@openhi/constructs 0.0.178 → 0.0.179

package/lib/seed-demo-data.handler.js

@@ -6634,19 +6634,349 @@ var ConflictError = class extends DomainError {
   }
 };
 
-// src/data/operations/control/membership/membership-create-operation.ts
-var import_types5 = require("@openhi/types");
-var import_ulid = require("ulid");
+// src/data/operations/control/counters/counter-apply-operation.ts
+var COUNTER_TARGET = {
+  Tenant: "Tenant",
+  Workspace: "Workspace",
+  User: "User"
+};
 
-// src/data/operations/control/membership/membership-user-projection.ts
+// src/data/operations/control/counters/role-admin-classification.ts
+function isAdminRoleAssignment(input) {
+  if (codeIsAdminTier(input.roleLevel)) {
+    return true;
+  }
+  if (idMatchesAdmin(input.roleId)) {
+    return true;
+  }
+  return false;
+}
+function codeIsAdminTier(roleLevel) {
+  if (typeof roleLevel !== "string" || roleLevel.length === 0) {
+    return false;
+  }
+  const lower = roleLevel.toLowerCase();
+  return lower === "admin" || lower.endsWith("admin");
+}
+function idMatchesAdmin(roleId) {
+  if (typeof roleId !== "string" || roleId.length === 0) {
+    return false;
+  }
+  return roleId.toLowerCase().includes("admin");
+}
+
+// src/data/operations/control/control-event-publisher.ts
+var import_client_eventbridge = require("@aws-sdk/client-eventbridge");
+var import_workflows2 = __toESM(require_lib());
+var CONTROL_EVENT_BUS_NAME_ENV_VAR = "CONTROL_EVENT_BUS_NAME";
+var cachedClient;
+function getClient() {
+  if (!cachedClient) {
+    cachedClient = new import_client_eventbridge.EventBridgeClient({
+      region: process.env.AWS_REGION ?? "us-east-1"
+    });
+  }
+  return cachedClient;
+}
+function actorFromContext(context) {
+  return {
+    ohi_tid: context.tenantId,
+    ohi_wid: context.workspaceId,
+    ohi_uid: context.actorId,
+    ohi_uname: context.actorName
+  };
+}
+async function publishControlEvent(entry, payload, context) {
+  const busName = process.env[CONTROL_EVENT_BUS_NAME_ENV_VAR];
+  if (!busName) {
+    return;
+  }
+  try {
+    await (0, import_workflows2.publishWorkflowEvent)(
+      getClient(),
+      entry,
+      payload,
+      { actor: actorFromContext(context) },
+      { busNameByPlane: { [import_workflows2.OPENHI_CONTROL_SOURCE]: busName } }
+    );
+  } catch (err) {
+    console.error(`control-event publish failed for ${entry.detailType}:`, err);
+  }
+}
+async function publishMembershipCreated(context, detail) {
+  await publishControlEvent(import_workflows2.ControlPlaneMembershipCreatedV1, detail, context);
+}
+async function publishRoleAssignmentCreated(context, detail) {
+  await publishControlEvent(
+    import_workflows2.ControlPlaneRoleAssignmentCreatedV1,
+    detail,
+    context
+  );
+}
+async function publishWorkspaceCreated(context, detail) {
+  await publishControlEvent(import_workflows2.ControlPlaneWorkspaceCreatedV1, detail, context);
+}
+function extractRoleLevel(resource) {
+  const code = resource?.code;
+  const first = code?.coding?.[0]?.code;
+  return typeof first === "string" && first.length > 0 ? first : void 0;
+}
+
+// src/data/operations/control/membership/membership-list-by-user-operation.ts
+function buildSkPrefix(mode, tenantId) {
+  switch (mode) {
+    case "tenant":
+      return "MEMBERSHIP#TENANT#";
+    case "workspace":
+      return "MEMBERSHIP#WORKSPACE#";
+    case "workspaceInTenant":
+      return `MEMBERSHIP#WORKSPACE#TID#${tenantId}#`;
+    case "all":
+    default:
+      return "MEMBERSHIP#";
+  }
+}
+
+// src/data/operations/control/membership/membership-count-by-user-operation.ts
+async function countMembershipsByUserOperation(params) {
+  const { userId, mode = "all", tenantId, tableName } = params;
+  if (mode === "workspaceInTenant" && !tenantId) {
+    throw new Error(
+      'countMembershipsByUserOperation: tenantId is required when mode === "workspaceInTenant"'
+    );
+  }
+  const service = getDynamoControlService(tableName);
+  const skPrefix = buildSkPrefix(mode, tenantId);
+  const result = await service.entities.membershipUserProjection.query.record({ userId }).begins({ sk: skPrefix }).go({ pages: "all", attributes: ["membershipId"] });
+  return (result.data ?? []).length;
+}
+
+// src/data/operations/control/membership/membership-list-by-workspace-operation.ts
+async function membershipListByWorkspaceOperation(params) {
+  const {
+    tenantId,
+    workspaceId,
+    cursor = null,
+    limit,
+    order,
+    tableName
+  } = params;
+  const service = getDynamoControlService(tableName);
+  const goOptions = {
+    cursor
+  };
+  if (limit !== void 0) {
+    goOptions.limit = limit;
+  }
+  if (order !== void 0) {
+    goOptions.order = order;
+  }
+  const result = await service.entities.membershipWorkspaceProjection.query.record({ tenantId, workspaceId }).begins({ sk: "MEMBERSHIP#" }).go(goOptions);
+  const items = (result.data ?? []).map((row) => ({
+    tenantId: row.tenantId,
+    workspaceId: row.workspaceId,
+    sk: row.sk,
+    userId: row.userId,
+    membershipId: row.membershipId,
+    summary: row.summary,
+    vid: row.vid,
+    lastUpdated: row.lastUpdated,
+    denormalizedUserName: row.denormalizedUserName
+  }));
+  return { items, cursor: result.cursor ?? null };
+}
+
+// src/data/operations/data-operations-common.ts
 var import_types3 = require("@openhi/types");
+
+// src/lib/compression.ts
+var import_node_zlib = require("zlib");
+var ENVELOPE_VERSION = 1;
+var COMPRESSION_ALGOS = {
+  NONE: "none",
+  GZIP: "gzip",
+  BROTLI: "brotli",
+  DEFLATE: "deflate"
+};
+function compressResource(jsonString, options) {
+  const algo = options?.algo ?? COMPRESSION_ALGOS.GZIP;
+  if (algo === COMPRESSION_ALGOS.NONE) {
+    const envelope2 = {
+      v: ENVELOPE_VERSION,
+      algo: COMPRESSION_ALGOS.NONE,
+      payload: jsonString
+    };
+    return JSON.stringify(envelope2);
+  }
+  const buf = Buffer.from(jsonString, "utf-8");
+  const payload = (0, import_node_zlib.gzipSync)(buf).toString("base64");
+  const envelope = {
+    v: ENVELOPE_VERSION,
+    algo: COMPRESSION_ALGOS.GZIP,
+    payload
+  };
+  return JSON.stringify(envelope);
+}
+
+// src/data/audit-meta.ts
+var OPENHI_EXT = "http://openhi.org/fhir/StructureDefinition";
+function mergeAuditIntoMeta(meta, audit) {
+  const existing = meta ?? {};
+  const ext = [
+    ...Array.isArray(existing.extension) ? existing.extension : []
+  ];
+  const byUrl = new Map(ext.map((e) => [e.url, e]));
+  function set(url, value, type) {
+    if (value == null) return;
+    byUrl.set(url, { url, [type]: value });
+  }
+  set(`${OPENHI_EXT}/created-date`, audit.createdDate, "valueDateTime");
+  set(`${OPENHI_EXT}/created-by-id`, audit.createdById, "valueString");
+  set(`${OPENHI_EXT}/created-by-name`, audit.createdByName, "valueString");
+  set(`${OPENHI_EXT}/modified-date`, audit.modifiedDate, "valueDateTime");
+  set(`${OPENHI_EXT}/modified-by-id`, audit.modifiedById, "valueString");
+  set(`${OPENHI_EXT}/modified-by-name`, audit.modifiedByName, "valueString");
+  set(`${OPENHI_EXT}/deleted-date`, audit.deletedDate, "valueDateTime");
+  set(`${OPENHI_EXT}/deleted-by-id`, audit.deletedById, "valueString");
+  set(`${OPENHI_EXT}/deleted-by-name`, audit.deletedByName, "valueString");
+  return { ...existing, extension: Array.from(byUrl.values()) };
+}
+
+// src/data/operations/data-operations-common.ts
+var DATA_ENTITY_SK = "CURRENT";
+var BATCH_GET_MAX_ATTEMPTS = 3;
+var BATCH_GET_BASE_BACKOFF_MS = 50;
+async function batchGetWithRetry(entity, keys, options) {
+  if (keys.length === 0) return [];
+  const collected = [];
+  let pending = keys;
+  let attempt = 0;
+  while (pending.length > 0) {
+    if (attempt > 0) {
+      await new Promise(
+        (resolve) => setTimeout(resolve, BATCH_GET_BASE_BACKOFF_MS * 2 ** (attempt - 1))
+      );
+    }
+    attempt++;
+    const result = await entity.get(pending).go(options?.consistent ? { consistent: true } : void 0);
+    collected.push(...result.data);
+    const unprocessed = result.unprocessed ?? [];
+    if (unprocessed.length === 0) break;
+    if (attempt >= BATCH_GET_MAX_ATTEMPTS) {
+      throw new Error(
+        `BatchGet exhausted retries: ${unprocessed.length} key(s) still unprocessed after ${BATCH_GET_MAX_ATTEMPTS} attempt(s)`
+      );
+    }
+    pending = unprocessed;
+  }
+  return collected;
+}
+async function dispatchListMode(mode, shardResults, hooks) {
+  if (mode === "count") {
+    let total = 0;
+    for (const shardResult of shardResults) {
+      total += (shardResult.data ?? []).length;
+    }
+    return { entries: [], total };
+  }
+  if (mode === "summary") {
+    const entries2 = [];
+    for (const shardResult of shardResults) {
+      for (const item of shardResult.data ?? []) {
+        if (typeof item.summary !== "string") continue;
+        let parsed;
+        try {
+          parsed = JSON.parse(item.summary);
+        } catch {
+          continue;
+        }
+        entries2.push(hooks.buildSummaryEntry(item.id, parsed));
+      }
+    }
+    return { entries: entries2, total: entries2.length };
+  }
+  const orderedIds = [];
+  for (const shardResult of shardResults) {
+    for (const item of shardResult.data ?? []) {
+      orderedIds.push(item.id);
+    }
+  }
+  if (orderedIds.length === 0) return { entries: [], total: 0 };
+  const items = await hooks.hydrate(orderedIds);
+  const byId = new Map(items.map((item) => [hooks.getId(item), item]));
+  const entries = [];
+  for (const id of orderedIds) {
+    const item = byId.get(id);
+    if (!item) continue;
+    entries.push(hooks.buildEntry(id, item));
+  }
+  return { entries, total: entries.length };
+}
+async function createDataEntityRecord(entity, tenantId, workspaceId, id, resourceWithAudit, fallbackDate) {
+  const lastUpdated = resourceWithAudit.meta?.lastUpdated ?? fallbackDate ?? (/* @__PURE__ */ new Date()).toISOString();
+  const vid = lastUpdated.replace(/[-:T.Z]/g, "").slice(0, 12) || Date.now().toString(36);
+  const resourceLike = resourceWithAudit;
+  const summary = JSON.stringify((0, import_types3.extractSummary)(resourceLike));
+  const gsi1sk = (0, import_types3.extractSortKey)(resourceLike);
+  await entity.put({
+    sk: DATA_ENTITY_SK,
+    tenantId,
+    workspaceId,
+    id,
+    resource: compressResource(JSON.stringify(resourceWithAudit)),
+    summary,
+    vid,
+    lastUpdated,
+    gsi1sk
+  }).go();
+  return {
+    id,
+    resource: resourceWithAudit
+  };
+}
+
+// src/data/operations/control/membership/membership-list-operation.ts
+var SK = "CURRENT";
+async function listMembershipsOperation(params) {
+  const { context, tableName, mode = "full" } = params;
+  const tenantId = context.tenantId;
+  const service = getDynamoControlService(tableName);
+  const shardResults = await Promise.all(
+    Array.from(
+      { length: SHARD_COUNT },
+      (_, shard) => service.entities.membership.query.gsi1({ tenantId, gsi1Shard: String(shard) }).go()
+    )
+  );
+  return dispatchListMode(mode, shardResults, {
+    hydrate: (orderedIds) => batchGetWithRetry(
+      service.entities.membership,
+      orderedIds.map((id) => ({ tenantId, id, sk: SK }))
+    ),
+    getId: (item) => item.id,
+    buildEntry: (id, item) => ({
+      id,
+      resource: {
+        resourceType: "Membership",
+        id,
+        ...JSON.parse(item.resource)
+      }
+    }),
+    buildSummaryEntry: (id, parsed) => ({
+      id,
+      resource: { resourceType: "Membership", id, ...parsed }
+    })
+  });
+}
+
+// src/data/operations/control/membership/membership-user-projection.ts
+var import_types4 = require("@openhi/types");
 var MISSING_NAME_SENTINEL = "-";
 function buildMembershipUserProjectionSkTenantLane(params) {
-  const normalizedTenantName = typeof params.denormalizedTenantName === "string" && params.denormalizedTenantName.length > 0 ? (0, import_types3.normalizeLabel)(params.denormalizedTenantName) : MISSING_NAME_SENTINEL;
+  const normalizedTenantName = typeof params.denormalizedTenantName === "string" && params.denormalizedTenantName.length > 0 ? (0, import_types4.normalizeLabel)(params.denormalizedTenantName) : MISSING_NAME_SENTINEL;
   return `MEMBERSHIP#TENANT#${normalizedTenantName}#TID#${params.tenantId}#${params.membershipId}`;
 }
 function buildMembershipUserProjectionSkWorkspaceLane(params) {
-  const normalizedWorkspaceName = typeof params.denormalizedWorkspaceName === "string" && params.denormalizedWorkspaceName.length > 0 ? (0, import_types3.normalizeLabel)(params.denormalizedWorkspaceName) : MISSING_NAME_SENTINEL;
+  const normalizedWorkspaceName = typeof params.denormalizedWorkspaceName === "string" && params.denormalizedWorkspaceName.length > 0 ? (0, import_types4.normalizeLabel)(params.denormalizedWorkspaceName) : MISSING_NAME_SENTINEL;
   return `MEMBERSHIP#WORKSPACE#TID#${params.tenantId}#${normalizedWorkspaceName}#WID#${params.workspaceId}#${params.membershipId}`;
 }
 function buildMembershipUserProjectionItem(input) {
@@ -6692,11 +7022,454 @@ function extractReferenceSlug(resource, fieldName) {
   return tail.length > 0 ? tail : void 0;
 }
 
+// src/data/operations/control/roleassignment/roleassignment-list-by-workspace-operation.ts
+function buildSkPrefix2(roleId) {
+  if (roleId === void 0 || roleId.length === 0) {
+    return "ROLEASSIGNMENT#";
+  }
+  return `ROLEASSIGNMENT#${roleId}#`;
+}
+async function roleAssignmentListByWorkspaceOperation(params) {
+  const {
+    tenantId,
+    workspaceId,
+    roleId,
+    cursor = null,
+    limit,
+    order,
+    tableName
+  } = params;
+  const service = getDynamoControlService(tableName);
+  const skPrefix = buildSkPrefix2(roleId);
+  const goOptions = {
+    cursor
+  };
+  if (limit !== void 0) {
+    goOptions.limit = limit;
+  }
+  if (order !== void 0) {
+    goOptions.order = order;
+  }
+  const result = await service.entities.roleAssignmentWorkspaceProjection.query.record({ tenantId, workspaceId }).begins({ sk: skPrefix }).go(goOptions);
+  const items = (result.data ?? []).map((row) => ({
+    tenantId: row.tenantId,
+    workspaceId: row.workspaceId,
+    sk: row.sk,
+    userId: row.userId,
+    roleId: row.roleId,
+    roleAssignmentId: row.roleAssignmentId,
+    summary: row.summary,
+    vid: row.vid,
+    lastUpdated: row.lastUpdated,
+    denormalizedUserName: row.denormalizedUserName,
+    denormalizedRoleName: row.denormalizedRoleName
+  }));
+  return { items, cursor: result.cursor ?? null };
+}
+
+// src/data/operations/control/workspace/workspace-list-operation.ts
+var SK2 = "CURRENT";
+function counterValue(value) {
+  return typeof value === "number" && Number.isFinite(value) ? value : 0;
+}
+async function listWorkspacesOperation(params) {
+  const { context, tableName, mode = "full" } = params;
+  const { tenantId } = context;
+  const service = getDynamoControlService(tableName);
+  const shardResults = await Promise.all(
+    Array.from(
+      { length: SHARD_COUNT },
+      (_, shard) => service.entities.workspace.query.gsi1({ tenantId, gsi1Shard: String(shard) }).go()
+    )
+  );
+  return dispatchListMode(mode, shardResults, {
+    hydrate: (orderedIds) => batchGetWithRetry(
+      service.entities.workspace,
+      orderedIds.map((id) => ({ tenantId, id, sk: SK2 }))
+    ),
+    getId: (item) => item.id,
+    // FULL mode (admin list default): read the ADR-028 counters off the
+    // canonical record hydrated by BatchGet and expose them as
+    // `resource.counts`. Missing counters render as 0.
+    buildEntry: (id, item) => ({
+      id,
+      resource: {
+        resourceType: "Workspace",
+        id,
+        ...JSON.parse(item.resource),
+        counts: {
+          usersInWorkspace: counterValue(item.usersInWorkspace),
+          adminUsersInWorkspace: counterValue(item.adminUsersInWorkspace),
+          normalUsersInWorkspace: counterValue(item.normalUsersInWorkspace)
+        }
+      }
+    }),
+    // SUMMARY mode reads only the GSI1 `summary` projection (no
+    // counters); surface zeros so the shape stays uniform.
+    buildSummaryEntry: (id, parsed) => ({
+      id,
+      resource: {
+        resourceType: "Workspace",
+        id,
+        ...parsed,
+        counts: {
+          usersInWorkspace: 0,
+          adminUsersInWorkspace: 0,
+          normalUsersInWorkspace: 0
+        }
+      }
+    })
+  });
+}
+
+// src/data/operations/control/counters/counter-reconcile-operation.ts
+function counterValue2(value) {
+  return typeof value === "number" && Number.isFinite(value) ? value : 0;
+}
+function reconcileContext(tenantId) {
+  return {
+    tenantId,
+    workspaceId: "",
+    date: (/* @__PURE__ */ new Date()).toISOString(),
+    actorId: "counter-reconciliation",
+    actorName: "Counter Reconciliation Job",
+    actorType: "internal-system",
+    source: "step-function"
+  };
+}
+async function reconcileTenantCountersOperation(params) {
+  const { tenantId, tableName } = params;
+  const service = getDynamoControlService(tableName);
+  const context = reconcileContext(tenantId);
+  const workspacesResult = await listWorkspacesOperation({
+    context,
+    tableName,
+    mode: "count"
+  });
+  const workspacesInTenant = workspacesResult.total;
+  const memberships = await listMembershipsOperation({
+    context,
+    tableName,
+    mode: "full"
+  });
+  let usersInTenant = 0;
+  for (const entry of memberships.entries) {
+    const workspaceSlug = extractReferenceSlug(entry.resource, "workspace");
+    if (workspaceSlug === void 0) {
+      usersInTenant += 1;
+    }
+  }
+  const current = await service.entities.tenant.get({ tenantId, sk: "CURRENT" }).go();
+  const drift = [];
+  const recomputed = {
+    usersInTenant,
+    workspacesInTenant
+  };
+  for (const counter of Object.keys(recomputed)) {
+    const oldValue = counterValue2(current.data?.[counter]);
+    const newValue = recomputed[counter];
+    if (oldValue !== newValue) {
+      drift.push({
+        target: COUNTER_TARGET.Tenant,
+        id: tenantId,
+        counter,
+        old: oldValue,
+        new: newValue
+      });
+    }
+  }
+  if (drift.length > 0) {
+    await service.entities.tenant.patch({ tenantId, sk: "CURRENT" }).set(recomputed).go();
+  }
+  return { drift };
+}
+async function reconcileWorkspaceCountersOperation(params) {
+  const { tenantId, workspaceId, tableName } = params;
+  const service = getDynamoControlService(tableName);
+  let usersInWorkspace = 0;
+  let membershipCursor = null;
+  do {
+    const page = await membershipListByWorkspaceOperation({
+      tenantId,
+      workspaceId,
+      cursor: membershipCursor,
+      tableName
+    });
+    usersInWorkspace += page.items.length;
+    membershipCursor = page.cursor;
+  } while (membershipCursor !== null);
+  let adminUsersInWorkspace = 0;
+  let normalUsersInWorkspace = 0;
+  let roleAssignmentCursor = null;
+  do {
+    const page = await roleAssignmentListByWorkspaceOperation({
+      tenantId,
+      workspaceId,
+      cursor: roleAssignmentCursor,
+      tableName
+    });
+    for (const item of page.items) {
+      const roleLevel = await readRoleLevel(
+        service,
+        tenantId,
+        item.roleAssignmentId
+      );
+      if (isAdminRoleAssignment({ roleLevel, roleId: item.roleId })) {
+        adminUsersInWorkspace += 1;
+      } else {
+        normalUsersInWorkspace += 1;
+      }
+    }
+    roleAssignmentCursor = page.cursor;
+  } while (roleAssignmentCursor !== null);
+  const current = await service.entities.workspace.get({ tenantId, id: workspaceId, sk: "CURRENT" }).go();
+  const drift = [];
+  const recomputed = {
+    usersInWorkspace,
+    adminUsersInWorkspace,
+    normalUsersInWorkspace
+  };
+  for (const counter of Object.keys(recomputed)) {
+    const oldValue = counterValue2(current.data?.[counter]);
+    const newValue = recomputed[counter];
+    if (oldValue !== newValue) {
+      drift.push({
+        target: COUNTER_TARGET.Workspace,
+        id: workspaceId,
+        tenantId,
+        counter,
+        old: oldValue,
+        new: newValue
+      });
+    }
+  }
+  if (drift.length > 0) {
+    await service.entities.workspace.patch({ tenantId, id: workspaceId, sk: "CURRENT" }).set(recomputed).go();
+  }
+  return { drift };
+}
+async function reconcileUserCountersOperation(params) {
+  const { userId, tableName } = params;
+  const service = getDynamoControlService(tableName);
+  const tenantsForUser = await countMembershipsByUserOperation({
+    userId,
+    mode: "tenant",
+    tableName
+  });
+  const workspacesForUser = await countMembershipsByUserOperation({
+    userId,
+    mode: "workspace",
+    tableName
+  });
+  const current = await service.entities.user.get({ id: userId, sk: "CURRENT" }).go();
+  const drift = [];
+  const recomputed = {
+    tenantsForUser,
+    workspacesForUser
+  };
+  for (const counter of Object.keys(recomputed)) {
+    const oldValue = counterValue2(current.data?.[counter]);
+    const newValue = recomputed[counter];
+    if (oldValue !== newValue) {
+      drift.push({
+        target: COUNTER_TARGET.User,
+        id: userId,
+        counter,
+        old: oldValue,
+        new: newValue
+      });
+    }
+  }
+  if (drift.length > 0) {
+    await service.entities.user.patch({ id: userId, sk: "CURRENT" }).set(recomputed).go();
+  }
+  return { drift };
+}
+async function readRoleLevel(service, tenantId, roleAssignmentId) {
+  const response = await service.entities.roleAssignment.get({ tenantId, id: roleAssignmentId, sk: "CURRENT" }).go();
+  if (!response.data) {
+    return void 0;
+  }
+  const resource = JSON.parse(response.data.resource);
+  return extractRoleLevel(resource);
+}
+
+// src/data/operations/control/tenant/tenant-list-operation.ts
+var SK3 = "CURRENT";
+function counterValue3(value) {
+  return typeof value === "number" && Number.isFinite(value) ? value : 0;
+}
+async function listTenantsOperation(params) {
+  const { tableName, mode = "full" } = params;
+  const service = getDynamoControlService(tableName);
+  const shardResults = await Promise.all(
+    Array.from(
+      { length: SHARD_COUNT },
+      (_, shard) => service.entities.tenant.query.gsi1({ gsi1Shard: String(shard) }).go()
+    )
+  );
+  return dispatchListMode(mode, shardResults, {
+    hydrate: (orderedIds) => batchGetWithRetry(
+      service.entities.tenant,
+      orderedIds.map((id) => ({ tenantId: id, sk: SK3 }))
+    ),
+    getId: (item) => item.id,
+    // FULL mode (admin list default): read the ADR-028 counters off the
+    // canonical record hydrated by BatchGet and expose them as
+    // `resource.counts`. Missing counters render as 0.
+    buildEntry: (id, item) => ({
+      id,
+      resource: {
+        resourceType: "Tenant",
+        id,
+        ...JSON.parse(item.resource),
+        counts: {
+          usersInTenant: counterValue3(item.usersInTenant),
+          workspacesInTenant: counterValue3(item.workspacesInTenant)
+        }
+      }
+    }),
+    // SUMMARY mode reads only the GSI1 `summary` projection, which does
+    // not carry the counters; surface zeros so the shape stays uniform.
+    buildSummaryEntry: (id, parsed) => ({
+      id,
+      resource: {
+        resourceType: "Tenant",
+        id,
+        ...parsed,
+        counts: { usersInTenant: 0, workspacesInTenant: 0 }
+      }
+    })
+  });
+}
+
+// src/data/operations/control/user/user-list-operation.ts
+var SK4 = "CURRENT";
+function counterValue4(value) {
+  return typeof value === "number" && Number.isFinite(value) ? value : 0;
+}
+async function listUsersOperation(params) {
+  const { tableName, mode = "full" } = params;
+  const service = getDynamoControlService(tableName);
+  const shardResults = await Promise.all(
+    Array.from(
+      { length: SHARD_COUNT },
+      (_, shard) => service.entities.user.query.gsi1({ gsi1Shard: String(shard) }).go()
+    )
+  );
+  return dispatchListMode(mode, shardResults, {
+    hydrate: (orderedIds) => batchGetWithRetry(
+      service.entities.user,
+      orderedIds.map((id) => ({ id, sk: SK4 }))
+    ),
+    getId: (item) => item.id,
+    // FULL mode (admin list default): read the ADR-028 counters off the
+    // canonical record hydrated by BatchGet and expose them as
+    // `resource.counts`. Missing counters render as 0.
+    buildEntry: (id, item) => ({
+      id,
+      resource: {
+        resourceType: "User",
+        id,
+        ...JSON.parse(item.resource),
+        counts: {
+          tenantsForUser: counterValue4(item.tenantsForUser),
+          workspacesForUser: counterValue4(item.workspacesForUser)
+        }
+      }
+    }),
+    // SUMMARY mode reads only the GSI1 `summary` projection (no
+    // counters); surface zeros so the shape stays uniform.
+    buildSummaryEntry: (id, parsed) => ({
+      id,
+      resource: {
+        resourceType: "User",
+        id,
+        ...parsed,
+        counts: { tenantsForUser: 0, workspacesForUser: 0 }
+      }
+    })
+  });
+}
+
+// src/data/operations/control/counters/counter-reconcile-driver.ts
+function driverContext(tenantId) {
+  return {
+    tenantId,
+    workspaceId: "",
+    date: (/* @__PURE__ */ new Date()).toISOString(),
+    actorId: "counter-reconciliation",
+    actorName: "Counter Reconciliation Job",
+    actorType: "internal-system",
+    source: "step-function"
+  };
+}
+async function reconcileAllCountersOperation(params = {}) {
+  const { tableName } = params;
+  const drift = [];
+  let tenantsScanned = 0;
+  let workspacesScanned = 0;
+  let usersScanned = 0;
+  const tenants = await listTenantsOperation({
+    context: driverContext(""),
+    tableName,
+    mode: "summary"
+  });
+  for (const tenant of tenants.entries) {
+    tenantsScanned += 1;
+    const tenantResult = await reconcileTenantCountersOperation({
+      tenantId: tenant.id,
+      tableName
+    });
+    drift.push(...tenantResult.drift);
+    const workspaces = await listWorkspacesOperation({
+      context: driverContext(tenant.id),
+      tableName,
+      mode: "summary"
+    });
+    for (const workspace of workspaces.entries) {
+      workspacesScanned += 1;
+      const workspaceResult = await reconcileWorkspaceCountersOperation({
+        tenantId: tenant.id,
+        workspaceId: workspace.id,
+        tableName
+      });
+      drift.push(...workspaceResult.drift);
+    }
+  }
+  const users = await listUsersOperation({
+    context: driverContext(""),
+    tableName,
+    mode: "summary"
+  });
+  for (const user of users.entries) {
+    usersScanned += 1;
+    const userResult = await reconcileUserCountersOperation({
+      userId: user.id,
+      tableName
+    });
+    drift.push(...userResult.drift);
+  }
+  return {
+    drift,
+    scanned: {
+      tenants: tenantsScanned,
+      workspaces: workspacesScanned,
+      users: usersScanned
+    },
+    countersCorrected: drift.length
+  };
+}
+
+// src/data/operations/control/membership/membership-create-operation.ts
+var import_types6 = require("@openhi/types");
+var import_ulid = require("ulid");
+
 // src/data/operations/control/membership/membership-workspace-projection.ts
-var import_types4 = require("@openhi/types");
+var import_types5 = require("@openhi/types");
 var MISSING_NAME_SENTINEL2 = "-";
 function buildMembershipWorkspaceProjectionSk(params) {
-  const normalizedUserName = typeof params.denormalizedUserName === "string" && params.denormalizedUserName.length > 0 ? (0, import_types4.normalizeLabel)(params.denormalizedUserName) : MISSING_NAME_SENTINEL2;
+  const normalizedUserName = typeof params.denormalizedUserName === "string" && params.denormalizedUserName.length > 0 ? (0, import_types5.normalizeLabel)(params.denormalizedUserName) : MISSING_NAME_SENTINEL2;
   return `MEMBERSHIP#${normalizedUserName}#USER#${params.userId}#${params.membershipId}`;
 }
 function buildMembershipWorkspaceProjectionItem(input) {
@@ -6724,63 +7497,6 @@ function buildMembershipWorkspaceProjectionItem(input) {
   };
 }
 
-// src/data/operations/control/control-event-publisher.ts
-var import_client_eventbridge = require("@aws-sdk/client-eventbridge");
-var import_workflows2 = __toESM(require_lib());
-var CONTROL_EVENT_BUS_NAME_ENV_VAR = "CONTROL_EVENT_BUS_NAME";
-var cachedClient;
-function getClient() {
-  if (!cachedClient) {
-    cachedClient = new import_client_eventbridge.EventBridgeClient({
-      region: process.env.AWS_REGION ?? "us-east-1"
-    });
-  }
-  return cachedClient;
-}
-function actorFromContext(context) {
-  return {
-    ohi_tid: context.tenantId,
-    ohi_wid: context.workspaceId,
-    ohi_uid: context.actorId,
-    ohi_uname: context.actorName
-  };
-}
-async function publishControlEvent(entry, payload, context) {
-  const busName = process.env[CONTROL_EVENT_BUS_NAME_ENV_VAR];
-  if (!busName) {
-    return;
-  }
-  try {
-    await (0, import_workflows2.publishWorkflowEvent)(
-      getClient(),
-      entry,
-      payload,
-      { actor: actorFromContext(context) },
-      { busNameByPlane: { [import_workflows2.OPENHI_CONTROL_SOURCE]: busName } }
-    );
-  } catch (err) {
-    console.error(`control-event publish failed for ${entry.detailType}:`, err);
-  }
-}
-async function publishMembershipCreated(context, detail) {
-  await publishControlEvent(import_workflows2.ControlPlaneMembershipCreatedV1, detail, context);
-}
-async function publishRoleAssignmentCreated(context, detail) {
-  await publishControlEvent(
-    import_workflows2.ControlPlaneRoleAssignmentCreatedV1,
-    detail,
-    context
-  );
-}
-async function publishWorkspaceCreated(context, detail) {
-  await publishControlEvent(import_workflows2.ControlPlaneWorkspaceCreatedV1, detail, context);
-}
-function extractRoleLevel(resource) {
-  const code = resource?.code;
-  const first = code?.coding?.[0]?.code;
-  return typeof first === "string" && first.length > 0 ? first : void 0;
-}
-
 // src/data/operations/control/denormalized-display-names.ts
 function extractDenormalizedReferenceDisplay(resource, fieldName) {
   const field = resource[fieldName];
@@ -6925,12 +7641,12 @@ async function createMembershipOperation(params) {
   const resource = { resourceType: "Membership", id, ...parsedResource };
   let linkedDataIdentityRef;
   try {
-    const ext = (0, import_types5.assertLinkedDataIdentityCardinality)(
+    const ext = (0, import_types6.assertLinkedDataIdentityCardinality)(
       resource
     );
     linkedDataIdentityRef = ext?.valueReference?.reference;
   } catch (e) {
-    if (e instanceof import_types5.LinkedDataIdentityCardinalityError) {
+    if (e instanceof import_types6.LinkedDataIdentityCardinalityError) {
       throw new ValidationError(e.message, { cause: e });
     }
     throw e;
@@ -6948,7 +7664,7 @@ async function createMembershipOperation(params) {
     resourceRecord,
     "workspace"
   );
-  const summary = JSON.stringify((0, import_types5.extractSummary)(resource));
+  const summary = JSON.stringify((0, import_types6.extractSummary)(resource));
   const userIdFromResource = extractReferenceSlug(resourceRecord, "user");
   const workspaceIdFromResource = extractReferenceSlug(
     resourceRecord,
@@ -7046,18 +7762,18 @@ async function getRoleByIdOperation(params) {
 }
 
 // src/data/operations/control/roleassignment/roleassignment-create-operation.ts
-var import_types8 = require("@openhi/types");
+var import_types9 = require("@openhi/types");
 var import_ulid2 = require("ulid");
 
 // src/data/operations/control/roleassignment/roleassignment-user-projection.ts
-var import_types6 = require("@openhi/types");
+var import_types7 = require("@openhi/types");
 var MISSING_NAME_SENTINEL3 = "-";
 function buildRoleAssignmentUserProjectionSkTenantLane(params) {
-  const normalizedRoleName = typeof params.denormalizedRoleName === "string" && params.denormalizedRoleName.length > 0 ? (0, import_types6.normalizeLabel)(params.denormalizedRoleName) : MISSING_NAME_SENTINEL3;
+  const normalizedRoleName = typeof params.denormalizedRoleName === "string" && params.denormalizedRoleName.length > 0 ? (0, import_types7.normalizeLabel)(params.denormalizedRoleName) : MISSING_NAME_SENTINEL3;
   return `ROLEASSIGNMENT#TENANT#${normalizedRoleName}#${params.roleId}#TID#${params.tenantId}#${params.roleAssignmentId}`;
 }
 function buildRoleAssignmentUserProjectionSkWorkspaceLane(params) {
-  const normalizedRoleName = typeof params.denormalizedRoleName === "string" && params.denormalizedRoleName.length > 0 ? (0, import_types6.normalizeLabel)(params.denormalizedRoleName) : MISSING_NAME_SENTINEL3;
+  const normalizedRoleName = typeof params.denormalizedRoleName === "string" && params.denormalizedRoleName.length > 0 ? (0, import_types7.normalizeLabel)(params.denormalizedRoleName) : MISSING_NAME_SENTINEL3;
   return `ROLEASSIGNMENT#WORKSPACE#${normalizedRoleName}#${params.roleId}#TID#${params.tenantId}#WID#${params.workspaceId}#${params.roleAssignmentId}`;
 }
 function buildRoleAssignmentUserProjectionItem(input) {
@@ -7110,10 +7826,10 @@ function extractReferenceSlug2(resource, fieldName) {
 }
 
 // src/data/operations/control/roleassignment/roleassignment-workspace-projection.ts
-var import_types7 = require("@openhi/types");
+var import_types8 = require("@openhi/types");
 var MISSING_NAME_SENTINEL4 = "-";
 function buildRoleAssignmentWorkspaceProjectionSk(params) {
-  const normalizedUserName = typeof params.denormalizedUserName === "string" && params.denormalizedUserName.length > 0 ? (0, import_types7.normalizeLabel)(params.denormalizedUserName) : MISSING_NAME_SENTINEL4;
+  const normalizedUserName = typeof params.denormalizedUserName === "string" && params.denormalizedUserName.length > 0 ? (0, import_types8.normalizeLabel)(params.denormalizedUserName) : MISSING_NAME_SENTINEL4;
   return `ROLEASSIGNMENT#${params.roleId}#${normalizedUserName}#USER#${params.userId}#${params.roleAssignmentId}`;
 }
 function buildRoleAssignmentWorkspaceProjectionItem(input) {
@@ -7187,7 +7903,7 @@ async function createRoleAssignmentOperation(params) {
     resourceRecord,
     "role"
   );
-  const summary = JSON.stringify((0, import_types8.extractSummary)(resource));
+  const summary = JSON.stringify((0, import_types9.extractSummary)(resource));
   const userIdFromResource = extractReferenceSlug2(resourceRecord, "user");
   const roleIdFromResource = extractReferenceSlug2(resourceRecord, "role");
   const workspaceIdFromResource = extractReferenceSlug2(
@@ -7284,7 +8000,7 @@ async function createRoleAssignmentOperation(params) {
 }
 
 // src/data/operations/control/tenant/tenant-create-operation.ts
-var import_types9 = require("@openhi/types");
+var import_types10 = require("@openhi/types");
 var import_ulid3 = require("ulid");
 async function createTenantOperation(params) {
   const { context, body, tableName } = params;
@@ -7294,7 +8010,7 @@ async function createTenantOperation(params) {
   const vid = lastUpdated.replace(/[-:T.Z]/g, "").slice(0, 12) || Date.now().toString(36);
   const parsedResource = typeof body.resource === "string" ? JSON.parse(body.resource) : body.resource ?? {};
   const resource = { resourceType: "Tenant", id, ...parsedResource };
-  const summary = JSON.stringify((0, import_types9.extractSummary)(resource));
+  const summary = JSON.stringify((0, import_types10.extractSummary)(resource));
   await service.entities.tenant.put({
     tenantId: id,
     id,
@@ -8344,87 +9060,6 @@ function getDynamoDataService(tableName) {
   };
 }
 
-// src/data/operations/data-operations-common.ts
-var import_types10 = require("@openhi/types");
-
-// src/lib/compression.ts
-var import_node_zlib = require("zlib");
-var ENVELOPE_VERSION = 1;
-var COMPRESSION_ALGOS = {
-  NONE: "none",
-  GZIP: "gzip",
-  BROTLI: "brotli",
-  DEFLATE: "deflate"
-};
-function compressResource(jsonString, options) {
-  const algo = options?.algo ?? COMPRESSION_ALGOS.GZIP;
-  if (algo === COMPRESSION_ALGOS.NONE) {
-    const envelope2 = {
-      v: ENVELOPE_VERSION,
-      algo: COMPRESSION_ALGOS.NONE,
-      payload: jsonString
-    };
-    return JSON.stringify(envelope2);
-  }
-  const buf = Buffer.from(jsonString, "utf-8");
-  const payload = (0, import_node_zlib.gzipSync)(buf).toString("base64");
-  const envelope = {
-    v: ENVELOPE_VERSION,
-    algo: COMPRESSION_ALGOS.GZIP,
-    payload
-  };
-  return JSON.stringify(envelope);
-}
-
-// src/data/audit-meta.ts
-var OPENHI_EXT = "http://openhi.org/fhir/StructureDefinition";
-function mergeAuditIntoMeta(meta, audit) {
-  const existing = meta ?? {};
-  const ext = [
-    ...Array.isArray(existing.extension) ? existing.extension : []
-  ];
-  const byUrl = new Map(ext.map((e) => [e.url, e]));
-  function set(url, value, type) {
-    if (value == null) return;
-    byUrl.set(url, { url, [type]: value });
-  }
-  set(`${OPENHI_EXT}/created-date`, audit.createdDate, "valueDateTime");
-  set(`${OPENHI_EXT}/created-by-id`, audit.createdById, "valueString");
-  set(`${OPENHI_EXT}/created-by-name`, audit.createdByName, "valueString");
-  set(`${OPENHI_EXT}/modified-date`, audit.modifiedDate, "valueDateTime");
-  set(`${OPENHI_EXT}/modified-by-id`, audit.modifiedById, "valueString");
-  set(`${OPENHI_EXT}/modified-by-name`, audit.modifiedByName, "valueString");
-  set(`${OPENHI_EXT}/deleted-date`, audit.deletedDate, "valueDateTime");
-  set(`${OPENHI_EXT}/deleted-by-id`, audit.deletedById, "valueString");
-  set(`${OPENHI_EXT}/deleted-by-name`, audit.deletedByName, "valueString");
-  return { ...existing, extension: Array.from(byUrl.values()) };
-}
-
-// src/data/operations/data-operations-common.ts
-var DATA_ENTITY_SK = "CURRENT";
-async function createDataEntityRecord(entity, tenantId, workspaceId, id, resourceWithAudit, fallbackDate) {
-  const lastUpdated = resourceWithAudit.meta?.lastUpdated ?? fallbackDate ?? (/* @__PURE__ */ new Date()).toISOString();
-  const vid = lastUpdated.replace(/[-:T.Z]/g, "").slice(0, 12) || Date.now().toString(36);
-  const resourceLike = resourceWithAudit;
-  const summary = JSON.stringify((0, import_types10.extractSummary)(resourceLike));
-  const gsi1sk = (0, import_types10.extractSortKey)(resourceLike);
-  await entity.put({
-    sk: DATA_ENTITY_SK,
-    tenantId,
-    workspaceId,
-    id,
-    resource: compressResource(JSON.stringify(resourceWithAudit)),
-    summary,
-    vid,
-    lastUpdated,
-    gsi1sk
-  }).go();
-  return {
-    id,
-    resource: resourceWithAudit
-  };
-}
-
 // src/data/operations/data/organization/organization-provision-for-workspace-operation.ts
 async function provisionOrganizationForWorkspaceOperation(params) {
   const { context, workspaceId, workspaceName, tableName } = params;
@@ -9479,7 +10114,13 @@ var seedWorkspaceDataPlane = async (baseContext, group, failures) => {
   }
 };
 var seedDemoGraph = async (params) => {
-  const { baseContext, devUsers, cognito, onSiteTesters = [] } = params;
+  const {
+    baseContext,
+    devUsers,
+    cognito,
+    onSiteTesters = [],
+    reconcileCounters = () => reconcileAllCountersOperation({})
+  } = params;
   const failures = [];
   for (const spec of [...DEMO_TENANT_SPECS, ...ON_SITE_UAT_TENANT_SPECS]) {
     const tenantContext = {
@@ -9653,6 +10294,11 @@ var seedDemoGraph = async (params) => {
       tester.role
     );
   }
+  try {
+    await reconcileCounters();
+  } catch (err) {
+    console.error("seed-demo-data: counter reconciliation failed:", err);
+  }
   for (const group of DEMO_DATA_PLANE_FIXTURES) {
     try {
       await seedWorkspaceDataPlane(baseContext, group, failures);