@openhi/constructs 0.0.85 → 0.0.87

package/lib/rest-api-lambda.handler.js

@@ -172,6 +172,31 @@ var dynamoClient = new import_client_dynamodb.DynamoDBClient({
 
 // src/data/dynamo/entities/control/configuration-entity.ts
 var import_electrodb = require("electrodb");
+
+// src/data/dynamo/shard.ts
+var SHARD_COUNT = 4;
+function computeShard(id) {
+  let hash = 2166136261;
+  for (let i = 0; i < id.length; i++) {
+    hash ^= id.charCodeAt(i);
+    hash = Math.imul(hash, 16777619);
+  }
+  return (hash >>> 0) % SHARD_COUNT;
+}
+
+// src/data/dynamo/entities/control/control-entity-common.ts
+var gsi1ShardAttribute = {
+  type: "string",
+  watch: ["id"],
+  set: (_val, item) => {
+    if (typeof item?.id !== "string" || item.id.length === 0) {
+      return void 0;
+    }
+    return String(computeShard(item.id));
+  }
+};
+
+// src/data/dynamo/entities/control/configuration-entity.ts
 var ConfigurationEntity = new import_electrodb.Entity({
   model: {
     entity: "configuration",
@@ -224,6 +249,14 @@ var ConfigurationEntity = new import_electrodb.Entity({
       type: "string",
       required: true
     },
+    /**
+     * Summary projection (key display fields as JSON string: id, key, status).
+     * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.
+     */
+    summary: {
+      type: "string",
+      required: true
+    },
     /** Version id (e.g. ULID). Tracks current version; S3 history key. */
     vid: {
       type: "string",
@@ -233,6 +266,7 @@ var ConfigurationEntity = new import_electrodb.Entity({
       type: "string",
       required: true
     },
+    gsi1Shard: gsi1ShardAttribute,
     deleted: {
       type: "boolean",
       required: false
@@ -260,19 +294,27 @@ var ConfigurationEntity = new import_electrodb.Entity({
         template: "KEY#${key}#SK#${sk}"
       }
     },
-    /** GSI4 — Resource Type Index: list all Configuration in a tenant or workspace (no scan). Use for "list configs scoped to this tenant" (workspaceId = "-") or "list configs scoped to this workspace". Does not support hierarchical resolution in one query; use base table GetItem in fallback order (user → workspace → tenant → baseline) for that. */
-    gsi4: {
-      index: "GSI4",
-      condition: () => true,
+    /**
+     * GSI1 — Unified Sharded List per ADR-011: list all Configuration entries for a
+     * (tenant, workspace) across the four shards. Use for "list configs scoped to this tenant"
+     * (workspaceId = "-") or "list configs scoped to this workspace". Does not support
+     * hierarchical resolution in one query; use base table GetItem in fallback order
+     * (user → workspace → tenant → baseline) for that.
+     * SK is `<ISO-8601 lastUpdated>#<id>` (control-plane unlabeled per DR-004).
+     * `casing: "none"` on the SK preserves ISO-8601 `T`/`Z`.
+     */
+    gsi1: {
+      index: "GSI1",
       pk: {
-        field: "GSI4PK",
-        composite: ["tenantId", "workspaceId"],
-        template: "TID#${tenantId}#WID#${workspaceId}#RT#Configuration"
+        field: "GSI1PK",
+        composite: ["tenantId", "workspaceId", "gsi1Shard"],
+        template: "TID#${tenantId}#WID#${workspaceId}#RT#Configuration#SHARD#${gsi1Shard}"
       },
       sk: {
-        field: "GSI4SK",
-        composite: ["key", "sk"],
-        template: "KEY#${key}#SK#${sk}"
+        field: "GSI1SK",
+        casing: "none",
+        composite: ["lastUpdated", "id"],
+        template: "${lastUpdated}#${id}"
       }
     }
   }
@@ -308,6 +350,14 @@ var MembershipEntity = new import_electrodb2.Entity({
       type: "string",
       required: true
     },
+    /**
+     * Summary projection (key display fields as JSON string: id, displayName, status).
+     * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.
+     */
+    summary: {
+      type: "string",
+      required: true
+    },
     /** Version id (e.g. ULID). */
     vid: {
       type: "string",
@@ -317,6 +367,7 @@ var MembershipEntity = new import_electrodb2.Entity({
       type: "string",
       required: true
     },
+    gsi1Shard: gsi1ShardAttribute,
     deleted: {
       type: "boolean",
       required: false
@@ -344,19 +395,24 @@ var MembershipEntity = new import_electrodb2.Entity({
         template: "${sk}"
       }
     },
-    /** GSI4 — Resource Type Index: list all Memberships for a tenant (no scan). */
-    gsi4: {
-      index: "GSI4",
-      condition: () => true,
+    /**
+     * GSI1 — Unified Sharded List per ADR-011: list all Memberships for a tenant across the
+     * four shards. Membership is tenant-scoped only, so `WID#-` is a sentinel.
+     * SK is `<ISO-8601 lastUpdated>#<id>` (control-plane unlabeled per DR-004).
+     * `casing: "none"` on the SK preserves ISO-8601 `T`/`Z`.
+     */
+    gsi1: {
+      index: "GSI1",
       pk: {
-        field: "GSI4PK",
-        composite: ["tenantId"],
-        template: "TID#${tenantId}#RT#Membership"
+        field: "GSI1PK",
+        composite: ["tenantId", "gsi1Shard"],
+        template: "TID#${tenantId}#WID#-#RT#Membership#SHARD#${gsi1Shard}"
       },
       sk: {
-        field: "GSI4SK",
-        composite: ["id"],
-        template: "ID#${id}"
+        field: "GSI1SK",
+        casing: "none",
+        composite: ["lastUpdated", "id"],
+        template: "${lastUpdated}#${id}"
       }
     }
   }
@@ -387,6 +443,14 @@ var RoleEntity = new import_electrodb3.Entity({
       type: "string",
       required: true
     },
+    /**
+     * Summary projection (key display fields as JSON string: id, displayName, status).
+     * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.
+     */
+    summary: {
+      type: "string",
+      required: true
+    },
     /** Version id (e.g. ULID). */
     vid: {
       type: "string",
@@ -396,6 +460,7 @@ var RoleEntity = new import_electrodb3.Entity({
       type: "string",
       required: true
     },
+    gsi1Shard: gsi1ShardAttribute,
     deleted: {
       type: "boolean",
       required: false
@@ -423,19 +488,24 @@ var RoleEntity = new import_electrodb3.Entity({
         template: "${sk}"
       }
     },
-    /** GSI4 — Resource Type Index: list all Roles (no scan). */
-    gsi4: {
-      index: "GSI4",
-      condition: () => true,
+    /**
+     * GSI1 — Unified Sharded List per ADR-011: list all Roles across the four shards.
+     * Non-tenant-isolated, so `TID#-#WID#-` sentinels precede `RT#Role#SHARD#<n>`.
+     * SK is `<ISO-8601 lastUpdated>#<id>` (control-plane unlabeled per DR-004).
+     * `casing: "none"` on the SK preserves ISO-8601 `T`/`Z`.
+     */
+    gsi1: {
+      index: "GSI1",
       pk: {
-        field: "GSI4PK",
-        composite: [],
-        template: "RT#Role"
+        field: "GSI1PK",
+        composite: ["gsi1Shard"],
+        template: "TID#-#WID#-#RT#Role#SHARD#${gsi1Shard}"
       },
       sk: {
-        field: "GSI4SK",
-        composite: ["id"],
-        template: "ID#${id}"
+        field: "GSI1SK",
+        casing: "none",
+        composite: ["lastUpdated", "id"],
+        template: "${lastUpdated}#${id}"
       }
     }
   }
@@ -471,6 +541,14 @@ var RoleAssignmentEntity = new import_electrodb4.Entity({
       type: "string",
       required: true
     },
+    /**
+     * Summary projection (key display fields as JSON string: id, displayName, status).
+     * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.
+     */
+    summary: {
+      type: "string",
+      required: true
+    },
     /** Version id (e.g. ULID). */
     vid: {
       type: "string",
@@ -480,6 +558,7 @@ var RoleAssignmentEntity = new import_electrodb4.Entity({
       type: "string",
       required: true
     },
+    gsi1Shard: gsi1ShardAttribute,
     deleted: {
       type: "boolean",
       required: false
@@ -507,19 +586,24 @@ var RoleAssignmentEntity = new import_electrodb4.Entity({
         template: "${sk}"
       }
     },
-    /** GSI4 — Resource Type Index: list all RoleAssignments for a tenant (no scan). */
-    gsi4: {
-      index: "GSI4",
-      condition: () => true,
+    /**
+     * GSI1 — Unified Sharded List per ADR-011: list all RoleAssignments for a tenant across the
+     * four shards. Tenant-scoped only, so `WID#-` is a sentinel.
+     * SK is `<ISO-8601 lastUpdated>#<id>` (control-plane unlabeled per DR-004).
+     * `casing: "none"` on the SK preserves ISO-8601 `T`/`Z`.
+     */
+    gsi1: {
+      index: "GSI1",
       pk: {
-        field: "GSI4PK",
-        composite: ["tenantId"],
-        template: "TID#${tenantId}#RT#RoleAssignment"
+        field: "GSI1PK",
+        composite: ["tenantId", "gsi1Shard"],
+        template: "TID#${tenantId}#WID#-#RT#RoleAssignment#SHARD#${gsi1Shard}"
       },
       sk: {
-        field: "GSI4SK",
-        composite: ["id"],
-        template: "ID#${id}"
+        field: "GSI1SK",
+        casing: "none",
+        composite: ["lastUpdated", "id"],
+        template: "${lastUpdated}#${id}"
       }
     }
   }
@@ -555,6 +639,14 @@ var TenantEntity = new import_electrodb5.Entity({
       type: "string",
       required: true
     },
+    /**
+     * Summary projection (key display fields as JSON string: id, displayName, status).
+     * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.
+     */
+    summary: {
+      type: "string",
+      required: true
+    },
     /** Version id (e.g. ULID). */
     vid: {
       type: "string",
@@ -564,6 +656,7 @@ var TenantEntity = new import_electrodb5.Entity({
       type: "string",
       required: true
     },
+    gsi1Shard: gsi1ShardAttribute,
     deleted: {
       type: "boolean",
       required: false
@@ -591,19 +684,24 @@ var TenantEntity = new import_electrodb5.Entity({
         template: "${sk}"
       }
     },
-    /** GSI4 — Resource Type Index: list all Tenants (no scan). */
-    gsi4: {
-      index: "GSI4",
-      condition: () => true,
+    /**
+     * GSI1 — Unified Sharded List per ADR-011: list all Tenants across the four shards.
+     * Tenant lives at the platform tier (no parent tenant or workspace), so `TID#-#WID#-`
+     * sentinels precede `RT#Tenant#SHARD#<n>`. SK is `<ISO-8601 lastUpdated>#<id>` (control-plane
+     * unlabeled per DR-004). `casing: "none"` on the SK preserves ISO-8601 `T`/`Z`.
+     */
+    gsi1: {
+      index: "GSI1",
       pk: {
-        field: "GSI4PK",
-        composite: [],
-        template: "RT#Tenant"
+        field: "GSI1PK",
+        composite: ["gsi1Shard"],
+        template: "TID#-#WID#-#RT#Tenant#SHARD#${gsi1Shard}"
       },
       sk: {
-        field: "GSI4SK",
-        composite: ["tenantId"],
-        template: "ID#${tenantId}"
+        field: "GSI1SK",
+        casing: "none",
+        composite: ["lastUpdated", "id"],
+        template: "${lastUpdated}#${id}"
       }
     }
   }
@@ -634,6 +732,22 @@ var UserEntity = new import_electrodb6.Entity({
       type: "string",
       required: true
     },
+    /**
+     * Summary projection (key display fields as JSON string: id, displayName, status).
+     * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.
+     */
+    summary: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Immutable Cognito-issued `sub` claim. Drives GSI2 (sub-lookup). Optional until the
+     * Post Confirmation Lambda (#770) lands; required thereafter.
+     */
+    cognitoSub: {
+      type: "string",
+      required: false
+    },
     /** Version id (e.g. ULID). */
     vid: {
       type: "string",
@@ -643,6 +757,7 @@ var UserEntity = new import_electrodb6.Entity({
       type: "string",
       required: true
     },
+    gsi1Shard: gsi1ShardAttribute,
     deleted: {
       type: "boolean",
       required: false
@@ -670,19 +785,45 @@ var UserEntity = new import_electrodb6.Entity({
         template: "${sk}"
       }
     },
-    /** GSI4 — Resource Type Index: list all Users (no scan). */
-    gsi4: {
-      index: "GSI4",
-      condition: () => true,
+    /**
+     * GSI1 — Unified Sharded List per ADR-011: list all Users across the four shards.
+     * Non-tenant-isolated, so `TID#-#WID#-` sentinels precede `RT#User#SHARD#<n>`.
+     * SK is `<ISO-8601 lastUpdated>#<id>` (control-plane unlabeled per DR-004).
+     * `casing: "none"` on the SK preserves ISO-8601 `T`/`Z` characters.
+     */
+    gsi1: {
+      index: "GSI1",
       pk: {
-        field: "GSI4PK",
-        composite: [],
-        template: "RT#User"
+        field: "GSI1PK",
+        composite: ["gsi1Shard"],
+        template: "TID#-#WID#-#RT#User#SHARD#${gsi1Shard}"
       },
       sk: {
-        field: "GSI4SK",
-        composite: ["id"],
-        template: "ID#${id}"
+        field: "GSI1SK",
+        casing: "none",
+        composite: ["lastUpdated", "id"],
+        template: "${lastUpdated}#${id}"
+      }
+    },
+    /**
+     * GSI2 — Cognito sub-lookup per ADR-011: resolves the UserEntity from a Cognito `sub` claim.
+     * `condition` skips the index when `cognitoSub` is missing so legacy items without a sub are
+     * not indexed.
+     */
+    gsi2: {
+      index: "GSI2",
+      condition: (attrs) => typeof attrs.cognitoSub === "string" && attrs.cognitoSub.length > 0,
+      pk: {
+        field: "GSI2PK",
+        casing: "none",
+        composite: ["cognitoSub"],
+        template: "USER#SUB#${cognitoSub}"
+      },
+      sk: {
+        field: "GSI2SK",
+        casing: "none",
+        composite: [],
+        template: "CURRENT"
       }
     }
   }
@@ -718,6 +859,14 @@ var WorkspaceEntity = new import_electrodb7.Entity({
       type: "string",
       required: true
     },
+    /**
+     * Summary projection (key display fields as JSON string: id, displayName, status).
+     * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.
+     */
+    summary: {
+      type: "string",
+      required: true
+    },
     /** Version id (e.g. ULID). */
     vid: {
       type: "string",
@@ -727,6 +876,7 @@ var WorkspaceEntity = new import_electrodb7.Entity({
       type: "string",
       required: true
     },
+    gsi1Shard: gsi1ShardAttribute,
     deleted: {
       type: "boolean",
       required: false
@@ -754,19 +904,24 @@ var WorkspaceEntity = new import_electrodb7.Entity({
         template: "${sk}"
       }
     },
-    /** GSI4 — Resource Type Index: list all Workspaces for a tenant (no scan). */
-    gsi4: {
-      index: "GSI4",
-      condition: () => true,
+    /**
+     * GSI1 — Unified Sharded List per ADR-011: list all Workspaces for a tenant across the
+     * four shards. Workspace is itself the workspace identity, so `WID#-` is a sentinel.
+     * SK is `<ISO-8601 lastUpdated>#<id>` (control-plane unlabeled per DR-004).
+     * `casing: "none"` on the SK preserves ISO-8601 `T`/`Z`.
+     */
+    gsi1: {
+      index: "GSI1",
       pk: {
-        field: "GSI4PK",
-        composite: ["tenantId"],
-        template: "TID#${tenantId}#RT#Workspace"
+        field: "GSI1PK",
+        composite: ["tenantId", "gsi1Shard"],
+        template: "TID#${tenantId}#WID#-#RT#Workspace#SHARD#${gsi1Shard}"
       },
       sk: {
-        field: "GSI4SK",
-        composite: ["id"],
-        template: "ID#${id}"
+        field: "GSI1SK",
+        casing: "none",
+        composite: ["lastUpdated", "id"],
+        template: "${lastUpdated}#${id}"
       }
     }
   }
@@ -820,6 +975,7 @@ async function createConfigurationOperation(params) {
   const roleId = body.roleId ?? context.roleId ?? "-";
   const lastUpdated = body.lastUpdated ?? date;
   const vid = body.vid ?? (date.replace(/[-:T.Z]/g, "").slice(0, 12) || Date.now().toString(36));
+  const summary = JSON.stringify({ resourceType: "Configuration", id, key });
   const service = getDynamoControlService(tableName);
   await service.entities.configuration.put({
     tenantId,
@@ -829,6 +985,7 @@ async function createConfigurationOperation(params) {
     key,
     id,
     resource: compressResource(resourceStr),
+    summary,
     vid,
     lastUpdated,
     sk: SK
@@ -1235,22 +1392,25 @@ async function listConfigurationsOperation(params) {
   const { context, tableName } = params;
   const { tenantId, workspaceId } = context;
   const service = getDynamoControlService(tableName);
-  const result = await service.entities.configuration.query.gsi4({ tenantId, workspaceId }).go();
-  const entries = (result.data ?? []).map(
-    (item) => {
-      const resource = JSON.parse(decompressResource(item.resource));
-      return {
+  const shardResults = await Promise.all(
+    Array.from(
+      { length: SHARD_COUNT },
+      (_, shard) => service.entities.configuration.query.gsi1({ tenantId, workspaceId, gsi1Shard: String(shard) }).go()
+    )
+  );
+  const entries = shardResults.flatMap((shardResult) => shardResult.data ?? []).map((item) => {
+    const resource = JSON.parse(decompressResource(item.resource));
+    return {
+      id: item.id,
+      key: item.key,
+      resource: {
+        resourceType: "Configuration",
         id: item.id,
         key: item.key,
-        resource: {
-          resourceType: "Configuration",
-          id: item.id,
-          key: item.key,
-          resource
-        }
-      };
-    }
-  );
+        resource
+      }
+    };
+  });
   return { entries };
 }
 
@@ -1420,8 +1580,14 @@ async function updateConfigurationOperation(params) {
   const resourceStr = typeof resourcePayload === "string" ? resourcePayload : JSON.stringify(resourcePayload ?? {});
   const lastUpdated = body.lastUpdated ?? date;
   const nextVid = existing.data.vid != null ? String(Number(existing.data.vid) + 1) : date.replace(/[-:T.Z]/g, "").slice(0, 12) || "2";
+  const summary = JSON.stringify({
+    resourceType: "Configuration",
+    id: existing.data.id,
+    key: existing.data.key
+  });
   await service.entities.configuration.patch({ tenantId, workspaceId, userId: actorId, roleId, key: id, sk: SK4 }).set({
     resource: compressResource(resourceStr),
+    summary,
     lastUpdated,
     vid: nextVid
   }).go();
@@ -1499,6 +1665,7 @@ router.delete("/:id", deleteConfigurationRoute);
 var import_express2 = __toESM(require("express"));
 
 // src/data/operations/control/membership/membership-create-operation.ts
+var import_types = require("@openhi/types");
 async function createMembershipOperation(params) {
   const { context, body, tableName } = params;
   const service = getDynamoControlService(tableName);
@@ -1506,20 +1673,19 @@ async function createMembershipOperation(params) {
   const parsedResource = typeof body.resource === "string" ? JSON.parse(body.resource) : body.resource ?? {};
   const lastUpdated = context.date ?? (/* @__PURE__ */ new Date()).toISOString();
   const vid = `1`;
+  const resource = { resourceType: "Membership", id, ...parsedResource };
+  const summary = JSON.stringify((0, import_types.extractSummary)(resource));
   await service.entities.membership.put({
     tenantId: context.tenantId,
     id,
-    resource: JSON.stringify({
-      resourceType: "Membership",
-      id,
-      ...parsedResource
-    }),
+    resource: JSON.stringify(resource),
+    summary,
     vid,
     lastUpdated
   }).go();
   return {
     id,
-    resource: { resourceType: "Membership", id, ...parsedResource },
+    resource,
     meta: { lastUpdated, versionId: vid }
   };
 }
@@ -1627,12 +1793,21 @@ async function getMembershipByIdRoute(req, res) {
 async function listMembershipsOperation(params) {
   const { context, tableName } = params;
   const service = getDynamoControlService(tableName);
-  const response = await service.entities.membership.query.gsi4({ tenantId: context.tenantId }).go();
-  const entries = (response.data ?? []).map((item) => {
+  const shardResults = await Promise.all(
+    Array.from(
+      { length: SHARD_COUNT },
+      (_, shard) => service.entities.membership.query.gsi1({ tenantId: context.tenantId, gsi1Shard: String(shard) }).go()
+    )
+  );
+  const entries = shardResults.flatMap((shardResult) => shardResult.data ?? []).map((item) => {
     const parsedResource = JSON.parse(item.resource);
     return {
       id: item.id,
-      resource: { resourceType: "Membership", id: item.id, ...parsedResource }
+      resource: {
+        resourceType: "Membership",
+        id: item.id,
+        ...parsedResource
+      }
     };
   });
   return { entries };
@@ -1661,6 +1836,7 @@ async function listMembershipsRoute(req, res) {
 }
 
 // src/data/operations/control/membership/membership-update-operation.ts
+var import_types2 = require("@openhi/types");
 async function updateMembershipOperation(params) {
   const { context, id, body, tableName } = params;
   const service = getDynamoControlService(tableName);
@@ -1671,20 +1847,19 @@ async function updateMembershipOperation(params) {
   const parsedResource = typeof body.resource === "string" ? JSON.parse(body.resource) : body.resource ?? {};
   const lastUpdated = context.date ?? (/* @__PURE__ */ new Date()).toISOString();
   const vid = `${Date.now()}`;
+  const resource = { resourceType: "Membership", id, ...parsedResource };
+  const summary = JSON.stringify((0, import_types2.extractSummary)(resource));
   await service.entities.membership.put({
     tenantId: context.tenantId,
     id,
-    resource: JSON.stringify({
-      resourceType: "Membership",
-      id,
-      ...parsedResource
-    }),
+    resource: JSON.stringify(resource),
+    summary,
     vid,
     lastUpdated
   }).go();
   return {
     id,
-    resource: { resourceType: "Membership", id, ...parsedResource },
+    resource,
     meta: { lastUpdated, versionId: vid }
   };
 }
@@ -1741,6 +1916,7 @@ router2.delete("/:id", deleteMembershipRoute);
 var import_express3 = __toESM(require("express"));
 
 // src/data/operations/control/role/role-create-operation.ts
+var import_types3 = require("@openhi/types");
 async function createRoleOperation(params) {
   const { context, body, tableName } = params;
   const service = getDynamoControlService(tableName);
@@ -1748,15 +1924,18 @@ async function createRoleOperation(params) {
   const parsedResource = typeof body.resource === "string" ? JSON.parse(body.resource) : body.resource ?? {};
   const lastUpdated = context.date ?? (/* @__PURE__ */ new Date()).toISOString();
   const vid = `1`;
+  const resource = { resourceType: "Role", id, ...parsedResource };
+  const summary = JSON.stringify((0, import_types3.extractSummary)(resource));
   await service.entities.role.put({
     id,
-    resource: JSON.stringify({ resourceType: "Role", id, ...parsedResource }),
+    resource: JSON.stringify(resource),
+    summary,
     vid,
     lastUpdated
   }).go();
   return {
     id,
-    resource: { resourceType: "Role", id, ...parsedResource },
+    resource,
     meta: { lastUpdated, versionId: vid }
   };
 }
@@ -1864,8 +2043,13 @@ async function getRoleByIdRoute(req, res) {
 async function listRolesOperation(params) {
   const { tableName } = params;
   const service = getDynamoControlService(tableName);
-  const response = await service.entities.role.query.gsi4({}).go();
-  const entries = (response.data ?? []).map((item) => {
+  const shardResults = await Promise.all(
+    Array.from(
+      { length: SHARD_COUNT },
+      (_, shard) => service.entities.role.query.gsi1({ gsi1Shard: String(shard) }).go()
+    )
+  );
+  const entries = shardResults.flatMap((shardResult) => shardResult.data ?? []).map((item) => {
     const parsedResource = JSON.parse(item.resource);
     return {
       id: item.id,
@@ -1898,6 +2082,7 @@ async function listRolesRoute(req, res) {
 }
 
 // src/data/operations/control/role/role-update-operation.ts
+var import_types4 = require("@openhi/types");
 async function updateRoleOperation(params) {
   const { context, id, body, tableName } = params;
   const service = getDynamoControlService(tableName);
@@ -1908,15 +2093,18 @@ async function updateRoleOperation(params) {
   const parsedResource = typeof body.resource === "string" ? JSON.parse(body.resource) : body.resource ?? {};
   const lastUpdated = context.date ?? (/* @__PURE__ */ new Date()).toISOString();
   const vid = `${Date.now()}`;
+  const resource = { resourceType: "Role", id, ...parsedResource };
+  const summary = JSON.stringify((0, import_types4.extractSummary)(resource));
   await service.entities.role.put({
     id,
-    resource: JSON.stringify({ resourceType: "Role", id, ...parsedResource }),
+    resource: JSON.stringify(resource),
+    summary,
     vid,
     lastUpdated
   }).go();
   return {
     id,
-    resource: { resourceType: "Role", id, ...parsedResource },
+    resource,
     meta: { lastUpdated, versionId: vid }
   };
 }
@@ -1973,6 +2161,7 @@ router3.delete("/:id", deleteRoleRoute);
 var import_express4 = __toESM(require("express"));
 
 // src/data/operations/control/roleassignment/roleassignment-create-operation.ts
+var import_types5 = require("@openhi/types");
 async function createRoleAssignmentOperation(params) {
   const { context, body, tableName } = params;
   const service = getDynamoControlService(tableName);
@@ -1980,20 +2169,19 @@ async function createRoleAssignmentOperation(params) {
   const parsedResource = typeof body.resource === "string" ? JSON.parse(body.resource) : body.resource ?? {};
   const lastUpdated = context.date ?? (/* @__PURE__ */ new Date()).toISOString();
   const vid = `1`;
+  const resource = { resourceType: "RoleAssignment", id, ...parsedResource };
+  const summary = JSON.stringify((0, import_types5.extractSummary)(resource));
   await service.entities.roleAssignment.put({
     tenantId: context.tenantId,
     id,
-    resource: JSON.stringify({
-      resourceType: "RoleAssignment",
-      id,
-      ...parsedResource
-    }),
+    resource: JSON.stringify(resource),
+    summary,
     vid,
     lastUpdated
   }).go();
   return {
     id,
-    resource: { resourceType: "RoleAssignment", id, ...parsedResource },
+    resource,
     meta: { lastUpdated, versionId: vid }
   };
 }
@@ -2101,8 +2289,13 @@ async function getRoleAssignmentByIdRoute(req, res) {
 async function listRoleAssignmentsOperation(params) {
   const { context, tableName } = params;
   const service = getDynamoControlService(tableName);
-  const response = await service.entities.roleAssignment.query.gsi4({ tenantId: context.tenantId }).go();
-  const entries = (response.data ?? []).map((item) => {
+  const shardResults = await Promise.all(
+    Array.from(
+      { length: SHARD_COUNT },
+      (_, shard) => service.entities.roleAssignment.query.gsi1({ tenantId: context.tenantId, gsi1Shard: String(shard) }).go()
+    )
+  );
+  const entries = shardResults.flatMap((shardResult) => shardResult.data ?? []).map((item) => {
     const parsedResource = JSON.parse(item.resource);
     return {
       id: item.id,
@@ -2139,6 +2332,7 @@ async function listRoleAssignmentsRoute(req, res) {
 }
 
 // src/data/operations/control/roleassignment/roleassignment-update-operation.ts
+var import_types6 = require("@openhi/types");
 async function updateRoleAssignmentOperation(params) {
   const { context, id, body, tableName } = params;
   const service = getDynamoControlService(tableName);
@@ -2149,20 +2343,19 @@ async function updateRoleAssignmentOperation(params) {
   const parsedResource = typeof body.resource === "string" ? JSON.parse(body.resource) : body.resource ?? {};
   const lastUpdated = context.date ?? (/* @__PURE__ */ new Date()).toISOString();
   const vid = `${Date.now()}`;
+  const resource = { resourceType: "RoleAssignment", id, ...parsedResource };
+  const summary = JSON.stringify((0, import_types6.extractSummary)(resource));
   await service.entities.roleAssignment.put({
     tenantId: context.tenantId,
     id,
-    resource: JSON.stringify({
-      resourceType: "RoleAssignment",
-      id,
-      ...parsedResource
-    }),
+    resource: JSON.stringify(resource),
+    summary,
     vid,
     lastUpdated
   }).go();
   return {
     id,
-    resource: { resourceType: "RoleAssignment", id, ...parsedResource },
+    resource,
     meta: { lastUpdated, versionId: vid }
   };
 }
@@ -2219,6 +2412,7 @@ router4.delete("/:id", deleteRoleAssignmentRoute);
 var import_express5 = __toESM(require("express"));
 
 // src/data/operations/control/tenant/tenant-create-operation.ts
+var import_types7 = require("@openhi/types");
 async function createTenantOperation(params) {
   const { context, body, tableName } = params;
   const service = getDynamoControlService(tableName);
@@ -2227,10 +2421,12 @@ async function createTenantOperation(params) {
   const vid = lastUpdated.replace(/[-:T.Z]/g, "").slice(0, 12) || Date.now().toString(36);
   const parsedResource = typeof body.resource === "string" ? JSON.parse(body.resource) : body.resource ?? {};
   const resource = { resourceType: "Tenant", id, ...parsedResource };
+  const summary = JSON.stringify((0, import_types7.extractSummary)(resource));
   await service.entities.tenant.put({
     tenantId: id,
     id,
     resource: JSON.stringify(resource),
+    summary,
     vid,
     lastUpdated
   }).go();
@@ -2339,8 +2535,13 @@ async function getTenantByIdRoute(req, res) {
 async function listTenantsOperation(params) {
   const { tableName } = params;
   const service = getDynamoControlService(tableName);
-  const { data: items } = await service.entities.tenant.query.gsi4({}).go();
-  const entries = items.map((item) => {
+  const shardResults = await Promise.all(
+    Array.from(
+      { length: SHARD_COUNT },
+      (_, shard) => service.entities.tenant.query.gsi1({ gsi1Shard: String(shard) }).go()
+    )
+  );
+  const entries = shardResults.flatMap((shardResult) => shardResult.data ?? []).map((item) => {
     const parsed = JSON.parse(item.resource);
     return {
       id: item.id,
@@ -2373,6 +2574,7 @@ async function listTenantsRoute(req, res) {
 }
 
 // src/data/operations/control/tenant/tenant-update-operation.ts
+var import_types8 = require("@openhi/types");
 async function updateTenantOperation(params) {
   const { context, id, body, tableName } = params;
   const service = getDynamoControlService(tableName);
@@ -2390,7 +2592,8 @@ async function updateTenantOperation(params) {
     resourceType: "Tenant",
     id
   };
-  await service.entities.tenant.patch({ tenantId: id, sk: "CURRENT" }).set({ resource: JSON.stringify(updated), vid, lastUpdated }).go();
+  const summary = JSON.stringify((0, import_types8.extractSummary)(updated));
+  await service.entities.tenant.patch({ tenantId: id, sk: "CURRENT" }).set({ resource: JSON.stringify(updated), summary, vid, lastUpdated }).go();
   return { id, resource: updated, meta: { lastUpdated, versionId: vid } };
 }
 
@@ -2446,6 +2649,7 @@ router5.delete("/:id", deleteTenantRoute);
 var import_express6 = __toESM(require("express"));
 
 // src/data/operations/control/user/user-create-operation.ts
+var import_types9 = require("@openhi/types");
 async function createUserOperation(params) {
   const { context, body, tableName } = params;
   const service = getDynamoControlService(tableName);
@@ -2453,15 +2657,18 @@ async function createUserOperation(params) {
   const parsedResource = typeof body.resource === "string" ? JSON.parse(body.resource) : body.resource ?? {};
   const lastUpdated = context.date ?? (/* @__PURE__ */ new Date()).toISOString();
   const vid = `1`;
+  const resource = { resourceType: "User", id, ...parsedResource };
+  const summary = JSON.stringify((0, import_types9.extractSummary)(resource));
   await service.entities.user.put({
     id,
-    resource: JSON.stringify({ resourceType: "User", id, ...parsedResource }),
+    resource: JSON.stringify(resource),
+    summary,
     vid,
     lastUpdated
   }).go();
   return {
     id,
-    resource: { resourceType: "User", id, ...parsedResource },
+    resource,
     meta: { lastUpdated, versionId: vid }
   };
 }
@@ -2569,8 +2776,13 @@ async function getUserByIdRoute(req, res) {
 async function listUsersOperation(params) {
   const { tableName } = params;
   const service = getDynamoControlService(tableName);
-  const response = await service.entities.user.query.gsi4({}).go();
-  const entries = (response.data ?? []).map((item) => {
+  const shardResults = await Promise.all(
+    Array.from(
+      { length: SHARD_COUNT },
+      (_, shard) => service.entities.user.query.gsi1({ gsi1Shard: String(shard) }).go()
+    )
+  );
+  const entries = shardResults.flatMap((shardResult) => shardResult.data ?? []).map((item) => {
     const parsedResource = JSON.parse(item.resource);
     return {
       id: item.id,
@@ -2603,6 +2815,7 @@ async function listUsersRoute(req, res) {
 }
 
 // src/data/operations/control/user/user-update-operation.ts
+var import_types10 = require("@openhi/types");
 async function updateUserOperation(params) {
   const { context, id, body, tableName } = params;
   const service = getDynamoControlService(tableName);
@@ -2613,15 +2826,18 @@ async function updateUserOperation(params) {
   const parsedResource = typeof body.resource === "string" ? JSON.parse(body.resource) : body.resource ?? {};
   const lastUpdated = context.date ?? (/* @__PURE__ */ new Date()).toISOString();
   const vid = `${Date.now()}`;
+  const resource = { resourceType: "User", id, ...parsedResource };
+  const summary = JSON.stringify((0, import_types10.extractSummary)(resource));
   await service.entities.user.put({
     id,
-    resource: JSON.stringify({ resourceType: "User", id, ...parsedResource }),
+    resource: JSON.stringify(resource),
+    summary,
     vid,
     lastUpdated
   }).go();
   return {
     id,
-    resource: { resourceType: "User", id, ...parsedResource },
+    resource,
     meta: { lastUpdated, versionId: vid }
   };
 }
@@ -2678,6 +2894,7 @@ router6.delete("/:id", deleteUserRoute);
 var import_express7 = __toESM(require("express"));
 
 // src/data/operations/control/workspace/workspace-create-operation.ts
+var import_types11 = require("@openhi/types");
 async function createWorkspaceOperation(params) {
   const { context, body, tableName } = params;
   const { tenantId } = context;
@@ -2687,7 +2904,15 @@ async function createWorkspaceOperation(params) {
   const vid = lastUpdated.replace(/[-:T.Z]/g, "").slice(0, 12) || Date.now().toString(36);
   const parsedResource = typeof body.resource === "string" ? JSON.parse(body.resource) : body.resource ?? {};
   const resource = { resourceType: "Workspace", id, ...parsedResource };
-  await service.entities.workspace.put({ tenantId, id, resource: JSON.stringify(resource), vid, lastUpdated }).go();
+  const summary = JSON.stringify((0, import_types11.extractSummary)(resource));
+  await service.entities.workspace.put({
+    tenantId,
+    id,
+    resource: JSON.stringify(resource),
+    summary,
+    vid,
+    lastUpdated
+  }).go();
   return { id, resource, meta: { lastUpdated, versionId: vid } };
 }
 
@@ -2796,8 +3021,13 @@ async function listWorkspacesOperation(params) {
   const { context, tableName } = params;
   const { tenantId } = context;
   const service = getDynamoControlService(tableName);
-  const { data: items } = await service.entities.workspace.query.gsi4({ tenantId }).go();
-  const entries = items.map((item) => {
+  const shardResults = await Promise.all(
+    Array.from(
+      { length: SHARD_COUNT },
+      (_, shard) => service.entities.workspace.query.gsi1({ tenantId, gsi1Shard: String(shard) }).go()
+    )
+  );
+  const entries = shardResults.flatMap((shardResult) => shardResult.data ?? []).map((item) => {
     const parsed = JSON.parse(item.resource);
     return {
       id: item.id,
@@ -2830,6 +3060,7 @@ async function listWorkspacesRoute(req, res) {
 }
 
 // src/data/operations/control/workspace/workspace-update-operation.ts
+var import_types12 = require("@openhi/types");
 async function updateWorkspaceOperation(params) {
   const { context, id, body, tableName } = params;
   const { tenantId } = context;
@@ -2848,7 +3079,8 @@ async function updateWorkspaceOperation(params) {
     resourceType: "Workspace",
     id
   };
-  await service.entities.workspace.patch({ tenantId, id, sk: "CURRENT" }).set({ resource: JSON.stringify(updated), vid, lastUpdated }).go();
+  const summary = JSON.stringify((0, import_types12.extractSummary)(updated));
+  await service.entities.workspace.patch({ tenantId, id, sk: "CURRENT" }).set({ resource: JSON.stringify(updated), summary, vid, lastUpdated }).go();
   return { id, resource: updated, meta: { lastUpdated, versionId: vid } };
 }
 
@@ -2960,6 +3192,18 @@ var dataEntityAttributes = {
     type: "string",
     required: true
   },
+  /**
+   * Summary projection of the FHIR resource as a JSON string (uncompressed). Populated on every
+   * write via `extractSummary(resource)` so GSI projections can surface list/lookup data without
+   * reading the compressed `resource` blob. Kept uncompressed because the summary is small and
+   * must be fast to retrieve without encode/decode overhead.
+   *
+   * @see sites/www-docs/content/architecture/adr/2026-04-17-02-fhir-summary-projection-for-gsi-access-patterns.md
+   */
+  summary: {
+    type: "string",
+    required: true
+  },
   /** Version id (e.g. ULID). Tracks current version; S3 history key. */
   vid: {
     type: "string",
@@ -2969,6 +3213,41 @@ var dataEntityAttributes = {
     type: "string",
     required: true
   },
+  /**
+   * Shard index segment for the GSI1 partition key. Computed deterministically from `id`
+   * via `computeShard` so updates always land on the same shard. Stored as a string because
+   * it appears as a literal segment in the GSI1 PK template; the underlying value is 0..3.
+   * Not `required` because the value is derived via `watch`/`set`; ElectroDB's required-field
+   * check runs before watch propagation, so callers must not fail validation on a derived field.
+   *
+   * @see sites/www-docs/content/packages/@openhi/constructs/data/dynamo/single-table-design.md — GSI1 (sharded)
+   */
+  gsi1Shard: {
+    type: "string",
+    watch: ["id"],
+    set: (_val, item) => {
+      if (typeof item?.id !== "string" || item.id.length === 0) {
+        return void 0;
+      }
+      return String(computeShard(item.id));
+    }
+  },
+  /**
+   * GSI1 sort key. Written as the index's SK verbatim so list endpoints can
+   * use `BEGINS_WITH` for prefix queries (e.g. `?name=Sm` against Patient).
+   * Computed at write time via `extractSortKey(resource)` per DR-004:
+   *   - Labeled types (LABEL_PATHS): `<normalizedLabel>#<id>`
+   *   - Unlabeled types: `<ISO-8601 lastUpdated>#<id>`
+   * The factory deliberately does not derive this from `lastUpdated`/`id`
+   * — that would lock every type into the unlabeled fallback and defeat
+   * label-based BEGINS_WITH on labeled types.
+   *
+   * @see openhi-planning DR-004
+   */
+  gsi1sk: {
+    type: "string",
+    required: true
+  },
   deleted: {
     type: "boolean",
     required: false
@@ -3003,18 +3282,26 @@ function createDataEntity(entity, resourceTypeLabel) {
           composite: ["sk"]
         }
       },
-      /** GSI4 — Resource Type Index: list all resources of this type in a workspace (no scan). Used by list operations (e.g. GET /Patient). */
-      gsi4: {
-        index: "GSI4",
+      /**
+       * GSI1 — Unified Sharded List: list all resources of this type in a workspace; reads fan
+       * out across the four shards and merge by SK. SK is the writer-supplied `gsi1sk` verbatim
+       * (per DR-004) so labeled types serve `BEGINS_WITH` prefix queries on the natural label.
+       * `casing: "none"` is required on the SK because the writer (`extractSortKey`) already
+       * applies DR-004 normalization — ElectroDB's default lowercasing would mangle the
+       * ISO-8601 unlabeled fallback (`T`/`Z` → `t`/`z`).
+       */
+      gsi1: {
+        index: "GSI1",
         pk: {
-          field: "GSI4PK",
-          composite: ["tenantId", "workspaceId"],
-          template: `TID#\${tenantId}#WID#\${workspaceId}#RT#${resourceTypeLabel}`
+          field: "GSI1PK",
+          composite: ["tenantId", "workspaceId", "gsi1Shard"],
+          template: `TID#\${tenantId}#WID#\${workspaceId}#RT#${resourceTypeLabel}#SHARD#\${gsi1Shard}`
         },
         sk: {
-          field: "GSI4SK",
-          composite: ["id"],
-          template: `ID#\${id}`
+          field: "GSI1SK",
+          casing: "none",
+          composite: ["gsi1sk"],
+          template: `\${gsi1sk}`
         }
       }
     }
@@ -3908,6 +4195,7 @@ function getDynamoDataService(tableName) {
 }
 
 // src/data/operations/data-operations-common.ts
+var import_types13 = require("@openhi/types");
 var DATA_ENTITY_SK = "CURRENT";
 async function getDataEntityById(entity, tenantId, workspaceId, id, resourceLabel) {
   const result = await entity.get({
@@ -3936,28 +4224,40 @@ async function deleteDataEntityById(entity, tenantId, workspaceId, id) {
   }).go();
 }
 async function listDataEntitiesByWorkspace(entity, tenantId, workspaceId) {
-  const result = await entity.query.gsi4({ tenantId, workspaceId }).go();
-  const items = result.data ?? [];
-  const entries = items.map((item) => {
-    const parsed = JSON.parse(decompressResource(item.resource));
-    return {
-      id: item.id,
-      resource: { ...parsed, id: item.id }
-    };
-  });
+  const shardResults = await Promise.all(
+    Array.from(
+      { length: SHARD_COUNT },
+      (_, shard) => entity.query.gsi1({ tenantId, workspaceId, gsi1Shard: String(shard) }).go()
+    )
+  );
+  const entries = [];
+  for (const shardResult of shardResults) {
+    for (const item of shardResult.data ?? []) {
+      const parsed = JSON.parse(decompressResource(item.resource));
+      entries.push({
+        id: item.id,
+        resource: { ...parsed, id: item.id }
+      });
+    }
+  }
   return { entries };
 }
 async function createDataEntityRecord(entity, tenantId, workspaceId, id, resourceWithAudit, fallbackDate) {
   const lastUpdated = resourceWithAudit.meta?.lastUpdated ?? fallbackDate ?? (/* @__PURE__ */ new Date()).toISOString();
   const vid = lastUpdated.replace(/[-:T.Z]/g, "").slice(0, 12) || Date.now().toString(36);
+  const resourceLike = resourceWithAudit;
+  const summary = JSON.stringify((0, import_types13.extractSummary)(resourceLike));
+  const gsi1sk = (0, import_types13.extractSortKey)(resourceLike);
   await entity.put({
     sk: DATA_ENTITY_SK,
     tenantId,
     workspaceId,
     id,
     resource: compressResource(JSON.stringify(resourceWithAudit)),
+    summary,
     vid,
-    lastUpdated
+    lastUpdated,
+    gsi1sk
   }).go();
   return {
     id,
@@ -4004,6 +4304,9 @@ async function updateDataEntityById(entity, tenantId, workspaceId, id, resourceL
   }
   const existingStr = decompressResource(existing.data.resource);
   const { resource, lastUpdated } = buildPatched(existingStr);
+  const resourceLike = resource;
+  const summary = JSON.stringify((0, import_types13.extractSummary)(resourceLike));
+  const gsi1sk = (0, import_types13.extractSortKey)(resourceLike);
   await entity.patch({
     tenantId,
     workspaceId,
@@ -4011,7 +4314,9 @@ async function updateDataEntityById(entity, tenantId, workspaceId, id, resourceL
     sk: DATA_ENTITY_SK
   }).set({
     resource: compressResource(JSON.stringify(resource)),
-    lastUpdated
+    summary,
+    lastUpdated,
+    gsi1sk
   }).go();
   return {
     id,
@@ -12655,9 +12960,165 @@ async function listEncountersOperation(params) {
   );
 }
 
+// src/data/postgres/data-api-postgres-query-runner.ts
+var import_client_rds_data = require("@aws-sdk/client-rds-data");
+var DataApiPostgresQueryRunner = class {
+  constructor(options) {
+    this.client = options.client ?? new import_client_rds_data.RDSDataClient({});
+    this.clusterArn = options.clusterArn;
+    this.secretArn = options.secretArn;
+    this.database = options.database;
+    this.schema = options.schema;
+  }
+  async query(sql, params) {
+    const out = await this.client.send(
+      new import_client_rds_data.ExecuteStatementCommand({
+        resourceArn: this.clusterArn,
+        secretArn: this.secretArn,
+        database: this.database,
+        schema: this.schema,
+        sql,
+        parameters: params.map(toSqlParameter),
+        // Results as named columns so we can map them back to JS objects.
+        includeResultMetadata: true,
+        // Encode JSONB results as strings, then parse client-side. Without
+        // this, Data API returns JSON values inline as their underlying types
+        // and complex JSONB columns get clipped.
+        formatRecordsAs: "JSON"
+      })
+    );
+    if (!out.formattedRecords) {
+      return [];
+    }
+    return JSON.parse(out.formattedRecords);
+  }
+};
+function toSqlParameter(param) {
+  if (param.value === null) {
+    return { name: param.name, value: { isNull: true } };
+  }
+  const v = param.value;
+  let field;
+  if (typeof v === "string") {
+    field = { stringValue: v };
+  } else if (typeof v === "boolean") {
+    field = { booleanValue: v };
+  } else if (Number.isInteger(v)) {
+    field = { longValue: v };
+  } else {
+    field = { doubleValue: v };
+  }
+  return { name: param.name, value: field };
+}
+
+// src/data/postgres/default-postgres-query-runner.ts
+var cached;
+function readEnv(name) {
+  const v = process.env[name]?.trim();
+  if (!v) {
+    throw new Error(
+      `Missing required env var for default PostgresQueryRunner: ${name}`
+    );
+  }
+  return v;
+}
+function getDefaultPostgresQueryRunner() {
+  if (!cached) {
+    cached = new DataApiPostgresQueryRunner({
+      clusterArn: readEnv("OPENHI_PG_CLUSTER_ARN"),
+      secretArn: readEnv("OPENHI_PG_SECRET_ARN"),
+      database: readEnv("OPENHI_PG_DATABASE"),
+      schema: readEnv("OPENHI_PG_SCHEMA")
+    });
+  }
+  return cached;
+}
+
+// src/data/operations/data/encounter/encounter-search-by-patient-operation.ts
+var DEFAULT_LIMIT = 100;
+function buildOpenHiResourceUrn(opts) {
+  return `urn:ohi:${opts.tenantId}:${opts.workspaceId}:${opts.resourceType}:${opts.resourceId}`;
+}
+function buildSearchEncountersByPatientSql() {
+  return [
+    "SELECT resource_id AS id, resource",
+    "FROM resources",
+    "WHERE tenant_id = :tenantId",
+    "  AND workspace_id = :workspaceId",
+    "  AND resource_type = 'Encounter'",
+    "  AND deleted_at IS NULL",
+    "  AND (resource @> :containmentRelative::jsonb",
+    "    OR resource @> :containmentUrn::jsonb)",
+    "ORDER BY last_updated DESC",
+    "LIMIT :limit;"
+  ].join("\n");
+}
+async function searchEncountersByPatientOperation(params) {
+  const { context, patientId } = params;
+  const { tenantId, workspaceId } = context;
+  const runner = params.runner ?? getDefaultPostgresQueryRunner();
+  const limit = params.limit ?? DEFAULT_LIMIT;
+  const containmentRelative = JSON.stringify({
+    subject: { reference: `Patient/${patientId}` }
+  });
+  const containmentUrn = JSON.stringify({
+    subject: {
+      reference: buildOpenHiResourceUrn({
+        tenantId,
+        workspaceId,
+        resourceType: "Patient",
+        resourceId: patientId
+      })
+    }
+  });
+  const rows = await runner.query(
+    buildSearchEncountersByPatientSql(),
+    [
+      { name: "tenantId", value: tenantId },
+      { name: "workspaceId", value: workspaceId },
+      { name: "containmentRelative", value: containmentRelative },
+      { name: "containmentUrn", value: containmentUrn },
+      { name: "limit", value: limit }
+    ]
+  );
+  const entries = rows.map((row) => ({
+    id: row.id,
+    resource: {
+      ...row.resource,
+      id: row.id
+    }
+  }));
+  return { entries };
+}
+
 // src/data/rest-api/routes/data/encounter/encounter-list-route.ts
+function singleStringQueryParam(req, name) {
+  const v = req.query[name];
+  if (typeof v !== "string") {
+    return void 0;
+  }
+  const trimmed = v.trim();
+  return trimmed === "" ? void 0 : trimmed;
+}
 async function listEncountersRoute(req, res) {
   const ctx = req.openhiContext;
+  const patientId = singleStringQueryParam(req, "patient");
+  if (patientId) {
+    try {
+      const result = await searchEncountersByPatientOperation({
+        context: ctx,
+        patientId
+      });
+      const bundle = buildSearchsetBundle(BASE_PATH.ENCOUNTER, result.entries);
+      return res.json(bundle);
+    } catch (err) {
+      return sendOperationOutcome500(
+        res,
+        err,
+        "GET /Encounter?patient= search error:"
+      );
+    }
+  }
   try {
     const result = await listEncountersOperation({ context: ctx });
     const bundle = buildSearchsetBundle(BASE_PATH.ENCOUNTER, result.entries);
@@ -24574,6 +25035,7 @@ var import_ulid99 = require("ulid");
 // src/data/import-patient.ts
 var import_node_fs = require("fs");
 var import_node_path = require("path");
+var import_types14 = require("@openhi/types");
 function extractPatient(parsed) {
   if (parsed && typeof parsed === "object" && "resourceType" in parsed) {
     const root = parsed;
@@ -24639,6 +25101,9 @@ function patientToPutAttrs(patient, options) {
     workspaceId,
     id: patient.id,
     resource: compressResource(JSON.stringify(patientWithMeta)),
+    summary: JSON.stringify(
+      (0, import_types14.extractSummary)(patientWithMeta)
+    ),
     vid: lastUpdated.replace(/[-:T.Z]/g, "").slice(0, 12) || Date.now().toString(36),
     lastUpdated,
     identifierSystem: "",
@@ -33959,6 +34424,7 @@ app.use(
     "/MedicinalProductPackaged",
     "/MedicinalProductPharmaceutical",
     "/MedicinalProductUndesirableEffect",
+    "/Membership",
     "/MessageDefinition",
     "/MessageHeader",
     "/MolecularSequence",
@@ -33988,6 +34454,8 @@ app.use(
     "/ResearchSubject",
     "/RiskAssessment",
     "/RiskEvidenceSynthesis",
+    "/Role",
+    "/RoleAssignment",
     "/Schedule",
     "/ServiceRequest",
     "/SearchParameter",
@@ -34007,12 +34475,15 @@ app.use(
     "/SupplyDelivery",
     "/SupplyRequest",
     "/Task",
+    "/Tenant",
     "/TerminologyCapabilities",
     "/TestReport",
     "/TestScript",
+    "/User",
     "/ValueSet",
     "/VerificationResult",
-    "/VisionPrescription"
+    "/VisionPrescription",
+    "/Workspace"
   ],
   openHiContextMiddleware
 );
@@ -34174,6 +34645,18 @@ app.use("/RoleAssignment", router4);
 app.use("/Tenant", router5);
 app.use("/User", router6);
 app.use("/Workspace", router7);
+app.use((_req, res) => {
+  res.status(404).json({
+    resourceType: "OperationOutcome",
+    issue: [
+      {
+        severity: "error",
+        code: "not-supported",
+        diagnostics: "The requested endpoint or resource type is not supported by this server."
+      }
+    ]
+  });
+});
 
 // src/data/lambda/rest-api-lambda.handler.ts
 var handler = (0, import_serverless_express2.default)({ app });