@openhi/constructs 0.0.178 → 0.0.179

package/lib/rest-api-lambda.handler.mjs

@@ -5,12 +5,10 @@ import {
   createRoleOperation
 } from "./chunk-SD7J3N3C.mjs";
 import {
-  countMembershipsByUserOperation,
-  listTenantsOperation,
-  listWorkspacesOperation,
-  membershipListByWorkspaceOperation,
-  roleAssignmentListByWorkspaceOperation
-} from "./chunk-JUSVETWK.mjs";
+  deleteOrganizationOperation,
+  deleteTenantOperation,
+  deleteWorkspaceOperation
+} from "./chunk-VQY57NOV.mjs";
 import {
   createAccountOperation,
   createAppointmentOperation,
@@ -26,26 +24,32 @@ import {
   createPractitionerOperation,
   createProcedureOperation,
   getRoleByIdOperation
-} from "./chunk-XNUCKVSE.mjs";
+} from "./chunk-7GMTHOYF.mjs";
+import {
+  countMembershipsByUserOperation,
+  listTenantsOperation,
+  listWorkspacesOperation,
+  membershipListByWorkspaceOperation,
+  roleAssignmentListByWorkspaceOperation
+} from "./chunk-4LQR32D2.mjs";
 import {
   listPractitionerRolesOperation,
   listRoleAssignmentsOperation
-} from "./chunk-GG2WD6TA.mjs";
+} from "./chunk-JJ3AQ6G5.mjs";
 import {
   listMembershipsOperation
-} from "./chunk-EBB4RNUG.mjs";
+} from "./chunk-PIQISEGW.mjs";
 import {
   createMembershipOperation,
   createRoleAssignmentOperation,
   createTenantOperation,
   createWorkspaceOperation,
   extractDenormalizedReferenceDisplay
-} from "./chunk-Z4PZSLYY.mjs";
+} from "./chunk-3M4QTQH6.mjs";
 import {
   extractRoleLevel,
   publishMembershipDeleted,
-  publishRoleAssignmentDeleted,
-  publishWorkspaceDeleted
+  publishRoleAssignmentDeleted
 } from "./chunk-BUAYVN3C.mjs";
 import {
   buildMembershipWorkspaceProjectionItem,
@@ -61,17 +65,14 @@ import {
   executeMultiWrite
 } from "./chunk-QJDHVMKT.mjs";
 import {
+  adminSetUserContextOperation,
   createUserOperation,
   deleteUserOperation,
   findUserBySubOperation,
   getUserByIdOperation,
   switchUserTenantWorkspaceOperation,
   updateUserOperation
-} from "./chunk-Y4RGUAM2.mjs";
-import {
-  listUsersOperation,
-  membershipListByUserOperation
-} from "./chunk-6HGSR3TG.mjs";
+} from "./chunk-V6KLFEHC.mjs";
 import {
   getDynamoDataService
 } from "./chunk-6BB4CRSS.mjs";
@@ -83,9 +84,11 @@ import {
   dispatchListMode,
   getDataEntityById,
   listDataEntitiesByWorkspace,
+  listUsersOperation,
+  membershipListByUserOperation,
   mergeAuditIntoMeta,
   updateDataEntityById
-} from "./chunk-FDBBTNCI.mjs";
+} from "./chunk-Q4KQD2NB.mjs";
 import {
   compressResource,
   decompressResource
@@ -2744,13 +2747,6 @@ async function createTenantRoute(req, res) {
   }
 }
 
-// src/data/operations/control/tenant/tenant-delete-operation.ts
-async function deleteTenantOperation(params) {
-  const { id, tableName } = params;
-  const service = getDynamoControlService(tableName);
-  await service.entities.tenant.delete({ tenantId: id, sk: "CURRENT" }).go();
-}
-
 // src/data/rest-api/routes/control/tenant/tenant-delete-route.ts
 async function deleteTenantRoute(req, res) {
   const id = String(req.params.id);
@@ -2826,6 +2822,76 @@ async function listTenantsRoute(req, res) {
   });
 }
 
+// src/data/operations/control/roleassignment/roleassignment-list-by-user-operation.ts
+function buildSkPrefix(mode) {
+  switch (mode) {
+    case "tenant":
+      return "ROLEASSIGNMENT#TENANT#";
+    case "workspace":
+    case "workspaceInTenant":
+      return "ROLEASSIGNMENT#WORKSPACE#";
+    case "all":
+    default:
+      return "ROLEASSIGNMENT#";
+  }
+}
+async function roleAssignmentListByUserOperation(params) {
+  const {
+    userId,
+    mode = "all",
+    tenantId,
+    workspaceId,
+    cursor = null,
+    limit,
+    order,
+    consistent,
+    tableName
+  } = params;
+  if (mode === "workspaceInTenant" && !tenantId) {
+    throw new Error(
+      'roleAssignmentListByUserOperation: tenantId is required when mode === "workspaceInTenant"'
+    );
+  }
+  const service = getDynamoControlService(tableName);
+  const skPrefix = buildSkPrefix(mode);
+  const goOptions = {
+    cursor
+  };
+  if (limit !== void 0) {
+    goOptions.limit = limit;
+  }
+  if (order !== void 0) {
+    goOptions.order = order;
+  }
+  if (consistent) {
+    goOptions.consistent = true;
+  }
+  const baseQuery = service.entities.roleAssignmentUserProjection.query.record({ userId }).begins({ sk: skPrefix });
+  const filteredQuery = mode === "workspaceInTenant" ? baseQuery.where((attr, op) => {
+    const tenantClause = op.eq(attr.tenantId, tenantId);
+    if (workspaceId === void 0 || workspaceId.length === 0) {
+      return tenantClause;
+    }
+    return `${tenantClause} AND ${op.eq(attr.workspaceId, workspaceId)}`;
+  }) : baseQuery;
+  const result = await filteredQuery.go(goOptions);
+  const items = (result.data ?? []).map((row) => ({
+    userId: row.userId,
+    sk: row.sk,
+    tenantId: row.tenantId,
+    workspaceId: row.workspaceId,
+    roleId: row.roleId,
+    roleAssignmentId: row.roleAssignmentId,
+    summary: row.summary,
+    vid: row.vid,
+    lastUpdated: row.lastUpdated,
+    denormalizedTenantName: row.denormalizedTenantName,
+    denormalizedUserName: row.denormalizedUserName,
+    denormalizedRoleName: row.denormalizedRoleName
+  }));
+  return { items, cursor: result.cursor ?? null };
+}
+
 // src/data/operations/control/tenant/tenant-users-operation.ts
 var USER_SK = "CURRENT";
 function extractEmail(user) {
@@ -2854,18 +2920,6 @@ function extractDisplayName(user) {
   const composed = `${given} ${family}`.trim();
   return composed.length > 0 ? composed : null;
 }
-function extractReferenceDisplay(resource, fieldName) {
-  const field = resource[fieldName];
-  if (!field || typeof field !== "object") {
-    return null;
-  }
-  const display = field.display;
-  if (typeof display !== "string") {
-    return null;
-  }
-  const trimmed = display.trim();
-  return trimmed.length > 0 ? trimmed : null;
-}
 function ensureAccumulator(byUser, userId) {
   let acc = byUser.get(userId);
   if (!acc) {
@@ -2877,9 +2931,8 @@ function ensureAccumulator(byUser, userId) {
 async function tenantUsersOperation(params) {
   const { context, tableName } = params;
   const service = getDynamoControlService(tableName);
-  const [memberships, roleAssignments, workspaces] = await Promise.all([
+  const [memberships, workspaces] = await Promise.all([
     listMembershipsOperation({ context, tableName }),
-    listRoleAssignmentsOperation({ context, tableName }),
     listWorkspacesOperation({ context, tableName })
   ]);
   const workspaceNames = /* @__PURE__ */ new Map();
@@ -2901,34 +2954,46 @@ async function tenantUsersOperation(params) {
       acc.workspaces.set(workspaceId, { workspaceId, role: null });
     }
   }
-  for (const entry of roleAssignments.entries) {
-    const resource = entry.resource;
-    const userId = extractReferenceSlug(resource, "user");
-    const roleId = extractReferenceSlug(resource, "role");
-    if (userId === void 0 || roleId === void 0) {
-      continue;
-    }
+  const membershipUserIds = Array.from(byUser.keys());
+  const projectionPages = await Promise.all(
+    membershipUserIds.map(
+      (userId) => roleAssignmentListByUserOperation({
+        userId,
+        mode: "all",
+        consistent: true,
+        tableName
+      })
+    )
+  );
+  projectionPages.forEach((page, index) => {
+    const userId = membershipUserIds[index];
     const acc = ensureAccumulator(byUser, userId);
-    const role = {
-      roleId,
-      roleName: extractReferenceDisplay(resource, "role")
-    };
-    const workspaceId = extractReferenceSlug(resource, "workspace");
-    if (workspaceId === void 0) {
-      acc.tenantRole = role;
-    } else {
-      const existing = acc.workspaces.get(workspaceId);
-      if (existing) {
-        existing.role = role;
+    for (const row of page.items) {
+      if (row.tenantId !== context.tenantId) {
+        continue;
+      }
+      const role = {
+        roleId: row.roleId,
+        roleName: row.denormalizedRoleName ?? null
+      };
+      const workspaceId = row.workspaceId;
+      if (workspaceId === void 0 || workspaceId.length === 0) {
+        acc.tenantRole = role;
       } else {
-        acc.workspaces.set(workspaceId, { workspaceId, role });
+        const existing = acc.workspaces.get(workspaceId);
+        if (existing) {
+          existing.role = role;
+        } else {
+          acc.workspaces.set(workspaceId, { workspaceId, role });
+        }
       }
     }
-  }
+  });
   const userIds = Array.from(byUser.keys());
   const userRows = userIds.length === 0 ? [] : await batchGetWithRetry(
     service.entities.user,
-    userIds.map((id) => ({ id, sk: USER_SK }))
+    userIds.map((id) => ({ id, sk: USER_SK })),
+    { consistent: true }
   );
   const usersById = /* @__PURE__ */ new Map();
   for (const row of userRows) {
@@ -3075,6 +3140,84 @@ router6.delete("/:id", deleteTenantRoute);
 // src/data/rest-api/routes/control/user/user.ts
 import express7 from "express";
 
+// src/data/rest-api/routes/control/user/user-admin-set-context-route.ts
+async function userAdminSetContextRoute(req, res) {
+  const ctx = req.openhiContext;
+  if (!ctx) {
+    return res.status(403).json({
+      resourceType: "OperationOutcome",
+      issue: [
+        {
+          severity: "error",
+          code: "forbidden",
+          diagnostics: "Missing or invalid OpenHI JWT claims (tenant, workspace, or audit context)."
+        }
+      ]
+    });
+  }
+  const targetUserId = String(req.params.id);
+  const bodyResult = requireJsonBody(req, res);
+  if ("errorResponse" in bodyResult) {
+    return bodyResult.errorResponse;
+  }
+  const body = bodyResult.body;
+  const tenantReference = body.tenant?.reference;
+  const workspaceReference = body.workspace?.reference;
+  if (typeof tenantReference !== "string" || tenantReference === "") {
+    return sendInvalid(
+      res,
+      "Body must include `tenant.reference` (e.g. 'Tenant/<id>')."
+    );
+  }
+  if (typeof workspaceReference !== "string" || workspaceReference === "") {
+    return sendInvalid(
+      res,
+      "Body must include `workspace.reference` (e.g. 'Workspace/<id>')."
+    );
+  }
+  try {
+    const result = await adminSetUserContextOperation({
+      context: ctx,
+      targetUserId,
+      tenantReference,
+      workspaceReference
+    });
+    res.setHeader("Cache-Control", "no-store");
+    return res.status(200).json(result.resource);
+  } catch (err) {
+    if (err instanceof ValidationError) {
+      return sendInvalid(res, err.message);
+    }
+    if (err instanceof ForbiddenError) {
+      return res.status(403).json({
+        resourceType: "OperationOutcome",
+        issue: [
+          { severity: "error", code: "forbidden", diagnostics: err.message }
+        ]
+      });
+    }
+    if (err instanceof NotFoundError) {
+      return res.status(404).json({
+        resourceType: "OperationOutcome",
+        issue: [
+          { severity: "error", code: "not-found", diagnostics: err.message }
+        ]
+      });
+    }
+    return sendOperationOutcome500(
+      res,
+      err,
+      "POST /User/:id/$set-context error:"
+    );
+  }
+}
+function sendInvalid(res, diagnostics) {
+  return res.status(400).json({
+    resourceType: "OperationOutcome",
+    issue: [{ severity: "error", code: "invalid", diagnostics }]
+  });
+}
+
 // src/data/rest-api/routes/control/user/user-create-route.ts
 async function createUserRoute(req, res) {
   const bodyResult = requireJsonBody(req, res);
@@ -3583,72 +3726,6 @@ async function listUserMembershipsRoute(req, res) {
   }
 }
 
-// src/data/operations/control/roleassignment/roleassignment-list-by-user-operation.ts
-function buildSkPrefix(mode) {
-  switch (mode) {
-    case "tenant":
-      return "ROLEASSIGNMENT#TENANT#";
-    case "workspace":
-    case "workspaceInTenant":
-      return "ROLEASSIGNMENT#WORKSPACE#";
-    case "all":
-    default:
-      return "ROLEASSIGNMENT#";
-  }
-}
-async function roleAssignmentListByUserOperation(params) {
-  const {
-    userId,
-    mode = "all",
-    tenantId,
-    workspaceId,
-    cursor = null,
-    limit,
-    order,
-    tableName
-  } = params;
-  if (mode === "workspaceInTenant" && !tenantId) {
-    throw new Error(
-      'roleAssignmentListByUserOperation: tenantId is required when mode === "workspaceInTenant"'
-    );
-  }
-  const service = getDynamoControlService(tableName);
-  const skPrefix = buildSkPrefix(mode);
-  const goOptions = {
-    cursor
-  };
-  if (limit !== void 0) {
-    goOptions.limit = limit;
-  }
-  if (order !== void 0) {
-    goOptions.order = order;
-  }
-  const baseQuery = service.entities.roleAssignmentUserProjection.query.record({ userId }).begins({ sk: skPrefix });
-  const filteredQuery = mode === "workspaceInTenant" ? baseQuery.where((attr, op) => {
-    const tenantClause = op.eq(attr.tenantId, tenantId);
-    if (workspaceId === void 0 || workspaceId.length === 0) {
-      return tenantClause;
-    }
-    return `${tenantClause} AND ${op.eq(attr.workspaceId, workspaceId)}`;
-  }) : baseQuery;
-  const result = await filteredQuery.go(goOptions);
-  const items = (result.data ?? []).map((row) => ({
-    userId: row.userId,
-    sk: row.sk,
-    tenantId: row.tenantId,
-    workspaceId: row.workspaceId,
-    roleId: row.roleId,
-    roleAssignmentId: row.roleAssignmentId,
-    summary: row.summary,
-    vid: row.vid,
-    lastUpdated: row.lastUpdated,
-    denormalizedTenantName: row.denormalizedTenantName,
-    denormalizedUserName: row.denormalizedUserName,
-    denormalizedRoleName: row.denormalizedRoleName
-  }));
-  return { items, cursor: result.cursor ?? null };
-}
-
 // src/data/rest-api/routes/control/user/user-list-role-assignments-route.ts
 var ALLOWED_MODES2 = [
   "all",
@@ -3797,6 +3874,7 @@ router7.get("/:id", getUserByIdRoute);
 router7.post("/", createUserRoute);
 router7.put("/:id", updateUserRoute);
 router7.delete("/:id", deleteUserRoute);
+router7.post("/:id/$set-context", userAdminSetContextRoute);
 router7.get("/:id/Membership", listUserMembershipsRoute);
 router7.get("/:id/RoleAssignment", listUserRoleAssignmentsRoute);
 router7.get("/:id/Configuration", listUserConfigurationsRoute);
@@ -4159,13 +4237,13 @@ async function userSwitchRoute(req, res) {
   const tenantReference = body.tenant?.reference;
   const workspaceReference = body.workspace?.reference;
   if (typeof tenantReference !== "string" || tenantReference === "") {
-    return sendInvalid(
+    return sendInvalid2(
       res,
       "Body must include `tenant.reference` (e.g. 'Tenant/<id>')."
     );
   }
   if (typeof workspaceReference !== "string" || workspaceReference === "") {
-    return sendInvalid(
+    return sendInvalid2(
       res,
       "Body must include `workspace.reference` (e.g. 'Workspace/<id>')."
     );
@@ -4180,7 +4258,7 @@ async function userSwitchRoute(req, res) {
     return res.status(200).json(result.resource);
   } catch (err) {
     if (err instanceof ValidationError) {
-      return sendInvalid(res, err.message);
+      return sendInvalid2(res, err.message);
     }
     if (err instanceof ForbiddenError) {
       return res.status(403).json({
@@ -4201,7 +4279,7 @@ async function userSwitchRoute(req, res) {
     return sendOperationOutcome500(res, err, "POST /User/$switch error:");
   }
 }
-function sendInvalid(res, diagnostics) {
+function sendInvalid2(res, diagnostics) {
   return res.status(400).json({
     resourceType: "OperationOutcome",
     issue: [{ severity: "error", code: "invalid", diagnostics }]
@@ -4243,40 +4321,6 @@ async function createWorkspaceRoute(req, res) {
   }
 }
 
-// src/data/operations/data/organization/organization-delete-operation.ts
-async function deleteOrganizationOperation(params) {
-  const { context, id, tableName } = params;
-  const { tenantId, workspaceId } = context;
-  const service = getDynamoDataService(tableName);
-  await deleteDataEntityById(
-    service.entities.organization,
-    tenantId,
-    workspaceId,
-    id
-  );
-}
-
-// src/data/operations/control/workspace/workspace-delete-operation.ts
-async function deleteWorkspaceOperation(params) {
-  const { context, id, tableName } = params;
-  const { tenantId } = context;
-  const service = getDynamoControlService(tableName);
-  const existing = await service.entities.workspace.get({ tenantId, id, sk: "CURRENT" }).go();
-  const workspaceExisted = existing.data !== null;
-  await service.entities.workspace.delete({ tenantId, id, sk: "CURRENT" }).go();
-  await deleteOrganizationOperation({
-    context: { ...context, workspaceId: id },
-    id,
-    tableName
-  });
-  if (workspaceExisted) {
-    await publishWorkspaceDeleted(context, {
-      workspaceId: id,
-      tenantId
-    });
-  }
-}
-
 // src/data/rest-api/routes/control/workspace/workspace-delete-route.ts
 async function deleteWorkspaceRoute(req, res) {
   const id = String(req.params.id);