) {
+  const { id, tableName } = params;
+  const service = getDynamoControlService(tableName);
+  const response = await service.entities.user.get({ id, sk: "CURRENT" }).go();
+  const item = response.data;
+  if (!item) {
+    throw new NotFoundError(`User not found: ${id}`);
+  }
+  const parsedResource = JSON.parse(item.resource);
+  return {
+    id,
+    resource: { resourceType: "User", id, ...parsedResource }
+  };
+}
+
+// src/data/operations/fhir-reference.ts
+function idFromReference(reference, prefix) {
+  if (!reference || !reference.startsWith(prefix)) {
+    return void 0;
+  }
+  const id = reference.slice(prefix.length);
+  return id.length > 0 ? id : void 0;
+}
+
+// src/data/operations/control/membership/membership-list-by-user-operation.ts
+function buildSkPrefix2(mode, tenantId) {
+  switch (mode) {
+    case "tenant":
+      return "MEMBERSHIP#TENANT#";
+    case "workspace":
+      return "MEMBERSHIP#WORKSPACE#";
+    case "workspaceInTenant":
+      return `MEMBERSHIP#WORKSPACE#TID#${tenantId}#`;
+    case "all":
+    default:
+      return "MEMBERSHIP#";
+  }
+}
+async function membershipListByUserOperation(params) {
+  const {
+    userId,
+    mode = "all",
+    tenantId,
+    cursor = null,
+    limit,
+    order,
+    tableName
+  } = params;
+  if (mode === "workspaceInTenant" && !tenantId) {
+    throw new Error(
+      'membershipListByUserOperation: tenantId is required when mode === "workspaceInTenant"'
+    );
+  }
+  const service = getDynamoControlService(tableName);
+  const skPrefix = buildSkPrefix2(mode, tenantId);
+  const goOptions = {
+    cursor
+  };
+  if (limit !== void 0) {
+    goOptions.limit = limit;
+  }
+  if (order !== void 0) {
+    goOptions.order = order;
+  }
+  const result = await service.entities.membershipUserProjection.query.record({ userId }).begins({ sk: skPrefix }).go(goOptions);
+  const items = (result.data ?? []).map(
+    (row) => ({
+      userId: row.userId,
+      sk: row.sk,
+      tenantId: row.tenantId,
+      workspaceId: row.workspaceId,
+      membershipId: row.membershipId,
+      summary: row.summary,
+      vid: row.vid,
+      lastUpdated: row.lastUpdated,
+      denormalizedTenantName: row.denormalizedTenantName,
+      denormalizedUserName: row.denormalizedUserName,
+      denormalizedWorkspaceName: row.denormalizedWorkspaceName
+    })
+  );
+  return { items, cursor: result.cursor ?? null };
+}
+
+// src/data/operations/control/user/user-admin-set-context-operation.ts
+var SK11 = "CURRENT";
+async function adminSetUserContextOperation(params) {
+  const {
+    context,
+    targetUserId,
+    tenantReference,
+    workspaceReference,
+    tableName
+  } = params;
+  const tenantId = idFromReference(tenantReference, "Tenant/");
+  if (!tenantId) {
+    throw new ValidationError(
+      "tenant.reference must be a 'Tenant/<id>' reference."
+    );
+  }
+  const workspaceId = idFromReference(workspaceReference, "Workspace/");
+  if (!workspaceId) {
+    throw new ValidationError(
+      "workspace.reference must be a 'Workspace/<id>' reference."
+    );
+  }
+  const target = await getUserByIdOperation({
+    context,
+    id: targetUserId,
+    tableName
+  });
+  const projection = await membershipListByUserOperation({
+    userId: targetUserId,
+    mode: "workspaceInTenant",
+    tenantId,
+    tableName
+  });
+  const hasMembership = projection.items.some(
+    (row) => row.workspaceId === workspaceId
+  );
+  if (!hasMembership) {
+    throw new ForbiddenError(
+      `User is not a member of Workspace/${workspaceId} in Tenant/${tenantId}.`
+    );
+  }
+  const updatedResource = {
+    ...target.resource,
+    resourceType: "User",
+    id: targetUserId,
+    currentTenant: { reference: `Tenant/${tenantId}` },
+    currentWorkspace: { reference: `Workspace/${workspaceId}` }
+  };
+  const lastUpdated = (params.now ? params.now() : /* @__PURE__ */ new Date()).toISOString();
+  const vid = `${Date.now()}`;
+  const summary = JSON.stringify(
+    (0, import_types18.extractSummary)(updatedResource)
+  );
+  const service = getDynamoControlService(tableName);
+  await service.entities.user.patch({ id: targetUserId, sk: SK11 }).set({
+    resource: JSON.stringify(updatedResource),
+    summary,
+    vid,
+    lastUpdated
+  }).go();
+  return {
+    id: targetUserId,
+    resource: updatedResource,
+    meta: { lastUpdated, versionId: vid }
+  };
+}
+
+// src/data/rest-api/routes/control/user/user-admin-set-context-route.ts
+async function userAdminSetContextRoute(req, res) {
+  const ctx = req.openhiContext;
+  if (!ctx) {
+    return res.status(403).json({
+      resourceType: "OperationOutcome",
+      issue: [
+        {
+          severity: "error",
+          code: "forbidden",
+          diagnostics: "Missing or invalid OpenHI JWT claims (tenant, workspace, or audit context)."
+        }
+      ]
+    });
+  }
+  const targetUserId = String(req.params.id);
+  const bodyResult = requireJsonBody(req, res);
+  if ("errorResponse" in bodyResult) {
+    return bodyResult.errorResponse;
+  }
+  const body = bodyResult.body;
+  const tenantReference = body.tenant?.reference;
+  const workspaceReference = body.workspace?.reference;
+  if (typeof tenantReference !== "string" || tenantReference === "") {
+    return sendInvalid(
+      res,
+      "Body must include `tenant.reference` (e.g. 'Tenant/<id>')."
+    );
+  }
+  if (typeof workspaceReference !== "string" || workspaceReference === "") {
+    return sendInvalid(
+      res,
+      "Body must include `workspace.reference` (e.g. 'Workspace/<id>')."
+    );
+  }
+  try {
+    const result = await adminSetUserContextOperation({
+      context: ctx,
+      targetUserId,
+      tenantReference,
+      workspaceReference
+    });
+    res.setHeader("Cache-Control", "no-store");
+    return res.status(200).json(result.resource);
+  } catch (err) {
+    if (err instanceof ValidationError) {
+      return sendInvalid(res, err.message);
+    }
+    if (err instanceof ForbiddenError) {
+      return res.status(403).json({
+        resourceType: "OperationOutcome",
+        issue: [
+          { severity: "error", code: "forbidden", diagnostics: err.message }
+        ]
+      });
+    }
+    if (err instanceof NotFoundError) {
+      return res.status(404).json({
+        resourceType: "OperationOutcome",
+        issue: [
+          { severity: "error", code: "not-found", diagnostics: err.message }
+        ]
+      });
+    }
+    return sendOperationOutcome500(
+      res,
+      err,
+      "POST /User/:id/$set-context error:"
+    );
+  }
+}
+function sendInvalid(res, diagnostics) {
+  return res.status(400).json({
+    resourceType: "OperationOutcome",
+    issue: [{ severity: "error", code: "invalid", diagnostics }]
+  });
+}
+
+// src/data/operations/control/user/user-create-operation.ts
+var import_types19 = require("@openhi/types");
 var import_ulid5 = require("ulid");
 async function createUserOperation(params) {
   const { context, body, tableName } = params;
@@ -7858,7 +8165,7 @@ async function createUserOperation(params) {
   const lastUpdated = context.date ?? (/* @__PURE__ */ new Date()).toISOString();
   const vid = `1`;
   const resource = { resourceType: "User", id, ...parsedResource };
-  const summary = JSON.stringify((0, import_types18.extractSummary)(resource));
+  const summary = JSON.stringify((0, import_types19.extractSummary)(resource));
   await service.entities.user.put({
     id,
     resource: JSON.stringify(resource),
@@ -7925,22 +8232,6 @@ async function deleteUserRoute(req, res) {
   }
 }
 
-// src/data/operations/control/user/user-get-by-id-operation.ts
-async function getUserByIdOperation(params) {
-  const { id, tableName } = params;
-  const service = getDynamoControlService(tableName);
-  const response = await service.entities.user.get({ id, sk: "CURRENT" }).go();
-  const item = response.data;
-  if (!item) {
-    throw new NotFoundError(`User not found: ${id}`);
-  }
-  const parsedResource = JSON.parse(item.resource);
-  return {
-    id,
-    resource: { resourceType: "User", id, ...parsedResource }
-  };
-}
-
 // src/data/rest-api/routes/control/user/user-get-by-id-route.ts
 async function getUserByIdRoute(req, res) {
   const id = String(req.params.id);
@@ -8291,65 +8582,6 @@ async function listUserConfigurationsRoute(req, res) {
   }
 }
 
-// src/data/operations/control/membership/membership-list-by-user-operation.ts
-function buildSkPrefix(mode, tenantId) {
-  switch (mode) {
-    case "tenant":
-      return "MEMBERSHIP#TENANT#";
-    case "workspace":
-      return "MEMBERSHIP#WORKSPACE#";
-    case "workspaceInTenant":
-      return `MEMBERSHIP#WORKSPACE#TID#${tenantId}#`;
-    case "all":
-    default:
-      return "MEMBERSHIP#";
-  }
-}
-async function membershipListByUserOperation(params) {
-  const {
-    userId,
-    mode = "all",
-    tenantId,
-    cursor = null,
-    limit,
-    order,
-    tableName
-  } = params;
-  if (mode === "workspaceInTenant" && !tenantId) {
-    throw new Error(
-      'membershipListByUserOperation: tenantId is required when mode === "workspaceInTenant"'
-    );
-  }
-  const service = getDynamoControlService(tableName);
-  const skPrefix = buildSkPrefix(mode, tenantId);
-  const goOptions = {
-    cursor
-  };
-  if (limit !== void 0) {
-    goOptions.limit = limit;
-  }
-  if (order !== void 0) {
-    goOptions.order = order;
-  }
-  const result = await service.entities.membershipUserProjection.query.record({ userId }).begins({ sk: skPrefix }).go(goOptions);
-  const items = (result.data ?? []).map(
-    (row) => ({
-      userId: row.userId,
-      sk: row.sk,
-      tenantId: row.tenantId,
-      workspaceId: row.workspaceId,
-      membershipId: row.membershipId,
-      summary: row.summary,
-      vid: row.vid,
-      lastUpdated: row.lastUpdated,
-      denormalizedTenantName: row.denormalizedTenantName,
-      denormalizedUserName: row.denormalizedUserName,
-      denormalizedWorkspaceName: row.denormalizedWorkspaceName
-    })
-  );
-  return { items, cursor: result.cursor ?? null };
-}
-
 // src/data/operations/control/membership/membership-count-by-user-operation.ts
 async function countMembershipsByUserOperation(params) {
   const { userId, mode = "all", tenantId, tableName } = params;
@@ -8359,7 +8591,7 @@ async function countMembershipsByUserOperation(params) {
     );
   }
   const service = getDynamoControlService(tableName);
-  const skPrefix = buildSkPrefix(mode, tenantId);
+  const skPrefix = buildSkPrefix2(mode, tenantId);
   const result = await service.entities.membershipUserProjection.query.record({ userId }).begins({ sk: skPrefix }).go({ pages: "all", attributes: ["membershipId"] });
   return (result.data ?? []).length;
 }
@@ -8512,72 +8744,6 @@ async function listUserMembershipsRoute(req, res) {
   }
 }
 
-// src/data/operations/control/roleassignment/roleassignment-list-by-user-operation.ts
-function buildSkPrefix2(mode) {
-  switch (mode) {
-    case "tenant":
-      return "ROLEASSIGNMENT#TENANT#";
-    case "workspace":
-    case "workspaceInTenant":
-      return "ROLEASSIGNMENT#WORKSPACE#";
-    case "all":
-    default:
-      return "ROLEASSIGNMENT#";
-  }
-}
-async function roleAssignmentListByUserOperation(params) {
-  const {
-    userId,
-    mode = "all",
-    tenantId,
-    workspaceId,
-    cursor = null,
-    limit,
-    order,
-    tableName
-  } = params;
-  if (mode === "workspaceInTenant" && !tenantId) {
-    throw new Error(
-      'roleAssignmentListByUserOperation: tenantId is required when mode === "workspaceInTenant"'
-    );
-  }
-  const service = getDynamoControlService(tableName);
-  const skPrefix = buildSkPrefix2(mode);
-  const goOptions = {
-    cursor
-  };
-  if (limit !== void 0) {
-    goOptions.limit = limit;
-  }
-  if (order !== void 0) {
-    goOptions.order = order;
-  }
-  const baseQuery = service.entities.roleAssignmentUserProjection.query.record({ userId }).begins({ sk: skPrefix });
-  const filteredQuery = mode === "workspaceInTenant" ? baseQuery.where((attr, op) => {
-    const tenantClause = op.eq(attr.tenantId, tenantId);
-    if (workspaceId === void 0 || workspaceId.length === 0) {
-      return tenantClause;
-    }
-    return `${tenantClause} AND ${op.eq(attr.workspaceId, workspaceId)}`;
-  }) : baseQuery;
-  const result = await filteredQuery.go(goOptions);
-  const items = (result.data ?? []).map((row) => ({
-    userId: row.userId,
-    sk: row.sk,
-    tenantId: row.tenantId,
-    workspaceId: row.workspaceId,
-    roleId: row.roleId,
-    roleAssignmentId: row.roleAssignmentId,
-    summary: row.summary,
-    vid: row.vid,
-    lastUpdated: row.lastUpdated,
-    denormalizedTenantName: row.denormalizedTenantName,
-    denormalizedUserName: row.denormalizedUserName,
-    denormalizedRoleName: row.denormalizedRoleName
-  }));
-  return { items, cursor: result.cursor ?? null };
-}
-
 // src/data/operations/control/roleassignment/roleassignment-list-by-workspace-operation.ts
 function buildSkPrefix3(roleId) {
   if (roleId === void 0 || roleId.length === 0) {
@@ -8714,7 +8880,7 @@ async function listUserRoleAssignmentsRoute(req, res) {
 }
 
 // src/data/operations/control/user/user-list-operation.ts
-var SK11 = "CURRENT";
+var SK12 = "CURRENT";
 function counterValue3(value) {
   return typeof value === "number" && Number.isFinite(value) ? value : 0;
 }
@@ -8730,7 +8896,7 @@ async function listUsersOperation(params) {
   return dispatchListMode(mode, shardResults, {
     hydrate: (orderedIds) => batchGetWithRetry(
       service.entities.user,
-      orderedIds.map((id) => ({ id, sk: SK11 }))
+      orderedIds.map((id) => ({ id, sk: SK12 }))
     ),
     getId: (item) => item.id,
     // FULL mode (admin list default): read the ADR-028 counters off the
@@ -8774,7 +8940,7 @@ async function listUsersRoute(req, res) {
 }
 
 // src/data/operations/control/user/user-update-operation.ts
-var import_types19 = require("@openhi/types");
+var import_types20 = require("@openhi/types");
 async function updateUserOperation(params) {
   const { context, id, body, tableName } = params;
   const service = getDynamoControlService(tableName);
@@ -8786,7 +8952,7 @@ async function updateUserOperation(params) {
   const lastUpdated = context.date ?? (/* @__PURE__ */ new Date()).toISOString();
   const vid = `${Date.now()}`;
   const resource = { resourceType: "User", id, ...parsedResource };
-  const summary = JSON.stringify((0, import_types19.extractSummary)(resource));
+  const summary = JSON.stringify((0, import_types20.extractSummary)(resource));
   await service.entities.user.put({
     id,
     resource: JSON.stringify(resource),
@@ -8848,6 +9014,7 @@ router7.get("/:id", getUserByIdRoute);
 router7.post("/", createUserRoute);
 router7.put("/:id", updateUserRoute);
 router7.delete("/:id", deleteUserRoute);
+router7.post("/:id/$set-context", userAdminSetContextRoute);
 router7.get("/:id/Membership", listUserMembershipsRoute);
 router7.get("/:id/RoleAssignment", listUserRoleAssignmentsRoute);
 router7.get("/:id/Configuration", listUserConfigurationsRoute);
@@ -8893,7 +9060,7 @@ async function findUserBySubOperation(params) {
 }
 
 // src/data/operations/control/user/user-switch-tenant-workspace-operation.ts
-var import_types20 = require("@openhi/types");
+var import_types21 = require("@openhi/types");
 
 // src/data/operations/control/user/user-resource-helpers.ts
 function parseUserResource(resource) {
@@ -8904,17 +9071,8 @@ function parseUserResource(resource) {
   }
 }
 
-// src/data/operations/fhir-reference.ts
-function idFromReference(reference, prefix) {
-  if (!reference || !reference.startsWith(prefix)) {
-    return void 0;
-  }
-  const id = reference.slice(prefix.length);
-  return id.length > 0 ? id : void 0;
-}
-
 // src/data/operations/control/user/user-switch-tenant-workspace-operation.ts
-var SK12 = "CURRENT";
+var SK13 = "CURRENT";
 async function switchUserTenantWorkspaceOperation(params) {
   const { cognitoSub, tenantReference, workspaceReference, tableName } = params;
   const tenantId = idFromReference(tenantReference, "Tenant/");
@@ -8972,10 +9130,10 @@ async function switchUserTenantWorkspaceOperation(params) {
   const lastUpdated = (params.now ? params.now() : /* @__PURE__ */ new Date()).toISOString();
   const vid = `${Date.now()}`;
   const summary = JSON.stringify(
-    (0, import_types20.extractSummary)(updatedResource)
+    (0, import_types21.extractSummary)(updatedResource)
   );
   const service = getDynamoControlService(tableName);
-  await service.entities.user.patch({ id: user.id, sk: SK12 }).set({
+  await service.entities.user.patch({ id: user.id, sk: SK13 }).set({
     resource: JSON.stringify(updatedResource),
     summary,
     vid,
@@ -9330,13 +9488,13 @@ async function userSwitchRoute(req, res) {
   const tenantReference = body.tenant?.reference;
   const workspaceReference = body.workspace?.reference;
   if (typeof tenantReference !== "string" || tenantReference === "") {
-    return sendInvalid(
+    return sendInvalid2(
       res,
       "Body must include `tenant.reference` (e.g. 'Tenant/<id>')."
     );
   }
   if (typeof workspaceReference !== "string" || workspaceReference === "") {
-    return sendInvalid(
+    return sendInvalid2(
       res,
       "Body must include `workspace.reference` (e.g. 'Workspace/<id>')."
     );
@@ -9351,7 +9509,7 @@ async function userSwitchRoute(req, res) {
     return res.status(200).json(result.resource);
   } catch (err) {
     if (err instanceof ValidationError) {
-      return sendInvalid(res, err.message);
+      return sendInvalid2(res, err.message);
     }
     if (err instanceof ForbiddenError) {
       return res.status(403).json({
@@ -9372,7 +9530,7 @@ async function userSwitchRoute(req, res) {
     return sendOperationOutcome500(res, err, "POST /User/$switch error:");
   }
 }
-function sendInvalid(res, diagnostics) {
+function sendInvalid2(res, diagnostics) {
   return res.status(400).json({
     resourceType: "OperationOutcome",
     issue: [{ severity: "error", code: "invalid", diagnostics }]
@@ -9388,7 +9546,7 @@ router8.post("/$switch", userSwitchRoute);
 var import_express9 = __toESM(require("express"));
 
 // src/data/operations/control/workspace/workspace-create-operation.ts
-var import_types21 = require("@openhi/types");
+var import_types22 = require("@openhi/types");
 var import_ulid6 = require("ulid");
 
 // src/data/operations/data/organization/organization-provision-for-workspace-operation.ts
@@ -9439,7 +9597,7 @@ async function createWorkspaceOperation(params) {
   const vid = lastUpdated.replace(/[-:T.Z]/g, "").slice(0, 12) || Date.now().toString(36);
   const parsedResource = typeof body.resource === "string" ? JSON.parse(body.resource) : body.resource ?? {};
   const resource = { resourceType: "Workspace", id, ...parsedResource };
-  const summary = JSON.stringify((0, import_types21.extractSummary)(resource));
+  const summary = JSON.stringify((0, import_types22.extractSummary)(resource));
   await service.entities.workspace.put({
     tenantId,
     id,
@@ -9803,7 +9961,7 @@ async function listWorkspacesRoute(req, res) {
 }
 
 // src/data/operations/control/workspace/workspace-update-operation.ts
-var import_types22 = require("@openhi/types");
+var import_types23 = require("@openhi/types");
 async function updateWorkspaceOperation(params) {
   const { context, id, body, tableName } = params;
   const { tenantId } = context;
@@ -9822,7 +9980,7 @@ async function updateWorkspaceOperation(params) {
     resourceType: "Workspace",
     id
   };
-  const summary = JSON.stringify((0, import_types22.extractSummary)(updated));
+  const summary = JSON.stringify((0, import_types23.extractSummary)(updated));
   await service.entities.workspace.patch({ tenantId, id, sk: "CURRENT" }).set({ resource: JSON.stringify(updated), summary, vid, lastUpdated }).go();
   return { id, resource: updated, meta: { lastUpdated, versionId: vid } };
 }
@@ -10964,6 +11122,16 @@ function jsonbPathToStringShape(jsonbPath) {
   if (arrayOfScalars) {
     return { kind: "array-of-scalars", field: arrayOfScalars[1] };
   }
+  const arrayOfArrays = /^\$\.([A-Za-z_][A-Za-z0-9_]*)\[\*\]\.([A-Za-z_][A-Za-z0-9_]*)\[\*\]$/.exec(
+    jsonbPath
+  );
+  if (arrayOfArrays) {
+    return {
+      kind: "array-of-arrays",
+      field: arrayOfArrays[1],
+      subfield: arrayOfArrays[2]
+    };
+  }
   const arrayOfObjs = /^\$\.([A-Za-z_][A-Za-z0-9_]*)\[\*\]\.([A-Za-z_][A-Za-z0-9_]*)$/.exec(
     jsonbPath
   );
@@ -10975,7 +11143,7 @@ function jsonbPathToStringShape(jsonbPath) {
     };
   }
   throw new Error(
-    `String predicate cannot translate JSONPath "${jsonbPath}". Supported shapes: "$.field", "$.field[*]", "$.field[*].subfield".`
+    `String predicate cannot translate JSONPath "${jsonbPath}". Supported shapes: "$.field", "$.field[*]", "$.field[*].subfield", "$.field[*].subfield[*]".`
   );
 }
 function escapeLikePattern(value) {
@@ -11008,6 +11176,13 @@ function buildIlikeExtractSql(shape, paramName) {
         `jsonb_array_elements(resource->'${shape.field}') AS s_obj(obj)`,
         `WHERE s_obj.obj->>'${shape.subfield}' ILIKE :${paramName})`
       ].join(" ");
+    case "array-of-arrays":
+      return [
+        "EXISTS (SELECT 1 FROM",
+        `jsonb_array_elements(resource->'${shape.field}') AS s_obj(obj),`,
+        `jsonb_array_elements_text(s_obj.obj->'${shape.subfield}') AS s_elem(text_val)`,
+        `WHERE s_elem.text_val ILIKE :${paramName})`
+      ].join(" ");
   }
 }
 function emitStringPredicate(opts) {
@@ -11280,12 +11455,23 @@ async function genericSearchOperation(params) {
     ...combined.params
   ];
   const rows = await runner.query(sql, queryParams);
-  const entries = rows.map((row) => ({
-    id: row.id,
-    resource: { ...row.resource, id: row.id }
-  }));
+  const entries = rows.map((row) => {
+    const parsed = parseResourceColumn(row.resource);
+    const bodyId = typeof parsed.id === "string" ? parsed.id : void 0;
+    const id = bodyId ?? row.id;
+    return {
+      id,
+      resource: { ...parsed, id }
+    };
+  });
   return { entries, total: entries.length };
 }
+function parseResourceColumn(raw) {
+  if (typeof raw === "string") {
+    return JSON.parse(raw);
+  }
+  return raw;
+}
 
 // src/data/search/registry/allergyintolerance-search-parameters.ts
 var ALLERGYINTOLERANCE_SEARCH_PARAMETERS = [
@@ -11886,7 +12072,7 @@ var PATIENT_SEARCH_PARAMETERS = [
   {
     code: "given",
     type: "string",
-    jsonbPath: "$.name[*].given",
+    jsonbPath: "$.name[*].given[*]",
     modifiers: ["exact", "contains", "missing", "not"]
   },
   { code: "active", type: "token", jsonbPath: "$.active" },
@@ -11936,7 +12122,7 @@ var PRACTITIONER_SEARCH_PARAMETERS = [
   {
     code: "given",
     type: "string",
-    jsonbPath: "$.name[*].given",
+    jsonbPath: "$.name[*].given[*]",
     modifiers: ["exact", "contains", "missing", "not"]
   },
   { code: "active", type: "token", jsonbPath: "$.active" },