npm - @openhi/constructs - Versions diffs - 0.0.178 → 0.0.180 - Mend

@openhi/constructs 0.0.178 → 0.0.180

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (54) hide show

package/lib/{chunk-Z4PZSLYY.mjs → chunk-3M4QTQH6.mjs} +2 -2
package/lib/{chunk-JUSVETWK.mjs → chunk-4LQR32D2.mjs} +38 -40
package/lib/{chunk-JUSVETWK.mjs.map → chunk-4LQR32D2.mjs.map} +1 -1
package/lib/{chunk-XNUCKVSE.mjs → chunk-7GMTHOYF.mjs} +2 -2
package/lib/{chunk-E2OWEBBH.mjs → chunk-DIVYB6GD.mjs} +18 -4
package/lib/chunk-DIVYB6GD.mjs.map +1 -0
package/lib/chunk-F2LY4TEI.mjs +272 -0
package/lib/chunk-F2LY4TEI.mjs.map +1 -0
package/lib/{chunk-GG2WD6TA.mjs → chunk-JJ3AQ6G5.mjs} +9 -3
package/lib/{chunk-GG2WD6TA.mjs.map → chunk-JJ3AQ6G5.mjs.map} +1 -1
package/lib/{chunk-EBB4RNUG.mjs → chunk-PIQISEGW.mjs} +2 -2
package/lib/{chunk-FDBBTNCI.mjs → chunk-Q4KQD2NB.mjs} +117 -5
package/lib/chunk-Q4KQD2NB.mjs.map +1 -0
package/lib/{chunk-Y4RGUAM2.mjs → chunk-V6KLFEHC.mjs} +105 -34
package/lib/chunk-V6KLFEHC.mjs.map +1 -0
package/lib/chunk-VQY57NOV.mjs +60 -0
package/lib/chunk-VQY57NOV.mjs.map +1 -0
package/lib/counter-maintenance.handler.mjs +4 -4
package/lib/counter-reconciliation.handler.js +2 -2
package/lib/counter-reconciliation.handler.js.map +1 -1
package/lib/counter-reconciliation.handler.mjs +9 -267
package/lib/counter-reconciliation.handler.mjs.map +1 -1
package/lib/index.d.mts +117 -2
package/lib/index.d.ts +117 -2
package/lib/index.js +6454 -6243
package/lib/index.js.map +1 -1
package/lib/index.mjs +106 -4
package/lib/index.mjs.map +1 -1
package/lib/pre-token-generation.handler.js +28 -19
package/lib/pre-token-generation.handler.js.map +1 -1
package/lib/pre-token-generation.handler.mjs +4 -5
package/lib/pre-token-generation.handler.mjs.map +1 -1
package/lib/provision-default-workspace.handler.js +22 -19
package/lib/provision-default-workspace.handler.js.map +1 -1
package/lib/provision-default-workspace.handler.mjs +3 -4
package/lib/provision-default-workspace.handler.mjs.map +1 -1
package/lib/rest-api-lambda.handler.js +367 -208
package/lib/rest-api-lambda.handler.js.map +1 -1
package/lib/rest-api-lambda.handler.mjs +210 -165
package/lib/rest-api-lambda.handler.mjs.map +1 -1
package/lib/seed-demo-data.handler.d.mts +19 -0
package/lib/seed-demo-data.handler.d.ts +19 -0
package/lib/seed-demo-data.handler.js +805 -159
package/lib/seed-demo-data.handler.js.map +1 -1
package/lib/seed-demo-data.handler.mjs +8 -4
package/package.json +1 -1
package/lib/chunk-6HGSR3TG.mjs +0 -123
package/lib/chunk-6HGSR3TG.mjs.map +0 -1
package/lib/chunk-E2OWEBBH.mjs.map +0 -1
package/lib/chunk-FDBBTNCI.mjs.map +0 -1
package/lib/chunk-Y4RGUAM2.mjs.map +0 -1
/package/lib/{chunk-Z4PZSLYY.mjs.map → chunk-3M4QTQH6.mjs.map} +0 -0
/package/lib/{chunk-XNUCKVSE.mjs.map → chunk-7GMTHOYF.mjs.map} +0 -0
/package/lib/{chunk-EBB4RNUG.mjs.map → chunk-PIQISEGW.mjs.map} +0 -0

package/lib/rest-api-lambda.handler.js CHANGED Viewed

@@ -3578,7 +3578,7 @@ async function deleteDataEntityById(entity, tenantId, workspaceId, id) {
 }
 var BATCH_GET_MAX_ATTEMPTS = 3;
 var BATCH_GET_BASE_BACKOFF_MS = 50;
-async function batchGetWithRetry(entity, keys) {
+async function batchGetWithRetry(entity, keys, options) {
   if (keys.length === 0) return [];
   const collected = [];
   let pending = keys;
@@ -3590,7 +3590,7 @@ async function batchGetWithRetry(entity, keys) {
       );
     }
     attempt++;
-    const result = await entity.get(pending).go();
+    const result = await entity.get(pending).go(options?.consistent ? { consistent: true } : void 0);
     collected.push(...result.data);
     const unprocessed = result.unprocessed ?? [];
     if (unprocessed.length === 0) break;
@@ -7153,9 +7153,15 @@ async function listRoleAssignmentsOperation(params) {
     )
   );
   return dispatchListMode(mode, shardResults, {
+    // Strongly-consistent BatchGet on the base table so a role change is
+    // reflected immediately by the read-back the admin-console dropdowns
+    // issue right after their PUT/POST. Without it the eventually-consistent
+    // hydration can return the *previous* role, making the dropdown appear
+    // to revert (#1347).
     hydrate: (orderedIds) => batchGetWithRetry(
       service.entities.roleAssignment,
-      orderedIds.map((id) => ({ tenantId, id, sk: SK8 }))
+      orderedIds.map((id) => ({ tenantId, id, sk: SK8 })),
+      { consistent: true }
     ),
     getId: (item) => item.id,
     buildEntry: (id, item) => ({
@@ -7543,6 +7549,76 @@ async function listTenantsRoute(req, res) {
   });
 }
+// src/data/operations/control/roleassignment/roleassignment-list-by-user-operation.ts
+function buildSkPrefix(mode) {
+  switch (mode) {
+    case "tenant":
+      return "ROLEASSIGNMENT#TENANT#";
+    case "workspace":
+    case "workspaceInTenant":
+      return "ROLEASSIGNMENT#WORKSPACE#";
+    case "all":
+    default:
+      return "ROLEASSIGNMENT#";
+  }
+}
+async function roleAssignmentListByUserOperation(params) {
+  const {
+    userId,
+    mode = "all",
+    tenantId,
+    workspaceId,
+    cursor = null,
+    limit,
+    order,
+    consistent,
+    tableName
+  } = params;
+  if (mode === "workspaceInTenant" && !tenantId) {
+    throw new Error(
+      'roleAssignmentListByUserOperation: tenantId is required when mode === "workspaceInTenant"'
+    );
+  }
+  const service = getDynamoControlService(tableName);
+  const skPrefix = buildSkPrefix(mode);
+  const goOptions = {
+    cursor
+  };
+  if (limit !== void 0) {
+    goOptions.limit = limit;
+  }
+  if (order !== void 0) {
+    goOptions.order = order;
+  }
+  if (consistent) {
+    goOptions.consistent = true;
+  }
+  const baseQuery = service.entities.roleAssignmentUserProjection.query.record({ userId }).begins({ sk: skPrefix });
+  const filteredQuery = mode === "workspaceInTenant" ? baseQuery.where((attr, op) => {
+    const tenantClause = op.eq(attr.tenantId, tenantId);
+    if (workspaceId === void 0 || workspaceId.length === 0) {
+      return tenantClause;
+    }
+    return `${tenantClause} AND ${op.eq(attr.workspaceId, workspaceId)}`;
+  }) : baseQuery;
+  const result = await filteredQuery.go(goOptions);
+  const items = (result.data ?? []).map((row) => ({
+    userId: row.userId,
+    sk: row.sk,
+    tenantId: row.tenantId,
+    workspaceId: row.workspaceId,
+    roleId: row.roleId,
+    roleAssignmentId: row.roleAssignmentId,
+    summary: row.summary,
+    vid: row.vid,
+    lastUpdated: row.lastUpdated,
+    denormalizedTenantName: row.denormalizedTenantName,
+    denormalizedUserName: row.denormalizedUserName,
+    denormalizedRoleName: row.denormalizedRoleName
+  }));
+  return { items, cursor: result.cursor ?? null };
+}
 // src/data/operations/control/workspace/workspace-list-operation.ts
 var SK10 = "CURRENT";
 function counterValue2(value) {
@@ -7626,18 +7702,6 @@ function extractDisplayName(user) {
   const composed = `${given} ${family}`.trim();
   return composed.length > 0 ? composed : null;
 }
-function extractReferenceDisplay(resource, fieldName) {
-  const field = resource[fieldName];
-  if (!field || typeof field !== "object") {
-    return null;
-  }
-  const display = field.display;
-  if (typeof display !== "string") {
-    return null;
-  }
-  const trimmed = display.trim();
-  return trimmed.length > 0 ? trimmed : null;
-}
 function ensureAccumulator(byUser, userId) {
   let acc = byUser.get(userId);
   if (!acc) {
@@ -7649,9 +7713,8 @@ function ensureAccumulator(byUser, userId) {
 async function tenantUsersOperation(params) {
   const { context, tableName } = params;
   const service = getDynamoControlService(tableName);
-  const [memberships, roleAssignments, workspaces] = await Promise.all([
+  const [memberships, workspaces] = await Promise.all([
     listMembershipsOperation({ context, tableName }),
-    listRoleAssignmentsOperation({ context, tableName }),
     listWorkspacesOperation({ context, tableName })
   ]);
   const workspaceNames = /* @__PURE__ */ new Map();
@@ -7673,34 +7736,46 @@ async function tenantUsersOperation(params) {
       acc.workspaces.set(workspaceId, { workspaceId, role: null });
     }
   }
-  for (const entry of roleAssignments.entries) {
-    const resource = entry.resource;
-    const userId = extractReferenceSlug(resource, "user");
-    const roleId = extractReferenceSlug(resource, "role");
-    if (userId === void 0 || roleId === void 0) {
-      continue;
-    }
+  const membershipUserIds = Array.from(byUser.keys());
+  const projectionPages = await Promise.all(
+    membershipUserIds.map(
+      (userId) => roleAssignmentListByUserOperation({
+        userId,
+        mode: "all",
+        consistent: true,
+        tableName
+      })
+    )
+  );
+  projectionPages.forEach((page, index) => {
+    const userId = membershipUserIds[index];
     const acc = ensureAccumulator(byUser, userId);
-    const role = {
-      roleId,
-      roleName: extractReferenceDisplay(resource, "role")
-    };
-    const workspaceId = extractReferenceSlug(resource, "workspace");
-    if (workspaceId === void 0) {
-      acc.tenantRole = role;
-    } else {
-      const existing = acc.workspaces.get(workspaceId);
-      if (existing) {
-        existing.role = role;
+    for (const row of page.items) {
+      if (row.tenantId !== context.tenantId) {
+        continue;
+      }
+      const role = {
+        roleId: row.roleId,
+        roleName: row.denormalizedRoleName ?? null
+      };
+      const workspaceId = row.workspaceId;
+      if (workspaceId === void 0 || workspaceId.length === 0) {
+        acc.tenantRole = role;
       } else {
-        acc.workspaces.set(workspaceId, { workspaceId, role });
+        const existing = acc.workspaces.get(workspaceId);
+        if (existing) {
+          existing.role = role;
+        } else {
+          acc.workspaces.set(workspaceId, { workspaceId, role });
+        }
       }
     }
-  }
+  });
   const userIds = Array.from(byUser.keys());
   const userRows = userIds.length === 0 ? [] : await batchGetWithRetry(
     service.entities.user,
-    userIds.map((id) => ({ id, sk: USER_SK }))
+    userIds.map((id) => ({ id, sk: USER_SK })),
+    { consistent: true }
   );
   const usersById = /* @__PURE__ */ new Map();
   for (const row of userRows) {
@@ -7847,8 +7922,240 @@ router6.delete("/:id", deleteTenantRoute);
 // src/data/rest-api/routes/control/user/user.ts
 var import_express7 = __toESM(require("express"));
-// src/data/operations/control/user/user-create-operation.ts
+// src/data/operations/control/user/user-admin-set-context-operation.ts
 var import_types18 = require("@openhi/types");
+// src/data/operations/control/user/user-get-by-id-operation.ts
+async function getUserByIdOperation(params) {
+  const { id, tableName } = params;
+  const service = getDynamoControlService(tableName);
+  const response = await service.entities.user.get({ id, sk: "CURRENT" }).go();
+  const item = response.data;
+  if (!item) {
+    throw new NotFoundError(`User not found: ${id}`);
+  }
+  const parsedResource = JSON.parse(item.resource);
+  return {
+    id,
+    resource: { resourceType: "User", id, ...parsedResource }
+  };
+}
+// src/data/operations/fhir-reference.ts
+function idFromReference(reference, prefix) {
+  if (!reference || !reference.startsWith(prefix)) {
+    return void 0;
+  }
+  const id = reference.slice(prefix.length);
+  return id.length > 0 ? id : void 0;
+}
+// src/data/operations/control/membership/membership-list-by-user-operation.ts
+function buildSkPrefix2(mode, tenantId) {
+  switch (mode) {
+    case "tenant":
+      return "MEMBERSHIP#TENANT#";
+    case "workspace":
+      return "MEMBERSHIP#WORKSPACE#";
+    case "workspaceInTenant":
+      return `MEMBERSHIP#WORKSPACE#TID#${tenantId}#`;
+    case "all":
+    default:
+      return "MEMBERSHIP#";
+  }
+}
+async function membershipListByUserOperation(params) {
+  const {
+    userId,
+    mode = "all",
+    tenantId,
+    cursor = null,
+    limit,
+    order,
+    tableName
+  } = params;
+  if (mode === "workspaceInTenant" && !tenantId) {
+    throw new Error(
+      'membershipListByUserOperation: tenantId is required when mode === "workspaceInTenant"'
+    );
+  }
+  const service = getDynamoControlService(tableName);
+  const skPrefix = buildSkPrefix2(mode, tenantId);
+  const goOptions = {
+    cursor
+  };
+  if (limit !== void 0) {
+    goOptions.limit = limit;
+  }
+  if (order !== void 0) {
+    goOptions.order = order;
+  }
+  const result = await service.entities.membershipUserProjection.query.record({ userId }).begins({ sk: skPrefix }).go(goOptions);
+  const items = (result.data ?? []).map(
+    (row) => ({
+      userId: row.userId,
+      sk: row.sk,
+      tenantId: row.tenantId,
+      workspaceId: row.workspaceId,
+      membershipId: row.membershipId,
+      summary: row.summary,
+      vid: row.vid,
+      lastUpdated: row.lastUpdated,
+      denormalizedTenantName: row.denormalizedTenantName,
+      denormalizedUserName: row.denormalizedUserName,
+      denormalizedWorkspaceName: row.denormalizedWorkspaceName
+    })
+  );
+  return { items, cursor: result.cursor ?? null };
+}
+// src/data/operations/control/user/user-admin-set-context-operation.ts
+var SK11 = "CURRENT";
+async function adminSetUserContextOperation(params) {
+  const {
+    context,
+    targetUserId,
+    tenantReference,
+    workspaceReference,
+    tableName
+  } = params;
+  const tenantId = idFromReference(tenantReference, "Tenant/");
+  if (!tenantId) {
+    throw new ValidationError(
+      "tenant.reference must be a 'Tenant/<id>' reference."
+    );
+  }
+  const workspaceId = idFromReference(workspaceReference, "Workspace/");
+  if (!workspaceId) {
+    throw new ValidationError(
+      "workspace.reference must be a 'Workspace/<id>' reference."
+    );
+  }
+  const target = await getUserByIdOperation({
+    context,
+    id: targetUserId,
+    tableName
+  });
+  const projection = await membershipListByUserOperation({
+    userId: targetUserId,
+    mode: "workspaceInTenant",
+    tenantId,
+    tableName
+  });
+  const hasMembership = projection.items.some(
+    (row) => row.workspaceId === workspaceId
+  );
+  if (!hasMembership) {
+    throw new ForbiddenError(
+      `User is not a member of Workspace/${workspaceId} in Tenant/${tenantId}.`
+    );
+  }
+  const updatedResource = {
+    ...target.resource,
+    resourceType: "User",
+    id: targetUserId,
+    currentTenant: { reference: `Tenant/${tenantId}` },
+    currentWorkspace: { reference: `Workspace/${workspaceId}` }
+  };
+  const lastUpdated = (params.now ? params.now() : /* @__PURE__ */ new Date()).toISOString();
+  const vid = `${Date.now()}`;
+  const summary = JSON.stringify(
+    (0, import_types18.extractSummary)(updatedResource)
+  );
+  const service = getDynamoControlService(tableName);
+  await service.entities.user.patch({ id: targetUserId, sk: SK11 }).set({
+    resource: JSON.stringify(updatedResource),
+    summary,
+    vid,
+    lastUpdated
+  }).go();
+  return {
+    id: targetUserId,
+    resource: updatedResource,
+    meta: { lastUpdated, versionId: vid }
+  };
+}
+// src/data/rest-api/routes/control/user/user-admin-set-context-route.ts
+async function userAdminSetContextRoute(req, res) {
+  const ctx = req.openhiContext;
+  if (!ctx) {
+    return res.status(403).json({
+      resourceType: "OperationOutcome",
+      issue: [
+        {
+          severity: "error",
+          code: "forbidden",
+          diagnostics: "Missing or invalid OpenHI JWT claims (tenant, workspace, or audit context)."
+        }
+      ]
+    });
+  }
+  const targetUserId = String(req.params.id);
+  const bodyResult = requireJsonBody(req, res);
+  if ("errorResponse" in bodyResult) {
+    return bodyResult.errorResponse;
+  }
+  const body = bodyResult.body;
+  const tenantReference = body.tenant?.reference;
+  const workspaceReference = body.workspace?.reference;
+  if (typeof tenantReference !== "string" || tenantReference === "") {
+    return sendInvalid(
+      res,
+      "Body must include `tenant.reference` (e.g. 'Tenant/<id>')."
+    );
+  }
+  if (typeof workspaceReference !== "string" || workspaceReference === "") {
+    return sendInvalid(
+      res,
+      "Body must include `workspace.reference` (e.g. 'Workspace/<id>')."
+    );
+  }
+  try {
+    const result = await adminSetUserContextOperation({
+      context: ctx,
+      targetUserId,
+      tenantReference,
+      workspaceReference
+    });
+    res.setHeader("Cache-Control", "no-store");
+    return res.status(200).json(result.resource);
+  } catch (err) {
+    if (err instanceof ValidationError) {
+      return sendInvalid(res, err.message);
+    }
+    if (err instanceof ForbiddenError) {
+      return res.status(403).json({
+        resourceType: "OperationOutcome",
+        issue: [
+          { severity: "error", code: "forbidden", diagnostics: err.message }
+        ]
+      });
+    }
+    if (err instanceof NotFoundError) {
+      return res.status(404).json({
+        resourceType: "OperationOutcome",
+        issue: [
+          { severity: "error", code: "not-found", diagnostics: err.message }
+        ]
+      });
+    }
+    return sendOperationOutcome500(
+      res,
+      err,
+      "POST /User/:id/$set-context error:"
+    );
+  }
+}
+function sendInvalid(res, diagnostics) {
+  return res.status(400).json({
+    resourceType: "OperationOutcome",
+    issue: [{ severity: "error", code: "invalid", diagnostics }]
+  });
+}
+// src/data/operations/control/user/user-create-operation.ts
+var import_types19 = require("@openhi/types");
 var import_ulid5 = require("ulid");
 async function createUserOperation(params) {
   const { context, body, tableName } = params;
@@ -7858,7 +8165,7 @@ async function createUserOperation(params) {
   const lastUpdated = context.date ?? (/* @__PURE__ */ new Date()).toISOString();
   const vid = `1`;
   const resource = { resourceType: "User", id, ...parsedResource };
-  const summary = JSON.stringify((0, import_types18.extractSummary)(resource));
+  const summary = JSON.stringify((0, import_types19.extractSummary)(resource));
   await service.entities.user.put({
     id,
     resource: JSON.stringify(resource),
@@ -7925,22 +8232,6 @@ async function deleteUserRoute(req, res) {
   }
 }
-// src/data/operations/control/user/user-get-by-id-operation.ts
-async function getUserByIdOperation(params) {
-  const { id, tableName } = params;
-  const service = getDynamoControlService(tableName);
-  const response = await service.entities.user.get({ id, sk: "CURRENT" }).go();
-  const item = response.data;
-  if (!item) {
-    throw new NotFoundError(`User not found: ${id}`);
-  }
-  const parsedResource = JSON.parse(item.resource);
-  return {
-    id,
-    resource: { resourceType: "User", id, ...parsedResource }
-  };
-}
 // src/data/rest-api/routes/control/user/user-get-by-id-route.ts
 async function getUserByIdRoute(req, res) {
   const id = String(req.params.id);
@@ -8291,65 +8582,6 @@ async function listUserConfigurationsRoute(req, res) {
   }
 }
-// src/data/operations/control/membership/membership-list-by-user-operation.ts
-function buildSkPrefix(mode, tenantId) {
-  switch (mode) {
-    case "tenant":
-      return "MEMBERSHIP#TENANT#";
-    case "workspace":
-      return "MEMBERSHIP#WORKSPACE#";
-    case "workspaceInTenant":
-      return `MEMBERSHIP#WORKSPACE#TID#${tenantId}#`;
-    case "all":
-    default:
-      return "MEMBERSHIP#";
-  }
-}
-async function membershipListByUserOperation(params) {
-  const {
-    userId,
-    mode = "all",
-    tenantId,
-    cursor = null,
-    limit,
-    order,
-    tableName
-  } = params;
-  if (mode === "workspaceInTenant" && !tenantId) {
-    throw new Error(
-      'membershipListByUserOperation: tenantId is required when mode === "workspaceInTenant"'
-    );
-  }
-  const service = getDynamoControlService(tableName);
-  const skPrefix = buildSkPrefix(mode, tenantId);
-  const goOptions = {
-    cursor
-  };
-  if (limit !== void 0) {
-    goOptions.limit = limit;
-  }
-  if (order !== void 0) {
-    goOptions.order = order;
-  }
-  const result = await service.entities.membershipUserProjection.query.record({ userId }).begins({ sk: skPrefix }).go(goOptions);
-  const items = (result.data ?? []).map(
-    (row) => ({
-      userId: row.userId,
-      sk: row.sk,
-      tenantId: row.tenantId,
-      workspaceId: row.workspaceId,
-      membershipId: row.membershipId,
-      summary: row.summary,
-      vid: row.vid,
-      lastUpdated: row.lastUpdated,
-      denormalizedTenantName: row.denormalizedTenantName,
-      denormalizedUserName: row.denormalizedUserName,
-      denormalizedWorkspaceName: row.denormalizedWorkspaceName
-    })
-  );
-  return { items, cursor: result.cursor ?? null };
-}
 // src/data/operations/control/membership/membership-count-by-user-operation.ts
 async function countMembershipsByUserOperation(params) {
   const { userId, mode = "all", tenantId, tableName } = params;
@@ -8359,7 +8591,7 @@ async function countMembershipsByUserOperation(params) {
     );
   }
   const service = getDynamoControlService(tableName);
-  const skPrefix = buildSkPrefix(mode, tenantId);
+  const skPrefix = buildSkPrefix2(mode, tenantId);
   const result = await service.entities.membershipUserProjection.query.record({ userId }).begins({ sk: skPrefix }).go({ pages: "all", attributes: ["membershipId"] });
   return (result.data ?? []).length;
 }
@@ -8512,72 +8744,6 @@ async function listUserMembershipsRoute(req, res) {
   }
 }
-// src/data/operations/control/roleassignment/roleassignment-list-by-user-operation.ts
-function buildSkPrefix2(mode) {
-  switch (mode) {
-    case "tenant":
-      return "ROLEASSIGNMENT#TENANT#";
-    case "workspace":
-    case "workspaceInTenant":
-      return "ROLEASSIGNMENT#WORKSPACE#";
-    case "all":
-    default:
-      return "ROLEASSIGNMENT#";
-  }
-}
-async function roleAssignmentListByUserOperation(params) {
-  const {
-    userId,
-    mode = "all",
-    tenantId,
-    workspaceId,
-    cursor = null,
-    limit,
-    order,
-    tableName
-  } = params;
-  if (mode === "workspaceInTenant" && !tenantId) {
-    throw new Error(
-      'roleAssignmentListByUserOperation: tenantId is required when mode === "workspaceInTenant"'
-    );
-  }
-  const service = getDynamoControlService(tableName);
-  const skPrefix = buildSkPrefix2(mode);
-  const goOptions = {
-    cursor
-  };
-  if (limit !== void 0) {
-    goOptions.limit = limit;
-  }
-  if (order !== void 0) {
-    goOptions.order = order;
-  }
-  const baseQuery = service.entities.roleAssignmentUserProjection.query.record({ userId }).begins({ sk: skPrefix });
-  const filteredQuery = mode === "workspaceInTenant" ? baseQuery.where((attr, op) => {
-    const tenantClause = op.eq(attr.tenantId, tenantId);
-    if (workspaceId === void 0 || workspaceId.length === 0) {
-      return tenantClause;
-    }
-    return `${tenantClause} AND ${op.eq(attr.workspaceId, workspaceId)}`;
-  }) : baseQuery;
-  const result = await filteredQuery.go(goOptions);
-  const items = (result.data ?? []).map((row) => ({
-    userId: row.userId,
-    sk: row.sk,
-    tenantId: row.tenantId,
-    workspaceId: row.workspaceId,
-    roleId: row.roleId,
-    roleAssignmentId: row.roleAssignmentId,
-    summary: row.summary,
-    vid: row.vid,
-    lastUpdated: row.lastUpdated,
-    denormalizedTenantName: row.denormalizedTenantName,
-    denormalizedUserName: row.denormalizedUserName,
-    denormalizedRoleName: row.denormalizedRoleName
-  }));
-  return { items, cursor: result.cursor ?? null };
-}
 // src/data/operations/control/roleassignment/roleassignment-list-by-workspace-operation.ts
 function buildSkPrefix3(roleId) {
   if (roleId === void 0 || roleId.length === 0) {
@@ -8714,7 +8880,7 @@ async function listUserRoleAssignmentsRoute(req, res) {
 }
 // src/data/operations/control/user/user-list-operation.ts
-var SK11 = "CURRENT";
+var SK12 = "CURRENT";
 function counterValue3(value) {
   return typeof value === "number" && Number.isFinite(value) ? value : 0;
 }
@@ -8730,7 +8896,7 @@ async function listUsersOperation(params) {
   return dispatchListMode(mode, shardResults, {
     hydrate: (orderedIds) => batchGetWithRetry(
       service.entities.user,
-      orderedIds.map((id) => ({ id, sk: SK11 }))
+      orderedIds.map((id) => ({ id, sk: SK12 }))
     ),
     getId: (item) => item.id,
     // FULL mode (admin list default): read the ADR-028 counters off the
@@ -8774,7 +8940,7 @@ async function listUsersRoute(req, res) {
 }
 // src/data/operations/control/user/user-update-operation.ts
-var import_types19 = require("@openhi/types");
+var import_types20 = require("@openhi/types");
 async function updateUserOperation(params) {
   const { context, id, body, tableName } = params;
   const service = getDynamoControlService(tableName);
@@ -8786,7 +8952,7 @@ async function updateUserOperation(params) {
   const lastUpdated = context.date ?? (/* @__PURE__ */ new Date()).toISOString();
   const vid = `${Date.now()}`;
   const resource = { resourceType: "User", id, ...parsedResource };
-  const summary = JSON.stringify((0, import_types19.extractSummary)(resource));
+  const summary = JSON.stringify((0, import_types20.extractSummary)(resource));
   await service.entities.user.put({
     id,
     resource: JSON.stringify(resource),
@@ -8848,6 +9014,7 @@ router7.get("/:id", getUserByIdRoute);
 router7.post("/", createUserRoute);
 router7.put("/:id", updateUserRoute);
 router7.delete("/:id", deleteUserRoute);
+router7.post("/:id/$set-context", userAdminSetContextRoute);
 router7.get("/:id/Membership", listUserMembershipsRoute);
 router7.get("/:id/RoleAssignment", listUserRoleAssignmentsRoute);
 router7.get("/:id/Configuration", listUserConfigurationsRoute);
@@ -8893,7 +9060,7 @@ async function findUserBySubOperation(params) {
 }
 // src/data/operations/control/user/user-switch-tenant-workspace-operation.ts
-var import_types20 = require("@openhi/types");
+var import_types21 = require("@openhi/types");
 // src/data/operations/control/user/user-resource-helpers.ts
 function parseUserResource(resource) {
@@ -8904,17 +9071,8 @@ function parseUserResource(resource) {
   }
 }
-// src/data/operations/fhir-reference.ts
-function idFromReference(reference, prefix) {
-  if (!reference || !reference.startsWith(prefix)) {
-    return void 0;
-  }
-  const id = reference.slice(prefix.length);
-  return id.length > 0 ? id : void 0;
-}
 // src/data/operations/control/user/user-switch-tenant-workspace-operation.ts
-var SK12 = "CURRENT";
+var SK13 = "CURRENT";
 async function switchUserTenantWorkspaceOperation(params) {
   const { cognitoSub, tenantReference, workspaceReference, tableName } = params;
   const tenantId = idFromReference(tenantReference, "Tenant/");
@@ -8972,10 +9130,10 @@ async function switchUserTenantWorkspaceOperation(params) {
   const lastUpdated = (params.now ? params.now() : /* @__PURE__ */ new Date()).toISOString();
   const vid = `${Date.now()}`;
   const summary = JSON.stringify(
-    (0, import_types20.extractSummary)(updatedResource)
+    (0, import_types21.extractSummary)(updatedResource)
   );
   const service = getDynamoControlService(tableName);
-  await service.entities.user.patch({ id: user.id, sk: SK12 }).set({
+  await service.entities.user.patch({ id: user.id, sk: SK13 }).set({
     resource: JSON.stringify(updatedResource),
     summary,
     vid,
@@ -9330,13 +9488,13 @@ async function userSwitchRoute(req, res) {
   const tenantReference = body.tenant?.reference;
   const workspaceReference = body.workspace?.reference;
   if (typeof tenantReference !== "string" || tenantReference === "") {
-    return sendInvalid(
+    return sendInvalid2(
       res,
       "Body must include `tenant.reference` (e.g. 'Tenant/<id>')."
     );
   }
   if (typeof workspaceReference !== "string" || workspaceReference === "") {
-    return sendInvalid(
+    return sendInvalid2(
       res,
       "Body must include `workspace.reference` (e.g. 'Workspace/<id>')."
     );
@@ -9351,7 +9509,7 @@ async function userSwitchRoute(req, res) {
     return res.status(200).json(result.resource);
   } catch (err) {
     if (err instanceof ValidationError) {
-      return sendInvalid(res, err.message);
+      return sendInvalid2(res, err.message);
     }
     if (err instanceof ForbiddenError) {
       return res.status(403).json({
@@ -9372,7 +9530,7 @@ async function userSwitchRoute(req, res) {
     return sendOperationOutcome500(res, err, "POST /User/$switch error:");
   }
 }
-function sendInvalid(res, diagnostics) {
+function sendInvalid2(res, diagnostics) {
   return res.status(400).json({
     resourceType: "OperationOutcome",
     issue: [{ severity: "error", code: "invalid", diagnostics }]
@@ -9388,7 +9546,7 @@ router8.post("/$switch", userSwitchRoute);
 var import_express9 = __toESM(require("express"));
 // src/data/operations/control/workspace/workspace-create-operation.ts
-var import_types21 = require("@openhi/types");
+var import_types22 = require("@openhi/types");
 var import_ulid6 = require("ulid");
 // src/data/operations/data/organization/organization-provision-for-workspace-operation.ts
@@ -9439,7 +9597,7 @@ async function createWorkspaceOperation(params) {
   const vid = lastUpdated.replace(/[-:T.Z]/g, "").slice(0, 12) || Date.now().toString(36);
   const parsedResource = typeof body.resource === "string" ? JSON.parse(body.resource) : body.resource ?? {};
   const resource = { resourceType: "Workspace", id, ...parsedResource };
-  const summary = JSON.stringify((0, import_types21.extractSummary)(resource));
+  const summary = JSON.stringify((0, import_types22.extractSummary)(resource));
   await service.entities.workspace.put({
     tenantId,
     id,
@@ -9803,7 +9961,7 @@ async function listWorkspacesRoute(req, res) {
 }
 // src/data/operations/control/workspace/workspace-update-operation.ts
-var import_types22 = require("@openhi/types");
+var import_types23 = require("@openhi/types");
 async function updateWorkspaceOperation(params) {
   const { context, id, body, tableName } = params;
   const { tenantId } = context;
@@ -9822,7 +9980,7 @@ async function updateWorkspaceOperation(params) {
     resourceType: "Workspace",
     id
   };
-  const summary = JSON.stringify((0, import_types22.extractSummary)(updated));
+  const summary = JSON.stringify((0, import_types23.extractSummary)(updated));
   await service.entities.workspace.patch({ tenantId, id, sk: "CURRENT" }).set({ resource: JSON.stringify(updated), summary, vid, lastUpdated }).go();
   return { id, resource: updated, meta: { lastUpdated, versionId: vid } };
 }
@@ -11250,7 +11408,8 @@ function combineSearchPredicates(opts) {
     if (fragmentSqls.length === 1) {
       groupSqls.push(fragmentSqls[0]);
     } else {
-      groupSqls.push(`(${fragmentSqls.join(" OR ")})`);
+      const joiner = registered.type === "date" ? " AND " : " OR ";
+      groupSqls.push(`(${fragmentSqls.join(joiner)})`);
     }
   }
   if (groupSqls.length === 0) {