npm - @openhi/constructs - Versions diffs - 0.0.189 → 0.0.190 - Mend

@openhi/constructs 0.0.189 → 0.0.190

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (37) hide show

package/lib/counter-reconciliation.handler.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["../../workflows/src/envelope-version.ts","../../workflows/src/envelope.ts","../../workflows/src/sources.ts","../../workflows/src/detail-types/registry.ts","../../workflows/src/detail-types/control-plane.ts","../../workflows/src/detail-types/platform.ts","../../workflows/src/detail-types/index.ts","../../workflows/src/publisher.ts","../../workflows/src/consumer.ts","../../workflows/src/dedup/env.ts","../../workflows/src/dedup/workflow-dedup-client.ts","../../workflows/src/dedup/index.ts","../../workflows/src/index.ts","../src/workflows/control-plane/counter-reconciliation/counter-reconciliation.handler.ts","../src/data/dynamo/dynamo-control-service.ts","../src/data/dynamo/dynamo-client.ts","../src/data/dynamo/entities/control/configuration-entity.ts","../src/data/dynamo/entities/control/control-entity-common.ts","../src/data/dynamo/shard.ts","../src/data/dynamo/entities/control/configuration-user-projection-entity.ts","../src/data/dynamo/entities/control/configuration-workspace-projection-entity.ts","../src/data/dynamo/entities/control/membership-entity.ts","../src/data/dynamo/entities/control/membership-user-projection-entity.ts","../src/data/dynamo/entities/control/membership-workspace-projection-entity.ts","../src/data/dynamo/entities/control/role-entity.ts","../src/data/dynamo/entities/control/roleassignment-entity.ts","../src/data/dynamo/entities/control/roleassignment-user-projection-entity.ts","../src/data/dynamo/entities/control/roleassignment-workspace-projection-entity.ts","../src/data/dynamo/entities/control/tenant-entity.ts","../src/data/dynamo/entities/control/user-entity.ts","../src/data/dynamo/entities/control/workspace-entity.ts","../src/data/operations/control/counters/counter-apply-operation.ts","../src/data/operations/control/counters/role-admin-classification.ts","../src/data/operations/control/control-event-publisher.ts","../src/data/operations/control/membership/membership-list-by-user-operation.ts","../src/data/operations/control/membership/membership-count-by-user-operation.ts","../src/data/operations/control/membership/membership-list-by-workspace-operation.ts","../src/data/operations/data-operations-common.ts","../src/lib/compression.ts","../src/data/operations/control/membership/membership-list-operation.ts","../src/data/operations/control/membership/membership-user-projection.ts","../src/data/operations/control/roleassignment/roleassignment-list-by-workspace-operation.ts","../src/data/operations/control/workspace/workspace-list-operation.ts","../src/data/operations/control/counters/counter-reconcile-operation.ts","../src/data/operations/control/tenant/tenant-list-operation.ts","../src/data/operations/control/user/user-list-operation.ts","../src/data/operations/control/counters/counter-reconcile-driver.ts"],"sourcesContent":["/*\n Envelope version pinned by the publisher SDK on every emitted envelope.\n \n Shape is `\"<major>.<minor>\"` per TR-016 §Open Items #3 (P1).\n * Additive optional fields bump the minor; breaking changes bump the\n * major and require a documented overlap window in the consumer SDK.\n /\nexport const ENVELOPE_VERSION = \"1.0\";\n\nconst ENVELOPE_VERSION_PATTERN = /^\\d+\\.\\d+$/;\n\n/\n Lowest envelope major version this SDK's consumer parser accepts.\n \n Bump this when a deprecated major reaches end-of-life and the\n * overlap window closes.\n /\nconst MIN_SUPPORTED_MAJOR = 1;\n\n/\n Highest envelope major version this SDK's consumer parser accepts.\n \n Bump this in lockstep with `ENVELOPE_VERSION` whenever a new major\n * ships; the consumer always supports its own publish major.\n /\nconst MAX_SUPPORTED_MAJOR = 1;\n\n/\n Return `true` when `version` is shaped `<major>.<minor>` and its\n * major lies within `[MIN_SUPPORTED_MAJOR, MAX_SUPPORTED_MAJOR]`.\n /\nexport function isSupportedEnvelopeVersion(version: string): boolean {\n if (!ENVELOPE_VERSION_PATTERN.test(version)) {\n return false;\n }\n const major = Number.parseInt(version.split(\".\")[0], 10);\n return major >= MIN_SUPPORTED_MAJOR && major <= MAX_SUPPORTED_MAJOR;\n}\n","import type { OhiJwtClaims } from \"@openhi/types\";\n\n/\n Discriminated-union actor field per ADR-016 §Decision #3.\n \n User-initiated workflows project the four ADR-014 JWT claims (with\n * `ohi_tid` / `ohi_wid` required — a workflow event without a tenant\n * + workspace context belongs to the `system` variant); bootstrap\n * workflows run before a User exists and carry the bootstrap-role\n * name instead. The `system` value is free-form pending the\n * onboarding-bootstrap IAM role TR (TR-016 §Open Items #4).\n /\nexport type WorkflowActor = WorkflowUserActor \| WorkflowSystemActor;\n\n/* User-actor variant — required projection of the ADR-014 JWT claims. /\nexport interface WorkflowUserActor {\n readonly ohi_tid: string;\n readonly ohi_wid: string;\n readonly ohi_uid: string;\n readonly ohi_uname: string;\n}\n\n/* Bootstrap-actor variant — carries the bootstrap-role name. /\nexport interface WorkflowSystemActor {\n readonly system: string;\n}\n\n/\n Type guard for the user-actor variant.\n /\nexport function isWorkflowUserActor(\n actor: WorkflowActor,\n): actor is WorkflowUserActor {\n return (actor as WorkflowUserActor).ohi_uid !== undefined;\n}\n\n/\n Type guard for the system-actor variant.\n /\nexport function isWorkflowSystemActor(\n actor: WorkflowActor,\n): actor is WorkflowSystemActor {\n return (actor as WorkflowSystemActor).system !== undefined;\n}\n\n/\n Standard workflow event envelope per ADR-016 §Decision #3 / TR-016.\n \n The generic `TPayload` parameter narrows the per-workflow payload.\n \n Field naming note: the payload lives under `payload` (not `detail`)\n * deliberately. EventBridge's outer event already has its own `detail`\n * field that carries this whole envelope; nesting another `detail`\n * inside it produced double-`detail` paths in rule patterns\n * (`detail.detail.<x>`) that consistently bit consumers writing\n * filters. The unambiguous name is worth the rename.\n /\nexport interface WorkflowEvent<TPayload = Record<string, unknown>> {\n /* Per-event UUID. Dedup keys on `(eventId, attempt)`. /\n readonly eventId: string;\n /* 1-indexed delivery attempt. /\n readonly attempt: number;\n /* Originating cross-plane chain identifier. /\n readonly correlationId: string;\n /* Immediate predecessor event id, or null for a chain origin. /\n readonly causationId: string \| null;\n /* Discriminated actor — JWT-claim projection or bootstrap-role marker. /\n readonly actor: WorkflowActor;\n /* ISO-8601 timestamp marking when the envelope was constructed. /\n readonly occurredAt: string;\n /* Semver-shaped envelope version (e.g. `\"1.0\"`). /\n readonly envelopeVersion: string;\n /* Per-workflow payload narrowed by the generic parameter. /\n readonly payload: TPayload;\n}\n\n/\n Promote a raw `OhiJwtClaims` projection to a fully-required\n * `WorkflowUserActor`.\n \n Throws `MissingActorContextError` when `ohi_tid` or `ohi_wid` is\n * absent — those claims are optional on the JWT but required on the\n * workflow user-actor.\n /\nexport function workflowUserActorFromClaims(\n claims: OhiJwtClaims,\n): WorkflowUserActor {\n if (claims.ohi_tid === undefined \|\| claims.ohi_wid === undefined) {\n throw new MissingActorContextError(\n \"workflowUserActorFromClaims: ohi_tid and ohi_wid are required on the workflow user-actor; the caller's JWT is missing one or both. Use a system-actor for pre-provisioning bootstrap workflows.\",\n );\n }\n return {\n ohi_tid: claims.ohi_tid,\n ohi_wid: claims.ohi_wid,\n ohi_uid: claims.ohi_uid,\n ohi_uname: claims.ohi_uname,\n };\n}\n\n/* Thrown when JWT claims lack a field required by the workflow user-actor. /\nexport class MissingActorContextError extends Error {\n /* @param message - human-readable description of the missing claim. /\n constructor(message: string) {\n super(message);\n this.name = \"MissingActorContextError\";\n }\n}\n","/\n Per-bus `Source` constants for the three OpenHI EventBridge buses.\n \n Every workflow event carries one of these values in its EventBridge\n * `Source` field. Bus selection follows ADR-016 §Decision #1.\n \n @see https://github.com/codedrifters/openhi-planning/blob/main/docs/src/content/docs/requirements/architectural-decisions/ADR-016-workflow-boundary-strategy.md\n /\n\n/* Source for control-plane workflow events (Tenant / Workspace / User / Membership / Role / RoleAssignment / Configuration). /\nexport const OPENHI_CONTROL_SOURCE = \"openhi.control\" as const;\n\n/* Source for data-plane workflow events (committed writes to the FHIR data store). /\nexport const OPENHI_DATA_SOURCE = \"openhi.data\" as const;\n\n/* Source for ops-plane workflow events (platform telemetry, deployments, build events). /\nexport const OPENHI_OPS_SOURCE = \"openhi.ops\" as const;\n\n/\n Discriminated union over the three OpenHI EventBridge sources.\n \n A publisher that passes any other string for the EventBridge `Source`\n * field is rejected at compile time.\n /\nexport type OpenHiSource =\n \| typeof OPENHI_CONTROL_SOURCE\n \| typeof OPENHI_DATA_SOURCE\n \| typeof OPENHI_OPS_SOURCE;\n\n/\n Default EventBridge bus name for each OpenHI source.\n \n Deployments may override per-source via\n * `PublisherOptions.busNameByPlane`.\n /\nexport const DEFAULT_BUS_NAME_BY_SOURCE: Record<OpenHiSource, string> = {\n [OPENHI_CONTROL_SOURCE]: \"openhi-control-event-bus\",\n [OPENHI_DATA_SOURCE]: \"openhi-data-event-bus\",\n [OPENHI_OPS_SOURCE]: \"openhi-ops-event-bus\",\n};\n","import type { OpenHiSource } from \"../sources\";\n\n/\n One entry in the workflow detail-type registry.\n \n Each registered detail-type binds a typed `detail` payload to:\n * - the EventBridge `Source` (and therefore the bus) it ships on,\n * - the `detail-type` string consumers subscribe to,\n * - per-event metadata (`crossPlane`, `dedupRequired`) read by\n * downstream tooling (AsyncAPI generator, placement matrix).\n \n The `_detail` property is a phantom marker type only — never\n * read, never written, never instantiated. It carries the\n * compile-time TDetail through the entry so callers of\n * `publishWorkflowEvent` / `parseWorkflowEvent` see the typed\n * payload at the call site.\n /\nexport interface WorkflowDetailTypeEntry<TDetail> {\n /* Versioned detail-type string, e.g. `tenant.onboarded.v1`. /\n readonly detailType: string;\n /* The bus this detail-type ships on (compile-time enforced). /\n readonly source: OpenHiSource;\n /* Phantom marker carrying the payload shape. /\n readonly _detail?: TDetail;\n /* Marks events that cross plane boundaries (placement-matrix metadata). /\n readonly crossPlane?: boolean;\n /* Marks events that retryable consumers MUST dedupe on. /\n readonly dedupRequired?: boolean;\n}\n\n/\n Declare a registry entry with type inference.\n \n Call sites:\n \n ```ts\n * export const TenantOnboardedV1 = defineDetailType<TenantOnboardedV1Detail>({\n * detailType: \"tenant.onboarded.v1\",\n * source: OPENHI_CONTROL_SOURCE,\n * dedupRequired: true,\n * });\n * ```\n \n Detail-type strings follow `<area>.<event>.<version>` (TR-016 §Open\n * Items #2). The conformance regex below is the platform-wide format.\n /\nexport function defineDetailType<TDetail>(\n entry: Omit<WorkflowDetailTypeEntry<TDetail>, \"_detail\">,\n): WorkflowDetailTypeEntry<TDetail> {\n if (!isWellFormedDetailType(entry.detailType)) {\n throw new InvalidDetailTypeRegistrationError(\n `Detail-type \"${entry.detailType}\" does not match the platform-wide format <area>.<event>.v<integer>. See TR-016 §Open Items #2.`,\n );\n }\n return entry;\n}\n\n/\n Pattern enforced on every registered detail-type:\n * `<area>.<event>.v<integer>` where each segment is lowercase\n * alphanumeric with optional dashes.\n \n Multi-level areas (e.g. `fhir.audit-event.recorded.v1`) are\n * intentionally not yet allowed; TR-016 §Open Items #2 defers that.\n /\nconst DETAIL_TYPE_PATTERN =\n /^[a-z0-9]+(?:-[a-z0-9]+)\\.[a-z0-9]+(?:-[a-z0-9]+)\\.v\\d+$/;\n\n/* Return `true` when `detailType` matches the platform-wide format. /\nexport function isWellFormedDetailType(detailType: string): boolean {\n return DETAIL_TYPE_PATTERN.test(detailType);\n}\n\n/* Thrown by `defineDetailType` when the supplied string violates the format. /\nexport class InvalidDetailTypeRegistrationError extends Error {\n /* @param message - human-readable description of the violation. /\n constructor(message: string) {\n super(message);\n this.name = \"InvalidDetailTypeRegistrationError\";\n }\n}\n","import {\n OPENHI_CONTROL_SOURCE,\n OPENHI_DATA_SOURCE,\n OPENHI_OPS_SOURCE,\n} from \"../sources\";\nimport { defineDetailType } from \"./registry\";\n\n/\n Owning-entity types covered by the TR-022 hard-delete cascade.\n * The cascade pipeline today targets {@link OWNING_ENTITY_TYPE.Workspace}\n * and {@link OWNING_ENTITY_TYPE.User} — the two owning entities whose\n * deletion orphans adjacency-list projections under their partition.\n * Tenant hard-delete is intentionally out of scope (it cascades a much\n * wider graph and is handled outside this pipeline).\n /\nexport const OWNING_ENTITY_TYPE = {\n Workspace: \"Workspace\",\n User: \"User\",\n} as const;\n/* Union of the values of {@link OWNING_ENTITY_TYPE}. /\nexport type OwningEntityType =\n (typeof OWNING_ENTITY_TYPE)[keyof typeof OWNING_ENTITY_TYPE];\n\n/\n Payload (`detail.payload`) of `control-plane.owning-delete.v1` —\n * published on the `openhi.data` data event bus when the Firehose\n * transform Lambda observes a stream record showing\n * `lifecycleState: active → deleting` on a canonical Workspace or\n * User record. The owning-delete cascade state machine subscribes to\n * this detail-type.\n \n The full EventBridge `detail` carries this payload nested inside a\n * `WorkflowEvent<ControlPlaneOwningDeleteV1Detail>` envelope per\n * ADR-016 standard envelope shape — `eventId`, `attempt`,\n * `correlationId`, `causationId`, `actor`, `occurredAt` live on the\n * envelope, not on this payload.\n \n @see .state/adr-018-implementation-guide.md section 4 (TR-022 Hard-Delete-Cascade Contract)\n /\nexport interface ControlPlaneOwningDeleteV1Detail {\n readonly ownerType: OwningEntityType;\n readonly ownerId: string;\n /* Present for Workspace owners; absent for User (cross-tenant identity). /\n readonly tenantId?: string;\n}\n\n/\n Registry entry for `control-plane.owning-delete.v1`.\n \n The platform-wide detail-type format\n * (`<area>.<event>.v<integer>` enforced by `isWellFormedDetailType`)\n * does not allow the bare `ControlPlaneOwningDelete` shape the\n * ADR-018 implementation guide pseudocode uses; the registered string\n * is the format-compliant equivalent. The EventBridge rule pattern on\n * the cascade state machine matches this exact string.\n \n `dedupRequired: true` — the cascade state machine MUST dedupe on\n * `(eventId, attempt)` via `WorkflowDedupClient` so EventBridge retries\n * (which the data event bus delivers at-least-once) never start two\n * concurrent cascades on the same owning entity.\n /\nexport const ControlPlaneOwningDeleteV1 =\n defineDetailType<ControlPlaneOwningDeleteV1Detail>({\n detailType: \"control-plane.owning-delete.v1\",\n source: OPENHI_DATA_SOURCE,\n dedupRequired: true,\n });\n\n/\n Payload of `control-plane.owning-delete-complete.v1` — terminal\n * event published on the `openhi.ops` ops event bus when the cascade\n * state machine has successfully deleted every child projection and\n * the canonical owning record itself. Observability sinks subscribe\n * to this event to confirm cascade completion and emit metrics.\n \n @see .state/adr-018-implementation-guide.md section 4 (Terminal events on EventBridge)\n /\nexport interface ControlPlaneOwningDeleteCompleteV1Detail {\n readonly ownerType: OwningEntityType;\n readonly ownerId: string;\n readonly tenantId?: string;\n /* Number of `TransactWriteItems` chunks the cascade issued. /\n readonly chunkCount: number;\n /* Total number of projection rows removed by the cascade. /\n readonly projectionsRemoved: number;\n /* Wall-clock duration of the cascade, in milliseconds. /\n readonly durationMs: number;\n /* ISO-8601 UTC timestamp of cascade completion. /\n readonly completedAt: string;\n}\n\n/* Registry entry for `control-plane.owning-delete-complete.v1`. /\nexport const ControlPlaneOwningDeleteCompleteV1 =\n defineDetailType<ControlPlaneOwningDeleteCompleteV1Detail>({\n detailType: \"control-plane.owning-delete-complete.v1\",\n source: OPENHI_OPS_SOURCE,\n dedupRequired: true,\n });\n\n/\n Payload of `control-plane.owning-delete-failed.v1` — terminal event\n * published on the `openhi.ops` ops event bus when the cascade state\n * machine fails irrecoverably. The canonical owning record is left at\n * `lifecycleState = \"deleted-failed\"` for operator-driven recovery;\n * alerting subscribers fan out to oncall.\n \n @see .state/adr-018-implementation-guide.md section 4 (Terminal events on EventBridge)\n /\nexport interface ControlPlaneOwningDeleteFailedV1Detail {\n readonly ownerType: OwningEntityType;\n readonly ownerId: string;\n readonly tenantId?: string;\n /* Step Functions execution ARN — operators dereference for root cause. /\n readonly executionArn: string;\n readonly chunkCount: number;\n /* Last opaque cursor the state machine successfully processed, or null. /\n readonly lastProcessedCursor: string \| null;\n /* Short failure cause string from the Step Functions Catch block. /\n readonly failureCause: string;\n readonly failedAt: string;\n}\n\n/* Registry entry for `control-plane.owning-delete-failed.v1`. /\nexport const ControlPlaneOwningDeleteFailedV1 =\n defineDetailType<ControlPlaneOwningDeleteFailedV1Detail>({\n detailType: \"control-plane.owning-delete-failed.v1\",\n source: OPENHI_OPS_SOURCE,\n dedupRequired: true,\n });\n\n/\n Renamable entity types covered by the TR-023 rename cascade.\n \n Per ADR-018 only the three carrier entities whose display name is\n * denormalized onto Membership / RoleAssignment projections trigger a\n * cascade — Tenant, User, Role. A Workspace rename is intentionally\n * not in scope: Workspace's display name is denormalized onto the\n * Membership user-projection workspace sub-lane, but TR-024 § Open Item\n * #4 defers a formal Workspace-rename cascade — the SK falls back to a\n * sentinel until a future TR commits the contract.\n /\nexport const RENAMABLE_ENTITY_TYPE = {\n Tenant: \"Tenant\",\n User: \"User\",\n Role: \"Role\",\n} as const;\n/* Union of the values of {@link RENAMABLE_ENTITY_TYPE}. /\nexport type RenamableEntityType =\n (typeof RENAMABLE_ENTITY_TYPE)[keyof typeof RENAMABLE_ENTITY_TYPE];\n\n/\n Payload (`detail.payload`) of `control-plane.rename.v1` — published\n * on the `openhi.data` data event bus when the Firehose transform\n * Lambda observes a stream record showing a display-name change on a\n * canonical Tenant, User, or Role record. The rename-cascade state\n * machine subscribes to this detail-type.\n \n The full EventBridge `detail` carries this payload nested inside a\n * `WorkflowEvent<ControlPlaneRenameV1Detail>` envelope per ADR-016\n * standard envelope shape — `eventId`, `attempt`, `correlationId`,\n * `causationId`, `actor`, `occurredAt` live on the envelope, not on\n * this payload.\n \n The platform-wide detail-type format\n * (`<area>.<event>.v<integer>` enforced by `isWellFormedDetailType`)\n * does not allow the bare `ControlPlaneRename` shape the ADR-018\n * implementation guide pseudocode uses; the registered string is the\n * format-compliant equivalent (mirroring the\n * `control-plane.owning-delete.v1` naming).\n \n @see .state/adr-018-implementation-guide.md section 5 (TR-023 Rename-Cascade Consumer Contract)\n /\nexport interface ControlPlaneRenameV1Detail {\n readonly entityType: RenamableEntityType;\n readonly entityId: string;\n /* Present for User and Role; absent for Tenant (Tenant is the partition root). /\n readonly tenantId?: string;\n readonly oldName: string;\n readonly newName: string;\n /* Pre-computed via `extractLabel` so consumers do not re-normalize. /\n readonly oldNormalizedName: string;\n readonly newNormalizedName: string;\n}\n\n/\n Registry entry for `control-plane.rename.v1`.\n \n `dedupRequired: true` — the cascade state machine MUST dedupe on\n * `(eventId, attempt)` via `WorkflowDedupClient` so EventBridge retries\n * (which the data event bus delivers at-least-once) never start two\n * concurrent cascades on the same rename.\n /\nexport const ControlPlaneRenameV1 =\n defineDetailType<ControlPlaneRenameV1Detail>({\n detailType: \"control-plane.rename.v1\",\n source: OPENHI_DATA_SOURCE,\n dedupRequired: true,\n });\n\n/\n Payload of `control-plane.rename-complete.v1` — terminal event\n * published on the `openhi.ops` ops event bus when the cascade state\n * machine has successfully rewritten every affected projection row.\n * UI clients subscribe so they can refresh stale list views.\n \n @see .state/adr-018-implementation-guide.md section 5\n /\nexport interface ControlPlaneRenameCompleteV1Detail {\n readonly entityType: RenamableEntityType;\n readonly entityId: string;\n readonly tenantId?: string;\n readonly newName: string;\n /* Number of `TransactWriteItems` chunks the cascade issued. /\n readonly chunkCount: number;\n /* Total number of projection rows rewritten by the cascade. /\n readonly itemsRewritten: number;\n /* Wall-clock duration of the cascade, in milliseconds. /\n readonly durationMs: number;\n /* ISO-8601 UTC timestamp of cascade completion. /\n readonly completedAt: string;\n}\n\n/* Registry entry for `control-plane.rename-complete.v1`. /\nexport const ControlPlaneRenameCompleteV1 =\n defineDetailType<ControlPlaneRenameCompleteV1Detail>({\n detailType: \"control-plane.rename-complete.v1\",\n source: OPENHI_OPS_SOURCE,\n dedupRequired: true,\n });\n\n/\n Payload of `control-plane.rename-failed.v1` — terminal event\n * published on the `openhi.ops` ops event bus when the cascade state\n * machine fails irrecoverably. Alerting subscribers fan out to oncall.\n \n @see .state/adr-018-implementation-guide.md section 5\n /\nexport interface ControlPlaneRenameFailedV1Detail {\n readonly entityType: RenamableEntityType;\n readonly entityId: string;\n readonly tenantId?: string;\n /* Step Functions execution ARN — operators dereference for root cause. /\n readonly executionArn: string;\n readonly chunkCount: number;\n /* Short failure cause string from the Step Functions Catch block. /\n readonly failureCause: string;\n readonly failedAt: string;\n}\n\n/* Registry entry for `control-plane.rename-failed.v1`. /\nexport const ControlPlaneRenameFailedV1 =\n defineDetailType<ControlPlaneRenameFailedV1Detail>({\n detailType: \"control-plane.rename-failed.v1\",\n source: OPENHI_OPS_SOURCE,\n dedupRequired: true,\n });\n\n/\n Payload (`detail.payload`) of `control-plane.membership-created.v1` /\n * `control-plane.membership-deleted.v1` — published on the `openhi.control`\n * control event bus by the Membership create / delete operations on their\n * success path. The ADR-028 counter-maintenance consumer subscribes to these\n * detail-types and applies atomic ADD increments / decrements to the\n * denormalized counters on the canonical Tenant / Workspace / User records.\n \n The scope discriminator is the same `workspaceId`-set/unset distinction\n * ADR-018 uses to choose the membership projection sub-lane:\n * - `workspaceId` absent → a tenant-scoped membership (user ↔ tenant):\n * drives `Tenant.usersInTenant` and `User.tenantsForUser`.\n * - `workspaceId` present → a workspace-scoped membership (user ↔ workspace):\n * drives `Workspace.usersInWorkspace` and `User.workspacesForUser`.\n \n Carries enough context (`tenantId`, `userId`, optional `workspaceId`,\n * `membershipId`) for the consumer to adjust the right counter without an\n * extra read.\n \n @see ADR-028 — Denormalized Control-Plane Membership Counters\n /\nexport interface ControlPlaneMembershipChangedV1Detail {\n readonly membershipId: string;\n readonly tenantId: string;\n /* User the membership links; absent only when the resource omitted the reference. /\n readonly userId?: string;\n /* Present for workspace-scoped memberships; absent for tenant-scoped. /\n readonly workspaceId?: string;\n}\n\n/\n Registry entry for `control-plane.membership-created.v1`.\n \n `dedupRequired: true` — the counter-maintenance consumer MUST dedupe on\n * `(eventId, attempt)` via `WorkflowDedupClient` because the control bus\n * delivers at-least-once and an atomic `ADD` is not idempotent; a replayed\n * event would otherwise double-count.\n /\nexport const ControlPlaneMembershipCreatedV1 =\n defineDetailType<ControlPlaneMembershipChangedV1Detail>({\n detailType: \"control-plane.membership-created.v1\",\n source: OPENHI_CONTROL_SOURCE,\n dedupRequired: true,\n });\n\n/* Registry entry for `control-plane.membership-deleted.v1`. /\nexport const ControlPlaneMembershipDeletedV1 =\n defineDetailType<ControlPlaneMembershipChangedV1Detail>({\n detailType: \"control-plane.membership-deleted.v1\",\n source: OPENHI_CONTROL_SOURCE,\n dedupRequired: true,\n });\n\n/\n Payload (`detail.payload`) of `control-plane.role-assignment-created.v1` /\n * `control-plane.role-assignment-deleted.v1` — published on the `openhi.control`\n * control event bus by the RoleAssignment create / delete operations on their\n * success path. The ADR-028 counter-maintenance consumer uses the role level /\n * type carried here to classify a workspace-scoped assignment as admin vs\n * normal and adjust `Workspace.adminUsersInWorkspace` /\n * `Workspace.normalUsersInWorkspace` without re-reading the Role record.\n \n Carries `tenantId`, `userId`, optional `workspaceId`, `roleId`, the\n * `roleAssignmentId`, and `roleLevel` (the ADR-019 organization-role code /\n * level extracted from the resource at publish time).\n \n @see ADR-028 — Denormalized Control-Plane Membership Counters\n * @see ADR-019 — Organization Role Vocabulary\n /\nexport interface ControlPlaneRoleAssignmentChangedV1Detail {\n readonly roleAssignmentId: string;\n readonly tenantId: string;\n readonly userId?: string;\n /* Present for workspace-scoped assignments; absent for tenant-level. /\n readonly workspaceId?: string;\n readonly roleId?: string;\n /\n The role level / type (ADR-019 organization-role code) the consumer uses\n * to classify the assignment as admin vs normal. Absent when the resource\n * carried no extractable role code.\n /\n readonly roleLevel?: string;\n}\n\n/* Registry entry for `control-plane.role-assignment-created.v1`. /\nexport const ControlPlaneRoleAssignmentCreatedV1 =\n defineDetailType<ControlPlaneRoleAssignmentChangedV1Detail>({\n detailType: \"control-plane.role-assignment-created.v1\",\n source: OPENHI_CONTROL_SOURCE,\n dedupRequired: true,\n });\n\n/* Registry entry for `control-plane.role-assignment-deleted.v1`. /\nexport const ControlPlaneRoleAssignmentDeletedV1 =\n defineDetailType<ControlPlaneRoleAssignmentChangedV1Detail>({\n detailType: \"control-plane.role-assignment-deleted.v1\",\n source: OPENHI_CONTROL_SOURCE,\n dedupRequired: true,\n });\n\n/\n Payload (`detail.payload`) of `control-plane.workspace-created.v1` /\n * `control-plane.workspace-deleted.v1` — published on the `openhi.control`\n * control event bus by the Workspace create / delete operations on their\n * success path. The ADR-028 counter-maintenance consumer subscribes to these\n * detail-types and applies an atomic ADD increment / decrement to\n * `Tenant.workspacesInTenant`.\n \n Workspace lifecycle is the one counter driver that the Membership /\n * RoleAssignment publish set (#1317) does not cover — `workspacesInTenant`\n * is driven by workspace creation / deletion, not by relationship changes.\n \n @see ADR-028 — Denormalized Control-Plane Membership Counters (Open Item #1)\n /\nexport interface ControlPlaneWorkspaceChangedV1Detail {\n readonly workspaceId: string;\n readonly tenantId: string;\n}\n\n/\n Registry entry for `control-plane.workspace-created.v1`.\n \n `dedupRequired: true` — the counter-maintenance consumer MUST dedupe on\n * `(eventId, attempt)` via `WorkflowDedupClient` because the control bus\n * delivers at-least-once and an atomic `ADD` is not idempotent; a replayed\n * event would otherwise double-count.\n /\nexport const ControlPlaneWorkspaceCreatedV1 =\n defineDetailType<ControlPlaneWorkspaceChangedV1Detail>({\n detailType: \"control-plane.workspace-created.v1\",\n source: OPENHI_CONTROL_SOURCE,\n dedupRequired: true,\n });\n\n/* Registry entry for `control-plane.workspace-deleted.v1`. /\nexport const ControlPlaneWorkspaceDeletedV1 =\n defineDetailType<ControlPlaneWorkspaceChangedV1Detail>({\n detailType: \"control-plane.workspace-deleted.v1\",\n source: OPENHI_CONTROL_SOURCE,\n dedupRequired: true,\n });\n","import { OPENHI_CONTROL_SOURCE } from \"../sources\";\nimport { defineDetailType } from \"./registry\";\n\n/\n `detail` payload for `platform.deployment-completed.v1`.\n \n Projected by the platform-deploy bridge from a CloudFormation\n * `Stack Status Change` event (`CREATE_COMPLETE` / `UPDATE_COMPLETE`)\n * on a tagged OpenHI platform stack. Downstream control-plane\n * workflows (e.g. seed-system-roles, seed-demo-data) subscribe\n * to this detail-type on the control event bus.\n /\nexport interface PlatformDeploymentCompletedV1Detail {\n /* CloudFormation stack name (`AWS::CloudFormation::Stack` `StackName`). /\n readonly stackName: string;\n /* Full CloudFormation stack ARN. /\n readonly stackId: string;\n /* AWS region the stack deployed into (e.g. `us-east-1`). /\n readonly region: string;\n /* 12-digit AWS account id the stack deployed into. /\n readonly accountId: string;\n /* Terminal stack status that triggered the bridge. /\n readonly status: \"CREATE_COMPLETE\" \| \"UPDATE_COMPLETE\";\n /* Free-form reason text from CloudFormation; absent on most events. /\n readonly statusReason?: string;\n /\n Projected subset of stack tags. The bridge resolves tags via\n * `cloudformation:DescribeStacks` because the source EventBridge\n * event omits them.\n /\n readonly stackTags: ReadonlyArray<{\n readonly key: string;\n readonly value: string;\n }>;\n /* ISO-8601 timestamp from the source EventBridge `time` field. /\n readonly cloudformationEventTime: string;\n}\n\n/\n Registry entry for `platform.deployment-completed.v1`.\n \n Published on the control event bus (`OPENHI_CONTROL_SOURCE`) per\n * the workflow placement matrix (codedrifters/openhi#953 row 4):\n * the AWS-native source is the ops-plane default bus, but the bridge\n * republishes onto the control bus because the downstream consumers\n * are control-plane workflows.\n \n `dedupRequired: true` — at-least-once redelivery from EventBridge\n * means retryable consumers MUST dedupe on `(eventId, attempt)` via\n * `WorkflowDedupClient`.\n /\nexport const PlatformDeploymentCompletedV1 =\n defineDetailType<PlatformDeploymentCompletedV1Detail>({\n detailType: \"platform.deployment-completed.v1\",\n source: OPENHI_CONTROL_SOURCE,\n dedupRequired: true,\n });\n\n/\n `detail` payload for `platform.system-data-seeded.v1`.\n \n Published by the `seed-system-data` workflow after it has\n * idempotently re-asserted every platform-singleton control-plane\n * record (today: the three canonical Roles; future: additional system\n * data) on the back of a `platform.deployment-completed.v1` event.\n \n Downstream control-plane workflows that depend on the\n * platform-singleton records existing — `seed-demo-data`, for\n * example — subscribe to this detail-type instead of the raw\n * deploy-completion event so the dependency is enforced by a\n * happens-before edge rather than by EventBridge retry timing.\n /\nexport interface PlatformSystemDataSeededV1Detail {\n /\n EventBridge `eventId` of the originating\n * `platform.deployment-completed.v1` event that triggered the\n * system-data seeding. Propagated for correlation in logs and\n * downstream causation chains.\n /\n readonly sourceEventId: string;\n /\n Full CloudFormation stack ARN of the deploy that triggered the\n * system-data seeding. Mirrors the field on the originating\n * `PlatformDeploymentCompletedV1Detail`; downstream consumers can\n * filter by stack-id prefix without re-reading the source event.\n /\n readonly sourceStackId: string;\n /\n Number of platform-singleton records re-asserted on this run.\n * Useful for sanity checks and observability — divergence between\n * deploys signals either a generator-emitted catalog change or a\n * partial-failure recovery from the replay tooling.\n /\n readonly seededRecordCount: number;\n}\n\n/\n Registry entry for `platform.system-data-seeded.v1`.\n \n Published onto the control event bus (`OPENHI_CONTROL_SOURCE`).\n * `dedupRequired: true` — downstream consumers MUST dedup on\n * `(eventId, attempt)` via `WorkflowDedupClient`, same as every other\n * retryable consumer.\n /\nexport const PlatformSystemDataSeededV1 =\n defineDetailType<PlatformSystemDataSeededV1Detail>({\n detailType: \"platform.system-data-seeded.v1\",\n source: OPENHI_CONTROL_SOURCE,\n dedupRequired: true,\n });\n","export from \"./control-plane\";\nexport * from \"./platform\";\nexport * from \"./registry\";\n","import { randomUUID } from \"node:crypto\";\nimport {\n EventBridgeClient,\n PutEventsCommand,\n} from \"@aws-sdk/client-eventbridge\";\n\nimport type { WorkflowDetailTypeEntry } from \"./detail-types/registry\";\nimport type { WorkflowActor, WorkflowEvent } from \"./envelope\";\nimport { ENVELOPE_VERSION } from \"./envelope-version\";\nimport { DEFAULT_BUS_NAME_BY_SOURCE, type OpenHiSource } from \"./sources\";\n\n/*\n Caller-supplied envelope context the publisher consumes.\n \n The actor is required on every publish — pre-provisioning bootstrap\n * workflows pass a `{ system: <role-name> }` actor.\n \n `correlationId` and `causationId` propagate from an upstream event\n * when this publisher is consuming-then-publishing; pass them through\n * verbatim from the inbound envelope's fields. Both are optional;\n * when omitted the publisher treats the publish as a chain origin\n * (`correlationId` = fresh UUID, `causationId` = null).\n /\nexport interface PublishContext {\n readonly actor: WorkflowActor;\n readonly correlationId?: string;\n readonly causationId?: string \| null;\n}\n\n/\n Per-call output of a successful publish.\n /\nexport interface PublishResult {\n readonly eventId: string;\n}\n\n/\n Publisher overrides applied to every call against a single client.\n \n `eventIdGenerator`, `correlationIdGenerator`, and `now` are\n * test-only seams; production callers omit them and the publisher\n * uses `crypto.randomUUID()` and `new Date()`.\n /\nexport interface PublisherOptions {\n /* Override the default bus name for one or more sources. /\n readonly busNameByPlane?: Partial<Record<OpenHiSource, string>>;\n /* Test seam — supply a deterministic UUID generator for `eventId`. /\n readonly eventIdGenerator?: () => string;\n /* Test seam — supply a deterministic UUID generator for new `correlationId` values. /\n readonly correlationIdGenerator?: () => string;\n /* Test seam — supply a deterministic clock for `occurredAt`. /\n readonly now?: () => Date;\n}\n\n/\n Tree-shaped publisher client per ADR-016 Recommendation.\n \n The `publish` primitive accepts any registered detail-type and\n * returns a typed `PublishResult`. Downstream tree shaping\n * (`client.<bus>.<area>.<event>.publish(payload, ctx)`) is built from\n * the detail-type registry once entries are registered; until then,\n * callers invoke `client.publish(entry, payload, ctx)` directly.\n /\nexport interface WorkflowsClient {\n /\n Construct a workflow envelope around `payload` and publish it to\n * the EventBridge bus configured for `entry.source`.\n /\n publish<TPayload>(\n entry: WorkflowDetailTypeEntry<TPayload>,\n payload: TPayload,\n ctx: PublishContext,\n ): Promise<PublishResult>;\n}\n\n/\n Factory that returns a `WorkflowsClient` bound to a single\n * `EventBridgeClient`.\n /\nexport function workflowsClient(\n bridge: EventBridgeClient,\n options: PublisherOptions = {},\n): WorkflowsClient {\n return {\n publish: (entry, payload, ctx) =>\n publishWorkflowEvent(bridge, entry, payload, ctx, options),\n };\n}\n\n/\n Construct a workflow envelope and publish it via\n * `EventBridge.PutEvents`.\n \n Exposed as a stand-alone function for callers that prefer the\n * primitive over the `WorkflowsClient` indirection.\n /\nexport async function publishWorkflowEvent<TPayload>(\n bridge: EventBridgeClient,\n entry: WorkflowDetailTypeEntry<TPayload>,\n payload: TPayload,\n ctx: PublishContext,\n options: PublisherOptions = {},\n): Promise<PublishResult> {\n const eventIdGenerator = options.eventIdGenerator ?? (() => randomUUID());\n const correlationIdGenerator =\n options.correlationIdGenerator ?? (() => randomUUID());\n const now = options.now ?? (() => new Date());\n\n const envelope: WorkflowEvent<TPayload> = {\n eventId: eventIdGenerator(),\n attempt: 1,\n correlationId: ctx.correlationId ?? correlationIdGenerator(),\n causationId: ctx.causationId ?? null,\n actor: ctx.actor,\n occurredAt: now().toISOString(),\n envelopeVersion: ENVELOPE_VERSION,\n payload,\n };\n\n const busName =\n options.busNameByPlane?.[entry.source] ??\n DEFAULT_BUS_NAME_BY_SOURCE[entry.source];\n\n const result = await bridge.send(\n new PutEventsCommand({\n Entries: [\n {\n EventBusName: busName,\n Source: entry.source,\n DetailType: entry.detailType,\n Detail: JSON.stringify(envelope),\n },\n ],\n }),\n );\n\n if ((result.FailedEntryCount ?? 0) > 0) {\n const first = result.Entries?.[0];\n throw new WorkflowPublishError(\n `EventBridge rejected ${entry.detailType} publish on bus ${busName}: ${first?.ErrorCode ?? \"unknown\"} — ${first?.ErrorMessage ?? \"no error message\"}`,\n );\n }\n\n return { eventId: envelope.eventId };\n}\n\n/* Thrown when EventBridge rejects a `PutEvents` entry. /\nexport class WorkflowPublishError extends Error {\n /* @param message - human-readable description of the failed publish. /\n constructor(message: string) {\n super(message);\n this.name = \"WorkflowPublishError\";\n }\n}\n","import type { WorkflowDetailTypeEntry } from \"./detail-types/registry\";\nimport type { WorkflowEvent } from \"./envelope\";\nimport { isSupportedEnvelopeVersion } from \"./envelope-version\";\n\n/\n Structural shape of the EventBridge event objects this SDK's\n * consumer parses.\n \n Matches `@types/aws-lambda`'s `EventBridgeEvent<string, unknown>`\n * by structural compatibility without requiring callers to import\n * that types package — consumers may pass either an\n * `EventBridgeEvent` from `aws-lambda` or any record-shaped object\n * carrying the same keys.\n /\nexport interface EventBridgeEventLike {\n readonly source: string;\n readonly \"detail-type\": string;\n readonly detail: unknown;\n}\n\n/\n The `(eventId, attempt)` tuple every retryable consumer hands to\n * the `WorkflowDedupTable` client.\n /\nexport interface DedupKey {\n readonly eventId: string;\n readonly attempt: number;\n}\n\n/\n Output of `parseWorkflowEvent` — the validated envelope plus the\n * dedup tuple.\n /\nexport interface ParsedWorkflowEvent<TPayload> {\n readonly envelope: WorkflowEvent<TPayload>;\n readonly dedupKey: DedupKey;\n}\n\n/\n Parse an EventBridge event into a typed envelope and surface the\n * `(eventId, attempt)` tuple the dedup-table client consumes.\n \n Validates:\n * - `event.source` matches `expected.source`\n * - `event[\"detail-type\"]` matches `expected.detailType`\n * - the envelope's `envelopeVersion` is within the SDK's supported range\n * - every required envelope field is present and well-shaped\n /\nexport function parseWorkflowEvent<TPayload>(\n event: EventBridgeEventLike,\n expected: WorkflowDetailTypeEntry<TPayload>,\n): ParsedWorkflowEvent<TPayload> {\n if (event.source !== expected.source) {\n throw new InvalidWorkflowEventError(\n `EventBridge source \"${event.source}\" does not match expected detail-type's source \"${expected.source}\".`,\n );\n }\n\n if (event[\"detail-type\"] !== expected.detailType) {\n throw new InvalidWorkflowEventError(\n `EventBridge detail-type \"${event[\"detail-type\"]}\" does not match expected \"${expected.detailType}\".`,\n );\n }\n\n const candidate = asEnvelopeCandidate(event.detail);\n\n if (!isSupportedEnvelopeVersion(candidate.envelopeVersion)) {\n throw new UnsupportedEnvelopeVersionError(\n `Envelope version \"${candidate.envelopeVersion}\" is outside the SDK's supported range.`,\n );\n }\n\n const envelope: WorkflowEvent<TPayload> = {\n eventId: candidate.eventId,\n attempt: candidate.attempt,\n correlationId: candidate.correlationId,\n causationId: candidate.causationId,\n actor: candidate.actor,\n occurredAt: candidate.occurredAt,\n envelopeVersion: candidate.envelopeVersion,\n payload: candidate.payload as TPayload,\n };\n\n return {\n envelope,\n dedupKey: { eventId: envelope.eventId, attempt: envelope.attempt },\n };\n}\n\n/\n Validate that the EventBridge `detail` (which carries the workflow\n * envelope) has every required field with a plausible type. Returns a\n * typed `WorkflowEvent<unknown>` so the caller can narrow `payload`\n * once routing has succeeded.\n /\nfunction asEnvelopeCandidate(detail: unknown): WorkflowEvent<unknown> {\n if (detail === null \|\| typeof detail !== \"object\") {\n throw new InvalidWorkflowEventError(\n \"EventBridge detail is not a non-null object.\",\n );\n }\n\n const obj = detail as Record<string, unknown>;\n\n assertString(obj, \"eventId\");\n assertPositiveInteger(obj, \"attempt\");\n assertString(obj, \"correlationId\");\n assertCausationId(obj);\n assertActor(obj);\n assertString(obj, \"occurredAt\");\n assertString(obj, \"envelopeVersion\");\n\n if (!(\"payload\" in obj)) {\n throw new InvalidWorkflowEventError(\n \"Envelope is missing required field: payload.\",\n );\n }\n\n return obj as unknown as WorkflowEvent<unknown>;\n}\n\nfunction assertString(\n obj: Record<string, unknown>,\n field: string,\n): asserts obj is Record<string, unknown> & Record<typeof field, string> {\n const value = obj[field];\n if (typeof value !== \"string\" \|\| value.length === 0) {\n throw new InvalidWorkflowEventError(\n `Envelope field \"${field}\" must be a non-empty string.`,\n );\n }\n}\n\nfunction assertPositiveInteger(\n obj: Record<string, unknown>,\n field: string,\n): void {\n const value = obj[field];\n if (typeof value !== \"number\" \|\| !Number.isInteger(value) \|\| value < 1) {\n throw new InvalidWorkflowEventError(\n `Envelope field \"${field}\" must be a 1-indexed integer.`,\n );\n }\n}\n\nfunction assertCausationId(obj: Record<string, unknown>): void {\n if (!(\"causationId\" in obj)) {\n throw new InvalidWorkflowEventError(\n \"Envelope is missing required field: causationId.\",\n );\n }\n const value = obj.causationId;\n if (value !== null && (typeof value !== \"string\" \|\| value.length === 0)) {\n throw new InvalidWorkflowEventError(\n 'Envelope field \"causationId\" must be a non-empty string or null.',\n );\n }\n}\n\nfunction assertActor(obj: Record<string, unknown>): void {\n const actor = obj.actor;\n if (actor === null \|\| typeof actor !== \"object\") {\n throw new InvalidWorkflowEventError(\n 'Envelope field \"actor\" must be an object.',\n );\n }\n const actorObj = actor as Record<string, unknown>;\n const isUserActor =\n typeof actorObj.ohi_uid === \"string\" &&\n typeof actorObj.ohi_uname === \"string\" &&\n typeof actorObj.ohi_tid === \"string\" &&\n typeof actorObj.ohi_wid === \"string\";\n const isSystemActor = typeof actorObj.system === \"string\";\n if (!isUserActor && !isSystemActor) {\n throw new InvalidWorkflowEventError(\n 'Envelope field \"actor\" must be either a user-actor (ohi_tid, ohi_wid, ohi_uid, ohi_uname) or a system-actor ({ system: string }).',\n );\n }\n}\n\n/* Thrown when the event does not match the expected detail-type entry. /\nexport class InvalidWorkflowEventError extends Error {\n /* @param message - human-readable description of the validation failure. /\n constructor(message: string) {\n super(message);\n this.name = \"InvalidWorkflowEventError\";\n }\n}\n\n/* Thrown when the envelope version is outside the SDK's supported range. /\nexport class UnsupportedEnvelopeVersionError extends Error {\n /* @param message - human-readable description of the unsupported version. /\n constructor(message: string) {\n super(message);\n this.name = \"UnsupportedEnvelopeVersionError\";\n }\n}\n","/\n Environment-variable name the construct's `grantConsumer` integration\n * injects into a consumer Lambda; the runtime `WorkflowDedupClient`\n * reads it to discover the shared dedup table without a prop or import.\n \n The constant is the single cross-package contract between\n * `@openhi/constructs` (which emits the env var) and `@openhi/workflows`\n * (which consumes it). Renaming or removing it is a breaking change.\n /\nexport const WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR =\n \"OPENHI_WORKFLOW_DEDUP_TABLE_NAME\";\n\n/* Default TTL for dedup rows: 14 days, expressed in seconds (per TR-015). /\nexport const WORKFLOW_DEDUP_DEFAULT_TTL_SECONDS = 14 24 * 60 * 60;\n\n/** Maximum length of a `consumerName` (per TR-015). /\nexport const WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH = 64;\n","import {\n ConditionalCheckFailedException,\n DynamoDBClient,\n PutItemCommand,\n UpdateItemCommand,\n} from \"@aws-sdk/client-dynamodb\";\n\nimport {\n WORKFLOW_DEDUP_DEFAULT_TTL_SECONDS,\n WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH,\n WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR,\n} from \"./env\";\n\n/\n Inputs to `recordIfAbsent`.\n \n `eventId` and `attempt` are the dedup tuple every retryable\n * consumer derives from the standard envelope (see `parseWorkflowEvent`\n * and the `DedupKey` type); call sites typically spread the dedupKey\n * directly alongside the consumer name.\n /\nexport interface RecordIfAbsentInput {\n /* Stable logical name of the consumer. At most 64 chars; no whitespace. /\n readonly consumerName: string;\n /* Per-event UUID from the standard envelope. /\n readonly eventId: string;\n /* 1-indexed delivery attempt from the standard envelope. /\n readonly attempt: number;\n /* Override the 14-day default TTL. Must be a positive integer. /\n readonly ttlSeconds?: number;\n}\n\n/\n Result shape per TR-015. `recorded` is true on first delivery and\n * false on a duplicate; on a duplicate `alreadyProcessed` is also\n * true so callers can pattern-match without re-checking the boolean.\n /\nexport type RecordIfAbsentResult =\n \| { readonly recorded: true }\n \| { readonly recorded: false; readonly alreadyProcessed: true };\n\n/\n Inputs to `markFailed`.\n \n Updates the existing dedup row with `failed: true`, `failureReason`,\n * `failedAt` so the replay tooling (TR-016 follow-up) can re-publish\n * the originating event with a fresh `attempt`.\n /\nexport interface MarkFailedInput {\n /* Stable logical name of the consumer. /\n readonly consumerName: string;\n /* Per-event UUID. /\n readonly eventId: string;\n /* 1-indexed delivery attempt. /\n readonly attempt: number;\n /* Short string describing why the consumer gave up. /\n readonly reason: string;\n}\n\n/\n Runtime SDK every retryable workflow consumer calls before\n * performing its side-effect. See TR-015 for the contract.\n /\nexport interface WorkflowDedupClient {\n /\n Conditionally record a dedup token for the supplied consumer name\n * and dedup tuple. See `RecordIfAbsentResult` for the return shape.\n /\n recordIfAbsent(input: RecordIfAbsentInput): Promise<RecordIfAbsentResult>;\n /\n Mark the existing dedup row as permanently failed. Fire-and-forget\n * semantics for the caller; unexpected DynamoDB errors propagate.\n /\n markFailed(input: MarkFailedInput): Promise<void>;\n}\n\n/* Options shared by the factory and the standalone primitives. /\nexport interface WorkflowDedupClientOptions {\n /\n Table name. Defaults to `process.env[WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR]`\n * (populated by the `WorkflowDedupTable` construct's `grantConsumer`).\n /\n readonly tableName?: string;\n /* Override the 14-day default TTL for every `recordIfAbsent` call. /\n readonly defaultTtlSeconds?: number;\n /* Test seam — deterministic clock for `recordedAt` / `expiresAt`. /\n readonly now?: () => Date;\n}\n\n/* Factory that returns a `WorkflowDedupClient` bound to a single DynamoDB client. /\nexport function workflowDedupClient(\n dynamodb: DynamoDBClient,\n options: WorkflowDedupClientOptions = {},\n): WorkflowDedupClient {\n return {\n recordIfAbsent: (input) => recordIfAbsent(dynamodb, input, options),\n markFailed: (input) => markFailed(dynamodb, input, options),\n };\n}\n\n/\n Standalone primitive — exposed for callers that prefer it over the\n * `WorkflowDedupClient` indirection.\n /\nexport async function recordIfAbsent(\n dynamodb: DynamoDBClient,\n input: RecordIfAbsentInput,\n options: WorkflowDedupClientOptions = {},\n): Promise<RecordIfAbsentResult> {\n assertConsumerName(input.consumerName);\n assertPositiveInteger(input.attempt, \"attempt\");\n const ttlSeconds =\n input.ttlSeconds ??\n options.defaultTtlSeconds ??\n WORKFLOW_DEDUP_DEFAULT_TTL_SECONDS;\n if (!Number.isInteger(ttlSeconds) \|\| ttlSeconds <= 0) {\n throw new WorkflowDedupInvalidInputError(\n `ttlSeconds must be a positive integer; got ${ttlSeconds}.`,\n );\n }\n\n const tableName = resolveTableName(options.tableName);\n const now = (options.now ?? defaultNow)();\n const sk = encodeSortKey(input.eventId, input.attempt);\n const expiresAt = Math.floor(now.getTime() / 1000) + ttlSeconds;\n\n try {\n await dynamodb.send(\n new PutItemCommand({\n TableName: tableName,\n Item: {\n consumerName: { S: input.consumerName },\n sk: { S: sk },\n eventId: { S: input.eventId },\n attempt: { N: String(input.attempt) },\n recordedAt: { S: now.toISOString() },\n expiresAt: { N: String(expiresAt) },\n },\n ConditionExpression:\n \"attribute_not_exists(consumerName) AND attribute_not_exists(sk)\",\n }),\n );\n return { recorded: true };\n } catch (err) {\n if (err instanceof ConditionalCheckFailedException) {\n return { recorded: false, alreadyProcessed: true };\n }\n throw err;\n }\n}\n\n/* Standalone primitive — flips `failed: true` on an existing dedup row. /\nexport async function markFailed(\n dynamodb: DynamoDBClient,\n input: MarkFailedInput,\n options: WorkflowDedupClientOptions = {},\n): Promise<void> {\n assertConsumerName(input.consumerName);\n assertPositiveInteger(input.attempt, \"attempt\");\n if (input.reason.length === 0) {\n throw new WorkflowDedupInvalidInputError(\"reason must be non-empty.\");\n }\n\n const tableName = resolveTableName(options.tableName);\n const now = (options.now ?? defaultNow)();\n const sk = encodeSortKey(input.eventId, input.attempt);\n\n await dynamodb.send(\n new UpdateItemCommand({\n TableName: tableName,\n Key: {\n consumerName: { S: input.consumerName },\n sk: { S: sk },\n },\n UpdateExpression:\n \"SET #failed = :failed, #failureReason = :reason, #failedAt = :failedAt\",\n ExpressionAttributeNames: {\n \"#failed\": \"failed\",\n \"#failureReason\": \"failureReason\",\n \"#failedAt\": \"failedAt\",\n },\n ExpressionAttributeValues: {\n \":failed\": { BOOL: true },\n \":reason\": { S: input.reason },\n \":failedAt\": { S: now.toISOString() },\n },\n }),\n );\n}\n\n/* Compose the composite sort key per the TR-015 encoding. /\nexport function encodeSortKey(eventId: string, attempt: number): string {\n if (eventId.length === 0) {\n throw new WorkflowDedupInvalidInputError(\"eventId must be non-empty.\");\n }\n return `${eventId}#${attempt}`;\n}\n\nfunction resolveTableName(explicit?: string): string {\n const name = explicit ?? process.env[WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR];\n if (!name) {\n throw new WorkflowDedupTableNameMissingError(\n `Workflow dedup table name not set. Pass options.tableName or set ${WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR}.`,\n );\n }\n return name;\n}\n\nfunction assertConsumerName(consumerName: string): void {\n if (consumerName.length === 0) {\n throw new WorkflowDedupInvalidInputError(\"consumerName must be non-empty.\");\n }\n if (consumerName.length > WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH) {\n throw new WorkflowDedupInvalidInputError(\n `consumerName must be ≤${WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH} chars; got ${consumerName.length}.`,\n );\n }\n if (/\\s/.test(consumerName)) {\n throw new WorkflowDedupInvalidInputError(\n \"consumerName must not contain whitespace.\",\n );\n }\n}\n\nfunction assertPositiveInteger(value: number, field: string): void {\n if (!Number.isInteger(value) \|\| value < 1) {\n throw new WorkflowDedupInvalidInputError(\n `${field} must be a 1-indexed integer; got ${value}.`,\n );\n }\n}\n\nfunction defaultNow(): Date {\n return new Date();\n}\n\n/* Thrown when the dedup table name cannot be resolved. /\nexport class WorkflowDedupTableNameMissingError extends Error {\n /* @param message - human-readable description. /\n constructor(message: string) {\n super(message);\n this.name = \"WorkflowDedupTableNameMissingError\";\n }\n}\n\n/* Thrown when an input violates a TR-015 invariant. /\nexport class WorkflowDedupInvalidInputError extends Error {\n /* @param message - human-readable description. /\n constructor(message: string) {\n super(message);\n this.name = \"WorkflowDedupInvalidInputError\";\n }\n}\n","export {\n WORKFLOW_DEDUP_DEFAULT_TTL_SECONDS,\n WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH,\n WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR,\n} from \"./env\";\nexport {\n WorkflowDedupInvalidInputError,\n WorkflowDedupTableNameMissingError,\n encodeSortKey,\n markFailed,\n recordIfAbsent,\n workflowDedupClient,\n} from \"./workflow-dedup-client\";\nexport type {\n MarkFailedInput,\n RecordIfAbsentInput,\n RecordIfAbsentResult,\n WorkflowDedupClient,\n WorkflowDedupClientOptions,\n} from \"./workflow-dedup-client\";\n","export {\n ENVELOPE_VERSION,\n isSupportedEnvelopeVersion,\n} from \"./envelope-version\";\nexport {\n MissingActorContextError,\n isWorkflowSystemActor,\n isWorkflowUserActor,\n workflowUserActorFromClaims,\n} from \"./envelope\";\nexport type {\n WorkflowActor,\n WorkflowEvent,\n WorkflowSystemActor,\n WorkflowUserActor,\n} from \"./envelope\";\nexport {\n DEFAULT_BUS_NAME_BY_SOURCE,\n OPENHI_CONTROL_SOURCE,\n OPENHI_DATA_SOURCE,\n OPENHI_OPS_SOURCE,\n} from \"./sources\";\nexport type { OpenHiSource } from \"./sources\";\nexport {\n ControlPlaneMembershipCreatedV1,\n ControlPlaneMembershipDeletedV1,\n ControlPlaneOwningDeleteCompleteV1,\n ControlPlaneOwningDeleteFailedV1,\n ControlPlaneOwningDeleteV1,\n ControlPlaneRenameCompleteV1,\n ControlPlaneRenameFailedV1,\n ControlPlaneRenameV1,\n ControlPlaneRoleAssignmentCreatedV1,\n ControlPlaneRoleAssignmentDeletedV1,\n ControlPlaneWorkspaceCreatedV1,\n ControlPlaneWorkspaceDeletedV1,\n InvalidDetailTypeRegistrationError,\n OWNING_ENTITY_TYPE,\n PlatformDeploymentCompletedV1,\n PlatformSystemDataSeededV1,\n RENAMABLE_ENTITY_TYPE,\n defineDetailType,\n isWellFormedDetailType,\n} from \"./detail-types\";\nexport type {\n ControlPlaneMembershipChangedV1Detail,\n ControlPlaneOwningDeleteCompleteV1Detail,\n ControlPlaneOwningDeleteFailedV1Detail,\n ControlPlaneOwningDeleteV1Detail,\n ControlPlaneRenameCompleteV1Detail,\n ControlPlaneRenameFailedV1Detail,\n ControlPlaneRenameV1Detail,\n ControlPlaneRoleAssignmentChangedV1Detail,\n ControlPlaneWorkspaceChangedV1Detail,\n OwningEntityType,\n PlatformDeploymentCompletedV1Detail,\n PlatformSystemDataSeededV1Detail,\n RenamableEntityType,\n WorkflowDetailTypeEntry,\n} from \"./detail-types\";\nexport {\n WorkflowPublishError,\n publishWorkflowEvent,\n workflowsClient,\n} from \"./publisher\";\nexport type {\n PublishContext,\n PublishResult,\n PublisherOptions,\n WorkflowsClient,\n} from \"./publisher\";\nexport {\n InvalidWorkflowEventError,\n UnsupportedEnvelopeVersionError,\n parseWorkflowEvent,\n} from \"./consumer\";\nexport type {\n DedupKey,\n EventBridgeEventLike,\n ParsedWorkflowEvent,\n} from \"./consumer\";\nexport {\n WORKFLOW_DEDUP_DEFAULT_TTL_SECONDS,\n WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH,\n WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR,\n WorkflowDedupInvalidInputError,\n WorkflowDedupTableNameMissingError,\n encodeSortKey,\n markFailed,\n recordIfAbsent,\n workflowDedupClient,\n} from \"./dedup\";\nexport type {\n MarkFailedInput,\n RecordIfAbsentInput,\n RecordIfAbsentResult,\n WorkflowDedupClient,\n WorkflowDedupClientOptions,\n} from \"./dedup\";\n","import {\n reconcileAllCountersOperation,\n type CounterReconcileReport,\n} from \"../../../data/operations/control/counters/counter-reconcile-driver\";\n\n/\n @see sites/www-docs/content/packages/@openhi/constructs/workflows/control-plane/counter-reconciliation/counter-reconciliation-handler.md\n \n ADR-028 counter-reconciliation job handler. Invoked on demand (manual\n * `aws lambda invoke`, an operator runbook, or a scheduled trigger) — not\n * an EventBridge consumer. Walks every canonical Tenant / Workspace /\n * User, recomputes the denormalized counters from canonical data, repairs\n * any drift with a `SET` write, and logs the per-counter old → new drift\n * report.\n \n Idempotent by construction: each per-target recompute writes the\n * absolute recomputed value, so a second run over unchanged data corrects\n * nothing and reports zero drift. That is why the job needs no dedup\n * circuit-breaker (unlike the event-driven counter-maintenance consumer,\n * whose atomic ADDs are not idempotent).\n /\n\n/* Dependency seam for tests; production wires the real driver. /\nexport interface CounterReconciliationDependencies {\n /\n Run the full reconciliation sweep. Defaults to\n * {@link reconcileAllCountersOperation}; tests inject a fake.\n /\n readonly reconcileAll: () => Promise<CounterReconcileReport>;\n}\n\n/\n Test-visible orchestrator. The production `handler` calls this with the\n * real driver; unit tests inject a fake. Returns the drift report so an\n * invoker (or test) can assert on what was corrected.\n /\nexport const runCounterReconciliation = async (\n deps: CounterReconciliationDependencies,\n): Promise<CounterReconcileReport> => {\n const report = await deps.reconcileAll();\n\n // Structured, loggable summary. One JSON line so a log query can pluck\n // the totals; the full per-counter drift list rides along for an audit.\n console.log(\n JSON.stringify({\n message: \"counter-reconciliation complete\",\n scanned: report.scanned,\n countersCorrected: report.countersCorrected,\n drift: report.drift,\n }),\n );\n\n return report;\n};\n\nconst productionDependencies = (): CounterReconciliationDependencies => ({\n reconcileAll: () => reconcileAllCountersOperation(),\n});\n\nexport const handler = async (): Promise<CounterReconcileReport> =>\n runCounterReconciliation(productionDependencies());\n","import { Service } from \"electrodb\";\nimport { defaultTableName, dynamoClient } from \"./dynamo-client\";\nimport { ConfigurationEntity } from \"./entities/control/configuration-entity\";\nimport { ConfigurationUserProjectionEntity } from \"./entities/control/configuration-user-projection-entity\";\nimport { ConfigurationWorkspaceProjectionEntity } from \"./entities/control/configuration-workspace-projection-entity\";\nimport { MembershipEntity } from \"./entities/control/membership-entity\";\nimport { MembershipUserProjectionEntity } from \"./entities/control/membership-user-projection-entity\";\nimport { MembershipWorkspaceProjectionEntity } from \"./entities/control/membership-workspace-projection-entity\";\nimport { RoleEntity } from \"./entities/control/role-entity\";\nimport { RoleAssignmentEntity } from \"./entities/control/roleassignment-entity\";\nimport { RoleAssignmentUserProjectionEntity } from \"./entities/control/roleassignment-user-projection-entity\";\nimport { RoleAssignmentWorkspaceProjectionEntity } from \"./entities/control/roleassignment-workspace-projection-entity\";\nimport { TenantEntity } from \"./entities/control/tenant-entity\";\nimport { UserEntity } from \"./entities/control/user-entity\";\nimport { WorkspaceEntity } from \"./entities/control/workspace-entity\";\n\n/\n Control-plane entities only (service \"control\"). Same table as data plane; use\n * DynamoDataService for data-plane entities.\n * @see sites/www-docs/content/packages/@openhi/constructs/data/dynamo/single-table-design.md\n * @see sites/www-docs/content/architecture/adr/2026-03-03-01-tenant-isolated-vs-non-tenant-isolated-entities.md\n /\n\nconst controlPlaneEntities = {\n configuration: ConfigurationEntity,\n configurationUserProjection: ConfigurationUserProjectionEntity,\n configurationWorkspaceProjection: ConfigurationWorkspaceProjectionEntity,\n membership: MembershipEntity,\n membershipUserProjection: MembershipUserProjectionEntity,\n membershipWorkspaceProjection: MembershipWorkspaceProjectionEntity,\n role: RoleEntity,\n roleAssignment: RoleAssignmentEntity,\n roleAssignmentUserProjection: RoleAssignmentUserProjectionEntity,\n roleAssignmentWorkspaceProjection: RoleAssignmentWorkspaceProjectionEntity,\n tenant: TenantEntity,\n user: UserEntity,\n workspace: WorkspaceEntity,\n};\n\nconst controlPlaneService = new Service(controlPlaneEntities, {\n table: defaultTableName,\n client: dynamoClient,\n});\n\n/\n Control-plane service: entities for configuration and control. Use with the\n * data store table (PK, SK, GSI1; UserEntity also uses GSI2).\n \n `transaction` exposes ElectroDB's `service.transaction.write` /\n * `service.transaction.get` builders so the operations-layer multi-write\n * helper (#1010, ADR-018) can compose `TransactWriteItems` across the\n * control-plane entities.\n /\nexport const DynamoControlService = {\n entities: controlPlaneService.entities,\n transaction: controlPlaneService.transaction,\n};\n\nexport type DynamoControlServiceType = typeof DynamoControlService;\n\n/\n Returns the control-plane service. Table name is resolved from tableName (optional override),\n * then DYNAMO_TABLE_NAME, then \"jesttesttable\".\n /\nexport function getDynamoControlService(\n tableName?: string,\n): DynamoControlServiceType {\n const resolved = tableName ?? defaultTableName;\n const service = new Service(controlPlaneEntities, {\n table: resolved,\n client: dynamoClient,\n });\n return {\n entities: service.entities,\n transaction: service.transaction,\n };\n}\n","import { DynamoDBClient } from \"@aws-sdk/client-dynamodb\";\n\n/\n DynamoDB table name for the data store. Set via DYNAMO_TABLE_NAME at runtime\n * (e.g. from Lambda env); defaults for local/test.\n /\nexport const defaultTableName =\n process.env.DYNAMO_TABLE_NAME ?? \"jesttesttable\";\n\n/\n DynamoDB client. When MOCK_DYNAMODB_ENDPOINT is set (e.g. local DynamoDB or\n * jest-dynalite), uses that endpoint with no SSL and region \"local\".\n /\nexport const dynamoClient = new DynamoDBClient({\n ...(process.env.MOCK_DYNAMODB_ENDPOINT && {\n endpoint: process.env.MOCK_DYNAMODB_ENDPOINT,\n sslEnabled: false,\n region: \"local\",\n }),\n});\n","import { Entity } from \"electrodb\";\nimport { gsi1ShardAttribute } from \"./control-entity-common\";\n\n/\n Configuration data-store entity (single-table store).\n \n Classification (ADR 2026-03-03-01): Partially tenant-isolated, control plane. Cascade of scope\n * levels: resolution order user → workspace → tenant → baseline. Sentinels: tenantId \"BASELINE\" for\n * baseline tier; workspaceId/userId/roleId \"-\" for absent dimension.\n \n Key structure: PK = CONFIG#TID#<tenantId>#WID#<workspaceId>#UID#<userId>#RID#<roleId>,\n * SK = KEY#<key>#SK#<sk>. Uniqueness: one Configuration per (tenantId, workspaceId, userId, roleId, key).\n * Standard attributes and key-building conventions align with single-table design.\n \n GSI1 — Unified Sharded List per ADR-011: lists all Configuration entries in a tenant/workspace\n * across the four shards.\n \n @see sites/www-docs/content/architecture/adr/2026-03-03-01-tenant-isolated-vs-non-tenant-isolated-entities.md\n * @see sites/www-docs/content/packages/@openhi/constructs/data/dynamo/entities/configuration.md\n * @see sites/www-docs/content/architecture/control-plane/configuration.md\n * @see sites/www-docs/content/packages/@openhi/constructs/data/dynamo/single-table-design.md\n * @see sites/www-docs/content/packages/@openhi/constructs/data/dynamo/entity-standards.md — Key-building conventions (keys built inside entity)\n /\nexport const ConfigurationEntity = new Entity({\n model: {\n entity: \"configuration\",\n service: \"control\",\n version: \"01\",\n },\n attributes: {\n /* Sort key. \"CURRENT\" for current version; version history in S3. /\n sk: {\n type: \"string\" as const,\n required: true,\n default: \"CURRENT\",\n },\n /* Tenant scope. Use \"BASELINE\" when the config is baseline default (no tenant). /\n tenantId: {\n type: \"string\" as const,\n required: true,\n default: \"BASELINE\",\n },\n /* Workspace scope. Use \"-\" when absent. /\n workspaceId: {\n type: \"string\" as const,\n required: true,\n default: \"-\",\n },\n /* User scope. Use \"-\" when absent. /\n userId: {\n type: \"string\" as const,\n required: true,\n default: \"-\",\n },\n /* Role scope. Use \"-\" when absent. /\n roleId: {\n type: \"string\" as const,\n required: true,\n default: \"-\",\n },\n /* Config type (category), e.g. endpoints, branding, display. /\n key: {\n type: \"string\" as const,\n required: true,\n },\n /* FHIR Resource.id; logical id in URL and for the Configuration resource. /\n id: {\n type: \"string\" as const,\n required: true,\n },\n /* Payload as JSON string. JSON.stringify(resource) on write; JSON.parse(item.resource) on read. /\n resource: {\n type: \"string\" as const,\n required: true,\n },\n /\n Summary projection (key display fields as JSON string: id, key, status).\n * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.\n /\n summary: {\n type: \"string\" as const,\n required: true,\n },\n /* Version id (e.g. ULID). Tracks current version; S3 history key. /\n vid: {\n type: \"string\" as const,\n required: true,\n },\n lastUpdated: {\n type: \"string\" as const,\n required: true,\n },\n gsi1Shard: gsi1ShardAttribute,\n deleted: {\n type: \"boolean\" as const,\n required: false,\n },\n bundleId: {\n type: \"string\" as const,\n required: false,\n },\n msgId: {\n type: \"string\" as const,\n required: false,\n },\n },\n indexes: {\n /* Base table: PK, SK (data store key names). PK is built from tenantId, workspaceId, userId, roleId; SK is built from key and sk. Do not supply PK or SK from outside. /\n record: {\n pk: {\n field: \"PK\",\n composite: [\"tenantId\", \"workspaceId\", \"userId\", \"roleId\"],\n template:\n \"CONFIG#TID#${tenantId}#WID#${workspaceId}#UID#${userId}#RID#${roleId}\",\n },\n sk: {\n field: \"SK\",\n composite: [\"key\", \"sk\"],\n template: \"KEY#${key}#SK#${sk}\",\n },\n },\n\n /\n GSI1 — Unified Sharded List per ADR-011: list all Configuration entries for a\n * (tenant, workspace) across the four shards. Use for \"list configs scoped to this tenant\"\n * (workspaceId = \"-\") or \"list configs scoped to this workspace\". Does not support\n * hierarchical resolution in one query; use base table GetItem in fallback order\n * (user → workspace → tenant → baseline) for that.\n * SK is `<key>#<id>` — Configuration's `key` is a required entity attribute (the\n * config category: endpoints, branding, display, …) and the natural sort/lookup\n * dimension. `casing: \"none\"` preserves the literal key value.\n /\n gsi1: {\n index: \"GSI1\",\n pk: {\n field: \"GSI1PK\",\n composite: [\"tenantId\", \"workspaceId\", \"gsi1Shard\"],\n template:\n \"TID#${tenantId}#WID#${workspaceId}#RT#Configuration#SHARD#${gsi1Shard}\",\n },\n sk: {\n field: \"GSI1SK\",\n casing: \"none\" as const,\n composite: [\"key\", \"id\"],\n template: \"${key}#${id}\",\n },\n },\n },\n});\n","import { extractLabel, normalizeLabel } from \"@openhi/types\";\nimport { computeShard } from \"../../shard\";\n\n/\n Shared GSI1 shard attribute for control-plane entities.\n \n Control-plane entities (User, Tenant, Workspace, Membership, Role, RoleAssignment,\n * Configuration) use the same `TID#/WID#/RT#/SHARD#` PK shape on GSI1 as data-plane\n * FHIR resources per ADR-011. The shard index is derived deterministically from `id`\n * via `computeShard` so updates always land on the same shard. Stored as a string\n * because it appears as a literal segment in the GSI1 PK template; the underlying\n * value is 0..3.\n \n Not `required` because the value is derived via `watch`/`set`; ElectroDB's\n * required-field check runs before watch propagation, so callers must not fail\n * validation on a derived field.\n /\nexport const gsi1ShardAttribute = {\n type: \"string\" as const,\n watch: [\"id\"] as const,\n set: (_val?: string, item?: { id?: string }) => {\n if (typeof item?.id !== \"string\" \|\| item.id.length === 0) {\n return undefined;\n }\n return String(computeShard(item.id));\n },\n};\n\n/\n Shared GSI1 sort-key attribute for control-plane entities.\n \n Derives the GSI1SK value at write time from the entity's `resource` JSON\n * string, applying the same label-extraction strategy as the data plane\n * (DR-004 / `@openhi/types` `extractLabel`). When the resource carries a\n * natural label (Tenant.name, Workspace.name, Configuration.key, …) the\n * sort key is `<normalizedLabel>#<id>` so list endpoints sort alphabetically\n * and `BEGINS_WITH` queries serve prefix searches. When no label is\n * extractable, falls back to `<entity.lastUpdated>#<id>` for stable\n * reverse-chronological ordering.\n \n Falls back gracefully on malformed `resource` payloads — JSON parse\n * failures and missing fields both route to the lastUpdated fallback so a\n * single bad write never blocks an entity put. The entity-level\n * `lastUpdated` is preferred over `resource.meta.lastUpdated` so the\n * fallback uses the authoritative timestamp the entity write supplies.\n \n Not `required` because the value is derived via `watch`/`set`.\n /\nexport const gsi1skAttribute = {\n type: \"string\" as const,\n watch: [\"resource\", \"lastUpdated\", \"id\"] as const,\n set: (\n _val?: string,\n item?: { resource?: string; lastUpdated?: string; id?: string },\n ) => {\n const id = typeof item?.id === \"string\" ? item.id : \"\";\n const lastUpdated =\n typeof item?.lastUpdated === \"string\" ? item.lastUpdated : \"\";\n const fallback = `${lastUpdated}#${id}`;\n\n if (typeof item?.resource !== \"string\" \|\| item.resource.length === 0) {\n return fallback;\n }\n\n let parsed: unknown;\n try {\n parsed = JSON.parse(item.resource);\n } catch {\n return fallback;\n }\n if (!parsed \|\| typeof parsed !== \"object\") return fallback;\n const resourceType = (parsed as { resourceType?: unknown }).resourceType;\n if (typeof resourceType !== \"string\") return fallback;\n\n const label = extractLabel(parsed as Parameters<typeof extractLabel>[0]);\n return label !== undefined ? `${label}#${id}` : fallback;\n },\n};\n\n/\n Extract a roleId from a RoleAssignment resource payload. Looks first at\n * a flat top-level `roleId` string, then at a FHIR-style `role.reference`\n * (e.g. `Role/<id>`). Returns `undefined` when neither shape is present\n * or the field is malformed — callers fall back to the generic GSI1SK\n * derivation in that case so a single bad write never blocks an entity put.\n /\nfunction extractRoleId(resource: Record<string, unknown>): string \| undefined {\n const flat = resource.roleId;\n if (typeof flat === \"string\" && flat.length > 0) return flat;\n\n const role = resource.role;\n if (role && typeof role === \"object\") {\n const reference = (role as { reference?: unknown }).reference;\n if (typeof reference === \"string\" && reference.length > 0) {\n const slash = reference.lastIndexOf(\"/\");\n const tail = slash >= 0 ? reference.slice(slash + 1) : reference;\n if (tail.length > 0) return tail;\n }\n }\n return undefined;\n}\n\n/\n RoleAssignment-specific GSI1 sort-key attribute (ADR-018 pattern #8 —\n * \"users with a specific role in a tenant, sorted by user name\").\n \n Composes the canonical-row GSI1SK as the discriminator-first shape\n * `<roleId>#<normalizedUserName>#<id>` so a GSI1 query partitioned on\n * the tenant can `begins_with('<roleId>#')` to enumerate every user\n * assigned to a given role, sorted by user name.\n \n - `<roleId>` is read from a flat `resource.roleId` field, falling back\n * to the slug after the final `/` in `resource.role.reference` (the\n * FHIR Reference shape). Sorting on `roleId` rather than the role's\n * display name means a Role rename does not cascade onto this index\n * (TR-024 / ADR-018 § Implementation Notes).\n * - `<normalizedUserName>` is `normalizeLabel(denormalizedUserName)` —\n * the top-level denormalized field promoted in #1009 (TR-024 rule 3:\n * canonical-record symmetry).\n \n Falls back to `gsi1skAttribute`'s `<lastUpdated>#<id>` shape when\n * either component is missing or malformed, so pre-TR-024 rows and\n * malformed payloads still produce a valid sort key.\n \n Not `required` because the value is derived via `watch`/`set`.\n \n @see ADR-018 § Access Pattern Coverage — pattern #8\n * @see TR-024 — Denormalized display-name attributes\n /\nexport const roleAssignmentGsi1skAttribute = {\n type: \"string\" as const,\n watch: [\"resource\", \"denormalizedUserName\", \"lastUpdated\", \"id\"] as const,\n set: (\n _val?: string,\n item?: {\n resource?: string;\n denormalizedUserName?: string;\n lastUpdated?: string;\n id?: string;\n },\n ) => {\n const id = typeof item?.id === \"string\" ? item.id : \"\";\n const lastUpdated =\n typeof item?.lastUpdated === \"string\" ? item.lastUpdated : \"\";\n const fallback = `${lastUpdated}#${id}`;\n\n if (typeof item?.resource !== \"string\" \|\| item.resource.length === 0) {\n return fallback;\n }\n\n let parsed: unknown;\n try {\n parsed = JSON.parse(item.resource);\n } catch {\n return fallback;\n }\n if (!parsed \|\| typeof parsed !== \"object\") return fallback;\n\n const roleId = extractRoleId(parsed as Record<string, unknown>);\n if (roleId === undefined) return fallback;\n\n const denormalizedUserName =\n typeof item.denormalizedUserName === \"string\"\n ? item.denormalizedUserName\n : \"\";\n const normalizedUserName =\n denormalizedUserName.length > 0\n ? normalizeLabel(denormalizedUserName)\n : \"\";\n if (normalizedUserName.length === 0) return fallback;\n\n return `${roleId}#${normalizedUserName}#${id}`;\n },\n};\n\n/\n Membership-specific GSI1 sort-key attribute (ADR-018 pattern #1 —\n * \"users in a tenant, sorted by user name\").\n \n Composes the canonical-row GSI1SK as `<normalizedUserName>#<id>` so a\n * GSI1 query partitioned on the tenant range-scans by user-name prefix\n * and returns memberships sorted alphabetically by user name. No role\n * discriminator goes in front — pattern #1 is user-name-first.\n \n - `<normalizedUserName>` is `normalizeLabel(denormalizedUserName)` —\n * the top-level denormalized field promoted in #1009 (TR-024 rule 3:\n * canonical-record symmetry).\n \n Falls back to `gsi1skAttribute`'s `<lastUpdated>#<id>` shape when\n * `denormalizedUserName` is missing, so pre-TR-024 rows and malformed\n * payloads still produce a valid sort key.\n \n Not `required` because the value is derived via `watch`/`set`.\n \n @see ADR-018 § Access Pattern Coverage — pattern #1\n * @see TR-024 — Denormalized display-name attributes\n /\nexport const membershipGsi1skAttribute = {\n type: \"string\" as const,\n watch: [\"denormalizedUserName\", \"lastUpdated\", \"id\"] as const,\n set: (\n _val?: string,\n item?: {\n denormalizedUserName?: string;\n lastUpdated?: string;\n id?: string;\n },\n ) => {\n const id = typeof item?.id === \"string\" ? item.id : \"\";\n const lastUpdated =\n typeof item?.lastUpdated === \"string\" ? item.lastUpdated : \"\";\n const fallback = `${lastUpdated}#${id}`;\n\n const denormalizedUserName =\n typeof item?.denormalizedUserName === \"string\"\n ? item.denormalizedUserName\n : \"\";\n const normalizedUserName =\n denormalizedUserName.length > 0\n ? normalizeLabel(denormalizedUserName)\n : \"\";\n if (normalizedUserName.length === 0) {\n return fallback;\n }\n\n return `${normalizedUserName}#${id}`;\n },\n};\n","/\n Shard selection for the data-plane single-table GSI1 partitioning per ADR-011.\n \n GSI1's partition key embeds a `SHARD#<n>` segment with `n = computeShard(id)`.\n * The hash is deterministic so updates to the same resource id always land on\n * the same shard (no cross-shard migration on update); reads fan out to all\n * shards in parallel and merge by SK.\n \n @see sites/www-docs/content/architecture/adr/ — ADR-011 (single-table DynamoDB)\n /\n\n/* Number of shards in the GSI1 partition key. Fixed at 4 in v1; raising it later is a backfill, not a schema migration. /\nexport const SHARD_COUNT = 4;\n\n/\n Returns a deterministic shard index in [0, SHARD_COUNT) for the given resource id.\n \n Implementation: 32-bit FNV-1a over the UTF-16 code units of the id, modulo SHARD_COUNT.\n * The function is pure and stable; the same id always returns the same shard.\n \n ESLint's `no-bitwise` rule is disabled inside this function because FNV-1a is\n * defined in terms of XOR and unsigned-right-shift — the bitwise ops are the\n * algorithm, not an accidental logical-operator confusion.\n /\nexport function computeShard(id: string): number {\n / eslint-disable no-bitwise /\n let hash = 0x811c9dc5;\n for (let i = 0; i < id.length; i++) {\n hash ^= id.charCodeAt(i);\n hash = Math.imul(hash, 0x01000193);\n }\n return (hash >>> 0) % SHARD_COUNT;\n / eslint-enable no-bitwise /\n}\n","import { Entity } from \"electrodb\";\n\n/\n Configuration user-projection entity (single-table store, no GSI).\n \n ADR-018 adjacency-list projection — pattern #10 (user-scope half).\n * For every user-scoped Configuration write the operations-layer\n * multi-write helper writes one projection row under the user partition\n * so the user-rooted access pattern #10 is served by a single\n * base-table `Query` with no GSI hop:\n \n \| Pattern \| When \| PK \| SK \|\n * \|---\|---\|---\|---\|\n * \| #10 user-scope \| Configuration is user-scoped (`userId !== \"-\"`) \| `USER#ID#<userId>` \| `CONFIGURATION#<normalizedConfigName>#<configurationId>` \|\n \n `<normalizedConfigName>` derives from Configuration's `key` attribute\n * (the canonical name dimension — Configuration carries no `displayName`\n * per TR-024 § Open Item #5, so `key` is the natural sort source). The\n * SK shape is operation-owned: the operations-layer projection writer\n * composes the SK string via `buildConfigurationUserProjectionSk` and\n * supplies it on the `sk` attribute. This entity stores the SK verbatim —\n * no `watch`/derived computation here — so the SK grammar (and any\n * future revision) lives in one place: the operations layer.\n \n Projection attribute set per ADR-018 § Projection attribute set and\n * the implementation guide § 2: `summary`, `vid`, `lastUpdated` (so\n * `Query(PK = USER#ID#<userId>, SK begins_with 'CONFIGURATION#')` is\n * self-sufficient — no BatchGet hop to the canonical record), plus the\n * projection-discriminating fields (`configurationId`, `userId`,\n * `tenantId`, `scope`).\n \n Cross-tenant partition. Unlike Membership/RoleAssignment-workspace\n * partitions, the Configuration user-projection's PK carries no tenant\n * prefix — a user's user-scoped Configurations are cross-tenant by\n * design (a user may carry preferences that follow them across tenant\n * memberships). This mirrors the RoleAssignment user-projection partition.\n \n No GSI projection. Per ADR-018 § Decision, cross-cutting reads\n * are served by the main-table partition `USER#ID#<userId>`; the\n * GSI1/GSI2 catalog is unchanged. Tenant-scoped Configurations\n * continue to use the canonical GSI1 path (ADR-011) unchanged.\n \n @see ADR-018 § Access Pattern Coverage (#10 — user-scope half)\n * @see .state/adr-018-implementation-guide.md § 1 (SK grammar) and § 2 (attribute set)\n * @see .claude/rules/data-layer-layout.md — projection writers live in operations, not here\n /\nexport const ConfigurationUserProjectionEntity = new Entity({\n model: {\n entity: \"configurationUserProjection\",\n service: \"control\",\n version: \"01\",\n },\n attributes: {\n /\n User partition discriminator. Renders as `USER#ID#<userId>` on the\n * base-table PK. Always required — the projection has no meaning\n * outside a user partition.\n /\n userId: {\n type: \"string\" as const,\n required: true,\n },\n /\n Pre-composed sort key — built by the operations-layer projection\n * writer via `buildConfigurationUserProjectionSk`. The entity stores\n * the value verbatim so the SK grammar (pattern #10 user-scope) is\n * owned by the operations layer, not duplicated here.\n /\n sk: {\n type: \"string\" as const,\n required: true,\n },\n /\n Configuration canonical-record id. Stored as a discriminating\n * field so consumers can hydrate the canonical row via the\n * Configuration get-by-id operation when the projection's `summary`\n * is insufficient.\n /\n configurationId: {\n type: \"string\" as const,\n required: true,\n },\n /\n Tenant the Configuration is associated with. The canonical row\n * keys off `(tenantId, workspaceId, userId, roleId)`; the projection\n * carries `tenantId` so consumers reconstructing the canonical PK\n * have the tenant segment without a hop.\n /\n tenantId: {\n type: \"string\" as const,\n required: true,\n },\n /\n Scope marker. Always `\"user\"` on this projection — recorded\n * explicitly so future scope-bearing projections (workspace,\n * tenant, role) can share filter semantics in a unified\n * cross-projection list query if one ever lands.\n /\n scope: {\n type: \"string\" as const,\n required: true,\n default: \"user\",\n },\n /\n Configuration's `key` attribute (config category, e.g. endpoints,\n * branding, display). Mirrored from the canonical row so consumers\n * reading the projection get the natural display label without a\n * BatchGet hop. Doubles as the source of `<normalizedConfigName>` in\n * the SK.\n /\n displayName: {\n type: \"string\" as const,\n required: false,\n },\n /\n Summary projection (key display fields as JSON string) — mirrored\n * from the canonical Configuration row so user-partition queries do\n * not need a BatchGet hop.\n /\n summary: {\n type: \"string\" as const,\n required: true,\n },\n /* Version id mirrored from the canonical Configuration row. /\n vid: {\n type: \"string\" as const,\n required: true,\n },\n /* Last-updated timestamp mirrored from the canonical Configuration row. /\n lastUpdated: {\n type: \"string\" as const,\n required: true,\n },\n },\n indexes: {\n /\n Base table: PK = USER#ID#\\<userId\\>, SK = operation-supplied. A\n * single `Query(PK = USER#ID#<userId>, SK begins_with 'CONFIGURATION#')`\n * returns the user's user-scoped Configurations sorted by\n * `<normalizedConfigName>` (then `<configurationId>` as the\n * tiebreaker).\n /\n record: {\n pk: {\n field: \"PK\",\n composite: [\"userId\"],\n template: \"USER#ID#${userId}\",\n },\n sk: {\n field: \"SK\",\n casing: \"none\" as const,\n composite: [\"sk\"],\n template: \"${sk}\",\n },\n },\n },\n});\n","import { Entity } from \"electrodb\";\n\n/\n Configuration workspace-projection entity (single-table store, no GSI).\n \n ADR-018 adjacency-list projection — pattern #10 (workspace-scope half).\n * For every workspace-scoped Configuration the operations-layer\n * multi-write helper writes one projection row under the workspace\n * partition so the workspace-rooted access pattern #10 is served by a\n * single base-table `Query` with no GSI hop:\n \n \| Pattern \| When \| PK \| SK \|\n * \|---\|---\|---\|---\|\n * \| #10 workspace-scope \| Configuration is workspace-scoped (`workspaceId !== \"-\"`, `userId === \"-\"`) \| `TID#<tenantId>#WORKSPACE#ID#<workspaceId>` \| `CONFIGURATION#<normalizedConfigName>#<configurationId>` \|\n \n The PK co-locates with the canonical Workspace record\n * (`SK = CURRENT`) and the Membership / RoleAssignment workspace-\n * projections (patterns #2, #9), so an admin workspace dashboard can\n * hydrate workspace metadata + member projections + role-assignment\n * projections + workspace-scoped Configurations in a single `Query`.\n \n `<normalizedConfigName>` derives from Configuration's `key` attribute\n * (the canonical name dimension — Configuration carries no `displayName`\n * per TR-024 § Open Item #5, so `key` is the natural sort source). The\n * SK shape is operation-owned: the operations-layer projection writer\n * composes the SK string via `buildConfigurationWorkspaceProjectionSk`\n * and supplies it on the `sk` attribute. This entity stores the SK\n * verbatim — no `watch`/derived computation here — so the SK grammar\n * (and any future revision) lives in one place: the operations layer.\n \n Projection attribute set per ADR-018 § Projection attribute set and\n * the implementation guide § 2: `summary`, `vid`, `lastUpdated` (so\n * `Query(PK = TID#<tenantId>#WORKSPACE#ID#<workspaceId>, SK begins_with 'CONFIGURATION#')`\n * is self-sufficient — no BatchGet hop to the canonical record), plus\n * the projection-discriminating fields (`configurationId`, `workspaceId`,\n * `tenantId`, `scope`).\n \n Tenant-prefixed partition. Unlike the Configuration user-\n * projection (whose PK is `USER#ID#<userId>` with no tenant prefix —\n * a user's user-scoped Configurations are cross-tenant by design),\n * the workspace-projection PK carries the tenant prefix because\n * Workspaces are tenant-scoped per ADR-011. This mirrors the\n * Membership / RoleAssignment workspace-projection partitions.\n \n No GSI projection. Per ADR-018 § Decision, cross-cutting reads\n * are served by the main-table partition\n * `TID#<tenantId>#WORKSPACE#ID#<workspaceId>`; the GSI1/GSI2 catalog\n * is unchanged. Tenant-scoped Configurations continue to use the\n * canonical GSI1 path (ADR-011) unchanged.\n \n @see ADR-018 § Access Pattern Coverage (#10 — workspace-scope half)\n * @see .state/adr-018-implementation-guide.md § 1 (SK grammar) and § 2 (attribute set)\n * @see .claude/rules/data-layer-layout.md — projection writers live in operations, not here\n /\nexport const ConfigurationWorkspaceProjectionEntity = new Entity({\n model: {\n entity: \"configurationWorkspaceProjection\",\n service: \"control\",\n version: \"01\",\n },\n attributes: {\n /\n Tenant the workspace belongs to. Renders as the leading segment\n * of the base-table PK. Always required — the workspace partition\n * is tenant-scoped per ADR-011.\n /\n tenantId: {\n type: \"string\" as const,\n required: true,\n },\n /\n Workspace partition discriminator. Renders as the trailing\n * segment of the base-table PK\n * (`TID#<tenantId>#WORKSPACE#ID#<workspaceId>`). Always required —\n * the projection has no meaning outside a workspace partition.\n /\n workspaceId: {\n type: \"string\" as const,\n required: true,\n },\n /\n Pre-composed sort key — built by the operations-layer projection\n * writer via `buildConfigurationWorkspaceProjectionSk`. The entity\n * stores the value verbatim so the SK grammar (pattern #10\n * workspace-scope) is owned by the operations layer, not\n * duplicated here.\n /\n sk: {\n type: \"string\" as const,\n required: true,\n },\n /\n Configuration canonical-record id. Stored as a discriminating\n * field so consumers can hydrate the canonical row via the\n * Configuration get-by-id operation when the projection's `summary`\n * is insufficient.\n /\n configurationId: {\n type: \"string\" as const,\n required: true,\n },\n /\n Scope marker. Always `\"workspace\"` on this projection — recorded\n * explicitly so future scope-bearing projections (user, tenant,\n * role) can share filter semantics in a unified cross-projection\n * list query if one ever lands.\n /\n scope: {\n type: \"string\" as const,\n required: true,\n default: \"workspace\",\n },\n /\n Configuration's `key` attribute (config category, e.g. endpoints,\n * branding, display). Mirrored from the canonical row so consumers\n * reading the projection get the natural display label without a\n * BatchGet hop. Doubles as the source of `<normalizedConfigName>`\n * in the SK.\n /\n displayName: {\n type: \"string\" as const,\n required: false,\n },\n /\n Summary projection (key display fields as JSON string) — mirrored\n * from the canonical Configuration row so workspace-partition\n * queries do not need a BatchGet hop.\n /\n summary: {\n type: \"string\" as const,\n required: true,\n },\n /* Version id mirrored from the canonical Configuration row. /\n vid: {\n type: \"string\" as const,\n required: true,\n },\n /* Last-updated timestamp mirrored from the canonical Configuration row. /\n lastUpdated: {\n type: \"string\" as const,\n required: true,\n },\n },\n indexes: {\n /\n Base table: PK = TID#<tenantId>#WORKSPACE#ID#<workspaceId>,\n * SK = operation-supplied. A single\n * `Query(PK = TID#<tenantId>#WORKSPACE#ID#<workspaceId>, SK begins_with 'CONFIGURATION#')`\n * returns the workspace's workspace-scoped Configurations sorted by\n * `<normalizedConfigName>` (then `<configurationId>` as the\n * tiebreaker).\n /\n record: {\n pk: {\n field: \"PK\",\n composite: [\"tenantId\", \"workspaceId\"],\n template: \"TID#${tenantId}#WORKSPACE#ID#${workspaceId}\",\n },\n sk: {\n field: \"SK\",\n casing: \"none\" as const,\n composite: [\"sk\"],\n template: \"${sk}\",\n },\n },\n },\n});\n","import { Entity } from \"electrodb\";\nimport {\n gsi1ShardAttribute,\n membershipGsi1skAttribute,\n} from \"./control-entity-common\";\n\n/\n Membership data-store entity (single-table store).\n \n Classification (ADR 2026-03-03-01): Tenant-isolated, control plane. Membership links a User\n * to a Tenant (and optionally a Workspace). One record per (tenantId, id).\n \n Key structure: PK = TID#<tenantId>#MEMBERSHIP#ID#<id>, SK = CURRENT.\n * Uniqueness: one Membership per (tenantId, id).\n \n GSI1 — Unified Sharded List per ADR-011: lists all Memberships in a tenant across the four\n * shards. Membership is tenant-scoped (not workspace-scoped), so the GSI1 PK uses `WID#-` as a\n * sentinel.\n \n @see sites/www-docs/content/architecture/adr/2026-03-03-01-tenant-isolated-vs-non-tenant-isolated-entities.md\n * @see sites/www-docs/content/architecture/adr/2026-03-13-02-control-plane-roles-and-user-tenant-workspace-linkage.md\n * @see sites/www-docs/content/packages/@openhi/constructs/data/dynamo/single-table-design.md\n /\nexport const MembershipEntity = new Entity({\n model: {\n entity: \"membership\",\n service: \"control\",\n version: \"01\",\n },\n attributes: {\n /* Sort key sentinel. Always \"CURRENT\". /\n sk: {\n type: \"string\" as const,\n required: true,\n default: \"CURRENT\",\n },\n /* Tenant in which the user has membership (required). /\n tenantId: {\n type: \"string\" as const,\n required: true,\n },\n /* FHIR Resource.id; membership id. /\n id: {\n type: \"string\" as const,\n required: true,\n },\n /* Full Membership resource serialized as JSON string. /\n resource: {\n type: \"string\" as const,\n required: true,\n },\n /\n Summary projection (key display fields as JSON string: id, displayName, status).\n * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.\n /\n summary: {\n type: \"string\" as const,\n required: true,\n },\n /* Version id (e.g. ULID). /\n vid: {\n type: \"string\" as const,\n required: true,\n },\n lastUpdated: {\n type: \"string\" as const,\n required: true,\n },\n gsi1Shard: gsi1ShardAttribute,\n /\n Derived GSI1 sort key — `<normalizedUserName>#<id>` per ADR-018\n * pattern #1 so a GSI1 query partitioned on the tenant range-scans\n * by user-name prefix and returns memberships sorted by user name.\n * Falls back to `<lastUpdated>#<id>` when `denormalizedUserName`\n * is missing.\n /\n gsi1sk: membershipGsi1skAttribute,\n deleted: {\n type: \"boolean\" as const,\n required: false,\n },\n bundleId: {\n type: \"string\" as const,\n required: false,\n },\n msgId: {\n type: \"string\" as const,\n required: false,\n },\n /\n Denormalized `linked-data-identity` Reference (e.g. `Practitioner/abc`).\n * Populated from the FHIR extension on the Membership resource at write\n * time so future GSIs can index data-plane identity lookups without\n * deserializing the full resource JSON. See ADR 2026-03-13-02 §6.\n /\n linkedDataIdentityRef: {\n type: \"string\" as const,\n required: false,\n },\n /\n Denormalized display name of the linked Tenant, captured at row\n * last-write time. Promoted to a top-level attribute so the ADR-018\n * adjacency-list projection SKs (pattern #3 — `MEMBERSHIP#TENANT#<normalizedTenantName>#…`)\n * can be composed from a top-level field instead of digging into the\n * `resource` JSON. Optional on the schema so pre-TR-024 rows do not\n * break; the operations-layer multi-write helper (#1010) makes the\n * field load-bearing at write time per TR-024 rule 2 (write-time\n * source = canonical Tenant.displayName).\n * @see TR-024 — Denormalized display-name attributes\n /\n denormalizedTenantName: {\n type: \"string\" as const,\n required: false,\n },\n /\n Denormalized display name of the linked User, captured at row\n * last-write time. Promoted to a top-level attribute so the ADR-018\n * adjacency-list canonical-record GSI1SK (pattern #1 —\n * `<normalizedUserName>#<id>`) and workspace-projection SK (pattern #2)\n * can be composed from a top-level field. Optional on the schema so\n * pre-TR-024 rows do not break; the operations-layer multi-write helper\n * (#1010) makes the field load-bearing at write time per TR-024 rule 2\n * (write-time source = canonical User.displayName).\n * @see TR-024 — Denormalized display-name attributes\n /\n denormalizedUserName: {\n type: \"string\" as const,\n required: false,\n },\n },\n indexes: {\n /* Base table: PK = TID#<tenantId>#MEMBERSHIP#ID#<id>, SK = CURRENT. Do not supply PK or SK from outside. /\n record: {\n pk: {\n field: \"PK\",\n composite: [\"tenantId\", \"id\"],\n template: \"TID#${tenantId}#MEMBERSHIP#ID#${id}\",\n },\n sk: {\n field: \"SK\",\n composite: [\"sk\"],\n template: \"${sk}\",\n },\n },\n\n /\n GSI1 — Unified Sharded List per ADR-011: list all Memberships for a tenant across the\n * four shards. Membership is tenant-scoped only, so `WID#-` is a sentinel.\n * SK is derived via `membershipGsi1skAttribute` — composes\n * `<normalizedUserName>#<id>` per ADR-018 pattern #1 (users in a\n * tenant, sorted by user name); falls back to `<lastUpdated>#<id>`\n * when `denormalizedUserName` is missing. `casing: \"none\"` preserves\n * the normalized label and ISO-8601 `T`/`Z`.\n /\n gsi1: {\n index: \"GSI1\",\n pk: {\n field: \"GSI1PK\",\n composite: [\"tenantId\", \"gsi1Shard\"],\n template: \"TID#${tenantId}#WID#-#RT#Membership#SHARD#${gsi1Shard}\",\n },\n sk: {\n field: \"GSI1SK\",\n casing: \"none\" as const,\n composite: [\"gsi1sk\"],\n template: \"${gsi1sk}\",\n },\n },\n },\n});\n","import { Entity } from \"electrodb\";\n\n/\n Membership user-projection entity (single-table store, no GSI).\n \n ADR-018 adjacency-list projection. For every Membership write the\n * operations-layer multi-write helper writes one of two projection rows\n * under the user partition so the user-rooted access patterns #3 and #4\n * are served by a single base-table `Query` with no GSI hop:\n \n \| Pattern \| When \| PK \| SK \|\n * \|---\|---\|---\|---\|\n * \| #3 — tenant sub-lane \| `workspaceId` absent \| `USER#ID#<userId>` \| `MEMBERSHIP#TENANT#<normalizedTenantName>#TID#<tenantId>#<id>` \|\n * \| #4 — workspace sub-lane \| `workspaceId` set \| `USER#ID#<userId>` \| `MEMBERSHIP#WORKSPACE#TID#<tenantId>#<normalizedWorkspaceName>#WID#<workspaceId>#<id>` \|\n \n Both shapes share the user-partition `PK = USER#ID#<userId>`. The SK\n * shape is operation-owned: the operations-layer projection writer\n * composes the SK string via the `buildMembershipUserProjectionSk`\n helpers and supplies it on the `sk` attribute. This entity stores the\n * SK verbatim — no `watch`/derived computation here — so the SK grammar\n * (and any future revision) lives in one place: the operations layer.\n \n Projection attribute set per ADR-018 § Projection attribute set and\n * the implementation guide § 2: `summary`, `vid`, `lastUpdated` (so\n * `Query(PK = USER#ID#<userId>, SK begins_with 'MEMBERSHIP#')` is\n * self-sufficient — no BatchGet hop to the canonical record), plus the\n * projection-discriminating fields (`tenantId`, `userId`, `workspaceId?`,\n * `membershipId`) and TR-024 denormalized display names\n * (`denormalizedTenantName`, `denormalizedUserName`,\n * `denormalizedWorkspaceName?`).\n \n No GSI projection. Per ADR-018 § Decision, cross-cutting reads\n * are served by the main-table partition `USER#ID#<userId>`; the\n * GSI1/GSI2 catalog is unchanged.\n \n @see ADR-018 § Access Pattern Coverage (#3, #4)\n * @see .state/adr-018-implementation-guide.md § 1 (SK grammar) and § 2 (attribute set)\n * @see .claude/rules/data-layer-layout.md — projection writers live in operations, not here\n /\nexport const MembershipUserProjectionEntity = new Entity({\n model: {\n entity: \"membershipUserProjection\",\n service: \"control\",\n version: \"01\",\n },\n attributes: {\n /\n User partition discriminator. Renders as `USER#ID#<userId>` on the\n * base-table PK. Always required — the projection has no meaning\n * outside a user partition.\n /\n userId: {\n type: \"string\" as const,\n required: true,\n },\n /\n Pre-composed sort key — built by the operations-layer projection\n * writer via `buildMembershipUserProjectionSk` helpers. The entity\n stores the value verbatim so the SK grammar (patterns #3 and #4)\n * is owned by the operations layer, not duplicated here.\n /\n sk: {\n type: \"string\" as const,\n required: true,\n },\n /* Tenant in which the membership applies. Always required. /\n tenantId: {\n type: \"string\" as const,\n required: true,\n },\n /\n Workspace the membership scopes to. Present iff the projection\n * row is a pattern-#4 workspace sub-lane row; absent for pattern-#3\n * tenant sub-lane rows.\n /\n workspaceId: {\n type: \"string\" as const,\n required: false,\n },\n /\n Membership canonical-record id. Stored as a discriminating field\n * so consumers can hydrate the canonical row via\n * `MembershipEntity.get({ tenantId, id: membershipId })` when the\n * projection's `summary` is insufficient.\n /\n membershipId: {\n type: \"string\" as const,\n required: true,\n },\n /\n Summary projection (key display fields as JSON string: id,\n * displayName, status) — mirrored from the canonical Membership row\n * so user-partition queries do not need a BatchGet hop.\n /\n summary: {\n type: \"string\" as const,\n required: true,\n },\n /* Version id mirrored from the canonical Membership row. /\n vid: {\n type: \"string\" as const,\n required: true,\n },\n /* Last-updated timestamp mirrored from the canonical Membership row. /\n lastUpdated: {\n type: \"string\" as const,\n required: true,\n },\n /\n Denormalized Tenant display name — required to compose pattern-#3\n * SK (`MEMBERSHIP#TENANT#<normalizedTenantName>#…`). Optional on the\n * schema because pre-TR-024 rows may not carry a display name; the\n * operations layer falls back gracefully when missing.\n /\n denormalizedTenantName: {\n type: \"string\" as const,\n required: false,\n },\n /\n Denormalized User display name — mirrored from the canonical\n * Membership row per TR-024 rule 3 (canonical-record symmetry).\n * Carried on the projection so consumers can render the user's\n * display name without a hop to the User record.\n /\n denormalizedUserName: {\n type: \"string\" as const,\n required: false,\n },\n /\n Denormalized Workspace display name — required to compose\n * pattern-#4 SK (`MEMBERSHIP#WORKSPACE#TID#<tenantId>#<normalizedWorkspaceName>#…`).\n * Optional on the schema (TR-024 § Open Item #4 defers a formal\n * Workspace-rename cascade); the operations layer falls back to a\n * sentinel when missing so the SK still has a valid shape.\n /\n denormalizedWorkspaceName: {\n type: \"string\" as const,\n required: false,\n },\n },\n indexes: {\n /\n Base table: PK = USER#ID#\\<userId\\>, SK = operation-supplied.\n * Both pattern #3 and pattern #4 use this same index — the SK string\n * encodes the lane discriminator (`MEMBERSHIP#TENANT#…` vs\n * `MEMBERSHIP#WORKSPACE#…`) so a single\n * `Query(PK = USER#ID#<userId>, SK begins_with 'MEMBERSHIP#')`\n * returns both lanes interleaved.\n /\n record: {\n pk: {\n field: \"PK\",\n composite: [\"userId\"],\n template: \"USER#ID#${userId}\",\n },\n sk: {\n field: \"SK\",\n casing: \"none\" as const,\n composite: [\"sk\"],\n template: \"${sk}\",\n },\n },\n },\n});\n","import { Entity } from \"electrodb\";\n\n/\n Membership workspace-projection entity (single-table store, no GSI).\n \n ADR-018 adjacency-list projection. For every workspace-scoped\n * Membership the operations-layer multi-write helper writes one\n * projection row under the workspace partition so the workspace-rooted\n * access pattern #2 is served by a single base-table `Query` with no\n * GSI hop:\n \n \| Pattern \| When \| PK \| SK \|\n * \|---\|---\|---\|---\|\n * \| #2 — users in a workspace \| `workspaceId` set \| `TID#<tenantId>#WORKSPACE#ID#<workspaceId>` \| `MEMBERSHIP#<normalizedUserName>#USER#<userId>#<id>` \|\n \n The PK co-locates with the canonical Workspace record\n * (`SK = CURRENT`) so a single `Query(PK = TID#<tenantId>#WORKSPACE#ID#<workspaceId>)`\n * returns workspace metadata + every member projection in one round\n * trip. The SK shape is operation-owned: the operations-layer\n * projection writer composes the SK string via the\n * `buildMembershipWorkspaceProjectionSk` helper and supplies it on the\n * `sk` attribute. This entity stores the SK verbatim — no\n * `watch`/derived computation here — so the SK grammar lives in one\n * place: the operations layer.\n \n Projection attribute set per ADR-018 § Projection attribute set and\n * the implementation guide § 2: `summary`, `vid`, `lastUpdated` (so\n * `Query(PK = TID#<tenantId>#WORKSPACE#ID#<workspaceId>, SK begins_with 'MEMBERSHIP#')`\n * is self-sufficient — no BatchGet hop to the canonical record), plus\n * the projection-discriminating fields (`tenantId`, `workspaceId`,\n * `userId`, `membershipId`) and TR-024 denormalized user display name\n * (`denormalizedUserName`).\n \n No GSI projection. Per ADR-018 § Decision, cross-cutting reads\n * are served by the main-table partition\n * `TID#<tenantId>#WORKSPACE#ID#<workspaceId>`; the GSI1/GSI2 catalog\n * is unchanged.\n \n @see ADR-018 § Access Pattern Coverage (#2)\n * @see .state/adr-018-implementation-guide.md § 1 (SK grammar) and § 2 (attribute set)\n * @see .claude/rules/data-layer-layout.md — projection writers live in operations, not here\n /\nexport const MembershipWorkspaceProjectionEntity = new Entity({\n model: {\n entity: \"membershipWorkspaceProjection\",\n service: \"control\",\n version: \"01\",\n },\n attributes: {\n /\n Tenant the workspace belongs to. Renders as the leading segment\n * of the base-table PK. Always required — the workspace partition\n * is tenant-scoped per ADR-011.\n /\n tenantId: {\n type: \"string\" as const,\n required: true,\n },\n /\n Workspace partition discriminator. Renders as the trailing\n * segment of the base-table PK\n * (`TID#<tenantId>#WORKSPACE#ID#<workspaceId>`). Always required —\n * the projection has no meaning outside a workspace partition.\n /\n workspaceId: {\n type: \"string\" as const,\n required: true,\n },\n /\n Pre-composed sort key — built by the operations-layer projection\n * writer via `buildMembershipWorkspaceProjectionSk`. The entity\n * stores the value verbatim so the SK grammar (pattern #2) is\n * owned by the operations layer, not duplicated here.\n /\n sk: {\n type: \"string\" as const,\n required: true,\n },\n /\n User the membership links. Stored as a discriminating field so\n * consumers can hydrate the canonical User row via\n * `UserEntity.get({ id: userId, sk: \"CURRENT\" })` when the\n * projection's `summary` is insufficient.\n /\n userId: {\n type: \"string\" as const,\n required: true,\n },\n /\n Membership canonical-record id. Stored as a discriminating field\n * so consumers can hydrate the canonical row via\n * `MembershipEntity.get({ tenantId, id: membershipId })` when the\n * projection's `summary` is insufficient.\n /\n membershipId: {\n type: \"string\" as const,\n required: true,\n },\n /\n Summary projection (key display fields as JSON string: id,\n * displayName, status) — mirrored from the canonical Membership row\n * so workspace-partition queries do not need a BatchGet hop.\n /\n summary: {\n type: \"string\" as const,\n required: true,\n },\n /* Version id mirrored from the canonical Membership row. /\n vid: {\n type: \"string\" as const,\n required: true,\n },\n /* Last-updated timestamp mirrored from the canonical Membership row. /\n lastUpdated: {\n type: \"string\" as const,\n required: true,\n },\n /\n Denormalized User display name — required to compose the\n * pattern-#2 SK (`MEMBERSHIP#<normalizedUserName>#…`). Optional on\n * the schema because pre-TR-024 rows may not carry a display name;\n * the operations layer falls back to a sentinel when missing so\n * the SK still has a valid shape. The TR-023 rename-cascade\n * pipeline rewrites the SK on a User rename.\n /\n denormalizedUserName: {\n type: \"string\" as const,\n required: false,\n },\n },\n indexes: {\n /\n Base table: PK = TID#<tenantId>#WORKSPACE#ID#<workspaceId>,\n * SK = operation-supplied. Pattern #2 uses this index — the SK\n * encodes the entity-type prefix (`MEMBERSHIP#…`) so a\n * `Query(PK = TID#<tenantId>#WORKSPACE#ID#<workspaceId>, SK begins_with 'MEMBERSHIP#')`\n * returns every member projection for the workspace in normalized-\n * user-name sort order.\n /\n record: {\n pk: {\n field: \"PK\",\n composite: [\"tenantId\", \"workspaceId\"],\n template: \"TID#${tenantId}#WORKSPACE#ID#${workspaceId}\",\n },\n sk: {\n field: \"SK\",\n casing: \"none\" as const,\n composite: [\"sk\"],\n template: \"${sk}\",\n },\n },\n },\n});\n","import { Entity } from \"electrodb\";\nimport { gsi1ShardAttribute, gsi1skAttribute } from \"./control-entity-common\";\n\n/\n Role data-store entity (single-table store).\n \n Classification (ADR 2026-03-03-01): Non-tenant-isolated, control plane. Role is a\n * platform-wide role catalog (e.g. tenant-admin, tenant-user, system-admin); not scoped by tenant.\n * RoleAssignment references Role to assign a role to a User in a Tenant/Workspace context.\n \n Key structure: PK = ROLE#ID#<id>, SK = CURRENT.\n * The ROLE# prefix prevents key collisions with other non-tenant-isolated entities (User, etc.)\n * sharing the same table (ADR 2026-03-11-01 — preferred pattern for all control plane entities).\n * Uniqueness: one Role per id.\n \n GSI1 — Unified Sharded List per ADR-011: lists all Roles across the four shards. Non-tenant-\n * isolated, so the PK uses `TID#-#WID#-` sentinels.\n \n @see sites/www-docs/content/architecture/adr/2026-03-03-01-tenant-isolated-vs-non-tenant-isolated-entities.md\n * @see sites/www-docs/content/architecture/adr/2026-03-13-02-control-plane-roles-and-user-tenant-workspace-linkage.md\n * @see sites/www-docs/content/packages/@openhi/constructs/data/dynamo/single-table-design.md\n /\nexport const RoleEntity = new Entity({\n model: {\n entity: \"role\",\n service: \"control\",\n version: \"01\",\n },\n attributes: {\n /* Sort key sentinel. Always \"CURRENT\". /\n sk: {\n type: \"string\" as const,\n required: true,\n default: \"CURRENT\",\n },\n /* FHIR Resource.id; role id. /\n id: {\n type: \"string\" as const,\n required: true,\n },\n /* Full Role resource serialized as JSON string. /\n resource: {\n type: \"string\" as const,\n required: true,\n },\n /\n Summary projection (key display fields as JSON string: id, displayName, status).\n * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.\n /\n summary: {\n type: \"string\" as const,\n required: true,\n },\n /* Version id (e.g. ULID). /\n vid: {\n type: \"string\" as const,\n required: true,\n },\n lastUpdated: {\n type: \"string\" as const,\n required: true,\n },\n gsi1Shard: gsi1ShardAttribute,\n /* Derived GSI1 sort key — name-based when extractable; else `<lastUpdated>#<id>`. /\n gsi1sk: gsi1skAttribute,\n deleted: {\n type: \"boolean\" as const,\n required: false,\n },\n bundleId: {\n type: \"string\" as const,\n required: false,\n },\n msgId: {\n type: \"string\" as const,\n required: false,\n },\n },\n indexes: {\n /* Base table: PK = ROLE#ID#<id>, SK = CURRENT. Do not supply PK or SK from outside. /\n record: {\n pk: {\n field: \"PK\",\n composite: [\"id\"],\n template: \"ROLE#ID#${id}\",\n },\n sk: {\n field: \"SK\",\n composite: [\"sk\"],\n template: \"${sk}\",\n },\n },\n\n /\n GSI1 — Unified Sharded List per ADR-011: list all Roles across the four shards.\n * Non-tenant-isolated, so `TID#-#WID#-` sentinels precede `RT#Role#SHARD#<n>`.\n * SK is derived via `gsi1skAttribute` — uses the resource's natural label when\n * extractable, else `<lastUpdated>#<id>` (DR-004). `casing: \"none\"` preserves the\n * normalized label and ISO-8601 `T`/`Z`.\n /\n gsi1: {\n index: \"GSI1\",\n pk: {\n field: \"GSI1PK\",\n composite: [\"gsi1Shard\"],\n template: \"TID#-#WID#-#RT#Role#SHARD#${gsi1Shard}\",\n },\n sk: {\n field: \"GSI1SK\",\n casing: \"none\" as const,\n composite: [\"gsi1sk\"],\n template: \"${gsi1sk}\",\n },\n },\n },\n});\n","import { Entity } from \"electrodb\";\nimport {\n gsi1ShardAttribute,\n roleAssignmentGsi1skAttribute,\n} from \"./control-entity-common\";\n\n/\n RoleAssignment data-store entity (single-table store).\n \n Classification (ADR 2026-03-03-01): Tenant-isolated, control plane. RoleAssignment assigns\n * a Role to a User in a Tenant (and optionally Workspace) context.\n \n Key structure: PK = TID#<tenantId>#ROLEASSIGNMENT#ID#<id>, SK = CURRENT.\n * Uniqueness: one RoleAssignment per (tenantId, id).\n \n GSI1 — Unified Sharded List per ADR-011: lists all RoleAssignments in a tenant across the four\n * shards. Tenant-scoped only (workspace context lives inside the resource), so the GSI1 PK uses\n * `WID#-` as a sentinel.\n \n @see sites/www-docs/content/architecture/adr/2026-03-03-01-tenant-isolated-vs-non-tenant-isolated-entities.md\n * @see sites/www-docs/content/architecture/adr/2026-03-13-02-control-plane-roles-and-user-tenant-workspace-linkage.md\n * @see sites/www-docs/content/packages/@openhi/constructs/data/dynamo/single-table-design.md\n /\nexport const RoleAssignmentEntity = new Entity({\n model: {\n entity: \"roleassignment\",\n service: \"control\",\n version: \"01\",\n },\n attributes: {\n /* Sort key sentinel. Always \"CURRENT\". /\n sk: {\n type: \"string\" as const,\n required: true,\n default: \"CURRENT\",\n },\n /* Tenant in which the role assignment applies (required). /\n tenantId: {\n type: \"string\" as const,\n required: true,\n },\n /* FHIR Resource.id; role assignment id. /\n id: {\n type: \"string\" as const,\n required: true,\n },\n /* Full RoleAssignment resource serialized as JSON string. /\n resource: {\n type: \"string\" as const,\n required: true,\n },\n /\n Summary projection (key display fields as JSON string: id, displayName, status).\n * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.\n /\n summary: {\n type: \"string\" as const,\n required: true,\n },\n /* Version id (e.g. ULID). /\n vid: {\n type: \"string\" as const,\n required: true,\n },\n lastUpdated: {\n type: \"string\" as const,\n required: true,\n },\n gsi1Shard: gsi1ShardAttribute,\n /\n Derived GSI1 sort key — discriminator-first\n * `<roleId>#<normalizedUserName>#<id>` per ADR-018 pattern #8 so a\n * GSI1 query partitioned on the tenant can `begins_with('<roleId>#')`\n * to enumerate every user assigned to a given role, sorted by user\n * name. Falls back to `<lastUpdated>#<id>` when either component is\n * missing.\n /\n gsi1sk: roleAssignmentGsi1skAttribute,\n deleted: {\n type: \"boolean\" as const,\n required: false,\n },\n bundleId: {\n type: \"string\" as const,\n required: false,\n },\n msgId: {\n type: \"string\" as const,\n required: false,\n },\n /\n Denormalized display name of the linked Tenant, captured at row\n * last-write time. Promoted to a top-level attribute so the ADR-018\n * adjacency-list user-projection SK (pattern #5 —\n * `ROLEASSIGNMENT#TENANT#<normalizedRoleName>#<roleId>#TID#<tenantId>#<id>`)\n * can be composed from a top-level field instead of digging into the\n * `resource` JSON. Optional on the schema so pre-TR-024 rows do not\n * break; the operations-layer multi-write helper (#1010) makes the\n * field load-bearing at write time per TR-024 rule 2 (write-time\n * source = canonical Tenant.displayName).\n * @see TR-024 — Denormalized display-name attributes\n /\n denormalizedTenantName: {\n type: \"string\" as const,\n required: false,\n },\n /\n Denormalized display name of the linked User, captured at row\n * last-write time. Promoted to a top-level attribute so the ADR-018\n * adjacency-list canonical-record GSI1SK (pattern #8 —\n * `<roleId>#<normalizedUserName>#<id>`) and workspace-projection SK\n * (pattern #9) can be composed from a top-level field. Optional on\n * the schema so pre-TR-024 rows do not break; the operations-layer\n * multi-write helper (#1010) makes the field load-bearing at write\n * time per TR-024 rule 2 (write-time source = canonical\n * User.displayName).\n * @see TR-024 — Denormalized display-name attributes\n /\n denormalizedUserName: {\n type: \"string\" as const,\n required: false,\n },\n /\n Denormalized display name of the linked Role, captured at row\n * last-write time. Promoted to a top-level attribute so the ADR-018\n * adjacency-list user-projection SK (pattern #5 —\n * `ROLEASSIGNMENT#TENANT#<normalizedRoleName>#…`) can be composed from\n * a top-level field. Optional on the schema so pre-TR-024 rows do not\n * break; the operations-layer multi-write helper (#1010) makes the\n * field load-bearing at write time per TR-024 rule 2 (write-time\n * source = canonical Role.displayName).\n * @see TR-024 — Denormalized display-name attributes\n /\n denormalizedRoleName: {\n type: \"string\" as const,\n required: false,\n },\n },\n indexes: {\n /* Base table: PK = TID#<tenantId>#ROLEASSIGNMENT#ID#<id>, SK = CURRENT. Do not supply PK or SK from outside. /\n record: {\n pk: {\n field: \"PK\",\n composite: [\"tenantId\", \"id\"],\n template: \"TID#${tenantId}#ROLEASSIGNMENT#ID#${id}\",\n },\n sk: {\n field: \"SK\",\n composite: [\"sk\"],\n template: \"${sk}\",\n },\n },\n\n /\n GSI1 — Unified Sharded List per ADR-011: list all RoleAssignments for a tenant across the\n * four shards. Tenant-scoped only, so `WID#-` is a sentinel.\n * SK is derived via `roleAssignmentGsi1skAttribute` — composes the\n * discriminator-first `<roleId>#<normalizedUserName>#<id>` shape per\n * ADR-018 pattern #8 (users with a specific role in a tenant, sorted\n * by user name); falls back to `<lastUpdated>#<id>` when either\n * component is missing. `casing: \"none\"` preserves the normalized\n * label and ISO-8601 `T`/`Z`.\n /\n gsi1: {\n index: \"GSI1\",\n pk: {\n field: \"GSI1PK\",\n composite: [\"tenantId\", \"gsi1Shard\"],\n template: \"TID#${tenantId}#WID#-#RT#RoleAssignment#SHARD#${gsi1Shard}\",\n },\n sk: {\n field: \"GSI1SK\",\n casing: \"none\" as const,\n composite: [\"gsi1sk\"],\n template: \"${gsi1sk}\",\n },\n },\n },\n});\n","import { Entity } from \"electrodb\";\n\n/\n RoleAssignment user-projection entity (single-table store, no GSI).\n \n ADR-018 adjacency-list projection. For every RoleAssignment write\n * the operations-layer multi-write helper writes one projection row\n * under the user partition so the user-rooted access pattern #5 is\n * served by a single base-table `Query` with no GSI hop. The SK encodes\n * a tenant-vs-workspace discriminator sub-prefix so both sub-lanes share\n * the user partition:\n \n \| Sub-lane \| When \| PK \| SK \|\n * \|---\|---\|---\|---\|\n * \| tenant-level \| `workspaceId` absent \| `USER#ID#<userId>` \| `ROLEASSIGNMENT#TENANT#<normalizedRoleName>#<roleId>#TID#<tenantId>#<id>` \|\n * \| workspace-level \| `workspaceId` set \| `USER#ID#<userId>` \| `ROLEASSIGNMENT#WORKSPACE#<normalizedRoleName>#<roleId>#TID#<tenantId>#WID#<workspaceId>#<id>` \|\n \n The SK shape is operation-owned: the operations-layer projection\n * writer composes the SK string via the\n * `buildRoleAssignmentUserProjectionSk` helpers and supplies it on the\n `sk` attribute. This entity stores the SK verbatim — no\n * `watch`/derived computation here — so the SK grammar (and any future\n * revision) lives in one place: the operations layer.\n \n Projection attribute set per ADR-018 § Projection attribute set and\n * the implementation guide § 2: `summary`, `vid`, `lastUpdated` (so\n * `Query(PK = USER#ID#<userId>, SK begins_with 'ROLEASSIGNMENT#')` is\n * self-sufficient — no BatchGet hop to the canonical record), plus the\n * projection-discriminating fields (`tenantId`, `roleId`,\n * `roleAssignmentId`, `userId`, `workspaceId?`) and TR-024 denormalized\n * display names (`denormalizedTenantName`, `denormalizedUserName`,\n * `denormalizedRoleName`).\n \n No GSI projection. Per ADR-018 § Decision, cross-cutting reads\n * are served by the main-table partition `USER#ID#<userId>`; the\n * GSI1/GSI2 catalog is unchanged.\n \n @see ADR-018 § Access Pattern Coverage (#5)\n * @see .state/adr-018-implementation-guide.md § 1 (SK grammar) and § 2 (attribute set)\n * @see .claude/rules/data-layer-layout.md — projection writers live in operations, not here\n /\nexport const RoleAssignmentUserProjectionEntity = new Entity({\n model: {\n entity: \"roleAssignmentUserProjection\",\n service: \"control\",\n version: \"01\",\n },\n attributes: {\n /\n User partition discriminator. Renders as `USER#ID#<userId>` on the\n * base-table PK. Always required — the projection has no meaning\n * outside a user partition.\n /\n userId: {\n type: \"string\" as const,\n required: true,\n },\n /\n Pre-composed sort key — built by the operations-layer projection\n * writer via `buildRoleAssignmentUserProjectionSk` helpers. The\n entity stores the value verbatim so the SK grammar (tenant-lane\n * vs workspace-lane) is owned by the operations layer, not\n * duplicated here.\n /\n sk: {\n type: \"string\" as const,\n required: true,\n },\n /* Tenant in which the role assignment applies. Always required. /\n tenantId: {\n type: \"string\" as const,\n required: true,\n },\n /\n Workspace the role assignment scopes to. Present iff the\n * projection row is the workspace-level sub-lane; absent for\n * tenant-level sub-lane rows.\n /\n workspaceId: {\n type: \"string\" as const,\n required: false,\n },\n /\n Role the assignment grants. Stored as a discriminating field so\n * `Query(PK = USER#ID#<userId>, SK begins_with 'ROLEASSIGNMENT#…')`\n * results carry the role id without a hop to the canonical row.\n /\n roleId: {\n type: \"string\" as const,\n required: true,\n },\n /\n RoleAssignment canonical-record id. Stored as a discriminating\n * field so consumers can hydrate the canonical row via\n * `RoleAssignmentEntity.get({ tenantId, id: roleAssignmentId })`\n * when the projection's `summary` is insufficient.\n /\n roleAssignmentId: {\n type: \"string\" as const,\n required: true,\n },\n /\n Summary projection (key display fields as JSON string: id,\n * displayName, status) — mirrored from the canonical RoleAssignment\n * row so user-partition queries do not need a BatchGet hop.\n /\n summary: {\n type: \"string\" as const,\n required: true,\n },\n /* Version id mirrored from the canonical RoleAssignment row. /\n vid: {\n type: \"string\" as const,\n required: true,\n },\n /* Last-updated timestamp mirrored from the canonical RoleAssignment row. /\n lastUpdated: {\n type: \"string\" as const,\n required: true,\n },\n /\n Denormalized Tenant display name — mirrored from the canonical\n * RoleAssignment row per TR-024 rule 3 (canonical-record symmetry).\n * Optional on the schema because pre-TR-024 rows may not carry a\n * display name; the operations layer falls back gracefully when\n * missing.\n /\n denormalizedTenantName: {\n type: \"string\" as const,\n required: false,\n },\n /\n Denormalized User display name — mirrored from the canonical\n * RoleAssignment row per TR-024 rule 3 (canonical-record symmetry).\n * Carried on the projection so consumers can render the user's\n * display name without a hop to the User record.\n /\n denormalizedUserName: {\n type: \"string\" as const,\n required: false,\n },\n /\n Denormalized Role display name — required to compose the SK's\n * `<normalizedRoleName>` segment. Optional on the schema (pre-TR-024\n * rows fall back to a sentinel) but expected to be present at write\n * time per TR-024 rule 2 (write-time source =\n * canonical Role.displayName).\n /\n denormalizedRoleName: {\n type: \"string\" as const,\n required: false,\n },\n },\n indexes: {\n /\n Base table: PK = USER#ID#\\<userId\\>, SK = operation-supplied. Both\n * sub-lanes (tenant-level and workspace-level) use this same index —\n * the SK string encodes the lane discriminator\n * (`ROLEASSIGNMENT#TENANT#…` vs `ROLEASSIGNMENT#WORKSPACE#…`) so a\n * single `Query(PK = USER#ID#<userId>, SK begins_with 'ROLEASSIGNMENT#')`\n * returns both lanes interleaved.\n /\n record: {\n pk: {\n field: \"PK\",\n composite: [\"userId\"],\n template: \"USER#ID#${userId}\",\n },\n sk: {\n field: \"SK\",\n casing: \"none\" as const,\n composite: [\"sk\"],\n template: \"${sk}\",\n },\n },\n },\n});\n","import { Entity } from \"electrodb\";\n\n/\n RoleAssignment workspace-projection entity (single-table store, no GSI).\n \n ADR-018 adjacency-list projection. For every workspace-scoped\n * RoleAssignment the operations-layer multi-write helper writes one\n * projection row under the workspace partition so the workspace-rooted\n * access pattern #9 is served by a single base-table `Query` with no\n * GSI hop:\n \n \| Pattern \| When \| PK \| SK \|\n * \|---\|---\|---\|---\|\n * \| #9 — users with a specific role in a workspace \| `workspaceId` set \| `TID#<tenantId>#WORKSPACE#ID#<workspaceId>` \| `ROLEASSIGNMENT#<roleId>#<normalizedUserName>#USER#<userId>#<id>` \|\n \n The SK is discriminator-first on the raw `<roleId>` (mirroring the\n * canonical GSI1SK from pattern #8): role id discriminates first so a\n * `begins_with('ROLEASSIGNMENT#<roleId>#')` filter returns every user\n * assigned to that role in the workspace, sorted alphabetically by\n * normalized user name. Omitting the `<roleId>#` segment\n * (`begins_with('ROLEASSIGNMENT#')`) returns every role assignment in\n * the workspace interleaved.\n \n The PK co-locates with the canonical Workspace record (`SK = CURRENT`)\n * and the Membership workspace-projection rows (pattern #2) so a single\n * `Query(PK = TID#<tenantId>#WORKSPACE#ID#<workspaceId>)` returns\n * workspace metadata + every member projection + every role-assignment\n * projection in one round trip — the admin workspace-dashboard read shape.\n \n The SK shape is operation-owned: the operations-layer projection\n * writer composes the SK string via the\n * `buildRoleAssignmentWorkspaceProjectionSk` helper and supplies it on\n * the `sk` attribute. This entity stores the SK verbatim — no\n * `watch`/derived computation here — so the SK grammar lives in one\n * place: the operations layer.\n \n Projection attribute set per ADR-018 § Projection attribute set and\n * the implementation guide § 2: `summary`, `vid`, `lastUpdated` (so\n * `Query(PK = TID#<tenantId>#WORKSPACE#ID#<workspaceId>, SK begins_with 'ROLEASSIGNMENT#')`\n * is self-sufficient — no BatchGet hop to the canonical record), plus\n * the projection-discriminating fields (`tenantId`, `workspaceId`,\n * `roleId`, `roleAssignmentId`, `userId`) and TR-024 denormalized\n * display names (`denormalizedUserName`, `denormalizedRoleName`).\n \n Rename-cascade interaction (TR-023, Phase 6). The SK uses the\n * raw `<roleId>` (rename-stable) for the discriminator and\n * `<normalizedUserName>` for the secondary sort. A Role rename does NOT\n * rewrite this SK; a User rename DOES (cascaded by the rename pipeline).\n \n No GSI projection. Per ADR-018 § Decision, cross-cutting reads\n * are served by the main-table partition\n * `TID#<tenantId>#WORKSPACE#ID#<workspaceId>`; the GSI1/GSI2 catalog\n * is unchanged.\n \n @see ADR-018 § Access Pattern Coverage (#9)\n * @see .state/adr-018-implementation-guide.md § 1 (SK grammar) and § 2 (attribute set)\n * @see .claude/rules/data-layer-layout.md — projection writers live in operations, not here\n /\nexport const RoleAssignmentWorkspaceProjectionEntity = new Entity({\n model: {\n entity: \"roleAssignmentWorkspaceProjection\",\n service: \"control\",\n version: \"01\",\n },\n attributes: {\n /\n Tenant the workspace belongs to. Renders as the leading segment\n * of the base-table PK. Always required — the workspace partition\n * is tenant-scoped per ADR-011.\n /\n tenantId: {\n type: \"string\" as const,\n required: true,\n },\n /\n Workspace partition discriminator. Renders as the trailing\n * segment of the base-table PK\n * (`TID#<tenantId>#WORKSPACE#ID#<workspaceId>`). Always required —\n * the projection has no meaning outside a workspace partition.\n /\n workspaceId: {\n type: \"string\" as const,\n required: true,\n },\n /\n Pre-composed sort key — built by the operations-layer projection\n * writer via `buildRoleAssignmentWorkspaceProjectionSk`. The entity\n * stores the value verbatim so the SK grammar (pattern #9) is\n * owned by the operations layer, not duplicated here.\n /\n sk: {\n type: \"string\" as const,\n required: true,\n },\n /\n User the role assignment grants the role to. Stored as a\n * discriminating field so consumers can hydrate the canonical User\n * row via `UserEntity.get({ id: userId, sk: \"CURRENT\" })` when the\n * projection's `summary` is insufficient.\n /\n userId: {\n type: \"string\" as const,\n required: true,\n },\n /\n Role the assignment grants. Stored as a discriminating field —\n * also rendered into the SK as the discriminator-first segment so\n * `begins_with('ROLEASSIGNMENT#<roleId>#')` filters one role.\n /\n roleId: {\n type: \"string\" as const,\n required: true,\n },\n /\n RoleAssignment canonical-record id. Stored as a discriminating\n * field so consumers can hydrate the canonical row via\n * `RoleAssignmentEntity.get({ tenantId, id: roleAssignmentId })`\n * when the projection's `summary` is insufficient.\n /\n roleAssignmentId: {\n type: \"string\" as const,\n required: true,\n },\n /\n Summary projection (key display fields as JSON string: id,\n * displayName, status) — mirrored from the canonical RoleAssignment\n * row so workspace-partition queries do not need a BatchGet hop.\n /\n summary: {\n type: \"string\" as const,\n required: true,\n },\n /* Version id mirrored from the canonical RoleAssignment row. /\n vid: {\n type: \"string\" as const,\n required: true,\n },\n /* Last-updated timestamp mirrored from the canonical RoleAssignment row. /\n lastUpdated: {\n type: \"string\" as const,\n required: true,\n },\n /\n Denormalized User display name — required to compose the\n * pattern-#9 SK (`ROLEASSIGNMENT#<roleId>#<normalizedUserName>#…`).\n * Optional on the schema because pre-TR-024 rows may not carry a\n * display name; the operations layer falls back to a sentinel when\n * missing so the SK still has a valid shape. The TR-023 rename-\n * cascade pipeline rewrites the SK on a User rename.\n /\n denormalizedUserName: {\n type: \"string\" as const,\n required: false,\n },\n /\n Denormalized Role display name — mirrored from the canonical\n * RoleAssignment row per TR-024 rule 3 (canonical-record symmetry).\n * Carried on the projection so consumers can render the role's\n * display name without a hop to the Role record. Not part of the\n * SK (pattern #9 sorts on `<normalizedUserName>`, not role name) —\n * a Role rename does NOT rewrite this SK.\n /\n denormalizedRoleName: {\n type: \"string\" as const,\n required: false,\n },\n },\n indexes: {\n /\n Base table: PK = TID#<tenantId>#WORKSPACE#ID#<workspaceId>,\n * SK = operation-supplied. Pattern #9 uses this index — the SK\n * encodes the entity-type prefix and discriminator-first roleId\n * (`ROLEASSIGNMENT#<roleId>#…`) so\n * `Query(PK = TID#<tenantId>#WORKSPACE#ID#<workspaceId>, SK begins_with 'ROLEASSIGNMENT#<roleId>#')`\n * returns every user-assignment for that role in the workspace, sorted\n * by normalized user name.\n /\n record: {\n pk: {\n field: \"PK\",\n composite: [\"tenantId\", \"workspaceId\"],\n template: \"TID#${tenantId}#WORKSPACE#ID#${workspaceId}\",\n },\n sk: {\n field: \"SK\",\n casing: \"none\" as const,\n composite: [\"sk\"],\n template: \"${sk}\",\n },\n },\n },\n});\n","import { Entity } from \"electrodb\";\nimport { gsi1ShardAttribute, gsi1skAttribute } from \"./control-entity-common\";\n\n/\n Tenant data-store entity (single-table store).\n \n Classification (ADR 2026-03-03-01): Tenant-isolated, control plane. Tenant IS the top scope;\n * the workspace dimension is not applicable and uses the sentinel `TENANT`. The tenant's own `id`\n * is stored as `tenantId` to drive the partition key.\n \n Key structure: PK = TENANT#ID#<tenantId>, SK = CURRENT.\n * Uniqueness: one Tenant per tenantId (id).\n \n GSI1 — Unified Sharded List per ADR-011: lists all Tenants across the four shards. Tenant has\n * no parent tenant or workspace, so the PK uses `TID#-#WID#-` sentinels.\n \n @see sites/www-docs/content/architecture/adr/2026-03-03-01-tenant-isolated-vs-non-tenant-isolated-entities.md\n * @see sites/www-docs/content/architecture/adr/2026-03-13-01-tenant-and-workspace-fhir-types-control-plane.md\n * @see sites/www-docs/content/packages/@openhi/constructs/data/dynamo/single-table-design.md\n /\nexport const TenantEntity = new Entity({\n model: {\n entity: \"tenant\",\n service: \"control\",\n version: \"01\",\n },\n attributes: {\n /* Sort key sentinel. Always \"CURRENT\". /\n sk: {\n type: \"string\" as const,\n required: true,\n default: \"CURRENT\",\n },\n /* The tenant's own id (= resource id). Drives the partition key. /\n tenantId: {\n type: \"string\" as const,\n required: true,\n },\n /* FHIR Resource.id; logical id in URL. Equals tenantId. /\n id: {\n type: \"string\" as const,\n required: true,\n },\n /* Full Tenant resource serialized as JSON string. /\n resource: {\n type: \"string\" as const,\n required: true,\n },\n /\n Summary projection (key display fields as JSON string: id, displayName, status).\n * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.\n /\n summary: {\n type: \"string\" as const,\n required: true,\n },\n /* Version id (e.g. ULID). /\n vid: {\n type: \"string\" as const,\n required: true,\n },\n lastUpdated: {\n type: \"string\" as const,\n required: true,\n },\n /\n ADR-028 denormalized counter — number of tenant-scoped Memberships\n * (users) in this tenant. Maintained by the counter-maintenance\n * consumer via atomic ADD; absent/0 until first event or reconciliation.\n /\n usersInTenant: {\n type: \"number\" as const,\n required: false,\n },\n /\n ADR-028 denormalized counter — number of Workspaces in this tenant.\n * Maintained by the counter-maintenance consumer via atomic ADD;\n * absent/0 until first event or reconciliation.\n /\n workspacesInTenant: {\n type: \"number\" as const,\n required: false,\n },\n gsi1Shard: gsi1ShardAttribute,\n /* Derived GSI1 sort key — name-based when extractable; else `<lastUpdated>#<id>`. /\n gsi1sk: gsi1skAttribute,\n deleted: {\n type: \"boolean\" as const,\n required: false,\n },\n bundleId: {\n type: \"string\" as const,\n required: false,\n },\n msgId: {\n type: \"string\" as const,\n required: false,\n },\n },\n indexes: {\n /* Base table: PK = TENANT#ID#<tenantId>, SK = CURRENT. Do not supply PK or SK from outside. /\n record: {\n pk: {\n field: \"PK\",\n composite: [\"tenantId\"],\n template: \"TENANT#ID#${tenantId}\",\n },\n sk: {\n field: \"SK\",\n composite: [\"sk\"],\n template: \"${sk}\",\n },\n },\n\n /\n GSI1 — Unified Sharded List per ADR-011: list all Tenants across the four shards.\n * Tenant lives at the platform tier (no parent tenant or workspace), so `TID#-#WID#-`\n * sentinels precede `RT#Tenant#SHARD#<n>`. SK is derived via `gsi1skAttribute` —\n * `<normalizedName>#<id>` when the resource carries a `name`, else `<lastUpdated>#<id>`\n * (DR-004). `casing: \"none\"` preserves the normalized label and ISO-8601 `T`/`Z`.\n /\n gsi1: {\n index: \"GSI1\",\n pk: {\n field: \"GSI1PK\",\n composite: [\"gsi1Shard\"],\n template: \"TID#-#WID#-#RT#Tenant#SHARD#${gsi1Shard}\",\n },\n sk: {\n field: \"GSI1SK\",\n casing: \"none\" as const,\n composite: [\"gsi1sk\"],\n template: \"${gsi1sk}\",\n },\n },\n },\n});\n","import { Entity } from \"electrodb\";\nimport { gsi1ShardAttribute, gsi1skAttribute } from \"./control-entity-common\";\n\n/\n User data-store entity (single-table store).\n \n Classification (ADR 2026-03-03-01): Non-tenant-isolated, control plane. User is a\n * platform-wide identity; association with tenants and workspaces is through Membership and\n * RoleAssignment, not the User entity's own key.\n \n Key structure: PK = USER#ID#<id>, SK = CURRENT.\n * The USER# prefix prevents key collisions with other non-tenant-isolated entities (Role, etc.)\n * sharing the same table (ADR 2026-03-11-01 — preferred pattern for all control plane entities).\n * Uniqueness: one User per id.\n \n GSI1 — Unified Sharded List per ADR-011: lists all Users across the four shards. Non-tenant-\n * isolated, so the PK uses `TID#-#WID#-` sentinels.\n * GSI2 — Cognito sub-lookup per ADR-011: resolves a UserEntity from a Cognito `sub` claim\n * (`USER#SUB#<cognitoSub>` PK, `CURRENT` SK). The `cognitoSub` attribute is populated by the\n * Post Confirmation Lambda (Epic #765 / #770); kept optional here until that write path lands.\n \n @see sites/www-docs/content/architecture/adr/2026-03-03-01-tenant-isolated-vs-non-tenant-isolated-entities.md\n * @see sites/www-docs/content/architecture/adr/2026-03-11-01-user-type-definition-fhir-and-data-layer.md\n * @see sites/www-docs/content/packages/@openhi/constructs/data/dynamo/single-table-design.md\n /\nexport const UserEntity = new Entity({\n model: {\n entity: \"user\",\n service: \"control\",\n version: \"01\",\n },\n attributes: {\n /* Sort key sentinel. Always \"CURRENT\". /\n sk: {\n type: \"string\" as const,\n required: true,\n default: \"CURRENT\",\n },\n /* FHIR Resource.id; platform user id (ohi_uid). /\n id: {\n type: \"string\" as const,\n required: true,\n },\n /* Full User resource serialized as JSON string. /\n resource: {\n type: \"string\" as const,\n required: true,\n },\n /\n Summary projection (key display fields as JSON string: id, displayName, status).\n * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.\n /\n summary: {\n type: \"string\" as const,\n required: true,\n },\n /\n Immutable Cognito-issued `sub` claim. Drives GSI2 (sub-lookup). Optional until the\n * Post Confirmation Lambda (#770) lands; required thereafter.\n /\n cognitoSub: {\n type: \"string\" as const,\n required: false,\n },\n /* Version id (e.g. ULID). /\n vid: {\n type: \"string\" as const,\n required: true,\n },\n lastUpdated: {\n type: \"string\" as const,\n required: true,\n },\n /\n ADR-028 denormalized counter — number of tenant-scoped Memberships\n * (tenants) this user belongs to. Maintained by the\n * counter-maintenance consumer via atomic ADD; absent/0 until first\n * event or reconciliation.\n /\n tenantsForUser: {\n type: \"number\" as const,\n required: false,\n },\n /\n ADR-028 denormalized counter — number of workspace-scoped\n * Memberships (workspaces) this user belongs to. Maintained by the\n * counter-maintenance consumer via atomic ADD; absent/0 until first\n * event or reconciliation.\n /\n workspacesForUser: {\n type: \"number\" as const,\n required: false,\n },\n gsi1Shard: gsi1ShardAttribute,\n /* Derived GSI1 sort key — name-based when extractable; else `<lastUpdated>#<id>`. /\n gsi1sk: gsi1skAttribute,\n deleted: {\n type: \"boolean\" as const,\n required: false,\n },\n /\n TR-022 / ADR-018 lifecycle state for the cascade pipeline.\n \n - `active` (or undefined) — normal, readable state.\n * - `deleting` — intermediate state set synchronously by the\n * hard-delete API entry point. The owning-delete cascade state\n * machine fans out from this transition (DynamoDB stream →\n * `control-plane.owning-delete.v1` → Step Functions). Readers MUST\n * short-circuit on `deleting` so partial cascades stay invisible.\n * - `deleted-failed` — terminal failure state set by the cascade\n * finalize Lambda when the cascade run fails irrecoverably.\n * Operators recover by re-running the cascade or by direct\n * intervention.\n \n The cascade finalize step deletes the canonical record conditional\n * on `lifecycleState = \"deleting\"`; on replay the conditional check\n * fails and the finalize step treats that as a no-op success.\n /\n lifecycleState: {\n type: [\"active\", \"deleting\", \"deleted-failed\"] as const,\n required: false,\n },\n bundleId: {\n type: \"string\" as const,\n required: false,\n },\n msgId: {\n type: \"string\" as const,\n required: false,\n },\n },\n indexes: {\n /* Base table: PK = USER#ID#<id>, SK = CURRENT. Do not supply PK or SK from outside. /\n record: {\n pk: {\n field: \"PK\",\n composite: [\"id\"],\n template: \"USER#ID#${id}\",\n },\n sk: {\n field: \"SK\",\n composite: [\"sk\"],\n template: \"${sk}\",\n },\n },\n\n /\n GSI1 — Unified Sharded List per ADR-011: list all Users across the four shards.\n * Non-tenant-isolated, so `TID#-#WID#-` sentinels precede `RT#User#SHARD#<n>`.\n * SK is derived via `gsi1skAttribute` — uses the resource's natural label when\n * extractable (string `name`/`title` via introspection), else `<lastUpdated>#<id>`\n * (DR-004). `casing: \"none\"` preserves the normalized label and ISO-8601 `T`/`Z`.\n /\n gsi1: {\n index: \"GSI1\",\n pk: {\n field: \"GSI1PK\",\n composite: [\"gsi1Shard\"],\n template: \"TID#-#WID#-#RT#User#SHARD#${gsi1Shard}\",\n },\n sk: {\n field: \"GSI1SK\",\n casing: \"none\" as const,\n composite: [\"gsi1sk\"],\n template: \"${gsi1sk}\",\n },\n },\n\n /\n GSI2 — Cognito sub-lookup per ADR-011: resolves the UserEntity from a Cognito `sub` claim.\n * `condition` skips the index when `cognitoSub` is missing so legacy items without a sub are\n * not indexed.\n /\n gsi2: {\n index: \"GSI2\",\n condition: (attrs: { cognitoSub?: string }) =>\n typeof attrs.cognitoSub === \"string\" && attrs.cognitoSub.length > 0,\n pk: {\n field: \"GSI2PK\",\n casing: \"none\" as const,\n composite: [\"cognitoSub\"],\n template: \"USER#SUB#${cognitoSub}\",\n },\n sk: {\n field: \"GSI2SK\",\n casing: \"none\" as const,\n composite: [],\n template: \"CURRENT\",\n },\n },\n },\n});\n","import { Entity } from \"electrodb\";\nimport { gsi1ShardAttribute, gsi1skAttribute } from \"./control-entity-common\";\n\n/\n Workspace data-store entity (single-table store).\n \n Classification (ADR 2026-03-03-01): Tenant-isolated, control plane. Each workspace belongs\n * to exactly one tenant; both tenantId and workspace id are in the partition key.\n \n Key structure: PK = TID#<tenantId>#WORKSPACE#ID#<id>, SK = CURRENT.\n * Uniqueness: one Workspace per (tenantId, id).\n \n GSI1 — Unified Sharded List per ADR-011: lists all Workspaces in a tenant across the four\n * shards. Workspace is itself the workspace identity, so the GSI1 PK uses `WID#-` as a sentinel.\n \n @see sites/www-docs/content/architecture/adr/2026-03-03-01-tenant-isolated-vs-non-tenant-isolated-entities.md\n * @see sites/www-docs/content/architecture/adr/2026-03-13-01-tenant-and-workspace-fhir-types-control-plane.md\n * @see sites/www-docs/content/packages/@openhi/constructs/data/dynamo/single-table-design.md\n /\nexport const WorkspaceEntity = new Entity({\n model: {\n entity: \"workspace\",\n service: \"control\",\n version: \"01\",\n },\n attributes: {\n /* Sort key sentinel. Always \"CURRENT\". /\n sk: {\n type: \"string\" as const,\n required: true,\n default: \"CURRENT\",\n },\n /* Tenant that contains this workspace (required). /\n tenantId: {\n type: \"string\" as const,\n required: true,\n },\n /* FHIR Resource.id; logical id in URL. /\n id: {\n type: \"string\" as const,\n required: true,\n },\n /* Full Workspace resource serialized as JSON string. /\n resource: {\n type: \"string\" as const,\n required: true,\n },\n /\n Summary projection (key display fields as JSON string: id, displayName, status).\n * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.\n /\n summary: {\n type: \"string\" as const,\n required: true,\n },\n /* Version id (e.g. ULID). /\n vid: {\n type: \"string\" as const,\n required: true,\n },\n lastUpdated: {\n type: \"string\" as const,\n required: true,\n },\n /\n ADR-028 denormalized counter — number of workspace-scoped\n * Memberships (users) in this workspace. Maintained by the\n * counter-maintenance consumer via atomic ADD; absent/0 until first\n * event or reconciliation.\n /\n usersInWorkspace: {\n type: \"number\" as const,\n required: false,\n },\n /\n ADR-028 denormalized counter — number of workspace-scoped\n * RoleAssignments classified as admin-tier in this workspace.\n * Maintained by the counter-maintenance consumer via atomic ADD;\n * absent/0 until first event or reconciliation.\n /\n adminUsersInWorkspace: {\n type: \"number\" as const,\n required: false,\n },\n /\n ADR-028 denormalized counter — number of workspace-scoped\n * RoleAssignments classified as non-admin in this workspace.\n * Maintained by the counter-maintenance consumer via atomic ADD;\n * absent/0 until first event or reconciliation.\n /\n normalUsersInWorkspace: {\n type: \"number\" as const,\n required: false,\n },\n gsi1Shard: gsi1ShardAttribute,\n /* Derived GSI1 sort key — name-based when extractable; else `<lastUpdated>#<id>`. /\n gsi1sk: gsi1skAttribute,\n deleted: {\n type: \"boolean\" as const,\n required: false,\n },\n /\n TR-022 / ADR-018 lifecycle state for the cascade pipeline.\n \n - `active` (or undefined) — normal, readable state.\n * - `deleting` — intermediate state set synchronously by the\n * hard-delete API entry point. The owning-delete cascade state\n * machine fans out from this transition (DynamoDB stream →\n * `control-plane.owning-delete.v1` → Step Functions). Readers MUST\n * short-circuit on `deleting` so partial cascades stay invisible.\n * - `deleted-failed` — terminal failure state set by the cascade\n * finalize Lambda when the cascade run fails irrecoverably.\n * Operators recover by re-running the cascade or by direct\n * intervention.\n \n The cascade finalize step deletes the canonical record conditional\n * on `lifecycleState = \"deleting\"`; on replay the conditional check\n * fails and the finalize step treats that as a no-op success.\n /\n lifecycleState: {\n type: [\"active\", \"deleting\", \"deleted-failed\"] as const,\n required: false,\n },\n bundleId: {\n type: \"string\" as const,\n required: false,\n },\n msgId: {\n type: \"string\" as const,\n required: false,\n },\n },\n indexes: {\n /* Base table: PK = TID#<tenantId>#WORKSPACE#ID#<id>, SK = CURRENT. Do not supply PK or SK from outside. /\n record: {\n pk: {\n field: \"PK\",\n composite: [\"tenantId\", \"id\"],\n template: \"TID#${tenantId}#WORKSPACE#ID#${id}\",\n },\n sk: {\n field: \"SK\",\n composite: [\"sk\"],\n template: \"${sk}\",\n },\n },\n\n /\n GSI1 — Unified Sharded List per ADR-011: list all Workspaces for a tenant across the\n * four shards. Workspace is itself the workspace identity, so `WID#-` is a sentinel.\n * SK is derived via `gsi1skAttribute` — `<normalizedName>#<id>` when the resource\n * carries a `name`, else `<lastUpdated>#<id>` (DR-004). `casing: \"none\"` preserves\n * the normalized label and ISO-8601 `T`/`Z`.\n /\n gsi1: {\n index: \"GSI1\",\n pk: {\n field: \"GSI1PK\",\n composite: [\"tenantId\", \"gsi1Shard\"],\n template: \"TID#${tenantId}#WID#-#RT#Workspace#SHARD#${gsi1Shard}\",\n },\n sk: {\n field: \"GSI1SK\",\n casing: \"none\" as const,\n composite: [\"gsi1sk\"],\n template: \"${gsi1sk}\",\n },\n },\n },\n});\n","import {\n getDynamoControlService,\n type DynamoControlServiceType,\n} from \"../../../dynamo/dynamo-control-service\";\n\n/\n ADR-028 atomic counter mutation against a canonical control-plane\n * record. Each call applies one concurrency-safe DynamoDB `ADD` delta\n * (`+1` on a relationship/lifecycle create, `-1` on delete) to a single\n * named counter attribute on the canonical Tenant / Workspace / User row.\n \n The mutation goes through ElectroDB's `patch(key).add({ counter })`,\n * which compiles to a DynamoDB `ADD` update expression — atomic, no\n * read-modify-write. `patch` also stamps an `attribute_exists` guard on\n * the partition key, so a counter is never written onto a phantom /\n * deleted canonical record. Using ElectroDB (rather than a raw\n * `UpdateItemCommand`) keeps the composite-key casing in lockstep with\n * the entity definitions.\n \n Floor guard contract (ADR-028 § Floor guard): a `-1` against an\n * absent / `0` counter is clamped to a no-op via a `.where(counter > 0)`\n * condition — when the condition fails ElectroDB throws and the\n * operation swallows it, returning `false`. The guard is a safety net,\n * not the source of truth: ADR-028's reconciliation job recomputes the\n * real value from canonical data and owns correctness.\n \n @see sites/www-docs/content/packages/@openhi/constructs/data/operations/control/counters/counter-apply-operation.md\n /\n\n/* Counter attribute names per ADR-028, grouped by the canonical record they live on. /\nexport const TENANT_COUNTERS = [\"usersInTenant\", \"workspacesInTenant\"] as const;\nexport const WORKSPACE_COUNTERS = [\n \"usersInWorkspace\",\n \"adminUsersInWorkspace\",\n \"normalUsersInWorkspace\",\n] as const;\nexport const USER_COUNTERS = [\"tenantsForUser\", \"workspacesForUser\"] as const;\n\nexport type TenantCounter = (typeof TENANT_COUNTERS)[number];\nexport type WorkspaceCounter = (typeof WORKSPACE_COUNTERS)[number];\nexport type UserCounter = (typeof USER_COUNTERS)[number];\n\n/* The `+1` (create) / `-1` (delete) delta direction. /\nexport type CounterDelta = 1 \| -1;\n\n/* Which canonical entity the counter lives on. /\nexport const COUNTER_TARGET = {\n Tenant: \"Tenant\",\n Workspace: \"Workspace\",\n User: \"User\",\n} as const;\nexport type CounterTarget =\n (typeof COUNTER_TARGET)[keyof typeof COUNTER_TARGET];\n\n/\n A resolved counter mutation: which canonical record (target + the\n * ElectroDB composite-key fields that identify it), the attribute, and\n * the delta. The router emits these; the operation applies them.\n /\nexport type CounterMutation =\n \| {\n readonly target: typeof COUNTER_TARGET.Tenant;\n readonly tenantId: string;\n readonly attribute: TenantCounter;\n readonly delta: CounterDelta;\n }\n \| {\n readonly target: typeof COUNTER_TARGET.Workspace;\n readonly tenantId: string;\n readonly workspaceId: string;\n readonly attribute: WorkspaceCounter;\n readonly delta: CounterDelta;\n }\n \| {\n readonly target: typeof COUNTER_TARGET.User;\n readonly userId: string;\n readonly attribute: UserCounter;\n readonly delta: CounterDelta;\n };\n\nexport interface ApplyCounterDeltaParams {\n readonly mutation: CounterMutation;\n /* Table override (tests); defaults to `DYNAMO_TABLE_NAME`. /\n readonly tableName?: string;\n}\n\n/* Minimal shape of the ElectroDB patch builder this operation drives. /\ninterface PatchBuilder {\n add(attrs: Record<string, number>): {\n where(\n cb: (\n attr: Record<string, unknown>,\n op: { gt: (a: unknown, b: number) => string },\n ) => string,\n ): { go(): Promise<unknown> };\n go(): Promise<unknown>;\n };\n}\n\n/\n Apply one atomic counter delta. Increments are unconditional `ADD`s\n * (guarded only by `patch`'s implicit `attribute_exists` on the key);\n * decrements carry the floor guard so a `-1` against an absent / `0`\n * counter is a no-op. Returns `true` when the delta landed, `false`\n * when the floor guard clamped a decrement or the canonical record was\n * missing.\n /\nexport async function applyCounterDeltaOperation(\n params: ApplyCounterDeltaParams,\n): Promise<boolean> {\n const { mutation, tableName } = params;\n const service = getDynamoControlService(tableName);\n\n const patch = buildPatch(service, mutation);\n\n try {\n if (mutation.delta > 0) {\n // Unconditional atomic ADD. `patch` adds `attribute_exists(PK)`,\n // so a delete-before-create race is clamped rather than\n // resurrecting the record.\n await patch.add({ [mutation.attribute]: mutation.delta }).go();\n return true;\n }\n\n // Floor-guarded decrement: apply `-1` only when the counter exists\n // and is strictly positive.\n await patch\n .add({ [mutation.attribute]: mutation.delta })\n .where((attr, { gt }) => gt(attr[mutation.attribute], 0))\n .go();\n return true;\n } catch (err) {\n if (isConditionalCheckFailure(err)) {\n return false;\n }\n throw err;\n }\n}\n\n/* Select the entity + composite key for the mutation's target. /\nfunction buildPatch(\n service: DynamoControlServiceType,\n mutation: CounterMutation,\n): PatchBuilder {\n switch (mutation.target) {\n case COUNTER_TARGET.Tenant:\n return service.entities.tenant.patch({\n tenantId: mutation.tenantId,\n sk: \"CURRENT\",\n }) as unknown as PatchBuilder;\n case COUNTER_TARGET.Workspace:\n return service.entities.workspace.patch({\n tenantId: mutation.tenantId,\n id: mutation.workspaceId,\n sk: \"CURRENT\",\n }) as unknown as PatchBuilder;\n case COUNTER_TARGET.User:\n return service.entities.user.patch({\n id: mutation.userId,\n sk: \"CURRENT\",\n }) as unknown as PatchBuilder;\n }\n}\n\n/\n ElectroDB wraps a failed conditional check in its own error. Detect it\n * structurally so the floor guard / existence guard resolves to a\n * clamped no-op rather than propagating.\n /\nfunction isConditionalCheckFailure(err: unknown): boolean {\n if (typeof err !== \"object\" \|\| err === null) {\n return false;\n }\n const e = err as {\n name?: string;\n code?: string;\n message?: string;\n cause?: { name?: string };\n };\n if (\n e.name === \"ConditionalCheckFailedException\" \|\|\n e.code === \"ConditionalCheckFailedException\" \|\|\n e.cause?.name === \"ConditionalCheckFailedException\"\n ) {\n return true;\n }\n return typeof e.message === \"string\"\n ? e.message.includes(\"ConditionalCheckFailed\")\n : false;\n}\n","/\n ADR-028 admin-vs-normal classification for the workspace user breakdown.\n \n The counter-maintenance consumer counts every workspace-scoped\n * RoleAssignment into one of two buckets — `adminUsersInWorkspace` or\n * `normalUsersInWorkspace` — based on whether the assignment's role is\n * an admin-tier role. This module is the single documented predicate\n * that decision flows through so the rule lives in exactly one place.\n \n The signals come straight off the `control-plane.role-assignment-`\n event payload (no extra Role read): the ADR-019 organization-role\n * code carried as `roleLevel` (extracted from `PractitionerRole.code`\n * at publish time) and the `roleId` reference slug.\n \n Classification rule (per the #1318 brief against the ADR-019\n * vocabulary): an assignment is admin when either\n \n - its `roleLevel` code names an admin tier — it equals or ends with\n * `admin` (catches the data-plane organization role `billing-admin`\n * and the platform roles `tenant-admin` / `system-admin` when those\n * surface on the code), or\n * - its `roleId` matches `admin` (a defensive fallback for assignments\n * whose role code did not ride the event but whose stable role id\n * encodes the tier, e.g. `role-tenant-admin`).\n \n Everything else (including a missing roleLevel and roleId) classifies\n * as normal. Misclassification is self-correcting: ADR-028's\n * reconciliation job recomputes both buckets from canonical data and is\n * the authority on the true value.\n /\n\n/\n Returns `true` when a workspace-scoped RoleAssignment should count\n * toward `adminUsersInWorkspace`, `false` when it counts toward\n * `normalUsersInWorkspace`. See the module doc for the rule.\n /\nexport function isAdminRoleAssignment(input: {\n readonly roleLevel?: string;\n readonly roleId?: string;\n}): boolean {\n if (codeIsAdminTier(input.roleLevel)) {\n return true;\n }\n if (idMatchesAdmin(input.roleId)) {\n return true;\n }\n return false;\n}\n\n/\n An ADR-019 role code is admin-tier when it is exactly `admin` or ends\n * with the `-admin` / `admin` suffix (case-insensitive). Matches\n * `billing-admin`, `tenant-admin`, `system-admin`; rejects `biller`,\n * `scribe`, `practitioner`, etc.\n /\nfunction codeIsAdminTier(roleLevel: string \| undefined): boolean {\n if (typeof roleLevel !== \"string\" \|\| roleLevel.length === 0) {\n return false;\n }\n const lower = roleLevel.toLowerCase();\n return lower === \"admin\" \|\| lower.endsWith(\"admin\");\n}\n\n/\n Fallback signal — the stable role id slug encodes the tier even when\n * the role code did not ride the event. Matches any id containing the\n * substring `admin` (case-insensitive), e.g. `role-tenant-admin`.\n /\nfunction idMatchesAdmin(roleId: string \| undefined): boolean {\n if (typeof roleId !== \"string\" \|\| roleId.length === 0) {\n return false;\n }\n return roleId.toLowerCase().includes(\"admin\");\n}\n","import { EventBridgeClient } from \"@aws-sdk/client-eventbridge\";\nimport {\n ControlPlaneMembershipCreatedV1,\n ControlPlaneMembershipDeletedV1,\n ControlPlaneRoleAssignmentCreatedV1,\n ControlPlaneRoleAssignmentDeletedV1,\n ControlPlaneWorkspaceCreatedV1,\n ControlPlaneWorkspaceDeletedV1,\n OPENHI_CONTROL_SOURCE,\n publishWorkflowEvent,\n type ControlPlaneMembershipChangedV1Detail,\n type ControlPlaneRoleAssignmentChangedV1Detail,\n type ControlPlaneWorkspaceChangedV1Detail,\n type WorkflowActor,\n type WorkflowDetailTypeEntry,\n} from \"@openhi/workflows\";\nimport { OpenHiContext } from \"../../openhi-context\";\n\n/\n Env var carrying the name of the control event bus the REST API Lambda\n * publishes control-plane domain events to. Set by\n * {@link RestApiLambda} from the deterministic `ControlEventBus` name.\n * When unset (seed / import / unit-test contexts) the publisher is a no-op,\n * so operations stay usable outside the Lambda and the counter backfill in\n * the reconciliation job (#1319) repairs any rows created without an event.\n /\nexport const CONTROL_EVENT_BUS_NAME_ENV_VAR = \"CONTROL_EVENT_BUS_NAME\";\n\nlet cachedClient: EventBridgeClient \| undefined;\n\nfunction getClient(): EventBridgeClient {\n if (!cachedClient) {\n cachedClient = new EventBridgeClient({\n region: process.env.AWS_REGION ?? \"us-east-1\",\n });\n }\n return cachedClient;\n}\n\nfunction actorFromContext(context: OpenHiContext): WorkflowActor {\n return {\n ohi_tid: context.tenantId,\n ohi_wid: context.workspaceId,\n ohi_uid: context.actorId,\n ohi_uname: context.actorName,\n };\n}\n\n/\n Publish one control-plane domain event to the control event bus.\n \n Best-effort by contract (ADR-028): the canonical multi-write has already\n * committed by the time this runs, the counters it feeds are eventually\n * consistent, and the reconciliation job (#1319) is the correctness backstop.\n * A publish failure is therefore logged and swallowed so it never fails the\n * operation (which would 500 a request whose data write already succeeded).\n * When `CONTROL_EVENT_BUS_NAME` is unset the publish is skipped entirely.\n /\nasync function publishControlEvent<TDetail>(\n entry: WorkflowDetailTypeEntry<TDetail>,\n payload: TDetail,\n context: OpenHiContext,\n): Promise<void> {\n const busName = process.env[CONTROL_EVENT_BUS_NAME_ENV_VAR];\n if (!busName) {\n return;\n }\n try {\n await publishWorkflowEvent(\n getClient(),\n entry,\n payload,\n { actor: actorFromContext(context) },\n { busNameByPlane: { [OPENHI_CONTROL_SOURCE]: busName } },\n );\n } catch (err) {\n console.error(`control-event publish failed for ${entry.detailType}:`, err);\n }\n}\n\n/* Publish `control-plane.membership-created.v1`. /\nexport async function publishMembershipCreated(\n context: OpenHiContext,\n detail: ControlPlaneMembershipChangedV1Detail,\n): Promise<void> {\n await publishControlEvent(ControlPlaneMembershipCreatedV1, detail, context);\n}\n\n/* Publish `control-plane.membership-deleted.v1`. /\nexport async function publishMembershipDeleted(\n context: OpenHiContext,\n detail: ControlPlaneMembershipChangedV1Detail,\n): Promise<void> {\n await publishControlEvent(ControlPlaneMembershipDeletedV1, detail, context);\n}\n\n/* Publish `control-plane.role-assignment-created.v1`. /\nexport async function publishRoleAssignmentCreated(\n context: OpenHiContext,\n detail: ControlPlaneRoleAssignmentChangedV1Detail,\n): Promise<void> {\n await publishControlEvent(\n ControlPlaneRoleAssignmentCreatedV1,\n detail,\n context,\n );\n}\n\n/* Publish `control-plane.role-assignment-deleted.v1`. /\nexport async function publishRoleAssignmentDeleted(\n context: OpenHiContext,\n detail: ControlPlaneRoleAssignmentChangedV1Detail,\n): Promise<void> {\n await publishControlEvent(\n ControlPlaneRoleAssignmentDeletedV1,\n detail,\n context,\n );\n}\n\n/* Publish `control-plane.workspace-created.v1`. /\nexport async function publishWorkspaceCreated(\n context: OpenHiContext,\n detail: ControlPlaneWorkspaceChangedV1Detail,\n): Promise<void> {\n await publishControlEvent(ControlPlaneWorkspaceCreatedV1, detail, context);\n}\n\n/* Publish `control-plane.workspace-deleted.v1`. /\nexport async function publishWorkspaceDeleted(\n context: OpenHiContext,\n detail: ControlPlaneWorkspaceChangedV1Detail,\n): Promise<void> {\n await publishControlEvent(ControlPlaneWorkspaceDeletedV1, detail, context);\n}\n\n/\n Extract the ADR-019 organization-role level / type from a RoleAssignment\n * resource so the counter-maintenance consumer can classify a workspace-scoped\n * assignment as admin vs normal without re-reading the Role record. Reads the\n * slim `PractitionerRole.code` coding per ADR-019 §1.2; returns `undefined`\n * when no code is present.\n /\nexport function extractRoleLevel(\n resource: Record<string, unknown> \| undefined,\n): string \| undefined {\n const code = resource?.code as\n \| { coding?: Array<{ code?: unknown }> }\n \| undefined;\n const first = code?.coding?.[0]?.code;\n return typeof first === \"string\" && first.length > 0 ? first : undefined;\n}\n","import { getDynamoControlService } from \"../../../dynamo/dynamo-control-service\";\n\n/\n Filter modes for {@link membershipListByUserOperation}.\n \n Maps directly to the ADR-018 sub-lane discriminator in the user-projection\n * SK (`MEMBERSHIP#TENANT#…` vs `MEMBERSHIP#WORKSPACE#…`):\n \n - `\"all\"` — `Query(PK = USER#ID#<userId>, SK begins_with 'MEMBERSHIP#')`.\n * Returns both lanes interleaved in raw SK order.\n * - `\"tenant\"` — `SK begins_with 'MEMBERSHIP#TENANT#'`. Pattern #3 only.\n * - `\"workspace\"` — `SK begins_with 'MEMBERSHIP#WORKSPACE#'`. Pattern #4\n * across every tenant.\n * - `\"workspaceInTenant\"` — `SK begins_with 'MEMBERSHIP#WORKSPACE#TID#<tenantId>#'`.\n * Pattern #4 narrowed to one tenant. Requires `tenantId`.\n /\nexport type MembershipListByUserMode =\n \| \"all\"\n \| \"tenant\"\n \| \"workspace\"\n \| \"workspaceInTenant\";\n\n/* Inputs accepted by {@link membershipListByUserOperation}. /\nexport interface MembershipListByUserParams {\n readonly userId: string;\n /* Filter mode — see {@link MembershipListByUserMode}. Defaults to `\"all\"`. /\n readonly mode?: MembershipListByUserMode;\n /* Required only when `mode === \"workspaceInTenant\"`. /\n readonly tenantId?: string;\n /* ElectroDB cursor from a prior page. Forwarded to `.go({ cursor })`. /\n readonly cursor?: string \| null;\n /* Per-page item limit forwarded to `.go({ limit })`. /\n readonly limit?: number;\n /* Sort order forwarded to `.go({ order })`. Defaults to ElectroDB's `\"asc\"`. /\n readonly order?: \"asc\" \| \"desc\";\n /* Optional table-name override; resolved via env when omitted. /\n readonly tableName?: string;\n}\n\n/* One projection-row payload as returned to a consumer. /\nexport interface MembershipUserProjectionEntry {\n readonly userId: string;\n readonly sk: string;\n readonly tenantId: string;\n readonly workspaceId?: string;\n readonly membershipId: string;\n readonly summary: string;\n readonly vid: string;\n readonly lastUpdated: string;\n readonly denormalizedTenantName?: string;\n readonly denormalizedUserName?: string;\n readonly denormalizedWorkspaceName?: string;\n}\n\n/* Page returned by {@link membershipListByUserOperation}. /\nexport interface MembershipListByUserResult {\n readonly items: Array<MembershipUserProjectionEntry>;\n /* ElectroDB cursor for the next page, or `null` when exhausted. /\n readonly cursor: string \| null;\n}\n\n/\n Compose the SK prefix for a given filter mode. Centralizing the\n * prefix string here keeps the SK grammar (owned by\n * `membership-user-projection.ts`) the single source of truth for the\n * lane discriminators — this function reads them, it does not invent them.\n /\nexport function buildSkPrefix(\n mode: MembershipListByUserMode,\n tenantId: string \| undefined,\n): string {\n switch (mode) {\n case \"tenant\":\n return \"MEMBERSHIP#TENANT#\";\n case \"workspace\":\n return \"MEMBERSHIP#WORKSPACE#\";\n case \"workspaceInTenant\":\n // Pattern-#4 SK places `<tenantId>` directly after the\n // `MEMBERSHIP#WORKSPACE#TID#` segment so a `begins_with` filter\n // narrows the workspace lane to a single tenant.\n return `MEMBERSHIP#WORKSPACE#TID#${tenantId}#`;\n case \"all\":\n default:\n return \"MEMBERSHIP#\";\n }\n}\n\n/\n List Memberships for a user via the ADR-018 user-partition projection\n * (no GSI hop).\n \n Reads `MembershipUserProjectionEntity` rows under `PK = USER#ID#<userId>`\n * with an `SK begins_with` filter selected by `mode`:\n \n \| Mode \| SK begins_with \| Covers \|\n * \|---\|---\|---\|\n * \| `all` (default) \| `MEMBERSHIP#` \| patterns #3 + #4 interleaved \|\n * \| `tenant` \| `MEMBERSHIP#TENANT#` \| pattern #3 only \|\n * \| `workspace` \| `MEMBERSHIP#WORKSPACE#` \| pattern #4 only, across tenants \|\n * \| `workspaceInTenant` \| `MEMBERSHIP#WORKSPACE#TID#<tenantId>#` \| pattern #4 in one tenant \|\n \n Returns the projection rows verbatim (`summary`, `vid`, `lastUpdated`\n * plus the projection-discriminating fields) — full canonical-resource\n * hydration is opt-in for callers via\n * `MembershipEntity.get({ tenantId, id: membershipId })`. Pagination\n * mirrors ElectroDB's native `.go({ cursor })` shape; the returned\n * `cursor` is opaque to callers.\n \n @see ADR-018 § Access Pattern Coverage (patterns #3 and #4)\n * @see .state/adr-018-implementation-guide.md § 1 (SK grammar)\n /\nexport async function membershipListByUserOperation(\n params: MembershipListByUserParams,\n): Promise<MembershipListByUserResult> {\n const {\n userId,\n mode = \"all\",\n tenantId,\n cursor = null,\n limit,\n order,\n tableName,\n } = params;\n\n if (mode === \"workspaceInTenant\" && !tenantId) {\n throw new Error(\n 'membershipListByUserOperation: tenantId is required when mode === \"workspaceInTenant\"',\n );\n }\n\n const service = getDynamoControlService(tableName);\n const skPrefix = buildSkPrefix(mode, tenantId);\n\n const goOptions: {\n cursor?: string \| null;\n limit?: number;\n order?: \"asc\" \| \"desc\";\n } = {\n cursor,\n };\n if (limit !== undefined) {\n goOptions.limit = limit;\n }\n if (order !== undefined) {\n goOptions.order = order;\n }\n\n const result = await service.entities.membershipUserProjection.query\n .record({ userId })\n .begins({ sk: skPrefix })\n .go(goOptions);\n\n const items: Array<MembershipUserProjectionEntry> = (result.data ?? []).map(\n (row) => ({\n userId: row.userId,\n sk: row.sk,\n tenantId: row.tenantId,\n workspaceId: row.workspaceId,\n membershipId: row.membershipId,\n summary: row.summary,\n vid: row.vid,\n lastUpdated: row.lastUpdated,\n denormalizedTenantName: row.denormalizedTenantName,\n denormalizedUserName: row.denormalizedUserName,\n denormalizedWorkspaceName: row.denormalizedWorkspaceName,\n }),\n );\n\n return { items, cursor: result.cursor ?? null };\n}\n","import {\n buildSkPrefix,\n type MembershipListByUserMode,\n} from \"./membership-list-by-user-operation\";\nimport { getDynamoControlService } from \"../../../dynamo/dynamo-control-service\";\n\n/* Inputs accepted by {@link countMembershipsByUserOperation}. /\nexport interface CountMembershipsByUserParams {\n readonly userId: string;\n /* Filter mode — see {@link MembershipListByUserMode}. Defaults to `\"all\"`. /\n readonly mode?: MembershipListByUserMode;\n /* Required only when `mode === \"workspaceInTenant\"`. /\n readonly tenantId?: string;\n /* Optional table-name override; resolved via env when omitted. /\n readonly tableName?: string;\n}\n\n/\n Count a user's Memberships via the ADR-018 user-partition projection, with the\n * same `SK begins_with` lane discriminator as {@link membershipListByUserOperation}.\n \n Pages through every matching projection row (`{ pages: \"all\" }`) projecting only\n * the `membershipId` key, and returns the row count. Backs\n * `GET /User/:id/Membership?_summary=count`.\n \n Note: the per-user counts (`tenantsForUser`, `workspacesForUser`) are also\n * maintained as denormalized counters on the User record per ADR-028; this\n * recompute-from-projection count is the FHIR `_summary=count` shape and the\n * authoritative source the counters are reconciled against.\n /\nexport async function countMembershipsByUserOperation(\n params: CountMembershipsByUserParams,\n): Promise<number> {\n const { userId, mode = \"all\", tenantId, tableName } = params;\n\n if (mode === \"workspaceInTenant\" && !tenantId) {\n throw new Error(\n 'countMembershipsByUserOperation: tenantId is required when mode === \"workspaceInTenant\"',\n );\n }\n\n const service = getDynamoControlService(tableName);\n const skPrefix = buildSkPrefix(mode, tenantId);\n\n const result = await service.entities.membershipUserProjection.query\n .record({ userId })\n .begins({ sk: skPrefix })\n .go({ pages: \"all\", attributes: [\"membershipId\"] });\n\n return (result.data ?? []).length;\n}\n","import { getDynamoControlService } from \"../../../dynamo/dynamo-control-service\";\n\n/* Inputs accepted by {@link membershipListByWorkspaceOperation}. /\nexport interface MembershipListByWorkspaceParams {\n readonly tenantId: string;\n readonly workspaceId: string;\n /* ElectroDB cursor from a prior page. Forwarded to `.go({ cursor })`. /\n readonly cursor?: string \| null;\n /* Per-page item limit forwarded to `.go({ limit })`. /\n readonly limit?: number;\n /* Sort order forwarded to `.go({ order })`. Defaults to ElectroDB's `\"asc\"`. /\n readonly order?: \"asc\" \| \"desc\";\n /* Optional table-name override; resolved via env when omitted. /\n readonly tableName?: string;\n}\n\n/* One projection-row payload as returned to a consumer. /\nexport interface MembershipWorkspaceProjectionEntry {\n readonly tenantId: string;\n readonly workspaceId: string;\n readonly sk: string;\n readonly userId: string;\n readonly membershipId: string;\n readonly summary: string;\n readonly vid: string;\n readonly lastUpdated: string;\n readonly denormalizedUserName?: string;\n}\n\n/* Page returned by {@link membershipListByWorkspaceOperation}. /\nexport interface MembershipListByWorkspaceResult {\n readonly items: Array<MembershipWorkspaceProjectionEntry>;\n /* ElectroDB cursor for the next page, or `null` when exhausted. /\n readonly cursor: string \| null;\n}\n\n/\n List Memberships for a workspace via the ADR-018 workspace-partition\n * projection (no GSI hop).\n \n Reads `MembershipWorkspaceProjectionEntity` rows under\n * `PK = TID#<tenantId>#WORKSPACE#ID#<workspaceId>` with\n * `SK begins_with 'MEMBERSHIP#'`. The projection's SK shape\n * (`MEMBERSHIP#<normalizedUserName>#USER#<userId>#<membershipId>`) sorts\n * members alphabetically by user name within the workspace partition, so\n * the natural Query order is exactly what the access pattern expects —\n * no client-side sort.\n \n Returns the projection rows verbatim (`summary`, `vid`, `lastUpdated`\n * plus the projection-discriminating fields) — full canonical-resource\n * hydration is opt-in for callers via\n * `MembershipEntity.get({ tenantId, id: membershipId })`. Pagination\n * mirrors ElectroDB's native `.go({ cursor })` shape; the returned\n * `cursor` is opaque to callers.\n \n @see ADR-018 § Access Pattern Coverage (pattern #2)\n * @see .state/adr-018-implementation-guide.md § 1 (SK grammar)\n /\nexport async function membershipListByWorkspaceOperation(\n params: MembershipListByWorkspaceParams,\n): Promise<MembershipListByWorkspaceResult> {\n const {\n tenantId,\n workspaceId,\n cursor = null,\n limit,\n order,\n tableName,\n } = params;\n\n const service = getDynamoControlService(tableName);\n\n const goOptions: {\n cursor?: string \| null;\n limit?: number;\n order?: \"asc\" \| \"desc\";\n } = {\n cursor,\n };\n if (limit !== undefined) {\n goOptions.limit = limit;\n }\n if (order !== undefined) {\n goOptions.order = order;\n }\n\n const result = await service.entities.membershipWorkspaceProjection.query\n .record({ tenantId, workspaceId })\n .begins({ sk: \"MEMBERSHIP#\" })\n .go(goOptions);\n\n const items: Array<MembershipWorkspaceProjectionEntry> = (\n result.data ?? []\n ).map((row) => ({\n tenantId: row.tenantId,\n workspaceId: row.workspaceId,\n sk: row.sk,\n userId: row.userId,\n membershipId: row.membershipId,\n summary: row.summary,\n vid: row.vid,\n lastUpdated: row.lastUpdated,\n denormalizedUserName: row.denormalizedUserName,\n }));\n\n return { items, cursor: result.cursor ?? null };\n}\n","import { extractSortKey, extractSummary } from \"@openhi/types\";\nimport type { Meta, FhirResourceLike } from \"@openhi/types\";\nimport { compressResource, decompressResource } from \"../../lib/compression\";\nimport { mergeAuditIntoMeta, type MetaWithExtensions } from \"../audit-meta\";\nimport { SHARD_COUNT } from \"../dynamo/shard\";\nimport { NotFoundError } from \"../errors\";\nimport type { OpenHiContext } from \"../openhi-context\";\n\n/\n Sort key for the current record version. Matches Dynamo record index SK default.\n * Use this in get/update/delete (and create where applicable) for data-plane entities.\n /\nexport const DATA_ENTITY_SK = \"CURRENT\" as const;\n\n/* Base params for data-entity operations: context and optional table override. /\nexport interface BaseDataEntityParams {\n context: OpenHiContext;\n /* Optional table name override; resolved by data service from DYNAMO_TABLE_NAME when omitted. /\n tableName?: string;\n}\n\n/* Params for get-by-id and delete (context + id + optional tableName). /\nexport interface GetByIdParams extends BaseDataEntityParams {\n id: string;\n}\n\n/\n Mode for list operations introduced by #853 to back FHIR `_summary` opt-ins.\n \n - `full` (default): GSI1 fan-out → BatchGet hydration → full FHIR resource per entry.\n * - `summary`: GSI1 fan-out only; the `summary` JSON projected onto GSI1 is parsed and used\n * as `resource` per entry. Skips BatchGet entirely — that's the cost win the FHIR spec\n * intends `_summary=true` to deliver.\n * - `count`: GSI1 fan-out only; entries are dropped, only `total` is populated. Routes\n * should pass `total` into `buildSearchsetBundle({ mode: \"count\", total })`.\n \n `_elements` is implemented at the route layer as `full` mode + post-hydration pruning,\n * since per-element pruning has to happen after decompression and is FHIR-spec-defined\n * (always retain root-level mandatories — see `prune-resource-by-elements.ts`).\n /\nexport type ListOperationMode = \"full\" \| \"summary\" \| \"count\";\n\n/* Params for list (context + optional tableName + optional mode for #853 `_summary`). /\nexport interface ListParams extends BaseDataEntityParams {\n /* Defaults to `\"full\"` (current behavior); routes pass other modes for `_summary` opt-ins. /\n mode?: ListOperationMode;\n}\n\n/* Result for create / get-by-id / update: single resource. /\nexport interface SingleResourceResult<T> {\n id: string;\n resource: T;\n}\n\n/* Entry shape for list results. /\nexport interface ListEntry<T> {\n id: string;\n resource: T;\n}\n\n/\n Result for list: entries array plus total count.\n \n - For `mode === \"full\"` and `mode === \"summary\"`, `total === entries.length`.\n * - For `mode === \"count\"`, `entries` is empty and `total` is the GSI1 fan-out count.\n \n Splitting `total` from `entries.length` lets count-mode routes report a true count\n * while skipping any per-entry work.\n /\nexport interface ListResult<T> {\n entries: Array<ListEntry<T>>;\n total: number;\n}\n\n/* Minimal entity shape for get (used by getDataEntityById). /\ninterface EntityWithGet {\n get(params: {\n tenantId: string;\n workspaceId: string;\n id: string;\n sk: string;\n }): { go(): Promise<{ data: { id: string; resource: string } \| null }> };\n}\n\n/* Minimal entity shape for delete (used by deleteDataEntityById). /\ninterface EntityWithDelete {\n delete(params: {\n tenantId: string;\n workspaceId: string;\n id: string;\n sk: string;\n }): { go(): Promise<unknown> };\n}\n\n/\n Minimal entity shape for list via GSI1 + BatchGet hydration (used by listDataEntitiesByWorkspace).\n * GSI1 is sharded per ADR-011, so listing fans out to each shard and concatenates ids; the\n * `resource` attribute is NOT projected onto GSI1 (per the summary projection in\n * `dynamo-db-data-store.ts`), so the second phase BatchGets the base table for full items.\n \n GSI1 INCLUDE projection (per `dynamo-db-data-store.ts`) carries `summary`, `vid`, `lastUpdated`,\n * `createdDate`, `modifiedDate`, `createdById`, `modifiedById` alongside the key attributes.\n * `summary` is what `mode: \"summary\"` returns to the caller without hitting the base table.\n /\ninterface DataEntityWithListAndBatchGet {\n query: {\n gsi1(params: {\n tenantId: string;\n workspaceId: string;\n gsi1Shard: string;\n }): {\n go(): Promise<{\n data: Array<{\n id: string;\n summary?: string;\n vid?: string;\n lastUpdated?: string;\n createdDate?: string;\n modifiedDate?: string;\n createdById?: string;\n modifiedById?: string;\n }> \| null;\n }>;\n };\n };\n get(\n keys: Array<{\n tenantId: string;\n workspaceId: string;\n id: string;\n sk: string;\n }>,\n ): {\n go(): Promise<{\n data: Array<{ id: string; resource: string }>;\n unprocessed: Array<{\n tenantId: string;\n workspaceId: string;\n id: string;\n sk: string;\n }>;\n }>;\n };\n}\n\n/* Minimal entity shape for put (used by createDataEntityRecord). /\ninterface EntityWithPut {\n put(attrs: {\n sk: string;\n tenantId: string;\n workspaceId: string;\n id: string;\n resource: string;\n summary: string;\n vid: string;\n lastUpdated: string;\n gsi1sk: string;\n }): { go(): Promise<unknown> };\n}\n\n/* Minimal entity shape for patch (used by updateDataEntityById). /\ninterface EntityWithPatch {\n get(params: {\n tenantId: string;\n workspaceId: string;\n id: string;\n sk: string;\n }): { go(): Promise<{ data: { id: string; resource: string } \| null }> };\n patch(params: {\n tenantId: string;\n workspaceId: string;\n id: string;\n sk: string;\n }): {\n set(attrs: {\n resource: string;\n summary: string;\n lastUpdated: string;\n gsi1sk: string;\n }): {\n go(): Promise<unknown>;\n };\n };\n}\n\n/\n Get a single data-entity record by id. Decompresses and parses resource; throws NotFoundError if missing.\n * Use from get-by-id operations with the appropriate entity and resource type.\n /\nexport async function getDataEntityById<T>(\n entity: EntityWithGet,\n tenantId: string,\n workspaceId: string,\n id: string,\n resourceLabel: string,\n): Promise<SingleResourceResult<T>> {\n const result = await entity\n .get({\n tenantId,\n workspaceId,\n id,\n sk: DATA_ENTITY_SK,\n })\n .go();\n\n if (!result.data) {\n throw new NotFoundError(`${resourceLabel} ${id} not found`, {\n details: { id },\n });\n }\n\n const parsed = JSON.parse(decompressResource(result.data.resource)) as T & {\n id?: string;\n };\n return {\n id: result.data.id,\n resource: { ...parsed, id: result.data.id } as T,\n };\n}\n\n/\n Delete a data-entity record by id. Idempotent (no-op if not found).\n * Use from delete operations with the appropriate entity.\n /\nexport async function deleteDataEntityById(\n entity: EntityWithDelete,\n tenantId: string,\n workspaceId: string,\n id: string,\n): Promise<void> {\n await entity\n .delete({\n tenantId,\n workspaceId,\n id,\n sk: DATA_ENTITY_SK,\n })\n .go();\n}\n\n/* Maximum total attempts (initial + retries) when hydrating list ids via BatchGet. /\nconst BATCH_GET_MAX_ATTEMPTS = 3;\n/* Base backoff in milliseconds applied to BatchGet retries; doubles each attempt. /\nconst BATCH_GET_BASE_BACKOFF_MS = 50;\n\n/* Minimal entity shape for BatchGet hydration on the base table; chunks of 100 are handled by ElectroDB. /\ninterface EntityWithBatchGet<TKey, TItem> {\n get(keys: TKey[]): {\n go(options?: {\n consistent?: boolean;\n }): Promise<{ data: TItem[]; unprocessed: TKey[] }>;\n };\n}\n\n/* Options accepted by {@link batchGetWithRetry}. /\nexport interface BatchGetWithRetryOptions {\n /\n Forwarded to DynamoDB as `ConsistentRead`. BatchGet reads the *base\n table*, which supports strongly-consistent reads, so list operations\n that must reflect a just-committed write (read-after-write) pass\n * `consistent: true`. Defaults to ElectroDB's eventually-consistent read.\n * @see #1347 — role-assignment dropdowns must reflect their own write\n /\n readonly consistent?: boolean;\n}\n\n/\n BatchGet wrapper that retries `UnprocessedKeys` with exponential backoff. ElectroDB chunks the\n * input keys into groups of 100 internally, but does not retry unprocessed keys — DynamoDB can\n * return some keys unprocessed under throttling or partial failure, and the caller must reissue\n * them. Throws after `BATCH_GET_MAX_ATTEMPTS` if any keys remain unprocessed; intended for list\n * hydration (#854) where partial results would silently truncate the response.\n \n Pass `{ consistent: true }` for read-after-write correctness — the base-table\n * BatchGet then reflects the latest committed write rather than a possibly-stale\n * eventually-consistent replica (#1347).\n /\nexport async function batchGetWithRetry<TKey, TItem>(\n entity: EntityWithBatchGet<TKey, TItem>,\n keys: TKey[],\n options?: BatchGetWithRetryOptions,\n): Promise<TItem[]> {\n if (keys.length === 0) return [];\n\n const collected: TItem[] = [];\n let pending = keys;\n let attempt = 0;\n\n while (pending.length > 0) {\n if (attempt > 0) {\n await new Promise((resolve) =>\n setTimeout(resolve, BATCH_GET_BASE_BACKOFF_MS 2 (attempt - 1)),\n );\n }\n attempt++;\n const result = await entity\n .get(pending)\n .go(options?.consistent ? { consistent: true } : undefined);\n collected.push(...result.data);\n const unprocessed = result.unprocessed ?? [];\n if (unprocessed.length === 0) break;\n if (attempt >= BATCH_GET_MAX_ATTEMPTS) {\n throw new Error(\n `BatchGet exhausted retries: ${unprocessed.length} key(s) still unprocessed after ${BATCH_GET_MAX_ATTEMPTS} attempt(s)`,\n );\n }\n pending = unprocessed;\n }\n\n return collected;\n}\n\n/ GSI1 index item shape — what a sharded `gsi1.query().go()` returns per row. /\nexport interface ShardedListIndexItem {\n id: string;\n summary?: string;\n}\n\n/* Hooks that adapt a generic mode-dispatching list to a specific entity's hydration and entry shape. /\nexport interface DispatchListModeHooks<TItem, TEntry> {\n /* Hydrate the base table for the given ids (typically `batchGetWithRetry(entity, keys)`). /\n hydrate: (orderedIds: string[]) => Promise<TItem[]>;\n /* Extract the canonical id from a hydrated item so it can be matched back to the GSI1 order. /\n getId: (item: TItem) => string;\n /* Build the result entry for `mode === \"full\"` from a hydrated base-table item. /\n buildEntry: (id: string, item: TItem) => TEntry;\n /* Build the result entry for `mode === \"summary\"` from the parsed GSI1 `summary` JSON. /\n buildSummaryEntry: (\n id: string,\n parsedSummary: Record<string, unknown>,\n ) => TEntry;\n}\n\n/\n Mode dispatcher shared by data-plane and control-plane list operations (#853).\n \n Given pre-fetched `shardResults` from a sharded GSI1 fan-out, returns either:\n * - `mode === \"count\"` — `{ entries: [], total }` where total is the sum of shard row counts.\n * - `mode === \"summary\"` — entries built from each shard row's parsed `summary` JSON; rows with\n * missing or unparseable `summary` are dropped.\n * - `mode === \"full\"` — calls `hydrate(orderedIds)` (typically a BatchGet) and builds entries\n * from hydrated items in per-shard GSI1 sort order; missing items are dropped.\n \n Lives here (alongside `listDataEntitiesByWorkspace`) because the same dispatch logic is needed\n * by every list operation that backs a FHIR list/search endpoint, including the seven\n * control-plane peers (User, Role, Tenant, Workspace, Membership, RoleAssignment, Configuration).\n /\nexport async function dispatchListMode<TItem, TEntry>(\n mode: ListOperationMode,\n shardResults: Array<{ data: Array<ShardedListIndexItem> \| null }>,\n hooks: DispatchListModeHooks<TItem, TEntry>,\n): Promise<{ entries: TEntry[]; total: number }> {\n if (mode === \"count\") {\n let total = 0;\n for (const shardResult of shardResults) {\n total += (shardResult.data ?? []).length;\n }\n return { entries: [], total };\n }\n\n if (mode === \"summary\") {\n const entries: TEntry[] = [];\n for (const shardResult of shardResults) {\n for (const item of shardResult.data ?? []) {\n if (typeof item.summary !== \"string\") continue;\n let parsed: Record<string, unknown>;\n try {\n parsed = JSON.parse(item.summary) as Record<string, unknown>;\n } catch {\n continue;\n }\n entries.push(hooks.buildSummaryEntry(item.id, parsed));\n }\n }\n return { entries, total: entries.length };\n }\n\n const orderedIds: string[] = [];\n for (const shardResult of shardResults) {\n for (const item of shardResult.data ?? []) {\n orderedIds.push(item.id);\n }\n }\n\n if (orderedIds.length === 0) return { entries: [], total: 0 };\n\n const items = await hooks.hydrate(orderedIds);\n const byId = new Map(items.map((item) => [hooks.getId(item), item]));\n\n const entries: TEntry[] = [];\n for (const id of orderedIds) {\n const item = byId.get(id);\n if (!item) continue;\n entries.push(hooks.buildEntry(id, item));\n }\n\n return { entries, total: entries.length };\n}\n\n/\n List data-entity records in a workspace via GSI1.\n \n `mode` (default `\"full\"`) selects the read shape — see `dispatchListMode`. The data-plane\n * binding here adds the four-shard fan-out (per ADR-011) and the BatchGet hydration with\n * decompression for `mode === \"full\"`. K-way merge by `gsi1sk` is intentionally NOT done here\n * — full server-side natural sort lands with the FHIR list-endpoint plumbing that adds\n * pagination tokens.\n /\nexport async function listDataEntitiesByWorkspace<T>(\n entity: DataEntityWithListAndBatchGet,\n tenantId: string,\n workspaceId: string,\n mode: ListOperationMode = \"full\",\n): Promise<ListResult<T>> {\n const shardResults = await Promise.all(\n Array.from({ length: SHARD_COUNT }, (_, shard) =>\n entity.query\n .gsi1({ tenantId, workspaceId, gsi1Shard: String(shard) })\n .go(),\n ),\n );\n\n return dispatchListMode<{ id: string; resource: string }, ListEntry<T>>(\n mode,\n shardResults,\n {\n hydrate: (orderedIds) =>\n batchGetWithRetry(\n entity,\n orderedIds.map((id) => ({\n tenantId,\n workspaceId,\n id,\n sk: DATA_ENTITY_SK,\n })),\n ),\n getId: (item) => item.id,\n buildEntry: (id, item) => {\n const parsed = JSON.parse(decompressResource(item.resource)) as T & {\n id?: string;\n };\n return { id, resource: { ...parsed, id } as T };\n },\n buildSummaryEntry: (id, parsed) => ({\n id,\n resource: { ...parsed, id } as T,\n }),\n },\n );\n}\n\n/\n Create a data-entity record with put. Computes vid from lastUpdated (from resource meta or fallback).\n * Use from create operations (e.g. Practitioner, Encounter) that build the resource with audit in meta.\n /\nexport async function createDataEntityRecord<T>(\n entity: EntityWithPut,\n tenantId: string,\n workspaceId: string,\n id: string,\n resourceWithAudit: T & { meta?: { lastUpdated?: string } },\n fallbackDate: string,\n): Promise<SingleResourceResult<T>> {\n const lastUpdated =\n resourceWithAudit.meta?.lastUpdated ??\n fallbackDate ??\n new Date().toISOString();\n const vid =\n lastUpdated.replace(/[-:T.Z]/g, \"\").slice(0, 12) \|\| Date.now().toString(36);\n\n const resourceLike = resourceWithAudit as unknown as FhirResourceLike;\n const summary = JSON.stringify(extractSummary(resourceLike));\n const gsi1sk = extractSortKey(resourceLike);\n\n await entity\n .put({\n sk: DATA_ENTITY_SK,\n tenantId,\n workspaceId,\n id,\n resource: compressResource(JSON.stringify(resourceWithAudit)),\n summary,\n vid,\n lastUpdated,\n gsi1sk,\n })\n .go();\n\n return {\n id,\n resource: resourceWithAudit as T,\n };\n}\n\n/\n Build an updated resource with audit in meta for use with updateDataEntityById.\n * Parses existing resource string for existing meta, merges body with id/resourceType/meta (versionId \"2\"),\n * then merges modified audit (modifiedDate, modifiedById, modifiedByName) into meta.\n * Use from update operations (Patient, Encounter, Practitioner) to avoid duplicating this logic.\n /\nexport function buildUpdatedResourceWithAudit<T extends { meta?: Meta }>(\n body: T,\n id: string,\n date: string,\n actorId: string,\n actorName: string,\n existingResourceStr: string,\n resourceType: string,\n): {\n resource: T & { id: string; meta: MetaWithExtensions };\n lastUpdated: string;\n} {\n const existingMeta: MetaWithExtensions \| undefined = (\n JSON.parse(existingResourceStr) as { meta?: MetaWithExtensions }\n ).meta;\n\n const bodyWithMeta = body as T & { id?: string; meta?: Meta };\n const resourceWithVersion: T & { id: string; meta?: Meta } = {\n ...body,\n resourceType: resourceType as T[\"resourceType\"],\n id,\n meta: {\n ...(bodyWithMeta.meta ?? {}),\n lastUpdated: date,\n versionId: \"2\",\n },\n };\n\n const resourceWithAudit: T & { id: string; meta: MetaWithExtensions } = {\n ...resourceWithVersion,\n meta: mergeAuditIntoMeta(resourceWithVersion.meta ?? existingMeta, {\n modifiedDate: date,\n modifiedById: actorId,\n modifiedByName: actorName,\n }),\n };\n\n return {\n resource: resourceWithAudit,\n lastUpdated: date,\n };\n}\n\n/\n Update a data-entity record by id: get existing, throw if not found, then call builder with\n * decompressed existing resource string; builder returns \\{ resource, lastUpdated \\}; then patch.\n * Use from update operations with the appropriate entity and resource type.\n /\nexport async function updateDataEntityById<T>(\n entity: EntityWithPatch,\n tenantId: string,\n workspaceId: string,\n id: string,\n resourceLabel: string,\n context: OpenHiContext,\n buildPatched: (existingResourceStr: string) => {\n resource: unknown;\n lastUpdated: string;\n },\n): Promise<SingleResourceResult<T>> {\n const existing = await entity\n .get({\n tenantId,\n workspaceId,\n id,\n sk: DATA_ENTITY_SK,\n })\n .go();\n\n if (!existing.data) {\n throw new NotFoundError(`${resourceLabel} ${id} not found`, {\n details: { id },\n });\n }\n\n const existingStr = decompressResource(existing.data.resource);\n const { resource, lastUpdated } = buildPatched(existingStr);\n\n const resourceLike = resource as FhirResourceLike;\n const summary = JSON.stringify(extractSummary(resourceLike));\n const gsi1sk = extractSortKey(resourceLike);\n\n await entity\n .patch({\n tenantId,\n workspaceId,\n id,\n sk: DATA_ENTITY_SK,\n })\n .set({\n resource: compressResource(JSON.stringify(resource)),\n summary,\n lastUpdated,\n gsi1sk,\n })\n .go();\n\n return {\n id,\n resource: resource as T,\n };\n}\n","import { gzipSync, gunzipSync } from \"node:zlib\";\n\n/\n @see sites/www-docs/content/packages/@openhi/constructs/lib/compression.md\n /\n\n/* Envelope format version. See ADR 2026-02-15-02 (data layer compression). /\nconst ENVELOPE_VERSION = 1;\n\n/\n Compression algorithm identifiers supported by the envelope (string values).\n * Only algos that Node.js supports out of the box (zlib): gzip, brotli, deflate.\n * \"none\" = uncompressed payload. zstd was considered in the ADR but requires native addon/WASM.\n /\nexport const COMPRESSION_ALGOS = {\n NONE: \"none\",\n GZIP: \"gzip\",\n BROTLI: \"brotli\",\n DEFLATE: \"deflate\",\n} as const;\n\n/* Algorithm value for envelope `algo`; only gzip and none are implemented today. /\nexport type CompressionAlgo =\n (typeof COMPRESSION_ALGOS)[keyof typeof COMPRESSION_ALGOS];\n\n/* Stored value is a JSON string of this envelope. /\ninterface CompressionEnvelope {\n v: number;\n algo: string;\n payload: string;\n}\n\nfunction isEnvelope(obj: unknown): obj is CompressionEnvelope {\n return (\n typeof obj === \"object\" &&\n obj !== null &&\n \"v\" in obj &&\n \"algo\" in obj &&\n \"payload\" in obj &&\n typeof (obj as CompressionEnvelope).payload === \"string\"\n );\n}\n\n/\n Compresses a JSON string (e.g. serialized FHIR resource) for storage in DynamoDB.\n * Uses a versioned envelope: \\{ v, algo, payload \\} with gzip+base64 in payload.\n * Used by the data layer on write; see REST API docs (compression in data layer).\n * Optional compression: pass `{ algo: COMPRESSION_ALGOS.NONE }` to store in envelope without compressing.\n /\nexport function compressResource(\n jsonString: string,\n options?: { algo?: CompressionAlgo },\n): string {\n const algo = options?.algo ?? COMPRESSION_ALGOS.GZIP;\n if (algo === COMPRESSION_ALGOS.NONE) {\n const envelope: CompressionEnvelope = {\n v: ENVELOPE_VERSION,\n algo: COMPRESSION_ALGOS.NONE,\n payload: jsonString,\n };\n return JSON.stringify(envelope);\n }\n const buf = Buffer.from(jsonString, \"utf-8\");\n const payload = gzipSync(buf).toString(\"base64\");\n const envelope: CompressionEnvelope = {\n v: ENVELOPE_VERSION,\n algo: COMPRESSION_ALGOS.GZIP,\n payload,\n };\n return JSON.stringify(envelope);\n}\n\n/\n Decompresses a stored value: versioned envelope (v, algo, payload) or legacy gzip+base64 / raw.\n * If the value is not valid envelope JSON, falls back to legacy: try gzip magic on base64, else return as-is.\n /\nexport function decompressResource(compressedOrRaw: string): string {\n try {\n const parsed = JSON.parse(compressedOrRaw) as unknown;\n if (isEnvelope(parsed)) {\n if (parsed.algo === COMPRESSION_ALGOS.GZIP) {\n const buf = Buffer.from(parsed.payload, \"base64\");\n return gunzipSync(buf).toString(\"utf-8\");\n }\n if (parsed.algo === COMPRESSION_ALGOS.NONE) {\n return parsed.payload;\n }\n // Unknown algo: return payload as-is (safe fallback per ADR)\n return parsed.payload;\n }\n } catch {\n // Not valid envelope JSON — legacy path\n }\n\n // Legacy: pre-envelope gzip+base64 or raw\n try {\n const buf = Buffer.from(compressedOrRaw, \"base64\");\n if (buf.length >= 2 && buf[0] === 0x1f && buf[1] === 0x8b) {\n return gunzipSync(buf).toString(\"utf-8\");\n }\n } catch {\n // not base64 or gunzip failed\n }\n return compressedOrRaw;\n}\n","import { getDynamoControlService } from \"../../../dynamo/dynamo-control-service\";\nimport { SHARD_COUNT } from \"../../../dynamo/shard\";\nimport { OpenHiContext } from \"../../../openhi-context\";\nimport {\n batchGetWithRetry,\n dispatchListMode,\n type ListOperationMode,\n} from \"../../data-operations-common\";\n\nconst SK = \"CURRENT\";\n\nexport interface MembershipListParams {\n context: OpenHiContext;\n tableName?: string;\n /* #853: defaults to `\"full\"`. `\"summary\"` skips BatchGet, `\"count\"` returns total only. /\n mode?: ListOperationMode;\n}\n\nexport interface MembershipListResult {\n entries: Array<{\n id: string;\n resource: { resourceType: string; id: string; [key: string]: unknown };\n }>;\n total: number;\n}\n\n/\n Lists Memberships for the context tenant via GSI1 (sharded). See `dispatchListMode` for\n * the mode contract (#853).\n /\nexport async function listMembershipsOperation(\n params: MembershipListParams,\n): Promise<MembershipListResult> {\n const { context, tableName, mode = \"full\" } = params;\n const tenantId = context.tenantId;\n const service = getDynamoControlService(tableName);\n\n const shardResults = await Promise.all(\n Array.from({ length: SHARD_COUNT }, (_, shard) =>\n service.entities.membership.query\n .gsi1({ tenantId, gsi1Shard: String(shard) })\n .go(),\n ),\n );\n\n return dispatchListMode<\n { id: string; resource: string },\n MembershipListResult[\"entries\"][number]\n >(mode, shardResults, {\n hydrate: (orderedIds) =>\n batchGetWithRetry(\n service.entities.membership,\n orderedIds.map((id) => ({ tenantId, id, sk: SK })),\n ) as Promise<Array<{ id: string; resource: string }>>,\n getId: (item) => item.id,\n buildEntry: (id, item) => ({\n id,\n resource: {\n resourceType: \"Membership\",\n id,\n ...(JSON.parse(item.resource) as Record<string, unknown>),\n },\n }),\n buildSummaryEntry: (id, parsed) => ({\n id,\n resource: { resourceType: \"Membership\", id, ...parsed },\n }),\n });\n}\n","/\n Membership user-projection composer.\n \n Owns the SK grammar for ADR-018 patterns #3 and #4 and assembles the\n * projection-row payloads consumed by the membership create / update /\n * delete operations. The {@link MembershipUserProjectionEntity} stores\n * the SK verbatim — the grammar lives here so the operations layer is\n * the single source of truth for projection-row shape (per\n * `.claude/rules/data-layer-layout.md`).\n \n SK grammar:\n \n - Pattern #3 (tenant sub-lane, `workspaceId` absent):\n * `MEMBERSHIP#TENANT#<normalizedTenantName>#TID#<tenantId>#<membershipId>`\n * - Pattern #4 (workspace sub-lane, `workspaceId` set):\n * `MEMBERSHIP#WORKSPACE#TID#<tenantId>#<normalizedWorkspaceName>#WID#<workspaceId>#<membershipId>`\n \n Both patterns share the user partition `PK = USER#ID#<userId>` so\n * `Query(PK = USER#ID#<userId>, SK begins_with 'MEMBERSHIP#')` returns\n * both lanes interleaved.\n \n @see ADR-018 § Access Pattern Coverage (patterns #3 and #4)\n * @see .state/adr-018-implementation-guide.md § 1 (SK grammar) and § 2 (attribute set)\n /\n\nimport { normalizeLabel } from \"@openhi/types\";\n\n/\n Sentinel rendered into the SK when the source display name is missing\n * or empty. Keeps the SK shape stable so a `begins_with` prefix query\n * still matches the row; the rename-cascade pipeline (TR-023) will\n * rewrite the SK once the carrier display name lands. Matches the\n * `gsi1skAttribute` defensive posture — a missing source field never\n * produces a malformed key.\n /\nconst MISSING_NAME_SENTINEL = \"-\";\n\n/* Inputs to compose a Membership user-projection row. /\nexport interface MembershipUserProjectionInput {\n readonly tenantId: string;\n readonly userId: string;\n readonly workspaceId?: string;\n readonly membershipId: string;\n readonly summary: string;\n readonly vid: string;\n readonly lastUpdated: string;\n readonly denormalizedTenantName?: string;\n readonly denormalizedUserName?: string;\n readonly denormalizedWorkspaceName?: string;\n}\n\n/* A projection-row payload ready for `multi-write` consumption. /\nexport interface MembershipUserProjectionItem {\n readonly userId: string;\n readonly sk: string;\n readonly tenantId: string;\n readonly workspaceId?: string;\n readonly membershipId: string;\n readonly summary: string;\n readonly vid: string;\n readonly lastUpdated: string;\n readonly denormalizedTenantName?: string;\n readonly denormalizedUserName?: string;\n readonly denormalizedWorkspaceName?: string;\n}\n\n/\n Compose the SK for ADR-018 pattern #3 (tenant sub-lane). The\n * `<normalizedTenantName>` segment sorts memberships alphabetically by\n * tenant name within the user's partition. Missing `denormalizedTenantName`\n * falls back to {@link MISSING_NAME_SENTINEL} so the SK shape stays valid\n * pre-rename-cascade.\n /\nexport function buildMembershipUserProjectionSkTenantLane(params: {\n readonly tenantId: string;\n readonly membershipId: string;\n readonly denormalizedTenantName?: string;\n}): string {\n const normalizedTenantName =\n typeof params.denormalizedTenantName === \"string\" &&\n params.denormalizedTenantName.length > 0\n ? normalizeLabel(params.denormalizedTenantName)\n : MISSING_NAME_SENTINEL;\n return `MEMBERSHIP#TENANT#${normalizedTenantName}#TID#${params.tenantId}#${params.membershipId}`;\n}\n\n/\n Compose the SK for ADR-018 pattern #4 (workspace sub-lane). `tenantId`\n * appears before `<normalizedWorkspaceName>` so a\n * `begins_with('MEMBERSHIP#WORKSPACE#TID#<tenantId>#')` query filters\n * by one tenant. Missing `denormalizedWorkspaceName` falls back to\n * {@link MISSING_NAME_SENTINEL}.\n /\nexport function buildMembershipUserProjectionSkWorkspaceLane(params: {\n readonly tenantId: string;\n readonly workspaceId: string;\n readonly membershipId: string;\n readonly denormalizedWorkspaceName?: string;\n}): string {\n const normalizedWorkspaceName =\n typeof params.denormalizedWorkspaceName === \"string\" &&\n params.denormalizedWorkspaceName.length > 0\n ? normalizeLabel(params.denormalizedWorkspaceName)\n : MISSING_NAME_SENTINEL;\n return `MEMBERSHIP#WORKSPACE#TID#${params.tenantId}#${normalizedWorkspaceName}#WID#${params.workspaceId}#${params.membershipId}`;\n}\n\n/\n Builds the projection item for the access lane implied by the input.\n * Pattern #3 when `workspaceId` is absent or empty; pattern #4 otherwise.\n * Returns `undefined` when `userId` is missing — a Membership without a\n * linked user cannot project onto the user partition.\n /\nexport function buildMembershipUserProjectionItem(\n input: MembershipUserProjectionInput,\n): MembershipUserProjectionItem \| undefined {\n if (!input.userId \|\| input.userId.length === 0) {\n return undefined;\n }\n const hasWorkspace =\n typeof input.workspaceId === \"string\" && input.workspaceId.length > 0;\n const sk = hasWorkspace\n ? buildMembershipUserProjectionSkWorkspaceLane({\n tenantId: input.tenantId,\n workspaceId: input.workspaceId as string,\n membershipId: input.membershipId,\n denormalizedWorkspaceName: input.denormalizedWorkspaceName,\n })\n : buildMembershipUserProjectionSkTenantLane({\n tenantId: input.tenantId,\n membershipId: input.membershipId,\n denormalizedTenantName: input.denormalizedTenantName,\n });\n return {\n userId: input.userId,\n sk,\n tenantId: input.tenantId,\n workspaceId: hasWorkspace ? input.workspaceId : undefined,\n membershipId: input.membershipId,\n summary: input.summary,\n vid: input.vid,\n lastUpdated: input.lastUpdated,\n denormalizedTenantName: input.denormalizedTenantName,\n denormalizedUserName: input.denormalizedUserName,\n denormalizedWorkspaceName: hasWorkspace\n ? input.denormalizedWorkspaceName\n : undefined,\n };\n}\n\n/\n Extracts a FHIR `Reference` slug — the segment after the final `/`.\n * Returns `undefined` when the reference is missing or malformed so\n * callers fall back gracefully (matches the defensive posture in\n * `extractRoleId` / `extractDenormalizedReferenceDisplay`).\n /\nexport function extractReferenceSlug(\n resource: Record<string, unknown>,\n fieldName: string,\n): string \| undefined {\n const field = resource[fieldName];\n if (!field \|\| typeof field !== \"object\") {\n return undefined;\n }\n const reference = (field as { reference?: unknown }).reference;\n if (typeof reference !== \"string\" \|\| reference.length === 0) {\n return undefined;\n }\n const slash = reference.lastIndexOf(\"/\");\n const tail = slash >= 0 ? reference.slice(slash + 1) : reference;\n return tail.length > 0 ? tail : undefined;\n}\n","import { getDynamoControlService } from \"../../../dynamo/dynamo-control-service\";\n\n/* Inputs accepted by {@link roleAssignmentListByWorkspaceOperation}. /\nexport interface RoleAssignmentListByWorkspaceParams {\n readonly tenantId: string;\n readonly workspaceId: string;\n /\n Optional role discriminator. When supplied, narrows the listing to\n * users assigned to a single role via the discriminator-first\n * `begins_with('ROLEASSIGNMENT#<roleId>#')` prefix — the central read\n * pattern (#9 is \"users with role X in workspace Y\"). Omit to return\n * every role assignment in the workspace interleaved by `<roleId>`.\n /\n readonly roleId?: string;\n /* ElectroDB cursor from a prior page. Forwarded to `.go({ cursor })`. /\n readonly cursor?: string \| null;\n /* Per-page item limit forwarded to `.go({ limit })`. /\n readonly limit?: number;\n /* Sort order forwarded to `.go({ order })`. Defaults to ElectroDB's `\"asc\"`. /\n readonly order?: \"asc\" \| \"desc\";\n /* Optional table-name override; resolved via env when omitted. /\n readonly tableName?: string;\n}\n\n/* One projection-row payload as returned to a consumer. /\nexport interface RoleAssignmentWorkspaceProjectionEntry {\n readonly tenantId: string;\n readonly workspaceId: string;\n readonly sk: string;\n readonly userId: string;\n readonly roleId: string;\n readonly roleAssignmentId: string;\n readonly summary: string;\n readonly vid: string;\n readonly lastUpdated: string;\n readonly denormalizedUserName?: string;\n readonly denormalizedRoleName?: string;\n}\n\n/* Page returned by {@link roleAssignmentListByWorkspaceOperation}. /\nexport interface RoleAssignmentListByWorkspaceResult {\n readonly items: Array<RoleAssignmentWorkspaceProjectionEntry>;\n /* ElectroDB cursor for the next page, or `null` when exhausted. /\n readonly cursor: string \| null;\n}\n\n/\n Compose the SK prefix for the workspace-projection list. The\n * pattern-#9 SK is discriminator-first on the raw `<roleId>`\n * (`ROLEASSIGNMENT#<roleId>#<normalizedUserName>#USER#<userId>#<id>`)\n * so a `begins_with('ROLEASSIGNMENT#<roleId>#')` filter returns every\n * user assigned to that role in the workspace. The trailing `#` after\n * the role id is critical — without it `ROLEASSIGNMENT#role-1` would\n * also match `ROLEASSIGNMENT#role-10`, `role-100`, etc. Omitting the\n * `roleId` arg falls back to the wider `ROLEASSIGNMENT#` prefix.\n /\nfunction buildSkPrefix(roleId: string \| undefined): string {\n if (roleId === undefined \|\| roleId.length === 0) {\n return \"ROLEASSIGNMENT#\";\n }\n return `ROLEASSIGNMENT#${roleId}#`;\n}\n\n/\n List RoleAssignments for a workspace via the ADR-018 workspace-\n * partition projection (no GSI hop).\n \n Reads `RoleAssignmentWorkspaceProjectionEntity` rows under\n * `PK = TID#<tenantId>#WORKSPACE#ID#<workspaceId>` with an\n * `SK begins_with` filter:\n \n \| `roleId` arg \| SK begins_with \| Covers \|\n * \|---\|---\|---\|\n * \| omitted \| `ROLEASSIGNMENT#` \| Every role assignment in the workspace, interleaved by `<roleId>` \|\n * \| supplied \| `ROLEASSIGNMENT#<roleId>#` \| Pattern #9 — every user assigned to that role, sorted alphabetically by `<normalizedUserName>` \|\n \n The projection's SK shape\n * (`ROLEASSIGNMENT#<roleId>#<normalizedUserName>#USER#<userId>#<id>`)\n * is discriminator-first on the raw `<roleId>` (mirroring the canonical\n * GSI1SK from pattern #8) so the natural Query order is exactly what\n * the access pattern expects — no client-side sort. Tenant-scoped\n * RoleAssignments (no `workspaceId`) skip this projection entirely;\n * they live only in the user-projection's tenant sub-lane.\n \n Returns the projection rows verbatim (`summary`, `vid`, `lastUpdated`\n * plus the projection-discriminating fields) — full canonical-resource\n * hydration is opt-in for callers via\n * `RoleAssignmentEntity.get({ tenantId, id: roleAssignmentId })`.\n * Pagination mirrors ElectroDB's native `.go({ cursor })` shape; the\n * returned `cursor` is opaque to callers.\n \n @see ADR-018 § Access Pattern Coverage (pattern #9)\n * @see .state/adr-018-implementation-guide.md § 1 (SK grammar) and § 2 (attribute set)\n /\nexport async function roleAssignmentListByWorkspaceOperation(\n params: RoleAssignmentListByWorkspaceParams,\n): Promise<RoleAssignmentListByWorkspaceResult> {\n const {\n tenantId,\n workspaceId,\n roleId,\n cursor = null,\n limit,\n order,\n tableName,\n } = params;\n\n const service = getDynamoControlService(tableName);\n const skPrefix = buildSkPrefix(roleId);\n\n const goOptions: {\n cursor?: string \| null;\n limit?: number;\n order?: \"asc\" \| \"desc\";\n } = {\n cursor,\n };\n if (limit !== undefined) {\n goOptions.limit = limit;\n }\n if (order !== undefined) {\n goOptions.order = order;\n }\n\n const result = await service.entities.roleAssignmentWorkspaceProjection.query\n .record({ tenantId, workspaceId })\n .begins({ sk: skPrefix })\n .go(goOptions);\n\n const items: Array<RoleAssignmentWorkspaceProjectionEntry> = (\n result.data ?? []\n ).map((row) => ({\n tenantId: row.tenantId,\n workspaceId: row.workspaceId,\n sk: row.sk,\n userId: row.userId,\n roleId: row.roleId,\n roleAssignmentId: row.roleAssignmentId,\n summary: row.summary,\n vid: row.vid,\n lastUpdated: row.lastUpdated,\n denormalizedUserName: row.denormalizedUserName,\n denormalizedRoleName: row.denormalizedRoleName,\n }));\n\n return { items, cursor: result.cursor ?? null };\n}\n","import { getDynamoControlService } from \"../../../dynamo/dynamo-control-service\";\nimport { SHARD_COUNT } from \"../../../dynamo/shard\";\nimport type { OpenHiContext } from \"../../../openhi-context\";\nimport {\n batchGetWithRetry,\n dispatchListMode,\n type ListOperationMode,\n} from \"../../data-operations-common\";\n\nconst SK = \"CURRENT\";\n\nexport interface ListWorkspacesParams {\n context: OpenHiContext;\n tableName?: string;\n /* #853: defaults to `\"full\"`. `\"summary\"` skips BatchGet, `\"count\"` returns total only. /\n mode?: ListOperationMode;\n}\n\n/\n ADR-028 denormalized counter shape surfaced on a Workspace list\n * entry's `resource.counts`. Missing counters render as `0`.\n /\nexport interface WorkspaceCounts {\n usersInWorkspace: number;\n adminUsersInWorkspace: number;\n normalUsersInWorkspace: number;\n}\n\nexport interface WorkspaceListEntry {\n id: string;\n resource: Record<string, unknown> & { counts: WorkspaceCounts };\n}\n\nexport interface ListWorkspacesResult {\n entries: WorkspaceListEntry[];\n total: number;\n}\n\n/* Coerce a possibly-absent counter attribute to a non-negative number (default 0). /\nfunction counterValue(value: unknown): number {\n return typeof value === \"number\" && Number.isFinite(value) ? value : 0;\n}\n\n/\n Lists all Workspaces for the context tenant via GSI1 (sharded). See `dispatchListMode` for\n * the mode contract (#853).\n /\nexport async function listWorkspacesOperation(\n params: ListWorkspacesParams,\n): Promise<ListWorkspacesResult> {\n const { context, tableName, mode = \"full\" } = params;\n const { tenantId } = context;\n const service = getDynamoControlService(tableName);\n\n const shardResults = await Promise.all(\n Array.from({ length: SHARD_COUNT }, (_, shard) =>\n service.entities.workspace.query\n .gsi1({ tenantId, gsi1Shard: String(shard) })\n .go(),\n ),\n );\n\n return dispatchListMode<\n {\n id: string;\n resource: string;\n usersInWorkspace?: number;\n adminUsersInWorkspace?: number;\n normalUsersInWorkspace?: number;\n },\n WorkspaceListEntry\n >(mode, shardResults, {\n hydrate: (orderedIds) =>\n batchGetWithRetry(\n service.entities.workspace,\n orderedIds.map((id) => ({ tenantId, id, sk: SK })),\n ) as Promise<\n Array<{\n id: string;\n resource: string;\n usersInWorkspace?: number;\n adminUsersInWorkspace?: number;\n normalUsersInWorkspace?: number;\n }>\n >,\n getId: (item) => item.id,\n // FULL mode (admin list default): read the ADR-028 counters off the\n // canonical record hydrated by BatchGet and expose them as\n // `resource.counts`. Missing counters render as 0.\n buildEntry: (id, item) => ({\n id,\n resource: {\n resourceType: \"Workspace\",\n id,\n ...(JSON.parse(item.resource) as Record<string, unknown>),\n counts: {\n usersInWorkspace: counterValue(item.usersInWorkspace),\n adminUsersInWorkspace: counterValue(item.adminUsersInWorkspace),\n normalUsersInWorkspace: counterValue(item.normalUsersInWorkspace),\n },\n },\n }),\n // SUMMARY mode reads only the GSI1 `summary` projection (no\n // counters); surface zeros so the shape stays uniform.\n buildSummaryEntry: (id, parsed) => ({\n id,\n resource: {\n resourceType: \"Workspace\",\n id,\n ...parsed,\n counts: {\n usersInWorkspace: 0,\n adminUsersInWorkspace: 0,\n normalUsersInWorkspace: 0,\n },\n },\n }),\n });\n}\n","import {\n COUNTER_TARGET,\n type CounterTarget,\n type TenantCounter,\n type UserCounter,\n type WorkspaceCounter,\n} from \"./counter-apply-operation\";\nimport { isAdminRoleAssignment } from \"./role-admin-classification\";\nimport { getDynamoControlService } from \"../../../dynamo/dynamo-control-service\";\nimport type { OpenHiContext } from \"../../../openhi-context\";\nimport { extractRoleLevel } from \"../control-event-publisher\";\nimport { countMembershipsByUserOperation } from \"../membership/membership-count-by-user-operation\";\nimport { membershipListByWorkspaceOperation } from \"../membership/membership-list-by-workspace-operation\";\nimport { listMembershipsOperation } from \"../membership/membership-list-operation\";\nimport { extractReferenceSlug } from \"../membership/membership-user-projection\";\nimport { roleAssignmentListByWorkspaceOperation } from \"../roleassignment/roleassignment-list-by-workspace-operation\";\nimport { listWorkspacesOperation } from \"../workspace/workspace-list-operation\";\n\n/\n ADR-028 counter reconciliation — recompute the denormalized\n * control-plane counters from canonical data and repair drift.\n \n The atomic-ADD path ({@link applyCounterDeltaOperation}) maintains the\n * counters incrementally off domain events, but events can be missed,\n * replayed, or arrive after a record was created without one (rows that\n * predate the counter work). This operation is the correctness backstop\n * ADR-028 names: it ignores the current counter value, recomputes the\n * true value from canonical records, and writes the absolute recomputed\n * value back with a DynamoDB `SET` (not `ADD`). A `SET` repairs both\n * directions of drift and backfills an absent / `0` attribute to its\n * correct value in one write.\n \n Counter semantics recomputed here MUST match {@link counterEventRouter}:\n \n - `Tenant.usersInTenant` = # tenant-scoped Memberships in the tenant\n * (membership with NO workspace reference).\n * - `Tenant.workspacesInTenant` = # Workspaces in the tenant.\n * - `Workspace.usersInWorkspace` = # workspace-scoped Memberships for the workspace.\n * - `Workspace.adminUsersInWorkspace` / `normalUsersInWorkspace` =\n * # workspace-scoped RoleAssignments for the workspace, bucketed by\n * {@link isAdminRoleAssignment} on the assignment's role level / role id.\n * - `User.tenantsForUser` = # tenant-scoped Memberships for the user.\n * - `User.workspacesForUser` = # workspace-scoped Memberships for the user.\n \n @see counter-apply-operation.ts — the incremental ADD path this reconciles against.\n * @see counter-event-router.ts — the event → counter semantics this mirrors.\n /\n\n/* One counter's old → new transition, recorded only when `old !== new`. /\nexport interface CounterDriftEntry {\n /* Which canonical entity the counter lives on. /\n readonly target: CounterTarget;\n /* Identity of the canonical record (tenantId for Tenant, workspaceId for Workspace, userId for User). /\n readonly id: string;\n /* Tenant the record belongs to (Workspace only; omitted for Tenant / User). /\n readonly tenantId?: string;\n /* The counter attribute name. /\n readonly counter: string;\n /* The value found on the record before reconciliation (0 when the attribute was absent). /\n readonly old: number;\n /* The recomputed-from-canonical value written back. /\n readonly new: number;\n}\n\n/* Result of reconciling one target record. /\nexport interface CounterReconcileResult {\n /* Every counter whose value changed (empty when the record was already correct). /\n readonly drift: Array<CounterDriftEntry>;\n}\n\n/* Coerce a possibly-absent counter attribute to a non-negative number (default 0). /\nfunction counterValue(value: unknown): number {\n return typeof value === \"number\" && Number.isFinite(value) ? value : 0;\n}\n\n/* Minimal actor context the underlying list operations need (they read only `tenantId`). /\nfunction reconcileContext(tenantId: string): OpenHiContext {\n return {\n tenantId,\n workspaceId: \"\",\n date: new Date().toISOString(),\n actorId: \"counter-reconciliation\",\n actorName: \"Counter Reconciliation Job\",\n actorType: \"internal-system\",\n source: \"step-function\",\n };\n}\n\n/\n Recompute and repair the two counters on one Tenant record.\n \n - `workspacesInTenant` is the workspace count from\n * {@link listWorkspacesOperation} (`mode: \"count\"`, GSI1 fan-out).\n * - `usersInTenant` is the number of tenant-scoped Memberships in the\n * tenant. Memberships have no tenant-partition projection, so this\n * enumerates the tenant's canonical Memberships via\n * {@link listMembershipsOperation} (`mode: \"full\"`) and counts the rows\n * whose `resource` carries no `workspace` reference — the same\n * tenant-vs-workspace discriminator the create path uses\n * ({@link extractReferenceSlug} on the `workspace` field).\n /\nexport async function reconcileTenantCountersOperation(params: {\n readonly tenantId: string;\n readonly tableName?: string;\n}): Promise<CounterReconcileResult> {\n const { tenantId, tableName } = params;\n const service = getDynamoControlService(tableName);\n const context = reconcileContext(tenantId);\n\n const workspacesResult = await listWorkspacesOperation({\n context,\n tableName,\n mode: \"count\",\n });\n const workspacesInTenant = workspacesResult.total;\n\n // Full enumeration of the tenant's canonical Memberships; discriminate\n // tenant-scoped (no workspace reference) from workspace-scoped by the\n // resource's `workspace` reference, mirroring the create path.\n const memberships = await listMembershipsOperation({\n context,\n tableName,\n mode: \"full\",\n });\n let usersInTenant = 0;\n for (const entry of memberships.entries) {\n const workspaceSlug = extractReferenceSlug(entry.resource, \"workspace\");\n if (workspaceSlug === undefined) {\n usersInTenant += 1;\n }\n }\n\n const current = await service.entities.tenant\n .get({ tenantId, sk: \"CURRENT\" })\n .go();\n\n const drift: Array<CounterDriftEntry> = [];\n const recomputed: Record<TenantCounter, number> = {\n usersInTenant,\n workspacesInTenant,\n };\n\n for (const counter of Object.keys(recomputed) as Array<TenantCounter>) {\n const oldValue = counterValue(current.data?.[counter]);\n const newValue = recomputed[counter];\n if (oldValue !== newValue) {\n drift.push({\n target: COUNTER_TARGET.Tenant,\n id: tenantId,\n counter,\n old: oldValue,\n new: newValue,\n });\n }\n }\n\n if (drift.length > 0) {\n await service.entities.tenant\n .patch({ tenantId, sk: \"CURRENT\" })\n .set(recomputed)\n .go();\n }\n\n return { drift };\n}\n\n/\n Recompute and repair the three counters on one Workspace record.\n \n - `usersInWorkspace` pages every workspace-scoped Membership via\n * {@link membershipListByWorkspaceOperation} (ADR-018 pattern #2).\n * - `adminUsersInWorkspace` / `normalUsersInWorkspace` page every\n * workspace-scoped RoleAssignment via\n * {@link roleAssignmentListByWorkspaceOperation} (pattern #9), then\n * classify each with {@link isAdminRoleAssignment}. The projection row\n * does not carry the ADR-019 role level (its `summary` is the\n * id/displayName/status projection), so each assignment's canonical\n * RoleAssignment resource is read to extract the role level via\n * {@link extractRoleLevel} — the same signal the create path publishes.\n * The projection's `roleId` is passed alongside as the fallback signal.\n /\nexport async function reconcileWorkspaceCountersOperation(params: {\n readonly tenantId: string;\n readonly workspaceId: string;\n readonly tableName?: string;\n}): Promise<CounterReconcileResult> {\n const { tenantId, workspaceId, tableName } = params;\n const service = getDynamoControlService(tableName);\n\n // usersInWorkspace — page every workspace-scoped membership.\n let usersInWorkspace = 0;\n let membershipCursor: string \| null = null;\n do {\n const page = await membershipListByWorkspaceOperation({\n tenantId,\n workspaceId,\n cursor: membershipCursor,\n tableName,\n });\n usersInWorkspace += page.items.length;\n membershipCursor = page.cursor;\n } while (membershipCursor !== null);\n\n // admin/normal — page every workspace-scoped role assignment, then read\n // each canonical RoleAssignment to recover the role level for the\n // admin/normal split (the projection summary does not carry it).\n let adminUsersInWorkspace = 0;\n let normalUsersInWorkspace = 0;\n let roleAssignmentCursor: string \| null = null;\n do {\n const page = await roleAssignmentListByWorkspaceOperation({\n tenantId,\n workspaceId,\n cursor: roleAssignmentCursor,\n tableName,\n });\n for (const item of page.items) {\n const roleLevel = await readRoleLevel(\n service,\n tenantId,\n item.roleAssignmentId,\n );\n if (isAdminRoleAssignment({ roleLevel, roleId: item.roleId })) {\n adminUsersInWorkspace += 1;\n } else {\n normalUsersInWorkspace += 1;\n }\n }\n roleAssignmentCursor = page.cursor;\n } while (roleAssignmentCursor !== null);\n\n const current = await service.entities.workspace\n .get({ tenantId, id: workspaceId, sk: \"CURRENT\" })\n .go();\n\n const drift: Array<CounterDriftEntry> = [];\n const recomputed: Record<WorkspaceCounter, number> = {\n usersInWorkspace,\n adminUsersInWorkspace,\n normalUsersInWorkspace,\n };\n\n for (const counter of Object.keys(recomputed) as Array<WorkspaceCounter>) {\n const oldValue = counterValue(current.data?.[counter]);\n const newValue = recomputed[counter];\n if (oldValue !== newValue) {\n drift.push({\n target: COUNTER_TARGET.Workspace,\n id: workspaceId,\n tenantId,\n counter,\n old: oldValue,\n new: newValue,\n });\n }\n }\n\n if (drift.length > 0) {\n await service.entities.workspace\n .patch({ tenantId, id: workspaceId, sk: \"CURRENT\" })\n .set(recomputed)\n .go();\n }\n\n return { drift };\n}\n\n/\n Recompute and repair the two counters on one User record.\n \n Both derive from {@link countMembershipsByUserOperation} over the\n * ADR-018 user-partition projection lanes: `tenantsForUser` from the\n * `tenant` lane (pattern #3), `workspacesForUser` from the `workspace`\n * lane (pattern #4).\n /\nexport async function reconcileUserCountersOperation(params: {\n readonly userId: string;\n readonly tableName?: string;\n}): Promise<CounterReconcileResult> {\n const { userId, tableName } = params;\n const service = getDynamoControlService(tableName);\n\n const tenantsForUser = await countMembershipsByUserOperation({\n userId,\n mode: \"tenant\",\n tableName,\n });\n const workspacesForUser = await countMembershipsByUserOperation({\n userId,\n mode: \"workspace\",\n tableName,\n });\n\n const current = await service.entities.user\n .get({ id: userId, sk: \"CURRENT\" })\n .go();\n\n const drift: Array<CounterDriftEntry> = [];\n const recomputed: Record<UserCounter, number> = {\n tenantsForUser,\n workspacesForUser,\n };\n\n for (const counter of Object.keys(recomputed) as Array<UserCounter>) {\n const oldValue = counterValue(current.data?.[counter]);\n const newValue = recomputed[counter];\n if (oldValue !== newValue) {\n drift.push({\n target: COUNTER_TARGET.User,\n id: userId,\n counter,\n old: oldValue,\n new: newValue,\n });\n }\n }\n\n if (drift.length > 0) {\n await service.entities.user\n .patch({ id: userId, sk: \"CURRENT\" })\n .set(recomputed)\n .go();\n }\n\n return { drift };\n}\n\n/\n Read the ADR-019 role level off a canonical RoleAssignment so the\n * admin/normal split classifies the same way the create path published\n * it. Returns `undefined` when the record or its code is missing — the\n * classifier then falls back to the `roleId` signal.\n /\nasync function readRoleLevel(\n service: ReturnType<typeof getDynamoControlService>,\n tenantId: string,\n roleAssignmentId: string,\n): Promise<string \| undefined> {\n const response = await service.entities.roleAssignment\n .get({ tenantId, id: roleAssignmentId, sk: \"CURRENT\" })\n .go();\n if (!response.data) {\n return undefined;\n }\n const resource = JSON.parse(response.data.resource) as Record<\n string,\n unknown\n >;\n return extractRoleLevel(resource);\n}\n","import { getDynamoControlService } from \"../../../dynamo/dynamo-control-service\";\nimport { SHARD_COUNT } from \"../../../dynamo/shard\";\nimport type { OpenHiContext } from \"../../../openhi-context\";\nimport {\n batchGetWithRetry,\n dispatchListMode,\n type ListOperationMode,\n} from \"../../data-operations-common\";\n\nconst SK = \"CURRENT\";\n\nexport interface ListTenantsParams {\n context: OpenHiContext;\n tableName?: string;\n /* #853: defaults to `\"full\"`. `\"summary\"` skips BatchGet, `\"count\"` returns total only. /\n mode?: ListOperationMode;\n}\n\n/\n ADR-028 denormalized counter shape surfaced on a Tenant list entry's\n * `resource.counts`. Missing counters render as `0` so the admin console\n * never sees `undefined`.\n /\nexport interface TenantCounts {\n usersInTenant: number;\n workspacesInTenant: number;\n}\n\nexport interface TenantListEntry {\n id: string;\n resource: Record<string, unknown> & { counts: TenantCounts };\n}\n\nexport interface ListTenantsResult {\n entries: TenantListEntry[];\n total: number;\n}\n\n/* Coerce a possibly-absent counter attribute to a non-negative number (default 0). /\nfunction counterValue(value: unknown): number {\n return typeof value === \"number\" && Number.isFinite(value) ? value : 0;\n}\n\n/\n Lists all Tenants (platform-wide, no scope filter) via GSI1 (sharded). Tenant uses tenantId\n * as its identity (tenantId === id), so BatchGet keys reuse `id` as `tenantId`. See\n * `dispatchListMode` for the mode contract (#853).\n /\nexport async function listTenantsOperation(\n params: ListTenantsParams,\n): Promise<ListTenantsResult> {\n const { tableName, mode = \"full\" } = params;\n const service = getDynamoControlService(tableName);\n\n const shardResults = await Promise.all(\n Array.from({ length: SHARD_COUNT }, (_, shard) =>\n service.entities.tenant.query.gsi1({ gsi1Shard: String(shard) }).go(),\n ),\n );\n\n return dispatchListMode<\n {\n id: string;\n resource: string;\n usersInTenant?: number;\n workspacesInTenant?: number;\n },\n TenantListEntry\n >(mode, shardResults, {\n hydrate: (orderedIds) =>\n batchGetWithRetry(\n service.entities.tenant,\n orderedIds.map((id) => ({ tenantId: id, sk: SK })),\n ) as Promise<\n Array<{\n id: string;\n resource: string;\n usersInTenant?: number;\n workspacesInTenant?: number;\n }>\n >,\n getId: (item) => item.id,\n // FULL mode (admin list default): read the ADR-028 counters off the\n // canonical record hydrated by BatchGet and expose them as\n // `resource.counts`. Missing counters render as 0.\n buildEntry: (id, item) => ({\n id,\n resource: {\n resourceType: \"Tenant\",\n id,\n ...(JSON.parse(item.resource) as Record<string, unknown>),\n counts: {\n usersInTenant: counterValue(item.usersInTenant),\n workspacesInTenant: counterValue(item.workspacesInTenant),\n },\n },\n }),\n // SUMMARY mode reads only the GSI1 `summary` projection, which does\n // not carry the counters; surface zeros so the shape stays uniform.\n buildSummaryEntry: (id, parsed) => ({\n id,\n resource: {\n resourceType: \"Tenant\",\n id,\n ...parsed,\n counts: { usersInTenant: 0, workspacesInTenant: 0 },\n },\n }),\n });\n}\n","import { getDynamoControlService } from \"../../../dynamo/dynamo-control-service\";\nimport { SHARD_COUNT } from \"../../../dynamo/shard\";\nimport { OpenHiContext } from \"../../../openhi-context\";\nimport {\n batchGetWithRetry,\n dispatchListMode,\n type ListOperationMode,\n} from \"../../data-operations-common\";\n\nconst SK = \"CURRENT\";\n\nexport interface UserListParams {\n context: OpenHiContext;\n tableName?: string;\n /* #853: defaults to `\"full\"`. `\"summary\"` skips BatchGet, `\"count\"` returns total only. /\n mode?: ListOperationMode;\n}\n\n/\n ADR-028 denormalized counter shape surfaced on a User list entry's\n * `resource.counts`. Missing counters render as `0`.\n /\nexport interface UserCounts {\n tenantsForUser: number;\n workspacesForUser: number;\n}\n\nexport interface UserListResult {\n entries: Array<{\n id: string;\n resource: {\n resourceType: string;\n id: string;\n counts: UserCounts;\n [key: string]: unknown;\n };\n }>;\n total: number;\n}\n\n/* Coerce a possibly-absent counter attribute to a non-negative number (default 0). /\nfunction counterValue(value: unknown): number {\n return typeof value === \"number\" && Number.isFinite(value) ? value : 0;\n}\n\n/\n Lists Users via GSI1 (sharded). `mode` (default `\"full\"`) selects between BatchGet hydration,\n * summary-only (parse `summary` JSON projected on GSI1), or count-only (skip both). See\n * `dispatchListMode` in data-operations-common for the canonical mode contract.\n /\nexport async function listUsersOperation(\n params: UserListParams,\n): Promise<UserListResult> {\n const { tableName, mode = \"full\" } = params;\n const service = getDynamoControlService(tableName);\n\n const shardResults = await Promise.all(\n Array.from({ length: SHARD_COUNT }, (_, shard) =>\n service.entities.user.query.gsi1({ gsi1Shard: String(shard) }).go(),\n ),\n );\n\n return dispatchListMode<\n {\n id: string;\n resource: string;\n tenantsForUser?: number;\n workspacesForUser?: number;\n },\n UserListResult[\"entries\"][number]\n >(mode, shardResults, {\n hydrate: (orderedIds) =>\n batchGetWithRetry(\n service.entities.user,\n orderedIds.map((id) => ({ id, sk: SK })),\n ) as Promise<\n Array<{\n id: string;\n resource: string;\n tenantsForUser?: number;\n workspacesForUser?: number;\n }>\n >,\n getId: (item) => item.id,\n // FULL mode (admin list default): read the ADR-028 counters off the\n // canonical record hydrated by BatchGet and expose them as\n // `resource.counts`. Missing counters render as 0.\n buildEntry: (id, item) => ({\n id,\n resource: {\n resourceType: \"User\",\n id,\n ...(JSON.parse(item.resource) as Record<string, unknown>),\n counts: {\n tenantsForUser: counterValue(item.tenantsForUser),\n workspacesForUser: counterValue(item.workspacesForUser),\n },\n },\n }),\n // SUMMARY mode reads only the GSI1 `summary` projection (no\n // counters); surface zeros so the shape stays uniform.\n buildSummaryEntry: (id, parsed) => ({\n id,\n resource: {\n resourceType: \"User\",\n id,\n ...parsed,\n counts: { tenantsForUser: 0, workspacesForUser: 0 },\n },\n }),\n });\n}\n","import {\n type CounterDriftEntry,\n reconcileTenantCountersOperation,\n reconcileUserCountersOperation,\n reconcileWorkspaceCountersOperation,\n} from \"./counter-reconcile-operation\";\nimport type { OpenHiContext } from \"../../../openhi-context\";\nimport { listTenantsOperation } from \"../tenant/tenant-list-operation\";\nimport { listUsersOperation } from \"../user/user-list-operation\";\nimport { listWorkspacesOperation } from \"../workspace/workspace-list-operation\";\n\n/\n ADR-028 counter-reconciliation driver — walks every canonical Tenant,\n * Workspace, and User, reconciles each record's denormalized counters\n * against canonical data, and accumulates a single drift report.\n \n Enumeration reuses the existing GSI1-sharded list operations\n * (`summary` mode — ids only, no per-record BatchGet hydration):\n \n - All Tenants via {@link listTenantsOperation}.\n * - Per tenant, all Workspaces in that tenant via\n * {@link listWorkspacesOperation} (the workspace GSI1 partition is\n * tenant-scoped).\n * - All Users via {@link listUsersOperation}.\n \n Each record is then handed to the matching per-target recompute\n * ({@link reconcileTenantCountersOperation},\n * {@link reconcileWorkspaceCountersOperation},\n * {@link reconcileUserCountersOperation}), which owns the SET-back repair\n * and returns the per-counter old → new drift it corrected.\n \n @see counter-reconcile-operation.ts — the per-target recompute + repair.\n /\n\n/* Totals summarizing one reconciliation run, alongside the per-counter drift list. /\nexport interface CounterReconcileReport {\n /* Every counter that changed across every record, in walk order. /\n readonly drift: Array<CounterDriftEntry>;\n /* How many canonical records of each kind were scanned. /\n readonly scanned: {\n readonly tenants: number;\n readonly workspaces: number;\n readonly users: number;\n };\n /* Total number of individual counters corrected (== `drift.length`). /\n readonly countersCorrected: number;\n}\n\n/* Minimal actor context the list operations need (they read only `tenantId`). /\nfunction driverContext(tenantId: string): OpenHiContext {\n return {\n tenantId,\n workspaceId: \"\",\n date: new Date().toISOString(),\n actorId: \"counter-reconciliation\",\n actorName: \"Counter Reconciliation Job\",\n actorType: \"internal-system\",\n source: \"step-function\",\n };\n}\n\n/\n Run a full reconciliation sweep across every Tenant, Workspace, and\n * User. Returns the accumulated drift report; the per-target operations\n * have already written the repairs by the time this resolves.\n */\nexport async function reconcileAllCountersOperation(\n params: {\n readonly tableName?: string;\n } = {},\n): Promise<CounterReconcileReport> {\n const { tableName } = params;\n const drift: Array<CounterDriftEntry> = [];\n let tenantsScanned = 0;\n let workspacesScanned = 0;\n let usersScanned = 0;\n\n // Tenants (and, per tenant, the tenant's workspaces).\n const tenants = await listTenantsOperation({\n context: driverContext(\"\"),\n tableName,\n mode: \"summary\",\n });\n for (const tenant of tenants.entries) {\n tenantsScanned += 1;\n const tenantResult = await reconcileTenantCountersOperation({\n tenantId: tenant.id,\n tableName,\n });\n drift.push(...tenantResult.drift);\n\n const workspaces = await listWorkspacesOperation({\n context: driverContext(tenant.id),\n tableName,\n mode: \"summary\",\n });\n for (const workspace of workspaces.entries) {\n workspacesScanned += 1;\n const workspaceResult = await reconcileWorkspaceCountersOperation({\n tenantId: tenant.id,\n workspaceId: workspace.id,\n tableName,\n });\n drift.push(...workspaceResult.drift);\n }\n }\n\n // Users (platform-wide, no tenant scope).\n const users = await listUsersOperation({\n context: driverContext(\"\"),\n tableName,\n mode: \"summary\",\n });\n for (const user of users.entries) {\n usersScanned += 1;\n const userResult = await reconcileUserCountersOperation({\n userId: user.id,\n tableName,\n });\n drift.push(...userResult.drift);\n }\n\n return {\n drift,\n scanned: {\n tenants: tenantsScanned,\n workspaces: workspacesScanned,\n users: usersScanned,\n },\n countersCorrected: drift.length,\n };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA+BA,IAAAA,SAAA,6BAAA;AAxBa,IAAAA,SAAA,mBAAmB;AAEhC,QAAM,2BAA2B;AAQjC,QAAM,sBAAsB;AAQ5B,QAAM,sBAAsB;AAM5B,aAAgB,2BAA2B,SAAe;AACxD,UAAI,CAAC,yBAAyB,KAAK,OAAO,GAAG;AAC3C,eAAO;MACT;AACA,YAAM,QAAQ,OAAO,SAAS,QAAQ,MAAM,GAAG,EAAE,CAAC,GAAG,EAAE;AACvD,aAAO,SAAS,uBAAuB,SAAS;IAClD;;;;;;;;;;ACPA,IAAAC,SAAA,sBAAA;AASA,IAAAA,SAAA,wBAAA;AA6CA,IAAAA,SAAA,8BAAA;AAtDA,aAAgB,oBACd,OAAoB;AAEpB,aAAQ,MAA4B,YAAY;IAClD;AAKA,aAAgB,sBACd,OAAoB;AAEpB,aAAQ,MAA8B,WAAW;IACnD;AAyCA,aAAgB,4BACd,QAAoB;AAEpB,UAAI,OAAO,YAAY,UAAa,OAAO,YAAY,QAAW;AAChE,cAAM,IAAI,yBACR,iMAAiM;MAErM;AACA,aAAO;QACL,SAAS,OAAO;QAChB,SAAS,OAAO;QAChB,SAAS,OAAO;QAChB,WAAW,OAAO;;IAEtB;AAGA,QAAa,2BAAb,cAA8C,MAAK;;MAEjD,YAAY,SAAe;AACzB,cAAM,OAAO;AACb,aAAK,OAAO;MACd;;AALF,IAAAA,SAAA,2BAAA;;;;;;;;;;AC3Fa,IAAAC,SAAA,wBAAwB;AAGxB,IAAAA,SAAA,qBAAqB;AAGrB,IAAAA,SAAA,oBAAoB;AAmBpB,IAAAA,SAAA,6BAA2D;MACtE,CAACA,SAAA,qBAAqB,GAAG;MACzB,CAACA,SAAA,kBAAkB,GAAG;MACtB,CAACA,SAAA,iBAAiB,GAAG;;;;;;;;;;;ACQvB,IAAAC,SAAA,mBAAA;AAuBA,IAAAA,SAAA,yBAAA;AAvBA,aAAgB,iBACd,OAAwD;AAExD,UAAI,CAAC,uBAAuB,MAAM,UAAU,GAAG;AAC7C,cAAM,IAAI,mCACR,gBAAgB,MAAM,UAAU,oGAAiG;MAErI;AACA,aAAO;IACT;AAUA,QAAM,sBACJ;AAGF,aAAgB,uBAAuB,YAAkB;AACvD,aAAO,oBAAoB,KAAK,UAAU;IAC5C;AAGA,QAAa,qCAAb,cAAwD,MAAK;;MAE3D,YAAY,SAAe;AACzB,cAAM,OAAO;AACb,aAAK,OAAO;MACd;;AALF,IAAAA,SAAA,qCAAA;;;;;;;;;;AC1EA,QAAA,YAAA;AAKA,QAAA,aAAA;AAUa,IAAAC,SAAA,qBAAqB;MAChC,WAAW;MACX,MAAM;;AA4CK,IAAAA,SAAA,8BACX,GAAA,WAAA,kBAAmD;MACjD,YAAY;MACZ,QAAQ,UAAA;MACR,eAAe;KAChB;AA0BU,IAAAA,SAAA,sCACX,GAAA,WAAA,kBAA2D;MACzD,YAAY;MACZ,QAAQ,UAAA;MACR,eAAe;KAChB;AA0BU,IAAAA,SAAA,oCACX,GAAA,WAAA,kBAAyD;MACvD,YAAY;MACZ,QAAQ,UAAA;MACR,eAAe;KAChB;AAaU,IAAAA,SAAA,wBAAwB;MACnC,QAAQ;MACR,MAAM;MACN,MAAM;;AAgDK,IAAAA,SAAA,wBACX,GAAA,WAAA,kBAA6C;MAC3C,YAAY;MACZ,QAAQ,UAAA;MACR,eAAe;KAChB;AA0BU,IAAAA,SAAA,gCACX,GAAA,WAAA,kBAAqD;MACnD,YAAY;MACZ,QAAQ,UAAA;MACR,eAAe;KAChB;AAsBU,IAAAA,SAAA,8BACX,GAAA,WAAA,kBAAmD;MACjD,YAAY;MACZ,QAAQ,UAAA;MACR,eAAe;KAChB;AAwCU,IAAAA,SAAA,mCACX,GAAA,WAAA,kBAAwD;MACtD,YAAY;MACZ,QAAQ,UAAA;MACR,eAAe;KAChB;AAGU,IAAAA,SAAA,mCACX,GAAA,WAAA,kBAAwD;MACtD,YAAY;MACZ,QAAQ,UAAA;MACR,eAAe;KAChB;AAkCU,IAAAA,SAAA,uCACX,GAAA,WAAA,kBAA4D;MAC1D,YAAY;MACZ,QAAQ,UAAA;MACR,eAAe;KAChB;AAGU,IAAAA,SAAA,uCACX,GAAA,WAAA,kBAA4D;MAC1D,YAAY;MACZ,QAAQ,UAAA;MACR,eAAe;KAChB;AA6BU,IAAAA,SAAA,kCACX,GAAA,WAAA,kBAAuD;MACrD,YAAY;MACZ,QAAQ,UAAA;MACR,eAAe;KAChB;AAGU,IAAAA,SAAA,kCACX,GAAA,WAAA,kBAAuD;MACrD,YAAY;MACZ,QAAQ,UAAA;MACR,eAAe;KAChB;;;;;;;;;;AC7YH,QAAA,YAAA;AACA,QAAA,aAAA;AAkDa,IAAAC,SAAA,iCACX,GAAA,WAAA,kBAAsD;MACpD,YAAY;MACZ,QAAQ,UAAA;MACR,eAAe;KAChB;AAgDU,IAAAA,SAAA,8BACX,GAAA,WAAA,kBAAmD;MACjD,YAAY;MACZ,QAAQ,UAAA;MACR,eAAe;KAChB;;;;;;;;;;;;;;;;;;;;;;;;;AC7GH,iBAAA,yBAAAC,QAAA;AACA,iBAAA,oBAAAA,QAAA;AACA,iBAAA,oBAAAA,QAAA;;;;;;;;;;AC6EA,IAAAC,SAAA,kBAAA;AAiBA,IAAAA,SAAA,uBAAAC;AAhGA,QAAA,gBAAA,QAAA,QAAA;AACA,QAAA,uBAAA,QAAA,6BAAA;AAOA,QAAA,qBAAA;AACA,QAAA,YAAA;AAsEA,aAAgB,gBACd,QACA,UAA4B,CAAA,GAAE;AAE9B,aAAO;QACL,SAAS,CAAC,OAAO,SAAS,QACxBA,sBAAqB,QAAQ,OAAO,SAAS,KAAK,OAAO;;IAE/D;AASO,mBAAeA,sBACpB,QACA,OACA,SACA,KACA,UAA4B,CAAA,GAAE;AAE9B,YAAM,mBAAmB,QAAQ,qBAAqB,OAAM,GAAA,cAAA,YAAU;AACtE,YAAM,yBACJ,QAAQ,2BAA2B,OAAM,GAAA,cAAA,YAAU;AACrD,YAAM,MAAM,QAAQ,QAAQ,MAAM,oBAAI,KAAI;AAE1C,YAAM,WAAoC;QACxC,SAAS,iBAAgB;QACzB,SAAS;QACT,eAAe,IAAI,iBAAiB,uBAAsB;QAC1D,aAAa,IAAI,eAAe;QAChC,OAAO,IAAI;QACX,YAAY,IAAG,EAAG,YAAW;QAC7B,iBAAiB,mBAAA;QACjB;;AAGF,YAAM,UACJ,QAAQ,iBAAiB,MAAM,MAAM,KACrC,UAAA,2BAA2B,MAAM,MAAM;AAEzC,YAAM,SAAS,MAAM,OAAO,KAC1B,IAAI,qBAAA,iBAAiB;QACnB,SAAS;UACP;YACE,cAAc;YACd,QAAQ,MAAM;YACd,YAAY,MAAM;YAClB,QAAQ,KAAK,UAAU,QAAQ;;;OAGpC,CAAC;AAGJ,WAAK,OAAO,oBAAoB,KAAK,GAAG;AACtC,cAAM,QAAQ,OAAO,UAAU,CAAC;AAChC,cAAM,IAAI,qBACR,wBAAwB,MAAM,UAAU,mBAAmB,OAAO,KAAK,OAAO,aAAa,SAAS,WAAM,OAAO,gBAAgB,kBAAkB,EAAE;MAEzJ;AAEA,aAAO,EAAE,SAAS,SAAS,QAAO;IACpC;AAGA,QAAa,uBAAb,cAA0C,MAAK;;MAE7C,YAAY,SAAe;AACzB,cAAM,OAAO;AACb,aAAK,OAAO;MACd;;AALF,IAAAD,SAAA,uBAAA;;;;;;;;;;ACnGA,IAAAE,SAAA,qBAAA;AA9CA,QAAA,qBAAA;AA8CA,aAAgB,mBACd,OACA,UAA2C;AAE3C,UAAI,MAAM,WAAW,SAAS,QAAQ;AACpC,cAAM,IAAI,0BACR,uBAAuB,MAAM,MAAM,mDAAmD,SAAS,MAAM,IAAI;MAE7G;AAEA,UAAI,MAAM,aAAa,MAAM,SAAS,YAAY;AAChD,cAAM,IAAI,0BACR,4BAA4B,MAAM,aAAa,CAAC,8BAA8B,SAAS,UAAU,IAAI;MAEzG;AAEA,YAAM,YAAY,oBAAoB,MAAM,MAAM;AAElD,UAAI,EAAC,GAAA,mBAAA,4BAA2B,UAAU,eAAe,GAAG;AAC1D,cAAM,IAAI,gCACR,qBAAqB,UAAU,eAAe,yCAAyC;MAE3F;AAEA,YAAM,WAAoC;QACxC,SAAS,UAAU;QACnB,SAAS,UAAU;QACnB,eAAe,UAAU;QACzB,aAAa,UAAU;QACvB,OAAO,UAAU;QACjB,YAAY,UAAU;QACtB,iBAAiB,UAAU;QAC3B,SAAS,UAAU;;AAGrB,aAAO;QACL;QACA,UAAU,EAAE,SAAS,SAAS,SAAS,SAAS,SAAS,QAAO;;IAEpE;AAQA,aAAS,oBAAoB,QAAe;AAC1C,UAAI,WAAW,QAAQ,OAAO,WAAW,UAAU;AACjD,cAAM,IAAI,0BACR,8CAA8C;MAElD;AAEA,YAAM,MAAM;AAEZ,mBAAa,KAAK,SAAS;AAC3B,4BAAsB,KAAK,SAAS;AACpC,mBAAa,KAAK,eAAe;AACjC,wBAAkB,GAAG;AACrB,kBAAY,GAAG;AACf,mBAAa,KAAK,YAAY;AAC9B,mBAAa,KAAK,iBAAiB;AAEnC,UAAI,EAAE,aAAa,MAAM;AACvB,cAAM,IAAI,0BACR,8CAA8C;MAElD;AAEA,aAAO;IACT;AAEA,aAAS,aACP,KACA,OAAa;AAEb,YAAM,QAAQ,IAAI,KAAK;AACvB,UAAI,OAAO,UAAU,YAAY,MAAM,WAAW,GAAG;AACnD,cAAM,IAAI,0BACR,mBAAmB,KAAK,+BAA+B;MAE3D;IACF;AAEA,aAAS,sBACP,KACA,OAAa;AAEb,YAAM,QAAQ,IAAI,KAAK;AACvB,UAAI,OAAO,UAAU,YAAY,CAAC,OAAO,UAAU,KAAK,KAAK,QAAQ,GAAG;AACtE,cAAM,IAAI,0BACR,mBAAmB,KAAK,gCAAgC;MAE5D;IACF;AAEA,aAAS,kBAAkB,KAA4B;AACrD,UAAI,EAAE,iBAAiB,MAAM;AAC3B,cAAM,IAAI,0BACR,kDAAkD;MAEtD;AACA,YAAM,QAAQ,IAAI;AAClB,UAAI,UAAU,SAAS,OAAO,UAAU,YAAY,MAAM,WAAW,IAAI;AACvE,cAAM,IAAI,0BACR,kEAAkE;MAEtE;IACF;AAEA,aAAS,YAAY,KAA4B;AAC/C,YAAM,QAAQ,IAAI;AAClB,UAAI,UAAU,QAAQ,OAAO,UAAU,UAAU;AAC/C,cAAM,IAAI,0BACR,2CAA2C;MAE/C;AACA,YAAM,WAAW;AACjB,YAAM,cACJ,OAAO,SAAS,YAAY,YAC5B,OAAO,SAAS,cAAc,YAC9B,OAAO,SAAS,YAAY,YAC5B,OAAO,SAAS,YAAY;AAC9B,YAAM,gBAAgB,OAAO,SAAS,WAAW;AACjD,UAAI,CAAC,eAAe,CAAC,eAAe;AAClC,cAAM,IAAI,0BACR,mIAAmI;MAEvI;IACF;AAGA,QAAa,4BAAb,cAA+C,MAAK;;MAElD,YAAY,SAAe;AACzB,cAAM,OAAO;AACb,aAAK,OAAO;MACd;;AALF,IAAAA,SAAA,4BAAA;AASA,QAAa,kCAAb,cAAqD,MAAK;;MAExD,YAAY,SAAe;AACzB,cAAM,OAAO;AACb,aAAK,OAAO;MACd;;AALF,IAAAA,SAAA,kCAAA;;;;;;;;;;ACrLa,IAAAC,SAAA,oCACX;AAGW,IAAAA,SAAA,qCAAqC,KAAK,KAAK,KAAK;AAGpD,IAAAA,SAAA,0CAA0C;;;;;;;;;;AC0EvD,IAAAC,SAAA,sBAAA;AAcA,IAAAA,SAAA,iBAAA;AAgDA,IAAAA,SAAA,aAAA;AAuCA,IAAAA,SAAA,gBAAA;AA/LA,QAAA,oBAAA,QAAA,0BAAA;AAOA,QAAA,QAAA;AAmFA,aAAgB,oBACd,UACA,UAAsC,CAAA,GAAE;AAExC,aAAO;QACL,gBAAgB,CAAC,UAAU,eAAe,UAAU,OAAO,OAAO;QAClE,YAAY,CAAC,UAAU,WAAW,UAAU,OAAO,OAAO;;IAE9D;AAMO,mBAAe,eACpB,UACA,OACA,UAAsC,CAAA,GAAE;AAExC,yBAAmB,MAAM,YAAY;AACrC,4BAAsB,MAAM,SAAS,SAAS;AAC9C,YAAM,aACJ,MAAM,cACN,QAAQ,qBACR,MAAA;AACF,UAAI,CAAC,OAAO,UAAU,UAAU,KAAK,cAAc,GAAG;AACpD,cAAM,IAAI,+BACR,8CAA8C,UAAU,GAAG;MAE/D;AAEA,YAAM,YAAY,iBAAiB,QAAQ,SAAS;AACpD,YAAM,OAAO,QAAQ,OAAO,YAAW;AACvC,YAAM,KAAK,cAAc,MAAM,SAAS,MAAM,OAAO;AACrD,YAAM,YAAY,KAAK,MAAM,IAAI,QAAO,IAAK,GAAI,IAAI;AAErD,UAAI;AACF,cAAM,SAAS,KACb,IAAI,kBAAA,eAAe;UACjB,WAAW;UACX,MAAM;YACJ,cAAc,EAAE,GAAG,MAAM,aAAY;YACrC,IAAI,EAAE,GAAG,GAAE;YACX,SAAS,EAAE,GAAG,MAAM,QAAO;YAC3B,SAAS,EAAE,GAAG,OAAO,MAAM,OAAO,EAAC;YACnC,YAAY,EAAE,GAAG,IAAI,YAAW,EAAE;YAClC,WAAW,EAAE,GAAG,OAAO,SAAS,EAAC;;UAEnC,qBACE;SACH,CAAC;AAEJ,eAAO,EAAE,UAAU,KAAI;MACzB,SAAS,KAAK;AACZ,YAAI,eAAe,kBAAA,iCAAiC;AAClD,iBAAO,EAAE,UAAU,OAAO,kBAAkB,KAAI;QAClD;AACA,cAAM;MACR;IACF;AAGO,mBAAe,WACpB,UACA,OACA,UAAsC,CAAA,GAAE;AAExC,yBAAmB,MAAM,YAAY;AACrC,4BAAsB,MAAM,SAAS,SAAS;AAC9C,UAAI,MAAM,OAAO,WAAW,GAAG;AAC7B,cAAM,IAAI,+BAA+B,2BAA2B;MACtE;AAEA,YAAM,YAAY,iBAAiB,QAAQ,SAAS;AACpD,YAAM,OAAO,QAAQ,OAAO,YAAW;AACvC,YAAM,KAAK,cAAc,MAAM,SAAS,MAAM,OAAO;AAErD,YAAM,SAAS,KACb,IAAI,kBAAA,kBAAkB;QACpB,WAAW;QACX,KAAK;UACH,cAAc,EAAE,GAAG,MAAM,aAAY;UACrC,IAAI,EAAE,GAAG,GAAE;;QAEb,kBACE;QACF,0BAA0B;UACxB,WAAW;UACX,kBAAkB;UAClB,aAAa;;QAEf,2BAA2B;UACzB,WAAW,EAAE,MAAM,KAAI;UACvB,WAAW,EAAE,GAAG,MAAM,OAAM;UAC5B,aAAa,EAAE,GAAG,IAAI,YAAW,EAAE;;OAEtC,CAAC;IAEN;AAGA,aAAgB,cAAc,SAAiB,SAAe;AAC5D,UAAI,QAAQ,WAAW,GAAG;AACxB,cAAM,IAAI,+BAA+B,4BAA4B;MACvE;AACA,aAAO,GAAG,OAAO,IAAI,OAAO;IAC9B;AAEA,aAAS,iBAAiB,UAAiB;AACzC,YAAM,OAAO,YAAY,QAAQ,IAAI,MAAA,iCAAiC;AACtE,UAAI,CAAC,MAAM;AACT,cAAM,IAAI,mCACR,oEAAoE,MAAA,iCAAiC,GAAG;MAE5G;AACA,aAAO;IACT;AAEA,aAAS,mBAAmB,cAAoB;AAC9C,UAAI,aAAa,WAAW,GAAG;AAC7B,cAAM,IAAI,+BAA+B,iCAAiC;MAC5E;AACA,UAAI,aAAa,SAAS,MAAA,yCAAyC;AACjE,cAAM,IAAI,+BACR,8BAAyB,MAAA,uCAAuC,eAAe,aAAa,MAAM,GAAG;MAEzG;AACA,UAAI,KAAK,KAAK,YAAY,GAAG;AAC3B,cAAM,IAAI,+BACR,2CAA2C;MAE/C;IACF;AAEA,aAAS,sBAAsB,OAAe,OAAa;AACzD,UAAI,CAAC,OAAO,UAAU,KAAK,KAAK,QAAQ,GAAG;AACzC,cAAM,IAAI,+BACR,GAAG,KAAK,qCAAqC,KAAK,GAAG;MAEzD;IACF;AAEA,aAAS,aAAU;AACjB,aAAO,oBAAI,KAAI;IACjB;AAGA,QAAa,qCAAb,cAAwD,MAAK;;MAE3D,YAAY,SAAe;AACzB,cAAM,OAAO;AACb,aAAK,OAAO;MACd;;AALF,IAAAA,SAAA,qCAAA;AASA,QAAa,iCAAb,cAAoD,MAAK;;MAEvD,YAAY,SAAe;AACzB,cAAM,OAAO;AACb,aAAK,OAAO;MACd;;AALF,IAAAA,SAAA,iCAAA;;;;;;;;;;ACtPA,QAAA,QAAA;AACE,WAAA,eAAAC,UAAA,sCAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,MAAA;IAAkC,EAAA,CAAA;AAClC,WAAA,eAAAA,UAAA,2CAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,MAAA;IAAuC,EAAA,CAAA;AACvC,WAAA,eAAAA,UAAA,qCAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,MAAA;IAAiC,EAAA,CAAA;AAEnC,QAAA,0BAAA;AACE,WAAA,eAAAA,UAAA,kCAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,wBAAA;IAA8B,EAAA,CAAA;AAC9B,WAAA,eAAAA,UAAA,sCAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,wBAAA;IAAkC,EAAA,CAAA;AAClC,WAAA,eAAAA,UAAA,iBAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,wBAAA;IAAa,EAAA,CAAA;AACb,WAAA,eAAAA,UAAA,cAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,wBAAA;IAAU,EAAA,CAAA;AACV,WAAA,eAAAA,UAAA,kBAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,wBAAA;IAAc,EAAA,CAAA;AACd,WAAA,eAAAA,UAAA,uBAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,wBAAA;IAAmB,EAAA,CAAA;;;;;;;;;;ACXrB,QAAA,qBAAA;AACE,WAAA,eAAAC,UAAA,oBAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,mBAAA;IAAgB,EAAA,CAAA;AAChB,WAAA,eAAAA,UAAA,8BAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,mBAAA;IAA0B,EAAA,CAAA;AAE5B,QAAA,aAAA;AACE,WAAA,eAAAA,UAAA,4BAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,WAAA;IAAwB,EAAA,CAAA;AACxB,WAAA,eAAAA,UAAA,yBAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,WAAA;IAAqB,EAAA,CAAA;AACrB,WAAA,eAAAA,UAAA,uBAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,WAAA;IAAmB,EAAA,CAAA;AACnB,WAAA,eAAAA,UAAA,+BAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,WAAA;IAA2B,EAAA,CAAA;AAQ7B,QAAA,YAAA;AACE,WAAA,eAAAA,UAAA,8BAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,UAAA;IAA0B,EAAA,CAAA;AAC1B,WAAA,eAAAA,UAAA,yBAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,UAAA;IAAqB,EAAA,CAAA;AACrB,WAAA,eAAAA,UAAA,sBAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,UAAA;IAAkB,EAAA,CAAA;AAClB,WAAA,eAAAA,UAAA,qBAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,UAAA;IAAiB,EAAA,CAAA;AAGnB,QAAA,iBAAA;AACE,WAAA,eAAAA,UAAA,mCAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,eAAA;IAA+B,EAAA,CAAA;AAC/B,WAAA,eAAAA,UAAA,mCAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,eAAA;IAA+B,EAAA,CAAA;AAC/B,WAAA,eAAAA,UAAA,sCAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,eAAA;IAAkC,EAAA,CAAA;AAClC,WAAA,eAAAA,UAAA,oCAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,eAAA;IAAgC,EAAA,CAAA;AAChC,WAAA,eAAAA,UAAA,8BAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,eAAA;IAA0B,EAAA,CAAA;AAC1B,WAAA,eAAAA,UAAA,gCAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,eAAA;IAA4B,EAAA,CAAA;AAC5B,WAAA,eAAAA,UAAA,8BAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,eAAA;IAA0B,EAAA,CAAA;AAC1B,WAAA,eAAAA,UAAA,wBAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,eAAA;IAAoB,EAAA,CAAA;AACpB,WAAA,eAAAA,UAAA,uCAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,eAAA;IAAmC,EAAA,CAAA;AACnC,WAAA,eAAAA,UAAA,uCAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,eAAA;IAAmC,EAAA,CAAA;AACnC,WAAA,eAAAA,UAAA,kCAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,eAAA;IAA8B,EAAA,CAAA;AAC9B,WAAA,eAAAA,UAAA,kCAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,eAAA;IAA8B,EAAA,CAAA;AAC9B,WAAA,eAAAA,UAAA,sCAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,eAAA;IAAkC,EAAA,CAAA;AAClC,WAAA,eAAAA,UAAA,sBAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,eAAA;IAAkB,EAAA,CAAA;AAClB,WAAA,eAAAA,UAAA,iCAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,eAAA;IAA6B,EAAA,CAAA;AAC7B,WAAA,eAAAA,UAAA,8BAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,eAAA;IAA0B,EAAA,CAAA;AAC1B,WAAA,eAAAA,UAAA,yBAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,eAAA;IAAqB,EAAA,CAAA;AACrB,WAAA,eAAAA,UAAA,oBAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,eAAA;IAAgB,EAAA,CAAA;AAChB,WAAA,eAAAA,UAAA,0BAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,eAAA;IAAsB,EAAA,CAAA;AAkBxB,QAAA,cAAA;AACE,WAAA,eAAAA,UAAA,wBAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,YAAA;IAAoB,EAAA,CAAA;AACpB,WAAA,eAAAA,UAAA,wBAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,YAAA;IAAoB,EAAA,CAAA;AACpB,WAAA,eAAAA,UAAA,mBAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,YAAA;IAAe,EAAA,CAAA;AAQjB,QAAA,aAAA;AACE,WAAA,eAAAA,UAAA,6BAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,WAAA;IAAyB,EAAA,CAAA;AACzB,WAAA,eAAAA,UAAA,mCAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,WAAA;IAA+B,EAAA,CAAA;AAC/B,WAAA,eAAAA,UAAA,sBAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,WAAA;IAAkB,EAAA,CAAA;AAOpB,QAAA,UAAA;AACE,WAAA,eAAAA,UAAA,sCAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,QAAA;IAAkC,EAAA,CAAA;AAClC,WAAA,eAAAA,UAAA,2CAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,QAAA;IAAuC,EAAA,CAAA;AACvC,WAAA,eAAAA,UAAA,qCAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,QAAA;IAAiC,EAAA,CAAA;AACjC,WAAA,eAAAA,UAAA,kCAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,QAAA;IAA8B,EAAA,CAAA;AAC9B,WAAA,eAAAA,UAAA,sCAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,QAAA;IAAkC,EAAA,CAAA;AAClC,WAAA,eAAAA,UAAA,iBAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,QAAA;IAAa,EAAA,CAAA;AACb,WAAA,eAAAA,UAAA,cAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,QAAA;IAAU,EAAA,CAAA;AACV,WAAA,eAAAA,UAAA,kBAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,QAAA;IAAc,EAAA,CAAA;AACd,WAAA,eAAAA,UAAA,uBAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,QAAA;IAAmB,EAAA,CAAA;;;;;AC1FrB;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAA,IAAAC,qBAAwB;;;ACAxB,6BAA+B;AAMxB,IAAM,mBACX,QAAQ,IAAI,qBAAqB;AAM5B,IAAM,eAAe,IAAI,sCAAe;AAAA,EAC7C,GAAI,QAAQ,IAAI,0BAA0B;AAAA,IACxC,UAAU,QAAQ,IAAI;AAAA,IACtB,YAAY;AAAA,IACZ,QAAQ;AAAA,EACV;AACF,CAAC;;;ACnBD,uBAAuB;;;ACAvB,mBAA6C;;;ACYtC,IAAM,cAAc;AAYpB,SAAS,aAAa,IAAoB;AAE/C,MAAI,OAAO;AACX,WAAS,IAAI,GAAG,IAAI,GAAG,QAAQ,KAAK;AAClC,YAAQ,GAAG,WAAW,CAAC;AACvB,WAAO,KAAK,KAAK,MAAM,QAAU;AAAA,EACnC;AACA,UAAQ,SAAS,KAAK;AAExB;;;ADhBO,IAAM,qBAAqB;AAAA,EAChC,MAAM;AAAA,EACN,OAAO,CAAC,IAAI;AAAA,EACZ,KAAK,CAAC,MAAe,SAA2B;AAC9C,QAAI,OAAO,MAAM,OAAO,YAAY,KAAK,GAAG,WAAW,GAAG;AACxD,aAAO;AAAA,IACT;AACA,WAAO,OAAO,aAAa,KAAK,EAAE,CAAC;AAAA,EACrC;AACF;AAsBO,IAAM,kBAAkB;AAAA,EAC7B,MAAM;AAAA,EACN,OAAO,CAAC,YAAY,eAAe,IAAI;AAAA,EACvC,KAAK,CACH,MACA,SACG;AACH,UAAM,KAAK,OAAO,MAAM,OAAO,WAAW,KAAK,KAAK;AACpD,UAAM,cACJ,OAAO,MAAM,gBAAgB,WAAW,KAAK,cAAc;AAC7D,UAAM,WAAW,GAAG,WAAW,IAAI,EAAE;AAErC,QAAI,OAAO,MAAM,aAAa,YAAY,KAAK,SAAS,WAAW,GAAG;AACpE,aAAO;AAAA,IACT;AAEA,QAAI;AACJ,QAAI;AACF,eAAS,KAAK,MAAM,KAAK,QAAQ;AAAA,IACnC,QAAQ;AACN,aAAO;AAAA,IACT;AACA,QAAI,CAAC,UAAU,OAAO,WAAW,SAAU,QAAO;AAClD,UAAM,eAAgB,OAAsC;AAC5D,QAAI,OAAO,iBAAiB,SAAU,QAAO;AAE7C,UAAM,YAAQ,2BAAa,MAA4C;AACvE,WAAO,UAAU,SAAY,GAAG,KAAK,IAAI,EAAE,KAAK;AAAA,EAClD;AACF;AASA,SAAS,cAAc,UAAuD;AAC5E,QAAM,OAAO,SAAS;AACtB,MAAI,OAAO,SAAS,YAAY,KAAK,SAAS,EAAG,QAAO;AAExD,QAAM,OAAO,SAAS;AACtB,MAAI,QAAQ,OAAO,SAAS,UAAU;AACpC,UAAM,YAAa,KAAiC;AACpD,QAAI,OAAO,cAAc,YAAY,UAAU,SAAS,GAAG;AACzD,YAAM,QAAQ,UAAU,YAAY,GAAG;AACvC,YAAM,OAAO,SAAS,IAAI,UAAU,MAAM,QAAQ,CAAC,IAAI;AACvD,UAAI,KAAK,SAAS,EAAG,QAAO;AAAA,IAC9B;AAAA,EACF;AACA,SAAO;AACT;AA6BO,IAAM,gCAAgC;AAAA,EAC3C,MAAM;AAAA,EACN,OAAO,CAAC,YAAY,wBAAwB,eAAe,IAAI;AAAA,EAC/D,KAAK,CACH,MACA,SAMG;AACH,UAAM,KAAK,OAAO,MAAM,OAAO,WAAW,KAAK,KAAK;AACpD,UAAM,cACJ,OAAO,MAAM,gBAAgB,WAAW,KAAK,cAAc;AAC7D,UAAM,WAAW,GAAG,WAAW,IAAI,EAAE;AAErC,QAAI,OAAO,MAAM,aAAa,YAAY,KAAK,SAAS,WAAW,GAAG;AACpE,aAAO;AAAA,IACT;AAEA,QAAI;AACJ,QAAI;AACF,eAAS,KAAK,MAAM,KAAK,QAAQ;AAAA,IACnC,QAAQ;AACN,aAAO;AAAA,IACT;AACA,QAAI,CAAC,UAAU,OAAO,WAAW,SAAU,QAAO;AAElD,UAAM,SAAS,cAAc,MAAiC;AAC9D,QAAI,WAAW,OAAW,QAAO;AAEjC,UAAM,uBACJ,OAAO,KAAK,yBAAyB,WACjC,KAAK,uBACL;AACN,UAAM,qBACJ,qBAAqB,SAAS,QAC1B,6BAAe,oBAAoB,IACnC;AACN,QAAI,mBAAmB,WAAW,EAAG,QAAO;AAE5C,WAAO,GAAG,MAAM,IAAI,kBAAkB,IAAI,EAAE;AAAA,EAC9C;AACF;AAwBO,IAAM,4BAA4B;AAAA,EACvC,MAAM;AAAA,EACN,OAAO,CAAC,wBAAwB,eAAe,IAAI;AAAA,EACnD,KAAK,CACH,MACA,SAKG;AACH,UAAM,KAAK,OAAO,MAAM,OAAO,WAAW,KAAK,KAAK;AACpD,UAAM,cACJ,OAAO,MAAM,gBAAgB,WAAW,KAAK,cAAc;AAC7D,UAAM,WAAW,GAAG,WAAW,IAAI,EAAE;AAErC,UAAM,uBACJ,OAAO,MAAM,yBAAyB,WAClC,KAAK,uBACL;AACN,UAAM,qBACJ,qBAAqB,SAAS,QAC1B,6BAAe,oBAAoB,IACnC;AACN,QAAI,mBAAmB,WAAW,GAAG;AACnC,aAAO;AAAA,IACT;AAEA,WAAO,GAAG,kBAAkB,IAAI,EAAE;AAAA,EACpC;AACF;;;AD5MO,IAAM,sBAAsB,IAAI,wBAAO;AAAA,EAC5C,OAAO;AAAA,IACL,QAAQ;AAAA,IACR,SAAS;AAAA,IACT,SAAS;AAAA,EACX;AAAA,EACA,YAAY;AAAA;AAAA,IAEV,IAAI;AAAA,MACF,MAAM;AAAA,MACN,UAAU;AAAA,MACV,SAAS;AAAA,IACX;AAAA;AAAA,IAEA,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,MACV,SAAS;AAAA,IACX;AAAA;AAAA,IAEA,aAAa;AAAA,MACX,MAAM;AAAA,MACN,UAAU;AAAA,MACV,SAAS;AAAA,IACX;AAAA;AAAA,IAEA,QAAQ;AAAA,MACN,MAAM;AAAA,MACN,UAAU;AAAA,MACV,SAAS;AAAA,IACX;AAAA;AAAA,IAEA,QAAQ;AAAA,MACN,MAAM;AAAA,MACN,UAAU;AAAA,MACV,SAAS;AAAA,IACX;AAAA;AAAA,IAEA,KAAK;AAAA,MACH,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA,IAEA,IAAI;AAAA,MACF,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA,IAEA,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA,IAKA,SAAS;AAAA,MACP,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA,IAEA,KAAK;AAAA,MACH,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,IACA,aAAa;AAAA,MACX,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,IACA,WAAW;AAAA,IACX,SAAS;AAAA,MACP,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,IACA,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,IACA,OAAO;AAAA,MACL,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,EACF;AAAA,EACA,SAAS;AAAA;AAAA,IAEP,QAAQ;AAAA,MACN,IAAI;AAAA,QACF,OAAO;AAAA,QACP,WAAW,CAAC,YAAY,eAAe,UAAU,QAAQ;AAAA,QACzD,UACE;AAAA,MACJ;AAAA,MACA,IAAI;AAAA,QACF,OAAO;AAAA,QACP,WAAW,CAAC,OAAO,IAAI;AAAA,QACvB,UAAU;AAAA,MACZ;AAAA,IACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAYA,MAAM;AAAA,MACJ,OAAO;AAAA,MACP,IAAI;AAAA,QACF,OAAO;AAAA,QACP,WAAW,CAAC,YAAY,eAAe,WAAW;AAAA,QAClD,UACE;AAAA,MACJ;AAAA,MACA,IAAI;AAAA,QACF,OAAO;AAAA,QACP,QAAQ;AAAA,QACR,WAAW,CAAC,OAAO,IAAI;AAAA,QACvB,UAAU;AAAA,MACZ;AAAA,IACF;AAAA,EACF;AACF,CAAC;;;AGpJD,IAAAC,oBAAuB;AA8ChB,IAAM,oCAAoC,IAAI,yBAAO;AAAA,EAC1D,OAAO;AAAA,IACL,QAAQ;AAAA,IACR,SAAS;AAAA,IACT,SAAS;AAAA,EACX;AAAA,EACA,YAAY;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAMV,QAAQ;AAAA,MACN,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOA,IAAI;AAAA,MACF,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOA,iBAAiB;AAAA,MACf,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOA,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOA,OAAO;AAAA,MACL,MAAM;AAAA,MACN,UAAU;AAAA,MACV,SAAS;AAAA,IACX;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAQA,aAAa;AAAA,MACX,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAMA,SAAS;AAAA,MACP,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA,IAEA,KAAK;AAAA,MACH,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA,IAEA,aAAa;AAAA,MACX,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,EACF;AAAA,EACA,SAAS;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAQP,QAAQ;AAAA,MACN,IAAI;AAAA,QACF,OAAO;AAAA,QACP,WAAW,CAAC,QAAQ;AAAA,QACpB,UAAU;AAAA,MACZ;AAAA,MACA,IAAI;AAAA,QACF,OAAO;AAAA,QACP,QAAQ;AAAA,QACR,WAAW,CAAC,IAAI;AAAA,QAChB,UAAU;AAAA,MACZ;AAAA,IACF;AAAA,EACF;AACF,CAAC;;;AC5JD,IAAAC,oBAAuB;AAsDhB,IAAM,yCAAyC,IAAI,yBAAO;AAAA,EAC/D,OAAO;AAAA,IACL,QAAQ;AAAA,IACR,SAAS;AAAA,IACT,SAAS;AAAA,EACX;AAAA,EACA,YAAY;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAMV,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOA,aAAa;AAAA,MACX,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAQA,IAAI;AAAA,MACF,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOA,iBAAiB;AAAA,MACf,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOA,OAAO;AAAA,MACL,MAAM;AAAA,MACN,UAAU;AAAA,MACV,SAAS;AAAA,IACX;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAQA,aAAa;AAAA,MACX,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAMA,SAAS;AAAA,MACP,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA,IAEA,KAAK;AAAA,MACH,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA,IAEA,aAAa;AAAA,MACX,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,EACF;AAAA,EACA,SAAS;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IASP,QAAQ;AAAA,MACN,IAAI;AAAA,QACF,OAAO;AAAA,QACP,WAAW,CAAC,YAAY,aAAa;AAAA,QACrC,UAAU;AAAA,MACZ;AAAA,MACA,IAAI;AAAA,QACF,OAAO;AAAA,QACP,QAAQ;AAAA,QACR,WAAW,CAAC,IAAI;AAAA,QAChB,UAAU;AAAA,MACZ;AAAA,IACF;AAAA,EACF;AACF,CAAC;;;ACtKD,IAAAC,oBAAuB;AAuBhB,IAAM,mBAAmB,IAAI,yBAAO;AAAA,EACzC,OAAO;AAAA,IACL,QAAQ;AAAA,IACR,SAAS;AAAA,IACT,SAAS;AAAA,EACX;AAAA,EACA,YAAY;AAAA;AAAA,IAEV,IAAI;AAAA,MACF,MAAM;AAAA,MACN,UAAU;AAAA,MACV,SAAS;AAAA,IACX;AAAA;AAAA,IAEA,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA,IAEA,IAAI;AAAA,MACF,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA,IAEA,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA,IAKA,SAAS;AAAA,MACP,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA,IAEA,KAAK;AAAA,MACH,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,IACA,aAAa;AAAA,MACX,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,IACA,WAAW;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAQX,QAAQ;AAAA,IACR,SAAS;AAAA,MACP,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,IACA,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,IACA,OAAO;AAAA,MACL,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOA,uBAAuB;AAAA,MACrB,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAYA,wBAAwB;AAAA,MACtB,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAYA,sBAAsB;AAAA,MACpB,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,EACF;AAAA,EACA,SAAS;AAAA;AAAA,IAEP,QAAQ;AAAA,MACN,IAAI;AAAA,QACF,OAAO;AAAA,QACP,WAAW,CAAC,YAAY,IAAI;AAAA,QAC5B,UAAU;AAAA,MACZ;AAAA,MACA,IAAI;AAAA,QACF,OAAO;AAAA,QACP,WAAW,CAAC,IAAI;AAAA,QAChB,UAAU;AAAA,MACZ;AAAA,IACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAWA,MAAM;AAAA,MACJ,OAAO;AAAA,MACP,IAAI;AAAA,QACF,OAAO;AAAA,QACP,WAAW,CAAC,YAAY,WAAW;AAAA,QACnC,UAAU;AAAA,MACZ;AAAA,MACA,IAAI;AAAA,QACF,OAAO;AAAA,QACP,QAAQ;AAAA,QACR,WAAW,CAAC,QAAQ;AAAA,QACpB,UAAU;AAAA,MACZ;AAAA,IACF;AAAA,EACF;AACF,CAAC;;;ACzKD,IAAAC,oBAAuB;AAuChB,IAAM,iCAAiC,IAAI,yBAAO;AAAA,EACvD,OAAO;AAAA,IACL,QAAQ;AAAA,IACR,SAAS;AAAA,IACT,SAAS;AAAA,EACX;AAAA,EACA,YAAY;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAMV,QAAQ;AAAA,MACN,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOA,IAAI;AAAA,MACF,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA,IAEA,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAMA,aAAa;AAAA,MACX,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOA,cAAc;AAAA,MACZ,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAMA,SAAS;AAAA,MACP,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA,IAEA,KAAK;AAAA,MACH,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA,IAEA,aAAa;AAAA,MACX,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOA,wBAAwB;AAAA,MACtB,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOA,sBAAsB;AAAA,MACpB,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAQA,2BAA2B;AAAA,MACzB,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,EACF;AAAA,EACA,SAAS;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IASP,QAAQ;AAAA,MACN,IAAI;AAAA,QACF,OAAO;AAAA,QACP,WAAW,CAAC,QAAQ;AAAA,QACpB,UAAU;AAAA,MACZ;AAAA,MACA,IAAI;AAAA,QACF,OAAO;AAAA,QACP,QAAQ;AAAA,QACR,WAAW,CAAC,IAAI;AAAA,QAChB,UAAU;AAAA,MACZ;AAAA,IACF;AAAA,EACF;AACF,CAAC;;;ACnKD,IAAAC,oBAAuB;AA0ChB,IAAM,sCAAsC,IAAI,yBAAO;AAAA,EAC5D,OAAO;AAAA,IACL,QAAQ;AAAA,IACR,SAAS;AAAA,IACT,SAAS;AAAA,EACX;AAAA,EACA,YAAY;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAMV,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOA,aAAa;AAAA,MACX,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOA,IAAI;AAAA,MACF,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOA,QAAQ;AAAA,MACN,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOA,cAAc;AAAA,MACZ,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAMA,SAAS;AAAA,MACP,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA,IAEA,KAAK;AAAA,MACH,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA,IAEA,aAAa;AAAA,MACX,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IASA,sBAAsB;AAAA,MACpB,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,EACF;AAAA,EACA,SAAS;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IASP,QAAQ;AAAA,MACN,IAAI;AAAA,QACF,OAAO;AAAA,QACP,WAAW,CAAC,YAAY,aAAa;AAAA,QACrC,UAAU;AAAA,MACZ;AAAA,MACA,IAAI;AAAA,QACF,OAAO;AAAA,QACP,QAAQ;AAAA,QACR,WAAW,CAAC,IAAI;AAAA,QAChB,UAAU;AAAA,MACZ;AAAA,IACF;AAAA,EACF;AACF,CAAC;;;ACzJD,IAAAC,oBAAuB;AAsBhB,IAAM,aAAa,IAAI,yBAAO;AAAA,EACnC,OAAO;AAAA,IACL,QAAQ;AAAA,IACR,SAAS;AAAA,IACT,SAAS;AAAA,EACX;AAAA,EACA,YAAY;AAAA;AAAA,IAEV,IAAI;AAAA,MACF,MAAM;AAAA,MACN,UAAU;AAAA,MACV,SAAS;AAAA,IACX;AAAA;AAAA,IAEA,IAAI;AAAA,MACF,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA,IAEA,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA,IAKA,SAAS;AAAA,MACP,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA,IAEA,KAAK;AAAA,MACH,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,IACA,aAAa;AAAA,MACX,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,IACA,WAAW;AAAA;AAAA,IAEX,QAAQ;AAAA,IACR,SAAS;AAAA,MACP,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,IACA,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,IACA,OAAO;AAAA,MACL,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,EACF;AAAA,EACA,SAAS;AAAA;AAAA,IAEP,QAAQ;AAAA,MACN,IAAI;AAAA,QACF,OAAO;AAAA,QACP,WAAW,CAAC,IAAI;AAAA,QAChB,UAAU;AAAA,MACZ;AAAA,MACA,IAAI;AAAA,QACF,OAAO;AAAA,QACP,WAAW,CAAC,IAAI;AAAA,QAChB,UAAU;AAAA,MACZ;AAAA,IACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IASA,MAAM;AAAA,MACJ,OAAO;AAAA,MACP,IAAI;AAAA,QACF,OAAO;AAAA,QACP,WAAW,CAAC,WAAW;AAAA,QACvB,UAAU;AAAA,MACZ;AAAA,MACA,IAAI;AAAA,QACF,OAAO;AAAA,QACP,QAAQ;AAAA,QACR,WAAW,CAAC,QAAQ;AAAA,QACpB,UAAU;AAAA,MACZ;AAAA,IACF;AAAA,EACF;AACF,CAAC;;;ACnHD,IAAAC,oBAAuB;AAuBhB,IAAM,uBAAuB,IAAI,yBAAO;AAAA,EAC7C,OAAO;AAAA,IACL,QAAQ;AAAA,IACR,SAAS;AAAA,IACT,SAAS;AAAA,EACX;AAAA,EACA,YAAY;AAAA;AAAA,IAEV,IAAI;AAAA,MACF,MAAM;AAAA,MACN,UAAU;AAAA,MACV,SAAS;AAAA,IACX;AAAA;AAAA,IAEA,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA,IAEA,IAAI;AAAA,MACF,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA,IAEA,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA,IAKA,SAAS;AAAA,MACP,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA,IAEA,KAAK;AAAA,MACH,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,IACA,aAAa;AAAA,MACX,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,IACA,WAAW;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IASX,QAAQ;AAAA,IACR,SAAS;AAAA,MACP,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,IACA,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,IACA,OAAO;AAAA,MACL,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAaA,wBAAwB;AAAA,MACtB,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAaA,sBAAsB;AAAA,MACpB,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAYA,sBAAsB;AAAA,MACpB,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,EACF;AAAA,EACA,SAAS;AAAA;AAAA,IAEP,QAAQ;AAAA,MACN,IAAI;AAAA,QACF,OAAO;AAAA,QACP,WAAW,CAAC,YAAY,IAAI;AAAA,QAC5B,UAAU;AAAA,MACZ;AAAA,MACA,IAAI;AAAA,QACF,OAAO;AAAA,QACP,WAAW,CAAC,IAAI;AAAA,QAChB,UAAU;AAAA,MACZ;AAAA,IACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAYA,MAAM;AAAA,MACJ,OAAO;AAAA,MACP,IAAI;AAAA,QACF,OAAO;AAAA,QACP,WAAW,CAAC,YAAY,WAAW;AAAA,QACnC,UAAU;AAAA,MACZ;AAAA,MACA,IAAI;AAAA,QACF,OAAO;AAAA,QACP,QAAQ;AAAA,QACR,WAAW,CAAC,QAAQ;AAAA,QACpB,UAAU;AAAA,MACZ;AAAA,IACF;AAAA,EACF;AACF,CAAC;;;AClLD,IAAAC,oBAAuB;AAyChB,IAAM,qCAAqC,IAAI,yBAAO;AAAA,EAC3D,OAAO;AAAA,IACL,QAAQ;AAAA,IACR,SAAS;AAAA,IACT,SAAS;AAAA,EACX;AAAA,EACA,YAAY;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAMV,QAAQ;AAAA,MACN,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAQA,IAAI;AAAA,MACF,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA,IAEA,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAMA,aAAa;AAAA,MACX,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAMA,QAAQ;AAAA,MACN,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOA,kBAAkB;AAAA,MAChB,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAMA,SAAS;AAAA,MACP,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA,IAEA,KAAK;AAAA,MACH,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA,IAEA,aAAa;AAAA,MACX,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAQA,wBAAwB;AAAA,MACtB,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOA,sBAAsB;AAAA,MACpB,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAQA,sBAAsB;AAAA,MACpB,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,EACF;AAAA,EACA,SAAS;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IASP,QAAQ;AAAA,MACN,IAAI;AAAA,QACF,OAAO;AAAA,QACP,WAAW,CAAC,QAAQ;AAAA,QACpB,UAAU;AAAA,MACZ;AAAA,MACA,IAAI;AAAA,QACF,OAAO;AAAA,QACP,QAAQ;AAAA,QACR,WAAW,CAAC,IAAI;AAAA,QAChB,UAAU;AAAA,MACZ;AAAA,IACF;AAAA,EACF;AACF,CAAC;;;AChLD,IAAAC,qBAAuB;AA0DhB,IAAM,0CAA0C,IAAI,0BAAO;AAAA,EAChE,OAAO;AAAA,IACL,QAAQ;AAAA,IACR,SAAS;AAAA,IACT,SAAS;AAAA,EACX;AAAA,EACA,YAAY;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAMV,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOA,aAAa;AAAA,MACX,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOA,IAAI;AAAA,MACF,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOA,QAAQ;AAAA,MACN,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAMA,QAAQ;AAAA,MACN,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOA,kBAAkB;AAAA,MAChB,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAMA,SAAS;AAAA,MACP,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA,IAEA,KAAK;AAAA,MACH,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA,IAEA,aAAa;AAAA,MACX,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IASA,sBAAsB;AAAA,MACpB,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IASA,sBAAsB;AAAA,MACpB,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,EACF;AAAA,EACA,SAAS;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAUP,QAAQ;AAAA,MACN,IAAI;AAAA,QACF,OAAO;AAAA,QACP,WAAW,CAAC,YAAY,aAAa;AAAA,QACrC,UAAU;AAAA,MACZ;AAAA,MACA,IAAI;AAAA,QACF,OAAO;AAAA,QACP,QAAQ;AAAA,QACR,WAAW,CAAC,IAAI;AAAA,QAChB,UAAU;AAAA,MACZ;AAAA,IACF;AAAA,EACF;AACF,CAAC;;;AC/LD,IAAAC,qBAAuB;AAoBhB,IAAM,eAAe,IAAI,0BAAO;AAAA,EACrC,OAAO;AAAA,IACL,QAAQ;AAAA,IACR,SAAS;AAAA,IACT,SAAS;AAAA,EACX;AAAA,EACA,YAAY;AAAA;AAAA,IAEV,IAAI;AAAA,MACF,MAAM;AAAA,MACN,UAAU;AAAA,MACV,SAAS;AAAA,IACX;AAAA;AAAA,IAEA,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA,IAEA,IAAI;AAAA,MACF,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA,IAEA,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA,IAKA,SAAS;AAAA,MACP,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA,IAEA,KAAK;AAAA,MACH,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,IACA,aAAa;AAAA,MACX,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAMA,eAAe;AAAA,MACb,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAMA,oBAAoB;AAAA,MAClB,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,IACA,WAAW;AAAA;AAAA,IAEX,QAAQ;AAAA,IACR,SAAS;AAAA,MACP,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,IACA,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,IACA,OAAO;AAAA,MACL,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,EACF;AAAA,EACA,SAAS;AAAA;AAAA,IAEP,QAAQ;AAAA,MACN,IAAI;AAAA,QACF,OAAO;AAAA,QACP,WAAW,CAAC,UAAU;AAAA,QACtB,UAAU;AAAA,MACZ;AAAA,MACA,IAAI;AAAA,QACF,OAAO;AAAA,QACP,WAAW,CAAC,IAAI;AAAA,QAChB,UAAU;AAAA,MACZ;AAAA,IACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IASA,MAAM;AAAA,MACJ,OAAO;AAAA,MACP,IAAI;AAAA,QACF,OAAO;AAAA,QACP,WAAW,CAAC,WAAW;AAAA,QACvB,UAAU;AAAA,MACZ;AAAA,MACA,IAAI;AAAA,QACF,OAAO;AAAA,QACP,QAAQ;AAAA,QACR,WAAW,CAAC,QAAQ;AAAA,QACpB,UAAU;AAAA,MACZ;AAAA,IACF;AAAA,EACF;AACF,CAAC;;;ACxID,IAAAC,qBAAuB;AAyBhB,IAAM,aAAa,IAAI,0BAAO;AAAA,EACnC,OAAO;AAAA,IACL,QAAQ;AAAA,IACR,SAAS;AAAA,IACT,SAAS;AAAA,EACX;AAAA,EACA,YAAY;AAAA;AAAA,IAEV,IAAI;AAAA,MACF,MAAM;AAAA,MACN,UAAU;AAAA,MACV,SAAS;AAAA,IACX;AAAA;AAAA,IAEA,IAAI;AAAA,MACF,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA,IAEA,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA,IAKA,SAAS;AAAA,MACP,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA,IAKA,YAAY;AAAA,MACV,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA,IAEA,KAAK;AAAA,MACH,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,IACA,aAAa;AAAA,MACX,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOA,gBAAgB;AAAA,MACd,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOA,mBAAmB;AAAA,MACjB,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,IACA,WAAW;AAAA;AAAA,IAEX,QAAQ;AAAA,IACR,SAAS;AAAA,MACP,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAmBA,gBAAgB;AAAA,MACd,MAAM,CAAC,UAAU,YAAY,gBAAgB;AAAA,MAC7C,UAAU;AAAA,IACZ;AAAA,IACA,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,IACA,OAAO;AAAA,MACL,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,EACF;AAAA,EACA,SAAS;AAAA;AAAA,IAEP,QAAQ;AAAA,MACN,IAAI;AAAA,QACF,OAAO;AAAA,QACP,WAAW,CAAC,IAAI;AAAA,QAChB,UAAU;AAAA,MACZ;AAAA,MACA,IAAI;AAAA,QACF,OAAO;AAAA,QACP,WAAW,CAAC,IAAI;AAAA,QAChB,UAAU;AAAA,MACZ;AAAA,IACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IASA,MAAM;AAAA,MACJ,OAAO;AAAA,MACP,IAAI;AAAA,QACF,OAAO;AAAA,QACP,WAAW,CAAC,WAAW;AAAA,QACvB,UAAU;AAAA,MACZ;AAAA,MACA,IAAI;AAAA,QACF,OAAO;AAAA,QACP,QAAQ;AAAA,QACR,WAAW,CAAC,QAAQ;AAAA,QACpB,UAAU;AAAA,MACZ;AAAA,IACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOA,MAAM;AAAA,MACJ,OAAO;AAAA,MACP,WAAW,CAAC,UACV,OAAO,MAAM,eAAe,YAAY,MAAM,WAAW,SAAS;AAAA,MACpE,IAAI;AAAA,QACF,OAAO;AAAA,QACP,QAAQ;AAAA,QACR,WAAW,CAAC,YAAY;AAAA,QACxB,UAAU;AAAA,MACZ;AAAA,MACA,IAAI;AAAA,QACF,OAAO;AAAA,QACP,QAAQ;AAAA,QACR,WAAW,CAAC;AAAA,QACZ,UAAU;AAAA,MACZ;AAAA,IACF;AAAA,EACF;AACF,CAAC;;;AC/LD,IAAAC,qBAAuB;AAmBhB,IAAM,kBAAkB,IAAI,0BAAO;AAAA,EACxC,OAAO;AAAA,IACL,QAAQ;AAAA,IACR,SAAS;AAAA,IACT,SAAS;AAAA,EACX;AAAA,EACA,YAAY;AAAA;AAAA,IAEV,IAAI;AAAA,MACF,MAAM;AAAA,MACN,UAAU;AAAA,MACV,SAAS;AAAA,IACX;AAAA;AAAA,IAEA,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA,IAEA,IAAI;AAAA,MACF,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA,IAEA,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA,IAKA,SAAS;AAAA,MACP,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA,IAEA,KAAK;AAAA,MACH,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,IACA,aAAa;AAAA,MACX,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOA,kBAAkB;AAAA,MAChB,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOA,uBAAuB;AAAA,MACrB,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOA,wBAAwB;AAAA,MACtB,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,IACA,WAAW;AAAA;AAAA,IAEX,QAAQ;AAAA,IACR,SAAS;AAAA,MACP,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAmBA,gBAAgB;AAAA,MACd,MAAM,CAAC,UAAU,YAAY,gBAAgB;AAAA,MAC7C,UAAU;AAAA,IACZ;AAAA,IACA,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,IACA,OAAO;AAAA,MACL,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,EACF;AAAA,EACA,SAAS;AAAA;AAAA,IAEP,QAAQ;AAAA,MACN,IAAI;AAAA,QACF,OAAO;AAAA,QACP,WAAW,CAAC,YAAY,IAAI;AAAA,QAC5B,UAAU;AAAA,MACZ;AAAA,MACA,IAAI;AAAA,QACF,OAAO;AAAA,QACP,WAAW,CAAC,IAAI;AAAA,QAChB,UAAU;AAAA,MACZ;AAAA,IACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IASA,MAAM;AAAA,MACJ,OAAO;AAAA,MACP,IAAI;AAAA,QACF,OAAO;AAAA,QACP,WAAW,CAAC,YAAY,WAAW;AAAA,QACnC,UAAU;AAAA,MACZ;AAAA,MACA,IAAI;AAAA,QACF,OAAO;AAAA,QACP,QAAQ;AAAA,QACR,WAAW,CAAC,QAAQ;AAAA,QACpB,UAAU;AAAA,MACZ;AAAA,IACF;AAAA,EACF;AACF,CAAC;;;AhBlJD,IAAM,uBAAuB;AAAA,EAC3B,eAAe;AAAA,EACf,6BAA6B;AAAA,EAC7B,kCAAkC;AAAA,EAClC,YAAY;AAAA,EACZ,0BAA0B;AAAA,EAC1B,+BAA+B;AAAA,EAC/B,MAAM;AAAA,EACN,gBAAgB;AAAA,EAChB,8BAA8B;AAAA,EAC9B,mCAAmC;AAAA,EACnC,QAAQ;AAAA,EACR,MAAM;AAAA,EACN,WAAW;AACb;AAEA,IAAM,sBAAsB,IAAI,2BAAQ,sBAAsB;AAAA,EAC5D,OAAO;AAAA,EACP,QAAQ;AACV,CAAC;AAWM,IAAM,uBAAuB;AAAA,EAClC,UAAU,oBAAoB;AAAA,EAC9B,aAAa,oBAAoB;AACnC;AAQO,SAAS,wBACd,WAC0B;AAC1B,QAAM,WAAW,aAAa;AAC9B,QAAM,UAAU,IAAI,2BAAQ,sBAAsB;AAAA,IAChD,OAAO;AAAA,IACP,QAAQ;AAAA,EACV,CAAC;AACD,SAAO;AAAA,IACL,UAAU,QAAQ;AAAA,IAClB,aAAa,QAAQ;AAAA,EACvB;AACF;;;AiB9BO,IAAM,iBAAiB;AAAA,EAC5B,QAAQ;AAAA,EACR,WAAW;AAAA,EACX,MAAM;AACR;;;ACdO,SAAS,sBAAsB,OAG1B;AACV,MAAI,gBAAgB,MAAM,SAAS,GAAG;AACpC,WAAO;AAAA,EACT;AACA,MAAI,eAAe,MAAM,MAAM,GAAG;AAChC,WAAO;AAAA,EACT;AACA,SAAO;AACT;AAQA,SAAS,gBAAgB,WAAwC;AAC/D,MAAI,OAAO,cAAc,YAAY,UAAU,WAAW,GAAG;AAC3D,WAAO;AAAA,EACT;AACA,QAAM,QAAQ,UAAU,YAAY;AACpC,SAAO,UAAU,WAAW,MAAM,SAAS,OAAO;AACpD;AAOA,SAAS,eAAe,QAAqC;AAC3D,MAAI,OAAO,WAAW,YAAY,OAAO,WAAW,GAAG;AACrD,WAAO;AAAA,EACT;AACA,SAAO,OAAO,YAAY,EAAE,SAAS,OAAO;AAC9C;;;ACzEA,gCAAkC;AAClC,uBAcO;AAgIA,SAAS,iBACd,UACoB;AACpB,QAAM,OAAO,UAAU;AAGvB,QAAM,QAAQ,MAAM,SAAS,CAAC,GAAG;AACjC,SAAO,OAAO,UAAU,YAAY,MAAM,SAAS,IAAI,QAAQ;AACjE;;;ACpFO,SAAS,cACd,MACA,UACQ;AACR,UAAQ,MAAM;AAAA,IACZ,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AAIH,aAAO,4BAA4B,QAAQ;AAAA,IAC7C,KAAK;AAAA,IACL;AACE,aAAO;AAAA,EACX;AACF;;;ACvDA,eAAsB,gCACpB,QACiB;AACjB,QAAM,EAAE,QAAQ,OAAO,OAAO,UAAU,UAAU,IAAI;AAEtD,MAAI,SAAS,uBAAuB,CAAC,UAAU;AAC7C,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AAEA,QAAM,UAAU,wBAAwB,SAAS;AACjD,QAAM,WAAW,cAAc,MAAM,QAAQ;AAE7C,QAAM,SAAS,MAAM,QAAQ,SAAS,yBAAyB,MAC5D,OAAO,EAAE,OAAO,CAAC,EACjB,OAAO,EAAE,IAAI,SAAS,CAAC,EACvB,GAAG,EAAE,OAAO,OAAO,YAAY,CAAC,cAAc,EAAE,CAAC;AAEpD,UAAQ,OAAO,QAAQ,CAAC,GAAG;AAC7B;;;ACQA,eAAsB,mCACpB,QAC0C;AAC1C,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA,SAAS;AAAA,IACT;AAAA,IACA;AAAA,IACA;AAAA,EACF,IAAI;AAEJ,QAAM,UAAU,wBAAwB,SAAS;AAEjD,QAAM,YAIF;AAAA,IACF;AAAA,EACF;AACA,MAAI,UAAU,QAAW;AACvB,cAAU,QAAQ;AAAA,EACpB;AACA,MAAI,UAAU,QAAW;AACvB,cAAU,QAAQ;AAAA,EACpB;AAEA,QAAM,SAAS,MAAM,QAAQ,SAAS,8BAA8B,MACjE,OAAO,EAAE,UAAU,YAAY,CAAC,EAChC,OAAO,EAAE,IAAI,cAAc,CAAC,EAC5B,GAAG,SAAS;AAEf,QAAM,SACJ,OAAO,QAAQ,CAAC,GAChB,IAAI,CAAC,SAAS;AAAA,IACd,UAAU,IAAI;AAAA,IACd,aAAa,IAAI;AAAA,IACjB,IAAI,IAAI;AAAA,IACR,QAAQ,IAAI;AAAA,IACZ,cAAc,IAAI;AAAA,IAClB,SAAS,IAAI;AAAA,IACb,KAAK,IAAI;AAAA,IACT,aAAa,IAAI;AAAA,IACjB,sBAAsB,IAAI;AAAA,EAC5B,EAAE;AAEF,SAAO,EAAE,OAAO,QAAQ,OAAO,UAAU,KAAK;AAChD;;;AC1GA,IAAAC,gBAA+C;;;ACA/C,uBAAqC;;;ADiPrC,IAAM,yBAAyB;AAE/B,IAAM,4BAA4B;AAkClC,eAAsB,kBACpB,QACA,MACA,SACkB;AAClB,MAAI,KAAK,WAAW,EAAG,QAAO,CAAC;AAE/B,QAAM,YAAqB,CAAC;AAC5B,MAAI,UAAU;AACd,MAAI,UAAU;AAEd,SAAO,QAAQ,SAAS,GAAG;AACzB,QAAI,UAAU,GAAG;AACf,YAAM,IAAI;AAAA,QAAQ,CAAC,YACjB,WAAW,SAAS,4BAA4B,MAAM,UAAU,EAAE;AAAA,MACpE;AAAA,IACF;AACA;AACA,UAAM,SAAS,MAAM,OAClB,IAAI,OAAO,EACX,GAAG,SAAS,aAAa,EAAE,YAAY,KAAK,IAAI,MAAS;AAC5D,cAAU,KAAK,GAAG,OAAO,IAAI;AAC7B,UAAM,cAAc,OAAO,eAAe,CAAC;AAC3C,QAAI,YAAY,WAAW,EAAG;AAC9B,QAAI,WAAW,wBAAwB;AACrC,YAAM,IAAI;AAAA,QACR,+BAA+B,YAAY,MAAM,mCAAmC,sBAAsB;AAAA,MAC5G;AAAA,IACF;AACA,cAAU;AAAA,EACZ;AAEA,SAAO;AACT;AAqCA,eAAsB,iBACpB,MACA,cACA,OAC+C;AAC/C,MAAI,SAAS,SAAS;AACpB,QAAI,QAAQ;AACZ,eAAW,eAAe,cAAc;AACtC,gBAAU,YAAY,QAAQ,CAAC,GAAG;AAAA,IACpC;AACA,WAAO,EAAE,SAAS,CAAC,GAAG,MAAM;AAAA,EAC9B;AAEA,MAAI,SAAS,WAAW;AACtB,UAAMC,WAAoB,CAAC;AAC3B,eAAW,eAAe,cAAc;AACtC,iBAAW,QAAQ,YAAY,QAAQ,CAAC,GAAG;AACzC,YAAI,OAAO,KAAK,YAAY,SAAU;AACtC,YAAI;AACJ,YAAI;AACF,mBAAS,KAAK,MAAM,KAAK,OAAO;AAAA,QAClC,QAAQ;AACN;AAAA,QACF;AACA,QAAAA,SAAQ,KAAK,MAAM,kBAAkB,KAAK,IAAI,MAAM,CAAC;AAAA,MACvD;AAAA,IACF;AACA,WAAO,EAAE,SAAAA,UAAS,OAAOA,SAAQ,OAAO;AAAA,EAC1C;AAEA,QAAM,aAAuB,CAAC;AAC9B,aAAW,eAAe,cAAc;AACtC,eAAW,QAAQ,YAAY,QAAQ,CAAC,GAAG;AACzC,iBAAW,KAAK,KAAK,EAAE;AAAA,IACzB;AAAA,EACF;AAEA,MAAI,WAAW,WAAW,EAAG,QAAO,EAAE,SAAS,CAAC,GAAG,OAAO,EAAE;AAE5D,QAAM,QAAQ,MAAM,MAAM,QAAQ,UAAU;AAC5C,QAAM,OAAO,IAAI,IAAI,MAAM,IAAI,CAAC,SAAS,CAAC,MAAM,MAAM,IAAI,GAAG,IAAI,CAAC,CAAC;AAEnE,QAAM,UAAoB,CAAC;AAC3B,aAAW,MAAM,YAAY;AAC3B,UAAM,OAAO,KAAK,IAAI,EAAE;AACxB,QAAI,CAAC,KAAM;AACX,YAAQ,KAAK,MAAM,WAAW,IAAI,IAAI,CAAC;AAAA,EACzC;AAEA,SAAO,EAAE,SAAS,OAAO,QAAQ,OAAO;AAC1C;;;AEpYA,IAAM,KAAK;AAqBX,eAAsB,yBACpB,QAC+B;AAC/B,QAAM,EAAE,SAAS,WAAW,OAAO,OAAO,IAAI;AAC9C,QAAM,WAAW,QAAQ;AACzB,QAAM,UAAU,wBAAwB,SAAS;AAEjD,QAAM,eAAe,MAAM,QAAQ;AAAA,IACjC,MAAM;AAAA,MAAK,EAAE,QAAQ,YAAY;AAAA,MAAG,CAAC,GAAG,UACtC,QAAQ,SAAS,WAAW,MACzB,KAAK,EAAE,UAAU,WAAW,OAAO,KAAK,EAAE,CAAC,EAC3C,GAAG;AAAA,IACR;AAAA,EACF;AAEA,SAAO,iBAGL,MAAM,cAAc;AAAA,IACpB,SAAS,CAAC,eACR;AAAA,MACE,QAAQ,SAAS;AAAA,MACjB,WAAW,IAAI,CAAC,QAAQ,EAAE,UAAU,IAAI,IAAI,GAAG,EAAE;AAAA,IACnD;AAAA,IACF,OAAO,CAAC,SAAS,KAAK;AAAA,IACtB,YAAY,CAAC,IAAI,UAAU;AAAA,MACzB;AAAA,MACA,UAAU;AAAA,QACR,cAAc;AAAA,QACd;AAAA,QACA,GAAI,KAAK,MAAM,KAAK,QAAQ;AAAA,MAC9B;AAAA,IACF;AAAA,IACA,mBAAmB,CAAC,IAAI,YAAY;AAAA,MAClC;AAAA,MACA,UAAU,EAAE,cAAc,cAAc,IAAI,GAAG,OAAO;AAAA,IACxD;AAAA,EACF,CAAC;AACH;;;AC3CA,IAAAC,gBAA+B;AAmIxB,SAAS,qBACd,UACA,WACoB;AACpB,QAAM,QAAQ,SAAS,SAAS;AAChC,MAAI,CAAC,SAAS,OAAO,UAAU,UAAU;AACvC,WAAO;AAAA,EACT;AACA,QAAM,YAAa,MAAkC;AACrD,MAAI,OAAO,cAAc,YAAY,UAAU,WAAW,GAAG;AAC3D,WAAO;AAAA,EACT;AACA,QAAM,QAAQ,UAAU,YAAY,GAAG;AACvC,QAAM,OAAO,SAAS,IAAI,UAAU,MAAM,QAAQ,CAAC,IAAI;AACvD,SAAO,KAAK,SAAS,IAAI,OAAO;AAClC;;;ACnHA,SAASC,eAAc,QAAoC;AACzD,MAAI,WAAW,UAAa,OAAO,WAAW,GAAG;AAC/C,WAAO;AAAA,EACT;AACA,SAAO,kBAAkB,MAAM;AACjC;AAiCA,eAAsB,uCACpB,QAC8C;AAC9C,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA,SAAS;AAAA,IACT;AAAA,IACA;AAAA,IACA;AAAA,EACF,IAAI;AAEJ,QAAM,UAAU,wBAAwB,SAAS;AACjD,QAAM,WAAWA,eAAc,MAAM;AAErC,QAAM,YAIF;AAAA,IACF;AAAA,EACF;AACA,MAAI,UAAU,QAAW;AACvB,cAAU,QAAQ;AAAA,EACpB;AACA,MAAI,UAAU,QAAW;AACvB,cAAU,QAAQ;AAAA,EACpB;AAEA,QAAM,SAAS,MAAM,QAAQ,SAAS,kCAAkC,MACrE,OAAO,EAAE,UAAU,YAAY,CAAC,EAChC,OAAO,EAAE,IAAI,SAAS,CAAC,EACvB,GAAG,SAAS;AAEf,QAAM,SACJ,OAAO,QAAQ,CAAC,GAChB,IAAI,CAAC,SAAS;AAAA,IACd,UAAU,IAAI;AAAA,IACd,aAAa,IAAI;AAAA,IACjB,IAAI,IAAI;AAAA,IACR,QAAQ,IAAI;AAAA,IACZ,QAAQ,IAAI;AAAA,IACZ,kBAAkB,IAAI;AAAA,IACtB,SAAS,IAAI;AAAA,IACb,KAAK,IAAI;AAAA,IACT,aAAa,IAAI;AAAA,IACjB,sBAAsB,IAAI;AAAA,IAC1B,sBAAsB,IAAI;AAAA,EAC5B,EAAE;AAEF,SAAO,EAAE,OAAO,QAAQ,OAAO,UAAU,KAAK;AAChD;;;ACzIA,IAAMC,MAAK;AA8BX,SAAS,aAAa,OAAwB;AAC5C,SAAO,OAAO,UAAU,YAAY,OAAO,SAAS,KAAK,IAAI,QAAQ;AACvE;AAMA,eAAsB,wBACpB,QAC+B;AAC/B,QAAM,EAAE,SAAS,WAAW,OAAO,OAAO,IAAI;AAC9C,QAAM,EAAE,SAAS,IAAI;AACrB,QAAM,UAAU,wBAAwB,SAAS;AAEjD,QAAM,eAAe,MAAM,QAAQ;AAAA,IACjC,MAAM;AAAA,MAAK,EAAE,QAAQ,YAAY;AAAA,MAAG,CAAC,GAAG,UACtC,QAAQ,SAAS,UAAU,MACxB,KAAK,EAAE,UAAU,WAAW,OAAO,KAAK,EAAE,CAAC,EAC3C,GAAG;AAAA,IACR;AAAA,EACF;AAEA,SAAO,iBASL,MAAM,cAAc;AAAA,IACpB,SAAS,CAAC,eACR;AAAA,MACE,QAAQ,SAAS;AAAA,MACjB,WAAW,IAAI,CAAC,QAAQ,EAAE,UAAU,IAAI,IAAIA,IAAG,EAAE;AAAA,IACnD;AAAA,IASF,OAAO,CAAC,SAAS,KAAK;AAAA;AAAA;AAAA;AAAA,IAItB,YAAY,CAAC,IAAI,UAAU;AAAA,MACzB;AAAA,MACA,UAAU;AAAA,QACR,cAAc;AAAA,QACd;AAAA,QACA,GAAI,KAAK,MAAM,KAAK,QAAQ;AAAA,QAC5B,QAAQ;AAAA,UACN,kBAAkB,aAAa,KAAK,gBAAgB;AAAA,UACpD,uBAAuB,aAAa,KAAK,qBAAqB;AAAA,UAC9D,wBAAwB,aAAa,KAAK,sBAAsB;AAAA,QAClE;AAAA,MACF;AAAA,IACF;AAAA;AAAA;AAAA,IAGA,mBAAmB,CAAC,IAAI,YAAY;AAAA,MAClC;AAAA,MACA,UAAU;AAAA,QACR,cAAc;AAAA,QACd;AAAA,QACA,GAAG;AAAA,QACH,QAAQ;AAAA,UACN,kBAAkB;AAAA,UAClB,uBAAuB;AAAA,UACvB,wBAAwB;AAAA,QAC1B;AAAA,MACF;AAAA,IACF;AAAA,EACF,CAAC;AACH;;;AC/CA,SAASC,cAAa,OAAwB;AAC5C,SAAO,OAAO,UAAU,YAAY,OAAO,SAAS,KAAK,IAAI,QAAQ;AACvE;AAGA,SAAS,iBAAiB,UAAiC;AACzD,SAAO;AAAA,IACL;AAAA,IACA,aAAa;AAAA,IACb,OAAM,oBAAI,KAAK,GAAE,YAAY;AAAA,IAC7B,SAAS;AAAA,IACT,WAAW;AAAA,IACX,WAAW;AAAA,IACX,QAAQ;AAAA,EACV;AACF;AAeA,eAAsB,iCAAiC,QAGnB;AAClC,QAAM,EAAE,UAAU,UAAU,IAAI;AAChC,QAAM,UAAU,wBAAwB,SAAS;AACjD,QAAM,UAAU,iBAAiB,QAAQ;AAEzC,QAAM,mBAAmB,MAAM,wBAAwB;AAAA,IACrD;AAAA,IACA;AAAA,IACA,MAAM;AAAA,EACR,CAAC;AACD,QAAM,qBAAqB,iBAAiB;AAK5C,QAAM,cAAc,MAAM,yBAAyB;AAAA,IACjD;AAAA,IACA;AAAA,IACA,MAAM;AAAA,EACR,CAAC;AACD,MAAI,gBAAgB;AACpB,aAAW,SAAS,YAAY,SAAS;AACvC,UAAM,gBAAgB,qBAAqB,MAAM,UAAU,WAAW;AACtE,QAAI,kBAAkB,QAAW;AAC/B,uBAAiB;AAAA,IACnB;AAAA,EACF;AAEA,QAAM,UAAU,MAAM,QAAQ,SAAS,OACpC,IAAI,EAAE,UAAU,IAAI,UAAU,CAAC,EAC/B,GAAG;AAEN,QAAM,QAAkC,CAAC;AACzC,QAAM,aAA4C;AAAA,IAChD;AAAA,IACA;AAAA,EACF;AAEA,aAAW,WAAW,OAAO,KAAK,UAAU,GAA2B;AACrE,UAAM,WAAWA,cAAa,QAAQ,OAAO,OAAO,CAAC;AACrD,UAAM,WAAW,WAAW,OAAO;AACnC,QAAI,aAAa,UAAU;AACzB,YAAM,KAAK;AAAA,QACT,QAAQ,eAAe;AAAA,QACvB,IAAI;AAAA,QACJ;AAAA,QACA,KAAK;AAAA,QACL,KAAK;AAAA,MACP,CAAC;AAAA,IACH;AAAA,EACF;AAEA,MAAI,MAAM,SAAS,GAAG;AACpB,UAAM,QAAQ,SAAS,OACpB,MAAM,EAAE,UAAU,IAAI,UAAU,CAAC,EACjC,IAAI,UAAU,EACd,GAAG;AAAA,EACR;AAEA,SAAO,EAAE,MAAM;AACjB;AAiBA,eAAsB,oCAAoC,QAItB;AAClC,QAAM,EAAE,UAAU,aAAa,UAAU,IAAI;AAC7C,QAAM,UAAU,wBAAwB,SAAS;AAGjD,MAAI,mBAAmB;AACvB,MAAI,mBAAkC;AACtC,KAAG;AACD,UAAM,OAAO,MAAM,mCAAmC;AAAA,MACpD;AAAA,MACA;AAAA,MACA,QAAQ;AAAA,MACR;AAAA,IACF,CAAC;AACD,wBAAoB,KAAK,MAAM;AAC/B,uBAAmB,KAAK;AAAA,EAC1B,SAAS,qBAAqB;AAK9B,MAAI,wBAAwB;AAC5B,MAAI,yBAAyB;AAC7B,MAAI,uBAAsC;AAC1C,KAAG;AACD,UAAM,OAAO,MAAM,uCAAuC;AAAA,MACxD;AAAA,MACA;AAAA,MACA,QAAQ;AAAA,MACR;AAAA,IACF,CAAC;AACD,eAAW,QAAQ,KAAK,OAAO;AAC7B,YAAM,YAAY,MAAM;AAAA,QACtB;AAAA,QACA;AAAA,QACA,KAAK;AAAA,MACP;AACA,UAAI,sBAAsB,EAAE,WAAW,QAAQ,KAAK,OAAO,CAAC,GAAG;AAC7D,iCAAyB;AAAA,MAC3B,OAAO;AACL,kCAA0B;AAAA,MAC5B;AAAA,IACF;AACA,2BAAuB,KAAK;AAAA,EAC9B,SAAS,yBAAyB;AAElC,QAAM,UAAU,MAAM,QAAQ,SAAS,UACpC,IAAI,EAAE,UAAU,IAAI,aAAa,IAAI,UAAU,CAAC,EAChD,GAAG;AAEN,QAAM,QAAkC,CAAC;AACzC,QAAM,aAA+C;AAAA,IACnD;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAEA,aAAW,WAAW,OAAO,KAAK,UAAU,GAA8B;AACxE,UAAM,WAAWA,cAAa,QAAQ,OAAO,OAAO,CAAC;AACrD,UAAM,WAAW,WAAW,OAAO;AACnC,QAAI,aAAa,UAAU;AACzB,YAAM,KAAK;AAAA,QACT,QAAQ,eAAe;AAAA,QACvB,IAAI;AAAA,QACJ;AAAA,QACA;AAAA,QACA,KAAK;AAAA,QACL,KAAK;AAAA,MACP,CAAC;AAAA,IACH;AAAA,EACF;AAEA,MAAI,MAAM,SAAS,GAAG;AACpB,UAAM,QAAQ,SAAS,UACpB,MAAM,EAAE,UAAU,IAAI,aAAa,IAAI,UAAU,CAAC,EAClD,IAAI,UAAU,EACd,GAAG;AAAA,EACR;AAEA,SAAO,EAAE,MAAM;AACjB;AAUA,eAAsB,+BAA+B,QAGjB;AAClC,QAAM,EAAE,QAAQ,UAAU,IAAI;AAC9B,QAAM,UAAU,wBAAwB,SAAS;AAEjD,QAAM,iBAAiB,MAAM,gCAAgC;AAAA,IAC3D;AAAA,IACA,MAAM;AAAA,IACN;AAAA,EACF,CAAC;AACD,QAAM,oBAAoB,MAAM,gCAAgC;AAAA,IAC9D;AAAA,IACA,MAAM;AAAA,IACN;AAAA,EACF,CAAC;AAED,QAAM,UAAU,MAAM,QAAQ,SAAS,KACpC,IAAI,EAAE,IAAI,QAAQ,IAAI,UAAU,CAAC,EACjC,GAAG;AAEN,QAAM,QAAkC,CAAC;AACzC,QAAM,aAA0C;AAAA,IAC9C;AAAA,IACA;AAAA,EACF;AAEA,aAAW,WAAW,OAAO,KAAK,UAAU,GAAyB;AACnE,UAAM,WAAWA,cAAa,QAAQ,OAAO,OAAO,CAAC;AACrD,UAAM,WAAW,WAAW,OAAO;AACnC,QAAI,aAAa,UAAU;AACzB,YAAM,KAAK;AAAA,QACT,QAAQ,eAAe;AAAA,QACvB,IAAI;AAAA,QACJ;AAAA,QACA,KAAK;AAAA,QACL,KAAK;AAAA,MACP,CAAC;AAAA,IACH;AAAA,EACF;AAEA,MAAI,MAAM,SAAS,GAAG;AACpB,UAAM,QAAQ,SAAS,KACpB,MAAM,EAAE,IAAI,QAAQ,IAAI,UAAU,CAAC,EACnC,IAAI,UAAU,EACd,GAAG;AAAA,EACR;AAEA,SAAO,EAAE,MAAM;AACjB;AAQA,eAAe,cACb,SACA,UACA,kBAC6B;AAC7B,QAAM,WAAW,MAAM,QAAQ,SAAS,eACrC,IAAI,EAAE,UAAU,IAAI,kBAAkB,IAAI,UAAU,CAAC,EACrD,GAAG;AACN,MAAI,CAAC,SAAS,MAAM;AAClB,WAAO;AAAA,EACT;AACA,QAAM,WAAW,KAAK,MAAM,SAAS,KAAK,QAAQ;AAIlD,SAAO,iBAAiB,QAAQ;AAClC;;;ACpVA,IAAMC,MAAK;AA8BX,SAASC,cAAa,OAAwB;AAC5C,SAAO,OAAO,UAAU,YAAY,OAAO,SAAS,KAAK,IAAI,QAAQ;AACvE;AAOA,eAAsB,qBACpB,QAC4B;AAC5B,QAAM,EAAE,WAAW,OAAO,OAAO,IAAI;AACrC,QAAM,UAAU,wBAAwB,SAAS;AAEjD,QAAM,eAAe,MAAM,QAAQ;AAAA,IACjC,MAAM;AAAA,MAAK,EAAE,QAAQ,YAAY;AAAA,MAAG,CAAC,GAAG,UACtC,QAAQ,SAAS,OAAO,MAAM,KAAK,EAAE,WAAW,OAAO,KAAK,EAAE,CAAC,EAAE,GAAG;AAAA,IACtE;AAAA,EACF;AAEA,SAAO,iBAQL,MAAM,cAAc;AAAA,IACpB,SAAS,CAAC,eACR;AAAA,MACE,QAAQ,SAAS;AAAA,MACjB,WAAW,IAAI,CAAC,QAAQ,EAAE,UAAU,IAAI,IAAID,IAAG,EAAE;AAAA,IACnD;AAAA,IAQF,OAAO,CAAC,SAAS,KAAK;AAAA;AAAA;AAAA;AAAA,IAItB,YAAY,CAAC,IAAI,UAAU;AAAA,MACzB;AAAA,MACA,UAAU;AAAA,QACR,cAAc;AAAA,QACd;AAAA,QACA,GAAI,KAAK,MAAM,KAAK,QAAQ;AAAA,QAC5B,QAAQ;AAAA,UACN,eAAeC,cAAa,KAAK,aAAa;AAAA,UAC9C,oBAAoBA,cAAa,KAAK,kBAAkB;AAAA,QAC1D;AAAA,MACF;AAAA,IACF;AAAA;AAAA;AAAA,IAGA,mBAAmB,CAAC,IAAI,YAAY;AAAA,MAClC;AAAA,MACA,UAAU;AAAA,QACR,cAAc;AAAA,QACd;AAAA,QACA,GAAG;AAAA,QACH,QAAQ,EAAE,eAAe,GAAG,oBAAoB,EAAE;AAAA,MACpD;AAAA,IACF;AAAA,EACF,CAAC;AACH;;;ACpGA,IAAMC,MAAK;AAgCX,SAASC,cAAa,OAAwB;AAC5C,SAAO,OAAO,UAAU,YAAY,OAAO,SAAS,KAAK,IAAI,QAAQ;AACvE;AAOA,eAAsB,mBACpB,QACyB;AACzB,QAAM,EAAE,WAAW,OAAO,OAAO,IAAI;AACrC,QAAM,UAAU,wBAAwB,SAAS;AAEjD,QAAM,eAAe,MAAM,QAAQ;AAAA,IACjC,MAAM;AAAA,MAAK,EAAE,QAAQ,YAAY;AAAA,MAAG,CAAC,GAAG,UACtC,QAAQ,SAAS,KAAK,MAAM,KAAK,EAAE,WAAW,OAAO,KAAK,EAAE,CAAC,EAAE,GAAG;AAAA,IACpE;AAAA,EACF;AAEA,SAAO,iBAQL,MAAM,cAAc;AAAA,IACpB,SAAS,CAAC,eACR;AAAA,MACE,QAAQ,SAAS;AAAA,MACjB,WAAW,IAAI,CAAC,QAAQ,EAAE,IAAI,IAAID,IAAG,EAAE;AAAA,IACzC;AAAA,IAQF,OAAO,CAAC,SAAS,KAAK;AAAA;AAAA;AAAA;AAAA,IAItB,YAAY,CAAC,IAAI,UAAU;AAAA,MACzB;AAAA,MACA,UAAU;AAAA,QACR,cAAc;AAAA,QACd;AAAA,QACA,GAAI,KAAK,MAAM,KAAK,QAAQ;AAAA,QAC5B,QAAQ;AAAA,UACN,gBAAgBC,cAAa,KAAK,cAAc;AAAA,UAChD,mBAAmBA,cAAa,KAAK,iBAAiB;AAAA,QACxD;AAAA,MACF;AAAA,IACF;AAAA;AAAA;AAAA,IAGA,mBAAmB,CAAC,IAAI,YAAY;AAAA,MAClC;AAAA,MACA,UAAU;AAAA,QACR,cAAc;AAAA,QACd;AAAA,QACA,GAAG;AAAA,QACH,QAAQ,EAAE,gBAAgB,GAAG,mBAAmB,EAAE;AAAA,MACpD;AAAA,IACF;AAAA,EACF,CAAC;AACH;;;AC9DA,SAAS,cAAc,UAAiC;AACtD,SAAO;AAAA,IACL;AAAA,IACA,aAAa;AAAA,IACb,OAAM,oBAAI,KAAK,GAAE,YAAY;AAAA,IAC7B,SAAS;AAAA,IACT,WAAW;AAAA,IACX,WAAW;AAAA,IACX,QAAQ;AAAA,EACV;AACF;AAOA,eAAsB,8BACpB,SAEI,CAAC,GAC4B;AACjC,QAAM,EAAE,UAAU,IAAI;AACtB,QAAM,QAAkC,CAAC;AACzC,MAAI,iBAAiB;AACrB,MAAI,oBAAoB;AACxB,MAAI,eAAe;AAGnB,QAAM,UAAU,MAAM,qBAAqB;AAAA,IACzC,SAAS,cAAc,EAAE;AAAA,IACzB;AAAA,IACA,MAAM;AAAA,EACR,CAAC;AACD,aAAW,UAAU,QAAQ,SAAS;AACpC,sBAAkB;AAClB,UAAM,eAAe,MAAM,iCAAiC;AAAA,MAC1D,UAAU,OAAO;AAAA,MACjB;AAAA,IACF,CAAC;AACD,UAAM,KAAK,GAAG,aAAa,KAAK;AAEhC,UAAM,aAAa,MAAM,wBAAwB;AAAA,MAC/C,SAAS,cAAc,OAAO,EAAE;AAAA,MAChC;AAAA,MACA,MAAM;AAAA,IACR,CAAC;AACD,eAAW,aAAa,WAAW,SAAS;AAC1C,2BAAqB;AACrB,YAAM,kBAAkB,MAAM,oCAAoC;AAAA,QAChE,UAAU,OAAO;AAAA,QACjB,aAAa,UAAU;AAAA,QACvB;AAAA,MACF,CAAC;AACD,YAAM,KAAK,GAAG,gBAAgB,KAAK;AAAA,IACrC;AAAA,EACF;AAGA,QAAM,QAAQ,MAAM,mBAAmB;AAAA,IACrC,SAAS,cAAc,EAAE;AAAA,IACzB;AAAA,IACA,MAAM;AAAA,EACR,CAAC;AACD,aAAW,QAAQ,MAAM,SAAS;AAChC,oBAAgB;AAChB,UAAM,aAAa,MAAM,+BAA+B;AAAA,MACtD,QAAQ,KAAK;AAAA,MACb;AAAA,IACF,CAAC;AACD,UAAM,KAAK,GAAG,WAAW,KAAK;AAAA,EAChC;AAEA,SAAO;AAAA,IACL;AAAA,IACA,SAAS;AAAA,MACP,SAAS;AAAA,MACT,YAAY;AAAA,MACZ,OAAO;AAAA,IACT;AAAA,IACA,mBAAmB,MAAM;AAAA,EAC3B;AACF;;;AjC/FO,IAAM,2BAA2B,OACtC,SACoC;AACpC,QAAM,SAAS,MAAM,KAAK,aAAa;AAIvC,UAAQ;AAAA,IACN,KAAK,UAAU;AAAA,MACb,SAAS;AAAA,MACT,SAAS,OAAO;AAAA,MAChB,mBAAmB,OAAO;AAAA,MAC1B,OAAO,OAAO;AAAA,IAChB,CAAC;AAAA,EACH;AAEA,SAAO;AACT;AAEA,IAAM,yBAAyB,OAA0C;AAAA,EACvE,cAAc,MAAM,8BAA8B;AACpD;AAEO,IAAM,UAAU,YACrB,yBAAyB,uBAAuB,CAAC;","names":["exports","exports","exports","exports","exports","exports","exports","exports","publishWorkflowEvent","exports","exports","exports","exports","exports","import_electrodb","import_electrodb","import_electrodb","import_electrodb","import_electrodb","import_electrodb","import_electrodb","import_electrodb","import_electrodb","import_electrodb","import_electrodb","import_electrodb","import_electrodb","import_types","entries","import_types","buildSkPrefix","SK","counterValue","SK","counterValue","SK","counterValue"]}
1	+ {"version":3,"sources":["../../workflows/src/envelope-version.ts","../../workflows/src/envelope.ts","../../workflows/src/sources.ts","../../workflows/src/detail-types/registry.ts","../../workflows/src/detail-types/control-plane.ts","../../workflows/src/detail-types/platform.ts","../../workflows/src/detail-types/index.ts","../../workflows/src/publisher.ts","../../workflows/src/consumer.ts","../../workflows/src/dedup/env.ts","../../workflows/src/dedup/workflow-dedup-client.ts","../../workflows/src/dedup/index.ts","../../workflows/src/index.ts","../src/workflows/control-plane/counter-reconciliation/counter-reconciliation.handler.ts","../src/data/dynamo/dynamo-control-service.ts","../src/data/dynamo/dynamo-client.ts","../src/data/dynamo/entities/control/configuration-entity.ts","../src/data/dynamo/entities/control/control-entity-common.ts","../src/data/dynamo/shard.ts","../src/data/dynamo/entities/control/configuration-user-projection-entity.ts","../src/data/dynamo/entities/control/configuration-workspace-projection-entity.ts","../src/data/dynamo/entities/control/membership-entity.ts","../src/data/dynamo/entities/control/membership-user-projection-entity.ts","../src/data/dynamo/entities/control/membership-workspace-projection-entity.ts","../src/data/dynamo/entities/control/role-entity.ts","../src/data/dynamo/entities/control/roleassignment-entity.ts","../src/data/dynamo/entities/control/roleassignment-user-projection-entity.ts","../src/data/dynamo/entities/control/roleassignment-workspace-projection-entity.ts","../src/data/dynamo/entities/control/tenant-entity.ts","../src/data/dynamo/entities/control/user-entity.ts","../src/data/dynamo/entities/control/workspace-entity.ts","../src/data/operations/control/counters/counter-apply-operation.ts","../src/data/operations/control/counters/role-admin-classification.ts","../src/data/operations/control/control-event-publisher.ts","../src/data/operations/control/membership/membership-list-by-user-operation.ts","../src/data/operations/control/membership/membership-count-by-user-operation.ts","../src/data/operations/control/membership/membership-list-by-workspace-operation.ts","../src/data/operations/data-operations-common.ts","../src/lib/compression.ts","../src/data/operations/control/membership/membership-list-operation.ts","../src/data/operations/control/membership/membership-user-projection.ts","../src/data/operations/control/roleassignment/roleassignment-list-by-workspace-operation.ts","../src/data/operations/control/workspace/workspace-list-operation.ts","../src/data/operations/control/counters/counter-reconcile-operation.ts","../src/data/operations/control/tenant/tenant-list-operation.ts","../src/data/operations/control/user/user-list-operation.ts","../src/data/operations/control/counters/counter-reconcile-driver.ts"],"sourcesContent":["/*\n Envelope version pinned by the publisher SDK on every emitted envelope.\n \n Shape is `\"<major>.<minor>\"` per TR-016 §Open Items #3 (P1).\n * Additive optional fields bump the minor; breaking changes bump the\n * major and require a documented overlap window in the consumer SDK.\n /\nexport const ENVELOPE_VERSION = \"1.0\";\n\nconst ENVELOPE_VERSION_PATTERN = /^\\d+\\.\\d+$/;\n\n/\n Lowest envelope major version this SDK's consumer parser accepts.\n \n Bump this when a deprecated major reaches end-of-life and the\n * overlap window closes.\n /\nconst MIN_SUPPORTED_MAJOR = 1;\n\n/\n Highest envelope major version this SDK's consumer parser accepts.\n \n Bump this in lockstep with `ENVELOPE_VERSION` whenever a new major\n * ships; the consumer always supports its own publish major.\n /\nconst MAX_SUPPORTED_MAJOR = 1;\n\n/\n Return `true` when `version` is shaped `<major>.<minor>` and its\n * major lies within `[MIN_SUPPORTED_MAJOR, MAX_SUPPORTED_MAJOR]`.\n /\nexport function isSupportedEnvelopeVersion(version: string): boolean {\n if (!ENVELOPE_VERSION_PATTERN.test(version)) {\n return false;\n }\n const major = Number.parseInt(version.split(\".\")[0], 10);\n return major >= MIN_SUPPORTED_MAJOR && major <= MAX_SUPPORTED_MAJOR;\n}\n","import type { OhiJwtClaims } from \"@openhi/types\";\n\n/\n Discriminated-union actor field per ADR-016 §Decision #3.\n \n User-initiated workflows project the four ADR-014 JWT claims (with\n * `ohi_tid` / `ohi_wid` required — a workflow event without a tenant\n * + workspace context belongs to the `system` variant); bootstrap\n * workflows run before a User exists and carry the bootstrap-role\n * name instead. The `system` value is free-form pending the\n * onboarding-bootstrap IAM role TR (TR-016 §Open Items #4).\n /\nexport type WorkflowActor = WorkflowUserActor \| WorkflowSystemActor;\n\n/* User-actor variant — required projection of the ADR-014 JWT claims. /\nexport interface WorkflowUserActor {\n readonly ohi_tid: string;\n readonly ohi_wid: string;\n readonly ohi_uid: string;\n readonly ohi_uname: string;\n}\n\n/* Bootstrap-actor variant — carries the bootstrap-role name. /\nexport interface WorkflowSystemActor {\n readonly system: string;\n}\n\n/\n Type guard for the user-actor variant.\n /\nexport function isWorkflowUserActor(\n actor: WorkflowActor,\n): actor is WorkflowUserActor {\n return (actor as WorkflowUserActor).ohi_uid !== undefined;\n}\n\n/\n Type guard for the system-actor variant.\n /\nexport function isWorkflowSystemActor(\n actor: WorkflowActor,\n): actor is WorkflowSystemActor {\n return (actor as WorkflowSystemActor).system !== undefined;\n}\n\n/\n Standard workflow event envelope per ADR-016 §Decision #3 / TR-016.\n \n The generic `TPayload` parameter narrows the per-workflow payload.\n \n Field naming note: the payload lives under `payload` (not `detail`)\n * deliberately. EventBridge's outer event already has its own `detail`\n * field that carries this whole envelope; nesting another `detail`\n * inside it produced double-`detail` paths in rule patterns\n * (`detail.detail.<x>`) that consistently bit consumers writing\n * filters. The unambiguous name is worth the rename.\n /\nexport interface WorkflowEvent<TPayload = Record<string, unknown>> {\n /* Per-event UUID. Dedup keys on `(eventId, attempt)`. /\n readonly eventId: string;\n /* 1-indexed delivery attempt. /\n readonly attempt: number;\n /* Originating cross-plane chain identifier. /\n readonly correlationId: string;\n /* Immediate predecessor event id, or null for a chain origin. /\n readonly causationId: string \| null;\n /* Discriminated actor — JWT-claim projection or bootstrap-role marker. /\n readonly actor: WorkflowActor;\n /* ISO-8601 timestamp marking when the envelope was constructed. /\n readonly occurredAt: string;\n /* Semver-shaped envelope version (e.g. `\"1.0\"`). /\n readonly envelopeVersion: string;\n /* Per-workflow payload narrowed by the generic parameter. /\n readonly payload: TPayload;\n}\n\n/\n Promote a raw `OhiJwtClaims` projection to a fully-required\n * `WorkflowUserActor`.\n \n Throws `MissingActorContextError` when `ohi_tid` or `ohi_wid` is\n * absent — those claims are optional on the JWT but required on the\n * workflow user-actor.\n /\nexport function workflowUserActorFromClaims(\n claims: OhiJwtClaims,\n): WorkflowUserActor {\n if (claims.ohi_tid === undefined \|\| claims.ohi_wid === undefined) {\n throw new MissingActorContextError(\n \"workflowUserActorFromClaims: ohi_tid and ohi_wid are required on the workflow user-actor; the caller's JWT is missing one or both. Use a system-actor for pre-provisioning bootstrap workflows.\",\n );\n }\n return {\n ohi_tid: claims.ohi_tid,\n ohi_wid: claims.ohi_wid,\n ohi_uid: claims.ohi_uid,\n ohi_uname: claims.ohi_uname,\n };\n}\n\n/* Thrown when JWT claims lack a field required by the workflow user-actor. /\nexport class MissingActorContextError extends Error {\n /* @param message - human-readable description of the missing claim. /\n constructor(message: string) {\n super(message);\n this.name = \"MissingActorContextError\";\n }\n}\n","/\n Per-bus `Source` constants for the three OpenHI EventBridge buses.\n \n Every workflow event carries one of these values in its EventBridge\n * `Source` field. Bus selection follows ADR-016 §Decision #1.\n \n @see https://github.com/codedrifters/openhi-planning/blob/main/docs/src/content/docs/requirements/architectural-decisions/ADR-016-workflow-boundary-strategy.md\n /\n\n/* Source for control-plane workflow events (Tenant / Workspace / User / Membership / Role / RoleAssignment / Configuration). /\nexport const OPENHI_CONTROL_SOURCE = \"openhi.control\" as const;\n\n/* Source for data-plane workflow events (committed writes to the FHIR data store). /\nexport const OPENHI_DATA_SOURCE = \"openhi.data\" as const;\n\n/* Source for ops-plane workflow events (platform telemetry, deployments, build events). /\nexport const OPENHI_OPS_SOURCE = \"openhi.ops\" as const;\n\n/\n Discriminated union over the three OpenHI EventBridge sources.\n \n A publisher that passes any other string for the EventBridge `Source`\n * field is rejected at compile time.\n /\nexport type OpenHiSource =\n \| typeof OPENHI_CONTROL_SOURCE\n \| typeof OPENHI_DATA_SOURCE\n \| typeof OPENHI_OPS_SOURCE;\n\n/\n Default EventBridge bus name for each OpenHI source.\n \n Deployments may override per-source via\n * `PublisherOptions.busNameByPlane`.\n /\nexport const DEFAULT_BUS_NAME_BY_SOURCE: Record<OpenHiSource, string> = {\n [OPENHI_CONTROL_SOURCE]: \"openhi-control-event-bus\",\n [OPENHI_DATA_SOURCE]: \"openhi-data-event-bus\",\n [OPENHI_OPS_SOURCE]: \"openhi-ops-event-bus\",\n};\n","import type { OpenHiSource } from \"../sources\";\n\n/\n One entry in the workflow detail-type registry.\n \n Each registered detail-type binds a typed `detail` payload to:\n * - the EventBridge `Source` (and therefore the bus) it ships on,\n * - the `detail-type` string consumers subscribe to,\n * - per-event metadata (`crossPlane`, `dedupRequired`) read by\n * downstream tooling (AsyncAPI generator, placement matrix).\n \n The `_detail` property is a phantom marker type only — never\n * read, never written, never instantiated. It carries the\n * compile-time TDetail through the entry so callers of\n * `publishWorkflowEvent` / `parseWorkflowEvent` see the typed\n * payload at the call site.\n /\nexport interface WorkflowDetailTypeEntry<TDetail> {\n /* Versioned detail-type string, e.g. `tenant.onboarded.v1`. /\n readonly detailType: string;\n /* The bus this detail-type ships on (compile-time enforced). /\n readonly source: OpenHiSource;\n /* Phantom marker carrying the payload shape. /\n readonly _detail?: TDetail;\n /* Marks events that cross plane boundaries (placement-matrix metadata). /\n readonly crossPlane?: boolean;\n /* Marks events that retryable consumers MUST dedupe on. /\n readonly dedupRequired?: boolean;\n}\n\n/\n Declare a registry entry with type inference.\n \n Call sites:\n \n ```ts\n * export const TenantOnboardedV1 = defineDetailType<TenantOnboardedV1Detail>({\n * detailType: \"tenant.onboarded.v1\",\n * source: OPENHI_CONTROL_SOURCE,\n * dedupRequired: true,\n * });\n * ```\n \n Detail-type strings follow `<area>.<event>.<version>` (TR-016 §Open\n * Items #2). The conformance regex below is the platform-wide format.\n /\nexport function defineDetailType<TDetail>(\n entry: Omit<WorkflowDetailTypeEntry<TDetail>, \"_detail\">,\n): WorkflowDetailTypeEntry<TDetail> {\n if (!isWellFormedDetailType(entry.detailType)) {\n throw new InvalidDetailTypeRegistrationError(\n `Detail-type \"${entry.detailType}\" does not match the platform-wide format <area>.<event>.v<integer>. See TR-016 §Open Items #2.`,\n );\n }\n return entry;\n}\n\n/\n Pattern enforced on every registered detail-type:\n * `<area>.<event>.v<integer>` where each segment is lowercase\n * alphanumeric with optional dashes.\n \n Multi-level areas (e.g. `fhir.audit-event.recorded.v1`) are\n * intentionally not yet allowed; TR-016 §Open Items #2 defers that.\n /\nconst DETAIL_TYPE_PATTERN =\n /^[a-z0-9]+(?:-[a-z0-9]+)\\.[a-z0-9]+(?:-[a-z0-9]+)\\.v\\d+$/;\n\n/* Return `true` when `detailType` matches the platform-wide format. /\nexport function isWellFormedDetailType(detailType: string): boolean {\n return DETAIL_TYPE_PATTERN.test(detailType);\n}\n\n/* Thrown by `defineDetailType` when the supplied string violates the format. /\nexport class InvalidDetailTypeRegistrationError extends Error {\n /* @param message - human-readable description of the violation. /\n constructor(message: string) {\n super(message);\n this.name = \"InvalidDetailTypeRegistrationError\";\n }\n}\n","import {\n OPENHI_CONTROL_SOURCE,\n OPENHI_DATA_SOURCE,\n OPENHI_OPS_SOURCE,\n} from \"../sources\";\nimport { defineDetailType } from \"./registry\";\n\n/\n Owning-entity types covered by the TR-022 hard-delete cascade.\n * The cascade pipeline today targets {@link OWNING_ENTITY_TYPE.Workspace}\n * and {@link OWNING_ENTITY_TYPE.User} — the two owning entities whose\n * deletion orphans adjacency-list projections under their partition.\n * Tenant hard-delete is intentionally out of scope (it cascades a much\n * wider graph and is handled outside this pipeline).\n /\nexport const OWNING_ENTITY_TYPE = {\n Workspace: \"Workspace\",\n User: \"User\",\n} as const;\n/* Union of the values of {@link OWNING_ENTITY_TYPE}. /\nexport type OwningEntityType =\n (typeof OWNING_ENTITY_TYPE)[keyof typeof OWNING_ENTITY_TYPE];\n\n/\n Payload (`detail.payload`) of `control-plane.owning-delete.v1` —\n * published on the `openhi.data` data event bus when the Firehose\n * transform Lambda observes a stream record showing\n * `lifecycleState: active → deleting` on a canonical Workspace or\n * User record. The owning-delete cascade state machine subscribes to\n * this detail-type.\n \n The full EventBridge `detail` carries this payload nested inside a\n * `WorkflowEvent<ControlPlaneOwningDeleteV1Detail>` envelope per\n * ADR-016 standard envelope shape — `eventId`, `attempt`,\n * `correlationId`, `causationId`, `actor`, `occurredAt` live on the\n * envelope, not on this payload.\n \n @see .state/adr-018-implementation-guide.md section 4 (TR-022 Hard-Delete-Cascade Contract)\n /\nexport interface ControlPlaneOwningDeleteV1Detail {\n readonly ownerType: OwningEntityType;\n readonly ownerId: string;\n /* Present for Workspace owners; absent for User (cross-tenant identity). /\n readonly tenantId?: string;\n}\n\n/\n Registry entry for `control-plane.owning-delete.v1`.\n \n The platform-wide detail-type format\n * (`<area>.<event>.v<integer>` enforced by `isWellFormedDetailType`)\n * does not allow the bare `ControlPlaneOwningDelete` shape the\n * ADR-018 implementation guide pseudocode uses; the registered string\n * is the format-compliant equivalent. The EventBridge rule pattern on\n * the cascade state machine matches this exact string.\n \n `dedupRequired: true` — the cascade state machine MUST dedupe on\n * `(eventId, attempt)` via `WorkflowDedupClient` so EventBridge retries\n * (which the data event bus delivers at-least-once) never start two\n * concurrent cascades on the same owning entity.\n /\nexport const ControlPlaneOwningDeleteV1 =\n defineDetailType<ControlPlaneOwningDeleteV1Detail>({\n detailType: \"control-plane.owning-delete.v1\",\n source: OPENHI_DATA_SOURCE,\n dedupRequired: true,\n });\n\n/\n Payload of `control-plane.owning-delete-complete.v1` — terminal\n * event published on the `openhi.ops` ops event bus when the cascade\n * state machine has successfully deleted every child projection and\n * the canonical owning record itself. Observability sinks subscribe\n * to this event to confirm cascade completion and emit metrics.\n \n @see .state/adr-018-implementation-guide.md section 4 (Terminal events on EventBridge)\n /\nexport interface ControlPlaneOwningDeleteCompleteV1Detail {\n readonly ownerType: OwningEntityType;\n readonly ownerId: string;\n readonly tenantId?: string;\n /* Number of `TransactWriteItems` chunks the cascade issued. /\n readonly chunkCount: number;\n /* Total number of projection rows removed by the cascade. /\n readonly projectionsRemoved: number;\n /* Wall-clock duration of the cascade, in milliseconds. /\n readonly durationMs: number;\n /* ISO-8601 UTC timestamp of cascade completion. /\n readonly completedAt: string;\n}\n\n/* Registry entry for `control-plane.owning-delete-complete.v1`. /\nexport const ControlPlaneOwningDeleteCompleteV1 =\n defineDetailType<ControlPlaneOwningDeleteCompleteV1Detail>({\n detailType: \"control-plane.owning-delete-complete.v1\",\n source: OPENHI_OPS_SOURCE,\n dedupRequired: true,\n });\n\n/\n Payload of `control-plane.owning-delete-failed.v1` — terminal event\n * published on the `openhi.ops` ops event bus when the cascade state\n * machine fails irrecoverably. The canonical owning record is left at\n * `lifecycleState = \"deleted-failed\"` for operator-driven recovery;\n * alerting subscribers fan out to oncall.\n \n @see .state/adr-018-implementation-guide.md section 4 (Terminal events on EventBridge)\n /\nexport interface ControlPlaneOwningDeleteFailedV1Detail {\n readonly ownerType: OwningEntityType;\n readonly ownerId: string;\n readonly tenantId?: string;\n /* Step Functions execution ARN — operators dereference for root cause. /\n readonly executionArn: string;\n readonly chunkCount: number;\n /* Last opaque cursor the state machine successfully processed, or null. /\n readonly lastProcessedCursor: string \| null;\n /* Short failure cause string from the Step Functions Catch block. /\n readonly failureCause: string;\n readonly failedAt: string;\n}\n\n/* Registry entry for `control-plane.owning-delete-failed.v1`. /\nexport const ControlPlaneOwningDeleteFailedV1 =\n defineDetailType<ControlPlaneOwningDeleteFailedV1Detail>({\n detailType: \"control-plane.owning-delete-failed.v1\",\n source: OPENHI_OPS_SOURCE,\n dedupRequired: true,\n });\n\n/\n Renamable entity types covered by the TR-023 rename cascade.\n \n Per ADR-018 only the three carrier entities whose display name is\n * denormalized onto Membership / RoleAssignment projections trigger a\n * cascade — Tenant, User, Role. A Workspace rename is intentionally\n * not in scope: Workspace's display name is denormalized onto the\n * Membership user-projection workspace sub-lane, but TR-024 § Open Item\n * #4 defers a formal Workspace-rename cascade — the SK falls back to a\n * sentinel until a future TR commits the contract.\n /\nexport const RENAMABLE_ENTITY_TYPE = {\n Tenant: \"Tenant\",\n User: \"User\",\n Role: \"Role\",\n} as const;\n/* Union of the values of {@link RENAMABLE_ENTITY_TYPE}. /\nexport type RenamableEntityType =\n (typeof RENAMABLE_ENTITY_TYPE)[keyof typeof RENAMABLE_ENTITY_TYPE];\n\n/\n Payload (`detail.payload`) of `control-plane.rename.v1` — published\n * on the `openhi.data` data event bus when the Firehose transform\n * Lambda observes a stream record showing a display-name change on a\n * canonical Tenant, User, or Role record. The rename-cascade state\n * machine subscribes to this detail-type.\n \n The full EventBridge `detail` carries this payload nested inside a\n * `WorkflowEvent<ControlPlaneRenameV1Detail>` envelope per ADR-016\n * standard envelope shape — `eventId`, `attempt`, `correlationId`,\n * `causationId`, `actor`, `occurredAt` live on the envelope, not on\n * this payload.\n \n The platform-wide detail-type format\n * (`<area>.<event>.v<integer>` enforced by `isWellFormedDetailType`)\n * does not allow the bare `ControlPlaneRename` shape the ADR-018\n * implementation guide pseudocode uses; the registered string is the\n * format-compliant equivalent (mirroring the\n * `control-plane.owning-delete.v1` naming).\n \n @see .state/adr-018-implementation-guide.md section 5 (TR-023 Rename-Cascade Consumer Contract)\n /\nexport interface ControlPlaneRenameV1Detail {\n readonly entityType: RenamableEntityType;\n readonly entityId: string;\n /* Present for User and Role; absent for Tenant (Tenant is the partition root). /\n readonly tenantId?: string;\n readonly oldName: string;\n readonly newName: string;\n /* Pre-computed via `extractLabel` so consumers do not re-normalize. /\n readonly oldNormalizedName: string;\n readonly newNormalizedName: string;\n}\n\n/\n Registry entry for `control-plane.rename.v1`.\n \n `dedupRequired: true` — the cascade state machine MUST dedupe on\n * `(eventId, attempt)` via `WorkflowDedupClient` so EventBridge retries\n * (which the data event bus delivers at-least-once) never start two\n * concurrent cascades on the same rename.\n /\nexport const ControlPlaneRenameV1 =\n defineDetailType<ControlPlaneRenameV1Detail>({\n detailType: \"control-plane.rename.v1\",\n source: OPENHI_DATA_SOURCE,\n dedupRequired: true,\n });\n\n/\n Payload of `control-plane.rename-complete.v1` — terminal event\n * published on the `openhi.ops` ops event bus when the cascade state\n * machine has successfully rewritten every affected projection row.\n * UI clients subscribe so they can refresh stale list views.\n \n @see .state/adr-018-implementation-guide.md section 5\n /\nexport interface ControlPlaneRenameCompleteV1Detail {\n readonly entityType: RenamableEntityType;\n readonly entityId: string;\n readonly tenantId?: string;\n readonly newName: string;\n /* Number of `TransactWriteItems` chunks the cascade issued. /\n readonly chunkCount: number;\n /* Total number of projection rows rewritten by the cascade. /\n readonly itemsRewritten: number;\n /* Wall-clock duration of the cascade, in milliseconds. /\n readonly durationMs: number;\n /* ISO-8601 UTC timestamp of cascade completion. /\n readonly completedAt: string;\n}\n\n/* Registry entry for `control-plane.rename-complete.v1`. /\nexport const ControlPlaneRenameCompleteV1 =\n defineDetailType<ControlPlaneRenameCompleteV1Detail>({\n detailType: \"control-plane.rename-complete.v1\",\n source: OPENHI_OPS_SOURCE,\n dedupRequired: true,\n });\n\n/\n Payload of `control-plane.rename-failed.v1` — terminal event\n * published on the `openhi.ops` ops event bus when the cascade state\n * machine fails irrecoverably. Alerting subscribers fan out to oncall.\n \n @see .state/adr-018-implementation-guide.md section 5\n /\nexport interface ControlPlaneRenameFailedV1Detail {\n readonly entityType: RenamableEntityType;\n readonly entityId: string;\n readonly tenantId?: string;\n /* Step Functions execution ARN — operators dereference for root cause. /\n readonly executionArn: string;\n readonly chunkCount: number;\n /* Short failure cause string from the Step Functions Catch block. /\n readonly failureCause: string;\n readonly failedAt: string;\n}\n\n/* Registry entry for `control-plane.rename-failed.v1`. /\nexport const ControlPlaneRenameFailedV1 =\n defineDetailType<ControlPlaneRenameFailedV1Detail>({\n detailType: \"control-plane.rename-failed.v1\",\n source: OPENHI_OPS_SOURCE,\n dedupRequired: true,\n });\n\n/\n Payload (`detail.payload`) of `control-plane.membership-created.v1` /\n * `control-plane.membership-deleted.v1` — published on the `openhi.control`\n * control event bus by the Membership create / delete operations on their\n * success path. The ADR-028 counter-maintenance consumer subscribes to these\n * detail-types and applies atomic ADD increments / decrements to the\n * denormalized counters on the canonical Tenant / Workspace / User records.\n \n The scope discriminator is the same `workspaceId`-set/unset distinction\n * ADR-018 uses to choose the membership projection sub-lane:\n * - `workspaceId` absent → a tenant-scoped membership (user ↔ tenant):\n * drives `Tenant.usersInTenant` and `User.tenantsForUser`.\n * - `workspaceId` present → a workspace-scoped membership (user ↔ workspace):\n * drives `Workspace.usersInWorkspace` and `User.workspacesForUser`.\n \n Carries enough context (`tenantId`, `userId`, optional `workspaceId`,\n * `membershipId`) for the consumer to adjust the right counter without an\n * extra read.\n \n @see ADR-028 — Denormalized Control-Plane Membership Counters\n /\nexport interface ControlPlaneMembershipChangedV1Detail {\n readonly membershipId: string;\n readonly tenantId: string;\n /* User the membership links; absent only when the resource omitted the reference. /\n readonly userId?: string;\n /* Present for workspace-scoped memberships; absent for tenant-scoped. /\n readonly workspaceId?: string;\n}\n\n/\n Registry entry for `control-plane.membership-created.v1`.\n \n `dedupRequired: true` — the counter-maintenance consumer MUST dedupe on\n * `(eventId, attempt)` via `WorkflowDedupClient` because the control bus\n * delivers at-least-once and an atomic `ADD` is not idempotent; a replayed\n * event would otherwise double-count.\n /\nexport const ControlPlaneMembershipCreatedV1 =\n defineDetailType<ControlPlaneMembershipChangedV1Detail>({\n detailType: \"control-plane.membership-created.v1\",\n source: OPENHI_CONTROL_SOURCE,\n dedupRequired: true,\n });\n\n/* Registry entry for `control-plane.membership-deleted.v1`. /\nexport const ControlPlaneMembershipDeletedV1 =\n defineDetailType<ControlPlaneMembershipChangedV1Detail>({\n detailType: \"control-plane.membership-deleted.v1\",\n source: OPENHI_CONTROL_SOURCE,\n dedupRequired: true,\n });\n\n/\n Payload (`detail.payload`) of `control-plane.role-assignment-created.v1` /\n * `control-plane.role-assignment-deleted.v1` — published on the `openhi.control`\n * control event bus by the RoleAssignment create / delete operations on their\n * success path. The ADR-028 counter-maintenance consumer uses the role level /\n * type carried here to classify a workspace-scoped assignment as admin vs\n * normal and adjust `Workspace.adminUsersInWorkspace` /\n * `Workspace.normalUsersInWorkspace` without re-reading the Role record.\n \n Carries `tenantId`, `userId`, optional `workspaceId`, `roleId`, the\n * `roleAssignmentId`, and `roleLevel` (the ADR-019 organization-role code /\n * level extracted from the resource at publish time).\n \n @see ADR-028 — Denormalized Control-Plane Membership Counters\n * @see ADR-019 — Organization Role Vocabulary\n /\nexport interface ControlPlaneRoleAssignmentChangedV1Detail {\n readonly roleAssignmentId: string;\n readonly tenantId: string;\n readonly userId?: string;\n /* Present for workspace-scoped assignments; absent for tenant-level. /\n readonly workspaceId?: string;\n readonly roleId?: string;\n /\n The role level / type (ADR-019 organization-role code) the consumer uses\n * to classify the assignment as admin vs normal. Absent when the resource\n * carried no extractable role code.\n /\n readonly roleLevel?: string;\n}\n\n/* Registry entry for `control-plane.role-assignment-created.v1`. /\nexport const ControlPlaneRoleAssignmentCreatedV1 =\n defineDetailType<ControlPlaneRoleAssignmentChangedV1Detail>({\n detailType: \"control-plane.role-assignment-created.v1\",\n source: OPENHI_CONTROL_SOURCE,\n dedupRequired: true,\n });\n\n/* Registry entry for `control-plane.role-assignment-deleted.v1`. /\nexport const ControlPlaneRoleAssignmentDeletedV1 =\n defineDetailType<ControlPlaneRoleAssignmentChangedV1Detail>({\n detailType: \"control-plane.role-assignment-deleted.v1\",\n source: OPENHI_CONTROL_SOURCE,\n dedupRequired: true,\n });\n\n/\n Payload (`detail.payload`) of `control-plane.workspace-created.v1` /\n * `control-plane.workspace-deleted.v1` — published on the `openhi.control`\n * control event bus by the Workspace create / delete operations on their\n * success path. The ADR-028 counter-maintenance consumer subscribes to these\n * detail-types and applies an atomic ADD increment / decrement to\n * `Tenant.workspacesInTenant`.\n \n Workspace lifecycle is the one counter driver that the Membership /\n * RoleAssignment publish set (#1317) does not cover — `workspacesInTenant`\n * is driven by workspace creation / deletion, not by relationship changes.\n \n @see ADR-028 — Denormalized Control-Plane Membership Counters (Open Item #1)\n /\nexport interface ControlPlaneWorkspaceChangedV1Detail {\n readonly workspaceId: string;\n readonly tenantId: string;\n}\n\n/\n Registry entry for `control-plane.workspace-created.v1`.\n \n `dedupRequired: true` — the counter-maintenance consumer MUST dedupe on\n * `(eventId, attempt)` via `WorkflowDedupClient` because the control bus\n * delivers at-least-once and an atomic `ADD` is not idempotent; a replayed\n * event would otherwise double-count.\n /\nexport const ControlPlaneWorkspaceCreatedV1 =\n defineDetailType<ControlPlaneWorkspaceChangedV1Detail>({\n detailType: \"control-plane.workspace-created.v1\",\n source: OPENHI_CONTROL_SOURCE,\n dedupRequired: true,\n });\n\n/* Registry entry for `control-plane.workspace-deleted.v1`. /\nexport const ControlPlaneWorkspaceDeletedV1 =\n defineDetailType<ControlPlaneWorkspaceChangedV1Detail>({\n detailType: \"control-plane.workspace-deleted.v1\",\n source: OPENHI_CONTROL_SOURCE,\n dedupRequired: true,\n });\n","import { OPENHI_CONTROL_SOURCE } from \"../sources\";\nimport { defineDetailType } from \"./registry\";\n\n/\n `detail` payload for `platform.deployment-completed.v1`.\n \n Projected by the platform-deploy bridge from a CloudFormation\n * `Stack Status Change` event (`CREATE_COMPLETE` / `UPDATE_COMPLETE`)\n * on a tagged OpenHI platform stack. Downstream control-plane\n * workflows (e.g. seed-system-roles, seed-demo-data) subscribe\n * to this detail-type on the control event bus.\n /\nexport interface PlatformDeploymentCompletedV1Detail {\n /* CloudFormation stack name (`AWS::CloudFormation::Stack` `StackName`). /\n readonly stackName: string;\n /* Full CloudFormation stack ARN. /\n readonly stackId: string;\n /* AWS region the stack deployed into (e.g. `us-east-1`). /\n readonly region: string;\n /* 12-digit AWS account id the stack deployed into. /\n readonly accountId: string;\n /* Terminal stack status that triggered the bridge. /\n readonly status: \"CREATE_COMPLETE\" \| \"UPDATE_COMPLETE\";\n /* Free-form reason text from CloudFormation; absent on most events. /\n readonly statusReason?: string;\n /\n Projected subset of stack tags. The bridge resolves tags via\n * `cloudformation:DescribeStacks` because the source EventBridge\n * event omits them.\n /\n readonly stackTags: ReadonlyArray<{\n readonly key: string;\n readonly value: string;\n }>;\n /* ISO-8601 timestamp from the source EventBridge `time` field. /\n readonly cloudformationEventTime: string;\n}\n\n/\n Registry entry for `platform.deployment-completed.v1`.\n \n Published on the control event bus (`OPENHI_CONTROL_SOURCE`) per\n * the workflow placement matrix (codedrifters/openhi#953 row 4):\n * the AWS-native source is the ops-plane default bus, but the bridge\n * republishes onto the control bus because the downstream consumers\n * are control-plane workflows.\n \n `dedupRequired: true` — at-least-once redelivery from EventBridge\n * means retryable consumers MUST dedupe on `(eventId, attempt)` via\n * `WorkflowDedupClient`.\n /\nexport const PlatformDeploymentCompletedV1 =\n defineDetailType<PlatformDeploymentCompletedV1Detail>({\n detailType: \"platform.deployment-completed.v1\",\n source: OPENHI_CONTROL_SOURCE,\n dedupRequired: true,\n });\n\n/\n `detail` payload for `platform.system-data-seeded.v1`.\n \n Published by the `seed-system-data` workflow after it has\n * idempotently re-asserted every platform-singleton control-plane\n * record (today: the three canonical Roles; future: additional system\n * data) on the back of a `platform.deployment-completed.v1` event.\n \n Downstream control-plane workflows that depend on the\n * platform-singleton records existing — `seed-demo-data`, for\n * example — subscribe to this detail-type instead of the raw\n * deploy-completion event so the dependency is enforced by a\n * happens-before edge rather than by EventBridge retry timing.\n /\nexport interface PlatformSystemDataSeededV1Detail {\n /\n EventBridge `eventId` of the originating\n * `platform.deployment-completed.v1` event that triggered the\n * system-data seeding. Propagated for correlation in logs and\n * downstream causation chains.\n /\n readonly sourceEventId: string;\n /\n Full CloudFormation stack ARN of the deploy that triggered the\n * system-data seeding. Mirrors the field on the originating\n * `PlatformDeploymentCompletedV1Detail`; downstream consumers can\n * filter by stack-id prefix without re-reading the source event.\n /\n readonly sourceStackId: string;\n /\n Number of platform-singleton records re-asserted on this run.\n * Useful for sanity checks and observability — divergence between\n * deploys signals either a generator-emitted catalog change or a\n * partial-failure recovery from the replay tooling.\n /\n readonly seededRecordCount: number;\n}\n\n/\n Registry entry for `platform.system-data-seeded.v1`.\n \n Published onto the control event bus (`OPENHI_CONTROL_SOURCE`).\n * `dedupRequired: true` — downstream consumers MUST dedup on\n * `(eventId, attempt)` via `WorkflowDedupClient`, same as every other\n * retryable consumer.\n /\nexport const PlatformSystemDataSeededV1 =\n defineDetailType<PlatformSystemDataSeededV1Detail>({\n detailType: \"platform.system-data-seeded.v1\",\n source: OPENHI_CONTROL_SOURCE,\n dedupRequired: true,\n });\n","export from \"./control-plane\";\nexport * from \"./platform\";\nexport * from \"./registry\";\n","import { randomUUID } from \"node:crypto\";\nimport {\n EventBridgeClient,\n PutEventsCommand,\n} from \"@aws-sdk/client-eventbridge\";\n\nimport type { WorkflowDetailTypeEntry } from \"./detail-types/registry\";\nimport type { WorkflowActor, WorkflowEvent } from \"./envelope\";\nimport { ENVELOPE_VERSION } from \"./envelope-version\";\nimport { DEFAULT_BUS_NAME_BY_SOURCE, type OpenHiSource } from \"./sources\";\n\n/*\n Caller-supplied envelope context the publisher consumes.\n \n The actor is required on every publish — pre-provisioning bootstrap\n * workflows pass a `{ system: <role-name> }` actor.\n \n `correlationId` and `causationId` propagate from an upstream event\n * when this publisher is consuming-then-publishing; pass them through\n * verbatim from the inbound envelope's fields. Both are optional;\n * when omitted the publisher treats the publish as a chain origin\n * (`correlationId` = fresh UUID, `causationId` = null).\n /\nexport interface PublishContext {\n readonly actor: WorkflowActor;\n readonly correlationId?: string;\n readonly causationId?: string \| null;\n}\n\n/\n Per-call output of a successful publish.\n /\nexport interface PublishResult {\n readonly eventId: string;\n}\n\n/\n Publisher overrides applied to every call against a single client.\n \n `eventIdGenerator`, `correlationIdGenerator`, and `now` are\n * test-only seams; production callers omit them and the publisher\n * uses `crypto.randomUUID()` and `new Date()`.\n /\nexport interface PublisherOptions {\n /* Override the default bus name for one or more sources. /\n readonly busNameByPlane?: Partial<Record<OpenHiSource, string>>;\n /* Test seam — supply a deterministic UUID generator for `eventId`. /\n readonly eventIdGenerator?: () => string;\n /* Test seam — supply a deterministic UUID generator for new `correlationId` values. /\n readonly correlationIdGenerator?: () => string;\n /* Test seam — supply a deterministic clock for `occurredAt`. /\n readonly now?: () => Date;\n}\n\n/\n Tree-shaped publisher client per ADR-016 Recommendation.\n \n The `publish` primitive accepts any registered detail-type and\n * returns a typed `PublishResult`. Downstream tree shaping\n * (`client.<bus>.<area>.<event>.publish(payload, ctx)`) is built from\n * the detail-type registry once entries are registered; until then,\n * callers invoke `client.publish(entry, payload, ctx)` directly.\n /\nexport interface WorkflowsClient {\n /\n Construct a workflow envelope around `payload` and publish it to\n * the EventBridge bus configured for `entry.source`.\n /\n publish<TPayload>(\n entry: WorkflowDetailTypeEntry<TPayload>,\n payload: TPayload,\n ctx: PublishContext,\n ): Promise<PublishResult>;\n}\n\n/\n Factory that returns a `WorkflowsClient` bound to a single\n * `EventBridgeClient`.\n /\nexport function workflowsClient(\n bridge: EventBridgeClient,\n options: PublisherOptions = {},\n): WorkflowsClient {\n return {\n publish: (entry, payload, ctx) =>\n publishWorkflowEvent(bridge, entry, payload, ctx, options),\n };\n}\n\n/\n Construct a workflow envelope and publish it via\n * `EventBridge.PutEvents`.\n \n Exposed as a stand-alone function for callers that prefer the\n * primitive over the `WorkflowsClient` indirection.\n /\nexport async function publishWorkflowEvent<TPayload>(\n bridge: EventBridgeClient,\n entry: WorkflowDetailTypeEntry<TPayload>,\n payload: TPayload,\n ctx: PublishContext,\n options: PublisherOptions = {},\n): Promise<PublishResult> {\n const eventIdGenerator = options.eventIdGenerator ?? (() => randomUUID());\n const correlationIdGenerator =\n options.correlationIdGenerator ?? (() => randomUUID());\n const now = options.now ?? (() => new Date());\n\n const envelope: WorkflowEvent<TPayload> = {\n eventId: eventIdGenerator(),\n attempt: 1,\n correlationId: ctx.correlationId ?? correlationIdGenerator(),\n causationId: ctx.causationId ?? null,\n actor: ctx.actor,\n occurredAt: now().toISOString(),\n envelopeVersion: ENVELOPE_VERSION,\n payload,\n };\n\n const busName =\n options.busNameByPlane?.[entry.source] ??\n DEFAULT_BUS_NAME_BY_SOURCE[entry.source];\n\n const result = await bridge.send(\n new PutEventsCommand({\n Entries: [\n {\n EventBusName: busName,\n Source: entry.source,\n DetailType: entry.detailType,\n Detail: JSON.stringify(envelope),\n },\n ],\n }),\n );\n\n if ((result.FailedEntryCount ?? 0) > 0) {\n const first = result.Entries?.[0];\n throw new WorkflowPublishError(\n `EventBridge rejected ${entry.detailType} publish on bus ${busName}: ${first?.ErrorCode ?? \"unknown\"} — ${first?.ErrorMessage ?? \"no error message\"}`,\n );\n }\n\n return { eventId: envelope.eventId };\n}\n\n/* Thrown when EventBridge rejects a `PutEvents` entry. /\nexport class WorkflowPublishError extends Error {\n /* @param message - human-readable description of the failed publish. /\n constructor(message: string) {\n super(message);\n this.name = \"WorkflowPublishError\";\n }\n}\n","import type { WorkflowDetailTypeEntry } from \"./detail-types/registry\";\nimport type { WorkflowEvent } from \"./envelope\";\nimport { isSupportedEnvelopeVersion } from \"./envelope-version\";\n\n/\n Structural shape of the EventBridge event objects this SDK's\n * consumer parses.\n \n Matches `@types/aws-lambda`'s `EventBridgeEvent<string, unknown>`\n * by structural compatibility without requiring callers to import\n * that types package — consumers may pass either an\n * `EventBridgeEvent` from `aws-lambda` or any record-shaped object\n * carrying the same keys.\n /\nexport interface EventBridgeEventLike {\n readonly source: string;\n readonly \"detail-type\": string;\n readonly detail: unknown;\n}\n\n/\n The `(eventId, attempt)` tuple every retryable consumer hands to\n * the `WorkflowDedupTable` client.\n /\nexport interface DedupKey {\n readonly eventId: string;\n readonly attempt: number;\n}\n\n/\n Output of `parseWorkflowEvent` — the validated envelope plus the\n * dedup tuple.\n /\nexport interface ParsedWorkflowEvent<TPayload> {\n readonly envelope: WorkflowEvent<TPayload>;\n readonly dedupKey: DedupKey;\n}\n\n/\n Parse an EventBridge event into a typed envelope and surface the\n * `(eventId, attempt)` tuple the dedup-table client consumes.\n \n Validates:\n * - `event.source` matches `expected.source`\n * - `event[\"detail-type\"]` matches `expected.detailType`\n * - the envelope's `envelopeVersion` is within the SDK's supported range\n * - every required envelope field is present and well-shaped\n /\nexport function parseWorkflowEvent<TPayload>(\n event: EventBridgeEventLike,\n expected: WorkflowDetailTypeEntry<TPayload>,\n): ParsedWorkflowEvent<TPayload> {\n if (event.source !== expected.source) {\n throw new InvalidWorkflowEventError(\n `EventBridge source \"${event.source}\" does not match expected detail-type's source \"${expected.source}\".`,\n );\n }\n\n if (event[\"detail-type\"] !== expected.detailType) {\n throw new InvalidWorkflowEventError(\n `EventBridge detail-type \"${event[\"detail-type\"]}\" does not match expected \"${expected.detailType}\".`,\n );\n }\n\n const candidate = asEnvelopeCandidate(event.detail);\n\n if (!isSupportedEnvelopeVersion(candidate.envelopeVersion)) {\n throw new UnsupportedEnvelopeVersionError(\n `Envelope version \"${candidate.envelopeVersion}\" is outside the SDK's supported range.`,\n );\n }\n\n const envelope: WorkflowEvent<TPayload> = {\n eventId: candidate.eventId,\n attempt: candidate.attempt,\n correlationId: candidate.correlationId,\n causationId: candidate.causationId,\n actor: candidate.actor,\n occurredAt: candidate.occurredAt,\n envelopeVersion: candidate.envelopeVersion,\n payload: candidate.payload as TPayload,\n };\n\n return {\n envelope,\n dedupKey: { eventId: envelope.eventId, attempt: envelope.attempt },\n };\n}\n\n/\n Validate that the EventBridge `detail` (which carries the workflow\n * envelope) has every required field with a plausible type. Returns a\n * typed `WorkflowEvent<unknown>` so the caller can narrow `payload`\n * once routing has succeeded.\n /\nfunction asEnvelopeCandidate(detail: unknown): WorkflowEvent<unknown> {\n if (detail === null \|\| typeof detail !== \"object\") {\n throw new InvalidWorkflowEventError(\n \"EventBridge detail is not a non-null object.\",\n );\n }\n\n const obj = detail as Record<string, unknown>;\n\n assertString(obj, \"eventId\");\n assertPositiveInteger(obj, \"attempt\");\n assertString(obj, \"correlationId\");\n assertCausationId(obj);\n assertActor(obj);\n assertString(obj, \"occurredAt\");\n assertString(obj, \"envelopeVersion\");\n\n if (!(\"payload\" in obj)) {\n throw new InvalidWorkflowEventError(\n \"Envelope is missing required field: payload.\",\n );\n }\n\n return obj as unknown as WorkflowEvent<unknown>;\n}\n\nfunction assertString(\n obj: Record<string, unknown>,\n field: string,\n): asserts obj is Record<string, unknown> & Record<typeof field, string> {\n const value = obj[field];\n if (typeof value !== \"string\" \|\| value.length === 0) {\n throw new InvalidWorkflowEventError(\n `Envelope field \"${field}\" must be a non-empty string.`,\n );\n }\n}\n\nfunction assertPositiveInteger(\n obj: Record<string, unknown>,\n field: string,\n): void {\n const value = obj[field];\n if (typeof value !== \"number\" \|\| !Number.isInteger(value) \|\| value < 1) {\n throw new InvalidWorkflowEventError(\n `Envelope field \"${field}\" must be a 1-indexed integer.`,\n );\n }\n}\n\nfunction assertCausationId(obj: Record<string, unknown>): void {\n if (!(\"causationId\" in obj)) {\n throw new InvalidWorkflowEventError(\n \"Envelope is missing required field: causationId.\",\n );\n }\n const value = obj.causationId;\n if (value !== null && (typeof value !== \"string\" \|\| value.length === 0)) {\n throw new InvalidWorkflowEventError(\n 'Envelope field \"causationId\" must be a non-empty string or null.',\n );\n }\n}\n\nfunction assertActor(obj: Record<string, unknown>): void {\n const actor = obj.actor;\n if (actor === null \|\| typeof actor !== \"object\") {\n throw new InvalidWorkflowEventError(\n 'Envelope field \"actor\" must be an object.',\n );\n }\n const actorObj = actor as Record<string, unknown>;\n const isUserActor =\n typeof actorObj.ohi_uid === \"string\" &&\n typeof actorObj.ohi_uname === \"string\" &&\n typeof actorObj.ohi_tid === \"string\" &&\n typeof actorObj.ohi_wid === \"string\";\n const isSystemActor = typeof actorObj.system === \"string\";\n if (!isUserActor && !isSystemActor) {\n throw new InvalidWorkflowEventError(\n 'Envelope field \"actor\" must be either a user-actor (ohi_tid, ohi_wid, ohi_uid, ohi_uname) or a system-actor ({ system: string }).',\n );\n }\n}\n\n/* Thrown when the event does not match the expected detail-type entry. /\nexport class InvalidWorkflowEventError extends Error {\n /* @param message - human-readable description of the validation failure. /\n constructor(message: string) {\n super(message);\n this.name = \"InvalidWorkflowEventError\";\n }\n}\n\n/* Thrown when the envelope version is outside the SDK's supported range. /\nexport class UnsupportedEnvelopeVersionError extends Error {\n /* @param message - human-readable description of the unsupported version. /\n constructor(message: string) {\n super(message);\n this.name = \"UnsupportedEnvelopeVersionError\";\n }\n}\n","/\n Environment-variable name the construct's `grantConsumer` integration\n * injects into a consumer Lambda; the runtime `WorkflowDedupClient`\n * reads it to discover the shared dedup table without a prop or import.\n \n The constant is the single cross-package contract between\n * `@openhi/constructs` (which emits the env var) and `@openhi/workflows`\n * (which consumes it). Renaming or removing it is a breaking change.\n /\nexport const WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR =\n \"OPENHI_WORKFLOW_DEDUP_TABLE_NAME\";\n\n/* Default TTL for dedup rows: 14 days, expressed in seconds (per TR-015). /\nexport const WORKFLOW_DEDUP_DEFAULT_TTL_SECONDS = 14 24 * 60 * 60;\n\n/** Maximum length of a `consumerName` (per TR-015). /\nexport const WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH = 64;\n","import {\n ConditionalCheckFailedException,\n DynamoDBClient,\n PutItemCommand,\n UpdateItemCommand,\n} from \"@aws-sdk/client-dynamodb\";\n\nimport {\n WORKFLOW_DEDUP_DEFAULT_TTL_SECONDS,\n WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH,\n WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR,\n} from \"./env\";\n\n/\n Inputs to `recordIfAbsent`.\n \n `eventId` and `attempt` are the dedup tuple every retryable\n * consumer derives from the standard envelope (see `parseWorkflowEvent`\n * and the `DedupKey` type); call sites typically spread the dedupKey\n * directly alongside the consumer name.\n /\nexport interface RecordIfAbsentInput {\n /* Stable logical name of the consumer. At most 64 chars; no whitespace. /\n readonly consumerName: string;\n /* Per-event UUID from the standard envelope. /\n readonly eventId: string;\n /* 1-indexed delivery attempt from the standard envelope. /\n readonly attempt: number;\n /* Override the 14-day default TTL. Must be a positive integer. /\n readonly ttlSeconds?: number;\n}\n\n/\n Result shape per TR-015. `recorded` is true on first delivery and\n * false on a duplicate; on a duplicate `alreadyProcessed` is also\n * true so callers can pattern-match without re-checking the boolean.\n /\nexport type RecordIfAbsentResult =\n \| { readonly recorded: true }\n \| { readonly recorded: false; readonly alreadyProcessed: true };\n\n/\n Inputs to `markFailed`.\n \n Updates the existing dedup row with `failed: true`, `failureReason`,\n * `failedAt` so the replay tooling (TR-016 follow-up) can re-publish\n * the originating event with a fresh `attempt`.\n /\nexport interface MarkFailedInput {\n /* Stable logical name of the consumer. /\n readonly consumerName: string;\n /* Per-event UUID. /\n readonly eventId: string;\n /* 1-indexed delivery attempt. /\n readonly attempt: number;\n /* Short string describing why the consumer gave up. /\n readonly reason: string;\n}\n\n/\n Runtime SDK every retryable workflow consumer calls before\n * performing its side-effect. See TR-015 for the contract.\n /\nexport interface WorkflowDedupClient {\n /\n Conditionally record a dedup token for the supplied consumer name\n * and dedup tuple. See `RecordIfAbsentResult` for the return shape.\n /\n recordIfAbsent(input: RecordIfAbsentInput): Promise<RecordIfAbsentResult>;\n /\n Mark the existing dedup row as permanently failed. Fire-and-forget\n * semantics for the caller; unexpected DynamoDB errors propagate.\n /\n markFailed(input: MarkFailedInput): Promise<void>;\n}\n\n/* Options shared by the factory and the standalone primitives. /\nexport interface WorkflowDedupClientOptions {\n /\n Table name. Defaults to `process.env[WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR]`\n * (populated by the `WorkflowDedupTable` construct's `grantConsumer`).\n /\n readonly tableName?: string;\n /* Override the 14-day default TTL for every `recordIfAbsent` call. /\n readonly defaultTtlSeconds?: number;\n /* Test seam — deterministic clock for `recordedAt` / `expiresAt`. /\n readonly now?: () => Date;\n}\n\n/* Factory that returns a `WorkflowDedupClient` bound to a single DynamoDB client. /\nexport function workflowDedupClient(\n dynamodb: DynamoDBClient,\n options: WorkflowDedupClientOptions = {},\n): WorkflowDedupClient {\n return {\n recordIfAbsent: (input) => recordIfAbsent(dynamodb, input, options),\n markFailed: (input) => markFailed(dynamodb, input, options),\n };\n}\n\n/\n Standalone primitive — exposed for callers that prefer it over the\n * `WorkflowDedupClient` indirection.\n /\nexport async function recordIfAbsent(\n dynamodb: DynamoDBClient,\n input: RecordIfAbsentInput,\n options: WorkflowDedupClientOptions = {},\n): Promise<RecordIfAbsentResult> {\n assertConsumerName(input.consumerName);\n assertPositiveInteger(input.attempt, \"attempt\");\n const ttlSeconds =\n input.ttlSeconds ??\n options.defaultTtlSeconds ??\n WORKFLOW_DEDUP_DEFAULT_TTL_SECONDS;\n if (!Number.isInteger(ttlSeconds) \|\| ttlSeconds <= 0) {\n throw new WorkflowDedupInvalidInputError(\n `ttlSeconds must be a positive integer; got ${ttlSeconds}.`,\n );\n }\n\n const tableName = resolveTableName(options.tableName);\n const now = (options.now ?? defaultNow)();\n const sk = encodeSortKey(input.eventId, input.attempt);\n const expiresAt = Math.floor(now.getTime() / 1000) + ttlSeconds;\n\n try {\n await dynamodb.send(\n new PutItemCommand({\n TableName: tableName,\n Item: {\n consumerName: { S: input.consumerName },\n sk: { S: sk },\n eventId: { S: input.eventId },\n attempt: { N: String(input.attempt) },\n recordedAt: { S: now.toISOString() },\n expiresAt: { N: String(expiresAt) },\n },\n ConditionExpression:\n \"attribute_not_exists(consumerName) AND attribute_not_exists(sk)\",\n }),\n );\n return { recorded: true };\n } catch (err) {\n if (err instanceof ConditionalCheckFailedException) {\n return { recorded: false, alreadyProcessed: true };\n }\n throw err;\n }\n}\n\n/* Standalone primitive — flips `failed: true` on an existing dedup row. /\nexport async function markFailed(\n dynamodb: DynamoDBClient,\n input: MarkFailedInput,\n options: WorkflowDedupClientOptions = {},\n): Promise<void> {\n assertConsumerName(input.consumerName);\n assertPositiveInteger(input.attempt, \"attempt\");\n if (input.reason.length === 0) {\n throw new WorkflowDedupInvalidInputError(\"reason must be non-empty.\");\n }\n\n const tableName = resolveTableName(options.tableName);\n const now = (options.now ?? defaultNow)();\n const sk = encodeSortKey(input.eventId, input.attempt);\n\n await dynamodb.send(\n new UpdateItemCommand({\n TableName: tableName,\n Key: {\n consumerName: { S: input.consumerName },\n sk: { S: sk },\n },\n UpdateExpression:\n \"SET #failed = :failed, #failureReason = :reason, #failedAt = :failedAt\",\n ExpressionAttributeNames: {\n \"#failed\": \"failed\",\n \"#failureReason\": \"failureReason\",\n \"#failedAt\": \"failedAt\",\n },\n ExpressionAttributeValues: {\n \":failed\": { BOOL: true },\n \":reason\": { S: input.reason },\n \":failedAt\": { S: now.toISOString() },\n },\n }),\n );\n}\n\n/* Compose the composite sort key per the TR-015 encoding. /\nexport function encodeSortKey(eventId: string, attempt: number): string {\n if (eventId.length === 0) {\n throw new WorkflowDedupInvalidInputError(\"eventId must be non-empty.\");\n }\n return `${eventId}#${attempt}`;\n}\n\nfunction resolveTableName(explicit?: string): string {\n const name = explicit ?? process.env[WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR];\n if (!name) {\n throw new WorkflowDedupTableNameMissingError(\n `Workflow dedup table name not set. Pass options.tableName or set ${WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR}.`,\n );\n }\n return name;\n}\n\nfunction assertConsumerName(consumerName: string): void {\n if (consumerName.length === 0) {\n throw new WorkflowDedupInvalidInputError(\"consumerName must be non-empty.\");\n }\n if (consumerName.length > WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH) {\n throw new WorkflowDedupInvalidInputError(\n `consumerName must be ≤${WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH} chars; got ${consumerName.length}.`,\n );\n }\n if (/\\s/.test(consumerName)) {\n throw new WorkflowDedupInvalidInputError(\n \"consumerName must not contain whitespace.\",\n );\n }\n}\n\nfunction assertPositiveInteger(value: number, field: string): void {\n if (!Number.isInteger(value) \|\| value < 1) {\n throw new WorkflowDedupInvalidInputError(\n `${field} must be a 1-indexed integer; got ${value}.`,\n );\n }\n}\n\nfunction defaultNow(): Date {\n return new Date();\n}\n\n/* Thrown when the dedup table name cannot be resolved. /\nexport class WorkflowDedupTableNameMissingError extends Error {\n /* @param message - human-readable description. /\n constructor(message: string) {\n super(message);\n this.name = \"WorkflowDedupTableNameMissingError\";\n }\n}\n\n/* Thrown when an input violates a TR-015 invariant. /\nexport class WorkflowDedupInvalidInputError extends Error {\n /* @param message - human-readable description. /\n constructor(message: string) {\n super(message);\n this.name = \"WorkflowDedupInvalidInputError\";\n }\n}\n","export {\n WORKFLOW_DEDUP_DEFAULT_TTL_SECONDS,\n WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH,\n WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR,\n} from \"./env\";\nexport {\n WorkflowDedupInvalidInputError,\n WorkflowDedupTableNameMissingError,\n encodeSortKey,\n markFailed,\n recordIfAbsent,\n workflowDedupClient,\n} from \"./workflow-dedup-client\";\nexport type {\n MarkFailedInput,\n RecordIfAbsentInput,\n RecordIfAbsentResult,\n WorkflowDedupClient,\n WorkflowDedupClientOptions,\n} from \"./workflow-dedup-client\";\n","export {\n ENVELOPE_VERSION,\n isSupportedEnvelopeVersion,\n} from \"./envelope-version\";\nexport {\n MissingActorContextError,\n isWorkflowSystemActor,\n isWorkflowUserActor,\n workflowUserActorFromClaims,\n} from \"./envelope\";\nexport type {\n WorkflowActor,\n WorkflowEvent,\n WorkflowSystemActor,\n WorkflowUserActor,\n} from \"./envelope\";\nexport {\n DEFAULT_BUS_NAME_BY_SOURCE,\n OPENHI_CONTROL_SOURCE,\n OPENHI_DATA_SOURCE,\n OPENHI_OPS_SOURCE,\n} from \"./sources\";\nexport type { OpenHiSource } from \"./sources\";\nexport {\n ControlPlaneMembershipCreatedV1,\n ControlPlaneMembershipDeletedV1,\n ControlPlaneOwningDeleteCompleteV1,\n ControlPlaneOwningDeleteFailedV1,\n ControlPlaneOwningDeleteV1,\n ControlPlaneRenameCompleteV1,\n ControlPlaneRenameFailedV1,\n ControlPlaneRenameV1,\n ControlPlaneRoleAssignmentCreatedV1,\n ControlPlaneRoleAssignmentDeletedV1,\n ControlPlaneWorkspaceCreatedV1,\n ControlPlaneWorkspaceDeletedV1,\n InvalidDetailTypeRegistrationError,\n OWNING_ENTITY_TYPE,\n PlatformDeploymentCompletedV1,\n PlatformSystemDataSeededV1,\n RENAMABLE_ENTITY_TYPE,\n defineDetailType,\n isWellFormedDetailType,\n} from \"./detail-types\";\nexport type {\n ControlPlaneMembershipChangedV1Detail,\n ControlPlaneOwningDeleteCompleteV1Detail,\n ControlPlaneOwningDeleteFailedV1Detail,\n ControlPlaneOwningDeleteV1Detail,\n ControlPlaneRenameCompleteV1Detail,\n ControlPlaneRenameFailedV1Detail,\n ControlPlaneRenameV1Detail,\n ControlPlaneRoleAssignmentChangedV1Detail,\n ControlPlaneWorkspaceChangedV1Detail,\n OwningEntityType,\n PlatformDeploymentCompletedV1Detail,\n PlatformSystemDataSeededV1Detail,\n RenamableEntityType,\n WorkflowDetailTypeEntry,\n} from \"./detail-types\";\nexport {\n WorkflowPublishError,\n publishWorkflowEvent,\n workflowsClient,\n} from \"./publisher\";\nexport type {\n PublishContext,\n PublishResult,\n PublisherOptions,\n WorkflowsClient,\n} from \"./publisher\";\nexport {\n InvalidWorkflowEventError,\n UnsupportedEnvelopeVersionError,\n parseWorkflowEvent,\n} from \"./consumer\";\nexport type {\n DedupKey,\n EventBridgeEventLike,\n ParsedWorkflowEvent,\n} from \"./consumer\";\nexport {\n WORKFLOW_DEDUP_DEFAULT_TTL_SECONDS,\n WORKFLOW_DEDUP_MAX_CONSUMER_NAME_LENGTH,\n WORKFLOW_DEDUP_TABLE_NAME_ENV_VAR,\n WorkflowDedupInvalidInputError,\n WorkflowDedupTableNameMissingError,\n encodeSortKey,\n markFailed,\n recordIfAbsent,\n workflowDedupClient,\n} from \"./dedup\";\nexport type {\n MarkFailedInput,\n RecordIfAbsentInput,\n RecordIfAbsentResult,\n WorkflowDedupClient,\n WorkflowDedupClientOptions,\n} from \"./dedup\";\n","import {\n reconcileAllCountersOperation,\n type CounterReconcileReport,\n} from \"../../../data/operations/control/counters/counter-reconcile-driver\";\n\n/\n @see sites/www-docs/content/packages/@openhi/constructs/workflows/control-plane/counter-reconciliation/counter-reconciliation-handler.md\n \n ADR-028 counter-reconciliation job handler. Invoked on demand (manual\n * `aws lambda invoke`, an operator runbook, or a scheduled trigger) — not\n * an EventBridge consumer. Walks every canonical Tenant / Workspace /\n * User, recomputes the denormalized counters from canonical data, repairs\n * any drift with a `SET` write, and logs the per-counter old → new drift\n * report.\n \n Idempotent by construction: each per-target recompute writes the\n * absolute recomputed value, so a second run over unchanged data corrects\n * nothing and reports zero drift. That is why the job needs no dedup\n * circuit-breaker (unlike the event-driven counter-maintenance consumer,\n * whose atomic ADDs are not idempotent).\n /\n\n/* Dependency seam for tests; production wires the real driver. /\nexport interface CounterReconciliationDependencies {\n /\n Run the full reconciliation sweep. Defaults to\n * {@link reconcileAllCountersOperation}; tests inject a fake.\n /\n readonly reconcileAll: () => Promise<CounterReconcileReport>;\n}\n\n/\n Test-visible orchestrator. The production `handler` calls this with the\n * real driver; unit tests inject a fake. Returns the drift report so an\n * invoker (or test) can assert on what was corrected.\n /\nexport const runCounterReconciliation = async (\n deps: CounterReconciliationDependencies,\n): Promise<CounterReconcileReport> => {\n const report = await deps.reconcileAll();\n\n // Structured, loggable summary. One JSON line so a log query can pluck\n // the totals; the full per-counter drift list rides along for an audit.\n console.log(\n JSON.stringify({\n message: \"counter-reconciliation complete\",\n scanned: report.scanned,\n countersCorrected: report.countersCorrected,\n drift: report.drift,\n }),\n );\n\n return report;\n};\n\nconst productionDependencies = (): CounterReconciliationDependencies => ({\n reconcileAll: () => reconcileAllCountersOperation(),\n});\n\nexport const handler = async (): Promise<CounterReconcileReport> =>\n runCounterReconciliation(productionDependencies());\n","import { Service } from \"electrodb\";\nimport { defaultTableName, dynamoClient } from \"./dynamo-client\";\nimport { ConfigurationEntity } from \"./entities/control/configuration-entity\";\nimport { ConfigurationUserProjectionEntity } from \"./entities/control/configuration-user-projection-entity\";\nimport { ConfigurationWorkspaceProjectionEntity } from \"./entities/control/configuration-workspace-projection-entity\";\nimport { MembershipEntity } from \"./entities/control/membership-entity\";\nimport { MembershipUserProjectionEntity } from \"./entities/control/membership-user-projection-entity\";\nimport { MembershipWorkspaceProjectionEntity } from \"./entities/control/membership-workspace-projection-entity\";\nimport { RoleEntity } from \"./entities/control/role-entity\";\nimport { RoleAssignmentEntity } from \"./entities/control/roleassignment-entity\";\nimport { RoleAssignmentUserProjectionEntity } from \"./entities/control/roleassignment-user-projection-entity\";\nimport { RoleAssignmentWorkspaceProjectionEntity } from \"./entities/control/roleassignment-workspace-projection-entity\";\nimport { TenantEntity } from \"./entities/control/tenant-entity\";\nimport { UserEntity } from \"./entities/control/user-entity\";\nimport { WorkspaceEntity } from \"./entities/control/workspace-entity\";\n\n/\n Control-plane entities only (service \"control\"). Same table as data plane; use\n * DynamoDataService for data-plane entities.\n * @see sites/www-docs/content/packages/@openhi/constructs/data/dynamo/single-table-design.md\n * @see sites/www-docs/content/architecture/adr/2026-03-03-01-tenant-isolated-vs-non-tenant-isolated-entities.md\n /\n\nconst controlPlaneEntities = {\n configuration: ConfigurationEntity,\n configurationUserProjection: ConfigurationUserProjectionEntity,\n configurationWorkspaceProjection: ConfigurationWorkspaceProjectionEntity,\n membership: MembershipEntity,\n membershipUserProjection: MembershipUserProjectionEntity,\n membershipWorkspaceProjection: MembershipWorkspaceProjectionEntity,\n role: RoleEntity,\n roleAssignment: RoleAssignmentEntity,\n roleAssignmentUserProjection: RoleAssignmentUserProjectionEntity,\n roleAssignmentWorkspaceProjection: RoleAssignmentWorkspaceProjectionEntity,\n tenant: TenantEntity,\n user: UserEntity,\n workspace: WorkspaceEntity,\n};\n\nconst controlPlaneService = new Service(controlPlaneEntities, {\n table: defaultTableName,\n client: dynamoClient,\n});\n\n/\n Control-plane service: entities for configuration and control. Use with the\n * data store table (PK, SK, GSI1; UserEntity also uses GSI2).\n \n `transaction` exposes ElectroDB's `service.transaction.write` /\n * `service.transaction.get` builders so the operations-layer multi-write\n * helper (#1010, ADR-018) can compose `TransactWriteItems` across the\n * control-plane entities.\n /\nexport const DynamoControlService = {\n entities: controlPlaneService.entities,\n transaction: controlPlaneService.transaction,\n};\n\nexport type DynamoControlServiceType = typeof DynamoControlService;\n\n/\n Returns the control-plane service. Table name is resolved from tableName (optional override),\n * then DYNAMO_TABLE_NAME, then \"jesttesttable\".\n /\nexport function getDynamoControlService(\n tableName?: string,\n): DynamoControlServiceType {\n const resolved = tableName ?? defaultTableName;\n const service = new Service(controlPlaneEntities, {\n table: resolved,\n client: dynamoClient,\n });\n return {\n entities: service.entities,\n transaction: service.transaction,\n };\n}\n","import { DynamoDBClient } from \"@aws-sdk/client-dynamodb\";\n\n/\n DynamoDB table name for the data store. Set via DYNAMO_TABLE_NAME at runtime\n * (e.g. from Lambda env); defaults for local/test.\n /\nexport const defaultTableName =\n process.env.DYNAMO_TABLE_NAME ?? \"jesttesttable\";\n\n/\n DynamoDB client. When MOCK_DYNAMODB_ENDPOINT is set (e.g. local DynamoDB or\n * jest-dynalite), uses that endpoint with no SSL and region \"local\".\n /\nexport const dynamoClient = new DynamoDBClient({\n ...(process.env.MOCK_DYNAMODB_ENDPOINT && {\n endpoint: process.env.MOCK_DYNAMODB_ENDPOINT,\n sslEnabled: false,\n region: \"local\",\n }),\n});\n","import { Entity } from \"electrodb\";\nimport { gsi1ShardAttribute } from \"./control-entity-common\";\n\n/\n Configuration data-store entity (single-table store).\n \n Classification (ADR 2026-03-03-01): Partially tenant-isolated, control plane. Cascade of scope\n * levels: resolution order user → workspace → tenant → baseline. Sentinels: tenantId \"BASELINE\" for\n * baseline tier; workspaceId/userId/roleId \"-\" for absent dimension.\n \n Key structure: PK = CONFIG#TID#<tenantId>#WID#<workspaceId>#UID#<userId>#RID#<roleId>,\n * SK = KEY#<key>#SK#<sk>. Uniqueness: one Configuration per (tenantId, workspaceId, userId, roleId, key).\n * Standard attributes and key-building conventions align with single-table design.\n \n GSI1 — Unified Sharded List per ADR-011: lists all Configuration entries in a tenant/workspace\n * across the four shards.\n \n @see sites/www-docs/content/architecture/adr/2026-03-03-01-tenant-isolated-vs-non-tenant-isolated-entities.md\n * @see sites/www-docs/content/packages/@openhi/constructs/data/dynamo/entities/configuration.md\n * @see sites/www-docs/content/architecture/control-plane/configuration.md\n * @see sites/www-docs/content/packages/@openhi/constructs/data/dynamo/single-table-design.md\n * @see sites/www-docs/content/packages/@openhi/constructs/data/dynamo/entity-standards.md — Key-building conventions (keys built inside entity)\n /\nexport const ConfigurationEntity = new Entity({\n model: {\n entity: \"configuration\",\n service: \"control\",\n version: \"01\",\n },\n attributes: {\n /* Sort key. \"CURRENT\" for current version; version history in S3. /\n sk: {\n type: \"string\" as const,\n required: true,\n default: \"CURRENT\",\n },\n /* Tenant scope. Use \"BASELINE\" when the config is baseline default (no tenant). /\n tenantId: {\n type: \"string\" as const,\n required: true,\n default: \"BASELINE\",\n },\n /* Workspace scope. Use \"-\" when absent. /\n workspaceId: {\n type: \"string\" as const,\n required: true,\n default: \"-\",\n },\n /* User scope. Use \"-\" when absent. /\n userId: {\n type: \"string\" as const,\n required: true,\n default: \"-\",\n },\n /* Role scope. Use \"-\" when absent. /\n roleId: {\n type: \"string\" as const,\n required: true,\n default: \"-\",\n },\n /* Config type (category), e.g. endpoints, branding, display. /\n key: {\n type: \"string\" as const,\n required: true,\n },\n /* FHIR Resource.id; logical id in URL and for the Configuration resource. /\n id: {\n type: \"string\" as const,\n required: true,\n },\n /* Payload as JSON string. JSON.stringify(resource) on write; JSON.parse(item.resource) on read. /\n resource: {\n type: \"string\" as const,\n required: true,\n },\n /\n Summary projection (key display fields as JSON string: id, key, status).\n * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.\n /\n summary: {\n type: \"string\" as const,\n required: true,\n },\n /* Version id (e.g. ULID). Tracks current version; S3 history key. /\n vid: {\n type: \"string\" as const,\n required: true,\n },\n lastUpdated: {\n type: \"string\" as const,\n required: true,\n },\n gsi1Shard: gsi1ShardAttribute,\n deleted: {\n type: \"boolean\" as const,\n required: false,\n },\n bundleId: {\n type: \"string\" as const,\n required: false,\n },\n msgId: {\n type: \"string\" as const,\n required: false,\n },\n },\n indexes: {\n /* Base table: PK, SK (data store key names). PK is built from tenantId, workspaceId, userId, roleId; SK is built from key and sk. Do not supply PK or SK from outside. /\n record: {\n pk: {\n field: \"PK\",\n composite: [\"tenantId\", \"workspaceId\", \"userId\", \"roleId\"],\n template:\n \"CONFIG#TID#${tenantId}#WID#${workspaceId}#UID#${userId}#RID#${roleId}\",\n },\n sk: {\n field: \"SK\",\n composite: [\"key\", \"sk\"],\n template: \"KEY#${key}#SK#${sk}\",\n },\n },\n\n /\n GSI1 — Unified Sharded List per ADR-011: list all Configuration entries for a\n * (tenant, workspace) across the four shards. Use for \"list configs scoped to this tenant\"\n * (workspaceId = \"-\") or \"list configs scoped to this workspace\". Does not support\n * hierarchical resolution in one query; use base table GetItem in fallback order\n * (user → workspace → tenant → baseline) for that.\n * SK is `<key>#<id>` — Configuration's `key` is a required entity attribute (the\n * config category: endpoints, branding, display, …) and the natural sort/lookup\n * dimension. `casing: \"none\"` preserves the literal key value.\n /\n gsi1: {\n index: \"GSI1\",\n pk: {\n field: \"GSI1PK\",\n composite: [\"tenantId\", \"workspaceId\", \"gsi1Shard\"],\n template:\n \"TID#${tenantId}#WID#${workspaceId}#RT#Configuration#SHARD#${gsi1Shard}\",\n },\n sk: {\n field: \"GSI1SK\",\n casing: \"none\" as const,\n composite: [\"key\", \"id\"],\n template: \"${key}#${id}\",\n },\n },\n },\n});\n","import { extractLabel, normalizeLabel } from \"@openhi/types\";\nimport { computeShard } from \"../../shard\";\n\n/\n Shared GSI1 shard attribute for control-plane entities.\n \n Control-plane entities (User, Tenant, Workspace, Membership, Role, RoleAssignment,\n * Configuration) use the same `TID#/WID#/RT#/SHARD#` PK shape on GSI1 as data-plane\n * FHIR resources per ADR-011. The shard index is derived deterministically from `id`\n * via `computeShard` so updates always land on the same shard. Stored as a string\n * because it appears as a literal segment in the GSI1 PK template; the underlying\n * value is 0..3.\n \n Not `required` because the value is derived via `watch`/`set`; ElectroDB's\n * required-field check runs before watch propagation, so callers must not fail\n * validation on a derived field.\n /\nexport const gsi1ShardAttribute = {\n type: \"string\" as const,\n watch: [\"id\"] as const,\n set: (_val?: string, item?: { id?: string }) => {\n if (typeof item?.id !== \"string\" \|\| item.id.length === 0) {\n return undefined;\n }\n return String(computeShard(item.id));\n },\n};\n\n/\n Shared GSI1 sort-key attribute for control-plane entities.\n \n Derives the GSI1SK value at write time from the entity's `resource` JSON\n * string, applying the same label-extraction strategy as the data plane\n * (DR-004 / `@openhi/types` `extractLabel`). When the resource carries a\n * natural label (Tenant.name, Workspace.name, Configuration.key, …) the\n * sort key is `<normalizedLabel>#<id>` so list endpoints sort alphabetically\n * and `BEGINS_WITH` queries serve prefix searches. When no label is\n * extractable, falls back to `<entity.lastUpdated>#<id>` for stable\n * reverse-chronological ordering.\n \n Falls back gracefully on malformed `resource` payloads — JSON parse\n * failures and missing fields both route to the lastUpdated fallback so a\n * single bad write never blocks an entity put. The entity-level\n * `lastUpdated` is preferred over `resource.meta.lastUpdated` so the\n * fallback uses the authoritative timestamp the entity write supplies.\n \n Not `required` because the value is derived via `watch`/`set`.\n /\nexport const gsi1skAttribute = {\n type: \"string\" as const,\n watch: [\"resource\", \"lastUpdated\", \"id\"] as const,\n set: (\n _val?: string,\n item?: { resource?: string; lastUpdated?: string; id?: string },\n ) => {\n const id = typeof item?.id === \"string\" ? item.id : \"\";\n const lastUpdated =\n typeof item?.lastUpdated === \"string\" ? item.lastUpdated : \"\";\n const fallback = `${lastUpdated}#${id}`;\n\n if (typeof item?.resource !== \"string\" \|\| item.resource.length === 0) {\n return fallback;\n }\n\n let parsed: unknown;\n try {\n parsed = JSON.parse(item.resource);\n } catch {\n return fallback;\n }\n if (!parsed \|\| typeof parsed !== \"object\") return fallback;\n const resourceType = (parsed as { resourceType?: unknown }).resourceType;\n if (typeof resourceType !== \"string\") return fallback;\n\n const label = extractLabel(parsed as Parameters<typeof extractLabel>[0]);\n return label !== undefined ? `${label}#${id}` : fallback;\n },\n};\n\n/\n Extract a roleId from a RoleAssignment resource payload. Looks first at\n * a flat top-level `roleId` string, then at a FHIR-style `role.reference`\n * (e.g. `Role/<id>`). Returns `undefined` when neither shape is present\n * or the field is malformed — callers fall back to the generic GSI1SK\n * derivation in that case so a single bad write never blocks an entity put.\n /\nfunction extractRoleId(resource: Record<string, unknown>): string \| undefined {\n const flat = resource.roleId;\n if (typeof flat === \"string\" && flat.length > 0) return flat;\n\n const role = resource.role;\n if (role && typeof role === \"object\") {\n const reference = (role as { reference?: unknown }).reference;\n if (typeof reference === \"string\" && reference.length > 0) {\n const slash = reference.lastIndexOf(\"/\");\n const tail = slash >= 0 ? reference.slice(slash + 1) : reference;\n if (tail.length > 0) return tail;\n }\n }\n return undefined;\n}\n\n/\n RoleAssignment-specific GSI1 sort-key attribute (ADR-018 pattern #8 —\n * \"users with a specific role in a tenant, sorted by user name\").\n \n Composes the canonical-row GSI1SK as the discriminator-first shape\n * `<roleId>#<normalizedUserName>#<id>` so a GSI1 query partitioned on\n * the tenant can `begins_with('<roleId>#')` to enumerate every user\n * assigned to a given role, sorted by user name.\n \n - `<roleId>` is read from a flat `resource.roleId` field, falling back\n * to the slug after the final `/` in `resource.role.reference` (the\n * FHIR Reference shape). Sorting on `roleId` rather than the role's\n * display name means a Role rename does not cascade onto this index\n * (TR-024 / ADR-018 § Implementation Notes).\n * - `<normalizedUserName>` is `normalizeLabel(denormalizedUserName)` —\n * the top-level denormalized field promoted in #1009 (TR-024 rule 3:\n * canonical-record symmetry).\n \n Falls back to `gsi1skAttribute`'s `<lastUpdated>#<id>` shape when\n * either component is missing or malformed, so pre-TR-024 rows and\n * malformed payloads still produce a valid sort key.\n \n Not `required` because the value is derived via `watch`/`set`.\n \n @see ADR-018 § Access Pattern Coverage — pattern #8\n * @see TR-024 — Denormalized display-name attributes\n /\nexport const roleAssignmentGsi1skAttribute = {\n type: \"string\" as const,\n watch: [\"resource\", \"denormalizedUserName\", \"lastUpdated\", \"id\"] as const,\n set: (\n _val?: string,\n item?: {\n resource?: string;\n denormalizedUserName?: string;\n lastUpdated?: string;\n id?: string;\n },\n ) => {\n const id = typeof item?.id === \"string\" ? item.id : \"\";\n const lastUpdated =\n typeof item?.lastUpdated === \"string\" ? item.lastUpdated : \"\";\n const fallback = `${lastUpdated}#${id}`;\n\n if (typeof item?.resource !== \"string\" \|\| item.resource.length === 0) {\n return fallback;\n }\n\n let parsed: unknown;\n try {\n parsed = JSON.parse(item.resource);\n } catch {\n return fallback;\n }\n if (!parsed \|\| typeof parsed !== \"object\") return fallback;\n\n const roleId = extractRoleId(parsed as Record<string, unknown>);\n if (roleId === undefined) return fallback;\n\n const denormalizedUserName =\n typeof item.denormalizedUserName === \"string\"\n ? item.denormalizedUserName\n : \"\";\n const normalizedUserName =\n denormalizedUserName.length > 0\n ? normalizeLabel(denormalizedUserName)\n : \"\";\n if (normalizedUserName.length === 0) return fallback;\n\n return `${roleId}#${normalizedUserName}#${id}`;\n },\n};\n\n/\n Membership-specific GSI1 sort-key attribute (ADR-018 pattern #1 —\n * \"users in a tenant, sorted by user name\").\n \n Composes the canonical-row GSI1SK as `<normalizedUserName>#<id>` so a\n * GSI1 query partitioned on the tenant range-scans by user-name prefix\n * and returns memberships sorted alphabetically by user name. No role\n * discriminator goes in front — pattern #1 is user-name-first.\n \n - `<normalizedUserName>` is `normalizeLabel(denormalizedUserName)` —\n * the top-level denormalized field promoted in #1009 (TR-024 rule 3:\n * canonical-record symmetry).\n \n Falls back to `gsi1skAttribute`'s `<lastUpdated>#<id>` shape when\n * `denormalizedUserName` is missing, so pre-TR-024 rows and malformed\n * payloads still produce a valid sort key.\n \n Not `required` because the value is derived via `watch`/`set`.\n \n @see ADR-018 § Access Pattern Coverage — pattern #1\n * @see TR-024 — Denormalized display-name attributes\n /\nexport const membershipGsi1skAttribute = {\n type: \"string\" as const,\n watch: [\"denormalizedUserName\", \"lastUpdated\", \"id\"] as const,\n set: (\n _val?: string,\n item?: {\n denormalizedUserName?: string;\n lastUpdated?: string;\n id?: string;\n },\n ) => {\n const id = typeof item?.id === \"string\" ? item.id : \"\";\n const lastUpdated =\n typeof item?.lastUpdated === \"string\" ? item.lastUpdated : \"\";\n const fallback = `${lastUpdated}#${id}`;\n\n const denormalizedUserName =\n typeof item?.denormalizedUserName === \"string\"\n ? item.denormalizedUserName\n : \"\";\n const normalizedUserName =\n denormalizedUserName.length > 0\n ? normalizeLabel(denormalizedUserName)\n : \"\";\n if (normalizedUserName.length === 0) {\n return fallback;\n }\n\n return `${normalizedUserName}#${id}`;\n },\n};\n","/\n Shard selection for the data-plane single-table GSI1 partitioning per ADR-011.\n \n GSI1's partition key embeds a `SHARD#<n>` segment with `n = computeShard(id)`.\n * The hash is deterministic so updates to the same resource id always land on\n * the same shard (no cross-shard migration on update); reads fan out to all\n * shards in parallel and merge by SK.\n \n @see sites/www-docs/content/architecture/adr/ — ADR-011 (single-table DynamoDB)\n /\n\n/* Number of shards in the GSI1 partition key. Fixed at 4 in v1; raising it later is a backfill, not a schema migration. /\nexport const SHARD_COUNT = 4;\n\n/\n Returns a deterministic shard index in [0, SHARD_COUNT) for the given resource id.\n \n Implementation: 32-bit FNV-1a over the UTF-16 code units of the id, modulo SHARD_COUNT.\n * The function is pure and stable; the same id always returns the same shard.\n \n ESLint's `no-bitwise` rule is disabled inside this function because FNV-1a is\n * defined in terms of XOR and unsigned-right-shift — the bitwise ops are the\n * algorithm, not an accidental logical-operator confusion.\n /\nexport function computeShard(id: string): number {\n / eslint-disable no-bitwise /\n let hash = 0x811c9dc5;\n for (let i = 0; i < id.length; i++) {\n hash ^= id.charCodeAt(i);\n hash = Math.imul(hash, 0x01000193);\n }\n return (hash >>> 0) % SHARD_COUNT;\n / eslint-enable no-bitwise /\n}\n","import { Entity } from \"electrodb\";\n\n/\n Configuration user-projection entity (single-table store, no GSI).\n \n ADR-018 adjacency-list projection — pattern #10 (user-scope half).\n * For every user-scoped Configuration write the operations-layer\n * multi-write helper writes one projection row under the user partition\n * so the user-rooted access pattern #10 is served by a single\n * base-table `Query` with no GSI hop:\n \n \| Pattern \| When \| PK \| SK \|\n * \|---\|---\|---\|---\|\n * \| #10 user-scope \| Configuration is user-scoped (`userId !== \"-\"`) \| `USER#ID#<userId>` \| `CONFIGURATION#<normalizedConfigName>#<configurationId>` \|\n \n `<normalizedConfigName>` derives from Configuration's `key` attribute\n * (the canonical name dimension — Configuration carries no `displayName`\n * per TR-024 § Open Item #5, so `key` is the natural sort source). The\n * SK shape is operation-owned: the operations-layer projection writer\n * composes the SK string via `buildConfigurationUserProjectionSk` and\n * supplies it on the `sk` attribute. This entity stores the SK verbatim —\n * no `watch`/derived computation here — so the SK grammar (and any\n * future revision) lives in one place: the operations layer.\n \n Projection attribute set per ADR-018 § Projection attribute set and\n * the implementation guide § 2: `summary`, `vid`, `lastUpdated` (so\n * `Query(PK = USER#ID#<userId>, SK begins_with 'CONFIGURATION#')` is\n * self-sufficient — no BatchGet hop to the canonical record), plus the\n * projection-discriminating fields (`configurationId`, `userId`,\n * `tenantId`, `scope`).\n \n Cross-tenant partition. Unlike Membership/RoleAssignment-workspace\n * partitions, the Configuration user-projection's PK carries no tenant\n * prefix — a user's user-scoped Configurations are cross-tenant by\n * design (a user may carry preferences that follow them across tenant\n * memberships). This mirrors the RoleAssignment user-projection partition.\n \n No GSI projection. Per ADR-018 § Decision, cross-cutting reads\n * are served by the main-table partition `USER#ID#<userId>`; the\n * GSI1/GSI2 catalog is unchanged. Tenant-scoped Configurations\n * continue to use the canonical GSI1 path (ADR-011) unchanged.\n \n @see ADR-018 § Access Pattern Coverage (#10 — user-scope half)\n * @see .state/adr-018-implementation-guide.md § 1 (SK grammar) and § 2 (attribute set)\n * @see .claude/rules/data-layer-layout.md — projection writers live in operations, not here\n /\nexport const ConfigurationUserProjectionEntity = new Entity({\n model: {\n entity: \"configurationUserProjection\",\n service: \"control\",\n version: \"01\",\n },\n attributes: {\n /\n User partition discriminator. Renders as `USER#ID#<userId>` on the\n * base-table PK. Always required — the projection has no meaning\n * outside a user partition.\n /\n userId: {\n type: \"string\" as const,\n required: true,\n },\n /\n Pre-composed sort key — built by the operations-layer projection\n * writer via `buildConfigurationUserProjectionSk`. The entity stores\n * the value verbatim so the SK grammar (pattern #10 user-scope) is\n * owned by the operations layer, not duplicated here.\n /\n sk: {\n type: \"string\" as const,\n required: true,\n },\n /\n Configuration canonical-record id. Stored as a discriminating\n * field so consumers can hydrate the canonical row via the\n * Configuration get-by-id operation when the projection's `summary`\n * is insufficient.\n /\n configurationId: {\n type: \"string\" as const,\n required: true,\n },\n /\n Tenant the Configuration is associated with. The canonical row\n * keys off `(tenantId, workspaceId, userId, roleId)`; the projection\n * carries `tenantId` so consumers reconstructing the canonical PK\n * have the tenant segment without a hop.\n /\n tenantId: {\n type: \"string\" as const,\n required: true,\n },\n /\n Scope marker. Always `\"user\"` on this projection — recorded\n * explicitly so future scope-bearing projections (workspace,\n * tenant, role) can share filter semantics in a unified\n * cross-projection list query if one ever lands.\n /\n scope: {\n type: \"string\" as const,\n required: true,\n default: \"user\",\n },\n /\n Configuration's `key` attribute (config category, e.g. endpoints,\n * branding, display). Mirrored from the canonical row so consumers\n * reading the projection get the natural display label without a\n * BatchGet hop. Doubles as the source of `<normalizedConfigName>` in\n * the SK.\n /\n displayName: {\n type: \"string\" as const,\n required: false,\n },\n /\n Summary projection (key display fields as JSON string) — mirrored\n * from the canonical Configuration row so user-partition queries do\n * not need a BatchGet hop.\n /\n summary: {\n type: \"string\" as const,\n required: true,\n },\n /* Version id mirrored from the canonical Configuration row. /\n vid: {\n type: \"string\" as const,\n required: true,\n },\n /* Last-updated timestamp mirrored from the canonical Configuration row. /\n lastUpdated: {\n type: \"string\" as const,\n required: true,\n },\n },\n indexes: {\n /\n Base table: PK = USER#ID#\\<userId\\>, SK = operation-supplied. A\n * single `Query(PK = USER#ID#<userId>, SK begins_with 'CONFIGURATION#')`\n * returns the user's user-scoped Configurations sorted by\n * `<normalizedConfigName>` (then `<configurationId>` as the\n * tiebreaker).\n /\n record: {\n pk: {\n field: \"PK\",\n composite: [\"userId\"],\n template: \"USER#ID#${userId}\",\n },\n sk: {\n field: \"SK\",\n casing: \"none\" as const,\n composite: [\"sk\"],\n template: \"${sk}\",\n },\n },\n },\n});\n","import { Entity } from \"electrodb\";\n\n/\n Configuration workspace-projection entity (single-table store, no GSI).\n \n ADR-018 adjacency-list projection — pattern #10 (workspace-scope half).\n * For every workspace-scoped Configuration the operations-layer\n * multi-write helper writes one projection row under the workspace\n * partition so the workspace-rooted access pattern #10 is served by a\n * single base-table `Query` with no GSI hop:\n \n \| Pattern \| When \| PK \| SK \|\n * \|---\|---\|---\|---\|\n * \| #10 workspace-scope \| Configuration is workspace-scoped (`workspaceId !== \"-\"`, `userId === \"-\"`) \| `TID#<tenantId>#WORKSPACE#ID#<workspaceId>` \| `CONFIGURATION#<normalizedConfigName>#<configurationId>` \|\n \n The PK co-locates with the canonical Workspace record\n * (`SK = CURRENT`) and the Membership / RoleAssignment workspace-\n * projections (patterns #2, #9), so an admin workspace dashboard can\n * hydrate workspace metadata + member projections + role-assignment\n * projections + workspace-scoped Configurations in a single `Query`.\n \n `<normalizedConfigName>` derives from Configuration's `key` attribute\n * (the canonical name dimension — Configuration carries no `displayName`\n * per TR-024 § Open Item #5, so `key` is the natural sort source). The\n * SK shape is operation-owned: the operations-layer projection writer\n * composes the SK string via `buildConfigurationWorkspaceProjectionSk`\n * and supplies it on the `sk` attribute. This entity stores the SK\n * verbatim — no `watch`/derived computation here — so the SK grammar\n * (and any future revision) lives in one place: the operations layer.\n \n Projection attribute set per ADR-018 § Projection attribute set and\n * the implementation guide § 2: `summary`, `vid`, `lastUpdated` (so\n * `Query(PK = TID#<tenantId>#WORKSPACE#ID#<workspaceId>, SK begins_with 'CONFIGURATION#')`\n * is self-sufficient — no BatchGet hop to the canonical record), plus\n * the projection-discriminating fields (`configurationId`, `workspaceId`,\n * `tenantId`, `scope`).\n \n Tenant-prefixed partition. Unlike the Configuration user-\n * projection (whose PK is `USER#ID#<userId>` with no tenant prefix —\n * a user's user-scoped Configurations are cross-tenant by design),\n * the workspace-projection PK carries the tenant prefix because\n * Workspaces are tenant-scoped per ADR-011. This mirrors the\n * Membership / RoleAssignment workspace-projection partitions.\n \n No GSI projection. Per ADR-018 § Decision, cross-cutting reads\n * are served by the main-table partition\n * `TID#<tenantId>#WORKSPACE#ID#<workspaceId>`; the GSI1/GSI2 catalog\n * is unchanged. Tenant-scoped Configurations continue to use the\n * canonical GSI1 path (ADR-011) unchanged.\n \n @see ADR-018 § Access Pattern Coverage (#10 — workspace-scope half)\n * @see .state/adr-018-implementation-guide.md § 1 (SK grammar) and § 2 (attribute set)\n * @see .claude/rules/data-layer-layout.md — projection writers live in operations, not here\n /\nexport const ConfigurationWorkspaceProjectionEntity = new Entity({\n model: {\n entity: \"configurationWorkspaceProjection\",\n service: \"control\",\n version: \"01\",\n },\n attributes: {\n /\n Tenant the workspace belongs to. Renders as the leading segment\n * of the base-table PK. Always required — the workspace partition\n * is tenant-scoped per ADR-011.\n /\n tenantId: {\n type: \"string\" as const,\n required: true,\n },\n /\n Workspace partition discriminator. Renders as the trailing\n * segment of the base-table PK\n * (`TID#<tenantId>#WORKSPACE#ID#<workspaceId>`). Always required —\n * the projection has no meaning outside a workspace partition.\n /\n workspaceId: {\n type: \"string\" as const,\n required: true,\n },\n /\n Pre-composed sort key — built by the operations-layer projection\n * writer via `buildConfigurationWorkspaceProjectionSk`. The entity\n * stores the value verbatim so the SK grammar (pattern #10\n * workspace-scope) is owned by the operations layer, not\n * duplicated here.\n /\n sk: {\n type: \"string\" as const,\n required: true,\n },\n /\n Configuration canonical-record id. Stored as a discriminating\n * field so consumers can hydrate the canonical row via the\n * Configuration get-by-id operation when the projection's `summary`\n * is insufficient.\n /\n configurationId: {\n type: \"string\" as const,\n required: true,\n },\n /\n Scope marker. Always `\"workspace\"` on this projection — recorded\n * explicitly so future scope-bearing projections (user, tenant,\n * role) can share filter semantics in a unified cross-projection\n * list query if one ever lands.\n /\n scope: {\n type: \"string\" as const,\n required: true,\n default: \"workspace\",\n },\n /\n Configuration's `key` attribute (config category, e.g. endpoints,\n * branding, display). Mirrored from the canonical row so consumers\n * reading the projection get the natural display label without a\n * BatchGet hop. Doubles as the source of `<normalizedConfigName>`\n * in the SK.\n /\n displayName: {\n type: \"string\" as const,\n required: false,\n },\n /\n Summary projection (key display fields as JSON string) — mirrored\n * from the canonical Configuration row so workspace-partition\n * queries do not need a BatchGet hop.\n /\n summary: {\n type: \"string\" as const,\n required: true,\n },\n /* Version id mirrored from the canonical Configuration row. /\n vid: {\n type: \"string\" as const,\n required: true,\n },\n /* Last-updated timestamp mirrored from the canonical Configuration row. /\n lastUpdated: {\n type: \"string\" as const,\n required: true,\n },\n },\n indexes: {\n /\n Base table: PK = TID#<tenantId>#WORKSPACE#ID#<workspaceId>,\n * SK = operation-supplied. A single\n * `Query(PK = TID#<tenantId>#WORKSPACE#ID#<workspaceId>, SK begins_with 'CONFIGURATION#')`\n * returns the workspace's workspace-scoped Configurations sorted by\n * `<normalizedConfigName>` (then `<configurationId>` as the\n * tiebreaker).\n /\n record: {\n pk: {\n field: \"PK\",\n composite: [\"tenantId\", \"workspaceId\"],\n template: \"TID#${tenantId}#WORKSPACE#ID#${workspaceId}\",\n },\n sk: {\n field: \"SK\",\n casing: \"none\" as const,\n composite: [\"sk\"],\n template: \"${sk}\",\n },\n },\n },\n});\n","import { Entity } from \"electrodb\";\nimport {\n gsi1ShardAttribute,\n membershipGsi1skAttribute,\n} from \"./control-entity-common\";\n\n/\n Membership data-store entity (single-table store).\n \n Classification (ADR 2026-03-03-01): Tenant-isolated, control plane. Membership links a User\n * to a Tenant (and optionally a Workspace). One record per (tenantId, id).\n \n Key structure: PK = TID#<tenantId>#MEMBERSHIP#ID#<id>, SK = CURRENT.\n * Uniqueness: one Membership per (tenantId, id).\n \n GSI1 — Unified Sharded List per ADR-011: lists all Memberships in a tenant across the four\n * shards. Membership is tenant-scoped (not workspace-scoped), so the GSI1 PK uses `WID#-` as a\n * sentinel.\n \n @see sites/www-docs/content/architecture/adr/2026-03-03-01-tenant-isolated-vs-non-tenant-isolated-entities.md\n * @see sites/www-docs/content/architecture/adr/2026-03-13-02-control-plane-roles-and-user-tenant-workspace-linkage.md\n * @see sites/www-docs/content/packages/@openhi/constructs/data/dynamo/single-table-design.md\n /\nexport const MembershipEntity = new Entity({\n model: {\n entity: \"membership\",\n service: \"control\",\n version: \"01\",\n },\n attributes: {\n /* Sort key sentinel. Always \"CURRENT\". /\n sk: {\n type: \"string\" as const,\n required: true,\n default: \"CURRENT\",\n },\n /* Tenant in which the user has membership (required). /\n tenantId: {\n type: \"string\" as const,\n required: true,\n },\n /* FHIR Resource.id; membership id. /\n id: {\n type: \"string\" as const,\n required: true,\n },\n /* Full Membership resource serialized as JSON string. /\n resource: {\n type: \"string\" as const,\n required: true,\n },\n /\n Summary projection (key display fields as JSON string: id, displayName, status).\n * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.\n /\n summary: {\n type: \"string\" as const,\n required: true,\n },\n /* Version id (e.g. ULID). /\n vid: {\n type: \"string\" as const,\n required: true,\n },\n lastUpdated: {\n type: \"string\" as const,\n required: true,\n },\n gsi1Shard: gsi1ShardAttribute,\n /\n Derived GSI1 sort key — `<normalizedUserName>#<id>` per ADR-018\n * pattern #1 so a GSI1 query partitioned on the tenant range-scans\n * by user-name prefix and returns memberships sorted by user name.\n * Falls back to `<lastUpdated>#<id>` when `denormalizedUserName`\n * is missing.\n /\n gsi1sk: membershipGsi1skAttribute,\n deleted: {\n type: \"boolean\" as const,\n required: false,\n },\n bundleId: {\n type: \"string\" as const,\n required: false,\n },\n msgId: {\n type: \"string\" as const,\n required: false,\n },\n /\n Denormalized `linked-data-identity` Reference (e.g. `Practitioner/abc`).\n * Populated from the FHIR extension on the Membership resource at write\n * time so future GSIs can index data-plane identity lookups without\n * deserializing the full resource JSON. See ADR 2026-03-13-02 §6.\n /\n linkedDataIdentityRef: {\n type: \"string\" as const,\n required: false,\n },\n /\n Denormalized display name of the linked Tenant, captured at row\n * last-write time. Promoted to a top-level attribute so the ADR-018\n * adjacency-list projection SKs (pattern #3 — `MEMBERSHIP#TENANT#<normalizedTenantName>#…`)\n * can be composed from a top-level field instead of digging into the\n * `resource` JSON. Optional on the schema so pre-TR-024 rows do not\n * break; the operations-layer multi-write helper (#1010) makes the\n * field load-bearing at write time per TR-024 rule 2 (write-time\n * source = canonical Tenant.displayName).\n * @see TR-024 — Denormalized display-name attributes\n /\n denormalizedTenantName: {\n type: \"string\" as const,\n required: false,\n },\n /\n Denormalized display name of the linked User, captured at row\n * last-write time. Promoted to a top-level attribute so the ADR-018\n * adjacency-list canonical-record GSI1SK (pattern #1 —\n * `<normalizedUserName>#<id>`) and workspace-projection SK (pattern #2)\n * can be composed from a top-level field. Optional on the schema so\n * pre-TR-024 rows do not break; the operations-layer multi-write helper\n * (#1010) makes the field load-bearing at write time per TR-024 rule 2\n * (write-time source = canonical User.displayName).\n * @see TR-024 — Denormalized display-name attributes\n /\n denormalizedUserName: {\n type: \"string\" as const,\n required: false,\n },\n },\n indexes: {\n /* Base table: PK = TID#<tenantId>#MEMBERSHIP#ID#<id>, SK = CURRENT. Do not supply PK or SK from outside. /\n record: {\n pk: {\n field: \"PK\",\n composite: [\"tenantId\", \"id\"],\n template: \"TID#${tenantId}#MEMBERSHIP#ID#${id}\",\n },\n sk: {\n field: \"SK\",\n composite: [\"sk\"],\n template: \"${sk}\",\n },\n },\n\n /\n GSI1 — Unified Sharded List per ADR-011: list all Memberships for a tenant across the\n * four shards. Membership is tenant-scoped only, so `WID#-` is a sentinel.\n * SK is derived via `membershipGsi1skAttribute` — composes\n * `<normalizedUserName>#<id>` per ADR-018 pattern #1 (users in a\n * tenant, sorted by user name); falls back to `<lastUpdated>#<id>`\n * when `denormalizedUserName` is missing. `casing: \"none\"` preserves\n * the normalized label and ISO-8601 `T`/`Z`.\n /\n gsi1: {\n index: \"GSI1\",\n pk: {\n field: \"GSI1PK\",\n composite: [\"tenantId\", \"gsi1Shard\"],\n template: \"TID#${tenantId}#WID#-#RT#Membership#SHARD#${gsi1Shard}\",\n },\n sk: {\n field: \"GSI1SK\",\n casing: \"none\" as const,\n composite: [\"gsi1sk\"],\n template: \"${gsi1sk}\",\n },\n },\n },\n});\n","import { Entity } from \"electrodb\";\n\n/\n Membership user-projection entity (single-table store, no GSI).\n \n ADR-018 adjacency-list projection. For every Membership write the\n * operations-layer multi-write helper writes one of two projection rows\n * under the user partition so the user-rooted access patterns #3 and #4\n * are served by a single base-table `Query` with no GSI hop:\n \n \| Pattern \| When \| PK \| SK \|\n * \|---\|---\|---\|---\|\n * \| #3 — tenant sub-lane \| `workspaceId` absent \| `USER#ID#<userId>` \| `MEMBERSHIP#TENANT#<normalizedTenantName>#TID#<tenantId>#<id>` \|\n * \| #4 — workspace sub-lane \| `workspaceId` set \| `USER#ID#<userId>` \| `MEMBERSHIP#WORKSPACE#TID#<tenantId>#<normalizedWorkspaceName>#WID#<workspaceId>#<id>` \|\n \n Both shapes share the user-partition `PK = USER#ID#<userId>`. The SK\n * shape is operation-owned: the operations-layer projection writer\n * composes the SK string via the `buildMembershipUserProjectionSk`\n helpers and supplies it on the `sk` attribute. This entity stores the\n * SK verbatim — no `watch`/derived computation here — so the SK grammar\n * (and any future revision) lives in one place: the operations layer.\n \n Projection attribute set per ADR-018 § Projection attribute set and\n * the implementation guide § 2: `summary`, `vid`, `lastUpdated` (so\n * `Query(PK = USER#ID#<userId>, SK begins_with 'MEMBERSHIP#')` is\n * self-sufficient — no BatchGet hop to the canonical record), plus the\n * projection-discriminating fields (`tenantId`, `userId`, `workspaceId?`,\n * `membershipId`) and TR-024 denormalized display names\n * (`denormalizedTenantName`, `denormalizedUserName`,\n * `denormalizedWorkspaceName?`).\n \n No GSI projection. Per ADR-018 § Decision, cross-cutting reads\n * are served by the main-table partition `USER#ID#<userId>`; the\n * GSI1/GSI2 catalog is unchanged.\n \n @see ADR-018 § Access Pattern Coverage (#3, #4)\n * @see .state/adr-018-implementation-guide.md § 1 (SK grammar) and § 2 (attribute set)\n * @see .claude/rules/data-layer-layout.md — projection writers live in operations, not here\n /\nexport const MembershipUserProjectionEntity = new Entity({\n model: {\n entity: \"membershipUserProjection\",\n service: \"control\",\n version: \"01\",\n },\n attributes: {\n /\n User partition discriminator. Renders as `USER#ID#<userId>` on the\n * base-table PK. Always required — the projection has no meaning\n * outside a user partition.\n /\n userId: {\n type: \"string\" as const,\n required: true,\n },\n /\n Pre-composed sort key — built by the operations-layer projection\n * writer via `buildMembershipUserProjectionSk` helpers. The entity\n stores the value verbatim so the SK grammar (patterns #3 and #4)\n * is owned by the operations layer, not duplicated here.\n /\n sk: {\n type: \"string\" as const,\n required: true,\n },\n /* Tenant in which the membership applies. Always required. /\n tenantId: {\n type: \"string\" as const,\n required: true,\n },\n /\n Workspace the membership scopes to. Present iff the projection\n * row is a pattern-#4 workspace sub-lane row; absent for pattern-#3\n * tenant sub-lane rows.\n /\n workspaceId: {\n type: \"string\" as const,\n required: false,\n },\n /\n Membership canonical-record id. Stored as a discriminating field\n * so consumers can hydrate the canonical row via\n * `MembershipEntity.get({ tenantId, id: membershipId })` when the\n * projection's `summary` is insufficient.\n /\n membershipId: {\n type: \"string\" as const,\n required: true,\n },\n /\n Summary projection (key display fields as JSON string: id,\n * displayName, status) — mirrored from the canonical Membership row\n * so user-partition queries do not need a BatchGet hop.\n /\n summary: {\n type: \"string\" as const,\n required: true,\n },\n /* Version id mirrored from the canonical Membership row. /\n vid: {\n type: \"string\" as const,\n required: true,\n },\n /* Last-updated timestamp mirrored from the canonical Membership row. /\n lastUpdated: {\n type: \"string\" as const,\n required: true,\n },\n /\n Denormalized Tenant display name — required to compose pattern-#3\n * SK (`MEMBERSHIP#TENANT#<normalizedTenantName>#…`). Optional on the\n * schema because pre-TR-024 rows may not carry a display name; the\n * operations layer falls back gracefully when missing.\n /\n denormalizedTenantName: {\n type: \"string\" as const,\n required: false,\n },\n /\n Denormalized User display name — mirrored from the canonical\n * Membership row per TR-024 rule 3 (canonical-record symmetry).\n * Carried on the projection so consumers can render the user's\n * display name without a hop to the User record.\n /\n denormalizedUserName: {\n type: \"string\" as const,\n required: false,\n },\n /\n Denormalized Workspace display name — required to compose\n * pattern-#4 SK (`MEMBERSHIP#WORKSPACE#TID#<tenantId>#<normalizedWorkspaceName>#…`).\n * Optional on the schema (TR-024 § Open Item #4 defers a formal\n * Workspace-rename cascade); the operations layer falls back to a\n * sentinel when missing so the SK still has a valid shape.\n /\n denormalizedWorkspaceName: {\n type: \"string\" as const,\n required: false,\n },\n },\n indexes: {\n /\n Base table: PK = USER#ID#\\<userId\\>, SK = operation-supplied.\n * Both pattern #3 and pattern #4 use this same index — the SK string\n * encodes the lane discriminator (`MEMBERSHIP#TENANT#…` vs\n * `MEMBERSHIP#WORKSPACE#…`) so a single\n * `Query(PK = USER#ID#<userId>, SK begins_with 'MEMBERSHIP#')`\n * returns both lanes interleaved.\n /\n record: {\n pk: {\n field: \"PK\",\n composite: [\"userId\"],\n template: \"USER#ID#${userId}\",\n },\n sk: {\n field: \"SK\",\n casing: \"none\" as const,\n composite: [\"sk\"],\n template: \"${sk}\",\n },\n },\n },\n});\n","import { Entity } from \"electrodb\";\n\n/\n Membership workspace-projection entity (single-table store, no GSI).\n \n ADR-018 adjacency-list projection. For every workspace-scoped\n * Membership the operations-layer multi-write helper writes one\n * projection row under the workspace partition so the workspace-rooted\n * access pattern #2 is served by a single base-table `Query` with no\n * GSI hop:\n \n \| Pattern \| When \| PK \| SK \|\n * \|---\|---\|---\|---\|\n * \| #2 — users in a workspace \| `workspaceId` set \| `TID#<tenantId>#WORKSPACE#ID#<workspaceId>` \| `MEMBERSHIP#<normalizedUserName>#USER#<userId>#<id>` \|\n \n The PK co-locates with the canonical Workspace record\n * (`SK = CURRENT`) so a single `Query(PK = TID#<tenantId>#WORKSPACE#ID#<workspaceId>)`\n * returns workspace metadata + every member projection in one round\n * trip. The SK shape is operation-owned: the operations-layer\n * projection writer composes the SK string via the\n * `buildMembershipWorkspaceProjectionSk` helper and supplies it on the\n * `sk` attribute. This entity stores the SK verbatim — no\n * `watch`/derived computation here — so the SK grammar lives in one\n * place: the operations layer.\n \n Projection attribute set per ADR-018 § Projection attribute set and\n * the implementation guide § 2: `summary`, `vid`, `lastUpdated` (so\n * `Query(PK = TID#<tenantId>#WORKSPACE#ID#<workspaceId>, SK begins_with 'MEMBERSHIP#')`\n * is self-sufficient — no BatchGet hop to the canonical record), plus\n * the projection-discriminating fields (`tenantId`, `workspaceId`,\n * `userId`, `membershipId`) and TR-024 denormalized user display name\n * (`denormalizedUserName`).\n \n No GSI projection. Per ADR-018 § Decision, cross-cutting reads\n * are served by the main-table partition\n * `TID#<tenantId>#WORKSPACE#ID#<workspaceId>`; the GSI1/GSI2 catalog\n * is unchanged.\n \n @see ADR-018 § Access Pattern Coverage (#2)\n * @see .state/adr-018-implementation-guide.md § 1 (SK grammar) and § 2 (attribute set)\n * @see .claude/rules/data-layer-layout.md — projection writers live in operations, not here\n /\nexport const MembershipWorkspaceProjectionEntity = new Entity({\n model: {\n entity: \"membershipWorkspaceProjection\",\n service: \"control\",\n version: \"01\",\n },\n attributes: {\n /\n Tenant the workspace belongs to. Renders as the leading segment\n * of the base-table PK. Always required — the workspace partition\n * is tenant-scoped per ADR-011.\n /\n tenantId: {\n type: \"string\" as const,\n required: true,\n },\n /\n Workspace partition discriminator. Renders as the trailing\n * segment of the base-table PK\n * (`TID#<tenantId>#WORKSPACE#ID#<workspaceId>`). Always required —\n * the projection has no meaning outside a workspace partition.\n /\n workspaceId: {\n type: \"string\" as const,\n required: true,\n },\n /\n Pre-composed sort key — built by the operations-layer projection\n * writer via `buildMembershipWorkspaceProjectionSk`. The entity\n * stores the value verbatim so the SK grammar (pattern #2) is\n * owned by the operations layer, not duplicated here.\n /\n sk: {\n type: \"string\" as const,\n required: true,\n },\n /\n User the membership links. Stored as a discriminating field so\n * consumers can hydrate the canonical User row via\n * `UserEntity.get({ id: userId, sk: \"CURRENT\" })` when the\n * projection's `summary` is insufficient.\n /\n userId: {\n type: \"string\" as const,\n required: true,\n },\n /\n Membership canonical-record id. Stored as a discriminating field\n * so consumers can hydrate the canonical row via\n * `MembershipEntity.get({ tenantId, id: membershipId })` when the\n * projection's `summary` is insufficient.\n /\n membershipId: {\n type: \"string\" as const,\n required: true,\n },\n /\n Summary projection (key display fields as JSON string: id,\n * displayName, status) — mirrored from the canonical Membership row\n * so workspace-partition queries do not need a BatchGet hop.\n /\n summary: {\n type: \"string\" as const,\n required: true,\n },\n /* Version id mirrored from the canonical Membership row. /\n vid: {\n type: \"string\" as const,\n required: true,\n },\n /* Last-updated timestamp mirrored from the canonical Membership row. /\n lastUpdated: {\n type: \"string\" as const,\n required: true,\n },\n /\n Denormalized User display name — required to compose the\n * pattern-#2 SK (`MEMBERSHIP#<normalizedUserName>#…`). Optional on\n * the schema because pre-TR-024 rows may not carry a display name;\n * the operations layer falls back to a sentinel when missing so\n * the SK still has a valid shape. The TR-023 rename-cascade\n * pipeline rewrites the SK on a User rename.\n /\n denormalizedUserName: {\n type: \"string\" as const,\n required: false,\n },\n },\n indexes: {\n /\n Base table: PK = TID#<tenantId>#WORKSPACE#ID#<workspaceId>,\n * SK = operation-supplied. Pattern #2 uses this index — the SK\n * encodes the entity-type prefix (`MEMBERSHIP#…`) so a\n * `Query(PK = TID#<tenantId>#WORKSPACE#ID#<workspaceId>, SK begins_with 'MEMBERSHIP#')`\n * returns every member projection for the workspace in normalized-\n * user-name sort order.\n /\n record: {\n pk: {\n field: \"PK\",\n composite: [\"tenantId\", \"workspaceId\"],\n template: \"TID#${tenantId}#WORKSPACE#ID#${workspaceId}\",\n },\n sk: {\n field: \"SK\",\n casing: \"none\" as const,\n composite: [\"sk\"],\n template: \"${sk}\",\n },\n },\n },\n});\n","import { Entity } from \"electrodb\";\nimport { gsi1ShardAttribute, gsi1skAttribute } from \"./control-entity-common\";\n\n/\n Role data-store entity (single-table store).\n \n Classification (ADR 2026-03-03-01): Non-tenant-isolated, control plane. Role is a\n * platform-wide role catalog (e.g. tenant-admin, tenant-user, system-admin); not scoped by tenant.\n * RoleAssignment references Role to assign a role to a User in a Tenant/Workspace context.\n \n Key structure: PK = ROLE#ID#<id>, SK = CURRENT.\n * The ROLE# prefix prevents key collisions with other non-tenant-isolated entities (User, etc.)\n * sharing the same table (ADR 2026-03-11-01 — preferred pattern for all control plane entities).\n * Uniqueness: one Role per id.\n \n GSI1 — Unified Sharded List per ADR-011: lists all Roles across the four shards. Non-tenant-\n * isolated, so the PK uses `TID#-#WID#-` sentinels.\n \n @see sites/www-docs/content/architecture/adr/2026-03-03-01-tenant-isolated-vs-non-tenant-isolated-entities.md\n * @see sites/www-docs/content/architecture/adr/2026-03-13-02-control-plane-roles-and-user-tenant-workspace-linkage.md\n * @see sites/www-docs/content/packages/@openhi/constructs/data/dynamo/single-table-design.md\n /\nexport const RoleEntity = new Entity({\n model: {\n entity: \"role\",\n service: \"control\",\n version: \"01\",\n },\n attributes: {\n /* Sort key sentinel. Always \"CURRENT\". /\n sk: {\n type: \"string\" as const,\n required: true,\n default: \"CURRENT\",\n },\n /* FHIR Resource.id; role id. /\n id: {\n type: \"string\" as const,\n required: true,\n },\n /* Full Role resource serialized as JSON string. /\n resource: {\n type: \"string\" as const,\n required: true,\n },\n /\n Summary projection (key display fields as JSON string: id, displayName, status).\n * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.\n /\n summary: {\n type: \"string\" as const,\n required: true,\n },\n /* Version id (e.g. ULID). /\n vid: {\n type: \"string\" as const,\n required: true,\n },\n lastUpdated: {\n type: \"string\" as const,\n required: true,\n },\n gsi1Shard: gsi1ShardAttribute,\n /* Derived GSI1 sort key — name-based when extractable; else `<lastUpdated>#<id>`. /\n gsi1sk: gsi1skAttribute,\n deleted: {\n type: \"boolean\" as const,\n required: false,\n },\n bundleId: {\n type: \"string\" as const,\n required: false,\n },\n msgId: {\n type: \"string\" as const,\n required: false,\n },\n },\n indexes: {\n /* Base table: PK = ROLE#ID#<id>, SK = CURRENT. Do not supply PK or SK from outside. /\n record: {\n pk: {\n field: \"PK\",\n composite: [\"id\"],\n template: \"ROLE#ID#${id}\",\n },\n sk: {\n field: \"SK\",\n composite: [\"sk\"],\n template: \"${sk}\",\n },\n },\n\n /\n GSI1 — Unified Sharded List per ADR-011: list all Roles across the four shards.\n * Non-tenant-isolated, so `TID#-#WID#-` sentinels precede `RT#Role#SHARD#<n>`.\n * SK is derived via `gsi1skAttribute` — uses the resource's natural label when\n * extractable, else `<lastUpdated>#<id>` (DR-004). `casing: \"none\"` preserves the\n * normalized label and ISO-8601 `T`/`Z`.\n /\n gsi1: {\n index: \"GSI1\",\n pk: {\n field: \"GSI1PK\",\n composite: [\"gsi1Shard\"],\n template: \"TID#-#WID#-#RT#Role#SHARD#${gsi1Shard}\",\n },\n sk: {\n field: \"GSI1SK\",\n casing: \"none\" as const,\n composite: [\"gsi1sk\"],\n template: \"${gsi1sk}\",\n },\n },\n },\n});\n","import { Entity } from \"electrodb\";\nimport {\n gsi1ShardAttribute,\n roleAssignmentGsi1skAttribute,\n} from \"./control-entity-common\";\n\n/\n RoleAssignment data-store entity (single-table store).\n \n Classification (ADR 2026-03-03-01): Tenant-isolated, control plane. RoleAssignment assigns\n * a Role to a User in a Tenant (and optionally Workspace) context.\n \n Key structure: PK = TID#<tenantId>#ROLEASSIGNMENT#ID#<id>, SK = CURRENT.\n * Uniqueness: one RoleAssignment per (tenantId, id).\n \n GSI1 — Unified Sharded List per ADR-011: lists all RoleAssignments in a tenant across the four\n * shards. Tenant-scoped only (workspace context lives inside the resource), so the GSI1 PK uses\n * `WID#-` as a sentinel.\n \n @see sites/www-docs/content/architecture/adr/2026-03-03-01-tenant-isolated-vs-non-tenant-isolated-entities.md\n * @see sites/www-docs/content/architecture/adr/2026-03-13-02-control-plane-roles-and-user-tenant-workspace-linkage.md\n * @see sites/www-docs/content/packages/@openhi/constructs/data/dynamo/single-table-design.md\n /\nexport const RoleAssignmentEntity = new Entity({\n model: {\n entity: \"roleassignment\",\n service: \"control\",\n version: \"01\",\n },\n attributes: {\n /* Sort key sentinel. Always \"CURRENT\". /\n sk: {\n type: \"string\" as const,\n required: true,\n default: \"CURRENT\",\n },\n /* Tenant in which the role assignment applies (required). /\n tenantId: {\n type: \"string\" as const,\n required: true,\n },\n /* FHIR Resource.id; role assignment id. /\n id: {\n type: \"string\" as const,\n required: true,\n },\n /* Full RoleAssignment resource serialized as JSON string. /\n resource: {\n type: \"string\" as const,\n required: true,\n },\n /\n Summary projection (key display fields as JSON string: id, displayName, status).\n * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.\n /\n summary: {\n type: \"string\" as const,\n required: true,\n },\n /* Version id (e.g. ULID). /\n vid: {\n type: \"string\" as const,\n required: true,\n },\n lastUpdated: {\n type: \"string\" as const,\n required: true,\n },\n gsi1Shard: gsi1ShardAttribute,\n /\n Derived GSI1 sort key — discriminator-first\n * `<roleId>#<normalizedUserName>#<id>` per ADR-018 pattern #8 so a\n * GSI1 query partitioned on the tenant can `begins_with('<roleId>#')`\n * to enumerate every user assigned to a given role, sorted by user\n * name. Falls back to `<lastUpdated>#<id>` when either component is\n * missing.\n /\n gsi1sk: roleAssignmentGsi1skAttribute,\n deleted: {\n type: \"boolean\" as const,\n required: false,\n },\n bundleId: {\n type: \"string\" as const,\n required: false,\n },\n msgId: {\n type: \"string\" as const,\n required: false,\n },\n /\n Denormalized display name of the linked Tenant, captured at row\n * last-write time. Promoted to a top-level attribute so the ADR-018\n * adjacency-list user-projection SK (pattern #5 —\n * `ROLEASSIGNMENT#TENANT#<normalizedRoleName>#<roleId>#TID#<tenantId>#<id>`)\n * can be composed from a top-level field instead of digging into the\n * `resource` JSON. Optional on the schema so pre-TR-024 rows do not\n * break; the operations-layer multi-write helper (#1010) makes the\n * field load-bearing at write time per TR-024 rule 2 (write-time\n * source = canonical Tenant.displayName).\n * @see TR-024 — Denormalized display-name attributes\n /\n denormalizedTenantName: {\n type: \"string\" as const,\n required: false,\n },\n /\n Denormalized display name of the linked User, captured at row\n * last-write time. Promoted to a top-level attribute so the ADR-018\n * adjacency-list canonical-record GSI1SK (pattern #8 —\n * `<roleId>#<normalizedUserName>#<id>`) and workspace-projection SK\n * (pattern #9) can be composed from a top-level field. Optional on\n * the schema so pre-TR-024 rows do not break; the operations-layer\n * multi-write helper (#1010) makes the field load-bearing at write\n * time per TR-024 rule 2 (write-time source = canonical\n * User.displayName).\n * @see TR-024 — Denormalized display-name attributes\n /\n denormalizedUserName: {\n type: \"string\" as const,\n required: false,\n },\n /\n Denormalized display name of the linked Role, captured at row\n * last-write time. Promoted to a top-level attribute so the ADR-018\n * adjacency-list user-projection SK (pattern #5 —\n * `ROLEASSIGNMENT#TENANT#<normalizedRoleName>#…`) can be composed from\n * a top-level field. Optional on the schema so pre-TR-024 rows do not\n * break; the operations-layer multi-write helper (#1010) makes the\n * field load-bearing at write time per TR-024 rule 2 (write-time\n * source = canonical Role.displayName).\n * @see TR-024 — Denormalized display-name attributes\n /\n denormalizedRoleName: {\n type: \"string\" as const,\n required: false,\n },\n },\n indexes: {\n /* Base table: PK = TID#<tenantId>#ROLEASSIGNMENT#ID#<id>, SK = CURRENT. Do not supply PK or SK from outside. /\n record: {\n pk: {\n field: \"PK\",\n composite: [\"tenantId\", \"id\"],\n template: \"TID#${tenantId}#ROLEASSIGNMENT#ID#${id}\",\n },\n sk: {\n field: \"SK\",\n composite: [\"sk\"],\n template: \"${sk}\",\n },\n },\n\n /\n GSI1 — Unified Sharded List per ADR-011: list all RoleAssignments for a tenant across the\n * four shards. Tenant-scoped only, so `WID#-` is a sentinel.\n * SK is derived via `roleAssignmentGsi1skAttribute` — composes the\n * discriminator-first `<roleId>#<normalizedUserName>#<id>` shape per\n * ADR-018 pattern #8 (users with a specific role in a tenant, sorted\n * by user name); falls back to `<lastUpdated>#<id>` when either\n * component is missing. `casing: \"none\"` preserves the normalized\n * label and ISO-8601 `T`/`Z`.\n /\n gsi1: {\n index: \"GSI1\",\n pk: {\n field: \"GSI1PK\",\n composite: [\"tenantId\", \"gsi1Shard\"],\n template: \"TID#${tenantId}#WID#-#RT#RoleAssignment#SHARD#${gsi1Shard}\",\n },\n sk: {\n field: \"GSI1SK\",\n casing: \"none\" as const,\n composite: [\"gsi1sk\"],\n template: \"${gsi1sk}\",\n },\n },\n },\n});\n","import { Entity } from \"electrodb\";\n\n/\n RoleAssignment user-projection entity (single-table store, no GSI).\n \n ADR-018 adjacency-list projection. For every RoleAssignment write\n * the operations-layer multi-write helper writes one projection row\n * under the user partition so the user-rooted access pattern #5 is\n * served by a single base-table `Query` with no GSI hop. The SK encodes\n * a tenant-vs-workspace discriminator sub-prefix so both sub-lanes share\n * the user partition:\n \n \| Sub-lane \| When \| PK \| SK \|\n * \|---\|---\|---\|---\|\n * \| tenant-level \| `workspaceId` absent \| `USER#ID#<userId>` \| `ROLEASSIGNMENT#TENANT#<normalizedRoleName>#<roleId>#TID#<tenantId>#<id>` \|\n * \| workspace-level \| `workspaceId` set \| `USER#ID#<userId>` \| `ROLEASSIGNMENT#WORKSPACE#<normalizedRoleName>#<roleId>#TID#<tenantId>#WID#<workspaceId>#<id>` \|\n \n The SK shape is operation-owned: the operations-layer projection\n * writer composes the SK string via the\n * `buildRoleAssignmentUserProjectionSk` helpers and supplies it on the\n `sk` attribute. This entity stores the SK verbatim — no\n * `watch`/derived computation here — so the SK grammar (and any future\n * revision) lives in one place: the operations layer.\n \n Projection attribute set per ADR-018 § Projection attribute set and\n * the implementation guide § 2: `summary`, `vid`, `lastUpdated` (so\n * `Query(PK = USER#ID#<userId>, SK begins_with 'ROLEASSIGNMENT#')` is\n * self-sufficient — no BatchGet hop to the canonical record), plus the\n * projection-discriminating fields (`tenantId`, `roleId`,\n * `roleAssignmentId`, `userId`, `workspaceId?`) and TR-024 denormalized\n * display names (`denormalizedTenantName`, `denormalizedUserName`,\n * `denormalizedRoleName`).\n \n No GSI projection. Per ADR-018 § Decision, cross-cutting reads\n * are served by the main-table partition `USER#ID#<userId>`; the\n * GSI1/GSI2 catalog is unchanged.\n \n @see ADR-018 § Access Pattern Coverage (#5)\n * @see .state/adr-018-implementation-guide.md § 1 (SK grammar) and § 2 (attribute set)\n * @see .claude/rules/data-layer-layout.md — projection writers live in operations, not here\n /\nexport const RoleAssignmentUserProjectionEntity = new Entity({\n model: {\n entity: \"roleAssignmentUserProjection\",\n service: \"control\",\n version: \"01\",\n },\n attributes: {\n /\n User partition discriminator. Renders as `USER#ID#<userId>` on the\n * base-table PK. Always required — the projection has no meaning\n * outside a user partition.\n /\n userId: {\n type: \"string\" as const,\n required: true,\n },\n /\n Pre-composed sort key — built by the operations-layer projection\n * writer via `buildRoleAssignmentUserProjectionSk` helpers. The\n entity stores the value verbatim so the SK grammar (tenant-lane\n * vs workspace-lane) is owned by the operations layer, not\n * duplicated here.\n /\n sk: {\n type: \"string\" as const,\n required: true,\n },\n /* Tenant in which the role assignment applies. Always required. /\n tenantId: {\n type: \"string\" as const,\n required: true,\n },\n /\n Workspace the role assignment scopes to. Present iff the\n * projection row is the workspace-level sub-lane; absent for\n * tenant-level sub-lane rows.\n /\n workspaceId: {\n type: \"string\" as const,\n required: false,\n },\n /\n Role the assignment grants. Stored as a discriminating field so\n * `Query(PK = USER#ID#<userId>, SK begins_with 'ROLEASSIGNMENT#…')`\n * results carry the role id without a hop to the canonical row.\n /\n roleId: {\n type: \"string\" as const,\n required: true,\n },\n /\n RoleAssignment canonical-record id. Stored as a discriminating\n * field so consumers can hydrate the canonical row via\n * `RoleAssignmentEntity.get({ tenantId, id: roleAssignmentId })`\n * when the projection's `summary` is insufficient.\n /\n roleAssignmentId: {\n type: \"string\" as const,\n required: true,\n },\n /\n Summary projection (key display fields as JSON string: id,\n * displayName, status) — mirrored from the canonical RoleAssignment\n * row so user-partition queries do not need a BatchGet hop.\n /\n summary: {\n type: \"string\" as const,\n required: true,\n },\n /* Version id mirrored from the canonical RoleAssignment row. /\n vid: {\n type: \"string\" as const,\n required: true,\n },\n /* Last-updated timestamp mirrored from the canonical RoleAssignment row. /\n lastUpdated: {\n type: \"string\" as const,\n required: true,\n },\n /\n Denormalized Tenant display name — mirrored from the canonical\n * RoleAssignment row per TR-024 rule 3 (canonical-record symmetry).\n * Optional on the schema because pre-TR-024 rows may not carry a\n * display name; the operations layer falls back gracefully when\n * missing.\n /\n denormalizedTenantName: {\n type: \"string\" as const,\n required: false,\n },\n /\n Denormalized User display name — mirrored from the canonical\n * RoleAssignment row per TR-024 rule 3 (canonical-record symmetry).\n * Carried on the projection so consumers can render the user's\n * display name without a hop to the User record.\n /\n denormalizedUserName: {\n type: \"string\" as const,\n required: false,\n },\n /\n Denormalized Role display name — required to compose the SK's\n * `<normalizedRoleName>` segment. Optional on the schema (pre-TR-024\n * rows fall back to a sentinel) but expected to be present at write\n * time per TR-024 rule 2 (write-time source =\n * canonical Role.displayName).\n /\n denormalizedRoleName: {\n type: \"string\" as const,\n required: false,\n },\n },\n indexes: {\n /\n Base table: PK = USER#ID#\\<userId\\>, SK = operation-supplied. Both\n * sub-lanes (tenant-level and workspace-level) use this same index —\n * the SK string encodes the lane discriminator\n * (`ROLEASSIGNMENT#TENANT#…` vs `ROLEASSIGNMENT#WORKSPACE#…`) so a\n * single `Query(PK = USER#ID#<userId>, SK begins_with 'ROLEASSIGNMENT#')`\n * returns both lanes interleaved.\n /\n record: {\n pk: {\n field: \"PK\",\n composite: [\"userId\"],\n template: \"USER#ID#${userId}\",\n },\n sk: {\n field: \"SK\",\n casing: \"none\" as const,\n composite: [\"sk\"],\n template: \"${sk}\",\n },\n },\n },\n});\n","import { Entity } from \"electrodb\";\n\n/\n RoleAssignment workspace-projection entity (single-table store, no GSI).\n \n ADR-018 adjacency-list projection. For every workspace-scoped\n * RoleAssignment the operations-layer multi-write helper writes one\n * projection row under the workspace partition so the workspace-rooted\n * access pattern #9 is served by a single base-table `Query` with no\n * GSI hop:\n \n \| Pattern \| When \| PK \| SK \|\n * \|---\|---\|---\|---\|\n * \| #9 — users with a specific role in a workspace \| `workspaceId` set \| `TID#<tenantId>#WORKSPACE#ID#<workspaceId>` \| `ROLEASSIGNMENT#<roleId>#<normalizedUserName>#USER#<userId>#<id>` \|\n \n The SK is discriminator-first on the raw `<roleId>` (mirroring the\n * canonical GSI1SK from pattern #8): role id discriminates first so a\n * `begins_with('ROLEASSIGNMENT#<roleId>#')` filter returns every user\n * assigned to that role in the workspace, sorted alphabetically by\n * normalized user name. Omitting the `<roleId>#` segment\n * (`begins_with('ROLEASSIGNMENT#')`) returns every role assignment in\n * the workspace interleaved.\n \n The PK co-locates with the canonical Workspace record (`SK = CURRENT`)\n * and the Membership workspace-projection rows (pattern #2) so a single\n * `Query(PK = TID#<tenantId>#WORKSPACE#ID#<workspaceId>)` returns\n * workspace metadata + every member projection + every role-assignment\n * projection in one round trip — the admin workspace-dashboard read shape.\n \n The SK shape is operation-owned: the operations-layer projection\n * writer composes the SK string via the\n * `buildRoleAssignmentWorkspaceProjectionSk` helper and supplies it on\n * the `sk` attribute. This entity stores the SK verbatim — no\n * `watch`/derived computation here — so the SK grammar lives in one\n * place: the operations layer.\n \n Projection attribute set per ADR-018 § Projection attribute set and\n * the implementation guide § 2: `summary`, `vid`, `lastUpdated` (so\n * `Query(PK = TID#<tenantId>#WORKSPACE#ID#<workspaceId>, SK begins_with 'ROLEASSIGNMENT#')`\n * is self-sufficient — no BatchGet hop to the canonical record), plus\n * the projection-discriminating fields (`tenantId`, `workspaceId`,\n * `roleId`, `roleAssignmentId`, `userId`) and TR-024 denormalized\n * display names (`denormalizedUserName`, `denormalizedRoleName`).\n \n Rename-cascade interaction (TR-023, Phase 6). The SK uses the\n * raw `<roleId>` (rename-stable) for the discriminator and\n * `<normalizedUserName>` for the secondary sort. A Role rename does NOT\n * rewrite this SK; a User rename DOES (cascaded by the rename pipeline).\n \n No GSI projection. Per ADR-018 § Decision, cross-cutting reads\n * are served by the main-table partition\n * `TID#<tenantId>#WORKSPACE#ID#<workspaceId>`; the GSI1/GSI2 catalog\n * is unchanged.\n \n @see ADR-018 § Access Pattern Coverage (#9)\n * @see .state/adr-018-implementation-guide.md § 1 (SK grammar) and § 2 (attribute set)\n * @see .claude/rules/data-layer-layout.md — projection writers live in operations, not here\n /\nexport const RoleAssignmentWorkspaceProjectionEntity = new Entity({\n model: {\n entity: \"roleAssignmentWorkspaceProjection\",\n service: \"control\",\n version: \"01\",\n },\n attributes: {\n /\n Tenant the workspace belongs to. Renders as the leading segment\n * of the base-table PK. Always required — the workspace partition\n * is tenant-scoped per ADR-011.\n /\n tenantId: {\n type: \"string\" as const,\n required: true,\n },\n /\n Workspace partition discriminator. Renders as the trailing\n * segment of the base-table PK\n * (`TID#<tenantId>#WORKSPACE#ID#<workspaceId>`). Always required —\n * the projection has no meaning outside a workspace partition.\n /\n workspaceId: {\n type: \"string\" as const,\n required: true,\n },\n /\n Pre-composed sort key — built by the operations-layer projection\n * writer via `buildRoleAssignmentWorkspaceProjectionSk`. The entity\n * stores the value verbatim so the SK grammar (pattern #9) is\n * owned by the operations layer, not duplicated here.\n /\n sk: {\n type: \"string\" as const,\n required: true,\n },\n /\n User the role assignment grants the role to. Stored as a\n * discriminating field so consumers can hydrate the canonical User\n * row via `UserEntity.get({ id: userId, sk: \"CURRENT\" })` when the\n * projection's `summary` is insufficient.\n /\n userId: {\n type: \"string\" as const,\n required: true,\n },\n /\n Role the assignment grants. Stored as a discriminating field —\n * also rendered into the SK as the discriminator-first segment so\n * `begins_with('ROLEASSIGNMENT#<roleId>#')` filters one role.\n /\n roleId: {\n type: \"string\" as const,\n required: true,\n },\n /\n RoleAssignment canonical-record id. Stored as a discriminating\n * field so consumers can hydrate the canonical row via\n * `RoleAssignmentEntity.get({ tenantId, id: roleAssignmentId })`\n * when the projection's `summary` is insufficient.\n /\n roleAssignmentId: {\n type: \"string\" as const,\n required: true,\n },\n /\n Summary projection (key display fields as JSON string: id,\n * displayName, status) — mirrored from the canonical RoleAssignment\n * row so workspace-partition queries do not need a BatchGet hop.\n /\n summary: {\n type: \"string\" as const,\n required: true,\n },\n /* Version id mirrored from the canonical RoleAssignment row. /\n vid: {\n type: \"string\" as const,\n required: true,\n },\n /* Last-updated timestamp mirrored from the canonical RoleAssignment row. /\n lastUpdated: {\n type: \"string\" as const,\n required: true,\n },\n /\n Denormalized User display name — required to compose the\n * pattern-#9 SK (`ROLEASSIGNMENT#<roleId>#<normalizedUserName>#…`).\n * Optional on the schema because pre-TR-024 rows may not carry a\n * display name; the operations layer falls back to a sentinel when\n * missing so the SK still has a valid shape. The TR-023 rename-\n * cascade pipeline rewrites the SK on a User rename.\n /\n denormalizedUserName: {\n type: \"string\" as const,\n required: false,\n },\n /\n Denormalized Role display name — mirrored from the canonical\n * RoleAssignment row per TR-024 rule 3 (canonical-record symmetry).\n * Carried on the projection so consumers can render the role's\n * display name without a hop to the Role record. Not part of the\n * SK (pattern #9 sorts on `<normalizedUserName>`, not role name) —\n * a Role rename does NOT rewrite this SK.\n /\n denormalizedRoleName: {\n type: \"string\" as const,\n required: false,\n },\n },\n indexes: {\n /\n Base table: PK = TID#<tenantId>#WORKSPACE#ID#<workspaceId>,\n * SK = operation-supplied. Pattern #9 uses this index — the SK\n * encodes the entity-type prefix and discriminator-first roleId\n * (`ROLEASSIGNMENT#<roleId>#…`) so\n * `Query(PK = TID#<tenantId>#WORKSPACE#ID#<workspaceId>, SK begins_with 'ROLEASSIGNMENT#<roleId>#')`\n * returns every user-assignment for that role in the workspace, sorted\n * by normalized user name.\n /\n record: {\n pk: {\n field: \"PK\",\n composite: [\"tenantId\", \"workspaceId\"],\n template: \"TID#${tenantId}#WORKSPACE#ID#${workspaceId}\",\n },\n sk: {\n field: \"SK\",\n casing: \"none\" as const,\n composite: [\"sk\"],\n template: \"${sk}\",\n },\n },\n },\n});\n","import { Entity } from \"electrodb\";\nimport { gsi1ShardAttribute, gsi1skAttribute } from \"./control-entity-common\";\n\n/\n Tenant data-store entity (single-table store).\n \n Classification (ADR 2026-03-03-01): Tenant-isolated, control plane. Tenant IS the top scope;\n * the workspace dimension is not applicable and uses the sentinel `TENANT`. The tenant's own `id`\n * is stored as `tenantId` to drive the partition key.\n \n Key structure: PK = TENANT#ID#<tenantId>, SK = CURRENT.\n * Uniqueness: one Tenant per tenantId (id).\n \n GSI1 — Unified Sharded List per ADR-011: lists all Tenants across the four shards. Tenant has\n * no parent tenant or workspace, so the PK uses `TID#-#WID#-` sentinels.\n \n @see sites/www-docs/content/architecture/adr/2026-03-03-01-tenant-isolated-vs-non-tenant-isolated-entities.md\n * @see sites/www-docs/content/architecture/adr/2026-03-13-01-tenant-and-workspace-fhir-types-control-plane.md\n * @see sites/www-docs/content/packages/@openhi/constructs/data/dynamo/single-table-design.md\n /\nexport const TenantEntity = new Entity({\n model: {\n entity: \"tenant\",\n service: \"control\",\n version: \"01\",\n },\n attributes: {\n /* Sort key sentinel. Always \"CURRENT\". /\n sk: {\n type: \"string\" as const,\n required: true,\n default: \"CURRENT\",\n },\n /* The tenant's own id (= resource id). Drives the partition key. /\n tenantId: {\n type: \"string\" as const,\n required: true,\n },\n /* FHIR Resource.id; logical id in URL. Equals tenantId. /\n id: {\n type: \"string\" as const,\n required: true,\n },\n /* Full Tenant resource serialized as JSON string. /\n resource: {\n type: \"string\" as const,\n required: true,\n },\n /\n Summary projection (key display fields as JSON string: id, displayName, status).\n * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.\n /\n summary: {\n type: \"string\" as const,\n required: true,\n },\n /* Version id (e.g. ULID). /\n vid: {\n type: \"string\" as const,\n required: true,\n },\n lastUpdated: {\n type: \"string\" as const,\n required: true,\n },\n /\n ADR-028 denormalized counter — number of tenant-scoped Memberships\n * (users) in this tenant. Maintained by the counter-maintenance\n * consumer via atomic ADD; absent/0 until first event or reconciliation.\n /\n usersInTenant: {\n type: \"number\" as const,\n required: false,\n },\n /\n ADR-028 denormalized counter — number of Workspaces in this tenant.\n * Maintained by the counter-maintenance consumer via atomic ADD;\n * absent/0 until first event or reconciliation.\n /\n workspacesInTenant: {\n type: \"number\" as const,\n required: false,\n },\n gsi1Shard: gsi1ShardAttribute,\n /* Derived GSI1 sort key — name-based when extractable; else `<lastUpdated>#<id>`. /\n gsi1sk: gsi1skAttribute,\n deleted: {\n type: \"boolean\" as const,\n required: false,\n },\n bundleId: {\n type: \"string\" as const,\n required: false,\n },\n msgId: {\n type: \"string\" as const,\n required: false,\n },\n },\n indexes: {\n /* Base table: PK = TENANT#ID#<tenantId>, SK = CURRENT. Do not supply PK or SK from outside. /\n record: {\n pk: {\n field: \"PK\",\n composite: [\"tenantId\"],\n template: \"TENANT#ID#${tenantId}\",\n },\n sk: {\n field: \"SK\",\n composite: [\"sk\"],\n template: \"${sk}\",\n },\n },\n\n /\n GSI1 — Unified Sharded List per ADR-011: list all Tenants across the four shards.\n * Tenant lives at the platform tier (no parent tenant or workspace), so `TID#-#WID#-`\n * sentinels precede `RT#Tenant#SHARD#<n>`. SK is derived via `gsi1skAttribute` —\n * `<normalizedName>#<id>` when the resource carries a `name`, else `<lastUpdated>#<id>`\n * (DR-004). `casing: \"none\"` preserves the normalized label and ISO-8601 `T`/`Z`.\n /\n gsi1: {\n index: \"GSI1\",\n pk: {\n field: \"GSI1PK\",\n composite: [\"gsi1Shard\"],\n template: \"TID#-#WID#-#RT#Tenant#SHARD#${gsi1Shard}\",\n },\n sk: {\n field: \"GSI1SK\",\n casing: \"none\" as const,\n composite: [\"gsi1sk\"],\n template: \"${gsi1sk}\",\n },\n },\n },\n});\n","import { Entity } from \"electrodb\";\nimport { gsi1ShardAttribute, gsi1skAttribute } from \"./control-entity-common\";\n\n/\n User data-store entity (single-table store).\n \n Classification (ADR 2026-03-03-01): Non-tenant-isolated, control plane. User is a\n * platform-wide identity; association with tenants and workspaces is through Membership and\n * RoleAssignment, not the User entity's own key.\n \n Key structure: PK = USER#ID#<id>, SK = CURRENT.\n * The USER# prefix prevents key collisions with other non-tenant-isolated entities (Role, etc.)\n * sharing the same table (ADR 2026-03-11-01 — preferred pattern for all control plane entities).\n * Uniqueness: one User per id.\n \n GSI1 — Unified Sharded List per ADR-011: lists all Users across the four shards. Non-tenant-\n * isolated, so the PK uses `TID#-#WID#-` sentinels.\n * GSI2 — Cognito sub-lookup per ADR-011: resolves a UserEntity from a Cognito `sub` claim\n * (`USER#SUB#<cognitoSub>` PK, `CURRENT` SK). The `cognitoSub` attribute is populated by the\n * Post Confirmation Lambda (Epic #765 / #770); kept optional here until that write path lands.\n \n @see sites/www-docs/content/architecture/adr/2026-03-03-01-tenant-isolated-vs-non-tenant-isolated-entities.md\n * @see sites/www-docs/content/architecture/adr/2026-03-11-01-user-type-definition-fhir-and-data-layer.md\n * @see sites/www-docs/content/packages/@openhi/constructs/data/dynamo/single-table-design.md\n /\nexport const UserEntity = new Entity({\n model: {\n entity: \"user\",\n service: \"control\",\n version: \"01\",\n },\n attributes: {\n /* Sort key sentinel. Always \"CURRENT\". /\n sk: {\n type: \"string\" as const,\n required: true,\n default: \"CURRENT\",\n },\n /* FHIR Resource.id; platform user id (ohi_uid). /\n id: {\n type: \"string\" as const,\n required: true,\n },\n /* Full User resource serialized as JSON string. /\n resource: {\n type: \"string\" as const,\n required: true,\n },\n /\n Summary projection (key display fields as JSON string: id, displayName, status).\n * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.\n /\n summary: {\n type: \"string\" as const,\n required: true,\n },\n /\n Immutable Cognito-issued `sub` claim. Drives GSI2 (sub-lookup). Optional until the\n * Post Confirmation Lambda (#770) lands; required thereafter.\n /\n cognitoSub: {\n type: \"string\" as const,\n required: false,\n },\n /* Version id (e.g. ULID). /\n vid: {\n type: \"string\" as const,\n required: true,\n },\n lastUpdated: {\n type: \"string\" as const,\n required: true,\n },\n /\n ADR-028 denormalized counter — number of tenant-scoped Memberships\n * (tenants) this user belongs to. Maintained by the\n * counter-maintenance consumer via atomic ADD; absent/0 until first\n * event or reconciliation.\n /\n tenantsForUser: {\n type: \"number\" as const,\n required: false,\n },\n /\n ADR-028 denormalized counter — number of workspace-scoped\n * Memberships (workspaces) this user belongs to. Maintained by the\n * counter-maintenance consumer via atomic ADD; absent/0 until first\n * event or reconciliation.\n /\n workspacesForUser: {\n type: \"number\" as const,\n required: false,\n },\n gsi1Shard: gsi1ShardAttribute,\n /* Derived GSI1 sort key — name-based when extractable; else `<lastUpdated>#<id>`. /\n gsi1sk: gsi1skAttribute,\n deleted: {\n type: \"boolean\" as const,\n required: false,\n },\n /\n TR-022 / ADR-018 lifecycle state for the cascade pipeline.\n \n - `active` (or undefined) — normal, readable state.\n * - `deleting` — intermediate state set synchronously by the\n * hard-delete API entry point. The owning-delete cascade state\n * machine fans out from this transition (DynamoDB stream →\n * `control-plane.owning-delete.v1` → Step Functions). Readers MUST\n * short-circuit on `deleting` so partial cascades stay invisible.\n * - `deleted-failed` — terminal failure state set by the cascade\n * finalize Lambda when the cascade run fails irrecoverably.\n * Operators recover by re-running the cascade or by direct\n * intervention.\n \n The cascade finalize step deletes the canonical record conditional\n * on `lifecycleState = \"deleting\"`; on replay the conditional check\n * fails and the finalize step treats that as a no-op success.\n /\n lifecycleState: {\n type: [\"active\", \"deleting\", \"deleted-failed\"] as const,\n required: false,\n },\n bundleId: {\n type: \"string\" as const,\n required: false,\n },\n msgId: {\n type: \"string\" as const,\n required: false,\n },\n },\n indexes: {\n /* Base table: PK = USER#ID#<id>, SK = CURRENT. Do not supply PK or SK from outside. /\n record: {\n pk: {\n field: \"PK\",\n composite: [\"id\"],\n template: \"USER#ID#${id}\",\n },\n sk: {\n field: \"SK\",\n composite: [\"sk\"],\n template: \"${sk}\",\n },\n },\n\n /\n GSI1 — Unified Sharded List per ADR-011: list all Users across the four shards.\n * Non-tenant-isolated, so `TID#-#WID#-` sentinels precede `RT#User#SHARD#<n>`.\n * SK is derived via `gsi1skAttribute` — uses the resource's natural label when\n * extractable (string `name`/`title` via introspection), else `<lastUpdated>#<id>`\n * (DR-004). `casing: \"none\"` preserves the normalized label and ISO-8601 `T`/`Z`.\n /\n gsi1: {\n index: \"GSI1\",\n pk: {\n field: \"GSI1PK\",\n composite: [\"gsi1Shard\"],\n template: \"TID#-#WID#-#RT#User#SHARD#${gsi1Shard}\",\n },\n sk: {\n field: \"GSI1SK\",\n casing: \"none\" as const,\n composite: [\"gsi1sk\"],\n template: \"${gsi1sk}\",\n },\n },\n\n /\n GSI2 — Cognito sub-lookup per ADR-011: resolves the UserEntity from a Cognito `sub` claim.\n * `condition` skips the index when `cognitoSub` is missing so legacy items without a sub are\n * not indexed.\n /\n gsi2: {\n index: \"GSI2\",\n condition: (attrs: { cognitoSub?: string }) =>\n typeof attrs.cognitoSub === \"string\" && attrs.cognitoSub.length > 0,\n pk: {\n field: \"GSI2PK\",\n casing: \"none\" as const,\n composite: [\"cognitoSub\"],\n template: \"USER#SUB#${cognitoSub}\",\n },\n sk: {\n field: \"GSI2SK\",\n casing: \"none\" as const,\n composite: [],\n template: \"CURRENT\",\n },\n },\n },\n});\n","import { Entity } from \"electrodb\";\nimport { gsi1ShardAttribute, gsi1skAttribute } from \"./control-entity-common\";\n\n/\n Workspace data-store entity (single-table store).\n \n Classification (ADR 2026-03-03-01): Tenant-isolated, control plane. Each workspace belongs\n * to exactly one tenant; both tenantId and workspace id are in the partition key.\n \n Key structure: PK = TID#<tenantId>#WORKSPACE#ID#<id>, SK = CURRENT.\n * Uniqueness: one Workspace per (tenantId, id).\n \n GSI1 — Unified Sharded List per ADR-011: lists all Workspaces in a tenant across the four\n * shards. Workspace is itself the workspace identity, so the GSI1 PK uses `WID#-` as a sentinel.\n \n @see sites/www-docs/content/architecture/adr/2026-03-03-01-tenant-isolated-vs-non-tenant-isolated-entities.md\n * @see sites/www-docs/content/architecture/adr/2026-03-13-01-tenant-and-workspace-fhir-types-control-plane.md\n * @see sites/www-docs/content/packages/@openhi/constructs/data/dynamo/single-table-design.md\n /\nexport const WorkspaceEntity = new Entity({\n model: {\n entity: \"workspace\",\n service: \"control\",\n version: \"01\",\n },\n attributes: {\n /* Sort key sentinel. Always \"CURRENT\". /\n sk: {\n type: \"string\" as const,\n required: true,\n default: \"CURRENT\",\n },\n /* Tenant that contains this workspace (required). /\n tenantId: {\n type: \"string\" as const,\n required: true,\n },\n /* FHIR Resource.id; logical id in URL. /\n id: {\n type: \"string\" as const,\n required: true,\n },\n /* Full Workspace resource serialized as JSON string. /\n resource: {\n type: \"string\" as const,\n required: true,\n },\n /\n Summary projection (key display fields as JSON string: id, displayName, status).\n * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.\n /\n summary: {\n type: \"string\" as const,\n required: true,\n },\n /* Version id (e.g. ULID). /\n vid: {\n type: \"string\" as const,\n required: true,\n },\n lastUpdated: {\n type: \"string\" as const,\n required: true,\n },\n /\n ADR-028 denormalized counter — number of workspace-scoped\n * Memberships (users) in this workspace. Maintained by the\n * counter-maintenance consumer via atomic ADD; absent/0 until first\n * event or reconciliation.\n /\n usersInWorkspace: {\n type: \"number\" as const,\n required: false,\n },\n /\n ADR-028 denormalized counter — number of workspace-scoped\n * RoleAssignments classified as admin-tier in this workspace.\n * Maintained by the counter-maintenance consumer via atomic ADD;\n * absent/0 until first event or reconciliation.\n /\n adminUsersInWorkspace: {\n type: \"number\" as const,\n required: false,\n },\n /\n ADR-028 denormalized counter — number of workspace-scoped\n * RoleAssignments classified as non-admin in this workspace.\n * Maintained by the counter-maintenance consumer via atomic ADD;\n * absent/0 until first event or reconciliation.\n /\n normalUsersInWorkspace: {\n type: \"number\" as const,\n required: false,\n },\n gsi1Shard: gsi1ShardAttribute,\n /* Derived GSI1 sort key — name-based when extractable; else `<lastUpdated>#<id>`. /\n gsi1sk: gsi1skAttribute,\n deleted: {\n type: \"boolean\" as const,\n required: false,\n },\n /\n TR-022 / ADR-018 lifecycle state for the cascade pipeline.\n \n - `active` (or undefined) — normal, readable state.\n * - `deleting` — intermediate state set synchronously by the\n * hard-delete API entry point. The owning-delete cascade state\n * machine fans out from this transition (DynamoDB stream →\n * `control-plane.owning-delete.v1` → Step Functions). Readers MUST\n * short-circuit on `deleting` so partial cascades stay invisible.\n * - `deleted-failed` — terminal failure state set by the cascade\n * finalize Lambda when the cascade run fails irrecoverably.\n * Operators recover by re-running the cascade or by direct\n * intervention.\n \n The cascade finalize step deletes the canonical record conditional\n * on `lifecycleState = \"deleting\"`; on replay the conditional check\n * fails and the finalize step treats that as a no-op success.\n /\n lifecycleState: {\n type: [\"active\", \"deleting\", \"deleted-failed\"] as const,\n required: false,\n },\n bundleId: {\n type: \"string\" as const,\n required: false,\n },\n msgId: {\n type: \"string\" as const,\n required: false,\n },\n },\n indexes: {\n /* Base table: PK = TID#<tenantId>#WORKSPACE#ID#<id>, SK = CURRENT. Do not supply PK or SK from outside. /\n record: {\n pk: {\n field: \"PK\",\n composite: [\"tenantId\", \"id\"],\n template: \"TID#${tenantId}#WORKSPACE#ID#${id}\",\n },\n sk: {\n field: \"SK\",\n composite: [\"sk\"],\n template: \"${sk}\",\n },\n },\n\n /\n GSI1 — Unified Sharded List per ADR-011: list all Workspaces for a tenant across the\n * four shards. Workspace is itself the workspace identity, so `WID#-` is a sentinel.\n * SK is derived via `gsi1skAttribute` — `<normalizedName>#<id>` when the resource\n * carries a `name`, else `<lastUpdated>#<id>` (DR-004). `casing: \"none\"` preserves\n * the normalized label and ISO-8601 `T`/`Z`.\n /\n gsi1: {\n index: \"GSI1\",\n pk: {\n field: \"GSI1PK\",\n composite: [\"tenantId\", \"gsi1Shard\"],\n template: \"TID#${tenantId}#WID#-#RT#Workspace#SHARD#${gsi1Shard}\",\n },\n sk: {\n field: \"GSI1SK\",\n casing: \"none\" as const,\n composite: [\"gsi1sk\"],\n template: \"${gsi1sk}\",\n },\n },\n },\n});\n","import {\n getDynamoControlService,\n type DynamoControlServiceType,\n} from \"../../../dynamo/dynamo-control-service\";\n\n/\n ADR-028 atomic counter mutation against a canonical control-plane\n * record. Each call applies one concurrency-safe DynamoDB `ADD` delta\n * (`+1` on a relationship/lifecycle create, `-1` on delete) to a single\n * named counter attribute on the canonical Tenant / Workspace / User row.\n \n The mutation goes through ElectroDB's `patch(key).add({ counter })`,\n * which compiles to a DynamoDB `ADD` update expression — atomic, no\n * read-modify-write. `patch` also stamps an `attribute_exists` guard on\n * the partition key, so a counter is never written onto a phantom /\n * deleted canonical record. Using ElectroDB (rather than a raw\n * `UpdateItemCommand`) keeps the composite-key casing in lockstep with\n * the entity definitions.\n \n Floor guard contract (ADR-028 § Floor guard): a `-1` against an\n * absent / `0` counter is clamped to a no-op via a `.where(counter > 0)`\n * condition — when the condition fails ElectroDB throws and the\n * operation swallows it, returning `false`. The guard is a safety net,\n * not the source of truth: ADR-028's reconciliation job recomputes the\n * real value from canonical data and owns correctness.\n \n @see sites/www-docs/content/packages/@openhi/constructs/data/operations/control/counters/counter-apply-operation.md\n /\n\n/* Counter attribute names per ADR-028, grouped by the canonical record they live on. /\nexport const TENANT_COUNTERS = [\"usersInTenant\", \"workspacesInTenant\"] as const;\nexport const WORKSPACE_COUNTERS = [\n \"usersInWorkspace\",\n \"adminUsersInWorkspace\",\n \"normalUsersInWorkspace\",\n] as const;\nexport const USER_COUNTERS = [\"tenantsForUser\", \"workspacesForUser\"] as const;\n\nexport type TenantCounter = (typeof TENANT_COUNTERS)[number];\nexport type WorkspaceCounter = (typeof WORKSPACE_COUNTERS)[number];\nexport type UserCounter = (typeof USER_COUNTERS)[number];\n\n/* The `+1` (create) / `-1` (delete) delta direction. /\nexport type CounterDelta = 1 \| -1;\n\n/* Which canonical entity the counter lives on. /\nexport const COUNTER_TARGET = {\n Tenant: \"Tenant\",\n Workspace: \"Workspace\",\n User: \"User\",\n} as const;\nexport type CounterTarget =\n (typeof COUNTER_TARGET)[keyof typeof COUNTER_TARGET];\n\n/\n A resolved counter mutation: which canonical record (target + the\n * ElectroDB composite-key fields that identify it), the attribute, and\n * the delta. The router emits these; the operation applies them.\n /\nexport type CounterMutation =\n \| {\n readonly target: typeof COUNTER_TARGET.Tenant;\n readonly tenantId: string;\n readonly attribute: TenantCounter;\n readonly delta: CounterDelta;\n }\n \| {\n readonly target: typeof COUNTER_TARGET.Workspace;\n readonly tenantId: string;\n readonly workspaceId: string;\n readonly attribute: WorkspaceCounter;\n readonly delta: CounterDelta;\n }\n \| {\n readonly target: typeof COUNTER_TARGET.User;\n readonly userId: string;\n readonly attribute: UserCounter;\n readonly delta: CounterDelta;\n };\n\nexport interface ApplyCounterDeltaParams {\n readonly mutation: CounterMutation;\n /* Table override (tests); defaults to `DYNAMO_TABLE_NAME`. /\n readonly tableName?: string;\n}\n\n/* Minimal shape of the ElectroDB patch builder this operation drives. /\ninterface PatchBuilder {\n add(attrs: Record<string, number>): {\n where(\n cb: (\n attr: Record<string, unknown>,\n op: { gt: (a: unknown, b: number) => string },\n ) => string,\n ): { go(): Promise<unknown> };\n go(): Promise<unknown>;\n };\n}\n\n/\n Apply one atomic counter delta. Increments are unconditional `ADD`s\n * (guarded only by `patch`'s implicit `attribute_exists` on the key);\n * decrements carry the floor guard so a `-1` against an absent / `0`\n * counter is a no-op. Returns `true` when the delta landed, `false`\n * when the floor guard clamped a decrement or the canonical record was\n * missing.\n /\nexport async function applyCounterDeltaOperation(\n params: ApplyCounterDeltaParams,\n): Promise<boolean> {\n const { mutation, tableName } = params;\n const service = getDynamoControlService(tableName);\n\n const patch = buildPatch(service, mutation);\n\n try {\n if (mutation.delta > 0) {\n // Unconditional atomic ADD. `patch` adds `attribute_exists(PK)`,\n // so a delete-before-create race is clamped rather than\n // resurrecting the record.\n await patch.add({ [mutation.attribute]: mutation.delta }).go();\n return true;\n }\n\n // Floor-guarded decrement: apply `-1` only when the counter exists\n // and is strictly positive.\n await patch\n .add({ [mutation.attribute]: mutation.delta })\n .where((attr, { gt }) => gt(attr[mutation.attribute], 0))\n .go();\n return true;\n } catch (err) {\n if (isConditionalCheckFailure(err)) {\n return false;\n }\n throw err;\n }\n}\n\n/* Select the entity + composite key for the mutation's target. /\nfunction buildPatch(\n service: DynamoControlServiceType,\n mutation: CounterMutation,\n): PatchBuilder {\n switch (mutation.target) {\n case COUNTER_TARGET.Tenant:\n return service.entities.tenant.patch({\n tenantId: mutation.tenantId,\n sk: \"CURRENT\",\n }) as unknown as PatchBuilder;\n case COUNTER_TARGET.Workspace:\n return service.entities.workspace.patch({\n tenantId: mutation.tenantId,\n id: mutation.workspaceId,\n sk: \"CURRENT\",\n }) as unknown as PatchBuilder;\n case COUNTER_TARGET.User:\n return service.entities.user.patch({\n id: mutation.userId,\n sk: \"CURRENT\",\n }) as unknown as PatchBuilder;\n }\n}\n\n/\n ElectroDB wraps a failed conditional check in its own error. Detect it\n * structurally so the floor guard / existence guard resolves to a\n * clamped no-op rather than propagating.\n /\nfunction isConditionalCheckFailure(err: unknown): boolean {\n if (typeof err !== \"object\" \|\| err === null) {\n return false;\n }\n const e = err as {\n name?: string;\n code?: string;\n message?: string;\n cause?: { name?: string };\n };\n if (\n e.name === \"ConditionalCheckFailedException\" \|\|\n e.code === \"ConditionalCheckFailedException\" \|\|\n e.cause?.name === \"ConditionalCheckFailedException\"\n ) {\n return true;\n }\n return typeof e.message === \"string\"\n ? e.message.includes(\"ConditionalCheckFailed\")\n : false;\n}\n","/\n ADR-028 admin-vs-normal classification for the workspace user breakdown.\n \n The counter-maintenance consumer counts every workspace-scoped\n * RoleAssignment into one of two buckets — `adminUsersInWorkspace` or\n * `normalUsersInWorkspace` — based on whether the assignment's role is\n * an admin-tier role. This module is the single documented predicate\n * that decision flows through so the rule lives in exactly one place.\n \n The signals come straight off the `control-plane.role-assignment-`\n event payload (no extra Role read): the ADR-019 organization-role\n * code carried as `roleLevel` (extracted from `PractitionerRole.code`\n * at publish time) and the `roleId` reference slug.\n \n Classification rule (per the #1318 brief against the ADR-019\n * vocabulary): an assignment is admin when either\n \n - its `roleLevel` code names an admin tier — it equals or ends with\n * `admin` (catches the data-plane organization role `billing-admin`\n * and the platform roles `tenant-admin` / `system-admin` when those\n * surface on the code), or\n * - its `roleId` matches `admin` (a defensive fallback for assignments\n * whose role code did not ride the event but whose stable role id\n * encodes the tier, e.g. `role-tenant-admin`).\n \n Everything else (including a missing roleLevel and roleId) classifies\n * as normal. Misclassification is self-correcting: ADR-028's\n * reconciliation job recomputes both buckets from canonical data and is\n * the authority on the true value.\n /\n\n/\n Returns `true` when a workspace-scoped RoleAssignment should count\n * toward `adminUsersInWorkspace`, `false` when it counts toward\n * `normalUsersInWorkspace`. See the module doc for the rule.\n /\nexport function isAdminRoleAssignment(input: {\n readonly roleLevel?: string;\n readonly roleId?: string;\n}): boolean {\n if (codeIsAdminTier(input.roleLevel)) {\n return true;\n }\n if (idMatchesAdmin(input.roleId)) {\n return true;\n }\n return false;\n}\n\n/\n An ADR-019 role code is admin-tier when it is exactly `admin` or ends\n * with the `-admin` / `admin` suffix (case-insensitive). Matches\n * `billing-admin`, `tenant-admin`, `system-admin`; rejects `biller`,\n * `scribe`, `practitioner`, etc.\n /\nfunction codeIsAdminTier(roleLevel: string \| undefined): boolean {\n if (typeof roleLevel !== \"string\" \|\| roleLevel.length === 0) {\n return false;\n }\n const lower = roleLevel.toLowerCase();\n return lower === \"admin\" \|\| lower.endsWith(\"admin\");\n}\n\n/\n Fallback signal — the stable role id slug encodes the tier even when\n * the role code did not ride the event. Matches any id containing the\n * substring `admin` (case-insensitive), e.g. `role-tenant-admin`.\n /\nfunction idMatchesAdmin(roleId: string \| undefined): boolean {\n if (typeof roleId !== \"string\" \|\| roleId.length === 0) {\n return false;\n }\n return roleId.toLowerCase().includes(\"admin\");\n}\n","import { EventBridgeClient } from \"@aws-sdk/client-eventbridge\";\nimport {\n ControlPlaneMembershipCreatedV1,\n ControlPlaneMembershipDeletedV1,\n ControlPlaneRoleAssignmentCreatedV1,\n ControlPlaneRoleAssignmentDeletedV1,\n ControlPlaneWorkspaceCreatedV1,\n ControlPlaneWorkspaceDeletedV1,\n OPENHI_CONTROL_SOURCE,\n publishWorkflowEvent,\n type ControlPlaneMembershipChangedV1Detail,\n type ControlPlaneRoleAssignmentChangedV1Detail,\n type ControlPlaneWorkspaceChangedV1Detail,\n type WorkflowActor,\n type WorkflowDetailTypeEntry,\n} from \"@openhi/workflows\";\nimport { OpenHiContext } from \"../../openhi-context\";\n\n/\n Env var carrying the name of the control event bus the REST API Lambda\n * publishes control-plane domain events to. Set by\n * {@link RestApiLambda} from the deterministic `ControlEventBus` name.\n * When unset (seed / import / unit-test contexts) the publisher is a no-op,\n * so operations stay usable outside the Lambda and the counter backfill in\n * the reconciliation job (#1319) repairs any rows created without an event.\n /\nexport const CONTROL_EVENT_BUS_NAME_ENV_VAR = \"CONTROL_EVENT_BUS_NAME\";\n\nlet cachedClient: EventBridgeClient \| undefined;\n\nfunction getClient(): EventBridgeClient {\n if (!cachedClient) {\n cachedClient = new EventBridgeClient({\n region: process.env.AWS_REGION ?? \"us-east-1\",\n });\n }\n return cachedClient;\n}\n\nfunction actorFromContext(context: OpenHiContext): WorkflowActor {\n return {\n ohi_tid: context.tenantId,\n ohi_wid: context.workspaceId,\n ohi_uid: context.actorId,\n ohi_uname: context.actorName,\n };\n}\n\n/\n Publish one control-plane domain event to the control event bus.\n \n Best-effort by contract (ADR-028): the canonical multi-write has already\n * committed by the time this runs, the counters it feeds are eventually\n * consistent, and the reconciliation job (#1319) is the correctness backstop.\n * A publish failure is therefore logged and swallowed so it never fails the\n * operation (which would 500 a request whose data write already succeeded).\n * When `CONTROL_EVENT_BUS_NAME` is unset the publish is skipped entirely.\n /\nasync function publishControlEvent<TDetail>(\n entry: WorkflowDetailTypeEntry<TDetail>,\n payload: TDetail,\n context: OpenHiContext,\n): Promise<void> {\n const busName = process.env[CONTROL_EVENT_BUS_NAME_ENV_VAR];\n if (!busName) {\n return;\n }\n try {\n await publishWorkflowEvent(\n getClient(),\n entry,\n payload,\n { actor: actorFromContext(context) },\n { busNameByPlane: { [OPENHI_CONTROL_SOURCE]: busName } },\n );\n } catch (err) {\n console.error(`control-event publish failed for ${entry.detailType}:`, err);\n }\n}\n\n/* Publish `control-plane.membership-created.v1`. /\nexport async function publishMembershipCreated(\n context: OpenHiContext,\n detail: ControlPlaneMembershipChangedV1Detail,\n): Promise<void> {\n await publishControlEvent(ControlPlaneMembershipCreatedV1, detail, context);\n}\n\n/* Publish `control-plane.membership-deleted.v1`. /\nexport async function publishMembershipDeleted(\n context: OpenHiContext,\n detail: ControlPlaneMembershipChangedV1Detail,\n): Promise<void> {\n await publishControlEvent(ControlPlaneMembershipDeletedV1, detail, context);\n}\n\n/* Publish `control-plane.role-assignment-created.v1`. /\nexport async function publishRoleAssignmentCreated(\n context: OpenHiContext,\n detail: ControlPlaneRoleAssignmentChangedV1Detail,\n): Promise<void> {\n await publishControlEvent(\n ControlPlaneRoleAssignmentCreatedV1,\n detail,\n context,\n );\n}\n\n/* Publish `control-plane.role-assignment-deleted.v1`. /\nexport async function publishRoleAssignmentDeleted(\n context: OpenHiContext,\n detail: ControlPlaneRoleAssignmentChangedV1Detail,\n): Promise<void> {\n await publishControlEvent(\n ControlPlaneRoleAssignmentDeletedV1,\n detail,\n context,\n );\n}\n\n/* Publish `control-plane.workspace-created.v1`. /\nexport async function publishWorkspaceCreated(\n context: OpenHiContext,\n detail: ControlPlaneWorkspaceChangedV1Detail,\n): Promise<void> {\n await publishControlEvent(ControlPlaneWorkspaceCreatedV1, detail, context);\n}\n\n/* Publish `control-plane.workspace-deleted.v1`. /\nexport async function publishWorkspaceDeleted(\n context: OpenHiContext,\n detail: ControlPlaneWorkspaceChangedV1Detail,\n): Promise<void> {\n await publishControlEvent(ControlPlaneWorkspaceDeletedV1, detail, context);\n}\n\n/\n Extract the ADR-019 organization-role level / type from a RoleAssignment\n * resource so the counter-maintenance consumer can classify a workspace-scoped\n * assignment as admin vs normal without re-reading the Role record. Reads the\n * slim `PractitionerRole.code` coding per ADR-019 §1.2; returns `undefined`\n * when no code is present.\n /\nexport function extractRoleLevel(\n resource: Record<string, unknown> \| undefined,\n): string \| undefined {\n const code = resource?.code as\n \| { coding?: Array<{ code?: unknown }> }\n \| undefined;\n const first = code?.coding?.[0]?.code;\n return typeof first === \"string\" && first.length > 0 ? first : undefined;\n}\n","import { getDynamoControlService } from \"../../../dynamo/dynamo-control-service\";\n\n/\n Filter modes for {@link membershipListByUserOperation}.\n \n Maps directly to the ADR-018 sub-lane discriminator in the user-projection\n * SK (`MEMBERSHIP#TENANT#…` vs `MEMBERSHIP#WORKSPACE#…`):\n \n - `\"all\"` — `Query(PK = USER#ID#<userId>, SK begins_with 'MEMBERSHIP#')`.\n * Returns both lanes interleaved in raw SK order.\n * - `\"tenant\"` — `SK begins_with 'MEMBERSHIP#TENANT#'`. Pattern #3 only.\n * - `\"workspace\"` — `SK begins_with 'MEMBERSHIP#WORKSPACE#'`. Pattern #4\n * across every tenant.\n * - `\"workspaceInTenant\"` — `SK begins_with 'MEMBERSHIP#WORKSPACE#TID#<tenantId>#'`.\n * Pattern #4 narrowed to one tenant. Requires `tenantId`.\n /\nexport type MembershipListByUserMode =\n \| \"all\"\n \| \"tenant\"\n \| \"workspace\"\n \| \"workspaceInTenant\";\n\n/* Inputs accepted by {@link membershipListByUserOperation}. /\nexport interface MembershipListByUserParams {\n readonly userId: string;\n /* Filter mode — see {@link MembershipListByUserMode}. Defaults to `\"all\"`. /\n readonly mode?: MembershipListByUserMode;\n /* Required only when `mode === \"workspaceInTenant\"`. /\n readonly tenantId?: string;\n /* ElectroDB cursor from a prior page. Forwarded to `.go({ cursor })`. /\n readonly cursor?: string \| null;\n /* Per-page item limit forwarded to `.go({ limit })`. /\n readonly limit?: number;\n /* Sort order forwarded to `.go({ order })`. Defaults to ElectroDB's `\"asc\"`. /\n readonly order?: \"asc\" \| \"desc\";\n /* Optional table-name override; resolved via env when omitted. /\n readonly tableName?: string;\n}\n\n/* One projection-row payload as returned to a consumer. /\nexport interface MembershipUserProjectionEntry {\n readonly userId: string;\n readonly sk: string;\n readonly tenantId: string;\n readonly workspaceId?: string;\n readonly membershipId: string;\n readonly summary: string;\n readonly vid: string;\n readonly lastUpdated: string;\n readonly denormalizedTenantName?: string;\n readonly denormalizedUserName?: string;\n readonly denormalizedWorkspaceName?: string;\n}\n\n/* Page returned by {@link membershipListByUserOperation}. /\nexport interface MembershipListByUserResult {\n readonly items: Array<MembershipUserProjectionEntry>;\n /* ElectroDB cursor for the next page, or `null` when exhausted. /\n readonly cursor: string \| null;\n}\n\n/\n Compose the SK prefix for a given filter mode. Centralizing the\n * prefix string here keeps the SK grammar (owned by\n * `membership-user-projection.ts`) the single source of truth for the\n * lane discriminators — this function reads them, it does not invent them.\n /\nexport function buildSkPrefix(\n mode: MembershipListByUserMode,\n tenantId: string \| undefined,\n): string {\n switch (mode) {\n case \"tenant\":\n return \"MEMBERSHIP#TENANT#\";\n case \"workspace\":\n return \"MEMBERSHIP#WORKSPACE#\";\n case \"workspaceInTenant\":\n // Pattern-#4 SK places `<tenantId>` directly after the\n // `MEMBERSHIP#WORKSPACE#TID#` segment so a `begins_with` filter\n // narrows the workspace lane to a single tenant.\n return `MEMBERSHIP#WORKSPACE#TID#${tenantId}#`;\n case \"all\":\n default:\n return \"MEMBERSHIP#\";\n }\n}\n\n/\n List Memberships for a user via the ADR-018 user-partition projection\n * (no GSI hop).\n \n Reads `MembershipUserProjectionEntity` rows under `PK = USER#ID#<userId>`\n * with an `SK begins_with` filter selected by `mode`:\n \n \| Mode \| SK begins_with \| Covers \|\n * \|---\|---\|---\|\n * \| `all` (default) \| `MEMBERSHIP#` \| patterns #3 + #4 interleaved \|\n * \| `tenant` \| `MEMBERSHIP#TENANT#` \| pattern #3 only \|\n * \| `workspace` \| `MEMBERSHIP#WORKSPACE#` \| pattern #4 only, across tenants \|\n * \| `workspaceInTenant` \| `MEMBERSHIP#WORKSPACE#TID#<tenantId>#` \| pattern #4 in one tenant \|\n \n Returns the projection rows verbatim (`summary`, `vid`, `lastUpdated`\n * plus the projection-discriminating fields) — full canonical-resource\n * hydration is opt-in for callers via\n * `MembershipEntity.get({ tenantId, id: membershipId })`. Pagination\n * mirrors ElectroDB's native `.go({ cursor })` shape; the returned\n * `cursor` is opaque to callers.\n \n @see ADR-018 § Access Pattern Coverage (patterns #3 and #4)\n * @see .state/adr-018-implementation-guide.md § 1 (SK grammar)\n /\nexport async function membershipListByUserOperation(\n params: MembershipListByUserParams,\n): Promise<MembershipListByUserResult> {\n const {\n userId,\n mode = \"all\",\n tenantId,\n cursor = null,\n limit,\n order,\n tableName,\n } = params;\n\n if (mode === \"workspaceInTenant\" && !tenantId) {\n throw new Error(\n 'membershipListByUserOperation: tenantId is required when mode === \"workspaceInTenant\"',\n );\n }\n\n const service = getDynamoControlService(tableName);\n const skPrefix = buildSkPrefix(mode, tenantId);\n\n const goOptions: {\n cursor?: string \| null;\n limit?: number;\n order?: \"asc\" \| \"desc\";\n } = {\n cursor,\n };\n if (limit !== undefined) {\n goOptions.limit = limit;\n }\n if (order !== undefined) {\n goOptions.order = order;\n }\n\n const result = await service.entities.membershipUserProjection.query\n .record({ userId })\n .begins({ sk: skPrefix })\n .go(goOptions);\n\n const items: Array<MembershipUserProjectionEntry> = (result.data ?? []).map(\n (row) => ({\n userId: row.userId,\n sk: row.sk,\n tenantId: row.tenantId,\n workspaceId: row.workspaceId,\n membershipId: row.membershipId,\n summary: row.summary,\n vid: row.vid,\n lastUpdated: row.lastUpdated,\n denormalizedTenantName: row.denormalizedTenantName,\n denormalizedUserName: row.denormalizedUserName,\n denormalizedWorkspaceName: row.denormalizedWorkspaceName,\n }),\n );\n\n return { items, cursor: result.cursor ?? null };\n}\n","import {\n buildSkPrefix,\n type MembershipListByUserMode,\n} from \"./membership-list-by-user-operation\";\nimport { getDynamoControlService } from \"../../../dynamo/dynamo-control-service\";\n\n/* Inputs accepted by {@link countMembershipsByUserOperation}. /\nexport interface CountMembershipsByUserParams {\n readonly userId: string;\n /* Filter mode — see {@link MembershipListByUserMode}. Defaults to `\"all\"`. /\n readonly mode?: MembershipListByUserMode;\n /* Required only when `mode === \"workspaceInTenant\"`. /\n readonly tenantId?: string;\n /* Optional table-name override; resolved via env when omitted. /\n readonly tableName?: string;\n}\n\n/\n Count a user's Memberships via the ADR-018 user-partition projection, with the\n * same `SK begins_with` lane discriminator as {@link membershipListByUserOperation}.\n \n Pages through every matching projection row (`{ pages: \"all\" }`) projecting only\n * the `membershipId` key, and returns the row count. Backs\n * `GET /User/:id/Membership?_summary=count`.\n \n Note: the per-user counts (`tenantsForUser`, `workspacesForUser`) are also\n * maintained as denormalized counters on the User record per ADR-028; this\n * recompute-from-projection count is the FHIR `_summary=count` shape and the\n * authoritative source the counters are reconciled against.\n /\nexport async function countMembershipsByUserOperation(\n params: CountMembershipsByUserParams,\n): Promise<number> {\n const { userId, mode = \"all\", tenantId, tableName } = params;\n\n if (mode === \"workspaceInTenant\" && !tenantId) {\n throw new Error(\n 'countMembershipsByUserOperation: tenantId is required when mode === \"workspaceInTenant\"',\n );\n }\n\n const service = getDynamoControlService(tableName);\n const skPrefix = buildSkPrefix(mode, tenantId);\n\n const result = await service.entities.membershipUserProjection.query\n .record({ userId })\n .begins({ sk: skPrefix })\n .go({ pages: \"all\", attributes: [\"membershipId\"] });\n\n return (result.data ?? []).length;\n}\n","import { getDynamoControlService } from \"../../../dynamo/dynamo-control-service\";\n\n/* Inputs accepted by {@link membershipListByWorkspaceOperation}. /\nexport interface MembershipListByWorkspaceParams {\n readonly tenantId: string;\n readonly workspaceId: string;\n /* ElectroDB cursor from a prior page. Forwarded to `.go({ cursor })`. /\n readonly cursor?: string \| null;\n /* Per-page item limit forwarded to `.go({ limit })`. /\n readonly limit?: number;\n /* Sort order forwarded to `.go({ order })`. Defaults to ElectroDB's `\"asc\"`. /\n readonly order?: \"asc\" \| \"desc\";\n /* Optional table-name override; resolved via env when omitted. /\n readonly tableName?: string;\n}\n\n/* One projection-row payload as returned to a consumer. /\nexport interface MembershipWorkspaceProjectionEntry {\n readonly tenantId: string;\n readonly workspaceId: string;\n readonly sk: string;\n readonly userId: string;\n readonly membershipId: string;\n readonly summary: string;\n readonly vid: string;\n readonly lastUpdated: string;\n readonly denormalizedUserName?: string;\n}\n\n/* Page returned by {@link membershipListByWorkspaceOperation}. /\nexport interface MembershipListByWorkspaceResult {\n readonly items: Array<MembershipWorkspaceProjectionEntry>;\n /* ElectroDB cursor for the next page, or `null` when exhausted. /\n readonly cursor: string \| null;\n}\n\n/\n List Memberships for a workspace via the ADR-018 workspace-partition\n * projection (no GSI hop).\n \n Reads `MembershipWorkspaceProjectionEntity` rows under\n * `PK = TID#<tenantId>#WORKSPACE#ID#<workspaceId>` with\n * `SK begins_with 'MEMBERSHIP#'`. The projection's SK shape\n * (`MEMBERSHIP#<normalizedUserName>#USER#<userId>#<membershipId>`) sorts\n * members alphabetically by user name within the workspace partition, so\n * the natural Query order is exactly what the access pattern expects —\n * no client-side sort.\n \n Returns the projection rows verbatim (`summary`, `vid`, `lastUpdated`\n * plus the projection-discriminating fields) — full canonical-resource\n * hydration is opt-in for callers via\n * `MembershipEntity.get({ tenantId, id: membershipId })`. Pagination\n * mirrors ElectroDB's native `.go({ cursor })` shape; the returned\n * `cursor` is opaque to callers.\n \n @see ADR-018 § Access Pattern Coverage (pattern #2)\n * @see .state/adr-018-implementation-guide.md § 1 (SK grammar)\n /\nexport async function membershipListByWorkspaceOperation(\n params: MembershipListByWorkspaceParams,\n): Promise<MembershipListByWorkspaceResult> {\n const {\n tenantId,\n workspaceId,\n cursor = null,\n limit,\n order,\n tableName,\n } = params;\n\n const service = getDynamoControlService(tableName);\n\n const goOptions: {\n cursor?: string \| null;\n limit?: number;\n order?: \"asc\" \| \"desc\";\n } = {\n cursor,\n };\n if (limit !== undefined) {\n goOptions.limit = limit;\n }\n if (order !== undefined) {\n goOptions.order = order;\n }\n\n const result = await service.entities.membershipWorkspaceProjection.query\n .record({ tenantId, workspaceId })\n .begins({ sk: \"MEMBERSHIP#\" })\n .go(goOptions);\n\n const items: Array<MembershipWorkspaceProjectionEntry> = (\n result.data ?? []\n ).map((row) => ({\n tenantId: row.tenantId,\n workspaceId: row.workspaceId,\n sk: row.sk,\n userId: row.userId,\n membershipId: row.membershipId,\n summary: row.summary,\n vid: row.vid,\n lastUpdated: row.lastUpdated,\n denormalizedUserName: row.denormalizedUserName,\n }));\n\n return { items, cursor: result.cursor ?? null };\n}\n","import { extractSortKey, extractSummary } from \"@openhi/types\";\nimport type { Meta, FhirResourceLike } from \"@openhi/types\";\nimport { compressResource, decompressResource } from \"../../lib/compression\";\nimport { mergeAuditIntoMeta, type MetaWithExtensions } from \"../audit-meta\";\nimport { SHARD_COUNT } from \"../dynamo/shard\";\nimport { NotFoundError } from \"../errors\";\nimport type { OpenHiContext } from \"../openhi-context\";\n\n/\n Sort key for the current record version. Matches Dynamo record index SK default.\n * Use this in get/update/delete (and create where applicable) for data-plane entities.\n /\nexport const DATA_ENTITY_SK = \"CURRENT\" as const;\n\n/\n Derive the monotonic `vid` (version id) from a `lastUpdated` ISO instant.\n \n `vid` is the version the search-tier replication guards compare\n * (`EXCLUDED.version > version` on upsert, `>=` on soft delete), so it must\n * STRICTLY INCREASE on every write of the same item or the replication\n * silently drops the event as a stale replay. Two rules follow:\n \n 1. Every mutation path must write a fresh vid — `updateDataEntityById`\n * not doing so is exactly what made every UPDATE a search-tier no-op\n * (sibling of the #1379 DELETE bug).\n * 2. Full millisecond precision (all digits of the ISO instant, e.g.\n * `20260612143055123`) — the previous minute-precision truncation\n * (`slice(0, 12)`) would tie an update with a create from the same\n * minute and lose it to the strict guard.\n \n Lexicographic text comparison stays monotonic against legacy 12-digit\n * vids: equal-prefix-but-longer sorts greater (same minute, more precision)\n * and differing minutes are decided within the first 12 digits.\n /\nexport function deriveVid(lastUpdated: string): string {\n return lastUpdated.replace(/\\D/g, \"\") \|\| Date.now().toString(36);\n}\n\n/* Base params for data-entity operations: context and optional table override. /\nexport interface BaseDataEntityParams {\n context: OpenHiContext;\n /* Optional table name override; resolved by data service from DYNAMO_TABLE_NAME when omitted. /\n tableName?: string;\n}\n\n/* Params for get-by-id and delete (context + id + optional tableName). /\nexport interface GetByIdParams extends BaseDataEntityParams {\n id: string;\n}\n\n/\n Mode for list operations introduced by #853 to back FHIR `_summary` opt-ins.\n \n - `full` (default): GSI1 fan-out → BatchGet hydration → full FHIR resource per entry.\n * - `summary`: GSI1 fan-out only; the `summary` JSON projected onto GSI1 is parsed and used\n * as `resource` per entry. Skips BatchGet entirely — that's the cost win the FHIR spec\n * intends `_summary=true` to deliver.\n * - `count`: GSI1 fan-out only; entries are dropped, only `total` is populated. Routes\n * should pass `total` into `buildSearchsetBundle({ mode: \"count\", total })`.\n \n `_elements` is implemented at the route layer as `full` mode + post-hydration pruning,\n * since per-element pruning has to happen after decompression and is FHIR-spec-defined\n * (always retain root-level mandatories — see `prune-resource-by-elements.ts`).\n /\nexport type ListOperationMode = \"full\" \| \"summary\" \| \"count\";\n\n/* Params for list (context + optional tableName + optional mode for #853 `_summary`). /\nexport interface ListParams extends BaseDataEntityParams {\n /* Defaults to `\"full\"` (current behavior); routes pass other modes for `_summary` opt-ins. /\n mode?: ListOperationMode;\n}\n\n/* Result for create / get-by-id / update: single resource. /\nexport interface SingleResourceResult<T> {\n id: string;\n resource: T;\n}\n\n/* Entry shape for list results. /\nexport interface ListEntry<T> {\n id: string;\n resource: T;\n}\n\n/\n Result for list: entries array plus total count.\n \n - For `mode === \"full\"` and `mode === \"summary\"`, `total === entries.length`.\n * - For `mode === \"count\"`, `entries` is empty and `total` is the GSI1 fan-out count.\n \n Splitting `total` from `entries.length` lets count-mode routes report a true count\n * while skipping any per-entry work.\n /\nexport interface ListResult<T> {\n entries: Array<ListEntry<T>>;\n total: number;\n}\n\n/* Minimal entity shape for get (used by getDataEntityById). /\ninterface EntityWithGet {\n get(params: {\n tenantId: string;\n workspaceId: string;\n id: string;\n sk: string;\n }): { go(): Promise<{ data: { id: string; resource: string } \| null }> };\n}\n\n/* Minimal entity shape for delete (used by deleteDataEntityById). /\ninterface EntityWithDelete {\n delete(params: {\n tenantId: string;\n workspaceId: string;\n id: string;\n sk: string;\n }): { go(): Promise<unknown> };\n}\n\n/\n Minimal entity shape for list via GSI1 + BatchGet hydration (used by listDataEntitiesByWorkspace).\n * GSI1 is sharded per ADR-011, so listing fans out to each shard and concatenates ids; the\n * `resource` attribute is NOT projected onto GSI1 (per the summary projection in\n * `dynamo-db-data-store.ts`), so the second phase BatchGets the base table for full items.\n \n GSI1 INCLUDE projection (per `dynamo-db-data-store.ts`) carries `summary`, `vid`, `lastUpdated`,\n * `createdDate`, `modifiedDate`, `createdById`, `modifiedById` alongside the key attributes.\n * `summary` is what `mode: \"summary\"` returns to the caller without hitting the base table.\n /\ninterface DataEntityWithListAndBatchGet {\n query: {\n gsi1(params: {\n tenantId: string;\n workspaceId: string;\n gsi1Shard: string;\n }): {\n go(): Promise<{\n data: Array<{\n id: string;\n summary?: string;\n vid?: string;\n lastUpdated?: string;\n createdDate?: string;\n modifiedDate?: string;\n createdById?: string;\n modifiedById?: string;\n }> \| null;\n }>;\n };\n };\n get(\n keys: Array<{\n tenantId: string;\n workspaceId: string;\n id: string;\n sk: string;\n }>,\n ): {\n go(): Promise<{\n data: Array<{ id: string; resource: string }>;\n unprocessed: Array<{\n tenantId: string;\n workspaceId: string;\n id: string;\n sk: string;\n }>;\n }>;\n };\n}\n\n/* Minimal entity shape for put (used by createDataEntityRecord). /\ninterface EntityWithPut {\n put(attrs: {\n sk: string;\n tenantId: string;\n workspaceId: string;\n id: string;\n resource: string;\n summary: string;\n vid: string;\n lastUpdated: string;\n gsi1sk: string;\n }): { go(): Promise<unknown> };\n}\n\n/* Minimal entity shape for patch (used by updateDataEntityById). /\ninterface EntityWithPatch {\n get(params: {\n tenantId: string;\n workspaceId: string;\n id: string;\n sk: string;\n }): { go(): Promise<{ data: { id: string; resource: string } \| null }> };\n patch(params: {\n tenantId: string;\n workspaceId: string;\n id: string;\n sk: string;\n }): {\n set(attrs: {\n resource: string;\n summary: string;\n vid: string;\n lastUpdated: string;\n gsi1sk: string;\n }): {\n go(): Promise<unknown>;\n };\n };\n}\n\n/\n Get a single data-entity record by id. Decompresses and parses resource; throws NotFoundError if missing.\n * Use from get-by-id operations with the appropriate entity and resource type.\n /\nexport async function getDataEntityById<T>(\n entity: EntityWithGet,\n tenantId: string,\n workspaceId: string,\n id: string,\n resourceLabel: string,\n): Promise<SingleResourceResult<T>> {\n const result = await entity\n .get({\n tenantId,\n workspaceId,\n id,\n sk: DATA_ENTITY_SK,\n })\n .go();\n\n if (!result.data) {\n throw new NotFoundError(`${resourceLabel} ${id} not found`, {\n details: { id },\n });\n }\n\n const parsed = JSON.parse(decompressResource(result.data.resource)) as T & {\n id?: string;\n };\n return {\n id: result.data.id,\n resource: { ...parsed, id: result.data.id } as T,\n };\n}\n\n/\n Delete a data-entity record by id. Idempotent (no-op if not found).\n * Use from delete operations with the appropriate entity.\n /\nexport async function deleteDataEntityById(\n entity: EntityWithDelete,\n tenantId: string,\n workspaceId: string,\n id: string,\n): Promise<void> {\n await entity\n .delete({\n tenantId,\n workspaceId,\n id,\n sk: DATA_ENTITY_SK,\n })\n .go();\n}\n\n/* Maximum total attempts (initial + retries) when hydrating list ids via BatchGet. /\nconst BATCH_GET_MAX_ATTEMPTS = 3;\n/* Base backoff in milliseconds applied to BatchGet retries; doubles each attempt. /\nconst BATCH_GET_BASE_BACKOFF_MS = 50;\n\n/* Minimal entity shape for BatchGet hydration on the base table; chunks of 100 are handled by ElectroDB. /\ninterface EntityWithBatchGet<TKey, TItem> {\n get(keys: TKey[]): {\n go(options?: {\n consistent?: boolean;\n }): Promise<{ data: TItem[]; unprocessed: TKey[] }>;\n };\n}\n\n/* Options accepted by {@link batchGetWithRetry}. /\nexport interface BatchGetWithRetryOptions {\n /\n Forwarded to DynamoDB as `ConsistentRead`. BatchGet reads the *base\n table*, which supports strongly-consistent reads, so list operations\n that must reflect a just-committed write (read-after-write) pass\n * `consistent: true`. Defaults to ElectroDB's eventually-consistent read.\n * @see #1347 — role-assignment dropdowns must reflect their own write\n /\n readonly consistent?: boolean;\n}\n\n/\n BatchGet wrapper that retries `UnprocessedKeys` with exponential backoff. ElectroDB chunks the\n * input keys into groups of 100 internally, but does not retry unprocessed keys — DynamoDB can\n * return some keys unprocessed under throttling or partial failure, and the caller must reissue\n * them. Throws after `BATCH_GET_MAX_ATTEMPTS` if any keys remain unprocessed; intended for list\n * hydration (#854) where partial results would silently truncate the response.\n \n Pass `{ consistent: true }` for read-after-write correctness — the base-table\n * BatchGet then reflects the latest committed write rather than a possibly-stale\n * eventually-consistent replica (#1347).\n /\nexport async function batchGetWithRetry<TKey, TItem>(\n entity: EntityWithBatchGet<TKey, TItem>,\n keys: TKey[],\n options?: BatchGetWithRetryOptions,\n): Promise<TItem[]> {\n if (keys.length === 0) return [];\n\n const collected: TItem[] = [];\n let pending = keys;\n let attempt = 0;\n\n while (pending.length > 0) {\n if (attempt > 0) {\n await new Promise((resolve) =>\n setTimeout(resolve, BATCH_GET_BASE_BACKOFF_MS 2 (attempt - 1)),\n );\n }\n attempt++;\n const result = await entity\n .get(pending)\n .go(options?.consistent ? { consistent: true } : undefined);\n collected.push(...result.data);\n const unprocessed = result.unprocessed ?? [];\n if (unprocessed.length === 0) break;\n if (attempt >= BATCH_GET_MAX_ATTEMPTS) {\n throw new Error(\n `BatchGet exhausted retries: ${unprocessed.length} key(s) still unprocessed after ${BATCH_GET_MAX_ATTEMPTS} attempt(s)`,\n );\n }\n pending = unprocessed;\n }\n\n return collected;\n}\n\n/ GSI1 index item shape — what a sharded `gsi1.query().go()` returns per row. /\nexport interface ShardedListIndexItem {\n id: string;\n summary?: string;\n}\n\n/* Hooks that adapt a generic mode-dispatching list to a specific entity's hydration and entry shape. /\nexport interface DispatchListModeHooks<TItem, TEntry> {\n /* Hydrate the base table for the given ids (typically `batchGetWithRetry(entity, keys)`). /\n hydrate: (orderedIds: string[]) => Promise<TItem[]>;\n /* Extract the canonical id from a hydrated item so it can be matched back to the GSI1 order. /\n getId: (item: TItem) => string;\n /* Build the result entry for `mode === \"full\"` from a hydrated base-table item. /\n buildEntry: (id: string, item: TItem) => TEntry;\n /* Build the result entry for `mode === \"summary\"` from the parsed GSI1 `summary` JSON. /\n buildSummaryEntry: (\n id: string,\n parsedSummary: Record<string, unknown>,\n ) => TEntry;\n}\n\n/\n Mode dispatcher shared by data-plane and control-plane list operations (#853).\n \n Given pre-fetched `shardResults` from a sharded GSI1 fan-out, returns either:\n * - `mode === \"count\"` — `{ entries: [], total }` where total is the sum of shard row counts.\n * - `mode === \"summary\"` — entries built from each shard row's parsed `summary` JSON; rows with\n * missing or unparseable `summary` are dropped.\n * - `mode === \"full\"` — calls `hydrate(orderedIds)` (typically a BatchGet) and builds entries\n * from hydrated items in per-shard GSI1 sort order; missing items are dropped.\n \n Lives here (alongside `listDataEntitiesByWorkspace`) because the same dispatch logic is needed\n * by every list operation that backs a FHIR list/search endpoint, including the seven\n * control-plane peers (User, Role, Tenant, Workspace, Membership, RoleAssignment, Configuration).\n /\nexport async function dispatchListMode<TItem, TEntry>(\n mode: ListOperationMode,\n shardResults: Array<{ data: Array<ShardedListIndexItem> \| null }>,\n hooks: DispatchListModeHooks<TItem, TEntry>,\n): Promise<{ entries: TEntry[]; total: number }> {\n if (mode === \"count\") {\n let total = 0;\n for (const shardResult of shardResults) {\n total += (shardResult.data ?? []).length;\n }\n return { entries: [], total };\n }\n\n if (mode === \"summary\") {\n const entries: TEntry[] = [];\n for (const shardResult of shardResults) {\n for (const item of shardResult.data ?? []) {\n if (typeof item.summary !== \"string\") continue;\n let parsed: Record<string, unknown>;\n try {\n parsed = JSON.parse(item.summary) as Record<string, unknown>;\n } catch {\n continue;\n }\n entries.push(hooks.buildSummaryEntry(item.id, parsed));\n }\n }\n return { entries, total: entries.length };\n }\n\n const orderedIds: string[] = [];\n for (const shardResult of shardResults) {\n for (const item of shardResult.data ?? []) {\n orderedIds.push(item.id);\n }\n }\n\n if (orderedIds.length === 0) return { entries: [], total: 0 };\n\n const items = await hooks.hydrate(orderedIds);\n const byId = new Map(items.map((item) => [hooks.getId(item), item]));\n\n const entries: TEntry[] = [];\n for (const id of orderedIds) {\n const item = byId.get(id);\n if (!item) continue;\n entries.push(hooks.buildEntry(id, item));\n }\n\n return { entries, total: entries.length };\n}\n\n/\n List data-entity records in a workspace via GSI1.\n \n `mode` (default `\"full\"`) selects the read shape — see `dispatchListMode`. The data-plane\n * binding here adds the four-shard fan-out (per ADR-011) and the BatchGet hydration with\n * decompression for `mode === \"full\"`. K-way merge by `gsi1sk` is intentionally NOT done here\n * — full server-side natural sort lands with the FHIR list-endpoint plumbing that adds\n * pagination tokens.\n /\nexport async function listDataEntitiesByWorkspace<T>(\n entity: DataEntityWithListAndBatchGet,\n tenantId: string,\n workspaceId: string,\n mode: ListOperationMode = \"full\",\n): Promise<ListResult<T>> {\n const shardResults = await Promise.all(\n Array.from({ length: SHARD_COUNT }, (_, shard) =>\n entity.query\n .gsi1({ tenantId, workspaceId, gsi1Shard: String(shard) })\n .go(),\n ),\n );\n\n return dispatchListMode<{ id: string; resource: string }, ListEntry<T>>(\n mode,\n shardResults,\n {\n hydrate: (orderedIds) =>\n batchGetWithRetry(\n entity,\n orderedIds.map((id) => ({\n tenantId,\n workspaceId,\n id,\n sk: DATA_ENTITY_SK,\n })),\n ),\n getId: (item) => item.id,\n buildEntry: (id, item) => {\n const parsed = JSON.parse(decompressResource(item.resource)) as T & {\n id?: string;\n };\n return { id, resource: { ...parsed, id } as T };\n },\n buildSummaryEntry: (id, parsed) => ({\n id,\n resource: { ...parsed, id } as T,\n }),\n },\n );\n}\n\n/\n Create a data-entity record with put. Computes vid from lastUpdated (from resource meta or fallback).\n * Use from create operations (e.g. Practitioner, Encounter) that build the resource with audit in meta.\n /\nexport async function createDataEntityRecord<T>(\n entity: EntityWithPut,\n tenantId: string,\n workspaceId: string,\n id: string,\n resourceWithAudit: T & { meta?: { lastUpdated?: string } },\n fallbackDate: string,\n): Promise<SingleResourceResult<T>> {\n const lastUpdated =\n resourceWithAudit.meta?.lastUpdated ??\n fallbackDate ??\n new Date().toISOString();\n const vid = deriveVid(lastUpdated);\n\n const resourceLike = resourceWithAudit as unknown as FhirResourceLike;\n const summary = JSON.stringify(extractSummary(resourceLike));\n const gsi1sk = extractSortKey(resourceLike);\n\n await entity\n .put({\n sk: DATA_ENTITY_SK,\n tenantId,\n workspaceId,\n id,\n resource: compressResource(JSON.stringify(resourceWithAudit)),\n summary,\n vid,\n lastUpdated,\n gsi1sk,\n })\n .go();\n\n return {\n id,\n resource: resourceWithAudit as T,\n };\n}\n\n/\n Build an updated resource with audit in meta for use with updateDataEntityById.\n * Parses existing resource string for existing meta, merges body with id/resourceType/meta (versionId \"2\"),\n * then merges modified audit (modifiedDate, modifiedById, modifiedByName) into meta.\n * Use from update operations (Patient, Encounter, Practitioner) to avoid duplicating this logic.\n /\nexport function buildUpdatedResourceWithAudit<T extends { meta?: Meta }>(\n body: T,\n id: string,\n date: string,\n actorId: string,\n actorName: string,\n existingResourceStr: string,\n resourceType: string,\n): {\n resource: T & { id: string; meta: MetaWithExtensions };\n lastUpdated: string;\n} {\n const existingMeta: MetaWithExtensions \| undefined = (\n JSON.parse(existingResourceStr) as { meta?: MetaWithExtensions }\n ).meta;\n\n const bodyWithMeta = body as T & { id?: string; meta?: Meta };\n const resourceWithVersion: T & { id: string; meta?: Meta } = {\n ...body,\n resourceType: resourceType as T[\"resourceType\"],\n id,\n meta: {\n ...(bodyWithMeta.meta ?? {}),\n lastUpdated: date,\n versionId: \"2\",\n },\n };\n\n const resourceWithAudit: T & { id: string; meta: MetaWithExtensions } = {\n ...resourceWithVersion,\n meta: mergeAuditIntoMeta(resourceWithVersion.meta ?? existingMeta, {\n modifiedDate: date,\n modifiedById: actorId,\n modifiedByName: actorName,\n }),\n };\n\n return {\n resource: resourceWithAudit,\n lastUpdated: date,\n };\n}\n\n/\n Update a data-entity record by id: get existing, throw if not found, then call builder with\n * decompressed existing resource string; builder returns \\{ resource, lastUpdated \\}; then patch.\n * Use from update operations with the appropriate entity and resource type.\n /\nexport async function updateDataEntityById<T>(\n entity: EntityWithPatch,\n tenantId: string,\n workspaceId: string,\n id: string,\n resourceLabel: string,\n context: OpenHiContext,\n buildPatched: (existingResourceStr: string) => {\n resource: unknown;\n lastUpdated: string;\n },\n): Promise<SingleResourceResult<T>> {\n const existing = await entity\n .get({\n tenantId,\n workspaceId,\n id,\n sk: DATA_ENTITY_SK,\n })\n .go();\n\n if (!existing.data) {\n throw new NotFoundError(`${resourceLabel} ${id} not found`, {\n details: { id },\n });\n }\n\n const existingStr = decompressResource(existing.data.resource);\n const { resource, lastUpdated } = buildPatched(existingStr);\n\n const resourceLike = resource as FhirResourceLike;\n const summary = JSON.stringify(extractSummary(resourceLike));\n const gsi1sk = extractSortKey(resourceLike);\n\n await entity\n .patch({\n tenantId,\n workspaceId,\n id,\n sk: DATA_ENTITY_SK,\n })\n .set({\n resource: compressResource(JSON.stringify(resource)),\n summary,\n // A fresh vid is what makes this UPDATE visible to the search tier:\n // the replication upsert rejects any event whose version does not\n // strictly exceed the stored row's. See deriveVid.\n vid: deriveVid(lastUpdated),\n lastUpdated,\n gsi1sk,\n })\n .go();\n\n return {\n id,\n resource: resource as T,\n };\n}\n","import { gzipSync, gunzipSync } from \"node:zlib\";\n\n/\n @see sites/www-docs/content/packages/@openhi/constructs/lib/compression.md\n /\n\n/* Envelope format version. See ADR 2026-02-15-02 (data layer compression). /\nconst ENVELOPE_VERSION = 1;\n\n/\n Compression algorithm identifiers supported by the envelope (string values).\n * Only algos that Node.js supports out of the box (zlib): gzip, brotli, deflate.\n * \"none\" = uncompressed payload. zstd was considered in the ADR but requires native addon/WASM.\n /\nexport const COMPRESSION_ALGOS = {\n NONE: \"none\",\n GZIP: \"gzip\",\n BROTLI: \"brotli\",\n DEFLATE: \"deflate\",\n} as const;\n\n/* Algorithm value for envelope `algo`; only gzip and none are implemented today. /\nexport type CompressionAlgo =\n (typeof COMPRESSION_ALGOS)[keyof typeof COMPRESSION_ALGOS];\n\n/* Stored value is a JSON string of this envelope. /\ninterface CompressionEnvelope {\n v: number;\n algo: string;\n payload: string;\n}\n\nfunction isEnvelope(obj: unknown): obj is CompressionEnvelope {\n return (\n typeof obj === \"object\" &&\n obj !== null &&\n \"v\" in obj &&\n \"algo\" in obj &&\n \"payload\" in obj &&\n typeof (obj as CompressionEnvelope).payload === \"string\"\n );\n}\n\n/\n Compresses a JSON string (e.g. serialized FHIR resource) for storage in DynamoDB.\n * Uses a versioned envelope: \\{ v, algo, payload \\} with gzip+base64 in payload.\n * Used by the data layer on write; see REST API docs (compression in data layer).\n * Optional compression: pass `{ algo: COMPRESSION_ALGOS.NONE }` to store in envelope without compressing.\n /\nexport function compressResource(\n jsonString: string,\n options?: { algo?: CompressionAlgo },\n): string {\n const algo = options?.algo ?? COMPRESSION_ALGOS.GZIP;\n if (algo === COMPRESSION_ALGOS.NONE) {\n const envelope: CompressionEnvelope = {\n v: ENVELOPE_VERSION,\n algo: COMPRESSION_ALGOS.NONE,\n payload: jsonString,\n };\n return JSON.stringify(envelope);\n }\n const buf = Buffer.from(jsonString, \"utf-8\");\n const payload = gzipSync(buf).toString(\"base64\");\n const envelope: CompressionEnvelope = {\n v: ENVELOPE_VERSION,\n algo: COMPRESSION_ALGOS.GZIP,\n payload,\n };\n return JSON.stringify(envelope);\n}\n\n/\n Decompresses a stored value: versioned envelope (v, algo, payload) or legacy gzip+base64 / raw.\n * If the value is not valid envelope JSON, falls back to legacy: try gzip magic on base64, else return as-is.\n /\nexport function decompressResource(compressedOrRaw: string): string {\n try {\n const parsed = JSON.parse(compressedOrRaw) as unknown;\n if (isEnvelope(parsed)) {\n if (parsed.algo === COMPRESSION_ALGOS.GZIP) {\n const buf = Buffer.from(parsed.payload, \"base64\");\n return gunzipSync(buf).toString(\"utf-8\");\n }\n if (parsed.algo === COMPRESSION_ALGOS.NONE) {\n return parsed.payload;\n }\n // Unknown algo: return payload as-is (safe fallback per ADR)\n return parsed.payload;\n }\n } catch {\n // Not valid envelope JSON — legacy path\n }\n\n // Legacy: pre-envelope gzip+base64 or raw\n try {\n const buf = Buffer.from(compressedOrRaw, \"base64\");\n if (buf.length >= 2 && buf[0] === 0x1f && buf[1] === 0x8b) {\n return gunzipSync(buf).toString(\"utf-8\");\n }\n } catch {\n // not base64 or gunzip failed\n }\n return compressedOrRaw;\n}\n","import { getDynamoControlService } from \"../../../dynamo/dynamo-control-service\";\nimport { SHARD_COUNT } from \"../../../dynamo/shard\";\nimport { OpenHiContext } from \"../../../openhi-context\";\nimport {\n batchGetWithRetry,\n dispatchListMode,\n type ListOperationMode,\n} from \"../../data-operations-common\";\n\nconst SK = \"CURRENT\";\n\nexport interface MembershipListParams {\n context: OpenHiContext;\n tableName?: string;\n /* #853: defaults to `\"full\"`. `\"summary\"` skips BatchGet, `\"count\"` returns total only. /\n mode?: ListOperationMode;\n}\n\nexport interface MembershipListResult {\n entries: Array<{\n id: string;\n resource: { resourceType: string; id: string; [key: string]: unknown };\n }>;\n total: number;\n}\n\n/\n Lists Memberships for the context tenant via GSI1 (sharded). See `dispatchListMode` for\n * the mode contract (#853).\n /\nexport async function listMembershipsOperation(\n params: MembershipListParams,\n): Promise<MembershipListResult> {\n const { context, tableName, mode = \"full\" } = params;\n const tenantId = context.tenantId;\n const service = getDynamoControlService(tableName);\n\n const shardResults = await Promise.all(\n Array.from({ length: SHARD_COUNT }, (_, shard) =>\n service.entities.membership.query\n .gsi1({ tenantId, gsi1Shard: String(shard) })\n .go(),\n ),\n );\n\n return dispatchListMode<\n { id: string; resource: string },\n MembershipListResult[\"entries\"][number]\n >(mode, shardResults, {\n hydrate: (orderedIds) =>\n batchGetWithRetry(\n service.entities.membership,\n orderedIds.map((id) => ({ tenantId, id, sk: SK })),\n ) as Promise<Array<{ id: string; resource: string }>>,\n getId: (item) => item.id,\n buildEntry: (id, item) => ({\n id,\n resource: {\n resourceType: \"Membership\",\n id,\n ...(JSON.parse(item.resource) as Record<string, unknown>),\n },\n }),\n buildSummaryEntry: (id, parsed) => ({\n id,\n resource: { resourceType: \"Membership\", id, ...parsed },\n }),\n });\n}\n","/\n Membership user-projection composer.\n \n Owns the SK grammar for ADR-018 patterns #3 and #4 and assembles the\n * projection-row payloads consumed by the membership create / update /\n * delete operations. The {@link MembershipUserProjectionEntity} stores\n * the SK verbatim — the grammar lives here so the operations layer is\n * the single source of truth for projection-row shape (per\n * `.claude/rules/data-layer-layout.md`).\n \n SK grammar:\n \n - Pattern #3 (tenant sub-lane, `workspaceId` absent):\n * `MEMBERSHIP#TENANT#<normalizedTenantName>#TID#<tenantId>#<membershipId>`\n * - Pattern #4 (workspace sub-lane, `workspaceId` set):\n * `MEMBERSHIP#WORKSPACE#TID#<tenantId>#<normalizedWorkspaceName>#WID#<workspaceId>#<membershipId>`\n \n Both patterns share the user partition `PK = USER#ID#<userId>` so\n * `Query(PK = USER#ID#<userId>, SK begins_with 'MEMBERSHIP#')` returns\n * both lanes interleaved.\n \n @see ADR-018 § Access Pattern Coverage (patterns #3 and #4)\n * @see .state/adr-018-implementation-guide.md § 1 (SK grammar) and § 2 (attribute set)\n /\n\nimport { normalizeLabel } from \"@openhi/types\";\n\n/\n Sentinel rendered into the SK when the source display name is missing\n * or empty. Keeps the SK shape stable so a `begins_with` prefix query\n * still matches the row; the rename-cascade pipeline (TR-023) will\n * rewrite the SK once the carrier display name lands. Matches the\n * `gsi1skAttribute` defensive posture — a missing source field never\n * produces a malformed key.\n /\nconst MISSING_NAME_SENTINEL = \"-\";\n\n/* Inputs to compose a Membership user-projection row. /\nexport interface MembershipUserProjectionInput {\n readonly tenantId: string;\n readonly userId: string;\n readonly workspaceId?: string;\n readonly membershipId: string;\n readonly summary: string;\n readonly vid: string;\n readonly lastUpdated: string;\n readonly denormalizedTenantName?: string;\n readonly denormalizedUserName?: string;\n readonly denormalizedWorkspaceName?: string;\n}\n\n/* A projection-row payload ready for `multi-write` consumption. /\nexport interface MembershipUserProjectionItem {\n readonly userId: string;\n readonly sk: string;\n readonly tenantId: string;\n readonly workspaceId?: string;\n readonly membershipId: string;\n readonly summary: string;\n readonly vid: string;\n readonly lastUpdated: string;\n readonly denormalizedTenantName?: string;\n readonly denormalizedUserName?: string;\n readonly denormalizedWorkspaceName?: string;\n}\n\n/\n Compose the SK for ADR-018 pattern #3 (tenant sub-lane). The\n * `<normalizedTenantName>` segment sorts memberships alphabetically by\n * tenant name within the user's partition. Missing `denormalizedTenantName`\n * falls back to {@link MISSING_NAME_SENTINEL} so the SK shape stays valid\n * pre-rename-cascade.\n /\nexport function buildMembershipUserProjectionSkTenantLane(params: {\n readonly tenantId: string;\n readonly membershipId: string;\n readonly denormalizedTenantName?: string;\n}): string {\n const normalizedTenantName =\n typeof params.denormalizedTenantName === \"string\" &&\n params.denormalizedTenantName.length > 0\n ? normalizeLabel(params.denormalizedTenantName)\n : MISSING_NAME_SENTINEL;\n return `MEMBERSHIP#TENANT#${normalizedTenantName}#TID#${params.tenantId}#${params.membershipId}`;\n}\n\n/\n Compose the SK for ADR-018 pattern #4 (workspace sub-lane). `tenantId`\n * appears before `<normalizedWorkspaceName>` so a\n * `begins_with('MEMBERSHIP#WORKSPACE#TID#<tenantId>#')` query filters\n * by one tenant. Missing `denormalizedWorkspaceName` falls back to\n * {@link MISSING_NAME_SENTINEL}.\n /\nexport function buildMembershipUserProjectionSkWorkspaceLane(params: {\n readonly tenantId: string;\n readonly workspaceId: string;\n readonly membershipId: string;\n readonly denormalizedWorkspaceName?: string;\n}): string {\n const normalizedWorkspaceName =\n typeof params.denormalizedWorkspaceName === \"string\" &&\n params.denormalizedWorkspaceName.length > 0\n ? normalizeLabel(params.denormalizedWorkspaceName)\n : MISSING_NAME_SENTINEL;\n return `MEMBERSHIP#WORKSPACE#TID#${params.tenantId}#${normalizedWorkspaceName}#WID#${params.workspaceId}#${params.membershipId}`;\n}\n\n/\n Builds the projection item for the access lane implied by the input.\n * Pattern #3 when `workspaceId` is absent or empty; pattern #4 otherwise.\n * Returns `undefined` when `userId` is missing — a Membership without a\n * linked user cannot project onto the user partition.\n /\nexport function buildMembershipUserProjectionItem(\n input: MembershipUserProjectionInput,\n): MembershipUserProjectionItem \| undefined {\n if (!input.userId \|\| input.userId.length === 0) {\n return undefined;\n }\n const hasWorkspace =\n typeof input.workspaceId === \"string\" && input.workspaceId.length > 0;\n const sk = hasWorkspace\n ? buildMembershipUserProjectionSkWorkspaceLane({\n tenantId: input.tenantId,\n workspaceId: input.workspaceId as string,\n membershipId: input.membershipId,\n denormalizedWorkspaceName: input.denormalizedWorkspaceName,\n })\n : buildMembershipUserProjectionSkTenantLane({\n tenantId: input.tenantId,\n membershipId: input.membershipId,\n denormalizedTenantName: input.denormalizedTenantName,\n });\n return {\n userId: input.userId,\n sk,\n tenantId: input.tenantId,\n workspaceId: hasWorkspace ? input.workspaceId : undefined,\n membershipId: input.membershipId,\n summary: input.summary,\n vid: input.vid,\n lastUpdated: input.lastUpdated,\n denormalizedTenantName: input.denormalizedTenantName,\n denormalizedUserName: input.denormalizedUserName,\n denormalizedWorkspaceName: hasWorkspace\n ? input.denormalizedWorkspaceName\n : undefined,\n };\n}\n\n/\n Extracts a FHIR `Reference` slug — the segment after the final `/`.\n * Returns `undefined` when the reference is missing or malformed so\n * callers fall back gracefully (matches the defensive posture in\n * `extractRoleId` / `extractDenormalizedReferenceDisplay`).\n /\nexport function extractReferenceSlug(\n resource: Record<string, unknown>,\n fieldName: string,\n): string \| undefined {\n const field = resource[fieldName];\n if (!field \|\| typeof field !== \"object\") {\n return undefined;\n }\n const reference = (field as { reference?: unknown }).reference;\n if (typeof reference !== \"string\" \|\| reference.length === 0) {\n return undefined;\n }\n const slash = reference.lastIndexOf(\"/\");\n const tail = slash >= 0 ? reference.slice(slash + 1) : reference;\n return tail.length > 0 ? tail : undefined;\n}\n","import { getDynamoControlService } from \"../../../dynamo/dynamo-control-service\";\n\n/* Inputs accepted by {@link roleAssignmentListByWorkspaceOperation}. /\nexport interface RoleAssignmentListByWorkspaceParams {\n readonly tenantId: string;\n readonly workspaceId: string;\n /\n Optional role discriminator. When supplied, narrows the listing to\n * users assigned to a single role via the discriminator-first\n * `begins_with('ROLEASSIGNMENT#<roleId>#')` prefix — the central read\n * pattern (#9 is \"users with role X in workspace Y\"). Omit to return\n * every role assignment in the workspace interleaved by `<roleId>`.\n /\n readonly roleId?: string;\n /* ElectroDB cursor from a prior page. Forwarded to `.go({ cursor })`. /\n readonly cursor?: string \| null;\n /* Per-page item limit forwarded to `.go({ limit })`. /\n readonly limit?: number;\n /* Sort order forwarded to `.go({ order })`. Defaults to ElectroDB's `\"asc\"`. /\n readonly order?: \"asc\" \| \"desc\";\n /* Optional table-name override; resolved via env when omitted. /\n readonly tableName?: string;\n}\n\n/* One projection-row payload as returned to a consumer. /\nexport interface RoleAssignmentWorkspaceProjectionEntry {\n readonly tenantId: string;\n readonly workspaceId: string;\n readonly sk: string;\n readonly userId: string;\n readonly roleId: string;\n readonly roleAssignmentId: string;\n readonly summary: string;\n readonly vid: string;\n readonly lastUpdated: string;\n readonly denormalizedUserName?: string;\n readonly denormalizedRoleName?: string;\n}\n\n/* Page returned by {@link roleAssignmentListByWorkspaceOperation}. /\nexport interface RoleAssignmentListByWorkspaceResult {\n readonly items: Array<RoleAssignmentWorkspaceProjectionEntry>;\n /* ElectroDB cursor for the next page, or `null` when exhausted. /\n readonly cursor: string \| null;\n}\n\n/\n Compose the SK prefix for the workspace-projection list. The\n * pattern-#9 SK is discriminator-first on the raw `<roleId>`\n * (`ROLEASSIGNMENT#<roleId>#<normalizedUserName>#USER#<userId>#<id>`)\n * so a `begins_with('ROLEASSIGNMENT#<roleId>#')` filter returns every\n * user assigned to that role in the workspace. The trailing `#` after\n * the role id is critical — without it `ROLEASSIGNMENT#role-1` would\n * also match `ROLEASSIGNMENT#role-10`, `role-100`, etc. Omitting the\n * `roleId` arg falls back to the wider `ROLEASSIGNMENT#` prefix.\n /\nfunction buildSkPrefix(roleId: string \| undefined): string {\n if (roleId === undefined \|\| roleId.length === 0) {\n return \"ROLEASSIGNMENT#\";\n }\n return `ROLEASSIGNMENT#${roleId}#`;\n}\n\n/\n List RoleAssignments for a workspace via the ADR-018 workspace-\n * partition projection (no GSI hop).\n \n Reads `RoleAssignmentWorkspaceProjectionEntity` rows under\n * `PK = TID#<tenantId>#WORKSPACE#ID#<workspaceId>` with an\n * `SK begins_with` filter:\n \n \| `roleId` arg \| SK begins_with \| Covers \|\n * \|---\|---\|---\|\n * \| omitted \| `ROLEASSIGNMENT#` \| Every role assignment in the workspace, interleaved by `<roleId>` \|\n * \| supplied \| `ROLEASSIGNMENT#<roleId>#` \| Pattern #9 — every user assigned to that role, sorted alphabetically by `<normalizedUserName>` \|\n \n The projection's SK shape\n * (`ROLEASSIGNMENT#<roleId>#<normalizedUserName>#USER#<userId>#<id>`)\n * is discriminator-first on the raw `<roleId>` (mirroring the canonical\n * GSI1SK from pattern #8) so the natural Query order is exactly what\n * the access pattern expects — no client-side sort. Tenant-scoped\n * RoleAssignments (no `workspaceId`) skip this projection entirely;\n * they live only in the user-projection's tenant sub-lane.\n \n Returns the projection rows verbatim (`summary`, `vid`, `lastUpdated`\n * plus the projection-discriminating fields) — full canonical-resource\n * hydration is opt-in for callers via\n * `RoleAssignmentEntity.get({ tenantId, id: roleAssignmentId })`.\n * Pagination mirrors ElectroDB's native `.go({ cursor })` shape; the\n * returned `cursor` is opaque to callers.\n \n @see ADR-018 § Access Pattern Coverage (pattern #9)\n * @see .state/adr-018-implementation-guide.md § 1 (SK grammar) and § 2 (attribute set)\n /\nexport async function roleAssignmentListByWorkspaceOperation(\n params: RoleAssignmentListByWorkspaceParams,\n): Promise<RoleAssignmentListByWorkspaceResult> {\n const {\n tenantId,\n workspaceId,\n roleId,\n cursor = null,\n limit,\n order,\n tableName,\n } = params;\n\n const service = getDynamoControlService(tableName);\n const skPrefix = buildSkPrefix(roleId);\n\n const goOptions: {\n cursor?: string \| null;\n limit?: number;\n order?: \"asc\" \| \"desc\";\n } = {\n cursor,\n };\n if (limit !== undefined) {\n goOptions.limit = limit;\n }\n if (order !== undefined) {\n goOptions.order = order;\n }\n\n const result = await service.entities.roleAssignmentWorkspaceProjection.query\n .record({ tenantId, workspaceId })\n .begins({ sk: skPrefix })\n .go(goOptions);\n\n const items: Array<RoleAssignmentWorkspaceProjectionEntry> = (\n result.data ?? []\n ).map((row) => ({\n tenantId: row.tenantId,\n workspaceId: row.workspaceId,\n sk: row.sk,\n userId: row.userId,\n roleId: row.roleId,\n roleAssignmentId: row.roleAssignmentId,\n summary: row.summary,\n vid: row.vid,\n lastUpdated: row.lastUpdated,\n denormalizedUserName: row.denormalizedUserName,\n denormalizedRoleName: row.denormalizedRoleName,\n }));\n\n return { items, cursor: result.cursor ?? null };\n}\n","import { getDynamoControlService } from \"../../../dynamo/dynamo-control-service\";\nimport { SHARD_COUNT } from \"../../../dynamo/shard\";\nimport type { OpenHiContext } from \"../../../openhi-context\";\nimport {\n batchGetWithRetry,\n dispatchListMode,\n type ListOperationMode,\n} from \"../../data-operations-common\";\n\nconst SK = \"CURRENT\";\n\nexport interface ListWorkspacesParams {\n context: OpenHiContext;\n tableName?: string;\n /* #853: defaults to `\"full\"`. `\"summary\"` skips BatchGet, `\"count\"` returns total only. /\n mode?: ListOperationMode;\n}\n\n/\n ADR-028 denormalized counter shape surfaced on a Workspace list\n * entry's `resource.counts`. Missing counters render as `0`.\n /\nexport interface WorkspaceCounts {\n usersInWorkspace: number;\n adminUsersInWorkspace: number;\n normalUsersInWorkspace: number;\n}\n\nexport interface WorkspaceListEntry {\n id: string;\n resource: Record<string, unknown> & { counts: WorkspaceCounts };\n}\n\nexport interface ListWorkspacesResult {\n entries: WorkspaceListEntry[];\n total: number;\n}\n\n/* Coerce a possibly-absent counter attribute to a non-negative number (default 0). /\nfunction counterValue(value: unknown): number {\n return typeof value === \"number\" && Number.isFinite(value) ? value : 0;\n}\n\n/\n Lists all Workspaces for the context tenant via GSI1 (sharded). See `dispatchListMode` for\n * the mode contract (#853).\n /\nexport async function listWorkspacesOperation(\n params: ListWorkspacesParams,\n): Promise<ListWorkspacesResult> {\n const { context, tableName, mode = \"full\" } = params;\n const { tenantId } = context;\n const service = getDynamoControlService(tableName);\n\n const shardResults = await Promise.all(\n Array.from({ length: SHARD_COUNT }, (_, shard) =>\n service.entities.workspace.query\n .gsi1({ tenantId, gsi1Shard: String(shard) })\n .go(),\n ),\n );\n\n return dispatchListMode<\n {\n id: string;\n resource: string;\n usersInWorkspace?: number;\n adminUsersInWorkspace?: number;\n normalUsersInWorkspace?: number;\n },\n WorkspaceListEntry\n >(mode, shardResults, {\n hydrate: (orderedIds) =>\n batchGetWithRetry(\n service.entities.workspace,\n orderedIds.map((id) => ({ tenantId, id, sk: SK })),\n ) as Promise<\n Array<{\n id: string;\n resource: string;\n usersInWorkspace?: number;\n adminUsersInWorkspace?: number;\n normalUsersInWorkspace?: number;\n }>\n >,\n getId: (item) => item.id,\n // FULL mode (admin list default): read the ADR-028 counters off the\n // canonical record hydrated by BatchGet and expose them as\n // `resource.counts`. Missing counters render as 0.\n buildEntry: (id, item) => ({\n id,\n resource: {\n resourceType: \"Workspace\",\n id,\n ...(JSON.parse(item.resource) as Record<string, unknown>),\n counts: {\n usersInWorkspace: counterValue(item.usersInWorkspace),\n adminUsersInWorkspace: counterValue(item.adminUsersInWorkspace),\n normalUsersInWorkspace: counterValue(item.normalUsersInWorkspace),\n },\n },\n }),\n // SUMMARY mode reads only the GSI1 `summary` projection (no\n // counters); surface zeros so the shape stays uniform.\n buildSummaryEntry: (id, parsed) => ({\n id,\n resource: {\n resourceType: \"Workspace\",\n id,\n ...parsed,\n counts: {\n usersInWorkspace: 0,\n adminUsersInWorkspace: 0,\n normalUsersInWorkspace: 0,\n },\n },\n }),\n });\n}\n","import {\n COUNTER_TARGET,\n type CounterTarget,\n type TenantCounter,\n type UserCounter,\n type WorkspaceCounter,\n} from \"./counter-apply-operation\";\nimport { isAdminRoleAssignment } from \"./role-admin-classification\";\nimport { getDynamoControlService } from \"../../../dynamo/dynamo-control-service\";\nimport type { OpenHiContext } from \"../../../openhi-context\";\nimport { extractRoleLevel } from \"../control-event-publisher\";\nimport { countMembershipsByUserOperation } from \"../membership/membership-count-by-user-operation\";\nimport { membershipListByWorkspaceOperation } from \"../membership/membership-list-by-workspace-operation\";\nimport { listMembershipsOperation } from \"../membership/membership-list-operation\";\nimport { extractReferenceSlug } from \"../membership/membership-user-projection\";\nimport { roleAssignmentListByWorkspaceOperation } from \"../roleassignment/roleassignment-list-by-workspace-operation\";\nimport { listWorkspacesOperation } from \"../workspace/workspace-list-operation\";\n\n/\n ADR-028 counter reconciliation — recompute the denormalized\n * control-plane counters from canonical data and repair drift.\n \n The atomic-ADD path ({@link applyCounterDeltaOperation}) maintains the\n * counters incrementally off domain events, but events can be missed,\n * replayed, or arrive after a record was created without one (rows that\n * predate the counter work). This operation is the correctness backstop\n * ADR-028 names: it ignores the current counter value, recomputes the\n * true value from canonical records, and writes the absolute recomputed\n * value back with a DynamoDB `SET` (not `ADD`). A `SET` repairs both\n * directions of drift and backfills an absent / `0` attribute to its\n * correct value in one write.\n \n Counter semantics recomputed here MUST match {@link counterEventRouter}:\n \n - `Tenant.usersInTenant` = # tenant-scoped Memberships in the tenant\n * (membership with NO workspace reference).\n * - `Tenant.workspacesInTenant` = # Workspaces in the tenant.\n * - `Workspace.usersInWorkspace` = # workspace-scoped Memberships for the workspace.\n * - `Workspace.adminUsersInWorkspace` / `normalUsersInWorkspace` =\n * # workspace-scoped RoleAssignments for the workspace, bucketed by\n * {@link isAdminRoleAssignment} on the assignment's role level / role id.\n * - `User.tenantsForUser` = # tenant-scoped Memberships for the user.\n * - `User.workspacesForUser` = # workspace-scoped Memberships for the user.\n \n @see counter-apply-operation.ts — the incremental ADD path this reconciles against.\n * @see counter-event-router.ts — the event → counter semantics this mirrors.\n /\n\n/* One counter's old → new transition, recorded only when `old !== new`. /\nexport interface CounterDriftEntry {\n /* Which canonical entity the counter lives on. /\n readonly target: CounterTarget;\n /* Identity of the canonical record (tenantId for Tenant, workspaceId for Workspace, userId for User). /\n readonly id: string;\n /* Tenant the record belongs to (Workspace only; omitted for Tenant / User). /\n readonly tenantId?: string;\n /* The counter attribute name. /\n readonly counter: string;\n /* The value found on the record before reconciliation (0 when the attribute was absent). /\n readonly old: number;\n /* The recomputed-from-canonical value written back. /\n readonly new: number;\n}\n\n/* Result of reconciling one target record. /\nexport interface CounterReconcileResult {\n /* Every counter whose value changed (empty when the record was already correct). /\n readonly drift: Array<CounterDriftEntry>;\n}\n\n/* Coerce a possibly-absent counter attribute to a non-negative number (default 0). /\nfunction counterValue(value: unknown): number {\n return typeof value === \"number\" && Number.isFinite(value) ? value : 0;\n}\n\n/* Minimal actor context the underlying list operations need (they read only `tenantId`). /\nfunction reconcileContext(tenantId: string): OpenHiContext {\n return {\n tenantId,\n workspaceId: \"\",\n date: new Date().toISOString(),\n actorId: \"counter-reconciliation\",\n actorName: \"Counter Reconciliation Job\",\n actorType: \"internal-system\",\n source: \"step-function\",\n };\n}\n\n/\n Recompute and repair the two counters on one Tenant record.\n \n - `workspacesInTenant` is the workspace count from\n * {@link listWorkspacesOperation} (`mode: \"count\"`, GSI1 fan-out).\n * - `usersInTenant` is the number of tenant-scoped Memberships in the\n * tenant. Memberships have no tenant-partition projection, so this\n * enumerates the tenant's canonical Memberships via\n * {@link listMembershipsOperation} (`mode: \"full\"`) and counts the rows\n * whose `resource` carries no `workspace` reference — the same\n * tenant-vs-workspace discriminator the create path uses\n * ({@link extractReferenceSlug} on the `workspace` field).\n /\nexport async function reconcileTenantCountersOperation(params: {\n readonly tenantId: string;\n readonly tableName?: string;\n}): Promise<CounterReconcileResult> {\n const { tenantId, tableName } = params;\n const service = getDynamoControlService(tableName);\n const context = reconcileContext(tenantId);\n\n const workspacesResult = await listWorkspacesOperation({\n context,\n tableName,\n mode: \"count\",\n });\n const workspacesInTenant = workspacesResult.total;\n\n // Full enumeration of the tenant's canonical Memberships; discriminate\n // tenant-scoped (no workspace reference) from workspace-scoped by the\n // resource's `workspace` reference, mirroring the create path.\n const memberships = await listMembershipsOperation({\n context,\n tableName,\n mode: \"full\",\n });\n let usersInTenant = 0;\n for (const entry of memberships.entries) {\n const workspaceSlug = extractReferenceSlug(entry.resource, \"workspace\");\n if (workspaceSlug === undefined) {\n usersInTenant += 1;\n }\n }\n\n const current = await service.entities.tenant\n .get({ tenantId, sk: \"CURRENT\" })\n .go();\n\n const drift: Array<CounterDriftEntry> = [];\n const recomputed: Record<TenantCounter, number> = {\n usersInTenant,\n workspacesInTenant,\n };\n\n for (const counter of Object.keys(recomputed) as Array<TenantCounter>) {\n const oldValue = counterValue(current.data?.[counter]);\n const newValue = recomputed[counter];\n if (oldValue !== newValue) {\n drift.push({\n target: COUNTER_TARGET.Tenant,\n id: tenantId,\n counter,\n old: oldValue,\n new: newValue,\n });\n }\n }\n\n if (drift.length > 0) {\n await service.entities.tenant\n .patch({ tenantId, sk: \"CURRENT\" })\n .set(recomputed)\n .go();\n }\n\n return { drift };\n}\n\n/\n Recompute and repair the three counters on one Workspace record.\n \n - `usersInWorkspace` pages every workspace-scoped Membership via\n * {@link membershipListByWorkspaceOperation} (ADR-018 pattern #2).\n * - `adminUsersInWorkspace` / `normalUsersInWorkspace` page every\n * workspace-scoped RoleAssignment via\n * {@link roleAssignmentListByWorkspaceOperation} (pattern #9), then\n * classify each with {@link isAdminRoleAssignment}. The projection row\n * does not carry the ADR-019 role level (its `summary` is the\n * id/displayName/status projection), so each assignment's canonical\n * RoleAssignment resource is read to extract the role level via\n * {@link extractRoleLevel} — the same signal the create path publishes.\n * The projection's `roleId` is passed alongside as the fallback signal.\n /\nexport async function reconcileWorkspaceCountersOperation(params: {\n readonly tenantId: string;\n readonly workspaceId: string;\n readonly tableName?: string;\n}): Promise<CounterReconcileResult> {\n const { tenantId, workspaceId, tableName } = params;\n const service = getDynamoControlService(tableName);\n\n // usersInWorkspace — page every workspace-scoped membership.\n let usersInWorkspace = 0;\n let membershipCursor: string \| null = null;\n do {\n const page = await membershipListByWorkspaceOperation({\n tenantId,\n workspaceId,\n cursor: membershipCursor,\n tableName,\n });\n usersInWorkspace += page.items.length;\n membershipCursor = page.cursor;\n } while (membershipCursor !== null);\n\n // admin/normal — page every workspace-scoped role assignment, then read\n // each canonical RoleAssignment to recover the role level for the\n // admin/normal split (the projection summary does not carry it).\n let adminUsersInWorkspace = 0;\n let normalUsersInWorkspace = 0;\n let roleAssignmentCursor: string \| null = null;\n do {\n const page = await roleAssignmentListByWorkspaceOperation({\n tenantId,\n workspaceId,\n cursor: roleAssignmentCursor,\n tableName,\n });\n for (const item of page.items) {\n const roleLevel = await readRoleLevel(\n service,\n tenantId,\n item.roleAssignmentId,\n );\n if (isAdminRoleAssignment({ roleLevel, roleId: item.roleId })) {\n adminUsersInWorkspace += 1;\n } else {\n normalUsersInWorkspace += 1;\n }\n }\n roleAssignmentCursor = page.cursor;\n } while (roleAssignmentCursor !== null);\n\n const current = await service.entities.workspace\n .get({ tenantId, id: workspaceId, sk: \"CURRENT\" })\n .go();\n\n const drift: Array<CounterDriftEntry> = [];\n const recomputed: Record<WorkspaceCounter, number> = {\n usersInWorkspace,\n adminUsersInWorkspace,\n normalUsersInWorkspace,\n };\n\n for (const counter of Object.keys(recomputed) as Array<WorkspaceCounter>) {\n const oldValue = counterValue(current.data?.[counter]);\n const newValue = recomputed[counter];\n if (oldValue !== newValue) {\n drift.push({\n target: COUNTER_TARGET.Workspace,\n id: workspaceId,\n tenantId,\n counter,\n old: oldValue,\n new: newValue,\n });\n }\n }\n\n if (drift.length > 0) {\n await service.entities.workspace\n .patch({ tenantId, id: workspaceId, sk: \"CURRENT\" })\n .set(recomputed)\n .go();\n }\n\n return { drift };\n}\n\n/\n Recompute and repair the two counters on one User record.\n \n Both derive from {@link countMembershipsByUserOperation} over the\n * ADR-018 user-partition projection lanes: `tenantsForUser` from the\n * `tenant` lane (pattern #3), `workspacesForUser` from the `workspace`\n * lane (pattern #4).\n /\nexport async function reconcileUserCountersOperation(params: {\n readonly userId: string;\n readonly tableName?: string;\n}): Promise<CounterReconcileResult> {\n const { userId, tableName } = params;\n const service = getDynamoControlService(tableName);\n\n const tenantsForUser = await countMembershipsByUserOperation({\n userId,\n mode: \"tenant\",\n tableName,\n });\n const workspacesForUser = await countMembershipsByUserOperation({\n userId,\n mode: \"workspace\",\n tableName,\n });\n\n const current = await service.entities.user\n .get({ id: userId, sk: \"CURRENT\" })\n .go();\n\n const drift: Array<CounterDriftEntry> = [];\n const recomputed: Record<UserCounter, number> = {\n tenantsForUser,\n workspacesForUser,\n };\n\n for (const counter of Object.keys(recomputed) as Array<UserCounter>) {\n const oldValue = counterValue(current.data?.[counter]);\n const newValue = recomputed[counter];\n if (oldValue !== newValue) {\n drift.push({\n target: COUNTER_TARGET.User,\n id: userId,\n counter,\n old: oldValue,\n new: newValue,\n });\n }\n }\n\n if (drift.length > 0) {\n await service.entities.user\n .patch({ id: userId, sk: \"CURRENT\" })\n .set(recomputed)\n .go();\n }\n\n return { drift };\n}\n\n/\n Read the ADR-019 role level off a canonical RoleAssignment so the\n * admin/normal split classifies the same way the create path published\n * it. Returns `undefined` when the record or its code is missing — the\n * classifier then falls back to the `roleId` signal.\n /\nasync function readRoleLevel(\n service: ReturnType<typeof getDynamoControlService>,\n tenantId: string,\n roleAssignmentId: string,\n): Promise<string \| undefined> {\n const response = await service.entities.roleAssignment\n .get({ tenantId, id: roleAssignmentId, sk: \"CURRENT\" })\n .go();\n if (!response.data) {\n return undefined;\n }\n const resource = JSON.parse(response.data.resource) as Record<\n string,\n unknown\n >;\n return extractRoleLevel(resource);\n}\n","import { getDynamoControlService } from \"../../../dynamo/dynamo-control-service\";\nimport { SHARD_COUNT } from \"../../../dynamo/shard\";\nimport type { OpenHiContext } from \"../../../openhi-context\";\nimport {\n batchGetWithRetry,\n dispatchListMode,\n type ListOperationMode,\n} from \"../../data-operations-common\";\n\nconst SK = \"CURRENT\";\n\nexport interface ListTenantsParams {\n context: OpenHiContext;\n tableName?: string;\n /* #853: defaults to `\"full\"`. `\"summary\"` skips BatchGet, `\"count\"` returns total only. /\n mode?: ListOperationMode;\n}\n\n/\n ADR-028 denormalized counter shape surfaced on a Tenant list entry's\n * `resource.counts`. Missing counters render as `0` so the admin console\n * never sees `undefined`.\n /\nexport interface TenantCounts {\n usersInTenant: number;\n workspacesInTenant: number;\n}\n\nexport interface TenantListEntry {\n id: string;\n resource: Record<string, unknown> & { counts: TenantCounts };\n}\n\nexport interface ListTenantsResult {\n entries: TenantListEntry[];\n total: number;\n}\n\n/* Coerce a possibly-absent counter attribute to a non-negative number (default 0). /\nfunction counterValue(value: unknown): number {\n return typeof value === \"number\" && Number.isFinite(value) ? value : 0;\n}\n\n/\n Lists all Tenants (platform-wide, no scope filter) via GSI1 (sharded). Tenant uses tenantId\n * as its identity (tenantId === id), so BatchGet keys reuse `id` as `tenantId`. See\n * `dispatchListMode` for the mode contract (#853).\n /\nexport async function listTenantsOperation(\n params: ListTenantsParams,\n): Promise<ListTenantsResult> {\n const { tableName, mode = \"full\" } = params;\n const service = getDynamoControlService(tableName);\n\n const shardResults = await Promise.all(\n Array.from({ length: SHARD_COUNT }, (_, shard) =>\n service.entities.tenant.query.gsi1({ gsi1Shard: String(shard) }).go(),\n ),\n );\n\n return dispatchListMode<\n {\n id: string;\n resource: string;\n usersInTenant?: number;\n workspacesInTenant?: number;\n },\n TenantListEntry\n >(mode, shardResults, {\n hydrate: (orderedIds) =>\n batchGetWithRetry(\n service.entities.tenant,\n orderedIds.map((id) => ({ tenantId: id, sk: SK })),\n ) as Promise<\n Array<{\n id: string;\n resource: string;\n usersInTenant?: number;\n workspacesInTenant?: number;\n }>\n >,\n getId: (item) => item.id,\n // FULL mode (admin list default): read the ADR-028 counters off the\n // canonical record hydrated by BatchGet and expose them as\n // `resource.counts`. Missing counters render as 0.\n buildEntry: (id, item) => ({\n id,\n resource: {\n resourceType: \"Tenant\",\n id,\n ...(JSON.parse(item.resource) as Record<string, unknown>),\n counts: {\n usersInTenant: counterValue(item.usersInTenant),\n workspacesInTenant: counterValue(item.workspacesInTenant),\n },\n },\n }),\n // SUMMARY mode reads only the GSI1 `summary` projection, which does\n // not carry the counters; surface zeros so the shape stays uniform.\n buildSummaryEntry: (id, parsed) => ({\n id,\n resource: {\n resourceType: \"Tenant\",\n id,\n ...parsed,\n counts: { usersInTenant: 0, workspacesInTenant: 0 },\n },\n }),\n });\n}\n","import { getDynamoControlService } from \"../../../dynamo/dynamo-control-service\";\nimport { SHARD_COUNT } from \"../../../dynamo/shard\";\nimport { OpenHiContext } from \"../../../openhi-context\";\nimport {\n batchGetWithRetry,\n dispatchListMode,\n type ListOperationMode,\n} from \"../../data-operations-common\";\n\nconst SK = \"CURRENT\";\n\nexport interface UserListParams {\n context: OpenHiContext;\n tableName?: string;\n /* #853: defaults to `\"full\"`. `\"summary\"` skips BatchGet, `\"count\"` returns total only. /\n mode?: ListOperationMode;\n}\n\n/\n ADR-028 denormalized counter shape surfaced on a User list entry's\n * `resource.counts`. Missing counters render as `0`.\n /\nexport interface UserCounts {\n tenantsForUser: number;\n workspacesForUser: number;\n}\n\nexport interface UserListResult {\n entries: Array<{\n id: string;\n resource: {\n resourceType: string;\n id: string;\n counts: UserCounts;\n [key: string]: unknown;\n };\n }>;\n total: number;\n}\n\n/* Coerce a possibly-absent counter attribute to a non-negative number (default 0). /\nfunction counterValue(value: unknown): number {\n return typeof value === \"number\" && Number.isFinite(value) ? value : 0;\n}\n\n/\n Lists Users via GSI1 (sharded). `mode` (default `\"full\"`) selects between BatchGet hydration,\n * summary-only (parse `summary` JSON projected on GSI1), or count-only (skip both). See\n * `dispatchListMode` in data-operations-common for the canonical mode contract.\n /\nexport async function listUsersOperation(\n params: UserListParams,\n): Promise<UserListResult> {\n const { tableName, mode = \"full\" } = params;\n const service = getDynamoControlService(tableName);\n\n const shardResults = await Promise.all(\n Array.from({ length: SHARD_COUNT }, (_, shard) =>\n service.entities.user.query.gsi1({ gsi1Shard: String(shard) }).go(),\n ),\n );\n\n return dispatchListMode<\n {\n id: string;\n resource: string;\n tenantsForUser?: number;\n workspacesForUser?: number;\n },\n UserListResult[\"entries\"][number]\n >(mode, shardResults, {\n hydrate: (orderedIds) =>\n batchGetWithRetry(\n service.entities.user,\n orderedIds.map((id) => ({ id, sk: SK })),\n ) as Promise<\n Array<{\n id: string;\n resource: string;\n tenantsForUser?: number;\n workspacesForUser?: number;\n }>\n >,\n getId: (item) => item.id,\n // FULL mode (admin list default): read the ADR-028 counters off the\n // canonical record hydrated by BatchGet and expose them as\n // `resource.counts`. Missing counters render as 0.\n buildEntry: (id, item) => ({\n id,\n resource: {\n resourceType: \"User\",\n id,\n ...(JSON.parse(item.resource) as Record<string, unknown>),\n counts: {\n tenantsForUser: counterValue(item.tenantsForUser),\n workspacesForUser: counterValue(item.workspacesForUser),\n },\n },\n }),\n // SUMMARY mode reads only the GSI1 `summary` projection (no\n // counters); surface zeros so the shape stays uniform.\n buildSummaryEntry: (id, parsed) => ({\n id,\n resource: {\n resourceType: \"User\",\n id,\n ...parsed,\n counts: { tenantsForUser: 0, workspacesForUser: 0 },\n },\n }),\n });\n}\n","import {\n type CounterDriftEntry,\n reconcileTenantCountersOperation,\n reconcileUserCountersOperation,\n reconcileWorkspaceCountersOperation,\n} from \"./counter-reconcile-operation\";\nimport type { OpenHiContext } from \"../../../openhi-context\";\nimport { listTenantsOperation } from \"../tenant/tenant-list-operation\";\nimport { listUsersOperation } from \"../user/user-list-operation\";\nimport { listWorkspacesOperation } from \"../workspace/workspace-list-operation\";\n\n/\n ADR-028 counter-reconciliation driver — walks every canonical Tenant,\n * Workspace, and User, reconciles each record's denormalized counters\n * against canonical data, and accumulates a single drift report.\n \n Enumeration reuses the existing GSI1-sharded list operations\n * (`summary` mode — ids only, no per-record BatchGet hydration):\n \n - All Tenants via {@link listTenantsOperation}.\n * - Per tenant, all Workspaces in that tenant via\n * {@link listWorkspacesOperation} (the workspace GSI1 partition is\n * tenant-scoped).\n * - All Users via {@link listUsersOperation}.\n \n Each record is then handed to the matching per-target recompute\n * ({@link reconcileTenantCountersOperation},\n * {@link reconcileWorkspaceCountersOperation},\n * {@link reconcileUserCountersOperation}), which owns the SET-back repair\n * and returns the per-counter old → new drift it corrected.\n \n @see counter-reconcile-operation.ts — the per-target recompute + repair.\n /\n\n/* Totals summarizing one reconciliation run, alongside the per-counter drift list. /\nexport interface CounterReconcileReport {\n /* Every counter that changed across every record, in walk order. /\n readonly drift: Array<CounterDriftEntry>;\n /* How many canonical records of each kind were scanned. /\n readonly scanned: {\n readonly tenants: number;\n readonly workspaces: number;\n readonly users: number;\n };\n /* Total number of individual counters corrected (== `drift.length`). /\n readonly countersCorrected: number;\n}\n\n/* Minimal actor context the list operations need (they read only `tenantId`). /\nfunction driverContext(tenantId: string): OpenHiContext {\n return {\n tenantId,\n workspaceId: \"\",\n date: new Date().toISOString(),\n actorId: \"counter-reconciliation\",\n actorName: \"Counter Reconciliation Job\",\n actorType: \"internal-system\",\n source: \"step-function\",\n };\n}\n\n/\n Run a full reconciliation sweep across every Tenant, Workspace, and\n * User. Returns the accumulated drift report; the per-target operations\n * have already written the repairs by the time this resolves.\n */\nexport async function reconcileAllCountersOperation(\n params: {\n readonly tableName?: string;\n } = {},\n): Promise<CounterReconcileReport> {\n const { tableName } = params;\n const drift: Array<CounterDriftEntry> = [];\n let tenantsScanned = 0;\n let workspacesScanned = 0;\n let usersScanned = 0;\n\n // Tenants (and, per tenant, the tenant's workspaces).\n const tenants = await listTenantsOperation({\n context: driverContext(\"\"),\n tableName,\n mode: \"summary\",\n });\n for (const tenant of tenants.entries) {\n tenantsScanned += 1;\n const tenantResult = await reconcileTenantCountersOperation({\n tenantId: tenant.id,\n tableName,\n });\n drift.push(...tenantResult.drift);\n\n const workspaces = await listWorkspacesOperation({\n context: driverContext(tenant.id),\n tableName,\n mode: \"summary\",\n });\n for (const workspace of workspaces.entries) {\n workspacesScanned += 1;\n const workspaceResult = await reconcileWorkspaceCountersOperation({\n tenantId: tenant.id,\n workspaceId: workspace.id,\n tableName,\n });\n drift.push(...workspaceResult.drift);\n }\n }\n\n // Users (platform-wide, no tenant scope).\n const users = await listUsersOperation({\n context: driverContext(\"\"),\n tableName,\n mode: \"summary\",\n });\n for (const user of users.entries) {\n usersScanned += 1;\n const userResult = await reconcileUserCountersOperation({\n userId: user.id,\n tableName,\n });\n drift.push(...userResult.drift);\n }\n\n return {\n drift,\n scanned: {\n tenants: tenantsScanned,\n workspaces: workspacesScanned,\n users: usersScanned,\n },\n countersCorrected: drift.length,\n };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA+BA,IAAAA,SAAA,6BAAA;AAxBa,IAAAA,SAAA,mBAAmB;AAEhC,QAAM,2BAA2B;AAQjC,QAAM,sBAAsB;AAQ5B,QAAM,sBAAsB;AAM5B,aAAgB,2BAA2B,SAAe;AACxD,UAAI,CAAC,yBAAyB,KAAK,OAAO,GAAG;AAC3C,eAAO;MACT;AACA,YAAM,QAAQ,OAAO,SAAS,QAAQ,MAAM,GAAG,EAAE,CAAC,GAAG,EAAE;AACvD,aAAO,SAAS,uBAAuB,SAAS;IAClD;;;;;;;;;;ACPA,IAAAC,SAAA,sBAAA;AASA,IAAAA,SAAA,wBAAA;AA6CA,IAAAA,SAAA,8BAAA;AAtDA,aAAgB,oBACd,OAAoB;AAEpB,aAAQ,MAA4B,YAAY;IAClD;AAKA,aAAgB,sBACd,OAAoB;AAEpB,aAAQ,MAA8B,WAAW;IACnD;AAyCA,aAAgB,4BACd,QAAoB;AAEpB,UAAI,OAAO,YAAY,UAAa,OAAO,YAAY,QAAW;AAChE,cAAM,IAAI,yBACR,iMAAiM;MAErM;AACA,aAAO;QACL,SAAS,OAAO;QAChB,SAAS,OAAO;QAChB,SAAS,OAAO;QAChB,WAAW,OAAO;;IAEtB;AAGA,QAAa,2BAAb,cAA8C,MAAK;;MAEjD,YAAY,SAAe;AACzB,cAAM,OAAO;AACb,aAAK,OAAO;MACd;;AALF,IAAAA,SAAA,2BAAA;;;;;;;;;;AC3Fa,IAAAC,SAAA,wBAAwB;AAGxB,IAAAA,SAAA,qBAAqB;AAGrB,IAAAA,SAAA,oBAAoB;AAmBpB,IAAAA,SAAA,6BAA2D;MACtE,CAACA,SAAA,qBAAqB,GAAG;MACzB,CAACA,SAAA,kBAAkB,GAAG;MACtB,CAACA,SAAA,iBAAiB,GAAG;;;;;;;;;;;ACQvB,IAAAC,SAAA,mBAAA;AAuBA,IAAAA,SAAA,yBAAA;AAvBA,aAAgB,iBACd,OAAwD;AAExD,UAAI,CAAC,uBAAuB,MAAM,UAAU,GAAG;AAC7C,cAAM,IAAI,mCACR,gBAAgB,MAAM,UAAU,oGAAiG;MAErI;AACA,aAAO;IACT;AAUA,QAAM,sBACJ;AAGF,aAAgB,uBAAuB,YAAkB;AACvD,aAAO,oBAAoB,KAAK,UAAU;IAC5C;AAGA,QAAa,qCAAb,cAAwD,MAAK;;MAE3D,YAAY,SAAe;AACzB,cAAM,OAAO;AACb,aAAK,OAAO;MACd;;AALF,IAAAA,SAAA,qCAAA;;;;;;;;;;AC1EA,QAAA,YAAA;AAKA,QAAA,aAAA;AAUa,IAAAC,SAAA,qBAAqB;MAChC,WAAW;MACX,MAAM;;AA4CK,IAAAA,SAAA,8BACX,GAAA,WAAA,kBAAmD;MACjD,YAAY;MACZ,QAAQ,UAAA;MACR,eAAe;KAChB;AA0BU,IAAAA,SAAA,sCACX,GAAA,WAAA,kBAA2D;MACzD,YAAY;MACZ,QAAQ,UAAA;MACR,eAAe;KAChB;AA0BU,IAAAA,SAAA,oCACX,GAAA,WAAA,kBAAyD;MACvD,YAAY;MACZ,QAAQ,UAAA;MACR,eAAe;KAChB;AAaU,IAAAA,SAAA,wBAAwB;MACnC,QAAQ;MACR,MAAM;MACN,MAAM;;AAgDK,IAAAA,SAAA,wBACX,GAAA,WAAA,kBAA6C;MAC3C,YAAY;MACZ,QAAQ,UAAA;MACR,eAAe;KAChB;AA0BU,IAAAA,SAAA,gCACX,GAAA,WAAA,kBAAqD;MACnD,YAAY;MACZ,QAAQ,UAAA;MACR,eAAe;KAChB;AAsBU,IAAAA,SAAA,8BACX,GAAA,WAAA,kBAAmD;MACjD,YAAY;MACZ,QAAQ,UAAA;MACR,eAAe;KAChB;AAwCU,IAAAA,SAAA,mCACX,GAAA,WAAA,kBAAwD;MACtD,YAAY;MACZ,QAAQ,UAAA;MACR,eAAe;KAChB;AAGU,IAAAA,SAAA,mCACX,GAAA,WAAA,kBAAwD;MACtD,YAAY;MACZ,QAAQ,UAAA;MACR,eAAe;KAChB;AAkCU,IAAAA,SAAA,uCACX,GAAA,WAAA,kBAA4D;MAC1D,YAAY;MACZ,QAAQ,UAAA;MACR,eAAe;KAChB;AAGU,IAAAA,SAAA,uCACX,GAAA,WAAA,kBAA4D;MAC1D,YAAY;MACZ,QAAQ,UAAA;MACR,eAAe;KAChB;AA6BU,IAAAA,SAAA,kCACX,GAAA,WAAA,kBAAuD;MACrD,YAAY;MACZ,QAAQ,UAAA;MACR,eAAe;KAChB;AAGU,IAAAA,SAAA,kCACX,GAAA,WAAA,kBAAuD;MACrD,YAAY;MACZ,QAAQ,UAAA;MACR,eAAe;KAChB;;;;;;;;;;AC7YH,QAAA,YAAA;AACA,QAAA,aAAA;AAkDa,IAAAC,SAAA,iCACX,GAAA,WAAA,kBAAsD;MACpD,YAAY;MACZ,QAAQ,UAAA;MACR,eAAe;KAChB;AAgDU,IAAAA,SAAA,8BACX,GAAA,WAAA,kBAAmD;MACjD,YAAY;MACZ,QAAQ,UAAA;MACR,eAAe;KAChB;;;;;;;;;;;;;;;;;;;;;;;;;AC7GH,iBAAA,yBAAAC,QAAA;AACA,iBAAA,oBAAAA,QAAA;AACA,iBAAA,oBAAAA,QAAA;;;;;;;;;;AC6EA,IAAAC,SAAA,kBAAA;AAiBA,IAAAA,SAAA,uBAAAC;AAhGA,QAAA,gBAAA,QAAA,QAAA;AACA,QAAA,uBAAA,QAAA,6BAAA;AAOA,QAAA,qBAAA;AACA,QAAA,YAAA;AAsEA,aAAgB,gBACd,QACA,UAA4B,CAAA,GAAE;AAE9B,aAAO;QACL,SAAS,CAAC,OAAO,SAAS,QACxBA,sBAAqB,QAAQ,OAAO,SAAS,KAAK,OAAO;;IAE/D;AASO,mBAAeA,sBACpB,QACA,OACA,SACA,KACA,UAA4B,CAAA,GAAE;AAE9B,YAAM,mBAAmB,QAAQ,qBAAqB,OAAM,GAAA,cAAA,YAAU;AACtE,YAAM,yBACJ,QAAQ,2BAA2B,OAAM,GAAA,cAAA,YAAU;AACrD,YAAM,MAAM,QAAQ,QAAQ,MAAM,oBAAI,KAAI;AAE1C,YAAM,WAAoC;QACxC,SAAS,iBAAgB;QACzB,SAAS;QACT,eAAe,IAAI,iBAAiB,uBAAsB;QAC1D,aAAa,IAAI,eAAe;QAChC,OAAO,IAAI;QACX,YAAY,IAAG,EAAG,YAAW;QAC7B,iBAAiB,mBAAA;QACjB;;AAGF,YAAM,UACJ,QAAQ,iBAAiB,MAAM,MAAM,KACrC,UAAA,2BAA2B,MAAM,MAAM;AAEzC,YAAM,SAAS,MAAM,OAAO,KAC1B,IAAI,qBAAA,iBAAiB;QACnB,SAAS;UACP;YACE,cAAc;YACd,QAAQ,MAAM;YACd,YAAY,MAAM;YAClB,QAAQ,KAAK,UAAU,QAAQ;;;OAGpC,CAAC;AAGJ,WAAK,OAAO,oBAAoB,KAAK,GAAG;AACtC,cAAM,QAAQ,OAAO,UAAU,CAAC;AAChC,cAAM,IAAI,qBACR,wBAAwB,MAAM,UAAU,mBAAmB,OAAO,KAAK,OAAO,aAAa,SAAS,WAAM,OAAO,gBAAgB,kBAAkB,EAAE;MAEzJ;AAEA,aAAO,EAAE,SAAS,SAAS,QAAO;IACpC;AAGA,QAAa,uBAAb,cAA0C,MAAK;;MAE7C,YAAY,SAAe;AACzB,cAAM,OAAO;AACb,aAAK,OAAO;MACd;;AALF,IAAAD,SAAA,uBAAA;;;;;;;;;;ACnGA,IAAAE,SAAA,qBAAA;AA9CA,QAAA,qBAAA;AA8CA,aAAgB,mBACd,OACA,UAA2C;AAE3C,UAAI,MAAM,WAAW,SAAS,QAAQ;AACpC,cAAM,IAAI,0BACR,uBAAuB,MAAM,MAAM,mDAAmD,SAAS,MAAM,IAAI;MAE7G;AAEA,UAAI,MAAM,aAAa,MAAM,SAAS,YAAY;AAChD,cAAM,IAAI,0BACR,4BAA4B,MAAM,aAAa,CAAC,8BAA8B,SAAS,UAAU,IAAI;MAEzG;AAEA,YAAM,YAAY,oBAAoB,MAAM,MAAM;AAElD,UAAI,EAAC,GAAA,mBAAA,4BAA2B,UAAU,eAAe,GAAG;AAC1D,cAAM,IAAI,gCACR,qBAAqB,UAAU,eAAe,yCAAyC;MAE3F;AAEA,YAAM,WAAoC;QACxC,SAAS,UAAU;QACnB,SAAS,UAAU;QACnB,eAAe,UAAU;QACzB,aAAa,UAAU;QACvB,OAAO,UAAU;QACjB,YAAY,UAAU;QACtB,iBAAiB,UAAU;QAC3B,SAAS,UAAU;;AAGrB,aAAO;QACL;QACA,UAAU,EAAE,SAAS,SAAS,SAAS,SAAS,SAAS,QAAO;;IAEpE;AAQA,aAAS,oBAAoB,QAAe;AAC1C,UAAI,WAAW,QAAQ,OAAO,WAAW,UAAU;AACjD,cAAM,IAAI,0BACR,8CAA8C;MAElD;AAEA,YAAM,MAAM;AAEZ,mBAAa,KAAK,SAAS;AAC3B,4BAAsB,KAAK,SAAS;AACpC,mBAAa,KAAK,eAAe;AACjC,wBAAkB,GAAG;AACrB,kBAAY,GAAG;AACf,mBAAa,KAAK,YAAY;AAC9B,mBAAa,KAAK,iBAAiB;AAEnC,UAAI,EAAE,aAAa,MAAM;AACvB,cAAM,IAAI,0BACR,8CAA8C;MAElD;AAEA,aAAO;IACT;AAEA,aAAS,aACP,KACA,OAAa;AAEb,YAAM,QAAQ,IAAI,KAAK;AACvB,UAAI,OAAO,UAAU,YAAY,MAAM,WAAW,GAAG;AACnD,cAAM,IAAI,0BACR,mBAAmB,KAAK,+BAA+B;MAE3D;IACF;AAEA,aAAS,sBACP,KACA,OAAa;AAEb,YAAM,QAAQ,IAAI,KAAK;AACvB,UAAI,OAAO,UAAU,YAAY,CAAC,OAAO,UAAU,KAAK,KAAK,QAAQ,GAAG;AACtE,cAAM,IAAI,0BACR,mBAAmB,KAAK,gCAAgC;MAE5D;IACF;AAEA,aAAS,kBAAkB,KAA4B;AACrD,UAAI,EAAE,iBAAiB,MAAM;AAC3B,cAAM,IAAI,0BACR,kDAAkD;MAEtD;AACA,YAAM,QAAQ,IAAI;AAClB,UAAI,UAAU,SAAS,OAAO,UAAU,YAAY,MAAM,WAAW,IAAI;AACvE,cAAM,IAAI,0BACR,kEAAkE;MAEtE;IACF;AAEA,aAAS,YAAY,KAA4B;AAC/C,YAAM,QAAQ,IAAI;AAClB,UAAI,UAAU,QAAQ,OAAO,UAAU,UAAU;AAC/C,cAAM,IAAI,0BACR,2CAA2C;MAE/C;AACA,YAAM,WAAW;AACjB,YAAM,cACJ,OAAO,SAAS,YAAY,YAC5B,OAAO,SAAS,cAAc,YAC9B,OAAO,SAAS,YAAY,YAC5B,OAAO,SAAS,YAAY;AAC9B,YAAM,gBAAgB,OAAO,SAAS,WAAW;AACjD,UAAI,CAAC,eAAe,CAAC,eAAe;AAClC,cAAM,IAAI,0BACR,mIAAmI;MAEvI;IACF;AAGA,QAAa,4BAAb,cAA+C,MAAK;;MAElD,YAAY,SAAe;AACzB,cAAM,OAAO;AACb,aAAK,OAAO;MACd;;AALF,IAAAA,SAAA,4BAAA;AASA,QAAa,kCAAb,cAAqD,MAAK;;MAExD,YAAY,SAAe;AACzB,cAAM,OAAO;AACb,aAAK,OAAO;MACd;;AALF,IAAAA,SAAA,kCAAA;;;;;;;;;;ACrLa,IAAAC,SAAA,oCACX;AAGW,IAAAA,SAAA,qCAAqC,KAAK,KAAK,KAAK;AAGpD,IAAAA,SAAA,0CAA0C;;;;;;;;;;AC0EvD,IAAAC,SAAA,sBAAA;AAcA,IAAAA,SAAA,iBAAA;AAgDA,IAAAA,SAAA,aAAA;AAuCA,IAAAA,SAAA,gBAAA;AA/LA,QAAA,oBAAA,QAAA,0BAAA;AAOA,QAAA,QAAA;AAmFA,aAAgB,oBACd,UACA,UAAsC,CAAA,GAAE;AAExC,aAAO;QACL,gBAAgB,CAAC,UAAU,eAAe,UAAU,OAAO,OAAO;QAClE,YAAY,CAAC,UAAU,WAAW,UAAU,OAAO,OAAO;;IAE9D;AAMO,mBAAe,eACpB,UACA,OACA,UAAsC,CAAA,GAAE;AAExC,yBAAmB,MAAM,YAAY;AACrC,4BAAsB,MAAM,SAAS,SAAS;AAC9C,YAAM,aACJ,MAAM,cACN,QAAQ,qBACR,MAAA;AACF,UAAI,CAAC,OAAO,UAAU,UAAU,KAAK,cAAc,GAAG;AACpD,cAAM,IAAI,+BACR,8CAA8C,UAAU,GAAG;MAE/D;AAEA,YAAM,YAAY,iBAAiB,QAAQ,SAAS;AACpD,YAAM,OAAO,QAAQ,OAAO,YAAW;AACvC,YAAM,KAAK,cAAc,MAAM,SAAS,MAAM,OAAO;AACrD,YAAM,YAAY,KAAK,MAAM,IAAI,QAAO,IAAK,GAAI,IAAI;AAErD,UAAI;AACF,cAAM,SAAS,KACb,IAAI,kBAAA,eAAe;UACjB,WAAW;UACX,MAAM;YACJ,cAAc,EAAE,GAAG,MAAM,aAAY;YACrC,IAAI,EAAE,GAAG,GAAE;YACX,SAAS,EAAE,GAAG,MAAM,QAAO;YAC3B,SAAS,EAAE,GAAG,OAAO,MAAM,OAAO,EAAC;YACnC,YAAY,EAAE,GAAG,IAAI,YAAW,EAAE;YAClC,WAAW,EAAE,GAAG,OAAO,SAAS,EAAC;;UAEnC,qBACE;SACH,CAAC;AAEJ,eAAO,EAAE,UAAU,KAAI;MACzB,SAAS,KAAK;AACZ,YAAI,eAAe,kBAAA,iCAAiC;AAClD,iBAAO,EAAE,UAAU,OAAO,kBAAkB,KAAI;QAClD;AACA,cAAM;MACR;IACF;AAGO,mBAAe,WACpB,UACA,OACA,UAAsC,CAAA,GAAE;AAExC,yBAAmB,MAAM,YAAY;AACrC,4BAAsB,MAAM,SAAS,SAAS;AAC9C,UAAI,MAAM,OAAO,WAAW,GAAG;AAC7B,cAAM,IAAI,+BAA+B,2BAA2B;MACtE;AAEA,YAAM,YAAY,iBAAiB,QAAQ,SAAS;AACpD,YAAM,OAAO,QAAQ,OAAO,YAAW;AACvC,YAAM,KAAK,cAAc,MAAM,SAAS,MAAM,OAAO;AAErD,YAAM,SAAS,KACb,IAAI,kBAAA,kBAAkB;QACpB,WAAW;QACX,KAAK;UACH,cAAc,EAAE,GAAG,MAAM,aAAY;UACrC,IAAI,EAAE,GAAG,GAAE;;QAEb,kBACE;QACF,0BAA0B;UACxB,WAAW;UACX,kBAAkB;UAClB,aAAa;;QAEf,2BAA2B;UACzB,WAAW,EAAE,MAAM,KAAI;UACvB,WAAW,EAAE,GAAG,MAAM,OAAM;UAC5B,aAAa,EAAE,GAAG,IAAI,YAAW,EAAE;;OAEtC,CAAC;IAEN;AAGA,aAAgB,cAAc,SAAiB,SAAe;AAC5D,UAAI,QAAQ,WAAW,GAAG;AACxB,cAAM,IAAI,+BAA+B,4BAA4B;MACvE;AACA,aAAO,GAAG,OAAO,IAAI,OAAO;IAC9B;AAEA,aAAS,iBAAiB,UAAiB;AACzC,YAAM,OAAO,YAAY,QAAQ,IAAI,MAAA,iCAAiC;AACtE,UAAI,CAAC,MAAM;AACT,cAAM,IAAI,mCACR,oEAAoE,MAAA,iCAAiC,GAAG;MAE5G;AACA,aAAO;IACT;AAEA,aAAS,mBAAmB,cAAoB;AAC9C,UAAI,aAAa,WAAW,GAAG;AAC7B,cAAM,IAAI,+BAA+B,iCAAiC;MAC5E;AACA,UAAI,aAAa,SAAS,MAAA,yCAAyC;AACjE,cAAM,IAAI,+BACR,8BAAyB,MAAA,uCAAuC,eAAe,aAAa,MAAM,GAAG;MAEzG;AACA,UAAI,KAAK,KAAK,YAAY,GAAG;AAC3B,cAAM,IAAI,+BACR,2CAA2C;MAE/C;IACF;AAEA,aAAS,sBAAsB,OAAe,OAAa;AACzD,UAAI,CAAC,OAAO,UAAU,KAAK,KAAK,QAAQ,GAAG;AACzC,cAAM,IAAI,+BACR,GAAG,KAAK,qCAAqC,KAAK,GAAG;MAEzD;IACF;AAEA,aAAS,aAAU;AACjB,aAAO,oBAAI,KAAI;IACjB;AAGA,QAAa,qCAAb,cAAwD,MAAK;;MAE3D,YAAY,SAAe;AACzB,cAAM,OAAO;AACb,aAAK,OAAO;MACd;;AALF,IAAAA,SAAA,qCAAA;AASA,QAAa,iCAAb,cAAoD,MAAK;;MAEvD,YAAY,SAAe;AACzB,cAAM,OAAO;AACb,aAAK,OAAO;MACd;;AALF,IAAAA,SAAA,iCAAA;;;;;;;;;;ACtPA,QAAA,QAAA;AACE,WAAA,eAAAC,UAAA,sCAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,MAAA;IAAkC,EAAA,CAAA;AAClC,WAAA,eAAAA,UAAA,2CAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,MAAA;IAAuC,EAAA,CAAA;AACvC,WAAA,eAAAA,UAAA,qCAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,MAAA;IAAiC,EAAA,CAAA;AAEnC,QAAA,0BAAA;AACE,WAAA,eAAAA,UAAA,kCAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,wBAAA;IAA8B,EAAA,CAAA;AAC9B,WAAA,eAAAA,UAAA,sCAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,wBAAA;IAAkC,EAAA,CAAA;AAClC,WAAA,eAAAA,UAAA,iBAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,wBAAA;IAAa,EAAA,CAAA;AACb,WAAA,eAAAA,UAAA,cAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,wBAAA;IAAU,EAAA,CAAA;AACV,WAAA,eAAAA,UAAA,kBAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,wBAAA;IAAc,EAAA,CAAA;AACd,WAAA,eAAAA,UAAA,uBAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,wBAAA;IAAmB,EAAA,CAAA;;;;;;;;;;ACXrB,QAAA,qBAAA;AACE,WAAA,eAAAC,UAAA,oBAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,mBAAA;IAAgB,EAAA,CAAA;AAChB,WAAA,eAAAA,UAAA,8BAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,mBAAA;IAA0B,EAAA,CAAA;AAE5B,QAAA,aAAA;AACE,WAAA,eAAAA,UAAA,4BAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,WAAA;IAAwB,EAAA,CAAA;AACxB,WAAA,eAAAA,UAAA,yBAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,WAAA;IAAqB,EAAA,CAAA;AACrB,WAAA,eAAAA,UAAA,uBAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,WAAA;IAAmB,EAAA,CAAA;AACnB,WAAA,eAAAA,UAAA,+BAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,WAAA;IAA2B,EAAA,CAAA;AAQ7B,QAAA,YAAA;AACE,WAAA,eAAAA,UAAA,8BAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,UAAA;IAA0B,EAAA,CAAA;AAC1B,WAAA,eAAAA,UAAA,yBAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,UAAA;IAAqB,EAAA,CAAA;AACrB,WAAA,eAAAA,UAAA,sBAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,UAAA;IAAkB,EAAA,CAAA;AAClB,WAAA,eAAAA,UAAA,qBAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,UAAA;IAAiB,EAAA,CAAA;AAGnB,QAAA,iBAAA;AACE,WAAA,eAAAA,UAAA,mCAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,eAAA;IAA+B,EAAA,CAAA;AAC/B,WAAA,eAAAA,UAAA,mCAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,eAAA;IAA+B,EAAA,CAAA;AAC/B,WAAA,eAAAA,UAAA,sCAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,eAAA;IAAkC,EAAA,CAAA;AAClC,WAAA,eAAAA,UAAA,oCAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,eAAA;IAAgC,EAAA,CAAA;AAChC,WAAA,eAAAA,UAAA,8BAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,eAAA;IAA0B,EAAA,CAAA;AAC1B,WAAA,eAAAA,UAAA,gCAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,eAAA;IAA4B,EAAA,CAAA;AAC5B,WAAA,eAAAA,UAAA,8BAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,eAAA;IAA0B,EAAA,CAAA;AAC1B,WAAA,eAAAA,UAAA,wBAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,eAAA;IAAoB,EAAA,CAAA;AACpB,WAAA,eAAAA,UAAA,uCAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,eAAA;IAAmC,EAAA,CAAA;AACnC,WAAA,eAAAA,UAAA,uCAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,eAAA;IAAmC,EAAA,CAAA;AACnC,WAAA,eAAAA,UAAA,kCAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,eAAA;IAA8B,EAAA,CAAA;AAC9B,WAAA,eAAAA,UAAA,kCAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,eAAA;IAA8B,EAAA,CAAA;AAC9B,WAAA,eAAAA,UAAA,sCAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,eAAA;IAAkC,EAAA,CAAA;AAClC,WAAA,eAAAA,UAAA,sBAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,eAAA;IAAkB,EAAA,CAAA;AAClB,WAAA,eAAAA,UAAA,iCAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,eAAA;IAA6B,EAAA,CAAA;AAC7B,WAAA,eAAAA,UAAA,8BAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,eAAA;IAA0B,EAAA,CAAA;AAC1B,WAAA,eAAAA,UAAA,yBAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,eAAA;IAAqB,EAAA,CAAA;AACrB,WAAA,eAAAA,UAAA,oBAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,eAAA;IAAgB,EAAA,CAAA;AAChB,WAAA,eAAAA,UAAA,0BAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,eAAA;IAAsB,EAAA,CAAA;AAkBxB,QAAA,cAAA;AACE,WAAA,eAAAA,UAAA,wBAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,YAAA;IAAoB,EAAA,CAAA;AACpB,WAAA,eAAAA,UAAA,wBAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,YAAA;IAAoB,EAAA,CAAA;AACpB,WAAA,eAAAA,UAAA,mBAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,YAAA;IAAe,EAAA,CAAA;AAQjB,QAAA,aAAA;AACE,WAAA,eAAAA,UAAA,6BAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,WAAA;IAAyB,EAAA,CAAA;AACzB,WAAA,eAAAA,UAAA,mCAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,WAAA;IAA+B,EAAA,CAAA;AAC/B,WAAA,eAAAA,UAAA,sBAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,WAAA;IAAkB,EAAA,CAAA;AAOpB,QAAA,UAAA;AACE,WAAA,eAAAA,UAAA,sCAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,QAAA;IAAkC,EAAA,CAAA;AAClC,WAAA,eAAAA,UAAA,2CAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,QAAA;IAAuC,EAAA,CAAA;AACvC,WAAA,eAAAA,UAAA,qCAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,QAAA;IAAiC,EAAA,CAAA;AACjC,WAAA,eAAAA,UAAA,kCAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,QAAA;IAA8B,EAAA,CAAA;AAC9B,WAAA,eAAAA,UAAA,sCAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,QAAA;IAAkC,EAAA,CAAA;AAClC,WAAA,eAAAA,UAAA,iBAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,QAAA;IAAa,EAAA,CAAA;AACb,WAAA,eAAAA,UAAA,cAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,QAAA;IAAU,EAAA,CAAA;AACV,WAAA,eAAAA,UAAA,kBAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,QAAA;IAAc,EAAA,CAAA;AACd,WAAA,eAAAA,UAAA,uBAAA,EAAA,YAAA,MAAA,KAAA,WAAA;AAAA,aAAA,QAAA;IAAmB,EAAA,CAAA;;;;;AC1FrB;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAA,IAAAC,qBAAwB;;;ACAxB,6BAA+B;AAMxB,IAAM,mBACX,QAAQ,IAAI,qBAAqB;AAM5B,IAAM,eAAe,IAAI,sCAAe;AAAA,EAC7C,GAAI,QAAQ,IAAI,0BAA0B;AAAA,IACxC,UAAU,QAAQ,IAAI;AAAA,IACtB,YAAY;AAAA,IACZ,QAAQ;AAAA,EACV;AACF,CAAC;;;ACnBD,uBAAuB;;;ACAvB,mBAA6C;;;ACYtC,IAAM,cAAc;AAYpB,SAAS,aAAa,IAAoB;AAE/C,MAAI,OAAO;AACX,WAAS,IAAI,GAAG,IAAI,GAAG,QAAQ,KAAK;AAClC,YAAQ,GAAG,WAAW,CAAC;AACvB,WAAO,KAAK,KAAK,MAAM,QAAU;AAAA,EACnC;AACA,UAAQ,SAAS,KAAK;AAExB;;;ADhBO,IAAM,qBAAqB;AAAA,EAChC,MAAM;AAAA,EACN,OAAO,CAAC,IAAI;AAAA,EACZ,KAAK,CAAC,MAAe,SAA2B;AAC9C,QAAI,OAAO,MAAM,OAAO,YAAY,KAAK,GAAG,WAAW,GAAG;AACxD,aAAO;AAAA,IACT;AACA,WAAO,OAAO,aAAa,KAAK,EAAE,CAAC;AAAA,EACrC;AACF;AAsBO,IAAM,kBAAkB;AAAA,EAC7B,MAAM;AAAA,EACN,OAAO,CAAC,YAAY,eAAe,IAAI;AAAA,EACvC,KAAK,CACH,MACA,SACG;AACH,UAAM,KAAK,OAAO,MAAM,OAAO,WAAW,KAAK,KAAK;AACpD,UAAM,cACJ,OAAO,MAAM,gBAAgB,WAAW,KAAK,cAAc;AAC7D,UAAM,WAAW,GAAG,WAAW,IAAI,EAAE;AAErC,QAAI,OAAO,MAAM,aAAa,YAAY,KAAK,SAAS,WAAW,GAAG;AACpE,aAAO;AAAA,IACT;AAEA,QAAI;AACJ,QAAI;AACF,eAAS,KAAK,MAAM,KAAK,QAAQ;AAAA,IACnC,QAAQ;AACN,aAAO;AAAA,IACT;AACA,QAAI,CAAC,UAAU,OAAO,WAAW,SAAU,QAAO;AAClD,UAAM,eAAgB,OAAsC;AAC5D,QAAI,OAAO,iBAAiB,SAAU,QAAO;AAE7C,UAAM,YAAQ,2BAAa,MAA4C;AACvE,WAAO,UAAU,SAAY,GAAG,KAAK,IAAI,EAAE,KAAK;AAAA,EAClD;AACF;AASA,SAAS,cAAc,UAAuD;AAC5E,QAAM,OAAO,SAAS;AACtB,MAAI,OAAO,SAAS,YAAY,KAAK,SAAS,EAAG,QAAO;AAExD,QAAM,OAAO,SAAS;AACtB,MAAI,QAAQ,OAAO,SAAS,UAAU;AACpC,UAAM,YAAa,KAAiC;AACpD,QAAI,OAAO,cAAc,YAAY,UAAU,SAAS,GAAG;AACzD,YAAM,QAAQ,UAAU,YAAY,GAAG;AACvC,YAAM,OAAO,SAAS,IAAI,UAAU,MAAM,QAAQ,CAAC,IAAI;AACvD,UAAI,KAAK,SAAS,EAAG,QAAO;AAAA,IAC9B;AAAA,EACF;AACA,SAAO;AACT;AA6BO,IAAM,gCAAgC;AAAA,EAC3C,MAAM;AAAA,EACN,OAAO,CAAC,YAAY,wBAAwB,eAAe,IAAI;AAAA,EAC/D,KAAK,CACH,MACA,SAMG;AACH,UAAM,KAAK,OAAO,MAAM,OAAO,WAAW,KAAK,KAAK;AACpD,UAAM,cACJ,OAAO,MAAM,gBAAgB,WAAW,KAAK,cAAc;AAC7D,UAAM,WAAW,GAAG,WAAW,IAAI,EAAE;AAErC,QAAI,OAAO,MAAM,aAAa,YAAY,KAAK,SAAS,WAAW,GAAG;AACpE,aAAO;AAAA,IACT;AAEA,QAAI;AACJ,QAAI;AACF,eAAS,KAAK,MAAM,KAAK,QAAQ;AAAA,IACnC,QAAQ;AACN,aAAO;AAAA,IACT;AACA,QAAI,CAAC,UAAU,OAAO,WAAW,SAAU,QAAO;AAElD,UAAM,SAAS,cAAc,MAAiC;AAC9D,QAAI,WAAW,OAAW,QAAO;AAEjC,UAAM,uBACJ,OAAO,KAAK,yBAAyB,WACjC,KAAK,uBACL;AACN,UAAM,qBACJ,qBAAqB,SAAS,QAC1B,6BAAe,oBAAoB,IACnC;AACN,QAAI,mBAAmB,WAAW,EAAG,QAAO;AAE5C,WAAO,GAAG,MAAM,IAAI,kBAAkB,IAAI,EAAE;AAAA,EAC9C;AACF;AAwBO,IAAM,4BAA4B;AAAA,EACvC,MAAM;AAAA,EACN,OAAO,CAAC,wBAAwB,eAAe,IAAI;AAAA,EACnD,KAAK,CACH,MACA,SAKG;AACH,UAAM,KAAK,OAAO,MAAM,OAAO,WAAW,KAAK,KAAK;AACpD,UAAM,cACJ,OAAO,MAAM,gBAAgB,WAAW,KAAK,cAAc;AAC7D,UAAM,WAAW,GAAG,WAAW,IAAI,EAAE;AAErC,UAAM,uBACJ,OAAO,MAAM,yBAAyB,WAClC,KAAK,uBACL;AACN,UAAM,qBACJ,qBAAqB,SAAS,QAC1B,6BAAe,oBAAoB,IACnC;AACN,QAAI,mBAAmB,WAAW,GAAG;AACnC,aAAO;AAAA,IACT;AAEA,WAAO,GAAG,kBAAkB,IAAI,EAAE;AAAA,EACpC;AACF;;;AD5MO,IAAM,sBAAsB,IAAI,wBAAO;AAAA,EAC5C,OAAO;AAAA,IACL,QAAQ;AAAA,IACR,SAAS;AAAA,IACT,SAAS;AAAA,EACX;AAAA,EACA,YAAY;AAAA;AAAA,IAEV,IAAI;AAAA,MACF,MAAM;AAAA,MACN,UAAU;AAAA,MACV,SAAS;AAAA,IACX;AAAA;AAAA,IAEA,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,MACV,SAAS;AAAA,IACX;AAAA;AAAA,IAEA,aAAa;AAAA,MACX,MAAM;AAAA,MACN,UAAU;AAAA,MACV,SAAS;AAAA,IACX;AAAA;AAAA,IAEA,QAAQ;AAAA,MACN,MAAM;AAAA,MACN,UAAU;AAAA,MACV,SAAS;AAAA,IACX;AAAA;AAAA,IAEA,QAAQ;AAAA,MACN,MAAM;AAAA,MACN,UAAU;AAAA,MACV,SAAS;AAAA,IACX;AAAA;AAAA,IAEA,KAAK;AAAA,MACH,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA,IAEA,IAAI;AAAA,MACF,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA,IAEA,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA,IAKA,SAAS;AAAA,MACP,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA,IAEA,KAAK;AAAA,MACH,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,IACA,aAAa;AAAA,MACX,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,IACA,WAAW;AAAA,IACX,SAAS;AAAA,MACP,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,IACA,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,IACA,OAAO;AAAA,MACL,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,EACF;AAAA,EACA,SAAS;AAAA;AAAA,IAEP,QAAQ;AAAA,MACN,IAAI;AAAA,QACF,OAAO;AAAA,QACP,WAAW,CAAC,YAAY,eAAe,UAAU,QAAQ;AAAA,QACzD,UACE;AAAA,MACJ;AAAA,MACA,IAAI;AAAA,QACF,OAAO;AAAA,QACP,WAAW,CAAC,OAAO,IAAI;AAAA,QACvB,UAAU;AAAA,MACZ;AAAA,IACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAYA,MAAM;AAAA,MACJ,OAAO;AAAA,MACP,IAAI;AAAA,QACF,OAAO;AAAA,QACP,WAAW,CAAC,YAAY,eAAe,WAAW;AAAA,QAClD,UACE;AAAA,MACJ;AAAA,MACA,IAAI;AAAA,QACF,OAAO;AAAA,QACP,QAAQ;AAAA,QACR,WAAW,CAAC,OAAO,IAAI;AAAA,QACvB,UAAU;AAAA,MACZ;AAAA,IACF;AAAA,EACF;AACF,CAAC;;;AGpJD,IAAAC,oBAAuB;AA8ChB,IAAM,oCAAoC,IAAI,yBAAO;AAAA,EAC1D,OAAO;AAAA,IACL,QAAQ;AAAA,IACR,SAAS;AAAA,IACT,SAAS;AAAA,EACX;AAAA,EACA,YAAY;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAMV,QAAQ;AAAA,MACN,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOA,IAAI;AAAA,MACF,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOA,iBAAiB;AAAA,MACf,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOA,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOA,OAAO;AAAA,MACL,MAAM;AAAA,MACN,UAAU;AAAA,MACV,SAAS;AAAA,IACX;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAQA,aAAa;AAAA,MACX,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAMA,SAAS;AAAA,MACP,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA,IAEA,KAAK;AAAA,MACH,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA,IAEA,aAAa;AAAA,MACX,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,EACF;AAAA,EACA,SAAS;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAQP,QAAQ;AAAA,MACN,IAAI;AAAA,QACF,OAAO;AAAA,QACP,WAAW,CAAC,QAAQ;AAAA,QACpB,UAAU;AAAA,MACZ;AAAA,MACA,IAAI;AAAA,QACF,OAAO;AAAA,QACP,QAAQ;AAAA,QACR,WAAW,CAAC,IAAI;AAAA,QAChB,UAAU;AAAA,MACZ;AAAA,IACF;AAAA,EACF;AACF,CAAC;;;AC5JD,IAAAC,oBAAuB;AAsDhB,IAAM,yCAAyC,IAAI,yBAAO;AAAA,EAC/D,OAAO;AAAA,IACL,QAAQ;AAAA,IACR,SAAS;AAAA,IACT,SAAS;AAAA,EACX;AAAA,EACA,YAAY;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAMV,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOA,aAAa;AAAA,MACX,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAQA,IAAI;AAAA,MACF,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOA,iBAAiB;AAAA,MACf,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOA,OAAO;AAAA,MACL,MAAM;AAAA,MACN,UAAU;AAAA,MACV,SAAS;AAAA,IACX;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAQA,aAAa;AAAA,MACX,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAMA,SAAS;AAAA,MACP,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA,IAEA,KAAK;AAAA,MACH,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA,IAEA,aAAa;AAAA,MACX,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,EACF;AAAA,EACA,SAAS;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IASP,QAAQ;AAAA,MACN,IAAI;AAAA,QACF,OAAO;AAAA,QACP,WAAW,CAAC,YAAY,aAAa;AAAA,QACrC,UAAU;AAAA,MACZ;AAAA,MACA,IAAI;AAAA,QACF,OAAO;AAAA,QACP,QAAQ;AAAA,QACR,WAAW,CAAC,IAAI;AAAA,QAChB,UAAU;AAAA,MACZ;AAAA,IACF;AAAA,EACF;AACF,CAAC;;;ACtKD,IAAAC,oBAAuB;AAuBhB,IAAM,mBAAmB,IAAI,yBAAO;AAAA,EACzC,OAAO;AAAA,IACL,QAAQ;AAAA,IACR,SAAS;AAAA,IACT,SAAS;AAAA,EACX;AAAA,EACA,YAAY;AAAA;AAAA,IAEV,IAAI;AAAA,MACF,MAAM;AAAA,MACN,UAAU;AAAA,MACV,SAAS;AAAA,IACX;AAAA;AAAA,IAEA,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA,IAEA,IAAI;AAAA,MACF,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA,IAEA,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA,IAKA,SAAS;AAAA,MACP,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA,IAEA,KAAK;AAAA,MACH,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,IACA,aAAa;AAAA,MACX,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,IACA,WAAW;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAQX,QAAQ;AAAA,IACR,SAAS;AAAA,MACP,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,IACA,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,IACA,OAAO;AAAA,MACL,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOA,uBAAuB;AAAA,MACrB,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAYA,wBAAwB;AAAA,MACtB,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAYA,sBAAsB;AAAA,MACpB,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,EACF;AAAA,EACA,SAAS;AAAA;AAAA,IAEP,QAAQ;AAAA,MACN,IAAI;AAAA,QACF,OAAO;AAAA,QACP,WAAW,CAAC,YAAY,IAAI;AAAA,QAC5B,UAAU;AAAA,MACZ;AAAA,MACA,IAAI;AAAA,QACF,OAAO;AAAA,QACP,WAAW,CAAC,IAAI;AAAA,QAChB,UAAU;AAAA,MACZ;AAAA,IACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAWA,MAAM;AAAA,MACJ,OAAO;AAAA,MACP,IAAI;AAAA,QACF,OAAO;AAAA,QACP,WAAW,CAAC,YAAY,WAAW;AAAA,QACnC,UAAU;AAAA,MACZ;AAAA,MACA,IAAI;AAAA,QACF,OAAO;AAAA,QACP,QAAQ;AAAA,QACR,WAAW,CAAC,QAAQ;AAAA,QACpB,UAAU;AAAA,MACZ;AAAA,IACF;AAAA,EACF;AACF,CAAC;;;ACzKD,IAAAC,oBAAuB;AAuChB,IAAM,iCAAiC,IAAI,yBAAO;AAAA,EACvD,OAAO;AAAA,IACL,QAAQ;AAAA,IACR,SAAS;AAAA,IACT,SAAS;AAAA,EACX;AAAA,EACA,YAAY;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAMV,QAAQ;AAAA,MACN,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOA,IAAI;AAAA,MACF,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA,IAEA,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAMA,aAAa;AAAA,MACX,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOA,cAAc;AAAA,MACZ,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAMA,SAAS;AAAA,MACP,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA,IAEA,KAAK;AAAA,MACH,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA,IAEA,aAAa;AAAA,MACX,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOA,wBAAwB;AAAA,MACtB,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOA,sBAAsB;AAAA,MACpB,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAQA,2BAA2B;AAAA,MACzB,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,EACF;AAAA,EACA,SAAS;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IASP,QAAQ;AAAA,MACN,IAAI;AAAA,QACF,OAAO;AAAA,QACP,WAAW,CAAC,QAAQ;AAAA,QACpB,UAAU;AAAA,MACZ;AAAA,MACA,IAAI;AAAA,QACF,OAAO;AAAA,QACP,QAAQ;AAAA,QACR,WAAW,CAAC,IAAI;AAAA,QAChB,UAAU;AAAA,MACZ;AAAA,IACF;AAAA,EACF;AACF,CAAC;;;ACnKD,IAAAC,oBAAuB;AA0ChB,IAAM,sCAAsC,IAAI,yBAAO;AAAA,EAC5D,OAAO;AAAA,IACL,QAAQ;AAAA,IACR,SAAS;AAAA,IACT,SAAS;AAAA,EACX;AAAA,EACA,YAAY;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAMV,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOA,aAAa;AAAA,MACX,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOA,IAAI;AAAA,MACF,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOA,QAAQ;AAAA,MACN,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOA,cAAc;AAAA,MACZ,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAMA,SAAS;AAAA,MACP,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA,IAEA,KAAK;AAAA,MACH,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA,IAEA,aAAa;AAAA,MACX,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IASA,sBAAsB;AAAA,MACpB,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,EACF;AAAA,EACA,SAAS;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IASP,QAAQ;AAAA,MACN,IAAI;AAAA,QACF,OAAO;AAAA,QACP,WAAW,CAAC,YAAY,aAAa;AAAA,QACrC,UAAU;AAAA,MACZ;AAAA,MACA,IAAI;AAAA,QACF,OAAO;AAAA,QACP,QAAQ;AAAA,QACR,WAAW,CAAC,IAAI;AAAA,QAChB,UAAU;AAAA,MACZ;AAAA,IACF;AAAA,EACF;AACF,CAAC;;;ACzJD,IAAAC,oBAAuB;AAsBhB,IAAM,aAAa,IAAI,yBAAO;AAAA,EACnC,OAAO;AAAA,IACL,QAAQ;AAAA,IACR,SAAS;AAAA,IACT,SAAS;AAAA,EACX;AAAA,EACA,YAAY;AAAA;AAAA,IAEV,IAAI;AAAA,MACF,MAAM;AAAA,MACN,UAAU;AAAA,MACV,SAAS;AAAA,IACX;AAAA;AAAA,IAEA,IAAI;AAAA,MACF,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA,IAEA,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA,IAKA,SAAS;AAAA,MACP,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA,IAEA,KAAK;AAAA,MACH,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,IACA,aAAa;AAAA,MACX,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,IACA,WAAW;AAAA;AAAA,IAEX,QAAQ;AAAA,IACR,SAAS;AAAA,MACP,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,IACA,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,IACA,OAAO;AAAA,MACL,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,EACF;AAAA,EACA,SAAS;AAAA;AAAA,IAEP,QAAQ;AAAA,MACN,IAAI;AAAA,QACF,OAAO;AAAA,QACP,WAAW,CAAC,IAAI;AAAA,QAChB,UAAU;AAAA,MACZ;AAAA,MACA,IAAI;AAAA,QACF,OAAO;AAAA,QACP,WAAW,CAAC,IAAI;AAAA,QAChB,UAAU;AAAA,MACZ;AAAA,IACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IASA,MAAM;AAAA,MACJ,OAAO;AAAA,MACP,IAAI;AAAA,QACF,OAAO;AAAA,QACP,WAAW,CAAC,WAAW;AAAA,QACvB,UAAU;AAAA,MACZ;AAAA,MACA,IAAI;AAAA,QACF,OAAO;AAAA,QACP,QAAQ;AAAA,QACR,WAAW,CAAC,QAAQ;AAAA,QACpB,UAAU;AAAA,MACZ;AAAA,IACF;AAAA,EACF;AACF,CAAC;;;ACnHD,IAAAC,oBAAuB;AAuBhB,IAAM,uBAAuB,IAAI,yBAAO;AAAA,EAC7C,OAAO;AAAA,IACL,QAAQ;AAAA,IACR,SAAS;AAAA,IACT,SAAS;AAAA,EACX;AAAA,EACA,YAAY;AAAA;AAAA,IAEV,IAAI;AAAA,MACF,MAAM;AAAA,MACN,UAAU;AAAA,MACV,SAAS;AAAA,IACX;AAAA;AAAA,IAEA,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA,IAEA,IAAI;AAAA,MACF,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA,IAEA,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA,IAKA,SAAS;AAAA,MACP,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA,IAEA,KAAK;AAAA,MACH,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,IACA,aAAa;AAAA,MACX,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,IACA,WAAW;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IASX,QAAQ;AAAA,IACR,SAAS;AAAA,MACP,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,IACA,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,IACA,OAAO;AAAA,MACL,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAaA,wBAAwB;AAAA,MACtB,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAaA,sBAAsB;AAAA,MACpB,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAYA,sBAAsB;AAAA,MACpB,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,EACF;AAAA,EACA,SAAS;AAAA;AAAA,IAEP,QAAQ;AAAA,MACN,IAAI;AAAA,QACF,OAAO;AAAA,QACP,WAAW,CAAC,YAAY,IAAI;AAAA,QAC5B,UAAU;AAAA,MACZ;AAAA,MACA,IAAI;AAAA,QACF,OAAO;AAAA,QACP,WAAW,CAAC,IAAI;AAAA,QAChB,UAAU;AAAA,MACZ;AAAA,IACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAYA,MAAM;AAAA,MACJ,OAAO;AAAA,MACP,IAAI;AAAA,QACF,OAAO;AAAA,QACP,WAAW,CAAC,YAAY,WAAW;AAAA,QACnC,UAAU;AAAA,MACZ;AAAA,MACA,IAAI;AAAA,QACF,OAAO;AAAA,QACP,QAAQ;AAAA,QACR,WAAW,CAAC,QAAQ;AAAA,QACpB,UAAU;AAAA,MACZ;AAAA,IACF;AAAA,EACF;AACF,CAAC;;;AClLD,IAAAC,oBAAuB;AAyChB,IAAM,qCAAqC,IAAI,yBAAO;AAAA,EAC3D,OAAO;AAAA,IACL,QAAQ;AAAA,IACR,SAAS;AAAA,IACT,SAAS;AAAA,EACX;AAAA,EACA,YAAY;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAMV,QAAQ;AAAA,MACN,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAQA,IAAI;AAAA,MACF,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA,IAEA,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAMA,aAAa;AAAA,MACX,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAMA,QAAQ;AAAA,MACN,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOA,kBAAkB;AAAA,MAChB,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAMA,SAAS;AAAA,MACP,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA,IAEA,KAAK;AAAA,MACH,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA,IAEA,aAAa;AAAA,MACX,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAQA,wBAAwB;AAAA,MACtB,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOA,sBAAsB;AAAA,MACpB,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAQA,sBAAsB;AAAA,MACpB,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,EACF;AAAA,EACA,SAAS;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IASP,QAAQ;AAAA,MACN,IAAI;AAAA,QACF,OAAO;AAAA,QACP,WAAW,CAAC,QAAQ;AAAA,QACpB,UAAU;AAAA,MACZ;AAAA,MACA,IAAI;AAAA,QACF,OAAO;AAAA,QACP,QAAQ;AAAA,QACR,WAAW,CAAC,IAAI;AAAA,QAChB,UAAU;AAAA,MACZ;AAAA,IACF;AAAA,EACF;AACF,CAAC;;;AChLD,IAAAC,qBAAuB;AA0DhB,IAAM,0CAA0C,IAAI,0BAAO;AAAA,EAChE,OAAO;AAAA,IACL,QAAQ;AAAA,IACR,SAAS;AAAA,IACT,SAAS;AAAA,EACX;AAAA,EACA,YAAY;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAMV,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOA,aAAa;AAAA,MACX,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOA,IAAI;AAAA,MACF,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOA,QAAQ;AAAA,MACN,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAMA,QAAQ;AAAA,MACN,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOA,kBAAkB;AAAA,MAChB,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAMA,SAAS;AAAA,MACP,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA,IAEA,KAAK;AAAA,MACH,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA,IAEA,aAAa;AAAA,MACX,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IASA,sBAAsB;AAAA,MACpB,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IASA,sBAAsB;AAAA,MACpB,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,EACF;AAAA,EACA,SAAS;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAUP,QAAQ;AAAA,MACN,IAAI;AAAA,QACF,OAAO;AAAA,QACP,WAAW,CAAC,YAAY,aAAa;AAAA,QACrC,UAAU;AAAA,MACZ;AAAA,MACA,IAAI;AAAA,QACF,OAAO;AAAA,QACP,QAAQ;AAAA,QACR,WAAW,CAAC,IAAI;AAAA,QAChB,UAAU;AAAA,MACZ;AAAA,IACF;AAAA,EACF;AACF,CAAC;;;AC/LD,IAAAC,qBAAuB;AAoBhB,IAAM,eAAe,IAAI,0BAAO;AAAA,EACrC,OAAO;AAAA,IACL,QAAQ;AAAA,IACR,SAAS;AAAA,IACT,SAAS;AAAA,EACX;AAAA,EACA,YAAY;AAAA;AAAA,IAEV,IAAI;AAAA,MACF,MAAM;AAAA,MACN,UAAU;AAAA,MACV,SAAS;AAAA,IACX;AAAA;AAAA,IAEA,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA,IAEA,IAAI;AAAA,MACF,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA,IAEA,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA,IAKA,SAAS;AAAA,MACP,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA,IAEA,KAAK;AAAA,MACH,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,IACA,aAAa;AAAA,MACX,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAMA,eAAe;AAAA,MACb,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAMA,oBAAoB;AAAA,MAClB,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,IACA,WAAW;AAAA;AAAA,IAEX,QAAQ;AAAA,IACR,SAAS;AAAA,MACP,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,IACA,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,IACA,OAAO;AAAA,MACL,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,EACF;AAAA,EACA,SAAS;AAAA;AAAA,IAEP,QAAQ;AAAA,MACN,IAAI;AAAA,QACF,OAAO;AAAA,QACP,WAAW,CAAC,UAAU;AAAA,QACtB,UAAU;AAAA,MACZ;AAAA,MACA,IAAI;AAAA,QACF,OAAO;AAAA,QACP,WAAW,CAAC,IAAI;AAAA,QAChB,UAAU;AAAA,MACZ;AAAA,IACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IASA,MAAM;AAAA,MACJ,OAAO;AAAA,MACP,IAAI;AAAA,QACF,OAAO;AAAA,QACP,WAAW,CAAC,WAAW;AAAA,QACvB,UAAU;AAAA,MACZ;AAAA,MACA,IAAI;AAAA,QACF,OAAO;AAAA,QACP,QAAQ;AAAA,QACR,WAAW,CAAC,QAAQ;AAAA,QACpB,UAAU;AAAA,MACZ;AAAA,IACF;AAAA,EACF;AACF,CAAC;;;ACxID,IAAAC,qBAAuB;AAyBhB,IAAM,aAAa,IAAI,0BAAO;AAAA,EACnC,OAAO;AAAA,IACL,QAAQ;AAAA,IACR,SAAS;AAAA,IACT,SAAS;AAAA,EACX;AAAA,EACA,YAAY;AAAA;AAAA,IAEV,IAAI;AAAA,MACF,MAAM;AAAA,MACN,UAAU;AAAA,MACV,SAAS;AAAA,IACX;AAAA;AAAA,IAEA,IAAI;AAAA,MACF,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA,IAEA,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA,IAKA,SAAS;AAAA,MACP,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA,IAKA,YAAY;AAAA,MACV,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA,IAEA,KAAK;AAAA,MACH,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,IACA,aAAa;AAAA,MACX,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOA,gBAAgB;AAAA,MACd,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOA,mBAAmB;AAAA,MACjB,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,IACA,WAAW;AAAA;AAAA,IAEX,QAAQ;AAAA,IACR,SAAS;AAAA,MACP,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAmBA,gBAAgB;AAAA,MACd,MAAM,CAAC,UAAU,YAAY,gBAAgB;AAAA,MAC7C,UAAU;AAAA,IACZ;AAAA,IACA,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,IACA,OAAO;AAAA,MACL,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,EACF;AAAA,EACA,SAAS;AAAA;AAAA,IAEP,QAAQ;AAAA,MACN,IAAI;AAAA,QACF,OAAO;AAAA,QACP,WAAW,CAAC,IAAI;AAAA,QAChB,UAAU;AAAA,MACZ;AAAA,MACA,IAAI;AAAA,QACF,OAAO;AAAA,QACP,WAAW,CAAC,IAAI;AAAA,QAChB,UAAU;AAAA,MACZ;AAAA,IACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IASA,MAAM;AAAA,MACJ,OAAO;AAAA,MACP,IAAI;AAAA,QACF,OAAO;AAAA,QACP,WAAW,CAAC,WAAW;AAAA,QACvB,UAAU;AAAA,MACZ;AAAA,MACA,IAAI;AAAA,QACF,OAAO;AAAA,QACP,QAAQ;AAAA,QACR,WAAW,CAAC,QAAQ;AAAA,QACpB,UAAU;AAAA,MACZ;AAAA,IACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOA,MAAM;AAAA,MACJ,OAAO;AAAA,MACP,WAAW,CAAC,UACV,OAAO,MAAM,eAAe,YAAY,MAAM,WAAW,SAAS;AAAA,MACpE,IAAI;AAAA,QACF,OAAO;AAAA,QACP,QAAQ;AAAA,QACR,WAAW,CAAC,YAAY;AAAA,QACxB,UAAU;AAAA,MACZ;AAAA,MACA,IAAI;AAAA,QACF,OAAO;AAAA,QACP,QAAQ;AAAA,QACR,WAAW,CAAC;AAAA,QACZ,UAAU;AAAA,MACZ;AAAA,IACF;AAAA,EACF;AACF,CAAC;;;AC/LD,IAAAC,qBAAuB;AAmBhB,IAAM,kBAAkB,IAAI,0BAAO;AAAA,EACxC,OAAO;AAAA,IACL,QAAQ;AAAA,IACR,SAAS;AAAA,IACT,SAAS;AAAA,EACX;AAAA,EACA,YAAY;AAAA;AAAA,IAEV,IAAI;AAAA,MACF,MAAM;AAAA,MACN,UAAU;AAAA,MACV,SAAS;AAAA,IACX;AAAA;AAAA,IAEA,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA,IAEA,IAAI;AAAA,MACF,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA,IAEA,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA,IAKA,SAAS;AAAA,MACP,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA,IAEA,KAAK;AAAA,MACH,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,IACA,aAAa;AAAA,MACX,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOA,kBAAkB;AAAA,MAChB,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOA,uBAAuB;AAAA,MACrB,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOA,wBAAwB;AAAA,MACtB,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,IACA,WAAW;AAAA;AAAA,IAEX,QAAQ;AAAA,IACR,SAAS;AAAA,MACP,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAmBA,gBAAgB;AAAA,MACd,MAAM,CAAC,UAAU,YAAY,gBAAgB;AAAA,MAC7C,UAAU;AAAA,IACZ;AAAA,IACA,UAAU;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,IACA,OAAO;AAAA,MACL,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,EACF;AAAA,EACA,SAAS;AAAA;AAAA,IAEP,QAAQ;AAAA,MACN,IAAI;AAAA,QACF,OAAO;AAAA,QACP,WAAW,CAAC,YAAY,IAAI;AAAA,QAC5B,UAAU;AAAA,MACZ;AAAA,MACA,IAAI;AAAA,QACF,OAAO;AAAA,QACP,WAAW,CAAC,IAAI;AAAA,QAChB,UAAU;AAAA,MACZ;AAAA,IACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IASA,MAAM;AAAA,MACJ,OAAO;AAAA,MACP,IAAI;AAAA,QACF,OAAO;AAAA,QACP,WAAW,CAAC,YAAY,WAAW;AAAA,QACnC,UAAU;AAAA,MACZ;AAAA,MACA,IAAI;AAAA,QACF,OAAO;AAAA,QACP,QAAQ;AAAA,QACR,WAAW,CAAC,QAAQ;AAAA,QACpB,UAAU;AAAA,MACZ;AAAA,IACF;AAAA,EACF;AACF,CAAC;;;AhBlJD,IAAM,uBAAuB;AAAA,EAC3B,eAAe;AAAA,EACf,6BAA6B;AAAA,EAC7B,kCAAkC;AAAA,EAClC,YAAY;AAAA,EACZ,0BAA0B;AAAA,EAC1B,+BAA+B;AAAA,EAC/B,MAAM;AAAA,EACN,gBAAgB;AAAA,EAChB,8BAA8B;AAAA,EAC9B,mCAAmC;AAAA,EACnC,QAAQ;AAAA,EACR,MAAM;AAAA,EACN,WAAW;AACb;AAEA,IAAM,sBAAsB,IAAI,2BAAQ,sBAAsB;AAAA,EAC5D,OAAO;AAAA,EACP,QAAQ;AACV,CAAC;AAWM,IAAM,uBAAuB;AAAA,EAClC,UAAU,oBAAoB;AAAA,EAC9B,aAAa,oBAAoB;AACnC;AAQO,SAAS,wBACd,WAC0B;AAC1B,QAAM,WAAW,aAAa;AAC9B,QAAM,UAAU,IAAI,2BAAQ,sBAAsB;AAAA,IAChD,OAAO;AAAA,IACP,QAAQ;AAAA,EACV,CAAC;AACD,SAAO;AAAA,IACL,UAAU,QAAQ;AAAA,IAClB,aAAa,QAAQ;AAAA,EACvB;AACF;;;AiB9BO,IAAM,iBAAiB;AAAA,EAC5B,QAAQ;AAAA,EACR,WAAW;AAAA,EACX,MAAM;AACR;;;ACdO,SAAS,sBAAsB,OAG1B;AACV,MAAI,gBAAgB,MAAM,SAAS,GAAG;AACpC,WAAO;AAAA,EACT;AACA,MAAI,eAAe,MAAM,MAAM,GAAG;AAChC,WAAO;AAAA,EACT;AACA,SAAO;AACT;AAQA,SAAS,gBAAgB,WAAwC;AAC/D,MAAI,OAAO,cAAc,YAAY,UAAU,WAAW,GAAG;AAC3D,WAAO;AAAA,EACT;AACA,QAAM,QAAQ,UAAU,YAAY;AACpC,SAAO,UAAU,WAAW,MAAM,SAAS,OAAO;AACpD;AAOA,SAAS,eAAe,QAAqC;AAC3D,MAAI,OAAO,WAAW,YAAY,OAAO,WAAW,GAAG;AACrD,WAAO;AAAA,EACT;AACA,SAAO,OAAO,YAAY,EAAE,SAAS,OAAO;AAC9C;;;ACzEA,gCAAkC;AAClC,uBAcO;AAgIA,SAAS,iBACd,UACoB;AACpB,QAAM,OAAO,UAAU;AAGvB,QAAM,QAAQ,MAAM,SAAS,CAAC,GAAG;AACjC,SAAO,OAAO,UAAU,YAAY,MAAM,SAAS,IAAI,QAAQ;AACjE;;;ACpFO,SAAS,cACd,MACA,UACQ;AACR,UAAQ,MAAM;AAAA,IACZ,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AAIH,aAAO,4BAA4B,QAAQ;AAAA,IAC7C,KAAK;AAAA,IACL;AACE,aAAO;AAAA,EACX;AACF;;;ACvDA,eAAsB,gCACpB,QACiB;AACjB,QAAM,EAAE,QAAQ,OAAO,OAAO,UAAU,UAAU,IAAI;AAEtD,MAAI,SAAS,uBAAuB,CAAC,UAAU;AAC7C,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AAEA,QAAM,UAAU,wBAAwB,SAAS;AACjD,QAAM,WAAW,cAAc,MAAM,QAAQ;AAE7C,QAAM,SAAS,MAAM,QAAQ,SAAS,yBAAyB,MAC5D,OAAO,EAAE,OAAO,CAAC,EACjB,OAAO,EAAE,IAAI,SAAS,CAAC,EACvB,GAAG,EAAE,OAAO,OAAO,YAAY,CAAC,cAAc,EAAE,CAAC;AAEpD,UAAQ,OAAO,QAAQ,CAAC,GAAG;AAC7B;;;ACQA,eAAsB,mCACpB,QAC0C;AAC1C,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA,SAAS;AAAA,IACT;AAAA,IACA;AAAA,IACA;AAAA,EACF,IAAI;AAEJ,QAAM,UAAU,wBAAwB,SAAS;AAEjD,QAAM,YAIF;AAAA,IACF;AAAA,EACF;AACA,MAAI,UAAU,QAAW;AACvB,cAAU,QAAQ;AAAA,EACpB;AACA,MAAI,UAAU,QAAW;AACvB,cAAU,QAAQ;AAAA,EACpB;AAEA,QAAM,SAAS,MAAM,QAAQ,SAAS,8BAA8B,MACjE,OAAO,EAAE,UAAU,YAAY,CAAC,EAChC,OAAO,EAAE,IAAI,cAAc,CAAC,EAC5B,GAAG,SAAS;AAEf,QAAM,SACJ,OAAO,QAAQ,CAAC,GAChB,IAAI,CAAC,SAAS;AAAA,IACd,UAAU,IAAI;AAAA,IACd,aAAa,IAAI;AAAA,IACjB,IAAI,IAAI;AAAA,IACR,QAAQ,IAAI;AAAA,IACZ,cAAc,IAAI;AAAA,IAClB,SAAS,IAAI;AAAA,IACb,KAAK,IAAI;AAAA,IACT,aAAa,IAAI;AAAA,IACjB,sBAAsB,IAAI;AAAA,EAC5B,EAAE;AAEF,SAAO,EAAE,OAAO,QAAQ,OAAO,UAAU,KAAK;AAChD;;;AC1GA,IAAAC,gBAA+C;;;ACA/C,uBAAqC;;;AD0QrC,IAAM,yBAAyB;AAE/B,IAAM,4BAA4B;AAkClC,eAAsB,kBACpB,QACA,MACA,SACkB;AAClB,MAAI,KAAK,WAAW,EAAG,QAAO,CAAC;AAE/B,QAAM,YAAqB,CAAC;AAC5B,MAAI,UAAU;AACd,MAAI,UAAU;AAEd,SAAO,QAAQ,SAAS,GAAG;AACzB,QAAI,UAAU,GAAG;AACf,YAAM,IAAI;AAAA,QAAQ,CAAC,YACjB,WAAW,SAAS,4BAA4B,MAAM,UAAU,EAAE;AAAA,MACpE;AAAA,IACF;AACA;AACA,UAAM,SAAS,MAAM,OAClB,IAAI,OAAO,EACX,GAAG,SAAS,aAAa,EAAE,YAAY,KAAK,IAAI,MAAS;AAC5D,cAAU,KAAK,GAAG,OAAO,IAAI;AAC7B,UAAM,cAAc,OAAO,eAAe,CAAC;AAC3C,QAAI,YAAY,WAAW,EAAG;AAC9B,QAAI,WAAW,wBAAwB;AACrC,YAAM,IAAI;AAAA,QACR,+BAA+B,YAAY,MAAM,mCAAmC,sBAAsB;AAAA,MAC5G;AAAA,IACF;AACA,cAAU;AAAA,EACZ;AAEA,SAAO;AACT;AAqCA,eAAsB,iBACpB,MACA,cACA,OAC+C;AAC/C,MAAI,SAAS,SAAS;AACpB,QAAI,QAAQ;AACZ,eAAW,eAAe,cAAc;AACtC,gBAAU,YAAY,QAAQ,CAAC,GAAG;AAAA,IACpC;AACA,WAAO,EAAE,SAAS,CAAC,GAAG,MAAM;AAAA,EAC9B;AAEA,MAAI,SAAS,WAAW;AACtB,UAAMC,WAAoB,CAAC;AAC3B,eAAW,eAAe,cAAc;AACtC,iBAAW,QAAQ,YAAY,QAAQ,CAAC,GAAG;AACzC,YAAI,OAAO,KAAK,YAAY,SAAU;AACtC,YAAI;AACJ,YAAI;AACF,mBAAS,KAAK,MAAM,KAAK,OAAO;AAAA,QAClC,QAAQ;AACN;AAAA,QACF;AACA,QAAAA,SAAQ,KAAK,MAAM,kBAAkB,KAAK,IAAI,MAAM,CAAC;AAAA,MACvD;AAAA,IACF;AACA,WAAO,EAAE,SAAAA,UAAS,OAAOA,SAAQ,OAAO;AAAA,EAC1C;AAEA,QAAM,aAAuB,CAAC;AAC9B,aAAW,eAAe,cAAc;AACtC,eAAW,QAAQ,YAAY,QAAQ,CAAC,GAAG;AACzC,iBAAW,KAAK,KAAK,EAAE;AAAA,IACzB;AAAA,EACF;AAEA,MAAI,WAAW,WAAW,EAAG,QAAO,EAAE,SAAS,CAAC,GAAG,OAAO,EAAE;AAE5D,QAAM,QAAQ,MAAM,MAAM,QAAQ,UAAU;AAC5C,QAAM,OAAO,IAAI,IAAI,MAAM,IAAI,CAAC,SAAS,CAAC,MAAM,MAAM,IAAI,GAAG,IAAI,CAAC,CAAC;AAEnE,QAAM,UAAoB,CAAC;AAC3B,aAAW,MAAM,YAAY;AAC3B,UAAM,OAAO,KAAK,IAAI,EAAE;AACxB,QAAI,CAAC,KAAM;AACX,YAAQ,KAAK,MAAM,WAAW,IAAI,IAAI,CAAC;AAAA,EACzC;AAEA,SAAO,EAAE,SAAS,OAAO,QAAQ,OAAO;AAC1C;;;AE7ZA,IAAM,KAAK;AAqBX,eAAsB,yBACpB,QAC+B;AAC/B,QAAM,EAAE,SAAS,WAAW,OAAO,OAAO,IAAI;AAC9C,QAAM,WAAW,QAAQ;AACzB,QAAM,UAAU,wBAAwB,SAAS;AAEjD,QAAM,eAAe,MAAM,QAAQ;AAAA,IACjC,MAAM;AAAA,MAAK,EAAE,QAAQ,YAAY;AAAA,MAAG,CAAC,GAAG,UACtC,QAAQ,SAAS,WAAW,MACzB,KAAK,EAAE,UAAU,WAAW,OAAO,KAAK,EAAE,CAAC,EAC3C,GAAG;AAAA,IACR;AAAA,EACF;AAEA,SAAO,iBAGL,MAAM,cAAc;AAAA,IACpB,SAAS,CAAC,eACR;AAAA,MACE,QAAQ,SAAS;AAAA,MACjB,WAAW,IAAI,CAAC,QAAQ,EAAE,UAAU,IAAI,IAAI,GAAG,EAAE;AAAA,IACnD;AAAA,IACF,OAAO,CAAC,SAAS,KAAK;AAAA,IACtB,YAAY,CAAC,IAAI,UAAU;AAAA,MACzB;AAAA,MACA,UAAU;AAAA,QACR,cAAc;AAAA,QACd;AAAA,QACA,GAAI,KAAK,MAAM,KAAK,QAAQ;AAAA,MAC9B;AAAA,IACF;AAAA,IACA,mBAAmB,CAAC,IAAI,YAAY;AAAA,MAClC;AAAA,MACA,UAAU,EAAE,cAAc,cAAc,IAAI,GAAG,OAAO;AAAA,IACxD;AAAA,EACF,CAAC;AACH;;;AC3CA,IAAAC,gBAA+B;AAmIxB,SAAS,qBACd,UACA,WACoB;AACpB,QAAM,QAAQ,SAAS,SAAS;AAChC,MAAI,CAAC,SAAS,OAAO,UAAU,UAAU;AACvC,WAAO;AAAA,EACT;AACA,QAAM,YAAa,MAAkC;AACrD,MAAI,OAAO,cAAc,YAAY,UAAU,WAAW,GAAG;AAC3D,WAAO;AAAA,EACT;AACA,QAAM,QAAQ,UAAU,YAAY,GAAG;AACvC,QAAM,OAAO,SAAS,IAAI,UAAU,MAAM,QAAQ,CAAC,IAAI;AACvD,SAAO,KAAK,SAAS,IAAI,OAAO;AAClC;;;ACnHA,SAASC,eAAc,QAAoC;AACzD,MAAI,WAAW,UAAa,OAAO,WAAW,GAAG;AAC/C,WAAO;AAAA,EACT;AACA,SAAO,kBAAkB,MAAM;AACjC;AAiCA,eAAsB,uCACpB,QAC8C;AAC9C,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA,SAAS;AAAA,IACT;AAAA,IACA;AAAA,IACA;AAAA,EACF,IAAI;AAEJ,QAAM,UAAU,wBAAwB,SAAS;AACjD,QAAM,WAAWA,eAAc,MAAM;AAErC,QAAM,YAIF;AAAA,IACF;AAAA,EACF;AACA,MAAI,UAAU,QAAW;AACvB,cAAU,QAAQ;AAAA,EACpB;AACA,MAAI,UAAU,QAAW;AACvB,cAAU,QAAQ;AAAA,EACpB;AAEA,QAAM,SAAS,MAAM,QAAQ,SAAS,kCAAkC,MACrE,OAAO,EAAE,UAAU,YAAY,CAAC,EAChC,OAAO,EAAE,IAAI,SAAS,CAAC,EACvB,GAAG,SAAS;AAEf,QAAM,SACJ,OAAO,QAAQ,CAAC,GAChB,IAAI,CAAC,SAAS;AAAA,IACd,UAAU,IAAI;AAAA,IACd,aAAa,IAAI;AAAA,IACjB,IAAI,IAAI;AAAA,IACR,QAAQ,IAAI;AAAA,IACZ,QAAQ,IAAI;AAAA,IACZ,kBAAkB,IAAI;AAAA,IACtB,SAAS,IAAI;AAAA,IACb,KAAK,IAAI;AAAA,IACT,aAAa,IAAI;AAAA,IACjB,sBAAsB,IAAI;AAAA,IAC1B,sBAAsB,IAAI;AAAA,EAC5B,EAAE;AAEF,SAAO,EAAE,OAAO,QAAQ,OAAO,UAAU,KAAK;AAChD;;;ACzIA,IAAMC,MAAK;AA8BX,SAAS,aAAa,OAAwB;AAC5C,SAAO,OAAO,UAAU,YAAY,OAAO,SAAS,KAAK,IAAI,QAAQ;AACvE;AAMA,eAAsB,wBACpB,QAC+B;AAC/B,QAAM,EAAE,SAAS,WAAW,OAAO,OAAO,IAAI;AAC9C,QAAM,EAAE,SAAS,IAAI;AACrB,QAAM,UAAU,wBAAwB,SAAS;AAEjD,QAAM,eAAe,MAAM,QAAQ;AAAA,IACjC,MAAM;AAAA,MAAK,EAAE,QAAQ,YAAY;AAAA,MAAG,CAAC,GAAG,UACtC,QAAQ,SAAS,UAAU,MACxB,KAAK,EAAE,UAAU,WAAW,OAAO,KAAK,EAAE,CAAC,EAC3C,GAAG;AAAA,IACR;AAAA,EACF;AAEA,SAAO,iBASL,MAAM,cAAc;AAAA,IACpB,SAAS,CAAC,eACR;AAAA,MACE,QAAQ,SAAS;AAAA,MACjB,WAAW,IAAI,CAAC,QAAQ,EAAE,UAAU,IAAI,IAAIA,IAAG,EAAE;AAAA,IACnD;AAAA,IASF,OAAO,CAAC,SAAS,KAAK;AAAA;AAAA;AAAA;AAAA,IAItB,YAAY,CAAC,IAAI,UAAU;AAAA,MACzB;AAAA,MACA,UAAU;AAAA,QACR,cAAc;AAAA,QACd;AAAA,QACA,GAAI,KAAK,MAAM,KAAK,QAAQ;AAAA,QAC5B,QAAQ;AAAA,UACN,kBAAkB,aAAa,KAAK,gBAAgB;AAAA,UACpD,uBAAuB,aAAa,KAAK,qBAAqB;AAAA,UAC9D,wBAAwB,aAAa,KAAK,sBAAsB;AAAA,QAClE;AAAA,MACF;AAAA,IACF;AAAA;AAAA;AAAA,IAGA,mBAAmB,CAAC,IAAI,YAAY;AAAA,MAClC;AAAA,MACA,UAAU;AAAA,QACR,cAAc;AAAA,QACd;AAAA,QACA,GAAG;AAAA,QACH,QAAQ;AAAA,UACN,kBAAkB;AAAA,UAClB,uBAAuB;AAAA,UACvB,wBAAwB;AAAA,QAC1B;AAAA,MACF;AAAA,IACF;AAAA,EACF,CAAC;AACH;;;AC/CA,SAASC,cAAa,OAAwB;AAC5C,SAAO,OAAO,UAAU,YAAY,OAAO,SAAS,KAAK,IAAI,QAAQ;AACvE;AAGA,SAAS,iBAAiB,UAAiC;AACzD,SAAO;AAAA,IACL;AAAA,IACA,aAAa;AAAA,IACb,OAAM,oBAAI,KAAK,GAAE,YAAY;AAAA,IAC7B,SAAS;AAAA,IACT,WAAW;AAAA,IACX,WAAW;AAAA,IACX,QAAQ;AAAA,EACV;AACF;AAeA,eAAsB,iCAAiC,QAGnB;AAClC,QAAM,EAAE,UAAU,UAAU,IAAI;AAChC,QAAM,UAAU,wBAAwB,SAAS;AACjD,QAAM,UAAU,iBAAiB,QAAQ;AAEzC,QAAM,mBAAmB,MAAM,wBAAwB;AAAA,IACrD;AAAA,IACA;AAAA,IACA,MAAM;AAAA,EACR,CAAC;AACD,QAAM,qBAAqB,iBAAiB;AAK5C,QAAM,cAAc,MAAM,yBAAyB;AAAA,IACjD;AAAA,IACA;AAAA,IACA,MAAM;AAAA,EACR,CAAC;AACD,MAAI,gBAAgB;AACpB,aAAW,SAAS,YAAY,SAAS;AACvC,UAAM,gBAAgB,qBAAqB,MAAM,UAAU,WAAW;AACtE,QAAI,kBAAkB,QAAW;AAC/B,uBAAiB;AAAA,IACnB;AAAA,EACF;AAEA,QAAM,UAAU,MAAM,QAAQ,SAAS,OACpC,IAAI,EAAE,UAAU,IAAI,UAAU,CAAC,EAC/B,GAAG;AAEN,QAAM,QAAkC,CAAC;AACzC,QAAM,aAA4C;AAAA,IAChD;AAAA,IACA;AAAA,EACF;AAEA,aAAW,WAAW,OAAO,KAAK,UAAU,GAA2B;AACrE,UAAM,WAAWA,cAAa,QAAQ,OAAO,OAAO,CAAC;AACrD,UAAM,WAAW,WAAW,OAAO;AACnC,QAAI,aAAa,UAAU;AACzB,YAAM,KAAK;AAAA,QACT,QAAQ,eAAe;AAAA,QACvB,IAAI;AAAA,QACJ;AAAA,QACA,KAAK;AAAA,QACL,KAAK;AAAA,MACP,CAAC;AAAA,IACH;AAAA,EACF;AAEA,MAAI,MAAM,SAAS,GAAG;AACpB,UAAM,QAAQ,SAAS,OACpB,MAAM,EAAE,UAAU,IAAI,UAAU,CAAC,EACjC,IAAI,UAAU,EACd,GAAG;AAAA,EACR;AAEA,SAAO,EAAE,MAAM;AACjB;AAiBA,eAAsB,oCAAoC,QAItB;AAClC,QAAM,EAAE,UAAU,aAAa,UAAU,IAAI;AAC7C,QAAM,UAAU,wBAAwB,SAAS;AAGjD,MAAI,mBAAmB;AACvB,MAAI,mBAAkC;AACtC,KAAG;AACD,UAAM,OAAO,MAAM,mCAAmC;AAAA,MACpD;AAAA,MACA;AAAA,MACA,QAAQ;AAAA,MACR;AAAA,IACF,CAAC;AACD,wBAAoB,KAAK,MAAM;AAC/B,uBAAmB,KAAK;AAAA,EAC1B,SAAS,qBAAqB;AAK9B,MAAI,wBAAwB;AAC5B,MAAI,yBAAyB;AAC7B,MAAI,uBAAsC;AAC1C,KAAG;AACD,UAAM,OAAO,MAAM,uCAAuC;AAAA,MACxD;AAAA,MACA;AAAA,MACA,QAAQ;AAAA,MACR;AAAA,IACF,CAAC;AACD,eAAW,QAAQ,KAAK,OAAO;AAC7B,YAAM,YAAY,MAAM;AAAA,QACtB;AAAA,QACA;AAAA,QACA,KAAK;AAAA,MACP;AACA,UAAI,sBAAsB,EAAE,WAAW,QAAQ,KAAK,OAAO,CAAC,GAAG;AAC7D,iCAAyB;AAAA,MAC3B,OAAO;AACL,kCAA0B;AAAA,MAC5B;AAAA,IACF;AACA,2BAAuB,KAAK;AAAA,EAC9B,SAAS,yBAAyB;AAElC,QAAM,UAAU,MAAM,QAAQ,SAAS,UACpC,IAAI,EAAE,UAAU,IAAI,aAAa,IAAI,UAAU,CAAC,EAChD,GAAG;AAEN,QAAM,QAAkC,CAAC;AACzC,QAAM,aAA+C;AAAA,IACnD;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAEA,aAAW,WAAW,OAAO,KAAK,UAAU,GAA8B;AACxE,UAAM,WAAWA,cAAa,QAAQ,OAAO,OAAO,CAAC;AACrD,UAAM,WAAW,WAAW,OAAO;AACnC,QAAI,aAAa,UAAU;AACzB,YAAM,KAAK;AAAA,QACT,QAAQ,eAAe;AAAA,QACvB,IAAI;AAAA,QACJ;AAAA,QACA;AAAA,QACA,KAAK;AAAA,QACL,KAAK;AAAA,MACP,CAAC;AAAA,IACH;AAAA,EACF;AAEA,MAAI,MAAM,SAAS,GAAG;AACpB,UAAM,QAAQ,SAAS,UACpB,MAAM,EAAE,UAAU,IAAI,aAAa,IAAI,UAAU,CAAC,EAClD,IAAI,UAAU,EACd,GAAG;AAAA,EACR;AAEA,SAAO,EAAE,MAAM;AACjB;AAUA,eAAsB,+BAA+B,QAGjB;AAClC,QAAM,EAAE,QAAQ,UAAU,IAAI;AAC9B,QAAM,UAAU,wBAAwB,SAAS;AAEjD,QAAM,iBAAiB,MAAM,gCAAgC;AAAA,IAC3D;AAAA,IACA,MAAM;AAAA,IACN;AAAA,EACF,CAAC;AACD,QAAM,oBAAoB,MAAM,gCAAgC;AAAA,IAC9D;AAAA,IACA,MAAM;AAAA,IACN;AAAA,EACF,CAAC;AAED,QAAM,UAAU,MAAM,QAAQ,SAAS,KACpC,IAAI,EAAE,IAAI,QAAQ,IAAI,UAAU,CAAC,EACjC,GAAG;AAEN,QAAM,QAAkC,CAAC;AACzC,QAAM,aAA0C;AAAA,IAC9C;AAAA,IACA;AAAA,EACF;AAEA,aAAW,WAAW,OAAO,KAAK,UAAU,GAAyB;AACnE,UAAM,WAAWA,cAAa,QAAQ,OAAO,OAAO,CAAC;AACrD,UAAM,WAAW,WAAW,OAAO;AACnC,QAAI,aAAa,UAAU;AACzB,YAAM,KAAK;AAAA,QACT,QAAQ,eAAe;AAAA,QACvB,IAAI;AAAA,QACJ;AAAA,QACA,KAAK;AAAA,QACL,KAAK;AAAA,MACP,CAAC;AAAA,IACH;AAAA,EACF;AAEA,MAAI,MAAM,SAAS,GAAG;AACpB,UAAM,QAAQ,SAAS,KACpB,MAAM,EAAE,IAAI,QAAQ,IAAI,UAAU,CAAC,EACnC,IAAI,UAAU,EACd,GAAG;AAAA,EACR;AAEA,SAAO,EAAE,MAAM;AACjB;AAQA,eAAe,cACb,SACA,UACA,kBAC6B;AAC7B,QAAM,WAAW,MAAM,QAAQ,SAAS,eACrC,IAAI,EAAE,UAAU,IAAI,kBAAkB,IAAI,UAAU,CAAC,EACrD,GAAG;AACN,MAAI,CAAC,SAAS,MAAM;AAClB,WAAO;AAAA,EACT;AACA,QAAM,WAAW,KAAK,MAAM,SAAS,KAAK,QAAQ;AAIlD,SAAO,iBAAiB,QAAQ;AAClC;;;ACpVA,IAAMC,MAAK;AA8BX,SAASC,cAAa,OAAwB;AAC5C,SAAO,OAAO,UAAU,YAAY,OAAO,SAAS,KAAK,IAAI,QAAQ;AACvE;AAOA,eAAsB,qBACpB,QAC4B;AAC5B,QAAM,EAAE,WAAW,OAAO,OAAO,IAAI;AACrC,QAAM,UAAU,wBAAwB,SAAS;AAEjD,QAAM,eAAe,MAAM,QAAQ;AAAA,IACjC,MAAM;AAAA,MAAK,EAAE,QAAQ,YAAY;AAAA,MAAG,CAAC,GAAG,UACtC,QAAQ,SAAS,OAAO,MAAM,KAAK,EAAE,WAAW,OAAO,KAAK,EAAE,CAAC,EAAE,GAAG;AAAA,IACtE;AAAA,EACF;AAEA,SAAO,iBAQL,MAAM,cAAc;AAAA,IACpB,SAAS,CAAC,eACR;AAAA,MACE,QAAQ,SAAS;AAAA,MACjB,WAAW,IAAI,CAAC,QAAQ,EAAE,UAAU,IAAI,IAAID,IAAG,EAAE;AAAA,IACnD;AAAA,IAQF,OAAO,CAAC,SAAS,KAAK;AAAA;AAAA;AAAA;AAAA,IAItB,YAAY,CAAC,IAAI,UAAU;AAAA,MACzB;AAAA,MACA,UAAU;AAAA,QACR,cAAc;AAAA,QACd;AAAA,QACA,GAAI,KAAK,MAAM,KAAK,QAAQ;AAAA,QAC5B,QAAQ;AAAA,UACN,eAAeC,cAAa,KAAK,aAAa;AAAA,UAC9C,oBAAoBA,cAAa,KAAK,kBAAkB;AAAA,QAC1D;AAAA,MACF;AAAA,IACF;AAAA;AAAA;AAAA,IAGA,mBAAmB,CAAC,IAAI,YAAY;AAAA,MAClC;AAAA,MACA,UAAU;AAAA,QACR,cAAc;AAAA,QACd;AAAA,QACA,GAAG;AAAA,QACH,QAAQ,EAAE,eAAe,GAAG,oBAAoB,EAAE;AAAA,MACpD;AAAA,IACF;AAAA,EACF,CAAC;AACH;;;ACpGA,IAAMC,MAAK;AAgCX,SAASC,cAAa,OAAwB;AAC5C,SAAO,OAAO,UAAU,YAAY,OAAO,SAAS,KAAK,IAAI,QAAQ;AACvE;AAOA,eAAsB,mBACpB,QACyB;AACzB,QAAM,EAAE,WAAW,OAAO,OAAO,IAAI;AACrC,QAAM,UAAU,wBAAwB,SAAS;AAEjD,QAAM,eAAe,MAAM,QAAQ;AAAA,IACjC,MAAM;AAAA,MAAK,EAAE,QAAQ,YAAY;AAAA,MAAG,CAAC,GAAG,UACtC,QAAQ,SAAS,KAAK,MAAM,KAAK,EAAE,WAAW,OAAO,KAAK,EAAE,CAAC,EAAE,GAAG;AAAA,IACpE;AAAA,EACF;AAEA,SAAO,iBAQL,MAAM,cAAc;AAAA,IACpB,SAAS,CAAC,eACR;AAAA,MACE,QAAQ,SAAS;AAAA,MACjB,WAAW,IAAI,CAAC,QAAQ,EAAE,IAAI,IAAID,IAAG,EAAE;AAAA,IACzC;AAAA,IAQF,OAAO,CAAC,SAAS,KAAK;AAAA;AAAA;AAAA;AAAA,IAItB,YAAY,CAAC,IAAI,UAAU;AAAA,MACzB;AAAA,MACA,UAAU;AAAA,QACR,cAAc;AAAA,QACd;AAAA,QACA,GAAI,KAAK,MAAM,KAAK,QAAQ;AAAA,QAC5B,QAAQ;AAAA,UACN,gBAAgBC,cAAa,KAAK,cAAc;AAAA,UAChD,mBAAmBA,cAAa,KAAK,iBAAiB;AAAA,QACxD;AAAA,MACF;AAAA,IACF;AAAA;AAAA;AAAA,IAGA,mBAAmB,CAAC,IAAI,YAAY;AAAA,MAClC;AAAA,MACA,UAAU;AAAA,QACR,cAAc;AAAA,QACd;AAAA,QACA,GAAG;AAAA,QACH,QAAQ,EAAE,gBAAgB,GAAG,mBAAmB,EAAE;AAAA,MACpD;AAAA,IACF;AAAA,EACF,CAAC;AACH;;;AC9DA,SAAS,cAAc,UAAiC;AACtD,SAAO;AAAA,IACL;AAAA,IACA,aAAa;AAAA,IACb,OAAM,oBAAI,KAAK,GAAE,YAAY;AAAA,IAC7B,SAAS;AAAA,IACT,WAAW;AAAA,IACX,WAAW;AAAA,IACX,QAAQ;AAAA,EACV;AACF;AAOA,eAAsB,8BACpB,SAEI,CAAC,GAC4B;AACjC,QAAM,EAAE,UAAU,IAAI;AACtB,QAAM,QAAkC,CAAC;AACzC,MAAI,iBAAiB;AACrB,MAAI,oBAAoB;AACxB,MAAI,eAAe;AAGnB,QAAM,UAAU,MAAM,qBAAqB;AAAA,IACzC,SAAS,cAAc,EAAE;AAAA,IACzB;AAAA,IACA,MAAM;AAAA,EACR,CAAC;AACD,aAAW,UAAU,QAAQ,SAAS;AACpC,sBAAkB;AAClB,UAAM,eAAe,MAAM,iCAAiC;AAAA,MAC1D,UAAU,OAAO;AAAA,MACjB;AAAA,IACF,CAAC;AACD,UAAM,KAAK,GAAG,aAAa,KAAK;AAEhC,UAAM,aAAa,MAAM,wBAAwB;AAAA,MAC/C,SAAS,cAAc,OAAO,EAAE;AAAA,MAChC;AAAA,MACA,MAAM;AAAA,IACR,CAAC;AACD,eAAW,aAAa,WAAW,SAAS;AAC1C,2BAAqB;AACrB,YAAM,kBAAkB,MAAM,oCAAoC;AAAA,QAChE,UAAU,OAAO;AAAA,QACjB,aAAa,UAAU;AAAA,QACvB;AAAA,MACF,CAAC;AACD,YAAM,KAAK,GAAG,gBAAgB,KAAK;AAAA,IACrC;AAAA,EACF;AAGA,QAAM,QAAQ,MAAM,mBAAmB;AAAA,IACrC,SAAS,cAAc,EAAE;AAAA,IACzB;AAAA,IACA,MAAM;AAAA,EACR,CAAC;AACD,aAAW,QAAQ,MAAM,SAAS;AAChC,oBAAgB;AAChB,UAAM,aAAa,MAAM,+BAA+B;AAAA,MACtD,QAAQ,KAAK;AAAA,MACb;AAAA,IACF,CAAC;AACD,UAAM,KAAK,GAAG,WAAW,KAAK;AAAA,EAChC;AAEA,SAAO;AAAA,IACL;AAAA,IACA,SAAS;AAAA,MACP,SAAS;AAAA,MACT,YAAY;AAAA,MACZ,OAAO;AAAA,IACT;AAAA,IACA,mBAAmB,MAAM;AAAA,EAC3B;AACF;;;AjC/FO,IAAM,2BAA2B,OACtC,SACoC;AACpC,QAAM,SAAS,MAAM,KAAK,aAAa;AAIvC,UAAQ;AAAA,IACN,KAAK,UAAU;AAAA,MACb,SAAS;AAAA,MACT,SAAS,OAAO;AAAA,MAChB,mBAAmB,OAAO;AAAA,MAC1B,OAAO,OAAO;AAAA,IAChB,CAAC;AAAA,EACH;AAEA,SAAO;AACT;AAEA,IAAM,yBAAyB,OAA0C;AAAA,EACvE,cAAc,MAAM,8BAA8B;AACpD;AAEO,IAAM,UAAU,YACrB,yBAAyB,uBAAuB,CAAC;","names":["exports","exports","exports","exports","exports","exports","exports","exports","publishWorkflowEvent","exports","exports","exports","exports","exports","import_electrodb","import_electrodb","import_electrodb","import_electrodb","import_electrodb","import_electrodb","import_electrodb","import_electrodb","import_electrodb","import_electrodb","import_electrodb","import_electrodb","import_electrodb","import_types","entries","import_types","buildSkPrefix","SK","counterValue","SK","counterValue","SK","counterValue"]}